Anton RSS Feeds
This page summarizes a whole lot of security RSS feeds that I watch. Thanks to Chris Lee for a script that made this page possible!
Schneier on Security (08/07/08)
It was really big news yesterday, but I don't think it's that much of a big deal. These crimes are still easy to commit and it's still too hard to catch the criminals. Catching one gang, even a large one, isn't going to make us any safer.
If we want to mitigate identity theft, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
I am, however, impressed that we managed to pull together the police forces from several countries to prosecute this case.
London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won't be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.
Here's the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the "Mifare Classic" chip, is used in hundreds of other transport systems as well -- Boston, Los Angeles, Brisbane, Oslo, Amsterdam, Taipei, Shanghai, Rio de Janeiro -- and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world.
The security of Mifare Classic is terrible. This is not an exaggeration; it's kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.
The group that broke Mifare Classic is from Radboud University Nijmegen in the Netherlands. They demonstrated the attack by riding the Underground for free, and by breaking into a building. Their two papers (one is already online) will be published at two conferences this autumn.
The second paper is the one that NXP sued over. They called disclosure of the attack "irresponsible," warned that it will cause "immense damages," and claimed that it "will jeopardize the security of assets protected with systems incorporating the Mifare IC." The Dutch court would have none of it: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."
Exactly right. More generally, the notion that secrecy supports security is inherently flawed. Whenever you see an organization claiming that design secrecy is necessary for security -- in ID cards, in voting machines, in airport security -- it invariably means that its security is lousy and it has no choice but to hide it. Any competent cryptographer would have designed Mifare's security with an open and public design.
Secrecy is fragile. Mifare's security was based on the belief that no one would discover how it worked; that's why NXP had to muzzle the Dutch researchers. But that's just wrong. Reverse-engineering isn't hard. Other researchers had already exposed Mifare's lousy security. A Chinese company even sells a compatible chip. Is there any doubt that the bad guys already know about this, or will soon enough?
Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for. NXP's security was so bad because customers didn't know how to evaluate security: either they don't know what questions to ask, or didn't know enough to distrust the marketing answers they were given. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.
It's unclear how this break will affect Transport for London. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card. But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale. TfL promises to turn off any cloned cards within 24 hours, but that will hurt the innocent victim who had his card cloned more than the thief.
The vulnerability is far more serious to the companies that use Mifare Classic as an access pass. It would be very interesting to know how NXP presented the system's security to them.
And while these attacks only pertain to the Mifare Classic chip, it makes me suspicious of the entire product line. NXP sells a more secure chip and has another on the way, but given the number of basic cryptography mistakes NXP made with Mifare Classic, one has to wonder whether the "more secure" versions will be sufficiently so.
This essay originally appeared in the Guardian.
From the Dilbert blog:
They then said that I could not fill it out - my manager had to. I told them that my manager doesn't work in the building, nor does anyone in my management chain. This posed a problem for the crack security team. At last, they formulated a brilliant solution to the problem. They told me that if I had a grocery bag in my office I could put the laptop in it and everything would be okay. Of course, I don't have grocery bags in my office. Who would? I did have a windbreaker, however. So I went up to my office, wrapped up the laptop in my windbreaker, and went back down.
People put in charge of implementing a security policy are more concerned with following the letter of the policy than they are about improving security. So even if what they do makes no sense -- and they know it makes no sense -- they have to do it in order to follow "policy."
They're all here:
Via a Freedom of Information Act request (which involved paying $700 and waiting almost 4 years), The Memory Hole has obtained blank copies of most forms used by the National Security Agency.
Most are not very interesting, but I agree with Russ Kick:
They range from the exotic to the pedestrian, but even the most prosaic form shines some light into the workings of No Such Agency.
Oops. A laptop with the names of 33,000 people enrolled in the Clear program -- the most popular airport "trusted traveller" program -- has been stolen at SFO. The TSA is unhappy.
Stealing databases of personal information is never good, but this doesn't make a bit of difference to airport security. I've already written about the Clear program: it's a $100-a-year program that lets you cut the security line, and nothing more. Clear members are no more trusted than anyone else.
Anyway, it's easy to fly without an ID, as long as you claim to have lost it. And it's also easy to get through airport security without being an actual airplane passenger.
None of this is security. Absolutely none of it.
EDITED TO ADD (8/7): The laptop has been found. Turns out it was never stolen:
The laptop was found Tuesday morning in the same company office where it supposedly had gone missing, said spokeswoman Allison Beer.
"It was not in an obvious location," said Beer, who said an investigation was under way to determine whether the computer was actually stolen or had just been misplaced.
Why in the world do these people not use full-disk encryption?
Honeyclient Development Project (07/02/07)
It's been a long time, but that doesn't mean we have not been busy. I'm going to go ahead and do what I should have done a while back, so here's where our up-to-date project website is now at. At...
Aidan Lynch and Daragh Murray from Dublin City University have written a cool new extension to the honeyclient which they call the email honeyclient. This extension allows you to use Outlook to grab email URLs and send them back to...
Recently, a whole bunch of World of Warcraft (WoW) player accounts were compromised via a keylogger being installed on the users' machines. The infection epidemic was so bad that Blizzard Entertainment set up customer service lines for weekend support. This...
Dan Hubbard of Websense also gave a talk on honeyclient technology at ToorCon 7. It's good to see this technology area talked about in the security community. We really need to move away from reactive intrusion detection technologies, given that...
I've just posted my slides from the latest honeyclient talk at ToorCon 7. The slides can be downloaded here. I had a great time at ToorCon, and will talk more in detail about that on my personal weblog soon....
I will be speaking about honeyclients at the upcoming ToorCon 2005. If you are planning on attending ToorCon, or if you're in San Diego, please stop by and say 'hi'. There will be new information presented at ToorCon, and I...
Microsoft released a technical paper, entitled Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. The paper can be downloaded here. I read the paper and thought it was very interesting. 'HoneyMonkeys' is Microsoft's term for...
Since RECON, I've been busy with my day job, and with travelling. Finally, over the long weekend, I was able to fix a bug in the previous honeyclient release. Namely, the MSIE browser caching mechanism was giving me some problems....
I just posted the slides that were used during yesterday's honeyclient talks at RECON. They are now downloadable off the main page. I am still in Montreal today, and will be returning home tomorrow. Today, I enjoyed sightseeing around the...
I gave a talk today at RECON on honeyclients. Also, the world's first open-sourced honeyclient has just been released during my talk. Download the latest tarball from the download section on the main page. Talking to the people at RECON...
I thought that this article from eWeek highlighted only the beginning of what we will start to see with increasing frequency - multi-staged attacks. I just called this attack 'Cerberus-like' because it is a three step attack. Basically, the first...
How could it be that a company in Russia is building a business around infecting other people's machines? 'No way!', you say. Well, this article from Information Week has the details. This Russian company (which I will not link directly...
According to this Slashdot post, Microsoft has their own version of a honeyclient, which they call 'honeymonkeys'. I have to say, that's a cute moniker. More importantly, though, this goes to show that it's becoming increasingly important to actively seek...
Next time you try and access Google, be careful how you type. This article in eWeek points out that typing 'googkle' instead of 'google' lands you at a malicious site that then attempts to install beasties such as backdoors and...
This article talks about how attackers are now using fake weblogs to entice users to click on certain links. Once those links are accessed, malware such as keyloggers and trojans are uploaded to the victim host from the malicious server....
SANS Internet Storm Center, InfoCON: green (08/07/08)
Cleanup in aisle 3 please. Asprox lying around
Whilst looking for something completely different I came across our old friend ASPROX. See previous d ...(more)...
You don't have to be the oracle of Delphi to be able to predict that the next few weeks are go ...(more)...
Some time ago, one of our readers, Mike S, sent an e-mail with an interesting observation about how ...(more)...
Among the frantic activity to get all the DNS resolvers patched, very little has been said on how to ...(more)...
If you missed last week's chance to get your airplane ticket, you currently have a secon ...(more)...
Over the last weeks, with all the attention focused on DNS, we have seen a couple of news articles m ...(more)...
A few months ago I took over the Abuse Department for a small ISP in the Midwest. Lit ...(more)...
We received several reports (thanks Thanos and Jim) of sites which use the Sitemeter visitor counter ...(more)...
SecuriTeam.com (08/07/08)
The 8e6 Professional Edition offers "high-performance, enterprise-level filtering with the R3000 Internet Filter. An appliance optimized for speed and scalability, the R3000 provides 90+ categories and millions of Web sites in the 8e6 Database. Deployed in pass-by or transparent mode, the R3000 sits outside the flow of network traffic to "watch" rather than "stop and check", delivering unmatched network compatibility and performance". The filtering the 8e6 Technologies R3000 performs on HTTP requests can be bypassed by sending it a malformed Host field, which lets an attacker evade the restrictions imposed by the 8e6 solution.
A vulnerability in the way Wireshark handles RMI packets allows attackers to cause the Wireshark program to read beyond the buffer used to store data, which in turn allows the attacker to read arbitrary memory and also crash the Wireshark product.
"America's Army (also known as AA or Army Game Project) is a tactical multiplayer first-person shooter owned by the United States Government and released as a global public relations initiative to help with U.S. Army recruitment." A vulnerability in the AA (America's Army) server allows attackers to cause it to fail by sending it an invalid voice index packet.
Virtualization technologies allow users to run different operating systems simultaneously on top of the same set of underlying physical hardware. This provides several benefits to end users and organizations, including efficiency gains in the use of hardware resources, reduction of operational costs, dynamic re-allocation of computing resources and rapid deployment and configuration of software development and testing environments.
A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell eDirectory. Authentication is not required to exploit this vulnerability.
A vulnerability in libxslt allows attackers that can supply an arbitrary XSLT file to cause the library to overflow an internal buffer which in turn can be used to execute arbitrary code.
The message argument of Apache Tomcat's HttpServletResponse.sendError() call is not only displayed on the error page, but is also used as the reason phrase of the HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user-supplied data must be included in the message argument.
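The entry above names two sinks for one untrusted string: the status line, where a CR/LF in the message splits the response, and the error page, where unescaped markup executes. The following is an added example written for this page in Python as a stand-in for the servlet container's response writer; it is not Tomcat's code, and the response layout, the PAYLOAD string and the CANONICAL phrase table are constructed here. It puts the flawed builder beside a hardened one that only lets a grammatically legal reason phrase reach the status line and HTML-escapes the message in the body.

```python
"""Reason-phrase injection via an error message copied into the status line.
Added example (stand-in for a container's response writer, not Tomcat code)."""
import html
import re

# Standard phrases used when the caller's message cannot safely be a reason phrase.
CANONICAL = {400: "Bad Request", 403: "Forbidden", 404: "Not Found",
             500: "Internal Server Error"}

# RFC 7230 reason-phrase = *( HTAB / SP / VCHAR / obs-text ); CR and LF never qualify.
_REASON_PHRASE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


def error_page(code, message, escape):
    text = html.escape(message) if escape else message
    return f"<html><body><h1>HTTP Status {code} - {text}</h1></body></html>"


def error_response_unsafe(code, message):
    """The flawed pattern: the message is used verbatim as the reason phrase
    and again, unescaped, inside the error page."""
    body = error_page(code, message, escape=False)
    return (f"HTTP/1.1 {code} {message}\r\n"
            f"Content-Type: text/html\r\n"
            f"Content-Length: {len(body.encode())}\r\n"
            f"\r\n{body}")


def reason_phrase(code, message):
    """Admit the message only if it is a legal reason phrase; otherwise fall
    back to the standard phrase for the status code."""
    if message and _REASON_PHRASE.fullmatch(message):
        return message
    return CANONICAL.get(code, "Error")


def error_response_safe(code, message):
    """Hardened: validated reason phrase, HTML-escaped message in the body."""
    body = error_page(code, message, escape=True)
    return (f"HTTP/1.1 {code} {reason_phrase(code, message)}\r\n"
            f"Content-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(body.encode())}\r\n"
            f"\r\n{body}")


def parse_response(raw):
    """Split a response the way a client does: status line, header dict, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


# Constructed attacker-controlled message, e.g. echoed from a request parameter.
PAYLOAD = ("Not Found\r\nSet-Cookie: JSESSIONID=attacker\r\n"
           "X-Note: <script>alert(1)</script>")

if __name__ == "__main__":
    for builder in (error_response_unsafe, error_response_safe):
        status, headers, body = parse_response(builder(404, PAYLOAD))
        print(builder.__name__, status, sorted(headers), "<script>" in body)
```

Feed the same PAYLOAD through both builders and compare the header dicts: the unsafe response grows an attacker-chosen Set-Cookie header and carries live script in the body; the hardened one keeps the canonical "Not Found" phrase, only the two real headers, and an escaped body.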
Mac OS X is "a Unix operating system built from the XNU kernel. Mac OS X provides all the standard Unix capabilities and tools with an additional GUI component". Remote exploitation of an integer overflow vulnerability in Apple Inc.'s Mac OS X could allow an attacker to execute arbitrary code with the privileges of the currently logged in user.
Ingres Database is "a database server used in several Computer Associates' products. For example, CA Directory Service uses the Ingres Database server". Multiple local issues have been found in the Ingres database product.
SAP's MaxDB is "a database software product". MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "dbmsrv" program is set-uid "sdb", set-gid "sdba", and installed by default. Local exploitation of an untrusted path vulnerability in the "dbmsrv" program, as distributed with SAP AG's MaxDB, allows attackers to elevate privileges to those of the "sdb" user.
Hewlett-Packard's Internet Services provides "end-user emulation of major business applications and a single integrated view of the Internet infrastructure". Remote exploitation of a denial of service vulnerability in Hewlett-Packard's Internet Services Probe Builder product allows an unauthenticated attacker to terminate any process.
Several cross-site scripting vulnerabilities were found within Outlook Web Access (OWA) 2003/2007. An attacker can craft a malicious email which will trigger within a user's browser. Different versions of OWA and different clients (Light and Premium) have different attack vectors, which can result in an attacker gaining *persistent* control over a victim's use of Outlook Web Access. An attacker would have full control of and access to the victim's e-mail account. This control could be further abused by utilising techniques such as JavaScript root-kits or web worms.
This security update resolves two privately reported vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.
This security update resolves a publicly reported vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client's session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client's OWA session.
This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry in the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.
This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry in the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.
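The two exploit descriptions above share one mechanism: the resolver is made to ask for names nobody has cached, and every spoofed reply carries authority and additional records that sit inside the target domain. Below is an added example written for this page (not taken from the exploit modules or from any resolver's source): it builds the forged reply in DNS wire format and then applies the bailiwick filter a caching resolver uses when deciding what to keep from the authority and additional sections. The names example.com, ns1.example.com, attacker.example, www.bank.example and the addresses 192.0.2.1 and 198.51.100.66 are constructed (documentation ranges). The check makes the point of the entries above concrete: glue for a host outside the queried zone is dropped, but the in-bailiwick NS and A records of the described variant pass the filter and are cached, so what is left to defend the cache is how hard the 16-bit transaction ID and the source port are to guess.

```python
"""Forged reply for the cache-poisoning variant described above, plus the
resolver-side bailiwick filter. Added example; names and addresses constructed."""
import struct

A, NS = 1, 2


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if jumped else off)


def rr(name, rtype, rdata, ttl=86400):
    """One resource record: NAME TYPE CLASS=IN TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def forged_reply(txid, qname, zone, ns_name, glue_ip):
    """What the attacker sends while the victim resolver waits for <qname> A:
    any answer for the random name, an authority NS record for <zone>, and an
    additional A record that maps that nameserver to the attacker's address."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 1, 1)  # QR=1, AA=1, one RR per section
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    answer = rr(qname, A, ip4("192.0.2.1"))
    authority = rr(zone, NS, encode_name(ns_name))
    additional = rr(ns_name, A, ip4(glue_ip))
    return header + question + answer + authority + additional


def parse_reply(msg):
    """Return [(section, owner, type, rdata)] for every RR in the message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == NS:
                rdata = decode_name(msg, off)[0]
            elif rtype == A:
                rdata = ".".join(str(b) for b in rdata)
            off += rdlen
            records.append((section, owner, rtype, rdata))
    return records


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cacheable(records, zone):
    """Bailiwick filter: keep only RRs whose owner lies in the zone the queried
    server speaks for. This stops the classic 'extra A record for some other
    site' poisoning, but the variant above keeps every record in-bailiwick."""
    return [r for r in records if in_bailiwick(r[1], zone)]


if __name__ == "__main__":
    msg = forged_reply(0x1234, "rand7f3a.example.com", "example.com",
                       "ns1.example.com", "198.51.100.66")
    for record in cacheable(parse_reply(msg), "example.com"):
        print(record)
```

Running the forged reply through parse_reply() and cacheable() keeps all three records, including the additional record that now points the zone's nameserver at the attacker; a reply whose additional record names a host outside the queried zone loses that record and nothing else.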
A vulnerability in the way Simple DNS Plus handles incoming DNS queries allows a remote attacker to cause the product to fail by sending it a malformed DNS request.
A vulnerability in Alt-N SecurityGateway allows remote attackers to overflow a buffer found inside the SecurityGateway.dll which would allow a remote attacker to cause the program to execute arbitrary code.
"freeSSHd, like its name says, is a free implementation of an SSH server." A vulnerability in freeSSHd allows remote attackers to cause the server to overflow an internal buffer by sending it an arbitrarily long change-directory request.
A new class of vulnerabilities has been discovered in Oracle; these vulnerabilities can be exploited through Oracle's ability to allow users to manipulate the way certain internal functions work.
The Windows DNS stub resolver is a Windows service used by Windows desktop software to resolve DNS names into IP addresses. The DNS stub resolver forwards DNS queries to the DNS server configured for the workstation (or server) and returns the DNS server's response to the requesting software.
The paper linked below shows that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. The paper also demonstrates the methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with Mac OS X; and dm-crypt, which is used with Linux.
A serious weakness has been discovered in OpenBSD's PRNG, which allows an attacker to predict the next transaction ID (typically up to 8-10 guesses) given a series of consecutive 12-15 transaction IDs.
For those researchers who are interested in driver security, and also for driver writers, the paper "Exploiting WDM Audio Drivers" has been released.
SANS NewsBites (08/07/08)
More than 40 courses, SANS top instructors, all in one great place! SANSFIRE 2008 is being held in Washington, DC on July 22-31. Register today!
In a 3 to 2 vote, the US Federal Communications Commission (FCC) said that Comcast violated federal policy by throttling Internet traffic for subscribers using BitTorrent file sharing software.......
The US Senate has unanimously approved an amended version of the Identity Theft Enforcement and Restitution Act, sponsored by Senators Patrick Leahy (D-Vt.......
Police in the Netherlands have arrested two brothers who allegedly controlled an international botnet of 40,000 to 100,000 computers; just 1,100 of the compromised machines were in the Netherlands.......
Firewall vendors are "scrambling" to update their products to address a problem in the software that undoes the source port randomization component of the recently released DNS patches.......
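Both the item above (a middlebox undoing source-port randomization) and the SecuriTeam note on OpenBSD's predictable transaction IDs come down to the same question: how many of the 32 bits an attacker must guess per forged packet are actually random once a query leaves the network? The check below is an added example written for this page, not code from SANS, any firewall vendor or OpenBSD. It takes the (transaction ID, source port) pairs of a resolver's outbound queries, as a capture from outside the firewall or NAT would show them, classifies each field, and estimates how many forgeries a poisoning attempt needs. All four samples, the 80% step threshold and the 1/16-of-the-space "narrow" cut-off are constructed choices for illustration.

```python
"""Does port randomization survive the path out of the network? Added check,
written for this page; samples and thresholds are constructed."""

SPACE_BITS = 16                      # transaction ID and UDP port are both 16 bits wide


def deltas(values):
    return [b - a for a, b in zip(values, values[1:])]


def classify(values):
    """Return 'fixed', 'sequential', 'narrow' or 'random-looking' for one field."""
    if len(set(values)) == 1:
        return "fixed"
    steps = deltas(values)
    # A counter, or a NAT handing out ports in order, advances by 0..2 nearly
    # every time; genuinely random 16-bit values almost never do.
    if steps and sum(1 for s in steps if 0 <= s <= 2) / len(steps) >= 0.8:
        return "sequential"
    # Values confined to under 1/16 of the space (4096 of 65536): a small NAT pool.
    if max(values) - min(values) < (1 << SPACE_BITS) // 16:
        return "narrow"
    return "random-looking"


def forgeries_for_half(txid_verdict, port_verdict):
    """Spoofed replies needed for roughly a 50% chance that one matches the
    outstanding query. Each field the attacker can predict removes 16 bits."""
    bits = sum(SPACE_BITS for v in (txid_verdict, port_verdict) if v == "random-looking")
    return max(1, (1 << bits) // 2)


def assess(observations):
    """observations: list of (transaction_id, source_port) in capture order."""
    txids = [t for t, _ in observations]
    ports = [p for _, p in observations]
    tv, pv = classify(txids), classify(ports)
    return {"txid": tv, "port": pv, "forgeries_for_50pct": forgeries_for_half(tv, pv)}


# Constructed samples of (txid, source port) as a packet capture would show them.
RANDOMIZED = [(0x3a91, 54017), (0x0c2e, 1378), (0xe47b, 39920), (0x71d0, 62285),
              (0x9b05, 20161), (0x2f6a, 47733), (0xd913, 6009), (0x4ce8, 30474)]
# The same resolver seen past a NAT that rewrites ports in order: randomization undone.
NATTED = [(t, 1024 + i) for i, (t, _) in enumerate(RANDOMIZED)]
# A NAT allocating from a small pool: ports vary, but only within a few thousand values.
RESTRICTED = [(t, 33000 + p) for (t, _), p in
              zip(RANDOMIZED, [517, 2830, 91, 3742, 1605, 2288, 966, 3301])]
# An unpatched resolver: counting transaction IDs sent from a fixed port 53.
COUNTER = [(0x1000 + i, 53) for i in range(8)]

if __name__ == "__main__":
    for name, sample in (("randomized", RANDOMIZED), ("natted", NATTED),
                         ("restricted", RESTRICTED), ("counter", COUNTER)):
        print(name, assess(sample))
```

The pairs come straight out of a capture of outbound queries (for example `tcpdump -n 'udp dst port 53'` taken on the outside interface), and the capture point matters: taken inside the firewall the RANDOMIZED sample is what you see, taken outside it may be the NATTED one, which is the situation the item above describes.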
Apple released a patch for the recently disclosed and exploited DNS vulnerability, but while it fixes Mac OS X systems used as DNS servers, it does not protect Macs being used as client systems.......
According to recently released documents from the US Department of Homeland Security (DHS), federal agents have the authority to "detain" travelers' electronic devices, including laptop computers, for an unspecified period of time even if the traveler is not suspected of any wrongdoing.......
At a hearing on Monday, August 4, US District Judge Michael Davis implied that he is likely to declare a mistrial in the case in which a verdict was reached last October.......
An attorney for the defendant in a New York federal court case regarding illegal file distribution through the Kazaa network says his client did share files, but is arguing that the damages sought by the RIAA are excessive and is looking to change the law that allows them.......
A former Countrywide Financial Corp.......
Some life and health insurance companies are starting to use information from commercial medical databases to make their decisions on individual consumer coverage.......
When the history of Internet security is written, and the authors search for people who made a difference, they are going to find that Scott Charney will be near the top of most experts' list.......
@RISK: The Consensus Security Alert (08/07/08)
Category: Widely Deployed Software
Affected: RealPlayer versions prior to 11

Category: Widely Deployed Software
Affected: Trend Micro OfficeScan versions 7.3 and prior

Category: Widely Deployed Software
Affected: HP OVIS Probe Builder versions 2.2 and prior

Remaining alerts by platform (item titles absent from this feed copy; only platform and CVE survived), 113 in total:
Cross Platform: 13 entries; CVEs: CVE-2008-3263, CVE-2008-1447, CVE-2008-3264, CVE-2008-3064, CVE-2008-1667, CVE-2008-3329; 7 without a CVE
Linux: 3 entries; CVEs: CVE-2008-3247, CVE-2008-1946; 1 without a CVE
Network Device: 1 entry; no CVE
Third Party Windows Apps: 11 entries; CVEs: CVE-2007-5400, CVE-2008-3066; 9 without a CVE
Unix: 2 entries; CVEs: CVE-2008-2375; 1 without a CVE
Web Application: 44 entries; CVEs: CVE-2008-3335, CVE-2008-3199; 42 without a CVE
Web Application - Cross Site Scripting: 15 entries; CVEs: CVE-2008-3336, CVE-2008-3328, CVE-2008-3334, CVE-2008-3100; 11 without a CVE
Web Application - SQL Injection: 24 entries; no CVEs
worm blog (05/01/08)
Details are sketchy at this point, but is Facebook undergoing an XSS worm attack? I checked with my Aunt, and she thinks someone may have stolen her password and hijacked her account to send out those messages to all her...
With the recent Orkut worm, and a few MySpace worms, web/XSS worms are a very interesting topic. Here's someone's attempt on the Ph4nt0m group discussion site who is trying to create a sustainable, growable XSS worm. It seems that the...
The Virus Bulletin conference is coming up later this year, but the call for papers closing is only a month and a half away. VB is a nice, fun conference where a lot of top - and rising - AV...
The First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08) has a CFP that closes soon. From the CFP: Overview As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive...
A friend pointed this out to me. Evidently the Sla.ckers.org website is hosting a "Diminutive XSS Worm Replication Contest". Their mission: to see who can write a new XSS worm (like the MySpace one, the recent Orkut one, etc). The...
Morning, everyone. I know Wormblog has been very, very silent lately as I've been very busy with work. However, I'll wake it up and post a conference call for papers that applies here. I'm on the PC for WORM07, so...
This isn't the first time a worm (self replicating code) has hit a large online game, and it won't be the last. Via various news outlets (like this BBC story, Slashdot, and the official Second Life blog: [PST 2:44PM]...
A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and its effects. Very good example, and something you can learn from. This paper attempts to document an...
I can't let another week go by and not post a paper on worm modeling. This one looks at a more rigorous model of how a "Flash Worm" would work. Some decent math, it's worth the effort to make sure...
I had a great time at WORM06 in Fairfax last week, and in my scramble to get work done in preparation for a day out of the office Wormblog updates slipped. This paper comes from a conference on swarm intelligence...
Donna's SecurityFlash (08/07/08)
Microsoft is planning to release 12 Security Bulletins on August 12, 2008 that affect Microsoft Windows, Microsoft Office and some components of Windows such as:
- Windows Messenger
- Internet Explorer
- Outlook Express/Windows Mail
- Media Player
The affected Operating Systems are as follows:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
The affected Microsoft Office products are:
- Microsoft Works 8
- Microsoft Office 2000 SP3
- Microsoft Office XP SP3
- Microsoft Office 2003 SP2 and SP3
- Microsoft Office System 2007 and with SP1
- Microsoft Office Project 2002
- Snapshot Viewer for Microsoft Access
- Microsoft Office PowerPoint Viewer 2003
- Microsoft Office Excel Viewer 2003 and with SP3
- Microsoft Office Excel Viewer
- Microsoft Office Converter Pack
- Microsoft Office Compatibility Pack
- Microsoft Office SharePoint Server 2007 and with SP1
- Microsoft Office 2004 for Mac
- Microsoft Office 2008 for Mac
They also plan to release an updated version of the Microsoft Windows Malicious Software Removal Tool.
Microsoft is also planning to release the following non-security updates on August 12, 2008 via the Windows Update website:
- Windows Mail Junk E-mail Filter [August 2008] (KB905866)
- Windows Home Server Power Pack 1 (KB944289)
- Update for Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP (KB951072)
- Update for Windows Server 2008, Windows Vista, and Windows XP (KB951618)
- Update for Windows Server 2008, Windows Vista, and Windows XP (KB952287)
- Update for Windows Server Update Services (WSUS) 3 Service Pack 1 (KB954960)
References:

Today's malware SPAM will try to trick users into downloading the latest version or update for Internet Explorer 7 - update.exe. The email spoofs a Microsoft email address, admin @ microsoft.com
http://www.dozleng.com/updates/index.php?showtopic=16321

2008-antivirus-free.com
2008-antivirus-free.net
2008-antivirus-software.com
2008-antivirus-software.net
2008-antivirus.net
2008-free-antivirus.com
2008-free-antivirus.net
2008-software-antivirus.com
2008-software-antivirus.net
2008-xp-antivirus.com
2008antivirusfree.com
2008antivirusfree.net
2008antivirussoftware.com
2008antivirussoftware.net
2008antivirusxp.net
2008freeantivirus.com
2008freeantivirus.net
2008softwareantivirus.com
2008softwareantivirus.net
2008xpantivirus.com
2008xpantivirus.net
antivirus-2008-free.com
antivirus-2008-free.net
antivirus-2008-software.com
antivirus-2008-software.net
antivirus-free-2008.com
antivirus-free-2008.net
antivirus-software-2008.com
antivirus-software-2008.net
antivirus2008free.com
antivirus2008free.net
antivirus2008software.com
antivirus2008software.net
antivirus2008xp.net
antivirus2009-software.com
antivirusfree2008.com
antivirusfree2008.net
antivirusgl.com
antivirusprotection.us
free-2008-antivirus.com
free-2008-antivirus.net
free-antivirus-2008.com
free-antivirus-2008.net
free2008antivirus.com
free2008antivirus.net
freeantivirus2008.net
nowantivirus.com
software-2008-antivirus.com
software-2008-antivirus.net
software-antivirus-2008.com
software-antivirus-2008.net
software2008antivirus.com
software2008antivirus.net
softwareantivirus.net
softwareantivirus2008.com
softwareantivirus2008.net
testyourantivirus.com
xp2008antivirus.net
xp-2008.com
antivirus-xp-2008.net
2008antivirusxp.com
adware-download.com
http://www.dozleng.com/updates/index.php?showtopic=16312 for webpage preview (screenshot)
If you are using Outpost Firewall, consider using the IP Blocklist feature. I update that daily and you can download it at the CoU download page. When I try to block the above long list of domains... I only have to block six (6) because all the others are using IP addresses that are already blocked by the Outpost IP Blocklist, which means IP Blocklist users are protected from those bad domains at once. Even the IP address of freewslink.adalert.hop.clickbank.net, which will redirect users to another rogue domain, is already blocked. I still use the HOSTS file because some bad domains are pointing to legitimate sites, and I thank the vendors or hosting companies for the quick assistance in cleaning up the bad domains or taking care of bad and rogue sites by redirecting them to non-malware pages.

Symantec found an exploit case of Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed.
Symantec wrote:
Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it.
Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim's computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.
https://forums.symantec.com/syment/blog/article?message.uid=341705
Read Microsoft's Security Advisory on this issue at:
http://blogs.technet.com/msrc/archive/2008/07/07/snapshot-viewer-activex-control-vulnerability.aspx
http://www.microsoft.com/technet/security/advisory/955179.mspx
Apply the suggested action until the patch is released.
Thanks to Tim for the alert.

antivirus-xp-2008. net
2008antivirusxp. com
Another domain that offers rogue software (AdwareAlert) is adware-download. com
The above is a report by Malware Database blog: http://malwaredatabase.net/blog/index.php/2008/08/05/sponsored-result-does-not-equal-safe/ after searching using Google with the keyword "CNN Top 10 XP Antivirus"
Add them to your block list, hosts file or restricted sites.
http://www.dozleng.com/updates/index.php?showtopic=16312

NextAdvisor.com, the trusted, independent source for comparing the most valuable Internet services, is launching a new comparison of Internet security software providers. Internet security software combines tools that protect consumers and their personal computers from spyware, adware, computer viruses, phishing attacks and email spam.
"Keeping your PC secure requires way more than simple antivirus protection at this point," said NextAdvisor.com Vice President of Research Joe Fahrner. "Our goal in launching the Internet security software comparison on NextAdvisor.com is to educate consumers on the many risks that the Internet represents to their computers and their identities while also providing detailed information on how to prevent being victimized."
http://news.yahoo.com/s/prweb/20080806/bs_prweb/prweb1183904;_ylt=A0wNcw6ylZlI3RsAUAbNybYF

Google hosted applications continue to be a favourite destination for malware authors to create infected web pages.
The trend of abusing Google applications such as Google Docs and Google Calendar has continued with spammers now setting their sights on Google Sites, an application that allows surfers to create collaborative internet projects.
Security firm MessageLabs noticed a significant trend in July for infected pages on Google Sites as it allows even a novice to create a malware infected page.
http://www.webuser.co.uk/news/264951.html

This week it's Twitter's turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for "pretty rabbit" which has a photo advertising a video with girls posted.
This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.
http://www.viruslist.com/en/weblog?weblogid=208187551

ValueClick is still facing the music in terms of heavy fines issued against them this year, following prosecution under the CAN-SPAM act that saw them shell out millions on top of losing some important customers. Now, the company has agreed to settle a case brought against them due to the pushing of adware.
Under the settlement, ValueClick will pay $1 million due to their part in allowing adware to be pushed through their service. While ValueClick itself did not personally insert adware into advertisements, they allowed their affiliates to do so and didn't hold them to any code of conduct.
http://www.techspot.com/news/31103-ValueClick-to-pay-1-million-in-settling-adware-case.html

3 highlights today:
- Malware SPAM: Your order - it will download name.avi.exe (screenshot of email and malware scanner result here)
- Storm Worm: YourLettercard.com, FreePostcardOnline.com & BestLetterCard.com - will download malware also. (screenshot of email and malware scanner result here)
- Malware SPAM: CNN.com Daily Top 10 - will download get_flash_update.exe. (screenshot of email and malware scanner result here)

I have not received the SPAM message "New shopping new life", but there are users in the CNET forums and on other sites or blogs who are experiencing issues.
The email is known to be SPAM, phishing and malware because it will send emails to all contacts in your Gmail, Hotmail or Yahoo account. The report by users (Mac and PC users) is that they allowed Facebook to access their Hotmail, Gmail or Yahoo contacts.
Please scan your system using any antimalware, or change the passwords of your email accounts.
If you receive this type of email, do not even view it, do not click on it, and delete it right away.
Posted also in CoU Alerts Forums

Brett Letkehus, Technology Coordinator at Jefferson High School in Boulder, Montana, has been a devoted fan of AVG's security products for his home computer for many years. It took rather longer - and a lot of virus infections - before he was able to convince the school to adopt the same powerful AVG technology for its network.
"Jefferson High has 20 teachers, 20 administrative staff, and around 270 students," said Letkehus. "At any one time, there are more than 150 computers and servers in use on the network, so the potential for infection is pretty high. When I came on board, the school was using Symantec's Norton AntiVirus to keep the network clean. While the software has a good reputation for ease of use, my experience with the product was not too good at keeping viruses out."
http://www.24-7pressrelease.com/press-release-rss/montana-school-reaps-the-benefits-of-avg-network-protection-59271.php

Mozilla Firefox is prone to a remote denial-of-service vulnerability.
Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.
This issue affects Firefox 3.0 and 3.0.1; other versions may also be affected.
http://www.securityfocus.com/bid/30486/discuss

As athletes wait for the smog to clear over the Olympic city, reports suggest that another dark cloud of controversy is looming.
Chinese authorities have demanded that Beijing hotels, under the threat of severe penalties, install spyware on hotel guest communications.
It means all internet and communications activities of the anticipated 10,000 accredited media, another 5,000 unaccredited media, as well as international visitors, will be monitored by the Chinese Public Security Bureau.
http://www.travelmole.com/stories/1130481.php?mpnlog=1

Computer hackers may have accessed Social Security numbers and other personal data for 9,100 people connected to the University of Texas at Dallas, the school's second such case in recent years.
School officials told The Dallas Morning News on Thursday it was unclear whether hackers actually viewed the information, but names, addresses, e-mail addresses and telephone numbers were exposed.
The breach was discovered July 12 by the university's computer security staff. UTD did not alert those affected until Thursday because it took time to determine exactly whose data may have been exposed, officials said.
http://www.chron.com/disp/story.mpl/ap/tx/5919353.html

Kaspersky Lab, a leading developer of secure content management systems, has detected two variants of a new worm, Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b, which attack MySpace and Facebook respectively. As part of their malicious payload, the worms transform victim machines into zombie computers to form botnets.
Even though the worms are currently only infecting MySpace and Facebook users, Kaspersky Lab analysts are warning users that the worms are designed to upload additional malicious modules with other functionality via the Internet. It is highly probable that victim machines will not only be used for spreading links via these social networking sites, but the botnets will also be used for other malicious purposes.
Net-Worm.Win32.Koobface.a spreads when a user accesses his/her MySpace account. The worm creates a range of commentaries to friends' accounts. Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users' friends via the Facebook site.
http://www.kaspersky.com/news?id=207575670

You can read it at their blog entitled "Safe Summer Travels on the Information Superhighway"

One of the bad guys --> S3RVAK(dot)COM with IP address 196.32.220.2. Registered to PrivacyProtect.org, which also serves rogue software like antispycheck, antivirus-2009pro and antispywareboss
Block and avoid the above domain by adding in your blocklist/hosts file.
More info: http://www.dozleng.com/updates/index.php?showtopic=16246
