Security

Apple Safari vulnerable to multiple attacks

Safari users may be subject to crashes or interactions with an attacker's malicious site, according to a warning posted on Tuesday on BugTraq.

Researcher Juan Pablo Lopez Yacubian is credited with finding multiple vulnerabilities in Apple Safari 3.1.1 for Windows. Other versions of Safari may also be affected.

Among the vulnerabilities cited are a denial-of-service (crash) vulnerability caused by a write-access violation, a denial-of-service (crash) vulnerability caused by a read-access violation, and a third vulnerability that allows attackers to spoof the content contained in the address bar. A full write-up can be found here.

In a …

Javascript injection claims UN and UK government sites

Comparisons between two mass Javascript injection attacks suggest they may be related, according to a security company. The latest attack has compromised various sites including one United Nations and several UK government sites with links to malicious servers.

On Tuesday Websense reported seeing distinct similarities between attacks staged earlier this month and over the weekend. Specifically, they cite the use of the same tool to execute the attack being resident on the malicious server. Last summer various groups used the MPACK toolkit to propagate a similar series of Javascript injections.

Javascript injections are browser attacks and require no more effort …

CNN.com survives random outages

Although CNN escaped a distributed denial-of-service (DDoS) attack planned for Saturday, the site has experienced either random outages or inflated response times over the last 72 hours, according to one Internet research company.

Netcraft reported Tuesday that during a three-hour period on Sunday morning, the CNN.com site was unavailable from its listening post in Pennsylvania. And on Monday, the site experienced inflated response times. CNN.com did suffer a minor DDoS last Thursday, but recovered by limiting access from certain geographic areas, mainly Asia.

Also on Tuesday, The Dark Visitor, a site that tracks Chinese hackers, said a downloadable …

Windows XP SP3: A quick, painless upgrade

On Monday, Microsoft released to manufacturers (RTM) the final code for Windows XP SP3. The upgrade provides support for WPA2 and the Peer Name Resolution Protocol (PNRP) used in Windows Vista, among other things. The public version will be available for download via the Web on April 29. Based on our initial installation, the upgrade will be effortless for most Windows XP users.

The last Service Pack for Windows XP, SP2, was released in August 2004. The initial release took some users all night to download and install. The company had originally planned the initial public release for June 2004 but pushed it back. …

AES 256-bit encryption on Fujitsu hard drives

On Monday, Fujitsu Computer Products of America announced the Fujitsu MHZ2 CJ series for business notebooks that features full disk encryption. The new 2.5" 7,200RPM SATA hard disk drive (HDD) incorporates the AES-256 encryption standard at the hardware level without the need for additional software.

Unlike encryption with Windows Vista BitLocker, which requires the operating system to be present, the new Fujitsu drive performs its encryption entirely within the BIOS during power on. Encryption performed within the BIOS prevents the keys from being stored in the clear anywhere on the drive.

According to Fujitsu, "the key …

Cyberprotest of CNN called off (for now)

Late Friday, leaders of the Revenge of the Flame called off a planned denial-of-service attack on CNN.com, according to The Dark Visitor, a Web site that follows Chinese computer hacker activity.

"Our original plan for 19 April has been canceled because too many people are aware of it, and the situation is chaotic," cyberprotest organizers said in a statement. "At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready."

However, early Saturday morning, a post on The Dark Visitor contained detailed plans for various Revenge of the Flame participants, …

PayPal considers blocking browsers

PayPal is seriously considering blocking some browsers from accessing its site, according to a paper (PDF) available to shareholders.

Titled "A Practical Approach to Managing Phishing," the paper admits that there's no one silver bullet to prevent fraudsters from making money on the Internet. However, authors Michael Barrett, PayPal's chief information security officer, and Dan Levy, the company's senior director of risk management for Europe, say companies could and should start addressing five specific areas:

Prevent fraudulent e-mail from getting into users' in-boxes

Prevent phishing sites by shutting them down

Authenticate users so that stolen …

Researcher: Wii and iPhone browsers could allow phishing

In a paper (PDF) presented at the Usability, Psychology, and Security Conference 2008 in San Francisco, researchers from the University of California at Davis warned that browsers within popular electronic gadgets often eliminate important security features available on desktop browsers.

Researchers Yuan Niu, Francis Hsu, and Hao Chen looked at the Mobile Safari browser in Apple iPhone, as well as the Opera browser included in the Nintendo Wii and DS gaming systems. In general, they cited the reliance on screen typing as a deterrent to typing in known URLs. They said users are more likely to click on URLs presented …

Cyberprotests planned in support of China

Several groups of Internet organizers plan to show on Saturday that they can mobilize patriotic Chinese Internet users and wield their influence worldwide against what they say is anti-Chinese media in the Western world.

The Dark Visitor, a site that tracks the activities of Chinese computer hackers, is reporting that a distributed denial-of-service (DDoS) attack on CNN.com is planned for 8 p.m. Beijing time, or 5 a.m. PT in the United States.

But the organizers themselves (Google translated page) appear to be waffling, and Jose Nazario of Arbor Networks reports that there has been little preattack activity …

Women more likely to give up passwords than men

What would it take to get you to give up your office network password to a total stranger? In London, women were more likely than men to give over their password for a piece of chocolate, say researchers for Infosecurity Europe.

The survey was conducted among 576 office workers contacted outside the Liverpool Street Station in London. The good news is that, overall, just 21 percent of those questioned would give up their password, with 45 percent of women saying yes versus 10 percent of men. Last year, 64 percent of people surveyed said they were prepared to give away their passwords …