<body>

53cur!ty 6109

Girma Nigusse

Security Park - Malicious Code Injection Is Not Just for SQL Anymore

October 31, 2006

Security Park - Malicious Code Injection Is Not Just for SQL Anymore: "However, while SQL is the most popular type of code injection attack, there are several others that can be just as dangerous to your applications and your data, including LDAP injection and XPath injection."

Voice biometrics coming to phone banking - Financial Services - Breaking Business and Technology News at silicon.com

Voice biometrics coming to phone banking - Financial Services - Breaking Business and Technology News at silicon.com: "The product is designed to help fight telephone banking fraud, the company said. Christopher Young, an RSA vice president, said in the statement: 'As we are strengthening security for the web channel, phone banking is effectively becoming the next big target.'"

Australian spammer fined A$5.5m | The Register

Australian spammer fined A$5.5m | The Register: "An Australian firm and its director have been fined a total of A$5.5m (£2.2m) after it was held responsible for sending out more than 230 million spam emails, 75 million of which were successfully delivered, during a two year spamming blitz."

'Less than zero-day' threats too often overlooked, analysts warn

'Less than zero-day' threats too often overlooked, analysts warn: "Attacks that target publicly unknown vulnerabilities continue to pose a silent and growing problem for companies. But the response to those threats has been largely misguided because of certain misconceptions about them, analysts said. "

Amnesty calls for action on internet freedom | The Register

Amnesty calls for action on internet freedom | The Register: "Amnesty International is calling on the bloggers of the world to unite to defend the freedoms of their brother bloggers in countries such as China, Iran, and Tunisia. The group says freedoms are under threat and the blog community should "get online and stand up for freedom of expression on the internet"."

8,500 victims in international data theft

8,500 victims in international data theft: "British electronic-crime detectives are investigating a massive data theft operation that stole sensitive information from 8,500 people in the U.K. and others in some 60 countries, officials said Tuesday."

M-Dollar: Microsoft pushes centralized identity management system

M-Dollar: Microsoft pushes centralized identity management system: "October 24, 2006 @ 7:18PM - posted by Matt Mondok

Microsoft pushes centralized identity management system

Today at RSA Conference Europe 2006, Microsoft introduced the second beta for its Certificate Lifecycle Manager (CLM). CLM is a new technology from Microsoft which will help organizations manage and deploy digital certificates and smart cards in a centralized environment. Smart card logon requirements, inventory management, card enrollment, and card revocation can all be controlled through the CLM."

Hacking contactless credit cards made easy | The Register

Hacking contactless credit cards made easy | The Register: "US security researchers have demonstrated how easy it might be for crooks to read sensitive personal information from RFID-based credit and debit cards."

Irish passports go RFID, and naked | The Register

Irish passports go RFID, and naked | The Register: "The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not. A local lobbying outfit called Digital Rights Ireland (DRI) has complained that the new passports are ripe for remote privacy invasion. As of course they are."

Biometrics: 'More research needed' - Public Sector - Breaking Business and Technology News at silicon.com

Biometrics: 'More research needed' - Public Sector - Breaking Business and Technology News at silicon.com: "A senior Home Office advisor has warned that biometrics has a massive usability hurdle to overcome before systems can be rolled out."

PhreakNIC 9 - Rodney Thayer - A Security Analysis of Skype

October 27, 2006



Source

Voice biometrics coming to phone banking

[www.silicon.com] By Joris Evers: RSA Security has introduced a product that adds voice as a way for automated telephone banking services to identify users.

Source

Flynn: Assessing Five Years of Homeland Security

[www.cfr.org]
Interviewee: Stephen E. Flynn
Interviewer: Eben Kaplan

Stephen E. Flynn, CFR's senior fellow for national security studies, considers the state of homeland security five years after the creation of the Office of Homeland Security, handing out grades in several key areas.

Source 1
Source 2

Cyber-fear lurks in tech class

October 26, 2006

[www.ajc.com] New threats never ending, students learn: By GEORGE CHIDI. "We teach them tools, teach them operating systems, but next year there will be another operating system," said Kilinc, program director for cyber crime classes. "You're always one step behind. All those tools out there check for what is known. They don't check for what's not known."

"You find yourself wondering if you should only use a credit card online, because if it's stolen, you can get your money back," said Ginger Boyll, a cyber-security student. "Or, maybe I should only use cash, so there's no record of my existence."

Source

Hackers Zero In on Online Stock Accounts

[www.washingtonpost.com] By Ellen Nakashima. "Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities."

Source

Internationally-Renowned “Security Guru” Bruce Schneier To Deliver Opening Keynote At LinuxWorld OpenSolutions Summit

[home.businesswire.com] "We generally think of computer security as a problem of technology, but systems often fail because of misplaced economic incentives, meaning the company that builds the operating system isn't suffering the costs when vulnerabilities are exposed - the customers are," said Bruce Schneier. "If we make the manufacturers responsible for software vulnerabilities, we change the economic incentive and force companies to improve security as opposed to adding more technology."

Source

Deficit of young IT minds can't fill demand

October 22, 2006

Not enough students study computer technology to fit needs, an ISU expert says.
By DAVID ELBERT
REGISTER BUSINESS EDITOR

The "Y2K fizzle," the burst of the dot-com bubble and fears that computer technology jobs were all being outsourced overseas combined to discourage students from majoring in computer science, software engineering and other information technology fields, Jacobson said.

Source

Why Not Use Full Disk Encryption on Laptops?

by Cliff

"According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused due to stolen/missing laptops. Mobile devices will be stolen or lost, but one way to easily mitigate the harm is to use Full Disk Encryption (FDE) on all mobile devices. So, why don't we encrypt all our HDDs?"

Source

Look who has access to your email

In a company of 15,000 employees, 20 to 30 IT workers normally have access to executive-level e-mail
Bruce Hoard

At a time when external hacks are grabbing headlines, frequently unreported internal security breaches involving low-level administrators accessing high-level executive e-mail and other systems are driving efforts to limit access to only the most highly trusted personnel.

Source

Computer security threats multiplying

BY JAMES MCNAIR | ENQUIRER STAFF WRITER

"In today's world, I would suggest it's a cyber or virtual threat ... " Drab said to an audience of about 40. "We have not begun to comprehend the implications of this - the digitization of assets, the warp speed of technology and a business model that puts our intellectual property all over the globe ... Information is money, pure and simple, and if you've got it, somebody's going to go after it."

Source

Personal Security and Identity Theft Expert Touts GPS to Counter Laptop Theft

Pointing to MyLaptopGPS, an Oklahoma-based company that provides GPS tracking as a service, Robert Siciliano, a personal security and identity theft expert, encouraged organizations to stave off further portable computer thefts and losses by considering GPS tracking technology for their fleets of laptops.

Source

Study: 1 in 3 put passwords to paper

Filed under: Security

According to the survey, more than one in three enterprise users write down their passwords. And it gets worse: "Of the third of users that write down their passwords, one third of those do it on paper, such as a sticky note. Even more dangerous are the other two thirds: They keep their passwords as a text file on their laptop PC or mobile device, where it could be easily lost or stolen."

Source

Ten security trends worth watching

October 21, 2006

Sumner Lemon
At Hack in the Box, Bruce Schneier had a little list

1. Information is more valuable than ever.
2. Networks are critical infrastructure.
3. Users do not necessarily control information about themselves.
4. Hacking is increasingly a criminal profession.
5. Complexity is your enemy.
6. Attacks are faster than patches.
7. Worms are more sophisticated than ever.
8. The endpoint is the weakest link.
9. End users are seen as threats.
10. Regulations will drive security audits.

Source

Time to Update Your Employee Monitoring Policy?

October 20, 2006

Jay Cline

"You have no expectation of privacy!" So say most corporate privacy policies for employees, like a bullying reminder of the obvious. But the recent boardroom scandal at Hewlett-Packard Co. involving Web bugs and "pretexting" has employees asking if they should be afforded some basic privacy protections in the workplace. Companies that want a dedicated and productive workforce shouldn't hesitate to extend to their employees their often-stronger customer privacy policies, disclosing in that policy all the monitoring they will -- and won't -- do to detect insider wrongdoing.

Source

Software piracy endemic in Africa

Lillian Omariba

Nairobi - As much as 81 percent of computer software used in Africa had been pirated, costing governments and the hi-tech industry billions of dollars in revenue and choking growth, experts warned yesterday.

"We cannot sit back and watch our work being pirated"

Source

EU plans to block terror sites, but doesn't know how

Commission at 'early stage' of bafflement
By John Lettice

Speaking after the meeting Franco Frattini, Justice & Home Affairs Commissioner, said that the Internet should be made a "hostile environment" for terrorists. "I think it's very important to explore further possibilities of blocking websites that incite to commit terrorist actions," The Times reported. Yes Franco, but how do you propose to do that, exactly? Or even approximately?

Source

B.C. eyeing biometrics as wave of the future

Drivers' licences may be first to use new technology
Ian Bailey, The Province
Published: Monday, October 16, 2006

B.C. drivers' licences of the future could be imprinted with fingerprints or other biometric fixtures to make them more valid ID, says Solicitor-General John Les.

Source

Symantec targets crimeware with Security 2.0

Phishing, pharming targets of product refresh
By Elizabeth Montalbano

Symantec declared that it wants to focus on the latest and greatest security threats: phishing, identity theft on the consumer side, internal data theft, and compliance.

Source

Industrial Memetics - Information Warfare for The People (Phreaknic 2005)

October 19, 2006



Nick Levay and Tom Cross from the Industrial Memetics Institute speak at the PhreakNIC 2005 hacker convention about the future of the social web. Topics include strengthening the Marketplace of Ideas, Reputation Systems, Social Network Analysis, Group Architecture, and Wikipedia Reliability issues. Future plans of the MemeStreams online community are discussed.

PhreakNIC

PhreakNIC is an annual convention held in Nashville, TN. Originally started as a "hacker convention," it has since grown to include all things of interest to the technology-minded individual, such as sci-fi/fantasy, gaming, anime and other areas of tech culture. PhreakNIC is organized by the Nashville 2600 Organization and the Nashville Linux Users Group. There are technical presentations, cultural exhibits and panels, as well as plenty of socializing. It's great to be able to attend, but for those who can't, we put up videos from past years to share with the rest of the world.

Source

The linux link

Your Source for GNU/Linux Web-Radio & Podcasts!

Source

Computer Security Podcasts That Don’t Suck

Over the last several months, I've done my best to seek out every podcast related to computer security concepts. I started with a list of just under fifty podcasts and gradually eliminated the ones that consistently failed to offer interesting ideas or were simply too watered down.

Source

MySpace phishing scam targets music fans

Money, money, money
By John Leyden

The message in the email informs recipients, "You've got a new song from on MySpace!", and invites them to click on a link that directs them to a site claiming to sell MP3 music.

Source

How To Break Web Software - A look at security vulnerabilities in web software

October 15, 2006

Security vs. usability: No one's winning

Experts say wretched usability is scaring crypto newbies away
Rodney Gedda

Usability of security software is partly to blame for low protection levels in many computers, according to international security experts.

Source

Animal instinct, human foresight

Trusting your gut may make you look foolish ... until you're right
Ira Winkler

It would appear that "civilized" humans have lost a significant portion of our animal instincts -- instincts that could protect us. However, we have not completely abandoned our innate ability to sense trouble.

Source

Software vulnerabilities already outnumber last year's crop

October 14, 2006

There's a reason 2006 has kept you busy, and it won't get better
Ellen Messmer

January: Oracle (89); Microsoft (12); BEA Systems (12); IBM Lotus (11); Apple (10)
February: Microsoft (29); Linux kernel (14); Mozilla (12); IBM (11); myBB (9)
March: Microsoft (18); Linux kernel (14); Mac OS X (14); Mantis (6); HP (6)
April: Oracle (36); Ethereal (27); Mozilla (26); Microsoft (20); Apple (9)
May: Apple (32); Microsoft (13); BEA (11); Linux kernel (10); IBM (9)
June: Microsoft (27); Mozilla (13); Cisco (10); Particle Soft (9); MailEnable (7)
July: Oracle (65); Microsoft (55); Mozilla (14); Cisco (9); OpenCMS (9)
August: Microsoft (32); Informix (16); Mac OS (16); IBM (8); JetBox CMS (8)

Source

E-mail tracer used by HP 'extremely common'

The humble Web bug has its day in the sun
Robert McMillan

The technology tool the company used, called a Web bug, is designed to allow e-mail senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used in e-mail newsletters to track readers and also by law enforcement in investigations, security experts say.

Source

Using Technology to Protect Free Speech in Dangerous Places | Ethan Zuckerman

As Roger put it to me after the workshop, “We’ve got to adjust some of our threat models.” In other words: internet cryptographers aren’t generally worried about parabolic microphones. They’re trying to enable secure transmissions in an insecure medium - the Internet - and generally assume that the people using their tools have control over their computers and the environments they’re using them in. In other words, while security researchers talk a lot about “Alice” and “Bob”, those crazy kids trying to send messages to each other without eavesdropper “Eve” listening in, we rarely consider secret policeman “Sam” arresting Alice and breaking her fingers until she caves and gives up her contact list. And if you want these tools to work in the real world, those are the sorts of concerns you have to take very seriously.

Source

Internet crime: scarier than mugging?

Gis your e-wallet or the WeeMee gets it
By Chris Williams

The British public fear phishing and 419 scams more than car theft, burglary, and even mugging, according to figures unveiled by government-backed campaign Get Safe Online.

Source

Chinese hackers hit US state computers

Washington - Computer security crackers based in China have launched sustained attacks on the computers of a United States Commerce Department technology export office, a department official has said.

Source

The sad state of computer security

The reality of IT security is dismal -- and there's little hope in sight for improvement

By Roger A. Grimes

Most malware exists to steal your money. No need to guess why you’re infected anymore; it ain’t to send greetz to teenage hacker friends. The average criminal hacker is making thousands of dollars a day, if not more, and will never be caught. The only ones we ever catch and prosecute are the dumbest ones.

Source

Log Management Insights (Sponsored by LogLogic)

Listen to top insights from experts driving the development of log
management & intelligence solutions.

1.) Next Generation Log Management & Intelligence
2.) Logs and the Law
3.) New Thinking on Compliance
4.) Automating IT Controls & Compliance

Source

Flaws found in European voting machines

Problem affects gear used by 90% of Dutch voters

Robert McMillan

Dutch researchers have found flaws in electronic voting systems used in the Netherlands, Germany and France.

Source

Google Code Search peers into programs' flaws

By Robert Lemos, SecurityFocus

Security professionals warned developers on Thursday that they need to be aware that their open-source repositories can now be easily mined, allowing attackers to target programs that are likely to be flawed. While Google could previously be used to look for specific strings, now the search engine riffles through code that much better.

"This is like giving everyone a telescope," Wysopal said. "It is making them more efficient. Let's just hope that they are using this for good."

Source

Parents prepare to sue fingerprint grabbers

By Mark Ballard

Parents are preparing a legal challenge to schools that have fingerprinted their children without their consent.

Source: http://www.theregister.co.uk/

Schwarzenegger nixes California RFID measure

October 07, 2006

But the sponsor of the RFID security bill vows to reintroduce it
Marc Songini

California Gov. Arnold Schwarzenegger on Saturday vetoed legislation that would have created a security framework for the use of radio frequency identification (RFID) technology in the state's official documents and identification cards.

The bill, called the Identity Information Protection Act of 2006, would have mandated basic protections against the abuse of RFID data with technologies such as encryption. It also would have made skimming, or the reading of RFID data without consent, a crime.

Source: http://www.computerworld.com/

E.U. welcomes moves to reduce U.S. control of ICANN

October 05, 2006

By Paul Meller, IDG News Service
E.U. welcomes moves to reduce U.S. control of ICANN | InfoWorld | News | 2006-10-02 | By Paul Meller, IDG News Service: "The European Commission welcomed moves in the U.S. to free ICANN, the Internet domain name manager, from its historic ties to the U.S. government on Monday."

Source: http://www.infoworld.com/

InfoWorld Podcasts

Should Microsoft be in the anti-malware business? | InfoWorld |

2006-09-29 | By Roger A. Grimes
Should Microsoft be in the anti-malware business? | InfoWorld | Column | 2006-09-29 | By Roger A. Grimes: "Many analysts are asking if Microsoft, which could be blamed for creating the very insecurities that Windows malware is exploiting, should be able to reap additional profit from closing those same holes? The company's worst critics are worried that key vulnerabilities could be left in Windows longer to benefit additional Microsoft revenue streams."

Source: http://www.infoworld.com/

InfoWorld: Should Microsoft be in the anti-malware business?

Covering Virtualization strategies for IT Solutions Management, InfoWorld's Dave Marshall brings you everything you need to know about application, systems and storage virtualization approaches, twice a week. Sponsored by Novell.

Measuring the Value of Metrics

Measuring the Value of Metrics: "One topic most information security professionals hate is metrics. When I was working as a security analyst and later as a security engineer, I always hated when my boss asked me to pull logs or query the remedy ticketing system and then use the metrics to report on various aspects of what I did or how well our security infrastructure was protecting the company. "

Source: http://www.computerworld.com/

Sorry Security

Sorry Security: "I owe David Maynor and Jon Ellch an apology. Several weeks ago, in a column titled “Quack Hackers,” I described their presentation at this year’s Black Hat USA security conference as one of a pair of “hoax hacks” and “rigged demos of make-believe security holes.” At Black Hat, Maynor and Ellch (who hacks under the name “Johnny Cache”) showed how they could hack into a Macintosh laptop via Wi-Fi, as long as the Mac was using a no-name Wi-Fi card with buggy drivers. But Maynor and Ellch also told a Washington Post reporter they could pull the same trick on stock Mac Wi-Fi — a trick they refused to demonstrate. Baloney, I said. It’s bogus, a publicity stunt using Apple’s name to grab headlines. "

Source: http://www.computerworld.com/

Intel and Symantec push security into firmware

Intel and Symantec push security into firmware: "The perimeter isn't vanishing -- just shifting"
Ben Ames

Intel Corp. and Symantec Corp. plan to release a firmware-based PC security product in the first half of 2007 to stop hackers from disabling virus shields.

Source: http://www.computerworld.com/

File-sharing software firm loses US case | The Register

File-sharing software firm loses US case | The Register: "Another file-sharing software maker has been found guilty of causing copyright infringement. A US judge has said the Morpheus software produced by StreamCast breaks the law.

The ruling is another victory for the entertainment industry, which has had a string of recent victories and concessions. Just weeks ago Kazaa settled with the music industry for $100m."

Source: http://www.theregister.co.uk/

Swedish pirates plan pan-European electoral assault | The Register

By OUT-LAW.COM
Swedish pirates plan pan-European electoral assault | The Register: "'That we are pro-filesharing is a consequence of us being pro-civil liberties,' said Falkvinge. 'We are pro-civil liberties for the exact same reason that the entertainment industry is against civil liberties, because they have a bottom line to protect.

'The entertainment industry is what drives today's witch hunt on civil liberties,' he said. 'DRM technologies are the large media cartels' way of writing their own laws to circumvent copyright laws and we do have an elected parliament to write such laws.'"

Source: http://www.theregister.co.uk/

Building Business Intelligence: RFID for the Information Management Professional, Part 1

By William McKnight
Building Business Intelligence: RFID for the Information Management Professional, Part 1: "From what I've learned, I am impressed with the possibilities. With this technology, the next century has the potential to codify and make finite the seemingly infinite, potentially to the point of codification of life itself. It is that big. In this first part, I will give an overview of RFID. It is important to understand the uses and applications in order to architect properly."

Source: http://www.dmreview.com/

How to defeat the new No. 1 security threat: cross-site scripting

Martin Heller
How to defeat the new No. 1 security threat: cross-site scripting: "Cross-site scripting, often abbreviated XSS, is a class of Web security issues. A recent research report stated that XSS is now the top security risk."

Source: http://www.computerworld.com/

IT-Director.com - Managing Mobile Data Security

IT-Director.com - Managing Mobile Data Security: "Mobile email represents yet another security headache for administrators, a fait accompli due to its popularity with senior management, with encrypted attachments crossing the firewall, making inspection difficult or impossible. "

Source: http://www.it-director.com/

Shops must use RFID with care | The Register

By OUT-LAW.COM
Shops which use RFID tags and CCTV cameras must tell shoppers every time an RFID tag is used and must tell shoppers how to remove them. The order comes in guidelines produced by the Information Commissioner's Office (ICO). RFID (radio frequency identification) tags are used for inventory management in many shops but are increasingly used on shop shelves to identify products. The ICO said that shops must comply with the Data Protection Act when RFID information is collected alongside personal identifying information, such as CCTV footage.

Source: http://www.theregister.co.uk/

Security firm touts end of false positives - vnunet.com

Security firm touts end of false positives - vnunet.com: "Security firm nCircle has been awarded its third patent by the US Patent and Trademark Office for an 'Interoperability of Vulnerability and Intrusion Detection Systems'.

nCircle uses the patented technology in its nTellect product, which integrates its risk management system with intrusion detection and intrusion prevention systems."

Research project targets radio tag security, privacy

Innovative Biometric Products Foray Into the Consumer World: Financial News - Yahoo! Finance

IBM to Web-publish patent applications

Symantec: Browser bugs rampaging in '06

No software is safe -- even Safari is a target!

According to Symantec Corp.'s twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla Corp.'s open-source browsers and 38 bugs in Internet Explorer during the first six months of this year. That's up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months.

Even Apple's Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.

Source: http://www.computerworld.com/

IT world Webcasts

Protecting Data on Laptops and PDAs.

The Future of Integrated Threat Management.

Protecting Privacy & Confidentiality: How to secure email communication to address compliance and protect your brand.

The Security Imperative.

Source: http://www.itworld.com/