security posts on CNET - Page 284


Sony PlayStation site victim of SQL-injection attack

Early Wednesday, antivirus vendor Sophos reported that some visitors to the Sony PlayStation site may have been prompted to download an antivirus scanner.

Pages promoting the PlayStation games SingStar Pop and God of War contained SQL-injected code. Visitors to those specific game pages would see a fake antivirus scan, then a message that their computer was infected with different viruses and Trojan horses. Warned, the user would then be asked to purchase the scanner to remove the bogus malware.

The injected code linking to the scanner has since been removed.

Sophos said the attack could have downloaded malicious payloads, but … Read more

IE 8 to have antimalware protection

On Wednesday, Microsoft announced new security features within the upcoming release of Internet Explorer 8 Beta 2. The features are designed to combat the rising tide of drive-by downloads and malicious scripts contained within carefully crafted links embedded in e-mail and Web pages. Most of the new features require systems to be running Windows Vista SP1 or Windows XP SP3.

Perhaps the most anticipated addition is Internet Explorer's new antimalware protection. Opera 9.5 and Firefox 3 both recently added antimalware protection. Safari has so far not announced plans for similar protection. Using mostly its own antimalware technology, Microsoft … Read more

PINs stolen from Citibank ATMs

We all worry about keeping our online passwords safe from prying eyes. But now our faith in ATM PIN codes is being shaken.

Three people face charges in federal court in New York for allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes, according to court filings reported on by The Associated Press on Tuesday.

The alleged thieves made off with about $2 million between October 2007 and March of this year. Officials believe they remotely broke into the back-end computers that approve cash withdrawals and grabbed the PINs as they were being transmitted from … Read more

Researchers: 637 million browser users at risk

A group of researchers on Tuesday said 637 million Web users are surfing with outdated Internet browsers and are therefore at greater risk of Web-based attacks.

Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed the browsers used in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

Overall the authors found that … Read more

McAfee reports on spam in the real world

Taking a cue from Morgan Spurlock, who lived on fast food for 30 days in the Super Size Me documentary, McAfee gathered volunteers from around the world who would, for one hour a day, surf the Internet, signing up for various newsletters and filling in various forms. As they did so, the participants were asked to blog about their experiences.

On Tuesday, McAfee released the results of the experiment it called S.P.A.M., or Spammed Persistently All Month.

Over the course of the month, McAfee's test subjects accumulated 104,000 spam messages, or roughly 70 per day per … Read more

Security Bites 106: McAfee plays with spam

McAfee released on Tuesday the results of a monthlong spam experiment. The security company provided 50 people worldwide with a clean laptop armed only with antivirus protection (no anti-spam protection) and a brand new domain for e-mail. McAfee then asked them to surf the Net and blog about their experiences.

Within the first 24 hours, the individuals received their first spam e-mail in the S.P.A.M. (Spammed Persistently All Month) Experiment.

Over the course of 30 days, McAfee's test subjects accumulated 104,000 spam e-mails, or roughly 70 spam messages per day per recipient. Put another way, … Read more

U.K. scientists demo graphic passwords

Think it's tough coming up with memorable yet secure letter/number combo passwords? Wait until you have to think of something to draw.

A system devised by computer scientists at Newcastle University in the U.K. uses human-scribbled doodles in lieu of traditional passwords.

Don't worry. One need not be the next Picasso for the graphic passcode system to work.

The Background Draw-a-Secret (BDAS) system, developed by Jeff Yan, a computer science lecturer at the School of Computing Science at Newcastle University, and graduate student Paul Dunphy, lets people choose from a selection of base images.

The image … Read more

Google Calendar now the target of phishers

Updated Tuesday at 9:10 a.m. with Google comment.

A few months ago, spam came to Google Calendar. Now phishing has arrived.

Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.

He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as "customer care," and it asked him to verify his account by supplying his username and password.

"We are having congestions (sic) due to the anonymous registration of Gmail accounts, so we … Read more

'World of Warcraft' to sell token device for added security

The makers of World of Warcraft are offering players of the online role-playing game an optional layer of security in the form of an electronic token device called Blizzard Authenticator designed to prevent unauthorized access to an account.

The lightweight device, which fits on a keyring, provides a unique, one-time six-digit numeric code that the account holder includes when logging in. It is used in addition to a password and account name.

It was offered to attendees at the 2008 Blizzard Entertainment Worldwide Invitational in Paris over the weekend and will be available for $6.50 through Blizzard's online … Read more

SecureWorks unmasks the Coreflood Trojan

On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.

According to a blog by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently viewed by its author as corporate software that can be tweaked as business needs change. For example, over the last six years, Coreflood has evolved from initiating distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.

With the help of Spamhaus, … Read more