From the category archives: Internet Security

Energizer Press Release

Energizer Announces Duo Charger and USB Charger Software Problem
ST. LOUIS, March 5, 2010 /PRNewswire via COMTEX/ — Energizer has been informed by the CERT Coordination Center (CERT) that the Windows software that was referenced and made available via a download with its Duo Charger, Model CHUSB, contains a vulnerability. Energizer introduced the Duo Charger in the United States and the USB Charger in Latin America, Europe and Asia in 2007. Both products charge Nickel Metal Hydride batteries from both a wall outlet and a USB connection. The product included a feature that would allow the user to view the battery charging status on a computer if associated software was installed. The Duo Charger product documentation referenced www.energizer.com/usbcharger to download the software. The site offered downloadable software in both Windows and Apple(R) versions; however only the Windows version contained the vulnerability.

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers. This will eliminate the vulnerability. In addition, CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software. Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.

Convicted Spammer starts sentence

by certifiedbug on March 4, 2010

in Internet Security

Spamhaus

Leaving a wake of over 12 years of criminal spamming and trillions of sent junk emails behind him, long-time ROKSO-listed spammer Alan Ralsky is finally behind the walls of a US Federal Prison. After pleading guilty to multiple federal criminal charges, and after time extensions to “get his affairs in order”, Ralsky reported to FCI Morgantown in north-central West Virginia on March 1st to start serving his 4-year, 3-month sentence.

Spamhaus, on behalf of the world’s internet email users, gives thanks to all involved. Big thank-yous to FBI Special Agent Tom Winterhalter, U.S. Attorney Terry Berg, AUSA Julie Beck, USPIS Postal Inspector Karl Hansen and IRS Special Agent Marta Jacks. Over the course of a three-year investigation and prosecution, the investigation & prosecution teams were able to identify and convict 9 domestic and international members of this spam & fraud conspiracy, including Ralsky and his associates.

http://www.spamhaus.org/news.lasso?article=658

Security Seal provider to settle FTC charges

March 3, 2010

FTC Press Release 2/25/2010.
ControlScan, a company that consumers have relied on to certify the privacy and security of online retailers and other Web sites, has agreed to settle Federal Trade Commission charges that it misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices. [...]

Three arrested for running “Mariposa” botnet

March 3, 2010

Spanish police have arrested three men allegedly responsible for the Mariposa botnet which controlled nearly 13 million infected computers.
The botnet was rendered inactive on December 23, 2009 following months of collaboration between security firms Panda Security and Defense Intelligence in co-operation with the FBI, Spain’s Guardia Civil and security experts around the world.
Personal [...]

FTC Warns of Widespread Consumer Data Breaches on P2P

February 24, 2010

Press Release.

Widespread Data Breaches Uncovered by FTC Probe
The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity [...]

Adobe Download Manager 0-day vulnerabilities

February 19, 2010

Days after Adobe released a security update for Flash Player, researcher Aviv Raff disclosed that he had discovered a vulnerability in Adobe’s Download Manager which can be exploited to remotely install malware on end users’ computers.
Even if you upgraded to the latest Flash version (10.0.45.2) and use an alternative PDF reader you are probably not safe [...]

Adobe Flash Player Security update available

February 11, 2010

All Platforms
Vulnerability identifier: APSB10-06
CVE numbers: CVE-2010-0186, CVE-2010-0187
A critical vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.
Affected software versions:
Adobe Flash Player 10.0.42.34 and earlier versions
Adobe AIR 1.5.3.1920 and earlier versions
To verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content [...]

FeedDemon Vulnerability

February 10, 2010

SecurityFocus
FeedDemon is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
FeedDemon 2.7 and prior versions are vulnerable.
FeedDemon 3.1 Release Notes
Build 3.1.0.12 / February 2, 2010

Edelman on Upromise

January 21, 2010

Benjamin Edelman
January 21, 2010

Upromise Savings — At What Cost?
Upromise touts opportunities for college savings. When members shop at participating online merchants, dine at participating restaurants, or purchase selected products at retail stores, Upromise collects commissions which fund college savings accounts.
Unfortunately, the Upromise Toolbar also tracks users’ behavior in excruciating detail. In my testing, when [...]

Lethic Botnet Taken Down: bots attempt connection to new host

January 13, 2010

Darkreading.com reports that researchers with communications security firm Neustar took over the Lethic botnet command-and-control servers.
Yet another botnet has been shut down as of today as researchers joined forces with ISPs to cut communications to the prolific Lethic spamming botnet — a development that illustrates how botnet hunters increasingly are going on the offensive [...]