NewsBits for May 20, 2005 ************************************************************ Data Thefts May Be Linked A computer break-in at database giant LexisNexis Group may be linked to members of a group of young hackers involved in the theft of revealing photos and celebrity contact numbers from the cell phone of hotel heiress Paris Hilton, a senior federal law enforcement official said. Federal investigators this week seized computers and other evidence from several individuals across the country as part of a nationwide investigation of the LexisNexis breach, in which the intruders gained access to 310,000 personal records.,1,4761150.story,1367,67591,00.html FBI raids ID theft suspects Federal agents in the US investigating a major ID theft case have raided 10 properties in California, Minnesota and North Carolina. United States agents have searched the property of at least 10 suspects as they investigate a security breach at data broker LexisNexis that left thousands vulnerable to identity theft, the FBI said on Thursday.,39020375,39199351,00.htm - - - - - - - - - - Scope of bank data theft grows to 676,000 customers Bank employees used computer screen captures to snag customer data. What is thought to be the largest U.S. banking security breach in history has gotten even bigger. The number of bank accounts accessed illegally by a New Jersey cybercrime ring has grown to 676,000, according to police investigators. That's up from the initial estimate of 500,000 accounts police said last month had been breached.,10801,101903,00.html Ecommerce sites panned for lack of security testing,39024655,39130611,00.htm - - - - - - - - - - Internet Scam Costs Local Man $2,000; FBI Investigating An Internet scam cost a man $2,000 after someone convinced him to cash fake money orders to help an overseas student study in Orlando. The victim said he just wanted to do a good thing. Now the FBI has now gotten involved and believes there are more victims of the new scam. In fact, it wasn't until the man came to the post office to cash a second set of money orders that a postal inspector finally told him they were counterfeit. - - - - - - - - - - Judge seizes assets of online pharmacy in Minnesota The courts took over the assets on Friday of a Burnsville-based online pharmacy that prosecutors say sold up to $18 million worth of drugs over the Internet and mislabeled some drugs it sent to patients. U.S. District Judge Michael Davis granted prosecutors' request to shut down several online pharmacies related to Xpress Pharmacy Direct, according to court documents signed Friday. - - - - - - - - - - Sober reloaded Zombie PCs infected with the Sober-P worm are set to reactivate on Monday, 23 May. Sober-P posed as offers of a free ticket for next year's World Cup and set up backdoor access on compromised PCs, claiming thousands of victims since its first appearance earlier this month. These infected machines were later used to generate a German hate-mail spam outbreak this week. The sheer volume of this deluge illustrated the potential for further mischief. - - - - - - - - - - Yahoo! chat bug gives scope for mischief Security researchers have discovered a denial of service vulnerability involving Yahoo!'s popular instant messaging client. Hackers can potentially disconnect users from chat sessions by sending malformed packets to Yahoo! Messenger servers. The flaw stems from a glitch in processing routines used to process URL handler links, as explained in a SecuriTeam advisory (containing "proof of concept" demos) here. - - - - - - - - - - Netscape patches new browser Netscape has released a security update to its Netscape 8.0 browser, fixing more than 40 security holes just hours after the browser's official launch (see story). Version 8 of the browser is the first major update to it since 2002 and includes a number of new security features designed to protect users from remote attacks and malicious Web sites. It is based on the increasingly popular open-source Firefox browser, but it didn't include any of the security patches in the recently released Firefox 1.0.4.,10801,101895,00.html 'Secure' Netscape released with vulnerabilities,2000061733,39192754,00.htm - - - - - - - - - - Widget security worries dog Apple Though Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk. Widgets, or small programs that automatically install after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An attacker could write a malicious widget for Mac OS X 1.4 Tiger that would run invisibly in the background and hijack a user's "sudo," or administrative, privileges on a system, according to an alert distributed on the Full Disclosure mailing lists late Wednesday. - - - - - - - - - - How Dangerous Was The Ciso Code Theft? A recent hacker attack that compromised some of the crucial equipment powering the Internet has sparked a debate on whether the stolen Cisco Systems code used to penetrate the complex systems still poses a threat to the web. - - - - - - - - - - Underground showdown: Defacers take on phishers A small percentage of Web sites illegally set up for phishing scams have been defaced with warnings to potential victims. While illegal, some Internet watchers believe the trend could be beneficial. Groups fighting against online criminals intent on phishing have gained allies from another species of underground miscreant: Web-site defacers. - - - - - - - - - - Hack attack danger soars in 2005 Security experts have warned of a substantial rise in the number and complexity of hacking attacks during the first half of 2005. According to research commissioned by carrier AT&T, the volume of traditional email attachment viruses has fallen, but the speed at which new variants are appearing is increasing. - - - - - - - - - - Study: Insider revenge often behind cyberattacks Former employees still had access to systems after leaving. Companies hoping to mitigate their exposure to insider attacks need to ensure they have good password, account and configuration management practices, as well as the right processes in place for disabling network access when employees are terminated.,10801,101900,00.html Companies urged to use security to improve productivity,10801,101897,00.html - - - - - - - - - - Feds botch wireless security Federal agencies in the US are leaving their wireless networks open to attack by not implementing key security measures, according to a report issued by the Government Accountability Office (GAO) on Tuesday. Wireless networks also known as Wi-Fi or Wireless Local Area Networks or WLANs can fall victim to malicious hacking techniques, from eavesdropping on company or agency secrets to computer network disruption and the launching of denial of service attacks. Securing 'strange' Wi-Fi devices - - - - - - - - - - Google CEO defends privacy policies Google Chief Executive Eric Schmidt acknowledged that his company's search engine can ruffle privacy feathers, but said the company's technology doesn't violate the company's founding motto, "Don't be evil." Schmidt discovered his own home phone number through Google, but said he was able to remove it by filling out Google's standard form. But Google shouldn't be blamed when that sort of private information crops up, he said. Google Pushes Security In Enterprise Desktop Search Launch - - - - - - - - - - MS UK recruits FBI man Microsoft has head-hunted a senior legal officer from the FBI to become its chief security advisor in the UK. Ed Gibson joins Microsoft in July from the FBI, where he has held senior positions as a special agent for 20 years. Since 2000, he has served as the FBIs assistant legal attache in the UK, where he has been responsible for establishing intelligence alliances between UK police agencies, security services, the FBI and private sector companies. - - - - - - - - - - LAND attack threat 'not significant', says Microsoft Microsoft has rejected the seriousness of a security warning about its software. On Tuesday the French Security Incident Response Team (FrSIRT) issued an alert about a security bug in Microsoft's implementation of TCP/IP in Windows XP and 2003. The flaw in the Windows IPv6 TCP/IP stack means systems are liable to crash when processing maliciously crafted packets in which the SYN flag is set, and the source address and port are the same as the destination address and port (a so-called Land Attack). - - - - - - - - - - Cheaper to patch--Windows or open source? Microsoft has sparked heated debate by claiming that Windows software is cheaper to patch than open-source alternatives. A Microsoft-commissioned study--conducted by its business partner Wipro-- outlined the main areas of so-called "cost savings" by using Windows. A survey of 90 organizations revealed that Windows database servers cost 33 percent less to patch than their open source counterparts. Respondents said on average, Windows clients are 14 percent cheaper to patch. - - - - - - - - - - The seven deadly sins of identity management Last week, I gave a keynote speech at the Digital ID World conference in San Francisco, a gathering of technologists working in identity verification, authentication and biometrics. As an information ethicist, I was asked to share some thoughts about how the human component affects complex systems used in identity management (IDM). Based on more than three decades of observation, I have concluded that most IDM failures arent due to technology glitches. In fact, most of the leading IDM technologies serve their purpose well.,10801,101893,00.html - - - - - - - - - - Los Alamos lab suffers fallout from scandals The Wen Ho Lee case. Confusion over the whereabouts of classified computer disks. Workers buying camping and hunting gear on the government's dime. Disgruntled scientists posting complaints on a blog. A potential brain drain among the weapons experts. - - - - - - - - - - U.S. to launch sex offender registry Web site The Justice Department will launch a national sex offender registry Web site that will allow people to check state databases with a single search, U.S. Attorney General Alberto Gonzales said Friday. "With this technology, every citizen and law enforcement officer will be able to search the latest information for the identity and location of known sex offenders," he said in a statement announcing the new registry. *********************************************************** Search the Archive at: *********************************************************** The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however copies may not be sold, and NewsBits ( should be cited as the source of the information. Copyright 2000-2005,, Campbell, CA.