August 9, 2006
Hacktivism at Work, Joe Lieberman’s Site Attacked
The day of the primary is a bad day to have your website attacked. It had happened before, but this time it looks like a DDoS attack:
But the earlier two attacks involved defacements — the hacker altered content on Lieberman’s home page. This time, attackers toppled the Lieberman site with requests, probably by directing an army of hacked computers at the site.
Lieberman lost the primary and now goes on to run as an independent. Might it be time to find a new host?
Read More: Threats, Web, Bots, Government
July 31, 2006
Hack Your Southwest Boarding Pass
A how-to on boarding early on Southwest…
…Use any HTML editor to change the “B” or “C” graphic on your saved boarding pass to the “A” graphic that you saved.
Not rocket science, but it points out the inherent insecurity of boarding passes you print out yourself: nothing on the printed pass lets the gate agent tell whether it was altered after the airline produced it. I suspect it’s similarly easy with other airlines. Recently, Southwest filed suit against APassOnly.com, which acted as a proxy to get you first in line for boarding, so I don’t expect this site to stay up long.
How To Change A Southwest Airlines Boarding Pass From a “C” or “B” to an “A”! [boardfast.blogspot.com]
Read More: Web, Authentication, Vulnerabilities
July 26, 2006
IE7 to be Pushed via Automatic Updates
Internet Explorer 7 will be a huge win for web security, and Microsoft has announced how they will be distributing it:
AU will notify you when IE7 is ready to install. Alternately, you will be able to visit the Windows Update or Microsoft Update sites and obtain IE7 by performing an “Express” scan for high-priority updates. Either way, you will see the welcome screen that allows you to choose whether to install it.
Enterprises will have some ability to control this:
We are also providing a Blocker Toolkit for our enterprise customers who may want to block automatic delivery of IE7 in their organizations; this blocker has no expiration date.
IE7 to be distributed via Automatic Updates [IE Blog on MSDN]
Read More: Patching, Web, Phishing, Windows
July 24, 2006
Weaknesses in Whois Exploited by Domain Squatters
eWeek columnist Larry Seltzer tries to find out why domain names he searches for mysteriously get registered hours after he looks them up. It seems squatters are exploiting the fact that WHOIS availability searches are not private:
I decided to run some tests, so I picked three names out of the air and checked them with the CNet Domain Search page including myfuzzycat.com and lickmynose.com.
I let the matter go and about 30 hours later I checked with a separate whois service and determined that the domains belonged to Chesterton Holdings.
I’ve never had this happen to me, but it’s a disturbing trend.
Read More: Web, Vulnerabilities
June 13, 2006
Yahoo! Worm a Harbinger of Those to Come
There’s some JavaScript malware worming its way around Yahoo! Mail. Not a ton of users are affected, and Yahoo! says it has put a mitigation in place. The more disturbing thing is the trend, as Michael Haisley at the SANS ISC points out:
After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code can protect developers against this type of exploit.
First MySpace, now Yahoo! Mail; what’s next? As Web 2.0 sites become more functional (and complex) we’ll be seeing more and more of these kinds of exploits.
Yahoo Webmail Worm on the Loose [Security Fix]
Javascript/AJAX/Worm Like Behavior [SANS ISC]
UPDATE: InformationWeek has a good article outlining the risks of JavaScript.
Read More: Threats, Web, Vulnerabilities
May 17, 2006
Most Dangerous Search Words
The very useful and very free SiteAdvisor from McAfee has published its list of the most dangerous search terms:
Free Screensaver
Bearshare
Screensavers
Winmx
Limewire
Download Yahoo messenger
Lime wire
Free ringtones
SiteAdvisor has gone onto my “list of software I make sure is installed on my Mom’s computer.” You know what they say about an ounce of prevention.
Killer phrase will fill your PC with Spam [the Inquirer]
Read More: Threats, Web, Vulnerabilities, Spyware, Windows
May 5, 2006
DDoS Knocks Over TypePad
Six Apart, creator of the blogging tool Movable Type and the hosting service TypePad, was the victim of a massive DDoS attack. It seems a Russian spammer trying to take down the anti-spam company Blue Security hit TypePad when Blue Security redirected its website there.
Ouch. Thousands of sites went down; details are still emerging. It reminds me of a similar attack written up in CSO last year.
Blue Security Press Release [BusinessWire]
Detailed Profile of a DDoS [CSO]
UPDATE: Spammer Speaks [Wired]
Read More: Threats, Web, Bots
May 4, 2006
Identity Theft via Frequent Flyer Numbers?
The British paper The Guardian exposes a hole in the British Airways website. Given someone’s name and frequent flyer number, you could steal their entire identity:
We logged on to the BA website, bought a ticket in Borer’s name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
The airline responded and closed the hole. According to the article, somehow this whole issue is the fault of CAPPS II, the now-defunct TSA program for screening airline passengers for terrorists. While I’m not excited about any program that invades my privacy and marks my friend’s 2-year-old as a terrorist, the airline is at fault here, not the TSA: a frequent flyer number is printed on boarding pass stubs and luggage tags, so it is an identifier, not a secret, and treating it as a password is the hole.
However, there are two lessons here:
- Be careful how you handle any piece of information that uniquely identifies you. You never know what other information it might be tied to.
- When engineering or auditing a system, approach it in a threat-based way. Ask yourself, “If I only knew X piece of information, how much could I learn?” Better that you find out the nasty truth than a national newspaper.
Q. What could a boarding pass tell an identity fraudster about you? A. Way too much [The Guardian] (via Lifehacker)
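The second lesson’s question can be asked mechanically. Below is an added example (not from the Guardian article, BA, or the original post) that models a site as a list of endpoints, each stating what a caller must already know to use it and what it reveals, and then computes everything an attacker can reach from a given starting point. The endpoint names, field names and the “fix” are constructed for illustration; BA’s real system is not described in any more detail than the quoted paragraph gives.

```javascript
// Added example: answer "if I only knew X, how much could I learn?" for a toy model
// of an airline site. Endpoints, fields and rules are constructed, not BA's real system.

// Each endpoint lists the fields a caller must already hold and the fields it returns.
const vulnerableSite = [
  // Buying a ticket in someone else's name needs only the name, as in the article.
  { endpoint: 'buy ticket', requires: ['name'], reveals: ['confirmation', 'boardingPassStub'] },
  // The stub prints the frequent flyer number.
  { endpoint: 'read boarding pass stub', requires: ['boardingPassStub'], reveals: ['ffNumber'] },
  // The hole: the profile page authenticates on the frequent flyer number alone.
  { endpoint: 'view profile', requires: ['ffNumber'],
    reveals: ['passportNumber', 'passportExpiry', 'nationality', 'dateOfBirth', 'address'] },
];

// The fix: the profile page demands a credential the attacker does not hold.
const fixedSite = vulnerableSite.map(e =>
  e.endpoint === 'view profile' ? { ...e, requires: ['ffNumber', 'password'] } : e);

// Compute the closure of what is learnable from a starting set of knowledge: keep
// applying any endpoint whose prerequisites are all known until nothing new appears.
function reachable(known, site) {
  const have = new Set(known);
  const path = [];                 // which endpoint yielded which new fields, in order
  let grew = true;
  while (grew) {
    grew = false;
    for (const e of site) {
      if (!e.requires.every(f => have.has(f))) continue;
      const gained = e.reveals.filter(f => !have.has(f));
      if (gained.length === 0) continue;
      gained.forEach(f => have.add(f));
      path.push(`${e.endpoint} -> ${gained.join(', ')}`);
      grew = true;
    }
  }
  return { fields: [...have].sort(), path };
}

// Everything an attacker learns beyond the starting knowledge (default: a name only).
function exposure(site, start = ['name']) {
  return reachable(start, site).fields.filter(f => !start.includes(f));
}

console.log('vulnerable site, from a name:', reachable(['name'], vulnerableSite).path);
console.log('fixed site, from a name:', exposure(fixedSite));
```

The same walk can start from any field (a confirmation code, a passport number) to see which endpoint is doing the most damage; in this model it is the one that accepts a printed identifier as proof of identity.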
Read More: Threats, Web, Authentication, Identity Theft, Privacy
May 2, 2006
New Tactics of SSL Evading Trojans
ComputerWorld has a scary article about the strategies some of the more advanced Trojans use to bypass SSL and even the strongest authentication. The common thread is that SSL protects the connection, not an endpoint the attacker already controls. Among the strategies:
- Stealing passwords via keystroke loggers, plus taking screenshots to defeat secondary authentication mechanisms like on-screen keyboards.
- Running a man-in-the-middle proxy on the user’s own computer and using it to harvest credentials while still passing them on to the real site.
- And, my favorite, using the existing authenticated channel to the bank:
The Trojan then manipulates the underlying transaction, so that what the user thinks is happening is different from what’s actually transpiring on the site’s servers…When the user successfully authenticates, the Trojan opens a hidden browser window, reads the user’s account balance, and creates another hidden window that initiates a secret transfer.
I may be transferring all my money to First National Bank of the Mattress soon.
Read More: Threats, Web, Crypto, Passwords, Phishing
May 1, 2006
Can You Spot The Spyware Site?
McAfee has an online quiz to see if you can tell which site is safe and which one will install adware and spyware. It’s quick and revealing. I only got 4 of 8 right. (Mulligan: the one on the left is safe.)
It’s from a spyware removal vendor, and it’s pushing their SiteAdvisor service, so take it all with a grain of salt. But SiteAdvisor is free and pretty useful for spotting malicious websites.
Read More: Web, Spyware
April 27, 2006
Technical Contact Only in WHOIS?
Our favorite Internet regulator, ICAN’T ICANN, is close to deciding that the only contact information required in WHOIS is the technical contact. From the WSJ article:
… the Icann committee responsible for Whois voted 18-9 to restrict its listings solely to someone who can resolve technical “configuration” problems. That means a Web-hosting company could be listed without any link to the person who controls what appears on the site. After the committee makes recommendations on other aspects of the Whois rules, the full Icann board is expected to approve the reduced disclosure requirement.
It has been pushed by privacy advocates but is opposed by ‘major corporations’ and the US government. This may have significant implications for those of you who do investigations, or even for normal users who are trying to determine whether they are being phished.
The current options if you’d like your contact info to remain private are to:
- Dummy it up (officially against ICANN policy, but rarely enforced), or
- Pay your domain registrar extra to mask your WHOIS information for you (it can be as little as $1 per domain).
I’m not sure we really need something beyond these two options, although I sure am tired of getting spam and telemarketing calls based on my WHOIS.
Sorry, the Wall Street Journal article is subscription-only, and Google News says no one else has picked it up yet.
Wall Street Journal: Should Owners of Websites be Anonymous?
Read More: Web, Phishing, Investigations
April 21, 2006
MySpace Redeemed
After the much-publicized security risks of kids using MySpace, it seems the tide has turned.
Officials at Riverton High School began investigating on Tuesday after learning that a threatening message had been posted on MySpace.com, he said.
The message discussed the significance of April 20, which is Adolf Hitler’s birthday and the anniversary of the 1999 Columbine High School attack in Colorado, in which two students wearing trench coats killed 13 people and committed suicide, the sheriff said.
“The message, it was brief, but it stated that there was going to be a shooting at the Riverton school and that people should wear bulletproof vests and flak jackets,” Norman said.
Thank God that criminals are still stupid.
Read More: Web
April 19, 2006
Security for Web Developers
A List Apart has a great article targeted at web developers with tips for securing your community-oriented website against cross-site scripting (XSS). A great read to forward to the web developers at your company who don’t quite “get it.”