Weekly Brief, April 13, 2010

The SANS Institute released its Investigative Forensic Toolkit (SIFT) Workstation 2.0, a virtualized workstation environment that bundles most open source and free forensic tools into a single package. And Mavituna has released a free community version of its Netsparker scanning tool, which lets manual penetration testers use a discovered weakness as a pivot for further exploits.

Tyler Reguly, a researcher at nCircle, published a white paper detailing a new category of cross-site scripting attack called 'meta-information XSS'. But not all attacks are intentional: bad routing data from a small Chinese ISP, IDC China Telecommunication, was re-announced by China's state telecommunications company and then propagated around the world, disrupting networks in many countries.

This week was a busy one in the courts. Countrywide Financial is being targeted by a $20 million class-action lawsuit by customers angry over the 2008 data breach that enabled company insiders to steal their personal information. The New Jersey Supreme Court upheld a ruling that says companies do not have the automatic right to read emails sent from their computers by employees. The ruling came after an appeal by Loving Care Agency, after a nursing manager working there communicated with her lawyer via a private, password-protected web account.

Koobface is the gift that just keeps on giving. The worm is circulating in a new round of emails, according to researchers at anti-malware vendor ESET. And malware wasn't just a problem on the desktop either: F-Secure reported a malicious Windows Mobile game that covertly makes expensive phone calls. 3D Anti-terrorist Action was produced by a Chinese company but was adapted by a Russian malware author, who inserted a trojan and uploaded the compromised version to several freeware download sites.

In Connecticut, the Department of Environmental Protection shut down its No Child Left Inside website, which was established to encourage families to get their children playing outside. The website had been hacked, although no financial information or Social Security numbers were stored on it, the Department said. And in Atlanta, officials were investigating a security breach, which led to the personal information of 1000 fire rescue employees being posted on the Internet.