Category: Security

Monoprice.com Offline After Fraud Complaints

Filed under Security

Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information.

Vincent Lim, monoprice.com’s operations manager, said the company took the site offline around midnight on Friday, Mar. 5, after it received e-mails and phone calls from several customers complaining about fraudulent charges on their cards that they had used on monoprice.com.

“A few of our customers recently reported to us that information from credit cards they used on the Monoprice website had been misused,” Lim said. “We promptly began an investigation with the help of expert computer forensic investigators to determine if any card data had been stolen from our computers.”

To date, he said, investigators have found no evidence that card information has been stolen from Monoprice’s computer network. The site is now allowing customers to browse products, but Monoprice won’t be taking any new orders until the investigation is completed, Lim said.

“We want to ensure that there is no security vulnerability in any part of our computer network system. We notified local and federal law enforcement agencies, our credit card processing business partners, and all credit card companies that some of our customers reported concerns regarding their card information to us,” the company said in a statement that now frames the top of its Web site. “We also advised these entities that we are working with outside security specialists to determine if there was breach of our computer system. We will post additional information when it is available.”

Monoprice’s corporate page on Facebook.com carries a number of interesting comments from customers, some of whom attribute recent fraudulent charges to the incident, while others praise the company for being so forthcoming and for providing continuous updates via Facebook.

Source: Krebs on Security

Severe IE vulnerability threatens Windows XP users

Filed under Security, Software

News of a newly discovered bug involving VBScript and Windows Help files in Internet Explorer, which could allow a remote attacker to run arbitrary code, reached Microsoft on Friday, and the company immediately began investigating.

Two days later, Microsoft confirmed that the vulnerability “could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box”, but said it was not aware of any attacks exploiting it so far.

Maurycy Prodeus, the security analyst who discovered the vulnerability, says that Windows XP SP3 running IE 8, 7 or 6 is vulnerable, while Microsoft says that users running Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista are not affected.

Microsoft has yet to say when a fix will be released, but Computerworld reports that Prodeus himself offered a temporary workaround: blocking TCP port 445. “However, it is worth noting that blocking this port doesn’t solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim’s machine at known path location using some third-party browser plug-ins,” he said.

Source: Help Net Security

http://www.net-security.org/secworld.php?id=8935

Microsoft takes down 277 Waledac infected websites

Filed under Security

Microsoft has taken down 277 internet domains that it believed were being used to run the Waledac botnet.

In what it called ‘Operation b49’, the ‘result of months of investigation and the innovative application of a tried and true legal strategy’, according to Microsoft’s associate general counsel Tim Cranton, a federal judge granted a temporary restraining order that quickly and effectively cut off traffic to Waledac at the ‘.com’ domain registry level.

Cranton said: “Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.”

Source: SC Magazine UK

GMail Goes “https-only” By Default

Filed under Security

A day after confirming a major security breach by Chinese hackers looking for GMail account information, Google has turned on “https:” access by default for its popular Web mail service.

Google had added the option for GMail users to “always use https” back in July 2008, but it was turned off by default.

Last June, a group of researchers and academics released an open letter calling on Google to protect users’ communications from theft and snooping by enabling industry-standard transport encryption (HTTPS) for Google Mail, Docs and Calendar.

Now comes word that this is indeed happening:

“We are currently rolling out default https for everyone. If you’ve previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don’t want default https turned on for performance reasons, you can turn it off at any time by choosing “Don’t always use https” from the Settings menu. Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option.”
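The policy in that statement, as an added example that is not Google's code: plain-http requests are redirected to https when the account's https default is on, the login page is forced to https regardless of the preference, and the session cookie gets the Secure flag only when the user is on https. The hostnames, paths, the `user_wants_https` flag and the cookie value are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def to_https(url: str) -> str:
    """Rewrite an http:// URL to https://, keeping host, path and query."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Keep a non-default port (e.g. a dev server); drop an explicit :80.
    if parts.port not in (None, 80):
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, ""))


def handle_request(url: str, user_wants_https: bool = True) -> dict:
    """Return a minimal response {status, headers, body} for one request.

    user_wants_https mirrors the per-account setting quoted above
    (assumed name). The login page is always redirected to https so the
    password never travels in the clear, whatever the preference.
    """
    parts = urlsplit(url)
    on_login_page = parts.path.startswith("/login")
    if parts.scheme == "http" and (user_wants_https or on_login_page):
        return {"status": 301,
                "headers": {"Location": to_https(url)},
                "body": ""}

    headers = {"Content-Type": "text/html; charset=utf-8"}
    if parts.scheme == "https":
        # Session cookie restricted to TLS. Without Secure, the redirect buys
        # little: the browser would still send the cookie on any plain-http
        # request, which is exactly what a network eavesdropper waits for.
        headers["Set-Cookie"] = "session=opaque-token; Secure; HttpOnly; Path=/"
    else:
        # A user who opted out of https must get a cookie usable over http,
        # so the cookie cannot be Secure; that is the trade-off they accept.
        headers["Set-Cookie"] = "session=opaque-token; HttpOnly; Path=/"
    return {"status": 200, "headers": headers, "body": "<html>mail</html>"}
```

The point the cookie branch makes is the one the open letter was driving at: encrypting the page is only half the job, since a session cookie sent over http identifies the user just as well as a password would.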

Source: ThreatPost

Twitter plans new products and tighter security

Filed under Security

Twitter has announced plans to hire 27 professionals to create new products and improve the security of the site.

The increase in headcount is a significant move for the relatively small company, which currently has around 120 staff.


Twitter co-founder Biz Stone said in November that 2010 would be the “revenue year” for the company, and the variety of job postings currently hosted on the micro-blogging site suggests that he is not deviating from this strategy.

The new employees will focus on creating Twitter front-end features, and should have experience with advertising applications, in line with the firm’s new advertising strategy scheduled to be rolled out this year.

Twitter is also issuing calls for a professional who will maintain a platform to help developers in media companies create new integrations with Twitter, as well as for another employee who will encourage media professionals to use the tools.

The other job descriptions reveal Twitter’s plans to expand the support tools available to users, further develop its application programming interface, build out Twitter’s international front-end and add new search capabilities.

A product marketing manager is also wanted to enhance business users’ understanding of the value of Twitter. According to the description, the work can range from creating “better packaging [of] existing features for businesses, managing all outbound marketing for new monetisation products, [and] analysing customer needs for improved product development”.

Finally, Twitter wants to expand its security team after a number of security incidents hit the headlines last year. In the most recent, attackers hijacked Twitter’s DNS records and redirected visitors to a page hosted by a group calling itself the ‘Iranian Cyber Army’.

A network and infrastructure security manager will audit and secure systems and write the procedures for responding to security incidents; the job also involves designing a system to prevent network intrusions. Meanwhile, an anti-spam software engineer will focus on Twitter’s spam detection system.

Source: v3.co.uk

Industry Group Plans Cyber Attack Simulation

Filed under Security

A financial services industry group is planning to simulate a series of cyber attacks to test how well banks, payment processors and retailers deal with online threats.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), a group formed in response to a 1998 Presidential security directive, on Tuesday invited financial institutions, retailers, card processors, and businesses of all sizes to participate in its Cyber Attack against Payment Processes (CAPP) Exercise.

“FS-ISAC in conjunction with a variety of industry partners is testing their members’ emergency response, notification, and communication procedures in response to a number of different types of cyber attacks against payment processes,” the group’s Web site says. “The three-day exercise will simulate a different attack scenario each day. Detailed result collection is kept confidential.”

The CAPP event is scheduled for February 9 through 11, 2010. Participants will be expected to activate their incident response procedures in accordance with the scenario presented and to complete an anonymous survey to evaluate their organization’s response.

“When cyber security threats occur, swift and well-planned reactions can mean the difference between business continuity and business catastrophe,” said Bill Nelson, FS-ISAC’s president and CEO in a statement. “This is especially true with cyber attacks against payment processes. FS-ISAC is eager to provide payment systems participants with this unique opportunity to test their readiness to respond to major cyber attack incidents.”

Such incidents have been on the rise.

The Internet Crime Complaint Center (IC3) said in November that the FBI had seen a significant increase in online banking fraud.

On Tuesday, in its 2009 Annual Malware Report, PandaLabs said that it had seen 25 million new malware variants created during the year, roughly two-thirds more than the 15 million variants the company had recorded over the rest of its 20-year history.

Most of the new malware samples detected by the company (66%) were online banking trojans.

Source: DarkReading

Cybersecurity expert: Job guaranteed

Filed under Security

Computer security used to be regarded as a boring and less important branch of computer science, but with the proliferation of threats (from malware to active attacks) it has become a field whose experts are in great demand, and one that has acquired quite an aura of “coolness”.

At the moment, there is a serious lack of cybersecurity experts in the U.S., so if your knowledge is up to speed, you are practically guaranteed a job.

Case in point: of the eight students from California State Polytechnic University, Pomona, who beat five other university teams in a challenge that had them defending a business computer network from cyber threats, six seniors received job offers from Boeing.

According to the New York Times, demand for experts is great, but luckily schools and universities have noticed and have rushed to open programs: N.Y.U. Polytechnic, Carnegie Mellon, Purdue and George Mason are just some of the universities offering a master’s degree in cybersecurity, and Georgia Tech plans to start an online degree in information security later this year.

Businesses and the military are counting on the fact that the new generations are so familiar with the online world that they will be intrigued by the challenge of solving security problems and, therefore, interested in a career in cybersecurity. Another draw is the pay: Professor Nasir Memon of N.Y.U. Poly says that starting pay for someone with a master’s degree in the field ranges from $60,000 to $80,000.

Source: Help Net Security

Pentagon cyber-war plans stalled by US Congress

Filed under Security

Plans by the Pentagon to gain dominance in cyberspace have been stalled by the US Congress, which is a little worried about giving the generals too much power.

According to the Washington Post, the Pentagon wanted a command to defend its global network of computer systems. Dubbed Cyber Command, the cunning plan was to consolidate existing offensive and defensive capabilities under one roof.

However the plan has been slowed to a halt by congressional questions about its mission and possible privacy concerns, according to officials familiar with the discussions.

Some of the things that worry Congress are the questions of when acts in cyberspace become a war and how far the Pentagon can go to defend its own networks. There are fears that the US military’s use of wiretaps has gone too far already and the thought is that if it gets a cyber command then this could get much worse.

On one hand the Pentagon’s remit to make defence networks more bulletproof is fairly straightforward. However policymakers want to weigh how aggressive to allow the Pentagon to be in defence of military networks, particularly if an attack might come from private networks.

One US Army official said that the Pentagon sees malware outside its own network as a threat that might have to be removed, which could mean cracking a company’s zombie server and shutting it down, or worse.

Until Congress gets answers to these questions it might be a while before the Pentagon gets its cyber command.

Source: The Inquirer

China will soon have the power to switch off the lights in the West

Filed under Security

The year is 2050, and a diplomatic dispute between China and Britain risks escalating into all-out war. But rather than launching a barrage of ballistic missiles and jet fighters to destroy key British targets, Beijing has a far simpler plan for defeating its enemy. It simply turns off the lights.

At the flick of a switch elite teams of Chinese hackers attached to the People’s Liberation Army (PLA) launch a hi-tech assault on Britain’s computer systems, with devastating consequences. Within minutes the country’s power stations, water companies, air traffic control, government and financial systems are totally shut down.

Britain’s attempt to respond by launching nuclear-armed Trident missiles at China has to be abandoned, as the computer systems that control the weapons system are no longer functioning.

At a time when relations between China and Britain are supposed to be improving, the prospect of Beijing launching a cyber attack against Britain and its allies might seem to be the stuff of fantasy.

Read the full article at: telegraph.co.uk

Twitter bans obvious passwords

Filed under Security

Twitter has decided that when signing up for a new account or changing your password, you can no longer use a password on a list of the most commonly used passwords. This is a great security measure that will protect users from themselves, and hopefully raise the awareness of the necessity for strong passwords.
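The check described above, as an added example that is not Twitter's code: a sign-up or password-change handler refuses any password that appears on a list of the most commonly used passwords. Twitter's own list is not reproduced here; `COMMON_PASSWORDS_SAMPLE` is a small constructed stand-in, and the normalisation, the trailing-digit rule and the minimum length go a little beyond the blog's description (they are the editor's assumptions about what a practical version needs).

```python
import unicodedata

# Constructed sample; a real deployment would load a published list of
# thousands of entries. Twitter's actual list is not reproduced here.
COMMON_PASSWORDS_SAMPLE = [
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "twitter", "iloveyou", "111111",
]

MIN_LENGTH = 6  # assumed extra rule, not part of the blog's description


def normalize(password: str) -> str:
    """Canonicalise before comparison so trivial variants are also caught.

    Exact-string matching alone would let "Password" or "123456 " through,
    which defeats the point of the list.
    """
    return unicodedata.normalize("NFKC", password).strip().casefold()


def build_blocklist(words) -> frozenset:
    """Normalised set of banned passwords; membership test is O(1)."""
    return frozenset(normalize(w) for w in words)


BLOCKLIST = build_blocklist(COMMON_PASSWORDS_SAMPLE)


def reject_reason(password: str, blocklist=BLOCKLIST):
    """Return why the password is refused, or None if it may be used."""
    candidate = normalize(password)
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if candidate in blocklist:
        return "on the common-password list"
    # "password1" or "letmein!" are the usual dodge around such a list:
    # strip a trailing run of digits/exclamation marks and re-check.
    stripped = candidate.rstrip("0123456789!")
    if stripped and stripped in blocklist:
        return "common password with a trivial suffix"
    return None


def is_allowed(password: str, blocklist=BLOCKLIST) -> bool:
    """True if the password may be set at sign-up or password change."""
    return reject_reason(password, blocklist) is None
```

Keep the list in a set keyed on the normalised form rather than scanning a file on each request; at sign-up volume the lookup cost matters, and it also makes the check easy to unit-test against the published list you actually deploy.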

Full list after the jump.
