Friday, April 25, 2008

Beware of Orkut, Facebook and MySpace

April 2008

Beware of hacker attacks via Orkut, Facebook and MySpace. According to the 2007 Internet Security Threat Report compiled by anti-virus and security vendor Symantec, social networking sites have become the latest vector hackers use to attack home and enterprise computers. “With the web emerging as the seamless medium of communication, information and interaction, online users are prone to get infected by engaging in social networking and browsing frequented websites due to malicious online activity in the form of worms, bots, viruses and Trojans,” Symantec's managing director for India said. Some of the popular social networking sites are Bebo, Facebook (70 million registered users worldwide), Flickr (9.6 million users), MySpace and Orkut.

Hack a Mac...

April 2008

Mac hack contest bug had been public for a year. The winner of last month’s PWN2OWN contest to install unauthorized software on a machine running a fully patched version of the Mac OS X operating system exploited a flaw that had been publicly disclosed nearly a year before the contest. The flaw lay in an open-source library, the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language and Apple’s Safari browser, the program the winner exploited to take the prize. In an e-mail interview, a security researcher said he had found the bug and publicly disclosed it in November 2007. PCRE’s developers had fixed it months earlier, as part of an incomplete fix for the issue in the May 2007 PCRE 6.7 release. Although Safari uses the PCRE library, Apple did not patch its copy until late last week. That means an astute attacker who noticed the fix in PCRE 6.7 would have had an early tip on how to break into Apple’s computers. Discovering a software bug is only the first step toward using that flaw in an attack, and not every flaw leads to a working exploit. In an e-mail interview, the contest winner confirmed that the bug he exploited was the same one patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it “completely independently.”

Wednesday, April 23, 2008

Change Your Password!!!

April 2008

Most computer users repeat passwords, at their peril. Using the same password for multiple Web sites is the Internet-era equivalent of having one key for your home, your car and your bank safe-deposit box. Even though a universal password is gold for cyber crooks, who can use it to steal all of a person’s sensitive data at once, nearly half the Internet users queried in a new survey said they use just one password for all their online accounts. At the same time, 88 percent of the 800 people interviewed in the U.S. and the U.K. for the survey by the Accenture consultancy, due to be released Thursday, said personal irresponsibility is the key cause of identity theft and fraud. Researchers say the findings suggest that many users underestimate the growing threat from organized cyber criminals, who can reap big profits from selling stolen identities. “There’s a lot of confusion out there – a lot of people don’t think there’s a problem,” said a senior executive in Accenture’s global security practice. He said the problem with repeating passwords is that a hacker who successfully breaks into one account then has an easy time getting into all of the user’s other accounts.

OK State Leaks SSNs...

April 2008

The state of Oklahoma leaked tens of thousands of Social Security numbers. Residents of Oklahoma were told this week that tens of thousands of their names, Social Security numbers and related data had effectively been available on the Web for around three years. The source of the problem, says a software security researcher with Fortify Software, is poor coding on the state Department of Corrections Web site. “This is a classic SQL injection vulnerability,” he said, adding that, in this case, the lapse could easily have been caught with a simple code review. Had some form of automated analysis been part of the release procedure for the site, the incident could have been avoided, he said. According to newswire reports, anyone with a basic knowledge of SQL could interpret the URLs and other data returned by the Oklahoma DoC site, because the URLs carried query fragments that a reader familiar with SQL could understand. Then, by simply amending the long URLs the site returned, a visitor could retrieve tens of thousands of Social Security numbers and the associated data.
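The failure mode described above, as an added example that is not code from the Oklahoma DoC site (whose source was never published): a request parameter spliced straight into SQL turns a one-record lookup into a bulk dump, and the parameterized version of the same query does not. The table, column names, URLs and sample rows below are all constructed; the SSN strings are obvious placeholders, not real numbers.

```python
"""Added example, not code from the Oklahoma DoC site: an injectable id
parameter in a URL beside the parameterized query that stops it.

Everything here is constructed: the table, the column names, the URLs and the
sample rows (the SSN strings are placeholders, not real numbers).
"""
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for an offender registry.
SAMPLE_ROWS = [
    (101, "Doe, John", "000-00-0101"),
    (102, "Roe, Jane", "000-00-0102"),
    (103, "Poe, Alex", "000-00-0103"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offender (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO offender VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def record_id_from_url(url):
    """Return the 'id' query parameter as a web handler sees it: a raw string."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, record_id):
    """The classic mistake: the request parameter is concatenated into the SQL
    text, so whatever the visitor puts in the URL becomes part of the WHERE
    clause and is parsed as SQL."""
    sql = "SELECT name, ssn FROM offender WHERE id = " + record_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, record_id):
    """The fix: check the shape of the input, then bind it as a parameter so the
    database treats it as a value and never as part of the statement."""
    if not record_id.isdigit():
        return []
    sql = "SELECT name, ssn FROM offender WHERE id = ?"
    return conn.execute(sql, (record_id,)).fetchall()


def demo():
    """Run an honest link and a tampered link through both handlers and return
    the rows each produced."""
    conn = make_db()
    # A legitimate link of the kind the site might have emitted ...
    honest = "http://example.invalid/offender.asp?id=102"
    # ... and the same link with the id amended to '102 OR 1=1' (URL-encoded).
    tampered = "http://example.invalid/offender.asp?id=102%20OR%201%3D1"
    return {
        "honest": lookup_safe(conn, record_id_from_url(honest)),
        "tampered_vulnerable": lookup_vulnerable(conn, record_id_from_url(tampered)),
        "tampered_safe": lookup_safe(conn, record_id_from_url(tampered)),
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable handler, tampered URL:", len(result["tampered_vulnerable"]), "rows")
    print("parameterized handler, tampered URL:", len(result["tampered_safe"]), "rows")
```

The tampered URL makes the concatenated query read `WHERE id = 102 OR 1=1`, which is true for every row, so the vulnerable handler returns the whole table. With parameter binding the same string is compared as a value against the integer key and matches nothing; the `isdigit` check in front of it is defence in depth, not the thing that makes the query safe. This is exactly the kind of defect a code review or an automated scan for string-built SQL would have caught.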

Microsoft Word Tips and Tricks

April 2008

There is no way to delete the recently used files directly from the Getting Started task pane, but you can delete them from the bottom of the File menu (assuming you're using Word 2002 or 2003). Press Ctrl+Alt+Hyphen and click on one of the filenames. Repeat as needed. Use this shortcut with care because it will delete *any* menu item you click on. Deleting the filenames from the MRU list on the File menu will also remove them from the task pane.

Thanks to S. Barnhill

Monday, April 21, 2008

Windows Mobile 6.1

April 2008

Microsoft released the new Windows Mobile 6.1. Now it’s even easier to stay connected and manage your busy life—from just about anywhere. Windows Mobile 6.1 is full of enhancements, made with your needs in mind:

* Instant messaging-like texting
* Improved Internet browsing
* Simpler e-mail and Bluetooth setup
* New Home screen interface
* New Getting Started Center
* Security enhancements
* Easier Wi-Fi connection
* More personal choice

Find out more about how Windows Mobile 6.1 can make it easier to do the things that are important in your life.

Click the link below for a list of phones that can be updated:
Phone List

A Little Email Security Note:

April 2008

E-mail scams
Q: How can I tell if an e-mail message is fraudulent?
A: Look for clues. Fraudsters often use URLs with typos in them that are easy to overlook, such as "micosoft" in place of "microsoft", in a message that claims to come from Google, Apple or Microsoft.

Q: Should I click links in e-mail messages?
A: It is safer to copy the URL from the message and paste it into your browser's address bar than to click it, because the text a link displays and the address it actually points to can differ. Safer still is to type the site's address yourself or use a bookmark you created earlier.

Q: What should I do if I think an e-mail is a scam?
A: Report it by clicking the "Report phishing scam" button in Google, Hotmail or Yahoo.

Q: How do I check if an offer is a scam?
A: Scams are often listed on sites like snopes.com. You can go there and search for information on a suspicious offer, such as "fee for Google, Hotmail or Yahoo".


Password protection
Q: How do I help keep my password secure?
A: While you're thinking of it, go to your accounts to change your password today. Make sure you create a strong password.

* Use more than 7 characters
* Use uppercase and lowercase letters, numbers and special characters — such as @, #, and $
* Set your password to expire every 72 days

Suspicious activities
Q: What are suspicious activities?
A: Be wary if you think someone accessed your account or if a log-in/sign-in page or e-mail looks fraudulent.

Q: What should I do if I notice suspicious activities?
A: First, immediately change your password. Then, make sure your computer hasn't been infected by running a free full-PC scan to check for and remove viruses, spyware, and other potentially unwanted software.

Q: What if I receive an unexpected password reset confirmation message?
A: If you did not request a password change, someone may be trying to get into your account by triggering a reset. Delete the message without following any link in it, then log in to your account the usual way and change your password as soon as possible. If you cannot log in and change your password, contact the provider's support immediately.

Q: What should I do if a suspicious e-mail message asks for my sign-in ID?
A: Do not provide your ID and do not click any links in the message. If you want to check the site it points to, copy the URL and paste it into your browser's address bar, or navigate to the page from the site's own home page, and confirm that the address matches the genuine site. You can also check a site like snopes.com to see whether the e-mail is a known scam.
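The "typo in the URL" clue from the E-mail scams answers and the "confirm its authenticity" step above can be partly automated. The following is an added example, not code from the original post: it pulls the host out of a link, compares its registrable domain against a list of brands you trust, and flags both near-miss spellings (edit distance 1 or 2, so "micosoft" is caught) and a trusted brand buried in a subdomain of an unrelated domain. The trusted list and the sample links are constructed, and the registrable domain is assumed to be the last two labels of the host, which is wrong for names like example.co.uk (a public-suffix list would be needed for those).

```python
"""Added example, not code from the original post: flag lookalike domains in
e-mail links against a constructed list of trusted brands.

Assumptions: the registrable domain is the last two host labels (wrong for
example.co.uk-style names), and the trusted list below is constructed.
"""
from urllib.parse import urlparse

TRUSTED = ("google.com", "apple.com", "microsoft.com")


def edit_distance(a, b):
    """Levenshtein distance, computed with a two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_host(host):
    """Return (registrable domain, subdomain labels) under the two-label assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify_link(url, trusted=TRUSTED):
    """Classify a link as ('trusted', domain), ('lookalike', brand it imitates)
    or ('unrelated', domain)."""
    host = urlparse(url).hostname or ""
    domain, subdomains = split_host(host)
    if domain in trusted:
        return ("trusted", domain)
    for brand in trusted:
        brand_label = brand.split(".")[0]
        # e.g. microsoft.com.login-verify.invalid: the brand is only a subdomain
        # of somebody else's registrable domain.
        if brand_label in subdomains:
            return ("lookalike", brand)
        # e.g. micosoft.com: one or two edits away from the real name.
        if edit_distance(domain, brand) <= 2:
            return ("lookalike", brand)
    return ("unrelated", domain)


if __name__ == "__main__":
    # Constructed sample links of the kinds the Q&A describes.
    for link in ("https://www.microsoft.com/security",
                 "http://micosoft.com/update",
                 "http://microsoft.com.login-verify.invalid/signin",
                 "https://example.org/"):
        print(link, "->", classify_link(link))
```

Treat a "lookalike" result as a prompt for scrutiny, not a verdict: an edit-distance threshold of 2 will also flag legitimately different short names, and the check does nothing about homoglyph or internationalized-domain tricks. Its value is that it catches the one-letter misspellings the eye skips over.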

Be Safe: Knowing is Everything...

Thursday, April 17, 2008

Windows XP: Bye Bye Bye...Come June 2008

April 2008

Microsoft originally announced over a year ago that Windows XP would go off the market in January 2008. XP was later given a brief stay of execution, to June 30, 2008. That deadline is fast approaching, which has led to a good deal of panic among people who aren't quite sure what XP's "going off market" actually means. What does this mean for users? Go to Yahoo to find out more...


or Buy an Apple Mac...(^o^)

Monday, April 14, 2008

Google Maps Sued!!!!

April 2008

In Pittsburgh, a couple is suing Google for invasion of privacy over images of their home posted on the Street View feature of Google's map site.
The couple say they bought the home for its privacy and had posted a sign reading "Private Road".
Google used a car with a camera mounted on top to photograph the streets of major cities. Google says it regrets that the couple did not use YouTube or Google's own site to find out how to have their home taken off the map (much like Dick Cheney) and that it regrets the matter has now become a lawsuit. However, within that removal request Google states that people must "CITE A GOOD REASON AND CONFIRM THEY OWN THE PROPERTY".
Hey Google, DID YOU ASK ANYONE BEFORE YOU STARTED DOING THIS?

Words to search for more information:
Borings
Dennis Moskai, who makes a good point in stating that litigation is the only way to deter big business from overstepping its boundaries and violating citizens' privacy.
Allegheny County
When a citizen asserts their rights and a big company is in the wrong, instead of "doing the right thing" the company more often than not tries to make the citizen appear to be hiding something (see Dick Cheney).

MOORE STATED IT BEST: WHO WATCHES THE WATCHMEN???

Laptop with Vista Attack Codes...Tks eBay!

April 2008

Laptop, complete with Vista attack code, listed on eBay. The winner of a recent hacking contest is offering the computer he broke into for sale on eBay, possibly with the Microsoft Vista attack code he used intact. In a Monday listing, the man is selling the Fujitsu U810 laptop he won last Friday during the CanSecWest PWN 2 OWN contest. His listing claims that exploit code could probably still be extracted from the machine. Although he makes no guarantees, he wrote, “My successfull [sic] exploitation of Vista SP1 remotely, is most likely still present. This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident responce sitchiation [sic] would look like.” The man was one of two hackers to claim laptops and cash prizes for penetrating systems during last week’s contest. Organizers offered Vista, Mac OS, and Linux-based laptops for the taking, along with prizes that varied from $5,000 to $20,000, depending on the difficulty of the exploit. By Friday, however, only the Linux laptop remained unbreached.

Organized Criminal Hackers...

April 2008

Organized crime exploiting browser vulnerabilities. Organized criminal hackers are waging a highly sophisticated war by exploiting vulnerabilities in end users’ web browsers using drive-by downloads, security experts warn. The extent of the threat was exposed in a recent Google Online Security Blog post and the 2007 Trend Statistics Report from IBM’s X-Force. “It has been 18 months since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. pages that attempt to exploit visitors by installing and running malware automatically,” the Google blog stated yesterday. “During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 sites automatically installing malware.” Google’s team also reported that around two percent of malicious websites are delivering malware via advertising. IBM reported recently that criminals are directly attacking web browsers in order to steal identities, gain access to online accounts, and conduct other illicit activities.

Friday, April 11, 2008

Apple Patches Quicktime

April 2008

Apple Inc. patched QuickTime late Wednesday to fix 11 flaws in the Mac and Windows versions of the media player. All but two of the bugs could be used by hackers to hijack users’ machines. QuickTime 7.4.5 – the third security update Apple has released for the program so far in 2008 – plugs vulnerabilities in how the player handles Java and PICT image files, parses some data objects, and uses Animation codec content, among others. Nine bugs patched Wednesday were characterized by Apple as allowing “arbitrary code execution,” a phrase the company uses to describe the most serious threats. Unlike other vendors such as Microsoft Corp. or Oracle Corp., Apple does not rank the bugs it fixes with a scoring or labeling system. Many of the vulnerabilities can be exploited if attackers are able to trick users into visiting malicious Web sites or open rigged files. Of those in the second category, Apple warned that some of the bugs could be triggered by malicious movie or PICT files. One flaw and possible attack vector was explained by Apple this way: “A memory corruption issue exists in QuickTime’s handling of movie media tracks. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution,” the company said. Three of the vulnerabilities affect the Windows version of QuickTime only; the remaining eight exist in both the Mac and Windows editions, Apple said in the notes it released along with the patched program.

Cybercrime Treaty Gains More Interest & Momentum

April 2008

The number of countries that will have ratified the only international treaty addressing cybercrime is expected to nearly double this year, a sign that momentum is building behind efforts to police the Internet. The Council of Europe’s Convention on Cybercrime, which sets guidelines for laws and procedures for dealing with Internet crime, was adopted in 2001. Countries can sign the treaty, which indicates their willingness to comply, and then can ratify it after their laws have been modified. So far, 22 countries have ratified the treaty, a lower number than expected since the treaty was introduced seven years ago, said the head of the economic crime division for the Council of Europe, on Tuesday. However, the Council hopes around 40 countries will ratify it by February 2009. The slow pace comes from the legal and legislative complexities that come with modifying laws in order to comply with the treaty, he said. The Council often works with countries to ensure their compliance. Countries outside the 47-member Council, which represents European countries, may apply for accession, the first step in implementing the treaty. The U.S., for example, has ratified the treaty, and more countries outside Europe are indicating their interest in joining, he said. The Convention is aimed at providing for swifter prosecutions of cybercrime as well as better cooperation between law enforcement agencies, as investigations often cross borders. For example, it requires countries to have a law enforcement contact available at all hours to assist in a digital investigation.

Washington State Passes RFID Anti-Spying Law

April 2008

Washington’s governor this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone. The bill was signed about a week after the Washington State Senate unanimously passed Bill 1031, which makes it a crime to intentionally scan people’s IDs remotely, without their knowledge and consent, for the purpose of fraud, identity theft or some other illegal purpose. The bill specifically cites RFID and facial recognition technology. Violators face a prison sentence of up to 10 years. In addition, if the illegally gathered data is used in a separate crime, up to 10 years could be added to whatever sentence violators receive for the second crime. “Our intent was to put some basic rules of the road in place,” said the state legislator who sponsored the bill. “As the technology is being deployed, it needs to be done in a way that the public won’t sense there’s a huge violation to their privacy rights. My fear is that state legislatures are good at being reactionary when something atrocious happens. We wanted to be ahead of this one.” He noted that Washington state began issuing enhanced driver’s licenses this winter. The new licenses carry RFID tags and can be used at the Canadian/U.S. border crossing instead of a passport. In light of these new ID cards and the growing number of RFID-based customer-loyalty cards and company ID cards, he said it was time for a law that protects people’s privacy. The law, which goes into effect in July, focuses on skimming, that is, lifting information from RFID tags without the knowledge of the owner.

Office Exploit Hits the Street...

April 2008

Attack code that targets a recently patched vulnerability in Microsoft Corp.’s Office suite has gone public, a security company said today as it urged users to update immediately. The exploit, which was posted yesterday to the Milw0rm.com Web site, takes advantage of one of two flaws fixed by Microsoft in its MS08-016 security update. Microsoft issued the update on March 11 as part of a four-bulletin batch. “The exploit that is currently available uses a PowerPoint file to leverage the vulnerability on Office XP SP3,” said a Symantec Corp. analyst in an alert to customers of the company’s DeepSight threat network. “The payload is designed to execute the ‘calc.exe’ calculator program on Windows. However, it will not be difficult to modify this exploit to add a malicious payload.” According to the analyst, the rigged PowerPoint file triggers the “Microsoft Office File Memory Corruption Vulnerability,” one of the two vulnerabilities addressed by MS08-016. Microsoft said earlier this month that the flaw is rated “critical” for users of Office 2000 and “important” for Office XP and Office 2003 on Windows machines and Office 2004 for Mac. However, the company acknowledged that a successful attack against any of the four versions could result in the attacker wresting control of the machine from its rightful owner. Microsoft spelled out two possible attack vectors: enticing users to a malicious Web site that hosts a specially rigged file, or feeding users malformed files as e-mail attachments. “Customers are strongly advised to install the patches from the bulletin MS08-016 if they are not installed already, especially considering the availability of this exploit,” said Symantec.

DHS Conducts Cyber Storm 2...

April 2008

DHS conducts Cyber Storm II to examine cyber preparedness, response capabilities. The Department of Homeland Security (DHS) is conducting the largest cyber security exercise ever organized. Cyber Storm II is being held from March 10-14 in Washington, D.C. and brings together participants from federal, state and local governments, the private sector and the international community. Cyber Storm II is the second in a series of congressionally mandated exercises that will examine the nation’s cyber security preparedness and response capabilities. The exercise will simulate a coordinated cyber attack on information technology, communications, chemical, and transportation systems and assets. “Securing cyberspace is vital to maintaining America’s strategic interests, public safety, and economic prosperity,” said DHS’s assistant secretary for Cyber Security and Communications. “Exercises like Cyber Storm II help to ensure that the public and private sectors are prepared for an effective response to attacks against our critical systems and networks,” he said. Cyber Storm II will include 18 federal departments and agencies, nine states (Calif., Colo., Del., Ill., Mich., N.C., Pa., Texas and Va.), five countries (United States, Australia, Canada, New Zealand and the United Kingdom), and more than 40 private sector companies.