security

Can't believe Congress blames P2P for security problems? Neither can tech bloggers

CNET News.com writers Anne Broache and Declan McCullagh Wednesday produced a piece of Capitol Hill reporting whose central subject is a recent legislative gambit regarding peer-to-peer file-sharing applications.

"Politicians call peer-to-peer networks a 'national security threat' because they enable federal employees to accidentally share sensitive or classified documents."

The subject has been burning up blogwaves and comments sections all over the Web.

The general consensus among network geeks, security pundits and other observers seems to be that the U.S. Government should be way more cautious in its internal security practices and not try to pin the …

Mobile carriers' message: In SMS spam, users pay

My father's Motorola E815 from Verizon is suffering chronic SMS, or text message, spam. At first, the unwanted messages trickled in--religious messages with pictures of saints one time, pharmaceutical marketing another. Then the spam rate escalated. After one spammy text message yesterday and two this morning, Dad decided he wanted out.

"Out" in his case, and in the case of most North American mobile phone users, is as much about the phone bill as it is receiving unwanted texts. Service providers like Verizon and T-Mobile charge for inbound and outbound SMS activity, either per message, generally 10 cents to 15 cents per outgoing text message, or as part of a larger service, usually between $5 and $10 more per month depending on the plan. Data downloads cost extra too, so spam texts with image attachments ratchet up the bill. "This was becoming an expensive habit," says Dad.

The kicker, of course, is that it's not his habit.…

Annual Pwnie Awards nominations open

An ad hoc group will be presenting the Annual Pwnies awards at this year's Black Hat. The categories include Best Server-Side Bug, Best Client-Side Bug, Mass 0wnage, Most Innovative Research, Lamest Vendor Response, Most Overhyped Bug, and, yes, Best Song. Nominations can be submitted by category here. Final judges include Dave G, Mark Dowd, Dino Dai Zovi, HD Moore, Dave Aitel, Halvar Flake, and Alexander Sotirov. The awards will be announced on Thursday, August 2, 2007.

Artie MacStrawman Lives!

You all remember Artie MacStrawman, don't you? Well, if you don't, Computerworld's Greg Keizer can reacquaint you with our old friend.

Criticism from Mac users and other security researchers was almost immediate, with the former focusing on crude insults and the latter concentrating on InfoSec's refusal to identify himself or herself, or prove that the worm existed.

Oh, no, you dih-unt!

The latter group questioned InfoSec's motives and the veracity of his or her claims.

And the former group said "Poopy ka-ka boobies monkey butt!"

"Let's see this worm deliver a …

iPhone vulnerability announced

Researchers at Independent Security Evaluators have announced at least two exploits that take advantage of the way the Apple iPhone opens a specially crafted Web page in Safari. Exact details of the vulnerability exploited will have to wait until a presentation at the end of next week's Black Hat conference in Las Vegas. However, some general information has been offered here.

In a preliminary draft of the Black Hat presentation, ISE researchers Charlie Miller, Jake Honoroff, and Joshua Mason note that there are "serious problems with the design and implementation of security on the iPhone," and they …

A Russian 'cybergangster' speaks

In an interview posted on SecurityFocus, a person identifying himself as "DCT" denied that there is a cybergang responsible for creating the MPack tool, a package of malicious software responsible for the latest wave of PC compromises.

"We are just a group of people working together, but doing some illegal business," he said. He also denied any contact with real-world Russian criminals. He said the "Dream Coders Team" (DCT) consists of three people, plus a few other freelancers. The developers are all Russian, while the others are from various countries. He said $ash, an …

Nevada governor accidentally posts Outlook password

If you ever wanted to be Nevada's governor for a day, it doesn't seem to be that hard.

In what could be a whopping security hole, Nevada has posted the password to the gubernatorial e-mail account on its official state Web site. It appears in a Microsoft Word file giving step-by-step instructions on how aides should send out the governor's weekly e-mail updates, which has, as a second file shows, 13,105 subscribers.

The Outlook username is, by the way, "governor" and the password is "kennyc". We should note at this point that …

News of a Mac OS X worm incites death threats and intrigue

A soap opera is playing out on the mailing lists of several security newsgroups this morning, complete with people hiding behind pseudonyms, people "outing" one another and rumors of death threats against the major players. At stake? A possible worm for Apple's Mac OS X operating system.

Over the weekend, someone using the name Infosec Sellout posted on the BugTraq mailing list news of a worm exploiting a vulnerability in mDNSResponder, a component of Apple's Bonjour automatic network service. Apple patched the mDNSResponder vulnerability in May, but the author claims there remains an unpatched vulnerability. The …

Latest Firefox 2.0.0.5 update fixes nine flaws

Today, Mozilla patched nine vulnerabilities, including the Firefox portion of the Internet Explorer-Firefox flaw identified last week. That flaw occurs when IE passes malformed URLs to another application, such as another browser. Mozilla wrote, "this fix only prevents Firefox and Thunderbird from accepting bad data." And it stated in boldface, "this patch does not fix the vulnerability in Internet Explorer."

This security update also addresses known issues involving browser crashes, privilege escalation, and cross-site scripting vulnerabilities. Current users of Firefox 2.0.0.4 or earlier will be automatically prompted to install the new …

Mobile security saves you from yourself

A cheesy, old security riddle goes like this: how do you protect your bagels? Put lox (locks) on them. Ha, ha. Ha. I can see you rolling your eyes, and I understand. Smack-you-over-the-head Brooklyn humor isn't for everyone. Yet when the nitty gets gritty, this easy-as-smoked-salmon-pie security technique must not be as obvious for mobile phone users as it should be, because although mobile attacks have been steadily rising, users have been more interested in games, ringtones, and customization apps for their PDAs than in protecting mobile data. (See the related CNET News.com article.)

Last December, I put together a little something with tips on how to secure your wireless mobile device. I've updated that below, because it never hurts to rediscover some good security "lox."…