The BEZPEKA portal - all about IT security




News for 3 July 2008

  • 22:57 On deck from MS: Four important patches but nothing for IE
  • Next Tuesday, Microsoft plans to ship four security updates for multiple flaws affecting Windows, Microsoft SQL Server and Microsoft Exchange Server but the absence of fixes for publicly known Internet Explorer issues is causing raised eyebrows among security professionals. According to the company’s advance notice for July’s Patch Tuesday, all four bulletins will be rated “important,” [...]

  • 22:54 Review: Google Apps Hacks
  • Author: Philipp Lenssen. Pages: 361. Publisher: O'Reilly. ISBN: 059651588X. Introduction: Practically everyone on the Internet uses Google for one of its many services. Once only a search engi...

  • 21:37 Apple caught neglecting iPhone security
  • If you’re waiting on iPhone 2 to standardize your business on the awesome new device (yeah, I’ll be on line to buy one), you might want to pay attention to the conspicuous absence of iPhone security patches over the last four months. As WaPo’s Brian Krebs reports, the iPhone runs a stripped down version of Mac [...]

  • 21:11 Opera patches serious code execution flaw
  • Opera Software has joined the list of browser vendors shipping fixes for serious remote code execution vulnerabilities. The company’s new Opera 9.5.1 patches at least four security issues, the most serious being a flaw reported by Microsoft’s Billy Rios that could be used to execute arbitrary code. Opera is withholding details on the high-risk flaw until a [...]

  • 20:52 Airport security part 4: Attack of the body scanners!
  • If you read my blog postings semi-often, you know that I’m very, very critical of problems with airport security. Nicole Wong of the Boston Globe reported that Boston’s Logan International Airport will become the next airport to implement full-body scanners (thanks for the link from the LiquidMatrix guys!) that can see through clothing to detect whether [...]

  • 20:34 July 2008 Advance Notification
  • Hello, Bill here.

    I wanted to let you know that we just posted our Advance Notification for next week's bulletin release, which will occur on Tuesday, July 8, 2008 around 10 a.m. Pacific Standard Time.

    It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

    As part of our regularly scheduled bulletin release, we're currently planning to release:

    Four Microsoft Security Bulletins rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

    As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

    We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

    Finally, in late July, we'll also be releasing KB946928, which updates the infrastructure of the Windows Update client itself. For more information on this update, please visit the Microsoft Update blog.

    As always, we'll be holding the July edition of the monthly security bulletin webcast on Wednesday, July 9, 2008 at 11 a.m., Pacific Standard Time. We will review this month's release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can't make the live webcast, you can listen to it on-demand as well. You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374629&Culture=en-US

    Thanks,

    Bill Sisk

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • 20:08 Can Mozilla's security metrics project end the patch-counting nonsense?
  • In partnership with indie security consultant Rich Mogull (left) Mozilla has launched a valuable Security Metrics Project that could help to — we can only hope — put an end to the silly notion that patch-counting helps to determine a product’s security posture. The idea is to develop a metrics model that goes beyond simple [...]

  • 18:45 Microsoft touts trustworthy browsing with IE8
  • If it asks if you'd like to see some puppies, just say no

    Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.


  • 17:35 Security World: Rise in SQL injection attacks exploiting unverified user data input
  • Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application developm...

  • 17:24 Getaway day: How to secure your laptop for holiday travel
  • It’s getaway day and as we prepare to hit the road, trudge through airport security and snag that car rental, spare a thought for the valuable data that travels with you on that trusty old laptop. According to a recent study by the Ponemon Institute, more than 637,000 notebooks vanish each year in mid-to-large airports. With some [...]

  • 17:19 Off the wire: SQL Server and the Windows Server 2008 firewall
  • For those of you migrating from Windows Server 2003 or earlier to Windows Server 2008, if you have not previously heeded the advice to enable the firewall, you may be surprised by connectivity failure...

  • 16:36 Gmail, Yahoo and Hotmail's CAPTCHA Broken
  • It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on top of it, next to the opportunity to abuse it for your own malicious purposes. Which is exactly what we have here: an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

    Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers:

    "Breaking Gmail, Yahoo and Hotmail's CAPTCHAs has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services and proprietary underground tools assisting spammers, phishers and malware authors in registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second, clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

    Text-based CAPTCHA is so broken that, if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure built on the foundation of legitimate email service providers.

    Related posts:
    Vladuz's Ebay CAPTCHA Populator
    Spammers and Phishers Breaking CAPTCHAs
    DIY CAPTCHA Breaking Service
    Which CAPTCHA Do You Want to Decode Today?

  • 16:20 NoScript vs. Internet Explorer 8 Filters
  • NoScript plugin writer Giorgio Maone posted a commentary on IE 8’s new filters, drawing comparisons to his own widely popular NoScript Firefox plugin. Maone writes: "I'm happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now. The announcement posts seem not [...]"

  • 15:46 Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
  • Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services and proprietary underground tools assisting spammers, phishers and malware authors in registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service [...]

  • 15:20 Scareware runs amok on PlayStation site
  • Sony gamed by hackers

    Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers.


  • 13:53 Built-in browser expiry proposed to fight botnet menace
  • 45% fail to update surfing software, report finds

    Nearly half (45.2 per cent) of all internet surfers neglect to regularly update their browser software. Slackness in applying updates in a timely fashion leaves an estimated 637 million surfers vulnerable to drive-by download attacks, according to a new survey.


  • 08:30 Off the wire: Writing policy for confined SELinux users
  • The SELinux management environment (system-config-selinux) has been updated and includes the ability to build customized SELinux policy modules for the confinement of users.

  • 07:00 Security World: Recent potential email and Web threats
  • MX Logic published a new monthly report that aims to help inform organizations about potential email and Web threats in advance so they can take preventative action. The July forecast calls for: S...

  • 04:04 Virus Center: Visitors to Sony Playstation website at risk of malware infections
  • Researchers at Sophos are warning lovers of video games that pages on the US-based Sony PlayStation website have been compromised by hackers. Experts have discovered that cybercriminals have injected ...

  • 03:45 1500 posts!
  • This is officially post 1500 on the blog. In just under five years, I’ve written 1500 blog posts, some inane “look at me” posts (like this one :-)), some of which I’m pretty proud of. The true count of the posts I’ve written is a bit higher, but I lost more than a few [...]

  • 03:42 Multiple Facebook vulnerabilities reported on Full-Disclosure
  • Jouko Pynnonen posted a message to the Full-Disclosure mailing list today, citing multiple “script injection” vulnerabilities within Facebook. I’m not sure if this is a surprise to anybody out there, it’s certainly not to me, as numerous web applications have major problems with Cross-site Scripting vulnerabilities, but I think this is important to note due [...]

  • 03:00 Random Stupidity in the Name of Terrorism
  • An air traveller in Canada is first told by an airline employee that it is "illegal" to say certain words, and then that if she raised a fuss she would be falsely accused:

    "When we boarded a little later, I asked for the ninny's name. He refused and hissed, 'If you make a scene, I'll call the pilot and you won't be flying tonight.'"

    More on the British war on photographers. A British man is forced to give up his hobby of photographing buses due to harassment:

    "The credit controller, from Gloucester, says he now suffers 'appalling' abuse from the authorities and public who doubt his motives. The bus-spotter, officially known as an omnibologist, said: 'Since the 9/11 attacks there has been a crackdown. The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority.' Mr McCaffery, who is married, added: 'We just want to enjoy our hobby without harassment. I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts.'"

    Is everything illegal and damaging now terrorism?

    "Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead. Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization."

    New Jersey public school locked down after someone saw a ninja:

    "Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword. Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school."

    And finally, not terrorism-related but a fine newspaper headline: "Giraffe helps camels, zebras escape from circus":

    "Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage."

    Are llamas really that hard to count?

    EDITED TO ADD (7/2): Errors fixed.

  • 03:00 Browser Insecurity
  • This excellent paper measures insecurity in the global population of browsers, using Google's web server logs. Why is this important? Because browsers are an increasingly popular attack vector. The results aren't good:

    "...at least 45.2%, or 637 million users, were not using the most secure Web browser version on any working day from January 2007 to June 2008. These browsers are an easy target for drive-by download attacks as they are potentially vulnerable to known exploits."

    That number breaks down as 577 million users of Internet Explorer, 38 million of Firefox, 17 million of Safari, and 5 million of Opera. Lots more detail in the paper, including some ideas for technical solutions.

    EDITED TO ADD (7/2): More commentary.

  • 01:53 Antivirus vendor introducing virtual keyboard for secure Ebanking
  • Kaspersky’s most recent product launch of the Kaspersky Internet Security 2009, is featuring a virtual keyboard “a secure pop-up that enables logins, passwords, bank card details and other important personal information to be entered safely to prevent the theft of confidential information” aiming to protect users from keyloggers, and consequently provide a safer Ebanking experience. [...]

  • 01:53 Off the wire: Whitepaper - Backup and recovery best practices for Microsoft SQL Server 2005
  • To help you choose from among the available configuration options and backup and recovery procedures, HP has conducted extensive laboratory tests to determine best practices.

  • 01:47 Matasano ships Web-based firewall manager
  • The firewall is one of the few security tools that has been proven to be very effective at improving a company’s security posture. However, staying on top of policies — and responding to change requests — while trying to manage multiple firewalls from different vendors can be a never-ending nightmare for IT admins. In steps Matasano [...]

  • 00:25 Chinese Bloggers Bypassing Censorship by Blogging Backward
  • With China trying to silence over 30,000 rioters during the weekend by deleting forum postings and deactivating accounts mentioning the riot, Chinese bloggers have started using a widget they originally came up with in order to bypass the "Great Firewall of China", by blogging backward, vertically and horizontally:

    "So bloggers on forums such as Tianya.cn have taken to posting in formats that China's Internet censors, often employees of commercial Internet service providers, have a hard time automatically detecting. One recent strategy involves online software that flips sentences to read right to left instead of left to right, and vertically instead of horizontally. China's sophisticated censorship regime -- known as the Great Firewall -- can automatically track objectionable phrases. But "the country also has the most experienced and talented group of netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya Online Networking Technology Co., who has been responsible for deleting posts about the riot"

    An old-school content obfuscation service that they could take advantage of, offers the opportunity to turn a short message into spam or a fake PGP encrypted file, where both parties can easily decode them to the original.

    Spammimic is what I have in mind.

  • 00:02 300 Lithuanian sites hacked by Russian hackers
  • Recently accepted legislation in Lithuania banning communist symbols across Lithuania has prompted pro-Russian hackers to start defacing Lithuanian sites. An indication of the upcoming attack was detected last week, with active discussions around Russian forums greatly reminding us of the Russia vs Estonia cyberattack sparked by the removal of a Red Army memorial [...]


