Planet Security

The Register - Security: Texting vuln turns iPhone into remote bugging device

Thu, 02 Jul 2009 21:30:49 +0000

SpyPhone 3GS

If you own an iPhone, security researcher Charlie Miller can take control of it, and short of turning off the device, it appears there isn't much you can do to stop him. Not until Apple fixes the flaw, anyway.…

The power of collaboration within unified communications

hackaday: Self-portrait machine

Thu, 02 Jul 2009 21:15:05 +0000

[Jen Hui Liao] created a device that guides the user into drawing a portrait of themselves. Dubbed Self-Portrait Machine, it comments on how much in society is created by machines and we are dependent on them. Unlike previous drawing robots, the user is part of the sketching process. The machine holds the users hands and uses stepper motors and servos to move them around like a LOGO turtle. Liao promises to have more details available soon. Video of the machine after the jump.

Roger's Information Security Blog: Alternatives to Desktop Lockdown

Thu, 02 Jul 2009 21:11:55 +0000

This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.

Desktop Lockdown has failed.

But so has complete freedom.

So what do you do?

From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. IFrom a security perspective, lockdown was performed to prevent malware and prevent users from disabling security applications.

Lockdown has failed for a number of reasons. In XP, the locked down experience is lacking. You can't change the timezone or install a printer driver. Its not workable for the traveling user.

Locking down computers failed because new technologies bypass local controls. For example it doesn't prevent the user from using Google Apps and other forms of cloud computing in a insecure manner. Being a standard user doesn't even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.

Its almost a cliché at this point but the consumerization of IT has led to a new workforce. Generation Y digital natives. They may not be better at not falling for fake AntivirusXP but they expect full access all the time.

Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.

Saying that lockdown has failed, does not mean that complete freedom has succeeded.
The cost of managing end user computers are far greater for unmanaged computer. The risk of virus attacks is much greater with administrative rights.

So what do you do? The talk reviewed multiple alternatives.

Alternative 1De-Privilege Admins - UAC
UAC prompts to elevate rights when admin rights are needed.

As you already know, that can be annoying if you have a lot of applications that are poorly written and need admin rights. Also depending on the user this can barely be a speedbump in stopping malware.

Alternative 2White list
While basic whitelisting is currently available in Windows XP and later as well as most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you dont have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new/unknown files.

One user when told we were considering this technology stated as an engineer they install all sorts of software and really important work would stop if he couldn't install every random file he found on the Internet.

Host Based Intrusion Detection Systems (HIPS) also fall into this category. They are much more complex, and can cause instability issues depending on how it is integrated.

Alternative 3Remote Presentation
In this scenario users log into a remote server such as vmware or terminal server. Of the local computer and the remote session one is managed and one is unmanaged.

This scenario requires solid network connectivity. It also isn't clear how the network is protected from the unmanaged computer.

Alternative 4 Multiple Virtual Machines running locally
Unlike the previous example, the user can work with remotely. The virtual machines are on the local computer.

The major drawback to this approach is licensing cost, patching, and extra hardware cost.

In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.

Alternative 5Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.

Alternative 6 Hybrid
A few from column a and a few from column b.

Alternative 7Employee Owned PCs
I've read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy because a craftsman power saw isn't going to get infected and DDoS the network. (Although cheap worker provided power tools could break spectacularly in a particularly liable fashion).

The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.

Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?

For the longest time, vender's made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I'd love to know what percentage of companies in general and Federal Contractors in particular lock down the computers by restricting admin rights as required by the FDCC). It is very interesting to hear about some other solutions. Obviously antivirus is not working but we still need to provide protections.

CNET News.com - Security: Apple fixing iPhone SMS security hole

Thu, 02 Jul 2009 21:03:00 +0000

Vulnerability in the way iPhones handle text messages could be used to track the location of the phone, turn on the microphone, or turn phone into botnet zombie.

HP - Application Security Center Community: Quality Engineers & Testers - StarWest is Coming Up!

Thu, 02 Jul 2009 20:45:00 +0000

I'm thrilled to announce that I have been selected to speak at the StarWest 2009 Quality Conference (SQE) October 5-9th 2009, hosted at the DisneyLand Hotel in Annaheim, CA! Link to the conference website is here (http://www.sqe.com/starwest/Schedule/Default.aspx) and there are a number of awesome speakers as well!

The StarEast conference was chock-full of great speakers, vendors and of course yours-truly... speaking on Security topics and why the quality assurance teams are so crucial to the web application security process. That's right, I've been talking about Q/A engineering and testing teams and why they're so crucial to the success of any enterprise web application security program - but now for the first time you'll get the truth that the IT Security guys probably won't tell you - YOU are the key! My talk on this topic promises to be riveting and will certainly have an impact on formal testing and security organizations...

As an added bonus - if you sign up you'll get money OFF the price of your admission!

Normal 0 false false false EN-US X-NONE X-NONE

Register using special promo code SKWS and save up to $300! Register by September 4^th to add the Early Bird Discount for up to $600 in total savings! Call the client support group at 888.268.8770 or register online at: https://www.sqe.com/starwest/Register/SelectConference.aspx

I'll see you all there!

hackaday: Crack WEP using BackTrack

Thu, 02 Jul 2009 20:30:16 +0000

Lifehacker wrote a guide for cracking a WiFi network’s WEP password using BackTrack. BackTrack is a Linux live CD used for security testing and comes with the tools needed to break WEP. Not just any wireless card will work for this; you need one that supports packet injection. The crack works by collecting legitimate packets then replaying them several times in order to generate data. They point out that this method can be hit-or-miss, especially if there are few other users on the network, as the crack requires authenticated packets. We covered cracking WEP before, but using BackTrack should smooth out compatibility issues.

hackaday: Scratchbot: Whiskers to the rescue

Thu, 02 Jul 2009 19:50:30 +0000

Scratchbot is designed as a rescue bot, going places where there is low visibility. It’s defining feature is the fact that it uses “whiskers” to feel for things. We feel like this is a little gimmicky. If it is a low visibility situation, wouldn’t IR or audio, possibly sonar be a more effective? How would it differentiate between different physical obstacles? Are the whiskers really new? Aren’t they really just bump sensors? Maybe they have something a little more complicated going on. There was another recent bot that utilized whiskers and compared different tactile profiles to determine what it was touching.

SANS Internet Storm Center: Cold Fusion web sites getting compromised, (Thu, Jul 2nd)

Thu, 02 Jul 2009 19:49:27 +0000

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this.

It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.

The attacks we've been seeing in the wild end up with inserted script tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.

What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them seehttp://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010

Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).

We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.

Thanks to Adam for giving us an early heads up.

--

Bojan

hackaday: How-to: Bus Pirate probe cable

Thu, 02 Jul 2009 19:08:22 +0000

A probe cable makes it easy to connect the Bus Pirate to a circuit and get hacking. Good test clips make quick connections on cramped PCBs without causing short circuits. We made two cables for the Bus Pirate v2, keep reading for an overview of our designs and list of part suppliers.

Friday, July 3, 2009 is the last day to pre-order a Bus Pirate. There’s only two days left to get your own Bus Pirate, fully assembled and shipped worldwide, for only $30.

Overview

We use these cables to connect the Bus Pirate’s I/O pins to a microchip or test circuit. A cable consists of a 2×5 connector, a cable, and some kind of attachable probe like an alligator clip or test hook.

The gray cable (top) is a ‘junk box’ cable, we recycled it from scrap parts and old computer hardware. The ‘expensive’ cable (bottom) uses high quality and special-order parts.

2×5pin female connector

The Bus Pirate’s I/O header is two rows of five 0.1″ spaced pins. We used a 2×5 arrangement because 2×5pin female ribbon cable connectors are common and cheap. We decided against a single row of 10 pins because the connector is an expensive specialty item.

The pin names are shown above, and are silk-screened on the bottom of the PCB. See the Bus Pirate page for detailed descriptions of each pin function.

The junk box cable uses a 2×5pin female connector from an old PC ISA card.

The expensive cable uses a black connector with a reinforced cable holder. Mouser has gray connectors ($0.69) and black connectors ($1.15).

Ribbon cable connectors have internal pins that pierce the cable when the top part is pressed onto the bottom part.

Ribbon cable

Standard 2×5pin female connectors attach to 0.05″ 10-strand ribbon cable. The wire thickness is usually 22, 24, or 26 AWG. We think 12inches (30cm) is a useful length that doesn’t get in the way.

Grey ribbon cable is pretty common. We salvaged a piece from an old computer connector, you might get lucky and find one with a 2×5 connector already attached.

A color coded cable makes it easy to identify each connection. DigiKey has 5 foot sections ($3.03), Mouser has it by the foot ($1.16, $1.19).

Ribbon cable is cheap and readily available, but it tends to tangle and kink. A really nice probe could use a ribbon cable stub attached to thicker test leads.

Test clips

Test clips are the most important part of the cable. They have to be easy to position, and maintain contact with the circuit. Alligator clips work, but there’s a lot of exposed metal that can create short circuits. Professional test clips have a grabber that retracts into the probe leaving less metal exposed.

Alligator clips

The junk box cable has alligator clip probes, we pulled them off test leads like these (40 leads for $12). You could also use loose red and black clips (20 for $2.30).

Remember to put the rubber housing on the cable before soldering the wire to the alligator clip, it won’t go on later. In the photos you can see that some of our covers are cut to fit over the front of the clip because we forgot.

Round test hooks

This is the classic, round-bodied test hook. These are great for grabbing onto 0.1″ pin headers, wires, and the leads of through-hole components. The hooks are usually too big to use with surface mount components, and the round body makes it hard to fit more than a few in a small space.

Test hooks are easy to position. Squeeze the probe to extend a single metal hook, grab something, then release. The hook retracts into the body of the probe, securing it in place and preventing short circuits.

Most hooks come apart by pulling the top away from the body. Put the test lead through the hole in the cap and solder it to the metal tab. Push the halves together when the joint is cool.

DigiKey ($17.26) and Fry’s ($14.95) have multi-colored hooks in sets of 10. Deal Extreme has dirt-cheap 10 packs of yellow ($2.30) and black ($2.33) hooks, but the reviews say the quality matches the price so buy extra (via [haku]).

Flat test tweezers

Tweezer-probes are great for clipping onto the legs of through-hole, surface mount, and many smaller chips. They usually have a flat body so they fit better in tight spaces than round hook probes.

This type of probe has tiny tweezers instead of a hook. Accidental short circuits are rare because there’s so little exposed metal when the tweezers retract.

Most tweezer-probes pull apart and have a metal solder tab inside. Run a cable strand through the hole in the cap, solder it to the metal tab, and then press the halves back together.

Tweezer quality varies dramatically among brands, we’ve used no-name probes that bend easily or don’t grip well. The X- series micro-hooks from E-Z-Hook are the Cadillac of tweezer-probes, we first used the XKM version that comes with the Saleae Logic. They’re intended to fit specialty test leads, but it’s easy to solder a wire to them instead. About $2 each, available directly from the E-Z-Hook website.

Conclusion

We highly recommend a cable with hook or tweezer-probes for secure connections without causing shorts. The right probe depends on the parts you use. Round test hooks work best with through-hole parts and wires. Flat test tweezers attach well to small, surface mount chips.

Please share any additional part sources in the comments. We did our best to provide a variety of sources, but there’s going to be some great places we’ve missed.

Friday, July 3, 2009 is the last day to pre-order a Bus Pirate. There’s only two days left to get your own Bus Pirate, fully assembled and shipped worldwide, for only $30.

F-Secure - News from the Lab: SMS remote code execution vulnerability in iPhone

Thu, 02 Jul 2009 18:39:53 +0000

Charlie Miller, a well-known security researcher who specializes in Mac and iPhone security, yesterday revealed information about a new vulnerability in iPhone that allows remote code execution via SMS. Not a lot is known about the vulnerability, which was announced at the SyScan conference in Singapore, except that Charlie is working with Apple to get it fixed as soon as possible.

(picture from apple.com)

This is about as bad as it gets as the vulnerability seems to allow unsigned code to run which circumvents a core part of iPhone's security model as it's usually only able to run signed code, i.e. Apps that have been approved by Apple. No user-interaction required which is unlike current mobile malware. InfoWorld has the original story here.

PS. I’m shift manager for one of our three daily response shifts this week and I'm tweeting about what we’re doing in the shift over at http://twitter.com/patrikrunald

On 02/07/09 At 06:30 PM

hackaday: Clever stair climbing robot

Thu, 02 Jul 2009 18:26:19 +0000

Stairs are one of the most commonly faced mobility challenges for a robot. This robot’s design eliminates the need for a complex drive train or computer, and instead uses a clever mechanical design to climb stairs. Version three of the robot uses five servos modified for continuous rotation, a Picaxe28, sharp IR sensors, and bump sensors.

[via BotJunkie]

Privacy Digest: Out of business, Clear may sell customer data

Thu, 02 Jul 2009 18:05:30 +0000

Out of business, Clear may sell customer data: Via computerworld.

It would go to a similar provider authorized by the TSA

Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else's hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration.

Until this week, the Clear service had given customers a way to skip long security lines in certain airports. For a $199 annual fee, air travelers could be pre-screened for flight and then use Clear's security checkpoints instead of the TSA's. Clear was run by New York's Verified Identity Pass, which also shut down on Monday.

Customers had to provide personal information, including credit card numbers, fingerprints and iris scans in order to participate in the program. After Clear abruptly shut its doors -- it has not yet declared bankruptcy -- some worried that this data could fall into the wrong hands. read more »

Privacy Digest: TSA asked to ensure safety of customer data after Clear closing

Thu, 02 Jul 2009 18:01:59 +0000

TSA asked to ensure safety of customer data after Clear closing: Via computerworld.

Transportation security agency given July 8 deadline to explain how private information will be safeguarded

The chairman of the House Committee on Homeland Security has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of private data collected by a recently shuttered company that offered a registered traveler program.

In a letter to the TSA's acting assistant secretary, committee Chairman Bennie Thompson (D-Miss.) expressed his concern over the abrupt closure of Verified Identity Pass Inc.

For a $199 annual fee, New York-based VIP offered a service called Clear that was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance. read more »

The Register - Security: Speculation mounts over AVG plans for OS X client

Thu, 02 Jul 2009 18:00:09 +0000

'Mac users have no antibodies'

AVG bosses aren't saying much, but there's new evidence the anti-virus maker is seriously considering building an application for the Mac.…

CNET News.com - Security: Waledac worm targeting July 4 spam offensive

Thu, 02 Jul 2009 17:49:00 +0000

Researcher warns people to be cautious about clicking on links related to Independence Day videos in e-mails over the holiday.

eWEEK Security: How to Improve IT Cyber-Security with Visual Analytics

Thu, 02 Jul 2009 17:38:59 +0000

Few disciplines require the comprehension of as much information in so little time as computer security. With billions of data records piling up daily for large organizations, no technique holds as much promise as using computer-generated images to tell the story of what's in the data a process known as visual analytics. Here, Knowledge Center contributor Justin Wolf explains how to use visual analytics to improve IT cyber-security.
- Data visualization has been around for decades, but modern desktop computers finally possess the power to turn raw data into interactive displays for analysis, enabling computer security analysts to use visual analytics techniques to solve daily problems. Although many other tools exist to assi...

McAfeee Avert Labs Blog: FakeAlerts Uncovered

Thu, 02 Jul 2009 17:32:26 +0000

It has been almost a year since the rogue antivirus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via Drive by downloads, SEO poisoning, Spam campaigns and clever social engineering.
Having these methods discussed in earlier blogs, today we will look into the protection mechanisms adopted by these fake alerts Trojan families to evade detection from antivirus vendors.

Code obfuscation using junk instructions

In the above screenshot, lots of junk code is visible between valid instructions. Usage of junk instructions is being used widely across Fake Alert families.

Fake API calls

The screen shot shows the usage of API called SetArcDirection which is not necessary in the code. These kinds of unnecessary APIs are used by malware to defeat emulation. Sometimes, API calls that don’t exist are also used by these families to check if they are being emulated.

Customized packer

Lot of fake alert families uses their own custom packers, encryption routines. Some of the families patch the existing packers.

Use of XMM and MMX instruction sets

Usage of XMM, MMX and FPU instructions which are not needed in the code along with the other junk code are also utilized by most of the fake alert families.

The techniques discussed above are not something very new and has been used in notable malware. But fake alert Trojans use these evasion techniques to there full potential with every new variant. Just when we thought we’re seeing a decline in adware and spyware – fake alert Trojans families have stepped in to claim the scum of the Internet tag.

ItoolBox Networking and Infrastructure: Developing a Proposal Pricing Approach

Thu, 02 Jul 2009 17:23:33 +0000

The purpose of this task is to develop a pricing approach and cost topics, which will support the decision to bid and Win Strategy and guide the proposal development effort. Developing a Pricing Approach Develop the Pricing Approach that: · dem...

Emergent Chaos: Rebellion over an ID plan

Thu, 02 Jul 2009 17:12:54 +0000

What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of livestock movements from birth to the slaughterhouse.
“This plan is expensive, it’s intrusive, and there’s no need for it,” Mr. Platt said.

The New York Times reports that not even cattle need Real ID in"Rebellion on the Range Over a Cattle ID Plan." There's a web site, NoNAIS.org which is tracking things like

Oklahoma is now mandating Premises ID for anyone wanting participate in the Swine Shows. One more tricky little way that they make “voluntary” into mandatory.

Image: IstockPhoto

Schneier on Security: Information Leakage from Keypads

Thu, 02 Jul 2009 17:09:30 +0000

Can anyone guess the entry codes for these door locks?

There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The second is almost certainly guessable in one.

infosecurity.us: Dilbert: Marketing

Thu, 02 Jul 2009 17:05:31 +0000

Roger's Information Security Blog: Useless Useful Technology: IP6 #GartnerSecurity

Thu, 02 Jul 2009 17:03:50 +0000

These are notes from the last session at the 2009 Gartner Security Summit; a tongue in cheek look at the worst best practices in IT.

We're all familiar with the upcoming change to IP version 6. The main impetus for performing this migration is the IP space crisis.

The reality is few enterprises have a lot of public IPs. The migration to IP6 is costly and fraught with questions.

This item I almost question including because I think its more widely believed that IP6 is not worth the trouble than believe it will be a cure-all.

By 2014, 20% of remote and mobile employees will connect via a IP6 enabled ISP. That necessitates our action.

infosecurity.us: Mitnick Security Re-Direct Incident Reported

Thu, 02 Jul 2009 17:00:23 +0000

News, of another DNS compromise, web defacement and subsequent re-direct, of the primary site of Mitnick Security. This is now the second reported DNS re-direct incident of the security consultant’s host provider hostedhere.net. Time to move, methinks. A short snippet, including linkage, appears after the jump.

From the original post via The Register’s Dan Goodin: “Mitnick site targeted in DNS attack on webhost“

“A website belonging to security expert Kevin Mitnick was compromised after hackers managed to access a domain name server maintained by the site’s webhost and redirect visitors to pages that displayed pornographic images. It was the second time in the past few years that a security lapse at hostedhere.net has allowed hackers to redirect the site, Mitnick told The Register. At time of writing, domain name system records for Mitnick Security have been restored, but some users continue to see the fraudulent website because many DNS caches still show the incorrect information…” “It’s a general pain in the ass for everybody around because my site was redirected and now this webhosting provider has to rebuild all their customer boxes,” Mitnick said. “So they’re not happy with the hours of work they’re going to have to spend doing it…”

Yahoo! News: Computer Security and Viruses: Conficker: Forgotten but not Gone (PC World)

Thu, 02 Jul 2009 16:56:00 +0000

PC World - Conficker may not dominate the headlines any longer, but it's still going strong, according to Trend Micro's Malware Blog and stats from the Conficker Working Group.

sunbeltblog: Pornography, government and the Internet

noreply@blogger.com (Tom Kelchner) — Thu, 02 Jul 2009 16:48:18 +0000

It’s probably superstition, but it seems that news stories comes in bunches. Today’s theme is: “governments across the planet try to deal with Internet pornography”:

-- The Green-Dam saga continues. China delayed indefinitely the requirement that new computers have an installation of Green Dam-Youth Escort filtering software to protect young people from pornographic and violent Internet content. The big question seems to be: “will the delay be temporary or permanent.” They really should just make the filtering voluntary AFTER they get rid of the political censorship issue and AFTER they resolve the copyright-infringement issues and AFTER they fix the vulnerabilities in it. But I digress.

-- The Ukraine has made illegal the possession of pornography except for medicinal purposes. I just don’t know what to say about “medicinal purposes” except that it’s going to generate another category of spam that will probably give a whole new meaning to “Canadian pharmacy.”

-- In the U.S., several adult-content web sites appear to be collateral casualties of the take down of the Pricewert ISP by the Federal Trade Commission. Some are reporting the loss of $5,000 per day. Some are scrambling to find their web site content, since the Federal court and FTC confiscated Pricewert’s servers. I guess the lesson here is: don’t do business with businesses that do illegal stuff.

-- The Georgia (USA) Bureau of Investigation is warning that an email containing a six-minute child porn video is circulating in the Stone Mountain area. The video may be might be a 2005 clip from the Dominican Republic that has been known to investigators. There are conflicting news reports, but at least one says it’s being spammed by malware. Possession of the video on one’s computer is a felony in the U.S. Investigators are telling Internet users to delete the email on sight (Subject line: "VERY Disturbing! TAKE CARE OF YOUR KIDS/ they should kill this man, do not open if your [sic] sensitive... click video link." )

Pornography has been a complicated issue since, well, forever. There are paintings in the ruins of Pompeii of “adult” nature that were buried in the year 79. In the quaint 1950s in the very Puritan U.S., there were “nudist” and “art photo” magazines that pushed the legal envelop and “men’s” magazines explored how much of a woman’s anatomy they could show and still stay at least one millimeter away from the legal limit.

In the U.S., porn enthusiasts probably won the battle when courts as high as the U.S. Supreme Court found themselves completely unable to define the difference between pornography and free speech. In 1964, U.S. Supreme Court Justice Potter Steward wrote the legendary articles of surrender, saying that he couldn’t define pornography, but “I know it when I see it.” Shortly after that, the VCR went on sale and it was REALLY “game over” for the anti-porn side.

The result has been a legal shadow world and very lucrative gray economy that turned into a terrific environment for scams, fraud, rogue anti-malware products and thieving computer malcode. Yes, there is a load of pornography out there on the Internet that is perfectly legal, sold by perfectly legal businesses with secure servers. Governments in conservative places will always try to fight it. They will only ever have very limited success. Sex will always be a very shiny lure.

The bottom line: if you see any advertisement on the web or in your email for “adult” anything, it simply will never be truly safe to go there.

Links to stories:

“China's Web 'Dam' “

“Yushchenko signs porn law despite widespread opposition”

“Web-Hosting Firm’s Shutdown Costing Adult Affiliate Operator $5K a Day “

“GBI: Open This E-Mail, Go Directly to Jail (Possibly)”

Tom Kelchner

eWEEK Security: Michael Jackson Malware Rings in July 4 Weekend

Thu, 02 Jul 2009 16:35:39 +0000

Security researchers at Symantec and Sophos are reporting the prevalence of spam related to the death of pop star Michael Jackson last week. Rather than relying on just their normal Independence Day-related e-mails, spammers have launched a number of campaigns to infect users with malware using news about the singer as a lure.
- st1\:* st1\:* July 4 weekend is usually a time for barbecues, beach parties and Independence Day spam. But the death of pop superstar Michael Jackson may have changed the face of the annual spam barrage. Instead of just the typica...

Internet Security and Programming: PC Invader Costs Ky. County $415,000

Thu, 02 Jul 2009 16:30:45 +0000

Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as assistance from a family of malicious software capable of defeating online security measures put in place by many banks. Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county’s payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county’s bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said. “Our bank told us they would know by Thursday how many of those transactions would be able to be reversed,” Sholar said. “They told us they thought we would get some

Read more…

LinuxSecurity.com - Articles: Spam blacklist bids top $1m

Thu, 02 Jul 2009 16:18:06 +0000

LinuxSecurity.com: ONE of the largest spam blacklists in the world, developed in Australia, is up for sale and the creator has already received offers of more than $1million.

Yahoo! News: Computer Security and Viruses: Court Orders Spammers to Pay $3.7 Million (PC World)

Thu, 02 Jul 2009 16:10:14 +0000

PC World - A U.S. district court has ordered members of an alleged international spam ring to give up US$3.7 million that they made while sending out illegal e-mail messages pitching bogus weight-loss products and human growth hormone pills.

infosecurity.us: Dilbert: Beta

Thu, 02 Jul 2009 16:05:37 +0000

infosecurity.us: SuSE Linux Critical Security Update: Acroread

Thu, 02 Jul 2009 16:00:30 +0000

Novell INC’s (NasdaqGS: NOVL) SuSE Linux unit has announced a mid-week security update focusing on the acroread PDF reader application. Specifically, the implementation of acroread is vulnerable to security issues leading to remote code execution. More information, including the full text announcement, MITRE CVE enumerated vulnerability listings [specifically CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-1861], and download links appear after the page jump.

SUSE Security Announcement

Package: acroread
Announcement ID: SUSE-SA:2009:035
Date: Wed, 01 Jul 2009 17:00:00 +0000
Affected Products: openSUSE 10.3
openSUSE 11.0
openSUSE 11.1
SUSE Linux Enterprise Desktop 10 SP2
SLES 11 DEBUGINFO
SLED 11
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2009-0198, CVE-2009-0509, CVE-2009-0510
CVE-2009-0511, CVE-2009-0512, CVE-2009-1855
CVE-2009-1856, CVE-2009-1857, CVE-2009-1858
CVE-2009-1859, CVE-2009-1861

Content of This Advisory:
1) Security Vulnerability Resolved:
acroread 8.1.6 security release
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

_____________________________________________________________________________

1) Problem Description and Brief Discussion

This update of the Adobe Acrobat Reader acroread to version 8.1.6
fixes the following vulnerabilities:
- CVE-2009-1855: stack overflow that could lead to code execution
- CVE-2009-1856: integer overflow with potential to lead to arbitrary
code execution
- CVE-2009-1857: memory corruption with potential to lead to arbitrary
code execution
- CVE-2009-1858: memory corruption with potential to lead to arbitrary
code execution
- CVE-2009-1859: memory corruption with potential to lead to arbitrary
code execution
- CVE-2009-0198: memory corruption with potential to lead to arbitrary
code execution
- CVE-2009-0509, CVE-2009-0510 CVE-2009-0511, CVE-2009-0512: heap
overflow that could lead to code execution
- CVE-2009-1861: heap overflow that could lead to code execution

2) Solution or Work-Around

There is no known workaround, please install the update packages.

3) Special Instructions and Notes

Restart all running instances of acroread after the update.

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.

x86 Platform:

openSUSE 11.1:
http://download.opensuse.org/update/11.1/rpm/i586/acroread-8.1.6-0.1.1.i586.rpm

openSUSE 11.0:
http://download.opensuse.org/update/11.0/rpm/i586/acroread-8.1.6-0.1.i586.rpm

openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/i586/acroread-8.1.6-0.1.i586.rpm

Sources:

openSUSE 11.1:
http://download.opensuse.org/update/11.1/rpm/src/acroread-8.1.6-0.1.1.nosrc.rpm

openSUSE 11.0:
http://download.opensuse.org/update/11.0/rpm/src/acroread-8.1.6-0.1.nosrc.rpm

openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/src/acroread-8.1.6-0.1.nosrc.rpm

Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:

SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=51b789f54aaa39933fd956fe4641c418

SLED 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=afe186fd3bad60212fb8d8d8b51e1454

SLES 11 DEBUGINFO
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=afe186fd3bad60212fb8d8d8b51e1454

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

- Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg –verify <file>

replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:

gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from “SuSE Security Team <security@suse.de>”

where <DATE> is replaced by the date the document was signed.

If the security team’s key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg –import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v –checksig <file.rpm>

to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of ‘root’ during
installation. You can also find it on the first installation CD and at
the end of this announcement.

- SUSE runs two security mailing lists to which any interested party may
subscribe:

opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.

opensuse-security-announce@opensuse.org
- SUSE’s announce-only mailing list.
Only SUSE’s security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.

=====================================================================
SUSE’s security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

- —–BEGIN PGP PUBLIC KEY BLOCK—–
Version: GnuPG v1.4.2 (GNU/Linux)

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4×0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- —–END PGP PUBLIC KEY BLOCK—–

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.9 (GNU/Linux)

iQEVAwUBSkuJv3ey5gA9JdPZAQJJswgAmXQrRPCiSB0GOks0ZZKS1nka90A/7cGz
TU5+qJbC/XqJMxcmgeViQgCH0WwSVrXISe+R4AMP2QgEmYulGqaqc80Lwwu8R1D3
FRP9GbCsbrWqGiDM0Kktby9×7xc3ok4omkQUoQchsCDSMORPnqZaT2vhWzrYd2JH
K4N6sptshzttMmqrSltYSLMsYF/E+KXzn8zqEp+Ub02rXEasG2W0aqr/lJGohxmP
Q5/S3FKJs10eDRSIlGOIpn/m9WoYjVpLppZRuI0AwVCcn3f2y+lAdbaP+YynxUAc
UiRozVKZ9MwYlOrN/4JJE5al+G1JwC/isoSvoqPHB38bZ7ytKG7tUA==
=MPyb
—–END PGP SIGNATURE—–

Network World on Security: The notification chain when a breach is suspected