Archive for March, 2006
Author: Dave Lewis
March 24, 2006 at 8:47 pm · Filed under News, Politics
In a move that can only been seen as the Bush administration getting back at Checkpoint for refusing to open it’s source code. The Israeli based company has dropped it’s attempt to purchase Sourcefire Inc. This on the heels of a very rare investigation by the Committee on Foreign Investments. If you recall this is the same committee that rubber stamped the sale of US port security to a company from the United Arab Emirates.
The U.S. committee has concluded only 25 full-blown investigations in more than 1,600 business transactions it has reviewed since 1988. In roughly half the investigations, companies pulled out of the deal rather than face imminent rejection.
Article Link
Author: Dave Lewis
March 23, 2006 at 8:13 pm · Filed under News
Basic computer and network security has been thrown to the wind at the US Missile Defense Agency. A report that was posted on MDA’s website was removed after FCW posted a story on it. The agency along with it’s contrator, Boeing, had serious flaws that included access to the network without the need for a individual passwords or any audit logs.
Neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on the unencrypted communications network under development by Northrop Grumman because such a requirement “was not in the contract,” according to the report. However, current DOD policies require such automated network monitoring.
Gotta love project managers. If an item is not “in scope” it is dropped faster than a flaming bag of…
This particular network was developed to conform to DoD policies from 20 years ago (genius). To make things even worse Boeing did not take steps to verify that people with access to the network had the proper security clearances until a year later. There is so much more to this story that ou simply have to read the article. As for the report? Well there is a link to it here (via FCW.com)
Article Link
Author: Dave Lewis
March 23, 2006 at 4:52 pm · Filed under News
The folks at ElcomSoft have discovered a flaw in the Password Safe product. PasswordSafe was originally written by security guru Bruce Schneier. This has since been rolled into an open source project. This product permits a user to save his/her passwords in an encrypted database that can reside on your local system or a USB key.
However, there is even more serious security flaw in version 3.0,
which allows to recover 256-bit database encryption key in a
reasonable time (under certain conditions). And with the recovered
encryption key, it is to decrypt all database records (logins,
passwords, etc) without the master password (so-called “Safe
Combination”).
Fun and games.
Article Link
Author: Dave Lewis
March 23, 2006 at 4:43 pm · Filed under ID Theft, Privacy
This is nuttier than a sh!t house rat. E&Y have lost ANOTHER laptop…yes, another one. This time exposing the data of 40,000 BP workers.
Ernst & Young has sent out a letter to all 38,000 BP employees in the US, telling them that a laptop theft had exposed their names and social security numbers.
Let’s check some of their hit parade.
1. 200,000 HP staff exposed as laptop lost
2. Lost Ernst & Young laptop exposes IBM staff
3. Ernst & Young loses four more laptops
…sigh when will it end? On a related note E&Y will be having a resume writing tutorial 
Article Link
Author: Dave Lewis
March 23, 2006 at 4:25 pm · Filed under Exploit
There is a new exploit for the recently announced IE vulnerability. Secunia posting for the “createTextRange()” Code Execution vulnerability can be found here. Microsoft has posted a workaround for the problem with IE here And of course the US-Cert posting here. So, what’s the impact then? Well, by convincing a user to open a specially crafted web page, a remote unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. Yeah, that’s bad, m’kay. Pickup Firefox today!
Article Link
Author: Dave Lewis
March 23, 2006 at 2:49 pm · Filed under Exploit
OK, we get it. Internet Explorer sux. If you haven’t done so already change over to Firefox now! This bug/hole/vulnerability is the latest in a string of problems with IE.
The flaw was reported to the company earlier this month by Jeffrey van der Stad, a 25-year-old Dutch programmer. The problem is related to the way the browser processes so-called HTA files, Microsoft said in an e-mailed statement. HTA files are associated with Web applications.
Microsoft has managed to put a muzzle on van der Stad when they had him take down details of his findings from his website. No doubt an opportunity to stall for more time. Check out his website for the latest.
Article Link
Author: Dave Lewis
March 23, 2006 at 2:22 pm · Filed under ID Theft, Privacy
What is going on out there? There has been a rash of lost laptops pf late.
Link: Lost Ernst & Young laptop exposes IBM staff
Link: Ernst & Young loses four more laptops
Now, financial services company Fidelity Investments has added to the mix with a lost laptop of their own. This latest “oops” has managed to potentially expose 196,000 current and former HP employees.
“This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation,” employees learned via email.
Article Link
MSNBC Link
Author: Dave Lewis
March 23, 2006 at 2:16 pm · Filed under Hacker
It had to happen eventually. The furry toothed critters at ISS’s X-Force have discovered a vulnerability in Sendmail. This would allow attackers to gain full access to the affected networks.
“Due to its high popularity and extensive deployment throughout the internet, this vulnerability represents a serious risk to organisations that rely on Sendmail for email services,” said Gunter Ollmann, director of ISS X-Force, which discovered the flaw.
Article Link
Been there before with the 1988 Morris Worm.
Author: Dave Lewis
March 23, 2006 at 2:11 pm · Filed under Malware
Please please…patch your Windows boxes people and use anti virus that works! Why, well I’ll tell you why. A stealthy bot Trojan has been infecting machines via drive-by-downloads for months, and may have infected a million PCs. It aims to pillage personal bank accounts.
Article Link
Author: Dave Lewis
March 23, 2006 at 1:51 pm · Filed under Privacy
There is a new bill before the Senate on surveillance in the US. This seems to be some backpedalling with regards as to whether or not the NSA monitoring of US citizenry was legal. Well, here is an attempt to make it legal.
(1) the President determines that the surveillance is
necessary to protect the United States, its citizens, or its
interests, whether inside the United States or outside the
United States;
(2) there is probable cause to believe that one party
subject to the surveillance is an agent or member of a group or
organization, affiliated with a group or organization, or
working in support of a group or organization on the list
established under section 3;
(3) the surveillance is initiated and conducted in a manner
reasonably designed to acquire only communications to or from
the United States where–
(A) at least one party to such communications is
reasonably believed to be physically located outside
the United States; or
(B) such communications appear to originate or
terminate outside the United States;
(4) there is not a substantial likelihood that the
surveillance will acquire the substance of any communication
where every party to such communication is physically located
within the United States;
(5) a significant purpose of the surveillance is to obtain
foreign intelligence information; and
(6) minimization procedures are in place with respect to
the surveillance which meet the standards for minimization
procedures under section 101(h) of the Foreign Intelligence
Surveillance Act of 1978 (50 U.S.C. 1801(h)).
The short story is that this will permit the government to monitor US citizens for at least 45 days in order to “determine” if there is any malfeasance.
Article Link
« Previous entries ·
Next entries »
Explore
Security Bloggers Network
