Infosecurity weekly brief - September 15, 2009

Breaches

A security researcher has found an SQL injection vulnerability in the web site of RideMatch.Info, a car pooling website that allows Californians to organise rides into work. The bug gave hackers access to sensitive information including names, home addresses and commute times.

Net luminary Robert Scoble was one of many people whose WordPress websites were hacked after villains found a flaw in the code distributed by the community project. Upgrade now, says WordPress.

DuPont has apparently found a case of industrial espionage for the second time in two years. The case again involves a Chinese-born worker who was allegedly about to return to China with company secrets.

California-based Ferma Corp was robbed of US$447 000 by online crooks who used a combination of money mules and a probable online banking trojan to siphon off the cash.

Chase Bank had to notify customers of a data breach after a computer tape with personal information went missing from a third-party vendor's care. It won't say how many customers are affected, what types of information were on the tape, or whether it was encrypted.

Threats

University researchers have discovered that security could be breached in cloud computing environments by launching attacks between virtual machines.

SANS has found a blue screen of death attack affecting Windows Vista, Windows Server 2008, and Windows 7. And Sunbelt has documented the attack in its Vista security newsletter, which it has just renamed to Win7News.

Panda Labs has documented the most dangerous computing malware programs of the last 20 years. And a new site called the Malware Distribution Project - the equivalent of those weapons labs that still keep small batches of smallpox for old times' sake - has another 3 336 483 of them on ice. Let's hope that its online security is good.

The Polytechnical Institute of New York University is organising the 2009 cyber war games, a hacking challenge which will hopefully identify the next generation of security experts.

Protections

Both Microsoft and Cisco have released security updates designed to stop a TCP-based denial of service attack discovered around a year ago.

Apple's anti-phishing update to mobile Safari isn't working as it should, according to anti-malware firm Intego. Its researchers tested the tool and found that the iPhone lets through sites that the desktop version of the browser blocks. Still, that isn't stopping Apple from beefing up the rest of its security; the firm issued fixes for over 47 security bugs across its products last week.

VeriSign launched a distributed denial of service (DDoS) monitoring and mitigation service called the VeriSign Internet Defense Network.

Directions

NIST has published a report on how to measure cybersecurity.
