News & Commentary
Content posted in September 2008
|
End Users Lax With Company Data
A new security study shows end users from around the world treat data and corporate systems with little respect for the potential consequences. When it comes to corporate data, which is actually often customer data, there's little regard for security.
New DoS Attack Is a Killer
Things are a-brewin' in Sweden. Sweden is not just home of the infamous bikini team, it is also the home of Outpost 24, an equally sexy software-as-a-service network scanning service, and the employer of my friend Robert E. Lee and his colleague Jack C. Louis. These guys are the inventors of UnicornScan, a user-land TCP stack turned into a port scanner. Never heard of it? Use Nmap exclusively? Well if you run Linux, I suggest checking
Can You Prove Compliance In The Cloud?
Whether you're in the midst of an audit or a forensic investigation, thorough logs are the key to proving compliance with security regulations. So how do you prove your organization is/was compliant when you aren't able to maintain logs? This is the nagging question that gnaws hungrily at my weary brain every time I ponder cloud computing.
Study: Routine Misbehavior by End Users Can Lead to Major Data Leaks
Many end users don't understand the risks associated with breaking company security policies, report says
Attackers Mix Online, Offline Exploits to Mask Financial Fraud
Cybercriminals split the attack cycle into pieces that may appear unrelated in order to evade detection
A Simple Sync Can 'Sink' Your PC
Researchers release proof-of-concept for attack on Windows' ActiveSync 4.0
Scareware Purveyors To Get Legal Thrashing
We've previously warned about the rising number of scareware threats attempting to scam Internet users. Now Microsoft and the state of Washington are gnashing their legal teeth. Will it work?
Microsoft, Washington State Launch Legal Assault On Scareware
The lawsuit against Registry Cleaner XP is trying to halt pop-up ads that look like Windows system messages and falsely claim that a critical system error has occurred.
InfoBlox Upgrades DNS Appliance
The new software rev of makes DNS infrastructures more resistant to cache-poisoning attacks.
Free Cloudmail Continuity Offer From LiveOffice
Snailmail may be immune to rain, sleet snow, etc. but heavy weather can wreak heavy damage -- and outright interruption and downtime -- on your e-mail traffic. A new free service from LiveOffice argues that the solution to storm clouds' potential for disruption lies in the digital Cloud.
CSRF Flaws Found on Major Websites
Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks
The Death Of The Dual Controller Architecture?
Clustered storage is everywhere; are we seeing the end of the dual controller architecture?
Yahoo! Japan Auctions Compromised, Report Says
Thieves may have accessed Web auction site as many as 1.5 million times since May
Theft at RAF Facility Endangers Personal Data of 50,000
Data on British air force hard drives wasn't encrypted; old facility 'wasn't that secure,' reports say
Mozilla Fixes Password Management Gaffe
Just after Mozilla released Firefox version 3.0.02, which fixed a bevy of security problems, the foundation had to issue a notice to users about a flaw that could keep users from accessing and even creating passwords under some conditions.
Archive Needs To Succeed For SSD To Dominate
In my last entry I wrote that speed is solid state disk's "killer app," but for SSD to really become the primary storage mechanism in tier one, the archive tier needs to be fully established.
'Clickjacking' Attack Prompts Warning To Disable Browser Plug-Ins
The flaw affects Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera and could trick a user into clicking on content from another page.
ISPs Call For Industry Standards On Behavioral Targeting
Verizon, AT&T, and Time Warner Cable pledge to Congress to only monitor activity if users choose to opt in.
Portrait Of A Computer Forensic Examiner
While data can be recovered from any computer, expert Ives Potrafka believes that corporate IT departments have far less control over what happens on PCs used for work.
Adobe PDF Reader Vulnerable, U.S. CERT Warns
The government's standard precautionary advice: Don't open files from sources you don't trust, and keep your antivirus software and patches up to date.
Astaro Debuts E-mail Spam Fighter For SMBs
Everybody hates spam. It clogs inboxes and online traffic, cuts productivity, and holds out false hope of riches, romance, and hair. Astaro's new Mail Gateway is designed to help your company deal with spam and other e-mail issues without spending a lot of money.
Survey: Virtually No Security in Enterprises' Virtual Systems
Enterprise survey shows few companies have secured their virtual environments
New ID Theft Service Crawls the Web on Consumers' Behalf
For $15, Affinion penetrates hacker chat rooms and warns users when their data is for sale
DeviceLock Enhances Portable Storage Security
Its endpoint security, access-control software is designed to keep crucial company information from walking out the door
Senate Committee Approves Updated FISMA Bill
The Senate Homeland Security and Government Affairs Committee just approved S.3474, which will update the Federal Information Security Management Act (FISMA), in the hope of lifting federal security efforts beyond what many have deemed a paperwork shuffle that does little to boost security.
One In Ten Computer Users Don't Have A Clue About Security
They've got computers, they've got apps and they've almost undoubtedly got confidential data, but a new study from privacy company Steganos found that nearly 10 percent of computer users didn't know if they had anti-virusware installed. And it gets worse...
Time To Send Out For Security Help?
Providers are looking to provide everything from e-mail security to log management, all from the cloud.
Locking Down The Cloud: Why DNS Security Must Be Improved
What's in a domain name? Everything, when your data is at stake.
Envysion Makes A Strong Case For Managed Video As A Service
Tests show the package is versatile enough to use for far more than monitoring PoS.
Tiger Team Member Attacks Developers, Not Apps
Expert shows how he can get into a Web app without touching the application itself
Laptops Stolen From DHS Transportation Worker ID Program Office
TSA's New Haven, Conn., office was broken into over the weekend and two laptops that handle applications for new biometric IDs for port workers were stolen
India's Government Claims BlackBerry Crypto Crack
After months of wrangling with Research In Motion to hand over its crypto keys, the country now claims to have attained the ability to snoop on some RIM users in that country.
Sarah Palin E-Mail Hacking Grand Jury Returns No Indictment
A Tennessee Democratic state representative's son was linked last week to involvement in the breach of the Republican vice presidential candidate's Yahoo Mail account.
Speed Is The SSD 'Killer App'
In a recent blog entry I provided a time line on when I thought SSD would become the dominant storage type for what is currently the active storage tier. One of the key enablers of this will be the increasing need for speed and mechanical hard drives' lack of ability to deliver it in a cost- effective manner.
Shadowserver to Build 'Sinkhole' Server to Find Errant Bots
New initiative will emulate IRC, HTTP botnet traffic
Many PC Users Remain Unaware of Security, Privacy
More than a tenth of users don't know whether they have an antivirus, firewall; majority don't know what privacy settings they're using
North American Companies Embracing Security Outsourcing
The U.S. managed security services market is booming, and set to double in size in the next few years? MSSPs have been around, in one iteration or another, for as long as I can remember. Why is the market set to rock now?
Risky Employee Web Use: Cloud Storms Gathering
How are you going to keep them on task when they can go to the Web? is not only a productivity question, it's a growing security concern. A new study indicates the concern is growing fast.
For US Enterprises, Computer Crime Starts at Home
Despite perceptions about overseas hackers, attacks increasingly emanate from domestic sources, studies say
Phony Pop-Up Warning Messages Dupe Most Users
New research from NC State University shows how even savvy users fall for malicious system error messages
Man Indicted for Hacking & Blackmailing Luxury Automaker
Sixty-year-old hacker threatened Maserati North America with exposing his theft of customer data from carmaker's Website
Information Cards Are Awesome; But Are Identifying Parties Really Ready To Do This Right?
Perhaps the greatest thing about information cards is that they might finally free us from the purpose-defeating and idiotic practice of using Social Security numbers as a nigh-universal identifier. But it won't work unless the Identifying Parties find a way to balance security with portability, and can smartly manage distribution, expiration, and destruction.
'Profiler' Hacks Global Hacker Culture
Former notorious Italian hacker releases initial results of research identifying different types of hackers and their behaviors on and offline
McAfee Secures Place In UTM Market With $465 Million Acquisition
There's still big demand for unified threat management (UTM) devices, especially in the SMB part of the market, and with its $465 million acquisition McAfee is making a big move that will shore its network security products.
McAfee Acquires Secure Computing
McAfee is buying Secure Computing for $465 million, rounding out its network security business and strengthening its security risk management offerings among companies of all sizes.
Cloud Storage 2.0
Cloud storage 1.0 as it exists today has one primary service; it stores data. Not very exciting. Cloud storage 2.0 will have to provide the ability to do more with that data than just store it.
Untangle Offers Free Open Source Security
Untangle's new open source security gateway aims to free small and midsized businesses from dedicated security machines -- and to do so for free.
US-Based Malware Network Shuts Down
Network that served large numbers of hackers is no longer in service, observers say
Brocade Enhances Storage Mgt. Software, Adds Encryption Engine
Fibre Channel specialist enhances management capabilities to include products gained from McData acquisition
Employees Still Flouting Security Policies, Study Says
Three in 10 enterprises say their business' security is being compromised by personal use of corporate systems
|
White Papers
Video
0 Comments
Current Issue
Flash Poll
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security — even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-10839
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
From DHS/US-CERT's National Vulnerability Database CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This