News & Commentary
Content posted in March 2011
|
NSA Investigating Nasdaq Hack
Last month when we covered the attack on the Nasdaq's Directors Desk collaboration platform, we said the incident posed plenty of questions, while the Nasdaq proffered (at least publicly) few answers. It seems the National Security Agency agrees.
Lizamoon SQL Injection: Dead From The Get-Go
The latest round of headline-grabbing SQL injection attacks aren't new, and they aren't very effective; in fact, Lizamoon might as well be called the little injection that couldn't
Trend Micro Nukes Zeus Botnet Server
PayPal, eBay, and the customers of at least 15 banks were targeted by the eliminated botnet.
Microsoft Blames Poor Development Practices For Security Risks
Windows and Internet Explorer are at greater risk of attacks because developers don't use mitigation technologies built into the software, said Microsoft.
Most Windows Applications Use Microsoft's DEP
SDL Progress Report from Microsoft shows one-third of popular consumer apps using ASLR
Searching For Security's Yardstick
Despite rising threats, most security organizations still don't have clear metrics for measuring their performance -- or their enterprises' security posture
Comodo Hack Highlights Chinks In Net Infrastructure
The certificate authority's issuance of valid certs to a supposedly Iranian hacker causes experts to question the capability of the certificate infrastructure to respond to attacks
NASA Servers At High Risk Of Cyber Attack
Auditors were able to pull encryption keys, passwords, and user account information over the Internet from systems that help control spacecraft and process critical data.
Schwartz On Security: Online Privacy Battles Advertising Profits
Do businesses have the right to make money from the unregulated buying and selling of personal information?
Comodo Reports Two More Registration Authorities Hacked
The digital certificate issuer has deactivated the affected accounts and begun to implement security and validation reforms.
(Slightly) More Organizations Proactively Managing Security Efforts
Security vendor survey at the RSA Conference 2011 shows more organizations planning and coordinating their security efforts across security and IT operations teams and risk management groups. But don't plan on a party and fireworks celebration just yet - the improvements are minor.
BP Loses Laptop With Gulf Claimant Data
The missing computer, containing personally identifiable information on 13,000 people, was password-protected, but not encrypted.
'Silos' Of Security Processes Still Not Integrated, Study Says
Log management, compliance reporting, real-time monitoring, forensic investigation, and incident response still not coordinated, according to SenSage study
'Cree.py' Social Engineering Tool Pinpoints A Person's Physical Location
Free tool automates process of pulling geolocation, other information on 'targets'
SecurID Breach Warning Signs In The Audit Logs
SANS Internet Storm Center on what to look out for in your ACE server logs in the aftermath of the RSA SecurID breach
Rustock Takedown Cut Spam By 33%
Bagel and other botnets seem to be picking up the slack, according to Symantec.
In Ironic Twist, MySQL's Own Database Is Hacked Via SQL Injection
Open-source database company's customer names, passwords revealed following database attack
Do Not Track Momentum Mounts
Legislation to be proposed by Senator John Kerry and analysis of business comments to the FTC may point toward stronger privacy protections.
Bank Of America Customers In Michigan Report Account Theft
Thousands might be affected; origin of electronic theft still uncertain
Iranian Claims Credit For Comodo Hack
Mozilla apologizes for not publicizing the attack more quickly and criticizes Comodo's security.
'Comodo Hacker' Says He Acted Alone
The plot thickens: In an effort to back up his claims, alleged hacker dumps apparent evidence of pilfered database from breached Comodo reseller, as well as Mozilla add-on site certificate
Collecting The SSD Garbage
Solid state storage (SSS) is the performance alternative to mechanical hard disk drives (HDD). Flash memory, thanks to its reduced cost compared to DRAM, has become the primary way the (SSS) is delivered. Suppliers of flash systems, especially in the enterprise, have to overcome two flash deficiencies that, as we discussed in our last entry, will cause unpredictable performance and reduce reliability.
Netgear Intros Gateway Security Appliance For SMBs
The ProSecure UTM150 unified threat management appliance polices Web traffic to help protect company networks against employee-introduced risks from social media or malicious links.
Microsoft Wins A Botnet Battle
The Rustok botnet was estimated to be one million PCs strong, underlining the dangers that malware can cause to businesses and consumers.
"Trusted" Sites Fail To Clean Malvertising Scourge
Reports indicate that users of Facebook and the European music service, Spotify, have been exposed recently to malvertising attacks.
Shocker! (Not Really): Users Apathetic When It Comes To Mobile Security
Survey conducted by the Ponemon Institute shows just how lax users really are when it comes to securing their smartphone devices.
Cyber Attack Hits European Commission
Malware was blamed for the "major" breach, launched on the eve of a summit focusing on euro instability, the war in Libya, and nuclear safety.
Consumerization Of IT: Security Is No Excuse
At most companies, you can't just say "no" to consumer devices. Here's a plan to take the lead on information security issues.
McAfee Buyout of Sentrigo Sends Database Security Market In New Direction
Database security isn't just for database companies anymore, observers say
ANSI And Shared Assessments Launch Study On Financial Impact Of Breached Patient Data
Study could help healthcare companies justify additional security spending
Understanding SSD Vendor Talk
If you are either evaluating or getting ready to evaluate investing in solid state storage for your data center you are going to be faced with learning a new language, confronted with a new set of specs and a new set of debate around what features are most important. This will be the first entry in a series that will give you the decoder ring to understanding what Solid State Disk (SSD) vendors are talking about and what statistics are most important.
Consumerization Of IT: Security Is No Excuse
At most companies, you can't just say "no" to consumer devices. Here's a plan to take the lead on information security issues.
Dark Reading Report: How Malware Authors Battle To Evade Detection
A look at the new, ingenious ways bad guys use to frustrate analysts and evade automated security tools
Social Engineering 'Capture The Flag' Contest Returns To DefCon
Changes to this year's contest include some volunteer, high-profile target companies
Are Industrial Control Systems The New Windows XP
Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.
Flawed Website Certificate Validation Process Led To Comodo Hack
Certificate authority points to Iran as likely attacker, while security experts say certificate registration and validation process needs repair
Gmail, Hotmail Pose Government Security Risk
Australian auditor recommends blocking Webmail on government networks to prevent insider and external threats.
DHS Outlines Cybersecurity Strategy
Automation, interoperability, and authentication are the building blocks for a secure network defense, says the Department of Homeland Security.
Iran Fingered For Fraudulent Comodo SSL Certificates
Gmail, Hotmail, and Skype are among the domains affected by fraudulently obtained digital certificates, said Comodo.
McAfee's DAM Acquisition
Sentrigo acquisition fills data center security hole in McAfee's offerings
SCADA Attack Code Released For 35 Vulnerabilities
Systems from Siemens, Iconics, 7-Technologies, and DATAC have security holes in their supervisory control and data acquisition software, leading the Industrial Control Systems Cyber Emergency Response Team to issue security warnings.
Federal Cyber Attacks Rose 39% In 2010
While total incidents reported to US-CERT were down, government networks experienced more attacks than in 2009, according to a Congressional report.
Hackers Take Schools To School
Nearly two-thirds of schools suffer two breaches or more per year, Panda Security study says
McAfee To Acquire Database Security Vendor Sentrigo
Intel's McAfee is taking on industry heavyweights Oracle and IBM with its move to shape an enterprise database security platform.
Schwartz On Security: Advanced Threats Persist And Annoy
APTs are today's normal threat, and companies such as RSA must do better, even as the odds against them keep increasing.
ICS-CERT Issues Warnings On Vulnerabilities In Siemens, Other SCADA Products
Researcher discloses 34 vulnerabilities, releases proof-of-concept attack code for four process control server software product lines
SecurID Customers Left To Assume The Worst
With scant details about RSA's hack, SecurID customers begin preparing to shore up defenses in case of multifactor authentication failure
Feds Bust Stock 'Pump And Dump' Botnet Scheme
Authorities said a group used hacking, spam, and malware to artificially inflate securities prices and then sell shares at a profit.
Adobe Patches Critical Security Flaw
With attackers actively exploiting the bug to remotely execute code, Adobe recommends that all Flash, Reader, and Acrobat users upgrade immediately.
Hospital Hacker 'GhostExodus' Sentenced To 9 Years
Contract security guard installed malware on sensitive hospital systems to attack the Anonymous hacking collective.
|
White Papers
Video
3 Comments
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-19220
PUBLISHED: 2018-11-12
PUBLISHED: 2018-11-12
PUBLISHED: 2018-11-12
PUBLISHED: 2018-11-12
PUBLISHED: 2018-11-12
From DHS/US-CERT's National Vulnerability Database CVE-2018-19220
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI.
CVE-2018-19221PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter.
CVE-2018-19222PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists.
CVE-2018-19223PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI.
CVE-2018-19224PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This