Confirmed: Time Warner Cable users impacted by DDoS attack
When users of Time Warner Cable systems report issues concerning slow broadband performance affecting a wide region, they've been happy to see prompt responses from JeffTWC -- one Jeff Simmermon, who's the company's New York-based Director of Digital Communication. In recent days, though, Simmermon's Twitter feed has been exploding with complaints.
As it turned out, there's a serious reason for concern, as Simmermon explained in a longer-than-Twitter post late yesterday: Time Warner Cable systems are the apparent target of an orchestrated denial-of-service attack.
OneSwarm network improves file-sharing control, anonymity
University of Washington researchers this week have released a peer-to-peer file-sharing technology that actually does, or can, limit one's sharing to one's actual peers. The client, called OneSwarm, uses a "friend-to-friend" (F2F) model that gives users extremely granular, extremely hard-to-expose sharing capabilities.
The OneSwarm technical paper, (PDF available here) submitted by graduate students Tomas Isdal and Michael Piatek and faculty members Arvind Krishnamurthy and Tom Anderson, is quite explicit in its concerns about the dangers of indiscriminate sharing. "Although widely used, currently popular P2P networks expose the sharing behavior of their users to scrutiny by third parties," the paper's conclusion states.
Citibank nearly duped by Nigerian scam
Minyanville.com's headline probably puts it most bluntly: Citibank officially dumber than your spam filter. A Nigerian man, Paul Gabriel Amos, has been indicted in New York for allegedly attempting a fraud that would have pulled over $27 million from Citibank's coffers into two dozen receiving accounts around the world.
Citibank, which received $45 billion in Troubled Assets Relief Program (TARP) funds from the US government last year, did not perceive irregularities with the attempted withdrawal from the account of the National Bank of Ethiopia (a real bank). Instead, the scam was foiled only when some of the receiving banks warned Citibank that they were unable to process the transactions.
Check Point checks in with 64-bit ZoneAlarm updates
The ZoneAlarm family of security software expanded on Monday as Check Point debuted three 64-bit-compatible versions of their flagship software. The company also launched an all-in-one version of ZoneAlarm combining the line's firewall, anti-virus, anti-spam, and anti-spyware tech with online backup capabilities.
ZoneAlarm Extreme Security, the new suite, builds in a few features that should add a layer or two of extra security, particularly on machines piloted by the unwary and click-happy. ForceField, a virtualized browser security application introduced last year, keeps an eye on sites visited and flags things that seem dicey -- the "banking site" that isn't what it appears to be, for instance. The package also includes protective features such as (optional) private-key encryption capabilities and system-maintenance and online backup tools for tending one's more critical data.
Capitol One phishing warning looks, well, fishy
An attempt by credit-card issuer Capital One to alert customers to ongoing phishing attempts may be causing more FUD than it's curing, according to an observer posting to the RISKS discussion list.
The latest issue of the RISKS Digest includes a wry note from Marc Auslander, noting that his Gmail account flagged the note, sent by a third-party mailer, as spam. When he alerted Capital One to the problem, he writes, "Their response is advice on how to turn the warning off! So much for their anti-phishing campaign." Indeed.
Adobe acknowledges another JavaScript issue with Acrobat, Reader
An independent security research firm is warning of a non-ingenious JavaScript buffer overflow ploy that modern Web browsers would probably filter out, but which impacts recent versions of Adobe Reader for PDF files.
The surprise about the latest Adobe Acrobat issue is that there doesn't seem to be much new about it, at least in terms of methodology. A group called the Shadowserver Foundation announced yesterday that it was aware of an active ploy using malformed PDF files. Embedded JavaScript in those files can trigger a kind of managed buffer overflow, the group said, which leaves the heap full of shellcode that can be executed without the need for privilege.
The data-breach devil's in the details
Kim Zetter over at Wired's Threat Level blog has a tremendous feature story up today concerning the work of the Open Security Foundation, a volunteer organization that keeps track of data breaches big, small and smaller.
By monitoring breach reports published in thousands of places (including those that never get journalists' attention), the group has become ace at seeing patterns -- most recently, putting the pieces together about the Heartland Payment Systems breach well before the company copped to it. Zetter's coverage is long but impressive; well worth your time this morning.
Our troops and the Internet (the continuing saga)
No one reasonable thinks that our armed forces' cybersecurity isn't regularly at risk from The Bad Guys. On the whole, the various service branches have been working recently toward a reasonable balance of security and access. So how badly do you have to mess up, Maxwell-Gunter AFB in Montgomery, Ala., to get your entire Internet connection taken away?
Seriously, this sounds like a doozy. The Defense Department's still holding to that ban on thumb drives, since people couldn't follow directions on how to keep them from ending up improperly attached to the classified SIPRNet (Secret Internet Protocol Router Network) network. But they still have network access. You don't, flyboys.
Who ya gonna call? CISOs!
A brief interlude to brighten your day, security-minded readers, as Guerilla CISO Michael Smith explains how Everything He Needs To Know About Security, He Learned From Ghostbusters. Many information-security personnel could do a lot worse.
Smith's a contractor working at a government agency and, for want of anyone else to take up the task, the de facto security officer there. Like many security folk, he occasionally has trouble explaining the job to people, including himself. And so Smith took a moment on his Guerilla CISO blog to map his general routine to the action in beloved 80's movie -- not so much the Stay-Puft Marshmallow Man (or the memorization of ISO 27001, for that matter), but the approach that best gets the job done without causing irreversible harm to Sigourney Weaver the workplace and its processes.
IFPI site hacked amid Pirate Bay trial
The Swedish language Web site belonging to the International Federation of the Phonographic Industry -- which is leading the legal charge against file sharing site The Pirate Bay -- was hacked this afternoon and has been pulled offline.
At around 7:50 pm Central European Time, the Web site for the IFPI -- the international recording industry's representative body -- was replaced with a bulletin, or rather a declaration of war, which read (translated):
Microsoft tells its security story (in pictures)
It's been a long strange trip toward better security for Microsoft, but they've made enough progress to have both improvements to their technique and some highly interesting war stories. The company's got a new site explaining the past decade's advances, and you have a reason to read comics at work today.
The process of "baking security in" -- getting developers to think about security less as "those people who yell at us" and more as an integral part of any software-construction effort -- lends its name to Baking Security In, which details Microsoft's progress on the Security Development Lifecycle, a process involving 14 stages and checkpoints over the six stages of the software-dev cycle (requirements, design, implementation, verification, release, support/service).
Sun gives key management an open-source twist
Key management standards may not be the most glamorous aspect of IT security, but when you're trying to get your encryption-using devices to interoperate with your network, it matters. Now Sun's offering an open-source option.
The Crypto KMS Agent Toolkit is Sun's version of a KIMP (Key Management Interface Protocol) is, according to the company, the world's first generic communication protocol between a Key Manager and an encrypting device. It's available as part of the OpenSolaris Project.
Microsoft offers $250,000 for capture of Conficker writer
The Conficker situation has to be maddening for Microsoft. The vulnerability was patched months ago, but as the infection spreads through unpatched systems, it's hitting some very high-profile networks. And so the company's offering a remarkable reward for what could be a very fragile peace of mind.
Microsoft announced on Thursday that it's prepared to hand over a quarter of a million dollars (or the equivalent sum in your local currency; the offer's worldwide) for information leading to the arrest and conviction of the person or persons who wrote Conficker. That's not a bad payday for a knowledgeable person willing to drop a dime, but a look at past arrests for alleged malware-writing reveals that usually the people who get nabbed are, to be blunt, script kiddies who tweaked up a variant and got (un)lucky. (Remember Jeffrey Lee Parson? The Blaster B variant? Anyone?)
Latest Mozilla updates, including Firefox, address a serious vulnerability
Download Mozilla Firefox 3.0.6 for Windows from Fileforum now.
Some of Mozilla's best researchers into the field of cross-site scripting discovered another instance where code from one site can be made to control the interface of another. As it turns out, version 3.0.6 software contains the fix.
Microsoft says yes, will augment UAC in the next Win7 RC
In a stunning and maybe unprecedented accedence to public opinion this morning, Microsoft has announced it will take the emotion out of its discussion, and simply do something its users are asking for.
Perhaps taking a cue from President Obama himself -- who on Wednesday evening after the failure of two of his cabinet nominees told the American public, "I screwed up" -- Microsoft's Steven Sinofsky and Jon DeVaan yesterday took a blow for the team. In a contrite and euphemism-free blog post this morning, the two senior vice presidents in charge of Windows cited excerpts from their own critics who demanded that the adjustable User Account Control dial in Windows 7 not be exempt from User Account Control itself, and then essentially responded, "Okay."
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.