news aggregator

Day 25: Finding and Removing Hidden Files and Directories, (Sat, Oct 25th)

Internet Storm Center - Sun, 2008-10-26 08:09
Today is the last day of the Eradication Phase. The topic is Finding and Removing Hidden Files and ...(more)...

MS08-067 RPC Vulnerability FAQ, (Sun, Oct 26th)

Internet Storm Center - Sat, 2008-10-25 17:31
Our old friend Juha-Matti Laurio has created a FAQ on the MS08-067 RPC vulnerability. The FAQ goes a ...(more)...

Day 26: Restoring Systems from Backup, (Sat, Oct 25th)

Internet Storm Center - Sat, 2008-10-25 17:23
You've identified the incident, contained the exposure, eradicated the problem, and now. ...(more)...

Friday Squid Blogging: Data Squid

Bruce Schneier's blog - Fri, 2008-10-24 15:11
This data squid was seen at the big demonstration against surveillance that took place in Berlin on October 11, as part of the international privacy action day "Freedom not Fear." The German is Datenkrake, which has a bad connotation to it, like sucking in everything it can get....

Data-Stealing Trojan Exploiting Just-Patched Windows Flaw

Microsoft Windows users who have not yet applied the security update that Redmond released yesterday should take a minute to do that now: Security experts are warning that at least one Trojan horse program with apparent spreading capabilities is in circulation, and that we are likely to see additional malware exploiting the flaw in the coming days.

The ThreatExpert Blog has the skinny on Gimmiv.A, a Trojan that appears to have worm-like ability to spread to other systems on a network. This is likely to be more of a threat for large, enterprise networks than for individual home users.

On an unpatched corporate network, all it would take is for an employee to plug an infected laptop into the network, and without firewalls enabled on each machine inside of the network or some type of host-based intrusion detection software running, that network could be in real trouble very quickly.

Oddly enough, ThreatExpert says that in addition to taking a swipe at the victim's stored passwords and trying to sucker punch any one of several anti-virus tools that could be installed on the victim's machine, Gimmiv downloads an image file of Homer Simpson. Woo-hoo!

Sunbelt Software says they're not able to verify ThreatExpert's claims that Gimmiv.a is anything more than a data-stealing Trojan, calling claims that the Trojan also functions as a network worm as "misinformation."

Regardless, this is a nasty vulnerability, period. If you haven't patched, do it now. If history is any teacher, Sunbelt's estimation of the threat is probably spot-on: "We would make an educated guess that a worm will hit soon (maybe in the next day or so)."

Schneier on Security Book Review

Bruce Schneier's blog - Fri, 2008-10-24 11:59
Here's one....

Yellow to Green: MS08-067, (Fri, Oct 24th)

Internet Storm Center - Fri, 2008-10-24 09:28
You may have noticed that the ISC Infocon was raised from Green to Yellow. This was to highlight the ...(more)...

* Microsoft out-of-band patch - Severity Critical, (Thu, Oct 23rd)

Internet Storm Center - Fri, 2008-10-24 06:07
Update #5 (updated): As Sourcefire have their sigs available, I would recommend to use thes ...(more)...

ANSI Cyberrisk Calculation Guide

Bruce Schneier's blog - Fri, 2008-10-24 06:04
Interesting: In a nutshell, the guide advocates that organizations calculate cyber security risks and costs by asking questions of every organizational discipline that might be affected: legal, compliance, business operations, IT, external communications, crisis management, and risk management/insurance. The idea is to involve everyone who might be affected by a security breach and collect data on the potential risks and...

Day 24: Cleaning Email Servers and Clients, (Fri, Oct 24th)

Internet Storm Center - Fri, 2008-10-24 01:17
Welcome to Day 24 of the SANS ISC's participation in the Cyber Security Awareness Month. Today's top ...(more)...

Remotely Eavesdropping on Keyboards

Bruce Schneier's blog - Thu, 2008-10-23 11:48
Clever work: The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They've outlined four separate attack methods, some that work at a distance of as much as 65 feet from the target. In one video demonstration, researchers...

Microsoft to Issue Emergency Security Update Today

Microsoft said late Wednesday that it plans to break out of its monthly patch cycle to issue a security update today for a critical vulnerability in all supported versions of Windows.

Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month. The software giant isn't providing many details yet, but the few times it has departed from its Patch Tuesday cycle it has always done so to stop the bleeding on a serious security hole that criminals were using to break into Windows PCs on a large scale.

By Security Fix's count, this would be the fourth time since January 2006 that Microsoft has deviated from its monthly patch cycle to plug security holes. As shown by the stories in the linked examples above, Microsoft has fixed problems, each time, that were being actively exploited by bad guys to break into PCs.

Microsoft's advanced notification bulletin says the problem is critical on Windows 2000, Windows XP and Windows Server 2003, meaning this is a vulnerability that can be exploited with little or no help from the user. Redmond labels the flaw "important" on Windows Vista and Windows Server 2008 machines.

Microsoft is expected to push out the update around 1:00 p.m. ET. The company also will reveal more details about the patch in a special Webcast. I'll have more information on this update as soon as the patch is out and details are released. Stay tuned.

Update, 12:00 p.m.: Corrected the time Microsoft is expected to release this patch today.

Update, 12:45 p.m. ET: A source of mine received some information from Microsoft saying the vulnerability stems from a critical, wormable problem in the Windows server message block service, a component of Windows used to provide shared access to files, printers, and other communications over a network. My source, who asked not to be identified because Microsoft has not yet publicly discussed the details, said Redmond has acknowledged that criminals have for the past three weeks been using the vulnerability to conduct targeted attacks. The source said that so far, fewer than 100 targeted attacks leveraging this flaw have been spotted by Microsoft's security team, but that Microsoft was rushing out this patch because the number of attacks appears to be increasing of late.

Update, 1:31 p.m.: Microsoft has released the update, MS08-067, which will soon hit Windows update as well. My source told me this was an SMB flaw, but he was only partly right.

The vulnerability lies with the Windows Server service, and more specifically with Microsoft's implementation of "remote procedure call" (RPC), a communications technology deeply embedded in the Windows operating system that allows a program to execute another process on a remote system. RPC vulnerabilities are extremely dangerous, as they can be used by a computer worm to spread malicious software to machines on a network with lightning speed. The infamous "Blaster worm" that attacked Microsoft and infected millions of Windows PCs in Aug. 2003 is probably the most recognizable example of malware exploiting an RPC flaw.

Microsoft does not release these so-called "out-of-band" updates lightly. I would highly recommend applying this patch as soon as possible, either by visiting Windows Update or enabling Automatic Updates. A quick scan with Windows Update on my Vista system offered the patch, which installed without incident (requires a reboot).

Kip Hawley Responds to My Airport Security Antics

Bruce Schneier's blog - Thu, 2008-10-23 05:24
Kip Hawley, head of the TSA, has responded to my airport security penetration testing, published in The Atlantic. Unfortunately, there's not really anything to his response. It's obvious he doesn't want to admit that they've been checking IDs all this time to no purpose whatsoever, so he just emits vague generalities like a frightened squid filling the water with ink....

Day 23 - Turning off Unused Services, (Wed, Oct 22nd)

Internet Storm Center - Wed, 2008-10-22 17:03
If it's not installed, it can't be exploited. It's as simple as that ...(more)...

A Primer on Web Browser Privacy Tools

The biggest contenders in the Web browser wars have been tripping over themselves to offer new privacy protections for users, and that's largely a good thing. But making sense of these features is a bit like trying to compare mobile phone plans from various phone companies: Unless you have the features compared side-by-side, making that comparison can be a tall order.

Happily, the Center for Democracy & Technology, a nonprofit consumer advocacy group in Washington, has published a clear and concise guide to help consumers understand and take advantage of these new privacy features.

The white paper examines the privacy features now built into four Web browsers -- Firefox 3, Internet Explorer 8 Beta 2, Google Chrome, and Safari 3. The paper also looks at privacy add-ons, including Stealther for a Firefox privacy mode, CookieSafe for cookie controls in Firefox, AdBlock Plus (must-have, in my opinion) for object controls in Firefox, and PithHelmet for object controls in Safari.

The CDT says Apple, Google, Microsoft and Mozilla all verified the accuracy of the claims made in the report about their browser software. Check out the report at this link here (PDF).

Terrorists and Child Porn, Oh My!

Bruce Schneier's blog - Wed, 2008-10-22 11:57
It's the ultimate movie-plot threat: terrorists using child porn: It is thought Islamist extremists are concealing messages in digital images and audio, video or other files. Police are now investigating the link between terrorists and paedophilia in an attempt to unravel the system. It could lead to the training of child welfare experts to identify signs of terrorist involvement as...

FBI, FTC Take Down Scammers & Spammers

I was traveling to speak at a couple of conferences most of the past week, so I missed out on covering some of the bigger cyber-security justice developments to come in a long while: The FBI announced it has busted up an online bazaar for cyber thieves, working with international authorities to nab at least 56 people suspected of buying and selling stolen personal and financial data. In other news, the Federal Trade Commission convinced a judge to freeze the assets of what's being called the world's largest spam gang.

The FBI said the arrests came after investigators infiltrated DarkMarket.ws, a Web forum for cyber crooks that once boasted more than 2,500 members who were interested in buying and selling credit card data, stolen user names and passwords.

"What they didn't know was that one of the site's administrators and most respected members, who called himself Master Splyntr, was one of us -- an undercover FBI agent who had infiltrated the site posing as a cyber crook," the FBI said of forum members, in a statement.

The undercover agent said he saw millions of dollars worth of stolen goods being exchanged on DarkMarket. The bureau estimates that the bust prevented more than $70 million in potential losses.

Wired.com's Kevin Poulsen has an interesting back story on this undercover operation, which was apparently almost blown two years ago when a rival forum operator fingered Master Splyntr as an undercover fed.

In a separate action, the FTC said a federal court had frozen the assets of an international spam ring (PDF) that pushed male-enhancement pills and knockoff prescription drugs.

The FTC said the online pharmacies lied about the safety of their drugs and the security of their Web site (the sites said they were using https:// when they weren't), and that they spoofed the source of the spam, most of which was sent using one of the world's largest botnets. The commission said it received more than three million complaints about spam messages connected to this junk e-mail operation.

The agency's complaint names two individuals -- Lance Atkinson, a New Zealand citizen living in Australia, and Jody Smith of Texas -- and four companies they control: Inet Ventures Pty Ltd., Tango Pay Inc., Click Fusion Inc., and TwoBucks Trading Limited. Atkinson already has a rap sheet for spamming: In June 2005, the FTC obtained a $2.2 million judgment against Atkinson and another business partner for running a similar spam affiliate program that marketed herbal products.

In supplemental documents filed by the FTC, the commission alleges that Atkinson and Smith's operations generated sales of more than $500,000 monthly. Earlier this year, security company Marshal Software identified the source of the spam e-mails as the "Mega-D" botnet, which it estimated was made up of 35,000 compromised PCs and at one point was responsible for sending 32 percent of all spam.

It's not clear yet whether the enforcement actions have stemmed the tide of pill spam blasted out through Mega-D. But Joe Stewart, a senior security researcher for Atlanta-based SecureWorks, said much of the pill spam sent via Mega-D has since been replaced by junk e-mail touting Russian brides and other online dating scams.

Update, 9:44 a.m.: Speaking of spam: In an effort to cut back on the amount of spam in blog comments, washingtonpost.com is instituting a site-wide change that requires those who wish to comment to have registered on the site. No doubt, this change will discourage some readers who do not wish to go through the free registration process, and that's unfortunate. But a series of comment-spam attacks across all blogs have caused serious and unacceptable slowdowns for the site as a whole.

Terrorist Fear Mongering Seems to be Working Less Well, Part II

Bruce Schneier's blog - Wed, 2008-10-22 05:44
Last week I wrote about a story that indicated that terrorist fear mongering is working less well. Here's another story, this one from Canada: two pipeline bombings in Northern British Columbia: Investigators are treating the explosions as acts of vandalism, not terrorism, Shields said. "Under the Criminal Code, it would be characterized as mischief, which is an intentional vandalism. We...

ID Cards for Port Workers

Bruce Schneier's blog - Tue, 2008-10-21 12:28
While I am strongly opposed to a national ID, I have consistently said that giving strongly secured ID cards to groups like port workers is a good idea. It's happening in New England: The scannable card serves as proof that a background check has been performed and it contains features aimed at preventing misuse. In addition to a photograph, the...

Quantum Cryptography

Bruce Schneier's blog - Tue, 2008-10-21 05:48
Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life. The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance...