Tuesday, February 24, 2009

Around The Horn vol.1,48

Alerts

Feb 23, 2009 (19 hours ago)

SB09-054: Vulnerability Summary for the Week of February 16, 2009

from US-CERT Cyber Security Bulletins

Vulnerability Summary for the Week of February 16, 2009

And the Oscar goes to..., (Mon, Feb 23rd)

from SANS Internet Storm Center, InfoCON: green

ISC reader Gary wrote in to let us know that searching for oscar presenters and os ...(more)...

 

Security News

Feb 23, 2009 (13 hours ago)

Protect Your Site With URL Rewriting

from CGISecurity - Website and Application Security News by Robert A.

Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL rewriting to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that 'cool URIs don't change.' His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in...

Feb 23, 2009 (19 hours ago)

CERT Advisory VU#435052: An Architectural Flaw In Transparent Proxies

from CGISecurity - Website and Application Security News by Robert A.

For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New...

Feb 23, 2009 (yesterday)

The Multi-Principal OS Construction of the Gazelle Web Browser

from CGISecurity - Website and Application Security News by Robert A.

I was reading slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract: "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating...

Feb 23, 2009 (13 hours ago)

Running Windows Malware in Linux

from McAfee Avert Labs by Lokesh Kumar

For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications either on a virtual machine, or even dual boot with Windows and Linux, but running them in Wine is just easier.

6:21 AM (23 minutes ago)

Anti-mafia cops want Skype tapping

from The Register - Security

Euro search for tech solution

A European Union agency is investigating how to snoop on crooks using Skype and other Voice over Internet Protocol (VoIP) services to avoid traditional police wiretaps.…

9:18 PM (9 hours ago)

Crypto hash boffins trip on buffer overflow

from The Register - Security

Corvair of computer languages strikes again

Two of the programs submitted in the first round of a competition to find the next cryptographic hash standard contain buffer overflow errors that could make them prone to crashes and security problems.…

Feb 23, 2009 (15 hours ago)

Former staff swipe confidential company data

from The Register - Security

Scruples? They've heard of them

More than half - 59 per cent - of US workers made redundant or who left their job last year admitted swiping confidential corporate data, such as customer lists, before they left, a new study claims.…

Feb 23, 2009 (15 hours ago)

Feds forge gold standard for cybersecurity

from The Register - Security

Modest revolution

A consortium of US federal agencies has drawn up a list of critical security controls they hope will serve as a gold standard for cybersecurity.…

Feb 23, 2009 (15 hours ago)

Proxy server bug exposes websites' private parts

from The Register - Security

By the dozen

Computer networks that use proxy servers to automatically redirect browser connections should be on the lookout for a serious architectural flaw that could allow attackers to remotely access intranets and other website resources that are normally off limits, security experts are warning.…

Feb 23, 2009 (21 hours ago)

Conficker variant dispenses with need to phone home

from The Register - Security

Stealth variant sidesteps MS-led takedown effort

Virus authors have released a new variant of the infamous Conficker (Downadup) worm with enhanced auto-update features.…

Feb 23, 2009 (22 hours ago)

Making IT security matter

from The Register - Security

Not just an end in itself

Last year, Freeform Dynamics surveyed the attitudes of tech professionals towards IT security.…

4:48 AM (1 hour ago)

Cell phone security

from Network World on Security by M. E. Kabay

Computer scientists Wayne Jansen and Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) have written a new (October 2008) Special Publication entitled "Guidelines on Cell Phone and PDA Security," which summarizes the security issues and provides recommendations for protecting sensitive information carried on these devices.

4:48 AM (1 hour ago)

NAC deemed a money-making business

from Network World on Security by Tim Greene

There have been two acquisitions over the past weeks that involved NAC vendors.

4:48 AM (1 hour ago)

Adobe flaw has been used in attacks since early January

from Network World on Security by Robert McMillan

A dangerous and unpatched vulnerability in Adobe's PDF-reading software has been around a lot longer than previously realized.

Feb 23, 2009 (yesterday)

Manageability problems

from Network World on Security by David Newman and Joel Snyder

Our woes with Network and Security Manager began when we tried to use it to manage the SRX 5800. With eight years of experience using NSM in Opus One's labs, we were looking forward to the unification of JunOS and ScreenOS management. We started out needing to change IP addresses, a common enough task. For a ScreenOS system, this takes three clicks: two clicks to see a summary of interfaces and IP addresses, and a third to begin editing.

Feb 23, 2009 (yesterday)

Fed agencies push new security audits

from Network World on Security by Ellen Messmer

Several federal agencies today expressed backing for the "Consensus Audit Guidelines," a set of 20 proposed cybersecurity controls that could end up as network and application security requirements for federal agencies and their contractors.

Feb 23, 2009 (yesterday)

Enterprise Provisioning vs. Federated Provisioning

from Network World on Security by Dave Kearns

When last we spoke I left you thinking about deprovisioning both your people from apps you don't control and your apps from people you don't control. It's a big issue with software-as-a-service (SaaS) and federated provisioning. It was the Burton Group's Ian Glazer who said: "...there should be no reason why deprovisioning from an application like Salesforce.com is any harder than deprovisioning from LDAP." And, in truth, maybe it isn't.

4:48 AM (1 hour ago)

The Grill: Jeannette M. Wing on the hot seat

from Network World on Security by Gary Anthes

Jeannette M. Wing is a pioneer in a new discipline called "computational thinking," a term she coined. Computational thinking applies the problem-solving methods of computer science to other disciplines. She's also an authority on "formal methods," mathematically-based techniques for specifying and verifying the correctness of computer hardware and software.

4:48 AM (1 hour ago)

Officer faces court for accessing restricted data

from Network World on Security by Darren Pauli

A 28-year-old police officer will appear in court next month charged with unauthorised access to sensitive police data. The male officer, attached to a Specialist Command, was served with a Court Attendance Notice last week and faces a charge of accessing restricted data held in a police computer. He will appear at Downing Centre Local Court on Thursday March 26.

4:48 AM (1 hour ago)

Starbucks sued after laptop data breach

from Network World on Security by Robert McMillan

A Chicago-area Starbucks employee has brought a class-action lawsuit against the coffee retailer, claiming damages from an October 2008 data breach.

4:48 AM (1 hour ago)

Another payment processor said to suffer data breach

from Network World on Security by Jaikumar Vijayan

Just weeks after Heartland Payment Systems Inc. disclosed what may be one of the largest breaches of payment card data thus far, news is emerging of what could be another major breach involving a payment processing company.

Feb 23, 2009 (17 hours ago)

EBay auction tool Web site infected with malware

from Network World on Security by Jeremy Kirk

A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people's PCs last week.

Feb 23, 2009 (17 hours ago)

Cutting Through the Fog of Cloud Security

from Network World on Security by John Edwards

Daniel Flax, CIO at New York-based investment banking and financial services firm Cowen and Co., relies on cloud computing to automate his company's sales activities. While he's satisfied with cloud technology's potential to lower upfront costs, decrease downtime and support additional services, he admits that he has had to work hard to get a handle on the emerging technology's security weaknesses. "Security is one of the things we've had to come to grips with," he says.

Feb 23, 2009 (17 hours ago)

Legalize cell phone jammers?

from Network World on Security by Mike Elgan

Jamming a cell phone is illegal in the U.S. Very illegal. And not just by ordinary citizens. It's illegal for theater and restaurant owners to jam calls, and even state and local police or prison officials. The U.S., in fact, has the strictest laws in the world against jamming cell calls.

Feb 23, 2009 (17 hours ago)

Controversial data-security rules slow to take hold in state

from Network World on Security by Jaikumar Vijayan

Massachusetts officials this month gave companies a second reprieve on complying with new regulations aimed at any entity that stores the personal data of state residents. They also softened a particularly contentious provision requiring businesses to ensure that third parties handling such data are in compliance with the rules.

Feb 23, 2009 (17 hours ago)

Computer Thefts Prompt Security Check at Nuke Lab

from Network World on Security by Jaikumar Vijayan

Los Alamos National Laboratory last week launched a monthlong effort to ensure that computers taken off-site by employees fully comply with the nuclear research facility's information security policies.

Feb 23, 2009 (17 hours ago)

Three months, three breaches at Florida university

from Network World on Security by Jaikumar Vijayan

For the second time in three months, the University of Florida in Gainesville has acknowledged a major data breach -- and a statement posted on the University's Web site indicates that there was a third, less public, breach discovered by the school during the same period.

Feb 23, 2009 (17 hours ago)

BigFix hits rivals with 50 percent price chop

from Network World on Security by John E. Dunn

Tough times could be driving increased competition in enterprise software with the news that BigFix is to undercut its rivals' patch management renewal licensing by up to 50 percent.

Feb 23, 2009 (yesterday)

Hackers Target 0-Day Vulnerability In Adobe PDF Reader & Acrobat

from Darknet - The Darkside by Darknet

Another flaw in the Adobe product suite! It seems like PDF is turning into a complex animal; complexity, of course, always brings more security issues. It was only back in February last year when there was a bug in Adobe Reader, and almost exactly a year later another one. This time it's a zero-day just hit and [...]
Read the full post at darknet.org.uk

Feb 23, 2009 (17 hours ago)

Turf War, (Mon, Feb 23rd)

from SANS Internet Storm Center, InfoCON: green

Malware which comes with its own hosts file to install in \system32\drivers\etc\hosts is ...(more)...
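The hosts-file hijack ISC describes above is easy to triage offline. What follows is an added example, not ISC's code or any tool from the post: a small Python script that parses a hosts file and flags the patterns such malware leaves behind, namely update/AV hostnames sinkholed to loopback or 0.0.0.0 so the victim cannot patch, high-value hostnames pointed somewhere else entirely, and the conflicting duplicate entries that two competing infections fighting over the same file tend to produce. The domain watch-lists and the sample hosts file are constructed for the example; point `load_hosts_file` at a real `\system32\drivers\etc\hosts` to use it on a suspect machine.

```python
"""Triage a Windows hosts file for malware-style hijack entries.

Added example for the ISC "Turf War" item; not ISC code. The watch-lists
and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hostnames malware commonly sinkholes to block updates or AV (assumed list).
SECURITY_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.symantec.com",
    "www.mcafee.com",
    "us.mcafee.com",
    "www.kaspersky.com",
}
# Hostnames whose redirection away from the real site suggests pharming (assumed list).
HIGH_VALUE_DOMAINS = {"www.paypal.com", "www.bankofamerica.com", "www.google.com"}

# Names that legitimately map to loopback and are never flagged.
BENIGN_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    host: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active mapping; comments and blanks skipped."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to map
        yield n, parts[0], [h.lower() for h in parts[1:]]


def is_sinkhole(ip):
    """True for loopback (127/8, ::1) or the unspecified address (0.0.0.0, ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage_hosts(text):
    """Return Findings in file order: sinkholed security domains, redirected
    high-value domains, and hostnames mapped to conflicting addresses."""
    findings = []
    seen = {}  # hostname -> first IP it was mapped to
    for n, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host in BENIGN_LOCAL:
                continue
            if host in seen and seen[host] != ip:
                findings.append(Finding(n, ip, host,
                                        "conflicting mapping (earlier %s)" % seen[host]))
            seen.setdefault(host, ip)
            if host in SECURITY_DOMAINS and is_sinkhole(ip):
                findings.append(Finding(n, ip, host, "update/AV domain sinkholed"))
            elif host in HIGH_VALUE_DOMAINS and not is_sinkhole(ip):
                findings.append(Finding(n, ip, host, "high-value domain redirected"))
    return findings


def load_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a hosts file from disk (default is the standard Windows location)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed sample: a stock Microsoft header followed by hijack entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
::1             localhost
# --- entries appended by a hijacking sample ---
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         www.mcafee.com us.mcafee.com
203.0.113.7     www.paypal.com
127.0.0.1       www.paypal.com
"""

if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print("line %d: %-15s %-30s %s" % (f.line_no, f.ip, f.host, f.reason))
```

The conflicting-mapping rule is the "turf war" signal: the first infection's entry and the second one's overwrite both survive when a sample appends rather than replaces, and the OS honours whichever the resolver reads first, so both lines are worth preserving as evidence before the file is cleaned.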

Feb 23, 2009 (18 hours ago)

Brief: Another payment firm breached, details few

from SecurityFocus News

Another payment firm breached, details few

Feb 23, 2009 (19 hours ago)

Brief: Attackers exploit unpatched Acrobat flaw

from SecurityFocus News

Attackers exploit unpatched Acrobat flaw

Feb 23, 2009 (22 hours ago)

2009-02-23 - Consensus Audit Guidelines: Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

from SANS Press Room

Consensus Audit Guidelines: Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

Feb 23, 2009 (22 hours ago)

2005-08-25 - GIAC Honors Paper

from SANS Press Room

GIAC Honors Paper: Computer Forensics Investigation: Analyze an Unknown Image

Feb 23, 2009 (22 hours ago)

2005-04-07 - Press Release: New Standard for GIAC Certification and Upgrades To SANS On-Line Training

from SANS Press Room

Press Release: New Standard for GIAC Certification and Upgrades To SANS On-Line Training

11:10 PM (7 hours ago)

E-voting security fixes will get us nowhere without stats

from Ars Technica - Front page content by jtimmer@arstechnica.com (John Timmer)

The recent American Association for the Advancement of Science meeting included a session entitled "Science for Public Confidence in Election Fairness and Accuracy" and, as might be expected, computer science made a significant appearance. Ed Felten of Princeton, whose work in the area we've covered extensively, spoke and emphasized the limits of what computer science can do, and how the ultimate goal should be to ensure that electronic voting systems are verifiable and auditable. Of course, that raises the question of what you do with the auditing information, which is where Arlene Ash, a biostatistician at Boston University's School of Medicine, came in. It turns out that we already have excellent statistical tools for detecting problematic patterns of voting—the legal system just chooses to ignore them.

Feb 23, 2009 (15 hours ago)

Citibank tries to wire $27 million to Nigerian scammers

from Ars Technica - Front page content by jhruska@arstechnica.com (Joel Hruska)

Last week, we covered a so-called Nigerian scam in which a group of thieves eschewed the standard approach of pretending to be your great-grandmother's sister's former roommate, and instead went directly after state coffers. Now there's news that some would-be fraudsters are turning up their collective noses at the thought of robbing a mere state, and are instead going after entire countries. Given the severity of jail sentences and the dim view federal judges take of those who would steal the wealth of nations, the grand-scale carnival shysters are playing an extremely high-stakes game.

Feb 23, 2009 (14 hours ago)

Visa, MasterCard Issue New Breach Warning

from Wired Top Stories by Kim Zetter

Financial institutions are alerted to yet another successful hack attack on a credit and debit card processor. Not surprisingly, nobody's identifying the company at fault.

Feb 23, 2009 (13 hours ago)

Faux Facebook App May Harbor Malware

from PC World Latest Technology News

The fake application attempts to steal personal information for ID fraud.

Other News

Feb 23, 2009 (19 hours ago)

Ubuntu Will Target Cloud Computing With October Release

from PC World Latest Technology News

Ubuntu will target cloud computing with October release, company CEO says.
