
DoD computer systems have apparently been taking ‘fire’ from Russian hackers.
From the LA Times:
Reporting from Washington — Senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia — an incursion that posed unusual concern among commanders and raised potential implications for national security.
Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.
This comes at a time of increasing tension between the two countries. The true nature of the attack remains a bit of a mystery for the time being. Well, at least for those of us who are members of the public. I have little doubt that the folks in the know have a clear idea of the target of the attacks.

I guess the world economy isn’t taking the piss out of everyone. Today we get word (thx tipster) that security firm Next Generation Security Software Ltd (“NGSS”) has been purchased by the NCC Group.
From the NCC Group Website:
NCC Group plc (LSE: NCC, “NCC Group” or “the Group”), the international, independent provider of Escrow Solutions, Assurance Testing and Consultancy, has acquired Next Generation Security Software Ltd (“NGSS”), a security and testing company, for a maximum consideration of up to £10.0m in cash.
This is the third acquisition by NCC Group in less than two years and as well as complementing its own capabilities in the network, testing and software security market; it will also substantially strengthen the Group’s position in this fast growing sector.
An all cash deal? Yup, the market is still good for some folks.
Congrats to David Litchfield and crew.

CBS.com, one of the highest ranking sites on the web according to Quantcast (3.9 million visitors over 4 months) and Alexa (which ranked it 964 overall), was compromised by hackers apparently operating from Russia. The security firm Finjan discovered the breach and alerted CBS.
From Finjan:
The cybercriminals added a malicious obfuscated script to the infected page. The injected script injects a malicious IFrame to the page.
The injected IFrame automatically loads another malicious script from a remote server controlled by criminals in Russia, causing a possible installation of malware on the unsuspecting client machine. The remote Russian server is already down.
One can only wonder how many folks got nailed with this exploit as no doubt folks are checking the site as they enjoy their Thanksgiving weekend in the US.

To the bloggers out there using WordPress as their platform of choice: it’s time to upgrade. This release addresses a couple of security issues.
From Wordpress:
WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. We recommend everyone upgrade to this release.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
Please note that the jump from 2.6.3 to revision 2.6.5 is intentional. There is not, nor will ever be, a version of Wordpress at 2.6.4 due to a fake code release.
Right, on yer bike.

Today brings news that the spammers that were using McColo Corp have retaken their botnet and are back in the business of blasting out spam. As a tangent, we read Google’s response to the rise in pwned Gmail accounts.
From Google Online Security Blog:
We’ve seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners’ domains by unauthorized third parties. At Google we’re committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.
With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we’ve seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.
The thought by some folks was that this was due to a CSRF bug that was discovered in Sept 2007. According to Google this problem was addressed within 24 hours of the initial discovery.
Today I received an email from someone I know who had their Gmail account pinched by ne’er do wells. They were nice enough to blast out spam with his/her entire address book in the “To:” field.
Decidedly uncool.
What does this accomplish? Does this make the spammer money? Of course not. Does it piss off people that would like nothing better than to hunt the little peckerwoods down? You bet.
The long and the short of it is that we all need to take precautions when using any webmail account. Google offers this advice on how to help better protect oneself using HTTPS with Gmail. Is it bulletproof? No. But, it’s better than getting your password snarfed.

Good morning!
I may have actually lost it just prior to posting this. I cannot be held responsible for the content of this edition. It’s Dave’s fault, he gave me the password.
To the Americans – I sincerely hope you have a peaceful long holiday weekend with a combination of laughter, gratitude and a good night’s sleep or two.
Warm Regards,
The Intern
Click here to subscribe to Liquidmatrix Security Digest!.
And now, the news…
- The 5 Books Every IT Manager Should Read Right Now – Baseline
- Google admits breaking App Store rules – C-Net
- Juror dismissed over Facebook poll – The Register. And somehow this member of the brain trust made it through the jury selection process.
- Blue Box Evidence Images from the FBI, 1971 – Boing Boing
- You Gotta Try Mr. Tweet – Mashable
- Final judgment: SCO owes Novell millions (plus interest) – ars technica. Here’s one for the vultures of Intellectual Property claimants.
- Aussie government muffs plans for internet filtering – The Register
- Hardening the Linux desktop – IBM. We know we should do it, but do you?
- Bailout costs more than Marshall Plan, Louisiana Purchase, moonshot, S&L bailout, Korean War, New Deal, Iraq war, Vietnam war, and NASA’s lifetime budget — *combined*! – Boing Boing
- 7 Tips for Getting Along With Your Difficult Relatives over Thanksgiving – The Happiness Project
… and finally, we at the Digest really do care about you and familial harmony. We do.
Tags: News, Daily Links, Security Blog, Information Security, Security News

Sometimes I am amazed at human behaviour. Other times I’m too busy giggling to give a damn. Any guess as to my state of mind for this story? A man named Phillip Sherman, from Arkansas, apparently left his iPhone in a local McDonald’s restaurant. If it weren’t bad enough that he misplaced his phone (yes, I’m an iPhone addict) the guy didn’t have a passcode lock on.
Beyond the obvious security reasons for having done so (recent vulns notwithstanding) you would guess that he would be worried about someone glancing at the nude pics of his wife.
From Internet News:
After he returned to retrieve it, he said he discovered nude photos of his wife that he’d stored on his iPhone had been illegally distributed on the Internet without his consent.
Now he and his wife, Tina, are suing the McDonald’s Corp., the franchise owner and the store manager for $3 million in damages, according to the AP, for “suffering, embarrassment and the cost of having to move to a new home.” The suit says that Sherman left the phone at the McDonald’s in July and that employees promised to secure it until he returned.
So, for those of you playing the home game, he:
- lost his phone
- neglected to lock the screen
- had naked pics of his wife on the iPhone
- believed a bunch of teenagers working at a fast food restaurant
Now, they’re suing for $3 million?
Um, sec…”Hey sweetie, could you come in here? I feel like a run to McDonald’s”
Apply head to desk, repeat.

Knock, knock!
Who’s there?
Not me.
Not me, who?
What?
Thank you for reading, see you tomorrow!
And now, the news…
- YouTube Widescreen! – Mashable
- Mamas, don’t let your babies grow up to be Luddites – The Globe and Mail
- Cybercrime Servers Selling Billions of Dollars’ Worth of Stolen Information, Illicit Services – Dark Reading
- Google Patches Chrome File-Stealing Bug – CSO Online
- Whit Diffie on Encryption and PKI – CSO Online
- Reexamining AV in the control system – Digital Bond
- Replace Your Taskbar with Object Dock – The Washington Post
- iPhone Dev Team releases 2.2 jailbreak – Mobility Today
- Was Ebay’s BillMeLater Acquisition A Huge Blunder? – Tech Crunch

Good morning!
End of the month is in sight, and soon after, the end of the year. I’m wondering where 2008 went? Sign of getting old, I suppose. I hope 2009 brings resolution to some old things and also presents some new opportunities. The holidays are ramping up and the days fly even faster, now I’m musing about the passage of time. Shut up, Intern.
Ok.
Cheers!
And now, the news…
- Apple plugs a dozen iPhone security holes – Security Focus
- Stuff You Might Like – RiskAnalys.is. I’m only posting this because You Might Like it. Really.
- IBM authorizes OpenSolaris on mainframes – The Register
- Google Analytics – Yes, it is a security risk – The Register
- The nerd-geek-dork continuum – The Globe and Mail. I meant to post this earlier. Nerd Girl tends to spawn interesting conversations.
- Fed Blotter: Murder-For-Hire Plot Unfolds in Text Messages – Wired. … and the guy who dates this woman is serving in the military. Brilliance!
- How to launch a tech company in a weekend – CNN
See you tomorrow!

Another ID theft operator gets pinched.
From North Country Gazette:
Manhattan district attorney Robert Morgenthau said that 25-year-old Igor Klopov was sentenced Wednesday to 3 ½ to 10 ½ years in state prison. Klopov, a 24-year-old Russian with an expertise in mining the Internet to obtain personal information about potential victims, was able to gain information easily about the value of property, size of outstanding mortgages and existing lines of credit.
As ringleader of the identity theft ring, Morgenthau said Klopov generally targeted the home equity line of credit (HELOC) accounts of people who owned expensive properties and had large lines of credit.
Among the victims were a Silicon Valley couple, the head of a major credit reporting agency, and a wealthy Texas businessman. Morgenthau said Klopov found many of his victims through the Forbes 400 list. Many of the victims lived in states – such as Texas and California – where property deed information is available online.
And like that, poof, he’s gone. Probably would have been smarter to have gone after smaller fish to avoid detection. Gotta love greed sometimes. It makes smart people foolish. And foolish people dumber than a bag of wet socks.




