In this issue. The future of AV: looking for the good while stopping the bad Eight holes in Windows login controls Extended validation and online security: EV SSL gets the green light Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA Web filtering in a Web...
"At Drexel University and a handful of other colleges, students created computer scripts to sway the contest—an online vote to nominate a university to receive its own clothing line—in their campuses’ favor. Tim Plunkett, a junior at Drexel, created a script that could cast 1,500 votes per second, according to The...
I came across an interesting post at freedom-to-tinker discussing the impacts of google's flu monitoring program."My concern today is whether Flu Trends can be manipulated. The system makes inferences from how people search, but people can change their search behavior. What if a person or a small group set out to...
An article over at macworld discusses the anti phishing features in the new safari."The release of Safari 3.2 on November 13 displayed Apple’s penchant for cryptic release notes, as the company describes all three versions as featuring “protection from fraudulent phishing Web sites.” Let's decode that for you: Safari 3.2 offers...
David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list."I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's...
Romain Guacher to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction."The purpose of this document is to inform administrators responsible for systems andnetwork security about the configurable security features available in the .NET Framework.To place some of...
"The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)… A good tester should know the weaknesses of the automated testers.. The problem with automated testers, is, simply put, they are not human. That is they will not have intuition that a given...
"Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 -- The Metasploit Projectannounced today the free, world-wide availability of version 3.2 oftheir exploit development and attack framework. The latest versionis provided under a true open source software license (BSD) and is backed by a community-based development...
"Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker...
"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment...
"An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company...
"Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult...
A handful of security vulnerabilities have been fixed in the latest version of firefox. Fixed in Firefox 3.0.4 MFSA 2008-58 Parsing error in E4X default namespaceMFSA 2008-57 -moz-binding property bypasses security checks on codebase principalsMFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violationMFSA 2008-55 Crash and remote code execution in nsFrameManagerMFSA 2008-54 Buffer overflow in...
"The paper introduces a new method that enables an attacker to change the.NET language, and to hide malicious code inside its core. It covers various ways to develop rootkits for the .NET framework, sothat every EXE/DLL that runs on a modified Framework will behavedifferently than what it's supposed to do. Code...
"DNSSec (Domain Name System Security Extension), which uses digital signatures to guard against forged requests, offers a means of making internet naming systems more secure. But even 15 years after the standard was developed its adoption remains low. Mockapetris blames problems in making the technology easy to deploy, delays in developing...
A co worker sent me this link yesterday afternoon. "Using what appears to be Visa's mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways....
"Kaspersky reports that the crackers are adding a JavaScript tag to the html of hacked sites. This causes surfers visiting the site to pull content from one of six gateway sites, which redirect to a server hosting malware located in China. A range of exploits are hosted on this site designed...
"With the news that Google's Android shipped with an embarrassing security hole being followed by a simple two-step method to 'jailbreak' the OS, you'd think that the company had ironed out most of the remaining bugs – but you'd be wrong. According to ZDnet's Ed Burnette, the open-source Linux-based smartphone platform...
A new whitepaper 'Protecting a Web Application Against Attacks Through HTML Shared Files' discusses the risks of user uploaded HTML files. You'll notice this paper claims to have a 'patent pending' for the concept of splitting user uploaded files to another domain with a unique identifiers. "Many Web applications have a...
"The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, NEWSWEEK reports today. At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of...
