Ryan Naraine

Google search reveals 19,000 credit card details

By Carrie-Ann Skinner, PC Advisor

The credit card details of 19,000 Brits that shopped online were freely available on Google, it has been revealed. Anyone using the search engine could have easily accessed not only the name and addresses of thousands [infoworld.com] of Visa, Mastercard and American Express card holders, but also the full card details too.

According to the banking body APACS, the majority of the cards had already been cancelled but the owners were probably unaware their information was available online. Google confirmed the information has since been removed.

Inside the BBC’s Chimera botnet

By Dancho Danchev, ZDNet

Earlier this month, the BBC’s controversial purchase of a botnet and modification of the infected hosts in the name of “public interest” sparked a lot of debate on the pros and cons of their action. Condemned by certain security vendors, and naturally, at least from a guerrilla PR perspective, applauded and encouraged as an awareness-raising tactic by others, the discussion shifted from technical to moral and legal debate, leaving a single question unanswered – what is the name of the botnet that the BBC rented and what’s so special about it?

Until now. Let’s take a peek inside the BBC “Chimera Botnet” [zdnet.com] offered for rent by a Russian Cybercrime-as-a-service (CaaS) vendor.

Cybercrime profits running into trillions of dollars

By David Neal, vnunet.com

A recent warning from AT&T’s chief security officer, Edward Amoroso, that the cost of cyber crime is running into trillions of dollars [vnunet.com] has been confirmed by security firm Finjan.

Earlier this month Amoroso and a panel of security experts told a US Senate Commerce Committee that revenues from cyber crime now exceed those of drugs crime, and are worth some $1tn (£700bn) annually. The report [PDF from senate.gov] also warned that techniques are rapidly evolving.


By Elinor Mills, ZDNet News

There’s been lots of hype about the fact that the latest variant of the Conficker worm is set to start communicating with other computers on the Internet on April 1 – like an April Fool’s Day time bomb with some mysterious payload.

To help clear up some of the confusion about Conficker, here are answers to common questions [zdnet.com] people may have. Also see story about German researchers scoring a major breakthrough.

Just days ahead of an April 1st activation date for the Conficker worm, a pair of security researchers from the Honeynet Project have scored a major breakthrough, finding a way to remotely and anonymously fingerprint the malware on infected networks.

Now, with the help of Dan Kaminsky and Rich Mogull, off-the-shelf network scanning vendors, including the freely available nmap, have the ability to quickly detect Conficker infections.

Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year’s CanSecWest Pwn2Own hacker contest.

The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated “critical,” Mozilla’s highest severity rating.

By Robert Lemos, SecurityFocus

A number of security-focused open-source projects have announced their participation as mentoring organizations in Google’s Summer of Code [google.com]. They include the Nmap Project, the OpenSSH project and the Honeynet Project.

Read the full article [securityfocus.com]

By Joe Stewart, SecureWorks

If you’ve been reading any news at all on the Internet in the past week, you’ve probably heard that Conficker Armageddon is approaching, and it’s scheduled for April 1st, only a few days from now.

The truth is, there will be no April 1st outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it? So why all the fuss over the 1st?

Read the full essay [secureworks.com]

By Joan Goodchild, CSO

“The dean of the security deep thinkers,” “security luminary,” and “risk-management pioneer” are all phrases that have been used to describe Dan Geer. Considered one of the foremost leaders in information security, his resume includes time as president and chief scientist at Verdasys Inc, a critical role in Project Athena at MIT, and a now famous firing from @Stake for co-writing a paper warning that a Microsoft monoculture threatened national security.

These days Geer, a 2009 CSO Compass Award winner, is CISO with In-Q-Tel, a non-profit venture capital firm that invests in security technology in support of the intelligence community. Geer recently spoke with CSO [csoonline.com] and explained why, despite all he has accomplished in his past, his sights are still set toward the future of security. Read the full Q&A interview.