SB09-117: Vulnerability Summary for the Week of April 20, 2009
Google Chrome Universal XSS Vulnerability
By Robert A. on XSS
"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome. These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. Using a vulnerability in...
Web 2.0 Application Proxy, Profiling and Fuzzing tool
By Robert A. on Tools
"This tool helps in assessing next-generation applications running on the Web/Enterprise 2.0 platform. It profiles HTTP requests and responses at runtime when configured as a proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookies, login forms, hidden values etc. Based on the profile one can...
Metasploit Decloaking Engine Gets User's Real IP
By Robert A. on Security Tools
"This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed." Essentially this...
McAfee launches free online cyber crime help center
By Elinor Mills
Is your computer acting funny? Are you worried that you may have visited a malicious Web site or opened an e-mail attachment with malware?
Instead of worrying about it you can now go to a new Web site McAfee is launching on Tuesday that is designed to help computer users ...
Puerto Rico sites redirected in DNS attack
By Elinor Mills
An attack on the main domain name system registrar in Puerto Rico led to the local Web sites of Google, Microsoft, Yahoo, Coca-Cola, and other big companies being redirected for a few hours on Sunday to sites that were defaced, according to security firm Imperva.
Those sites and others including ...
Google plugs PC power into cloud computing
By Stephen Shankland
Even at the cutting edge of cloud computing, Web-based applications can be frustrating to write and to use.
Spreadsheets can't sort data well, there are lags between mouse clicks and the program's response, graphics look Mickey Mouse rather than lavish. But Google, among the most aggressive cloud computing advocates, is trying to address some of those shortcomings.
The company has released experimental but still very much real software that brings in some of the power of the PC, where people often use Web applications. Google Native Client--first released in 2008 but updated with a new version Thursday--is a browser plug-in for securely running computationally intense software downloaded from a Web site. And on Tuesday, Google released O3D, a plug-in that lets Web-based applications tap into a computer's graphics chip, too.
The projects are rough around the edges, to say the least. Native Client--NaCl for short--is more security research project than usable programming foundation right now, and O3D exists in part to try to accelerate the arrival of some future, not necessarily compatible, standard for building 3D abilities into Web applications.
[Figure: Google Native Client shown running a fractal landscape explorer. Credit: Google]
But both fundamentally challenge the idea that Web apps necessarily are stripped-down, feeble counterparts to the software that runs natively on a personal computer, and they come from a company that has engineering skill, a yen for moving activity to the Internet, and search-ad profits that can fund projects that don't immediately or directly make money.
"There are things you can do in desktop apps that you can't do in Web apps. We're working very hard to close that gap, so anything you can do in a desktop application you can do safely and securely from a Web application," said Linus Upson, a Google engineering director.
...
Is Malware Heading for Extinction?
By Rik Ferguson on spam
Last week Steve Cutler, Intel’s Technical Marketing Manager, made Intel’s Top 10 technology predictions for the next decade. In a statement reminiscent of Bill Gates’ misguided prediction, at the World Economic Forum in 2004, of a solution to the spam problem within two years, Cutler’s prediction number five was especially interesting; it stated: “5. Malware will no longer be a threat [...]
OAT (OCS Assessment Tool) - Office Communication Server Security Assessment Tool
By Darknet on voip-security
OAT is an Open Source Security tool designed to check the password strength of Microsoft Office Communication Server users. After a password is compromised, OAT demonstrates potential UC attacks that can be performed by legitimate users if proper security controls are not in place. Features Online Dictionary Attack Presence Stealing Contact...
Swine Flu Spam
By Chris Barton, Research Scientist and Artemis Geek on Spam and Phishing
The Swine Flu pill spam has started and it’s taking a few Hollywood stars’ names in vain. Nothing out of the ordinary with the sites on the far end yet, though I do expect Oseltamivir [AKA Tamiflu] will get some extra exposure once the affiliate pill sites are updated. Subjects: First US swine flu victims! US swine flu [...]
Security training 101
Installing the latest security hardware and software means nothing if end users don't practice cyber safety. And the best way to get end users to 'think security' is to create an ongoing culture of security at your company.
New York State raises the bar for end user security training
New York State is extremely concerned about phishing in general, and more specifically spear phishing: highly targeted phishing attacks designed to penetrate organizations, government agencies, groups, etc.
eBay scammer gets four years in slammer
Busted
A man convicted of swindling more than $259,000 using fraudulent eBay listings and other venues was ordered to serve 52 months in federal prison and pay $252,000 in restitution.…
Pink-slipped BOFH admits to threatening ex-employer's network
Breaking up is hard to do
A system administrator has admitted he threatened to cause extensive damage to his former employer's computer system after he was laid off.…
Reding demands Cyber Cop for Europe
'Member States have been quite negligent'
Europe needs a security tsar to defend and protect its communications networks against attacks from organised crime, rogue states and breakdowns, Viviane Reding has claimed.…
ISPs eye role in Jacqui's mass surveillance system
As long as you're paying for it
The trade body for ISPs has today cautiously welcomed news that the government does not plan to build a massive, centralised database of communications data, but voiced fears about the cost to its members.…
Anonymity proves grey area for IDScan
Redacted 'fake' card details exposed on website
Security software provider IDScan has been left red-faced after a page of supposedly anonymous details of ID cheats on its website turned out not to have been anonymised after all.…
Firefox gets another update, (Mon, Apr 27th)
Didn't I just post about Firefox getting updated? Well, I'm not complaining, good for Mozilla. ...(more)...
Swine Flu (Mexican Flu) related domains, (Mon, Apr 27th)
This is a first cut of a list of Swine Flu related domains. In Europe, this flu is usual ...(more)...
ICE Act would create White House cybersecurity post
By SearchCompliance.com
The Information and Communications Enhancement (ICE) Act would create a White House "cyber office" that would coordinate between government agencies and the private sector.
Former Federal Reserve Bank employee arrested
By SearchFinancialSecurity.com Staff
An IT analyst and his brother allegedly used stolen data, including sensitive bank employee information, to obtain loans.
Adobe Investigating New Vulnerabilities in Reader
Adobe is investigating two new reported remote code execution vulnerabilities in Reader 8 and 9. The flaws have been demonstrated on Linux and are likely to affect other platforms.
- Adobe says they are investigating reports of a new vulnerability in their PDF Reader program. The Adobe report refers to a single vulnerability report on SecurityFocus, but in fact there are two similar reports there, both credited to "Arr1val." Both include proof-of-concept JavaScript ...
Qualys Extension to PCI Connect Set To Help SMBs Prove PCI Compliance
With Qualys' new extension to its PCI Connect compliance solution, smaller retailers may have a newfound ability to build complete documents proving their compliance with the most recent PCI specification--provided they enlist the right products and services to cull the data.
- This month at the RSA show in San Francisco, intrusion prevention vendor Qualys announced an extension to its PCI (Payment Card Industry) compliance solution called PCI Connect. The announcement of the extension--which should be available in the July timeframe--essentially boiled down to an inter-ve...
Google Joins Mozilla, Blames IE for Chrome Bug
OPINION: It's an old tradition to blame Microsoft for not doing the security work you should have done yourself.
- Google has fixed a bug in their Chrome browser which could allow cross-site scripting and other dangerous policy violations under interesting circumstances: when Chrome is called from Internet Explorer because a link is executed in IE with the "chromehtml" protocol handler. Update Chrome ...
Google Chrome, Internet Explorer Caught in Vulnerability Web
Google updates Google Chrome to fix a security vulnerability that would allow hackers to launch universal cross-site scripting attacks. The flaw affects users with the Chrome Web browser installed who visit a malicious Web page with Microsoft Internet Explorer.
- The Google Chrome Web browser and Microsoft Internet Explorer have found themselves at the center of a security issue that could lead to cross-site scripting attacks. Google Chrome has been updated to 1.0.154.59 to fix a security vulnerability in the handling of ChromeHTML URIs (Uniform Resource...
Windows 7's XP Mode and Security
OPINION: It's a brilliant business move to break the upgrading logjam, but is it a risky security move? We don't know enough to say for sure, but it will change things in the security software business.
- For business users who skipped Windows Vista, Windows 7's newly announced Windows XP Mode (XPM) must be intriguing. Yes, you will have to cough up some serious money for new hardware and software, but the really scary and disruptive stuff, whether your old software will work, is far less of an issu...
Conficker adds new weapon: spam (AP)
In technology
AP - The giant Conficker computer worm, once feared as an out-of-control Internet doomsday machine, seems to have settled — for now — on trying to make money in very predictable ways.
Opportunists exploit swine flu with spam e-mails (Reuters)
In technology
Reuters - Exploiting worries over the swine flu outbreak, spammers flooded the Internet on Monday with millions of e-mails peddling counterfeit drugs as remedies and seeking to steal credit card data, a security firm said.
Salma Hayek's Email Gets Hacked (PC Magazine)
In technology
PC Magazine - Salma Hayek is into designer clothes delivered to her apartment, "Japanese face massages," and iPhone apps from the iTunes store according to the screen shots posted by the hackers who busted into her mac.com account. Pick a stronger password next time, Salma.
As Conficker Turns, Botnets Burn
In Virus and Spyware
Conficker might be interesting to ponder, but the working class botnets are shouldering a heavy load in the background, new research contends.
Infrastructure Security Trapped at Dangerous Crossroads
In Vulnerability Research
Organizations doing business in the critical grid infrastructure space need to up the ante when it comes to IT security, leading experts in the field reported at the RSA Conference.
Hathaway at RSA: Obama Admin's Missed Opportunity
In Virus and Spyware
The Obama Administration missed a huge opportunity by limiting what Cyber Czar Melissa Hathaway could report at RSA.
Catching Up with RSA
In Vulnerability Research
Your faithful blogger hasn't been too faithful, but if you're still curious, stay tuned for some late-breaking RSA coverage.
Is Anybody Watching?
In Virus and Spyware
More organizations may consider restricting employees' Web access related to matters of security. There are proponents on both sides of the debate, but first you need to find out what's happening.
E-Mobsters Continue Brazen Extortion
In Virus and Spyware
A new study from Verizon Business just reaffirms what we know about organized cyber-crime and our lack of commitment to stop it.
Phishing Officially Commoditized
In Virus and Spyware
It's become pretty clear that phishing is everywhere and it's likely only to get more ubiquitous and commoditized.
Job Cuts Leaving IT Systems Open to Attack
In Virus and Spyware
Even with looming job cuts and larger numbers of remote workers, many companies are unprepared to adjust their security defenses, according to a new survey.
Sophos: We're Winning via Simplicity, Integration
In Virus and Spyware
Most organizations are looking for endpoint security that offers integrated functionality with ease of management, according to the company's CEO.
Ghostnet Botnet Fed by Rudimentary Toolkit
In Virus and Spyware
Researchers maintain that one of the drivers behind the sizeable Ghostnet government cyberattack is an easy-to-use authoring toolkit.
Cisco Security Center: IntelliShield Cyber Risk Report
April 20-26, 2009
Report Highlight: Gathering Storm over Cloud Security
Are Network Designs Ready for a Pandemic?
Category: Network Devices
Paper Added: April 27, 2009
Swine Flu: What You Need to Know
By Brandon Keim
With all the news and hype about swine flu, here are the facts you need to know to make sense of it all.
BitLocker, TPM Won't Defend All PCs Against VBootkit 2.0
Lack of broad BitLocker support in Windows 7 means many users won't be protected.
McAfee Launches 'online 911' for Cybercrime Victims
The Web site is a first stop for people who want to take action after a cybercrime
Salma Hayek's MobileMe Account Hacked
So if you're a celebrity (or, well, anyone, really) and you want to make extra sure that people aren't able to easily access...
Spammers Peddle Snake Oil for Swine Flu
Piggybacking on growing health fears, spammers launch efforts to take advantage of global concern about swine flu.
Obama Taps IT Execs for Tech Board
Top executives from Microsoft and Google will be helping the president shape the government's science and technology policies.
Software System Sniffs out Insider Trading
The application will link stock data to news story headlines to detect suspicious stock trading
Europe Funds Secure Operating System Research
Money will ensure five more years of research into developing the Minix operating system
EC's Reding Urges Preventive Action Against Cyberattacks
One month without access to the Internet would cost the EU around €150 billion, commissioner says
How does a pandemic ever end?
By Chris Wilson on explainer
Three influenza pandemics struck the world in the 20th century, including the Spanish flu of 1918 that claimed anywhere from 50 million to 100 million lives. (There were no effective flu vaccines available at the time.) When a flu that contagious spreads across the world, how does it ever die out?
What happens during a "public health emergency," and what's a "pandemic alert level"?
By Christopher Beam on explainer
As the number of reported domestic cases of swine flu climbed to 20 Sunday, the acting secretary of health and human services declared a "public health emergency." Meanwhile, an official at the World Health Organization said it would decide Tuesday whether to raise its pandemic alert level from 3 to 4. What's the significance of these official declarations?