IBM has made Firefox the company’s default Web browser. According to IBM’s vice president of Linux and open source software, company-wide Firefox adoption will accelerate IBM’s shift to cloud computing.
Via: ars technica
Canada Post is warning its customers of a fraudulent email disguised as a delivery notification identifying itself as having been sent from Canada Post. The email states that Canada Post is trying to deliver a package and provides further directions for the recipient to open an email attachment in order to proceed with the package delivery.
Canada Post says the email is a fake and likely contains a virus or other malware. Recipients are being strongly cautioned against opening the attachment.
Additionally, Canada Post said that if a tracking number is provided in the email, you can check separately at the agency’s website. If it comes up as invalid, then the tracking number is a fake and the email should be deleted.
Read more at News1130
A Bank of America employee has been charged with installing malware on ATMs in North Carolina. The employee, who was a member of the bank’s IT staff, was able to withdraw cash without leaving transaction records from the ATMs over the course of 7 months during 2009.
The charges were filed the same day that credit card company Visa warned the banking industry that Eastern European ATM malware recently showed up in America for the first time. That code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture PINs and bank card magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was still in it… At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR, according to the April 1 Visa alert. There is no information tying the malware found in Russia with the malware allegedly used by Caverly.
Further details available at Wired’s Threat Level
Students at the University of Cambridge have discovered a new flaw that can be exploited with a man-in-the-middle (MITM) attack, which deceives a terminal into thinking that a card’s PIN is correct regardless of what number is entered for the PIN.
The attack uses an electronic device as a “man-in-the-middle” in order to prevent the PIN verification message from getting to the card, and to always respond that the PIN is correct. Thus, the terminal thinks that the PIN was entered correctly, and the card assumes that a signature was used to authenticate the transaction.
“We think this is one of the biggest flaws that we’ve uncovered – that has ever been uncovered – against payment systems, and I’ve been in this business for 25 years,” said Professor Ross Anderson from the school’s Computer Laboratory.
More details are available at the University of Cambridge Computer Laboratory Security Group website.
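The disagreement described above, where the terminal believes a PIN was verified while the card assumes a signature, can be modelled in a few lines. This is an added example, not code from the original post or from the Cambridge group; every class and field name is hypothetical, and the issuer-side comparison is an assumed check that the post itself does not describe.

```python
from dataclasses import dataclass


@dataclass
class Card:
    pin: str
    pin_check_seen: bool = False  # the card's own record of the transaction

    def verify_pin(self, candidate: str) -> bool:
        self.pin_check_seen = True
        return candidate == self.pin

    def cardholder_method(self) -> str:
        # With no PIN check received, the card assumes a signature was used.
        return "pin" if self.pin_check_seen else "signature"


class DirectLink:
    """Terminal is connected straight to the card."""

    def __init__(self, card: Card):
        self.card = card

    def verify_pin(self, candidate: str) -> bool:
        return self.card.verify_pin(candidate)


class InterposedLink(DirectLink):
    """Device in the middle: the PIN check never reaches the card and the
    reply to the terminal is always 'correct'."""

    def verify_pin(self, candidate: str) -> bool:
        return True


def run_transaction(link: DirectLink, entered_pin: str) -> dict:
    """Return both views of one transaction, as an issuer might receive them."""
    accepted = link.verify_pin(entered_pin)
    return {
        "terminal_method": "pin" if accepted else "declined",
        "card_method": link.card.cardholder_method(),
    }


def issuer_flags(record: dict) -> bool:
    """Flag a record where the terminal reports PIN but the card saw none."""
    return record["terminal_method"] == "pin" and record["card_method"] != "pin"


if __name__ == "__main__":
    # Constructed sample PINs; "4821" is the card's PIN, "0000" is a wrong guess.
    for link in (DirectLink(Card("4821")), InterposedLink(Card("4821"))):
        record = run_transaction(link, "0000")
        print(type(link).__name__, record, "flagged:", issuer_flags(record))
```

The check only works if the card's own view of the transaction reaches the party making the decision; the terminal's report alone cannot reveal the mismatch.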
From ISPreview:
WeFi, a free wireless Wi-Fi broadband Hotspot locator website with a database of 47,000,000 access points around the world, has revealed that 40% of Hotspots in the USA are unlocked and do not require a security password. This compares with 25% in Europe.
According to WeFi’s data, a traveler would find a higher percentage of open hotspots in countries such as Thailand, Israel, Brazil, Argentina and the Bahamas as compared with both the US and Europe. Across the world, approximately 30% of recorded Wi-Fi access points are unlocked, while some 70% are locked.
Full Article: ISPreview
Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that’s tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks.
Via: The Register
OpenBSD 4.6 was released on Sunday. Highlights of the new release include:
Grab a CD set or download from a mirror, and please support the project.
A joint study conducted by TELUS and the Rotman School of Management at the University of Toronto surveyed more than 600 Canadian IT security professionals on Canadian IT security practices this year.
The economic downturn has increased the risk to organizations:
“The threat environment worsens because when the economy goes into a downturn, job losses mount, and as people leave the organization many often take data with them,” Mr. Hejazi said.
About 33 per cent of reported security breaches this year came from within companies, and unauthorized access by employees represented the fastest-growing threat area, according to TELUS Security Labs managing director and study co-author Alan LeFort.
Last year, about 17 per cent of Canadian organizations reported so-called “insider breaches.” This year, that number has more than doubled to 36 per cent.
The complete article can be read at The Globe and Mail
Most organizations are focusing their patching efforts and vulnerability scanning on the operating system — but 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, Adobe Flash and other tools, according to actual attack data gathered for the report. Meanwhile, enterprises are taking twice as long to patch their applications as to patch their operating systems, the report says.
More at darkREADING
Sun Microsystems’ product plans are up in the air pending its acquisition by Oracle, but the company’s chip engineers continue to present new designs in the hope they’ll see the light of day. At the Hot Chips conference at Stanford University on Tuesday, Sun presented plans for a security accelerator chip that it said would reduce encryption costs for applications such as VoIP calls and online banking Web sites. The chip, known as a coprocessor, will be included on the same silicon as Rainbow Falls, the code name for the follow-on to Sun’s multithreaded Ultrasparc T2 processor.
Via: OSNews
Ruan is a resolute technophile who is currently devoted to the professional practice of Information Technology Management. In his free time Ruan pursues various interests including the study of Information Security practices and the exploration of visual culture through contemporary photography and communication design.