Tuesday, June 16, 2009

Around The Horn vol.1,121

Apple finally issues patch for "critical" Java vulnerability

By jacqui@arstechnica.com (Jacqui Cheng) on vulnerability

Apple has finally issued a patch for a critical Java vulnerability in Mac OS X that made headlines last month. The update comes as part of Java for Mac OS X 10.5 Update 4, a 158MB download from both Apple's website and Software Update and requires Mac OS X 10.5.7.

According to Apple, the update "delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2." This includes one vulnerability related to de-serializing certain Java objects, which could result in arbitrary code running outside of the JVM's sandbox with the same privileges as the current user. It was reported to Sun in August 2008, and in December 2008 Sun disclosed the vulnerability and issued a patch. Despite recent security updates from Apple, however, researchers blasted Apple for not having patched the vulnerability in Mac OS X yet.

Article: Setting the appropriate security defect handling expectations in development and QA

By Robert A. on Vulns

I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a...

3 Top Issues in Information Security

By Rik Ferguson on patches

1 – Lack of awareness, both at a corporate level and at an end user level. I am always banging on about a company’s most effective security tool being education, and it’s true. Organisations need to make sure they understand the threat as it really is today, not as they think it is. They need to [...]

Researchers Build Anonymous, Browser-Based 'Darknet'

Black Hat USA presentation will demonstrate how the latest browser technology makes underground, private Internet communities simpler to form, more secretive

Apple Swats Old Java Bug

In Vulnerability Research

Apple got around to plugging a security hole in Java for Mac that left users open to attack.

Navy wants proposals on cyber research

The Office of Naval Research said today it plans to award more than $14.5 million for research on software engineering, networks, social networks and critical infrastructures.

Official: Gates still considering cyber command

A new Defense Department cyber command would not lead to a military takeover of cyberspace, says Deputy Defense Secretary William Lynn.

The limits of a cyber czar

The cybersecurity coordinator needs support from the White House to do the job effectively.

DHS resists security clearance improvements

The inspector general recommended several ways for DHS officials to improve the security clearance process, but agency leaders have objected.

Pointers

As open-source boosters soak up the positive signals they hear from new federal CIO Vivek Kundra, it’s worth noting how much the open-source world has – and has not – changed in the past few years.

DOD cyber command won't militarize cyberspace

Deputy Defense Secretary William Lynn III stressed the need for cooperation between the Pentagon’s new cyber command and the organizations with primary responsibility for the .gov and private-sector domains.

Wisen up to handheld security

As the use of handheld devices in government has vastly expanded during the past eight years, so have the security risks. Agencies need to know the risks and take steps to protect sensitive data and communications.

Homeland Security keeps cybersecurity role

The Homeland Security Department's proposed budget for fiscal 2010 and recent public statements show the Obama administration's new cybersecurity strategy isn't cutting out DHS.

Sensitive information protection remains tough

The government is exploring policy and technology solutions to improve the way it shares sensitive but unclassified terrorism-related information with state, local and industry officials.

Senate bill would loosen IT requirements under Real ID

Senators introduced a bill today that would loosen some information technology requirements under the REAL ID law.

Apple Fixes Java Security Hole

The flaw could have allowed a Java applet to execute malicious code on affected Macs, potentially leading to information theft or a compromised system.

Twitter Security Heating Up In July

In an effort to raise awareness of browser security flaws, one researcher wants to post a vulnerability every day that shows the soft underside of the Fail Whale.

China's Green Dam Software May Pose Legal Risk To U.S. Computer Makers

A research report indicates that the Web-filtering software mandated by the Chinese government contains unauthorized, proprietary code from a Green Dam competitor.

Lawmaker: Power Grid Vulnerable To Cyberattack

Hackers could bring down electrical grids serving entire regions of the U.S., leaving homes and businesses dark for months, Congressman says.

China 'Green Dam' Censorware Called Security Risk

Chinese authorities claim the software is necessary to protect people from pornography, but the software has been found to block politically sensitive terms.

DDOS Is Not The Most Political Way to Protest

By Pedro Bueno on Malware Research

So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely: http://www.leader.ir/ http://president.ir/ http://www.irib.ir/ http://www.iribnews.ir/ and some specific URLs on those domains. No guys, that’s not the right path, and as it is a malicious activity, we are detecting the tools being distributed to create this [...]

Real ID opposition sparks revisions to national driver's license standard

Widespread opposition to a 2005 bill designed to create a national standard for driver's licenses has prompted a revised version of the bill that no longer contains its most controversial provisions.

With unrest in Iran, cyber-attacks begin

An apparently ad-hoc cyber protest against the results of recent Iranian elections has knocked key Web sites off-line.
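
The defender's side of the two items above, as an added example that is not from either post: a small detector that parses web server access logs in Apache common log format and flags sources whose request rate inside a short sliding window is far above anything a browser produces, then reports which paths those sources hammer. The log lines, the 10-second window and the threshold of 20 requests are constructed for illustration; real thresholds come from a baseline of the site's own traffic.

```python
"""Flag sources whose request rate in any short window exceeds a threshold,
from web server access logs in Apache common log format.

Added example; the log lines, window and threshold below are constructed
for illustration and are not from any real site or tool.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def peak_rates(lines: Iterable[str], window_s: int = 10) -> Dict[str, int]:
    """Highest number of requests each source made inside any window_s-second
    window, computed with a per-source sliding deque in a single pass."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]) >= timedelta(seconds=window_s):
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return dict(peak)


def find_flooders(lines: List[str], window_s: int = 10, threshold: int = 20) -> Dict[str, int]:
    """Sources whose peak rate reaches the threshold; a browser loading a page
    and its assets stays well below 20 requests per 10 s in this sample."""
    return {ip: n for ip, n in peak_rates(lines, window_s).items() if n >= threshold}


def targets_of(lines: List[str], ips: Iterable[str]) -> Counter:
    """Paths requested by the flagged sources; a flood tool usually hits one or
    two URLs, which is what you rate-limit or cache first."""
    wanted = set(ips)
    hits: Counter = Counter()
    for e in map(parse_line, lines):
        if e is not None and e["ip"] in wanted:
            hits[e["path"]] += 1
    return hits


def _log_line(ip: str, ts: datetime, path: str) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one source fires 30 requests at "/" in 4.5 seconds,
# two ordinary visitors make a few requests spread over a minute.
_T0 = datetime(2009, 6, 16, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_log_line("198.51.100.7", _T0 + timedelta(milliseconds=150 * i), "/") for i in range(30)]
    + [_log_line("192.0.2.10", _T0 + timedelta(seconds=20 * i), "/news") for i in range(3)]
    + [_log_line("192.0.2.11", _T0 + timedelta(seconds=15 * i), "/") for i in range(3)]
)

if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    print("flooders:", flooders)
    print("targets:", targets_of(SAMPLE_LOG, flooders))
```

Per-source rate catches a handful of loud sources, which is what an ad-hoc, tool-driven protest looks like in the logs. A flood spread over thousands of addresses that each stay under the threshold needs aggregate per-path rates instead, so treat this as the first cut rather than the whole detection.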

Apple Java update fixes security hole

Apple on Monday released Java for Mac OS X 10.5 Update 4 and Java for Mac OS X 10.4 Release 9, two updates that "deliver improved reliability, security and compatibility." Both are available through the Software Update system preference, or for download from Apple's Web site.

Microsoft Issues Record 31 Patches for Bugs in Windows, IE, Office Apps

Microsoft last week issued 10 security updates that patched a record 31 vulnerabilities -- 18 marked "critical" -- in Windows, Internet Explorer, Excel, Word, Windows Search and other programs.

Open Government Could Lead to Data Leaks

The Obama administration's goal of making government data more open and accessible is elevating the need for standardized data classification and information management approaches across federal agencies, security experts say.

Lawmakers Fear White House Cybersecurity Czar Would Undercut DHS Role

Just days after President Obama announced his plan to appoint a new White House cybersecurity coordinator, lawmakers questioned the impact the move might have on the Department of Homeland Security's role.

Universities Cope with New Anti-Piracy Requirement

David Reis, director of IT security and policy at Thomas Jefferson University in Philadelphia, has been on what he calls a "nine-month journey" to figure out exactly how he's going to make sure his school doesn't break the law -- even though they were never in trouble in the first place.

GP surgery loses thousands of unencrypted patient records

A GP surgery in London has lost the details of 7,000 patients after burglars stole an external hard drive and backup tapes.

A Safe That Looks Like a Calculator

Safe Calculator is a neat little utility that pretends to be the basic Windows calculator when you launch it. In actuality, it's a safe that can take a single file and encrypt it, disappearing it into the application itself. This tiny, free utility would be useful on the go or when sharing a public computer, when you need to write something down and then hide it.

Security spending down in Asia-Pac

According to research firm Frost & Sullivan, the size of the Asia-Pacific network security market has dropped two-thirds in comparison to 2008's stellar figures.

Working with consultants

When the client and consultant are discussing problems and how the consultant could help, both parties must be conscious that a consultant always has two allegiances: to the manager hiring her and to the firm employing the manager.

UK E-Crime unit busts online iTunes, Amazon music scam

An international fraud ring, in which a gang allegedly made thousands of pounds downloading its own records from iTunes and Amazon with stolen credit cards has been cracked by the Metropolitan e-Crime Unit and the FBI, the Met claimed.

UK.gov to create central cybersecurity agency
A job for Jim Hacker

Secret operations currently carried out by parts of the intelligence and security services will be centralised in Whitehall as part of an ongoing major review of cybersecurity, according to a report.…

Drive-by Blackouting ?, (Mon, Jun 15th)

Talk about critical infrastructure protection. ...

Security pros find corporate firewall rules tough to navigate

By Eric Ogren

Tweaking rules could result in disrupting business communications or opening a hole for unauthorized traffic. Firewall management tools ease the burden.
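
As an added example (not from the article or from any firewall vendor's tooling), the two checks below cover the two failure modes the article names: a rule that a tweak shadows, so a business flow silently stays blocked, and a tweak that changes the verdict for a flow that must stay closed. The rule format, the rule names, the addresses and the test flows are all constructed for illustration; the rule set is first-match with an implicit deny at the end, which is how most stateful firewalls evaluate.

```python
"""Two sanity checks for a first-match firewall rule set, run before a change
is pushed: (1) which rules are shadowed by an earlier rule and can never fire,
and (2) which sample flows get a different verdict under the proposed rule set.

Added example; the rule format, names, addresses and flows are constructed
for illustration and are not taken from any vendor's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    proto: str                         # "tcp", "udp" or "any"
    src: str                           # CIDR
    dst: str                           # CIDR
    dport: Optional[Tuple[int, int]]   # inclusive port range, None = any port

    def matches(self, flow: Flow) -> bool:
        proto, src_ip, dst_ip, dport = flow
        if self.proto not in ("any", proto):
            return False
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport[0] <= dport <= self.dport[1]

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` matches is also matched by this rule."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        if self.dport is None:
            port_ok = True
        elif other.dport is None:
            port_ok = False
        else:
            port_ok = self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]
        return proto_ok and src_ok and dst_ok and port_ok


def verdict(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an implicit deny sits at the end of the list."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule that fully covers it) pairs. A shadowed rule never
    fires whatever its action, so an 'allow' added below a catch-all deny
    silently fails to open the flow it was meant to open. Only single-rule
    shadowing is checked; a rule covered by the union of several earlier
    rules is not reported."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


def policy_diff(old: List[Rule], new: List[Rule], flows: List[Flow]):
    """Flows whose verdict changes between the two rule sets, as
    (flow, old_verdict, new_verdict). Feed it the flows the business depends
    on plus the ones that must stay blocked."""
    return [(f, verdict(old, f), verdict(new, f))
            for f in flows if verdict(old, f) != verdict(new, f)]


# Constructed rule sets: the "tweak" widens the SSH source to the whole
# Internet and appends a database allow below the catch-all deny.
OLD_RULES = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),
    Rule("allow-admin-ssh", "allow", "tcp", "10.0.9.0/24", "10.0.1.0/24", (22, 22)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]
NEW_RULES = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),
    Rule("allow-admin-ssh", "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", (22, 22)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
    Rule("allow-db", "allow", "tcp", "10.0.2.0/24", "10.0.1.0/24", (5432, 5432)),
]

# Constructed test flows: public web, public SSH, admin SSH, app-to-db.
FLOWS: List[Flow] = [
    ("tcp", "203.0.113.5", "10.0.1.10", 443),
    ("tcp", "203.0.113.5", "10.0.1.10", 22),
    ("tcp", "10.0.9.7", "10.0.1.10", 22),
    ("tcp", "10.0.2.4", "10.0.1.20", 5432),
]

if __name__ == "__main__":
    for name, by in shadowed(NEW_RULES):
        print(f"rule {name!r} is shadowed by {by!r} and will never fire")
    for flow, before, after in policy_diff(OLD_RULES, NEW_RULES, FLOWS):
        print(f"{flow}: {before} -> {after}")
```

On the constructed change the checks report exactly the two problems: the new database rule is shadowed by the catch-all deny, so the application still cannot reach its database, and SSH from the Internet flips from deny to allow. Keeping a maintained list of must-work and must-stay-blocked flows is what turns the diff into a regression test for every future rule edit.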

Twitter Security in Spotlight with Month of Twitter Bugs

Security researcher Aviv Raff is launching a Month of Twitter Bugs in July to call attention to security issues affecting the microblogging service. As part of the initiative, Raff says he will publish a new third-party Twitter service vulnerability every day.
- A security researcher has painted a bull's eye on Twitter starting July 1 in the "Month of Twitter Bugs." The project is a spin on the "Month of Browser Bugs" initiative launched in July 2006. Three years later, Israeli security researcher Aviv Raff who also participated in...

Apple's Mac Isn't as Secure as Some Want Us to Believe

NEWS ANALYSIS: Mac OS X is widely considered the most secure operating system around. But is it really as secure as Apple and its supporters want us to believe?
- Apple and its supporters want everyone to know that Mac OS X is a secure operating system that easily bests Microsoft's Windows platform. They contend that because Mac OS X hasn't had nearly the number of security outbreaks that Windows has, it's more secure. And some contend that Mac OS X do...

Chinese Web Filtering Plans Come Under Attack

The Chinese government has ordered the makers of the Green Dam Youth Escort Web filtering program to fix any software vulnerabilities. The Chinese government's plan to mandate that all PCs sold in the country include the software has come under fire from critics accusing the software's designers of stealing code from a U.S.-based vendor. Other critics have raised concerns about censorship.
- A Chinese company behind an Internet filtering program backed by the Chinese government is fighting back against critics as it looks to address reported software vulnerabilities. The company, Jinhui Computer System Engineering, has been accused of using pirated technology from U.S.-based Soli...

Re-evaluating IT Security

In this eWEEK podcast hosted by Mike Vizard, Sophos Chief Marketing Officer Rainer Gawlick talks about how the security landscape is changing in the face of new economic realities and more complicated threats.
- Audio Podcast Content....

Apple Patches Java Flaws, At Last

In New Patches

Apple on Monday shipped updates to plug more than two dozen security holes in its version of Java, including a particularly dangerous flaw that Java maker Sun patched back in early December. Last month, Security Fix and others took Apple to task for taking too long to fix Java vulnerabilities. In fact, I found that Apple patches Java flaws on average about six months after Sun had shipped its own updates to fix the same vulnerabilities. At least two different researchers even released proof-of-concept exploits to shame Apple into quickly fixing an easy-to-exploit vulnerability that potential attackers had known about for six months. This Java update appears to address most of the outstanding Java vulnerabilities. From looking at the common vulnerabilities and exposures (CVE) numbers attached to each of the flaws fixed by Apple's Java rollup, it looks like this update brings Mac OS X systems to the equivalent of

SB09-166: Vulnerability Summary for the Week of June 8, 2009

Vulnerability Summary for the Week of June 8, 2009

MS09-027 - Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)

Bulletin Severity Rating: Critical - This security update resolves two privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS09-026 - Important: Vulnerability in RPC Could Allow Elevation of Privilege (970238)

Bulletin Severity Rating: Important - This security update resolves a publicly disclosed vulnerability in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The vulnerability could allow an attacker to execute arbitrary code and take complete control of an affected system. Supported editions of Microsoft Windows are not delivered with any RPC servers or clients that are subject to exploitation of this vulnerability. In a default configuration, users could not be attacked by exploitation of this vulnerability. However, the vulnerability is present in the Microsoft Windows RPC runtime and could affect third-party RPC applications.

MS09-025 - Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)

Bulletin Severity Rating: Important - This security update resolves two publicly disclosed and two privately reported vulnerabilities in the Windows kernel that could allow elevation of privilege. An attacker who successfully exploited any of these vulnerabilities could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

MS09-024 - Critical: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)

Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in the Microsoft Works converters. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-023 - Moderate: Vulnerability in Windows Search Could Allow Information Disclosure (963093)

Bulletin Severity Rating: Moderate - This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not installed on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability.

MS09-022 - Critical: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)

Bulletin Severity Rating: Critical - This security update resolves three privately reported vulnerabilities in Windows Print Spooler. The most severe vulnerability could allow remote code execution if an affected server received a specially crafted RPC request. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

MS09-021 - Critical: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)

Bulletin Severity Rating: Critical - This security update resolves several privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS09-020 - Important: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)

Bulletin Severity Rating: Important - This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user. Successful exploitation of these vulnerabilities would still restrict the attacker to the permissions granted to the anonymous user account by the file system ACLs.

MS09-019 - Critical: Cumulative Security Update for Internet Explorer (969897)

Bulletin Severity Rating: Critical - This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-018 - Critical: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)

Bulletin Severity Rating: Critical - This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Microsoft Security Bulletin Summary for June 2009

Revision Note: V1.1 (June 10, 2009): Corrected the rating and key notes for CVE-2009-1138 in the Exploitability Index.

Summary: This bulletin summary lists security bulletins released for June 2009.

Cisco Security Center: IntelliShield Cyber Risk Report

June 8-14, 2009

Report Highlight: T-Mobile Data Extortion Attack

With Unrest in Iran, Cyber-attacks Begin

Activists have taken down key media and state Web sites in Iran, using denial of service attacks.

Tuesday June 16, 2009 - Google Alerts

"cyber security" | cyber security | information security | computer security

Gartner to outline security trends in upcoming Information ...

NetworkWorld.com - 15 hours ago

By Ellen Messmer, Network World, 06/15/2009. When it comes to information security, should companies be buying best-of-breed products from a number of ...

Green Dam Maker Ordered to Fix Security Holes

Wall Street Journal - 21 hours ago

"We are specialists in producing Internet filtering software rather than security," Zhang said, according to the China Daily. Last week, researchers at ...

China says unpopular filtering software optional - The Associated Press

Cracks appear in China's Green Dam - Asia Times Online

China backs down over controversial censorship software - guardian.co.uk

Apple Fixes Java Security Hole

InformationWeek - 13 hours ago

In a patch summary posted Monday, Apple states, "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, ...

Apple Fixes Six-Month-Old Java Bug For Leopard, Tiger - ChannelWeb

Apple finally patches musty old Java for Mac vulnerabilities - ZDNet

Apple Issues Java Security Updates For OS X 10.4, 10.5 - InformationWeek

Homeland Security keeps cybersecurity role

FCW.com - 21 hours ago

By Ben Bain. President Barack Obama's decision to appoint a cybersecurity coordinator in the White House doesn't appear to be the Homeland Security ...

IG: DHS Intel folks need cyber education - Nextgov

Lawmakers fear White House cybersecurity czar would undercut DHS role - Computerworld

Oversight Challenges of DHS Intelligence - HSToday

Beware of the Information Security Inertia Syndrome

TechNewsWorld - 1 hour ago

His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure ...

Add Data Security to the Menu

Restaurants & Institutions - Jun 15, 2009

Aside from performing background checks and hiring honest employees, restaurateurs need to establish an information security policy and ensure the systems ...

Ecommerce Know-How: Be Ready to Go Beyond PCI DSS Compliance - Practical Ecommerce

AP IMPACT: Weak security enables credit card hacks - The Associated Press

Credit Card Processors Fail To Ensure Security For Consumers - RedOrbit

US, Mexico pledge increased border cooperation

Bizjournals.com - 12 hours ago

US Homeland Security Secretary Janet Napolitano signed an agreement Monday with Mexican Minister of Finance and Public Credit Agustín Carstens that promises ...

US may help train Mexican customs agents - CNN

US and Mexico agree to improve customs - The Associated Press

Secretary Napolitano and Mexican Finance Minister Agustín Carstens ... - 7thSpace Interactive (press release)

Miami-Dade Metrorail security guard shot to death

MiamiHerald.com - 5 hours ago

By Jose Pagliery. For much of his life, security guard Chevor Wint had trained for that one moment. The one where he'd stop the bad guys, save a life, ...

Security Guard Shot, Killed - WPLG

Miami-Dade police investigate security guard shooting - Sun-Sentinel.com

Murder Miami Style: Earlington Heights Metrorail Station - Miami New Times

F5 Offers FIPS Security on Its Big-IP App Delivery Controller

eWeek - 20 hours ago

F5 Networks is enhancing the performance and security around SSL-encrypted data to meet the FIPS specifications. The move means that the F5 product is ...

F5 Networks Announces BIG-IP 6900 Application Delivery Controller - TMCnet

F5's New BIG-IP Solution Enables Global Organisations to ... - CIO Australia

F5 Helps Government, Financial, and Healthcare Customers Uphold ... - MarketWatch

US Creates Military Cyber Command to Defend Computer Networks

Voice of America - 14 hours ago

That effort will be led by a Cyber Security Coordinator - a new position President Barack Obama says he will soon create at the White House. ...

Wanted: 10000 Security Experts - Enterprise IT Planet

DOD sees clear lines of authority for cybersecurity - Nextgov

Cybersecurity Poses 'Unprecedented Challenge' to National Security ... - Australia.TO
