Mar 5 2009

State of Colorado Calls Firefox Insecure, IE6 Safe

linuxkrn writes “The State of Colorado’s Office of Technology (OIT) has set up a work skills website. The problem is that the site says ‘DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.’ (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?”

Read more of this story at Slashdot.


Mar 5 2009

No Patch For Excel Zero-Day Flaw

CWmike writes “Microsoft said today that it will deliver three security updates on Tuesday, one of them marked ‘critical,’ but will not fix an Excel flaw that attackers are now exploiting. ‘It doesn’t look like we’re going to see patches for any open Microsoft security advisories,’ said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. ‘I’m not really surprised that the Excel vulnerability won’t be patched, what with the timeline,’ said Storms, ‘but the others have been open for a long time.'”


Mar 3 2009

Tigger.A Trojan Quietly Steals Stock Traders’ Data

$tarDu$t recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-066 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. “Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. … Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles… this is most likely done because the in-your-face ‘hey, your-computer-is-infected-go-buy-our-software!’ type alerts generated by such programs just might… lead to all invaders getting booted from the host PC.”


Mar 2 2009

Google NativeClient Security Contest

An anonymous reader writes “You may remember Google’s NativeClient project, discussed here last December. Don’t be fooled into calling this ActiveX 2.0 — rather than a model of trust and authentication, NaCl is designed to make dangerous code impossible by enforcing a set of rules at load time that guarantee hostile code simply cannot execute (PDF). NaCl is still in heavy development, but the developers want to encourage low-level security experts to take a look at their design and code. To this end Google has opened the NativeClient Security Contest, and will award prizes topping out at $2^13 to top bug submitters. If you’re familiar with low level security, memory segmentation, accurate disassembly of hostile code, code alignment, and related topics, do take a look. Mac, Linux, and Windows are all supported.”

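The load-time rules the submission alludes to can be made concrete with a toy validator. This is an added example written for this page, not Google's code and not NaCl's actual x86 validator: the seven-opcode instruction set in the ISA table is constructed for the example, but the checks mirror the four properties the NaCl paper relies on: linear disassembly in which no instruction straddles a 32-byte bundle (so the validator and the CPU see the same instruction stream), no privileged opcodes, direct jumps only to instruction boundaries, and indirect jumps only through an and-mask plus jump pseudo-instruction that keeps every computed target bundle-aligned and cannot be entered halfway. Address-space confinement (NaCl's use of segmentation) is not modelled here.

```python
"""Toy load-time code validator in the spirit of the NaCl rules (example, not NaCl code)."""
from dataclasses import dataclass
from typing import List

BUNDLE = 32  # NaCl uses 32-byte bundles on x86; same size assumed here

# Constructed toy ISA for this example (not x86): opcode -> (mnemonic, total length)
ISA = {
    0x00: ("nop", 1),
    0x01: ("mov", 5),      # mov r, imm32
    0x02: ("jmp", 3),      # jmp abs16 (direct jump, little-endian target)
    0x03: ("andmask", 1),  # r &= ~(BUNDLE-1): forces r to a bundle boundary
    0x04: ("jmpr", 1),     # jmp r (indirect jump through register)
    0x05: ("syscall", 1),  # privileged: never allowed in untrusted text
    0x06: ("hlt", 1),
}
FORBIDDEN = {"syscall"}


@dataclass
class Insn:
    off: int
    mnemonic: str
    length: int
    operand: bytes


def disassemble(text: bytes) -> List[Insn]:
    """Linear disassembly from offset 0; raises on an unknown or truncated opcode."""
    insns, off = [], 0
    while off < len(text):
        op = text[off]
        if op not in ISA:
            raise ValueError(f"unknown opcode {op:#04x} at {off:#x}")
        mnem, ln = ISA[op]
        if off + ln > len(text):
            raise ValueError(f"truncated {mnem} at {off:#x}")
        insns.append(Insn(off, mnem, ln, text[off + 1:off + ln]))
        off += ln
    return insns


def validate(text: bytes) -> List[str]:
    """Return the list of rule violations; an empty list means the text is accepted."""
    errors = []
    if len(text) % BUNDLE != 0:
        errors.append("text length is not a whole number of bundles")
    try:
        insns = disassemble(text)
    except ValueError as e:
        return errors + [str(e)]
    starts = {i.off for i in insns}
    for idx, ins in enumerate(insns):
        end = ins.off + ins.length - 1
        # Rule 1: no instruction crosses a bundle boundary, so every bundle start is
        # an instruction start and the linear disassembly is the only possible one.
        if ins.off // BUNDLE != end // BUNDLE:
            errors.append(f"{ins.mnemonic} at {ins.off:#x} crosses a bundle boundary")
        # Rule 2: no privileged / unsafe instructions anywhere in the text.
        if ins.mnemonic in FORBIDDEN:
            errors.append(f"forbidden {ins.mnemonic} at {ins.off:#x}")
        # Rule 3: direct jumps land on instruction boundaries inside the text and
        # never on the second half of the andmask+jmpr pseudo-instruction.
        if ins.mnemonic == "jmp":
            target = int.from_bytes(ins.operand, "little")
            if target not in starts:
                errors.append(f"jmp at {ins.off:#x} targets {target:#x}, not an instruction start")
            elif text[target] == 0x04:
                errors.append(f"jmp at {ins.off:#x} targets the interior of an andmask+jmpr pseudo-instruction")
        # Rule 4: an indirect jump must be immediately preceded by andmask in the
        # same bundle. With Rule 1 this guarantees the masked target is a bundle
        # start, hence a real instruction start, and the mask cannot be skipped.
        if ins.mnemonic == "jmpr":
            prev = insns[idx - 1] if idx > 0 else None
            if prev is None or prev.mnemonic != "andmask" or prev.off // BUNDLE != ins.off // BUNDLE:
                errors.append(f"jmpr at {ins.off:#x} not guarded by andmask in the same bundle")
    return errors


def pad(body: bytes) -> bytes:
    """Pad with nops to a whole number of bundles, as a NaCl-style toolchain would."""
    return body + b"\x00" * (-len(body) % BUNDLE)


if __name__ == "__main__":
    good = pad(bytes([0x01, 0, 0, 0, 0, 0x03, 0x04, 0x06]))      # mov; andmask; jmpr; hlt
    bad = pad(bytes([0x02, 0x07, 0x00, 0, 0, 0, 0x03, 0x04, 0x06]))  # jmp straight to the jmpr
    print("good:", validate(good))
    print("bad: ", validate(bad))
```

Run against the constructed samples in the `__main__` block, the first text is accepted and the second is rejected because the direct jump would bypass the mask. The design point the contest invites people to attack is that each rule is a purely static, local check over a disassembly the validator has forced to be unambiguous; the classic ways to break such a scheme are an instruction that decodes differently when entered at an unexpected offset, or a control transfer the rules fail to cover.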

Mar 2 2009

Obama Stimulus Pours Millions Into Cyber Security

nandemoari writes “As his administration continues to work on a stimulus plan that can save America’s economy, Obama’s latest course of action will see millions of dollars being allocated to heighten cyber security. The move will assist government officials in preventing future attacks on the United States. The President recently addressed his 2010 budget, outlining funding plans that will grant the Department of Homeland Security 5 million to secure the nation’s most essential computer systems. The money will be spent on both government and private groups, with much of the funding going to the National Cyber Security Division and the Comprehensive National Cyber Security Initiative programs.”


Mar 1 2009

Obama Helicopter Security Breached By File Sharing

Hugh Pickens writes “A company that monitors peer-to-peer file-sharing networks has discovered a potentially serious security breach involving President Barack Obama’s helicopter. ‘We found a file containing entire blueprints and avionics package for Marine One, which is the president’s helicopter,’ says Bob Boback, CEO of Tiversa, a security company that specializes in peer-to-peer technology. Tiversa was able to track the file, discovered at an IP address in Tehran, Iran, back to its original source. ‘What appears to be a defense contractor in Bethesda, Md., had a file-sharing program on one of their systems that also contained highly sensitive blueprints for Marine One,’ says Boback, adding that someone from the company most likely downloaded a file-sharing program, typically used to exchange music, without realizing the potential problems. ‘I’m sure that person is embarrassed and may even lose their job, but we know where it came from and we know where it went.’ Iran is not the only country that appears to be accessing this type of information through file-sharing programs. ‘We’ve noticed it out of Pakistan, Yemen, Qatar and China. They are actively searching for information that is disclosed in this fashion because it is a great source of intelligence.'”


Feb 28 2009

Accessing Medical Files Over P2P Networks

Gov IT writes with this excerpt from NextGov: “Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. … The basic technology that runs peer-to-peer networks inadvertently exposed the files probably without the computer user’s knowledge, Johnson said. A health care worker might have loaded patient files onto a laptop, for example, and taken it home where a son or daughter could have downloaded a peer-to-peer client onto the laptop to share music.”


Feb 26 2009

Apple to further polish Leopard with 10.5.7 update

Apple this week is believed to have tapped its vast developer community to begin testing Mac OS X 10.5.7, a sizable maintenance and security update to the company’s Leopard operating system with a particular focus on syncing improvements.


Feb 26 2009

UK Politician Criticised For Using Hotmail

nk497 writes “The UK justice secretary Jack Straw has been criticised for using Hotmail as his official government email account after he apparently fell foul of a Nigerian spammer in a phishing attack. A security researcher said using such an account not only left the government in security trouble, but meant any emails sent could not necessarily be accessed via the Freedom of Information Act.”


Feb 25 2009

Survey: Fear Slows Cloud Computing Adoption – InformationWeek

A survey of 500 C-level executives and IT managers yields some interesting attitudes toward cloud computing. The bottom line is that while many business and technology managers see potential value in the cloud, fears over security and control are