Robert McMillan, IDG News Service

San Francisco's ambitious plans to roll out computerized smart parking meters have hit a snag: They can be hacked for free parking.

Security researchers say that it is easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking. To prove their point, they will talk about how they built just such a card in about three days at a computer security conference Thursday.

According to Joe Grand, owner of Grand Idea Studio, San Francisco's parking meters have no way of telling the difference between a genuine payment card and a fake. These cards can be used to pay 23,000 meters citywide.

Grand, who hadn't worked much with smart cards, said that the work wasn't particularly hard to do. His card simply replays the same signals used by genuine cards to the meter. Although he never actually used the card to get free parking, Grand said he was able to build a card with a balance of US$999.99 -- the maximum possible -- that would never run out of funds.

"If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it," he said. "That's costing all of us taxpayers money."

To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.

San Francisco uses McKay Guardian XLE meters, Grand said, but because these meters are implemented differently in different cities, his technique may not work outside of San Francisco.

Cities across the U.S. are rolling out computerized parking meter systems designed to be easier to pay and manage. San Francisco's smart meters were rolled out as part of a broader program, known as SFpark, which will eventually deploy parking sensors that can detect when a space is empty and transmit that information wirelessly to drivers looking for spots.

But there have been some problems. In May, about 125 smart meters in Chicago stopped working properly, prompting speculation that the machines may have been hacked.

Posted by Nancy Pursley in Virus & AntiVirus News at 09:29

WASHINGTON (AFP) – Microsoft released a security patch on Tuesday aimed at preventing hackers from exploiting a vulnerability in its Web browser, Internet Explorer.

The US software giant said that the security update would be automatically installed for Internet Explorer users who have automatic updating enabled on their computers but would need to be installed manually by other users.

It said the update resolves three privately reported vulnerabilities in Internet Explorer.

"These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer," Microsoft said.

It said the security patch "addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory and table operations."

Microsoft said an attacker could exploit the vulnerability by constructing a specially crafted Web page.

"When a user views the Web page, the vulnerability could allow remote code execution," it said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."

"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," it said.

Microsoft said the security update was considered "critical" for users of certain versions of Internet Explorer running on Windows 2000 and Windows XP operating systems.

Our Comment: Make sure you update on a regular basis and get these patches quickly.

Original Article:

Posted by Nancy Pursley in Virus & AntiVirus News at 10:19

Security firm McAfee has identified more than 1.2 million different types of malware in the first half of 2009.

McAfee said that this is over double the 500,000 unqiue pieces of malware it identified in the same period in 2008. In total, the security firm identified 1.5 milliion types of malware in 2008, and it expects the 2009 figure to top this.

"In the first half of 2009, we have seen about three times the unique malware discovered in the same period in 2008," said Dave Marcus, director of security research and communications at McAfee.

"This tremendous growth is a signal of daunting times for users, as malware infiltrates more and more of the platforms we trust."

McAfee also revealed that around 40 percent of all password-stealing Trojans can be found on websites connected to gaming and virtual worlds, while 80 percent of all banking e-mail recieved by Web users are phishing scams.

McAfee also said on average victim's of phishing scams lose £520 per scam.

Our Advice: Don't let your ESET NOD32 or Smart Security lapse. We can do a renewal 60 days before the expiration date but we always extend the new expiration date so you don't loose any time. Don't be caught without protection.

Original Article

Posted by Nancy Pursley in Virus & AntiVirus News at 08:39

SAN FRANCISCO (AFP) – Longtime computer security rivals are joining forces to battle increasingly sophisticated online attacks by cyber criminals.

"The attacks are getting more complex, and if we want to get ahead of attackers the call is to work together in a community approach," said Microsoft Security Response Center director Mike Reavey.

"One of the things becoming clear is that customers want vendors to work together, and they want information and protection out faster."

Microsoft used a premier Black Hat security conference taking place this week in Las Vegas as a stage to unveil enhancements to the software giant's computer defense collaboration efforts.

Microsoft released a new tool designed to make it easier for software security firms to model hacker threats and craft defenses.

The Redmond, Washington-based technology firm also unveiled a guidebook to de-mystify the realm of software security updates and vulnerability patches.

"There is a sea of information out there and we want to help customers navigate those waters," Reavey told AFP. "The guide walks them through what we do."

A Microsoft Active Protections Program launched at Black Hat last year has grown to 47 members that share information to minimize time hackers have to craft and launch attacks on newly discovered software weaknesses, Reavey said.

"By working together, the security vendors get free vulnerability information, Microsoft knows their products will be protected from widespread exploitation when the disclosure goes out, and customers win by remaining protected," TippingPoint security researcher Jason Avery said in a release.

"Everyone wins."

Microsoft provides computer security allies with an "exploitability index" that gauges the likelihood hackers will target various vulnerabilities to help security firms prioritize responses.

Microsoft also shares lessons learned while analyzing software for flaws.

"What we are seeing is they are working well with us and we are working well together," Reavey said of allies in the software security world.

Security industry teamwork was crucial in countering a Conficker virus that plagued the Internet early this year.

Posted by Nancy Pursley in Virus & AntiVirus News at 10:37