Sunday, February 18, 2007


News Item 8496 Research: Highest Rates of U.S. Identity Fraud Found in New York.

Research: Highest Rates of U.S. Identity Fraud Found in New York. The study also finds that the Detroit and Los Angeles metropolitan areas have high rates of ID theft. [eWEEK Security]
10:01:01 PM

News Item 8495 DHS Nixes Use Of RFID In Border Security Program.

DHS Nixes Use Of RFID In Border Security Program. The US Department of Homeland Security's VISIT program will not use RFID technology to track foreigners leaving the country after a test of the system failed to impress officials. [Computerworld Security News]
9:53:07 PM

News Item 8494 The Doghouse: Onboard Threat Detection System.

The Doghouse: Onboard Threat Detection System.

It's almost too absurd to even write about seriously -- this plan to spot terrorists in airplane seats:

Cameras fitted to seat-backs will record every twitch, blink, facial expression or suspicious movement before sending the data to onboard software which will check it against individual passenger profiles.

[...]

They say that rapid eye movements, blinking excessively, licking lips or ways of stroking hair or ears are classic symptoms of somebody trying to conceal something.

A separate microphone will hear and record even whispered remarks. Islamic suicide bombers are known to whisper texts from the Koran in the moments before they explode bombs.

[Schneier on Security]
9:44:55 PM

News Item 8493 Half of pirated Vista is malware.

Half of pirated Vista is malware. You can't cheat an honest person, they say. Like generations of scammers before them, some malware writers are taking that "advice" to heart, releasing their Trojan software and keyloggers as "cracked" versions of Vista on peer-to-peer services. Who's going to turn them in, after all -- a would-be pirate? [Computerworld Security News]
8:35:42 PM

News Item 8492 Some PayPal users plagued by security warnings, login woes.

Some PayPal users plagued by security warnings, login woes. Some users of PayPal are having trouble logging into the site and are getting security warnings -- problems apparently tied to an SSL security certificate used by Omniture, which is gathering data for the online payment site. [Computerworld Security News]
8:33:17 PM

News Item 8491 Smokers may be the weak IT security link.

Smokers may be the weak IT security link. Just when you thought there were no more ills to ascribe to tobacco, here's one that leaves your lungs alone and attacks your network instead. A U.K. security company is warning that smokers may undermine IT security, leaving open doors that could let in intruders who could abuse a company's network. [Computerworld Security News]
8:28:48 PM

News Item 8490 Have you resold your data to crooks?

Have you resold your data to crooks?  Eager to get into the identity-theft business? Don't bother breaking into a government employee's house or staking out an unsecured Wi-Fi hot spot. A recent study shows that a simple shopping jaunt on eBay or in a local used-tech store will pay off in personal info over half the time. [Computerworld Viruses News]
8:24:19 PM

News Item 8489 Firefox Flaw Could Let Attackers Change Cookies.

Firefox Flaw Could Let Attackers Change Cookies. Attackers could change the way Web sites are displayed and how they work. [eWEEK Security]
8:21:10 PM

News Item 8488 Handling False Positives and Creating Custom Rules.

Handling False Positives and Creating Custom Rules.

It is inevitable; you will run into some False Positive hits when using web application firewalls. This is not something that is unique to ModSecurity. All web application firewalls will generate false positives from time to time. The following information will help to guide you through the process of identifying, fixing, implementing and testing new custom rules to address false positives.

Every rule set can have false positives in new environments
False positives happen with ModSecurity + the Core Rules mainly as a byproduct of the fact that the rules are "generic" in nature. There is no way to know exactly what web application is going to be run behind them. That is why the Core Rules are geared towards blocking the known bad stuff and forcing some HTTP compliance. This catches the vast majority of attacks.

Use DetectionOnly mode
Any new installation should initially use the log-only version of the rule set or, if no such version is available, set ModSecurity to detection-only mode using the SecRuleEngine DetectionOnly directive. After running ModSecurity in detection-only mode for a while, review the events generated and decide whether any modification to the rule set should be made before moving to protection mode.

Don't be too hasty to remove a rule
Just because a particular rule is generating a false positive on your site does not mean that you should remove the rule entirely. Remember, these rules were created for a reason. They are intended to block a known attack. By removing this rule completely, you might expose your website to the very attack that the rule was created for. This would be the dreaded False Negative.

ModSecurity rules are open source
Thankfully, since ModSecurity's rules are open source, you can see exactly what a rule is matching on, and you can create your own rules. With closed-source rules, you cannot verify what a rule is looking for, so you really have no option but to remove the offending rule.

[Web Security Blog]
8:08:40 PM
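The workflow the ModSecurity item above describes (run in detection-only mode, review events, then scope an exception to the false positive instead of deleting the rule) looks like this in an Apache/ModSecurity 2.x configuration. This is an added example, not configuration from the Web Security Blog post or from the Core Rules project: the rule id 950901, the /forum/post path, the "comment" argument and the Include path are placeholders for whatever your own audit log shows, and the custom rule ids 100001 and 100002 are assumed to be unused.

```apache
# Stage 1: a fresh deployment logs matches but never blocks.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Stage 2: exceptions driven by a ctl action go BEFORE the Core Rules are
# included, because ctl can only disable rules that have not yet run in the
# current transaction (rules execute in configuration order within a phase).
# Assumed scenario: placeholder rule 950901 (a generic SQL-injection signature)
# fires on legitimate prose in the "comment" field of /forum/post. The
# exception is scoped to that path and that argument only; 950901 keeps
# protecting every other URI and parameter. ctl sits on the last rule of the
# chain so it only fires when the whole chain matches.
SecRule REQUEST_URI "@streq /forum/post" \
    "phase:2,nolog,pass,id:'100001',chain"
    SecRule &ARGS:comment "@eq 1" "ctl:ruleRemoveById=950901"

# A narrower custom rule covers what 950901 no longer checks on that path:
# block only the classic tautology shape (e.g. "' or 1=1"), not every quote.
# While the engine is in DetectionOnly, "deny" is logged, not enforced.
SecRule ARGS:comment "(?i)\b(?:or|and)\b\s+\d+\s*=\s*\d+" \
    "phase:2,t:none,t:urlDecodeUni,t:compressWhitespace,deny,status:403,log,id:'100002',msg:'Custom: SQLi tautology in forum comment'"

# Assumed location of the Core Rules files.
Include conf/modsecurity/crs/*.conf

# Alternative for a whole-path exception: SecRuleRemoveById is applied at
# configuration time, so it may appear after the Include. Still scoped to a
# path rather than removed globally.
<LocationMatch "^/forum/">
    SecRuleRemoveById 950901
</LocationMatch>

# Stage 3: once the audit log no longer shows the false positive (and shows
# no new ones from the custom rule), switch to blocking.
# SecRuleEngine On
```

The check before flipping SecRuleEngine to On is the audit log itself: grep it for the rule id you scoped out and for your custom ids, and confirm that what remains is real attack traffic rather than your users' input. Removing 950901 globally would have been one line, but the chained exception keeps it active for every other parameter and path, which is the false-negative risk the post warns about.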

News Item 8487 Getting Clueful: Five Things You Should Know About Fighting Spam - technology - CIO

The battle for your users' e-mail inboxes probably will never end, but it's not a failure of technology. Experienced e-mail and system administrators share the key points they really, really wish you understood.
7:11:21 PM

News Item 8486 5 Things the Boss Should Know About Spam Fighting.

5 Things the Boss Should Know About Spam Fighting.   Esther Schindler writes  "Sysadmins and email administrators were asked to identify the one thing they wish the CIO understood about their efforts to fight spam. The CIO website is now running their five most important tips, in an effort to educate the corporate brass. Recommendations are mostly along the lines of informing corporate management; letting bosses know that there is no 'silver bullet', and that the battle will never really end. There's also a suggestion to educate on technical matters, bringing executives into the loop on terms like SMTP and POP. Their first recommendation, though, is to make sure no mail is lost. 'This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'"  [Slashdot]
7:09:51 PM

News Item 8485 Feds Pull Traveler Help Site.

Feds Pull Traveler Help Site. Homeland Security pulls down a website link for travelers with watchlist problems after 27BStroke6 points out security flaws. But TSA won't say whether the site was legal. In 27B Stroke 6. [Wired News: Top Stories]
7:04:38 PM

News Item 8484 How to Explain DRM to Your Dad.

How to Explain DRM to Your Dad. Several DRM-related scenarios help you explain the problem with digital rights management to people who don't see what's wrong with it. In Listening Post. [Wired News: Top Stories]
7:02:31 PM

News Item 8483 AOL and OpenID: Where we are

It's not really a secret that AOL has been experimenting with OpenID. As I've said, I think that user-centric, interoperable identity is hugely important to enable the social experiences we're trying to provide. This is a work in progress, but things are coming along thanks to our authentication team's diligent effort. Here's where we are today:
  • Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/<sn>.
  • This experimental OpenID 1.1 Provider service is available now and we are conducting compatibility tests.
  • We're working with OpenID relying parties to resolve compatibility issues.
  • Our blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier. (No Yadis yet.)
  • We don't yet accept OpenID identities within our products as a relying party, but we're actively working on it. That roll-out is likely to be gradual.
  • We are tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.
Update: Thanks for all the responses; I've posted a followup over on dev.aol.com.
6:59:33 PM

News Item 8482 AOL Now Supports OpenID.

AOL Now Supports OpenID. Nurgled writes  "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."  [Slashdot]
6:56:54 PM

News Item 8481 EFF: DeepLinks - RIAA to ISPs: Help Us Sue Your Customers Better

As if suing thousands of music fans isn't bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers' rights and make the overzealous file sharing lawsuits more profitable -- and the RIAA even has the audacity to suggest that this is all for your own good.

ISPs currently have no obligation to maintain IP log files, and that's a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs -- your ISP and any third party that has access to them can retrace your online activities.

But the RIAA wants ISPs to maintain (and disclose) a customer's IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce their initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could "exculpate" the customer, but of course those same records can also implicate the user. Funny, the labels don't mention that.

EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. Now the RIAA wants your ISP to voluntarily wield the knife, and there's no telling what else the RIAA might ask for once this cut has been made.

The RIAA also wants ISPs to keep customers in the dark about their legal options. Before the RIAA has even verified that the user is correctly identified, it wants ISPs to send along a note saying the user might be sued and can already settle potential claims. At the same time, the RIAA scolds ISPs for giving information to their customers that could help provide sound legal counsel. Instead, the RIAA wants ISPs to direct subscribers solely to the RIAA.

6:53:10 PM

News Item 8480 MPAA Violates Another Software License.

MPAA Violates Another Software License. Patrick Robib, a blogger who wrote his own blogging engine called Forest Blog, recently noticed that none other than the MPAA was using his work and had completely violated his linkware license by removing all links back to the Forest Blog site, not crediting him in any way. The MPAA blog was using the Forest Blog software but had completely stripped off his name and links back to his site. He only found out about it accidentally when he happened to visit the MPAA site. [Slashdot: Your Rights Online]
6:45:13 PM

News Item 8479 Scanning Ajax for XSS entry points.

Scanning Ajax for XSS entry points. This contribution from Shreeraj Shah, introduces one to a quick way to identify XSS entry points in an application. By Shreeraj Shah. [Infosec Writers Latest Security Papers]
6:36:31 PM

News Item 8478 FTC Files Complaint Against Pretexters.

FTC Files Complaint Against Pretexters. FTC says pretexting violates federal law, targets companies involved in HP scandal. [PC World: Latest Technology News]
3:04:09 PM

News Item 8477 Microsoft Warns of More Office Exploits.

Microsoft Warns of More Office Exploits.

Just days after Microsoft issued patches to plug some 20 security holes in its software, the software giant is warning users that bad guys are exploiting two more vulnerabilities in its Office product suite.

On Valentine's Day, Microsoft said it had received reports of a previously unknown flaw in Office 2000 and Office XP. Now, Symantec is reporting that there is a virus homing in on an unpatched PowerPoint bug. Microsoft has not confirmed that report.

We've seen this pattern before. Hackers wait until Microsoft issues its monthly batch of patches to start exploiting unpatched flaws that they've found or purchased from bug-finders. The hackers well know that they can exploit them for at least another four to eight weeks before Microsoft can offer a patch.

In early January, Security Fix published a study of critical patches Microsoft issued in 2006 for Office products. Those accounted for nearly half of all critical updates the company shipped last year. I predicted that Office would continue to be the company's Achilles heel this year, and so far that appears to be true. This latest PowerPoint bug could be the 14th critical security hole reported in Office this year. If it continues at this rate, Microsoft will have patched more than twice as many Office vulnerabilities by the end of this year than it did in all of 2006.

Be extremely cautious of opening e-mail attachments that you weren't expecting -- even if they appear to have been sent by someone you know and trust. If you harbor doubts about whether the sender really meant for you to click on an e-mail attachment, fire off a brief reply to confirm its validity before opening it.

[Security Fix]
3:01:36 PM

News Item 8476 DirectRevenue to Pay $1.5M in Adware Settlement.

DirectRevenue to Pay $1.5M in Adware Settlement. FTC charges that New York firm infected victims' computers with adware. [PC World: Latest Technology News]
2:58:55 PM

News Item 8475 Three Minutes: The FTC Chief Takes on Cybercrime.

Three Minutes: The FTC Chief Takes on Cybercrime. Computer crimes and annoyances are an increasing part of the FTC's work, says Deborah Platt Majoras. [PC World: Latest Technology News]
2:56:30 PM

News Item 8474 Is AT&T helping the NSA? First your phone calls and now your e-mails (For Your Eyes Only?) NOW | PBS.

For Your Eyes Only? NOW | PBS

This week, NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private e-mails each day in the name of terrorist surveillance. News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the U.S. government to spy on e-mail traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos.
2:53:13 PM

News Item 8472 For Your Eyes Only? (Breaking the Story) NOW | PBS

NOW's Deborah Runcie speaks to journalist Ryan Singel, who covers civil liberty and privacy issues, about his investigative work involving AT&T and the government's alleged secret surveillance of personal electronic mail. Singel's coverage appeared in Wired News.
2:43:54 PM