Sunday, March 28, 2010

Big Players To Spy On IPv6-Enabled Users

"Leading Web content providers -- including Google, Yahoo, Netflix and Microsoft -- are conducting early-stage conversations about creating a shared list of customers who can access their Web sites via IPv6, the long-anticipated upgrade to the Internet's main communications protocol.

"The DNS Whitelist for IPv6 would be a list of IP addresses that have functioning IPv6 connectivity. Content providers would use this shared DNS Whitelist to serve up content to these IP addresses via IPv6 rather than through IPv4, which is the current version of the Internet Protocol. Web site visitors not listed on the DNS Whitelist for IPv6 would receive IPv4-based content...

"Content providers say they need a DNS Whitelist for IPv6 because the Internet has so many broken IPv6 links due to problematic default behavior and incompatibilities in operating systems, home gateways and customer premises equipment. Without a whitelist to help sort out which customers can and cannot receive IPv6 content, Web developers say they will inadvertently block too many customers from accessing their content."

From NetworkWorld...

Friday, March 26, 2010

Tweeker Busted For High School Hack

"A 21-year-old former Evergreen Public Schools student has pleaded guilty to criminal charges in connection with a computerized payroll security breach in November that put more than 5,000 past and current Vancouver Public Schools employees at risk of identity theft.

"Christopher Berge, a 2006 Mountain View High School graduate last known to live in Oregon City, Ore., was sentenced to 10 years in prison on Wednesday by Clark County Superior Court Judge Roger Bennett.

"Berge pleaded guilty to 31 counts, including 24 counts of second-degree identity theft, first-degree computer trespass, forgery and possession of methamphetamine."

More at The Columbian...

MS, Adobe, Apple Bitch-Slapped At Pwn2Own

"The only researcher to `three-peat` at the Pwn2Own hacking contest said today that security is such a `broken record` that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.

"Instead Charlie Miller will show the vendors how to find the bugs themselves.

"Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. `We find a bug, they patch it,` said Miller. `We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that.`"

From ComputerWorld...

Thursday, March 25, 2010

Unemployed IT Worker Of The Month

"A Frenchman who broke into Barack Obama and Britney Spears' Twitter feeds insisted Thursday he is no hacker but a `kind pirate` seeking to expose security weaknesses.

"`I did not act with a destructive aim ... I wanted to warn them, to show up the faults in the system,` said the 23-year-old, who was arrested Tuesday after an operation by French police and FBI agents.

"The curly-haired unemployed computer technician wore a pair of slippers adorned with smiley faces as he sat in his parents' home in central France and told of how he broke into the popular micro-blogging site.

"Francois C., who spoke to AFP on condition that his full surname not be used, is accused of breaking into Twitter and Google accounts, including ones used by US president Obama and pop star Spears..."

Full article at

Monday, March 22, 2010

Hinky Dink Publishes Koobface Data

"Mr. Hinky Dink, a Big Time Security Professional™ today released an analysis of the spread of the Koobface worm. Based on an exhaustive study of his database of over two and a half million open Web proxies collected over two years, Hinky’s findings demonstrate where the most vulnerable social networking users can be found.

"`With more losers piling into social networking sites this trend is very likely to continue,` said Hinky. `This study highlights the cities with the most gullible users on the Internet. This study will no doubt help cybercriminals, script kidz, and Cameroonian puppy scammers target their next online marketing campaigns.`"

Read the complete report here.

Can You Hack Me now?

"Malware-tainted memory cards may have ended up on as many as 3,000 HTC Magic phones, a greater number than first suspected, Vodafone said today.

"The problem came to light earlier this month after an employee of Panda Security plugged a newly ordered phone into a Windows computer, where it triggered an alert from the antivirus software.

"Further inspection of the phone found the device's 8GB microSD memory card was infected with a client for the now-defunct Mariposa botnet, the Conficker worm and a password stealer for the Lineage game.

"Vodafone said it was an isolated incident, but an employee at Spanish security company S21sec discovered another phone with an infected card, which it sent to Panda. That phone was purchased directly from Vodafone's Web site in the same week as the first phone, according to Panda.

"It is unclear how the batch of memory cards became infected and an investigation is under way, said a spokesman for Vodafone in Spain."

More at ComputerWorld...

Saturday, March 20, 2010


"Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.

"Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.

"`The vulnerability was determined to be critical and could result in remote code execution by an attacker,` Mozilla acknowledged in a post to its security blog late Thursday. `The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.`

"Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30..."

From ComputerWorld...

Tuesday, March 16, 2010

Big Brother 2.0

"The Feds are on Facebook. And MySpace, LinkedIn and Twitter, too.

"U.S. law enforcement agents are following the rest of the Internet world into popular social-networking services, going undercover with false online profiles to communicate with suspects and gather private information, according to an internal Justice Department document that offers a tantalizing glimpse of issues related to privacy and crime-fighting.

"Think you know who's behind that `friend` request? Think again. Your new `friend` just might be the FBI..."

More at

Thursday, March 11, 2010

IE Users PWN3D By 0day... Again

"Hackers are exploiting the just-disclosed unpatched bug in Internet Explorer (IE) to launch drive-by attacks from malicious Web sites, security researchers said today.

"`This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out,` said Craig Schmugar, a threat researcher at McAfee, in a blog post today.

"Attacks are launched from Web sites in a classic drive-by fashion, said Schmugar and others. `Visiting the page is enough to get infected,` Schmugar said."

From ComputerWorld...

The First Rule Of Govt. Info Security...

"Last week, Pennsylvania’s chief information security officer Robert Maley was at an information security conference in San Francisco talking about a hacking incident involving PennDOT’s computers. This week, Maley is gone.

"Gary Tuma, Gov. Ed Rendell’s press secretary, confirmed that Maley is no longer employed by the state, but he declined to comment further, saying it is a personnel matter.

"Attempts to contact Maley yesterday were unsuccessful.

"Danielle Klinger, a spokeswoman for the state Department of Transportation, said the agency is not aware of any hacking or breach that occurred involving scheduling system for its driving test. However, she said that a few weeks ago, `we did discover an anomaly and we have actually turned that over to [the state police] for further investigation. We’re not sure what that anomaly is, but it is being investigated. Unfortunately, I can’t provide any more details on it.`"

More at

Monday, March 8, 2010

Energizer Bunny Arrested, Charged With Battery

"A USB charger from Energizer uses software that contains a Trojan, according to US-CERT. The software was apparently developed outside the U.S. and may have been giving hackers access to PCs since 2007. An analyst said trust in the Energizer bunny may have led many consumers to install the DUO USB charger malware even with a warning.

"US-CERT researchers said Friday that the software that installs with the Energizer charger contains a Trojan horse that gives malicious hackers a back door into Windows machines.

"`An attacker is able to remotely control a system Relevant Products/Services, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user,` US-CERT said. `Removing the Energizer USB charger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts.`"

More at

Trust No One 2.0

"Facebook founder Mark Zuckerberg has been accused of hacking into the email accounts of rivals and journalists.

"The CEO of the world's most successful social networking website was accused of at least two breaches of privacy in a series of articles run by
As part of a two-year investigation detailing the founding of Facebook, the magazine uncovered what it claimed was evidence of the hackings in 2004.

"In the first instance, it said that, when Zuckerberg discovered that Harvard's student newspaper The Crimson was planning on running an article on him in 2004, he used reporters' Facebook logins to hack into their accounts.

"In the second instance, the magazine claimed Zuckerberg hacked into the accounts of rivals at Harvard who accused him of stealing their idea for a social network. He then allegedly tried to sabotage the rival network they had set up..."

Read thw whole story here...

Thursday, March 4, 2010

Insurance Companies Leverage Facebook To Raise Your Rates

"Any town U.S.A. You walk into a store and notice someone you recognize, from Facebook. But you really don’t know the individual; only online have you “met” that person. You have shared a note, or played a game on Facebook, Myspace, or other media website. You can choose to say hello or ignore them. That choice is up to you.

"Sometime in the future, you wind up in a car accident and suffer physical injuries that you decide can be claimed in a lawsuit against the insurance company. Now your friends on Facebook may not have any choice of getting to know you up close and in person. You may not even be aware that they are being questioned.

"Insurance companies are beginning to demand access to information about you and they do not want your explicit consent. In a Globe and Mail report, the insurance industry wants to use sites such as Facebook to collect and use background information collected to contradict any evidence you have used in your claim for damages.

"The first thing the insurance lawyers will do in court is to ask plaintiffs if they have Facebook accounts and demand a court order to review those account — even if you have always had your privacy settings configured to be not searchable by Google or other services. And if somehow they find out that you are on Facebook and you said no, chances are your lawsuit against the insurance company may fail. And so the game begins. The lawyers will have access to everything about you; your friends are also now exposed and may be questioned about your online habits what you are doing online, personal messages are read and now your friend’s privacy is also vulnerable - even if you have never met them in person..."

Morre at ZDNet...

XP Users Helpless Against New Web Hack

"Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

"In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

"`The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,` read the advisory. `If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.`"

From ComputerWorld...