News & Commentary
Content posted in June 2008
|
Apple Plugs Growing List Of Security Holes
If you're an OS X user, and have yet to download today's 59-MB set of security patches, right now would be a good time to run Software Update. The vendor has patched 25 vulnerabilities, and some are fairly nasty at that.
Microsoft Internet Explorer Vulnerability Warning Issued
The flaw focuses on IE's inline frames, often used for serving ads, which typically come from a different domain than content that appears on the same Web page.
Part One -- SMB Lessons
As I've been following the devastating floods in the Midwest and specifically Iowa, I can't help but say something from a disaster recovery viewpoint. Clearly my heart goes out to the personal losses being suffered by thousands of people in the area, but part of my nature is always to look for ways that companies survive. I have seen a number of stories with company's stock price being affected by not being able to maintain business operations. In some cases, this makes sense, especially in agri
Security Spending: Dollars Up, Safety Down?
IT security is spending more to deliver less or, at best, hold the line against a growing threat universe, according to major new Informationweek survey.
Cracking Physical Identity Theft
Social engineering expert reveals brick-and-mortar identity theft risks in banks, ISPs, and other firms
Survey: Unstructured Data a Security Nightmare
New Ponemon Institute report finds organizations don't have a grip on access to data on file servers, network-attached storage
Catalyst Conference 2008: The State Of Federated Identity Management
At last week's Catalyst conference in San Diego, I had a chance to sit down with identity management executives from IBM and CA to discuss the state of federated identity management. It appears while the federation of identities hasn't taken off as expected, there is still life in the technology.
Cloud Storage 101 - Part One
It seems like the hype-o-meter on cloud computing and cloud storage has been turned up a few notches lately. How real is this emerging market and how will the players begin to settle in? At its most simplistic, cloud storage is disk at the end of a wire that resides outside of your data center. It creates a "storage as a service" model that is delivered over the Internet. Many are positioning this as storage for your older digital assets, essentially an archive.
TV Guide/Comcast Joint Venture Gets NAC
GuideWorks adds mobile, visiting users to its network with TippingPoint appliance
How to Control Spam Infiltration in the Enterprise
New report from Forrester outlines the latest anti-spam best practices for businesses
Catalyst Conference 2008: GRC Is A Four Letter Word
If you work anywhere near the risk management functions within your company, whether it be as an executive, manager, auditor, or IT security practitioner, you've probably heard from many vendors trying to sell you a "GRC solution." Burton Group analysts say you just may be better off covering your ears.
Hacking the Call Center
PCI, breach fears shine light on dark corners of call center insecurity
ISPs Join Hands to Battle Botnet-Driven Spam
Messaging Anti-Abuse Working Group (MAAWG) maps out best practices for nailing spam without accidentally blocking legitimate email
TPM: A Matter Of Trust
The Trusted Platform Module never releases its internal key outside itself, so it becomes its own root of trust.
A Tipping Point For The Trusted Platform Module?
To achieve widespread adoption, TPM must overcome challenges to encryption key management.
NAC Plus Smart Switches Equals Better Control
New capabilities make the technology better than ever for access control and compliance reporting.
Tech Road Map: EKMI
Oasis' open Enterprise Key Management Infrastructure initiative promises less-complex encryption. But will vendors get on board?
Catalyst Conference 2008: Virtualization Security, Myths Vs. Reality
At Burton Group's Catalyst Conference, here in San Diego, security and virtualization analyst Alessandro Perilli explained what he sees as some of the greatest challenges to securing virtualized environments.
Central Office IT Neglects Mobile Security: CDW Survey
Mobile security is very much a moving target -- one that too many businesses are either missing or not aiming at altogether, according to a newly released study.
3 Ways That Storage Virtualization Can Save You Money
Storage virtualization is often billed as what I call a "Time To" product, meaning that it reduces the time it takes IT to respond to demands on the business. Virtualization shortens the amount of time that it takes to respond to a provisioning request, allowing for more rapid deployment of storage assets. IT departments also should consider storage virtualization if they need to flatten or shrink their budget.
Another Security Threat Aimed At Macs Found On The Web
Security vendor Intego said the latest malware masquerading as a program for Mac OS X is called "PokerGame."
Google, Microsoft Back Security & Privacy Framework for Online Health Data
The Common Framework for Networked Personal Health Information defines best practices for protecting patient data for online access
Startup Promises to Slow Software Tampering
Metaforic says its anti-hacking tools aren't invulnerable, but definitely will make software exploits less fun
Target's (The Retailer) Swipe At Privacy
Why don't retailers care more about how they handle your personal information?
Sybase Adds To Mobile Security Line
Sybase iAnywhere has expanded its mobile security portfolio to include handheld antivirus and firewall capabilities.
Watch Those Wikis: Small Public Posts Can Cause Big Business Problems
Inside knowledge, much less insider knowledge can be a dangerous business thing. Just ask the wiki-poster who got fired for leaking early news of Tim Russert's death.
Malicious Spam Traffic Triples in One Week
Sudden massive bot recruitment campaign by Srizbi botnet drives malicious spam up 9.9%, according to researchers at Marshal
Report: China Hosts Most Malware-Infected Sites
StopBadware.org report shines new light on where the world's malware-ridden sites reside
DNS Alerts-as-a-Service
New DNS alert service lets organizations customize, control notification of DNS problems and vulnerabilities
Citect Doesn't Get 'IT' When It Comes To Application Security
Citect, the Sydney, Australia-based maker of Supervisory Control And Data Acquisition (SCADA) software, CitectSCADA, doesn't seem to understand IT security, or why applications that run things like pharmaceutical plants, water treatment facilities, and natural gas pipelines should be inherently secure.
Agent-Based Data Movers
In last week's entry I discussed Global Name Spaces as a data mover for moving data to and from a disk-based archive. In addition to a Global Name Space there are other tools to move data to and archive. I find that the other solutions typically fall into one of two camps; Agent-based data movers or crawl-based data movers. There's also another category of monitoring tools that don't actually move the da
New Web Threats Imperil OS, Other Apps
IBM researchers release proof of concept for new cross-environment hopping (CEH) attack methods
Microsoft, Novell, Oracle, PayPal, Others Launch New Digital ID Forum
Nonprofit Information Card Forum established to unite various industry efforts for building online information identities to replace the username/password model
Failing The Basics Will Get You Hacked
Information security firm Sophos evaluated 580 PCs over a 40-day period and found businesses of all sizes can't tackle even the most basic things when it comes to IT security.
Microsoft Reissues Critical Security Fix For Windows XP
The original patch worked on Windows Vista, but failed to accomplish its task in Windows XP SP2 and SP3, the Microsoft Security Response Center said.
Apple Fixes Security Flaw In Windows Version Of Safari
The patch changes Safari so it will first seek permission from a user before downloading an application from a Web site to the desktop.
Global Name Spacing
In speaking with an IT manager the other day, he was complaining about running out of drive letters and the difficulty that moving away from using drive letters was causing his users. He was looking into Microsoft DFS and was looking for other solutions since he had a mixed environment of Unix and Windows. Global Name Space solutions like those available from Acopia or built into OnStor NAS products are ideal for solving the
Security Staff Snoops: Who's Watching Your Watchers (And What Are Your Watchers Watching?)
Fully a third of IT staffers recently surveyed admitted to taking unauthorized, inappropriate, and often illegal looks at confidential files and e-mails. Maybe that lets them get their peeping Tom jollies off -- but it may also leave your business on very shaky and un-jolly legal ground.
Filling Out Forms: Still a Dangerous Game
Despite upgrades and fixes, most browsers are still vulnerable to attacks via Web forms, researcher says
Tech Insight: Finding Security-Sensitive Data - on a Shoestring Budget
Thanks to open-source tools, discovering the heart of your data doesn't always mean paying an arm and a leg
New Worm Spawns More Than 8M Spam Messages
Fake news come-ons lead to infected porn site
Mozilla Confirms TippingPoint's Cheap Shot (Whoops. I Meant Vulnerability Announcement)
Mozilla security chief Window Snyder says that there is, in fact, a security flaw in the foundation's just-released Firefox 3.0 Web browser. Her announcement confirms the sucker-punch swung by TippingPoint Technologies just hours after Firefox's release.
Court Rules Employee Text Messages Are Private
A Court of Appeals ruled in favor of a police officer and others who claimed that the city of Ontario, Calif., violated their Fourth Amendment rights.
Fraud-Fighting Community Launches in US
Subscribers share information about fraudulent online transactions in online service
Neocleus Nabs $11M for Virtual Security
Startup takes aim at virtual desktops with Xen-based software
|
White Papers
Video
1 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations ProgramAs cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-12184
PUBLISHED: 2019-05-19
PUBLISHED: 2019-05-18
PUBLISHED: 2019-05-17
PUBLISHED: 2019-05-17
PUBLISHED: 2019-05-17
From DHS/US-CERT's National Vulnerability Database CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This