MSBlast epidemic far larger than believed
By Robert Lemos
Staff Writer, CNET News.com
Story last modified April 2, 2004, 5:02 PM PST
New data from Microsoft suggests that at least 8 million Windows computers have been infected by the MSBlast, or Blaster, worm since last August--many times more than previously thought. The latest data comes from the software giant's ability to track the usage of an online tool that its engineers created to clean systems infected with the worm. Since the January release of the tool, more than 16 million of the systems that connected to Microsoft's Windows Update service were found to be infected with MSBlast and were offered a patch and the use of the disinfecting tool, the software giant told CNET News.com. During the same period, about 8 million systems actually called on Update to patch them and prevent reinfection and used the special tool to remove the worm.
More....
Google mail is evil - privacy advocates
By Andrew Orlowski in San Francisco
The Register
This week should have seen a public relations triumph for Google. The company began offering a free e-mail service with 100 times as much storage as Yahoo's $59.99 service. Instead the criticism has taken Google by surprise, as privacy advocates who had never before voiced criticism stepped forward. Google has previously responded to privacy concerns by saying, "we're nice, trust us" or pointing users to the company's mission statement of "do no evil". Such trite sentiments didn't work this time; even The Drudge Report piled in.
Google executives had ignored a fierce internal debate over the ethics of the service and on Wednesday afternoon rushed out a jokey April 1 press release, ostensibly to trump a New York Times scoop.
But it isn't so much Google searching email that has caused the anxiety from privacy watchdogs this week, as the company's confused retention policy. What will Google do with that data?
More....
New Netsky variant blames users
Netsky.Q first appeared today and is spreading
News Story by Paul Roberts
Computerworld
MARCH 29, 2004 (IDG NEWS SERVICE) - A new version of the Netsky e-mail worm is on the
loose. It's programmed to launch a distributed denial-of-service
attack on peer-to-peer networks, contains a message blaming users
for spreading viruses and says Netsky's authors want to stop
hacking and illegal file trading, antivirus software companies
warned. Netsky.Q first appeared today and is spreading on the
Internet. It is the 17th variant of the worm to be released since
Netsky first appeared in February, antivirus companies said.
The Q variant arrives in e-mail file attachments with .pif
(Program Information File) or .zip file extensions. Netsky also
tries to exploit a long-patched Microsoft Corp. security hole that
allows file attachments to be launched automatically when the
e-mail message is read, according to F-Secure Corp. in Helsinki.
More....
Cisco warns of new hacking tool kit
The Cisco Global Exploiter uses exploits for nine software vulnerabilities
News Story by Paul Roberts
MARCH 29, 2004 (IDG NEWS SERVICE) - Cisco Systems Inc. has
warned customers about the public release of computer code that
exploits multiple security vulnerabilities in Cisco products.
Using exploits for nine software vulnerabilities, the program
could allow malicious hackers to compromise Cisco's popular
Catalyst switches or a wide variety of machines running versions
of the company's Internetwork Operating System (IOS), the
networking equipment vendor said Saturday.
Called the Cisco Global Exploiter, the program appears to give
users a menu of choices, depending on the system they are trying
to crack. It offers, for example, the "Cisco 677/678 Telnet
Buffer Overflow Vulnerability" or the "Cisco Catalyst
3500 XL Remote Arbitrary Command Vulnerability," according to
the Web site, www.k-otik.com. Computer code for a program matching
the description in the Cisco security notice was posted on the
French-language computer security exploit site yesterday.
While many of the exploits can be used only to shut down affected
Cisco devices in denial-of-service attacks, at least one enables
remote attackers to run malicious code on the affected system
without needing a username or password, according to the Cisco
security notice. More....
Programmers told to put security over creativity
By Robert Lemos
Staff Writer, CNET News.com
Story last modified April 1, 2004, 4:07 PM PST
Certification for programmers, better education and even new
laws are needed to improve software security, stated a report
published Thursday by a coalition of corporate security experts,
academic researchers and government agencies.
The report--the third of five expected to be published in March
and April by the National Cyber Security Partnership--proposes
changes to education, software development and patching as well as
incentives to convince software makers to improve the security of
their wares.
The broad swath of initiatives is needed to help companies
improve the quality of their software, said Scott Charney, chief
security strategist for Microsoft and co-chairman of the Security
Across the Software Development Life Cycle Task Force.
"There is no silver bullet for making software secure,"
he said in a statement. More....
Windows Server 2003 security questioned
Infoconomy
5 April 2004
A technology analyst is disputing Microsoft's claims that Windows Server 2003 is more secure than its predecessors.
On 1 April, Microsoft chairman Bill Gates sent a letter to
customers, citing a big fall in the number of 'critical' or
'important' security alerts that have been issued since the latest
version of its operating system, Windows Server 2003, was
released.
Gates claimed that during its first 320 days, Windows Server 2003
was the subject of nine serious alerts -- or an average of one
every five weeks. However Windows 2000 Server, the previous
version of the software, had 40 serious alerts during its first
320 days.
But Joe Wilcox, an analyst with Jupiter Research's Microsoft
Monitor, claims that Gates has dramatically exaggerated the
improvement in security vulnerabilities, since the way that
Microsoft classifies security alerts has been changed between the
time of Windows 2000 Server and Windows Server 2003. More....
The Future of Phishing
by Dr. Jonathan Tuliani - UK Technical Manager for Cryptomathic Ltd. - Monday, 5 April 2004.
This article examines how attackers are likely to respond to the
current move towards 2-factor authentication as a defence against
phishing scams, and describes an alternative approach, available
today, that provides a longer-term solution.
In recent months, newspaper and television reports have
highlighted how highly-organised criminal gangs are launching
large-scale, carefully planned attacks against high-street banks
and other services, both in the UK and overseas. These so-called 'phishing'
attacks begin with an email. Appearing to come from the bank, it
leads the recipient to a convincing web page, at which point he is
tricked into entering his username and password.
Of course the web page has been set up by the attacker and does
not belong to the bank at all. Once obtained, these details are
used by the attacker to log in to the user's account and drain it
of funds. More....
Forrester questions Linux security
Matthew Broersma, Techworld.com
05/04/2004 16:20:23
A new study from Forrester Research has concluded that the Linux
operating system is not necessarily more secure than Windows. The
report finds that on average, Linux distributors took longer than
Microsoft to patch security holes, although Microsoft flaws tended
to be more severe.
But leading Linux vendor Red Hat said that while Forrester's
underlying figures were sound, its conclusions didn't give an
accurate idea of relative security, as they failed to distinguish
between patch times for critical updates and routine, obscure
problems.
The report arrives in the midst of a fierce debate around the
relative merits of Linux and Windows, and follows a number of
reports perceived to have been slanted in Microsoft's favor. Last
October, Forrester forbade its customers to publicize studies they
had commissioned; it made the move partly because of criticism of
a report from Forrester subsidiary Giga Research that found some
companies saved money by developing with Windows rather than
Linux. Forrester said it stood by the integrity of the study, but
had erred in allowing Microsoft to use it in anti-Linux
advertising.
Forrester's report may lend credibility to Microsoft's ongoing
efforts to play down security concerns about its software. A new
tactic in that battle has been to compare how long it takes for
various operating system vendors to patch flaws -- the "days
of risk" for each operating system. Microsoft's argument is
simple, said Bradley Tipp, Microsoft's National Systems Engineer
for the U.K., last autumn: "Open source systems are likely to
be at risk for more days than Windows systems." More....
Wiping Old Hard Disks Clean
Mark Joseph Edwards
Winnet Magazine
March 31, 2004
A component that's typically changed during computer upgrades is
the hard disk. Users run out of space and need a larger disk,
particularly if their existing disks are somewhat old and
therefore probably have less capacity.
Swapping out disks or complete systems is common, but I wonder
whether you wipe clean your old disks before sending them off for
recycling or resale. If you do wipe the disks, are you sure that
data can't be recovered from them?
Some people might think that simply using Fdisk to destroy
partitions is a good enough technique for eliminating data. After
all, if the partitions are gone, who could recover the data,
right? Wrong. Fdisk changes only partition tables--it doesn't
touch the other sectors on the drive. So any data that users
stored on those other sectors is still there, which means that
someone with a little knowledge could recover that data.
More....
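As an added illustration of the point above (example code written for this digest, not from the Winnet Magazine article): a toy MBR disk image in Python, in which clearing the partition table the way Fdisk does leaves the file contents untouched and a byte-by-byte scan still finds them, while overwriting every sector does remove them. The image, its single partition entry and the "CONFIDENTIAL" marker are constructed sample data; `fdisk_delete_partitions`, `carve`, `wipe` and `verify_wiped` are hypothetical helper names chosen for this example.

```python
import os

SECTOR = 512
PART_TABLE_OFFSET = 446      # classic MBR: four 16-byte partition entries at bytes 446..509
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
SECRET = b"CONFIDENTIAL-PAYROLL-2004"   # constructed marker standing in for user data


def build_image(num_sectors=64, secret=SECRET):
    """Construct a toy disk image (constructed sample, not a real disk):
    sector 0 is an MBR with one partition entry, the marker sits in sector 10."""
    img = bytearray(num_sectors * SECTOR)
    entry = bytearray(16)
    entry[0] = 0x80                                    # bootable flag
    entry[4] = 0x06                                    # partition type: FAT16
    entry[8:12] = (1).to_bytes(4, "little")            # LBA of first sector
    entry[12:16] = (num_sectors - 1).to_bytes(4, "little")  # size in sectors
    img[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    img[510:512] = MBR_SIGNATURE
    data_offset = 10 * SECTOR
    img[data_offset:data_offset + len(secret)] = secret
    return img


def list_partitions(img):
    """Parse the MBR the way a partition tool would; return (type, lba_start, sectors)
    for every non-empty entry."""
    parts = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        e = img[start:start + 16]
        if e[4] == 0:                                  # type 0 = unused entry
            continue
        parts.append((e[4],
                      int.from_bytes(e[8:12], "little"),
                      int.from_bytes(e[12:16], "little")))
    return parts


def fdisk_delete_partitions(img):
    """Mimic 'delete all partitions' in Fdisk: only the 64-byte partition table is
    cleared. Every other sector of the drive is left exactly as it was."""
    img[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64] = bytes(64)


def carve(img, marker):
    """Ignore the partition table entirely and scan every byte of the image.
    Returns the sector number holding the marker, or None if it is gone."""
    pos = img.find(marker)
    return None if pos < 0 else pos // SECTOR


def wipe(img, random_passes=1):
    """Overwrite every sector: random passes first, then a final zero pass so
    the result can be verified cheaply."""
    for _ in range(random_passes):
        img[:] = os.urandom(len(img))
    img[:] = bytes(len(img))


def verify_wiped(img):
    """The check to run before a disk leaves your hands: no non-zero byte anywhere."""
    return not any(img)


if __name__ == "__main__":
    disk = build_image()
    print("partitions before:", list_partitions(disk))
    fdisk_delete_partitions(disk)
    print("partitions after Fdisk-style delete:", list_partitions(disk))
    print("marker still found in sector:", carve(disk, SECRET))
    wipe(disk)
    print("marker after full overwrite:", carve(disk, SECRET), "| wiped:", verify_wiped(disk))
```

Run it and the partition list goes empty after the Fdisk-style delete while `carve` still reports the marker in sector 10; only after `wipe` does the scan come back empty and `verify_wiped` return true. On a real drive the equivalent check is reading the device back and confirming it contains nothing but the overwrite pattern.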
Vulnerabilities