Security Watch
Europe May Require Data Breach Notification
Also: ATMs working like greased slot machines; QuickTime, Flash Player invite hackers to your machine.
The European Commission has put forward a proposed change to existing laws governing providers of electronic communication networks or services which would make it mandatory for them to advise customers of security breaches, in addition to the existing requirement that they advise customers of security risks. (For the EU's working document, click here.)
The difference could lead to a spate of media stories about lost European laptops and the like. One has to wonder if these aren't being proposed because there's been such a lack of interesting computer security stories.
ATMs Give Up Cash Easy Slot Machines
A man allegedly walked up to an ATM located at a gas station, keyed in "something" and got the ATM to issue $20 bills while counting them as $5 bills. The story reports that the man "reprogrammed" the ATM. However, how this was accomplished, or even whether it was, is unconfirmed.

The machine was a Tranax Mini-Bank 1500 Series, easily reprogrammed by obtaining the codes right off of Google. Imagine if you could walk up to a slot machine, press a few buttons and have it issue a jackpot. So be careful how much trust you put in "secure" technology.
QuickTime Shows More Than Video
Six separate vulnerabilities were discovered in Apple QuickTime, all of which could allow code of the criminal's choice to execute on a victim system in the security context of the victim user. All appear to be buffer overflows of one type or another, involving various QuickTime formats, such as FLC or FlashPix.

All six are credited to McAfee AVERT Labs, making one wonder if some form of malware has been seen. However, Apple makes no mention of any and, so far, neither has McAfee. Two of the vulnerabilities were also discovered by others, and they have released detailed information regarding their discoveries.
This column was originally published in our weekly Security Watch newsletter.
Drive-By Hacking, Thanks to Adobe Flash Player
According to Adobe, "multiple input validation errors" have been patched in Flash Player versions 7 and 8. These issues were corrected in Flash Player version 9, but not disclosed until now. One of these permitted criminals to bypass the "allowScriptAccess" option regulating whether a control could be scriptable. Adobe also indicates that the way Microsoft Office products invoke the ActiveX control has been modified.

Well, bad month for Adobe. Flash Player was shipped with Windows XP and is likely installed on most home user systems, if not most corporate systems as well. This is likely to make it an attractive target for criminal sites looking to do drive-by downloads. Computer Terrorism, the group that Adobe credited with reporting these Flash Player vulnerabilities, states that it has seen "undisclosed" proof-of-concept code which works across multiple operating systems and multiple browser types. Such a beast is certainly not something we want to see in the wild.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.