Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?

Now, just a few days later, one of those firms, Palo Alto-based Palantir, has publicly cut ties with HBGary and apologized for its role in the WikiLeaks response plan, essentially verifying the reality of that plan and isolating HBGary further.

I'm going to go for the bargain and hack the State of Michigan and have some real fun. Ha! Try to find yourself on the hand now, Michiganders!

Ross Anderson gives a smackdown to British bankers who are unhappy about a student thesis

How to create a better password, by using an algorithm; of course, once the algorithm is well known, it's easy to crack passwords that use it.

Gawker's mess, via Forbes #infosec

ARBSEC is the first Wednesday of every month. Unlike other meetups, you will not be expected to pay dues, "join up", or present a zero-day exploit to attend.

Travis describes two flaws: the PRNG is a 16-bit LFSR and it is not seeded with very much entropy. However, the datasheet recommends this random number generator be used to create cryptographic keys. It’s extremely scary to find such a poor understanding of crypto in a device capable of forging billing records or turning off the power to your house.

Finally, the surveyed ISPs also said their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features. While most ISPs now have the infrastructure to detect bandwidth flood attacks, many still lack the ability to rapidly mitigate these attacks. Only a fraction of surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less. Even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flood attack.

But, a blog buried within Network World’s community is hard to find so as of today I am re-launching threatchaos.com. With complete control over the technology I use and the features I develop this site will quickly become a valauble resource to the entire IT security industry. In addition to my daily blog posts I will be retaining people to help with news coverage. I am also embarking on several video ventures that will show up here.

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that this was inconceivable (yeah, yeah), and he must be mis-understanding. He assured me that no, he was right, and that the reason they ran this way was because it was cheaper, and because only trustworthy people could get ACH merchant accounts.

good reliable security blog

The ID theft ring stole more than 40 million credit and debit card numbers, said Michael Sullivan, U.S. attorney for the District of Massachusetts. The criminals installed sophisticated "sniffer" programs on the retailers' networks, allowing them to collect credit card and password information, he said during a press conference.

Which is why CSE 484, an undergraduate computer-security course taught this quarter at the University of Washington, is so interesting to watch. Professor Tadayoshi Kohno is trying to teach a security mindset.
You can see the results in the blog the students are keeping. They're encouraged to post security reviews about random things: smart pill boxes, Quiet Care Elder Care monitors, Apple's Time Capsule, GM's OnStar, traffic lights, safe deposit boxes, and dorm -room security.

For secure name resolution, it is important that your DNS resolver uses random source ports. The box below will tell you if there is something you need to worry about.

Founded in 1997 and headquartered in Ann Arbor, Michigan, Ensure Technologies is an innovative developer of intelligent security solutions designed to provide maximum security with minimal impact on users.

passive web application security assessment tool

bruce schneier notes that birthdate + zip code + gender is probably enough to identify you. (ed43 + 48104)

account of 2002 era attacks on the root name servers, no SLA payouts

Phage List: archive, by date. 3/11/88 - Morris Internet Worm - 20th anniversary coming up

The foundation was one of 92 clients of the vendor, Convio, affected by the breach, Sponauer said.

Attackers have stolen passwords and accounts from 92 nonprofits by infiltrating systems at Convio, the leading online marketing company for nonprofits.

no user authentication! Any user can forge anybody else’s identity when interacting with any OpenSocial application. As it currently stands, it is not possible to write secure social applications on the platform

I’m really starting to wonder about the overall security of the OpenSocial platform’s design. Not to say that I know more than Google, but I am surprised these issues weren’t noticed prior to launch.

a significant problem with OpenID I've brought this up before and had assumed that most of these schemes would not get off the ground because of the severity and obviousness of the problem -- but I was wrong.

Hackers have hijacked a server operated by Internet advertising company 24/7 Real Media Inc. and are using it to seed legitimate Web sites with ads carrying attack code, Symantec Corp. said Friday.

3 classes of attacks on openid. (looks like a worse and worse system every time I read one of these articles)

The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that the

OpenID announced the release of a new draft of OpenID Authentication 2.0 today. I’m reluctantly forced to come to the conclusion that the OpenID people don’t care about phishing, since they’ve defined a standard that has to be the worst I’ve ever

Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing

When we put our OpenID provider through the security review wringer (many thanks to Glenn Brunette and his team for their work on this!), some nitsy OpenID protocol questions came out, along with issues of provider and consumer behavior in the wild. Some

TJX Cos. said that it reached a tentative settlement with customers who were victims of the largest security breach of personal data ever reported and that it would provide store vouchers to some people whose data were compromised and a three-day sale for

Since 8,585 tapes were stolen from the School of Nursing two weeks ago - the third data theft in the last year - University officials are stressing the importance of protecting against data theft.

The company today confirmed that as many as 34,000 of its employees may be at risk of identity theft after a former employee illegally accessed and download copies of confidential information from a Pfizer computer system without the company's knowledge.

At this point Mike Shaver threw down the gauntlet. He gave me his business card with a hand written note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within “

From the Pwnie Awards website, the Mass 0wnage Pwnie Award is Awarded to the person who discovered the bug that resulted in the most widespread exploitation. Also known as the Pwnie for Breaking the Internet.

For those who host with Dreamhost: I received a confirmation email from them at 8:27pm PST on June 5th that yes indeed, something in the neighbourhood of 3,500 FTP accounts have been compromised. If you’re on Dreamhost, time to change all your passwords

Google Calendar gives users the choice of keeping calendar entries private or publishing them for the world to see, but some Google Calendar users appear to be sharing their calendar information without realizing it.

some details emerging of dreamhost hack problems. black hat seo spam appears to be the nature of the exploit.

slashdot notes jose nazario's reporting on the estonian denial of service attacks

When it comes to denial-of-service attacks, Jose Nazario has seen just about everything.

Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.

Detailing the sheer magnitude of a crime first reported earlier this year, TJX yesterday disclosed in financial reports that at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year by hackers who have yet to b

We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions that we believe resulted in the theft of customer data. We do not know who took this action and whether there w

free vpn software. holding my recco until some infosec geek blesses it

korean internets depend on active x controls for info security, locking out mac, linux. k. professor sues

ddos against dns, film at 11

infosec dashboard of global threats and attacks

malicious javascript installs keystroke logger.

two a2b3'ers at this security ops meeting at Microsoft. hoping for a recap

South Korea as a Windows only, no Mac, no firefox software monoculture. & the dangers thereof.

huge amounts of spam generated by bots, problems getting worse.

reddit's user base has been stolen - user names, email addresses, passwords. passwords are like underwear, change yours frequently. via it harvest.

what % of search engine results are dangerous to click on? wide variety here analyzed.

good old fashioned identity theft, notes Richard Stiennon

when i fight the bots the bots always win

dory leifer on the solution space for providing guest access to the net, wired or wireless.

Today four Connecticut librarians spoke publicly for the first time about their experience as recipients of a National Security Letter (NSL) demanding library records.

see also Andy Bichlbaum interview on Teeter Talk

Echelon is the world's largest information vacuum cleaner.

Jim Duncan has been working on this

pursuing research on "unintended information revelation" at SUNY Buffalo