TJX e-mails tell the tale

Executives at TJX Cos., which in January revealed a massive security breach that put millions of its customers’ personal information at risk, knew two years ago that the company’s wireless payment network was vulnerable to attack, according to court documents.

In 2005, TJX officials also discussed the need to update the company’s wireless network security to a more secure WiFi protected access (WPA) system and whether it could be deferred to save money, according to e-mail exchanges between TJX employees. The e-mails were included in court documents filed in a lawsuit brought by a group of banks against TJX.

The security breach, the nation’s largest, began in mid-2005 and was discovered by TJX in late 2006. TJX has since been accused of failing to safeguard customers’ information and faces a myriad of lawsuits. Canadian officials who conducted their own investigation said criminals hacked into TJX’s wireless networks while outside two Marshalls stores in Miami.

The e-mails reveal TJX executives’ concerns about the network.

“WPA is clearly best practice . . .” Paul Butka, TJX’s chief information officer, wrote in a Nov. 23 e-mail to other TJX employees. “I think we have an opportunity to defer some spending from FY ’07’s budget by removing the money from the WPA upgrade, but I would want us all to agree that the risks are small or negligible.”

In response, TJX employee Lou Julian sent an e-mail saying, “Saving money and being PCI compliant is important to us, but equally important is protecting ourselves against intruders.”

Julian wrote that the company was “vulnerable” with the wired-equivalent privacy encryption (WEP) standard it had in place. “It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised,” he wrote.

TJX vice chairman Donald Campbell in a statement said that TJX’s computer security prior to the breach was “similar to that of other large retailers.”

“These TJX internal e-mails are just a very small portion of the extensive, ongoing dialogue on the topic of WPA wireless network security and timing of spending which occurred at TJX,” Campbell said.

“TJX decided to move to WPA in advance of being required to do so by the payment card industry. Spending on WPA conversion was not deferred by TJX; in fact, it was accelerated and TJX completed conversion to WPA in advance of its conversion timetable and ahead of many major retailers.”


Consumer losses from ID theft falling?

The U.S. Federal Trade Commission released a report on Tuesday that showed a significant drop in the losses due to identity theft, but also noted that changes in the survey questions could have caused the decrease.

The survey, the 2006 Identity Theft Survey Report (PDF), estimated that losses from stolen and fraudulent credit accounts reached $15.6 million, only a third of the $47.6 billion cited in a 2003 survey. However, the report does not rule out the possibility that statistical errors and a change in methodology could have caused the significant drop. The 2006 survey typically asked more specific questions about losses than the 2003 survey did, the report stated.

"Although we believe that these methodological changes improve the reliability of the estimated values, they tend to cause lower estimates as compared to the 2003 survey," analyst firm Synovate, the author of the report, stated in the document. "Thus, the differences in the estimates between 2003 and 2006 may, at least in part, be due to the changes in methodology as opposed to changes in consumers' actual experiences."

The survey found that identity thieves gained more goods and services -- and thus, consumers lost more -- through opening new, fraudulent accounts in the victim's name, rather than fraudulently using existing accounts. On average, identity thieves stole $1,350 in goods and services through new accounts, compared with $350 using existing accounts. For the worst-hit 10 percent of victims, the average loss was $15,000 for new accounts versus $4,000 for existing accounts. On average, there were no out-of-pocket expenses for victims.

The FTC stressed that even with the lower estimates, identity theft remains a significant problem.

"The important thing is that people learn how to deter identity thieves, detect suspicious activity on their financial records, and defend against the crime, should it happen," Lydia B. Parnes, director of the FTC's Bureau of Consumer Protection, stated in a press release.

Concerns over identity theft and credit-card fraud have risen in recent years because of the public outing of high-profile cases, such as retailer TJX Companies' loss of information on more than 94 million credit- and debit-card accounts. Stores have become increasingly worried about the liability of storing credit-card data. Recent arrests of suspected identity thieves have underscored the increasing sophistication of the groups dealing in such information. A survey of those arrested for identity theft found that the majority had never before been accused of a crime.

The 2006 Identity Theft Survey Report is based on 4,917 interviews conducted between March and June of 2006.


Google hands over Israeli IP address

Google has handed over the IP address of a user of its blogging software after the author was accused of slandering Israeli politicians.

Reports on Israeli news site Globes Online suggest that the blogger made a number of allegations about three Israeli councilmen standing for election, including fraud and links to organised crime.

Google initially declined the request for information but changed its mind after a ruling by Judge Oren Schwartz, of Rishon LeZion Magistrates Court, that the blog constituted criminal defamation.

The search giant struck an agreement with the court to email the blogger within 72 hours of the trial telling them to attend. If Google received no response it promised to hand over the information.

The IP address was subsequently taken by the prosecution to the user's ISP, which identified the individual involved.


Rare bug blights Lotus Notes

Security researchers have discovered a rare, and potentially serious, security bug in Lotus Notes. A buffer overflow flaw in IBM's groupware package enables hackers to trick users into running hostile code on vulnerable systems.

The security bug stems from boundary errors within the Lotus 1-2-3 file viewer (l123sr.dll) component. Successful exploitation of the bug involves tricking users into viewing maliciously crafted Lotus 1-2-3 attachments, designed to allow the execution of arbitrary code on vulnerable systems.

The flaws, discovered by security researchers with Core Security, affect versions 7.x and 8.x of Lotus Notes. Other versions may also be affected.

Sys admins are advised to contact IBM support for patches, as explained here.


SANS Cites Users, Apps As Main Threat Targets

Computer users and custom applications created with minimal attention to security emerged as the top two attack targets favored by criminals.

The SANS Top 20 list for 2007 demonstrated a shift away from the typical focus on vulnerabilities in software products. That look at critical problems requiring attention still exists, but there is more for security pros to worry about than just patch updates.

"Facing real improvements in system and network security, the attackers now have two new prime targets that allow them to evade firewalls, antivirus, and even intrusion prevention tools: users who are easily misled and custom-built applications," SANS said in a statement.

"This is a major shift from prior years when attackers limited most of their targets to flaws in commonly used software."

SANS illustrated a few scenarios where these trends have proven problematic for their victims. One scenario alludes to penetration of a sensitive federal agency via a spear phishing attack. The net result caused data to be sent from a chief information security officer's PC to a computer in China.

Other scenarios, based on real world events with details changed to protect identities, showed how attackers managed to place keyloggers on machines. These ranged from a major government think tank, to an individual whose father's bank account was emptied with the ill-gotten gains forwarded to suicide bomber recruiters.

Plugging a new, unprotected machine into the Internet is a fool's errand, according to SANS. They estimate a machine will last about five minutes before being attacked, and it will be compromised unless it was configured securely before being connected.

Alan Paller, director of research at SANS, pointed at the rise in poorly-secured web applications as being particularly troublesome. These dynamic applications regularly connect with back-end databases that house sensitive information about the application's users.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all Web applications," Paller said.


Silkroad Exploit

[Silkroad Exploit Step 1 out of 2]

[Joymax account exploit Part 1]
http://www.joymax.com/portal/
- Create a new account

Go on the following link: [Here]
Complete the E-mail Verification Service.

When you are done.

Log out.
Go on http://www.joymax.com/portal/
Go in the Forgot your password
Write your ID and E-mail
click Change Password

Now before clicking on Send verification code:
Exploit Step #1 start here:

http://rev6.com/AccountName.jpg

[Tool used to modify the account]

FireFox: [Here]

FireFox Addons: [Here]

Menu: Tools/Web developer/Forms/Display Form Details
Menu: Tools/Web developer/Forms/Enable auto completion

You will see the hidden variable UserID="YourAccountName"
You need to type the account name of the guy whose account you want to steal.

When it's done, click on [Send Verification Code]

You will receive an Email, click on the link on that email
It will ask for the code that was in the email write it and click confirm.

It will now ask for a new password
Feel free to do a
Menu: Tools/Web developer/Forms/Display Form Details
You will see that the account name that Joymax sent you is not your account name
but the target account name whose account you want to steal.

Type the desired password and the First step is done.

Now you can go on
http://www.joymax.com/portal/
Type the password of the account you just stole and you can look at his personal settings on Joymax.com.

This is the step 1 of 2.
For security reasons we won't release step 2.

The website password of the target account has changed to the password you entered on Joymax.com.
Now the 2nd step is to modify the Silkroadonline.net password to the Joymax password.
To change his account password...

We will give Joymax a 24-48 hour delay before posting how it's done.
If Joymax does nothing, everything will go public.

In other words you can steal someone else's account, legit or bot, with ONLY THE ACCOUNT NAME!
I have wasted 42 hours investigating the Joymax website.
Joymax, feel free to compensate me for my time by using the donation link on the left.

May I add to this that on the Tibet server all the high-level accounts have been hacked one by one using this glitch during the last 2 weeks.
Please note this goes against the Joymax TOS and Joymax is fully responsible for this error. You will need to do a rollback and a compensation event for the time lost.
We at Rev6.com did not use this exploit; we were investigating this error based on many user complaints.
Our community reported this anomaly and our objective is to persuade you that you must do a rollback.
This mainly affected the Tibet server; as for other servers, please verify your bug report section.

I would like to thank all the anonymous tips received from many different users.
Joymax, if you read your bug report, you will find the entire account stealing process, from just an account name to emptying the account inside the game on Silkroad.

Sincerely,
C-o-r-E, MuMeD
And your friendly Venice Silk Assistant,
NeDra (also known as [GM]NyMbLe)


//** all credits on this post goes to Rev6 **//


MySQL Commands

To log in (from the Unix shell); use -h only if the server is not on the local machine.

[mysql dir]/bin/mysql -h hostname -u root -p

Create a database on the sql server.

create database [databasename];

List all databases on the sql server.

show databases;

Switch to a database.

use [db name];

To see all the tables in the db.

show tables;

To see a table's field formats.

describe [table name];

To delete a db.

drop database [database name];

To delete a table.

drop table [table name];

Show all data in a table.

SELECT * FROM [table name];

Returns the columns and column information pertaining to the designated table.

show columns from [table name];

Show certain selected rows with the value "whatever".

SELECT * FROM [table name] WHERE [field name] = "whatever";

Show all records containing the name "Bob" AND the phone number '3444444'.

SELECT * FROM [table name] WHERE name = "Bob" AND phone_number = '3444444';

Show all records not containing the name "Bob" AND the phone number '3444444' order by the phone_number field.

SELECT * FROM [table name] WHERE name != "Bob" AND phone_number = '3444444' order by phone_number;

Show all records starting with the letters 'bob' AND the phone number '3444444'.

SELECT * FROM [table name] WHERE name like "Bob%" AND phone_number = '3444444';

Use a regular expression to find records. Use "REGEXP BINARY" to force case-sensitivity. This finds any record whose rec value begins with a (the original "^a$" pattern would only match a value that is exactly "a").

SELECT * FROM [table name] WHERE rec RLIKE "^a";

Show unique records.

SELECT DISTINCT [column name] FROM [table name];

Show selected records sorted in ascending (ASC) or descending (DESC) order.

SELECT [col1],[col2] FROM [table name] ORDER BY [col2] DESC;

Return number of rows.

SELECT COUNT(*) FROM [table name];

Sum a column (SUM takes a column name, not *).

SELECT SUM([column name]) FROM [table name];

Join tables on common columns. This joins the birthday from the person table onto each lookup row (keyed by the primary illustration id) via the shared personid column.

select lookup.illustrationid, lookup.personid, person.birthday from lookup left join person on lookup.personid = person.personid;

Switch to the mysql db. Create a new user by inserting a row into the user grant table (requires FLUSH PRIVILEGES afterwards, see below).

INSERT INTO user (Host,User,Password) VALUES('%','user',PASSWORD('password'));

Change a user's password (from the Unix shell).

[mysql dir]/bin/mysqladmin -u root -h hostname.blah.org -p password 'new-password'

Change a user's password (from the MySQL prompt).

SET PASSWORD FOR 'user'@'hostname' = PASSWORD('passwordhere');

Allow the user "bob" to connect to the server from localhost using the password "passwd".

grant usage on *.* to bob@localhost identified by 'passwd';

Switch to the mysql db. Give a user privileges for a db by inserting a row into the db grant table (requires FLUSH PRIVILEGES afterwards).

INSERT INTO db (Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES ('%','databasename','username','Y','Y','Y','Y','Y','N');

or

grant all privileges on databasename.* to username@localhost;

To update info already in a table.

UPDATE [table name] SET Select_priv = 'Y',Insert_priv = 'Y',Update_priv = 'Y' where [field name] = 'user';

Delete a row(s) from a table.

DELETE from [table name] where [field name] = 'whatever';

Reload the grant tables so rows inserted or updated directly (as above) take effect. GRANT and SET PASSWORD statements take effect immediately and do not need this.

FLUSH PRIVILEGES;
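As an added example (not part of the original cheat sheet), the same account-management steps done with the least privilege needed, followed by two audit queries against the grant tables. The database name appdb and the account 'appuser'@'localhost' are assumed.

```sql
-- Create the account with CREATE USER instead of inserting into mysql.user by
-- hand: the server hashes the password and no FLUSH PRIVILEGES is needed.
-- (appdb and appuser are assumed names.)
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'change-me';

-- Grant only the statements the application actually runs, and only on its
-- own database, instead of "grant all privileges on databasename.*".
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'localhost';

-- Confirm the effective grants for the account.
SHOW GRANTS FOR 'appuser'@'localhost';

-- Audit: accounts that may connect from any host, as created by the
-- INSERT ... VALUES('%', ...) rows above.
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- Audit: accounts holding server-wide FILE or SUPER privileges, which allow
-- reading/writing files on the server (LOAD DATA INFILE) and bypassing limits.
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- Take an over-broad grant back without dropping the account.
REVOKE ALL PRIVILEGES ON databasename.* FROM 'username'@'localhost';
```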

Delete a column.

alter table [table name] drop column [column name];

Add a new column to db.

alter table [table name] add column [new column name] varchar (20);

Change column name.

alter table [table name] change [old column name] [new column name] varchar (50);

Make a unique column so you get no duplicates.

alter table [table name] add unique ([column name]);

Make a column bigger (the new size must be larger than the current one, or existing values may be truncated).

alter table [table name] modify [column name] VARCHAR(50);

Delete the unique index from a table.

alter table [table name] drop index [column name];

Load a CSV file into a table.

LOAD DATA INFILE '/tmp/filename.csv' replace INTO TABLE [table name] FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' (field1,field2,field3);

Dump all databases for backup. The backup file is the SQL commands needed to recreate all the dbs (--all-databases is required; without a database name mysqldump has nothing to dump).

[mysql dir]/bin/mysqldump -u root -ppassword --opt --all-databases >/tmp/alldatabases.sql

Dump one database for backup.

[mysql dir]/bin/mysqldump -u username -ppassword --databases databasename >/tmp/databasename.sql

Dump a table from a database.

[mysql dir]/bin/mysqldump -c -u username -ppassword databasename tablename > /tmp/databasename.tablename.sql

Restore database (or database table) from backup.

[mysql dir]/bin/mysql -u username -ppassword databasename < /tmp/databasename.sql

Create Table Example 1.

CREATE TABLE [table name] (firstname VARCHAR(20), middleinitial VARCHAR(3), lastname VARCHAR(35), suffix VARCHAR(3), officeid VARCHAR(10), userid VARCHAR(15), username VARCHAR(8), email VARCHAR(35), phone VARCHAR(25), groups VARCHAR(15), datestamp DATE, timestamp TIME, pgpemail VARCHAR(255));

Create Table Example 2.

create table [table name] (personid int(50) not null auto_increment primary key, firstname varchar(35), middlename varchar(50), lastname varchar(50) default 'bato');


How to backup MySQL Database in command line

Normal Method. Note that a password given with -p on the command line is visible to other local users in the process list; a credentials file readable only by you avoids that.

$ mysqldump -hlocalhost -uUSERNAME -pPASSWORD -Q --opt --databases DATABASE > backup.sql

Compressed Method (useful if you have a bigger database). Redirecting to a file named .gz does not compress it; pipe the dump through gzip.

$ mysqldump -hlocalhost -uUSERNAME -pPASSWORD -Q --opt --databases DATABASE | gzip > backup.sql.gz


UK gov rethinks ID card database

THE LOSS OF 25 million citizens' records has forced the UK government to review its plans to introduce the national identity register, the foundation of its ID card scheme.

Data protection minister, yeah really, Michael Wills told parliament that it needed to learn some lessons from the loss of 25 million records. The government will scrutinise "everything" and assess things after it had done its peer.

The Home Secretary, Jacqui Smith, still thinks the register is important. Because you can link the biometric data in one database to biographical information in another, everything would be just hunky dory.

Under the plans, every man, woman and child in this country needs to be fingerprinted and photographed. Refuseniks face legal sanctions.


Daft users and insecure web apps dominate threat index

Cyber criminals and spies have shifted their focus of attack in response to improved security defences.

Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built applications, according to the latest annual threat landscape report by the SANS Institute.

The latest edition of the SANS Institute's Top 20 Internet Security Risks list, published Tuesday, highlights a shift away from traditional avenues of attack against flaws in commonly used software packages towards more customised and targeted assaults. Although the Top 20 focuses on emerging attack patterns, old-school vulnerabilities remain a problem.

Browser security bugs and the like are still being targeted by automated attack programs that scan the web for vulnerable systems. A new system can expect to survive only five minutes on the net before being attacked, according to experts at the SANS Institute's Internet Storm Centre.

Qualys, which markets tools that scan for vulnerabilities, reports a "huge jump" in the vulnerabilities in Microsoft Office products, up 300 per cent over the last 12 months. Excel vulnerabilities were the main factor in this growth, according to Amol Sarwate, manager of the vulnerability labs at Qualys.

Patching and standard defensive tools (such as firewalls and intrusion detection) go a long way towards fighting off attacks against software vulnerabilities. Defending against user stupidity or attacks against customised applications is a much harder task.

"For most large and sensitive organisations, the newest risks are the ones causing the most trouble," said Alan Paller, director of research at SANS. "The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organisations have, so far, been willing to implement."

Web application security is a particularly thorny issue because many developers know little about security. Once breached, web applications provide a handy avenue into the back-end databases that hold sensitive information.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications," Paller said.

Forty-three security experts from government, industry, and academia in a half dozen countries cooperated to produce the Top 20 threat list of the worst security risks. Suppliers agree that securing web applications is among the toughest challenges facing the industry.

"Although half the total vulnerabilities reported in 2007 are in web applications, it’s only the tip-of-the-iceberg," said Rohit Dhamankar, senior manager of security research for TippingPoint. "These data exclude vulnerabilities in custom developed web applications. Compromised websites provide avenues for massive client-side compromises via web browser, office documents and media player exploits. This vicious circle of compromise is proving to be harder to break each day".

As in past years, Qualys has released a tool that allows users to test computers for the elements on the Top 20 that lend themselves to remote testing.


Mozilla fixes Firefox flaws

Mozilla has released a new version of its Firefox browser containing some bug and security fixes.

Version 2.0.0.10 includes a memory error patch, better handling of digitally signed pages and a workaround to thwart hackers attempting to fake HTTP Referer headers.

"[Security researcher] Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the 'window.location' property," said Mozilla in a security advisory.

"This could be used to conduct a Cross-Site Request Forgery attack against websites that rely only on the Referer header as protection against such attacks."

Customers still using Firefox 1.5 are strongly advised to upgrade immediately, while those using version two should get updated automatically.

"If you already have Firefox 2.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates' from the Help menu," said Mozilla.

Mozilla released a beta of Firefox 3.0 on 20 November offering improved phishing protection, new antivirus software and parental control settings.


iTunes at risk for hacker attack

SAN FRANCISCO - A security flaw in Apple Inc's Quicktime media software can be taken advantage of by malicious programs, according to security researchers, making applications like iTunes that depend on the standard open to hacker attacks.

The flaw is found inside the Real Time Streaming Protocol (RTSP) on which Quicktime's servers and clients are built, according to the United States Computer Emergency Readiness Team (US-Cert). Unwary users who load rogue RTSP content, via a webpage or from a file, can give attackers access to their computers undetected, the agency warned.

Programs that depend on Quicktime, such as Apple's iTunes online media store, can potentially be compromised.

US-Cert is recommending users consider several workarounds to potentially minimize exposure to the RTSP vulnerabilities.

The workarounds include disabling QuickTime ActiveX controls on Internet Explorer, QuickTime plug-ins for Mozilla-based browsers, JavaScript, and file association for QuickTime files. Other suggestions include avoiding QuickTime files that come from untrusted sources.

Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.

Apple QuickTime versions 7.2 and 7.3 on Windows Vista and Windows XP Pro SP2 are both affected.


'Ethical' Kiwi hacker keeps Microsoft busy

A lone New Zealand hacker has triggered a security scare that had Microsoft software engineers in the United States working through their Thanksgiving holiday weekend to fix a design flaw in Windows software.

Beau Butler – who describes himself as an "ethical hacker" – revealed at NZ computer security conference Kiwicon earlier this month that the flaw was exposing millions of computers to hijacking by criminals.

Mr Butler told Melbourne's Age newspaper that he did not get any response to emails in which he tried to alert Microsoft to the problem before going public with his research.

"I assumed they were aware of the issue," he said. The "bug" was first recognised five years ago, but was supposed to have been fixed.

The design flaw meant a person could take control of vast numbers of home or office PCs around the world in a single attack, read data, steal passwords or use them to distribute spam or viruses.

Mr Butler said while testing the flaw, he found more than 160,000 computers in NZ were vulnerable.

Microsoft confirmed the issue was serious and asked the newspaper not to publish specific details over fears they could be misused.

Microsoft said it had engineers in Australia and the US working on the problem through the Thanksgiving holiday.


School officials unite in banning Wikipedia

EASTON, Pa. — Linda O'Connor regards Wikipedia the same way former first lady Nancy Reagan campaigned against drugs.

She urges people to "Just Say No."

The Great Meadows (N.J.) Middle School librarian hasn't been a fan of the online encyclopedia for years. This fall, she decided it was time to make others at her school aware of the Web site's pitfalls.

She put up a sign saying "Just Say 'No' to Wikipedia" over the computers in the school library.

Several other school officials feel similarly about the Web site. Wikipedia is blocked on all computers in the Warren Hills Regional School District.

Some teachers at Easton Area High School discourage its use, as do officials at Centenary College and Lehigh University.

"We don't see it as an authoritative source," said Nancy Madasci, Centenary's library director.

The problem with Wikipedia, the school officials said, is it can be modified by anyone. There have been many cases of incorrect information on the Web site, some of which has been biased.

Egregious errors

Warren Hills teachers and students have found at least two cases of incorrect information while using Wikipedia, said Dawn Moore, the high-school librarian. A teacher researching Martin Luther King Jr. found white supremacist information in his entry, she said. A student researching the Vietnam War found Wikipedia's casualty count far lower than the actual number of people killed in the conflict.

O'Connor said many of her students don't realize Wikipedia can contain inaccuracies.

"Kids just take it for gospel, they really do, and that's my concern about it," she said.

Wikipedia officials recognize the problems with using the Web site for research, said Sandra Ordonez, communications manager for Wikimedia Foundation, the nonprofit group behind Wikipedia. The company does not recommend using the Web site as a primary research source, she said.

"Not a primary source"

"The best way to use Wikipedia is to get a global picture of a topic," Ordonez said. "It's not a primary source, and in college, you probably should not be citing an encyclopedia."

Wikipedia can lead researchers to primary sources, as much of the Web site's content comes from such sources, she said.

Several school officials agreed Wikipedia is good to get overviews of topics.

Greg Reihman, the Lehigh faculty development director, encourages students to use the Web site "to get a quick snapshot or an initial sense of views as they are commonly understood," according to university spokeswoman Dina Silver Pokedoff.

Many students use Wikipedia because it's often one of the first Web sites to come up on search engines, according to Kris Dumschat, a high-school senior.

He said his English teacher last year warned students against using the Web site because of inaccuracies. Dumschat said he's sure some of his classmates got points off their research papers for using wrong information from Wikipedia.

"It never happened to me; I stay away from it," he said.

Madasci, the Centenary librarian, said the college also has students who favor the Web site. She said some incoming freshmen have to undergo "Wiki-shock" to learn not to use Wikipedia.

"We've seen freshmen come in and need to be trained to do appropriate research," she said. "Students will gravitate toward what's easy."


Wikipedia more dangerous than crack

Kids, just say 'no'.

A US SCHOOL librarian is treating the do-it-yourself online encyclopaedia Wackypedia like a drugs curse.

Linda O'Connor has blocked the site on the school's computers and stuck up signs all around the library saying "Just say no to Wikipedia". The motto was the same one that Nancy Reagan used for her campaign against drugs.

Soon to follow, we guess, are screenshots of a fried egg with the motto 'this is your brain on Wikipedia'.

O'Connor works for Great Meadows (N.J.) Middle School and says she has had worries about Wackypedia for ages. This was before it started banning entries of the names of famous people who its fake penis expert editors had not heard about.

She had the backing of teachers who also do not see Wackypedia as an authoritative source because it can be modified by anyone.

It all started when a teacher researching Martin Luther King Jr. found white supremacist information in the civil rights leader's entry. Then a student researching the Vietnam War found Wikipedia's casualty count had been lowered by someone who wanted kids to think that the war was a walk in the park.

O'Connor said many kids were dumb enough to take Wackypedia as if it had been handed down from a mountain by God on tablets of stone. This is when it is about as reliable as asking the cat its opinion.

When the Seattle Times asked a Wackypedia spokesperson what she thought of the ban, she agreed with it wholeheartedly.

Sandra Ordonez, communications manager for Wikimedia Foundation, said that the company does not recommend using the Web site as a primary research source either.

She said that the best you could manage is to get an overview of a subject, and in college you should not be quoting rubbish from encyclopaedias anyway.

Besides, being the one part of the universe where there is no Everywhere Girl just makes the whole encyclopaedia thing a farce.


Posted in | 0 comments

'Ethical' Kiwi hacker keeps Microsoft busy

A lone New Zealand hacker has triggered a security scare that had Microsoft software engineers in the United States working through their Thanksgiving holiday weekend to fix a design flaw in Windows software.

Beau Butler – who describes himself as an "ethical hacker" – revealed at NZ computer security conference Kiwicon earlier this month that the flaw was exposing millions of computers to hijacking by criminals.

Mr Butler told Melbourne's Age newspaper that he did not get any response to emails in which he tried to alert Microsoft to the problem before going public with his research.

"I assumed they were aware of the issue," he said. The "bug" was first recognised five years ago, but was supposed to have been fixed.

The design flaw meant a person could take control of vast numbers of home or office PCs around the world in a single attack, read data, steal passwords or use them to distribute spam or viruses.

Mr Butler said while testing the flaw, he found more than 160,000 computers in NZ were vulnerable.

Microsoft confirmed the issue was serious and asked the newspaper not to publish specific details over fears they could be mis-used.

Microsoft said it had engineers in Australia and the US working on the problem through the Thanksgiving holiday.


UK punters lose faith in phished brands

Email phishing attacks tarnish the reputations of targeted firms, according to a new UK survey. Two in five UK adults (42 per cent) quizzed feel that their trust in a brand would be "greatly reduced" if they received a phishing email purporting to represent it.

Despite this, the majority of respondents to YouGov's online survey reckon the responsibility for protection against phishing attacks lies with ISPs and individuals themselves, rather than the brands targeted by fraudulent emails.

One in four (26 per cent) of the 1,960 adults surveyed reckon the main responsibility for protecting against phishing attacks lies with themselves, with a similar percentage (23 per cent) responding that their ISP ought to bear the brunt of filtering spam emails. A further 17 per cent think the sender's ISP and email service provider hold the greatest responsibility in combating scam emails.

Phishing attacks commonly take the form of forged emails that attempt to trick consumers into disclosing their login credentials in response to bogus warnings that prospective marks need to respond to a "security check".

Many high street names have bought in technologies or developed internal systems to identify and take down websites associated with phishing attacks. Preventing fraudulent emails reaching users' inboxes in the first place would involve measures such as promoting free or discount security and email filtering packages.

The YouGov phishing survey was sponsored by anti-spam firm Cloudmark, which reports that .uk domains are the single most common target of phishing attack across Europe.

Security experts at ISPs said it was unfair for consumers to hold the targets of attacks responsible for the crud hitting their inboxes.

"Whilst awareness to the problem is essential, it is unrealistic to expect businesses to be able to secure themselves fully against such sophisticated criminal activities. The increasingly dynamic and transient nature of the latest threats requires a combination of desktop protection at the client level, and accurate message filtering from ISPs," said Nigel Stevens, product director at THUS.

Gone Vishing

Cloudmark reports that would-be fraudsters are taking advantage of VoIP systems to develop more convincing attacks. One recent email scam, for example, poses as a notification from a recipient's bank requesting that they ring customer services to deal with a problem.

"If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set-up on a compromised host," explained Neil Cook, UK technology chief at Cloudmark. "The system captures the user ID and pincode to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul to such threats."


Apple QuickTime exploit published

Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime.

Apple QuickTime versions 7.2 and 7.3 on Windows Vista and Windows XP Pro SP2 are both affected, according to an advisory originally posted on Milw0rm.com.

And because Apple's iTunes contains a component of QuickTime, installations of iTunes are also at risk, according to a security advisory by the United States Computer Emergency Readiness Team (US-Cert).

The security flaw is found in the Real Time Streaming Protocol (RTSP) support in Apple's QuickTime Streaming Server and QuickTime player, US-Cert notes. As a result, users who load a malicious RTSP stream via a QuickTime Media Link file or by visiting a malicious Web page may find their systems compromised. Malicious attackers, for example, could execute arbitrary code on users' systems or launch a denial-of-service attack.

Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.

US-Cert is recommending users consider several workarounds to potentially minimize exposure to the RTSP vulnerabilities. The workarounds include disabling QuickTime ActiveX controls on Internet Explorer, QuickTime plug-ins for Mozilla-based browsers, JavaScript, and file association for QuickTime files. Other suggestions include avoiding QuickTime files that come from untrusted sources.


Running queries on the HMRC database fiasco

Comment When it comes to talking about last week's data loss by the HMRC, I was told not to use precious words outlining my feelings of rage and bafflement that a government body can be so cavalier with so much data because, presumably, we all feel the same.

So I will simply note, for the record, that my gob has been totally smacked by this debacle. What I will do is to take a look at the technical elements of this case from the database/data perspective.

First, what was the data format?

Data transfer between systems is typically effected using a simple data format such as CSV or XML, especially if the target and source databases are hosted on different engines (XML seems less likely in this case since that would imply a department that had made it into the 21st century). It is also possible that a format such as an Access .MDB or an .XLS file was used and the data batched over several files. The bottom line is that it is unlikely to be the raw tables from an IMS database.

Of course, "they" won't tell us and, in fairness, they shouldn't. The disks are still missing and it would simply compound the disaster to supply information that would help any black hats that stumble across the data.

The bottom line is that until we are given evidence to the contrary, we can assume a fairly simple format.

Next, the level of encryption.

It is not clear how well the data was protected. Rather worryingly, the term being bandied around is "password protected" rather than "encrypted". The distinction matters: a "database password" on an Access file, or "protection" on a spreadsheet, is a flag the application checks, and the data on the disc is still there in the clear for anyone who reads the file with another tool; only encryption with a key derived from a secret makes the disc useless without it. Of course, the very fact that we are in the middle of this shambles tells us we are dealing with technically incompetent people, so they may simply not be able to distinguish between the terms. We are almost certainly not talking about RSA encryption here. However, as we are all aware, it is often the human element that torpedoes a technically secure system, and the anecdotal information coming out suggests this is an area of considerable concern.

The TimesOnLine reports that:

Shawn Williams, of Rose, Williams and Partners, a legal firm in Wolverhampton that deals with tax fraud cases, said his firm frequently received discs that contained personal data from the HMRC with the password included. 'Sometimes there is no security at all, sometimes there are instructions telling you how to access the data, sometimes the password is just written on a compliments slip and included with the disc'.
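The two questions above (what format, and is it encrypted or merely "password protected") are exactly the ones a data-handling control should answer before a disc leaves the building. The following is an added example, not anything HMRC ran: it sniffs the common transfer containers named above (CSV, XML, an Access .mdb, an OLE2 .xls, a zip), checks the zip local-header flag that distinguishes no encryption, legacy ZipCrypto and WinZip AES, and uses byte entropy as a last resort. All sample data is constructed; the NI numbers are fake.

```python
import hashlib
import io
import math
import struct
import zipfile

# Added example, not HMRC's code: a pre-shipment check that tells a
# plaintext export (or a file whose "password" is only a flag) from one
# that is actually encrypted. All sample data below is constructed.
JET_MAGIC = b"Standard Jet DB"                      # Access .mdb, at offset 4
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"
AES_METHOD = 99                                      # WinZip AE-x method marker


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, compressed data 7+, ciphertext ~8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_csv(data: bytes) -> bool:
    """Printable ASCII with a consistent comma count per line."""
    try:
        lines = [l for l in data.decode("ascii").splitlines() if l.strip()]
    except UnicodeDecodeError:
        return False
    commas = {l.count(",") for l in lines[:20]}
    return len(lines) >= 2 and len(commas) == 1 and commas.pop() >= 1


def classify(data: bytes) -> dict:
    """Identify the container and whether its contents are really encrypted."""
    fmt, protection = "unknown", "none"
    if data.startswith(ZIP_MAGIC):
        fmt = "zip"
        flags, method = struct.unpack_from("<HH", data, 6)   # local file header
        if flags & 0x0001:                                   # bit 0: encrypted entry
            protection = "aes" if method == AES_METHOD else "zipcrypto"
    elif data[4:19] == JET_MAGIC:
        fmt = "access-mdb"   # an .mdb "database password" leaves table pages in clear
    elif data.startswith(OLE2_MAGIC):
        fmt = "ole2"         # sheet/workbook "protection" is a flag, not encryption
        protection = "unknown"
    elif data.lstrip().startswith(b"<?xml"):
        fmt = "xml"
    elif looks_like_csv(data):
        fmt = "csv"
    ent = shannon_entropy(data)
    if fmt == "unknown" and ent >= 7.5:
        protection = "unverified-high-entropy"
    return {"format": fmt, "protection": protection, "entropy": round(ent, 2)}


def verdict(data: bytes) -> str:
    """BLOCK anything readable or only ZipCrypto-protected (known-plaintext
    attacks), ALLOW verified AES, send the rest to a human."""
    p = classify(data)["protection"]
    if p in ("none", "zipcrypto"):
        return "BLOCK"
    if p == "aes":
        return "ALLOW"
    return "REVIEW"


# Constructed samples (fake identifiers, not real records).
CSV_SAMPLE = (b"ni_number,surname,dob,sort_code,account\n"
              b"QQ123456C,Example,1970-01-01,00-00-00,00000000\n"
              b"QQ654321A,Sample,1980-02-02,00-00-00,11111111\n")


def _plain_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, payload)
    return buf.getvalue()


def _zip_header(flags: int, method: int) -> bytes:
    # Local file header only (30 bytes); enough for the flag/method check.
    return struct.pack("<4sHHHHHIIIHH", ZIP_MAGIC, 20, flags, method,
                       0, 0, 0, 0, 0, 0, 0)


PLAIN_ZIP = _plain_zip("export.csv", CSV_SAMPLE)
ZIPCRYPTO_ZIP = _zip_header(0x0001, 8)
AES_ZIP = _zip_header(0x0001, AES_METHOD)
MDB_SAMPLE = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 64
RANDOM_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(128))   # stands in for real ciphertext
```

Entropy alone is a weak signal (a zip is high-entropy whether or not it is encrypted), which is why the container checks come first and a bare high-entropy blob only earns REVIEW rather than ALLOW.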


Finding and exploiting holes in software features

Finding exploits in software features

With the holiday season fast approaching, and being so in the spirit of giving, I thought I’d compile a list of the top features that led to security issues I discovered with co-researcher Billy Rios.

With the New Year on its way, this should give the developers out there a chance to come up with some New Year’s resolutions regarding the lessons learned from a year in the wild world of computer security.

Picasa’s Button Import Feature and Built-in Web Browser/Server

Google’s Picasa includes a button import feature that can be accessed from a URI. This feature is actually quite useful, as it allows a user to click a link and import an XML description of a button into Picasa that, when clicked, will post images to Tabblo or Flickr albums. This is done with a Java applet that requires user interaction before upload.

Unfortunately, URIs are also accessible to attackers through cross-site scripting (XSS), so an attacker can XSS a Picasa user, load Flash which doesn’t do DNS pinning (this JUST missed our list), and then steal the user’s images without any interaction or confirmation.

I use Picasa to modify my pictures, but I can’t help worrying about the built-in web browser and web server that Picasa includes. Sure, the server is bound to the local loopback, but we can access it through Flash loaded in Picasa’s built-in browser as mentioned above. We could use the Flash we loaded in the built-in browser to attack the built-in server as well, which may lead to more vulnerabilities.

Starting web servers on the local loopback appears to be a design pattern for Google as Google Desktop does the same. From a features standpoint, this may provide a rich environment for extending applications. It’s important to consider the task at hand, and in the case of an application that is being used for photo editing, I have a hard time finding justification for having any service running.

Google Documents

Not to pick on Google here (they actually have a great security team) but the concept of Google Documents must not have been discussed with them. If it isn’t a big enough security risk to have Google taking ownership of your documents, Billy and I have discovered a couple of holes that allow attackers to steal any documents we can guess the “doc_id” of, which is actually a predictable value.

Feature rich applications that offer people excellent functionality are great, but the privacy implications of putting potentially sensitive documents into the hands of a web application that is accessible by millions are monumental. Perhaps a better solution would’ve been to give users the option to do offline editing and keep their documents local.

The “firefoxurl” URI and the “-chrome” Argument

The firefoxurl URI opens Firefox and points it to a URL. Because the whole URI is handed to firefox.exe on its command line, an attacker who can trigger that URI from an XSS vector can start an instance of firefox.exe and control what gets passed to it. Since these values weren’t sanitized, an attacker could inject additional command line arguments by breaking out of the current argument with a double quote character.

Alone this may not have been a major concern; however, Firefox also accepts the -chrome argument, which allows arbitrary chrome JavaScript code to be passed to Firefox. This allows us to run arbitrary commands.

These features do not seem to be necessary for normal users. If this were a necessary feature, the user supplied input should have been sanitized before it was passed to the command line.

Trillian’s “aim” URI

“Hold on. The ini argument writes to the file it specifies?!” That was what Billy asked me over an IM session several months ago. “Yeah, I can control where it writes a file to,” I responded. “Can you write content to it?” Billy asked. “No! That would be crazy,” I replied.

WRONG! I could write arbitrary content to any file, including a batch script in the startup folder. This seemingly harmless option led to a command injection through XSS. This functionality should’ve just been hard-coded into the application. The same URI proved to be vulnerable to a stack overflow, as user supplied input from the URI was not bounds checked.
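The firefoxurl and aim: cases above are the same bug class: a browser hands an attacker-controlled URI to a registered handler by substituting it into a command line, and whatever the handler's argument parser makes of it is what the program receives. The following is an added example, not the researchers' code. HANDLER_TEMPLATE is a hypothetical registration string in the style Windows uses for URI handlers (the %1 is replaced with the whole URI), win_argv reproduces the documented CommandLineToArgvW quoting rules so you can see the resulting argv, and the -chrome payload is illustrative rather than the researchers' actual string. The hardened builder shows the fix the article asks for: reject anything outside the URI character set and verify the URI arrives as exactly one argument.

```python
import re

# Added example, not the researchers' code. HANDLER_TEMPLATE is hypothetical,
# modelled on how Windows URI handlers are registered: %1 becomes the URI.
HANDLER_TEMPLATE = 'firefox.exe -url "%1" -requestPending'

# Illustrative payload: break out of the quoted -url argument and add a switch.
ATTACK = 'firefoxurl://example.test" -chrome "javascript:alert(1)'


def win_argv(cmdline: str) -> list:
    """Tokenise like CommandLineToArgvW: whitespace splits outside quotes,
    '"' toggles quoting, 2n backslashes before '"' give n backslashes,
    2n+1 give n backslashes plus a literal quote."""
    argv, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n += 1
                i += 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2:               # odd run: the quote is literal
                    cur.append('"')
                    i += 1
            else:                       # backslashes not before a quote are literal
                cur.append("\\" * n)
            have_arg = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        argv.append("".join(cur))
    return argv


def build_vulnerable(uri: str) -> list:
    """What the flawed handler effectively did: paste the raw URI into %1
    and let the target parse whatever came out."""
    return win_argv(HANDLER_TEMPLATE.replace("%1", uri))


# RFC 3986 character set: no '"', space, backslash or control characters.
URI_CHARS = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")


def build_hardened(uri: str) -> list:
    """Whitelist the URI syntax, then confirm it survives as one argument."""
    if not URI_CHARS.fullmatch(uri):
        raise ValueError("rejected: characters outside the URI character set")
    argv = win_argv(HANDLER_TEMPLATE.replace("%1", uri))
    if argv != ["firefox.exe", "-url", uri, "-requestPending"]:
        raise ValueError("rejected: argument injection detected")
    return argv


if __name__ == "__main__":
    print("vulnerable:", build_vulnerable(ATTACK))
    try:
        build_hardened(ATTACK)
    except ValueError as e:
        print("hardened:", e)
```

The second check in build_hardened is deliberately redundant with the whitelist: if someone later loosens the regex, the argv comparison still catches a URI that turned into two arguments.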

So, what lessons have we learned this year? Well, the number of features is directly proportional to the amount of attack surface, and with URI abuse, it’s even worse since it can be exploited through XSS. Some of these flaws should’ve been caught during a Secure SDLC process and it is amazing more companies are not performing these.

Considering XSS can allow scanning/attacking of internal machines, exploit memory corruption issues and command injections, and perform data theft, it can’t possibly be ignored. Claiming XSS is not an issue is akin to believing that global warming is not an issue.

We are a long way from having all applications go through a secure design review. We’re even further away from the day where security wins out over features.

* Nate McFeters is a Senior Security Advisor for Ernst & Young’s Advanced Security Center. He has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500.


Researchers warn of AV software risks

The vulnerabilities in antivirus software make the programs as much a threat as a help to corporate network security, two German security experts argued in a presentation released last week.

The researchers -- Sergio Alvarez and Thierry Zoller, both of German security firm N.runs -- have taken antivirus companies to task for a large number of vulnerabilities the two discovered in how virus scanners parse potentially malicious files. While antivirus software is a typical piece of companies' defense-in-depth strategy, security holes in the software could allow an attacker to bypass other defenses, the pair argued.

"Current AV DiD (antivirus defense-in-depth) implementations define 'the worst possible way' an antivirus product may fail as 'Fails to detect a threat' or 'Fails to detect a virus,' whereas in reality the worst possible way is a more severe one: Compromise of the underlying OS (operating system) through the antivirus engine," Alvarez and Zoller stated in the presentation posted (PDF) last week, but delivered last month at the Hack.lu conference in Luxembourg.

Over the last two years, security researchers have found a large number of vulnerabilities in antivirus software. In 2004, the Witty worm showed just how devastating such a flaw could be. The worm spread using a flaw in intrusion detection software made by Internet Security Systems, now part of IBM.

Alvarez and Zoller found more than 80 parsing vulnerabilities in various antivirus products. The duo apparently see the software flaws as a market opportunity: N.runs plans to release a product to protect against antivirus parsing vulnerabilities, and the contact information at the end of the presentation includes the e-mail address of the company's director of software sales.

Symantec, the maker of antivirus programs for consumers and companies, is the owner of SecurityFocus.


Win XP also prone to random number bug

Microsoft has conceded that the pseudo-random number generator used by Windows XP suffers the same security shortcomings as the one in Windows 2000.

Israeli researchers recently discovered it was possible to predict the output of the random-number generator built into Windows 2000 after first determining the internal state of the generator. Random numbers are a critical sub-component of cryptographic functions, such as the generation of keys used for SSL exchanges.

Windows XP - but not Windows Vista - is subject to the same problem, Microsoft admits. However the software giant has no plans to release a fix until Windows XP Service Pack 3 in the first half of 2008.

Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random number would be the least of a user's worries. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," a company spokesperson told Computerworld. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP."
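Why "determining the internal state" is the whole attack is easiest to see with a toy. The following is an added example and is not Windows' generator or the researchers' code: a deterministic generator whose outputs are a hash of (key, counter). An attacker who snapshots that state reproduces every later output, which is exactly what an SSL key generated from it would be made of, until fresh entropy is mixed into the key. The design and names are the example's own.

```python
import hashlib
import os

# Added example, not Microsoft's generator: a toy deterministic generator
# showing why recovering the internal state is the whole attack.


class ToyGenerator:
    """Outputs are H(key || counter). Whoever knows (key, counter) knows every
    output until the key is replaced using fresh entropy."""

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0

    def next_bytes(self) -> bytes:
        out = hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return out

    def snapshot(self) -> tuple:
        """What an attacker with read access to the process sees."""
        return (self.key, self.counter)

    def reseed(self, entropy: bytes) -> None:
        """Mix fresh entropy in; any captured copy of the state is now stale."""
        self.key = hashlib.sha256(b"reseed" + self.key + entropy).digest()
        self.counter = 0


def predict_from_snapshot(snapshot: tuple, n: int) -> list:
    """Attacker side: rebuild the generator from captured state, no seed needed."""
    clone = ToyGenerator.__new__(ToyGenerator)
    clone.key, clone.counter = snapshot
    return [clone.next_bytes() for _ in range(n)]


def demo() -> dict:
    gen = ToyGenerator(os.urandom(32))
    gen.next_bytes()                            # some earlier use of the generator
    captured = gen.snapshot()                   # state read out at this moment
    predicted = predict_from_snapshot(captured, 4)
    actual = [gen.next_bytes() for _ in range(3)]
    gen.reseed(os.urandom(32))                  # fresh entropy arrives
    return {
        "predicted_matches": predicted[:3] == actual,       # True: fully predictable
        "predicts_after_reseed": predicted[3] == gen.next_bytes(),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The lesson for callers is the one Microsoft's statement sidesteps: the window of predictability runs from the state read until the next reseed, so how often a generator folds in new entropy, and whether a compromised machine ever gets to that point, decides how many keys an attacker walks away with.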


Justice Department Defends Use of Cell-Phone Tracking Data

WASHINGTON — The Justice Department says it has no interest in tracking law-abiding citizens by their cell phone movements, a possibility raised in new reports Friday.

The Washington Post reported that federal officials increasingly are seeking real-time data from telecommunications companies in order to track criminal suspects such as drug traffickers, raising eyebrows among civil liberties advocates who fear that innocent citizens could get caught up in the investigations.


The Post reports that in some cases, courts are granting the request without probable cause, despite Justice Department guidelines saying that investigators should meet that standard.

The Justice Department issued a broad statement Friday, saying: "Law enforcement has absolutely no interest in tracking the locations of law-abiding citizens. What we're doing is going through the courts to lawfully obtain data that will help us locate criminal suspects, sometimes in cases where lives are literally hanging in the balance, such as a child abduction case or a serial murderer on the loose."

In the end, Justice spokesman Dean Boyd said that "the courts determine whether or not this data can be turned over to law enforcement," according to the release.

Boyd also said the department believes that in some cases it is sufficient to get a court order based on a standard of "specific and articulable facts" rather than "probable cause" for certain information like the location of an antenna tower that a suspect is using.

"This type of location information — which even in the best case only narrows a suspect's location to an area of several city blocks — is routinely generated, used, and retained by wireless carriers in the normal course of business," Boyd said.

"With respect to obtaining data from a carrier that is potentially capable of identifying a suspect's precise location in a private area not accessible to the public, the Justice Department strongly recommends that field prosecutors obtain a court order based on the probable cause standard," he added.

Most new cell phones can be turned into specific tracking devices for their owners. It's been possible to estimate a caller's location by tracking tower signals, but the federal government is putting in place the enhanced 911 (E911) system to allow emergency responders to locate phones.

Several phone service providers are already marketing this service as way to help track their children, spouses and employees.


How to Install Real VNC

RealVNC allows you to access your PC from any network connected PC. Here, I'll show you how to install and configure RealVNC in an easy step-by-step way that even my mother could do =)

First, go to the RealVNC web page (http://www.realvnc.com/) and download the free version. I won't cover the Enterprise version here because if you need the Enterprise version, and you are reading this, then you should consult your systems administrator. The free version of RealVNC is good enough for most purposes.

Currently, the RealVNC web site requires that you select an appropriate platform. The download page is at http://www.realvnc.com/download-free.html. Select "Windows 9x/2000/NT/XP (x86)" under "Installable packages" and "Documentation" under "Source code & documentation". Make sure that you download the full version and NOT the "viewer program only". You will need both the server and the "viewer". (Although they refer to a "viewer" program at RealVNC, here we will use the term "client" instead.)

If you need a program to unzip the files, you can get ALZip for free at http://www.altools.net. It's an excellent archiving and compression tool and I highly recommend it. (I kissed WinZip goodbye years ago when I found ALZip.)

Once you've downloaded it, double-click the EXE file. You'll see an installer setup screen like this:


Click Next to see this screen:


Read the license agreement, then agree to it and click Next.


Make sure that the path is correct for your system. If in doubt, then it is correct. (Default values are almost always correct for most programs.) Click Next.


This is where it gets a bit tricky... A "Server" is where you get the information from, and in this case, this would be the PC that you want to connect TO. A "Client" is the computer that requests the information, and in this case, any computer that you want to connect FROM, e.g. the office, school, a friend's house, etc.

Leave both checked for now. This will allow you to use all of RealVNC's features.

Click Next.


The defaults for this screen will be correct unless you are a power-user and have things configured to your own special tastes. Click Next.


Choices, choices, choices... If you actually care about reliability, leave the defaults here, i.e. Yes, you want VNC to run as a service. (Windows "Services" are equivalent to UNIX "daemons". If you don't understand that, don't worry - just be happy and click Next.)

Icons on the Desktop and in the Quick Launch are nice things to have. Check them if you like those conveniences.

Click Next.


The "Ready to Install" screen lists all of your installation options. Check to make sure that they are correct (as I've detailed above), then click the "Install" button. We're almost done =)

Click "Install".

At this point you need to start making important decisions that are personal to you. The defaults are fine, but setting a password is essential. Make it at least 8 characters long and mix in at least one upper case letter or number. Two caveats: classic VNC authentication only uses the first 8 characters of the password, so anything beyond that is ignored, and the Free Edition encrypts neither the password exchange nor the session. Don't leave port 5900 open to the internet; tunnel it over SSH or a VPN, or firewall it to the addresses you connect from.

Click the Desktop tab.

Check anything under "While connected" to provide minor performance improvements. This is only important on slower connections and slower CPUs.

Under "When last client disconnects", check "Do nothing" or, if you use a password to log on to your computer, "Lock workstation" (the better choice, since it stops anyone at the console picking up your session).

These settings are optional and the defaults should be fine for most people.

Click OK.

If you did not specify a password, you are prompted.

Click OK.

Enter a secure password and click OK.


Almost finally... Read the little blurb there. Those guys did a lot of work to give this to you for free, so perhaps you can spare a couple minutes for them. Click Next.


Finally, click Finish.
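Once the service is running you should confirm from the client side what it is actually offering. The following is an added example, not RealVNC's code: a read-only probe that speaks the first two steps of the RFB (VNC) protocol, the version banner and the server's list of security types, and rates what it finds. Type 1 ("None") means anyone who can reach the port gets your desktop; type 2 is the DES challenge-response tied to that 8-character password. Hostnames and the rating thresholds are the example's own.

```python
import socket
import struct

# Added example, not RealVNC's code: probe the RFB handshake and report
# which authentication a VNC server will accept.
SECURITY_TYPES = {
    1: "None (no authentication at all)",
    2: "VNC Authentication (DES challenge; first 8 password chars only)",
    5: "RA2 (RealVNC, encrypted)",
    6: "RA2ne (RealVNC, no encryption)",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner: bytes) -> tuple:
    """b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def _reason(buf: bytes) -> str:
    (rlen,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + rlen].decode("latin-1", "replace")


def parse_security_types(version: tuple, payload: bytes) -> list:
    """Security types offered after the version exchange.
    3.3 sends one U32; 3.7+ sends a U8 count followed by U8[count]."""
    if version <= (3, 3):
        (stype,) = struct.unpack("!I", payload[:4])
        if stype == 0:                       # connection refused + reason string
            raise ConnectionError(_reason(payload[4:]))
        return [stype]
    count = payload[0]
    if count == 0:
        raise ConnectionError(_reason(payload[1:]))
    return list(payload[1:1 + count])


def assess(types: list) -> str:
    """Worst case wins: if 'None' is on offer the password is irrelevant."""
    if 1 in types:
        return "CRITICAL: unauthenticated access offered"
    if types and all(t == 2 for t in types):
        return "WEAK: DES challenge-response only, session unencrypted; tunnel over SSH/VPN"
    if any(t in (5, 18, 19) for t in types):
        return "OK: an encrypted security type is available"
    return "REVIEW: " + ", ".join(SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types)


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> tuple:
    """Connect, exchange versions, read the security-type list, disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(s.recv(12))
        s.sendall(b"RFB %03d.%03d\n" % version)   # accept the server's version
        types = parse_security_types(version, s.recv(256))
    return version, types, assess(types)


if __name__ == "__main__":
    print(probe("127.0.0.1"))   # run against the machine you just set up
```

Running it against your own box before you open a firewall hole takes a second and tells you whether the password you set actually gates anything.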
