Tuesday, May 19, 2009

Around The Horn vol.1,102

IIS6.0 WebDav Unicode Remote Auth Bypass

By Robert A. on Vulns

Update: Microsoft has posted some additional information in multiple entries. A new Unicode bug in IIS has been discovered which allows an attacker access to resources behind password-protected sites. This issue only seems to affect IIS 6 (5 and 7 seem immune) and no fix has been issued at this...

Microsoft warns of new server vulnerability

By Ina Fried

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain

...

Originally posted at Beyond Binary

Symantec, McAfee target iPhone for new products

By Jim Dalrymple

Security companies Symantec and McAfee will be the latest big-name developers to make products for Apple's iPhone, as the two look to cash in on the popularity of the device.

Speaking to Reuters, McAfee CEO Dave DeWalt said his company is developing security software for the iPhone, though no ...

Originally posted at News - Apple

Retarded E-mails - Brute Force, Change School Grades, Hack US Military & MORE

By Darknet on spammers

It’s been a few months since the last Retard Update, and it’s definitely been slower since I posted the disclaimer and link on the Contact Page. There have been some weird ones, one worders, one liners and stuff in foreign languages. Anyway let’s get started with a classic ‘script-kiddy I can’t operate my computer‘ type mail. lloyd wrote: hey [...]

Samurai Web Testing Framework 0.6 Released - Web Application Security LiveCD

By Darknet on website security

You may remember we wrote about Samurai being released back in November 2008, it’s been quite a while since the last update. The authors have updated and fixed a number of issues with the environment as well as improved performance of the java based tools. They have also included a virtual machine of the environment. [...]

Trusted Computing Group Widens Security Specs Beyond Enterprise Networks

New specs include support for SCADA systems, physical access control systems, guest PCs, printers, and VOIP phones

Report: Over 60 Percent of Websites Contain Serious Vulnerabilities

WhiteHat Security report finds organizations are slow to close known security holes in their Websites

Tough Economy Never Good for Security

In Virus and Spyware

New research indicates that IT security spending is finally cooling as the worldwide economy stumbles.

Smart grid standards released

The government has released a list of 16 interoperability and security standards for the smart electric grid.

CBP to spend $100M on SBInet

U.S. Customs and Border Protection says it will use the money to improve its border surveillance technology and communications.

Air Force selects cyber headquarters site

A new, numbered Air Force headquarters dedicated to cyber issues will likely be located at Lackland Air Force Base, Texas, officials said.

iPhone security, Part 1

My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University sent me an e-mail note recently about the interesting security model used by Apple for its mobile devices. I invited him to expand on his thoughts and am delighted to present his analysis today. Everything that follows is entirely Ric’s work with minor edits.

Web attack that poisons Google results gets worse

A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergency Readiness Team (US-CERT) warned on Monday.

Paper: Consumer data helps fuel Internet economy

Online targeted advertising and the collection of consumer data are the fuel of Internet commerce, not the major privacy problems described by some advocates and U.S. lawmakers, according to a new paper.

IIS 6 attack could let hackers snoop on servers

Security vendors are warning users of Microsoft's Internet Information Services 6 Web-server software that a new online attack could put their data at risk.

Small company develops new way to stop form spam

Spam isn't just a problem for people with e-mail addresses, but also for companies and organizations running Web sites with various types of feedback forms.

Phishers harvest Facebook passwords for profit

Identity thieves who hit Facebook last week with another round of phishing attacks are harvesting users' passwords for profit, a security researcher said today.

Heartland breach cost firm $12.6M -- so far

Heartland Payment Systems CEO Robert Carr disclosed that the company has already spent or set aside more than $12.6 million to cover costs related to a massive intrusion into its systems that was discovered in January.

More needs to be done with cyber security: Conroy

Senator Stephen Conroy has used his keynote speech at the 2009 AusCert conference, held this week on the Gold Coast, to call for a renewed emphasis on cyber security.

Security budgets are falling, survey says

More than 200 security managers in the high-tech and telecom industries face reduced information-security budgets, according to a survey.

OpenSSH chink bares encrypted data packets
One in 262,144 chance = good odds

Cryptographers are urging users of a widely employed network protocol to make sure they're running the latest version after discovering a flaw that could allow attackers to read data that's supposed to remain encrypted.…

Microsoft IIS6 bug exposes sensitive files sans password
Server pilfering made easy

Security experts are urging administrators using Microsoft's Internet Information Services version 6 to exercise extreme care following the discovery that the popular web server is vulnerable to a simple attack that exposes password-protected files and folders.…

McAfee buys whitelisting firm Solidcore
If you're not on the list, we're not going in

Net security firm McAfee has bought whitelisting firm Solidcore for approximately $33m in cash, rising to $47m if sales targets are met.…

JSRedir-R/Gumblar badness, (Mon, May 18th)

Reader Ben sent an email reminding me that I must have been living under a rock to miss the sudden u ...(more)...

Cross-Site Scripting, information leakage top list of website vulnerabilities

By Robert Westervelt

Companies are moving more rapidly to correct errors by feeding virtual patches into Web application firewalls, according to WhiteHat founder and CTO Jeremiah Grossman.

Software Piracy pandemic needs government role, better vendor antipiracy plans

By Eric Ogren

Software vendors need better antipiracy plans, but they have to strike a balance to avoid alienating customers and rising support headaches.

Security budgets take hit in media, tech industry, survey finds

By Robert Westervelt

Security spending dropped in 2008 for companies in the technology, media and telecommunications industries, according to a new Deloitte survey.

Craigslist Targeted by South Carolina Attorney General

Craigslist finds itself the focus of possible legal action less than a week after it announced that it would remove its Erotic Services category. South Carolina Attorney General Henry McMaster has threatened to prosecute the popular Website for posting graphic material, while Craigslist CEO Jim Buckmaster defended the site's South Carolina page as tamer than other, similar venues.
Craigslist's promise to remove its Erotic Services category, replacing it with a screened Adult Services section, was apparently not enough for South Carolina Attorney General Henry McMaster, who announced plans to prosecute the popular online classifieds Website, of whic...

MyIDscore.com Offers Free ID Theft Risk Score

In Safety Tips

Consumers trying to determine their risk of becoming an identity theft victim typically are told to check their credit report for signs of unauthorized or suspicious activity. But a new Web-based service aims to give users a view into tricks ID thieves use that credit reports often miss, such as when crooks use only parts of a victim's identity to fabricate a new one. The new service, www.myidscore.com, is a free offering by ID Analytics, a company that sells anti-fraud software to banks and other creditors. After providing some personal information and answering a handful of questions, visitors to the site are presented with a score from 1 to 999. Unlike credit scores, where a higher score signifies a favorable credit history, with myidscore.com, a higher score means a greater risk of identity theft. Avivah Litan, a fraud analyst with Gartner Inc., said the difference between a credit report and

Brief: Much ado about Kylin


McAfee, EMC team up vs. Symantec in online backup (Reuters)

In technology

Reuters - McAfee Inc, the No. 2 computer security company, plans to team up with EMC Corp to offer online PC backup services, and announced the acquisition of a company that protects ATMs against hackers.

Hackers breach UC Berkeley computer database (AP)

In us

AP - Officials at the University of California at Berkeley say hackers infiltrated restricted computer databases, and the personal information of up to 160,000 people may be compromised.

SB09-138: Vulnerability Summary for the Week of May 11, 2009


Cisco Security Center: IntelliShield Cyber Risk Report

May 11-17, 2009

Report Highlight: Twitter Roundup: Twittercrat, Twitternaut, Twitterpanic, Twitterfeds

350,000 I/O operations per Second, One vSphere Host

By vmtn@vmware.com (VMTN) on Technical Information

Summary: VMware vSphere includes a number of enhancements that enable it to deliver very high I/O performance. In this study, we demonstrate that vSphere can easily support even an extreme demand for I/O throughput made possible by new products like...

Web Attack That Poisons Google Results Gets Worse

ScanSafe says that more than 3,000 Web sites have been infected with Gumblar drive-by attack code.

IIS 6 Attack Could Let Hackers Snoop on Servers

Researchers say an unpatched bug in IIS 6 could let attackers view or upload files to the server.

Heartland Breach Cost $12.6 Million and Counting

Lawsuits, fines, and general cleanup for the data theft contributed to the company's quarterly loss.

Microsoft warns of IIS zero-day vulnerability

By Robert Westervelt

A zero-day flaw in Internet Information Services (IIS) could be exploited to elevate privileges and gain access to sensitive data. US-CERT warns of active attacks in the wild.

XSS bugs, information leakage top list of website vulnerabilities

By Robert Westervelt

Companies are moving more rapidly to correct errors by feeding virtual patches into Web application firewalls, according to WhiteHat founder and CTO Jeremiah Grossman.
