Thursday, May 21, 2009

Around The Horn vol.1,104

Apple has yet to patch "critical" Java vulnerability

By chris.foresman@arstechnica.com (Chris Foresman) on web browser

Mac OS X contains a serious security vulnerability in its implementation of Java, according to several security experts. The vulnerability remains in the software even after Sun had disclosed and patched the problem and Apple had been notified of the issue by at least one security researcher.

A vulnerability related to de-serializing certain Java objects can result in arbitrary code running outside of the JVM's sandbox with the same privileges as the current user. It was reported to Sun in August 2008, and in December 2008, Sun disclosed the vulnerability and issued a patch. Despite recent security updates from Apple, researchers say this "critical" vulnerability still exists in Mac OS X.

Microsoft warns of security flaw in IIS

By emil.protalinski@arstechnica.com (Emil Protalinski) on IIS

Microsoft yesterday posted Security Advisory 971492, which contains information regarding a vulnerability in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0. Microsoft describes the vulnerability as follows: "An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft says it will continue to monitor the situation and will either post a patch on Patch Tuesday or will release an out-of-cycle security update. Currently, the software giant notes it is not aware of attacks that attempt to use this vulnerability. The good news is that the vulnerability can only be exploited under very specific circumstances, according to Microsoft:

SamuraiWTF live web testing framework 0.6 released

By Robert A. on Tools

"The SamuraiWTF project team is proud to announce the immediate release of SamuraiWTF 0.6. This release contains a number of fixes and updates as well as the first release of a VM image. This VM requires Vmware 5.0 or better. It will also work in any version of VMWare Fusion. Thanks, Kevin Johnson"...

Java Flaw still not fixed in Mac OS X

By Robert A. on Vulns

"According to Julien Tinnes in the CR0 Blog, it appears that Apple's recent security update failed to fix a Java flaw that was reported to Sun back in August 2008 and patched by Sun way back in December 2008. The upshot: according to the blog (and I've yet to be able...

U.S. National Archives offers reward for missing hard drive

By Elinor Mills

The U.S. National Archives on Wednesday said it is offering a $50,000 reward for information leading to the recovery of a missing hard drive that contains personal information of former Clinton administration staff and visitors.

The small portable hard drive was being ...

Adobe to release security updates a la Patch Tuesday

By Elinor Mills

Correction 4:05 p.m. PDT: This post initially misstated how often the security updates will be. Adobe plans to issue updates quarterly.

Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft's Patch Tuesday as part of a new approach to product security for ...

Report: Attackers exploit IIS hole to breach university server

By Elinor Mills

Updated 6 p.m. PDT with Microsoft comment.

It apparently didn't take long for hackers to try to take advantage of a zero-day hole in Microsoft Internet Information Services (IIS).

Ball State University in Muncie, Ind., told The Register that servers running the program were breached on Monday, the ...

Security firm warns of Java flaw in Mac OS X

By Jim Dalrymple

Updated 12:30 p.m. PDT with Apple comment

Macintosh security consulting firm SecureMac.com on Tuesday issued a critical warning for what it says is an unpatched Java security vulnerability in Apple's Mac OS X.

According to the man credited with discovering it, Landon Fuller, the Java flaw ...

Originally posted at News - Apple

Tvviter Typosquatting Phishing Site

By Rik Ferguson on web

I noticed this morning the appearance of a very sneakily typoed (is that even a verb) phishing website targeting users of the social networking and micro-blogging website Twitter. The URL for the phishing is deliberately misspelled in such a way that at a cursory glance it looks like the real thing: www.tvviter.com, that’s with a double [...]

BugSpy - Crawls The Web For Open Source Software Bugs

By Darknet on vulnerabilities

BugSpy is an interesting web site I came across recently. Put together using a Python framework (Django), it aggregates bugs from as many open source projects as it can find, preferably critical bugs. You can search by tag (e.g. java, email or php) or by product name (e.g. Ubuntu, Typo3 or Samba). http://bugspy.net/

Virtualization Could Collide With PCI, But Help Forensics

Security experts at CSI/SX and Interop warn that PCI-regulated apps and virtualization may not mix right now; say virtualization can help with incident response

Tippett: Use Application Logs To Catch Data Breaches

At CSI/SX, Verizon Business' Peter Tippett talks trends and lessons learned in data breaches

Microsoft Offers Free Template For Secure Software Development Process

SDL Process Template plugs directly into development tools

Getcha Popcorn Ready - Malware Goes to the Movies

In Virus and Spyware

McAfee has sponsored a new series of short films that highlight the woeful life experiences of some unlucky people who have become victims of cyber-attack.

New Computer Comes with Side Order of Malware

In Virus and Spyware

When Kaspersky Lab purchased an M&A Companion Touch netbook recently, it thought it was just getting a device. It turns out the machine came with a free serving of malware right out of the box.

NARA suffers data breach

The National Archives and Records Administration is missing an external hard drive with the personally identifiable information of some Clinton administration officials and White House visitors.

Double strike by AMTSO

By Igor Muttik on Vulnerability Research

It was very encouraging to see that more than 40 people came to Budapest, Hungary to discuss and find agreement on new industry standards as part of the effort undertaken by the Anti-Malware Testing Standards Organization (www.amtso.org). Awesome historic surroundings set the mood for our discussions. Seeing such a great representation in the current economic climate shows how much AMTSO members [...]

McAfee Unveils H*Commerce Web Film Series on Cybercrime

By David Marcus on Web and Internet Safety

Today we launched a new Web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ole’ brains to the project! The term H*Commerce [...]

Conficker still infecting 50,000 PCs per day

The Conficker worm is still infecting systems at a brisk rate and continues to snag computers in Fortune 1000 companies, according to security researchers.

Missing drive had no Clinton Administration records, says National Archives

No original Clinton Administration records were stored on an external hard drive missing at the U.S. National Archives and Records Administration (NARA), the agency said this afternoon.

Hard drive with Clinton-era data missing from National Archives

An external hard drive thought to contain nearly 1TB of data -- some of it sensitive information -- from the Clinton Administration is missing from the U.S. National Archives and Records Administration.

Sophos beams up free Klingon antivirus app to Star Trek fans' PCs

Hard on the heels of renewed interest in the Star Trek franchise, security company Sophos has released a Klingon-language version of a free malware scanning tool it uses to show Earth-bound customers how its technology stacks up against rivals' apps.

Craigslist fires back, sues South Carolina attorney general

Craigslist has filed a lawsuit against South Carolina Attorney General Henry McMaster for his threats to sue the online advertising site earlier in the week.

Angered by Apple delay, hacker posts Mac Java attack

In an effort to draw attention to a long-standing security problem in Apple's Mac OS X operating system, a security researcher has posted attack code that exploits the flaw.

Adobe snaps to attention over security vulnerabilities

Adobe Systems, whose applications have been hit hard by hackers, is combing through legacy code for bugs in its products and plans a regular quarterly patch release, according to a top security official.

Facing criticism, Adobe rethinks PDF security

Blasted in February for being slow to fix a zero-day vulnerability in its popular PDF viewer, Adobe today pledged to root out bugs in older code, speed up the patching process and release regular security updates for Adobe Reader and Acrobat.

Credit card council looks into cloud security

Cloud security is enough of a potential problem that it’s being investigated by the group that sets standards for protecting credit card data.

Advanced Algorithms Enlisted To Fight Cyberwars

First Estonia. Then Georgia. Increasingly, the theoretical potential for cyberwar is becoming hard reality. One new report argues that the unchecked proliferation of cyber warfare weapons is comparable to that of nuclear warheads. At least one branch of the US military, the United States Navy, takes the threat seriously and monitors cyber threats on a daily basis.

Trend Micro 'de-lags' SMB anti-virus

Trend Micro has released a new version of its 'Worry-Free' SMB security suite, putting the focus on a design it says will greatly improve the software's updating speed.

Arbor beefs up traffic-monitoring system

Arbor Networks has announced that it has beefed up the management and security capabilities in the new version of its traffic monitoring and security platform.

Hard drive missing from US National Archives

A hard drive containing personal information of White House staff and visitors during former U.S. President Bill Clinton's administration is missing from the U.S. National Archives and Records Administration, the agency said.

Apple lags on Java security fix in OS X

While Apple's safety record is pretty good--that is to say the actual number of security breaches on the platform is small--it still has some work to do in terms of its reputation for security. The company is often close-mouthed about its process for dealing with security fixes, and though it does issue updates throughout the year, vulnerabilities sometimes go unpatched for months at a time.

Conficker: Hold the funeral, it's not dead yet
50,000 new Windows systems hit every day

Media coverage of the Conficker superworm has died down over recent weeks but variants of the worm are still infecting 50,000 new PCs a day.…

BitDefender launches 'suck it and see' free anti-virus scanner
Cut-down software in consumer marketing push

Romanian anti-virus firm BitDefender has begun offering a free version of its anti-virus scanner software to consumers.…

Undead deleted photos linger on social networking websites
We're coming to embarrass you, Barbara!

That embarrassing party shot of you and that hot dog may still come back to haunt you - photos posted on social networking websites can often be easily viewed even after users attempt to delete them, according to a study by security researchers at the University of Cambridge.…

NZ couple do bunk with £3.9m bank error
Take the money and run

New Zealand police have asked Interpol to help them apprehend a couple who did a bunk with an unspecified percentage of a NZ$10m (£3.9m) bank error.…

China lowers national security IT ‘trade barrier’
No more knocking at your back door

A certification scheme that threatened to ban many software and hardware products from China has been curtailed. The scheme, which holds IT vendors to controversial national standards, will be limited to public procurement only, a government agency has said.…

Missing: 1TB of Clinton White House data
Hard drive vanishes from National Archives

A hard drive containing more than 1 terabyte of sensitive data from the Clinton administration, including the personal information of White House staff and visitors, is missing from the US National Archives.…

Adobe convenes 'Come to Jesus' meeting for buggy Reader app
Flash left outside the tent

Over the past year, Adobe software has been pummeled by a steady stream of critical zero-day vulnerabilities. On Wednesday, the software maker outlined new initiatives designed to reduce the threats faced by users of its ubiquitous Reader and Acrobat applications.…

Microsoft IIS hole fells university server
Hackers find zero-day bug irresistible

Updated: This story was updated at 05:01 GMT on 21st May 2009 to include Microsoft comments refuting the university's claims that the IIS vulnerability was exploited in the attack.

'Chief whip' tweet suggests early general election
Excites credulous blogosphere regardless of veracity

A sensational tweet from a Labour chief whip has spilled the beans on the next election - except that it probably hasn't at all.…

Beer - The Key Ingredient to Team Development

Category: Management & Leadership

Paper Added: May 20, 2009

Speling and Grammur Opshunall, (Wed, May 20th)

Wanted: Person of low moral character to correct spelling/grammar mistakes on phishing postings. Mus ...(more)...

CiscoWorks TFTP Directory Traversal Vulnerability, (Wed, May 20th)

Cisco has announced that a directory traversal flaw has been discovered in its CiscoWorks product li ...(more)...

Cyber Warfare and Kylin thoughts, (Wed, May 20th)

I believe that most of our readers have heard about the Kylin OS. This is supposed to be the super ...(more)...

Breakfast: Java, Serial, and an Apple, (Wed, May 20th)

According to Julien Tinnes in the CR0 Blog, it appears that Apple's recent security update failed to ...(more)...

One In Five Teenagers Claim to Have Used Hacking Tools (15th May 2009)

A recent survey of 4,000 teenagers between the ages of 15 and 18 states that 17% of those surveyed know how to find hacking tools online, with one third of that group admitting that they have used the tools.......

Three US Cyber Challenges To Be Announced May 29

This story won't come out until a week from Friday when three national cyber games will be announced at a Center for Strategic and International Studies (CSIS) luncheon.......

UK Serious Organized Crime Agency Tackles Cybercrime (18th May 2009)

The UK's Serious Organized Crime Agency (SOCA) revealed in its annual report how it has been involved in tackling cybercrime.......

Corporate Executive Convicted in Corporate Espionage Case (15th May 2009)

David Goldenberg, a former vice-president of the electronics firm AMX Corp, pleaded guilty in a New Jersey court to illegally accessing internet e-mail belonging to a marketing firm working for a competitor, Creston Electronics.......

US Air Force Cyber Command's New Home (18th May 2009)

The US Air Force is to locate its cyber command headquarters at the Lackland Air Force Base in San Antonio, pending the results of an environmental impact study to be completed later this summer.......

UK Ministry of Defence Admits to Losing 28 laptops This Year (15th May 2009)

The UK Ministry of Defence has admitted that between January 1st and May 11th of this year 28 laptops, 20 USB drives, four PCs and a BlackBerry were lost or stolen.......

National Child Database Goes Live Despite Security Fears (18 May 2009)

The UK Government will launch a national database system, ContactPoint, containing details of all children under 18 years of age in England.......

Password Bypass Bug in Microsoft IIS Version 6.0 (16th May 2009)

A WebDAV vulnerability in Microsoft's Internet Information Server 6.......

Insider Steals US$9m From Water Company (May 15th 2009)

A former employee of the California Water Service Company is being sought by police for allegedly transferring US$9 million from the company's accounts into a number of offshore bank accounts and subsequently fleeing the country.......

Another Phishing Attack Targets Facebook Users (15th May 2009)

Users of the social networking site Facebook have been subjected to another phishing attack.......

Attacks from Gumblar Rise by 190% (15th May 2009)

Infection rates for an attack that has been slowly spreading since late March have jumped nearly 190 percent in the last week.......

Google Services Recover From Outage (15th May 2009)

An error in Google's traffic routing system is believed to have been the cause of a service outage lasting several hours on May 14.......

Adobe shifts to Microsoft patching process, incident response plan

By Robert Westervelt

Adobe Systems Inc. said it would bolster its patch management strategy, issuing quarterly updates for its Adobe Reader and Acrobat PDF software.

IT managers under pressure to weaken Web security policy

By Robert Westervelt

A new survey suggests senior and mid-level executives want to expand use of social networking platforms, cloud-based collaboration tools and other applications.

US-CERT warns of Gumblar, Martuz drive-by exploits

By Robert Westervelt

Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.

CiscoWorks TFTP Directory Traversal Vulnerability

Apple Safari Malformed SVGList Parsing Code Execution Vulnerability

Apple OS X ATSServer Compact Font Format Parsing Memory Corruption Vulnerability

Apple CFNetwork Heap Based Buffer Overflow

CFNetwork is a framework in the Core Services framework that provides a library of abstractions for network protocols. It can be used to perform a variety of network tasks using different protocols such as SSL/TLS, DNS, FTP and HTTP. Besides many other applications the CFNetwork framework is used by Safari and Mail.

HP OpenView Network Node Manager (OV NNM) Execution of Arbitrary Code

Asterisk Multiple Vulnerabilities

Asterisk is an open source telephony engine and toolkit.

Apple Leaves Major Java Security Hole Open for Mac Users

A security researcher releases a proof-of-concept exploit making use of a Java flaw affecting Mac OS X. The flaw can be exploited via drive-by attacks to gain control of a vulnerable system. Apple officials say they are working on a fix.
- It's time for Apple to close a security hole opened by vulnerable Java applets. That's the message from security researcher and former Apple engineer Landon Fuller, who posted a proof-of-concept exploit that takes advantage of a Java flaw that was fixed by Sun Microsystems months ago. The vu...

Adobe Tightens Development Process to Improve Security

After having three known zero-day bugs hit the Web so far this year, Adobe is starting to talk security. Since February, the company has been making changes to its software development process and is planning to begin issuing quarterly updates starting this summer.
- From a security standpoint, Adobe has taken its share of lumps so far this year. In February, news that Adobe Reader and Acrobat were vulnerable to a zero-day attack became public; in April, two other bugs surfaced. All three were eventually patched, but not before proof-of-concept exploit code ...

eWEEK's Products to Watch May 2009

Each month, eWEEK editors name new or newly updated enterprise-class products that we think should be on IT professionals' radars: products and services that promise to create efficiencies as well as competitive advantage. This month, eWEEK recommends checking out Nexsan Technologies' Nexsan iSeries, AutoPilot M6 from Nastel, Seapine Software's Surround SCM 2009, Lumigent Technologies' AppGRC for PeopleSoft Financial Management, Lenovo's ThinkStation S20 and D20 workstations, v-Go Shared Accounts Manager from Passlogix, Damballa's Failsafe 3.0, St. Bernard's iPrism Web Filter with Anonymizer, and ActiveVOS 6.2.

From IE to Google Chrome, Researchers Target Cross-Site Scripting

Two researchers are proposing a software answer to cross-site scripting called BluePrint that takes parsing responsibilities away from Web browsers to improve security. Mike Ter Louw and V.N. Venkatakrishnan are presenting their research May 20 at the IEEE Symposium on Security and Privacy, in Oakland, Calif.
- For all the advances in browser security, cross-site scripting remains at the top of the list when it comes to Website vulnerabilities affecting users. Browser vendors have started to address the security issue by building more protections into the browser. Microsoft, for example, added a cross-...

National Archives Breach Includes Clinton-Era Data

Either through accidental loss or theft, the National Archives and Record Administration informs Congress of more than a terabyte of missing data from the Clinton administration, including sensitive information on hundreds of individuals who visited the White House. Accident or not, the FBI has launched a criminal investigation into the matter.
- No one is quite sure what happened yet, but the end result is the National Archives is missing a hard drive containing about a terabyte of information from the Clinton White House. The missing data includes the names and Social Security numbers of visitors and staff at the White House during t...

Investment Firms Report Increased Credit & Debit Card Fraud

In U.S. Government

Financial institutions in the securities and futures industries last year reported a large increase in the number of suspicious transactions attributed to debit and credit card fraud -- nearly double the number reported in 2007, new statistics released by the federal government show. The numbers come from an annual report released by the Financial Crimes Enforcement Network (FinCEN), a division of the U.S. Treasury Department. The report tracks so-called "suspicious activity reports" (SARs), which financial institutions are required to file when they spot customer transactions of $5,000 or more that set off various red flags most commonly associated with money laundering or other fraudulent activity. Originally, these filings were required only of traditional financial institutions, but in 2003, the government began requiring the reports from trading firms and mutual fund providers, too. According to FinCEN, the number of SARs that investment firms attributed to credit and debit card fraud jumped

Adobe Adopts Microsoft's Patch Tuesday Approach

In New Patches

Following a series of high-profile attacks that leveraged security vulnerabilities in its PDF Reader and Acrobat applications, Adobe Systems Inc. is making a major push to revamp its approach to security. The company said today that it plans to ship security updates more regularly and push out emergency updates more speedily, and that it will be continually stress-testing those products to find and close security holes before hackers can exploit them. In announcing the changes, Adobe is borrowing several pages from Microsoft's security playbook. Redmond ships updates on the second Tuesday of each month and regularly fixes vulnerabilities that its in-house researchers have uncovered. Sometime this summer, Adobe will begin shipping patches on a quarterly basis -- on the second Tuesday of every third month. Brad Arkin, Adobe's director for product security and privacy, said that day was picked to help lighten the load on businesses, most of which already

Conficker Still Infecting 50,000 PCs per Day (PC World)

In technology

PC World - The Conficker worm is still infecting systems at a brisk rate and continues to snag computers in Fortune 1000 companies, according to security researchers.

NebuAd closing doors after Internet privacy woes (AP)

In technology

AP - NebuAd Inc., a company that sought to target ads to consumers based on their online behavior, is going out of business after facing scrutiny over whether its technology infringed on the privacy of Internet surfers.

Angered by Apple Delay, Hacker Posts Mac Java Attack (PC World)

In technology

PC World - In an effort to draw attention to a long-standing security problem in Apple's Mac OS X operating system, a security researcher has posted attack code that exploits the flaw.

Locking Down Windows Server 2008 Terminal Services

By (Chris Sanders)

Things you can do to make your Terminal Server environment more secure.

CiscoWorks TFTP Directory Traversal Vulnerability

In Cisco Security Advisory

DNS Attack Downs Internet in Parts of China

An attack on DNS servers used by a domain registrar in China ultimately crippled Internet access for several hours in parts of the country Wednesday.

Facing Criticism, Adobe Rethinks PDF Security

Blasted in February for being slow to fix a zero-day vulnerability in its popular PDF viewer, Adobe has pledged to root out bugs.

Conficker Still Infecting 50,000 PCs per Day

Symantec says that Conficker is still infecting 50,000 computers per day.

VMware Pulls Trigger on vSphere 'cloud OS'

After six months of hype, VMware announced Thursday that its vSphere software is now available worldwide.

A Look at the National Archives Data Blunder and Other Govt. Data Losses

The U.S. National Archives and Records Administration says it lost a hard drive full of sensitive data. It's like deja vu all over again.

Angered by Apple Delay, Hacker Posts Mac Java Attack

A security researcher has released attack code that exploits a nasty Java bug on Mac OS X.

Adobe Snaps to Attention Over Security Vulnerabilities

Adobe Systems is combing through legacy code for bugs in its Reader and Acrobat products and plans a regular quarterly patch release.

Close the Java Security Hole in Many Browsers

As we noted earlier, there's a rather large security hole with Java in Web browsers in all versions of OS X. Because of the way Java applets work, you can be...

New Malware Attack Detected by Sophos

A new web-based malware attack comprising almost half of detected infections this week has been detected by IT security and control firm Sophos.

Apple Lags on Java Security Fix in OS X

While Apple's safety record is pretty good--that is to say the actual number of security breaches on the platform is small--it still has some work to do in terms...

Hard Drive Missing From US National Archives

The U.S. National Archives reports that a hard drive containing personal information is missing.

Advanced Algorithms Enlisted To Fight Cyberwars

Memory analytics and white listing will help protect American companies from electronic warfare.

Enterprise Wi-Fi Gets a Security Boost

Wi-Fi Alliance improves security by adding to WPA2 requirements, including a secure handoff standard and tunneled authentication.

New DNS Bug and Fix Announced

Domain name registries are scrambling to patch a bug in popular open source DNS software that could be exploited for denial-of-service attacks.
