March 30, 2006
USA TODAY
By Jon Swartz
Monday, March 27, 2006
SAN FRANCISCO -- The latest in computer security is a throwback to old-fashioned safety.
Recent thefts of laptops with sensitive corporate data have prompted more companies and individuals to snap up everything from locks to tracking software to protect data from PC snatchers.
They're buying hardware and software to "create layers of deterrence," says John Livingston, CEO of Absolute Software.
It makes software that tracks a computer's location when it's logged onto the Internet. source:
http://security.ittoolbox.com/
Robert Lemos, SecurityFocus 2006-03-28
The third-party patches are the latest fixes to be released by companies other than Microsoft, when the software giant's response is perceived to leave customers at risk.
In January, an independent software programmer released a patch for a critical flaw in the Windows Meta File (WMF) format that also affected users of Internet Explorer. The companies, and the researcher that released the WMF patch, do not refer to the fixes as permanent solutions but temporary workarounds.
Microsoft did not recommend that Windows users install the patches, said Stephen Toulouse, security program manager for Microsoft.
"While the IE team is working on an update to address the problem,
we certainly recommend a defense- in-depth strategy that involves third party tools such as antivirus or IDS/IPS (intrusions detection/prevention system) solutions," Toulouse said in a blog posting. "However we cannot recommend third party solutions that modify the way the product itself operates."
Source:
http://www.securityfocus.com/
Harden your computers' defenses with the tips in these Microsoft studies.
April 2006 • by Greg Shields
Security vs. Usability
Always remember that hardening your servers is a delicate balancing act of securing them and keeping them useable. It's your responsibility to enable only the most appropriate security policies.
For example, it's entirely possible -- and actually recommended in the guide -- to configure software restrictions on your network for default Disallowed. This means that no executables can run on your network unless you specifically permit them.
Source:
http://www.redmondmag.com/
Randomness makes for secure comms
By Lester Haines
Published Thursday 30th March 2006 10:08 GMT
Japanese scientists are proposing the use of random radio pulses emitted by quasars as "one time pads" for the encryption of sensitive messages, New Scientist reports.
Source:
http://www.theregister.co.uk/
By Edmund X. DeJesus, Contributor
30 Mar 2006 | SearchSecurity.com
Last week, Sun Microsystems Inc. announced the debut of its Sun Grid Compute Utility, available at www.network.com. The world's first grid available for public, commercial use, Sun Grid was created to serve customers big and small needing inexpensive, simple access to large-scale computing resources.
But within hours, Sun Grid was brought to its knees by a distributed denial-of-service (DDOS) attack, necessitating an emergency login procedure change. While grid computing may very well revolutionize enterprise computing, the incident underscores the security risks that could prove quite harrowing for enterprises that rely on grid computing.
Source:
http://searchsecurity.techtarget.com/
Posted Mar 29, 2006 - 12:36 PM
DRM is a catch-all term for a variety of methods used to limit content sharing. Techniques include digital encryption of songs and encoded limits on the number of times content can be accessed. But DRM technologies are far from foolproof, and the ones developed so far have been easily circumvented by adept hackers, said Ian Brown, a senior research manager at the Cambridge-MIT Institute in England.
Source:
http://www.dvd-recordable.org/
By Kevin J. Vella, Uniblue Systems Ltd
Wednesday, 29 March 2006 13:23 EST
Robert Morris, son of a computer security expert for the National Security Agency, sent malicious code through ARPANET, affecting about 10% of the connected computer hosts. The code reproduced itself and filtered through network computers; consequently, the size of the files filled computers' memories, thus disabling numerous machines.
Source:
http://www.it-observer.com/
Frank Washkuch Jr. 22 Mar 2006 22:37
A new web browser vulnerability made a tough week a little bit tougher for Microsoft.
For the second time in as many days, security researchers discovered a new flaw in Internet Explorer, the latest of which can be employed by a malicious user to compromise a user's PC.
The newest flaw, rated "highly critical," "is caused by an error in the processing of the 'createTextRange()' method call applied on a radio button call," said Secunia. "This can be exploited by e.g. a malicious website to corrupt memory in a way that allows the program flow to be redirected to the heap."
Source:
http://www.scmagazine.com/
March 29, 2006
My Information Is Leaking, Eh!Posted 3/6/2006 by SecurityMonkey (Information Security Investigator)
"My Information Is Leaking, Eh!" The screams of 77,000 Canadians could be heard recently as they discovered that their medical records were auctioned off.In a press conference, B.C. Labour Minister Mike de Jong recognized that a man bought some supposedly blank backup tapes from a government auction, only to find that:
[the tapes] contained records such as HIV status, substance abuse history and mental illness...Source:
http://networking.ittoolbox.com/
Posted 10/19/2005 by Robert C. Mullins
Why programmers are generally rude:
1. Because most other people are stupid!...
2. Mountain Dew, Jolt Cola, Pork Rinds and Day-old Pizza!...
3. Coders are anti-social....
4. Coders are under-appreciated!...
Source:
http://blogs.ittoolbox.com/pm/change/archives/006205.asp
Today, my friend forward it to me...
Three Women – one German, one Japanese and a hillbilly – were sitting naked in a sauna. Suddenly there was a beeping sound. The German woman pressed her forearm and the beep stopped. The others looked at her questioningly. “That was my pager”, she said. “I have a microchip under the skin of my arm.”
A few minutes later, a phone rang. The Japanese woman lifted her palm to her ear. When she finished, she explained, “That was my mobile phone. I have a microchip in my hand”.
The Hillbilly woman felt decidedly low Tech, not to be outdone. She decided she had to do something just as impressive. She stepped out of the Sauna and went to the bathroom. She returned with a piece of toilet paper hanging from her behind. The others raised their eyebrows and stared at her.
The Hillbilly woman finally said, “Well, will you look at that, I’m getting a fax.”Souece:
http://www.gonebuddy.com/search.php?q=naked
Users can send suspicious e-mails purportedly from the IRS to phishing@irs.gov
News Story by Linda Rosencrance
MARCH 28, 2006 (COMPUTERWORLD) - The U.S. Internal Revenue Service has set up an e-mail address, phishing@irs.gov, that taxpayers can use to send in copies of suspicious e-mails they have received that claim to be from the IRS.
In a statement, the IRS provided precise instructions about how to properly submit copies of possibly fraudulent e-mails. However, because of the volume of correspondence the IRS expects, it says it can't acknowledge receipt of the e-mails or reply to taxpayers who submit them.
Source:
http://www.computerworld.com/
The Trojan, called MetaFisher, relies on a Windows Metafile exploit
News Story by Jaikumar Vijayan
“This is one of those big, under-the-radar threats that we’ve been concerned about” for some time said Ken Dunham, director of the rapid response team at VerSign Inc.'s iDefense unit. “There has been a trend away from big-bang attacks to very targeted and sophisticated attacks that take place right under your nose. This is one of them."
Sourse:
http://www.computerworld.com/- or -
http://enterprisesecurity.symantec.com/
Factors impacting email management the over the last few decades include:
Increasing size of business person-to-person email volume sent annually worldwide. Volumes increased 59 percent from 2003 to 2004 (Source: IDC,Worldwide Email Usage 2005-2009 Forecast, IDC #34504, December 2005)
...
Source: Symantec Yellow Book™, Introducing Symantec™ Email Security and Availability for Microsoft® Exchange,2006.
http://enterprisesecurity.symantec.com/
March 28, 2006
By Leslie Kramer, Wall Street & Technology
InformationWeek
Mar 27, 2006 12:00 AM
... But most IT shops don't properly test applications for security flaws during the development life cycle, resulting in apps riddled with vulnerabilities. Too often, security and application development are viewed as separate disciplines. Part of the problem is that security teams often are called in to add security to software post-development, rather than working alongside developers during the development process.
Source:
http://www.informationweek.com/
Will Dormann and Jason Rafail
CERT Coordination Center
--------------------------------------------------------------------------------
This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited information technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should supersede these recommendations.
Source:
http://www.cert.org/
The managed string library was developed in response to the need for a string library that can improve the quality and security of newly developed C-language programs while eliminating obstacles to widespread adoption and possible standardization. As the name implies, the managed string library is based on a dynamic approach; memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, null-termination errors, and truncation by ensuring that there is always adequate space available for the resulting string (including the terminating null character). The one exception is if memory is exhausted; that is treated as an error condition. In this way, the managed string library accomplishes the goal of indicating either success or failure. The managed string library also protects against improper data sanitization by (optionally) ensuring that all characters in a string belong to a predefined set of "safe" characters.
Source:
http://www.cert.org/
By Jeremy Kirk, IDG News Service
Digital rights management (DRM) technology has deep flaws despite the hope of content providers that encrypted files will deter illegal file sharing, a computer security researcher said Monday.
DRM is a catch-all term for a variety of methods used to limit content sharing. Techniques include digital encryption of songs and encoded limits on the number of times content can be accessed. But DRM technologies are far from foolproof, and the ones developed so far have been easily circumvented by adept hackers, said Ian Brown, a senior research manager at the Cambridge-MIT Institute in England.
Source:
http://www.macworld.com/
Rainbow tables reduce the difficulty in brute force cracking a single password by creating a large pre-generated data set of hashes from nearly every possible password. Rainbow Tables and RainbowCrack come from the work and subsequent paper by Philippe Oechslin. The method, known as the Faster Time-Memory Trade-Off Technique, is based on research by Martin Hellman & Ronald Rivest done in the early 1980’s on the performance trade-offs between processing time and the memory needed for cryptanalysis. In his paper published in 2003, Oechslin refined the techniques and showed that the attack could reduce the time to attack 99.9% of Microsoft''s LAN Manager passwords (alpha characters only) to 13.6 seconds from 101 seconds. Further algorithm refinements also reduced the number of false positives produced by the system.
Source:
http://www.windowsecurity.com/
March 27, 2006
'Is Your Cat Infected with a Computer Virus?' - a technical paper delivered during a conference on 15 March, in Pisa, Italy - claimed that RFID tags can be used to corrupt databases and even potentially to spread computer viruses. However AIM Global, the trade association for automatic identification and mobility, is now questioning the validity of the methodology used by the researchers behind the report.
Source:
http://issj.sys-con.com/
New F-Secure World Virus Map Offers Current Global Perspective at a Glance
By: ISSJ News Desk
Mar. 4, 2006 09:00 AM
'The world virus map is an excellent resource for quickly understanding the virus situation at any given time,' said Mikko Hypponen, Chief Research Officer at F-Secure said, as his company introduced the concept of 'virus maps' - a visual representations of virus infections worldwide. 'For anybody interested in understanding the 'bigger picture' behind a virus in the news and charting its course, this is a good place to start.'
Source:
http://issj.sys-con.com/
March 25, 2006
BOSTON -- The names, addresses and Social Security numbers thousands of customers were compromised when a laptop was stolen from the largest mutual fund company in the world two weeks ago.
Boston-based Fidelity Investments notified almost 200,000 people about the breach.
The stolen information contained details of pension and 401K plans of Hewlett Packard employees and related-plans, Fidelity said.
Source:
http://www.thebostonchannel.com/
By Gregg Keizer Courtesy of TechWeb News
Visa confirmed Monday it has issued an alert warning that some point-of-sale software may be storing PINs in violation of industry rules, leading to suspicions that the root of the recent debit card debacle may have been out-of-date or misconfigured software.
"….we provided a confidential alert to a limited number of financial institutions advising them that a particular configuration of certain software could cause it to store cardholder data," Visa said in a statement e-mailed to TechWeb. "We further advised them of the existence of a software upgrade designed to address the problem."
On Friday, the Wall Street Journal said it had seen a copy of the alert, which the newspaper claimed identified two point-of-sale (POS) programs created by Fujitsu Transaction Solutions Inc., a Frisco, Texas-based subsidiary of Japan's Fujitsu Ltd. In some settings, those programs -- RAFT and GlobalStore -- were retaining customer information.
Source:
http://www.securitypipeline.com/
By Gregg Keizer Courtesy of TechWeb News
One of the most sophisticated bot Trojans ever has been infecting machines for months, a security company revealed Wednesday, and has compromised an estimated one million PCs in an ongoing effort to pillage personal bank accounts.
According to Reston, Va.-based iDefense, multiple variants of a Trojan dubbed "MetaFisher," a.k.a. "Spy-Agent," has been spreading for months under the proverbial radar.
Source:
http://www.securitypipeline.com/
...While past attacks were designed to destroy data, today’s attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence. In the previous Internet Security Threat Report, Symantec cautioned that malicious code for profit was on the rise, and this trend continued during the second half of 2005. Malicious code threats that could reveal confidential information rose from 74 percent of the top 50 malicious code samples last period to 80 percent this period.
Source:
http://www.symantec.com/
March 23, 2006
My sister forward it to me ...
Source:
http://www.joe-ks.com/
By: Simson L. Garfinkel
Center for Research on Computation and Society
Harvard University
March 6, 2006
About 1000 used drives/day sold on eBay.
With 150 hard drives purchased on eBay we found:
• Thousands of credit card numbers
• Financial records
• Medical information
• Trade secrets
• Highly personal information
Source:
http://www.simson.net
by: (C) Simson L. Garfinkel MMV. All rights reserved.
It is widely believed that security and usability are two antagonistic goals in system design. This thesis argues that there are many instances in which security and usability can be synenergistically improved by revising the way that specific functionality is implemented in many of today’s operating systems and applications.
Source:
http://www.simson.net
By Mike Langberg
Mercury News
How do you build the next Yahoo or Google?
Perhaps the best way is to get admitted to the graduate program at Stanford University's department of computer science, or be invited to join the department's faculty.
Stanford has always been Silicon Valley's secret sauce, drawing the brightest scientists, engineers and business minds from around the world.
Source:
http://www.mercurynews.com/
I think this cartoon is so interesting, i get it from one of the lecture I am taking, it is about Security management ... By Elisabeth Antonsson.
Source:Ii cant find the exact source of the cartoon, any one who knows pls put it as a comment
March 20, 2006
by Krishnan Viswanath10/06/2005
The default RMI communication mechanism—the Java Remote Method Protocol (JRMP)—is not secure. It is possible to secure the communication by writing custom socket factories using Java Secure Socket Extension (JSSE). But this approach puts the burden of writing additional code on the developers, who must take care of securing data exchange using cryptography. Java 5.0 alleviates this issue by introducing two new classes, javax.rmi.ssl.SslRMIClientSocketFactory and javax.rmi.ssl.SslRMIServerSocketFactory, that provide the ability to secure the communication channel between the client and the server using the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols.
Source:
http://today.java.net
March 18, 2006
Your private life? Not anymore Know what a "petabyte" is? One of those Computer Age terms made up to de scribe numbers the average mind cannot comprehend, a "petabyte" is a unit that measures memory or storage capacity.
Source:
www.cleveland.com
Project Higgins - which is being managed by the Eclipse open source foundation -- is developing software for "user-centric" identity management, an emerging trend in security software. It enables individuals to actively manage and control their online personal information, such as bank account, telephone and credit card numbers, or medical and employment records -- rather than institutions managing that information as they do today. People will decide what information they want shared with trusted online websites that use the software.
Source:
http://www.ameinfo.com/
By Christine Evans-Pughe -- Electronics Weekly, 3/6/2006
By monitoring standard characteristics such as execution time, power consumption and electromagnetic radiation and then applying statistical analysis techniques, hackers have very quickly extracted security keys from microprocessors, DSP, FPGA and ASIC-based encryption systems.
Source:
www.reed-electronics.com
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, March 16, 2006; 12:22 PM
Watching While You Type--------------------------------------------------------------------------------
Keyloggers are fast becoming among the most prevalent and insidious online threats: More than half of the viruses, worms and other malicious computer code that Symantec now tracks are designed not to harm host machines but to surreptitiously gather data from them.
Source:
www.washingtonpost.com
March 17, 2006
Modern technology has made the business use of computer technology essential. Computers help businesspeople produce of work, share information with co-workers, archive documents and files, and manage operations, along with other typical business functions. As technology has continued to evolve and progress, more emphasis is placed on safeguarding an organization's or a company's information.
Source:
www.worldwidelearn.com
Three security gurus speaking at IBM’s PartnerWorld 2006 conference said that smaller businesses may actually be a more likely target than, say, IBM. The reason, said Howard Schmidt, president and CEO of R&H Security Consulting LLC, is that password management is a challenge for small companies.
Source:
www.itbusiness.ca
Using a hardware keylogger to record keystrokes is as simple as plugging it in between the keyboard and PC. This can take anyone with little or no experience under 5 seconds to learn and do.
Source:
www.keyghost.com
If you want to stop hackers from invading your network, first you've got to invade their minds.
Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks within 20 minutes.
Source:
www.eccouncil.org
