Vulnerabilities & attacks

Hacking with no technology

NEW YORK--The typical image of a hacker is a kid hunched over his keyboard in the wee hours of the night staring at commands on his computer screen that unlock the secrets of the national government.

But, according to someone who knows better, the woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company's confidential sales data could be just as dangerous.

One of the more fascinating talks at the Last HOPE hacker conference this weekend was by Johnny Long, a security researcher who hacks, writes books on … Read more

Social Engineering 101: Mitnick and other hackers show how it's done

NEW YORK--Kevin Mitnick knows that the weakest link in any security system is the person holding the information.

As a young fugitive hacker, he went to jail for breaking into computer networks, mostly by using his cunning and persuasion rather than his tech skills. He was an early master of the science of social engineering--manipulating people into doing what you want, such as giving out passwords and other information that unlocks sensitive information on networks.

Mitnick and a panel of other hackers discussed their social engineering pranks and gave live demonstrations at the Last HOPE (Hackers on Planet Earth) conference late … Read more

Dutch court allows publication of Mifare security hole research

Updated 8:30 a.m. PDT with researcher comment and photos. Updated 11:17 a.m. with NXP comment.

NEW YORK--A Dutch court ruled on Friday that a university can publish an article on security flaws in the Mifare Classic wireless smart card chip, the most popular chip used in transit systems around the world.

NXP Semiconductors, formerly Philips Semiconductors, sued to prevent computer science professor Dr. B. Jacobs of Radboud University Nijmegen from publishing a scientific paper on the technology, arguing that it would be irresponsible to make the information public.

The Rechtbank Arnhem court ruled that prohibiting publishing … Read more

HOPE conference highlights everyday hacking

Updated July 18, 7:52 AM PDT with more details about live radio broadcast

NEW YORK--From sessions on how to create fluorescent mice and crack safes to discussions on losing your privacy in a taxi and complaints about Wikipedia, the Last HOPE conference starting here Friday has something for just about everyone.

The conference is the brainchild of Emmanuel Goldstein, aka Eric Corley, who publishes the notorious 2600 magazine. Corley has seen the community grow from its early days in the 1980s, with kids going to jail for breaking into the AT&T network, to millions of regular citizens skirting the … Read more

Mozilla updates Firefox with three security patches

On Thursday, Mozilla pushed out a new security update for its new Firefox browser. Version 3.0.1 for Windows and Mac addresses vulnerabilities involving malformed GIF files on Mac OS X, command-line URLs that could launch multiple tabs when Firefox is not running, and potential remote code execution via a CSS reference counter overflow.

Meanwhile, Mozilla updated the earlier version of Firefox with 2.0.16 on Tuesday. The update addresses two of the Firefox 3 critical issues--the command-line URLs and the CSS reference counter overflow.

Version-specific updates have been pushed out automatically to existing Firefox users.

Mozilla will continue to … Read more

Microsoft revises DirectX security bulletins

Microsoft issued two critical security bulletin revisions on Wednesday related to vulnerabilities in Microsoft DirectX.

The revisions relate to holes that could allow an attacker to run code remotely on the machine or take control of it if a user opened a malicious media file.

The bulletins were revised to add DirectX 9.0a as affected software, Microsoft said.

One of the updates is for Windows 2000, XP, Server 2003 and Vista. The other update covers those systems, as well as Server 2008.

Cyber-capos: How cybercriminals mirror the mafia and businesses

Cybercrime, the harvesting and sale of credit card and other data for online fraud and theft, is a "shadow economy" that mimics the real business world in its practices and the mafia in its structure, according to a new report from security firm Finjan.

"The current cybercrime organizations bear an uncanny resemblance to organized crime organizations such as 'La Cosa Nostra,'" concludes Finjan's Malicious Code Research Center's Web Security Trends Report for the second quarter of 2008 (survey required before downloading the 21-page report).

There's a boss that heads up the organization for both … Read more

San Francisco IT worker arrested in hijacking of city network

A network administrator for the city of San Francisco has been arrested on charges of taking control of the city's computer network and locking administrators out, according to the San Francisco Chronicle.

Terry Childs, 43, was due to be arraigned on Tuesday after his arrest Sunday. He remains in jail on $5 million bail.

Childs, who has worked for the city for five years, is accused of tampering with the new Fiber Wide Area Network after allegedly being disciplined for poor performance. He is accused of electronically spying on his supervisors and their attempt to fire him, according to … Read more

IT managers worried about data leaks, survey shows

IT managers are almost as worried about what sensitive corporate data is leaking out of the company as they are about malware infections from the Web, according to a new survey.

Nearly 40 percent of IT staff at mid to large companies in North America said they believed that unintentional leaks by employees are a bigger threat to the security of their data than spyware or malicious software, according to a survey of 109 IT decision makers conducted over the Web last month by Osterman Research for FaceTime, a company that sells tools that allow companies to easily monitor and … Read more

Malware targets 'Simpsons' fans on AIM

Whatever you do, don't run that .exe file from "Chunkylover53," an alias for Homer Simpson.

Years ago, fans of The Simpsons added "Chunkylover53" to their AIM buddy list after learning that the writer-producer of the show was responding to fans in the voice of Homer from "Chunkylover53@aol.com."

Since then, the screen name has been inactive, until a few days ago when Chunkylover53's "Away" message appeared, prompting people to click on a link and run an executable in order to see "a *new* Internet-only exclusive Simpson's episode." … Read more