Archive for the ‘Security Breach’ Category

Yahoo! Messenger ActiveX Flaw Exploits Released!

Thursday, June 7th, 2007

Two zero-day exploits for remote code execution flaws in Yahoo! Messenger’s Webcam application have been released.

One of the flaws is a boundary error in the Yahoo! Webcam Upload ActiveX control; the other is in the Yahoo! Webcam Viewer ActiveX control.

Yahoo! expects to have a fix for the flaws available soon. The flaws have been confirmed in Yahoo! Messenger version 8.1.0.249 and may exist in other versions as well. Until the patch is applied, the usual interim mitigation for a vulnerable ActiveX control is to set its kill bit so that Internet Explorer will not instantiate it from a web page.

{Update: As of Friday, June 8, 2007, Yahoo! has begun prompting Yahoo! Messenger users to download and install a security upgrade that patches these flaws.}

More info here on the Yahoo! ActiveX Flaw.

DreamHost's Systems Hacked Yet Again

Wednesday, June 6th, 2007

Attackers broke into the computer systems of web host company DreamHost and installed malware on hundreds of websites, including the official site of the Mercury music awards.

DreamHost said the intruder or intruders exploited a flaw in its web control panel software.

DreamHost has notified affected customers of the breach via email.

The attackers attempted to access the company’s central database and billing data, but no billing or credit card data were compromised in the intrusion.

DreamHost is responsible for more than 500,000 domains. The intrusion affected approximately 3,500 FTP accounts; users were urged to change their FTP account passwords as soon as possible.

Read DreamHost's official statement on the breach

Mobile Devices Hold On to Old Data

Sunday, September 3rd, 2006

Following the manufacturer's directions for removing data from a mobile device, such as a phone or PDA, before selling or recycling it is not enough to keep the next person who holds the device from reading your private information.

Data can still be retrieved from phones that have been reset: a reset typically clears the device's index of stored items rather than overwriting the underlying flash memory, so the contents remain recoverable with forensic tools. A security software company that purchased 10 used smartphones and PDAs on eBay found sensitive, personally identifiable information on nearly all of them.

The company plans to return all the phones to their original owners and has kept all the data it retrieved from the phones on a computer not connected to its corporate network.

Some manufacturers have added stronger data-wiping functions to their newer devices.
http://www.theage.com.au/news/Technology/Software-Can-Resurrect-Cell-Phone-Info/2006/08/31/1156816976190.html
http://software.silicon.com/security/0,39024888,39161863,00.htm
http://www.vnunet.com/vnunet/news/2163176/pdas-sold-ebay-loaded-sensitive
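A toy illustration of the point above, added here as an example and not code from the article or from the company that bought the devices: a simulated device image in which the vendor "reset" erases only the record index, forensic carving still recovers the contact and SMS bytes from the data region, and only an overwrite of the whole chip defeats it. The storage layout, record format, sample contacts and every function name below are constructed for this demonstration.

```python
# Added example (not from the original article): a toy model of why a
# "factory reset" leaves data recoverable. Storage is a fixed-size bytearray
# with a small record index in front of a data region, roughly how simple
# flash filesystems of the period worked. Device layout, sample records and
# all function names here are constructed for this demonstration.
import re

STORE_SIZE = 4096   # total "flash" size in bytes (constructed)
INDEX_SIZE = 256    # first 256 bytes hold the record index
SLOT = 16           # one index entry: 2-byte offset, 2-byte length, padding
FREE = 0xFF         # value of an erased flash byte


def new_device():
    """Return a blank device image: every byte erased."""
    return bytearray([FREE]) * STORE_SIZE


def _entry(flash, slot):
    """Decode index slot -> (offset, length), or None if the slot is erased."""
    o = slot * SLOT
    if flash[o] == FREE:   # offsets never exceed 0x0FFF, so 0xFF means erased
        return None
    return (int.from_bytes(flash[o:o + 2], "big"),
            int.from_bytes(flash[o + 2:o + 4], "big"))


def store_record(flash, data):
    """Append `data` to the data region and point a free index slot at it."""
    end = INDEX_SIZE                       # first free byte of the data region
    for slot in range(INDEX_SIZE // SLOT):
        entry = _entry(flash, slot)
        if entry is None:
            break
        end = max(end, entry[0] + entry[1])
    else:
        raise RuntimeError("index full")
    if end + len(data) > STORE_SIZE:
        raise RuntimeError("data region full")
    flash[end:end + len(data)] = data
    o = slot * SLOT
    flash[o:o + 2] = end.to_bytes(2, "big")
    flash[o + 2:o + 4] = len(data).to_bytes(2, "big")
    return slot


def list_records(flash):
    """What the handset's own UI shows: only records reachable via the index."""
    out = []
    for slot in range(INDEX_SIZE // SLOT):
        entry = _entry(flash, slot)
        if entry is not None:
            out.append(bytes(flash[entry[0]:entry[0] + entry[1]]))
    return out


def factory_reset(flash):
    """Model of the vendor 'reset': erase the index, leave the data region alone."""
    flash[0:INDEX_SIZE] = bytes([FREE]) * INDEX_SIZE


def secure_wipe(flash):
    """Overwrite every byte, then erase, so that carving recovers nothing."""
    flash[:] = bytes(STORE_SIZE)              # overwrite data with zeros
    flash[:] = bytes([FREE]) * STORE_SIZE     # then erase the whole chip


def carve_pii(flash):
    """Forensic carving: ignore the index and scan raw bytes for PII patterns."""
    raw = bytes(flash)
    emails = re.findall(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", raw)
    phones = re.findall(rb"\d{3}-\d{3}-\d{4}", raw)
    return sorted(set(emails)), sorted(set(phones))


def demo():
    """Store two records, reset, carve, wipe, carve again."""
    flash = new_device()
    # constructed sample records, not real data
    store_record(flash, b"contact: Alice Example <alice@example.com> 555-010-1234\n")
    store_record(flash, b"sms: meet at 7, bring the badge, call 555-010-9876\n")
    visible_before = len(list_records(flash))
    factory_reset(flash)
    visible_after = len(list_records(flash))      # UI now shows nothing
    carved_after_reset = carve_pii(flash)         # but the bytes are still there
    secure_wipe(flash)
    carved_after_wipe = carve_pii(flash)
    return visible_before, visible_after, carved_after_reset, carved_after_wipe


if __name__ == "__main__":
    print(demo())
```

Running the script shows two records visible before the reset, none visible afterwards, yet the e-mail address and both phone numbers carved straight out of the raw image; only the overwrite-then-erase pass leaves nothing to carve. Real handsets are less tidy than this model: flash wear levelling and spare blocks can keep stale copies of data that the operating system believes it has overwritten, so a wipe that the device reports as complete still deserves verification against a raw dump before the device changes hands.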

Kevin Mitnick’s Website Hacked Anew

Thursday, August 24th, 2006

Digital vandals defaced the Web site of hacker-turned-security-consultant Kevin Mitnick over the weekend, replacing information on his books and consulting services with foul language.

According to CNET News.com, the vandals, who are reportedly based in Pakistan, hacked into the machine hosting Mitnick’s site, removed his front page and put their own page in its place. The defacement affected four of Mitnick’s Web addresses, including KevinMitnick.com and MitnickSecurity.com.

“The Web hosting provider that hosts my sites was hacked,” Mitnick told CNET News.com. “Fortunately, I don’t keep any confidential data on my Web site, so it wasn’t that serious. Of course it is embarrassing to be defaced — nobody likes it.”

Mitnick gained notoriety as a hacker who was caught by the FBI in 1995 after a much-publicized pursuit. He served a five-year prison sentence for wire and computer fraud and later became a security consultant and author, traveling the lecture circuit.