
Vulnerabilities & attacks

TCP flaws put Web sites at risk

Two researchers in Sweden have found multiple flaws in the TCP stack that could lead to massive denial-of-service attacks if exploited. At present there is no workaround and there are no patches available.

The TCP stack defines a set of rules by which a computer can communicate over any network. Robert E. Lee, chief security officer for Outpost24, told CNET News, "the vendors we are in talks with seem to be taking the threat seriously."

The discovery follows a test using a port scanner called UnicornScan, which Lee and senior security researcher Jack Louis created. The tool is … Read more

Verizon gets industry-specific in breach report

Risk factors for data breaches vary from industry to industry and defy a "cookie cutter" approach to security, according to a report released Thursday by Verizon Communications.

The new report (PDF) builds on data released in June. The initial report spanned four years and included more than 500 forensic investigations involving 230 million compromised records.

In the initial report, Verizon found that 73 percent of the data breaches were the result of outside sources, with only 18 percent from insider threats. Of the outside sources, 39 percent were attributed to business partners. But that's an average.

The new … Read more

Microsoft, Washington state sue over 'scareware' pop-up ads

Microsoft and the Attorney General's office in Washington state said on Monday they have filed a handful of lawsuits over pop-up ads that scare consumers into paying for software that supposedly fixes critical errors on a PC.

The lawsuit filed by the Attorney General's office alleges a Texas firm sent incessant pop-up ads that falsely claimed the computer had critical errors in its registry and directed people to a Web site where they could download free scanning software to find the problems.

The software then reports 43 critical problems and offers to sell a fix for $39.95. However, the software, dubbed "Registry Cleaner XP," does nothing but lull the consumer into a false sense of security, officials said.

It's a "blatant rip off of consumers," Washington State Attorney General Rob McKenna said in a news conference. Consumers were "duped into downloading a fake scan (of the computer) and then duped into paying for software they don't need."

The pop-ups take advantage of a function called Windows Messenger (not to be confused with Microsoft's instant-messaging program Windows Live Messenger) that was designed to allow network administrators to send alerts to Windows PCs on a network. The functionality was turned off in Windows XP Service Pack 2, said Richard Boscovich, senior attorney for Microsoft's Internet Safety Enforcement Team.

The messages often would be displayed repeatedly, with one IP address receiving more than 200 in one day, the complaint alleges. … Read more

VoIP system users can be targeted in attacks

Jason Ostrom of VoIP Hopper on Saturday plans to release his next-generation VoIP sniffer at Toorcon in San Diego to help raise awareness of the type of vulnerabilities businesses face as they adopt unified communications (UC) technology.

He told CNET News that the tool, UCSniff, has two settings. One is a learning mode, sniffing all the IP traffic then mapping telephone extensions to specific addresses. By default, it is capturing all the calls and saving them to wave files.

The other setting is a bit more creepy: targeting conversations. After learning the IP addresses of the phone system, someone using … Read more

Two critical holes plugged in Thunderbird

Mozilla pushed out an update to its e-mail client Thunderbird today. The 2.0.0.17 update, for both Windows and Mac versions, corrects two potential exploits. Centered around Newsgroup functionality and an obscure UTF-8 hyperlink spoof, they could've allowed an attacker to execute arbitrary code.

A spate of bug fixes, memory leaks, and other less severe tweaks were addressed, too. The full changelog can be read here.

Firefox update fixes a dozen flaws

Mozilla released Firefox 2.0.017 and Firefox 3.0.2, updated versions of its browser, on Wednesday to address a dozen security vulnerabilities. Four are ranked by Mozilla as critical, one high, two moderate, and the rest of the patches are considered low priority. About half do not apply to Firefox 3.

The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible. … Read more

No indictment in Palin hacking case

A grand jury in Chattanooga, Tenn., investigating who hacked Republican vice presidential candidate Sarah Palin's Yahoo e-mail ended its meeting on Tuesday without indicting a Tennessee lawmaker's son.

Speculation on the Internet has centered on 20-year-old David Kernell, a University of Tennessee student.

On the Internet forum 4Chan.org, where the e-mail break-in was first announced, posts attributed to someone named "Rubico" more or less described how the Yahoo account had been compromised using the password recovery feature. The e-mail address used for Rubico has been linked to Kernell.

Kernell's father, Democratic Tennessee state representative … Read more

Infected U.S. PCs may have attacked Georgia

When political tensions flared last month between Georgia and its large neighbor to the north, the country was ready to block Internet traffic from Russia, hoping to avoid the denial-of-service attacks that shut down Internet service in Estonia for several days in 2007. Instead, most of the DoS attacks that were directed against Georgia came from an unlikely place: the United States.

"Russia is one of the most capable countries when it comes to launching system intrusion hacking attempts, distributed denial-of-service attacks, and operation of botnets," said Don Jackson, director of Threat Intelligence for SecureWorks. "Yet you'll notice the number of attacks coming from Russia are very low."

SecureWorks on Monday released a list ranking the countries with the most infected computers enlisted for use with botnets. On that list, Russia ranks 7th, far behind the United States, China, Brazil, South Korea, Poland, and Japan. The reason Russia is so low, Jackson said, is that hackers from Russia don't attack from within Russia.

Instead of attacking using Russian IP addresses, Jackson said, the hackers who wanted to attack Georgia used "computers and control servers located in Turkey while the bots (the infected computers) that they controlled were mostly in the United States." … Read more

Second of 11 alleged TJX hackers pleads guilty

A second criminal hacker accused of involvement in the massive data breach targeted at T.J. Maxx's parent company, one of the largest security breaches to date, reportedly pleaded guilty on Monday.

As part of a plea bargaining arrangement, Christopher Scott, 25, of Miami, has admitted to computer hacking, access device fraud, and identity theft, according to the Associated Press. He could face a sentence of up to 22 years in jail and a fine of up to $1 million for his crimes.

The plea comes almost two weeks after Damon Patrick Toey pleaded guilty to his role. The … Read more

Survey: Web-based malware puts corporations at risk

A new study found that 85 percent of malware is being distributed through Web applications, which is creating a growing threat for corporations as employees increasingly do online social networking, video watching, and personal e-mail at work.

Other findings of the survey, conducted by security firm Webroot, are:

• Web-borne malware increased more than 500 percent in 2007.

• One-quarter of companies report that data has been compromised by a Web-based threat.

• Nearly one-third say their Web security was compromised as a result of employees using computers at work to access social networks, Web-based e-mail, and video sites.

• 15 percent enforce Internet … Read more