Information Security week in review

XSS vulnerability in Skype could allow 3rd party to change passwords

Levent Kayan, a security consultant based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. The exploit works by inserting JavaScript into the "mobile phone" profile field, which could be used to hijack a user's session. ComputerWorld has the complete article.

Undersea communications cables are cut every 3 days

Robert Graham has an article over at Errata Security showing some of the landing points as well as links to resources in Oregon (I too grew up there) and news about Amazon, Facebook and Google setting up shop near the Bonneville Dam, but I don't see much in the way of facts or statistics regarding actual cuts. I'd be curious to see those.

Apple iOS 4.3.4 release & Jailbroken

On July 16th, Apple released version 4.3.4 of its mobile iOS software to fix a vulnerability in the PDF viewer, and within 12 hours the new release was already jailbroken.

FBI Arrests 14 in relation to Anonymous / PayPal case

On the 19th, I wrote an article on the news of 14 people being suspected of ties to the PayPal denial of service that occurred late last year.

  • one was an AT&T insider who provided internal docs
  • one hacked FL InfraGard DB and exposed member info
  • also, 1 arrested in London & 4 arrested in Netherlands

Anonymous Claims Hack of NATO, Sends Warning to FBI

ThreatPost has an article about:

The Internet hacker collective Anonymous claims to have breached the security of NATO's computer network and made off with roughly a gigabyte of “restricted material,” according to a message posted from a Twitter account belonging to the group.

Internet Activist Aaron Swartz Charged in M.I.T. Data Theft

Internet activist Aaron Swartz was an early "founding" member of Reddit and a Fellow at Harvard University's Center for Ethics.

Between September and January, Swartz allegedly contrived to break into a restricted computer wiring closet in an MIT basement and access MIT's network from a computer switch there, the DOJ said in a press release. Swartz, a fellow at Harvard University's Center for Ethics, targeted documents provided to MIT by Journal Storage (JSTOR), a nonprofit archive of scientific journals and academic work, the DOJ alleged.

For additional information, see ComputerWorld or The New York Times, among others.

BING DNS hijacked? SANS says it looks like it

On Wednesday 7/20, the SANS Handler on Duty Christopher Carboni seems to think something isn't quite right.

Three pizza chains ATMs hacked

Scott Thomas Anderson reports:

The rampant hacking of credit cards and ATM accounts that has hit Amador County is partly the result of “malicious software” installed at a Martell business, according to investigators from Amador County Sheriff’s office. Worse yet, six months of online victimization may not be over for some locals, particularly for those who entered Mountain Mike’s Pizza last winter without cash in their hands.
Sheriff’s officials updated reporters yesterday afternoon about a lengthy investigation into more than 70 cases of ATM/credit card fraud inundating its investigations bureau. Additional cases have also been reported to the Jackson Police Department. Undersheriff Jim Wegner said his detectives had been working closely with fraud units from several banks affected by the string of crimes, which began at the end of 2010 and gained an almost overwhelming momentum by February of this year.

Read more on Ledger Dispatch and DataBreaches.net.