Planet Security

Not entirely sure what the thought process was of John Roth who, after being warned, still travelled to China with a laptop containing military data relating to drones…and then shared said information with a Chinese and Iranian student.

Um, yeah.

From Scientific American:

John Reece Roth, 71, a prominent plasma physicist was sentenced to four years in prison for 18 counts of conspiracy, wire fraud and violations of the Arms Export Control Act, after he allowed a Chinese graduate student to see sensitive information on Unmanned Air Vehicles (UAVs), also known as drones.

“The illegal export of restricted military data represents a serious threat to national security,” David Kris of the U.S. Department of Justice, said in a statement, “We know that foreign governments are actively seeking this information for their own military development. Today’s sentence should serve as a warning to anyone who knowingly discloses restricted military data in violation of our laws.”

Only 4 years? I think he got off easy.

Article Link

“I shall conclude this paper with a specimen of such writing,” he boasted, “which I may safely defy the united ingenuity of the whole human race to decypher to the end of time….”

I think what I really like about this story is how a mathematician bothered to send his new ciphertext to the author of Virginia's statue on religious liberty (as our third President preferred to be remembered). Having just finished Steven Johnson's very enjoyable "The Invention of Air," I'm struck by how broadly engaged with science and the useful arts the founders were. I think that sending an encrypted letter to President Obama would get you ... well, I don't really want to think about it, having just read the Declaration.

Tonight I started thinking that one of the biggest problems affecting IT today is the lack of a clearly defined terminology (both terms and acronyms). Sure certain things have had standardization (CPE comes to mind as a great example) but generally terms are not common across the board. Let's consider a few examples.

VM - Do I mean Vulnerability Management or Virtual Machine? Depending on the industry it could mean either or both.
FP - Do I mean Fingerprint or False Positive? Again, the industry dictates the meaning or both meanings.

There was a period of time where people referred to Cross Site Scripting as CSS... occasionally I still see it places. How about RE? I'm sitting here looking at the spine of 'Reverse Engineering Code with IDA Pro'. The spine says 'RE Code with IDA Pro' but RE commonly refers to regular expressions as well. The list goes on and on, and I think it is a problem that hurts us across the industry. Now miscommunication may not occur because there's generally context around the term but it can happen. I think the bigger issue is misrepresentation outside of the industry. This could be outside of IT, or could be within disciplines of IT.

Take, for example, this blog post on the SecuriTeam blog. The title is 'Mysql authentication bypass'. I was rather excited when I saw the title in my feed reader, I thought that someone had found a way to bypass authentication and access the MySQL database directly. It turns out this wasn't the case. Instead it was talking about a method of SQL Injection that will bypass many filters/IDS and works only against MySQL, it was also a discussion that was 6 months old. A comment pointed out that this wasn't a MySQL Authentication Bypass and I tend to agree, the author disagreed in the comments.

As I see it, an Authentication Bypass is when you are bypassing the authentication process into software or a website. Prefixing it with MySQL leads me to believe we are bypassing the authentication process in mysqld. SQL Injection is so much more than simply bypassing authentication, and at the same time bypassing a filter/IDS is so much less than SQL Injection. The author of the blog post was fairly insistent that he'd titled the blost properly yet I think this is a prime example of terminology failing us.

Is there a way for us to work around this issue, or will it always exist?

EC-Council Awarded More NSA CNSS Certifications

EC-Council Courseware for Certified Ethical Hacker (C|EH), Computer Hacking Forensics Investigator (C|HFI), Disaster Recovery Professional (E|DRP), Certified Security Analyst (E|CSA) and Licensed Penetration Tester (L|PT) Courseware has been certified at the highest national level by the Committee of National Security Systems (CNSS).

The CNSS is a federal government entity under the U.S. Department of Defense that provides procedures and guidance for the protection of national security systems. The NSA certified these programs as meeting the CNSS 4012, 4013A, 4014, 4015 and 4016 training standards for information security professionals in the federal government.

Read more HERE.

Who says business people don't understand security? The former marketing firm for Steak 'n Shake has executed a DoS, the Varnson Group is holding Steak n Shake's website hostage in a payment dispute.

The Varnson Group signed a $4.36 million, 26-month contract in mid-November, with just over half of that to be paid in Steak n Shake stock. Steak n Shake terminated the deal in early February. 

The lawsuit filed by Steak n Shake March 3 in Indianapolis doesn’t go into why the company and Varnson split. Rather, it deals with the aftermath of the breakup. Steak n Shake claims the agency is refusing to turn over myriad proprietary material, including data, Steak n Shake’s marks, promotional materials, photographs, coupon templates and other print advertisement templates. 

Additionally, Steak n Shake claims The Varnson Group refuses to release a Web site domain name where customers can access and print online coupons. Steak n Shake is seeking unspecified damages and return of the proprietary information. 

Product Description
Prepare for the CEH certification exam with this official review guide and learn how to identify security risks to networks and computers. This easy-to-use guide is organized by exam objectives for quick review so you’ll be able to get the serious preparation you need for the challenging Certified Ethical Hacker certification exam 312-50. As the only review guide officially endorsed by EC-Council, this concise book covers all of the exam objectives and includes a CD with a host of additional study tools.

From the Back Cover
Prepare for the CEH certification exam with this official review guide

Learn how to identify security risks to networks and computers and get the serious preparation you need for the challenging Certified Ethical Hacker certification exam 312-50. The only review guide officially endorsed by EC-Council, this concise book covers all of the exam objectives and includes a CD with a host of additional study tools.

• Easy-to-use book is organized by exam objectives for quick review
• Flexible review guide goes hand-in-hand with any learning tool on the market
• "Exam Essentials" in each chapter helps you zero in on what you need to know
• Book includes over 300 review questions and practice tools

Look inside for complete review coverage of all exam objectives for CEH exam 312-50.

Featured on the CD

SYBEX TEST ENGINE
Test your knowledge with advanced testing software. Includes bonus exams and glossary.

ELECTRONIC FLASHCARDS
Reinforce your understanding with flashcards that can run on your PC, Pocket PC, or Palm handheld.

Click Here for more information or to buy from Amazon.com

Sorry, next tweet: go impose some law or order or something, and it was done.

Well, as it often turns out, there was more to it than fits in 140 characters, and the real story is far more complicated. There's a good write up from StratFor, "The Real Struggle in Iran and Implications for U.S. Dialogue:"

This is because the real struggle in Iran has not yet been settled, nor was it ever about the liberalization of the regime. Rather, it has been about the role of the clergy — particularly the old-guard clergy — in Iranian life, and the future of particular personalities among this clergy.

[...]

The key to understanding the situation in Iran is realizing that the past weeks have seen not an uprising against the regime, but a struggle within the regime. Ahmadinejad is not part of the establishment, but rather has been struggling against it, accusing it of having betrayed the principles of the Islamic Revolution. The post-election unrest in Iran therefore was not a matter of a repressive regime suppressing liberals (as in Prague in 1989), but a struggle between two Islamist factions that are each committed to the regime, but opposed to each other.

brianjo posted a photo:

When AV attacks

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attack their core system files. In some cases, this caused the machines to display the dreaded blue screen of death.…

Case Study: WhatsUp keeps Legoland turnstyles ringing

Apple patching serious SMS vulnerability on iPhone: Via computerworld.

Apple may be working to fix an iPhone vulnerability that could possibly allow an attacker to remotely install and run unsigned software code with root access to the phone.

The theoretical attack in question exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service), said security researcher Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday. He didn't provide a detailed technical description of the SMS vulnerability.

Miller, the principal security analyst at Independent Security Evaluators, is an authority on MacOS X security, and is a co-author of The Mac Hacker's Handbook. He and another security researcher, Colin Mulliner, discovered the SMS vulnerability together.

An SMS flaw might allow an attacker to run software code on the phone that is sent by SMS over a mobile operator's network. In Miller's case, it appears he used the flaw he found to remotely crash an iPhone, a sign that a more serious attack might be possible.

"I don't have a working exploit for it, just a suspicious looking crash," Miller said.  read more »

Office squid.

Office squid.

Office squid.

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don't get visual feedback from what they're typing, they're more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

• Users get pissed off.
• Users are more likely to choose easy-to-type passwords, reducing both mistakes and security. Removing password masking will make people more comfortable with complicated passwords: they'll become easier to memorize and easier to use.

The benefits of password masking are more obvious:

• Security from shoulder surfing. If people can't look over your shoulder and see what you're typing, they're much less likely to be able to steal your password. Yes, they can look at your fingers instead, but that's much harder than looking at the screen. Surveillance cameras are also an issue: it's easier to watch someone's fingers on recorded video, but reading a cleartext password off a screen is trivial.

  In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers. You might not trust the person standing next to you enough to let him see your password, but don't feel comfortable telling him to look away. Password masking solves that social awkwardness.

• Security from screen scraping malware. This is less of an issue; keyboard loggers are more common and unaffected by password masking. And if you have that kind of malware on your computer, you've got all sorts of problems.

• A security "signal." Password masking alerts users, and I'm thinking users who aren't particularly security savvy, that passwords are a secret.

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I'm thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There's a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry's solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords, I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don't get visual feedback from what they're typing, they're more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

• Users get pissed off.
• Users are more likely to choose easy-to-type passwords, reducing both mistakes and security. Removing password masking will make people more comfortable with complicated passwords: they'll become easier to memorize and easier to use.

The benefits of password masking are more obvious:

• Security from shoulder surfing. If people can't look over your shoulder and see what you're typing, they're much less likely to be able to steal your password. Yes, they can look at your fingers instead, but that's much harder than looking at the screen. Surveillance cameras are also an issue: it's easier to watch someone's fingers on recorded video, but reading a cleartext password off a screen is trivial.

  In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers. You might not trust the person standing next to you enough to let him see your password, but don't feel comfortable telling him to look away. Password masking solves that social awkwardness.

• Security from screen scraping malware. This is less of an issue; keyboard loggers are more common and unaffected by password masking. And if you have that kind of malware on your computer, you've got all sorts of problems.

• A security "signal." Password masking alerts users, and I'm thinking users who aren't particularly security savvy, that passwords are a secret.

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I'm thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There's a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry's solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords, I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don't get visual feedback from what they're typing, they're more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

• Users get pissed off.
• Users are more likely to choose easy-to-type passwords, reducing both mistakes and security. Removing password masking will make people more comfortable with complicated passwords: they'll become easier to memorize and easier to use.

The benefits of password masking are more obvious:

• Security from shoulder surfing. If people can't look over your shoulder and see what you're typing, they're much less likely to be able to steal your password. Yes, they can look at your fingers instead, but that's much harder than looking at the screen. Surveillance cameras are also an issue: it's easier to watch someone's fingers on recorded video, but reading a cleartext password off a screen is trivial.

  In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers. You might not trust the person standing next to you enough to let him see your password, but don't feel comfortable telling him to look away. Password masking solves that social awkwardness.

• Security from screen scraping malware. This is less of an issue; keyboard loggers are more common and unaffected by password masking. And if you have that kind of malware on your computer, you've got all sorts of problems.

• A security "signal." Password masking alerts users, and I'm thinking users who aren't particularly security savvy, that passwords are a secret.

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I'm thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There's a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry's solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords, I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.

Blue grass county hit by Trojan-fueled cybercrime

A gang of cybercrooks has made off with $415,000 from the coffers of Bullitt County, Kentucky following the conclusion of an elaborate phishing scam, The Washington Post reports.…

Infosecurity.US wishes all a safe, happy and fun Independence Day July 4th, 2009.

Visit the Charters of Freedom!

Oracle Corporation (NasdaqGS: ORCL) has announced the release of several patches to the software giant’s Enterprise Linux branded distribution. Ranging from relatively trivial user application updates to critical kernel level security patches, this is a great way to end the week, before a holiday weekend no less… We suggest a thorough examination of the list to determine your patching requirements and to align this patch set with your change management policy. Oracle Enterprise Linux is a variant of RED HAT, INC.’s (NYSE: RHT)  Red Hat Enterprise Linux OS. Additional information - including release notes and linkage - appears, after the jump

Enterprise Linux Security Advisory ELSA-2009-1134

https://rhn.redhat.com/errata/RHSA-2009-1134.html

The following updated rpms for Enterprise Linux 4 have been uploaded to the Unbreakable Linux Network:

i386:
seamonkey-1.0.9-44.0.1.el4_8.

Blue grass county hit by Trojan-fueled cybercrime
A gang of cybercrooks has made off with $415,000 from the coffers of Bullitt County, Kentucky following the conclusion of an elaborate phishing scam, The Washington Post reports.…
Case Study: WhatsUp keeps Legoland turnstyles ringing

Read more…

¡Ay, Caramba!

Hackers have invaded the Best Buy website to plant exploit code targeted at South and central American surfers.…

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that's "not toxic or anything?" It's not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn't take terrorists to make this happen.

Blocking the release of this information doesn't protect the citizens of the United States in any way. It's just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that "blurs" national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack -- the shoe bombers of the world -- above our right to know what's going on around us so that we can make informed decisions. The same secrecy that defends torturers.

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that's "not toxic or anything?" It's not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn't take terrorists to make this happen.

Blocking the release of this information doesn't protect the citizens of the United States in any way. It's just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that "blurs" national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack -- the shoe bombers of the world -- above our right to know what's going on around us so that we can make informed decisions. The same secrecy that defends torturers.

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that's "not toxic or anything?" It's not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn't take terrorists to make this happen.

Blocking the release of this information doesn't protect the citizens of the United States in any way. It's just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that "blurs" national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack -- the shoe bombers of the world -- above our right to know what's going on around us so that we can make informed decisions. The same secrecy that defends torturers.

Two papers for smaller businesses

Typically, vendor white papers are written with the ITDM or senior ITDM at a large company, in mind. [ITDM is industry jargon for "IT decision maker", since you ask.] People working at smaller companies are rather less well served, in quantity and quality. So today we focus our Reg Library selection on a couple of good papers aimed at small and medium-sized businesses.…

Case Study: WhatsUp keeps Legoland turnstyles ringing

Drive-by download attack hits multiple hosts

Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.…

On 03/07/09 At 09:50 AM