Security

A new attack on PayPal could have allowed users who thought they were on a trusted page to access a fraudulent page and possibly expose personal information. On Friday, Finnish researcher Harry Sintonen reported the vulnerability on an IRC chat room.

In an interview with Netcraft, Sintonen said the issue was critical. "You could easily steal credentials." He added that in this case you can't trust the URL http://www.paypal.com.

A few weeks ago PayPal announced it would block users whose browsers did not support EV SSL. Sintonen, who is credited with finding an XSS attack on Barack Obama's Web site … Read more

Visitors to AOL's main portal page may have seen a headline "Disgraced 'Oprah' Author Is Back" circulating, but those who clicked may have infected their computers, says Roger Thompson, Chief Research Officer of AVG Technologies.

Thompson said anyone clicking on the headline link would be taken to a legitimate forum page discussing James Frey's latest book, Morning. However, some of the blog posts on that page contained a link to a video site. In order to view the video associated with that post, the user would have to accept the installation of the video codec.

Upon … Read more

While Operation CyberStorm is intended to improve our ability to defend against a foreign cyberattack, the Air Force is talking openly about our ability to launch a preemptive attack in cyberspace.

In the May 2008 issue of Armed Forces Journal, Col. Charles W. Williamson III wrote that "America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to … Read more

Following the February 5 presidential primary, several county clerks in New Jersey asked an independent researcher to study the vote results on the state's electronic voting machines. The vendor, Sequoia, has threatened legal action, but so far hasn't taken any. Initial results suggest that there were some inconsistencies in vote tallies, although none were enough to reverse the election results themselves.

Since last year, several states have requested audits of electronic voting systems. In California, the audits resulted in some systems being scrapped for the 2008 presidential primaries. As we turn our attention to the fall 2008 presidential … Read more

Over the past few weeks, things have heated up again in Lebanon, with the U.S.-backed government on one side and the Syrian-backed Hezbollah on the other.

To many U.S. observers, this might be just another case of tensions flaring up in the Middle East. Do not be fooled. This is all about telecommunications policy--and the design of secure, attack-resistant data networks.

But first, a bit of background. Hezbollah and Israel have been at war for some time. In an effort to stop Hezbollah's guerrilla fighters from communicating, Israel has in the past jammed the cell phone … Read more

Recent attacks on legitimate Web sites may have left some end users vulnerable. But on Monday, Check Point Software Technologies released ZoneAlarm ForceField, which might provide some with the safe surfing protection they need.

ZoneAlarm ForceField sells for $29.95 (for a single user license) or $49.95 (for a three-user license) and currently works only with Internet Explorer 7, Firefox 2, and the Firebox 3 beta. In tests at CNET, ZoneAlarm ForceField did not work with Apple Safari for Windows or Opera 9. Installation doesn't require a reboot. When you open your Internet browser, the edges will be … Read more

The United Kingdom has the most surveillance cameras per capita in the world. With the recent news that CCTV cameras do not actually deter crime, how can the local town councils justify the massive surveillance program? By going after pooping dogs.

In a recent interview with The Guardian, the head of the Metropolitan Police's Visual Images Office explained the failings of CCTV:

"Billions of pounds has been spent on it, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter … Read more

Spammers are going legit, and they're using Yahoo e-mail authentication servers to do it, said Mark Sunner, chief security analyst with MessageLabs.

Most people use the Web interface for Yahoo Mail, which attaches a banner of advertising on the e-mail somewhere within the message. Yahoo also provides a service, Yahoo Plus, that allows the sender to use SMTP and traditional e-mail clients such as Outlook Express or Thunderbird. Mail sent via SMTP passes through Yahoo's servers, signing the mail as legit using the Yahoo Domain Keys Identified Mail (DKIM) service.

What this does is strip out the usual … Read more

Last week on my Security Bites podcast I talked with Jeremiah Grossman, CTO of WhiteHat Security, about the recent spate of SQL injections affecting Microsoft SQL.

Grossman said that if users surf to an SQL-injected site, their browsers will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins. Grossman also said that just turning off Javascript won't necessarily protect end users from this latest round of attacks since the attackers can use traditional HTML as well.

Below … Read more