Saturday, October 21, 2006

Spamming Worm Gets Into Cal Poly Computers

Cynthia Neff writes in The San Luis Obispo Tribune:

Cal Poly is notifying nearly 7,000 former and current students that their names and Social Security numbers were on a computer system recently breached by a worm, a program similar to a virus.

The computer system, used in conjunction with the campus telephone billing system, contained personal information on students who lived in Cal Poly’s residence halls and had a campus telephone account between 2001 and 2005. Students who lived on campus but didn’t have a telephone account aren’t affected.

University officials do not believe any personal information was accessed.

Still, concerned students can put a fraud alert on their credit reports, according to a letter sent out to the 6,919 students.

This is the sixth case in less than two years in which information about Cal Poly students was exposed. It also has affected the biggest number of students.

More here.

(Props, Flying Hamster.)

Friday, October 20, 2006

Political Toon: The Death of Habeas Corpus


Click for larger image.


6-Alarm Blaze Breaks Out at Fort Meade, Md.

An AP newswire article, via MSNBC, reports that:

A fire at the Army base that houses the National Security Agency heavily damaged a building containing “sensitive” materials Friday afternoon, base officials said.

There were no serious injuries, officials at Fort Meade said.

The six-alarm fire at Fort Meade started shortly before 4 p.m. in a building whose contents are “sensitive in nature,” said Fort Meade spokeswoman Jennifer Downing.

More here.

Maryland Voting Disks Were Likely Made For Testers

Cameron W. Barr writes in The Washington Post:

A Maryland election official said yesterday that possibly stolen computer disks believed to be electronic voting software were "apparently produced" for use by a testing firm hired by the Maryland legislature in November 2003.

Ross Goldstein, deputy administrator of the Maryland State Board of Elections, said documents indicate that the disks were sent to Maryland so Raba Technologies Inc. could assess the security of the state's electronic voting system, which is provided by Diebold Election Systems. A receptionist at Raba, based in Columbia, declined to comment yesterday after consulting with her supervisor.

Labels on the disks indicate that they contain the versions of two Diebold programs that powered electronic voting machines in Maryland in 2004, Goldstein said Thursday. Diebold said one version of one program is still in use in some jurisdictions elsewhere in the United States.

Cheryl C. Kagan, a former Maryland delegate who has questioned the security of electronic voting systems, said the disks were delivered anonymously to her office in Olney on Tuesday.

State elections administrator Linda H. Lamone has asked the FBI to investigate the apparent theft and leaking of proprietary voting software.

More here.

California: Fry's Electronics Steps up Web Presence



Michelle Quinn writes in The Mercury News:

Better late than never might be the new motto of Fry's Electronics.

The quirky electronics store chain based in San Jose has owned the name Frys.com since 1997 after it legally wrestled it away from Frenchy Fries, a Seattle company.

But only this month did Fry's officially rename its Web site Frys.com and begin using Frys.com as part of its national advertising campaign.

Why now? And is it too late for Frys.com to compete in the crowded, cutthroat online electronics and computer parts market?

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Friday, Oct. 20, 2006, at least 2,787 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,230 died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

Hackers Hit National Austrlian Bank Website

Via The Australian.

Problems with the National Australia Bank's online banking services stem from an attack by unknown parties to deliberately slow or shut down its website, a spokeswoman says.

Complaints of slow or intermittent access to the NAB's online banking services resulted from a "deliberate attempt" by people outside the bank to interfere with its website, NAB chief information officer Michelle Tredenick said.

"They did this by jamming NAB's connection to the internet with hits making it more difficult for legitimate users to gain access," she said.

More here.

(Props, Flying Hamster.)

Cost of Data Breaches Rises Sharply

Matt Hines writes on eWeek:

Leaks of sensitive customer information and other corporate data are costing companies in the United States substantially more in related financial and business losses in 2006, according to a new study published by the Ponemon Institute.

Based on the findings of the Ponemon Data Breach Study, to be published on Oct. 23, information losses cost U.S. companies an average of $182 per compromised record in 2006, compared to an average loss of $138 per record in 2005, for an increase of about 31 percent.

More here.

The Way We Wore: A Century of IBM Attire


IBM employees attending a 1930 company outing in London, England.
Image source: IBM


Oh, this is priceless.

It wasn't too long ago that some observers said that IBMers wore a uniform of pin-striped suits, white button-down shirts, rep ties and wing-tipped shoes. Who us?

While it may have been true there was a time such attire was not uncommon in IBM offices, it is also true that pin-striped suits, white button-down shirts, rep ties and wing-tipped shoes were not unique to IBM -- then or now. In fact, IBM men and women, like people everywhere, have tended to dress pretty much in the fashions prevailing in their own period and place.

As the style of business clothing around the world has evolved and varied with the passage of time, so too has the appearance of IBMers changed from year to year and from locale to locale.

Here -- in a kind of diversity fashion timeline -- is an album of just some of the many people in many countries who helped to make IBM a 20th century global success. And, aside from a baseball team in 1938, there's not a uniform among them.

Start here.

(Props, Stephen Shankland.)

Pentagon Urges Less 'Gee Whiz', More 'Relevant' R&D

George Leopold writes on EE Times:

U.S. military planners, faced with mounting casualties in Iraq and Afghanistan along with a decline in federal R&D spending, are pressing contractors to shift their focus from gee-whiz technologies to "relevant" ones that can save lives and improve capabilities today.

As procurement and military health and retirement costs soar, pressure is building to reduce the Pentagon's science-and-technology budget. Thus, Defense Department planners are asking technology companies "to become more relevant to the war fighters," said David Janos, business development manager at Northrop Grumman's Electronic Systems unit (Baltimore).

Janos headed an industry forecast panel on DOD science-and-technology spending sponsored by the Government Electronics and Information Technology Association (GEIA). The results of the GEIA forecast were released here last week.

More here.

Final Firefox 2.0 Browser to be Released Tuesday

Todd Weiss writes on ComputerWorld:


The final version of the new Firefox 2.0 Web browser will be launched Tuesday, just eight days after the last review candidate for the software was released for public use.

A spokeswoman for the nonprofit Mozilla Foundation, which maintains the open-source browser code, said the Release Candidate 3 (RC3) version of Firefox 2.0, which was posted for download on Monday has been doing well among users and is ready to be finalized as Firefox 2.0 for distribution.

"RC3 is substantially the same as the final release," the spokeswoman said. The final version will be branded as Firefox 2.0 and will be available for free download on its own Mozilla Web page sometime on Tuesday afternoon. "That's definitely scheduled," she said.

More here.

Shameful America: Hungry Military Families

Nicole Belle writes on Crooks and Liars:

San Diego Union-Tribune:

The women and children who formed a line at Camp Pendleton last week could have been waiting for a child-care center to open or Disney on Ice tickets to go on sale.

Instead, they were waiting for day-old bread and frozen dinners packaged in slightly damaged boxes. These families are among a growing number of military households in San Diego County that regularly rely on donated food.

As the Iraq war marches toward its fourth anniversary, food lines operated by churches and other nonprofit groups are an increasingly valuable presence on military bases countywide. Leaders of the charitable groups say they're scrambling to fill a need not seen since World War II.
Wonderful. We'll ask the troops to put their lives on the line in the Middle East, but Congress can't pony up a little more cash so their families at home can afford to eat. Meanwhile, how much has Congress given to Halliburton and its subsidiaries in no-bid contracts for Iraq?

Link.

Defense Tech: The Invisible Warship


DDG1000 Zumwalt
Image source: PopSci.com / John MacNeill



Gregory Mone writes on PopSci.com:

It will be almost silent, nearly invisible to enemy radar—and capable of dropping six powerful missiles simultaneously on a single target up to 95 miles away. But the most important feature of the DDG1000 Zumwalt, the Navy's first new destroyer in 30 years, could be its versatility. The 600-foot-long ship will be just as comfortable in the deep ocean as in the mine-infested shallows of the Persian Gulf.

Yesterday’s big boats were designed for open-water standoffs, not hostile coastlines. They show up like giant bull’s-eyes on land-based radar installations. And the ships lack sufficient sensor systems to dodge the waterborne mines common to enemy harbors.

More here.

FBI Pairs With Website Violating Law To Make Kids Safer

Ryan Singel writes on 27B Stroke 6:

The FBI has set up a masterful site called Safe Online Surfing to help kids learn how to use the internet safely. Via a scavenger hunt, children get to learn that its okay to talk about Disney characters online at the Privacy Falls challenge on Surf Swell Island and get online tips from the Miami Hurricanes website and finally are directed to take an Internet test at the Common Knowledge Scholarship Foundation.

Now, what's great isn't that the final Internet quiz actually tests you on whether you know how to become an FBI Special Agent (Sample question: What do you say to a female applicant who says she's not strong enough to bust down doors?)

What's great is that the Common Knowledge site violates the Children's Online Privacy Protection Act, which mandates that any site collecting personal information on a child under the age of 13 must get verifiable consent from a parent. While Common Knowledge claims to be in compliance with COPPA, I was able to register as a 12 year-old (First name: Vulnerable, Last name: Child Address:123 TouchMe Way). Registration requires a name, an address, a phone number, a date of birth, an email address, your school name, and your extra-curricular interests just to take an online quiz. While I was required to add my parent's email address, the site never sent an email to that address, let alone complied with the law requiring the site to get a parent's verifiable consent. The site's legitimacy is only burnished by having its domain registered to a post office box and running Yahoo! ads on the front page.

More here.

Researcher Attempts to Shed Light on Security Troll, n3td3v

Robert Lemos writes on SecurityFocus:

For over a year, subscribers to the Full Disclosure security mailing list had to endure the taunts and rants of a self-styled vulnerability researcher known as "n3td3v."

The troll--as such taunting posters are dubbed--would frequently ignite massive angry e-mail responses, or flame wars, at times limiting the usefulness of the Full Disclosure list. Over time, n3td3v took on multiple online personalities, or gained members of the n3td3v group, and attempted to create an online security hub. The group's favorite targets included Yahoo!, Google, other researchers and security news reporters, including this one.

More here.

Microsoft Trains Colombian Ex-Paramilitaries . . . in IT

John Blau writes on NetworkWorld:

Former paramilitary fighters in Colombia may be able to shoot a gun far better than they can fire off an e-mail, but that could soon change thanks to a new program, partly funded by Microsoft, that aims to train the ex-combatants on computers.

Microsoft has agreed to contribute more than US$300,000 to the three-year La Llave program initiated by the Organization of American States (OAS), the company said Thursday.

More here.

FBI’s DNA Index System to be Designed by Unisys

William Welsh writes on GCN.com:

A next-generation DNA index system for the FBI will be deployed by Unisys Corp. through a two-year, $11 million contract.

Unisys of Blue Bell, Pa., will design and develop software, oversee deployment and furnish operations and maintenance support for the Next-Generation Combined DNA Index System.

If all options are exercised, the contract could be worth $50 million, the company said.

FBI laboratory’s Combined DNA Index System allows federal, state and local labs to share and compare profiles, helping law enforcement officials link convicted offenders to violent crimes. Unisys’ solution uses a sophisticated search engine to accelerate the matching process.

More here.

Whacked Out MPAA Mojo: 'Be Loyal, Kind and Don't Steal Movies'

How sickening...

An AP newswire article, via The Boston Globe, reports that:

A Boy Scout is trustworthy, loyal, helpful, etc., etc. He is also respectful of copyrights.

Boy Scouts in the Los Angeles area will now be able to earn a merit patch for learning about the evils of downloading pirated movies and music.

The patch shows a film reel, a music CD and the international copyright symbol, a "C" enclosed in a circle.

The movie industry has developed the curriculum.

"Working with the Boy Scouts of Los Angeles, we have a real opportunity to educate a new generation about how movies are made, why they are valuable, and hopefully change attitudes about intellectual property theft," Dan Glickman, chairman of the Motion Picture Association of America, said in a statement Friday.

More here.

Defense Tech: TIA 2.0


Via Defense Tech.

The Office of the Director of National Intelligence is building a new terrorist profiling system, called Tangram. What's wrong with the old profiling systems, you might ask? Well, according to an unclassified document describing Tangram, they're not all that good at catching terrorists.

The document, which is a description of the Tangram program for potential contractors, describes other, existing profiling and detection systems that haven't moved beyond so-called "guilt-by-association models," which link suspected terrorists to potential associates, but apparently don't tell analysts much about why those links are significant. Tangram wants to improve upon these methods, as well as investigate the effectiveness of other detection links such as "collective inferencing," which attempt to create suspicion scores of entire networks of people simultaneously.

Tangram's pedigree also is familiar. It is apparently the next generation of DARPA's Total Information Awareness system, which has been conducted in secret since Congress pulled public funding on the project in 2003. TIA programs form the foundation for Tangram, the document describing the system shows. (With one big difference: no privacy protections.)

Read the full story on Tangram in National Journal here.

More here.

Bickering Over Vulnerability in Internet Explorer 7

Via heise Security.

The first vulnerability in Internet Explorer 7, reported yesterday (Thursday), which has been known in IE6 for 6 months has given rise to bickering. Microsoft has now issued its first public response. It claims that the problem lies in neither Internet Explorer 6 nor Internet Explorer 7, despite the fact that the demonstration of the vulnerability uses these browsers as its attack vector. The fault lies with an Outlook Express component in Windows - Microsoft is looking into the matter.

Thomas Christensen, CTO of Secunia, gave his response to heise Security, "Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component."

For some time Microsoft has pursued a policy of categorising every imaginable security vulnerability as a vulnerability in the operating system, for which Internet Explorer is the primary or only attack vector. This causes confusion and can lead users and administrators to underestimate the seriousness of a problem.

More here.

Cisco Lines Up 7600 Successor

Ray Le Maistre and Craig Matsumoto write on Light Reading:

Cisco Systems Inc. is believed to have started development work on a successor to its workhorse 7600 series routers, according to industry sources.

The move comes as Cisco finds itself under increasing competitive pressure from its main IP rivals in the carrier router and Ethernet aggregation markets: Alcatel and Juniper Networks Inc.

More here.

No Polygraphs for Aussie Intel Agencies

Via UPI.

Australian intelligence has recommended against using polygraph tests in security investigations because of unreliability, The Australian reported Thursday.

The decision by the Australian Security Intelligence Organization -- which also found the procedure incompatible with the professional culture of the country's intelligence agencies -- followed a three-year trial, during which time ASIO staffed voluntarily submitted to polygraphs.

More here.

Microsoft Blocks Vista Rootkit Exploit

Ryan Naraine writes on eWeek:

Microsoft has blocked the attack vector used to slip unsigned drivers past new security policies being implemented in Windows Vista, according to Joanna Rutkowska, the stealth malware researcher who created the exploit.

Rutkowska, who demonstrated the exploit at the Black Hat conference in August, said she tested the attack against Windows Vista RC2 x64 and found that the exploit doesn't work anymore.

"The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights," Rutkowska wrote on her Invisible Things blog.

Rutkowska, a Windows Internals expert at Singapore-based IT security firm COSEINC, however warned that the way the exploit is being blocked could be problematic and cause application compatibility issues.

More here.

In Memoriam: Abha Ahuja

Abha, you were a great friend and colleague.
I think of you often, and you are very much missed every day.




Abha Ahuja
1972 -- October 20, 2001

Thursday, October 19, 2006

Officials Probing Possible Theft of Voting Software in Maryland

Cameron W. Barr writes in The Washington Post:

The FBI is investigating the possible theft of software developed by the nation's leading maker of electronic voting equipment, said a former Maryland legislator who this week received three computer disks that apparently contain key portions of programs created by Diebold Election Systems.

Cheryl C. Kagan, a former Democratic delegate who has long questioned the security of electronic voting systems, said the disks were delivered anonymously to her office in Olney on Tuesday and that the FBI contacted her yesterday. The package contained an unsigned letter critical of Maryland State Board of Elections Administrator Linda H. Lamone that said the disks were "right from SBE" and had been "accidentally picked up."

More here.

National Australia Bank Hit by DDoS Attack

Munir Kotadia writes on ZDNet Australia:

The National Australia Bank (NAB) has warned its customers to beware of new phishing attacks after the bank's Web site was hit by a DDoS attack earlier this week.

NAB customers experienced problems accessing the online banking service on Wednesday, according to a bank spokesperson.

"We first noticed [the attack] on Wednesday. For the moment it is not having any impact and has been OK for the past 24 hours but there was a bit of residual impact yesterday.

"Customers were having to, in some cases, try a number of times. It did slow down the access and jam the system intermittently," the spokesperson told ZDNet Australia.

According to the spokesperson, the bank decided to re-issue its phishing warning in case the fraudsters use future attacks to try and trick customers into visiting spoofed versions of the bank's Web site.

More here.

Defense Tech: The First F-22 Rolls Off the Line



Via Technology News Daily.

Lockheed Martin rolled out the first combat-capable F-22 Raptor Oct. 16 destined for basing and operations in the Pacific Rim.

Raptor 5087 completed its final assembly, with Air Force leaders from Alaska and Lockheed Martin employees on hand to mark the event outside the production line in Marietta.

The F-22 Raptor is currently assigned to four bases across the United States. Testing is conducted at Edwards AFB, Calif. Tactics development is ongoing at Nellis AFB, Nev. A full squadron of Raptors is based at Tyndall AFB, Fla., for pilot and maintainer training. Operational F-22s at the 1st Fighter Wing are assigned to two squadrons at Langley AFB, Va.

More here.

Thousands of U.S. Troops Barred from Overseas Duty Because of Debt Security Concerns

An AP newswire atricle by Thomas Watkins, via The Dallas Morning News, reports that:

Thousands of U.S. troops are being barred from overseas duty because they are so deep in debt they are considered security risks, according to an Associated Press review of military records.

The number of troops held back has climbed dramatically in the past few years. And while they appear to represent a very small percentage of all U.S. military personnel, the increase is occurring at a time when the armed forces are stretched thin by the wars in Iraq and Afghanistan.

More here.

Ex-Gizmondo Exec on Trial in L.A. for Ferrari Theft


The remains of wrecked Ferrari Enzo involved in the February 2006 crash.
Image source: The Register


Drew Cullen writes on Reg Hardware:

A Swedish former executive of Gizmondo, the crash and burn handheld games firm, was in a Los Angeles court today, standing trial for drunken driving, car theft and embezzlement.

Bo Stefan Eriksson's world came crashing down on 21 February, one month after Gizmondo went bust with $200m debts, when he wrapped a $1m Ferrari Enzo around a lamppost on the Pacific Highway. He tested over the limit for alcohol, but denied driving the car at the time. A German guy, who he only knew as Dietrich, had been behind the wheel and had fled the scene, he said.

Eriksson, 44, later admitted making the story up, but on Monday he rejected a plea bargain that would have sent him to jail for two years and four months.

More here.

ISPs Plan Security Push?

Tim Wilson writes on Light Reading:

Panda Software, like many enterprises, thinks Internet service providers should be doing more to sanitize the traffic they deliver to their customers.

"Comparisons can be made between the services offered by water companies and those provided by the ISPs," said the security software company in a statement earlier this week. "Whereas the water companies are required to provide potable water, the ISPs are not subject to the same demands."

The "water analogy," which has been set forth by security tool vendors such as MessageLabs, Panda, and others in recent weeks, suggests that ISPs could do more to detect and eradicate spam, spyware, and other malware as it traverses the Internet, potentially reducing the volume of infected traffic handled by enterprises and end users at the ends of the pipes.

More here.

Quote of the Day: Rev. Joseph Lowery

"To suggest that Martin [Rev. Martin Luther King Jr.] could identify with a party that affirms preemptive, predatory war, and whose religious partners hint that God affirms war and favors the rich at the expense of the poor, is to revile Martin."

- Rev. Joseph Lowery, the former president of the Southern Christian Leadership Conference, reacting to a radio advertisement ran by black conservative group that proclaimed that the Rev. Martin Luther King Jr. was a Republican.

Encryption Dilemma: Idaho Killer Holds Key to Laptop Mystery

An AP newswire article by Nicholas K. Geranios, via The Tribune-Star (Terre Haute, Indiana), reports that:

As the man accused of kidnapping two children and killing their family waits in a jail cell for a federal indictment to be handed down, he still holds what could be a bargaining chip: An encrypted laptop that may contain more horrors.

The FBI's top hackers apparently have been unable to break through Joseph Edward Duncan III's security encryptions, and a plea bargain Duncan's lawyers struck Monday with state prosecutors says the key must only be shared with his defense lawyer.

The computer key may provide Duncan some negotiating leverage in the next few weeks when authorities file federal charges that are expected to carry the death penalty.

More here.

Blogger Admits NFL Threat a Scam

Brian Ross reports on ABC News' "The Blotter":

Federal agents tell ABC News a man in Milwaukee has admitted sending phony NFL terror threats as part of a "writer's duel."

The agents say the Milwaukee man and a second suspect in Texas attempted to "outdo" the other in producing the scariest terror threat.

According to the agents, the Milwaukee man said he used the Internet to find future football games and combined them with Ramadan dates to concoct a believable terror story.

The suspect interviewed in Texas has corroborated the Milwaukee man's story, according to the agents.

More here.

Padilla Was Drugged, Threatened by Authorities, His Lawyers Say

This is a bit off-topic for the blog, but if Uncle Sam can do this to one American Citizen, it can now do it to any American Citizen. Even you.

Jeff Bliss and Jeff St. Onge write for Bloomberg News:

Lawyers for accused terrorism supporter Jose Padilla say U.S. authorities drugged him with LSD or PCP, filled his cell with "noxious fumes" and threatened to slash him with a knife while he was being held without charges.

In court papers seeking dismissal of charges against Padilla, his lawyers said the abuse occurred after President George W. Bush declared him an "enemy combatant" following his arrest in 2002. The designation allowed Padilla, a U.S. citizen, to be held without being charged with a crime for three years and five months.

"The torture took myriad forms, each designed to cause pain, anguish, depression and, ultimately, the loss of will to live," according to the court document filed Oct. 4 in federal court in Miami.

A call and e-mail seeking comment from the U.S. Justice Department weren't immediately returned.

More here.

German States Agree on PC, Phone Internet License Fee

Via Reuters.

Germany's 16 states agreed on Thursday to introduce from January 1 a license fee of 5.52 euros ($6.94) a month on computers and mobile phones that can access television and radio programs via the Internet.

The plan has attracted sharp criticism from industry groups that argue it would harm German firms, especially small and medium-sized businesses.

More here.

ICANN Approves .ASIA TLD

An AP newswire article by Anick Jesdanun, via The Globe and Mail, reports that:

The Internet will soon have a domain to unify businesses and other users in the Asia-Pacific region. A key oversight agency has approved a ".asia" domain for Internet addresses, supplementing suffixes available for individual countries, such as ".cn" for China and ".jp" for Japan. The Internet Corporation for Assigned Names and Numbers earlier approved ".eu" for the European Union.

Made up of groups that run domain names for China, Japan, South Korea, Vietnam and other countries, the DotAsia Organization Ltd. plans to explore permitting domain names in Asian languages under ".asia." ICANN also has been exploring allowing suffixes in other languages, too, though that will take time and is unaffected by Wednesday's decision on ".asia."

Finalizing the contract between ICANN and DotAsia could take weeks. Registrations for English-language names is not expected for another six to nine months. Prices will vary, and trademark holders will get the first picks.

More here.

Dilbert: That Magic Java


Click for larger image.


Vonage Apologizes for Security SNAFU

John Leyden writes on The Register:

Vonage has apologised after coding slip-ups caused one of its customers to be billed 80 times - at a cost £5.99 per occasion - for changes to accounts that didn't belong to him.

Reg reader and UK-based small businessman Tom came to us with his problems last week after he found out he was able to see other customers' account details and credit card information when he logged into his Vonage account. The IP telephony firm had changed his number so many times that his Linksys router had given up to the ghost. To add insult to injury, Tom discovered he'd been billed scores of times for changes to other people's accounts.

More here.

Holes Found in Tor Privacy System?

John E. Dunn writes on TechWorld (UK):

A research team has published techniques it claims could be used to unmask the IP addresses of people using the The Onion Router (Tor) privacy system.

The report’s lead author, Andrew Christensen of Danish security consultancy FortConsult, uses Practical Onion Hacking [.pdf] to detail how the anonymity of the system could be undermined by tampering with traffic going through the server through which traffic exits Tor, the so-called "exit node".

Although the vulnerabilities are in browser-based applications using Tor, Javascript and Shockwave, and not in the peer-to-peer routing protocols of the system itself, the effect could be to render the IP addresses of users accessible to anyone with the motivation to use the exploits.

More here.

New U.S. Federal Requirements for Driver's Licenses Rev Up Privacy Debate



Now is probably a good time to point out UnRealID.com.

Mike Stuckey writes for MSNBC:

Any hope we may have of keeping government, industry and criminals out of our personal business is scheduled to vanish completely in 18 months, privacy advocates say.

That’s when the federal government’s Real ID Act is to be fully in place, effectively setting up a national identification program by requiring states to adopt strict new high-tech standards for driver’s licenses and ID cards if they are to be accepted by federal authorities at places ranging from airports to U.S. courthouses.

More here.

A Multifaceted Approach to Understanding the Botnet Phenomenon

Thorsten Holz writes on Honeyblog:

At the upcoming Internet Measurement Conference 2006, one of the papers deals with botnets. The paper entitled "A Multifaceted Approach to Understanding the Botnet Phenomenon" [.pdf] by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis from Johns Hopkins University presents results from their botnet studies. The data they have collected are very similar to the ones we have collected at the German Honeynet Project. In fact, they use nepenthes as one of the basic blocks of their system. They then analyze the collected binaries via "graybox testing" (logging of all network-related activity + active IRC testing) - perhaps CWSandbox would yield better results

Abstract:

The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnetrelated spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

More here.

Zombies Try to Blend in With The Crowd

Joris Evers writes on C|Net News:

Hackers are trying harder to make their networks of hijacked computers go unnoticed.

Cybercrooks are moving to new Web-based techniques to control the machines they have commandeered, popularly referred to as "zombies." Before, they used to send orders via Internet chat services, but with that method, they ran the risk of inadvertently revealing the location of the zombies and themselves.

More here.

First IE7 Security Flaw Found

A PC World article by Peter Sayer, via Yahoo! News, reports that:

Less than 24 hours after the launch of Internet Explorer 7, security researchers are poking holes in the new browser.

Danish security company Secunia reported today that IE7 contains an information disclosure vulnerability, the same one it reported in IE6 in April. The vulnerability affects the final version of IE7 running on Windows XP with Service Pack 2.

If a surfer uses IE7 to visit a maliciously crafted Web site, that site could exploit the security flaw to read information from a separate, secure site to which the surfer is logged in. That could enable an attacker to read banking details, or messages from a Web-mail account, said Thomas Kristensen, Secunia's chief technology officer.

More here.

Complete Works of Charles Darwin Go Online

Via Reuters.

The complete evolutionary works of Charles Darwin have gone online, including the stolen notebook he carried in his pocket around the Galapagos Islands.

Tens of thousands of pages of text and pictures and audio files have been made available, including some previously unpublished manuscripts and diaries of the great British scientist.

Among the unique collection is the notebook used during the Beagle voyage which would later forge his scientific arguments. It was stolen in the 1980s, but Darwin's great-great-grandson hopes the publication online, thanks to a transcription from a microfilm copy made two decades earlier, will persuade whoever has it to return it.

More here.

Wednesday, October 18, 2006

Political Commentary: 'Beginning of The End of America'

Keith Olbermann sums it up quite well.

We have lived as if in a trance.

We have lived as people in fear.

And now—our rights and our freedoms in peril—we slowly awake to learn that we have been afraid of the wrong thing.

Therefore, tonight have we truly become the inheritors of our American legacy.

For, on this first full day that the Military Commissions Act is in force, we now face what our ancestors faced, at other times of exaggerated crisis and melodramatic fear-mongering:

A government more dangerous to our liberty, than is the enemy it claims to protect us from.

Much more here.

Music Companies Grab a Share of the YouTube Sale

Andrew Ross Sorkin and Jeff Leeds write in The New Tork Times:

YouTube’s young founders may have been the biggest beneficiaries of last week’s $1.65 billion deal with Google, but they have some unexpected bedfellows — old-line media companies that had been considered YouTube’s biggest legal threat.

Three of the four major music companies — Vivendi’s Universal Music Group, Sony and Bertelsmann’s jointly owned Sony BMG Music Entertainment, and the Warner Music Group — each quietly negotiated to take small stakes in YouTube as part of video- and music-licensing deals they struck shortly before the sale, people involved in the talks said yesterday. The music companies collectively stand to receive as much as $50 million from these arrangements, these people said.

More here.

Toon: U.S. Star Wars


Click for larger image.


Microsoft Releases Final IE7 for Windows XP

Elizabeth Montalbano writes on InfoWorld:

Microsoft released the long-awaited version of the Internet Explorer 7 (IE7) browser for Windows XP late Wednesday.

IE 7 for Windows XP is available as a free download from Microsoft's Web site, and it will also be offered as a high-priority update via Microsoft's Automatic Updates service in November.

More here.

U.S. Agents Crack Down on Internet Child Pornography

Via Reuters.

U.S. law enforcement officials on Wednesday said a crackdown on Internet child pornography has resulted in the arrest of 125 people nationwide, including police officers, high school teachers, and a federal border patrol agent.

Those arrested are accused of using a commercial Web site to access videos and images of hard-core pornography involving children as young as infants engaged in sexual activities with adults, according to federal officials.

The suspects allegedly subscribed to the Web site over a period of two to three months late last year and early this year.

More here.

U.S. Officials Skeptical of Threat Against NFL Stadiums

Via MSNBC.

A Web site is claiming that seven NFL football stadiums will be hit with radiological dirty bombs this weekend, but the government on Wednesday expressed doubts about the threat.

The warning, posted Oct. 12, was part of an ongoing Internet conversation titled “New Attack on America Be Afraid.” It mentioned NFL stadiums in New York, Miami, Atlanta, Seattle, Houston, Oakland and Cleveland, where games are scheduled for this weekend.

The Homeland Security Department alerted authorities and stadium owners in those cities, as well as the NFL, of the Web message but said the threat was being viewed “with strong skepticism.” Homeland Security spokesman Russ Knocke said there was no intelligence that indicated such an attack was imminent, and that the alert was “out of an abundance of caution.”

More here.

AOL Laying Off 1,300 in New Mexico, Arizona

An AP newswire article by Tim Korte, via SFGate.com, reports that:

AOL announced Wednesday it will lay off 1,300 employees by closing call centers in New Mexico and Arizona as part of a previously announced restructuring plan.

AOL, the Time Warner Inc. online unit formerly known as America Online, also plans to sell its call center in Ogden, Utah.

The cuts include 900 layoffs at the Albuquerque call center and 400 jobs at the center in Tucson, Ariz., AOL spokesman Nicholas Graham said. The Arizona and New Mexico call centers each have operated for 10 years.

More here.

Airship Tech: Scientists Shed Light on the Last 'Flying Aircraft Carrier' Crash

Like its sister ship, the USS Akron (shown here flying over the city of San Francisco), the USS Macon was a familiar sight across the United States. Thousands of people would turn out to observe the “flying aircraft carrier” conducting training maneuvers. The USS Macon was constructed with a built-in aircraft hangar and a trapeze launch and recovery system to facilitate fighter planes intended to protect the aircraft in war.
Image source: PhysOrg.com / Wiley Collection, Monterey Maritime and History Museum



Via PhysOrg.com.

The 1935 crash of the Navy zeppelin USS Macon off the California coast marked an inglorious end to a unique experiment in aviation. Four times longer than a modern Goodyear blimp, the Macon could carry 100 crewmembers, including pilots specially trained to fly small reconnaissance airplanes stowed in the zeppelin's massive hull. The giant airship was one of only two ''flying aircraft carriers'' ever built, and both went down in the ocean without ever seeing combat.

In September 2006, 71 years after the Macon plunged into the Pacific, a team of marine researchers, including engineers from Stanford University, conducted the first comprehensive survey of the airship's final resting place on the floor of Monterey Bay more than 1,000 feet below sea level.

The story of the Macon and the Navy's ill-fated zeppelin program has long fascinated military historians and aircraft aficionados. Over the years, a surprising number of faculty, students and alumni from the Stanford School of Engineering have played a crucial role in bringing that story to light.

More here.

Microsoft: Excuses on iPod Virus Not Credible

Paul F. Roberts writes on InfoWorld:

Security and quality assurance experts reacted negatively to Apple Computer's efforts Tuesday to blame manufacturing problems that resulted in iPod MP3 players shipping with a virus that affects Microsoft's Windows operating system.

Security professionals, including Microsoft's own product release virus scanning chief, called Apple's efforts to deflect blame onto Microsoft misleading and said the batch of factory-infected iPods reveals a troubling lack of thoroughness in the company's manufacturing process.

More here.

Iran Cuts Internet Speeds to Homes and Cafes

A Reuters newswire article, via MSNBC, reports that:

Iran’s internet service providers have started reducing the speed of Internet access to homes and cafes based on new government-imposed limits, a move critics said appeared to be part of a clampdown on the media.

An official said last week that ISPs were now “forbidden” by the Telecommunications Ministry from providing Internet connections faster than 128 kilobytes per second (KBps), the official IRNA news agency reported. He did not give a reason.

More here.

ICANN Board to Vote on Domain Tasting Measure

Kieren McCarthy writes on CircleID:

The ICANN Board will vote today on a new registry service put forward by PIR for .org which is its attempt to solve the domain tasting issue.

It takes the form of an amendment to the .org contract and enables PIR to charge five cents per domain "when the number of such deleted registrations is in excess of 90 per cent of the total number of initial registrations".

More here.

Identity Thieves Use Yahoo! e-Mail to Purchase Goods Online

Fiona Raisbeck writes on SC Magazine Online:

Over three quarters of suspected identity thefts use Yahoo! email accounts, according to a report published yesterday.

The research, completed by checkmyfile.com, found that consumers using popular internet based email addresses, such as Yahoo! and Hotmail, to make online purchases are more likely to be blacklisted as identity thieves by retailers.

It found that companies accepting transactions from such email accounts are up to seven times more likely to have to refund a consumer's credit card because the card owner doesn't recognise the purchase, compared to customers using other email providers. According to the report 82 per cent of suspected identity theft attempts use Yahoo! addresses.

More here.

`Colbert Report' Celebrates First Anniversary With Auction

Stephen Colbert
Image source: Comedy Central


An AP newswire article by Jake Coyle, via The Boston Globe, reports that:

"The Colbert Report" celebrated its one-year anniversary by offering the show's devoted audience -- the "Colbert Nation" -- a piece of its leader.

Stephen Colbert announced on Tuesday that he will auction the portrait that hangs above the fireplace on the set of his Comedy Central show. The painting depicts a debonair Colbert standing in front of a similar portrait of himself.

The portrait will be auctioned on eBay until Oct. 27, with the winner announced on the show on Oct. 30. Proceeds will benefit Westport, Conn.-based Save the Children.

"I've already saved the world. How hard could saving the children be?" Colbert said in a statement.

More here.

Tuesday, October 17, 2006

Hackers Link Pakastani Consulate Website to Porn Pages

Ashfaq Ahmed writes on GulfNews.com:

The website of the Pakistan Consulate General in Dubai has been hacked into; a click on options on the home page menu leads to pornographic sites.

"I was stunned to see links for 'girls' and 'dating' when I tried to get information about educational institutions in Pakistan on the consulate's website www.pakcgdubai.org.ae," said a prominent Pakistani businessman.

He said this shows that no one at the consulate is updating or maintaining the website, which is a window to information on consular services and other information.

An official at the consulate said that they had already complained to Etisalat and the links have been blocked.

More here.

(Props, Flying Hamster.)

Gapingvoid: Would You Like Fries With That?

Via gapingvoid.com. Enjoy!

FBI Director Wants ISPs to Track Users

I knew that the Chertoff "announcement" wasn't just an isolated thing. This is a concerted effort to track you on the Net.

Declan McCullagh writes on C|Net News:

FBI Director Robert Mueller on Tuesday called on Internet service providers to record their customers' online activities, a move that anticipates a fierce debate over privacy and law enforcement in Washington next year.

"Terrorists coordinate their plans cloaked in the anonymity of the Internet, as do violent sexual predators prowling chat rooms," Mueller said in a speech at the International Association of Chiefs of Police conference in Boston.

"All too often, we find that before we can catch these offenders, Internet service providers have unwittingly deleted the very records that would help us identify these offenders and protect future victims," Mueller said. "We must find a balance between the legitimate need for privacy and law enforcement's clear need for access."

The speech to the law enforcement group, which approved a resolution on the topic earlier in the day, echoes other calls from Bush administration officials to force private firms to record information about customers. Attorney General Alberto Gonzales, for instance, told Congress last month that "this is a national problem that requires federal legislation."

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, Oct. 17, 2006, at least 2,775 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,207 died as a result of hostile action, according to the military's numbers.

The AP count is 8 more than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

Wo0t! Oracle Releases 101 Fixes

Dan Kaplan writes on SC Magazine Online:

Database giant Oracle today released 101 fixes, marking its largest quarterly critical patch update (CPU) in more than a year.

The update delivered fixes for a host of company solutions, including Oracle Database (22 patches), Application Server (14), E-Business Suite (13) and PeopleSoft Enterprise (eight).

None of the bugs in Oracle Database - the vendor's most popular product - are remotely exploitable without valid authorization, according to the CPU. The highest Database risk assessment score - on a scale of 1 to 10 - was 4.2.

More here.

'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit

Ryan Naraine writes on eWeek:

Microsoft's twice-yearly BlueHat summit will kick off with a demo of a virtualization-based rootkit that can be used to defeat the company's PatchGuard technology.

Microsoft's twice-yearly BlueHat hacker summit, running Oct. 26-27, will kick off later this week with a demo of a virtual machine rootkit that can potentially be used to defeat the controversial PatchGuard technology.

Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsoft's Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intel's VT-x virtualization extension.

Zovi, an expert on exploitation techniques, 802.11 wireless attacks and operating system kernel security, will demo the rootkit at the conference, to which select members of the hacking community are invited to brainstorm security issues with Microsoft employees and executives.

More here.

Windows Virus Worms Onto Some Apple iPods

Ina Fried writes on C|Net News:

Apple Computer warned on Tuesday that some of its latest iPods have shipped with a Windows virus.

The company said that a small number of video iPods made after Sept. 12 included the RavMonE virus. It said it has seen fewer than 25 reports of the problem, which it said does not affect other models of the media player, nor does it affect Macs.

The Cupertino, Calif.-based company apologized on its Web site for the problem, but also used the opportunity to jab at Microsoft, its operating system rival.

More here.

ACLU Says New Law Undermines Due Process and the Rule of Law

Via The ACLU.

As President Bush signed S. 3930, the Military Commissions Act of 2006 into law, the American Civil Liberties Union expressed outrage and called the new law one of the worst civil liberties measures ever enacted in American history.

To highlight concerns with the act, the ACLU took out a full page advertisement in today's Washington Post, calling itself "the most conservative organization in America." Since its founding, the ACLU has fought to conserve the system of checks and balances and defend the Bill of Rights.

More here.

Political Toon: Adding Up


Click for larger image.


AllofMP3 Hosts Its First Press Conference

Nate Anderson writes on ARS Technica:

In an effort at greater transparency (and to counter recent criticism by US Trade Representative Susan Schwab), AllofMP3.com hosted a virtual press conference today at which it took questions from journalists about its business model and legal dispute with record labels. Unfortunately, what emerged was a mass of contradictory information.

The Russian site, which offers two-dollar downloads of major-label albums, says that it wants to support artists. In response to a question from Ars Technica, Director General Vadim Mamotin said that his company pays 15 percent of its earnings to ROMS (the Russian Multimedia and Internet Society), from whom AllofMP3 has a license to sell digital music. Copyright holders in both the UK and the US assert that they have not seen a dime from the site. AllofMP3 simply asserts that "it's ROMS responsibility to compensate the appropriate copyright holders." Where's the money going? No one knows, and AllofMP3 provided no details or explanation.

More here.

Great Firewall of China: Zeroing In on Page Specifics?

Tenille Bonoguore writes in The Globe and Mail:

China has partially lifted its ban on the open-forum Internet encyclopedia Wikipedia, but many users are still being blocked from the Chinese-language version and cannot access controversial articles.

English-language articles on topics such as the Tiananmen Square massacre of 1989 remain inaccessible despite the government relaxing its censorship almost a year after it completely blocked the site.

The changes have raised concerns that China's online censors may have moved to a page-by-page blocking system rather than sweeping site-wide bans.

More here.

Patches Available for Bluetooth Flaw

Brian Krebs writes on Security Fix:

Security flaws present in the software components that power wireless communications over Bluetooth on a number of popular laptop models could let attackers compromise vulnerable machines.

Bluetooth is a communications technology that allows electronic devices to exchange information wirelessly over short distances (the theoretical range is between 10 to 100 meters, depending on the class of the devices used). The problem stems from Bluetooth device drivers made by Toshiba Corp., drivers that are present not only in many Toshiba notebooks but also in a number of machines made by Dell Computer.

According to an advisory from Atlanta-based SecureWorks, an attacker would not need to have login credentials on the target computer to execute the attack. While an attacker would need to know the Bluetooth address assigned to the victim's device, this wouldn't be an issue for machines configured to allow other Bluetooth devices to discover it (one of several free Bluetooth scanning tools could be used to discover the address).

More here.

Supercomputers Help, But Can't Mimic a Real Nuclear Blast

An AP newswire article by Angelina Charlton, via USA Today, reports that:

While North Korea was testing a nuclear bomb, France was verifying its nuclear arms, too — with a battalion of soundless, black, cabinet-sized calculators buried beneath a meadow.

The world's established nuclear powers have for the past decade foregone real test blasts for the onscreen kind, harnessing the world's most powerful computers to simulate as best as possible what happens when a nuclear bomb explodes.

So why should any nation test-blast weapons anymore if supersimulators can do the job? Because, nuclear experts say, it has turned out to be tougher than most people thought to mimic the "real thing."

More here.

Quote of the Day: Scott Adams

"Recently an airport security guy confiscated my 4 ounce shampoo container because he said the maximum allowed is 3 ounces. I pointed to the airport’s own sign that says 4 ounces is allowed, but that didn’t seem like a good argument to him. It was too late to check my bags, so he confiscated my mostly empty 4 ounce container."

"But here’s the interesting part. The container is semi-transparent, and contained obviously less than 1 ounce of liquid. Apparently the empty portion of the container posed a threat. Or to put it another way, as we humorists like to do, the airport confiscated my 3 ounces of nothing so that I couldn’t use that nothing to blow up the plane."

- Scott Adams, on The Dilbert Blog.

Double Standards in Security Hassles

Bob Sullivan writes in The Red Tape Chronicles:

It’s privacy week at MSNBC.com. We’ve tried to examine that very complex topic from many angles in the hopes of beginning a wider dialog on the subject. We only lightly touched on privacy’s twin subject -- the yin of privacy’s yang – security. A deeper look at that subject will come in the coming weeks and months.

Suffice to say that we have all been asked to surrender some of our privacy with the promise of increasing our level of security.

But have we succeeded in making ourselves safer? Last week’s tragic death of Yankees pitcher Cory Lidle in a New York City airplane crash raises this issue. Are all Americans being asked to make the same sacrifices in the name of security? Lidle’s ill-fated flight suggests a disturbing answer. To get there, we must ask this obvious question: How could someone fly a plane into a New York City high-rise without anyone knowing that an aircraft was there?

More here.

New U.S. Space Policy 'Sets Up' Intel Turf War

Via UPI.

The new U.S. policy on space exploration and exploitation sets the stage for a turf battle between intelligence and the military, says one expert.

Steven Aftergood, the government transparency campaigner at the Federation of American Scientists, says the new policy, released recently by the White House, "creates overlapping and possibly conflicting responsibilities" for Director of National Intelligence John Negroponte and Secretary of Defense Donald Rumsfeld.

Aftergood noted that the section of the policy on national security was higher up in the document than in the 1996 policy it replaced, which "perhaps reflects a higher priority" for national security concerns.

More here.

California: Anti-Bush Teen Finds Fame Fast

Laurel Rosenhall writes in The Sacramento Bee:

Once upon a time Julia Wilson dreamed of becoming the next Christina Aguilera, a pop star famous for glamour but not politics. Instead, she's become the next Cindy Sheehan, receiving global attention for displaying her anger at President Bush.

The story of the Sacramento teenager questioned last week by federal agents about her anti-Bush Web page has spread around the world, with newspapers in Egypt, China, Australia and Europe publishing articles about her and national television stations clamoring for interviews.

The 14-year-old McClatchy High School student who posted the words "Kill Bush" -- along with a photo-collage showing a cartoon dagger stabbing the president's hand -- on her MySpace page last year is scheduled to be interviewed today by CNN. She and her father appeared on MSNBC over the weekend and turned down interview requests from Fox News.

More here.

Universal Music Sues Two Online Video Websites

Yinka Adegoke writes for Reuters:

Universal Music Group said on Tuesday it filed lawsuits against online video sharing sites Grouper and Bolt.com for allowing users to swap pirated versions of its musicians' videos.

Universal, whose artists include U2, Mary J Blige and Mariah Carey, said it is seeking damages up to as much as $150,000 for each incident of copyright infringement plus costs. It estimated that thousands of music videos were being viewed on both sites, to their benefit alone.

The lawsuits were filed late on Monday at the U.S. District Court, Central District of California, Western Division.

Grouper and Bolt officials were not immediately available for comment.

More here.

Swiss Banks Broke Privacy Laws Over SWIFT Transfers

Via OUT-LAW.com.

Swiss banks broke the law by passing customer bank details to US authorities, Switzerland's top data protection official has said. The banks should have told customers that international transaction company SWIFT was passing details to the US, he said.

Hanspeter Thür, the Federal Data Protection Commissioner of Switzerland, said that the banks broke data protection laws when they failed to inform customers that information was being transferred.

SWIFT (Society for Worldwide Interbank Financial Telecommunication) manages international payments between banks and has allowed US authorities to have access to transaction details since the terrorist attacks in the US of 11th September 2001.

More here.

Spamhaus Appeals Possible Shutdown Ruling

Robert McMillan writes on InfoWorld:

The Spamhaus Project has told a U.S. court that it plans to appeal a recent ruling that threatened the volunteer organization with millions of dollars in legal fines and the possible shutdown of a database of known spammers.

The notice was filed Friday in the U.S. District Court for the Northern District of Illinois by lawyers with Jenner & Block, a Chicago law firm that is now representing Spamhaus.

Spamhaus, based in the U.K., has a team of 25 investigators and claims to block between 8 billion and 10 billion e-mail messages per day. Its database is used by several major security vendors, including Microsoft.

The filing marks the group's return to a legal fight against an e-mail marketing company called e360 Insight that Spamhaus had tried its best to ignore.

More here.

Level 3 Plans $1.4B Broadwing Buyout

Ed Sutherland writes on internetnews.com:

Accelerating its push into the retail enterprise fiber-optic market, wholesaler Level 3 announced a $1.4 billion cash and stock acquisition of Austin, Texas-based Broadwing.

The deal, the latest in a series, effectively doubles Level 3's enterprise revenue.

More here.

Microsoft Advises Users To Run Update Again

Gregg Keizer writes on TechWeb News:

Windows users may have to update their PCs more than once to completely patch one of the vulnerabilities Microsoft fixed last week, the company's support site said Monday.

Security update MS06-061 -- one of five labeled "critical" by Microsoft -- may install multiple versions of the XML Parser or XML Core Services when it's downloaded manually or via an automatic update mechanism. But "if you install a version of MSXML after you install this security update, you may have to install an additional package for this security update," read a Microsoft support document.

More here.