


This section is devoted to featuring late-breaking cyber security news stories.
Apr. 30, 2008 - Michael S. Mimoso, Information Security Magazine
SQL Injection Attack Infects Hundreds of Thousands of Websites
Chinese hackers have conducted successful SQL injection attacks on hundreds of thousands of websites during the past 10 days, culling their targets from search engines.
Normally, SQL injection attacks are targeted attacks, one IP address at a time. The closest attack on this scale would be the SAMY worm attack on the MySpace.com domain, but that was against just one domain.
Apr. 29, 2008 - Kevin Howe, Monterey County Herald
One Breach Is One Too Many in Cyber Warfare
Cyberspace is a battleground that the U.S. military should learn to dominate, just as it has land, sea and air, says an expert with the Naval Postgraduate School's computer science department.
"Destroying a computer infrastructure is like denying somebody air," said Scott Cote, senior lecturer in the school's Center for Information Security Studies and Research.
Apr. 29, 2008 - Benjamin J. Romano, Seattle Times
Microsoft Device Helps Police Pluck Evidence from Cyberscene of Crime
Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
Apr. 28, 2008 - Kevin Coleman, DefenseTech.org
Media Warfare - Hacking Live Television
Apr. 28, 2008 - William Jackson, GCN
Experts Struggle with Cybersecurity Agenda
Whoever becomes our next president will inherit a cyber infrastructure under almost constant attack and at greater risk than eight years ago, and a handful of experts and legislators have come together to ensure that cybersecurity has a high priority in his or her administration.
Apr. 28, 2008 - Robert McMillan, IDG News Service
Security Vendors Slam Defcon Virus Contest
There will be a new contest at the Defcon hacker conference this August, one that anti-virus vendors already hate.
Called Race-to-Zero, the contest will invite Defcon hackers to find new ways of beating anti-virus software. Contestants will get some sample virus code that they must modify and try to sneak past the anti-virus products.
Apr. 28, 2008 - Katherine Walsh, TechWorld
Staff Actively Seek Enterprise Security Loopholes
Enterprise users are "actively and intentionally" evading IT security controls and ignoring acceptable use policies, according to Palo Alto Networks' first annual "Application Usage and Risk Report."
The recent survey results from Palo Alto, a firewall vendor, are based on traffic from 350,000 users in 20 organisations that span the financial services, manufacturing, healthcare, state/local government and healthcare industries.
Apr. 25, 2008 - BBC News
Hackers Warn High Street Chains
High street chains will be the next victims of cyber terrorism, some of the world's elite hackers have warned.
They claim it is only a "matter of time" before the likes of Tesco and Marks & Spencer are targeted.
Criminals could use the kind of tactics which crippled Estonia's government and some firms last year, they warned.
Apr. 25, 2008 - Dan Goodin, The Register
Department of Homeland Security Website Hacked
The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.
While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. Even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune.
Apr. 25, 2008 - Nancy Gohring, IDG News Service
Scott Charney: Microsoft's Ax Man
Some people might dream of having the power to kill a product just before launch at a company the size of Microsoft, but for Scott Charney, that's just part of the job.
Charney, vice president of trustworthy computing, was hired by Microsoft in early 2002 to spearhead the company's security strategy. He built a team that looks for vulnerabilities in products during development and works to implement security into product design. If the team finds an issue, even if the product is just about to ship, Charney can order the product back to the drawing board until the problem is fixed.
Apr. 25, 2008 - Heath Urie, Daily Camera
More than 9,000 Affected By CU Computer Breach
Personal information including the names, Social Security numbers, addresses and grades of about 9,000 students and 500 instructors at the University of Colorado has been compromised by a computer hacker, CU spokesman Bronson Hilliard said Friday.
Apr. 24, 2008 - Dennis Fisher, SearchSecurity.com
New SQL Injection Technique Threatens Oracle Databases
Database security expert David Litchfield has devised a new method of exploiting various PL/SQL procedures that do not take any input. The technique, which he describes as lateral SQL injection, can be used to compromise Oracle databases remotely.
Apr. 24, 2008 - Tom Roeder, The Gazette
Cadets Fight in Cyberwar
Bleary-eyed cadets at the Air Force Academy, including members of a group dubbed the "nerdy dozen" for its computer prowess, have spent the week battling the nation's electronic spy agency in an all-out cyberwar.
The cadets and students at other military-run schools nationwide are competing in the National Security Agency's 8th Annual Cyber Defense Exercise. The team that wins is the team that can defend its specially built computer network from viruses, e-mail attacks and security penetrations by the NSA's world-class hackers.
Apr. 23, 2008 - BBC News
Net Card Fraud "Underestimated"
The extent to which criminals are targeting the internet for credit and debit card fraud is far greater than earlier estimates, new figures suggest.
Banking industry data shows card losses from phone, internet or mail order crime totalled £290.5m in 2007.
But a BBC investigation found if failed attempts had been successful, the total could have been £500m.
Apr. 23, 2008 - Ben Rubin, The Journal News
West Point Cadets Battle NSA Hackers in Cyber Defense Exercise
WEST POINT - A crew of about 30 cadets in fatigues huddled around banks of computer screens in a command center at Thayer Hall. Camouflage netting lined one wall of the room.
For four days this week, starting on Monday, the cadets would need to protect a computer network of their own creation from the National Security Agency's Red Team, professional hackers working at the Fort Meade Army post in Maryland.
Apr. 22, 2008 - Iain Thomson at Infosec Europe
Infosec: Security Community Must Work Together
Microsoft has called on companies to work together to improve overall security, and not just rely on the police to do it for them.
Ed Gibson, Microsoft's chief security advisor in the UK, said during his keynote at Infosecurity Europe 2008 that security affects the entire industry and that companies must work together.
Apr. 22, 2008 - Robert Westervelt, News Editor
Former Lending Tree Employees Pilfer Firm's Customer Database
Charlotte, N.C.-based LendingTree is warning customers that their personal data may have been compromised by its former employees who used their passwords to pilfer the data from the company's systems.
In an email to customers, LendingTree said the former employees helped some mortgage lenders gain access to its customer database by sharing their confidential passwords. The data was used by those lenders to market their own mortgage loans.
Apr. 22, 2008 - Sumner Lemon, IDG News Service
China Continues to Face Severe Botnet Problem
China continues to face a severe problem with botnets, networks of computers infected with software that allows them to be controlled remotely for denial-of-service attacks and to send spam, according to a report by China's National Computer Network Emergency Response Technical Team (CNCERT).
Apr. 22, 2008 - The Korea Times
Caught Off Guard: Hackers Attack Presidential Office's Computer Network
A series of hackers' attacks have hurt South Korea's pride in its information technology (IT) and Internet prowess. People are shocked by reports that the presidential office's computer network was hacked into in mid-February. This case is raising serious worries about the country's poor Internet security system, which might threaten national security. What's more surprising is that the government failed to detect the hacking until late March.
Apr. 21, 2008 - AFP
Researchers Find Hole in "Flawless" Encryption Technology
Quantum cryptography, a new technology until now considered 100 per cent secure against attacks on sensitive data traffic, has a flaw after all, Swedish researchers say.
"In computer terms, we've found a bug," said Jan-Aake Larsson, an associate professor of applied mathematics at the Linkoeping University in southern Sweden.
Apr. 21, 2008 - Joe Barr, linux.com
Baker College Wins National Collegiate Cyber Defense Competition
Baker College of Flint, Mich., defeated defending champion Texas A&M University and four other regional winners from across the country to capture the third annual National Collegiate Cyber Defense Competition, which concluded in San Antonio, Texas, over the weekend. Texas A&M finished a close second, and the University of Louisville took third. Also competing for the championship were the Community College of Baltimore County, Mount San Antonio College of Los Angeles County, and the Rochester Institute of Technology.
Apr. 21, 2008 - posted by Larry Seltzer, PC Blogs
A Hack We Can Believe In
Hackers redirected portions of the BarackObama.com web site to HillaryClinton.com, according to several reports.
It's amazing more of this sort of thing hasn't happened already, especially since web-based donations are more important than ever to the campaigns. Four years ago Security Watch reported on a phishing e-mail that asked for donations to the John Kerry campaign.
Apr. 21, 2008 - Kim Zetter, Wired
Rupert Murdoch Firm Goes on Trial for Alleged Tech Sabotage
Did a Rupert Murdoch company go too far and hire hackers to sabotage rivals and gain the top spot in the global pay-TV war?
This is the question a jury will be facing in a spectacular five-year-old civil lawsuit that is finally being tried this month in California but which has, oddly, received little notice from U.S. media.
Apr. 21, 2008 - Dan Goodin, The Register
Microsoft: Finding Flaws on Our Website is OK
In a first for a major company, Microsoft has publicly pledged not to sue or press charges against ethical hackers who responsibly find security flaws in its online services.
The promise, extended Saturday at the ToorCon security conference in Seattle, is a bold and significant move. While researchers are generally free to attack legally acquired software running on their own hardware, they can face severe penalties for probing websites that run on servers belonging to others. In some cases, organizations have pursued legal action against researchers who did nothing more than discover and responsibly report serious online vulnerabilities.
Apr. 21, 2008 - Christopher Burgess, CSO
Nation States' Espionage and Counterespionage
...Not a month passed in 2007 without a reference to intellectual property theft or a revelation that IP theft was being sponsored by a nation-state. More frequently, we hear of yet another government condoning, encouraging and creating a mandate for its national intelligence and security resources to steal intellectual property for competitive and national advantage.
Apr. 21, 2008 - Shaun Waterman, Washington Times
FBI Organizes Defense Against Cyber-Attacks
The FBI quietly established last summer a task force involving U.S. intelligence and other agencies to identify and respond to cyberthreats against the United States.
Called the National Cyber Investigative Joint Task Force, the group has "several dozen" personnel working together at an undisclosed location in the Washington area, said Shawn Henry, the FBI's deputy assistant director of its cyberdivision.
Apr. 20, 2008 - Jim Boren, The Fresno Bee
We Make It Way Too Easy for Those Who Steal Identities
No wonder identity theft is the fastest-growing crime. Our common sense hasn't caught up with our technology.
We let anyone have our Social Security and driver's license numbers. We might as well leave our wallets on a store counter and walk away. A thief with a computer can quickly empty our bank accounts.
Apr. 18, 2008 - Dan Goodin, The Register
Notorious eBay Hacker Arrested in Romania
Vladuz, the notorious hacker who repeatedly accessed off-limits parts of eBay's network and then publicly bragged about it, has been arrested, the online auctioneer says.
The hacker was arrested by Romanian law enforcement officials with the help of the US Secret Service, the FBI and eBay's global fraud investigation team, eBay said. The company wouldn't discuss additional details, and representatives from the Secret Service and the FBI couldn't be reached for comment.
Apr. 16, 2008 - John Leyden, The Register
Security Gumshoes Locate Source of Mystery Web Compromise
The source of the mystery infection of more than 10,000 websites back in January has been uncovered. Thousands of legitimate websites were compromised at the start of the year to serve up malware.
It seemed that the exploitation of SQL Injection vulnerabilities was involved in the automated attacks. The precise mechanism was unclear until earlier this week when security researchers discovered a malicious executable later linked to the attack on a hacker site.
Apr. 10, 2008 - Brian Grow, Keith Epstein and Chi-Chu Tschang
The New E-spionage Threat
The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.
Apr. 3, 2008 - Dan Campbell, special to GCN
Justice, Commerce Warn of Web 2.0 - and 3.0 - Security Risks
Defense-in-depth protection for agency Web sites is the recommendation from Justice and Commerce department representatives who spoke during the FOSE 2008 Conference and Exposition about the dangers of targeted attacks.
“[The] Web is a collaboration method, but the benefits of collaboration will not be realized unless that collaboration is done securely,” said Michael Castagna, Commerce’s chief information security officer.
Apr. 2, 2008 - AFP
Estonia to Drill NATO's Future Cyber-War Defenders
Almost a year after falling victim to a "cyber-war" blamed on Russian hackers, the Baltic state of Estonia is now piloting NATO's efforts to ward off future online attacks on alliance members.
After this week's NATO summit in Romania, Estonia and seven other alliance partners will set up the "Cyber Defence Centre of Excellence" in Tallinn next month.
Apr. 2, 2008 - Ryan Singel, Wired Blog Network
DDoS Packets are Two Percent of Net Traffic, Report Says
One out of every 50 packets on the internet is malicious junk intended simply to clog the tubes, according to a high level traffic analysis by Arbor Networks.
Distributed Denial of Service attacks or DDoSes aim to bring a site down by bombarding it with fake requests for a web page or image. It's like having 1,000 people continually crank calling a company -- the real customers can't get through.
Apr. 2, 2008 - Jaikumar Vijayan, Computerworld Security
Vermont Ski Area Reports Hannaford-Like Theft of Payment Card Data
In a security breach that sounds similar to the one disclosed by Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February.
Apr. 1, 2008 - John Leyden, The Register
U.S. Auto Parts Store Spills Data to Hackers
Advance Auto Parts, the US motoring parts retailer, is the latest firm to give up customer credit card data to hackers.
The bad guys gleaned financial information on up to 56,000 customers, through an attack affecting 14 stores nationwide, the firm said on Monday.
The mechanism of the attack and the identity of the perps are unknown.