http://blog.washingtonpost.com/securityfix/ en Copyright 2008 Thu, 15 May 2008 15:50:44 -0400 http://www.movabletype.org/?v=3.36 http://blogs.law.harvard.edu/tech/rss The secrecy surrounding the Bush administration's updated National Cyber Security Initiative -- designed to improve the government's digital defenses and put forth an offensive information warfare doctrine -- is endangering the deterrent value of the project and appears to be aimed chiefly at supporting spying operations abroad, a key U.S. Senate committee concludes in a new report. The Senate Armed Services Committee said a major thrust of the initiative was to inform our adversaries as to the range of potential consequences of a cyber attack on U.S. strategic or national assets. But so far only three of the 18 goals spelled out in the cyber initiative have been discussed publicly; the rest remain classified. "It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified," the committee's report said. "In the era of superpower nuclear http://blog.washingtonpost.com/securityfix/2008/05/government_secrecy_and_the_mys.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/government_secrecy_and_the_mys.html U.S. Government Thu, 15 May 2008 15:50:44 -0400 Online merchants who have used a Debian-based operating system to generate secure sockets layer (SSL) certificates for encrypting customer communications should check to make sure the private key needed to decrypt those transactions isn't already posted on the Web for all to see. Normally, even if an attacker is able to intercept https:// traffic between a commercial Web site and a customer, the bad guy is unable to make sense of it without the private key held by the Web site owner. But new research published this week points to a weakness in Debian's cryptographic process that potentially gives eavesdroppers the tools to quickly discover the key needed to unlock https:// transactions and view the traffic in plain text. Most cryptographic systems work by generating a set of public and private keys, with the trick to generating strong, virtually unbreakable keys being randomness. The process starts with an extremely long http://blog.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html Latest Warnings Thu, 15 May 2008 14:44:17 -0400 Three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week. The government's 27-count indictment unsealed this week names Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "JonnyHell," Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications. The government also unsealed a complaint against Albert "Segvec" Gonzalez of Miami, who, according to the U.S. Secret Service, was responsible for creating the software used to steal credit and debit card data. The complaint alleges that sometime between April and September of 2007, Yastremskiy and Suvorov http://blog.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html Cyber Justice Wed, 14 May 2008 17:15:58 -0400 Microsoft today issued four updates to fix at least six security flaws in its Windows operating system and Office software. The bundle includes a patch for a critical flaw that hackers already are exploiting to break into vulnerable Windows systems. The latest updates are available through Microsoft/Windows Update, or via Automatic Updates. Four of the vulnerabilities fixed in today's roundup earned Microsoft's most dire "critical" label, which means hackers could use them to break into Windows systems with little or no help from the user, save from convincing the user into clicking on a link or opening a file or e-mail. Among the most serious of the critical updates is a fix for a known flaw in Microsoft's Jet Database Engine, a component built into Windows 2000, Windows XP and Windows Server 2003 that provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party http://blog.washingtonpost.com/securityfix/2008/05/microsoft_patches_six_security_1.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/microsoft_patches_six_security_1.html New Patches Tue, 13 May 2008 15:30:24 -0400 If you sell enough stuff online at sites like Craigslist and eBay, eventually you will receive an offer for your wares that far exceeds your asking price. Such offers are often the first stage of a scam in which the fraudster sends a counterfeit check along with some elaborate explanation for offering such a high amount. The scam artist then asks the seller to wire back the difference after the check is deposited. It should surprise no one that the checks always bounce, leaving anyone who falls for the scam liable to their bank for the entire amount. This is not a new scam, but I had never seen one of these fake checks in person until my colleague here at washingtonpost.com - Dan - recently received one of these fairly official-looking checks after advertising an $300 bike frame for sale on Craigslist.com. The outer envelope was hand addressed with http://blog.washingtonpost.com/securityfix/2008/05/online_sellers_beware_fake_che.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/online_sellers_beware_fake_che.html Fraud Tue, 13 May 2008 11:30:05 -0400 This post was updated at 12:20 p.m. to clarify what's new in this Adobe patch. See the update below the original post. Adobe has issued an update to plug at least eight security holes in its PDF Reader software. The latest patch brings the current, patched, version of Adobe to 8.1.2. If you're reading this post on a system that has Adobe Reader installed, please take a moment now to download and apply this update. Cyber crooks have recently added Adobe vulnerabilities to "Neosploit," a tool that automates the exploitation of outdated browser plug-ins when users visit certain malicious or hacked Web sites. As Symantec notes, you don't have to be doing anything risky to get burned by running an outdated copy of Adobe Reader these days. Symantec writes: "If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the http://blog.washingtonpost.com/securityfix/2008/05/adobe_plugs_8_security_holes_i.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/adobe_plugs_8_security_holes_i.html New Patches Fri, 09 May 2008 11:40:18 -0400 Anyone who downloaded the Vietnamese language pack for Firefox 2 needs to run an anti-spyware and anti-virus scan, then disable the pack for now. Mozilla warned yesterday that all versions of that language pack downloaded from its servers since Feb. 18, 2008, were infected with pop-up ad serving software. Window Snyder, Mozilla's chief security officer, said the Vietnamese language pack was contaminated as the result of a virus infection. "This usually results in the user seeing unwanted ads, but may be used for more malicious actions." Snyder said Mozilla doesn't know how many people downloaded the compromised language pack, but said there have been 16,667 downloads of the pack since November 2007. Mozilla is working on getting a replacement language pack up on the site soon. Snyder said that while Mozilla does virus scans when add-ons are uploaded to its servers, the scanner for whatever reason didn't catch this nasty http://blog.washingtonpost.com/securityfix/2008/05/mozilla_distributes_virusinfec_1.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/mozilla_distributes_virusinfec_1.html Latest Warnings Thu, 08 May 2008 12:51:20 -0400 Anyone who doubts that Internet click fraud has become a big money maker should take a look at a Russian Web site called Robotraff.com, which bills itself as "the first stock exchange of Web traffic." Set up a free account at Robotraff and you're ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer. Or maybe you're just getting started and you can't be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need. So let's have a look at the transactions Robotraff is handling today: User #704 is selling "search mix" http://blog.washingtonpost.com/securityfix/2008/05/the_click_fraud_stock_exchange_1.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/the_click_fraud_stock_exchange_1.html Fraud Wed, 07 May 2008 18:22:18 -0400 Microsoft today finally released Service Pack 3 for Windows XP users. The update should now be offered via both Windows Update or Automatic Updates. The company was expected to release it last week, but pulled the plug at the last minute due to a compatibility problem with an obscure product they offer. Many readers have asked me whether this update is really necessary, given that there isn't a whole lot new in Service Pack 3 aside from all of the security and non-security updates Microsoft has ever released for the operating system. The following are some of the things you should know about installing Service Pack 3 for Windows XP. Microsoft says it is not adding any significant Windows Vista technology into XP with Service Pack 3. No surprise there, given that Microsoft has said Service Pack 3 will be XP's swan song: The company currently plans to stop issuing http://blog.washingtonpost.com/securityfix/2008/05/microsoft_releases_windows_xp_1.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/microsoft_releases_windows_xp_1.html New Patches Tue, 06 May 2008 20:35:34 -0400 A broad coalition of technology groups today told a federal appeals court to toss out a lawsuit that adware maker Zango is continuing to pursue against computer security vendor Kaspersky Lab, arguing that to do otherwise would harm consumers and the future of the security software market. In May 2007, Bellvue, Wash.-based Zango -- a company that makes software to serve pop-up ads and tracks users' activities on behalf of online marketers -- sued Kaspersky, charging that the company interfered with its business by removing its "adware" without first alerting the user. In August, the judge assigned to the case dismissed Zango's suit, saying Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable (portions of the CDA have been struck down by http://blog.washingtonpost.com/securityfix/2008/05/tech_groups_back_kaspersky_in.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/tech_groups_back_kaspersky_in.html From the Bunker Mon, 05 May 2008 18:30:32 -0400 Read Brian Krebs's latest story on washingtonpost.com: "White House Plans Proactive Cyber-Security Role for Spy Agencies." America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday. Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems. Continue reading... http://blog.washingtonpost.com/securityfix/2008/05/stepped_up_cyber_role_for_spy.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/stepped_up_cyber_role_for_spy.html U.S. Government Fri, 02 May 2008 12:46:21 -0400 Security Fix is launching a new feature today called Cyber Justice Chronicles, which will periodically provide short snippets of news about individuals who have been arrested or convicted of computer crime offenses. Law enforcement takes its share of lumps for not doing enough to go after cyber crooks, and while the victories on that front may be few and far between, it seems worthwhile to highlight some of the successes: * On Wednesday, Justice Department officials said they had worked with officials from NASA and Nigerian law enforcement to win the conviction of Akeem Adejumo, a 22-year-old Nigerian man who pled guilty to hacking into a NASA employee's computer. Turns out, Adejumo and an unnamed NASA employee met via an online dating Web site. Adejumo admitted sending the woman an e-mail attachment that contained a keystroke logger, which allowed him to steal her personal information including bank account and Social http://blog.washingtonpost.com/securityfix/2008/05/cyber_justice_chronicles_1.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/05/cyber_justice_chronicles_1.html Cyber Justice Thu, 01 May 2008 17:15:06 -0400 Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable. As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or when they mistype a real domain, e.g., ww.example.com (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software. Kaminsky presented evidence that Verizon was among the http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html From the Bunker Wed, 30 Apr 2008 06:00:33 -0400 Microsoft is delaying the release of Service Pack 3 for Windows XP users due to a "compatibility issue" with the bundle of updates and a supply-chain solution the company markets to small- and medium-sized businesses. The software giant had previously said SP3 would be released to XP customers today via Windows Update and its software download center. In a written statement, Microsoft said: "In order to make sure customers have the best possible experience we have decided to delay releasing Windows XP SP3 to Windows Update and Microsoft Download Center. "To help protect our customers, we plan to put filtering in place shortly to prevent Windows Update from offering both service packs to systems running Microsoft Dynamics RMS. Once filtering is in place, we expect to release Windows XP SP3 to Windows Update and Download Center." Security Fix will post another update when Microsoft makes Service Pack 3 available for http://blog.washingtonpost.com/securityfix/2008/04/microsoft_delays_windows_xp_se.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/04/microsoft_delays_windows_xp_se.html New Patches Tue, 29 Apr 2008 17:43:21 -0400 Digital real estate leased to one of the Internet's oldest landholders appears to have been quietly seized by e-mail marketers closely associated with an individual once tagged by anti-spam groups as one of the world's most notorious spammers. What's remarkable about this case study is that it pits a vocal spammer against the American Registry for Internet Numbers, which has yet to take action. ARIN is one of five regional Internet registries worldwide that is responsible for allocating IP addresses (ARIN handles this process for the United States, Canada and 22 Caribbean countries). The real estate in question is Internet address space long ago issued to San Francisco Bay Packet Radio, an organization that was involved way back in the 1970s in testing ARPANET, a predecessor to the global commercial Internet that we all use today. That organization was given the rights to do whatever it wanted with any numeric http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_the_1.html?nav=rss_blog http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_the_1.html From the Bunker Mon, 28 Apr 2008 18:35:43 -0400