26 posts tagged with security and Internet
On May 13, security advisories published by Debian and Ubuntu revealed that, for over a year, their OpenSSL libraries have had a major flaw in their CSPRNG, which is used by key generation functions in many widely-used applications, which caused the "random" numbers produced to be extremely predictable. [lolcat summary]
posted on May 16, 2008 - View this thread
If Bruce Schneier, the expert voice of security moderation, is "worried" then so am I. Since the beginning of the year Storm, an advanced, distributed worm network, has been growing quietly as its authors tweak its social engineering attack. Now it seems that it is in place and waiting. Schneier's article. Digital Intelligence and Strategic Operations Group has been monitoring Storm for a year. OWL.
posted on Oct 15, 2007 - View this thread
What's the Big Secret? Four surveillance experts try to figure out what the NSA's superclassified wiretapping program really is (hint: it may have something to do with the filters). They don't seem to realize that this kind of reckless public discussion means some Americans are going to die. [Via Threat Level.]
posted on Aug 30, 2007 - View this thread
FBI's CIPAV nabs first victim: Former Timberline High School student Josh Glazebrook is the first (known) person to be caught by the FBI's secret spyware program, known as CIPAV (Computer and Internet Protocol Address Verifier). Wired broke the story Wednesday, then received a form letter from the FBI in response to a few key questions. (more inside)
posted on Jul 20, 2007 - View this thread
Interesting "New Yorker" article about online extortion via DDoS attacks. Call me naive and underinformed, but I had little understanding of how this works.
"In the most common scenario, the bots surreptitiously connect hundreds, or thousands, of zombies to a channel in a chat room. The process is called “herding,” and a herd of zombies is called a botnet."
posted on Oct 7, 2005 - View this thread
A new twist on paying for Internet porn Although no mention of porn in the CNN story. Anyone ever been threatened like this?
posted on Dec 29, 2003 - View this thread
A new MS Internet Explorer vulnerability is discovered. Most digerati already know about the spammer and lamer trick to publish URLs that look like legitimate hostnames to fool people into trusting a malicious site. This trick is frequently used by spammers to steal people's PayPal accounts, by tricking them into "resetting" their password at a site owned by the spammer but disguised as PayPal.com.
Today's new IE vulnerability is significantly worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked into not displaying the rest of the URL at all. Don't expect a patch right away, the guy who found the hole released it to BugTraq on the same day he notified Microsoft. (via Simon Willison)
posted on Dec 9, 2003 - View this thread
New Phase for Sobig.f Expected to Hit Friday. Any . . . minute . . . now. . .
posted on Aug 22, 2003 - View this thread
The US government recently released a draft of the National Strategy to Secure Cyberspace; essentially it advocates ensuring security through consensus, with vendors, government agencies and consumers taking responsibility for the tools they use. That's not enough for Marcus Ranum who in the TISC newsletter advocates passing legislation mandating consumers and ISPs to install firewalls and anti-viral software. At what point does an individual's (corporate or consumer) chosen level of computer security become a concern for the federal government?
posted on Oct 17, 2002 - View this thread
Looks like Verisign forgot to renew their UK domain name.
posted on Sep 28, 2002 - View this thread
First JPEG virus discovered... "The W32/Perrun virus, as it is now being called, extracts data from JPEG files and then injects picture files with infected digital images. A fair warning to those individuals who are fond of sending multimedia files to friends and families." Is everyone's porn stash threatened now?
posted on Jun 14, 2002 - View this thread
Hackers target Cell Phones With the connectivity of cell phones to the internet, hackers have begun to target cell phones, programming prank calls, placing calls to wherever and erasing the software in the phone.
posted on Mar 11, 2002 - View this thread
How to hack grey matter A big security loophole with grey matter powered sites is out there. It lets anyone have the username and password to these sites. Luckily there is a fix for it which can be found here.
posted on Feb 23, 2002 - View this thread
AOL has been actively blocking Trillian users. If you switched over to Trillian and use AIM you've had problems connecting all week. As of this morning, version 0.721 is working but will likely be blocked again. AOL is claiming it as a "security" issue.
posted on Jan 31, 2002 - View this thread
Been to a USGS site today? What about your favorite national park site? Probably not, since all are part of the U.S. Department of the Interior, whose external network connections have been severed due to electronic security concerns raised by the court in the case Cobell v. Norton (formerly Cobell v. Babbitt).
With no external email or access to the Internet could you do your job? How dependent is your workplace on electronic information access? (Since all their websites are down, I have no direct link to post. A copy of the memo was sent to the members by the admin of a USGS email distribution list.)
posted on Dec 7, 2001 - View this thread
Dark Address Space leaves some 100 million hosts completely unreachable from portions of the Internet.
posted on Nov 15, 2001 - View this thread
Silicon Valley backs Senate bill that would allow companies to report computer network attacks to the government without having to worry about the public finding out. The reasoning: it would encourage more companies to report the problems and help the government track down the culprits. A similar bill is in the House.
posted on Sep 25, 2001 - View this thread
Seeing weird things in your website logs today? This will explain it...
Running IIS and haven't patched it in over a month? Go here. 13,000 servers have already been affected.
posted on Jul 19, 2001 - View this thread
Attrition: Evolution. Attrition.org has decided to cease updating their archive of Web defacement mirrors. The reasons being the total lack of appreciation on some part as well as the sheer volume of mirrors per day, and the fact that it sucked up what little personal lives the staff already had.
Fear not, however, statistics and commentary will still be around - just based on the Alldas mirror and stay tuned for the rebirth of their more informative sections like Errata and Security.
posted on May 21, 2001 - View this thread
One million credit card numbers stolen! News at 11! The FBI has gone public with a rather dry account of a huge organized attack on ecommerce sites, exploiting security flaws in NT which Microsoft fixed and offered patches for nearly two years ago.
posted on Mar 9, 2001 - View this thread
NYTimes.com has low security
Even me, the casual passerby, could access secret documents about the mysterious "partners," while trying to avoid downloading a cookie. Heh, "channel", "partners", the number 10. They're all related somehow?
PS: "channel.nytimes.com" doesn't give access to pages without logging in. Any ideas?
posted on Oct 13, 2000 - View this thread
Any server can read all your IE cookies. From any domain. Anyone. I was just explaining to my folks that the reason cookies are (generally) safe is that this was NOT possible. Well, it's possible now.
posted on May 11, 2000 - View this thread
They bagged the kid who was responsible for all those Denial-of-Service attacks a couple of months ago. He's Canadian.
Here's an interesting legal question: could the US extradite him? The crimes were committed in the US, but he was in Canada at the time he did it, since he worked through the Internet. Whose laws apply?
(By the way, I've seen no indication that the US is considering extradition; I was just curious whether they could extradite him.)
posted on Apr 19, 2000 - View this thread
Worth has a great story on how easy it would be for Goto.com to exploit its paying customers. (There may be some registration issues with this link; if it fails, go to the Worth home page and click on "The Easy Way to Get Rich Click.")
posted on Mar 14, 2000 - View this thread
This page seems to be over a year old, but it's news to me. Did you know that cookies set on international domains (those ending in generic things like co.uk or co.nz) can be read by other servers within those top level country domains? Scary stuff if you're using even the latest versions of Netscape on international sites.
posted on Jan 17, 2000 - View this thread
Yet another reason why HTML email sucks. WebTV should limit incoming messages to plain text only, or at least let users turn off HTML rendering in their mail clients.
posted on Jan 4, 2000 - View this thread