Archives in May, 2011

Experts suggest Lockheed hack attack down to RSA thieves

Security experts are suggesting that an attack on Lockheed Martin’s servers may have been carried out by the same hackers who infiltrated RSA’s systems earlier this year.
This week reports from within Lockheed Martin, one of the world’s biggest arms and aeronautics manufacturers, suggest that the company has suffered a major IT breach, and is overhauling its use of the RSA SecurID two-factor authentication technology.

Huh. Was Lockheed just using token authentication? Just because keys (seed records) have been compromised doesn’t mean anyone using RSA’s authentication solution is potentially compromised. Seed records are the “something you have” in two-factor authentication, but without the “something you know” and the mapping of these “somethings” to an actual person (account), authentication will not succeed.

I don’t even want to start on the “remote access into its servers”. Really? With the kind of work Lockheed does.
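As an added illustration of the point above (example code, not from the original post): a toy two-factor verifier in Python. It uses RFC 4226 HOTP in place of SecurID’s proprietary tokencode algorithm, and the account, seed and PIN are constructed values; it shows that a stolen seed lets one compute valid tokencodes, yet authentication still fails without the account’s PIN.

```python
import hashlib
import hmac
import struct

# Constructed demo record (not real SecurID data): the server maps an account
# to a token seed ("something you have") and a PIN ("something you know").
USERS = {
    "alice": {
        "seed": bytes.fromhex("3132333435363738393031323334353637383930"),
        "pin_hash": hashlib.sha256(b"4711").hexdigest(),
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the tokencode a token holding `seed` shows at `counter`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(user: str, pin: str, tokencode: str, counter: int) -> bool:
    """Two-factor check: the PIN and the tokencode must both match this account."""
    record = USERS.get(user)
    if record is None:
        return False
    pin_ok = hmac.compare_digest(
        hashlib.sha256(pin.encode()).hexdigest(), record["pin_hash"]
    )
    code_ok = hmac.compare_digest(hotp(record["seed"], counter), tokencode)
    # Both factors are required; a correct tokencode alone is not enough.
    return pin_ok and code_ok


if __name__ == "__main__":
    stolen_seed = USERS["alice"]["seed"]  # what a seed-record theft yields
    code = hotp(stolen_seed, 0)           # the tokencode is computable from the seed
    print("seed only:", authenticate("alice", "0000", code, 0))   # False
    print("seed + PIN:", authenticate("alice", "4711", code, 0))  # True
```

The seed is the RFC 4226 test-vector key, so counter 0 yields tokencode 755224; a verifier that checked only the tokencode would accept it, which is the single-factor failure the post warns about.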

Read more…

US dodges the question of whether its military built Stuxnet

I agree with the author. It would have been better to say “no comment”.

AS ANY POLITICIAN KNOWS, sometimes the best way to not answer a question is to completely skirt around it, but sometimes being evasive can say more than a thousand words.
In an interview on CNBC’s cyberwar documentary show CodeWars: America’s Cyber Threat, US deputy defence secretary William Lynn was caught in a trap of his own making. As Wired picked up, Lynn had some difficulty answering this straightforward sounding question: “Was the US involved in any way in the development of Stuxnet?”
Lynn responded with this confused sentence that didn’t really say anything, replying, “The challenges of Stuxnet, as I said, what it shows you is the difficulty of any, any attribution and it’s something that we’re still looking at, it’s hard to get into any kind of comment on that until we’ve finished our examination.”
Interviewer Melissa Lee pressed, “But sir, I’m not asking you if you think another country was involved. I’m asking you if the U.S. was involved. If the Department of Defense was involved.” To which Lynn replied, “And this is not something that we’re going to be able to answer at this point.”

Read more…

Microsoft is accused of giving misguided security advice

Say it isn’t so.

SOFTWARE FLOGGER Microsoft and Trend Micro have got into a dispute about the severity of a vulnerability in Internet Explorer that could allow a hacker to steal a victim’s cookies.
It all centres (not my spelling) around a vulnerability found by Italian security researcher Rosario Valotta called ‘cookiejacking’, or what is more well known as session hijacking. He said all versions of Internet Explorer have the bug, which if exploited can allow a hacker to steal data items from the web browser that are known as cookies.

Read more…

35 Million Google Profiles Dumped Into Private Database

Proving that information posted online is indelible and trivial to mine, an academic researcher has dumped names, email addresses and biographical information made available in 35 million Google Profiles into a massive database that took just one month to assemble.

University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled the database as an experiment to see how easy it would be for private detectives, spear phishers and others to mine the vast amount of personal information stored in Google Profiles. The verdict: It wasn’t hard at all. Unlike Facebook policies that strictly forbid the practice, the permissions file for the Google Profiles URL makes no prohibitions against indexing the list.

Read more…

Google rolls out fix for Android security threat

Google has plugged a security hole that exposed the vast majority of Android phone users’ calendars and contacts when they accessed those services over unsecured networks.

“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” a company spokesman wrote in an email. “This fix requires no action from users and will roll out globally over the next few days.”

Read more…

‘Checkout Your PROFILE Stalkers’ scam spreading on Facebook

So this scam has been going around for the last week. You’ll most likely see the following on your news feed.

[Image: the “Checkout Your PROFILE Stalkers” post as it appears in the news feed]

If you find the monkey irresistible then you will be presented with another “copy and paste” technique. If you read my last post, this is not cross-site scripting (XSS). This is an attempt to get curious Facebook users to paste in a URL to manually direct their browsers to a malicious website.

Don’t click the monkey!

Facebook rolls out several security enhancements

Facebook has announced several initiatives designed to better protect its users, including improved content scanning, and the introduction of anti-cross site scripting and clickjacking technology.

Check this out.

“Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it’s a bad idea.”

Wow, that’s security! If you can detect a malicious link that a user pastes into the address bar, why don’t you prevent the person from posting it in the first place?

I like this one. Sorry for the Facebook pun.

Another major addition to Facebook’s security measures is cross site scripting protection.
“Spammers take advantage of another browser weakness by asking people to copy and paste malicious code into their address bar, which then causes the browser to take actions on those people’s behalf, including posting status updates with phony links and sending spam messages to all friends,” the blog post said.

This isn’t cross-site scripting. This is uneducated users.

Read more…but don’t believe it. There’s so much more Facebook needs to do.

Hackers turn Cisco phones into remote bugging devices

Internet phones sold by Cisco Systems ship with a weakness that allows them to be turned into remote bugging devices that intercept confidential communications in a fashion similar to so many Hollywood spy movies, SC Magazine reported.

Read more…

PlayStation Network hack launched from Amazon EC2

Yeah Cloud!

The hackers who breached the security of Sony’s PlayStation Network and gained access to sensitive data for 77 million subscribers used Amazon’s web services cloud to launch the attack, Bloomberg News reported.

The attackers rented a server from Amazon’s EC2 service and penetrated the popular network from there, the news outlet said, citing an unnamed person with knowledge of the matter. The hackers supplied fake information to Amazon. The account has now been closed.

Read more…

Facebook caught exposing millions of user credentials

Facebook has leaked access to millions of users’ photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

Read more…