Articles about Security

IRS servers in need of hebdomadal malware scans

A report released last week by the Treasury Inspector General for Tax Administration (TIGTA) after a year-long audit states that servers at the Internal Revenue Service are in need of hebdomadal malware scans, after the agency's Cybersecurity Computer Security Incident Response Center noted a 45% increase in malware infections between 2007 and 2008.

Michael Phillips, deputy inspector general for audit at TIGTA, issued four recommendations for the IRS, all in line with statutory requirements that the agency get a good look from auditors on a regular basis.

Continue reading

Egress debuts fresh data-security model

Operating on the theory that data at rest isn't a problem until it becomes restless, Egress Software Technologies on Monday debuted a security system designed to protect data in motion -- over the net, on a thumbdrive, in the cloud, or what you will.

Bob Egner, US president of the UK-based Egress, notes that practically speaking you can't not share data these days; the ways we all work with partner firms and third-party vendors dictate it. The problem is that as your data gets further from you, its primary keeper, it can become increasingly hard to make sure that only the right people can access it. The ubiquity of cheap, capacious data containers (DVD-Rs, thumb drives, even MP3 players) adds another layer of complexity, making it even easier for large masses of data to go on walkabout.

Continue reading

Microsoft exec to join DHS as CIO nominee gets tangled in FBI raid

Will the last person in Seattle to leave for the Obama administration please turn off the Space Needle? The Department of Homeland Security today announced that a senior Microsoft exec will step into a major cybersecurity role. Meanwhile, back in the other Washington, an FBI raid at the former DC CTO offices of new federal CIO Vivek Kundra is raising questions.

The raid, which appears to have been predicated on a bribery sting operation, is not known to involve Vivek, whom President Obama nominated to be his chief information officer a week ago today. But there have been two arrests -- Yusuf Acar, an information systems security officer with the city, and Sushil Bansal, president and chief executive of Advanced Integrated Technologies Corp. AITC has a number of contracts with city agencies including the DMV, and the city's human-resources department; Mr. Bansal used to be a city government employee. Both men appeared in federal court Thursday afternoon and corruption charges were brought against them.

Continue reading

T-I-double-guh-Er...The unique and fierce Tigger Trojan pounces

A piece of malware known alternately as Syzor and Tigger.A is gaining interest from security researchers thanks to its unusual behavior, and from stock and options-trading firms thanks to targeting customers and employees in that sector.

Tigger takes advantage of a vulnerability in Windows' privilege-escalation fuctionality, a vuln reported in MS08-066 and patched in October. The privilege-escalation exploit allows the malware to override whatever limitations might be on the account. In other words, if you're sensible enough not to run your machine in administrator mode, this malware sidesteps your puny attempt at safe computing. But wait, there's more!

Continue reading

An inter-office squabble could have triggered a Baltic cyber-war

A Russian official speaking on an infowar panel last week revealed that his assistant was responsible for the 2007 cyber-attacks that crippled the nation of Estonia. The only person surprised was Nargiz Asadova, the moderator of the discussion.

Sadly, the statement by Sergei Markov, an official from the pro-Kremlin Unified Russia party, has garnered only mild interest in the general press. (Almost no one I queried Tuesday even remembered the attacks, which knee-capped financial and government institutions as well as the nation's Internet traffic. It was started over the proposed relocation of a statue. Seriously.) Markov claimed that the assistant, whom he refused to name lest it imperil the man's visa applications, undertook the act as a patriotic gesture against perceived fascism (in, again, the relocation of a statue).

Continue reading

Critical no-click Adobe vulnerability fixed, for some

What a great world we'd live in if legitimate businesses were as eager to save us trouble as toil as the malware guys are, right? A critical zero-day flaw in Adobe Reader and Acrobat can be used to attack a Windows machine without even opening the infected file -- the height of convenience indeed.

A buffer-overflow flaw is news to nobody familiar with Windows, but the service targeted, the Windows Indexing Service, may not be familiar to all. That service provides an index of files on the system -- it's how you can see the title and author and so forth for a PDF document in Windows Explorer, or how you view thumbnails if that's your Explorer preference.

Continue reading

Helmut Buhler's big day: An everyday programmer finds a critical Windows hole

The typical security vulnerability and patching story paints security researchers as the good guys in the white hats, the straight shooting style, and the soda pop. But on this particular Patch Tuesday (a lighter one than most) Microsoft is crediting not some white-hat researcher but a really good guy -- a fellow who's the author of a simple Sidebar gadget that displays the contents of your clipboard -- as having done the right thing and notified Microsoft of a critical hole.

German developer Helmut Buhler, whose other claim to fame is a portable wrapper function that makes dialog boxes in Windows 95 and XP look like those in Vista, was credited by Microsoft today for discovering one of the critical vulnerabilities being addressed by the March edition of its Patch Tuesday bug fixes.

Continue reading

Google Docs security hole may have exposed private documents

Over the weekend, some -- though not all -- users of Google Docs received notifications in their Gmail inboxes stating that some of their cloud-based documents marked as private may have been sharable with other users anyway. The problem apparently concerns marking multiple documents as private with a single command, which ended up not fulfilling that task.

Here is the text of the letter Google Docs users received, which was published over the weekend independently by multiple bloggers who use the service:

Continue reading

Beckstrom resigns National Cybersecurity Center post

The buzz online today may have been about Robert Scoble's exit from Fast Company, but there's a major change afoot at the top of the NCSC: Rod Beckström, the director, has submitted his resignation to DHS head Janet Napolitano effective in one week (that is, Friday the 13th). The move comes after rumors of ferocious power struggles at NCSC, which Beckström has led since its inception last year.

The politics at DHS, which oversees NCSC, can't have been much fun for the co-author of The Starfish and the Spider, a book advocating for "the unstoppable power of leaderless organziations." In his resignation letter to Napolitano, Beckström cited his ongoing struggle to keep NCSC out of the clutches of the NSA (which is run by the Department of Defense rather than the civilian DHS and operations from the intelligence worldview rather than that of security professionals or network ops) and noted glumly that "during the past year the NCSC received only five weeks of funding, due to various roadblocks engineered within the department and by the Office of Management and Budget." (Image courtesy beckstrom.com)

Continue reading

Phishers hijack 750+ Twitter accounts

Trend Micro is reporting, and Twitter confirms, that Twitter users are once again under attack by people who need to upgrade their ethics. Targets receive a tweet from someone claiming to be female, 23, and in possession of a webcam. Click the link and you end up on an "adult" site that both attempts to phish your credit-card info and slathers your computer with ads for the same stuff.

Twitter says it has changed the passwords and removed the spam from the 750-odd accounts, none of which were believed to actually be kept by anyone female, 23, and in possession of a webcam. Trend Micro notes tartly that though it's not clear how how the attack was undertaken, "with Twitterers' willingness to enter their Twitter username and password into any number of third-party websites offering Twitter-related services, the opportunities for cybercrime are many."

Continue reading

Thief cops personal information from NYPD pension database

UPI reports that a civilian employee of the New York Police Department has been charged with burglary, grand larceny, and computer trespass after disabling security cameras and stealing eight backup tapes from a warehouse on Staten Island. Anthony Borelli, the accused, is the former director of communications for the NYPD pension fund, and the tapes found in his home contain Social Security numbers and direct-deposit information for 80,000 current and retired officers.

The police potentially affected are receiving letters warning them that their personal information may have been violated. Leaving aside the wisdom of stealing from 80,000 cops, the department could have spared itself a great deal of grief simply by encrypting the data. As Credant senior VP Michael Callahan pointed out Thursday, "Eight backup tapes with heavily encrypted data on them have a resale value measured in tens of dollars, whereas with 80,000 identity theft kits on them in readable format, the value starts to skyrocket into the hundreds of thousands if not millions of dollars category."

Continue reading

FISMA, CAG, and the Department of Redundancy Department

There's a plaintive subhead in the draft of the Consensus Audit Guidelines (CAG) that sums up how the writers of the document must feel about their work to improve governmental IT security. It's right there on page 3: "Why this project is so important: Gaining agreement among CISOs, CIOs and IGs." See? pleads the subtext See, information security offices and information officers and federal inspectors general? You can't possibly ignore this very important information if we address you by your title... can you?

Oh, but they can. This is, after all, information security, where people regularly spend more energy circumventing a system than following it. The guidelines are a mighty attempt to ease government and private-sector organizations into embracing good security controls. It remains to be seen if this time will finally prove the charm.

Continue reading

OMB releases its annual FISMA security report to Congress

It's report-card time again for government agencies as the Office of Management and Budget released its fiscal year 2008 report to Congress on Wednesday in accordance with the Federal Information Security Management Act (FISMA).

The report (PDF available here) covers 25 major and dozens of small and independent agencies and includes, as usual, qualitative and quantitative testing. Area measured include certification and accreditation, controls testing, and contingency plan testing, along with privacy protection.

Continue reading

Marine One docs fly to Tehran, but not from Lockheed

A Maryland company appears to have made it possible for sensitive information on Marine One -- President Obama's helicopter -- to turn up at an IP address in Tehran, according to Tiversa, a third-party monitor of peer-to-peer networks. Blueprints, avionics information and cost breakdowns were found on the Iranian computer.

A number of Bethesda-area firms are contractors or subcontractors to the Department of Defense, including Lockheed Martin, which is building the next iteration of Marine One and recently came under fire for spectacular cost overruns on the project. (The current fleet was designed by Connecticut-based Sikorsky.) But a continuing investigation by Rick Earle at Pittsburgh's WPXI says that according to Tiversa, Lockheed is not the source of the leak, which was apparently caused by a contractor who loaded a peer-to-peer client on her or his machine.

Continue reading

Fun with algorithms at Microsoft TechFest

It's a shame Microsoft only lets wizened old journalists into TechFest and not, say, packs of second graders. Because if there's anything that could show kids that math really is a ridiculous amount of fun, it would be a room full of people paid to find new ways to go about it.

All the truly significant tech companies have understood that somewhere at the heart of the firm, you have to make room for the guys who will never hand over an entirely shelf-ready product. That's true of most items found at TechFest, but it's a little more true of those working in theory -- and if you doubt me, ask the video crew charged with getting good footage of new search algorithms.

Continue reading

© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.