Tuesday, 17 November 2009

Kaspersky Internet Security ID Vault Bundle

Kaspersky Internet Security ID Vault Bundle
Purchase Internet Security and receive ID Vault for FREE!
A limited time offer Offer Expires 12/31/09

Coupon Code: No Code Needed!

Researcher Hacks Twittter Using SSL Vulnerability

By Brian Prince
eWEEK.com
2009-11-16

A security researcher has demonstrated how attackers could use a newly discovered vulnerability in the Secure Sockets Layer protocol to launch an attack on Twitter.

The researcher, Anil Kurmus, posted details of the attack to his blog, The Secure Goose, Nov. 10. The exploit takes advantage of a vulnerability reported Nov. 5 by researchers from PhoneFactor. Although the security hole Kurmus took advantage of has reportedly been closed by Twitter, one of the researchers at PhoneFactor who discovered the bug said the exploit underscores the flaw's significance.

The exploit takes advantage of an SSL renegotiation issue. According to PhoneFactor, the vulnerability partially invalidates the SSL lock and enables attackers to launch attacks that could compromise a variety of sites that use SSL for security.including banking sites, and back-office systems that use Web services-based protocols.

In a paper, PhoneFactor researchers Steve Dispensa and Marsh Ray explained (PDF) that the vulnerability allows a man-in-the-middle attack to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream. This in turn can lead to a variety of abuses, they contended.

Obama said to be close again to naming cybersecurity chief

By Jaikumar Vijayan
Computerworld
November 16, 2009

The Obama administration is once again reported to be close to naming a White House cybersecurity coordinator.

A story in the Federal Times, quoting unnamed sources, said that an announcement could come as soon as Thanksgiving.

The two people in the running for the post are Frank Kramer, a former assistant secretary of defense during the Clinton administration, and Howard Schmidt, a former White House cybersecurity adviser and corporate chief security officer (CSO), the report says. Both are names that have been mentioned as likely candidates for the position for several months.

This is not the first time that the White House has been rumored to be close to announcing its pick. In September, Reuters reported that an announcement was imminent. When that did not happen, some security analysts suggested that the White House could be waiting for October to make the announcement because the month had been designated as a "cybersecurity month."

Report: Countries prepping for cyber war

By Elinor Mills
InSecurity Complex
CNet News
November 16, 2009

Major countries and nation-states are engaged in a "Cyber Cold War,"
amassing "cyber weapons," conducting espionage, and testing networks in preparation for using the Internet to conduct war, according to a new report to be released on Tuesday by McAfee.

In particular, countries gearing up for cyber offensives are the U.S., Israel, Russia, China, and France, the says the report, compiled by former White House Homeland Security adviser Paul Kurtz and based on interviews with more than 20 experts in international relations, national security and Internet security.

"We don't believe we've seen cases of cyber warfare," said Dmitri Alperovitch, vice president of threat research at McAfee. "Nations have been reluctant to use those capabilities because of the likelihood that [a big cyber attack] could do harm to their own country. The world is so interconnected these days."

Threats of cyber warfare have been hyped for decades. There have been unauthorized penetrations into government systems since the early ARPANET days and it has long been known that the U.S. critical infrastructure is vulnerable.

A different kind of antiviral donation for Africa

Africa is suffering from yet another plague: this one infects their computers instead of their communities.

Chris Michael, writing in the English newspaper The Guardian in August 2009, summarized the situation as follows: "...Africa has become a hive of [T]rojans, worms and exploiters of all stripes. As PC use on the continent has spread in the past decade (in Ethiopia it has gone from 0.01% of the Ethiopian population to 0.45% through 1999-2008), viruses have hitched a ride, wreaking havoc on development efforts, government programmes and fledgling businesses."

Michael points out that African organizations can hardly afford to pay $50 per year per computer for virus protection, and thus computers all over the continent are sinking into unusability. Organizations lose critical documents ("an agriculture bureau employee ... lost the multi-year plan for agricultural improvements for the Benishangul-Gumuz region, Ethiopia's fourth poorest area"), suffer slow access to the Internet ("it is not unusual to wait 10 minutes to access a single [W]eb page"), randomly reboot computers, and destroy files.

Alan Mercer, a computer specialist with Voluntary Service Overseas (VSO), is bitter about the effect of (mostly Chinese) virus writers on his African clients:

"I'd take them to Ethiopia," Mercer says. "I'd show them the man who lost his agricultural development plan to the virus he wrote. Then I'd show him the kids who will die in two years because the agricultural reforms came too late and the annual harvest failed because the agricultural development plan at the regional agricultural bureau was destroyed by his virus."

Police probe breach of NHS smartcard security as e-records launched in London

By Tony Collins
ComputerWeekly.com
16 Nov 2009

An NHS trust at the forefront of work on the 12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records.

Patients in Hull have expressed their dismay that an unauthorised NHS employee has accessed their confidential records; and the local primary care trust, NHS Hull, says it is "shocked" at the breach of security by a member of staff who has since left.

Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT].

The roll-out is part of plans by the Department of Health to create for 50 million people in England an electronic "summary" medical record on a central database run by BT.

But doctors say that the breach of security at NHS Hull shows that an insider with a smartcard can access confidential electronic records without authorisation, if the person is determined to do so.

GMH data breached in stolen laptop

By Laura Matthews
Pacific Daily News
November 17, 2009

The Guam Memorial Hospital suffered an information breach when a laptop containing unsecured health information was stolen in late October.

It wasn't until late last week that they found out the machine contained a file with personal information for approximately 2,000 employees, volunteers, contractors and physicians.

Their names, the date of their last physical examinations and their vaccination, Tuberculosis and Hepatitis B statuses were contained in the machine, which was being used by the GMH Employee Health Office.

"No patients were affected, only the people seen by the Employee Health Office," said Connor Murphy, the hospital's spokesman. "No social security numbers, addresses, dates of birth or financial information was breached. From the feedback I am getting, this is what people are most worried about."

The machine wasn't password-protected.

emails

a

The Register - Security

IQ test

The Register - Security: Anti-Virus

HackWire - Hacker News