::Trend Micro Threat Resource Center::

28 January 2009

Hackers steal details of 4.5 million in attack on Monster jobs site

The personal details of millions of job seekers have been stolen in the largest data theft in Britain, The Times has learnt.

Hackers gained access to confidential details provided by 4.5 million people to Monster.co.uk, the online recruitment site.

Names, passwords, telephone numbers, e-mail addresses, birth dates, sex and ethnicity data as well as other “demographic information”, were all stolen, the company admitted yesterday.

It is the most extensive breach of confidential data since HM Revenue and Customs lost the details of 25 million child benefit recipients in 2007.

Monster.com refused to comment on how much information had been taken but The Times understands that the personal details of millions of people can be downloaded in under an hour once a hacker has gained access.

Security analysts told The Times that the plundered data from the recruitment site would be used by organised gangs to open fake bank accounts or take out loans in the names of unsuspecting customers.

About four out of ten people use the same password to access multiple websites, Mr Cluley said, meaning that criminals could use the Monster.co.uk data to obtain far more sensitive information. “These hackers could now use the passwords to access e-mail and online bank accounts.”

It is the third time in two years that security at the world’s largest recruitment site has been breached.

In August 2007 Monster.com’s database was infected by a virus called infostealer.monstres, which siphoned off more than 1.6 million records, mostly of customers based in the US.

A Russian gang called Phreak was said to be responsible. It was found to be selling “identity harvesting services” to fraudsters, charging £300 for data.

Yesterday Monster.com said the stolen data did not contain details of CVs or financial information. “We are taking appropriate law enforcement action,” a spokeswoman said.

Read here for more details.

27 January 2009

Microsoft Releases Security-Enhanced Internet Explorer 8

It seems not too long ago that Microsoft released IE 7.0. That was on October 18, 2006.

Not being very impressed with the new version, to date I'm still using IE 6.0 SP2. You have probably come across website incompatibilities with the newer versions of IE, the reason being that some websites have still not been updated to work with newer browser versions.

IE 8.0 RC1 was officially released on 26th January 2009, boasting many new security features.

For more details, read here or download a copy of IE 8.0 here.
Alternatively, if you're anti-IE, you can grab a copy of Firefox 3.0 here.

21 January 2009

New Travel Hazard

Have you booked any airline travel recently? Don't be surprised to receive an email reminding you that your credit card has been charged for it. But here comes the catch:

Do not open the attachment that is likely to accompany the message.

If you do, you will probably end up installing malicious code on your machine.

The email will usually name a specific dollar amount that your credit card has supposedly been charged for air travel. It even offers you a login and password for the airline’s website, but what the bad guys want you to do is click on the attached “invoice and the airplane ticket.” The “invoice” is actually malicious code.

Spam messages purporting to come from several major airlines are circulating. United Airlines is the latest airline to be mentioned, with the following involved as well: Northwest Airlines, JetBlue, Midwest Airlines, and Sun Country Airlines.

Users are encouraged to follow best practices and not to click links in unsolicited email messages. Also, make sure your operating system is fully patched and your antivirus software is fully up-to-date in order to guard against this and other threats finding their way onto your computer.


Read here for more details.

19 January 2009

SanDisk Cruzer USB drive listed for Common Criteria Certification

USB drives are getting more sleek and certified. Introducing the SanDisk Cruzer Enterprise FIPS edition secure USB flash drive:

SanDisk has been selected for evaluation of this new product for Common Criteria EAL2 certification under the data protection schedule of the Defense Signals Directorate, Australian Government Department of Defense.

SanDisk Cruzer Enterprise FIPS edition is designed to meet the security requirements of government agencies and financial institutions, featuring FIPS 140-2 level 2 certification for encryption, a standard set by the National Institute of Standards and Technology (NIST). The encrypted flash drive imposes mandatory access control on all files, which are stored in a secure partition that implements 256-bit hardware-based AES encryption.

FYI:
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation. EAL2 certifies the product is Structurally Tested.

Common Criteria is a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products and testing laboratories can evaluate the products to determine if they actually meet the claims.

05 January 2009

'Curse of Silence' Hack Kills SMS Text Message Delivery

Text-message junkies beware: A new exploit demonstrated this week shows how an attacker can silently crash the SMS text message in-boxes of several models of Nokia mobile phones.

A specially formatted SMS message is used to wage a denial-of-service attack on the victim's phone. It targets a vulnerability in versions 8 through 9.2 of the Symbian operating system and so far has been shown to affect the Nokia Series 60 phone versions 2.6, 2.8, 3.0, 3.1, and the Sony Ericsson UiQ.

Some phones immediately stop receiving text messages, while others lock up after receiving one or more of the messages.

So far, the documented affected phone models are as follows:

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

For more details, you can read here or see the demonstration here.

01 January 2009

AVG Rescue CD: Free toolset for repair of infected machines

The AVG Rescue CD is essentially a portable version of AVG Anti-Virus supplied through a Linux distribution. It can be used in the form of a bootable CD or bootable USB flash drive to recover your computer when the system cannot be loaded normally, such as after an extensive or deep-rooted virus infection.

In short, the AVG Rescue CD enables you to fully remove infections from an otherwise inoperable PC and render the system bootable again.

Apart from the usual AVG functions (malware detection and removal, updates from internet or external device, etc.), the AVG Rescue CD also contains the following set of administration tools:
  • Midnight Commander - a two-panel file manager
  • Windows Registry Editor - simple registry editor for more experienced users
  • TestDisk - powerful hard drive recovery tool
  • Ping - to test the availability of network resources (servers, domains, IP addresses)
  • Common Linux programs and services - vi text editor, OpenSSH daemon, ntfsprogs etc.

The AVG Rescue CD is a free-to-use product that anyone can download. This also covers any new program versions and virus database updates. If you have any other paid AVG license, you are also entitled to receive our full technical support.

Linux Rescue CD

The System Rescue CD site provides an extensive set of tools to aid Linux users or corporate Linux administrators in recovery efforts if the O/S environment becomes damaged. It includes an excellent set of documentation and user forums to submit questions.

Linux Rescue CD
http://www.sysresccd.org/Main_Page

QUOTE: SystemRescueCd is a Linux system rescue disk available as a bootable CD-ROM or USB stick for administrating or repairing your system and data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the partitions of the hard disk. It comes with a lot of Linux software such as system tools (parted, partimage, fstools, ...) and basic tools (editors, midnight commander, network tools). It requires no installation since you just have to boot on the CD-ROM.

EXTENSIVE DOCUMENTATION
http://www.sysresccd.org/Online-Manual-EN

USER SUPPORT FORUMS
http://www.sysresccd.org/forums/

F-Secure Linux Rescue CD - New Version 3.11

The utilities on this CD might be useful in troubleshooting issues:

F-Secure Linux Rescue CD - New Version 3.11
http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-3.11.23804-release-notes.txt

QUOTE: The new utilities on the CD are:

* PhotoRec is a tool that can be used to recover data that has been accidentally deleted or lost due to a corrupted file system on a disk.

* TestDisk is another data recovery tool that can be used to recover a lost partition, for example.

* Smartmontools contain utilities that can be used to inspect S.M.A.R.T. values of hard disks. By analyzing these numbers you may get a hint if your hard disk is starting to show signs of breaking down.