Articles about Security

January phish buffet: Now with IRS

As regular as tax season itself, phishers pretending to offer information on an IRS "stimulus payment" are targeting thrifty (or is that greedy?) taxpayers.

The latest version of the scam, which is making the e-mail rounds as of Monday morning, travels under the subject line "Stimulus Payment form it's ready for you to submit." The message claims that "After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a Stimulus Payment," and includes a file that looks like a PDF...until you notice the extra ".htm" at the end of the file name.

Continue reading

Twitter twormented by phishers

A phisher or phishers operating over the holiday weekend deluged Twitter users with direct messages luring the unwary to a page designed to steal their sign-in information.

Twitter's official status blog announced the problem Saturday afternoon, but regular users were reporting a welter of suspicious messages throughout the weekend.

Continue reading

CES Countdown #4: Who's securing the CE device's end user?

Computer security fuels many excellent conferences. CES is not typically one of them, but the current state of the economy is compelling conference goers to refocus on their core priorities...and security is one of them.

Some readers will argue that if we're talking about the best possible security for end users, we're at the wrong show -- Macworld's a little to the west. But as security researchers proved when they spanked OS X at last spring's CanSecWest conference, the world is moving on from the impenetrable-Apple era.

Continue reading

How to get a security hole fixed (two versions)

A common but dangerous vulnerability spotted weeks ago on American Express's site was plugged this week after the hole gained blog and then press attention. But there may have been a faster, better way.

Cross-site scripting (XSS) vulnerabilities are unfortunately quite common. An XSS hole allows an attacker to scarf up a legitimate customer's login info, in this case as he enters the site. In the case of the AmEx hole, that information could later be used by the attacker to snoop around the customer's personal information, or worse.

Continue reading

Four-year-old Diebold bug bites a California election

An unusual project monitoring the accuracy of electronic voting in Humboldt County, Calif. uncovered a glitch that dropped or miscounted 197 ballots in the November election. The bug has been known to the manufacturer for four years.

E-voting's troubles are widely known by now, so much so that Humboldt County registrar Carolyn Crnich consented to work with a group of election integrity experts -- banded together and calling themselves the Humboldt County Election Transparency Project (HCETP) -- to find a way to double-check the results of the June 2008 voting in her county. Humboldt uses Diebold optical-scan units running, as it turned out, version 1.18.19.0 of the firm's Gems software.

Continue reading

Feds having fits over FISMA and cybersecurity

The Federal Information Security Act of 2002 caused concern over cybersecurity in government entities that hadn't shown much of it previously, lighting fires under folks who needed warming. So what's all this talk of burning FISMA down?

FISMA's birth certificate is fairly petite -- the section of the E-Government Act of 2002 that created FISMA weighs in at a readable 16 pages (PDF available here). It outlines a set of mandatory processes for compliance for information systems used by or on behalf of the US federal government.

Continue reading

Hey, Sony, leave those kids alone: Settlement in COPPA case

The largest COPPA settlement to date was handed down Thursday when Sony BMG agreed to pay out $1 million for having collected and used without parental consent personal information on tens of thousands of kids under 13.

The violations of the Children's Online Privacy Protection Act involved 196 fan sites for musical acts such as Good Charlotte, Kelly Clarkson, Chris Brown, Britney Spears and Christina Aguilera. According to the US Federal Trade Commission complaint, Sony BMG's sign-up process for viewing and participating in such sites required the user to enter their name, date of birth, email address, mobile phone number, gender, city, state, and country.

Continue reading

The great crimeware boom of 2008, plus happy blowback

Looking for a recession-proof career that's booming? No one's recommending that you actually go into the malware business, of course, but the numbers for 2008 are perversely upbeat. There's even some genuinely good news for you.

The Anti-Phishing Working Group reports, for instance, that phishing-related malware (or "crimeware," as they call the stuff) had an absolute boom in the second quarter of 2008 (PDF available here). The group's analysis found a remarkable 9,529 URLs spreading phishing warez by the end of June; that's 258% higher than the number recorded during the same period last year.

Continue reading

MySpace falls into Google's OpenID arms

Social-networking drama continues this week as MySpace plights its open-identification troth to Google Friend Connect. It also announced a name change for its own universal-login system.

The announcement came on the heels of news from both Facebook and Google that their respective OpenID systems are out of beta.

Continue reading

Mr. Obama? Don't forget the cyberwar threat

A 96-page report released Monday by the Center for Strategic and International Studies paints a gloomy picture of where America stands in the matter of infowar. (Hint: "Stands" may be too optimistic a verb.)

The report is blunt: We're in trouble, our laws are out of date, we need leadership from the White House, and money (public and private) must be applied to the problem. Only a plan that respects privacy and civil liberties will do, and only a comprehensive policy covering both domestic and international situations will work.

Continue reading

Most companies are far too optimistic regarding security

According to a study released this morning, troubled times and sloppy security may prove a mighty temptation for hackers or even disgruntled employees -- and companies' overly high opinions of their own security don't help.

The Enterprise Strategy Group, which conducted the Database Security Controls study in conjunction with Application Security Inc., spoke in October to 179 IT decision-makers working in enterprise-class organizations (meaning those with 1,000 employees or more). The 27-item questionnaire inquired about security budgets, breaches, controls and audits.

Continue reading

Study finds public sectors worse on data security

A study in the works from J. Campana & Associates indicates that public- and volunteer-sector enterprises -- schools, government agencies, non-profits and such -- account for well over half of all info-security breaches.

But how can we be sure? We can't, according to Joseph Campana, because it's rather hard to trust that smaller organizations such as community groups or small towns can recognize a breach when one occurs, or follow proper reporting procedures if they do notice.

Continue reading

Spambots edge back online post-McColo

It was just too good to last: Researchers report that spam levels that dropped in the wake of a high-profile takedown are edging back up -- and that a particularly pernicious botnet made it back online Wednesday night.

When two upstream providers chose to pull the plug on McColo earlier this month, the net at large enjoyed an unusual and slightly eerie quiet, as spam levels dropped by as much as 65%. At the time, anti-malware researchers suggested that we enjoy the peace while it lasted...

Continue reading

US DHS eases off its '10+2' import rules

To the joy of many computer manufacturers, the Department of Homeland Security has done some significant reworking of the "10+2" security regulations for imports, including computer components.

An interim Final Rule version of the Importer Security Filing and Additional Carrier Requirements clauses of the SAFE (Security and Accountability for Every Port) Act of 2006 was entered into the Federal Register on Thursday. Those clauses would go into effect 60 days later -- sort of -- assuming no further comments are received and deemed worthy of action.

Continue reading

PayPal takes another crack at tightening security

EBay's PayPal service wants users to take security more seriously. To that end, it's combining an old security concept with a device most of us don't associate with security at all. Has PayPal chosen wisely?

The newly recruited security device is the humble mobile phone -- assuming it has SMS service. The old concept is a one-time credential, re-generated every few seconds or minutes and valid for just one use, used in conjunction with one's "other," more permanent password and one's username. The combination of something you know and something you have -- since you "have" the second number, though it'll only be useful for a moment -- is in turn a form of two-factor (or "strong") authentication.

Continue reading

© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.