Security

Black Hat D.C. 2008 begins

WASHINGTON--On Wednesday, Black Hat D.C. 2008 gets under way, after two days of intense training sessions. The D.C. Black Hat security conference is much smaller than the summer Black Hat USA in Las Vegas. But what D.C. lacks in size, it makes up for in sessions and talks.

On tap for Wednesday is a keynote speech from Jerry Dixon, former director of the National Cyber Security Division, Department of Homeland Security. Following the keynote address will be two parallel tracks of programming--Web app and wireless--including presentations from Chuck Willis of Mandiant on forensic challenges of cross site … Read more

Hacking public-information kiosks

Public-information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.

On the demonstration screen at ShmooCon, an East Coast computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within … Read more

Hacking the lobby telephone

WASHINGTON--Two security researchers at ShmooCon demonstrated on Saturday how a laptop connected to a VoIP telephone could, in some cases, expose a business' internal network to outsiders.

John Kindervag, senior security architect for Vigilar, said that public waiting areas in hospitals, conference rooms, and hotel rooms are particularly vulnerable to this attack, since there is often no IT staff around. Appearing on stage at the East Coast computer hacker conference with Kindervag was Jason Ostrom, manager of Vigilar's Vulnerability Assessment and Compliance Practice team, who used the ShmooCon conference to show off his latest version of VoIP Hopper, a … Read more

Exploiting QuickTime flaws in 'Second Life'

WASHINGTON--Researchers Charlie Miller of Independent Security Evaluators and Dino Dai Zovi turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn't exploit a flaw within Linden Lab's Second Life itself, but within QuickTime, which the Second Life client uses to play media. They showed how an attacker could make money stealing from innocent Second Life victims.

Miller and Dai Zovi are both experienced with flaws in Apple products. Miller published the first Apple iPhone flaw shortly after its release. At last year's CanSecWest security conference, Dai Zovi exploited a QuickTime flaw to win a "PWN to Own" … Read more

With improvements, e-voting could be good, says researcher

WASHINGTON--In a keynote address at this year's ShmooCon, an East Coast computer hacker conference, J. Alex Halderman said that electronic voting machines could be good for the electorate--with some modifications.

Halderman is a graduate student studying under Ed Felten, a professor of computer science at Princeton who is best known for demonstrating that the electronic voting machines produced by Diebold and other companies are vulnerable to attack. Diebold has since renamed its election equipment business Premier Election Solutions. Felten was to give the keynote address but canceled at the last minute due to the flu. Halderman is … Read more

From Storm, with love

The FBI is warning that Valentine's Day e-mails you see this year might be coming not from loved ones, but from the Storm worm botnet. In a press release Tuesday, the FBI warns users to be on the lookout for e-mail that "directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm worm botnet."

Dr. Jose Nazario of Arbor Networks said the authors of Storm have launched … Read more

There could be malware lurking inside that Clinton 'video' link

Update 11:45 a.m. PST: This blog post incorrectly described part of what the link downloads. It downloads a Trojan horse. The link does not take viewers to a video.

Moving beyond Valentine's Day as a social-engineering theme, online criminals have started sending out e-mail with a supposed link to a recent interview with Sen. Hillary Clinton. Instead of a video, the link downloads a Trojan horse onto the viewer's computer. Security experts predict that e-mail and phishing sites themed around the 2008 presidential election will continue throughout the year.

On Thursday, in a Symantec blog post, researcher Kelly Conley writes that the e-mail … Read more

Comcast: Bloggers keep us honest

After months of lying and evading our questions, Comcast seems to have developed a love affair with the blogosphere. Is this an early Valentine's Day present for bloggers, or is the company up to its usual tricks?

Comcast has gotten into a bit of hot water with the Federal Communications Commission over its widely criticized anti-BitTorrent filtering. FCC Chairman Kevin Martin announced the agency's plans to investigate Comcast last month, stating that "the question is going to arise: Are they reasonable network practices?" He added that "when they have reasonable network practices, they should … Read more

AT&T, Microsoft win as ID theft bill eviscerated

Update: This blog post has been modified since it was first published; the original text is preserved at the bottom of the post.

A pro-consumer, bipartisan data-breach bill was stripped of most of its provisions before its feeble remains were finally passed by an Indiana Senate committee on Tuesday.

This came after two weeks of intensive lobbying by AT&T, Verizon, Microsoft, and LexisNexis, all of which wanted to kill the bill. For the most part, they were successful.

In a blog post last week, I explained how I had worked with my state Rep. Matt Pierce (D-Bloomington) … Read more

Microsoft fixes 17 flaws in 11 patches; 6 are 'critical'

Microsoft on Tuesday released its February 2008 security update, which includes 11 bulletins, six of which Microsoft rates "critical" and five "important." One bulletin listed in the advance notification posted Thursday was not released Tuesday. Most of the "critical" patches affect Microsoft Office; two of the critical patches also cover Office 2004 for Mac, and one affects Visual Basic 6.

The "important" patches mostly concern Internet services. One patch is specific to Windows Vista; however, all the Windows Vista-related updates will be included with Windows Vista … Read more