<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="/css/rss20.xsl" type="text/xsl"?>
<rss version="2.0" xmlns:pheedo="http://www.pheedo.com/namespace/pheedo">
	<channel>
		<title>Security Fix</title>
		<link>http://voices.washingtonpost.com/securityfix/</link>
		<ttl>15</ttl>
		<description>Brian Krebs on computer and Internet security</description>
		<language>en</language>
		<copyright>Copyright 2009</copyright>
		<lastBuildDate>Fri, 20 Nov 2009 13:15:36 -0500</lastBuildDate>
		<generator>http://www.movabletype.org/?v=4.21-en</generator>
		<docs>http://blogs.law.harvard.edu/tech/rss</docs>
		<item>
			<title>Alpha Software disclosure leads to confusion</title>
			<description>A few days ago, Security Fix heard from a reader who received a breach notification so casual in tone that he asked me to verify whether it was for real. Sure enough, Burlington, Mass.-based database application company Alpha Software Inc. recently told customers that a data breach had exposed their payment information. That fact was confirmed by similarly confused users posting to the company&apos;s online forum. The e-mail notice to affected customers reads: November 9, 2009 Dear Customer, We have been informed that there has been a security breach at the Internet Service Provider where our web site is hosted. This may have resulted in your credit card information being compromised. While it is entirely possible that your credit card information has not been stolen, in the interests of caution, we recommend that you contact your credit card provider to discuss what steps, if any, they recommend. Going forward, we</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=338126a305ee819e2607afee9abeeddd</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/how_not_to_disclose_a_security.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/how_not_to_disclose_a_security.html</guid>
			<category>From the Bunker</category>
			<pubDate>Fri, 20 Nov 2009 13:15:36 -0500</pubDate>
		</item>
		<item>
			<title>FDA targets rogue Internet pharmacies</title>
			<description>The U.S. Food and Drug Administration is pressuring a number of Internet service providers to shut off nearly 12 dozen Web sites alleged to be selling counterfeit or unapproved prescription drugs. The FDA&apos;s office of criminal investigations said it sent 22 warning letters to the operators of the sites, and alerted the appropriate ISPs and domain name registrars that the sites were selling phony pharmaceuticals, all without requiring a prescription. The agency said none of the sites represent pharmacies located in the United States or Canada, as most claim. According to the letters sent to owners of the 136 targeted sites, the online stores hawked everything from powerful controlled substances, including Valium and Xanax, to lifestyle drugs like Viagra and Levitra. Some sites even offered prescription drugs that have not yet been approved for distribution or sale in the United States, such as the anti-obesity drug Acomplia. &quot;Many U.S. consumers</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=43c6d92eaf5f200ff9ceb598f07aad68</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/fda_targets_rogue_internet_pha.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/fda_targets_rogue_internet_pha.html</guid>
			<category>Web Fraud 2.0</category>
			<pubDate>Thu, 19 Nov 2009 16:45:18 -0500</pubDate>
		</item>
		<item>
			<title>Bill would ban P2P use on federal networks, PCs</title>
			<description>The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks. The &quot;Secure Federal File Sharing Act&quot; would direct the White House&apos;s Office of Management and Budget to issue guidelines barring the use and/or installation of P2P software on federal systems, unless otherwise approved for a specific purpose. The bill also calls on OMB to develop a policy that would extend to networks and computers operated by agency contractors, as well as to personal computers of federal employees remotely accessing federal networks. &quot;We can no longer ignore the threat to sensitive government information that insecure peer-to-peer networks pose,&quot; said Rep. Edolphus Towns, the Democrat from New York who chairs the House oversight panel, in a statement. &quot;Voluntary self-regulations have failed so now is the time for Congress to act.&quot; The bill</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=95fb0acb1761fc1bff2efda3d80ba352</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/bill_would_ban_p2p_on_federal.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/bill_would_ban_p2p_on_federal.html</guid>
			<category>U.S. Government</category>
			<pubDate>Wed, 18 Nov 2009 12:50:04 -0500</pubDate>
		</item>
		<item>
			<title>Experts: Smart grid poses privacy risks</title>
			<description>Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called &quot;smart grid&quot; efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers&apos; daily power consumption. &quot;The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information,&quot; warns a report (PDF) jointly released Tuesday by the Ontario Information and Privacy Commissioner and the Future of Privacy Forum (FPF), a think tank made up of chief privacy officers, advocates and academics. Smart grid technology -- including new &quot;smart meters&quot; being attached to businesses and homes -- is designed in part to provide consumers with real-time feedback on power consumption patterns and levels. But as these systems begin to</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=2810183e385bb9648d8b09a6a45b1832</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/experts_smart_grid_poses_priva.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/experts_smart_grid_poses_priva.html</guid>
			<category>Latest Warnings</category>
			<pubDate>Wed, 18 Nov 2009 09:33:00 -0500</pubDate>
		</item>
		<item>
			<title>Microsoft warns of Windows 7 security hole</title>
			<description>Microsoft has confirmed reports of a security flaw in its Windows operating system that hackers could use to temporarily destabilize Windows 7 PCs. The software giant also acknowledged that blueprints for exploiting the flaw are now available online. At issue is a so-called &quot;denial-of-service&quot; vulnerability in the component of Windows that handles the sharing of files and folders. Microsoft said attackers could use exploit code now publicly available to cause vulnerable systems to stop functioning or become unreliable. The flaw is present in Windows 7 and Windows Server 2008 R2, and does not exist in older versions of the operating system, the software giant said. In a security bulletin published Friday, Microsoft said the vulnerability would not let attackers install malicious software or take control over an affected system, and that any ill effects from an attack on this flaw could be remedied by simply restarting the PC. In addition,</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=4e4e3b6d4c8f9213f4f79d3dbebf5b6b</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/microsoft_confirms_windows_7_s.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/microsoft_confirms_windows_7_s.html</guid>
			<category>Latest Warnings</category>
			<pubDate>Tue, 17 Nov 2009 09:10:05 -0500</pubDate>
		</item>
		<item>
			<title>Security update for Apple&apos;s Safari Web browser</title>
			<description>Apple has shipped a new version of its Safari Web browser that fixes at least seven security vulnerabilities. The Safari 4.0.4 update is available for both Mac and Windows versions of the browser. Mac users can grab the latest version through Software Update; Windows users will need to use the bundled Apple Software Update application.</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=0ce161e59bae637009b8cf6813d63d8b</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/security_update_for_apples_saf.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/security_update_for_apples_saf.html</guid>
			<category>New Patches</category>
			<pubDate>Fri, 13 Nov 2009 16:22:07 -0500</pubDate>
		</item>
		<item>
			<title>Nastygram: Beware the NACHA gotcha</title>
			<description>Cyber thieves on Thursday began blasting out millions of e-mails impersonating NACHA - The Electronic Payments Association, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services. The missives in this latest scam arrive with various subject lines, but all complain about an unauthorized, rejected or failed ACH transaction. Most regular Internet users probably will ignore this message, as few people probably even know what ACH stands for (ACH, or &quot;automated clearing house,&quot; refers to the electronic network used by banks to process credit and debit transactions in batches). That&apos;s likely just fine with the attackers, who appear to be targeting bookkeepers at small to mid-sized companies -- people who actually recognize what a failed or rejected ACH transaction can mean for their business&apos;s bottom line and reputation. According to an alert at the real NACHA Web</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=ce2348d07d58e31247ed32649c69b46a</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/in_the_past_few_weeks.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/in_the_past_few_weeks.html</guid>
			<category>Nastygram</category>
			<pubDate>Thu, 12 Nov 2009 18:44:19 -0500</pubDate>
		</item>
		<item>
			<title>Brazilian Govt: Soot, not hackers, caused &apos;07 blackouts</title>
			<description>The Brazilian government is refuting a report aired on Sunday by the CBS news magazine 60 Minutes, which stated that power blackouts in the South American nation in 2005 and 2007 were caused by hackers. Meanwhile, a large swath of Central Brazil is still reeling from another massive blackout that occurred in the region Tuesday evening. Citing six unnamed sources in the intelligence, military and cybersecurity communities, 60 Minutes claimed that a two-day outage that affected 3 million people in the Brazilian state of Espirito Santo was caused by hackers hitting a utility company&apos;s control systems. Another, smaller outage in January 2005 also was caused by hackers, the report said. According to the Wired.com Threat Level blog, the utility company involved, Furnas Centrais Elétricas, said it &quot;has no knowledge of hackers acting in Furnas&apos; power transmission system.&quot; &quot;Brazilian government officials disputed the report over the weekend, and Raphael Mandarino Jr.,</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=0eab2f3f3d6dc973382ad3d09aab6f55</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/brazilian_govt_soot_not_hacker.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/brazilian_govt_soot_not_hacker.html</guid>
			<category>From the Bunker</category>
			<pubDate>Wed, 11 Nov 2009 12:35:05 -0500</pubDate>
		</item>
		<item>
			<title>A year later: A look back at McColo </title>
			<description>A year ago today, the Internet community witnessed a remarkable event: The unplugging of McColo, a Web hosting facility in Northern California that for a long time controlled a majority of the spam-sending operations on the planet. McColo&apos;s two main Internet providers abruptly yanked the cord after Security Fix presented them with scads of evidence collected by security researchers tying massive amounts of spam and other illicit activity to McColo&apos;s network. The outcome, of course, is now well known: The volume of spam sent worldwide tanked overnight, and remained at diminished levels for many weeks. All sorts of other badness diminished as well (more on that later). But since then, the sizable chunk of virtual real estate previously occupied by McColo has remained eerily quiet. A review of more than 3,000 Internet addresses previously assigned to the hosting firm reveals an Internet ghost town, as if the entire neighborhood had</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=44e5bef778fa11d00b7dfadd9bdc638d</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/a_year_later_a_look_back_at_mc.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/a_year_later_a_look_back_at_mc.html</guid>
			<category>Cyber Justice</category>
			<pubDate>Wed, 11 Nov 2009 10:50:01 -0500</pubDate>
		</item>
		<item>
			<title>Microsoft plugs 15 holes in Windows, Office</title>
			<description>Microsoft on Tuesday released software updates to fix at least 15 security flaws in Windows, Windows Server and Microsoft Office. One of the patches addresses a flaw so serious that users could find their Windows PCs compromised just by visiting booby-trapped Web sites. Richie Lai, director of vulnerability research for patch management firm Qualys, said the most dangerous vulnerability addressed in this month&apos;s updates is a flaw in the way Windows handles so-called &quot;embedded font&quot; files. An attacker could stitch specially made embedded fonts into a Web page and use this flaw to install malicious software when people merely browse the site with Internet Explorer on Windows 2000, Windows XP or Windows Server 2003 systems, Lai said. Microsoft said it believes hackers will quickly figure out a way to exploit this flaw for criminal gain. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, agreed, saying the</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=c4ee5abadca020d8ba0b5ea1ca4a430d</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/microsoft_plugs_15_holes_in_wi.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/microsoft_plugs_15_holes_in_wi.html</guid>
			<category>New Patches</category>
			<pubDate>Tue, 10 Nov 2009 17:22:53 -0500</pubDate>
		</item>
		<item>
			<title>Eight indicted in $9M RBS WorldPay heist</title>
			<description>Eight men have been indicted on charges that they hacked into credit card processing firm RBS WorldPay, and helped steal more than $9 million in a highly coordinated heist nearly a year ago, the U.S. Justice Department said Tuesday. The 16-count indictment, which names individuals from Estonia, Moldova and Russia, is the first major break in a case federal investigators are calling &quot;perhaps the most sophisticated and organized computer fraud attack ever conducted.&quot; &quot;Today, almost exactly one year later, the leaders of this attack have been charged,&quot; said Sally Quillian Yates, acting U.S. attorney of the Northern District of Georgia, in a written statement. &quot;This investigation has broken the back of one of the most sophisticated computer hacking rings in the world.&quot; The men are accused of cracking the data encryption that RBS WorldPay used to protect customer data on payroll debit cards, allowing them to clone the cards. Some</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=169a579610fd7b6d65f35a245114ab2f</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/eight_indicted_in_9m_rbs_world.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/eight_indicted_in_9m_rbs_world.html</guid>
			<category>Cyber Justice</category>
			<pubDate>Tue, 10 Nov 2009 12:40:41 -0500</pubDate>
		</item>
		<item>
			<title>Apple ships 50+ security updates</title>
			<description>Apple has shipped a large security update for computers running its Leopard and Snow Leopard operating systems for the Mac. The bundle contains security fixes for more than 50 vulnerabilities, including updates for components like Adaptive Firewall, FTP server, QuickTime and Spotlight. The update applies to Snow Leopard (10.6.x) and Mac OS X Leopard (10.5.8) systems, as well as OS X Server versions of these operating systems. Users can grab the patches directly from Apple Downloads or via the Mac&apos;s built-in Software Update feature. Some of the individual fixes in these bundles are interesting in their own right. For example, Apple said that a vulnerability in Snow Leopard&apos;s Login Window could let a user log in to any account without supplying a password. Another update, this one for a bug in Leopard&apos;s Dictionary program, is limited to users on the local network, but gives a whole new meaning to the</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=4c1909081c2a3afcdf8b858f0e0d32ef</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/apple_ships_50_security_update.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/apple_ships_50_security_update.html</guid>
			<category>New Patches</category>
			<pubDate>Tue, 10 Nov 2009 10:57:55 -0500</pubDate>
		</item>
		<item>
			<title>Nastygram: MySpace phish plants spy software</title>
			<description>A new spam campaign targeting MySpace.com users once again illustrates the blended threat from junk e-mail attacks, experts warn. This latest run tries to lure recipients into giving up their MySpace credentials, and then attempts to trick victims into installing password-stealing malicious software. Attackers began blasting out the junk e-mails early Monday, according to researchers at the University of Alabama, Birmingham. Researchers at the school so far have tracked more than 30 Web site names associated with this attack, each beginning with &quot;accounts.myspace.com&quot; and ending in a United Kingdom country code domain (.uk). The campaign is nearly identical to one launched late last month targeting Facebook.com users, said Gary Warner, director of research in computer forensics at UAB Birmingham: Recipients are directed to a fake MySpace.com page and asked for their login credentials. That attack cycled through at least 242 different look-alike Facebook scam sites before the last was</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=34a1059da75c170b037803fe26f96cc2</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/nastygram_myspace_phish_plants.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/nastygram_myspace_phish_plants.html</guid>
			<category>Nastygram</category>
			<pubDate>Mon, 09 Nov 2009 12:21:00 -0500</pubDate>
		</item>
		<item>
			<title>First iPhone worm targets modified handsets</title>
			<description>The first known computer worm written for Apple&apos;s iPhone currently is infecting iPhones in Australia, swapping out the device&apos;s background image with that of 80s singer Rick Astley. The contagion, dubbed &quot;Ikee,&quot; spreads only among iPhones that have been &quot;jailbroken,&quot; a process that removes the device&apos;s software protection mechanisms and allows iPhone users to install applications that are not available through Apple&apos;s official App Store. Ikee spreads not through any vulnerability exactly, but by exploiting a feature that many users of jailbroken iPhones likely never took the time to understand or read about. Most of the software packages that users install in order to jailbreak their iPhones come with a service known as Secure Shell (SSH). This service allows the devices to be accessed remotely over the Internet with a special password. The trouble is that the most common jailbreaking software installs SSH using a default password. As a result,</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=b599e25197e97ab3c6b105ebb8e41dd3</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/first_iphone_worm_targets_modi.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/first_iphone_worm_targets_modi.html</guid>
			<category>Latest Warnings</category>
			<pubDate>Mon, 09 Nov 2009 00:09:53 -0500</pubDate>
		</item>
		<item>
			<title>Poking at Google&apos;s new privacy Dashboard</title>
			<description>Google this week unveiled a new feature called Dashboard, intended to give users a way to view -- and in modest ways limit -- the breadth of information the search giant collects about our online lives. To check out Dashboard, browse to this link, and sign in to your Google account. From there, you can manage which Google Documents you&apos;re sharing, edit your Gchat history, or clear out items from your Web search history, among other tasks. Google said it was launching the service &quot;to provide users with greater transparency and control over their own data.&quot; The reaction from privacy experts has been mixed. Ari Schwartz, vice president and chief operating officer at the Center for Democracy &amp; Technology, called the Dashboard offering a good first step, and one that is several steps ahead of what Google&apos;s peers in the search businesses currently offer their users. &quot;Google has said that</description>
			<link>http://feeds.voices.washingtonpost.com/click.phdo?i=c7f6b9a15407000d5a53de229aeb9827</link>
			<pheedo:origLink>http://voices.washingtonpost.com/securityfix/2009/11/poking_at_googles_privacy_dash.html?wprss=securityfix</pheedo:origLink>
			<guid isPermaLink="false">http://voices.washingtonpost.com/securityfix/2009/11/poking_at_googles_privacy_dash.html</guid>
			<category>From the Bunker</category>
			<pubDate>Fri, 06 Nov 2009 13:40:57 -0500</pubDate>
		</item>
	</channel>
</rss>