Privacy Digest

Firefox Infects Vietnamese Users With Trojan Code - Via Threat Level:

Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.

Starting in mid-Feburary,  Vietnamese users of Mozilla's open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.

The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.  read more »

oCERT.org - Open Source CERT:

The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

The service aims to help both large infrastructures, like major distributions, and smaller projects that can't afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.

oCERT also provides security vulnerability mediation for the security community, having reliable security contacts between registered projects and reporters that need to get in touch with a specific project regarding infrastructure security issues.

Last but not least oCERT provides aid with security vulnerability research and assessment.

(Read Original Article .)

Web firm sounds alert on criminal data trove - Via Reuters:

LONDON (Reuters) - A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.

Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".

"This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we've found in this very short time," Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.

The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain.  read more »

"Crimeserver" Full of Personal/Business Data Found - Via Slashdot:

Presto Vivace sends news of a server found by security firm Finjin that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjin dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjin notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming.

(Read Original Article - Via Slashdot.)

I just entered the promotion code h24870p43h8037 for the Cheerios Helping Hearts promotion that was inside the box of Cheerios that I had just finished. Then I figured that while I was at it I'd enter the promotion that was in the box I hadn't opened yet. Imagine my surprise when I opened the box flap and found the same promotion code h24870p43h8037.

At first I thought it was a printing mistake, but when I entered the code again. The site said that it was accepted and that a dollar was being donated. Hopefully that is what actually happened.

I wonder if its true for all the codes?

I was also happily surprised that no name and address information was required to activate the code.

Google backs open-source CERT group - Via Network World :

Google has thrown its weight behind a fledgling security reporting group for the open-source community.

The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.

Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products, keeping open-source distributors on top of flaws and helping small software projects ensure that users of their code are aware of any issues.  read more »

Google Backs Open-Source CERT Group - Via Slashdot :

alphadogg points to a Network World story, excerpting
"Google has thrown its weight behind a fledgling security reporting group for the open-source community. The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team. Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products.

(Read Original Article - Via Slashdot.)

Judge in Murdoch Hacker Trial Admonishes CEO - Via Threat Level:

A California judge overseeing the trial against a Rupert Murdoch company for allegedly hacking a competitor and helping pirates steal pay-TV content, admonished the CEO of the Murdoch firm for leaving the court without testifying. As a result of the CEO's action, the judge suggested that if his company loses the trial it could face shareholder lawsuits.

Multichannel News reports that U.S. District Court Judge David Carter made the comments on Friday after temporarily halting the trial in mid-testimony and dismissing the jury.  read more »

500 Thousand MS Web Servers Hacked - Via Slashdot:

andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that has been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."

(Read Original Article - Via Slashdot.)

Digital Deception - Via washingtonpost.com - Technology:

With a test, Web sites let people in and keep out computers set to unleash spam attacks. Now, computers are cracking the code.

Are you a human or a computer?

Over the Internet, it's getting harder and harder to tell.

Some of the common tests used by Web sites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted.

Last month, the human verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking.  read more »

White House Plans Proactive Cyber-Security Role for Spy Agencies - Via washingtonpost.com - Technology:

America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy that could be detailed by the White House as early as next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems.

"We've never looked at how all the unique things this government wages against others could be used to inform our defensive posture," said the official, who asked not to be named because the White House has not yet released details about the plan. "We really need to move from [the reality that] the advantage is always with the attacker to how we can have our offense better inform our defense to shrink that gap."  read more »

Declassified NSA Document Reveals the Secret History of TEMPEST - Via Threat Level:

It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis.

Then he noticed something odd.

Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether.  read more »

FBI Wants Authority To Filter Net Backbone - Via Slashdot: Your Rights Online:

Dionysius, God of Wine and Leaf, writes "There are places where criminal activity is centralized: the backbone hubs located in hosting facilities across the country. All of the Internet's activity, legal and illegal, flows through these 'choke points,' and the feds, of course, are already tapping those points and siphoning off data. What Mueller wants is the legal authority to comb through the backbone data, which is already being siphoned off by the NSA, in order to look for illegal activity."

(Read Original Article - Via Slashdot: Your Rights Online.)

Kraken Infiltration Revives "Friendly Worm" Debate - Via Slashdot:

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

(Read Original Article - Via Slashdot.)

Microsoft Gives Backdoor to Law Enforcement -- Well, Not Really - Via Threat Level:

Admit it. You always thought Microsoft had put a backdoor into its operating system to allow law enforcement agents to worm their way into your computer.

Now the proof is here. At least that's how some readers are interpreting a story out yesterday about a forensic tool that Microsoft is providing crime-stoppers to help them extract evidence from computers seized at crime scenes.

The Computer Online Forensic Evidence Extractor, or COFEE, is a USB memory stick that was "quietly distributed" to a handful of law-enforcement agencies last June, according to Seattle Times tech reporter Benjamin Romano. Romano says the portable device can "decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer."  read more »

Which Gov Agency Should Be Your Computer's Firewall? - Via Threat Level:

First the NSA says it needs to examine every search and email on the internet to prevent an e-9/11 attack, then President Bush signs a secret cyber-security Presidential Directive to make that possible, while the Air Force has set up a cyber warfare division where cyber-security is played like a game of Space Invaders.

Not to be left out on the cybarmegeddon! action, the Department of Homeland Security plans to spearhead a "Manhattan Project" attempt to secure the internet. But there's no way FBI chief Robert Mueller is gonna let DHS honcho Michael Chertoff have all the bits, so this week he told a House committee that G-Men need to be living in the tubes, too.  read more »

AT&T Denies Resetting P2P Connections - Via Slashdot: Your Rights Online:

betaville points out comments AT&T filed with the FCC in which they denied throttling traffic by resetting P2P file-sharing connections. Earlier this week, a study published by the Vuze team found AT&T to have the 25th highest (13th highest if extra Comcast networks are excluded) median reset rate among the sampled networks. In the past, AT&T has defended Comcast's throttling practices, and said it wants to monitor its network traffic for IP violations.  read more »