[SecurityRatty] tag: avoid

Pentagon hacker tries one more time to avoid extradition

Wed, 03 Dec 2008 02:00:00 +0000

A British systems administrator who hacked into U.S. military computers in 2001 and 2002 will have another chance to make his case of why he shouldn't be extradited to the U.S.

Its not just about a strong password any more

Fri, 28 Nov 2008 13:30:52 +0000

Make sure, as discussed in this great article, that you have a hard to guess login name.

clipped from www.pcworld.com

Logins Are Half Your Access

Thieves need the login and password to access your accounts, so make the login difficult to guess, too. Avoid a simple, name-based method; add extra numbers, letters, or an ID that’s entirely different. Ideally, use unique logins (and passwords) for each service to isolate any exposure, should someone breach an account. (At the very least, keep unique logins and passwords for your most sensitive accounts, such as online banking.) While you may have to tell a customer service representative your login on occasion, don’t share the information without need. And never give anyone a password.

Links for 2008-11-25 [del.icio.us]

Tue, 25 Nov 2008 21:00:00 +0000

The Myth of Software Support « Chris Swan’s Weblog
More On Why I Think Free Microsoft AV Will Be Good For Consumers | securosis.com
My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV.
Idiocy | securosis.com
The Impact Of Free Antivirus From Microsoft | securosis.com
This gives them enough time to avoid suddenly losing 40% (don’t quote me on that, I’m on an airplane and just guessing) of profits over 12 months. The real losers will be the consumer-only AV companies without diversified portfolios or a larger enterprise base.
Rich Mogull: 7 Infosec Trends for 2009 - CSO Online - Security and Risk
Safe bets for IT spending in '09 | Business Tech - CNET News
Second, security management will merge with log management. That works for ArcSight, RSA, LogLogic, and LogRhythm.
Dark Matters: Land of Confusion
InternetNews Realtime IT News - Enterprise SaaS Buyers Want More Than Uptime
High Tower Software Shuts Down | socalTECH.com
Aliso Viejo-based High Tower Software, a venture-backed developer of security, compliance, and log management software, has shut down.

Dont get a lump of coal this season!

Tue, 18 Nov 2008 14:46:21 +0000

Make sure your online protection products are working and updated, or you may get a lump of coal this Holiday season.

clipped from www.marketwatch.com

Webroot Threat Advisory: Online Threats to Increase This Holiday Season

To protect themselves during any online
shopping experience, consumers need to be aware of the security
risks and necessary precautions they should take to avoid being a victim
of cyber crime. Since the October to December timeframe will be a key
money-making season for today’s financially
motivated cyber criminals Webroot is recommending that consumers follow
these five steps:

DIY Phishing Pages With Command and Control Interfaces

Thu, 06 Nov 2008 03:31:43 +0000

The day when DIY phishing pages start coming with manuals is the day when consciously or subconsciously a phisher is lowering down the entry barriers into phishing for yet another time. A much more user-friendly compared to the old-fashioned -- yet effective -- rock phish directory listing, a recently released command and control interface for Rapidshare phishing campaigns aims to empower its users with easy dynamic link generation for their campaigns.

What they've managed to achieve is another trust factor since Rapidshare generates a second dynamic link upon clicking on the original one. The script not only generates a dynamically looking link, but also, actually logs in the victim into their account in order to avoid suspicion whereas it still logs all the accounting data.

Scammers also tend to be ironic every then and now. For instance, in this particular case, one of the users finds it ironic that the Rapidshare phishing page is hosted at Rapidshare itself. Is the script actually working? It appears so at least going through a misconfigured accounting data dump left by one of the phishers.

Related posts:
Phishing Pages for Every Bank are a Commodity
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
DIY Phishing Kits Introducing New Features
209 Host Locked
209.1 Host Locked
66.1 Host Locked

Wells Fargo Opt Out 800 Number

Thu, 30 Oct 2008 15:04:26 +0000

I have been a happy customer of Wells Fargo for a couple of years now, but one thing has always bothered me: being solicited by loosely affiliated companies. Well, I finally found out how to fix this. I called 888.528.8460, which is their "privacy preference line". From there I was able to opt out of all solicitation for new services.

We'll see how well it works.

I'm not a crazy environmentalist, but waste makes me cringe. I make it a habit to contact companies that mail me catalogs that I don't read, telling them to take me off of their lists. I also do little things like bring a couple of bags to the grocery store every time I go in order to avoid generating more plastic waste.

The other day, I was buying my son a sweatshirt in T.J. Maxx, and the clerk popped it into a plastic bag. I said, "Thanks, but I really don't need that bag." He promptly balled it up and threw it in the trash. It makes me sad how so many people just don't get it. If everyone would just think a little bit about this in their daily lives, I think it'd make a big difference for the world we leave to our kids and grandkids.

Barak Obama Discusses Security Trade-Offs

Mon, 27 Oct 2008 03:31:12 +0000

I generally avoid commenting on election politics -- that's not what this blog is about -- but this comment by Barak Obama is worth discussing:

[Q] I have been collecting accounts of your meeting with David Petraeus in Baghdad. And you had [inaudible] after he had made a really strong pitch [inaudible] for maximum flexibility. A lot of politicians at that moment would have said [inaudible] but from what I hear, you pushed back.
[BO] I did. I remember the conversation, pretty precisely. He made the case for maximum flexibility and I said you know what if I were in your shoes I would be making the exact same argument because your job right now is to succeed in Iraq on as favorable terms as we can get. My job as a potential commander in chief is to view your counsel and your interests through the prism of our overall national security which includes what is happening in Afghanistan, which includes the costs to our image in the middle east, to the continued occupation, which includes the financial costs of our occupation, which includes what it is doing to our military. So I said look, I described in my mind at list an analogous situation where I am sure he has to deal with situations where the commanding officer in [inaudible] says I need more troops here now because I really think I can make progress doing x y and z. That commanding officer is doing his job in Ramadi, but Petraeus's job is to step back and see how does it impact Iraq as a whole. My argument was I have got to do the same thing here. And based on my strong assessment particularly having just come from Afghanistan were going to have to make a different decision. But the point is that hopefully I communicated to the press my complete respect and gratitude to him and Proder who was in the meeting for their outstanding work. Our differences don't necessarily derive from differences in sort of, or my differences with him don't derive from tactical objections to his approach. But rather from a strategic framework that is trying to take into account the challenges to our national security and the fact that we've got finite resources.

I have made this general point again and again -- about airline security, about terrorism, about a lot of things -- that the person in charge of the security system can't be the person who decides what resources to devote to that security system. The analogy I like to use is a company: the VP of marketing wants all the money for marketing, the VP of engineering wants all the money for engineering, and so on; and the CEO has to balance all of those needs and do what's right for the company. So of course the TSA wants to spend all this money on new airplane security systems; that's their job. Someone above the TSA has to balance the risks to airlines with the other risks our country faces and allocate budget accordingly. Security is a trade-off, and that trade-off has to be made by someone with responsibility over all aspects of that trade-off.

I don't think I've ever heard a politician make this point so explicitly.

Virtual wont protect in the real online world

Sat, 25 Oct 2008 14:25:33 +0000

Be careful as Virtual becomes the target of the nasty people.

clipped from newsletters.trendmicro.com

Real Threats in Virtual Worlds and Online Games

Thought you could avoid the pitfalls of real life by living in a virtual world? Wrong. Living virtually does not make you immune to the same kinds of online threats you experience in the real world. Unfortunately, the growing popularity of virtual worlds has attracted the attention of both hackers and organized criminals.

Malware? We don't need no stinking malware!

Fri, 24 Oct 2008 10:25:00 +0000

Written by Oliver Fisher

"This site may harm your computer"
You may have seen those words in Google search results — but what do they mean? If you click the search result link you get another warning page instead of the website you were expecting. But if the web page was your grandmother's baking blog, you're still confused. Surely your grandmother hasn't been secretly honing her l33t computer hacking skills at night school. Google must have made a mistake and your grandmother's web page is just fine...

I work with the team that helps put the warning in Google's search results, so let me try to explain. The good news is that your grandmother is still kind and loves turtles. She isn't trying to start a botnet or steal credit card numbers. The bad news is that her website or the server that it runs on probably has a security vulnerability, most likely from some out-of-date software. That vulnerability has been exploited and malicious code has been added to your grandmother's website. It's most likely an invisible script or iframe that pulls content from another website that tries to attack any computer that views the page. If the attack succeeds, then viruses, spyware, key loggers, botnets, and other nasty stuff will get installed.

If you see the warning on a site in Google's search results, it's a good idea to pay attention to it. Google has automatic scanners that are constantly looking for these sorts of web pages. I help build the scanners and continue to be surprised by how accurate they are. There is almost certainly something wrong with the website even if it is run by someone you trust. The automatic scanners make unbiased decisions based on the malicious content of the pages, not the reputation of the webmaster.

Servers are just like your home computer and need constant updating. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. Even if you're diligent and keep all your website components updated, your web host may not be. They control your website's server and may not have installed the most recent OS patches. And it's not just innocent grandmothers that this happens to. There have been warnings on the websites of banks, sports teams, and corporate and government websites.

Uh-oh... I need help!
Now that we understand what the malware label means in search results, what do you do if you're a webmaster and Google's scanners have found malware on your site?

There are some resources to help clean things up. The Google Webmaster Central blog has some tips and a quick security checklist for webmasters. Stopbadware.org has great information, and their forums have a number of helpful and knowledgeable volunteers who may be able to help (sometimes I'm one of them). You can also use the Google SafeBrowsing diagnostics page for your site (http://www.google.com/safebrowsing/diagnostic?site=) to see specific information about what Google's automatic scanners have found. If your site has been flagged, Google's Webmaster Tools lists some of the URLs that were scanned and found to be infected.

Once you've cleaned up your website, use Google's Webmaster Tools to request a malware review. The automatic systems will rescan your website and the warning will be removed if the malware is gone.

Advance warning
I often hear webmasters asking Google for advance warning before a malware label is put on their website. When the label is applied, Google usually emails the website owners and then posts a warning in Google's Webmaster Tools. But no warning is given ahead of time - before the label is applied - so a webmaster can't quickly clean up the site before a warning is applied.

But, look at the situation from the user's point of view. As a user, I'd be pretty annoyed if Google sent me to a site it knew was dangerous. Even a short delay would expose some users to that risk, and it doesn't seem justified. I know it's frustrating for a webmaster to see a malware label on their website. But, ultimately, protecting users against malware makes the internet a safer place and everyone benefits, both webmasters and users.

Google's Webmaster Tools has started a test to provide warnings to webmasters that their server software may be vulnerable. Responding to that warning and updating server software can prevent your website from being compromised with malware. The best way to avoid a malware label is to never have any malware on the site!

Reviews
You can request a review via Google's Webmaster Tools and you can see the status of the review there. If you think the review is taking too long, make sure to check the status. Finding all the malware on a site is difficult and the automated scanners are far more accurate than humans. The scanners may have found something you've missed and the review may have failed. If your site has a malware label, Google's Webmaster Tools will also list some sample URLs that have problems. This is not a full list of all of the problem URLs (because that's often very, very long), but it should get you started.

Finally, don't confuse a malware review with a request for reconsideration. If Google's automated scanners find malware on your website, the site will usually not be removed from search results. There is also a different process that removes spammy websites from Google search results. If that's happened and you disagree with Google, you should submit a reconsideration request. But if your site has a malware label, a reconsideration request won't do any good — for malware you need to file a malware review from the Overview page.

How long will a review take?
Webmasters are eager to have a Google malware label removed from their site and often ask how long a review of the site will take. Both the original scanning and the review process are fully automated. The systems analyze large portions of the internet, which is big place, so the review may not happen immediately. Ideally, the label will be removed within a few hours. At its longest, the process should take a day or so.

Malware? We don't need no stinking malware!

Fri, 24 Oct 2008 10:25:00 +0000