Tuesday, December 15, 2009
You Are So ROCKED
"It’s no secret that most people use the same password over and over again for most of the services they sign up for. While it’s obviously convenient, this becomes a major problem if one of those services is compromised. And that looks to be the case with RockYou, the social network app maker.
"Over the weekend, the security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the service’s entire list of user names and passwords in the database, they warned. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that’s not before at least one hacker gained access to what they claim is all of the 32 million accounts. 32,603,388 to be exact. The best part? The database included a full list of unprotected plain text passwords. And email addresses. Wow..."
More at TechCrunch...
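As an added illustration of the two weaknesses in the RockYou report (injectable SQL and passwords stored in the clear), the following example code is not from the article or from RockYou: a constructed in-memory SQLite store that binds query parameters and keeps only salted PBKDF2 hashes, shown beside the concatenated-query pattern it replaces. The table name, column names and sample account are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for a user table; no real accounts involved.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

PBKDF2_ROUNDS = 200_000  # deliberately slow: raises the cost of offline guessing


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the password itself is never written to the table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt, so identical passwords hash differently
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))


def verify_login(email: str, password: str) -> bool:
    # Parameterised query: the e-mail is bound as data, never spliced into SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def lookup_unsafe(email: str) -> list:
    # The pattern behind injection flaws: untrusted input concatenated into SQL.
    # Kept only for the contrast with lookup_safe; never use this form.
    return db.execute(
        "SELECT email FROM users WHERE email = '" + email + "'").fetchall()


def lookup_safe(email: str) -> list:
    # Same query with the value bound: quotes in the input stay ordinary characters.
    return db.execute("SELECT email FROM users WHERE email = ?",
                      (email,)).fetchall()
```

A dump of this table yields salts and hashes only; recovering a password still costs a PBKDF2 run per guess per account.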
Thursday, December 10, 2009
Microsoft Sat On IE 0day For Months
"Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.
"According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed 'K4mr4n' posted attack code to the Bugtraq security mailing list on Nov. 20.
"iDefense's Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.
"IE6 and IE7, two versions of Microsoft's browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat."
More at ComputerWorld...
Wednesday, December 9, 2009
HAWT New Haxx: RAM Scrapers
"Forget keyloggers and packet sniffers. In the wake of industry rules requiring credit card data to be encrypted, malware that siphons clear-text information from computer memory is all the rage among scammers, security researchers say.
"So-called RAM scrapers scour the random access memory of POS, or point-of-sale, terminals, where PINs and other credit card data must be stored in the clear so it can be processed. When valuable information passes through, it is uploaded to servers controlled by credit card thieves.
"While RAM scrapers have been around for a few years, they are a 'fairly new' threat, according to a report released Wednesday that outlines the 15 most common attacks encountered by security experts at Verizon Business. They come in the wake of Payment Card Industry rules that require credit card data to be encrypted as it passes from merchants to the processing houses.
"'They are definitely a response to some of the external trends that have been going on in the cybercrime environment,' says Wade Baker, research and intelligence principal for Verizon Business. 'Within a year, we've seen quite a few of them in the wild.'"
More at The Register...
Labels: cybercrime, HAXX, identity theft, RAM scrapers
Monday, December 7, 2009
First, We Hack All The Lawyers...
"The FBI has some advice for law firms: Be careful.
"The agency recently issued a warning alerting firms that what may appear to be e-mails from clients or contacts could instead be from hackers trying to infiltrate law firm databases.
"The FBI says it has 'high confidence' that hackers are targeting legal and public relations firms.
"'Opening a message will not directly compromise the system or network because the malicious payload lies in the attachment or linked domain,' the warning reads. 'Infection occurs once someone opens the attachment or clicks the link, which launches a self-executing file and, through a variety of malicious processes, attempts to download another file.'
"... It’s no surprise that law firms are being targeted, said Rohyt Belani, co-founder of the New York-based Intrepidus Group, an information security consulting and software company. 'If I can get on a senior partner’s machine or the system administrator’s machine, I’ll get access to the keys to the kingdom for the entire network. A law firm is a place where a lot of sensitive data for different [companies] is collected.'"
More at the Wisconsin Law Journal...
Labels: cybercrime, cyberscams, HAXX, spear phishing
Microsoft Buys Some Gartner™ "Research"
"Business analyst Gartner says proprietary office suites will continue to dominate over web-based office suites because there is a significant performance gap between full-function suites and web-based versions. Gartner points out that one of the biggest gaps is the lack of complete offline services.
"In a report titled 'The State of Google Apps', Gartner argues that Google Apps is not an adequate substitute for Microsoft Office.
"In the short term, Gartner says, few big enterprises would be likely to disrupt what they already have in place for Google's offerings. Changing even something such as the email system in the workplace could be costly and cause problems for security, training staff, service levels and technology."
More at smh.com.au...
Friday, December 4, 2009
Facebook Users PWN3D By Rubber Ducky, Cats
"In research commissioned by The Daily Telegraph, which has shocked even top fraud squad police, almost half of users in their 20s agreed to a request from a rubber duck to be Facebook 'friends'.
"A similar result occurred with a group of internet users in their 50s, with many agreeing to be Facebook friends with a photo of two cats.
"Many of the Facebook users in both age groups volunteered some of their most intimate details to both the rubber duck and the cats, including their full date of birth, workplace, email address and location. Some even volunteered full addresses and phone numbers without prompting.
"The study was conducted by leading internet security firm Sophos.
"It has raised serious questions about the wisdom of average internet users, given the friend requests were sent without any introduction."
More at The Daily Telegraph...
Thursday, December 3, 2009
Believe It? You Will.
Some Things Never Change
"AT&T got some bad news from Consumer Reports this week, as the magazine's latest survey shows that the carrier now has the lowest level of customer satisfaction in the U.S.
"AT&T got its lowest marks in the survey for its voice services, as it was the only wireless carrier in the United States to receive below-average marks for its voice quality. Verizon received above average marks for its voice service while T-Mobile and Sprint both received average marks. AT&T also received subpar remarks across the board for its customer service while receiving average marks for its text-messaging and data services."
From ComputerWorld...