New Chrome version contains malware download security

Google has issued an official update to its Chrome browser to fill 20 security holes, one of which is deemed "critical" and eight of which are considered "high" in severity.
 

Two suspects skim cards at the ATM door

Two men have been charged with applying a new take on ATM skimming fraud -- placing the data-stealing device on the card reader at the door, not on the actual cash machine.
 

Adobe announces Flash sandbox for Firefox

Adobe has added a beta sandbox feature to its Flash Player running in the Mozilla Firefox browser, the company announced Monday.
 

Apple ships Mac OS X, Safari updates

Apple on Wednesday released a new version of Mac OS X, 10.7.3 (Lion), to address nearly 50 security vulnerabilities.
 

SEC accuses Latvian man of hacking brokerage accounts

The federal Securities and Exchange Commission has charged a Latvian man with participating in a scheme that manipulated the value of more than 100 New York Stock Exchange and Nasdaq stocks.
 

Just-patched critical Microsoft bug under attack

Researchers warned Thursday that a recently patched vulnerability in Windows Media is being used by remote attackers to launch malware.
 

Android app claims to be Madden 12 video game

With the Super Bowl less than two weeks away, Symantec researchers said Tuesday that they have spotted a malicious application in unofficial Android markets claiming to offer a version of the popular video game Madden NFL 12.
 

Symantec extends cloud offerings

Symantec has acquired LiveOffice, a privately held cloud-based archiving provider, for approximately $115 million.
 

Anonymous, Reddit to protest SOPA with blackout

Hacktivist group Anonymous and the popular news-sharing site Reddit both have pledged to go offline on Wednesday in protest of the proposed Stop Online Piracy Act (SOPA), an anti-piracy measure that critics believe amounts to an internet censorship bill.
 

Oracle to ship 79 patches next week

As part of its quarterly security update, Oracle on Tuesday is planning to release 79 patches to address vulnerabilities across its product line.
 

US-CERT warns about spoofed US-CERT phishes

Phishers are spoofing email addresses belonging to US-CERT, an arm of the Department of Homeland Security that coordinates information sharing related to cyber threats, to trick users into installing malware.
 

Chrome adds malware download warning functionality

A new beta version of the Google Chrome browser contains malware download protection.
 

Anonymous attacks Sony again, this time over SOPA

Anonymous said Friday that it is responsible for temporarily defacing the website and Facebook account belonging to Sony Pictures.
 

Adobe to release quarterly updates to address critical bugs

Adobe announced Friday that it intends to release its quarterly updates next week.
 

HP "fire" bug patched on dozens of printers

HP has quietly delivered a fix for a vulnerability in some of its printers that could be leveraged to steal sensitive documents, gain control of corporate networks, or even set the affected devices on fire.
 

WordPress releases update following security issue

WordPress has made available version 3.3.1 of its popular blogging software, which closes 15 vulnerabilities, including a cross-site scripting hole that was revealed Monday by two Indian security researchers.
 

Security firm releases tool to brute force routers

A Maryland security firm has released an open-source tool that can be used to exploit a vulnerability permitting brute-force attacks against wireless routers that use the WiFi Protected Setup (WPS) standard, in order to retrieve their passwords.
 

Counterfeit card maker pleads in ATM skimming bust

A 21-year-old Connecticut woman on Tuesday pleaded guilty to participating in an ATM skimming operation between February and July, the U.S. attorney's office in Connecticut said.
 

Twitter makes available some code from Whisper Systems buy

Twitter, which recently acquired year-old Android security start-up Whisper Systems, announced Tuesday that it is making some of the company's open-source code publicly available.
 

Yahoo deploys two-factor authentication for email

The feature, which is currently available for users in the U.S., Canada, India and the Philippines, requires a second form of verification beyond a password for any "suspicious" login attempt.
 

FTC to pay millions to consumers duped by scareware

The Federal Trade Commission (FTC) will partially reimburse some 300,000 people who fell victim to a scam in which they purchased rogue anti-virus products to fix problems that didn't exist.
 

Out-of-band fix for Adobe Reader security issue coming Friday

An out-of-cycle patch is coming to fix a flaw in Adobe Reader and Acrobat 9 for Windows.
 

Chrome 16 includes 15 vulnerability fixes

Google on Tuesday released Chrome 16, which includes fixes for 15 security vulnerabilities.
 

Android users share their "rage" for free Windows Phone

Android users have taken to Twitter to air their grievances about their phones, prompted by an unusual offer from a Microsoft employee.
 

China behind majority of cyber attacks, NSA says

The National Security Agency claims a dozen groups connected to China's People's Liberation Army and six nonmilitary groups connected to universities are largely behind cyber spying campaigns.
 

Yahoo Messenger exploit enables status message hijacking

A newly discovered zero-day exploit against Yahoo Messenger can allow an attacker to hijack users' status updates, according to researchers at anti-virus firm BitDefender.
 

Former UBS banker sentenced for fraud

A former bank executive has been sentenced to 33 months in prison for committing 84 fraudulent wire transfers that deposited $673,000 of UBS Securities funds into his personal accounts.
 

Cyber Monday scam emails hit inboxes

Spammers have begun trying to capitalize on the Cyber Monday buying frenzy.
 

Fake FBI scam email making the rounds

A message purportedly sent from the FBI Anti-Terrorist and Monetary Crimes Division is making its way to inboxes, threatening recipients that they will be arrested if they do not reply back.
 

Security spending to increase in 2012, survey shows

While the nation's economy remains in the tank, the information security market appears to be avoiding a major slowdown.
 

Anonymous calls for protests of piracy bill

The Anonymous hacking collective on Sunday called for a "worldwide internet and physical protest" against a controversial bill making its way through Capitol Hill called the Stop Online Piracy Act.
 

Most spam subject lines contain fake order, ticket numbers

Most spam messages sent in recent days have been delivered with subject lines containing fake order or ticket numbers, delivery invoices, payment notices or tax information, according to researchers from security firm Websense.
 

Google releases Chrome update to fix high-risk security bug

Google on Wednesday released Chrome 15.0.874.121 to address a high-severity vulnerability affecting the V8 JavaScript engine that could allow for the execution of arbitrary code.
 

Microsoft to make updates less disruptive, more predictable

In an effort to smooth the patching process for users, Microsoft plans to improve its updating mechanism in Windows 8, due out next year.
 

Apple issues iTunes update to close man-in-the-middle hole

Apple on Monday released an updated version of its iTunes program to close a vulnerability that could lead to a man-in-the-middle attack.
 

Imperva IPO opens high

The debut of Imperva onto the stock exchange led to strong trading gains for the maker of software protection against hackers and data theft.
 

ACH debit transfer emails leading to malware

Attackers have been circulating a trojan via email messages with subjects such as "ACH payroll payment was not accepted by Central Trust and Savings Bank."
 

Adobe bids adieu to Flash for mobile

With the exception of issuing critical security fixes for existing installations, Adobe will no longer develop new versions of Flash for mobile.
 

Adobe releases critical Shockwave Player security update

The flaws corrected by an Adobe Shockwave Player update could allow an attacker to run malicious code on an affected system.
 

SC Magazine wins Best Photo Spread award

SC Magazine took home the Min Editorial & Design Award for best photography spread among business-to-business magazines.
 

Report: Anonymous calls off Operation Cartel

Anonymous' plan to expose the information belonging to members of the dangerous Zetas drug cartel in Mexico is back off, after a kidnapped member of the hacktivist group has been released by the gang.
 

Accused Scarlett Johansson hacker claims innocence

A Florida man pleaded innocent Tuesday to hacking into the email accounts of Scarlett Johansson, Mila Kunis, Christina Aguilera and dozens of other celebrities to steal photos, emails and other documents.
 

U.S., Asian nations dominate spam-sender list

The United States has maintained the dubious distinction of being the world's No. 1 relayer of spam, but Asian countries are catching up quickly.
 

Facebook to extend bug bounty program

At some point in the future, Facebook plans to begin asking researchers to review code that has not yet been released, according to Joe Sullivan, CSO at Facebook.
 

Phishers aiming for Apple IDs, passwords

Spam that seemingly emanates from Apple is making the rounds with the aim of tricking users into handing over their IDs and passwords, researchers at anti-virus firm Trend Micro said in a blog post Monday.
 

Check Point adds Dynasec for governance, risk, compliance

Check Point Software Technologies bolstered its portfolio Monday with the acquisition of privately held Dynasec, a 7-year-old, Israel-based provider of governance, risk management and compliance solutions.
 

Facebook rolls out application-specific passwords

Facebook on Thursday introduced two new security features to help users better protect their accounts. The first is the ability to create unique passwords for each application a user accesses. (Normally they only need to enter their standard Facebook credentials.) The new capability allows members to create a password, which they won't have to remember each time they log in to the app, by visiting Account Settings > Security > App Passwords. Meanwhile, the "Trusted Friends" feature allows a user to select three to five trusted individuals to serve as custodians of codes that can be used to access one's account if he or she is ever locked out.
 

Apple pushes QuickTime update

Apple has released an update for its QuickTime software to close 12 vulnerabilities. Version 7.7.1 includes 10 fixes for flaws that, if exploited, could lead to arbitrary code execution. Most of the bugs involve memory or buffer overflow issues, whereby viewing a malicious movie file could result in an exploit. The update is available for Windows 7, Vista, XP and later versions.
 

Disgraced bike champ accused of cybercrime

Cyclist Floyd Landis, who was stripped of his Tour de France medal in 2006 following positive doping results, now faces arrest in France for his alleged involvement in planting a trojan on the computer network of the French national anti-doping laboratory (LNDD), which conducted the test. According to reports, French prosecutors said Landis and Arnie Baker, his coach at the time, employed a hacker at Kargus Consultants to plant the trojan in an attempt to steal documents from the lab for an appeals process they were pursuing. Kargus has also been suspected of breaking into Greenpeace and French utility company EDF. Prosecutors said Landis should serve an 18-month suspended prison sentence for his part in the alleged scheme.
 

Google closes 18 Chrome holes

Google on Tuesday pushed out a new version of its Chrome web browser to rectify 18 vulnerabilities, including 11 that are deemed "high" in severity. Version 15, part of the "stable" channel of Chrome, also includes protection against Browser Exploit Against SSL/TLS (BEAST), a JavaScript hacking tool disclosed last month at a security conference in Argentina that can decrypt HTTPS requests and encrypted cookies. Microsoft has since issued an advisory that acknowledges the issue, along with a Fix-It solution. Meanwhile, researchers who disclosed the flaws in Chrome received more than $26,000 combined for their finds as part of Google's bug bounty program.
 

Microsoft YouTube channel hacked

Hackers over the weekend accessed Microsoft's YouTube channel to swap out videos with their own. It is unclear what the intruders' motive was, but they may have been able to access the account by stealing its login credentials from a Microsoft employee, Graham Cluley, senior technology consultant at anti-virus firm Sophos, said in a blog post Sunday. One of the unauthorized videos posted was titled "Bingo" and featured an animated video game character shooting another character. By Monday morning, the channel was operating normally. The incident followed hackers last week taking over the Sesame Street YouTube channel to display pornographic videos.
 

NERC CSO departs for newly created DHS role

Mark Weatherford, former CSO of the North American Electric Reliability Corp. (NERC), has been appointed to a newly created position at the U.S. Department of Homeland Security. Serving as deputy under secretary for cybersecurity within the National Protection and Programs Directorate (NPPD), the DHS component charged with reducing risk, Weatherford will focus on ensuring strong cybersecurity operations and communications for the department. He is expected to start in mid-November. Prior to his role at NERC, Weatherford was CISO of the state of California. A former naval cryptologic officer, Weatherford also previously led the Navy's computer network defense operations.
 

Google enables search encryption by default

Google has turned on encrypted search by default. The tech giant announced in a blog post Tuesday that users, over the next few weeks, will be automatically directed to https://www.google.com when they sign into their accounts. The secure channel will help protect search terms and results pages from being intercepted by a third party. As a result, websites won't have access to each individual search query that drives traffic to their site, but they still will be able to view a list of the top 1,000 queries via Google Webmaster Tools. Users wanting to send their individual search entry to advertisers, so they can improve their campaigns, can opt to still do so by clicking on an ad appearing on the search results page.
 

Accused LulzSec hacker pleads innocent to Sony attack

A purported member of the hacktivist group LulzSec pleaded innocent Monday in federal court in Los Angeles to charges of hacking into the systems of Sony Pictures Entertainment. Cody Kretsinger, a.k.a. "recursion," 23, of Arizona is facing one count each of conspiracy and unauthorized impairment of a protected computer. He faces a maximum sentence of 15 years in prison. He is accused of participating in a weeklong SQL injection attack, ending in early June, on the Sony Pictures site. The compromise resulted in the theft of data belonging to roughly one million users, some of which was publicly posted.
 

Celebrity email hacker arrested

A Florida man has been charged with hacking into the email accounts of Mila Kunis, Christina Aguilera, Scarlett Johansson and dozens of other celebrities to steal photos, emails and other documents. Christopher Chaney, 35, of Jacksonville was nabbed following an 11-month police investigation dubbed "Operation Hackerazzi," according to an FBI statement this week. Once he had access to a victim's email account, which he obtained by using publicly available information, he allegedly changed the settings so that all of their emails would be automatically forwarded to him. He also stole private photos, which he offered to celebrity blogs. Chaney was charged with accessing and damaging protected computers without authorization, wiretapping and aggravated identity theft. He faces up to 121 years in prison.
 

FTC, file-sharing app developer settle charges

The Federal Trade Commission has settled a case with the maker of a mobile peer-to-peer application over allegations that the program automatically shared files with the public by default. The agency's complaint against FrostWire LLC said this caused consumers who downloaded the app to "unwittingly disclose personal files, like pictures and videos, stored on their smartphones and tablet computers," according to an FTC news release on Tuesday. Under the deal, FrostWire is barred from using default settings that allow these files to be shared and is required to freely update users to a new version that corrects the problem.
 

New exploit toolkit not so nice

At least 10,000 websites have been compromised to redirect users to a new exploit toolkit, called "Nice Pack," according to researchers at Dell SecureWorks. Nice Pack, discovered Wednesday, attempts to take advantage of flaws in users' third-party apps, such as Java and Adobe, to install the "Zero Access Trojan," a rootkit that allows attackers to take control of a victim's machine. Though researchers are still looking into the threat, they have discovered that the JavaScript on compromised sites is nearly identical to the malicious code recently found on MySQL.com, which was infected to redirect users to the Black Hole exploit toolkit.
 

Apple releases mammoth iTunes update

Apple on Tuesday released an update to its iTunes software to repair a whopping 79 vulnerabilities. Most of the flaws are memory corruption issues found in WebKit, an open source web browser engine that helps render the iTunes Store. In the case of those bugs, adversaries could launch a man-in-the-middle attack while a user browses the store, which may lead to malicious code execution. The other holes patched by upgrading to iTunes 10.5 lie in CoreFoundation, ColorSync, CoreAudio, CoreMedia and ImageIO.
 

Couple files suit against Citigroup over breach

A couple from New York state is seeking class-action status for a lawsuit against Citigroup, alleging that the third-largest U.S. bank has "taken no steps" to protect victims in the wake of a massive data breach, according to reports. Citi admitted in June that 360,083 accounts - about 1.5 percent of its card customer base - were compromised in the attack, in which hackers infiltrated the online banking platform, Citi Account Online, and viewed customer account numbers and contact information. The plaintiffs, Kristina and Steven Orman of Northport, N.Y., filed the suit on Friday in response to fraudsters allegedly charging their credit cards and stealing money from their bank accounts.
 

IT services jobs see growth

Following the release of the Sept. 2011 employment numbers by the Department of Labor Bureau of Labor Statistics, Foote Partners, a Vero Beach, Fla.-based IT research and advisory firm, observed a net gain of 11,500 jobs in two IT services job sectors - management and technical consulting services as well as computer systems design and related services. This would be the 16th consecutive month of positive job growth in these job segments, David Foote, the company's CEO, said in a statement. "There's no question that consulting firms and systems integrators are benefiting from current corporate staffing strategies for acquiring needed pure technology skills - which is to rent them, not to buy them," Foote said.
 

NIST releases continuous monitoring guidance

The National Institute of Standards and Technology late last week published new guidance to help organizations develop and implement an information security continuous monitoring (ISCM) program. This initiative can help companies better provide ongoing awareness of threats and vulnerabilities, assess the effectiveness of deployed security controls and support risk management decisions, according to the 80-page guidance document. A mature ISCM program, which requires the use of both automated and manual processes, will enable companies to move from compliance-driven to data-driven risk management.
 

Anonymous: We won't hack Wall Street

The online collective Anonymous is disputing a YouTube video posted over the weekend that promises distributed denial-of-service attacks on Monday against the New York Stock Exchange. According to a tweet from the AnonOps Twitter account, considered one of the most trusted sources of information from the group, there are no plans to hack Wall Street properties. Because Anonymous is technically a leaderless organization, it is sometimes difficult to tell if information is accurate. The FBI declined comment on the matter when reached by SCMagazineUS.com. Anonymous has been instrumental in recent weeks in facilitating the Occupy Wall Street ground protests, which have now spread beyond New York to a number of other cities.
 

Google patches Chrome holes, pays $10,000

Google this week fixed seven vulnerabilities in the Chrome web browser, and paid $10,000 to researchers who reported them. Researcher Sergey Glazunov scored $8,000 for reporting five Chrome bugs, including $4,500 for three use-after-free bugs in V8 bindings. Glazunov has dominated Google's Chromium security hall of fame, which pays researchers for reporting bugs in the Chrome browser.
 

DigiNotar collapse could cost parent nearly $5 million

Authentication solutions provider Vasco expects the bankruptcy of its Dutch-based certificate authority (CA), DigiNotar, to cost it between $3.3 and $4.8 million, according to a statement Tuesday. The estimate does not include losses that may arise through possible lawsuits filed against the company. On Sept. 20, DigiNotar was "declared bankrupt" by a District Court judge in The Netherlands after it emerged that the CA issued hundreds of counterfeit SSL credentials after hackers breached its systems. At least one phony certificate, for Google.com, appeared in the wild, presumably so Iranian users could be spied on by the government. Vasco is based in Oakbrook Terrace, Ill.
 

IBM announces purchase of Q1 Labs

IBM on Tuesday announced it is buying privately held Q1 Labs, a Waltham, Mass.-based vendor of security event and log management software. The company will be integrated into the newly formed IBM Security Systems division, expected to be led by Q1 Labs CEO Brendan Hannigan. Q1 Labs provides analytics and correlation technology that, it says, can help prevent breaches, such as an employee accessing unauthorized information. Financial terms of the deal, the second SIEM-related acquisition announced Tuesday, were not disclosed.
 

McAfee to acquire NitroSecurity

McAfee on Tuesday announced it is acquiring NitroSecurity, a privately owned security information and event management provider based in Portsmouth, N.H. McAfee said that following the buy, which is subject to regulatory approvals and other customary closing conditions, the integration of NitroSecurity's technology into McAfee ePolicy Orchestrator will give organizations greater visibility into their IT environment. The acquisition is expected to close by the fourth quarter of this year. During 2010, the SIEM market grew from $858 million to $987 million, a growth rate of 15 percent, according to Gartner.
 

Facebook, Websense partner to flag malicious links

Facebook on Monday began warning users if they are about to visit a malicious URL. As part of a partnership with security firm Websense, each time a user clicks on a link within Facebook, the address will be checked against a database of known malicious sites. If the link matches a known bad site, users will be presented with a page that offers the choice of continuing on, returning to the previous screen or learning why the link was classified as suspicious. Cybercriminals have flocked to sites like Facebook in recent years. A new Ponemon Institute survey of more than 4,000 IT and IT security professionals found that 52 percent have faced an increase in malware as a result of social media.
 

Microsoft briefly derails Chrome users

Microsoft Security Essentials (MSE), a free utility for Windows-based computers that offers protection against malware, is catching Google's Chrome browser in its dragnet. A faulty signature update for MSE and Microsoft Forefront erroneously classified the Chrome executable file for Windows as an element of the Zeus trojan, notorious for stealing banking information, resulting in a large number of Chrome users being left without their bookmarks and browser plugins. While Microsoft responded within hours with an updated signature (1.113.672.0), and claimed only 3,000 customers were affected, the traffic on blogs and bulletin boards seemed to indicate the number could be much higher. Microsoft advised users to update MSE with the latest signatures and reinstall Chrome.
 

Corporate bank fraud losses expected to total $210M

Businesses in North America are expected to lose $210 million this year to corporate bank account takeovers, according to a new report from financial research and consulting firm Aite Group. The report, "Banks and Business in the Crosshairs: Cybercrime and Its Impact," estimates that losses from these seizures, by which hackers gain control of online bank accounts to make unauthorized transfers, will grow to $371 million by 2015. Moreover, the number of new, unique strains of malware released each year is expected to increase - from 25 million by the close of 2011 to 87 million by the end of 2015.
 

USA Today Twitter account hacked by The Script Kiddies

The Twitter account belonging to USA Today was hacked over the weekend by a group called The Script Kiddies. In tweets posted from the compromised account, the hacktivist group bragged about past hacking feats, and urged users to "like" them on Facebook and vote on who they should infiltrate next. It is unclear how the hackers were able to commandeer control of the account. The same group also claimed responsibility earlier this month for hacking the NBC News Twitter account and sending a series of erroneous tweets. In that case, a trojan permitted the takeover.
 

DHS, Commerce pushing for voluntary botnet notification

The U.S. Commerce and Homeland Security departments are seeking public feedback on a recommended program by which internet service providers would "voluntarily and timely detect and notify end-users that their machines have been infected," a move designed to help eradicate botnets. According to a notice posted this week in the Federal Register, the agencies are weighing how such an approach would be implemented (for example, whether incentives may be offered to service providers that participate) and who would be responsible for running the program - industry, the public sector or a partnership between both. Public comments, which must be received by Nov. 4, are expected to examine a number of areas, including the privacy implications of such an approach.
 

National breach notification bill passes hurdle

Three separate national breach notification bills making their way through the Senate came a step closer to being enacted into law on Thursday. The bills are intended to bolster privacy protections, and would supersede 46 state laws while nationalizing breach notification provisions. However, passage is a ways off, as Senate Republicans have raised objections, claiming the bills would burden businesses with further regulations. The Personal Data Privacy and Security Act, the Data Breach Notification Act, and the Personal Data Protection and Breach Accountability Act all passed the Senate Judiciary Committee with a 10-8 vote, split along party lines.
 

FTC to examine implications of facial biometrics

The Federal Trade Commission in December plans to hold a workshop to investigate the privacy and security implications of facial recognition technology. The agency announced this week that the workshop, which is free and open to the public, seeks to bring together consumer protection groups, privacy experts, and industry and academic leaders. The meeting is expected to address such topics as whether consumers should consent to the collection and use of their images. Facial recognition products can provide an added security layer at places like airports or automate photo tagging on sites such as Facebook, but critics worry they also could be used for intrusive surveillance. As a result, offerings have emerged that can help people hide their faces from the technology.
 

Official: FBI investigating 400 bank account takeovers

Despite fresh guidance and quicker fraud detection, the FBI actively is investigating more than 400 cases of corporate bank account takeovers, an official told federal lawmakers last week. Gordon Snow, the FBI's assistant director of the cyber division, told a House Financial Services subcommittee that these cases, in which criminals initiate unauthorized Automated Clearing House and wire transfers from seized accounts belonging to mostly small and midsize businesses, have resulted in the attempted theft of more than $225 million and actual losses of around $85 million. In his remarks, Snow also discussed risks related to ATM skimming, mobile banking and supply chain compromise.
 

Scammer of military site sentenced

Stealing data from military rosters posted on peer-to-peer (P2P) servers has led to a six-year sentence in federal prison for a California man, according to reports. Gathering personally identifiable information on 16,000 military members from an account belonging to the U.S. Army and Air Force Exchange Services (AAFES), Rene Quimby, 42, parlayed the data and used social engineering tactics to obtain further information from the site's support staff. He then used the credentials to order merchandise from an online store, which he then sold for profit. A judge also ordered him to pay $210,000 to the AAFES.
 

Microsoft adds "major" update to detect Zeus trojan

Microsoft has introduced a "fairly major" update to its Malicious Software Removal Tool to detect and kill infections of the insidious and constantly morphing data-stealing malware family known as Zbot, or Zeus. Since the software giant first added detection for Zeus last October, hundreds of thousands of Windows PCs have been expunged of the threat, prominent in banking and e-commerce fraud. But as Zeus, which recently merged code bases with SpyEye, continues to acquire advanced evasion capabilities, Microsoft has had to fight "sneakiness with sneakiness," according to a blog post on Wednesday. The company introduced the update as part of its monthly security patches, released on Tuesday.
 

NBC Twitter hack attributed to 'Christmas tree' trojan

A group of hacktivists was able to compromise the NBC News Twitter account on Friday by tricking the network's social media head into clicking on a malicious attachment. According to an MSNBC report, a group known as The Script Kiddies commandeered control of the account to send a series of tweets falsely reporting an attack on Ground Zero in New York, two days before the 10th anniversary of 9/11. The mischief makers may have obtained the account's login information by duping Ryan Osborn, NBC News' director of social media, into clicking on an attachment, which installed a copy of the password-stealing "Christmas tree" trojan onto his machine. The erroneous tweets were removed soon after they were posted, and the FBI is looking into the matter. Twitter has since suspended the account of The Script Kiddies, who also have hacked into the Facebook account of Pfizer.
 

Oops: Microsoft errantly releases patch details four days early

Microsoft on Friday accidentally posted details about Tuesday's scheduled security update. The software giant removed the five "important" bulletins, but not before organizations such as the SANS Internet Storm Center posted a summary of the patches. According to the group, six of the vulnerabilities being patched are in SharePoint, five in Excel, two in Office and one each in Windows and the Windows Internet Name Service (WINS). The Windows, Excel and Office flaws could lead to remote code execution. However, Microsoft has said none of the five patches earned the software giant's most severe designation of "critical." In a tweet, the Microsoft Security Response Center said it has since removed the content about the patches.
 

Possibly breached GlobalSign to bring services back Monday

Portsmouth, N.H.-based certificate authority (CA) GlobalSign plans to be back fully operating on Monday after temporarily suspending the issuance of SSL credentials due to claims from a hacker linked to attacks on Comodo and DigiNotar. In a Monday post to Pastebin, a hacker claimed responsibility for the major attack on DigiNotar and said he has access to four other CAs, including GlobalSign. "We are adopting a high-threat approach to bringing services back online and we are working with a number of organizations to audit the process," the company said in a news release. GlobalSign is still investigating the hacker's claims, but said it believes CAs are facing an "industry-wide" attack.
 

Former DHS official tapped to lead security at Sony

Much-maligned Sony announced Tuesday that it has hired a former U.S. cybersecurity official to serve as its first-ever chief information security officer. Philip Reitinger, 49, who had served as director of the National Cybersecurity Center at the U.S. Department of Homeland Security since June 2009 before tendering his resignation in May, will be tasked with assuring the protection of the multibillion dollar company's assets and services. It's been a tough year for Sony, which has experienced multiple breaches, most notably the compromise of its PlayStation Network and Qriocity services, which resulted in the exposure of the personal details of tens of millions of users. Reitinger has been in the private sector before, where he held the role of security strategist at Microsoft.
 

Anonymous targets Texas police chiefs site

In the face of new arrests and the arraignments of 14 Anonymous members accused of launching attacks last year against PayPal, the hacktivist group continues to expose security weaknesses and embarrassing documents. In its latest digital heist, Anonymous on Thursday leaked 3 GB of data from TexasPoliceChiefs.org. Some of the pilfered emails reveal offensive communications among authorities. In a statement, Anonymous said its latest attack comes in retaliation for Texas police's campaign to "harass immigrants and use border patrol operations as a cover for their backwards racist prejudice." The Texas Police Chiefs Association website is currently offline, and a lawyer for the group said its webmaster is investigating how the breach occurred, according to a report.
 

PCI Council beefs up wireless guidance

The PCI Security Standards Council, charged with managing payment security guidelines, on Friday issued updated guidance around protecting wireless technology in cardholder environments. The update offers expanded advice on securing Bluetooth, and provides methods for testing and detecting rogue wireless access points, which are unauthorized Wi-Fi entryways typically set up by attackers to sniff network traffic. The council first released procedures to secure wireless in 2009.
 

Microsoft updates free secure development tools

Microsoft on Thursday released updates for three free Security Development Lifecycle (SDL) tools designed to aid with the design and verification of applications. The updated tools - Threat Modeling Tool v3.1.8, MiniFuzz Tool v1.5.5 and RegExFuzz Tool v1.1.0 - include fixes for security and stability bugs, Microsoft said. In addition, the tools now add support for the 2010 versions of Microsoft's development environment, including Visual Studio and Team Foundation Server. Microsoft's SDL tools have been downloaded nearly 700,000 times since 2008, according to the Redmond, Wash.-based computing giant.
 

Facebook releases how-to guide to stay protected

Facebook has released a guide to security. Written in simple-to-understand terms, the 14-page document encourages users to set strong passwords and log out of their accounts when they are finished. It also addresses common scams on the social networking site, including clickjacking. The handbook suggests users implement enhanced security settings, including secure browsing, one-time passwords and account activity monitoring. In addition, it explains how Facebook members can recover their accounts if they have been compromised.
 

Mozilla's newest release closes 10 memory bugs

Mozilla on Tuesday released version 6 of its Firefox web browser, in the process closing 10 vulnerabilities. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code," according to a security advisory. Mozilla also upgraded its Thunderbird email and news client and SeaMonkey internet suite.
 

Anonymous plan to "kill" Facebook may be fake

One of the more prominent members of the Anonymous hacking movement has shot down reports that the group is planning to take down Facebook on Nov. 5. "Sabu" tweeted Wednesday that the so-called OpFacebook is a hoax. His claim was backed up by AnonOps, considered the most reliable Anonymous news source on Twitter. It is possible splinter members are planning the attack, which is being launched over allegations that Facebook provides information about its users to government agencies and security firms, according to a YouTube video posted in mid-July. The Nov. 5 date is known as Guy Fawkes Day to commemorate the capture of the British revolutionary who plotted to blow up the House of Lords.
 

New free tool checks for Shady Rat compromises

Following McAfee's revelations about a massive cyberspying campaign dubbed Operation Shady Rat, a security firm has released a free tool to help organizations determine whether their corporate network was compromised during the attack. The tool, released by cyberthreat management company Seculert, and called Shady Rat Checker, checks IP addresses against those found on the Shady Rat command and control server, Seculert CTO Aviv Raff told SCMagazineUS.com. McAfee said at least 70 different companies worldwide were impacted by the attack, which targeted intellectual property - including government data, business dealings and corporate research. Seculert has identified IP addresses from hundreds of enterprises that have communicated with the nefarious server.
 

Obama names new fed CIO

President Obama announced on Thursday a replacement for departing federal chief information officer Vivek Kundra, who is leaving for a post at Harvard. The new appointee, Steven VanRoekel, served at Microsoft for 15 years before being recruited into the Obama administration in 2009 as managing director of the Federal Communications Commission. In his new post as the nation's top technology chief, VanRoekel will oversee an $80 billion IT budget and lead how the government uses technology. In a news conference, he said he plans to continue the work of his predecessor, bring in new technologies to upgrade service provided by the government and cut costs.
 

Report: NSA to recruit from DEFCON attendee pool

Hackers attending the annual DEFCON show in Las Vegas this weekend won't just have the opportunity to see stimulating presentations and network with peers - they also may be able to score a government job. According to a report in Reuters, the National Security Agency will be at the $150-cash-only event, recruiting some of the brightest computer security minds to join the U.S. government as "cyber warriors." The NSA is looking to hire 3,000 people over the next two fiscal years for roles in cyber offense and defense. But this isn't the first time U.S. government agencies have been at DEFCON to recruit potential employees. In fact, the show's founder, Jeff Moss, is also a member of the Department of Homeland Security (DHS) Advisory Council. On the flip side, federal authorities also have made arrests at the show.
 

Mass injection campaign affects 3.8 million pages

More than three million web pages have been compromised with malware as part of a mass IFRAME injection attack targeting unpatched versions of the open source e-commerce framework, OSCommerce, researchers at web application security firm Armorize have warned. The attack, which appears to originate in the Ukraine, has affected 3.8 million sites, which are running OSCommerce version 2.2 and earlier. Those who visit an affected site are pointed to the malicious domains willysy.com or exero.eu. After a series of redirects, users end up at a domain that attempts to exploit multiple web browser and PDF vulnerabilities, and install a variant of SpyEye.
 

Phisher gets more than a dozen years in prison

A Long Beach, Calif. man was sentenced Thursday to 12 years, seven months in prison for orchestrating a phishing operation that duped at least 38,500 people, according to federal prosecutors in Sacramento. In September, That Tien Truong Nguyen, 34, pleaded guilty to computer and access device fraud charges for creating fake banking websites designed to trick unsuspecting users into divulging their personal information. Nguyen, who was arrested for the crimes in 2007, sold the stolen data to co-conspirators, who opened up credit lines to make purchases. He reportedly perpetrated the scam to support a meth habit.
 

Up to 35M South Koreans affected by breach

The personal data belonging to an astounding 35 million people in South Korea may have been compromised this week when hackers infiltrated SK Communications, which runs the Asian nation's largest social networking site, Cyworld, and third-most trafficked search engine, Nate, according to published reports. The Korea Herald reported that officials at SK Communications, part of the SK Group, blamed malware that could be traced back to China. Experts fear the compromised data, which includes usernames, phone numbers, email addresses and passwords, could be used in other attacks that seek even more sensitive information.
 

Senate hearing set to update anti-hacking law

The U.S. Senate Judiciary Committee next week plans to hold a hearing focused on updating the Computer Fraud and Abuse Act (CFAA), a national anti-hacking law first enacted in 1984 that makes it illegal to access government or financial institution computers without authorization. A White House cybersecurity legislative plan to Congress, released in May, proposed broadening the scope of CFAA and increasing penalties under the statute. Witnesses for the hearing are scheduled to include James Baker, associate deputy attorney general for the U.S. Department of Justice, and Pablo Martinez, deputy special agent in charge of the Criminal Investigative Division of the U.S. Secret Service. The hearing is planned for 10 a.m. on Aug. 3 and can be viewed online.
 

Pfizer latest corporate victim in hacktivist attacks

The Facebook page for Pfizer has returned online after it was compromised by hackers who posted remarks disparaging the pharmaceutical giant. U.K.-based group The Script Kiddies claimed responsibility for gaining control of Pfizer's Facebook page, which has nearly 30,000 followers, to post updates that called the company "corrupt" and "irresponsible." Once it retook control, Pfizer posted a message on the account saying it was "working with Facebook to understand what happened so we can guard against it in the future." The Script Kiddies, through its Twitter account, posted two screenshots of the defacement, done as part of the AntiSec movement recently announced by fellow hacktivist collectives Anonymous and LulzSec.
 

McAfee President Dave DeWalt resigns

Dave DeWalt has resigned from his post as president of McAfee after four years, the Intel subsidiary announced Tuesday. DeWalt, who oversaw the security software firm through its $7.7 billion acquisition by Intel last year, will serve as a non-employee member of McAfee's board. He will be replaced by two new co-presidents: Michael DeCesare, currently McAfee's executive vice president for global operations, and Todd Gebhart, executive vice president and general manager of McAfee's consumer, mobile and small business division. DeCesare and Gebhart will assume their new roles by the third quarter of this year and report to Renee James, Intel's senior vice president and chairman of McAfee.
 

Google+ users spammed due to disk space overload

Some users of the new social media service Google+ were inadvertently spammed with email notifications this weekend following a technical malfunction on the site. The error occurred during an 80-minute period when Google+, currently in beta, ran out of disk space on a system that keeps track of notifications, Vic Gundotra, a Google senior vice president of engineering, wrote in a Saturday post. "We didn't expect to hit these high thresholds so quickly, but we should have," Gundotra said.
 

Hackers steal 1.27M email addresses from Washington Post site

Hackers broke into The Washington Post's jobs website late last month and stole approximately 1.27 million user IDs and email addresses, the newspaper disclosed Thursday. No passwords or other personal information was affected. Attackers leveraged a security vulnerability on the site to break in twice, on June 27 and 28. The newspaper has since fixed the flaw and implemented additional unspecified security measures to ensure a similar incident does not recur. Affected individuals may receive an increase in spam and phishing messages as a result of the hack, The Washington Post warned.
 

Secret Service probing Fox Twitter hack

The U.S. Secret Service is investigating the compromise of the Twitter account belonging to Fox News Politics, which was used to post a number of fake tweets reporting that President Obama had been assassinated, an agency spokesman told SCMagazineUS.com. A hacking group known as The Script Kiddies, an offshoot of Anonymous, has claimed responsibility for the attack, according to reports. The fraudulent tweets, delivered to some 38,000 followers of @foxnewspolitics during the early morning hours EST on Monday, have since been removed from the feed. It is unclear how the hackers got access to the account.
 

Security firm warns of Google+ spam run

Google+ is barely a few days old, but the criminal element already is capitalizing on users' interest in joining the new social networking service, according to Sophos. Researchers at the security firm have spotted a new campaign in which junk mailers are blasting out pharmacy spam disguised as invites to the online sharing portal. "[C]licking on the links will not take you to the new social network, but instead...to a pharmacy website set up to sell the likes of Viagra, Cialis and Levitra to the unwary," wrote Graham Cluley, senior technology consultant at Sophos, in a Friday blog post.
 

University of Central Missouri hacker pleads guilty

A 21-year-old man pleaded guilty this week to infecting computers with malware at the University of Central Missouri in Warrensburg, prosecutors said. Daniel Fowler of Kansas City, Mo. admitted to, beginning in 2009, taking remote control of the compromised computers -- with the help of a co-conspirator -- in order to download personal data on students, alumni, faculty and staff; transfer money into their personal student accounts; and attempt to change their grades. In one case, they used a thumb drive to install the keylogging trojan on a university administrator's computer. Fowler faces up to 15 years in prison. His co-conspirator, Joseph Camp, 27, of New York state, who was caught after he tried to sell some of the stolen data for $35,000, is scheduled for trial in the fall, according to reports.