If the public wants online privacy it had better fight now for laws to protect it because businesses won’t and individuals don’t have the clout, security expert Bruce Schneier told RSA Conference.
Facebook’s New Privacy Settings: 5 Things You Should Know
Posted by Soulskill | Posted in News, Security | Posted on 08-03-2010
swandives writes “Researchers at US-CERT have warned that software accompanying the Energizer DUO USB battery charger contains a Trojan that gives hackers total access to a Windows PC. The product was sold in the US, Latin America, Europe and Asia starting in 2007. Upon installation, the software creates the file ‘Arucer.dll,’ a Trojan that listens for commands on TCP port 7777. Upon receiving instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. Uninstalling the software disables the automatic execution of the Trojan. Users can also remove Arucer.dll from Windows’ system32 directory and reboot the machine to disable the backdoor component.”



Read more of this story at Slashdot.



Homing in on the need for more security in application development, IBM Rational is planning an enterprise-level product that features two separately acquired technologies for security testing and code scanning.
Posted by kdawson | Posted in News, Security | Posted on 06-03-2010
An anonymous reader writes “I own a small Web development studio that specializes in open source software, primarily Drupal, WordPress, and Joomla for small businesses. Our production servers, which host about 50 sites and generate ~20K hits/week, are managed by a 3rd party that I’m sure many on Slashdot would recognize. Earlier today I was researching some problems on one of our sites and found that there have been over 1 million SSH authentication failures from ~1200 IP addresses on one of our servers over the last year. I contacted the ISP, who had promised me that server security would be actively managed, and their recommendation was, ‘change the SSH port!’ Of course this makes sense and may help to an extent, but it still doesn’t solve the problem I’m facing: how do you manage server security on a tight budget with literally no system admin (except for me and I know I’m a n00b)? User passwords are randomly generated, we use a non-standard SSH port, and do not use any unencrypted services such as FTP. Is there a server monitoring program you would recommend? Is there an ISP or Web-based service that specializes in this?”



Read more of this story at Slashdot.
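A small defender-side check for the situation described above, as an added example (not code from the original post or its author): it parses constructed OpenSSH "Failed password" syslog lines, counts failures per source address, and flags sources that exceed a threshold or that probe accounts that do not exist.

```python
"""Count failed SSH logins per source address from sshd syslog lines.

Added example; the log lines below are constructed, not a real capture.
The regex targets OpenSSH's "Failed password for ..." message format.
"""
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  6 10:01:02 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  6 10:01:05 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  6 10:01:09 web1 sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Mar  6 10:02:11 web1 sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar  6 10:03:00 web1 sshd[1250]: Failed password for invalid user oracle from 192.0.2.44 port 33333 ssh2
Mar  6 10:03:30 web1 sshd[1251]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (ip, user, is_invalid_user) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))


def failures_by_source(log_text):
    """Return a Counter of failed attempts keyed by source IP."""
    return Counter(ip for ip, _user, _invalid in parse_failures(log_text))


def suspicious_sources(log_text, threshold=3):
    """Sources with >= threshold failures, plus any source that tried a
    non-existent account (one "invalid user" hit already looks like a scan).
    Returned as (ip, count), most active first."""
    counts = failures_by_source(log_text)
    invalid_hits = {ip for ip, _u, inv in parse_failures(log_text) if inv}
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold or ip in invalid_hits]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f"{ip:15s} {n} failed logins")
```

Run it against a real auth.log to get the same per-source tally the submitter found by hand; the flagged list is what a ban tool or alert rule would consume.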



Cloud security loomed over the RSA Conference this week as a major concern of business, but worry about the threat of cyber war was also strong, with officials from the White House and FBI weighing in to encourage private participation in government efforts to defend information and communications networks.
Posted by Soulskill | Posted in News, Security | Posted on 03-03-2010
An anonymous reader writes “The Obama administration on Tuesday declassified part of the Comprehensive National Cybersecurity Initiative created during the Bush administration, outlining offensive and defensive strategies for protecting information networks. The initiative was originally intended to unify efforts of a number of government agencies into a comprehensive strategy to protect the nation’s computer networks. ‘One area in which the government did officially disclose new details was Einstein 3, a program to protect civilian government systems from intrusion by deploying sensors on the networks of private telecommunications companies. For the first time, the government disclosed officially that the program would use technology developed by the NSA, the nation’s largest intelligence agency. It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails.’”



Read more of this story at Slashdot.



Posted by kdawson | Posted in News, Security | Posted on 02-03-2010
Ian Lamont writes “Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box.”



Read more of this story at Slashdot.



Posted by kdawson | Posted in News, Security | Posted on 02-03-2010
snydeq writes “A new breed of ‘spear phishing’ aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company’s network defenses. The authentic-looking emails, which often include the admin’s complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if they had been sent by the company’s hosting provider. ‘In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they’re continuing to bring online.’ The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack ‘makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.’”



Read more of this story at Slashdot.



Posted by Soulskill | Posted in News, Security | Posted on 02-03-2010
An anonymous reader writes “Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. And this data is based on software developers who took the time and effort to have their code tested — who knows about the others.”
Reader sgtrock pointed out another interesting snippet from the article: “‘The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That’s encouraging,’ Oberg says. And it was the quickest to remediate any flaws: ‘It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,’ he says.”



Read more of this story at Slashdot.



Posted by Justin Ryan | Posted in Security, Sudo, Vulnerability | Posted on 02-03-2010
Among the important benefits of Linux’s permission hierarchy is its ability to keep untrusted users from running amok. The all-or-nothing nature of root access, however, can present headaches when users are trusted, but only so far. That is a problem the sudo utility attempts to solve, and does so fairly well — except for the occasional glitch.



Posted by kdawson | Posted in News, Security | Posted on 01-03-2010
eldavojohn writes “Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed ‘Aurora’ attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: ‘1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim’s machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.’ The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of.”



Read more of this story at Slashdot.



Posted by Soulskill | Posted in News, Security | Posted on 28-02-2010
xsee writes “Only hours after the earthquake and resulting tsunami in Chile, hackers began manipulating search results to direct people seeking information on the event to infected webpages. Exercise caution as to where you get information on this tragedy. Chester Wisniewski describes what happened after he saw a suspicious site listed second on a Google search: ‘It appears to be a normal website with information and videos about different Asian tsunamis over the past few years. It is difficult to tell whether this particular page was SEO-optimized, or was an innocent victim of a malicious script. SophosLabs got back to me that this page contains some obfuscated malicious JavaScript that we detect as MAL/ObfJS-R. This script was appended after the normal code on the page.’”



Read more of this story at Slashdot.



Posted by kdawson | Posted in News, Security | Posted on 27-02-2010
eggboard writes “Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His ‘Enhanced TKIP Michael Attacks’ still don’t allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he’s figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it’s another crack in the older key standard (TKIP) that no one with serious security interests should still be using.” Here is Beck’s paper (PDF) describing the new attacks.



Read more of this story at Slashdot.



Posted by timothy | Posted in News, Security | Posted on 26-02-2010
Trailrunner7 writes “SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate. It’s not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that. Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors.”
Los’s original blog post has more and better illustrations, too.



Read more of this story at Slashdot.



Posted by samzenpus | Posted in News, Security | Posted on 24-02-2010
Johnny Fusion writes “The writer of the Sucuri Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy’s network. Before he could ‘alert’ GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials.
There is an update where GoDaddy explains itself and says they will change policy.”



Read more of this story at Slashdot.



Posted by ScuttleMonkey | Posted in News, Security | Posted on 24-02-2010
eldavojohn writes “Move over Russell Crowe, an anonymous hacker in Latvia is being hailed as a real life modern Robin Hood. The hacker refers to himself as ‘Neo,’ claims allegiance with the Fourth Awakening People’s Army, and is outing banks that are capitalizing off of the horrible economic status Latvia is currently suffering from. No word on how he is acquiring the information but it is slowly being leaked to TV sources via Twitter and the common people love him. The hacker is thought to be based in Britain but a TV reporter pointed out the fine line Neo is walking, ‘On the one hand of course he has stolen confidential data … and he actually has committed a crime. But at the same time there is value for the public in the sense that now a lot of information gets disclosed and the whole system maybe becomes a little more transparent.’ An example of a juicy tidbit he revealed is that managers of a Latvian bank did not take the salary cuts they promised they would after the government bailed them out of economic trouble. You can imagine that taxpayers were upset and thankful they knew this information.”



Read more of this story at Slashdot.



Posted by CmdrTaco | Posted in News, Security | Posted on 24-02-2010
An anonymous reader writes “The inability to deflect even a simulated cyber attack or mitigate its effects shown in the exercise that took place some six days ago at Washington’s Mandarin Oriental Hotel doesn’t bode well for the US. Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. ‘We’re the most vulnerable. We’re the most connected. We have the most to lose,’ he stated. Three years ago, McConnell referred to cybersecurity as the ‘soft underbelly of this country’ and it’s clear that he thinks things haven’t changed much since then.”



Read more of this story at Slashdot.



The U.S. government, if confronted in a cyber war today, would not come out on top, a former U.S. director of national intelligence said Tuesday. “If the nation went to war today, in a cyber war, we would lose,” Mike McConnell told a U.S. Senate committee. “We’re the most vulnerable. We’re the most connected. We have the most to lose.”
Posted by kdawson | Posted in News, Security | Posted on 22-02-2010
redsoxh8r notes a blog post describing in some detail the operation of “man in the browser” Trojans used to empty victims’ bank accounts. “Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It’s simply not enough to eliminate a particular botnet and criminal group to solve this problem.”

Read more of this story at Slashdot.



Rather than targeting Web and email servers, attackers these days are prone to going after enterprises from the inside out, compromising end-user systems and then using them to access confidential data, according to a Web traffic analysis report by security-as-a-service provider Zscaler.