Chrome adds defence for cross-site scripting attacks, already busted
By Robert A. on XSS
"The 4.0.207.0 release uses a reflective XSS filter that checks each script before it executes to check if the script appears in the request that generated the page. Should it find a match, the script will be blocked. According to Chromium developer Adam Barth, the developers plan to post an academic...
WASC Distributed Open Proxy Honeypot Shows Brute Force Attacks Against Yahoo
By Robert A. on WASC
Fellow WASC officer Ryan Barnett has published findings pertaining to a distributed brute force attack against Yahoo's login pages as part of his findings for the WASC Distributed Open Proxy Honeypot Project. For those not aware of this project, Ryan leads an initiative where people run open relay proxies and...
CNET News - Security
Study: eBay, Yahoo among most trusted companies
By Elinor Mills
eBay is the most trusted company in terms of privacy, and Yahoo and Facebook are among the Top 10, according to a new report released on Wednesday.
Following eBay is Verizon, the U.S. Postal Service, WebMD, IBM, Procter & Gamble, Nationwide and Intuit, with Yahoo and Facebook in the ninth ...
Originally posted at InSecurity Complex
Norton 2010 in pictures
By Seth Rosenblatt
Norton Internet Security 2010
Symantec is betting heavily that program behavior is the future battlefront of security and is making a big push in its 2010 security program lineup with a behavioral engine called Quorum. Take a tour of Norton Internet Security 2010 in this slideshow, and keep in mind that the look is ...
Originally posted at The Download Blog
New scam adds live chat to phishing attack
By Elinor Mills
Updated 4 p.m. PDT throughout with minor additional details.
Online scammers have created a phishing site masquerading as a U.S.-based bank that launches a live chat window where victims are tricked into revealing more information, researchers at the RSA FraudAction Research Team said on Wednesday.
After a ...
Originally posted at InSecurity Complex
Web 2.0 security risks scrutinized
By Vivian Yeo
Web 2.0 sites that enable people to create content are increasingly used to carry out a wide range of attacks, according to a new security study.
Websense's "State of Internet Security" (PDF), released Tuesday, notes that attackers are focusing their attention on interactive Web 2.0 elements. Some ...
Apple explains iPhone OS 3.1 Exchange changes
By Jim Dalrymple
iPhone and iPhone 3G users hit a roadblock last week trying to log in to Exchange 2007 servers after upgrading to iPhone OS 3.1.
(Credit: Apple)
Because the problems began with the latest update, it may seem reasonable to assume that the update is to blame, but it's not. ...
Originally posted at News - Apple
Ads--the new malware delivery format
By Elinor Mills
Instead of hacking into major online sites to embed malware, malicious hackers are going in through the front door by exploiting security holes in systems for delivering ads.
It happened just days ago, for instance, to the Web site of The New York Times. The newspaper company informed readers on Sunday ...
Originally posted at InSecurity Complex
Cyberdefenses are misdirected, report says
By Manek Dubash
Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization.
As a result, two security risks--Web applications and phishing--carry the greatest potential for damage, even ...
Rogue ad hits New York Times site
By Steven Musil
Updated at 5:50 p.m. PDT September 14 with explanation from The New York Times.
The New York Times' Web site is grappling with problems created by an "unauthorized advertisement," but it is unknown how the ads managed to appear on the site and whether the site had been ...
Hacker pleads guilty to ID thefts netting millions
By Elinor Mills
Albert Gonzalez
(Credit: U.S. Secret Service via Wikipedia)
A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty on Friday and agreed to forfeit more than $2.7 million in restitution, as well as a condo, jewelry, and a car.
Albert ...
Originally posted at InSecurity Complex
CounterMeasures
Rik Ferguson blogs about security issues.
New York Times pushes Fake AV malvertisement.
By Rik Ferguson on web
Earlier today, the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes.com readers” relating to a malicious pop-up window while browsing the site. In the warning, the influential newspaper stated their belief that the pop-ups [...]
Darknet - The Darkside
Ethical Hacking, Penetration Testing & Computer Security
Flawfinder – Source Code Auditing Tool
By Darknet on static analysis tool
Flawfinder is a program that examines source code and reports possible security weaknesses (flaws) sorted by risk level. It’s very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. It’s a static analysis source code auditing tool. Flawfinder is specifically designed to be easy [...]
FreeBSD Local Root Escalation Vulnerability
By Darknet on vulnerabilities
It’s been a long time since we’ve heard about a problem with FreeBSD, partly because the mass of people using it isn’t that large and partly because BSD tends to be pretty secure as operating systems go. It’s a pretty serious flaw this time, with root escalation; thankfully it’s only a local exploit though and not [...]
4f: The File Format Fuzzing Framework
By Darknet on fuzzing-tool
4f is a file format fuzzing framework. 4f uses modules which are specifications of the targeted binary or text file format that tell it how to fuzz the target application. If 4f detects a crash, it will log crucial information important for allowing the 4f user to reproduce the problem and also debugging information important [...]
DarkReading - All Stories
DarkReading
Microsoft Gives Away Free Fuzzer, Secure Development Tool
More Security Development Lifecycle tools, ROI paper released
Defense Worker Arrested After Accessing Unauthorized Data
Defense employee charged with unauthorized access of terrorist system operated by Army, FBI
SANS Report: 60% Of All Attacks Hit Web Applications, Most In The U.S.
New attack data shows organizations are missing the mark in their security priorities as client-side application flaws, Web flaws dominate as attack vectors
DNS Cloud Security Services Arrive
OpenDNS offers new subscription-based secure DNS service, other vendors' DNS services to follow
Hacker Hits RBS WorldPay Systems Database
Romanian hacker says he discovered a SQL injection flaw on a WorldPay application, RBS says no merchant or cardholder data was compromised
DarkReading - Security News
DarkReading
Compound Profit Launches Revolutionary C-Media Mail Digital Marketing Engine
Prundo.com, a New Website, Helps Car Owners Save Money on Auto Repairs
eWeek Security Watch
Database Security Truths: Orgs Still Struggling to Herd Info
In Trojan attacks
Database security experts maintain that companies are still struggling mightily to understand where all of their critical data resides, and who has access to it.
SANS: Un-Patched Client Side Apps Taking Toll
In Vulnerability Research
Client side vulnerabilities are leaving many organizations open to targeted spear phishing and other attacks, according to experts with SANS.
Google Groups Gamed by Trojan
In Virus and Spyware
Attackers are using Google Groups to test a new variation of Web 2.0 Trojan control.
Microsoft Backports Windows 7 Security Change to XP, Vista
In Virus and Spyware
Microsoft has backported changes it made to its AutoRun and AutoPlay functionality in Windows 7 to other versions of the operating system, including Windows Vista, Windows XP and Windows Server 2003 and 2008.
NYTimes.com Users Hit by Malicious Ad
In Phishing and Fraud
Some online readers of the New York Times were served a malicious advertisement over the weekend that tried to trick them into downloading bogus anti-virus software. The use of malicious ads on legitimate sites is just another tactic attackers are using to get their hands on your computers and your money.
Apple Fixes Adobe Flash Player Issue in Snow Leopard Upgrade
In Vulnerability Research
A week after security researchers raised concerns, Apple has updated Snow Leopard and stopped downgrading users to a vulnerable version of Adobe Flash Player. Apple also issued a massive update for older versions of the operating system this week.
Federal Computer Week: Security News
IG: DHS needs better management for OneNet
DHS needs better management for its project to consolidate its agencies' network infrastructures, the department's inspector general found.
Intell agencies plan to beef up cybersecurity
Stopping cyber threats is a top priority for intelligence agencies during the next four years, according to a new national strategy.
Kundra's great experiment: Government apps 'store front' opens for business
An online storefront where federal agencies can purchase cloud computing technology was launched today.
Video of Serena Williams' outburst could go viral—literally
The people who create vehicles for the surreptitious delivery of malware are nothing if not timely, as they demonstrated over the weekend by exploiting interest in tennis star Serena Williams.
Pressure builds on Obama to appoint cybersecurity coordinator
The co-chairmen of the House Cybersecurity Caucus say the continued absence of a White House cybersecurity coordinator impedes agencies' abilities to update their cyber policies.
Immigration agency to outsource disaster recovery plans
The Office of the CIO for U.S. Immigration and Customs Enforcement is looking for a contractor that can take over disaster recovery planning and management.
Report: ICE needs better database to track detainees
The DHS agency needs better information systems and databases to track its 32,000 detainees and ensure good management, a report recommends.
Pointers: Recommended reading
Lessons learned from data breaches; Password hackers on the loose; the Internet and civic engagement; and Twitter guidelines.
NARA digs out of digital avalanche
The National Archives is under mounting pressure to help the federal government manage its rapidly growing store of electronic records.
NARA's top 10 management challenges
The Office of Inspector General recently listed what it considers the most significant challenges facing the agency.
NRC, FERC to cooperate on cybersecurity for nuke plants
Regulatory commissions will coordinate to protect nuclear power facilities.
Info Security News (isn) Mailing List
Carries news items (generally from mainstream sources) that relate to security.
IRS nearly resolves one security threat, receives incomplete on others
Posted by InfoSec News on Sep 17
http://www.nextgov.com/nextgov/ng_20090915_8372.php
By Jill R. Aitoro
NextGov.com
09/15/2009
The Internal Revenue Service showed mixed results in its effort to reduce security risks associated with laptops and a system that processes individual income tax returns, according to the...
Breaking in New Sport, Dutch Sweat Small Stuff
Posted by InfoSec News on Sep 17
http://www.nytimes.com/2009/09/16/world/europe/16amsterdam.html
By John Tagliabue
New York Times
September 15, 2009
AMSTERDAM -- People of this free-spirited Dutch city, known for its legal prostitution and easy marijuana, have found another pastime that flirts with convention and the...
Peiter Zatko for CyberSecurity Czar
Posted by InfoSec News on Sep 17
http://www.ipetitions.com/petition/mudge4cyberczar/
This petition is posted in support of the nomination of Peiter Zatko (aka mudge) to the President's post of Cybersecurity Chief. We've all seen how effective past efforts have been regarding this initiative, and realize the importance of...
Financial Crypto and Data Security 2010: Deadline Extended to September 23.
Posted by InfoSec News on Sep 17
Forwarded from: Radu Sion <sion (at) moon.crypto.cs.stonybrook.edu>
Dear Colleagues,
As requested by many of you, we are extending the main FC submission deadline to September 23, 11:59pm, Pacific time. Please note that the acceptance notification deadline is also now extended to...
Safety first for IT executives in China
Posted by InfoSec News on Sep 17
http://www.crn.com.au/News/155836,safety-first-for-it-executives-in-china.aspx
By Sholto Macpherson
CRN.com.au
Sept 16, 2009
Senior executives in US IT companies have been advised by the US Government to follow extremely strict policies for visits to China which extend far beyond...
Health IT Data Breaches: No Harm, No Foul
Posted by InfoSec News on Sep 17
http://www.eweek.com/c/a/Health-Care-IT/Health-IT-Data-Breaches-No-Harm-No-Foul-293398/
By Roy Mark
eWEEK.com
2009-09-16
Data breach notification rules for health entities covered by the Health Insurance Portability and Accountability Act take effect Sept. 23. Under the rules issued by...
Microsoft Gives Away Free Fuzzer, Secure Development Tool
Posted by InfoSec News on Sep 17
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220000750
By Kelly Jackson Higgins
DarkReading
Sept 16, 2009
Microsoft continued efforts to spread its own secure software development program with today's release of a free fuzzer and tool for analyzing binary...
Computer network experts test security at conference
Posted by InfoSec News on Sep 16
http://www.greatfallstribune.com/article/20090915/NEWS01/909150313
By John S. Adams
Tribune Capitol Bureau
September 15, 2009
HELENA - Brad Smith, director of the Helena-based Computer Institute of the Rockies, says there's a global war going on every day, though most of us are...
USENIX LEET 10 Call for Papers Submissions Deadline Approaching
Posted by InfoSec News on Sep 16
Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>
The Program Committee for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) invites you to contribute your work.
Now in its third year, LEET continues to provide a unique forum for the...
UF has security breach involving safety program
Posted by InfoSec News on Sep 16
http://www.gainesville.com/article/20090914/ARTICLES/909149900/-1/ENTERTAINMENT?Title=UF-has-security-breach-involving-safety-program-
By Nathan Crabbe
The Chalkboard Blog
September 14, 2009
The University of Florida announced a security breach Monday involving information from the...
Intell agencies plan to beef up cybersecurity
Posted by InfoSec News on Sep 16
http://fcw.com/articles/2009/09/15/web-nis-cybersecurity.aspx
By Ben Bain
FCW.com
Sept 15, 2009
Enhancing cybersecurity is a mission objective for intelligence agencies during the next four years, according to an unclassified version of the 2009 National Intelligence Strategy released...
IB calls for block of VoIP services citing security concerns
Posted by InfoSec News on Sep 16
http://www.telegeography.com/cu/article.php?article_id=30092&email=html
TeleGeography's CommsUpdate
15 September 2009
India's Intelligence Bureau (IB) has reportedly called on the Ministry of Communications and Information Technology to block all internet telephony services in and out...
Security Pros Are Focused on the Wrong Threats
Posted by InfoSec News on Sep 16
http://bits.blogs.nytimes.com/2009/09/15/security-pros-are-focused-on-the-wrong-threats/
By Riva Richmond
Bits
New York Times
September 15, 2009
Corporate information technology departments are prioritizing the wrong threats to their computer systems, focusing on old problems and leaving...
The other iPhone lie: VPN policy support
Posted by InfoSec News on Sep 16
http://www.infoworld.com/d/mobilize/other-iphone-lie-vpn-policy-support-865
By Galen Gruman
InfoWorld
September 15, 2009
It turns out that Apple's iPhone 3.1 OS fix of a serious security issue -- falsely reporting to Exchange servers that pre-3G S iPhones and iPod Touches had on-device...
Heartland CEO: Credit card encryption needed
Posted by InfoSec News on Sep 15
http://www.networkworld.com/news/2009/091409-heartland-ceo-credit-card-encryption.html
By Grant Gross
IDG News Service
09/14/2009
Credit card transactions in the U.S. are often not encrypted, and credit card vendors, payment processors and retailers need to embrace an encryption...
Homeland Security to More Than Double Staff for Cyber Threats
Posted by InfoSec News on Sep 15
http://www.bloomberg.com/apps/news?pid=20601087&sid=ayDCHq5H0CH8
By Jeff Bliss
Bloomberg
Sept. 14, 2009
The Department of Homeland Security plans by next year to more than double the number of employees in one of its cyber-security units, a department official said today.
The...
Join USENIX in Baltimore, MD, November 1-6, 2009, for LISA 09!
Posted by InfoSec News on Sep 15
Join us in Baltimore, MD, November 1-6, 2009, for LISA '09.
At LISA '09, "Put Theory into Practice." Find all the practical information you'll need to succeed during our 6-day program, which includes: in-depth tutorials by experts such as Mark Burgess, David N. Blank-Edelman, and...
DHS to review report on vulnerability in West Coast power grid
Posted by InfoSec News on Sep 15
http://www.computerworld.com/s/article/9138017/DHS_to_review_report_on_vulnerability_in_West_Coast_power_grid?taxonomyId=17
By Jaikumar Vijayan
September 14, 2009
Computerworld
The U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how...
Pressure builds on Obama to appoint cybersecurity coordinator
Posted by InfoSec News on Sep 15
http://fcw.com/articles/2009/09/14/web-cyber-coordinator-urged.aspx
By Ben Bain
FCW.com
Sept 14, 2009
The co-chairmen of the House Cybersecurity Caucus are urging President Barack Obama to quickly make good on his pledge to appoint a cybersecurity coordinator.
Reps. James Langevin...
Samsung Prepares for Next Possible Cyberattack
Posted by InfoSec News on Sep 15
http://www.koreaittimes.com/story/5025/samsung-prepares-next-possible-cyberattack
By Daniel Ko
Korea IT Times
September 14th, 2009
After the July 7th DDoS attack, Samsung plans to create a defense against the next possible cyberattack. Planning to spend whatever it takes, Samsung is...
DNS Cloud Security Services Arrive
Posted by InfoSec News on Sep 15
http://www.darkreading.com/securityservices/security/vulnerabilities/showArticle.jhtml?articleID=220000275
By Kelly Jackson Higgins
DarkReading
Sept 14, 2009
One of the first cloud-based secure DNS services was launched today amid intensified concerns over locking down vulnerable Domain...
Korea to train 3,000 cyber sheriffs
Posted by InfoSec News on Sep 14
http://www.koreaherald.co.kr/NEWKHSITE/data/html_dir/2009/09/14/200909140072.asp
By Cho Chung-un
The Korea Herald
September 14, 2009
The government will train 3,000 "cyber sheriffs" by next year to protect the country from future cyber attacks, officials said yesterday.
Cyber...
Rogue ad hits New York Times site
Posted by InfoSec News on Sep 14
http://news.cnet.com/8301-1009_3-10351460-83.html
By Steven Musil
Security
CNet News
September 13, 2009
The New York Times Web site is grappling with problems created by "an unauthorized advertisement," but it is unknown how the ads appeared on the site and whether the Web...
Hacker Pleads Guilty In Major Credit Card Theft
Posted by InfoSec News on Sep 14
http://www.informationweek.com/news/security/intrusion-prevention/showArticle.jhtml?articleID=220000036
By Antone Gonsalves
InformationWeek
September 12, 2009
A hacker accused of stealing tens of millions of credit and debit card numbers in one of the largest computer break-ins in U.S....
Hacker Hits RBS WorldPay Systems Database
Posted by InfoSec News on Sep 14
http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220000005
By Kelly Jackson Higgins
DarkReading
Sept 11, 2009
A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on...
Linux webserver botnet pushes malware
Posted by InfoSec News on Sep 14
http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/
By Dan Goodin in San Francisco
The Register
12th September 2009
A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute...
Ex-emergency dispatch agency director given 6 months jail for illegal background checks
Posted by InfoSec News on Sep 14
http://www.suntimes.com/news/24-7/1764493,illegal-background-checks-sentence-091109.article
BY DAN ROZEK
Staff Reporter
Chicago Sun-Times
September 10, 2009
Steven R. Cordes wanted to help his girlfriend keep tabs on who her teenage daughter was dating and hanging out with.
So...
Linux Advisory Watch - September 11th 2009
Posted by InfoSec News on Sep 14
LinuxSecurity.com Weekly Newsletter, September 11th, 2009, Volume 10, Number 37 ...
Non-Profit Targets Cyber-Security in Plants
Posted by InfoSec News on Sep 14
http://www.managingautomation.com/maonline/news/read/NonProfit_Targets_CyberSecurity_in_Plants_33037
By Stephanie Neil
MA Editorial Staff
September 12, 2009
The move from proprietary, non-networked control systems in the plant to off-the-shelf, open applications that share information...
Les Hinton to give evidence to Commons phone-hacking inquiry
Posted by InfoSec News on Sep 11
http://www.guardian.co.uk/media/2009/sep/10/les-hinton-phone-hacking
By Leigh Holmwood
guardian.co.uk
10 September 2009
The Commons culture, media and sport select committee has confirmed that former News International executive chairman Les Hinton will give evidence to its inquiry into...
Aural Messes: Lindsay Lohans Voicemail Life
Posted by InfoSec News on Sep 11
http://animalnewyork.com/2009/09/aural-messes-lindsay-lohans-voicemail-life/
By Bucky Turco
animalnewyork.com
September 10, 2009
In the spring of 2008, LiLo made the unfortunate decision to post her private information -- including her cellphone number -- on Facebook, which was soon...
Apple unloads 47 fixes for iPhones, Macs and QuickTime
Posted by InfoSec News on Sep 11
http://www.theregister.co.uk/2009/09/11/apple_security_updates/
By Dan Goodin
The Register
11th September 2009
Apple has issued fixes for more than 47 security bugs in the Mac, iPhone and QuickTime media player, some of which allowed attackers to take complete control of the underlying...
Lax security left employees data vulnerable
Posted by InfoSec News on Sep 11
http://www.ajc.com/news/lax-security-left-employees-134909.html
By Aaron Gould Sheinin
The Atlanta Journal-Constitution
September 9, 2009
An audit of state government's accounting office found lax computer security that left thousands of state employees' personal information vulnerable...
Printer makers mum on new security standard
Posted by InfoSec News on Sep 11
http://www.zdnetasia.com/news/security/0,39044215,62057613,00.htm
By Vivian Yeo
ZDNet Asia
September 09, 2009
New security guidelines that govern the features and use of devices such as printers, copiers and multifunction systems are available, but details about hardware compliant to...
NES to improve data safety
Posted by InfoSec News on Sep 11
http://news.scotsman.com/education/NES-to-improve-data-safety.5629254.jp
By LYNDSAY MOSS
The Scotsman
09 September 2009
NHS Education for Scotland (NES) has agreed to improve data security after the details of trainee doctors were left on a stolen laptop. The body informed the...
Secunia Weekly Summary - Issue: 2009-37
Posted by InfoSec News on Sep 11
The Secunia Weekly Advisory Summary 2009-09-03 - 2009-09-10
This week: 73 advisories
...
How to measure security? NIST maps out the emerging field of IT metrology
Posted by InfoSec News on Sep 11
http://gcn.com/articles/2009/09/14/update-1-security-metrics-lacking-for-it-systems.aspx
By William Jackson
GCN.com
Sept. 10, 2009
Information technology security is a hot topic, but attention usually focuses on the lack of it. What is missing is an objective, quantifiable way to...
InformationWeek Security News
InformationWeek
Consumers Accept Device Fingerprinting, Study Finds
By Thomas Claburn
To fight online fraud, consumers are warming to the idea of technology that identifies the device they're using.
Google Plans Private Government Cloud
By Thomas Claburn
As the government moves to adopt cloud computing and considers limited use of free consumer services, Google is trying to address lingering concerns about security and control in the cloud.
Google Tops Bing, Yahoo In Bug Battle
By Thomas Claburn
A group of 1,100 software testers has rated Google the best search engine in terms of accuracy, speed, and relevance.
Google Chrome Update Adds Speed, Themes, HTML 5
By Thomas Claburn
Browser Themes, faster JavaScript performance, and HTML 5 support can be found in the new stable release of Google Chrome.
Good Technology Adds Android Support
By Marin Perez
The company will also offer iPhone and Pre support to help companies whose employees use personal devices to access enterprise networks.
IW500: Amazon CTO On Software Licensing, Cloud Security
By Mary Hayes Weier
Werner Vogels says EC2 customers should talk with software vendors about licensing -- something Amazon itself is already doing.
Government Embraces Cloud Computing, Launches App Store
By Thomas Claburn
Cloud computing is coming to government agencies, bringing the hope of cost savings, greater efficiency, and innovation.
IW500: Security Threats Pose New Challenges
By Mitch Wagner
New technologies such as cloud computing make security a challenge for enterprises, according to panelists at the InformationWeek 500 Conference.
Top Cyber Security Risks Revealed
By Thomas Claburn
A report issued by The SANS Institute finds enterprise security efforts focused on fixing low-priority flaws at the expense of serious application vulnerabilities.
InformationWeek 500: 20 Great Ideas To Steal
InformationWeek 500 innovators reveal some of their top projects. Could something similar work at your company? Let the brainstorming begin.
Hacker Pleads Guilty In Major Credit Card Theft
By Antone Gonsalves
As part of his plea agreement, the 28-year-old agreed to forfeit more than $2.7 million and a Miami condo, 2006 BMW 30i, Tiffany diamond ring, and Rolex watches.
Popular News Topics Become Malware Bait
By Thomas Claburn
Curiosity about current events is being leveraged to spread malware.
Google Groups Used To Direct Trojan Malware
By Thomas Claburn
Malicious software has been found looking to Google Groups for instructions on how to behave badly.
Gov 2.0: Roadblocks Remain For Transparency
By J. Nicholas Hoover
Speaking at the Gov 2.0 Summit, federal CIO Vivek Kundra said infrastructure upgrades will likely be required.
InSecurity Complex
Keeping tabs on flaws, fixes, and the people behind them.
McAfee Avert Labs
Cutting edge security research as it happens.......
FakeAlert Malware Disguises as McAfee Product
By Abhishek Karnik on Uncategorized
“Illusion is needed to disguise the emptiness within.” – Arthur Erickson. I thought this was the perfect quote for fake anti-malware software or FakeAlert threats. FakeAlert malware imposes an illusion of protection on its users, but all that's within is an empty hollow inside. It has become a common sight for malware to be spoofing program [...]
Searches for Patrick Swayze Info Could Lead to Malware
By Sam Masiello on Web and Internet Safety
Another celebrity death. Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus. We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year. Now the attention of cyber criminals has turned to Monday’s death of Patrick [...]
From Targeted PDF Attack to Backdoor in Five Stages
By Dennis Elser on Vulnerability Research
As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit [...]
Google Trends Suffering Abuse Today
By Craig Schmugar on Web and Internet Safety
Wouldn’t you know it. Just the other day I blogged about rogue anti-virus software makers selectively targeting certain hot search terms. Since then the majority of top terms lead to poisoned links within the top 10-20 search results. Recently there have been some news stories about attackers targeting specific topics or terms, but from what I’m seeing they [...]
New Version of McAfee FileInsight
By Micha Pekrul on Web and Internet Safety
Today we released the new version 2.1 of McAfee FileInsight. You can download your free copy from the Avert Tools site. FileInsight is a handy integrated tool environment for web site and file analysis. Hex editing, syntax highlighting, and it comes with several built-in decoders, built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin [...]
Network World on Security
The latest security news, analysis, reviews and feature articles from NetworkWorld.com.
New phishing attack chats up victims
With many who bank online now wary of phishing attacks, criminals are adding fake live-chat support windows to their Web sites to make them seem more real.
Google buys reCAPTCHA to boost book scanning efforts
Google plans to accelerate its massive efforts to scan tens of millions of books and periodicals with the acquisition on Wednesday of a company called reCAPTCHA.
Social Networking a Tool for More Secure ID Management?
At Digital ID World 2009, a Facebook platform engineer says social networking sites can be used to actually improve identity and access management. Why wasn't he laughed off stage by the skeptical security crowd before him? Read on.
Attack E-mails Use Fake Shipping Confirmation Ruse
A triple-payload e-mail attack that uses a fake shipping confirmation notice with a supposed attached label is making the rounds, according to Webroot.
SANS: Security Ignores the Two Biggest Cyber Risks
Two major cyber risks dwarf all others, but organizations are failing to invest in the proper tools to mitigate them, choosing instead to focus security attention on lower risk areas, according to a report released Tuesday by SANS Institute.
Microsoft offers tools for secure app development
The tools help developers add security and privacy provisions into the development lifecycle, but their enterprise usefulness is unclear as they are only for C and C++.
Unpatched Applications Are Top Cyber Security Risk
Unpatched client software and vulnerable Internet-facing web sites are the most serious cyber security risks for business. Lesser threats include operating system holes and a rising number of zero-day vulnerabilities, according to a new study.
Phishing attacks go down by 45 percent: Symantec
Symantec observed a 45 per cent decrease from the previous month in all phishing attacks, according to its September State of Phishing report.
The IA Professional's Toolkit Part 4
A common comment from engineering and technical personnel is that if we can't measure something, we can't manage it effectively.
The other iPhone lie: VPN policy support
The iPhone OS 3.1 fixed false reporting about Exchange policy adherence. It turns out that a similar flaw existed for VPN policies, too.
Technology issues on back burner in US Congress
With a huge fight over health-care reform unresolved, many observers of technology-related legislation before the U.S. Congress have low expectations that major bills will be passed in the remainder of 2009.
Data Debauchery That Happens in Vegas Doesn't Stay There
Digital ID World 2009: Organizations collect as much data as possible on people to verify their trustworthiness as a potential employee or customer. Here's why the practice isn't working.
Web server attacks, poor app patching make for lethal mix
A dangerous combination of a massive increase in Web server attacks and poor patching practices is a major cause of concern for experts, according to a report issued today by several security organizations.
Cloud security through control vs. ownership
Cloud computing makes auditors cringe. It's something we hear consistently from enterprise customers: it was hard enough to make virtualization "palatable" to auditors; cloud is going to be even harder. By breaking the links between hardware and software, virtualization liberates workloads from the physical constraints of a single machine. Cloud takes that a step further making the physical location irrelevant and even obscure.
Internet scammers leap on Patrick Swayze’s death
Malware ghouls took just a few hours to begin preying on the death of actor Patrick Swayze with a new version of a familiar phony anti-virus scam.
Company hosting Joe Wilson fundraising site recovers from DDoS attack
A company providing online payment-processing services for U.S. Rep. Joe Wilson (R-S.C) is back online after being disrupted by a distributed denial-of service attack over the weekend.
ArcSight repurposes application to fight financial fraud
Security company ArcSight has retooled one of their event-monitoring products and created an appliance designed to detect fraudulent bank and brokerage transactions.
Companies patch OS holes, but biggest priority should be apps
Corporations appear to be much slower in patching their applications than their operating systems, even though attackers are mainly targeting application vulnerabilities, according to a new report based on data from TippingPoint, Qualys and the SANS Institute.
Businesses turn to DNS service to filter the Web
For National Veterinary Associates, the decision to block the Web was sealed with a virus.
New York Times tricked into serving scareware ad
Scammers tricked the New York Times' Digital Advertising department into placing a malicious ad for fake antivirus software on the NYTimes.com Web site over the weekend, the company confirmed Monday.
DHS to review report on vulnerability in West Coast power grid
The U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid.
Cloud security survey can help shape best practices
You can make a difference deciding what aspects of cloud security get the most attention in upcoming recommendations about best practices.
Meet Google's 'Data Liberation Front'
You say you want a revolution? Google's hoping you do -- at least, when it comes to being able to take your cloud-stored data wherever you want.
The high cost of Internet (de)fame
If it seems like Notes From the Field is turning into the Notes From the Land of Internet Defamation and Anonymity, my apologies. But this is a topic that I've sunk my teeth into and now I can't seem to unsink them.
Rise in World Cup related phishing scams expected
Symantec is warning football fans to be wary of purchasing tickets online for next year's World Cup, following England's qualification into the tournament last week.
Apple missed security boat with Snow Leopard, says researcher
Apple missed a golden opportunity to lock down when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista, a noted Mac researcher said today.
Windows Bug Enables PC Hijacking, Microsoft Warns
Microsoft last week issued an advisory warning that a bug discovered in Windows Vista, Windows Server 2008 and the release candidates of Windows 7 and Windows Server 2008 R2 could be used to hijack PCs.
Symark International buys BeyondTrust
Security vendor Symark International has bought BeyondTrust, a Portsmouth, New Hampshire, software company that sells a privilege access product similar to Symark's.
Researchers slam fickle iPhone anti-fraud feature
The iPhone's newest defense -- aimed at preventing users from reaching phishing sites -- is inconsistent at best, a security researcher said today, with some users getting warnings about dangerous links, while others are allowed to blithely surf to criminal URLs.
Gonzalez pleads guilty to TJX, other data heists
Albert Gonzalez, who was described by federal authorities as the mastermind of the massive data thefts at TJX Companies Inc., Heartland Payment Systems and other retailers, pleaded guilty to charges of conspiracy, wire fraud and aggravated identity theft.
Trojan hides its brain in Google Groups
Virus writers keep getting sneakier. In an effort to evade detection, they've begun hiding their command and control instructions in legitimate Web 2.0 sites such as Google Groups and Twitter.
Steganography meets VoIP in hacker world
Researchers and hackers are developing tools to execute a new data-leak threat: sneaking proprietary information out of networks by hiding it within VoIP traffic.
Astonishing E-Mail Messages You'll Never Open
Spamming is an underappreciated art form. In fact, "hated" may be a more accurate adjective. Like mimes in a public square, spammers seek to capture the attention of people who actively try to avoid them. Thus they must strike fast and hard, bewildering their prey with astonishing bombast, no-holds-barred familiarity, and too-good-to-be-true promises. Much depends on the effectiveness of their initial pitch--the e-mail header--and in exploiting that space, they put practitioners of haiku to shame, delivering their come-on to the rubes (that is, us) in a single line and usually in far fewer than 17 syllables.
Powerful tool to scour document metadata updated
A Spanish company has released an upgraded version of a powerful software application that can be used to perform intelligence gathering on a company's Web site and network.
Hacker Gonzalez pleads guilty to 20 charges
Hacker Albert Gonzalez, accused of masterminding the massive data thefts at BJ's Wholesale Club, TJX and several other retailers, has pleaded guilty to 19 charges related to computer hacking and credit card fraud, the U.S. Department of Justice said.
The Register - Security
Biting the hand that feeds IT
Mozilla catches half of Firefox users running insecure Flash
Adobe's upgrade blues
More than half of all Firefox users ran an unsafe version of Adobe's Flash Player, according to statistics collected last week as users installed the latest release of the popular open-source browser.…
Inmate 'fesses to prison computer hack
Jailbreaking the HR system
A former US inmate has pleaded guilty to hacking into the prison's computer system to obtain the personal data of more than 1,100 prison service workers.…
White hats release exploit for critical Windows vuln
Microsoft not immune to Immunity
White-hat hackers have released reliable code that remotely exploits a critical vulnerability in the Vista and Server 2008 versions of Microsoft's Windows operating system.…
Microsoft security tools give devs the warm fuzzies
Testing times
Microsoft has released a general-purpose software tool for assessing the security of applications, part of a growing suite of free offerings designed to help third-party developers design safer programs.…
Looking at the threat landscape
It’s getting scary out there...
Regcast Be it Botnets or targeted attacks, increasingly sophisticated threats to your organisation are lurking just around the corner. Stay bang up to date on the latest techniques and how to best combat them by tuning into The Register’s Understanding The Threat Webcast.…
Database containing 1.8m UK postcode locations leaks online
Knock, knock. Who's there?
An alleged copy of the UK postcode list has tipped up on WikiLeaks.…
Power grid takedown: a new how-to
Domino effect could short-circuit US West Coast
A well targeted attack against a small power grid subnetwork might result in a cascading failure across the entire US West Coast electricity grid, according to a Chinese academic.…
Firms fail to focus on most dangerous security threats
Web and client side bugs top peril index
Enterprises are focusing their information security efforts in the wrong areas, leaving themselves more open to hacking attacks and malware infections as a result.…
Trial set for 'botnet for hire' duo
Zombies R' Us
A federal judge has cleared the way for the trial of two men accused of waging a cyber attack on a webhosting company so they could demonstrate the effectiveness of their botnet to potential customers.…
Australia mulls botnet takedown scheme
Excuse me mate, but you're spewing spam
Australia is considering the adoption of a code that would oblige ISPs to contact, and in extreme cases perhaps even disconnect, customers with malware-infested computers.…
Swayze death exploited to serve up fake anti-virus
I've had the crime of my life
Miscreants have moved swiftly to establish malicious websites designed to rip off users searching for more information on the death of actor Patrick Swayze on Monday.…
Malware lingers months on infected PCs
Resident evil
Malware stays around on infected PCs far longer than previously thought, according to the latest research from Trend Micro.…
FreeBSD bug grants local root access
Trivial exploitation
A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems.…
Microsoft purges AutoRun from older Windows
Still (woefully) incomplete
Microsoft has finally removed a function from earlier versions of its Windows operating system that has been widely abused by miscreants to surreptitiously install malware on users' computers.…
MS insists bodged fix didn't spawn Windows crash risk
Teardrop Explodes
Microsoft has denied claims that an unpatched flaw in a file and printer sharing feature was inadvertently introduced when it fixed an earlier, less severe problem in the software back in December 2007.…
Trojan taps Google Groups as command network
alt.news.botnet.control
Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands.…
New York Times pwned to serve scareware pop-ups
Gray Lady gets goosed
The New York Times was co-opted into pushing fake anti-virus malvertisements after hackers broke into its banner ad feed over the weekend.…
Linux webserver botnet pushes malware
Attack of the open source zombies
A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.…
International hacker buried $1m in backyard
Albert Gonzalez fortune forfeited
The international hacker who confessed to stealing tens of millions of payment card numbers amassed a fortune worth more than $2.7m, including more than $1m in cash buried in his backyard in Miami.…
Scareware scumbags exploit 9/11
Obviously an inside job
Updated Fraudsters have set up websites supposedly containing info about 9/11 but actually geared towards running fake anti-virus (scareware) scams.…
RBS WorldPay downplays database hack reports
'No access to either merchant or cardholder accounts'
Updated RBS WorldPay and a hacker are at loggerheads over the seriousness of a supposed breach on websites run by the payment processing firm.…
Sky News election petition defaced by prankster hackers
Windbag windup
Computer hackers with a grudge made merry at the expense of Rupert Murdoch after infiltrating the Sky News website.…
SANS Information Security Reading Room
Last 25 Computer Security Papers added to the Reading Room
Security Incident Handling in High Availability Environments
Category: Incident Handling
Paper Added: September 15, 2009
Investigative Tree Models
Category: Incident Handling
Paper Added: September 15, 2009
SANS Internet Storm Center, InfoCON: green
Why is Rogue/Fake AV so successful?, (Thu, Sep 17th)
Rogue AV programs have become increasingly common in the last two years. We at the SANS Internet Storm C ...(more)...
SMB2 remote exploit released, (Wed, Sep 16th)
Last week Guy posted a diary (http://isc.sans ...(more)...
IETF Draft for Remediation of Bots in ISP Networks, (Wed, Sep 16th)
A new IETF draft document focused on how ISPs may detect botnet infections by their subscriber ...(more)...
Review the security controls of your Web Applications... all of them!, (Wed, Sep 16th)
Are you applying consistent security controls to all the input vectors of your Web Applications? Att ...(more)...
Wireshark 1.2.2 (and 1.0.9) is out!, (Wed, Sep 16th)
The Wireshark team has released a new version of the famous graphical traffic sniffer and protocol a ...(more)...
SANS releases new Cyber Security Risk Report, (Tue, Sep 15th)
SANS today released a new Cyber Security Risks report. The report used data from Tippingpoint, Qualy ...(more)...
Windows autoplay behavior updated (improved), (Sun, Sep 13th)
Microsoft has delivered on their promise to backport the improved autoplay behavior in Win7 to older ...(more)...
Information Leakage in Cloud Computing, (Sun, Sep 13th)
An interesting paper was published this last week discussing ways of determining the physical system ...(more)...
Apple Updates, (Sat, Sep 12th)
Microsoft had their monthly patch day this past Tuesday. Mozilla released new versions of Fire ...(more)...
OSSEC version 2.2 available, (Sat, Sep 12th)
This past week version 2.2 of one of our favorite free HIDS products, OSSEC, was released ...(more)...
SANS NewsBites
All Stories From Vol: 11 - Issue: 72
Proposed Legislation in California Clarifies Breach Notification Requirements (September 11, 2009)
Legislation awaiting the governor's signature in California would require that data breach notification letters include specific information about the incident, including what type of information was compromised, and entities experiencing breaches that affect 500 or more individuals provide a copy of the notification letter to the state attorney general's office.......
Report Shows Taking Down Small Power Subnetwork Could Cause Significant Outages (September 14, 2009)
The US Department of Homeland Security (DHS) is taking a close look at a report from a Chinese research scientist that posits that "a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid.......
Australia's Internet Industry Association Issues Draft eSecurity Code (September 11 & 14, 2009)
Australia's Internet Industry Association (IIA) has published a draft of an eSecurity Code aimed at protecting citizens from online threats.......
DoD Analyst Charged With Unauthorized System Access (September 14, 2009)
A US Defense Department analyst has been charged with gaining unauthorized access to a protected computer or exceeding authorized access and obtaining classified information.......
Ads on New York Times Website Serving Up Scareware (September 14, 2009)
The New York Times has warned that rogue advertisements on its website were serving scareware over the weekend.......
Trojan Horse Program Uses Google Groups as Command and Control Channel (September 11 & 14, 2009)
The Grups Trojan horse program uses Google groups as a command and control channel.......
Microsoft Update Limits AutoRun Functionality (September 14, 2009)
Last month, Microsoft issued "an update that changes the AutoRun functionality in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.......
Linux Botnet (September 12 & 14, 2009)
A network of infected Linux servers is being used to distribute malware.......
Gonzalez Guilty Plea Settles Two of Three Indictments (September 11 & 12, 2009)
Albert Gonzalez has pleaded guilty to 20 charges of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft in connection to data thefts at TJX, BJ's wholesale club, OfficeMax, Barnes & Noble and other retailers.......
Attacker Claims to Have Exploited SQL Injection Vulnerability at RBS WorldPay (September 11, 2009)
An attacker claims to have exploited an SQL injection vulnerability in a web application to gain access to the RBS WorldPay database.......
Cyber Thieves Stole Payment Card Data From Indiana Bank Customers (September 11, 2009)
Investigators say that cyber thieves stole debit card numbers from customers of People's Saving and Trust Bank in Boonville, Indiana.......
Man Draws Six Month Sentence for Unauthorized Background Checks (September 10, 2009)
An Illinois man has been sentenced to six months in jail for abusing his position as director of a county emergency dispatch agency to conduct unauthorized background checks.......
Server Reliability Study (September 8, 2009)
An Information Technology Intelligence Corp.......
SearchSecurity: Security Wire Daily News
The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.
Experts rebuke programmers who use SQL injection as feature
By Robert Westervelt
Security experts point to online advertising campaigns that distributed faulty code to affiliates as the source of spikes in SQL injection attacks.
SANS: Application threats, website flaws pose biggest security threats
By Robert Westervelt
A new report from the SANS Institute calls flaws in client-side applications often the most ignored by IT professionals.
Brute force attacks target Yahoo email accounts
By Robert Westervelt
Attackers target a background Web services authentication application used by ISPs and Web applications to authenticate users.
Secure virtual desktop software enables remote client security
By Eric Ogren
Virtual desktops control endpoints and cut costs for an Atlanta-based financial company. The setup helps IT control core essentials and enforce acceptable use policy.
Melissa Hathaway urges more cooperation, government attention to cybersecurity
By Michael Mimoso
Former acting director for cyberspace Melissa Hathaway called for public-private cooperation on cybersecurity and pressed government to develop standards and foster innovation.
Symark acquires BeyondTrust
By Marcia Savage
Privileged access management provider expands beyond Unix and Linux environments to the Windows platform with acquisition.
DNSSEC deployment challenges can be overcome
By Robert Westervelt
Experts deploying DNSSEC across the .ORG domain share the issues encountered during the early-adoption of the technology. Key management remains an issue.
SecuriTeam
Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.
Apple iPhone OS AudioCodecs Heap Buffer Overflow
The iPhone OS AudioCodecs library contains a heap buffer overflow vulnerability while parsing maliciously crafted AAC or MP3 files. The vulnerability may be exploited by an attacker to execute arbitrary code in the context of an application using the vulnerable library.
Protector Plus Local Privilege Escalation Vulnerability
Local privilege escalation vulnerability in Protector Plus antivirus software. Protector Plus range of antivirus products are known the world over for their efficiency and reliability.
Novell eDirectory Dhost Http Server Denial of Service Vulnerability
Novell eDirectory 8.8 SP5 is vulnerable to a denial of service attack. If a remote attacker sends Unicode strings in an HTTP request to port 8028 (the default port of the Novell eDirectory Dhost HTTP server), the attacker can cause the system to consume 100% of the CPU resources.
Apple QuickTime H.264 Nal Unit Length Heap Overflow Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Apple QuickTime FlashPix Sector Size Overflow Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Mozilla Firefox TreeColumns Dangling Pointer Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
Security - RSS Feeds
Fixing Security Flaws Isn't Just Microsoft's Responsibility
News Analysis: Microsoft gets hit hard with criticisms of its inability to adequately protect its users. But a recent study from the SANS Institute indicates users and software developers may also be at fault. It's time for IT managers and individual users to take responsibility for updating and patching all their applications and operating systems in a timely manner.
- In the world of PC computing, it's fashionable to beat on Microsoft for all the security issues that have plagued the space. Whether it's Apple mocking Windows security in its "I'm a Mac, I'm a PC" ads or countless security experts performing research on all the issues facing Windows, a...
Microsoft Releases Free Security Tools for Application Developers
Microsoft unveils a binary code analysis tool and a fuzzing program designed to help developers design secure applications.
- Microsoft on Sept. 16 unveiled two new tools to help developers build better security into their applications. The tools are available for download for free, and are designed to help developers extend Microsoft's SDL (Security Development Lifecycle) process into their organizations. The first o...
Google Buys ReCAPTCHA to Improve Security and Book Scanning
Google acquires ReCAPTCHA to improve security and bolster its book and newspaper scanning efforts.
- Google has acquired ReCAPTCHA, an open-source CAPTCHA service that the search engine giant will use to bolster security and its efforts to digitize books and newspapers. CAPTCHA technology is widely used to fight spammers by preventing them from using computers to automatically sign up for We...
New Apple iPhone Jailbreaking Tool Hits the Street
A new jailbreaking tool is available to allow users to unlock Apple iPhone OS 3.1. The tool was developed by the iPhone Dev-Team.
- The iPhone-Dev team has released a new tool to enable users to jailbreak and unlock Apple iPhone OS 3.1. With Pwnage Tool 3.1 for Mac OS X, users can jailbreak both iPhone 3G and the first editions of the iPhone and iPod Touch. The tool, however, does not support iPhone 3GS or the second or thir...
Lawmakers Pressure White House over Cyber-czar
Three months after President Obama promised in May to appoint a cyber-security czar, the co-chairs of the U.S. House Cybersecurity Caucus urge the White House to step up its efforts.
- Congress is beginning to grumble over President Obama's failure to appoint a cyber-security czar months after Obama promised he would do so. Obama issued his Cyberspace Policy Review on May 29 to great fanfare and pledged to name a cyber-czar, which he called a coordinator, to oversee the plan. ...
Top Cyber-Threats Tied to Application Patching Process
A new report from the SANS Institute, Qualys and TippingPoint underscores the fact that while the number of zero-day bugs is growing, the bigger threat comes from popular client-side applications such as Apple QuickTime and Adobe Reader.
- IT security has less to do with bracing for the inevitable zero-day vulnerability than some outside the industry may think. Truth be told, the biggest threats facing users and organizations today are unpatched client-side applications and unsecure Web programs - that is the message of a ...
Symark Buys BeyondTrust, Takes Its Name
Symark International announced today it acquired BeyondTrust to broaden its privileged access management portfolio to include Microsoft Windows desktops. Symark also announced it would now be known as BeyondTrust.
- Symark International has a new name and a new set of capabilities under its belt. The company announced today it has acquired BeyondTrust, and will henceforth be known by that name as it sharpens its focus by providing security and compliance for privileged user access for Microsoft Windows. Th...
Symantec: Google Groups Used to Send Commands to Malware
Symantec researchers have uncovered a Trojan using a private newsgroup within Google Groups as a command and control server. The move follows an attempt to use Twitter as a C&C earlier this year.
- Symantec has uncovered a scheme to use a Google Groups newsgroup to sneak commands to malware on compromised computers. The move is another example of attackers looking for covert ways to communicate to their bots. Earlier this year, attackers were found using Twitter as a command and contr...
Apple iPhone OS 3.1 Phishing Protection Falling Short, Researchers Say
Security pros say the Apple iPhone OS 3.1's anti-phishing feature falls short, failing to block sites blocked by the desktop version of the Safari browser.
- The anti-phishing feature for the iPhone OS 3.1 isn't all it's cracked up to be, according to security researchers. For whatever reason, some researchers have found, phishing sites blocked by the desktop version of Apple Safari are not consistently blocked by the mobile version. Since Apple r...
Gonzalez Pleads Guilty to Massive Retail Hacks
The hacker who helped mastermind cracking into the networks of TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority faces a minimum of 15 years and a maximum of 25 years in prison. The hacks netted more than 40 million credit and debit card numbers.
- Albert Gonzalez pleaded guilty Sept. 11 to hacking into the systems of major U.S. retailers including TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. More than 40 million credit and debit card numbers were stolen as a result of the hacking ac...
Security Fix
Brian Krebs on computer and Internet security
Data Breach Highlights Role Of 'Money Mules'
In Fraud
On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws. "This is something new to us, fortunately, but we have responsibilities under Maine statute to report these things to our customers and employees," said the company's president, John Peters, in an
Cyber Crooks Target Public & Private Schools
In Fraud
A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities. On the morning of Aug. 17, hackers who had broken into computers at the Sanford School District in tiny Sanford, Colorado initiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams. A school employee spotted the bogus payments on the morning of the 19th, when the school district learned that $117,000 had been siphoned from its coffers by cyber crooks. Sanford Superintendent Kevin Edgar said the school successfully reversed two of the transfers totaling $18,000, but that the rest of the
Patches for Macs, and Advice for Mac Users
In New Patches
Apple last week released Mac OS X 10.6.1, the first security update for Snow Leopard users. Cupertino also issued a bundle of updates to fix more than 30 security flaws in its 10.4 and 10.5 OS X and OS X Server systems. Snow Leopard shipped with an outdated and insecure version of the Adobe Flash Player. The 10.6.1 update fixes that, patching at least nine vulnerabilities in Flash, and bringing the Snow Leopard Flash plug-in up to date with the current 10.0.32.18 version. The Tiger and Leopard security bundles also include the Flash update, along with security fixes for components like ColorSync and CoreGraphics. The updates are available through Software Update or via Apple Downloads. One final note: Over the weekend, a number of Security Fix readers who are also Mac users wrote in to ask for advice after being peppered with rogue anti-virus pop-ups. The readers complained they received
SecurityFocus News
SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
Brief: iPhone anti-phishing sigs only slightly delayed
Brief: Gonzalez pleads guilty to giant breaches
Brief: Old patch introduced SMBv2 flaw, says finder
TaoSecurity
Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.
Security Information and Event Management (SIEM) Position in GE-CIRT
By Richard Bejtlich
My team just opened a position for a Security Information and Event Management professional. This candidate will report to me in GE-CIRT but take daily direction from our SIM leader and our Lead Incident Handler. We're looking for a technical person who can not only administer our SIM, but also help our team implement our detection and response objectives and use cases in our SIM and related infrastructure.
This candidate will sit in our new Advanced Manufacturing & Software Technology Center in Van Buren Township, Michigan.
If interested, search for job 1087025 at ge.com/careers or go to the job site to get to the search function a little faster. I am available to answer questions on the role or forward them to our SIM leader. You can reach me by posting a comment here and providing an email address where I can contact you. Thank you.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
WindowSecurity.com
WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.
Windows 7 XP Mode: What are the Security Implications?
By deb@shinder.net (Deb Shinder)
What are the security implications of Windows 7's XP Mode?
Yahoo! News: Security News
Security News
Unpatched Applications Are #1 Cyber Security Risk (PC World)
In technology
PC World - Unpatched client software and vulnerable Internet-facing web sites are the most serious cyber security risks for business. Lesser threats include operating system holes and a rising number of zero-day vulnerabilities, according to a new study.
New York Times Tricked Into Serving Scareware Ad (PC World)
In technology
PC World - Scammers tricked the New York Times' Digital Advertising department into placing a malicious ad for fake antivirus software on the NYTimes.com Web site over the weekend, the company confirmed Monday.
Learning from the NY Times Attack Ad (PC World)
In technology
PC World - The NYTimes.com site warned Sunday that it had inadvertently displayed an "unauthorized advertisement" over the weekend that tried to use fake malware warnings to trick viewers into installing scareware.
NYTimes.com Warns of Malware on Site (PC World)
In technology
PC World - Online scammers have apparently found a new way to reach their marks:
Cyber criminals targeting small businesses (AP)
In technology
AP - Cyber criminals are increasingly targeting small and medium-sized businesses that don't have the resources to keep updating their computer security, according to federal authorities.
Patience, Grasshopper: Wait to Update Your Jailbroken iPhone to 3.1 (PC World)
In technology
PC World - If you have a jailbroken iPhone and were wondering if you should update to OS 3.1 via iTunes, do yourself a favor and just wait a few more days. As with every other major iPhone software update, 3.1 adds a slew of cool new features and bug fixes, as well as breaks the current jailbreak exploit. Nothing shocking here, as this cat-and-mouse game has been going on between Apple and the Dev-Team hackers since 1.1.1.
Trojan Hides Its Brain in Google Groups (PC World)
In technology
PC World - Virus writers keep getting sneakier. In an effort to evade detection, they've begun hiding their command and control instructions in legitimate Web 2.0 sites such as Google Groups and Twitter.
Hacker in payment card theft pleads guilty (Reuters)
In us
Reuters - A 28-year-old computer hacker pleaded guilty to some of the largest identity theft crimes on record on Friday and left a federal judge grappling with how to compensate millions of victims.
Hacker pleads guilty to huge theft of card numbers (AP)
In technology
AP - A computer hacker who was once a federal informant and was a driving force behind one of the largest cases of identity theft in U.S. history pleaded guilty Friday in a deal with prosecutors that will send him to prison for up to 25 years.
Hacker Gonzalez Pleads Guilty to 20 Charges (PC World)
In technology
PC World - Hacker Albert Gonzalez, accused of masterminding the massive data thefts at BJ's Wholesale Club, TJX and several other retailers, has pleaded guilty to 19 charges related to computer hacking and credit card fraud, the U.S. Department of Justice said.
Spanish security firm detects 'swine flu' computer virus (AFP)
In technology
AFP - Cyber criminals are taking advantage of swine flu fears with e-mails promising news on the illness which then infect computers with a virus, a Spanish computer security firm warned Friday.
Zero Day
Tracking the hackers
Phishers introduce 'Chat-in-the-Middle' fraud tactic
By Dancho Danchev on Spam and Phishing
Phishers don't just want to "bank with you", they also want to talk you into revealing the answers to your 'secret' questions, next to more sensitive information that would help them gain access to your online bank account. A new 'Chat-in-the-Middle' fraud tactic was recently discovered by the RSA FraudAction Research Lab, according to which the [...]
Google + reCAPTCHA could raise bar in anti-bot, anti-spam battle
By Ryan Naraine on Web 2.0
Google buys an excellent crowd-sourcing tool and, by default, gets to raise the bar significantly in the fight against bots and spam.
The ultimate guide to scareware protection
By Dancho Danchev on Web 2.0
Throughout the last two years, scareware (fake security software) quickly emerged as the single most profitable monetization strategy for cybercriminals to take advantage of. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands [...]
9/11 related keywords hijacked to serve scareware
By Dancho Danchev on Web 2.0
Anticipating the logical peak of 9/11 related keywords on the 8th anniversary of the attacks, cybercriminals have hijacked the trending topic by occupying thousands of related keywords for the purpose of serving fake security software. None of the sites are currently marked as harmful by the SafeBrowsing initiative, due to the evasive tactics applied in the [...]