The security vendor Trend Micro announced Thursday that the company's website had been hacked earlier in the week.  Mike Sweeny, a Trend Micro spokesman, said "We took the pages down overnight Tuesday night - and took corrective action."

On Thursday security vendor McAfee reported that more than 20,000 Web pages have been affected by the attack.  The pages are infected with malicious code that tries to install password-stealing software on the PCs of people who visit the sites.

Researchers are still not sure how the attackers are managing to hack these Web pages, but the pages all seem to use Microsoft's Active Server Page (ASP) technology, which is used by many Web development programs to create dynamic HTML pages.  A software bug in any of those programs is all the attackers need to install their malicious code.  The infected Web pages are not obviously malicious, but the attackers have added a small bit of JavaScript code that redirects visitors' browsers to an invisible attack launched from servers based in China.  The JavaScript attack code hosted on these infected Web sites takes advantage of bugs that have already been patched, so users whose software is up-to-date are not at risk.  However, McAfee warns that some of the exploits are for obscure programs such as ActiveX controls for online games, which users may not think to patch.

For more information visit http://www.networkworld.com/news/2008/031408-trend-micro-hit-by-massive.html?fsrc=rss-security or http://www.infoworld.com/article/08/03/14/Trend-Micro-hit-by-massive-Web-hack_1.html
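For site owners, the injected script reference described above is something that can be checked for. The following is an added example, not part of the original article: it lists every script a page loads from a host outside an allowlist. The hostnames, page contents and the allowlist itself are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumed allowlist).
ALLOWED_HOSTS = {"www.example.test", "static.example.test"}
# Constructed sample pages: path -> HTML as served to visitors.
SAMPLE_PAGES = {
    "/default.asp": '<html><head><script src="/js/menu.js"></script>'
                    '<script src="http://static.example.test/site.js"></script>'
                    "</head><body>Home</body></html>",
    "/news/item.asp": '<html><body><h1>News</h1>'
                      '<script src="/js/menu.js"></script>'
                      '<script src="http://injected.example.net/m.js"></script>'
                      "</body></html>",
}

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def foreign_scripts(html, allowed_hosts):
    """Return (host, src) for each script loaded from a host not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Relative URLs have no hostname and stay on the site itself.
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed_hosts:
            findings.append((host, src))
    return findings

def audit_pages(pages, allowed_hosts):
    """Map each page path to its unexpected script references (clean pages omitted)."""
    report = {path: foreign_scripts(html, allowed_hosts) for path, html in pages.items()}
    return {path: found for path, found in report.items() if found}

if __name__ == "__main__":
    for path, findings in audit_pages(SAMPLE_PAGES, ALLOWED_HOSTS).items():
        for host, src in findings:
            print(f"{path}: script loaded from unexpected host {host} ({src})")
```

Run against the pages as visitors receive them rather than the source templates, since content injected through the database or application layer only appears in the rendered output.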


 

Google offers a service called "Google Alerts" allowing you to monitor what is being posted on the Internet about your company or even yourself.

Simply go to http://www.google.com/alerts to create a Google Alert (see options below):

  • Search terms - enter your choice of query or topic
  • Type - options include News, Blogs, Web, Comprehensive, Video, and Groups - in most cases you will want to choose Comprehensive
  • How often - options include once a day, as-it-happens, and once a week
  • Your email - you will be sent a verification e-mail before you begin receiving alerts

You can also sign up for a Google account and manage your alerts within your account - to sign up for a Google account go to https://www.google.com/accounts/NewAccount

For more information about Google alerts, visit their FAQs at http://www.google.com/support/alerts/bin/static.py?page=faq.html&hl=en


 

Hackers calling themselves the iPhone Dev Team got ahold of the new firmware that ships with the SDK (version 1.2 as beta, but is to be released as 2.0 to the public) and reported they had "already decrypted the disk image and jailbroken the firmware." The "Jailbreak" apparently only works with hacked activation, meaning it currently doesn't work with AT&T iPhones.

To read more, visit http://www.modmyifone.com/forums/showthread.php?t=62591 or http://www.informationweek.com/news/showArticle.jhtml?articleID=206903250


 

G-Archiver, a shareware application used to back up Gmail accounts, was reported to be storing usernames and passwords.

Jeff Atwood reports that he received the following "hair-raising tale" from Dustin Brooks via e-mail:

"I was looking for a way to back up my gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I'll give it a try.
It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.
I opened up a browser and logged in to gmail using his account information. It still worked.
Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself."

For more details, visit http://www.codinghorror.com/blog/archives/001072.html or http://www.informationweek.com/news/showArticle.jhtml?articleID=206902839

This is a perfect example of why end users need to be very conscious of what they install, and why companies need to have adequate policies and procedures related to the installation and use of software.  As we have said in our company before, "Paranoia is not necessarily a bad thing."


 
 

29A is a notorious virus "research" group, with members such as Benny, VirusBuster, Super, and ValleZ who were prominent in virus-writing circles. This group published a virus magazine in order to spread the know-how to create viruses. Over the past few years, the group has steadily lost members.  One of the last remaining members, VirusBuster, posted what looks to be the last message: "29A has left the building!"  For more information, go to http://www.securityfocus.com/blogs/655


 
 

On Thursday, Feb. 21st, a team of researchers primarily from Princeton released details of vulnerabilities in many full-disk encryption software packages that could allow attackers to gain access to the encryption key from RAM.  In most cases, the system would have to be compromised while on, or in "suspend" or "hibernate" mode; however, some exceptions exist.  To read the full research paper, watch the video, or review frequently asked questions, go to http://citp.princeton.edu/memory/


 

Most of us know that digital cellular phone communications, such as global system for mobile communications (GSM), which many major service providers use, are encrypted. And some of us may know that it has been cracked.  And I suppose we all think that nobody, except maybe a government, has the equipment or know-how to listen in...

Forbes.com reports that in a presentation Wednesday at the Black Hat security conference, two young cyber-security researchers demonstrated a new technique for cracking the encryption used on GSM.  The encryption is used to prevent eavesdropping, but the two researchers say that by using their technology they can record a GSM cell phone conversation from miles away and decode it in about half an hour with just $1,000 in computer equipment. GSM is the most popular standard for mobile phones in the world and the most notable service providers using GSM in the U.S. are AT&T and T-Mobile.

Keep in mind that this technology is for sale, so you should consider your cellular phone communications to be about as secure as unencrypted e-mail over the Internet.

To read the original Forbes.com article, visit: http://www.forbes.com/2008/02/21/cellular-spying-decryption-tech-security-cx_ag_0221cellular.html