Heartland CEO Says Data Breach Was ‘Devastating’

From Computerworld (Jaikumar Vijayan)
Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year.
“I wanted to throw up. It was devastating,” says Carr, recalling how he felt upon realizing that one of his worst fears had come true. “People had asked me for years ‘what keeps you awake at night’ and I would keep telling them it was the fear of a data breach,” he said. Read the full story [computerworld.com]

T-Mobile data on Full Disclosure is real

T-Mobile is now saying that the information that was posted to the Full Disclosure security mailing list this weekend is in fact the company’s data. But the company stopped short of confirming that the anonymous hackers have access to customer data and other sensitive information, as they have claimed.

Data-sniffing trojans hit Eastern European ATMs

From The Register (Dan Goodin)
Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months.

The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the information using the ATM’s receipt printer. Read the full story [theregister.co.uk]
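The data such a trojan harvests is the ISO 7813 Track 2 record that the card reader hands to the ATM software, and hunting for it in a memory image, a spool file or a log is a routine part of investigating a skimmer like this. The scanner below is an added example written for this page, not code from The Register story or from the malware analysis it reports; the dump it searches is constructed inline, with two well-known card test numbers, and the record layout assumed is the standard one (start sentinel `;`, PAN of 13 to 19 digits, `=` separator, `YYMM` expiry, three-digit service code, discretionary data, end sentinel `?`). A Luhn check on the PAN separates real card records from random digit runs, and the PAN is masked before it ever reaches a report.

```python
import re
from dataclasses import dataclass

# ISO 7813 Track 2: ';' start sentinel, PAN (13-19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample (not taken from the article): a fragment of a spool/memory
# dump containing two valid records, one record whose PAN fails Luhn, and noise.
SAMPLE_DUMP = (
    b"\x00\x00spooler ;4111111111111111=25121011234567890?\x00"
    b"PIN=1234 ;5500000000000004=2606201?\x00"
    b";4111111111111112=2512101?\x00 ordinary text 12345=6789?\n"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN's check digit is valid under the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    offset: int          # byte offset of the record in the scanned blob
    masked_pan: str
    expiry: str          # "YY/MM"
    service_code: str
    luhn_valid: bool


def find_track2(blob: bytes) -> list:
    """Scan a byte blob for Track 2 records and return masked findings."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        hits.append(Track2Hit(
            offset=m.start(),
            masked_pan=mask_pan(pan),
            expiry=f"{m.group(2).decode()}/{m.group(3).decode()}",
            service_code=m.group(4).decode(),
            luhn_valid=luhn_ok(pan),
        ))
    return hits


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        flag = "card" if hit.luhn_valid else "luhn-fail"
        print(f"@{hit.offset:04d} {flag:9s} {hit.masked_pan} exp {hit.expiry} svc {hit.service_code}")
```

On the constructed dump this reports three records, the third flagged as failing Luhn. Run the same scanner over process memory of the cash-dispenser software rather than over disk only; the receipt-printer retrieval trick in the story means the stolen records may never be written to a file at all.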


From SearchSecurity (Rob Westervelt)
Stolen FTP credentials are suspected as the root cause of a massive attack compromising over 40,000 web sites.
Attackers have targeted legitimate websites in the latest wave, and so far researchers at security vendor Websense Inc. say it isn’t likely that SQL injection, cross-site scripting or other website vulnerabilities are to blame. Instead, the attackers are easily injecting malicious JavaScript code into sites by logging in with stolen usernames and passwords. Read the full story [techtarget.com]
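Because the attackers log in with valid credentials, there is no exploit to signature; what is left to detect is the behaviour: one source address authenticating to many unrelated accounts, uploads that overwrite HTML, PHP or JavaScript, and the injected script itself sitting in the pages afterwards. The script below is an added example for this page, not code from the SearchSecurity article or from Websense; it works over a constructed FTP log in a simplified `<time> <ip> <user> <verb> <arg>` format (not the output of any particular FTP daemon) and over a constructed HTML page, and the thresholds and the injection patterns are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (simplified format, not real server output):
# one address logs in as three different hosting accounts and overwrites
# web code in each; a second address is an ordinary owner uploading a photo.
SAMPLE_FTP_LOG = """\
2009-06-01T02:11:03 198.51.100.7 siteA_admin LOGIN ok
2009-06-01T02:11:05 198.51.100.7 siteA_admin RETR /public_html/index.html
2009-06-01T02:11:09 198.51.100.7 siteA_admin STOR /public_html/index.html
2009-06-01T02:11:40 198.51.100.7 siteB_www LOGIN ok
2009-06-01T02:11:44 198.51.100.7 siteB_www STOR /htdocs/index.php
2009-06-01T02:12:10 198.51.100.7 siteC_ftp LOGIN ok
2009-06-01T02:12:15 198.51.100.7 siteC_ftp STOR /www/js/jquery.js
2009-06-01T09:30:00 203.0.113.45 siteD_owner LOGIN ok
2009-06-01T09:31:12 203.0.113.45 siteD_owner STOR /www/photos/holiday.jpg
"""

# Constructed page as it might look after the injection (hostname is a placeholder).
SAMPLE_INDEX_HTML = """<html><head><title>Example shop</title>
<script src="/js/site.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://malicious.example/in.cgi" width=0 height=0 style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
</body></html>"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
WEB_CODE_EXT = (".html", ".htm", ".php", ".js", ".asp", ".aspx")


def triage_ftp_log(text: str, max_accounts_per_ip: int = 2) -> dict:
    """Flag source addresses that use many accounts or overwrite web code."""
    accounts = defaultdict(set)      # ip -> distinct usernames seen logging in
    code_writes = defaultdict(list)  # ip -> (time, user, path) uploads of web code
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, user, verb, arg = m.groups()
        if verb == "LOGIN":
            accounts[ip].add(user)
        elif verb == "STOR" and arg and arg.lower().endswith(WEB_CODE_EXT):
            code_writes[ip].append((ts, user, arg))

    findings = {}
    for ip in set(accounts) | set(code_writes):
        reasons = []
        if len(accounts[ip]) > max_accounts_per_ip:
            reasons.append(f"{len(accounts[ip])} distinct accounts from one address")
        if code_writes[ip]:
            reasons.append(f"{len(code_writes[ip])} uploads overwriting web code")
        if reasons:
            findings[ip] = reasons
    return findings


# Illustrative injection patterns: hidden iframes, script loaded from elsewhere,
# eval/unescape, and long percent- or hex-escaped strings (typical obfuscation).
INJECT_PATTERNS = [
    (re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0[\"']?[^>]*>", re.I), "zero-size iframe"),
    (re.compile(r"<script[^>]*src\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I), "external script"),
    (re.compile(r"\b(?:eval|unescape)\s*\(", re.I), "eval/unescape"),
    (re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I), "long escaped string"),
]


def find_injected_script(html: str, trusted_hosts=()) -> list:
    """Return (label, offset, snippet) for each suspicious construct in a page."""
    findings = []
    for pat, label in INJECT_PATTERNS:
        for m in pat.finditer(html):
            if label == "external script" and m.group(1).lower() in trusted_hosts:
                continue
            findings.append((label, m.start(), html[m.start():m.start() + 60]))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for ip, reasons in triage_ftp_log(SAMPLE_FTP_LOG).items():
        print(ip, "->", "; ".join(reasons))
    for label, off, snippet in find_injected_script(SAMPLE_INDEX_HTML):
        print(f"{label:20s} @{off:4d} {snippet!r}")
```

Site owners also upload HTML, so the log heuristic is a triage signal to be read alongside the page scan, not a verdict on its own; when the two agree, the next step is to rotate the affected FTP credentials (and find the workstation malware that stole them), not to patch the web application.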

From SC Magazine (Chuck Miller)
Using financial information purchased from crooked bank insiders, a ring of thieves compromised the checking accounts of nearly 350 New York-based corporations, religious institutions, hospitals and schools, as well as city and state government agencies, to steal millions of dollars, prosecutors said this week. Read the full story [scmagazine.com]

From Information Week (George Hulme)
Today the Center for Internet Security released a set of benchmarks designed to help consumers and businesses alike communicate using their favorite toy. Whoops, I meant smartphone. The guidance is worth a look.

By Don Leatham

One recent Friday afternoon I took time off to visit two new health providers: a new dentist (nearer my home) and an orthopedist (to look at my lateral epicondylitis). In both cases, as a new patient, I filled in page after page of medical history and personal information, including my Social Security Number. I did pause, but I have to admit I wrote it down both times (I’ve grown weary of the discussions/arguments that ensue if I don’t – I’ve even been denied service from a healthcare provider who felt my SSN was their only tool, should I decide not to pay).

In research to be presented at the IEEE Symposium on Security and Privacy [virginia.edu] this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure.
In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participants’ secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question. Read the full story [technologyreview.com]