<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN"
 "http://my.netscape.com/publish/formats/rss-0.91.dtd">

<rss version="0.91">

<channel>
<title>Hydra Security</title>
<link>http://www.hydrasecurity.org</link>
<description>Hydra Security</description>
<language>en-us</language>

<item>
<title>25m people's personal details lost in the post by HMRC</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=11</link>
<description> Alistair Darling said a junior official had broken the rules &lt;br&gt;&lt;a href=&quot;http://www.bbc.co.uk/mediaselector/check/player/nol/newsid_7100000/newsid_7105000?redirect=7105086.stm&amp;news=1&amp;bbwm=1&amp;nbram=1&amp;bbram=1&amp;nbwm=1&amp;asb=1&quot;&gt;&lt;strong&gt;Alistair Darling &lt;/strong&gt;&lt;/a&gt;&lt;br&gt;&lt;strong&gt;The government's &amp;quot;basic competence&amp;quot; has been questioned by the Tories after the loss in the post of computer discs with 25m people's personal details on them. &lt;br&gt;&lt;/strong&gt;&lt;div&gt;&lt;br&gt;The child benefit data on them includes names, ages, bank and address details. &lt;/div&gt;&lt;br&gt;&lt;div&gt;Tory George Osborne said ministers had failed in their duty to protect people, and questioned whether Alistair Darling &amp;quot;is up to the job&amp;quot; of chancellor. &lt;/div&gt;&lt;br&gt;&lt;div&gt;Mr Darling said he &amp;quot;deeply regretted&amp;quot; what had happened, but stressed there was no evidence of misuse of the data. &lt;/div&gt;&lt;br&gt;</description>
</item>

<item>
<title>Hacker Breaks Into Ebay Server, Locks Users Out</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=10</link>
<description>Tue, 09 Oct 2007 11:08:59 +0000 &lt;br&gt;A malicious hacker broke into an eBay Inc. server on Friday and temporarily suspended the accounts of a &amp;quot;very small&amp;quot; number of members, the company said. &amp;quot;We were able to block the fraudster quickly before any permanent damage had been done. At no point did the fraudster get any access to financial information or other sensitive information,&amp;quot; eBay spokeswoman Nichola Sharpe said via e-mail. </description>
</item>

<item>
<title>Gap Security Breach Exposes Data On 800,000</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=9</link>
<description>&lt;div&gt;&lt;br&gt;Mon, 01 Oct 2007 23:29:24 +0000 Personal data on 800,000 job applicants at Gap Inc. were exposed to potential identity fraud when a laptop belonging to a third-party contractor was stolen, the retailer acknowledged Friday.&lt;/div&gt;&lt;br&gt;&lt;div&gt;&lt;br&gt;Gap said in a Web site statement that a laptop containing the Social Security numbers of certain job applicants was recently stolen from the offices of an &amp;quot;experienced third-party vendor&amp;quot; that manages job applicant data for the San Francisco-based retailer.&lt;br&gt;&lt;br&gt;&lt;br&gt;Read more: &lt;a href=&quot;http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1274757,00.html?track=NL-102&amp;ad=605990&amp;asrc=EM_NLN_2300450&amp;uid=5076822&quot;&gt;SearchSecurity.com&lt;/a&gt; &lt;br&gt;&lt;/div&gt;&lt;br&gt;</description>
</item>

<item>
<title>Google fixes Gmail zero-day</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=8</link>
<description>&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;div class=&quot;quotetop&quot;&gt;It's been a bad time for Google as they have&amp;nbsp;just had to&amp;nbsp;fix a serious Gmail zero-day flaw my colleague Dennis Fisher wrote about last week.&lt;br&gt;&lt;br&gt;The problem is a cross-site scripting flaw attackers could exploit to silently forward emails and contacts from a remote user's account to any email account he or she chose. The security hole was uncovered by GNUCitizen, a hacking group that tracks Web 2.0 application flaws, and comes into play when a user logged in to Gmail visits a malicious Web site laced with attack code. The site performs an action that injects a filter into the user's Gmail filter list.&lt;/div&gt;&lt;br&gt;Read more: &lt;a href=&quot;http://security.blogs.techtarget.com/2007/10/02/google-fixes-gmail-zero-day/?track=NL-102&amp;ad=605992&amp;asrc=EM_NLN_2306581&amp;uid=5076822&quot;&gt;SearchSecurity.com Blog&lt;/a&gt; </description>
</item>

<item>
<title>Serious Google Gmail Flaw Exposes Sensitive User Data</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=7</link>
<description>Tue, 02 Oct 2007 17:40:07 +0000 &lt;br&gt;&lt;div class=&quot;quotetop&quot;&gt;&lt;div class=&quot;quotemain&quot;&gt;Google Inc. is facing some serious questions about the security of its applications after a researcher disclosed a flaw in its popular Gmail offering.&lt;br&gt;&lt;br&gt;The new issue is a variant of a cross-site scripting vulnerability in Gmail which could enable an attacker to silently forward emails and contacts from a remote user's account to any email account he chose.&lt;/div&gt;&lt;br&gt;Read more: &lt;a href=&quot;http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1274261,00.html&quot;&gt;SearchSecurity.com&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;/div&gt;</description>
</item>

<item>
<title>Confidential Chicago terrorist threat assessment leaked over P2P</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=3</link>
<description>Confidential Chicago terrorist threat assessment leaked over P2P&lt;br&gt;By Jaikumar Vijayan, September 13, 2007, Computerworld&lt;br&gt;&lt;br&gt;Officials at consulting firm Booz Allen Hamilton Inc. are looking into how a Fox News reporter acquired a confidential terrorist threat assessment on Chicago over a public file-sharing network.&lt;br&gt;&lt;br&gt;Larry Yellen, an investigative reporter with WFLD Fox News in Chicago, on Tuesday reported that he recently used a peer-to-peer (P2P) program called LimeWire to obtain the Booz Allen document. The firm authored the document in 2002.&lt;br&gt;&lt;br&gt;George Farrar, a spokesman for Booz Allen, today confirmed the incident and said the document was commissioned by the Federal Transit Administration (FTA) five years ago. It was one of 35 threat assessments of the nation's bus and rail systems that Booz Allen was commissioned to do by the agency.&lt;br&gt;&lt;br&gt;&amp;quot;Essentially, yes, those were Booz Allen documents that were available on the Internet via a peer-to-peer file-sharing system,&amp;quot; Farrar said. &amp;quot;What we don't know is from what system those documents made their way to the Internet.&amp;quot;&lt;br&gt;&lt;br&gt;Farrar said that after Booz Allen completed the threat assessment, it made the document available to numerous federal, state and private-sector entities and first responders as required under its contract with the FTA. It was then the responsibility of those entities to protect the documents, Farrar said.&lt;br&gt;&lt;br&gt;&amp;quot;We investigated internally and didn't find the document on our computers,&amp;quot; Farrar said. He also noted that employees at Booz Allen cannot connect to file-sharing networks at work. &amp;quot;We are continuing to investigate. We can't say definitely one way or the other,&amp;quot; who the source of the leaked document was. 
But he said it is possible that the document was leaked from a computer belonging to one of the entities that got the report.&lt;br&gt;&lt;br&gt;&amp;quot;We don't know what controls were put in place after the document left our hands. So far, we haven't been able to find evidence that it was from our computers,&amp;quot; he said.&lt;br&gt;&lt;br&gt;The Booz Allen incident again highlights what some analysts say is a growing problem: the easy availability of all sorts of government, personal and confidential information on P2P networks.&lt;br&gt;&lt;br&gt;The situation is the result of information being leaked onto these networks by individuals who fail to take precautions for securing their computers during P2P sessions. Popular P2P clients such as Kazaa, LimeWire, BearShare, Morpheus and FastTrack are designed to let users quickly download and share music and video files. Normally, such clients allow users to download files to -- and share items from -- a particular folder on their system with other users on the network. But if the access these P2P clients have on a system is not controlled, it is easy to expose and share personal data with all other users on a file-sharing network.&lt;br&gt;&lt;br&gt;U.S. authorities recently arrested a Seattle man on charges that he deliberately mined and harvested P2P networks for such data which he then used to commit ID theft -- the first time that anyone in the U.S. has been arrested on charges of committing ID theft over P2P networks.&lt;br&gt;&lt;br&gt;In July, the House Committee on Oversight and Government Reform heard testimony from several witnesses about how everything from classified military documents to corporate data can be found on P2P networks. 
The leaked documents on P2P networks cited as examples at the hearing included the Pentagon's entire secret backbone network infrastructure diagram; contractor data on radio frequency manipulation to defeat improvised explosive devices in Iraq; and physical terrorism threat assessments for three major U.S. cities.</description>
</item>

<item>
<title>New Skype Worm</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=2</link>
<description>New worm spreading via Skype&amp;nbsp;&lt;div class=&quot;section&quot;&gt;&lt;em&gt;Multilingual malware posing as porn in chat messages.&lt;/em&gt;&lt;/div&gt;&lt;br&gt;&lt;div class=&quot;section&quot;&gt;VoIP and chat system &lt;em&gt;Skype&lt;/em&gt; has been targeted by another worm, sending chat messages to harvested contacts posing as links to pornographic images, which in fact download and install copies of the worm. The new malware has been variously dubbed 'Pykspa.D', 'Skipi.A', 'Ramex.a' and 'Pykse.b'. &lt;/div&gt;&lt;br&gt;&lt;div class=&quot;section&quot;&gt;The fake messages, which are as likely to come from known contacts as from strangers, can contain text in a wide range of languages selected by the worm based on the sender's system locale settings, which hint that the linked erotic images may be of interest to the recipient. Following the link brings up a 'soap bubble' screensaver, and installs the worm. &lt;/div&gt;&lt;br&gt;&lt;div class=&quot;section&quot;&gt;Once a system is infected, the worm attempts to disable a range of security software, and adjusts the &lt;em&gt;Windows&lt;/em&gt; hosts file to prevent access to security updates and advice. It harvests further addresses from the local contacts list and continues spreading itself across the &lt;em&gt;Skype&lt;/em&gt; network. &lt;/div&gt;&lt;br&gt;&lt;div class=&quot;section&quot;&gt;The worm, a variant of a previous &lt;em&gt;Skype&lt;/em&gt; worm &lt;a href=&quot;news/2007/04_17_virus.xml&quot;&gt;seen in April&lt;/a&gt;, is currently thought to be spreading at fairly low levels, and requires user interaction to accept and run the malware. Users are reminded to exercise caution online and to ignore unsolicited messages containing suspect links. 
&lt;/div&gt;&lt;br&gt;&lt;div class=&quot;section&quot;&gt;A &lt;em&gt;Skype&lt;/em&gt; blog posting with initial details, including manual removal instructions, is &lt;a href=&quot;http://heartbeat.skype.com/2007/09/the_worm_that_affects_skype_fo.html&quot;&gt;here&lt;/a&gt;. Further discussion on the &lt;em&gt;Symantec&lt;/em&gt; blog is &lt;a href=&quot;http://www.symantec.com/enterprise/security_response/weblog/2007/09/skype_worm_on_the_loose_again.html&quot;&gt;here&lt;/a&gt;, with detailed analysis of the malware &lt;a href=&quot;http://www.symantec.com/security_response/writeup.jsp?docid=2007-091011-2911-99&amp;tabid=2&quot;&gt;here&lt;/a&gt;. &lt;/div&gt;&lt;br&gt;&lt;br&gt;&lt;div class=&quot;section date&quot;&gt;11 September 2007&lt;/div&gt;&lt;br&gt;</description>
</item>

<item>
<title>Microsoft September Patches</title>
<link>http://www.hydrasecurity.org/modules.php?name=News&amp;file=article&amp;sid=1</link>
<description>As part of Microsoft's routine, monthly security update cycle, today we released four security updates.&lt;br&gt;&lt;br&gt;&amp;nbsp;&lt;a href=&quot;http://www.microsoft.com/technet/security/Bulletin/MS07-051.mspx&quot;&gt;&lt;div&gt;MS07-051 - addresses a vulnerability in Windows (KB 938827)&lt;/div&gt;&lt;/a&gt;&lt;br&gt;&amp;nbsp;&lt;a href=&quot;http://www.microsoft.com/technet/security/Bulletin/MS07-052.mspx&quot;&gt;&lt;div&gt;MS07-052 - addresses a vulnerability in Visual Studio (KB 941522)&lt;/div&gt;&lt;/a&gt;&lt;br&gt;&amp;nbsp;&lt;a href=&quot;http://www.microsoft.com/technet/security/Bulletin/MS07-053.mspx&quot;&gt;&lt;div&gt;MS07-053 - addresses a vulnerability in Windows (KB 939778)&lt;/div&gt;&lt;/a&gt;&lt;br&gt;&amp;nbsp;&lt;a href=&quot;http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx&quot;&gt;&lt;div&gt;MS07-054 - addresses a vulnerability in MSN Messenger and Windows Live Messenger (KB 942099)&lt;/div&gt;&lt;/a&gt;&lt;br&gt;</description>
</item>

</channel>
</rss>