Microsoft's answer to Adobe's Flash is (unofficially) here, with prospects of higher-speed, higher-resolution video and for the first time, 3D.
T-Mobile's myTouch 3G, launched Wednesday, will be followed by two more Android phones later this year, but neither of them will be HTC's Hero.
A new alliance will place the retailer's own brand alongside the manufacturers', and could also lead to future partnerships on services.
The 4G Wireless standard that Verizon hopes to show off before this year is out is still at a loss for (spoken) words.
Lockdown with Angela Gunn: In the middle of a 15-page plea not to get regulated, a spark of smart thinking.
With a trio of Android phones now in the pipeline for 2009, T-Mobile hopes to break the iPhone's emerging stranglehold.
If Internet media services don't step up and build an attractive way for users to start paying for downloads, a commissioner says, government may do the job instead.
Though it's coming in behind LG, Samsung, and Microsoft, Sony will begin to offer Netflix streaming, too.
Carmi Levy: Wide Angle Zoom: Don't start the revolution just yet, says Carmi, who isn't so certain Chrome OS will be the "Windows Killer."
But are the computers to blame for the contract-guard fiasco at FPS?
Also: South Korea takes another round of DDoS abuse, and Neelie Kroes and Steve Ballmer may shake hands before she exits stage left.
A ZDNet blogger did some serious digging for clues as to a reported price break on multiple Windows 7 Home Premium licenses, and may have found it.
I have a little personality test for you today: Which of the following GAO findings released Wednesday made you laugh hardest about the Federal Protective Service's contract security guard program?
· The armed guard photographed at a Level IV (high volume / high public contact / high sensitivity) facility asleep at his desk after taking Percocet, a bottle of which is in front of him in a photo in the GAO report;
Continue reading GAO pen test brings the hammer down on federal rent-a-cops...
The problem with awful neighbors is that the drama never ends, as South Korea would doubtless be the first to tell you. Officials there, having scanned the code that powered the recent DDoS attacks on that nation (and, apparently, the US), were braced for attacks Thursday afternoon (local time) on seven agencies.
Continue reading What's Next: Chrome OS will have at least some friends in high places...
[Before we start, a note to everyone expecting a column about the Social Security Guess Mess: Something's come up re the topic and I'm going to hold off for a bit while I figure out if it's an interesting "something." Thanks for your interest and stay tuned.]
The paper titled "Self-Regulatory Program for Online Behavioral Advertising," brought to you by the four largest online advertising trade associations, is 15 pages long and includes sentences such as "The Principles apply to online behavioral advertising, defined as the collection of data online from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors."
Continue reading Data sharing among online advertisers: Is sanity in sight?...
Hey, guess what? Your Social Security number!
Afternoon of Monday, July 6, 2009 • Carnegie Mellon researchers have run the numbers, and with information on just your date and place of birth, they can predict with decent accuracy some or all of the digits of your Social Security number. The problem's especially severe for the 21-and-under crowd, whose numbers were uniformly assigned soon after birth and therefore conform especially closely to certain well-known numbering patterns. The authors of the survey said they were able to ID all nine numbers of test subjects' SSN in fewer than 1,000 tries for 8.5% of that population, making those numbers "no more secure than a three-digit PIN." In smaller states such as Delaware, they could guess 1 out of 20 numbers in 10 or fewer attempts. The research is available at the link above and will be presented today (Tuesday) on the Proceedings of the National Academy of Sciences. The authors will also present at Black Hat later this month.
Continue reading What's Next: Circling the wagons against cell phone exclusivity deals...
There's an old ActiveX control hanging around many Windows systems that's still accessible to Internet Explorer, whose original purpose was to tune into MPEG2 transport streams -- typically live video streams sent from a server using MPEG2 format. Yes, MPEG2 transport streams still exist, but these days, browsers including IE8 have appropriate plug-ins to handle them -- Windows Media Player is one, Apple's QuickTime is another.
But still there's this ActiveX control sitting there doing nothing, waiting to be leveraged for an attack. Earlier today, Microsoft acknowledged a SANS Internet Storm Center report saying that there's an active exploit of this disused bit of functionality published on Chinese Web sites. Apparently malicious users are utilizing it now in "drive-by" attacks that could result, say security experts including Sophos' Graham Cluley, in installation and execution of nearly any malicious payload.
Continue reading Don't wait for Microsoft's patch: Secure Windows now from Monday's 0-day...
Download Norton Internet Security 2010 beta from Fileforum now.
Download Norton Antivirus 2010 Beta from FileForum now.
Continue reading Symantec goes live with Norton 2010 betas...
A fire that started at around 11:15 PDT Thursday night has taken a wide assortment of Seattle businesses, media outlets, and government services offline. It's believed that a fire in a data center at Fisher Plaza set off the automatic sprinklers, which in turn soaked the generators.
A partial list of affected businesses in Seattle shows the importance of the Fisher vault, which is located near Seattle Center and the Space Needle. (Grey's Anatomy fans will believe it to be the location of Seattle Grace.) The payment service provider Authorize.net was knocked out; that company has set up a Twitter account to keep clients posted as they work their way back online. Adhost.com is also offline, right down to the phone system.
Continue reading Fire in downtown Seattle data center knocks out businesses, online services...
In his SyScan presentation in Singapore today, Mac security expert and Pwn2Own 2009 champ Charlie Miller discussed a vulnerability on the iPhone that allows remote code execution through SMS, which can tap into an iPhone's GPS or microphone, to divulge the phone owner's location or eavesdrop on them. Phones that have been compromised can also be used in a botnet or DDoS attack.
Miller is reportedly working with Apple to patch the vulnerability, so he did not go into great detail about the methods of exploitation. However, Miller did say, "SMS is a great vector to attack the iPhone...The iPhone is more secure than OS X, but SMS could be a critical vulnerability."
Continue reading SMS could be a critical iPhone vulnerability, says white-hat hacker...
The first of the month always brings a bountiful harvest from Google's blogging troops, and two posts yesterday pointed us to some nifty changes to Gmail's labels features and passed along some cheerful numbers concerning spam levels as measured by the company's Postini group.
With one notable exception, those who rely even moderately on Gmail's labels ought to like where things are going. The section is finally positioned above the chat area, for starters, and your labels can be easily grouped and rearranged for your convenience rather than only in alpha order. (Gmail attempts to help you out by picking a few to put at the top of the list, hiding the rest, but we found that it didn't guess well at all; fortunately, sorting it out was drag-and-drop simple.)
Continue reading Google talks spam trends, spiffs up Gmail labels...
How far would you go to save a life?
How far would you go to save a business model?
Continue reading The law vs. the right to know: Whose news is it anyway?...
The first I heard of Michael Jackson's death was six minutes before he was pronounced dead. That's saying something, because I'm not exactly the expert on pop culture, so my ability to have prognosticated the near future, based on something a little bird told me, on the subject of a fellow I seriously believed was still living in Tokyo, would normally be suspect. But there it was, in one of my IM feeds at about 5:20 Eastern time last Thursday, "Michael Jackson died."
My friend and colleague Angela Gunn suggested last Friday that something changed in the fabric of online journalism that day -- a high water mark had at last been reached. And indeed she may be correct, because if this Internet thing is capable of predicting the future even six minutes down the road, then I may want to get into the stock trading business.
Continue reading A Michael Jackson post-mortem on Internet journalism...
After days of uncertainty following Verified Identity Pass's abrupt shutdown last week, representatives of the defunct company are coming forward with at least some data on what will happen to the large collection of personally identifiable information (PII) it acquired from its customers.
In a letter to former members that's also posted to its Web site, Clear Customer Service attempted to address at least a few of the questions that have come up. The company (the letter was unsigned) reiterated that the data "is secured in accordance with the Transportation Security Administration's Security, Privacy, and Compliance Standards." The company revealed that Lockheed, which has been the firm's lead systems integrator, is working with parent company Verified Identity Pass, Inc. and the US Transportation Safety Administration "to ensure an orderly shutdown as the program closes."
If you're wondering what Microsoft is doing producing a plug-in for Mozilla Firefox, then perhaps you haven't heard the complaints from Firefox users who are not only wondering how that Microsoft plug-in got there, but are puzzled as to how to get rid of it. Today, Firefox users are seeing an update for that plug-in in their Automatic Updates for Windows XP, Vista, and Windows 7 RC.
Whenever Microsoft automatically installs a service with an Orwellian-sounding title, folks automatically become skeptical. In this case, the .NET Framework Assistant is a device that allows a kind of security pre-authorization feature that Microsoft tried to make prettier with the marketing name ClickOnce -- which works in Internet Explorer -- to extend to Firefox.
Continue reading Microsoft updates its controversial Firefox plug-in for .NET 3.5...
Those who subscribed to the Clear (formerly Verified Identity Pass) program, paying $199 to allegedly speed up the TSA checkpoint process, are dismayed that they're out that money now that Verified Identity Pass has abruptly folded. Amazing that they're not as concerned about all that personal data they provided the system, but were they ever?
After a considerable amount of nudging, Verified Identity Pass has confirmed that yes, they're securing the data as required by the TSA's privacy standards for Registered Traveler programs, which a security pal of mine sums up with a snort as, "We decide who gets to buy it." That's a little mean, though as you may remember it took TSA from 2005, when the Registered Traveler pilot program was launched, until July 2008 to notice that Verified Identity Pass was keeping data on thousands of passengers on unencrypted laptops. It's that laser-like focus on detail, you know, that makes TSA what it is today.
Continue reading Good riddance to the Clear 'frequent flyer' program...
4:00 pm EDT June 24, 2009 · In a marketing-driven response that looks a lot more like the old Microsoft than the new Microsoft in terms of explaining away its design decisions, a Microsoft corporate vice president characterized Outlook 2010's reliance upon Word instead of Internet Explorer 8 for rendering HTML text as symbolic of what he called "The Power of Word."
Corporate Vice President William Kennedy confirmed that the component of the company's new Office 2010 software -- whose technical preview next month will be limited to select testers -- will rely upon Word rather than IE for reasons that include system security. "For e-mail viewing, Word also provides security benefits that are not available in a browser: Word cannot run web script or other active content that may threaten the security and safety of our customers," he wrote.
Waldo Jaquith, writing for the Virginia Quarterly Review, was reading through a preview copy of Chris Anderson's upcoming Free: The Future of a Radical Price when he noticed that a passage sounded familiar, and then another, and then another. He eventually located several dozen passages in the 274-page book that appear to have been lifted directly and without attribution from Web sources -- Wikipedia mostly, but there were others.
Mr. Jaquith reached out to Mr. Anderson -- who is currently the editor-in-chief of Wired -- and his publishers at Hyperion before going public with the saga on Tuesday in the company blog. Mr. Anderson said he'd correct his "screwups" online by the time the book is released (in July) and in future editions; Hyperion said that was good enough for them.
Continue reading Wired editor accused of plagiarizing Web sources for 'free' book...
Download Microsoft Security Essentials Beta Build 1.0.1487.0 from Fileforum now.
It's an argument we've seen before from Microsoft's competitors and opponents, as well as from many sensible observers: It may be unfair for the manufacturer of the operating system to leverage its customer visibility to advance a free software platform that cuts out commercial competitors. But there's another argument from opponents as well, many of them the same people: Microsoft should be responsible for the health and well-being of its customers' systems when the operating system is threatened, either through malicious use or from system defects.
Continue reading New Microsoft 'Morro' anti-malware will share competitors' security events...
With the debate only beginning now over whether Microsoft's Security Essentials will provide adequate protection for Windows 7 users or merely placate users who settle for mediocre security, the question becomes whether competitors in the security field have an appropriate alternative. CA has informed Betanews it's looking for willing participants in a registration-only beta test of its Internet Security Suite Plus 2010 edition.
Rather than consider anti-malware and anti-virus as separate functions, the new edition will utilize a unified engine managed through a completely new front end. So veterans of the 2009 edition should take note that this is a completely new product. Personal firewalls and spam and phishing filters are included in the new edition just as before; but for 2010, the Web site blocking filter has been expanded for more personal -- and more parental -- control. A P2P filter has also been added to the suite.
Continue reading Sign up to beta test CA's 2010 edition Security Suite...
Privacy advocates on Monday applauded plans by the Obama administration to kill a spy satellite program that would have pointed the cameras at domestic targets. Meanwhile, the company running the nation's biggest "Registered Traveler" program, intended to whisk customers through TSA lines, is out of business.
Continue reading Up Front: DHS shelves domestic spy satellite program...
Of all the filtering software makers in all the world, it's interesting and appropriate that Chinese software developers chose Solid Oak Software's CyberSitter to (allegedly) pirate -- not because it's the best out there, but because it's historically hewed the closest to enforcing the kind of heavy-handed control that Beijing likes.
Santa Barbara-based Solid Oak set up a hue and cry over the weekend, saying that China's "Green Dam Youth Escort" filtering software bears unmistakable proof of piracy. Examination of the software and its server logs seems to indicate the company is correct -- aside from the long list of sites to be filtered, there are bits of familiar code and even calls back to Solid Oak's servers. (Chinese officials have flatly denied that any intellectual property was stolen, and a subsequent update to the package eliminated many of the callbacks and other suspect code.)
Continue reading Solid Oak Software and the Chinese deserve each other...