About InfoSecHK.org
Welcome to our site. We are volunteers who promote information and computer security to the public. Founder Anthony LAI has 8 years of experience in enterprise system development, management and security consulting.
Welcome to Information Security Hong Kong (InfoSecHK). We are volunteers who promote information security awareness across different industries. The organization was founded by Anthony LAI to instill an information security mindset in the public and to bring the latest news and in-depth professional knowledge to security practitioners. Please join the InfoSec Hong Kong Yahoo! group to receive our recent news and activities. Register as an InfoSec Hong Kong member to enjoy member benefits.
Posted by sysadmin on 2008/8/20 18:06:17 (1 reads)
Security News



When you use Gmail, Facebook, Yahoo or Hotmail, your login session cookie may easily be "cloned" via sidejacking over a wireless network. If you want to know more about sidejacking, go to Youtube.com and type in "SideJacking", or simply click this URL: http://www.youtube.com/watch?v=nFNFa-48lpI

Recently, Google has released logging records for users to monitor:
URL: http://erratasec.blogspot.com/2008/07/gmail-now-shows-ip-address-log.html

After you log in to Gmail, you will find a link to "More details". Once you click into it, you will see the following screen with the logs.

Please check the log regularly so that you can be sure nobody from another IP address is accessing your Gmail account; if there is, it will show up. If this happens to you, capture the log screen first (with the IP address) and log off ALL sessions to prevent further information exposure.

If you want to know why Google Gmail's cookie could be sniffed, you can refer to this URL:
http://erratasec.blogspot.com/2008/08/google-vs-sidejacking-round-7.html

Recently, Google has been working hard to fix this: people can now set SSL even after logging into Gmail, which makes it hard to sniff the session cookie.

Regards,
Anthony Lai
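The post above comes down to one mechanism: a session cookie that lacks the Secure attribute is attached by the browser to plain-HTTP requests as well, which is what a passive sniffer on an open WiFi network collects. The following audit script is an added example (not from InfoSecHK or Google); the Set-Cookie headers and the list of session cookie names are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies exposed to sidejacking.

Added example (not part of the InfoSecHK post). The sample headers below are
constructed; the session-cookie name list is an assumption a real audit would
replace with the names the audited site actually uses for login state.
"""
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers a webmail login response might return.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.mail.example.com",        # session cookie, no Secure flag
    "GX=zz99; Path=/; Secure; HttpOnly",                   # session cookie, hardened
    "PREF=en; Path=/; Max-Age=31536000",                   # preference cookie, not login state
]

# Assumption: names that carry login state on the audited site.
SESSION_COOKIE_NAMES = {"SID", "GX", "PHPSESSID", "JSESSIONID", "session"}


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header and report how a sniffer could reach it."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    # SimpleCookie stores bare flags as True and absent ones as "".
    secure = bool(morsel["secure"])
    httponly = bool(morsel["httponly"])
    is_session = name in SESSION_COOKIE_NAMES

    findings = []
    if is_session and not secure:
        findings.append("sent on plain-HTTP requests: sniffable on open WiFi")
    if is_session and not httponly:
        findings.append("readable by page scripts: exposed to XSS")
    return {
        "name": name,
        "session": is_session,
        "secure": secure,
        "httponly": httponly,
        "findings": findings,
    }


def audit_headers(headers):
    """Audit every Set-Cookie header and return one report per cookie."""
    return [audit_set_cookie(h) for h in headers]


def cookies_sent_over(scheme, headers):
    """Names the browser would attach to a request over the given scheme.

    This models what a sidejacker sees: over "http" only Secure cookies are
    withheld, so an unflagged session cookie travels in the clear.
    """
    sent = []
    for report in audit_headers(headers):
        if scheme == "https" or not report["secure"]:
            sent.append(report["name"])
    return sent


if __name__ == "__main__":
    for report in audit_headers(SAMPLE_HEADERS):
        status = "; ".join(report["findings"]) or "ok"
        print(f"{report['name']:8} secure={report['secure']!s:5} "
              f"httponly={report['httponly']!s:5} -> {status}")
    print("sent over http :", cookies_sent_over("http", SAMPLE_HEADERS))
    print("sent over https:", cookies_sent_over("https", SAMPLE_HEADERS))
```

Setting the Secure flag on the login cookie (the "SSL after login" change the post mentions) is what moves a cookie from the first list to the second.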


Posted by sysadmin on 2008/8/20 14:16:04 (114 reads)


20 August 2008
[Yahoo! Kimo] Online investigation firms hire young hackers to steal personal data

19 August 2008
[Yahoo! Kimo] Yahoo! Kimo phishing site forged; the hacker turns out to be a minor
[CNET] Android security team appeals to bug hunters

18 August 2008
[Yahoo! Kimo] The aftermath of leaked online accounts and passwords
[Yahoo! Kimo] Netizens share tips for spotting fake auction pages
[CNET] More security holes plague MySpace, possibly Facebook
[Computerworld] VMware users crippled by 'time bomb' snafu
[Computerworld] Microsoft puts out 11 fixes, pulls another
[The Register] 'Malvertizement' epidemic visits house of Newsweek.com
[The Register] Cisco plugs online meeting bug
[VNUNET] Paedophile internet 'librarian' jailed indefinitely
[VNUNET] Spammers go down to Georgia

16 August 2008
[Yahoo! Kimo] Replacing passwords with information cards leaves hackers with no way in
[The Register] GlobalSign revokes cert of rogue security app

15 August 2008
[Ming Pao] HSBC signs undertaking to protect customer data
[CNET] Security Bites 112: Out of the shadows
[The Register] Home Office reaches half-way hash in secure data handling
[The Register] Microsoft ramps up vuln ActiveX controls cull
[The Register] Mystery web attack hijacks your clipboard

14 August 2008
[Ming Pao] New hacker tactic: tampered web pages spread malware
[Ming Pao] Tips for avoiding infection while surfing the web
[ComputerWorld] Phishing scam dupes hundreds of MobileMe users
[The Register] AOL phisher jailed for 7 years
[The Register] µTorrent silently fixes long-standing zero-day vuln
[The Register] Bear prints found on Georgian cyber-attacks
[VNUNET] Dutch police smash Shadow botnet
[VNUNET] Malware heats up in July

13 August 2008
[ZDNet Taiwan] Microsoft releases patch for Office vulnerability
[CNET] Don't click that headline, security researchers warn
[CNET] Another side to the DNS problem for Web site owners
[ComputerWorld] Former prosecutor: U.K. hacker's extradition is inevitable
[The Register] Apple faithful snared in phishing scam targeting .Mac users
[The Register] How poor crypto housekeeping left OpenID open to abuse

Please click "Read Me" for the past news


Posted by sysadmin on 2008/7/28 9:21:22 (5 reads)
Security Tips


What is Privnote?
Privnote is a web tool that you can use to send private notes over the Internet.

What makes Privnote different from sending a regular email or instant message?

You get a link to the note, and once that link is clicked the note is destroyed, so it can only be seen once. If someone intercepts the link and sees the note before the person it is intended for, that person will know the note has been eavesdropped on and can tell you about it.
If you want to be notified when your note gets read, check the notify box located below the note. Neither email nor instant messaging provides a reliable way to know if, let alone when, your messages are read.
If you send a note and suddenly regret having done so, you can click the link yourself, which will destroy the note and prevent the receiver from reading it.
Sending a link in an email is as easy as writing the note in the email itself, so why not add a little extra privacy at zero cost? Besides, everybody knows how to click on a link, so you won't have to explain anything new in your email.

URL: https://privnote.com/
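The four behaviours listed above (one-time link, destruction on first read, read notification, sender-side destruction) are a small state machine. The following in-memory store is an added example written here to show how they fit together; it is not Privnote's code, and the token format, the in-memory dictionary and the callback-based notification are assumptions.

```python
"""Burn-after-reading note store modelled on the behaviour described above.

Added example, not Privnote's implementation. Assumptions: notes live in a
process-local dictionary, the "link" is a URL-safe random token, and read
notification is a plain callback. Every note is destroyed on its first read.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Note:
    body: str
    notify: Optional[Callable[[str], None]] = None  # called with the token on first read


class NoteStore:
    def __init__(self) -> None:
        self._notes: Dict[str, Note] = {}
        self._history: Dict[str, str] = {}  # token -> "read" or "destroyed"

    def create(self, body: str, notify: Optional[Callable[[str], None]] = None) -> str:
        """Store a note and return the unguessable token that forms its link."""
        token = secrets.token_urlsafe(24)
        self._notes[token] = Note(body, notify)
        return token

    def read(self, token: str) -> Optional[str]:
        """First read returns the body and destroys the note; later reads get None.

        A recipient who gets None for a link they never opened knows somebody
        else opened it first, which is the eavesdropping signal described above.
        """
        note = self._notes.pop(token, None)
        if note is None:
            return None
        self._history[token] = "read"
        if note.notify is not None:
            note.notify(token)
        return note.body

    def destroy(self, token: str) -> bool:
        """Sender clicks their own link: the note is gone before anyone reads it."""
        if self._notes.pop(token, None) is None:
            return False
        self._history[token] = "destroyed"
        return True

    def status(self, token: str) -> str:
        """One of "unread", "read", "destroyed" or "unknown"."""
        if token in self._notes:
            return "unread"
        return self._history.get(token, "unknown")


def intercepted_link_scenario() -> dict:
    """Walk through the intercept case: eavesdropper reads first, recipient second."""
    store = NoteStore()
    notifications = []
    token = store.create("constructed sample note", notify=notifications.append)
    eavesdropper_saw = store.read(token)   # first click wins and burns the note
    recipient_saw = store.read(token)      # intended reader finds nothing
    return {
        "eavesdropper_saw": eavesdropper_saw,
        "recipient_saw": recipient_saw,
        "sender_notified": notifications == [token],
        "final_status": store.status(token),
    }


if __name__ == "__main__":
    print(intercepted_link_scenario())
```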


Posted by sysadmin on 2008/7/9 9:55:32 (12 reads)
Awareness Training



Dear readers,

I have set up a Facebook account and a group for InfoSec Hong Kong for you to join.

Please feel free to add me at anthonation@gmail.com or Anthony Lai.

For your information, some famous security fellows have devoted themselves and shared their ideas. There is no longer a "One Man Band".

Let's promote privacy and information security!

Regards,
Anthony Lai
Founder and Editor
InfoSec Hong Kong


Posted by sysadmin on 2008/7/9 9:51:15 (4 reads)

Yan Chai Hospital has lost the names, identity card numbers and processing status records of about 3,000 people who applied for medical records.

A Yan Chai Hospital spokesperson said that on 30 June the hospital learned that, while staff of the Medical Records Service were encrypting a batch of backup 3.5-inch floppy disks, they found the disk for one period was missing. The batch of disks was a copy of past staff workflow records and held the names and identity card numbers of about 3,000 people who applied for medical records between 16 January 2005 and 15 January 2006, together with the registration, processing and completion dates of the staff handling those applications.

URL: http://www.mpinews.com/htm/inews/20080708/gb21830a.htm

My comment:
I have already told you all that once a corporation/company leaks information, it will uncover itself. However, I am most worried about SMEs and retail shops.

How about protecting your privacy? For example, last week I bought a shirt from Kent & Curwen in Ocean Terminal in TST. The sales ladies asked me for a signature and then made a carbon copy with a pencil. I have told you all that the shop has NO right to do that. As I was in a hurry, I made a phone call to request the signed receipt with the credit card carbon copy back. I asked them to discuss it with the back office, as the PCO (www.pco.org.hk) has ruled on such cases. They returned it to me in an envelope. Otherwise, they could be sued.

Another case: there are many young girls carrying out interviews in the street. Will you disclose your personal and private information to them?

Meanwhile, would you apply for broadband or a credit card in the street? The HKMA (www.hkma.gov.hk) also comments that many banks have not trained their part-time credit card promoters in how to secure the information. Do you still seek convenience and sacrifice your privacy?

Lastly, you could advise and discuss with your mum, dad, grandma and grandpa: did they complain to themselves or talk to themselves in the street? Some bad guys listened in, sold them medicine and asked your relatives to trust a god by paying some money.

All of these are about privacy, but who cares?

Remember: never disclose your private information unless it is needed. Meanwhile, you should know you have the right to ask:
What is the purpose of using my information, and how do you handle my private information? Don't feel annoyed or scared. You are the data owner!


Be smart, my friends.

Regards,
Anthony Lai


Posted by sysadmin on 2008/5/20 0:16:03 (7 reads)



On 12 May 2008, a magnitude 8 earthquake on the Richter scale struck Sichuan Province, China, causing widespread damage, more than ten thousand deaths and countless injuries.
After the earthquake, the Home Affairs Department immediately set up a mechanism to collect donations from Hong Kong residents to help the victims. From 1:00 pm on 14 May 2008, the 20 Public Enquiry Service Centres of the 18 District Offices under the Home Affairs Department, as well as post offices in each district, collect cheque donations from the public during office hours. All donations are deposited into a bank account opened in the name of "Secretary for Home Affairs Incorporated - Donations".
We will handle the donations properly; all funds will be passed to five relief organisations, namely the Hong Kong Red Cross, World Vision Hong Kong, Oxfam, UNICEF and The Salvation Army, for emergency relief work for the Sichuan earthquake.
URL: http://www.had.gov.hk/tc/whats_new/sichuan.htm

When I silently pray for the victims in the earthquake, tears continue to drop, as we, as humans, could never resist nature. You will never pray for 35,000 servers going down. Even though I work in information and corporate security, what could I do?

Meanwhile, it is a good time to cherish our family, friends and our lives.

Regards,
Anthony


Posted by sysadmin on 2008/5/8 7:46:24 (20 reads)
Security News


I have not seen a day with so many security and privacy news items and suggestions; 8 May is Hong Kong Security "Incidence" Day :)

HSBC's Kwun Tong branch has lost a computer server; the lost account data runs to nearly 160,000 accounts, including account numbers, names, transaction amounts and types. The Kwun Tong regional crime unit has taken over the investigation. URL: http://www.mingpaonews.com/20080508/gab1.htm

Immigration Department watch list leaked
Staff member broke the rules by taking confidential documents home; accidentally uploaded via Foxy
http://www.mingpaonews.com/20080508/gaa1.htm

Experts: the Foxy program has flaws; best not to use it
http://www.mingpaonews.com/20080508/gaa2.htm

Key to preventing leaks: users must follow security rules
http://www.mingpaonews.com/20080508/gaa3.htm

People only become aware when an incident comes to them.
Prevention is better than correction.

Regards,
Anthony Lai


Posted by sysadmin on 2008/5/8 7:36:54 (19 reads)
Security Tips

The word 'free' often equates to an inferior product but, in this case, there is no doubt that this is a professional product.

Split into three sections and a Control Centre, AVG Anti-Virus protects against viruses in a number of key areas. The Resident Shield works in the background and checks all files and file types (including floppy disk, CD content etc.) for viruses, whilst the Email Scanner works with Microsoft Exchange and Outlook.

AVG Free now comes with a link scanner. It checks search results from sites such as Google to make sure there are no malicious scripts and displays an icon to show the threat level. Active protection against malicious scripts is only available in the paid-for version of AVG; the free version does no more than warn.

The Boot-up Scanner operates at start-up, and checks the most important areas of a PC before you begin to use it. Every aspect of AVG's virus protection can be configured using the Control Centre, which allows you to modify a number of program settings and to schedule scans, among other things.

When installing there's an option to create a rescue disk for use should any of your key system files become infected. All crucial areas and files on a PC are backed up, and can be restored from this disk.

Note that the review above was for the older free v7.x edition. The download here is for the brand new major v8 release, with an improved user interface, anti-virus and anti-spyware protection and much more.

URL: http://www.vnunet.com/vnunet/downloads/2129071/avg-antivirus-free-edition

You could find it in the Download area.


Posted by sysadmin on 2008/5/7 1:08:37 (13 reads)

Dear Readers,

I should be the Jockey newspaper tipster.
Bingo! A USB stick with patients' data was lost in a taxi?

http://www.rthk.org.hk/rthk/news/expressnews/news.htm?expressnews&20080506&55&487816

Do they need to take their information home or to another hospital to continue their work?

I do feel bored; come on, I want some fresh air. Which government department will come next?

Regards,
Anthony


Posted by sysadmin on 2008/4/30 23:16:21 (13 reads)
Security News

Civil Service Bureau loses USB stick
(Ming Pao) 30 April, Wednesday, 06:05 PM
The Civil Service Disciplinary Secretariat under the Civil Service Bureau found that last week it lost a USB memory stick containing the data of 25 civil servants, and apologised to those affected.

The device held disciplinary inquiry materials for two cases involving two civil servants suspected of misconduct, but did not involve any members of the public. The incident has been reported to the police, and the Bureau has also reported it to the Office of the Privacy Commissioner for Personal Data.

Secretary for the Civil Service Denise Yue expressed concern over the loss of the storage device and has directed and taken action to strengthen the Bureau's security measures for using and storing storage devices (USB memory sticks) containing personal or confidential data. She also reminded all staff that they must always comply with the relevant security regulations.

My comment:
Bingo, I believe I could be a kind of tipster in the Jockey newspaper. Which department will join this party? :)

Let me summarize:
1. Policy is thick (the Govt. always likes to cover everything in the policy; you can find their style in recruitment notices and contract details);

2. Speech is bureaucratic; style and culture are conservative (due to being scared to take up a "black wok");

3. Making stuff complicated;

4. Lack of in-depth audit and review (i.e. afraid of disclosing weaknesses; be frank, have you ever found any news of the Audit Department commenting on various departments' inability to implement system security and privacy?)

Finally, lack of controls and inconsistencies are disclosed. What M&M security: hard on the surface but soft and weak in the core.

Regards,
Anthony Lai
Founder and Editor
InfoSec Hong Kong



Posted by sysadmin on 2008/4/27 2:31:16 (13 reads)
Security News


Department of Health loses data of nearly 700 patients
The Department of Health announced that a removable electronic storage device (USB) containing patient data was stolen from the Child Assessment Service, involving nearly 700 patients.

Deputy Director of Health Tam Lai-fan held a press conference and announced that last Friday (18 April) a female doctor at the Tuen Mun Child Assessment Centre lost a removable electronic storage device (USB) containing the data of about 700 patients. She apologised to the patients involved and their families, and 665 notification letters have been issued.

She said the doctor had put the USB stick into a computer that morning; when she left in the afternoon she did not put it away and did not lock the door. On returning she found the USB stick was gone. She searched that day and the next without finding it, then notified her supervisor, who reported it to the police the following day; the police are treating the case as theft.

Tam said this is a very serious incident and an investigation has begun; fortunately services were not affected. The staff member concerned did not handle important data in accordance with government security requirements, and action under the civil service code of conduct is not ruled out.


Each set of data fetches HK$500 on the black market
[Own report] The stolen USB memory stick contained the most sensitive personal data, including the names, identity card numbers, addresses and telephone numbers, of more than 600 patients. Security experts pointed out that a set of Hong Kong identity data currently fetches HK$500 on the black market, so more than 600 sets could sell for over HK$300,000. Criminals could use the identity data to forge passports and identity cards, and could devise all kinds of scams; the consequences could be serious.



Clean records make forged documents hard to detect
The Department of Health announced yesterday that of the documents on the stolen USB stick, 50% were internal communications among medical staff; 17% were doctors' assessments of patients; 17% were inpatient transfer records; 10% were doctors' replies to enquiries from patients and parents; and 6% were miscellaneous medical data. These documents contained the names, identity card numbers and dates of birth of 665 patients, the addresses and telephone numbers of some patients' parents, and private information such as patients' personal backgrounds.
Private investigator Cheung Tai-wai said that if names and identity card numbers fall into the hands of criminals, they could be used to apply for credit cards or mobile phones, or even to borrow from finance companies; since the leaked data in this case concerns minors, it may not be used for those purposes immediately.
He pointed out that a set of Hong Kong identity data sells for a standard price of HK$500 on the black market. Criminals can use the data to forge passports and identity cards for illegal immigrants and wanted criminals to conceal their identities and leave the territory. Because hospital patients' data has a "clean record", forged documents made from it are less likely to be detected.
He said fraudsters could also use this kind of data to learn a patient's detailed family background and devise all sorts of scams, for example claiming the patient has had an accident and urgently needs money, which patients and their relatives would find hard to guard against.

Privacy questions for you:
1. Do you know how your ex-employer uses your personal information? Could they still keep your data?

2. Do you have the right to request that any company remove your personal data?

3. Do you think it should be mandatory to disclose any privacy data breach that is found?

Governments and banks like to cover and cover. In fact, from my experience, it happens very often in my audit life; however, you will never get any news about it from TV.

I have proposed to my security association, PISA (www.pisa.org.hk), to hold a Public Panel Discussion on the Privacy Crisis, and I will keep you posted on further arrangements.

By the way, to understand your rights, please visit www.pco.org.hk and study its enquiry and complaint section.

Regards,
Anthony Lai


Posted by sysadmin on 2008/4/8 23:35:39 (15 reads)

UK HSBC loses disc with data of 370,000 customers
(Sing Tao) 8 April, Tuesday, 09:10 AM
(Combined report)

(Sing Tao Daily reports) HSBC in the UK has lost a computer disc containing the data of 370,000 customers and may face investigation and heavy penalties from the authorities. The disc was lost about four weeks ago while being sent by an outsourced courier company from HSBC's Southampton office to a reinsurance company. It contained the names, dates of birth and policy coverage of the bank's life insurance customers. HSBC Hong Kong responded that it is seeking to understand the incident from HSBC UK.

URL: http://hk.news.yahoo.com/080407/60/2ry41.html



My comment: it happens everywhere and I don't feel angry. In fact, many enterprises have put claims from data loss into their annual budget and costs. It is a good idea to provide compensation, but it does not mean everything; corporations can afford such a "generous" offer to victims.

This is because the data owner is not HSBC, Citibank, JP Morgan or other business owners. Please take extra care.

Regards,
Anthony Lai
Founder and Editor
InfoSec Hong Kong


Posted by sysadmin on 2008/3/18 7:32:29 (19 reads)

Dear readers,

It is good to understand hackers' history, their exploits/hacking and revolution.


From this article, most of them were finally jailed, although they had advanced hacking techniques and used them illegally.

Regards
InfoSec Hong Kong


Posted by sysadmin on 2008/2/26 6:40:31 (34 reads)

Dear readers

Here is a great web site with independent review on various brands of AV software:
http://www.av-comparatives.org/

This review is held regularly in Feb, May, Aug and Nov. It provides an online report and a detailed one on:
1. Detecting existing viruses/worms/trojans
2. Proactively detecting suspicious viruses/worms/trojans.

Finding: Nod32 could have better proactive detection of suspicious viruses/worms/trojans.

For http://av-test.org, it provides:
* Big virus scanner test has several winners [Security.nl]
* Security suites 2008 under test (Q1/2008) [CHIP]
* Latest antivirus test results from Andreas Marx [SunbeltBlog]
* Comparison test of 28 antivirus programs [PC-WELT]
* Bake-off: Many AV Products Can't Detect Rootkits [Dark Reading]
* Anti-Malware Performance Testing [PC Magazine]


It is good for you to reference when auditing and making recommendations.


Posted by sysadmin on 2008/2/26 5:56:27 (29 reads)
Awareness Training

Dear readers,

You may have missed my session and demo held in Cyberport last Saturday (23 Feb). I have enclosed this simple but high-impact attack, sidejacking. In addition, I believe you could visit 7-11 to get the next issue of e-Zone about it. You need to understand the attack and get to know how to defend.



If your WiFi access point is encrypted with WEP, it can easily be cracked as well.
http://www.youtube.com/watch?v=TiPWUykw3uU

Lastly, mobile phone security: do you know your phone book and information can be read by others?
http://www.youtube.com/watch?v=qP1BOZqrp5g

Disclaimer
It is for awareness purposes; please do not try it on other networks without permission, otherwise you will be jailed and charged for unauthorized access and illegal activities.


Posted by sysadmin on 2008/2/26 5:24:25 (24 reads)


USB Disk Security 5.0 - once installed, it helps you scan a USB stick for any virus and even "remove" any "suspicious" Autorun.inf. Many hackers use "Autorun.inf" to install Trojan horse programs from the USB stick onto your computer.

http://www.zbshareware.com


Posted by sysadmin on 2008/2/15 23:55:55 (29 reads)



Over 130 people have registered! Free bus with refreshments, and you can learn more about recent WiFi attacks, so why not come and join? Meanwhile, you can earn CPE for your professional credentials!

Date 23-Feb-2008 (Sat)
Time 2:30pm - 5:30pm
2:15pm - 2:30pm (Registration)

Fee: Free of charge

Language: Cantonese with English presentation slides

Venue
Training Theatre, Cyberport
(Transportation to Cyberport: free shuttle bus pickup at Central. Booking is required.)

Seats
Members of organisers, co-organisers, supporting organisations and invited guests. Limited seats. First come, first served. (IMPORTANT: PLEASE MENTION YOU ARE REFERRED BY ANTHONY LAI FROM PISA AND INFOSECHK.ORG.)

Registration
Use this Registration Form: http://www.pisa.org.hk/event/registration.htm
Fax:2900-8338
Email to registration@pisa.org.hk

Speakers:
Speakers from ISOC-HK, PISA, WTIA and invited guests

Outline
1. Recent WLAN Security Surveys (War Driving) in Hong Kong & Macau
2. Weak Wi-Fi Security
3. Live Demonstration on Wi-Fi Attack
4. Implementing WLAN Security Technologies in Enterprise Scale
5. Discussion Forum

For more details: http://www.pisa.org.hk/event/live-wifi-attack-defense.htm

I will demo sidejacking, which should impress you. See you there.


Posted by sysadmin on 2008/2/2 0:00:00 (38 reads)

I have been observing this news for a week. The focus is on the victim celebrities whose photos were stolen and leaked.

Of course, I express sympathy to the victims as those photos were stolen, and I would like to blame the hackers for unauthorized access and illegal action. In particular, if you take your laptop/computer for repair, please make sure you know which files are critical and that they are already encrypted (for example using WinZip). However, let me put it in an interesting way.

Motivation for taking s.e.x-related photos
You and I always take photos for our friends and family, immediately distributing them to share our happiness. For such s.e.x-related ones in particular, it is a kind of enjoyment for the owner, who would like to keep them as a kind of memory. However, these photos are highly sensitive and have an impact on the public. Meanwhile, this is related to a moral issue. Be frank, nobody is interested in a fat boy like me, but celebrities and some public figures are another matter. Ownership of the photos is very important, and the possibility/risk of a leak continues as long as the owner keeps making such a "personal collection". I do not believe they would use a separate camera or computer to store such "masterpieces". Now we can see its impact on their personalities and reputation.

If you are ignorant of privacy/information security protection, there will be an impact. The same idea applies to corporations.

Digital Imaging Forensics
For your interest, digital imaging forensics is a challenging topic. Here are some materials I got during my US trip to Las Vegas in 2007.
Dr. Neal Krawetz
A Picture's Worth...
Slides:
https://www.blackhat.com/presentations/bh-usa-07/Krawetz/Presentation/bh-usa-07-krawetz.pdf
Whitepaper:
https://www.blackhat.com/presentations/bh-usa-07/Krawetz/Whitepaper/bh-usa-07-krawetz-WP.pdf
Program:
https://www.blackhat.com/presentations/bh-usa-07/Krawetz/Extras/jpegquality.c

Other BH archives:
https://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html

Here is a list of books about digital forensics:
http://www.amazon.com/s/ref=nb_ss_gw/104-2918044-0173500?url=search-alias%3Daps&field-keywords=digital+imaging+forensic&x=0&y=0
http://www.amazon.com/Adobe-Photoshop-Forensics-Cynthia-Baron/dp/1598634054/ref=pd_bxgy_b_img_b

Final words..
If you take these kinds of photos/videos, it is an individual freedom. However, if you make it a habit and keep them as your "personal collection", I suggest you physically put them in a nearby bank safe and lock them up immediately. Please take responsibility for protecting the information from the owner's perspective. Meanwhile, it is a must to respect your partner, as it is not an individual issue.

Be frank, from a moral perspective, if one is a public figure, he/she has a social responsibility. You can't imagine the one promoting charity being the one with a ridiculous life.


Anthony Lai
Founder and Editor
InfoSec Hong Kong

Program Director of High Technology Crime and Investigation Association (Asia Pacific)
www.htcia.org.hk

Program Committee of Professional Information Security Association (www.pisa.org.hk)

Hong Kong Chapter leader of Open Web Application Security Association
(www.owasp.org)


Posted by sysadmin on 2008/1/20 10:37:03 (24 reads)
Awareness Training

Dear readers,

Sometimes, even if we have installed anti-virus software, a virus may not be detected, because different brands have different logic for scanning out viruses.

I suggest that if you find a suspicious file that may be a virus, you could visit:
http://www.virustotal.com

You can simply upload that file and this site scans it with 32 different brands of anti-virus software.

By the way, if you want to scan your computer with a trusted online engine:
http://www.google.com.hk/search?sourceid=navclient&ie=UTF-8&rls=EGLC,EGLC:2007-13,EGLC:en&q=online+scanner

You could try Trend Micro and F-Secure; they are good :)


Posted by sysadmin on 2008/1/20 10:29:13 (33 reads)
Awareness Training

Dear readers,

You will find me on TV on 24 Jan (Thu, 7pm)
The feature on the WiFi crisis will be broadcast on TVB Jade's News Magazine next Thursday (24/1/08) at 7 pm. Please stay tuned. Thank you.
http://jade.tvb.com/schedule/20080124.html

and also in Pearl Report on 27 Jan (Sun, 6:55pm):
http://pearl.tvb.com/schedule/chi/20080127.html

I am one of the PISA members (www.pisa.org.hk) providing a demonstration on wireless security and hacking. For my demo, I will show sidejacking: your login session is stolen by me and I can see your login session in Gmail, Facebook, Yahoo, Hotmail, etc. This hack was disclosed, and I learned it, when I attended the Black Hat security conference in Las Vegas last year.

Meanwhile, for this purpose, I have a link for you to secure your computer; it is good for you if you have time to follow it.
http://mywebpages.comcast.net/SupportCD/SecureXP.html

Happy new year and wish you all with wonderful Y2008.

Regards,
Anthony Lai
Founder and Editor


Posted by sysadmin on 2008/1/6 2:34:15 (34 reads)
Awareness Training


Dear Readers,

Happy New Year to all of you, and I wish you all a wonderful, prosperous and happy Y2008. Please forward my blessings to your family, friends and pets.


Let's turn to the topic. If you have downloaded and installed Firefox as your Internet browser, there are some add-ons and plugins to protect your security. Here is a list of plugins for your reference, provided by the web site below.
http://mashable.com/2007/07/25/firefox-security/

In my opinion, there are some useful tools that I have installed. An add-on for privacy that makes your web surfing anonymous is FoxTor - allows you to "mask" and "unmask" yourself at will as you cruise around the web.

SafeHistory - Restricts sites from seeing your previous surfing history.

Dr.Web anti-virus link checker - Check files for viruses before you download them, and pages before you visit them.

FirePhish Anti-Phishing Extension - Anti-phishing toolbar that works with the Open Phishing Database to alert you to any suspicious or potentially fake web site.

Personal Anti-Phishing Sidebar - Combines multiple extensions into one to help fight phishing and spoofing attacks.

my-spambox - Create a temporary email address for 12 hours to use when signing up with websites. You don't need to use your company or real personal email account.

In fact, Microsoft IE has tried very hard on security. However, the choices from Firefox are much more suitable for me in the area of security controls.

Regards,
Anthony Lai
Founder and Editor


Posted by sysadmin on 2007/12/5 1:43:30 (42 reads)

You will never be able to suppress your laugh; however, have you thought about the physical security of your office and building?

Regards,
Anthony


Posted by sysadmin on 2007/11/19 23:50:37 (50 reads)
Awareness Training


Organisers
Hong Kong Computer Emergency Response Team Coordination Centre
Office of the Government Chief Information Officer
Hong Kong Police Force

Date and time: 28 November 2007 (9:00 am to 5:30 pm)

Venue: Lecture Theatre, Hong Kong Central Library, 66 Causeway Road, Causeway Bay, Hong Kong
Language: Cantonese (with English terminology)
Fee: Free

Registration form:
http://www.hkcert.org/ppt/event142/clean_pc_day2007chi.pdf


Posted by sysadmin on 2007/11/3 0:08:15 (1637 reads)


31 October 2007
[Ming Pao] Fraudsters break into online bank accounts to rig the market; Hang Seng, Bao Sheng and Bank of China accounts misused to buy high and sell low; 4 customers lose HK$3.1 million
[Ming Pao] Experts offer 3 tips for self-protection
[Ming Pao] Legislators urge "two-factor authentication" for trading
[Yahoo! Kimo] Email fraud too

30 October 2007
[VNUNET] Tenth of junk email now MP3 spam
[VNUNET] Analysts predict bonanza for mobile anti-malware
[The Register] Whois database targeted for destruction
[The Register] Bank and mortgage scam nets ID crooks thousands
[The Register] UK.gov lambasted for ignoring peers' cybercrime report
[The Register] When antivirus products (and Internet Explorer) fail you
[ComputerWorld] Spammers employ stripper to crack CAPTCHAs
[ComputerWorld] New cross-site scripting attack targets VoIP
[ComputerWorld] Whistle-blower e-mail addresses exposed in Judiciary Committee snafu
[ComputerWorld] Hartford Financial misplaces back-up tapes with personal data on policy holders
[ComputerWorld] Think tank, lawmakers create U.S. cybersecurity commission

29 October 2007
[Yahoo! Kimo] Phishing tactic: emails spread fake URLs
[Yahoo! Kimo] How to avoid landing on fake websites
[CNET Taiwan] PDF files used to attack computers
[CNET Taiwan] Report: US is the top source of spam
[ComputerWorld] Ghosts in the machine, spooks on the wire
[CNET] Perspective: Why we still invite data breaches
[CNET] Bogus FTC e-mail has virus
[CNET] FTC: Let us fine spyware operations, already
[CNET] Daylight saving glitch leaves hangover for some
[CNET] FAQ: What the daylight saving shift means to you
[VNUNET] Cyber-crime 'worse than burglary'
[VNUNET] Attackers take aim at IE7 flaw
[VNUNET] Scammers exploit California fire victims
[VNUNET] Stolen mobiles blocked in 24 hours
[ComputerWorld] Security Issues Are Everywhere
[ComputerWorld] After a Data Breach: Navigating the tangle of state notification laws can be exasperating -- and costly
[ComputerWorld] New iPhone, iPod Touch 'jailbreak' app patches critical TIFF bug
[ComputerWorld] FAQ: What Visa's payment application security mandates mean
[ComputerWorld] Attack code out for critical Kodak bug in Windows
[ComputerWorld] Ethics in IT: Dark secrets, ugly truths -- and little guidance
[ComputerWorld] Microsoft rebuts OneCare auto update accusations
[ComputerWorld] Phishers Nearly Pull Off $10M Scam of Grocer
[ComputerWorld] State Data Loss Renews Emphasis on Encryption
[ComputerWorld] Get Serious About Info Integrity
[ComputerWorld] No More Optimism

27 October 2007
[CNET] Report: PDF files used to attack computers

26 October 2007
[CNET] Report: U.S. tops list of spam-offending countries
[VNUNET] Manufacturing firms open to data theft
[VNUNET] Information Commissioner welcomes data protection review
[The Register] Facebook sued for mis-sending dirty texts
[The Register] Microsoft sics worldwide braintrust on XP vuln
[ComputerWorld] Russian PDF attacks surge; Microsoft takes blame
[ComputerWorld] 'We're not scared' of Storm, say researchers
[ComputerWorld] Microsoft now admits to WSUS update error
[ComputerWorld] Real reveals six new bugs in RealPlayer
[ComputerWorld] Security experts to New Jersey AG: Fuggedabowdit!
[ComputerWorld] TJX violated nine of 12 PCI controls at time of breach, court filings say
[ComputerWorld] 'We're not scared' of Storm, say researchers
[ComputerWorld] Seven things to know about reducing risk with an e-mail archive

25 October 2007
[CNET] Security firm: Hackers can divert Vonage calls
[The Register] eBay employee 'torpedos' fraud trial
[The Register] Online trading site was left wide open
[ComputerWorld] Encrypt data stored off site, warns Louisiana agency
[ComputerWorld] Microsoft rebuts rogue WSUS reports
[ComputerWorld] Visa rolls out new payment application security mandates
[ComputerWorld] Microsoft's OneCare silently changes Automatic Updates
[The Register] New strain of Gozi Trojan prowels the net

For news in early October, please click "Read More"


Posted by sysadmin on 2007/10/8 21:59:27 (51 reads)




Bluecoat is a big vendor focused on anti-phishing and content filtering. The software should be great, and you can download and try it. Please go to the Download section -> Parental Control section.

Regards,
Anthony Lai
Founder and Editor
InfoSec Hong Kong


Posted by sysadmin on 2007/9/30 23:49:29 (56 reads)



Tips from the video:
Enable your firewall
Use difficult password
Use different password for different accounts/systems

Please do not think it will not happen on you. Take care.

Regards,
Anthony Lai
Founder and Editor


Posted by sysadmin on 2007/9/30 23:42:18 (64 reads)



From this video, if your home or office still uses a traditional cylinder lock, it may be subject to attack. The solution is to replace the lock/key with Mul-T-Lock: http://www.mul-t-lock.com/

Please consult your nearby Lock vendor :)

Regards,
Anthony Lai
Founder and Editor


Posted by sysadmin on 2007/9/30 23:29:35 (110 reads)


28 September 2007
[Apple Daily] Computer hacked to steal nude photos of female students
[Ming Pao] Swisscash online pyramid scheme fraud: 3 arrested
[Yahoo! Kimo] Department of Homeland Security experiment shows US power grid vulnerable to network hackers

27 September 2007
[CNET Taiwan] Interview with WhiteHat CTO: web applications make logic flaws more dangerous
[CNET] Gmail cookie vulnerability exposes user's privacy
[CNET] F-Secure: Low threat from mobile malware
[CNET] Owners of unlocked iPhones hosed by software update
[CNET] Apple patches 10 iPhone flaws
[VNUNET] Cyber-squatters exploit UK iPhone launch
[VNUNET] Estonia attacks down to online 'flash mob'
[VNUNET] Cyber-criminals turn to smaller botnets
[VNUNET] Joint effort key to IT security future
[VNUNET] Virus and phishing attacks soar in September
[The Register] How to expose Gmail contacts without really trying
[The Register] Experts fret over credit card compliance
[The Register] Stats office deal sparks confidentiality fears
[ComputerWorld] Microsoft's stealth updates stymie XP repairs
[ComputerWorld] Number of malicious e-mails bearing bad links balloons tenfold
[ComputerWorld] Questions remain about eBay members' info theft
[VNUNET] Payment security is lagging
[VNUNET] Web site glitch exposes hotel customers' details
[The Register] Adobe gifts internal file permissions to unwashed masses

26 September 2007
[CNET Taiwan] Credit card risk control drives IT business opportunities
[CNET Taiwan] OpenOffice vulnerability affects multiple operating systems
[CNET Taiwan] Apple battles hackers: cracked iPhones locked again
[ComputerWorld] Building a cheap and powerful intrusion-detection system
[CNET] Privacy experts: T.J. Maxx breach was foreseeable
[VNUNET] ISPs urged to take control of security
[VNUNET] Google Video blasted over piracy claims
[VNUNET] Carnegie Mellon floats anti-phishing game
[VNUNET] Fujacks hacker offered security job
[VNUNET] Firms must be alert to social engineering tricks
[The Register] If users are a security threat, how do you manage them?
[The Register] Phishers bait hook with Verified by Visa scam
[ComputerWorld] Gmail zero-day flaw allows attackers to steal messages
[ComputerWorld] 'Fraudster' posts confidential eBay member info on forum
[ComputerWorld] Excel 2007 flunks some math problems
[ComputerWorld] AIM vulnerable to worm attack, researchers warn
[ComputerWorld] Connecticut sues Accenture over stolen backup tape
[ComputerWorld] Parents worry about Web but don't stop kids' use
[ComputerWorld] Fraud police buckling under mountains of data
[ComputerWorld] After criticism, Sun changes Java updates
[ComputerWorld] Opinion: Lost data tapes are non-events
[ComputerWorld] Security experts pitch 'culture of data'

25 September 2007
[Yahoo! Kimo] Taipei tops Asia-Pacific cities for number of phishing sites
[CNET] OpenOffice bug hits multiple operating systems
[CNET] Trojan attack targets top executives
[The Register] Guessing at compromised host numbers
[The Register] TrafficMaster sells clients' location info to UK.gov
[The Register] Symantec accidentally warns of internet meltdown
[The Register] NY probes Facebook over pedophile controls
[The Register] Privacy chief condemns weakening of EU data protection
[ComputerWorld] Sound off: Why worry about wireless?
[ComputerWorld] Sound off: Is your wireless network a security breach waiting to happen?
[ComputerWorld] Sound off: Why you need wireless protection
[ComputerWorld] Critical vulnerability found in Ask.com toolbar
[ComputerWorld] Canadian probe finds TJX breach followed wireless hack

24 September 2007
[Yahoo! Kimo] Spam disguised as e-cards infects computers with one click
[Yahoo! Kimo] Everyone loves e-mooncakes; beware of viruses
[CNET] Officials say PR campaign may boost Real ID popularity
[CNET] Study: Businesses falling short on data disposal
[CNET] Unisys probed for Homeland Security breach
[VNUNET] Microsoft 'error' shuts out .Mac
[VNUNET] Social network hijacks website ads
[VNUNET] Three quarters of tech companies have suffered corporate fraud


22 September 2007
[Yahoo! Kimo] Super hacker Su Bo-rong (蘇柏榕) strikes again! Steals a million personal records