Saturday, November 1, 2008

Hack Turns Application Code Against Itself: New attack uses application flaws to force good code to go rogue

Turns out you don't need malware to exploit a security flaw in an application: A pair of researchers has found a way to automatically make good code do bad things.

Researchers from the University of California at San Diego (UCSD) have devised a technique that lets an attacker bypass built-in system defenses aimed at blocking malware and then execute instructions from inside the application. The process uses an application's vulnerability to turn it against the system on which it runs.

An attacker could take advantage of a flaw in a Web browser, for instance, to force the browser to spam the user's address book using only the browser's own code, according to the researchers.

Auditors rap IRS for weak information security

The Internal Revenue Service has failed to secure sensitive electronic taxpayer information properly, increasing the potential for identity theft, according to an audit report released on Thursday.

The inspector general review of three computer systems at the IRS Office of Research, Analysis and Statistics showed several weaknesses in control over access to applications containing sensitive information.

"Managers and system administrators had not placed sufficient emphasis on maintaining the security and privacy of the taxpayer data they are charged with protecting," the report stated. Furthermore, officials failed to provide guidance or monitor compliance with IRS information security policies, and did not supply software to scan for security weaknesses, the IG found.

IRS finds unauthorized Web servers connected to its networks

The Internal Revenue Service found more than 1,000 unauthorized Web servers connected to its networks, leaving the agency's systems open to hackers, according to a report released on Thursday by the IRS inspector general.

In September 2007, the IRS Computer Security Incident Response Center scanned the agency's Web servers and identified 2,093 that had at least one security vulnerability. When the center matched those servers to the IRS database of registered Web sites and servers, an inventory of systems that the agency uses to perform security maintenance and apply patches, it found 1,811, or 87 percent, were not listed in the database.

Of the unregistered servers, the IRS identified 661 that were used for legitimate agency business, leaving 1,150 servers being used for potentially unauthorized activity, according to the report.