If ever there was a case for checking your facts this is it, in a strange manner. Some poor fella that works for a gas company started having the phone ring off the wall with people threatening him and his wife. Why? A group of anti-Scientology hackers thought he was a hacker for the other side. It seems that they were miles from right.
From Recordnet.com:
A 59-year-old man and his wife received dozens of threatening telephone calls from anti-Scientology provocateurs after their home address and telephone number – and her Social Security number – were posted online by hackers who mistook the man for a pro-Scientology hacker, he said.
“Friday we started getting phone calls, me and the wife,” John Lawson of Stockton said Wednesday. “They’d just say, ‘We’re going to get you,’ this and that.”
The Pacific Gas and Electric Co. field clerk said he had “no clue what was going on” until a staff writer for Wired News, the online side of Wired Magazine, called.
The writer, Ryan Singel, said a group of hackers called the “g00ns” believed Lawson to be a hacker who disrupted a Web site frequented by members of Anonymous, a loose league of Internet troublemakers most recently engaged in upsetting the Church of Scientology. The g00ns are skilled hackers and were “pretty convinced that from their forensic work they had found the right guy,” Singel said.
Um, oops? It’s bad enough that they were engaging in threats (never smart) but, to do it to someone who had nothing to do with the entire affair. No word on if the cops will be able to run this to ground.
Tags: Scientology Hacking, John Lawson, Mistaken Identity
It can sometimes be difficult having the sword of Damocles dangling there. Pesky thing.
And now, the news…
- Keeping an Eye on China’s Security
- TSA Misses the Point, Again
- Damaged Cables Cut Internet in Mideast
- Microsoft Under Antitrust Scrutiny Until 2009
- Federal Government To Spend $30 Billion On New Security Efforts
- Terror Suspects Hone Anti-Detection Skills
- Three plead guilty in Nigerian spam scheme
- Remote-control robbery foiled
Click here to subscribe to Liquidmatrix Security Digest!
Tags: News, Daily Links, Security Blog, Information Security, Security News
Drop them all in gen-pop.
From MSNBC:
New York sex offenders would be required to reveal their online aliases to the state under legislation that aims to protect users of MySpace, FaceBook and other Web hangouts from Internet predators.
The identities would then be shared with social-networking sites, according to the bill written by Attorney General Andrew Cuomo’s office.
State law already requires offenders to provide Internet screen names, but the new legislation would clarify and expand what they must supply and permit sharing with online services. That would allow the sites to screen or remove offenders and notify authorities about any illegal behavior.
Tags: Internet Predators, Online Safety, NY Sex Offender Legislation
This could make for some very interesting reading. I have a strong feeling this will be little more than a spin tool. Why?
Example one:
Great Job Kip!
As a TSA Supervisor in Seattle since September 2002. I think the public’s feedback is going to be tremendously invaluable to the job TSA does daily.
And this:
As always, I expect TSA’s detractors to take the most negative information away from this blog. Or even to question why TSA is “blogging”. But I look forward to reading it, because there is a great deal of public misconceptions about who TSA is, what TSA does, and why the public still needs TSA to fulfill its mission.
Be prepared, Mr. Hawley, for comments both praising and scathing, but which will help you and TSA reconnect with the traveling public in a fruitful relationship.
Girding the loins. Heh. I hope this ends up being a successful vehicle for an open discussion. I remain skeptical for the time being.
Tags: TSA, TSA Blog, Airline Security
From the FYI mail bag,
From Secunia:
Description:
Cisco has acknowledged a vulnerability in Cisco Wireless Control System (WCS), which can be exploited by malicious people to compromise a vulnerable system.
From Cisco:
Vulnerable Products
Cisco WCS devices running software 3.x and 4.0.x prior to 4.0.100.0 are affected by this vulnerability. Cisco WCS devices running software 4.1.x and 4.2.x prior to to version 4.2.62.0 are also vulnerable.
Note: The version of WCS software installed on a particular device can be found via the WCS HTTP management interface. Select Help -> About the Software to obtain the software version.
Tags: Cisco Wireless, Cisco Wireless Vulnerability, Cisco Vulnerability
Some woman showed up on my doorstep this morning looking for her lost dog. The dog is named “Toto” or something. Heh. The wind here is blowing like a mad fiend. I’m curious if all of my shingles will still be there when all is said and done.
I’m a little embarrassed today. The Tripwire advisory that I sent out to the world had the wrong URL. Sigh. I have set up a catch for the misdirected folks. Sorry all and thanks to everyone who emailed to let me know. I do appreciate it. As an FYI I have 3 more vulnerabilities that are set for release at the end of February or shortly thereafter.
And now, the news…
- Barracuda defends open-source antivirus from patent attack
- Security of Voting Machine in German State Election Questioned
- 38,000 Social Security Numbers Potentially Exposed After Theft
- Security call after laptop theft affects 60,000 Scots
- Secure Computing Launches New PCI Initiative
- Dissident’s Arrest Hints at Olympic Crackdown
- O’Hare gets device to take all 10 fingerprints of foreign visitors to Chicago
- Giving Social Security data
Click here to subscribe to Liquidmatrix Security Digest!
Tags: News, Daily Links, Security Blog, Information Security, Security News
Aitel to Microsoft…Ya know what? Uh, uh.
From Computer World:
Security researchers yesterday said they’d discredited Microsoft’s claim that the year’s first critical Windows vulnerability would be “difficult and unlikely” to be exploited by attackers.
On Tuesday, Immunity Inc. updated a working exploit for the TCP/IP flaw spelled out Jan. 8 in Microsoft’s MS08-001 security bulletin, and posted a Flash demonstration of the attack on its Web site. The exploit, which was released to customers of its CANVAS penetration testing software — but is not available to the public — was a revised version of code first issued two weeks ago.
“This demonstrates conclusively that the MS08-001 IGMPv3 vulnerability is highly exploitable,” said Dave Aitel, Immunity’s chief technology officer, in a message to his Dailydave security mailing list.
Read on.
Tags: MS08-001, Microsoft Exploit, Dave Aitel
We love Bruce here at Liquidmatrix. He gave a keynote at Linux.conf.au.
From itnews.com.au:
Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.
These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.
“Camera companies are pushing it, but all the actual data points the other way,” Schneier said. “RFID is another one – the industry pushing it is very much distorting facts.”
The discussion of public security — which has always been clouded by emotional decision making -– has been railroaded by groups with vested interests such as security vendors and political groups, he said.
Public discussion which should be a security debate can be coloured by politics, he said.
All too often Myrcurial and I are subjected, in our respective day jobs, to the vendor induced “machine that goes ping” barrage of phone calls. In the past I have railed against vendors that play the Coke v Pepsi routine rather than telling me why their product is good. Bruce hits it on the head. It’s not about the machine with blinky lights. It’s about knowing you’re secure.
“It’s not enough to make someone secure, that person needs to also realise they’ve been made secure. If no-one realises it, no-one’s going to buy it,” Schneier said.
The goal must be to get the reality and perception matching up – so that security solutions aren’t lulling users into a false sense of security, or letting them exist in an unnecessary climate of fear.
Now, we will be selling a new spray called “FUDAWAY” for $49.99 (CDN) per can. Just one spritz and you’re secure.
Tags: Bruce Schneier, Security, Information Security
Summary
Name: Tripwire Enterprise/Server XSS Vulnerability
Release Date: 29 January 2008
Reference: LSD001-2008
Discover: Dave Lewis
Vendor: Tripwire
Product: Tripwire Enterprise/Server Management Web Interface
Systems Affected: version 7.0 (as tested)
NB. Earlier versions are affected as well. Please upgrade.
Risk: Less Critical
Status: Published
Reference:
http://www.liquidmatrix.org/blog/2008/01/29/advisory-tripwire-…ility/
Description
The Tripwire Enterprise management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user.
Technical Details
Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has been resolved.
The patch may be obtained from:
http://www.tripwire.com (Patch 866 “te-7.0.0.866_patch.zip”)
Notes
I would like to thank the Tripwire team for their professionalism. I should note that the release of this advisory does not in any way negatively alter my view that Tripwire is a great audit and control suite.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3
Tags: Security Advisory, Advisory, Triwpire, Tripwire Enterprise
I often wonder if I should publish a “secret decoder ring” so that some folks can grasp my sense of humour. Some people take me far too literally. Ah well, coffee in hand, bottoms up. I hope everyone has a great day.
And now, the news…
- Top Ten Web Hacks of 2007 (Official)
- The US federal government is given increased authority to monitor the Internet
- Bush looks to beef up protection against cyberattacks
- Honour for Colossus code-cracker
- More than 100 e-mails missing, Basi’s lawyer says
- Washington State Considers Passenger Rights Legislation
- IBM and Consul: A Year of Wedded Bliss in the Security Space
- School hackers not unusual
Click here to subscribe to Liquidmatrix Security Digest!
Tags: News, Daily Links, Security Blog, Information Security, Security News
