Apple Without Jobs: Who Secures A Company's Heart?
Very often a founder is the heart of a unique, successful company, or in the case of IBM it was actually the son of the founder, Thomas Watson Jr. All the focus this week on the likely departure of Steve Jobs from Apple has me thinking back about one of my very first jobs at Disney shortly after Walt died. In many ways these men embodied more than their companies' brands: They embodied a way of thinking about business that wasn't defined in dollars and cents; it was defined by imagination, carin
200 Sony PS3s Harnessed To Crack Secure Site Certification
A research group finds a way to forge certain digital certificates and create fake versions of popular e-commerce and banking sites.
'Curse Of Silence' Exploit Found For Nokia Handsets
A single malformed SMS message can prevent some handsets from sending and receiving further SMS and MMS messages, security researchers warn.
Four Threats For '09 That You've Probably Never Heard Of (Or Thought About)
What could keep you up at night in the new year may not be what you expect -- a look at some of the lesser-known threats predicted for 2009
Hundreds of Israeli Websites Hacked in 'Propaganda War'
Attackers deface sites with anti-Israeli and anti-U.S. messages as bombings escalate in Gaza; U.S. Webmasters warned to be vigilant
Top 10 Security Stories Of 2008
A spike in data breaches, the threat of malicious hardware, and alarming revelations about the Internet's vulnerabilities from security experts such as Dan Kaminsky all made headlines in 2008.
The (Not Quite) End Of Security On The Internet
Speaking at the 25th annual Chaos Communication Congress in Berlin, security researchers showed how they developed a rogue (forged) Certificate Authority digital certificate. Yes, this is a big deal. But no, the Internet isn't broken.
ID Theft and Police Scanners
When asked why he robbed banks, the flamboyant criminal Willie Sutton answered, "Because that's where the money is." That's the perfect example of how the principle of Occam's razor applies to crime: the simplest solution to a problem is often the best one. With the economic downturn, high unemployment rates, and the booming business of identity fraud, would-be criminals are on the lookout for easy methods to get access to personal information. And we stumbled across one such way during a rece
Security 2008: Bad Year, But Better Than What's Ahead
How bad were the security challenges in 2008? Bad! And a glance back over the year leads to the conclusion that 2009 is going to be worse.
Verizon Wins $33 Million In Cybersquatting Case
The telecom said this is the largest-ever cybersquatting judgment, but it may have a hard time getting the money from OnlineNIC.
New SSL Hack Imperils Secure Websites
Potentially deadly silent attack impersonating legitimate digital certificates revealed at hacker confab in Germany
Microsoft: The Windows Media Player Flaw That Wasn't
Microsoft refutes report of code execution vulnerability
Cloud Computing Security: What About It?
I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.
SIFT Workstation And Resources For Aspiring Forensic Examiners
Rob Lee of Mandiant and a faculty fellow from the SANS Institute gave the forensic community an early Christmas present with the release of version 1.2 of the SIFT Workstation. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob has developed the SIFT Workstation for the SANS course he developed and teaches, which is ve
CastleCops Shuts Down
After years of fighting the good fight against spammers and phishers, the all-volunteer online community has pulled the plug
New Open Standard Arrives For Gauging Security of Web Apps, Services
OWASP releases Application Security Verification Standard for developers, security pros, and buyers
CastleCops Phish Fighters Close Site
Quietly, just before Christmas, six-year-old volunteer anti-phishing group CastleCops closed its Web site, noting in an open letter that "all things come to an end." True enough, but the example CastleCops set deserves to live on, and be emulated.
Infected Digital Picture Frames: They're Ba'aack
Last January, Insignia had to yank a line of 10.4-inch digital frames from Best Buy due to reports of infection. This year it's Samsung that has egg on its face.
Every Year Bogus Holiday Cards Flood In-Boxes: This Year is No Exception
If your in-box is like mine, you've been hit with numerous fake greeting card spams. Who knows what you really get if you click on the link: Phishing attack attempt? A keystroke logger? Worse? Keep it safe.
Yes, Virginia, There Will Be More Attacks
This is the time of year when the editor of a publication usually issues a warm and fuzzy holiday message that's supposed to make you want to gather around the fire with your family for a group hug.
Unless, of course, your publication has to do with information security.
Computer Security's Six Most Important Words Of 2008
For good or ill, these six words were top of mind for security pros -- and hackers -- in the past year
You're A Mean One, Ms. Grinch
Thief who steals holiday package contents from homes is now a star on YouTube
Second Zero Day Flaw Nails Microsoft In Two Weeks
For the second time in two weeks, Microsoft is rushing to fix a zero-day vulnerability. This time the flaw is in some versions of the software used to run corporate databases.
Zero-Day SQL Server Flaw Could Allow Remote Code Execution
Exploits of unpatched vulnerability have already been published, Microsoft warns
Microsoft Confirms New SQL Server Threat
The vulnerability could leave numerous versions of the database software vulnerable to cyberattack.
Check Point Buys Nokia's Security Appliance Business
Acquisition will expand Check Point's product line, execs say
Cloud Storage Is About Dispersion
Cloud storage is destined to be one of the hottest markets next year. It is one of those technologies that is actually aided by a down economy. As IT budgets remain flat or decline, the need for storage capacity will accelerate. The ability to buy that storage as you need it instead of all at once will be interesting. Additionally, Web 2.0 and other Internet-enabled services are supposed to continue to thrive, and all these will need storage as well.
WARNING: Old Windows SQL Server Flaw Exploit Code Published
Microsoft has issued an advisory that a known critical vulnerability in older versions of Windows SQL Server now has proven attack code, developed by a security firm weary of waiting for a patch to be released.
Researchers Point Out XSS Flaws On American Express Site
Flaws could jeopardize users' identities, researchers say
Quick Take: Check Point Frees Nokia To Be Nokia
To IT security industry watchers, the move announced today that Check Point Software Technologies is acquiring Nokia's security business is no shocker. And perhaps it will enable Check Point to start doing what it should have been doing all along: innovating more.
Database Breach Preparedness
A copy of "SQL Server Forensic Analysis," by Kevvie Fowler, arrived in my mailbox today. I'd been looking forward to it because it is a highly topical subject given all of the data breaches that have occurred in the past couple of years involving databases. David Litchfield has produced numerous whitepapers and presented on the topic of Orac
Couriers Take The Cake -- And Thousands Of Bank Records
Delivery drivers reroute thousands of bank records to major German newspaper
Holiday Security: While Employees Are Away, Don't Let Crooks Play
As the holidays approach, so do opportunities to tighten security in the workplace -- or have lax habits turn into disasters.
Has Microsoft's Trustworthy Computing Got Us Anywhere?
As we noted earlier this week, Microsoft learned of a vulnerability in IE 7 on "Patch Tuesday," Dec. 9, and had a fix published for download eight days later. Now, Microsoft's Michael Howard, from the security engineering team, takes an interesting look at the lessons learned.
Tech Insight: Finding Common Ground For Security, IT Teams
Tips for security and IT teams to better cooperate on hot-button issues of password policies, patch management, and network security
RIAA To Stem Tide Of Lawsuits Against Individuals
Recording association to approach ISPs in effort to protect copyrighted music, video
The 2009 Security Tsunami
Many in the United States think the party in power has sacrificed too much privacy and liberty in order to address security concerns, particularly in regard to terrorism. The incoming administration is likely to undo a lot of this, but, at the same time, a massive number of very upset people with and without tech skills are going to find themselves jobless.
Trust Trumps Price For Cybershoppers
The hope that tight economic times are driving shoppers Webward in search of better prices carries a caveat: By a factor of ten to one, online shoppers place a higher value on trust and security than on bargains, according to recent research from VeriSign.
IE7 Zero-Day Lessons
The recent zero-day IE7 vulnerability is a big deal. Hackers used it to hack into hundreds of thousands of machines, if not millions. Both IE7 and Vista are vastly more secure than their predecessors, yet this bug sliced right through them to give the hacker a robust exploit. We need to do a post mortem of this event to figure out what we should do in the future.
Researchers Hone In On 'Dropzones' For Stolen Credentials
One-third of "impersonation attack" victims from the U.S. and Russia, research finds
Royal Rip-Off: Fergie's Personal Laptop Stolen In Break-In
Sarah Ferguson, Duchess of York, finds herself the latest victim of laptop theft
Yahoo Rivals Urged To Limit Personal Data Retention
House Internet chairman says Microsoft and Google should follow Yahoo's lead on privacy.
Much Ado Over Microsoft's (Somewhat) Rare Out-Of-Band Patch
My advice: Patch this puppy, and don't worry about whether or not Microsoft should have published this update out of its normal monthly update cycle.
How Storage Latency Affects Performance
A few entries ago I introduced the subject of latency as impedance to storage performance. The biggest area of concern is what impact storage latency has on application performance. This is an area where solid state disk (SSD) solutions can make a difference that standard mechanical drive solutions struggle to solve.
Out-Of-Cycle Patches Test Maturity Of Patch Management Programs
With two out-of-cycle security updates from Microsoft this fall, organizations are getting the opportunity to evaluate the maturity of their patch management processes through trial by fire.
Patch 'Em Up! IE Releases Critical Patch, Firefox Patches Dozen Bugs
Microsoft has released the patch that closes an Internet Explorer vulnerability that's been exploited hundreds of thousands of times in the last few days. Mozilla has patched more than a dozen Firefox problems, many of them critical. Time to get Patching!
Microsoft Releases Critical Internet Explorer Patch
The out-of-band security update fixes a JavaScript-related vulnerability that's being actively exploited through hacked Web sites.
Survey: Collaboration Applications Not Sufficiently Secured
Rohati Systems' survey finds collaboration applications are secured mainly by passwords
The Five Coolest Hacks Of 2008
Not even your psyche was safe from hacking this year -- hackers found holes in the highway toll system, building security -- and, yes, your head
Researcher: Poor SSL Implementations Leave Many Sites At Risk
Major sites continue to operate with expired or misconfigured SSL certificates, according to a researcher at Canola & Jones