Sunday, July 5, 2009

Around The Horn vol.1,132

Apple patching critical SMS vulnerability in iPhone OS

By chris.foresman@arstechnica.com (Chris Foresman) on vulnerability

Security researcher Charlie Miller has revealed that Apple is working on a patch for a security flaw he identified in the iPhone's SMS implementation. The flaw can actually lead to arbitrary code execution, as he explained to Ars last month. Miller hasn't yet detailed the flaw, citing an agreement with Apple, though he and partner Vincenzo Iozzo plan to detail their discovery later this month at the Black Hat Security Conference in Las Vegas.

During a presentation at the SyScan security conference in Singapore, Miller explained that a vulnerability in the iPhone's handling of SMS messages makes it possible to send code instead of strictly text. Despite SMS's 140 byte size limitation, the iPhone can reassemble larger messages that are broken up to fit the limitation, which allows larger programs to be sent. The iPhone can be instructed to execute SMS data as code instead of text, and when it executes the code it does so with root privileges and without any interaction from the user.
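The reassembly step described above is what turns a 140-byte channel into a carrier for an arbitrarily long payload. The following is an added example, not Apple's code and not Miller's research: a parser for the User Data Header (UDH) that carries the concatenation information element (IEI 0x00 with an 8-bit reference, IEI 0x08 with a 16-bit one, per 3GPP TS 23.040), a receiver that buffers parts and joins them once all have arrived, and the sender-side splitter. It assumes 8-bit data coding (binary payload), the sender address is a constructed string, and the 512-byte payload is constructed for the demonstration. Every length byte is bounds-checked before use, which is the check a parser in this position must get right.

```python
from typing import Dict, List, Optional, Tuple

MAX_USER_DATA = 140  # octets of TP-User-Data in one SMS (8-bit data coding)
IEI_CONCAT_8 = 0x00  # concatenation IE with an 8-bit message reference
IEI_CONCAT_16 = 0x08  # concatenation IE with a 16-bit message reference


def parse_udh(user_data: bytes) -> Tuple[Dict[int, bytes], bytes]:
    """Split TP-User-Data (UDHL | (IEI, IEDL, IED)* | payload) into IEs and payload.

    Each length byte is checked against the buffer before it is used, so a
    forged header cannot make the parser read past the end of the message.
    """
    if not user_data or len(user_data) > MAX_USER_DATA:
        raise ValueError("user data must be 1..140 octets")
    udhl = user_data[0]
    header = user_data[1:1 + udhl]
    if len(header) != udhl:
        raise ValueError("UDHL runs past the end of user data")
    ies: Dict[int, bytes] = {}
    pos = 0
    while pos < udhl:
        if pos + 2 > udhl:
            raise ValueError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        ied = header[pos + 2:pos + 2 + iedl]
        if len(ied) != iedl:
            raise ValueError("IE data runs past the end of the UDH")
        ies[iei] = ied
        pos += 2 + iedl
    return ies, user_data[1 + udhl:]


def concat_info(ies: Dict[int, bytes]) -> Optional[Tuple[int, int, int]]:
    """Return (reference, total_parts, seq) if the UDH carries a concatenation IE."""
    if IEI_CONCAT_8 in ies:
        ied = ies[IEI_CONCAT_8]
        if len(ied) != 3:
            raise ValueError("8-bit concatenation IE must be 3 octets")
        ref, total, seq = ied[0], ied[1], ied[2]
    elif IEI_CONCAT_16 in ies:
        ied = ies[IEI_CONCAT_16]
        if len(ied) != 4:
            raise ValueError("16-bit concatenation IE must be 4 octets")
        ref, total, seq = int.from_bytes(ied[:2], "big"), ied[2], ied[3]
    else:
        return None
    # seq is 1-based; a part numbered 0 or above total has no slot to land in
    if total == 0 or not 1 <= seq <= total:
        raise ValueError("concatenation sequence out of range")
    return ref, total, seq


class Reassembler:
    """Buffers parts per (sender, reference) and joins them once all have arrived."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, int], Tuple[int, Dict[int, bytes]]] = {}

    def feed(self, sender: str, user_data: bytes) -> Optional[bytes]:
        ies, payload = parse_udh(user_data)
        info = concat_info(ies)
        if info is None:
            return payload  # single-part message, nothing to reassemble
        ref, total, seq = info
        key = (sender, ref)
        stored_total, parts = self._pending.setdefault(key, (total, {}))
        if stored_total != total:
            # a part that disagrees about the message size is stale or forged
            del self._pending[key]
            raise ValueError("part count differs from earlier parts")
        parts[seq] = payload
        if len(parts) < total:
            return None  # still waiting for more parts
        del self._pending[key]
        return b"".join(parts[s] for s in range(1, total + 1))


def split_message(payload: bytes, reference: int) -> List[bytes]:
    """Sender side: fragment a binary payload into parts with an 8-bit concatenation UDH."""
    header = 6  # UDHL(1) + IEI(1) + IEDL(1) + ref, total, seq (3)
    room = MAX_USER_DATA - header  # 134 payload octets per part
    chunks = [payload[i:i + room] for i in range(0, len(payload), room)] or [b""]
    total = len(chunks)
    if total > 255:
        raise ValueError("too many parts for an 8-bit part counter")
    return [bytes([5, IEI_CONCAT_8, 3, reference & 0xFF, total, seq]) + chunk
            for seq, chunk in enumerate(chunks, start=1)]


def demo() -> bytes:
    """Constructed 512-octet payload sent as four parts and delivered out of order."""
    payload = bytes(range(256)) * 2
    parts = split_message(payload, reference=0x2A)
    rx = Reassembler()  # constructed sender address below
    result = None
    for part in reversed(parts):
        result = rx.feed("+15555550100", part)
    return result
```

The point of interest for a receiver is not the happy path but the header fields an attacker controls: the UDHL, each IEDL, and the part counter and sequence number. The parser above refuses any of them that would index outside the buffer, and the reassembler drops a message whose parts disagree about its size rather than trusting the latest part.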

Symantec's Ramzan on solving the antivirus puzzle

By Elinor Mills

As technical director and architect at Symantec, Zulfikar Ramzan spends his time trying to outsmart the virus writers responsible for the onslaught of malware that infects millions of computers on a daily basis.

Ramzan, 33, talked with CNET News this ...

This time, the Brits get free money!

By Rik Ferguson on email

A new UK focused spam run is hitting spam traps and inboxes this morning. In what has become standard phishing style and very similar to the Australian tax spam last month, this time it is the British who qualify for a “tax refund”.   The original spam mail (below) purports to come from Her Majesty’s Revenue & [...]

InformationWeek Analytics: Data Loss Prevention

Security pros continue the shift from protecting systems to protecting data, and it's about time. Technologies like data loss prevention purport to help. Here's what you need to know about this emerging discipline.

Strategic Security: Web Single Sign-On

A growing number of services help users manage multiple SaaS passwords.

Rolling Review: Code Green's DLP Appliance

Code Green's CI 1500 Content Inspection Appliance shines at pattern matching.

Rollout: Egress Secure File Transfer

The Egress service uses SaaS to make securely sending files a snap.

Practical Analysis: Why Aren't We Better At Protecting Data?

Knowing where your peers have failed to protect data is the first step in crafting an effective data protection policy.

Apple Planning Fix For iPhone SMS Flaw

An SMS vulnerability in Apple's iPhone is slated for disclosure at the Black Hat conference later this month. Apple is reportedly rushing to get a fix ready.

Suit over China's Web filter to target Lenovo, Acer, Sony

A U.S. company will seek legal action against Lenovo, Acer and Sony next week over their shipment in China of controversial software that the company says stole its programming code.

RSA's Coviello: Cloud computing not secure enough

Cloud-based services are being rolled out without enough attention being paid to securing these services and the information they handle. That was the finding of a recent study commissioned by RSA Security.

McAfee false-positive glitch fells PCs worldwide
When AV attacks

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death.…

Kentucky payroll phishing scam nets small fortune
Bluegrass county hit by Trojan-fueled cybercrime

A gang of cybercrooks has made off with $415,000 from the coffers of Bullitt County, Kentucky following the conclusion of an elaborate phishing scam, The Washington Post reports.…

Latin Best Buy surfers sprayed by drive-by download malware
¡Ay, Caramba!

Hackers have invaded the Best Buy website to plant exploit code targeted at South and Central American surfers.…

A practical guide to disaster recovery planning
Two papers for smaller businesses

Typically, vendor white papers are written with the ITDM or senior ITDM at a large company, in mind. [ITDM is industry jargon for "IT decision maker", since you ask.] People working at smaller companies are rather less well served, in quantity and quality. So today we focus our Reg Library selection on a couple of good papers aimed at small and medium-sized businesses.…

Hackers crack ColdFusion
Drive-by download attack hits multiple hosts

Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.…

Happy 4th of July!, (Fri, Jul 3rd)

Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, ...(more)...

BCP/DRP, (Fri, Jul 3rd)

Question, what do Bing.com and Authorize ...(more)...

FCKEditor advisory, (Fri, Jul 3rd)

FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnera ...(more)...

Authorize.net down, (Fri, Jul 3rd)

The credit card payment gateway authorize.net is currently down ...(more)...

Apple iPhone 3GS Jailbreaking Tool Hits the Street

The hacker who made the news in 2007 for unlocking Apple's first iPhone has released a new application for jailbreaking the iPhone 3GS. The tool is currently available for Windows only.
- George Hotz, the 19-year-old hacker who made headlines for unlocking Apple's original iPhone, has now released the first-known jailbreaking tool for the iPhone 3GS. The tool, called purplera1n, is only available for versions of the Windows operating system - excluding Windows 7 - at the moment, but H...

News: iPhone crashing bug could lead to serious exploit

You don't know tech: The InfoWorld news quiz (InfoWorld)

InfoWorld - You win some; you lose some. This week China decided its Web censorship filtering software was not quite ready for prime time, while U.S. courts sentenced phone hackers and file swappers to some crime time.

Symantec Releases Norton 2010 Betas (PC Magazine)

PC Magazine - The public beta-test editions of Norton Internet Security 2010 and Norton AntiVirus 2010 will focus on reputation-based malware detection—a technology that can detect zero-day malware that's never been seen before.

Well-honed Attacks Sneak Under the Radar

Examples of 'bait files' show that the targeted attacks may be hard to spot.

RSA's Coviello: Cloud Computing Not Secure Enough

Cloud-based services are being rolled out without enough attention being paid to security, according to a RSA Security study.

Report: Problems stymie U.S. cyberspy protection

By Natalie Weinstein

Twin obstacles of technical problems and privacy issues are holding back the overarching system created to protect the federal government's computers from cyberspies, according to The Wall Street Journal.

"The latest complete version of the system, known as Einstein, won't be fully installed for 18 months, according to ...

More on ColdFusion hacks, (Sun, Jul 5th)

Thanks to our reader Adam we received some additional information regarding recent ColdFusion hacks. ...(more)...
