Wednesday, March 29, 2006


News Item 5642 Security Fix - Attacks on Unpatched IE Flaw Escalate - Brian Krebs on Computer and Internet Security - (washingtonpost.com)

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.

In an update to its Security Response Web log, Microsoft security program manager Stephen Toulouse said the attacks Redmond is seeing against the IE flaw "are limited in scope for now and are being carried out by malicious Web sites."

I have to call Microsoft out on both counts, and I think some of what I've uncovered so far about these attacks should make it clear that the situation is serious and getting worse by the hour.

According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country.


12:23:56 PM

News Item 5641 Web Site Attacks Against Unpatched IE Flaw Spike.

Web Site Attacks Against Unpatched IE Flaw Spike. An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)." [Slashdot]
12:19:23 PM

News Item 5640 Authorities get on top of spam Down Under | The Register

Australia has cracked down on junk mail with an industry code for tackling spam.

Under the new code, internet service providers (ISPs) will bear some of the responsibility for helping fight spam. Service providers must offer spam-filtering options to their subscribers and advise them on how to best deal with and report the nuisance mail. ISPs will also be compelled to impose "reasonable" limits on subscribers' sending email.

More than 680 ISPs will be affected in Australia; global email operators like MSN Hotmail and Yahoo! will also be hit by the legislation.

The code, which goes further than the 2003 Spam Act, is due to come into force in July. The previous act focused more on the spammers themselves.
12:14:50 PM

News Item 5639 Getting on Top of Spam Down Under.

Getting on Top of Spam Down Under. The Register is reporting that Australia has implemented a new industry code for the regulation of email with respect to spam. From the article: "Under the new code, internet service providers (ISPs) will bear some of the responsibility for helping fight spam. Service providers must offer spam-filtering options to their subscribers and advise them on how to best deal with and report the nuisance mail. ISPs will also be compelled to impose 'reasonable' limits on subscribers' sending email." [Slashdot]
12:12:06 PM

News Item 5638 Iran Cracks Down on Bloggers.

Iran Cracks Down on Bloggers. From sex to the Islamic bomb, Iranian blogs dive into the issues of the day. But the hard-line government, which can't stomach such openness, is cranking up an imposing censorship machine. [Wired News: Top Stories]
11:51:01 AM

News Item 5637 Deja Vu as Third Parties Ship IE Patches

Two well-respected Internet security companies have shipped unofficial patches for a critical flaw in Microsoft's Internet Explorer browser a full two weeks before the software maker's scheduled release of a comprehensive update.

With a wave of zero day attacks underway, eEye Digital Security and Determina offered separate hotfixes to provide temporary protection for IE users, but experts warn that the third-party patches carry a "buyer beware" tag.

As a general rule, Microsoft never recommends third-party updates because, without rigorous quality assurance testing, it is impossible to know what impact the unofficial fix might have on applications mandated in regulated industries or in-house applications.

Earlier this year, at the height of the WMF malware attacks, reverse-engineering guru Ilfak Guilfanov created a temporary patch that was recommended by experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure.

This time around, the SANS Storm Center is not recommending the temporary patch. In a diary entry, chief research officer Johannes Ullrich said the Microsoft-sanctioned workaround to turn off Active Scripting is sufficient to mitigate the risk from an attack.

However, eEye's co-founder and chief hacking officer Marc Maiffret said some IE users may experience problems on legitimate Web sites that require Active Scripting. "Our patch is not meant to replace the one Microsoft will release. It's only temporary protection and we're recommending it as a last-resort for people who need to have Active Scripting enabled," Maiffret said in an interview with eWEEK.


11:47:26 AM

News Item 5636 Two Unofficial IE Patches Block Attacks.

Two Unofficial IE Patches Block Attacks. Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix." [Slashdot]
11:44:31 AM

News Item 5635 Pay-per-email and the "Market Myth".

Pay-per-email and the "Market Myth". Bennett Haselton has written a thoughtful piece on the latest developments in the pay-for-email schemes making the rounds from some of the big players in the world of AOL. This one is really worth your time, so please click on and read what he has to say. [Slashdot]
11:38:05 AM

News Item 5634 HIPAA doesn't protect all health information, Ohio court rules

In what could be a landmark ruling, the Ohio Supreme Court has decided that the state's open records law supersedes the federal Health Insurance Portability and Accountability Act's privacy protections for medical records.

The decision may be the first in the country in which a conflict between a state's open records law and HIPAA was at issue, attorney John Greiner said. He represented the Cincinnati Enquirer newspaper in its successful suit to compel the city to release information about landlords and homeowners cited for lead paint violations.

Greiner said the ruling could affect areas beyond Ohio because many states have similar open records laws.

Joy Pritts, a privacy expert in Washington, D.C., said the ruling highlights a potential area of vulnerability in HIPAA protections for individuals' health records.

In its unanimous March 17 decision, Ohio's highest court found that the Cincinnati Health Department erred by citing privacy of personal health information when it refused to release records about the houses that were cited for lead paint contamination.


11:19:12 AM

News Item 5633 Too many eyes on personal health data | ajc.com ( by Former congressman and U.S. Attorney Bob Barr)

The most endangered species on the planet? It's not the snail darter. Or the Calabasas County jumping field mouse. No; it's the privacy of your medical information. In one of the worst examples ever of the federal government creating a problem, purporting to solve the problem and then making it much worse, the Congress and the Bush administration have made it all but impossible for you to maintain the confidentiality of your most personal information.

The problem began years ago, with the advent of the massive, government health payment system, Medicare-Medicaid. This bureaucracy blew a huge hole in the notion that the medical information of the citizenry was --- as reflected in the Hippocratic Oath --- confidential and sacrosanct, to be shared only by the patient, his or her doctor and the pharmacist, unless the patient consented to have the data shared more widely. Government-driven tax policies providing incentives for employer-provided health insurance made the problem infinitely worse.

[...]

Like virtually every aspect of our lives since Sept. 11, the federal government is using the excuse of "protecting us from acts of terrorism" to snatch what little privacy we might have had left. Claiming, for example, that having a single, standardized electronic system of health data in the country would help identify possible evidence of bioterrorism attacks, the administration is pushing Congress to pass a law forcing doctors and others who create, develop and maintain medical records to do so in accordance with federal standards.

Such a so-called National Health Information Network, with electronic health records on virtually every person receiving health care, would be the death knell of private medical information in America.

Why? Because it would be absolutely impossible once you visit a doctor, purchase a prescription drug or submit a claim to your health insurer to keep that information from being immediately transferred electronically to a massive database accessible by --- you guessed it --- every company out there with even the most remote claim to having something to do with "health care." Employers? You bet. Banks? Sure thing. Drug marketing firms? Of course. Law enforcement? Yessir.

Not only would the pending legislation blow an irreparable hole in the notion of patient privacy, but it would also prohibit states such as Georgia, which have laws that provide stronger protection for patient information than federal law, from doing so. The Republican Party --- which in an era long, long ago could perhaps have been relied on to deep-six such an anti-individual privacy and pro-government regulation proposal --- is sponsoring the legislation.

Yet, there is a solution. It is advocated by the Austin, Texas-based Patient Privacy Rights, among others from across the ideological spectrum. These organizations are proposing simply that clear language affirming that it is the patient who owns his or her medical information be incorporated into the pending legislation.

Will such a reasonable provision be included in the legislation? Only if we the people --- and our doctors --- demand it.


11:16:35 AM

News Item 5632 Mobile users to get more control of personal data.

Mobile users to get more control of personal data. Mobile subscribers will be able to easily control what applications can access their location and other personal information with software that's now commercially available from Redknee Inc., the mobile infrastructure software vendor said Tuesday. [Computerworld Privacy News]
11:08:56 AM

News Item 5631 Iran Cracks Down on Bloggers.

Iran Cracks Down on Bloggers. From sex to the Islamic bomb, Iranian blogs dive into the issues of the day. But the hard-line government, which can't stomach such openness, is cranking up an imposing censorship machine. [Wired News: Security Blanket]
11:06:59 AM

News Item 5630 The Internet's War of the Roses.

The Internet's War of the Roses. A Supreme Court ruling in the case of a wife who let police search for her husband's drug paraphernalia offers hope to privacy advocates. Just substitute "corporations" for "angry wife," and "your personal data" for "cocaine straw." Commentary by Jennifer Granick. [Wired News: Security Blanket]
11:04:05 AM

News Item 5629 Guess who's reading your e-mails

We've got a story coming out in Sunday's WorkLife section about employee privacy on the job. Electronic surveillance of workers and property is increasing, according to the article by Patricia Kitchen of Newsday.

Here's what employers today are doing, according to the article:
-- Monitoring and reviewing Web sites visited (76 percent of employers)
-- Storing and reviewing e-mail messages (55 percent)
-- Monitoring time spent on the phone and numbers called (51 percent)
-- Saving and reviewing employees' computer files (50 percent)
-- Monitoring time employees spend on computer, content, keystrokes entered (36 percent)
-- Taping employee phone conversations (22 percent)
-- Taping and reviewing voicemail messages (15 percent)

Is this acceptable? Nancy Flynn, executive director of the ePolicy Institute in Columbus, Ohio, says the provisions of the federal Electronic Communications Act can be translated this way: "The computer system is the property of the employer and as such the employer has the right to monitor Internet activity and e-mail. Employees should have no reasonable expectation of privacy."

11:02:33 AM

News Item 5628 Version 0.7 of the OSSEC HIDS is now available.

Version 0.7 of the OSSEC HIDS is now available. OSSEC HIDS is an open source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

This is one of the most improved versions so far. It now includes support for squid, pure-ftpd, postfix and AIX ipsec logs (in addition to a lot of improvements to the previous rules).

The integrity checking engine now allows granular options, where you can specify exactly what options you want to monitor (checksum, size, ownership, etc).

The rootkit detection had a lot of improvements too, reducing false positives on most systems and adding a lot of new anomaly checks to detect kernel-level rootkits.

We also have a new website, and the installer is available in 4 different languages (Portuguese, English, German and Turkish).
[LinuxSecurity.com]
10:52:02 AM

News Item 5627 Steganography FAQ.

Steganography FAQ. This FAQ about steganography, submitted by Aelphaeis Mangarae, discusses what it is, a brief history, how it works, how to detect it, and some tool talk. By Aelphaeis Mangarae. [Infosec Writers Latest Security Papers]
10:49:26 AM

News Item 5626 CYBEREYE: Security: Lots of lessons nothing learned

The issues of personal data security and identity theft broke into the national consciousness a year ago, when ChoicePoint reported that thieves had established accounts with the data broker to obtain sensitive information on 145,000 people.

Outrage was immediate, but the problem has persisted. Despite congressional hearings, a plethora of federal bills and the passage of laws in at least 22 states, data on more than 53 million people was stolen, lost or exposed in 121 more incidents over the next year, according to the Privacy Rights Clearinghouse. By far the largest exposure was at payment processor CardSystems Solutions Inc., which effectively was put out of business after data on 40 million people was hacked.

These breaches are not the work of genius hackers. Most hacks, like that at CardSystems, are the result of poor security and worse policy. Many breaches are just, well, stupid.

There were 30 reported thefts or losses of computers and nine cases of lost or stolen backup tapes in the last year. Some companies printed Social Security numbers on mailing labels, and one publisher recycled paper containing sensitive data to wrap bundles of newspapers for distribution.

It just goes to show you, no amount of legislation or technology is going to solve this problem. Laws and tools are needed, of course. But the problem will not be solved until the human beings involved start taking it seriously.
10:45:01 AM