Articles about Security

Pirate to pwned with Apple's iWork '09

File sharers picking up pirated copies of the newly released iWork '09 apps suite may be biting into a poisoned Apple. Various Mac-security sites and sharing sites such as BitTorrent are reporting that some versions of the file are carrying a Trojan that can phone home and install additional malware.

PC users are encouraged to console their Mac brethren about what sounds, frankly, like a rather familiar scenario. The Trojan, which Intego is calling OSX.Trojan.iService.A rides along with the pirated versions of iWork as a package called iWorkServices.pkg. It installs as a startup item during the usual installation process and gets in contact with a remote server. What happens next can vary, but considering that the Trojan gives itself read/write/execute permissions, it's capable of doing anything from grabbing more malware to turning into a botnet-style zombie under the command of a remote server.

Continue reading

Downadup worm causes confusion over Autorun

The DHS' US-CERT (Computer Emergency Readiness Team) released a security alert yesterday that disabling Autorun in Windows, an action meant to stanch the spread of the Downadup virus, is actually a vulnerability itself.

The Downadup worm has reached epidemic proportions (meaning, I have begun to overhear conversations between elderly women talking about it). But an announcement from US-CERT this week says that one of the remedies to the problem, a registry fix that disables Autorun, is unsound.

Continue reading

Apple pushes a QuickTime 7.6 security update

Addressing security issues for both the Mac and Windows platforms, Apple has released an update to QuickTime not unlike the one released last spring, only less prolific.

Seven QuickTime vulnerabilities are addressed in the latest update, all revolving around malware movie files that cause "unexpected application termination or arbitrary code execution."

Continue reading

What lessons can we learn from the Heartland credit card breach?

The company's response is raising troubling questions about the security of such processing centers and laws ostensibly intended to protect consumers in general.

Millions of credit cards per month, primarily used in restaurants, could have been exposed to hackers who broke into the Heartland Payment Systems processing center network, in an incident the company said Tuesday took place the previous week.

Continue reading

Mobile malware menaces money

Kaspersky is reporting this morning that a Trojan affecting Symbian systems looks to transfer money from the accounts of users of a certain mobile-phone operator and into the accounts of someone else, presumably the person or persons responsible for the malware. The Trojan's not new -- but the target certain is.

Written in Python, the malware -- as per Kaspersky, Trojan-SMS.Python.Flocker, versions .ab through .af -- sends an SMS message with an instruction to transfer money from the user's mobile account to the other account. The amounts are rather small (under a dollar), but obviously if the infection becomes widespread, such things can add up without triggering a reaction from any scammed individual.

Continue reading

Conficker, Downadup, Kido: A skunk by any other name

The vulnerability that's enabled the new Downadup (or Conficker or Kido or whatever) worm was patched back in October of last year. Still, because at least 9 million machines that haven't been patched are now infected, here's what you need to know.

Windows of all shapes and sizes. The worm targets them all: Win95, Win98, Windows Me, NT, XP and Vista, along with Windows 2000, Windows Server 2003, and Windows server 2008. Oh, and Windows 7 pre-beta.

Continue reading

Heartland breaks the nine-figure data-breach barrier

The 2006 Veteran's Administration breach will always hold a special place in our hearts for targeting a population who deserved much better protection, and the TJX breach of 2007 will live forever in the legends of security professionals who can't fathom how the security-light retailer managed to stay in business after such a heaping helping of incompetence, but the newly revealed hole at Heartland Payment Systems gets some special price for sheer scope of theft. Even the head of the company isn't sure, but the company handles over 100 million transactions every month.

The company does know what was not compromised, according to a release this morning: merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), consumer addresses or telephone numbers; Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms. And they really knew how to kick off the damage-control effort: Announce when all eyes are on the inauguration, and pick up a URL for their breach-info site that emphasizes the year the breach apparently occurred (2008) rather than the year it was revealed (2009).

Continue reading

Malware purveyors skeeve around the Inauguration

New Administration, new(ish) botnet? Maybe the perpetrators of Waledac have that sort of sense of history. They're definitely taking advantage of everyone else's sense of the importance of the moment.

The latest malware pitch appears tailored to would-be purchasers of commemorative gear. According to analysts at MessageLabs, fully 0.2% of all spam on Tuesday is "related" to the new president and the activities around his inauguration.

Continue reading

DHS to take on core routing vulnerability

No serious security geek has forgotten last year's big reveal of the hole at the heart of the net's routing protocol, but is the Department of Homeland Security the outfit you'd imagined patching it?

The Border Gateway Protocol (BGP) is essential stuff, allowing the Net to be decentralized but still able to get stuff from point A to point B. It's not something you can simply not use, like JavaScript or even HTTP. As such, BGP is a fat target for bad guys, and last year at DefCon, two security researchers demonstrated a technique that would let such entities monitor and even alter unencrypted net traffic.

Continue reading

The next net neutrality showdown, on the edge of the network

The deck chairs are being shuffled all over Washington this month, but some familiar net neutrality legislation may be brought up once again. This time, one of the nation's biggest content providers is ready to face it down.

Perhaps the entire success of CE manufacturers' plans to endow their HDTV displays with built-in IPTV channels, linked directly to services such as Netflix through the Internet, is based on the notion that those displays will soon have faster access to less compressed, richer high-definition content than they do today. In fact, the content delivery networks (CDN) that enable movies and other high-bandwidth content to appear faster, if at all, are looking at ways to engineer the Internet itself to reduce the number of hops required to deliver items such as movies.

Continue reading

The case for VESA DisplayPort: Both open and shut

The Video Electronics Standards Association announced the next steps in its DisplayPort specification, but copy-protection features that can make it difficult for users to play back legitimately acquired content are still there.

First proposed in 2005, DisplayPort's advantage is that a single digital interface connects both internal and external displays. This means that DisplayPort can carry pixels directly from any display source to any LCD panel. Other advantages of DisplayPort over Digital Visual Interface (DVI) and VGA include a small USB-sized connector with available latching, two-way display connectivity, optional audio support, higher performance than dual link DVI at 10.8 Gbps, and a unique micro-packet architecture that enables new display features.

Continue reading

Tikitag: A barcode-based alternative to personal RFID tags

In the same week as Microsoft's own rollout of Tags, smaller personal electronic tag maker Tikitag -- an Alcatel-Lucent venture -- talked up the future addition of less expensive barcode tags to its existing RFID offering.

Tikitag -- first announced at the the Demo show in San Diego -- uses high frequency RFID (HFRFID) operating at 13.56 MHz to connect real world items such as business cards, stuffed toys, and paintings to the Web through passive RFID tags and active readers.

Continue reading

Is DRM on its last throes at last?

A lively set of CES panelists tore into the current state of digital-rights management for movies, music and other content. Apple fans probably felt their ears burning for much of it.

You might expect that the announcement this week that Apple's dumping most DRM for iTunes-purchased tracks would have been the focus of much of "How Can Digital Rights Management Make Sense?" Not really. Ted Cohen, managing partner of TAG Strategies and a longtime music-industry figure, said, "Apple says jump and the labels say how high; they have been pretty monolithic in their approach to digital music. The quid-pro-quo was digital pricing; that 99-cents-one-size-fits-all doesn't work as well as you'd think." The labels have new artists that could benefit from lower per-track pricing; Apple's been catching real flak from users tired of DRM; this was, said Cohen, "a moment when both sides of the table had something to give."

Continue reading

HDMI technology picks up a tech Emmy

The founders of the High-Definition Multimedia Interface, which advanced the propagation of HD but angers many who dislike the specification's digital content control mechanisms, have been awarded an Emmy for their work.

The HDMI spec, released just over six years ago, manages one or more inputs in over 620 million products shipped so far; by the end of this year, 100% of digital televisions are expected to have at least one HDMI input.

Continue reading

Disgruntled IT guy fells blogging site

It's better than having some jerk walk back in with a gun, but it's sure not good: The journalspace.com blog site has shut down after a "disgruntled" former IT employee used his own data-backup choice to obliterate its entire data store.

Techish reader, would you rely on RAID as your sole "backup" structure for a mission-critical SQL server? That's what the now-former keepers of journalspace did. The chosen RAID setup wrote all data to two large drives, so in theory it was a perfectly redundant disk-array (not backup!) system; if one drive blew up, the other would hold everything and life would go on smoothly.

Continue reading

© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.