Exploits
Software exploits that can compromise your privacy and security


  Sunday, February 18, 2007


Research: Highest Rates of U.S. Identity Fraud Found in New York. The study also finds that the Detroit and Los Angeles metropolitan areas have high rates of ID theft. [eWEEK Security]
10:01:01 PM    

Half of pirated Vista is malware. You can't cheat an honest person, they say. Like generations of scammers before them, some malware writers are taking that "advice" to heart, releasing their Trojan software and keyloggers as "cracked" versions of Vista on peer-to-peer services. Who's going to turn them in, after all -- a would-be pirate? [Computerworld Security News]
8:35:42 PM    

Some PayPal users plagued by security warnings, login woes. Some users of PayPal are having trouble logging into the site and are getting security warnings -- problems apparently tied to an SSL security certificate used by Omniture, which is gathering data for the online payment site. [Computerworld Security News]
8:33:17 PM    

Have you resold your data to crooks?  Eager to get into the identity-theft business? Don't bother breaking into a government employee's house or staking out an unsecured Wi-Fi hot spot. A recent study shows that a simple shopping jaunt on eBay or in a local used-tech store will pay off in personal info over half the time. [Computerworld Viruses News]
8:24:19 PM    

Firefox Flaw Could Let Attackers Change Cookies. Attackers could change the way Web sites are displayed and how they work. [eWEEK Security]
8:21:10 PM    

Handling False Positives and Creating Custom Rules.

It is inevitable; you will run into some False Positive hits when using web application firewalls. This is not something that is unique to ModSecurity. All web application firewalls will generate false positives from time to time. The following information will help to guide you through the process of identifying, fixing, implementing and testing new custom rules to address false positives.

Every rule set can have false positives in new environments
False Positives happen with ModSecurity + the Core Rules mainly as a byproduct of the fact that the rules are "generic" in nature. There is no way to know exactly what web application is going to be run behind it. That is why the Core Rules are geared towards blocking the known bad stuff and forcing some HTTP compliancy. This catches the vast majority of attacks.

Use DetectionOnly mode
Any new installation should initially use the log only Rule Set version or if no such version is available, set ModSecurity to Detection only using the SecRuleEngine DetectionOnly command. After running ModSecurity in a detection only mode for a while review the events generated and decide if any modification to the rule set should be made before moving to protection mode.

Don't be too hasty to remove a rule
Just because a particular rule is generating a false positive on your site does not mean that you should remove the rule entirely. Remember, these rules were created for a reason. They are intended to block a known attack. By removing this rule completely, you might expose your website to the very attack that the rule was created for. This would be the dreaded False Negative.

ModSecurity rules are open source
Thankfully, since ModSecurity's rules are open source, this allows you the capability to see exactly what the rule is matching on and also allows you to create your own rules. With closed-source rules, you cannot verify what it is looking for so you really have no other option but to remove the offending rule.

[Web Security Blog]
8:08:40 PM    
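The staged approach described in the item above (detection only first, then a scoped exception instead of deleting the rule, then a narrower custom rule), as an added Apache configuration example that is not from the Web Security Blog post or the ModSecurity project. It assumes Apache httpd with mod_security 2.x loaded and the Core Rules already included; the rule id, URL, parameter name and pattern are placeholders for illustration.

```apache
# Added example (not from the original post): staged ModSecurity 2.x rollout.
# Assumes mod_security 2.x is loaded and the Core Rules are included before
# this block. Rule id 123456, the /app/editor/save URL, the "body" parameter
# and the pattern are placeholders, not values from any real rule set.

<IfModule security2_module>
    # Stage 1: log every match but block nothing, so the Core Rules can be
    # observed against this particular application before enforcement.
    SecRuleEngine DetectionOnly

    # Keep full audit records only for transactions that triggered a rule
    # or produced an error status; that is what the review step reads.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Stage 2: review showed one rule firing on legitimate markup posted to a
    # single editor URL. Instead of deleting the rule site-wide, switch it off
    # only for that location; everywhere else it still blocks the attack it
    # was written for, so no false negative is introduced elsewhere.
    <LocationMatch "^/app/editor/save$">
        SecRuleRemoveById 123456
    </LocationMatch>

    # A custom rule that restores coverage for that location in a narrower
    # form: the editor may submit ordinary HTML in the "body" parameter, but a
    # script tag there is still refused. Chained rules must all match before
    # the disruptive action (deny) on the first rule is applied.
    SecRule REQUEST_URI "^/app/editor/save$" \
        "phase:2,chain,deny,status:403,log,msg:'Script tag in editor body'"
        SecRule ARGS:body "<script" "t:lowercase"

    # Stage 3: once the audit log is clean for a representative period of
    # normal traffic, switch from logging to blocking.
    # SecRuleEngine On
</IfModule>
```

Reload Apache after each change and re-run the review of modsec_audit.log before moving to the next stage; the scoped exception and the custom rule can be checked with a legitimate editor save and a save containing a script tag, respectively.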

Scanning Ajax for XSS entry points. This contribution from Shreeraj Shah, introduces one to a quick way to identify XSS entry points in an application. By Shreeraj Shah. [Infosec Writers Latest Security Papers]
6:36:31 PM    

Microsoft Warns of More Office Exploits.

Just days after Microsoft issued patches to plug some 20 security holes in its software, the software giant is warning users that bad guys are exploiting two more vulnerabilities in its Office product suite.

On Valentine's Day, Microsoft said it had received reports of a previously unknown flaw in Office 2000 and Office XP. Now, Symantec is reporting that there is a virus honing in on an unpatched PowerPoint bug. Microsoft has not confirmed that report.

We've seen this pattern before. Hackers wait until Microsoft issues its monthly batch of patches to start exploiting unpatched flaws that they've found or purchased from bug-finders. The hackers well know that they can exploit them for at least another four to eight weeks before Microsoft can offer a patch.

In early January, Security Fix published a study of critical patches Microsoft issued in 2006 for Office products. Those accounted for nearly half of all critical updates the company shipped last year. I predicted that Office would continue to be the company's Achilles heel this year, and so far that appears to be true. This latest PowerPoint bug could be the 14th critical security hole reported in Office this year. If it continues at this rate, Microsoft will have patched more than twice as many Office vulnerabilities by the end of this year than it did in all of 2006.

Be extremely cautious of opening e-mail attachments that you weren't expecting -- even if they appear to have been sent by someone you know and trust. If you harbor doubts about whether the sender really meant for you to click on an e-mail attachment, fire off a brief reply to confirm its validity before opening it.

[Security Fix]
3:01:36 PM    

DirectRevenue to Pay $1.5M in Adware Settlement. FTC charges that New York firm infected victims' computers with adware. [PC World: Latest Technology News]
2:58:55 PM    

Three Minutes: The FTC Chief Takes on Cybercrime. Computer crimes and annoyances are an increasing part of the FTC's work, says Deborah Platt Majoras. [PC World: Latest Technology News]
2:56:30 PM    

For Your Eyes Only? NOW | PBS

This week, NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private e-mails each day in the name of terrorist surveillance. News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the U.S. government to spy on e-mail traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos.
2:53:13 PM    


© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 3:46:18 AM.