Archive for September, 2010
Microsoft warns of in-the-wild attacks on web app flaw
by Knyaz on Sep.24, 2010, under News
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.
The vulnerability in the way ASP.NET apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.
Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warn that the attacks can be used to read and tamper with a system’s most sensitive configuration files.
‘Groundbreaking’ worm points to a state-backed effort, say experts
by Knyaz on Sep.17, 2010, under News
Is Stuxnet the ‘best’ malware ever?
The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.
“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.
O Murchu and Schouwenberg should know: They work for the two security companies that discovered that Stuxnet exploited not just one zero-day Windows bug but four — an unprecedented number for a single piece of malware.
Stuxnet, which was first reported in mid-June by VirusBlokAda, a little-known security firm based in Belarus, gained notoriety a month later when Microsoft confirmed that the worm was actively targeting Windows PCs that managed large-scale industrial-control systems in manufacturing and utility firms.
Google Confirms That It Fired Engineer For Breaking Internal Privacy Policies
by Knyaz on Sep.15, 2010, under News
Earlier today Gawker published an alarming report detailing the exploits of a former Google engineer who allegedly used his internal clearances to access private Gmail and GTalk accounts so that he could spy on and harass people, including four minors. The article repeatedly points out how much sensitive data the public has entrusted Google with, and highlights that the company’s internal security policies may not be enough to maintain that security should a trusted employee go rogue. Google has just responded to the article with this statement, and it doesn’t deny anything Gawker reported:
Employee charged with hacking computer with porn
by Knyaz on Sep.14, 2010, under News
It happened one day last year, as more than a dozen board members of a Baltimore substance abuse center had gathered around a conference room. The CEO was giving a PowerPoint presentation on his accomplishments.
Suddenly, his computer shut down, then restarted, replacing the latest slide on a 64-inch screen with an image of a naked woman. The board, which includes city officials and foundation heads, is chaired by Baltimore’s health commissioner.
Today, Baltimore’s State’s Attorney’s Office announced that a grand jury had indicted Walter Powell, 51, on charges of hacking into the computer system. They described him as a disgruntled worker who allegedly used his home computer to access the system, distribute confidential emails from his boss and break into the presentation.
Data center security needs rethinking: AFCOM
by Knyaz on Sep.14, 2010, under News
IT departments have been warned that their internal and external data center providers may be far less secure than they think, because the risks associated with cyber terrorism are not being taken seriously.
Issuing the warning, The Strategic Directions Group director and data center national practice manager, Mike Andrea, said many Australian data centers were unaware of, or had an apathetic attitude toward, the risks associated with cyber terrorism.
“The general consensus is that while major [terror] events do create media hype around the place and people get asked questions about what they are doing about it from a corporate perspective, many do not keep it front of mind in terms of true risk to the commercial entity,” he said.
Newly Discovered World Cup Database Breach Exposed 250,000 Attendees’ Details
by Knyaz on Sep.14, 2010, under News
An employee of the firm in charge of World Cup 2010 ticketing was found peddling birth dates, passport details and other data of 2006 World Cup customers.
Hundreds of thousands of attendees at the 2006 World Cup in Germany were put at risk of identity theft, though the major breach of a FIFA database was only recently uncovered.
Initially reported by Norwegian newspaper Dagbladet, the breach came to light when an employee of the firm in charge of World Cup 2010 ticketing circulated an e-mail peddling more than 250,000 2006 World Cup customer details, including such personal information as birth dates and passport information.