Motion Picture Association accused of online misdeeds
The Motion Picture Association of America (MPAA) is being sued for allegedly enlisting a black-hat hacker to help it take revenge on a company it accuses of helping copyright violators.
According to a report from CNET News.com, the lawsuit was filed in U.S. District Court for the Central District of California by Torrentspy.com parent Valence Media Ltd. The suit doesn't identify the man Valence alleges was approached by an MPAA executive, but the hacker was a former associate of one of the plaintiffs who was asked to steal private information on Torrentspy.com, a search engine that directs users to download links.
Valence claims the MPAA paid the hacker $15,000 to steal email correspondence and trade secrets. The man has apparently admitted his role in the plot, CNET News.com reported, and is cooperating with the company.
The suit comes three months after the MPAA filed suit against Torrentspy and other Torrent directories for allegedly making it easier for pirates to distribute movies over the Internet.
Cisco fixes VPN flaw
Cisco Systems Inc. has
Cisco VPN Client is designed to create IPsec tunnels to Cisco VPN-capable devices. It is available for Microsoft Windows, Linux, Sun Solaris, Apple Mac Classic and OS X operating systems.
The San Jose, Calif.-based networking giant said VPN Client is susceptible to a local privilege-escalation vulnerability because of an unspecified flaw in the VPN client dialer application. "It is conjectured that this issue is due to a failure of the application to properly drop privileges prior to opening user-specified files and applications," Cisco said. "This allows local attackers to gain local system privileges on affected computers. This facilitates the complete compromise of affected computers."
The flaw specifically affects Cisco VPN Client installations on the Microsoft Windows platform. Versions prior to 4.8.01.x, with the exception of version 4.7.00.0533, are affected. The advisory outlines the fixes that are available.
Blood donors' information compromised
The personal information of about a million blood donors in the Missouri-Illinois Blood Services Region of the American Red Cross might have been stolen earlier this year by a former employee and was possibly used in identity thefts.
According to a Computerworld report, the former worker had access to 8,000 blood donors in a database she used in her job, all of whom were notified by mail of possible identity theft problems on March 17. After the warning letters went out, the Red Cross decided to expand the identity theft warnings to all 1 million donors in the Missouri-Illinois region because of concerns that she may have accidentally accessed other records in the larger group, Computerworld reported.
At least four of the donors among the original 8,000 in the donor database were victims of the data-theft scheme, Jim Williams, a spokesman for the regional agency, told Computerworld. The agency is investigating whether anyone else has been affected.
The former employee apparently entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims.
HP fixes multiple flaws
Hewlett-Packard Co. has fixed a number of flaws attackers could exploit to execute arbitrary commands, create malicious files and gain elevated user privileges.
The first problem is an error in HP OpenView Storage Data Protector that surfaces when certain requests are handled. Attackers could exploit this to execute arbitrary commands.
The second problem involves multiple vulnerabilities in HP OpenView Network Node Manager. Like the first problem, this is an error that surfaces when certain requests are handled. Attackers could exploit this to gain privileged access, execute arbitrary commands or create arbitrary files on a vulnerable system.
The third problem is an error in the Software Distributor of HP-UX, which local attackers could exploit to obtain elevated privileges.