It seems the FCC can now tap your broadband connection. Last Friday the FCC released its CALEA First Report and Order, which allows law enforcement to wiretap VoIP service. The original CALEA exempted broadband “information services” from such wiretaps, but the FCC somehow managed to sneak this in.
A spokesperson for the software giant acknowledged the MSRC (Microsoft Security Response Center) is investigating public reports of the flaw, which has been rated “moderately critical” by Secunia Inc.
XmlHttpRequest object flaw.
The American Civil Liberties Union of Georgia today filed a federal lawsuit on behalf of two vegan protesters who were subjected to false imprisonment, false arrest and harassment by officials of the Homeland Security Division of DeKalb County and the DeKalb County Police Department.
Microsoft® Office 2003 Service Pack 2 contains significant security enhancements, in addition to stability and performance improvements. Some of the fixes included with SP2 were previously released as separate updates. Office 2003 SP2 includes Office 2003 Service Pack 2 for Proofing Tools and a new anti-phishing feature in Outlook 2003 SP2.
Office is a great software suite. Office 97 was not my favorite because of its numerous security holes, but like many Microsoft products (with the exception of Internet Explorer) it has gotten better over time.
What truly amazes me is how intuitive the entire Office suite is.
CardSystems Solutions' moronic security efforts have resulted in the potential theft of information for 40 million credit cards. Hackers were able to install a rogue program, probably a Trojan, on the CardSystems network. This program captured credit card information including the cardholder’s name, account number and verification code.
CardSystems Solutions is an Atlanta-based company. Prior to this incident, it processed approximately $15 billion in credit card transactions each year. Small businesses were the primary users of the system.
The FBI and MasterCard International have launched investigations into the hack. It has become apparent CardSystems Solutions should be charged with gross negligence. The company failed to comply with MasterCard security regulations and failed to destroy the information of cardholders after prescribed time periods.
In a matter of gross incompetence, CardSystems failed to encrypt any of the credit card data for users. This is the equivalent of your bank sending monthly account statements with all the information printed on the outside of the envelope. It is simply inexcusable and has led to potentially the biggest theft of financial information in history.
Which Credit Cards?
The incompetence of CardSystems Solutions will have an impact on every major credit card group. Estimated numbers range from about 20 million Visa cards exposed to 14 million MasterCard credit cards. As many as 4 million American Express and Discover accounts were also put on the sacrificial altar by CardSystems.
What You Should Do
You should review all charges on credit card statements over the next 12 months. Contrary to popular belief, hackers typically will not go out and charge up thousands of dollars on the card. Instead, you should look for small charges of $10 to $20 from companies with bland names. Hackers know that many people will not call to reverse a small charge. Don’t be lazy! Closely inspect your statement and contest any charges that aren’t familiar.
Closing
How big is this hack? There are approximately 300 million people in the United States. 40 million accounts equates to 1 in every 7.5 people. Yes, people carry multiple credit cards, but it is still a huge number. CardSystems Solutions should pay a heavy price for its incompetence. Frankly, it should be liquidated. There is little doubt the major credit card companies will take action.
Richard Chapo, Esq., is a business lawyer with http://www.sandiegobusinesslawfirm.com – offering legal advice to San Diego businesses. This article is for general education purposes and does not address every facet of the subject matter. Nothing in this article creates an attorney-client relationship.
e-Eye Digital Security hit a home run in 2004 when they won the $6 million Defense Information Systems Agency I-ASSURE contract, which allows their robust e-Eye Retina Vulnerability Scanner to be used on DOD systems worldwide.
The Retina Vulnerability Scanner will be used to measure compliance with Department of Defense (DoD) Computer Emergency Response Team (CERT) Information Assurance Vulnerability Management Notices.
The DOD used to use Internet Security Systems (ISS) vulnerability assessment tools exclusively for this task. However, as of 30 September 2005 the ISS vulnerability tools will no longer be used by the Department of Defense.
This comes at the time of the “cover up” CiscoGate controversy, which involved ISS. In July 2005, Michael Lynn, a former research analyst with Internet Security Systems, resigned from the company just before disclosing a major flaw in Cisco routers (many of which sit in critical infrastructure).
According to Lynn, Cisco and ISS had allowed him to speak about the flaw at Black Hat but suddenly changed their minds at the last minute, attempting to silence Lynn with legal action. Cisco and ISS were trying to protect their shareholders at the cost of all the customers, organizations and nations that depend on Cisco routers. From an ethical perspective, this was not a great way for an Internet Security Systems company to act.
It will be interesting to see if e-Eye Digital will be more ethical than ISS as it comes to power. Something very evil tends to happen when large groups of people get together to gather large sums of money.
As stated above, after Friday, 30 Sept 05, the ISS scanner will no longer be available. You should be able to download the new e-Eye Retina Network Security Scanner from one of the DISA pages:
ISS/Retina Vulnerability Scanners (DOD):
e-Eye Retina Network Security Scanner (SCCVI)
http://iase.disa.mil/stigs/iss/index.html (gone 17 Oct Update)
http://iase.disa.mil/stigs/iss/retina.html (gone 17 Oct Update)
eEye Digital Security and DISA press release:
http://www.eeye.com/html/company/press/PR20040623.html
Official Word from DISA
Information Assurance Support Environment:
DISA IA Announcement: DISA will be converting from using Internet Security Scanner to the e-Eye Retina Network Security Scanner (SCCVI) effective 1 Aug 05 for all security reviews, compliance validations, certification efforts, etc. All open findings related to a penetration test conducted with the ISS tool will be archived (closed) as a Retina penetration test is conducted by DISA. The ISS findings are still valid open findings that need to be worked and closed by the site. However, sites are highly encouraged/recommended to perform a self-assessment using the Retina scanner as soon as they receive the tool.
Information, online training, and Retina software can be obtained from the http://iase.disa.mil website.
eEye Digital Security
http://www.eeye.com/html/index.html
Retina Network Vulnerability Scanner:
http://www.eeye.com/html/products/retina/index.html
Resources
Speed test: Tor, sponsored by the EFF, and Google's new beta VPN are both aimed at those of us who want to protect our privacy and rights online. While Google claims that its VPN program is to boost security on wireless networks, it can also be used with wired internet connections to add some more security for the rest of us.
Once again Google uses incredible engineering to create something that may just become number one in yet another area of IT. Google AdSense is doing so well that Yahoo and MSN are testing similar content-relevant ad scripts.
Tor looks like it is much more secure than the Google implementation. I mean, a VPN is pretty secure, but Tor is ridiculously secure in that it treats each system it connects through as a separate VPN hop, encrypting the traffic at each point. This makes the traffic very difficult (if not impossible) to track, as the EFF stores none of that data. Google will hold the traffic data but claims that the data will be “personally unidentifiable,” which means it cannot be tracked back to any one person (at least that is how I understand it).
But I wonder what this wireless VPN project could mean in terms of practical use. Will Google deploy it at Starbucks and Borders bookstores around the world?
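To make the "separate encryption at each hop" point concrete, here is an added example (not part of the original post, and not Tor's real protocol or cipher) that wraps a message in one encryption layer per relay. Each relay peels exactly one layer and learns only the next hop; the hop names, keys, nonce and the HMAC-SHA256 toy stream cipher are all constructed for the demo.

```python
import hmac
import hashlib
import json

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo only: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def build_onion(hop_keys, hops, dest, payload, nonce):
    """Client side: innermost layer is for the exit relay, outermost for the entry relay.
    Relay i (holding hop_keys[i]) can only recover the address of hop i+1."""
    layer = keystream_xor(hop_keys[-1], nonce, json.dumps({"next": dest, "data": payload}).encode())
    for i in range(len(hops) - 2, -1, -1):
        wrapper = json.dumps({"next": hops[i + 1], "data": layer.hex()}).encode()
        layer = keystream_xor(hop_keys[i], nonce, wrapper)
    return layer

def peel(key, nonce, layer):
    """Relay side: strip one layer; returns (next hop, remaining data)."""
    header = json.loads(keystream_xor(key, nonce, layer))
    return header["next"], header["data"]

def simulate_circuit(hop_keys, hops, dest, payload, nonce):
    """Run the onion through every relay; returns what each relay observed and what the exit delivers."""
    layer = build_onion(hop_keys, hops, dest, payload, nonce)
    observed, delivered = [], None
    for i, key in enumerate(hop_keys):
        nxt, data = peel(key, nonce, layer)
        observed.append((hops[i], nxt))          # the only routing fact this relay learns
        if i < len(hop_keys) - 1:
            layer = bytes.fromhex(data)          # still ciphertext for the next relay
        else:
            delivered = data                     # exit relay sees the cleartext payload
    return observed, delivered

# Constructed demo circuit: three relays with independent per-hop keys.
HOP_KEYS = [b"entry-key-0000000000000000", b"middle-key-000000000000000", b"exit-key-0000000000000000"]
HOPS = ["relay-A", "relay-B", "relay-C"]
NONCE = b"demo-nonce-1"

if __name__ == "__main__":
    seen, msg = simulate_circuit(HOP_KEYS, HOPS, "example.org", "hello", NONCE)
    for relay, nxt in seen:
        print(f"{relay} forwards to {nxt}")
    print("exit delivers:", msg)
```

Note that the entry relay's single-layer view never contains the destination or the payload; only the exit relay sees the cleartext, which is why exit relays (and plaintext protocols over them) remain the weak point.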
Phishing attacks that attempt to capture a user's Yahoo! ID and password by tricking the gullible into handing over their credentials to fake sign-in pages have been around for months if not years. Recently, though, these phishing sites have begun using alternative Yahoo! Sign In pages, such as Yahoo! Photos, net security firm Websense reports.
I get links to these sites via email all the time. It seems that if you place your email@address.com on a website, these criminals have automated software that finds the address and sends you a fake email from PayPal or Yahoo! or eBay or any other account in which you might have digital cash.
Some of the emails they send look legitimate. But if you look under the hood, you'll see that the links go to sites that have nothing to do with the company the email claims to be from. Typically, the address is outside the U.S.
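"Looking under the hood" can be automated. The following is an added example (not from the original post) that parses the links in an HTML email body and flags the classic phishing tells: visible text naming one domain while the href points elsewhere, a brand name buried in an unrelated host, or a bare IP address as the host. The sample email, the `.example` hosts and the 192.0.2.x address are all constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)   # dotted hostname in visible text
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def base_domain(host: str) -> str:
    """Last two labels of a host; good enough for the demo (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html_body: str, claimed_brand: str):
    """Return [(href, [reasons])] for links that do not match the brand the mail claims to be from."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if IPV4_RE.fullmatch(host):
            reasons.append("raw IP address host")
        shown = HOST_RE.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            reasons.append(f"visible text says {shown.group(1)} but link goes to {host}")
        if claimed_brand in host and base_domain(host) != claimed_brand:
            reasons.append(f"brand name embedded in unrelated host {host}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message imitating a Yahoo! Photos sign-in lure.
SAMPLE_EMAIL = """<p>Your Yahoo! Photos account needs verification.</p>
<a href="http://yahoo.com.photos-verify.example/login">http://photos.yahoo.com/signin</a>
<a href="http://192.0.2.10/yahoo/">Click here to sign in</a>
<a href="http://mail.yahoo.com/">Yahoo! Mail</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, "yahoo.com")` flags the first two links and leaves the genuine mail.yahoo.com link alone.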
114 Exploits / 449 Bulletins on ElseNot.com
MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423) Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold
MS05-042: Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587) Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold, Windows Server 2003 SP1
MS05-040: Vulnerability in Telephony Service Could Allow Remote Code Execution (893756) Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold, Windows Server 2003 SP1
Help to submit more exploits!
Wil Shipley, independent Apple software developer, has offered a $500 bounty for anyone who can exploit a base OSX install with the latest security patches. It's time to put up or shut up.