Microsoft Fixes Flaw After Seven Years


If you’ve ever forgotten an appointment, anniversary, or birthday, you know that being late by even a little bit can be terribly awkward. It almost seems worth it to get an arm or leg set in plaster just so you have a proper excuse. Now Microsoft’s trotted out its version of a cast story to explain a seven-year patch delay.


Microsoft security bulletin MS08-068 addresses a flaw in the Microsoft Server Message Block (SMB) protocol, and in a post on the Microsoft Security Response Center, Christopher Budd acknowledged, “We’ve received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack. Specifically, we’ve gotten some questions about why, in 2008, we’re releasing an update that addresses an issue first discussed in 2001.”

Budd, a security communications program manager, then stated, “[W]e could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable.”

So, according to Budd (and/or Microsoft, since it’s hard to believe someone would volunteer to be the messenger), Microsoft kept tinkering with things, and finally figured out a way to address the issue without bringing everything else to a halt. And, the Security Response Center post implies, perhaps people shouldn’t complain too much, since implementing SMB signing remains a better idea than applying MS08-068.

Take or leave the explanation as you see fit.


Happy Birthday Freebies from the Belgian Security Network


Happy birthday Belsec!

It looks like the Belgian Security bloggers’ network is just a year old, and in celebration, its bloggers are providing links to free stuff online — check out the following:

60+ freeware programs

Hundreds of eBooks

Fun videos and other stuff


Silent Break-Ins: How Technology Compromises Physical Security Too


I could have used this technique last night — I got home to my apartment in Oakland at 11:30, only to realize I’d left my keys in Sacramento. Two hours later a locksmith finally came and charged me $100 to let me in my own apartment. Expensive? Maybe, but comparable to other services, and compared to the havoc that a lock-breaker could wreak if he was trying to use his talents for crime rather than service, it’s a small price.

It’s kind of frightening to see how quickly a skilled lock-picker can jimmy a lock and get in. But new technology makes it even simpler. Apparently all you need to break into someone’s house is a good telephoto lens: just wait till they leave their keys out on a table, snap a picture, take it to an unethical key maker, and voilà, a perfect replica:

“We built our key duplication software system to show people that their keys are not inherently secret,” said Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project. “Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.”

Professor Savage presents this work on October 30 at ACM’s Conference on Communications and Computer Security (CCS) 2008, one of the premier academic computer security conferences.

Read the full article here.


Teaching the Elderly about Scams and Security


People were being scammed long before email and malware entered into daily use — and it’s still happening offline as well as online. So what to do if you know that someone you love is being victimized and scammed?

That’s the question the Consumerist asked readers today, with a story about a Florida grand-dad whose gardener is supposedly fleecing him for over $10k / month, allegedly to help an ailing friend:

Shaun says his 80+-year-old grandfather, Steve, is being scammed out of over $10,000 a month. It seems Steve recently hired a female gardener who introduced him to a “wealthy friend,” and now he’s loaning them money to pay for groceries, cable, home upkeep, and, get this, bodyguards to protect her from an ex-husband and son who want to kill her. When the family tries to intervene, Steve says the family is trying to put him in a nursing home and steal his money. Shaun is at a loss. How can he help his grandfather, who doesn’t want to be helped?

Another question that might be relevant in the IT Security community is, are the elderly more prone to these scams, and if so why? In the tech world it’s widely assumed that the older generation just has a harder time learning and grasping how to use technology so may not understand what is risky and what isn’t.

But perhaps there’s a deeper problem, either with some form of dementia and paranoia in the older years, or just a purer vulnerability associated with being alienated from the new, cutting edge and modern world as we age, or some kind of unwillingness to be suspicious because of the need to have caring people around you?


Don’t Confuse Windows Defender and WinDefender


WinDefender is a malware program, and now it’s promising an update: “Get rid of mailware now!” It’s been out a while, but now there’s the “Update” going around.

Be wary and warn the folks you know — this isn’t Windows Defender, an anti-malware program.

F-secure has a screenshot so you know what to look for…and of course the requisite joke, hoping that future versions might promise an end to “maleware.”

Good luck with that, guys. ;)


5 Recession-Proof Tactics to Unlock Revenue Using Marketing Automation


WHEN: Thursday, November 13, 1 PM PT / 4 PM ET


Personal Defender 2009


Personal Defender 2009 is malware disguised as a security tool. This is not a new way to trick people and gain a purchase, but Personal Defender 2009 uses additional misleading tactics to make things work.

Personal Defender 2009 is not able to infect computers on its own; instead, it tricks people into downloading the program voluntarily. Personal Defender 2009 is delivered by the trojan mupd1_2_1711951.exe. The trojan mimics Windows Firewall notifications and asks if the user wants to enable protection. By clicking


Win Defender 2009


Win Defender 2009 is a typical rogue anti-spyware program. This one has more potential to scam people than the others do because its name is similar to Windows Defender, reputable software from Microsoft Corp. Whenever downloading or purchasing software, make sure that it


Ferrychi


Ferrychi is a downloader trojan. It is very dangerous because its purpose is downloading and running additional computer parasites. The malware brought by Ferrychi may vary from adware toolbars to rogue security tools. Ferrychi is not able to steal information or corrupt system files on its own. However, it may install parasites that are able to spy on the computer owner and steal money or data this way.

Ferrychi infects computers using a vulnerability in MS Word 97. Keep your software updated in order to avoid the Ferrychi trojan. It infects every MS Word file, so when a file is opened on another computer, the trojan spreads further.

Ferrychi hides from the user and is hard to delete. It changes registry entries in order to run automatically on boot. Ferrychi connects to on1000000.cn in order to download malware. Block this website in advance to avoid problems.


The Security Problem in International Call Centers


The Consumerist recently posted a story about a Filipino call center that was inundated by a would-be ID thief, and whose security center was not equipped to properly investigate and nab the guy.

Fortunately, the call center was small, and the ID thief was obvious, so workers got to know his voice and mannerisms, and were able to forward him to security with every call. Unfortunately, it turned out the Filipino security staff was unprepared to properly handle the scam, because they didn’t know some of the cultural nuances (like the name “Angela” is female) and they had no access to LexisNexis, the U.S. security database of personal information.

Once the ID thief caught on to the right answers to the security questions, the security staff refused to deal with him and told the call center staff to deal with him as a verified account holder and give him account access. Eventually the guy was caught, in the U.S. and by someone else, for successfully committing fraud.

Such a shame when this could be easily prevented. Companies want to cut costs, but they’re cutting security also.

Read the full article here.
