News & Commentary
Content posted in January 2009
|
Web Applications: Achilles' Heel Of Corporate Security
Custom-built software is more likely to garner an online attack and less likely to be disclosed in bug reports, IBM reveals.
Despite Economy, IT Security Salaries Are On The Rise
Pay for certified security professionals is among the fastest-growing in IT, study says
Primary Storage's Three Faces
Primary storage has three faces. There is active data and inactive data; both of these data sets actually consume space, which we can compress and then remove. Then there is the third face, with the capacity that is allocated but not in use. Each needs to be handled in a different way.
Account & Identity Mismanagement
Companies' lack of proper identity management and account revocation never ceases to amaze me. Why aren't these things integrated with the human resources hiring process and subsequent exit procedure when an employee leaves or is fired?
Tech Insight: How to Pick The Right Web Application Vulnerability Scanner
There's more to a "black box" scanner than the number of vulnerabilities it can detect
Google Chrome Patch Released
Google has released an important patch for its Chrome browwer. If you're running Chrome, patch now.
Fannie Mae Logic Bomb Makes Case For Strong IDM
The indictment of an IT contractor working at Fannie Mae, who schemed to destroy the data on 4,000 servers, confirms what we know: bad economic times and layoffs are perilous, and identity and access management has never been more important.
Are We In A Tech 'War' With Russia?
I was reading the withering comments Vladimir Putin made to Michael Dell in response to Dell's offer to help Russia. Though Putin is Russia's prime minister, he clearly is also the guy who is running the country. Reading between the lines, I think it is likely he is driving a technology w
IT Worker Indicted For Setting Malware Bomb At Fannie Mae
IT contractor deployed highly malicious script before his administrative rights were terminated
Report: Intellectual Property In Peril Worldwide
Companies aren't sufficiently protecting their intellectual property in this global economy, suffering $1 trillion in losses last year, new McAfee report says
SQL Server Database Hack Tricks Forensics
Black Hat researcher will show how the bad guys can use a database's own features against it
Startup Of The Week: FireEye
FireEye deploys virtual victims to uncover new malware.
Click Fraud Rises As Economy Sinks
Fake clicks on ad links are climbing as fast as the economy falls,up a full percentage point in the last three months of 2008, according to pay per click monitoring company Click Forensics.
Nokia Fixes 'Curse Of Silence' Exploit
The vulnerability could crash millions of Nokia handsets' SMS system with a single malformed text message.
Web Malware Infects Fast, Dies Young
The number of new infected Web sites grew by 66%, from 100,000 to 200,000 per day to 200,000 to 300,000 per day in the past three months, according to AVG Technologies.
The Inevitable Has Occurred: Heartland Payment Sued
The payment processor Heartland Payment Systems just got served with a lawsuit over the allegedly massive data breach.
Microsoft SharePoint: A Weak Link In Enterprise Security?
Popular collaboration tool is easy to deploy, but hard to secure, experts say
Microsoft Study: Users Worry About Privacy But Know Little About Threats
The second annual International Data Privacy Day finds many users unaware of privacy controls at their disposal
Simulated Wi-Fi Worm Infects Thousands Of Routers Overnight
University study demonstrates potential impact of virulent attack on Wi-Fi networks
Hardware Vendor-Induced Vulnerabilities
During a recent penetration test, a friend encountered some really strange findings that he asked me to review. Several of the desktops located in one of the departments had a process listening on an ephemeral, nonstandard TCP port. He provided his Nmap and Nessus findings, which both reported an Apache Web server was running on this mysterious port. The fact they were all running Apache was cert
IE8 Security: Some Questions Answered, Others Raised
Internet Explorer 8, which Microsoft has now labeled "Release Candidate 1," meaning it's ready to be tried out by (or on) the public, promises some leaps in browser security. Does it deliver? Yes and, depending on who you ask, not quite.
The Death Of PCI DSS? Don't Be Silly
Yes, in the past year two big retailers, who were apparently compliant to the Payment Card Industry Data Security Standard, were breached. Does that mean PCI DSS has grown increasingly irrelevant? That's absurd.
Microsoft Study Finds Consumers Want Control Over Data
The software vendor's commissioned research will be revealed during a panel discussion with leaders from the California Office of Privacy Protection, Intel, and MySpace.
How To Celebrate Privacy Day (And How Not To)
Wednesday, Jan. 28, has been designated International Data Privacy Day, and I'm still not sure how to celebrate. Should I invite all of my friends and family over, then go in the bathroom, lock the door, and make an entry in my personal diary? Or maybe we should all put on funny hats and go outside with noisemakers, screaming, "It's none of your friggin' business!!" Ah, those holiday traditions.
Former Energy Worker Admits Trying To Sell Nuclear Secrets
Janitor pleads guilty to offering next-generation nuclear materials to France in exchange for $200,000
Microsoft Releases Security-Enhanced Internet Explorer 8
Latest version of the browser adds clickjacking, cross-site scripting protection
NFS On VMware, Not NetApp's Sole Domain
Using NFS to store and boot virtual machine images is becoming an attractive option, and for obvious reasons NetApp has been promoting the use of its solutions as the perfect complement to a VMware on NFS strategy. However, NFS isn't the sole domain of NetApp any longer. It now has company from a variety of vendors, including EMC, ONStor, BlueArc, and
Survey: Consumers, SMBs Slack On Privacy Protection
One-third of U.S. and U.K. consumers and SMBs say they've lost USB sticks, and nearly three-fourths leave data unprotected overall
USB Drives Dropped Off With Laundry: Whole New Meaning For "Clean Data"
9,000 USB drives were left in clothes dropped at UK dry cleaners last year. With numbers that high, you can bet that some, and maybe most, of those drives held private, sensitive, confidential data.
Software Piracy Places Everyone At Risk
On Monday, the United States claimed victory in a World Trade Organization case against China for that country's alleged lax stance toward software piracy. What's that have to do with IT security? Plenty, as the recent Downadup outbreak, as well as a number of new Trojans to hit the Mac OS X platform, highlight.
Monster.com Hit With Possible Monster-Sized Data Breach
The company declined to cite the number of affected accounts, raising the possibility that every Monster user could be affected.
Monster.com Reports Another Breach Of Its User Database
Attackers accessed username and passwords, as well as email addresses and phone numbers, popular job-hunting site says
Mac OS X Trojan Found In Pirated Photoshop CS4
About 5,000 people have downloaded the OSX.Trojan.iServices.B-infected, unauthorized software from BitTorrent and other peer-to-peer networks.
Famed British Hacker Gets Another Stay On Extradition To U.S.
Gary McKinnon now says he hacked 97 U.S. government computers because he was looking for UFOs
OS X Trojan Resurfaces In Photoshop CS4
I guess too many people got wind of the iWork 09 Trial Trojan application that was circulating in some peer-to-peer networks. The bad guys have changed their strategy: they're now targeting people downloading pirated versions of Adobe Photoshop.
Get Your Pentesting Permission Slip
As infosec professionals, we are often tasked with performing duties that would be considered illegal if we did not receive proper authorization beforehand. For example, if you were performing a penetration test against a system that you or your employer doesn't own, or for which you don't have authorization to access, then you could be violating a number of laws leading to termination and possible criminal prosecution.
Monster.Com Loses Millions MORE Job Seekers' Records
Monster.com has been hacked again, with possibly millions of customer records -- including names, phone numbers, e-mails, passwords and more -- stolen from its obviously poorly protected database. The company's handling of the news of the breach (the third in less than two years!) is as sloppy as its security.
Netgear ProSecure Brand Launches With New Security Appliances
Netgear -- well known for its networking products -- is moving into the SMB security arena with its new ProSecure brand and a new line of Security Threat Management (STM) Web and Email Threat Management Appliances.
Spread Of Downadup Worm, New Apple Mac Trojan
Security firm Symantec notes that the Downadup worm has swept through China, Argentina, Taiwan, Brazil, India, Chile, and Russia. The infection doesn't even register in the United States. Why?
White House Web Site Revisits Privacy Policy
Staffers address privacy concerns after a 1-by-1-pixel image file loaded by Web page code for tracking purposes is revealed.
Report: Law Enforcement Closing In On Heartland Breach Perpetrator
Secret Service, DoJ reportedly pinpoint location of cybercriminal outside North America
Phishing Doesn't Pay, Microsoft Finds
Lured by bad math and get-rich-quick pipe dreams into a life of cybercrime, those phishing for dollars confront a problem not unlike that faced by traditional anglers: too few fish in the sea.
Journalism School 'Ricochets' Spam Messages
If you get a message this weekend from RJICONTACTS as part of the Missouri School of Journalism, don't reply. It's the result of a mail server snafu.
Trojan Steals Cash From Symbian Phones
A Trojan targeting Indonesian Symbian users hijacks the SMS system to transfer funds from the user's account to one held by criminals.
Text Message Attack Steals Money From Bank Accounts
New mobile phone Trojan discovered by Kaspersky Lab is similar to a banking Trojan targeting PCs, but does its dirty work via text message
U.K. Orders ISPs To Archive Private E-mail Records
Critics say the plan amounts to an unwarranted invasion of privacy.
Downadup Worm Infects 1 In 16 Of World's PCs, Adding A Million A Day
The rapid (to say the least) spread of the Downadup (also known as Confickr) worm is getting worse fast, with security companies noting that one in every sixteen of the world's PCs is infected. And that number may be very conservative.
Cloud Storage Matures
The cloud is becoming tangible and definable. Customers are beginning to store data on it and companies like Bycast, Cleversafe, Amazon and Nirvanix have real customers paying real money to use their products or services. Companies like EMC and HP are bringing legitimacy to the co
Trojan Attack Masquerades As Airline E-Ticket Notice
Realistic-looking email messages from Northwest, United actually bear data-stealing malware, researcher warns
The Trouble With Phishing
Any person who is familiar with even the basics of modern computer threats will know the term phishing. It is an example of the more generic threat known as social engineering, or using psychology as a primary attack vehicle. In general, people tend to be trusting and helpful (although, of course, we can all quickly bring to mind those who are neither). Phishing and other social engineering attacks make use of these traits to trick computer users into giving up valuable information, fr
|
White Papers
Video
3 Comments
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-19349
PUBLISHED: 2018-11-17
PUBLISHED: 2018-11-17
PUBLISHED: 2018-11-17
PUBLISHED: 2018-11-17
PUBLISHED: 2018-11-17
From DHS/US-CERT's National Vulnerability Database CVE-2018-19349
PUBLISHED: 2018-11-17
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.
CVE-2018-19350PUBLISHED: 2018-11-17
In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element.
CVE-2018-19341PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader...
CVE-2018-19342PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation starting at U3DBrowser+0x00000000...
CVE-2018-19343PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read), obtain sensitive information, or possibly have unspecified other impact via a U3D sample because of a "Data from Faul...
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This