archives
April 2010

Google: Single Sign-On, Single Point of Failure?

Spoof or SPOF? IT Security reportage veteran John Markoff reports in the New York Times that the attack on Google's intellectual property reported in January was even more interesting (and disquieting) than most of us realized. According to an unnamed source, some of the information stolen related to the company's password system, Gaia. Gaia is a

Gmail spam: an inside job?

Aleksandr Matrosov, Senior Virus Researcher at ESET Russia, has brought to our attention an avalanche of reports of hacked Gmail accounts. While the exact nature of the hack isn't confirmed, it appears that spammers were able to access the victim's address books in order to send junk mail from the compromised accounts to their owner's

Some possibly interesting links and a very old new paper

If you regularly follow my blogs, you'll know that while this my primary blogspot, it isn't the only site to which I post (see signature for full details). Here are a few recent blogs and microblogs that may be of possible interest. @Mophiee asked me about the ICPP Trojan on Twitter (where I'm @ESETblog or

SEO poisoning, Londoning and Icelanding

I was asked whether I'd seen SEO (Search Engine Optimization) poisoning relating to the Icelandic eruption and the very widespread grounding of aircraft in Europe. Well, there were certainly attempts in March to exploit the earlier Eyjafjallajokull eruption in order to drive googlers interested in finding out more towards malicious web sites. So it would be naive

Smells Like Teen Spirit

I've just read a news item about a nine year old boy who has been accused of hacking into his school's computer system. It seems police claim the nine year old hacked into the Blackboard Learning System used by his school to change teacher's and staff member's passwords, change and delete course content and change

Good Password Practice: Not the Golden Globe Award

The Boston Globe suggested  that changing passwords is a waste of time, based on their interpretation of an article by Herley Cormac. Cormac's paper – well worth reading, by the way - reinforces a point that has been made many times both by me and by the "user education doesn't work" lobby. While I don't believe that education is useless,

Please do not change your password – The Boston Globe

I find it hard to not be shocked at a headline like this… Then I remembered the recent top cybercrime city survey conducted by one of our competing software vendors which had Boston ranked the SECOND HIGHEST risk city in the entire United States. I’m also not one to simply lie down and let cybercriminals

Java 0-Day: who’s brewing the coffee?

Further to Pierre-Marc's blog yesterday about in-the-wild exploitation of the Java Development Kit vulnerability publicised by Tavis Ormandy, David Kennedy has brought to our attention a comprehensive article on the same topic published yesterday by FireEye's Atif Mushtaq.  You may remember that Atif exchanged thoughts and info with us a while ago in relation to

Cyberwarfare and Music: It’s All Tempo

Old joke: how can you tell a lousy drummer is at your front door? The knocks keep slowing down. Tempo of operations are similar in that if you can keep a fast, sustained rhythm outpacing the adversary, you’ll keep the initiative. If your side knows when the tempo is supposed to speed up or slow

A Bit More on Steganography

Craig Johnston recently posted a blog about steganography. It is interesting to me that I have known for years how to get data out of a company on a CD or a DVD with virtually no chance of detection. There are large areas in CD and DVD images that are not supposed to contain data,

Unpatched Java Deployment Kit Vulnerability Exploited in the Wild

 Last Friday, Tavis Ormandy published details about a vulnerability in the Java Deployment Toolkit. The vulnerability allows an attacker to download and execute arbitrary Java code on a vulnerable system. We released generic detection for attacks against this vulnerability, the exploitation code being detected as "JS/Exploit.JavaDepKit.A trojan". Since yesterday, we are starting to see this vulnerability

Dangerous Zips + Responsible Disclosure

Mario Vuksan, Tomislav Pericin and Brian Karney have been talking…about vulnerabilities they’ve found in various compression formats … as well as their potential for steganographical use or misuse…. Perhaps the main problems here will not be technical vulnerabilitiese but careless users and social engineering attacks.

SMishing or IMEI Phishing?

Technically it’s not SMS Phishing… but it’s close: Cybercriminals use the information requested on the web page to clone the smartphone for various uses, including stealing long-distance service from the subscriber or simply using a deniable, disposable smartphone for other criminal activities. In effect, the cybercriminals used phishing techniques to clone smartphones. The strength of

Facebook Newbie | Good Practices

Since our April ESET news has already been dominated by Facebook and Koobface an updated Facebook best practices wrapup seemed in order. Facebook Newbie? Read This First While most of us involved with this blog are old hands at implementing security, sometimes it’s hard for others to process the do’s and don’ts. Michelle Green contributed

Steganography – NOT The Study Of Stegosaurs!

There has been a recent news story about researchers at Princetown University who are working on a new form of steganography that could allow information to be leaked out of an organization on compact disks (CDs) without being detected. Steganography takes one piece of information and hides it within another. Computer files (images, sounds recordings,

Top Four Privacy Hacks/Tips/Trends Of The Week

Clearly, anything which is posted online should be assumed to be eternal, written in stone tablets, and admissible for all time. For the early adopter (Internet, blogger, Friendster, etc.) this also operates as a reminder of the ever-powerful TOS change: just because the terms of service (TOS) say that your content is private now never

Guest Blog: How free is free Antivirus?

I've noticed a number of tests recently that seem to be intended to prove that free antivirus is as good as commercial AV. As it happens, I'm not against free AV in principle, as long as people are entitled to use it – commercial use of free AV is usually not permitted. And I'm overjoyed when

Health Coverage Scams

The front page of USA Today has a headline titled “Health coverage scams spread”. A common theme is that a company offers health insurance for a price that is much lower than what major, well known insurance companies charge. It’s the old “if it looks too good to be true…” scam all over again. In

FBI Cyber Division Describes Criminal Specialization

According to FBI Cyber Division Director Chabinsky’s keynote speech last week the supporting elements of a somewhat clannish and tribal entity such as a cybercrime organization are also specialized and diverse in the 21st century:

Is Net Neutrality a legit beef against Senate Bill 773?

After posting the article regarding this new legislature I continued my research into the objections which have been raised by many cyber activists. Some of the concern is about ‘Net Neutrality’ and the potential for abuse of power. Let’s look first at the issue of content-neutral or client-neutral packet routing. Net Neutrality – A Deeper

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

6 articles related to:
Hot Topic
20 Apr 2010
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.