The malicious code, a logic bomb installed last October, was designed to cause damage and disrupt data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshal’s Service Warrant Information Network.

Duchak’s job was to update the CSOC database as new information arrived from these two sources. But on Oct. 15, he was given two weeks’ notice that his job would be terminated.

About a week later, on Oct. 22, Duchak allegedly transmitted the malicious code onto a CSOC server that stored data from the U.S. Marshal’s Service, according to the indictment. The next day, he allegedly loaded malicious code to a server containing the Terrorist Screening Database. The source involved in the case said the servers “are part of the system that contains the no-fly list” and added that the code, if it had gone undetected, could have traveled to a facility in another state that uses a similar computer system.

Duchak has been charged in the U.S. District of Colorado with two counts of attempting to cause damage to a protected computer. If convicted, he faces a possible prison sentence of 10 years and a $250,000 fine for each count.

Duchak’s attorney, David Lindsey, disputes the government’s charges and says that the system Duchak worked on was a beta system used for testing statistical analyses.

“It wasn’t connected to anything that had to do with security,” Lindsey said. “Before anything he had his hands on left, it went to another system before it got into any live system that did screening. As I understand it, it is a system that does statistical analyses on the systems that are up and running. And when the tests are run, those are done at one level and then [go to] a second level and then at a final level before the analyses are verified and passed onto anything you would call a live system.”

Lindsey said the CSOC servers that were allegedly targeted for sabotage were used for screening workers primarily and were only “remotely, remotely” related to passenger screening, though he could not elaborate.

“The government has been very misleading in the indictment and press release as to any potential harm [this might have caused] to the public,” he said, adding that the alleged malware was not a virus and will ultimately be shown to have been “nothing.”

Source: Wired

Vincent Lim, monoprice.com’s operations manager, said the company took the site offline around midnight on Friday, Mar. 5, after it received e-mails and phone calls from several customers complaining about fraudulent charges on their cards that they had used on monoprice.com.

“A few of our customers recently reported to us that information from credit cards they used on the Monoprice website had been misused,” Lim said. “We promptly began an investigation with the help of expert computer forensic investigators to determine if any card data had been stolen from our computers.”

To date, he said, investigators have found no evidence that card information has been stolen from Monoprice’s computer network. The site is now allowing customers to browse products, but Monoprice won’t be taking any new orders until the investigation is completed, Lim said.

“We want to ensure that there is no security vulnerability in any part of our computer network system. We notified local and federal law enforcement agencies, our credit card processing business partners, and all credit card companies that some of our customers reported concerns regarding their card information to us,” the company said in a statement that now frames the top of its Web site. “We also advised these entities that we are working with outside security specialists to determine if there was breach of our computer system. We will post additional information when it is available.”

Monoprice’s corporate page on Facebook.com features a number of interesting comments from customers, some of whom attributed recent fraudulent charges to the incident, while others are praising the company for being so forthcoming and providing continuous updates via Facebook.

Source: Krebson Security

“Apologies to anyone who couldn’t play ACII or SH5 yesterday,” said the publisher in a tweet. “Servers were attacked which limited service from 2:30pm to 9pm Paris time.”

Earlier Ubisoft said the server was having difficulty coping with “exceptional demand”.

Given the widespread negativity of Ubisoft’s latest DRM policy – requiring users to authenticate the game over the internet – it wouldn’t come as a surprise if the attack was orchestrated by members of the PC gaming community in protest.

Source: Videogamer.com

After two days, they confirmed that this vulnerability “could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box”, but that there has been no news about attacks exploiting it so far.

Maurycy Prodeus, the security analyst that discovered the vulnerability, says that Windows XP SP3 running IE 8,7 or 6 are vulnerable, and Microsoft assures that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue.

Microsoft is yet to confirm when the fix will be released, but Computerworld reports that Prodeus himself offered a temporary solution: blocking TCP port 445. “However, it is worth to note that blocking this port doesn’t solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim’s machine at known path location using some third-party browser plug-ins,” he said.

Source: Help Net Security

In what it called ‘Operation b49′ that was the ‘result of months of investigation and the innovative application of a tried and true legal strategy’, according to Microsoft’s associate general counsel Tim Cranton, a federal judge granted a temporary restraining order that quickly and effectively cut off traffic to Waledac at the ‘.com’ or domain registry level.

Cranton said: “Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.”

Source: SC Magazine UK

Normally, Flash applications are only permitted to access resources on the server from which they have been loaded. In order to allow content to be loaded more flexibly, since version 7, the Flash framework has allowed ‘cross domain requests’. Sites serving Flash applets can create a crossdomain.xml file which specifies which external sites or servers the Flash applets are permitted to make requests from without requiring a warning to be displayed in Flash Player.

These are usually specified very tightly, with the website operator entering only domains operated by partners and other trusted websites. The current vulnerability appears to allow these restrictions to be circumvented so that a crafted Flash file can access objects on any website without requiring user clearance. Users should therefore not hold back in installing the Flash update as soon as possible.

The update also fixes a denial of service (DoS) vulnerability, no further details of which are given. Further tests are needed to determine whether this is the vulnerability which has been unpatched for several months for which Adobe recently apologised. The vendor originally intended to fix this vulnerability in the next major release, 10.1.

Source: The H Security

Tuesday’s security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death (BSOD), users have reported on the company’s support forum.

Complaints began early yesterday, and gained momentum throughout the day.

“I updated 11 Windows XP updates today and restarted my PC like it asked me to,” said a user identified as “tansenroy” who kicked off a growing support thread . “From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: ‘A problem has been detected and Windows has been shutdown to prevent damage to your computer.’”

Others joined in with similar reports. “There is something seriously wrong with the update. I can’t even open in safe mode,” said “Ghellow,” referring to Windows diagnostic mode that’s often a last-chance way to boot a PC.

“I am not very happy with Microsoft as I got to work this morning to find my helpdesk flooded with messages that the PC has the famous Blue Screen,” said “brawfab.”

“I had to go to work and use my Mac to get online to find out what is going on with the XP updates last night,” complained “moosewalk” on the same thread. “I am this much closer to switching over to a Mac for good.”

Source: Infoworld

A notice on TechCrunch.com’s front page on Tuesday morning explains that “TechCrunch.com was compromised by a security exploit”. Access to the site’s story archive has been suspended leaving a two para notice on the hack as the only content visible on the site.

Hackers defaced the front page of the site with a message (recorded by Mikko Hypponen of F-Secure here) apparently abusing site admins and including a link to a pornographic content and warez linking website.

This defacement was removed by site admins who are in the process of identifying the exploit involved in the hack, securing systems, and bringing TechCrunch back online.

The motives or perpetrators of the attack remain unclear but the timing – a day before Apple’s much anticipated iTab launch in San Francisco – could hardly be worse.

Source: The Register

Web site domain registrar and hosting provider Network Solutions acknowledged Tuesday that hackers had broken into its servers and defaced hundreds of customer Web sites.

The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants and armed with rocket launchers and rifles, along with the message “HaCKed by CWkomando.”

According to results for that search term entered into Microsoft’s Bing search engine, there may in fact be thousands of sites affected by this mass defacement.

One of the defaced pages belonged to Minnesota’s 8th District GOP, according to a story in The Minnesota Independent, which said the Arabic writing that accompanies the defaced pages contains the dedication “For Palestine,” and the repeated phrase “Allahu Akbar” [God is great].

Network Solutions said the hackers were able to get in by exploiting a “file-inclusion” weakness in the company’s Unix servers. So-called remote file inclusion attacks are quite common, and can let attackers insert code that gives them backdoor access to and control over the affected server. Network Solutions said it is in the process of helping customers restore their sites.

“These incidents are regrettable and we apologize for the inconvenience,” the company said in its statement. “Due to the nature of the web, the race between technology and the bad elements is a challenge that companies face continually.”

Network Solutions said there was no danger to customers’ “personally identifiable or secure information” as a result of the incident. Other recent break-ins at NetSol have not been so benign: Last summer, hackers broke into a number of Network Solutions Web servers and planted rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts.

Source: Krebson Security