Feeds
13620 items (14 unread) in 75 feeds
-
Jeremy Zawodny's blog
-
Mozilla Webdev
-
Transcendental Technical Travails
-
Ian Bicking: a blog
-
Hackosis (2 unread)
WebSecurity
(10 unread)
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
(10 unread)
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
SEO
(2 unread)
-
SEO BlackHat: Black Hat SEO Blog
-
busin3ss.name
(2 unread)
76 items tagged "IndustryNews"
CGISecurity.com: Your Web Site and Application Security Resource
-
Paper: Web Application finger printing Methods/Techniques and Prevention
Posted: July 21st, 2011, 3:51pm CDT by Robert A.
Tags: IndustryNews [edit]
Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are... -
How not to publish SCADA security advisories
Posted: March 22nd, 2011, 2:23pm CDT by Robert A.
Tags: IndustryNews [edit]
"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't... -
Tracking and understanding security related defects: Useful data points for shaping your SDLC program
Posted: January 11th, 2011, 11:34am CST by Robert A.
Tags: IndustryNews [edit]
In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC related content. I've just published a lightweight article discussing tips and tricks for tracking software level vulnerabilities in larger organizations. Abstract: "If you work in infosec for a large organization it can be difficult to easily track... -
Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection
Posted: February 22nd, 2010, 4:32pm CST by Robert A.
Tags: IndustryNews [edit]
I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory... -
Post on Abusing Windows Communication Foundation to Perform Remote Port Scans
Posted: February 17th, 2010, 12:10pm CST by Robert A.
Tags: IndustryNews [edit]
Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind... -
Larry Suto Web Application Security Scanner Comparison Report Inaccurate Vendors Say
Posted: February 8th, 2010, 3:37pm CST by Robert A.
Tags: IndustryNews [edit]
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t... -
WASC Threat Classification to OWASP Top Ten RC1 Mapping
Posted: January 6th, 2010, 11:41am CST by Robert A.
Tags: IndustryNews [edit]
Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html -
Clientless SSL VPN products break web browser domain-based security models
Posted: December 1st, 2009, 11:59am CST by Robert A.
Tags: IndustryNews [edit]
A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link... -
OWASP Issues 2010 Top 10 (RC1)
Posted: November 16th, 2009, 1:34pm CST by Robert A.
Tags: IndustryNews [edit]
At AppsecDC OWASP published the latest version of its top ten list. From the Top Ten "OWASP plans to release the final public release of the OWASP Top 10 -2010during the first quarter of 2010 after a final, one-month public comment period ending December 31, 2009. This release of the OWASPTop 10... -
Attacking Magstripe Gift Cards
Posted: October 26th, 2009, 12:36pm CDT by Robert A.
Tags: IndustryNews [edit]
Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”,... -
Metasploit sold to Rapid7
Posted: October 21st, 2009, 11:42am CDT by Robert A.
Tags: IndustryNews [edit]
It was announced this morning that Rapid7 has purchased metasploit, and hdmoore! That is all. Rapid7 Announcement: http://www.rapid7.com/metasploit-announcement.jsp Metasploit Blog: http://blog.metasploit.com/2009/10/metasploit-rising.html Metasploit Blog: http://blog.metasploit.com/2009/10/joining-team.html More Coverage http://www.andrewhay.ca/archives/1085 http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html http://darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067 -
New open source web application layer firewall 'ESAPI WAF' released
Posted: September 23rd, 2009, 4:41pm CDT by Robert A.
Tags: IndustryNews [edit]
"The open-source ESAPI WAF is a departure from commercial, network-based firewalls, as well as ModSecurity's free WAF, says Arshan Dabirsiaghi, developer of the ESAPI WAF and director of research for Aspect Security. Dabirsiaghi will roll out the WAF at the OWASP Conference in Washington, D.C., in November. "WAFs today are deployed as... -
MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Posted: September 8th, 2009, 3:50pm CDT by Robert A.
Tags: IndustryNews [edit]
Microsoft has just published a remote vulnerability in the windows TCP/IP stack. "This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service.... -
WASC Threat Classification v2 updates
Posted: August 24th, 2009, 1:25pm CDT by Robert A.
Tags: IndustryNews [edit]
We're nearing the completion of the WASC Threat Classification v2 (2 sections left!) and have added the following new sections since my last couple of posts. Null Byte Injection Integer Overflows We've also heavily updated the following sections Buffer Overflows (in depth discussion of heap vs stack vs integer overflows) SQL... -
Bypassing OWASP ESAPI XSS Protection inside Javascript
Posted: August 20th, 2009, 11:34am CDT by Robert A.
Tags: IndustryNews [edit]
"Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is all about breaking things and features all the scenarios that can result in XSS. To complement his efforts, there is an excellent XSS prevention cheat sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far as I... -
One In Two Security Pros Unhappy In Their Jobs?
Posted: July 24th, 2009, 11:28am CDT by Robert A.
Tags: IndustryNews [edit]
Darkreading posted the following article on a infosec job survey that I found highly intriguing. "Kushner and Murray say they were surprised by security's high number of unhappy campers -- 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs.... -
Static Analysis Tools and the SDL (Part Two)
Posted: July 13th, 2009, 10:04am CDT by Robert A.
Tags: IndustryNews [edit]
"Hi, Bryan here. Michael wrote last week on static analysis for native C/C++ code, and this week I’ll be following up by covering the tools we use for managed static analysis. The SDL requires teams writing managed code to use two static analysis tools: FxCop and CAT.NET. Both of these tools... -
Static Analysis Tools and the SDL (Part One)
Posted: July 13th, 2009, 10:03am CDT by Robert A.
Tags: IndustryNews [edit]
"This is part one of a two part series of posts by myself and Bryan Sullivan; I will cover the static analysis tools we use at Microsoft (and make available publicly) for analyzing unmanaged (ie; Native) C and C++ code, and Bryan will cover managed code static analysis in a later... -
Masked passwords must go?
Posted: June 30th, 2009, 12:00pm CDT by Robert A.
Tags: IndustryNews [edit]
"Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in.... -
Article: The Problem of "Too Many Problems"
Posted: June 25th, 2009, 3:12pm CDT by Robert A.
Tags: IndustryNews [edit]
Rafal has a good post on the challenges security folks/sdl folks have when presenting their findings to business folks. "The presentation the next day kicked off as expected... we presented our executive summary, the methodology of our product validation and moved on to the specific findings. In this case, since there... -
Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability
Posted: May 27th, 2009, 4:37pm CDT by Robert A.
Tags: IndustryNews [edit]
Steve Friedl posted the following to bugtraq this afternoon. "There has been a fair amount written on the vulnerability itself, but there's a large cohort who has no idea if their systems are at risk ("What is WebDAV, and how do I know if I have or need it???"). So I've... -
OpenSSH Protocol Pwned
Posted: May 21st, 2009, 3:12pm CDT by Robert A.
Tags: IndustryNews [edit]
"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG). An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead... -
Java Flaw still not fixed in Mac OS X
Posted: May 20th, 2009, 11:45am CDT by Robert A.
Tags: IndustryNews [edit]
"According to Julien Tinnes in the CR0 Blog, it appears that Apple's recent security update failed to fix a Java flaw that was reported to Sun back in August 2008 and patched by Sun way back in December 2008. The upshot: according to the blog (and I've yet to be able... -
IIS6.0 WebDav Unicode Remote Auth Bypass
Posted: May 18th, 2009, 1:36pm CDT by Robert A.
Tags: IndustryNews [edit]
Update: Microsoft has posted some additional information in multiple entries. A new unicode bug in IIS has been discovered which allows an attacker access to resources behind password protected sites. This issue only seems to affect IIS 6 (5 and 7 seem immune) and no fix has been issued at this... -
Researchers release Win 7 rootkit
Posted: May 8th, 2009, 11:45am CDT by Robert A.
Tags: IndustryNews [edit]
"Security researchers have released a proof-of-concept rootkit for Windows 7, in the hopes that its availability will assist in the prompt development of an antidote. Indian security researchers Vipin Kumar and Nitin Kumar demonstrated the toolkit, dubbed Vbootkit 2.0, at the Hack In The Box security conference in Dubai last month.... -
JavaScript flaw reported in Adobe Reader
Posted: April 29th, 2009, 11:13am CDT by Robert A.
Tags: IndustryNews [edit]
"The United States' Computer Emergency Readiness Team (US-CERT) warned users of the ubiquitous Adobe Reader to disable the program's use of Javascript after Adobe warned on Monday that a possible flaw had been found. In a post to its product security blog, the company said it was investigating reports of a... -
Open Source SSL Acceleration
Posted: April 15th, 2009, 6:44pm CDT by Robert A.
Tags: IndustryNews [edit]
"SSL acceleration is a technique that off-loads the processor intensive public key encryption algorithms used in SSL transactions to a hardware accelerator. These solutions often involve a considerable up front investment as the specialized equipment is rather costly. This article though looks at using off the shelf server hardware and open... -
Microsoft April patch tuesday addresses 8 security issues
Posted: April 14th, 2009, 6:39pm CDT by Robert A.
Tags: IndustryNews [edit]
"MS09-010 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad... -
Tool: XSS Rays
Posted: March 27th, 2009, 3:51pm CDT by Robert A.
Tags: IndustryNews [edit]
"I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web... -
More companies seek third-party Web app code review, survey finds
Posted: March 27th, 2009, 3:46pm CDT by Robert A.
Tags: IndustryNews [edit]
"The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information... -
Web Application Security Spending Relatively Unscathed By Poor Economy
Posted: March 19th, 2009, 3:43pm CDT by Robert A.
Tags: IndustryNews [edit]
"First the good news: Despite the global recession, two-thirds of organizations either have no plans to cut Web application security spending, or they expect their spending to increase this year. Now the bad news: Spending for security applications is less than 10 percent of the overall security budget in 36 percent... -
Malware installing rogue DHCP server
Posted: March 19th, 2009, 1:43pm CDT by Robert A.
Tags: IndustryNews [edit]
Sans published an entry about a new piece of malware that installs a rogue DHCP server that specifies a rogue DNS server, presumably for phishing and malware deployment. I wouldn't be surprised if this concept is fairly old but it appears to be the first time a common piece of malware... -
Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection
Posted: March 9th, 2009, 7:40pm CDT by Robert A.
Tags: IndustryNews [edit]
Dan Kaminsky has just published his latest paper on middleware attacks that I recommend checking out. "For CanSecWest this year, I thought it’d be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and... -
Dan Bernstein Confirms Security Flaw In Djbdns
Posted: March 5th, 2009, 3:14pm CST by Robert A.
Tags: IndustryNews [edit]
"Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of most popular alternatives for the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher that found the bug. The bug allows a nameserver running... -
Caching bugs exposed in second biggest DNS server
Posted: March 2nd, 2009, 12:24am CST by Robert A.
Tags: IndustryNews [edit]
"For years, cryptographer Daniel J. Bernstein has touted his djbdns as so secure he promised a $1,000 bounty to anyone who can poke holes in the domain name resolution software. Now it could be time to pay up, as researchers said they've uncovered several vulnerabilities in the package that could lead... -
Security assessment of the Transmission Control Protocol (TCP)
Posted: February 12th, 2009, 4:51pm CST by Robert A.
Tags: IndustryNews [edit]
The following email was sent to Full Disclosure today. I haven't had a chance to read this monster 140 document yet but it sure sounds interesting."The TCP/IP protocol suite was conceived in an environment that was quitedifferent from the hostile environment they currently operate in.However, the effectiveness of the protocols led... -
Microsoft Security Bulletin MS09-002
Posted: February 10th, 2009, 7:06pm CST by Robert A.
Tags: IndustryNews [edit]
"Microsoft published four patches on Tuesday to close serious vulnerabilities in its Internet Explorer browser, Exchange e-mail server and Microsoft SQL server. The fixes, which were released on Microsoft's regular monthly schedule, close two Critical vulnerabilities in Internet Explorer 7 running on Windows XP that could allow a malicious Web site... -
Calling all Researchers! Send in the Top Web Hacking for 2008
Posted: February 2nd, 2009, 1:00am CST by Robert A.
Tags: IndustryNews [edit]
Jeremiah Grossman is looking to compile a list of top web hacking for 2008."It's time once again to create the Top Ten Web Hacking Techniques of the past year. Every year Web security produces a plethora of new and extremely clever hacking techniques (loosely defined, not specific incidents), many of which... -
'Human error' shuts down Google
Posted: January 31st, 2009, 6:10pm CST by Robert A.
Tags: IndustryNews [edit]
"THE world’s biggest internet search engine temporarily shut down today, leaving hundreds of millions of surfers stranded in cyberspace. Google broke down for forty minutes this afternoon, paralysing everything from internet-dating to people checking out the latest news. Anyone searching for a site using Google was blocked with the warning: “This... -
OWASP interviews Gary McGraw
Posted: January 26th, 2009, 12:12pm CST by Robert A.
Tags: IndustryNews [edit]
Gary posted the following to the SC-L list today."hi sc-l,OWASP just posted an interview with me as part of their budding podcast series. It's nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It's also nice to be able to answer some of the... -
Oracle Releases Critical Patch Update With 41 Fixes
Posted: January 13th, 2009, 5:15pm CST by Robert
Tags: IndustryNews [edit]
"Oracle delivered 41 security fixes to its customers in its first critical patch update (CPU) of the year. Among those fixes are patches for serious flaws affecting Oracle WebLogic Server and Windows versions of Oracle Secure Backup. According to Oracle, a vulnerability in the WebLogic Server plugins for Apache, Sun and... -
Oracle Releases Critical Patch Update With 41 Fixes
Posted: January 13th, 2009, 5:15pm CST by Robert A.
Tags: IndustryNews [edit]
"Oracle delivered 41 security fixes to its customers in its first critical patch update (CPU) of the year. Among those fixes are patches for serious flaws affecting Oracle WebLogic Server and Windows versions of Oracle Secure Backup. According to Oracle, a vulnerability in the WebLogic Server plugins for Apache, Sun and... -
New DNSSEC Bind Flaw Patched
Posted: January 9th, 2009, 6:39pm CST by Robert
Tags: IndustryNews [edit]
"Security researcher Dan Kaminsky made headlines last year when he discovered a critical DNS flaw. If left unpatched it could have crippled vast parts of the Internet. As 2009 starts up, a new DNS (define) flaw has emerged, but the severity of the threat is less pronounced. ISC (Internet Systems Consortium)... -
Oracle to issue 41 patches on January 13th
Posted: January 9th, 2009, 3:05pm CST by Robert
Tags: IndustryNews [edit]
"Next Tuesday (13 January) promises to be a busy day for hard-pressed sys admins. Although Microsoft's regular monthly Patch Tuesday update promises only one bulletin, a critical fix for Windows1, Oracle's quarterly batch weighs in at 41 fixes. The updates fix vulnerabilities across "hundreds of Oracle products", an alert from Oracle... -
Security: The Number One Technology Failure of All Time
Posted: January 4th, 2009, 9:45pm CST by Robert
Tags: IndustryNews [edit]
"I was reading through an article last night about the 25 greatest blunders in technology history and was happily strolling through memory lane (what are Palm Pilots, PS/2s and Apple Newtons anyways? :p) and then got quite a surprise at the very end of the article. The number one technology failure... -
Computerworld Security predictions for 2009
Posted: December 31st, 2008, 12:42pm CST by Robert
Tags: IndustryNews [edit]
"My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should happen. As always, take these with a grain of salt. Though these predictions are based on primary research and many, many discussions with chief security officers, they... -
MS08-067 Worm on the Loose
Posted: December 31st, 2008, 12:19pm CST by Robert
Tags: IndustryNews [edit]
Dshield has published a report of a new MS08-067 worm spreading."It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries... -
CastleCops Shuts Down
Posted: December 29th, 2008, 4:12pm CST by Robert
Tags: IndustryNews [edit]
"In a blow to anti-phishing efforts, the famed CastleCops organization dedicated to fighting spam and phishing quietly shuttered its site last week. The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites. CastleCops itself was also a constant target of... -
It’s unanimous, Web application security has arrived
Posted: December 29th, 2008, 12:59pm CST by Robert
Tags: IndustryNews [edit]
Jeremiah Grossman has posted an entry discussing the various security reports and how they are labeling web application security as a primary concern. "It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec,... -
Top 9 Network Security Threats in 2009
Posted: December 29th, 2008, 11:35am CST by Robert
Tags: IndustryNews [edit]
"Malware, especially from compromised web sites, was a huge issue in 2008. Many legitimate sites such as MSNBC.com, History.com, ZDNet.com and many others suffered compromises, in some cases for days. Unlike the past, the sites looked normal, but unsuspecting web surfers with vulnerable systems were exploited when they visited these sites.... -
Google destroys SEO business by manually selecting sites
Posted: December 12th, 2008, 1:44pm CST by Robert
Tags: IndustryNews [edit]
"Google this week admitted that its staff will pick and choose what appears in its search results. It's a historic statement - and nobody has yet grasped its significance. Not so very long ago, Google disclaimed responsibility for its search results by explaining that these were chosen by a computer algorithm.... -
Microsoft to offer free Antivirus
Posted: November 19th, 2008, 11:11am CST by Robert
Tags: IndustryNews [edit]
"Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker... -
MS explains 7-year patch delay
Posted: November 17th, 2008, 12:03pm CST by Robert
Tags: IndustryNews [edit]
"Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult... -
DNS inventor blames wrangling for insecure interweb
Posted: November 12th, 2008, 2:33pm CST by Robert
Tags: IndustryNews [edit]
"DNSSec (Domain Name System Security Extension), which uses digital signatures to guard against forged requests, offers a means of making internet naming systems more secure. But even 15 years after the standard was developed its adoption remains low. Mockapetris blames problems in making the technology easy to deploy, delays in developing... -
Visa Card Features Buttons and Screen to Generate CCV Dynamically
Posted: November 12th, 2008, 11:51am CST by Robert
Tags: IndustryNews [edit]
A co worker sent me this link yesterday afternoon. "Using what appears to be Visa's mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways.... -
Obama Pwns Mcain in election, hacker pwns them both
Posted: November 5th, 2008, 5:51pm CST by Robert
Tags: IndustryNews [edit]
"The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, NEWSWEEK reports today. At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of... -
Remote buffer overflow bug bites Linux Kernel
Posted: November 5th, 2008, 3:07pm CST by Robert
Tags: IndustryNews [edit]
"A remote buffer overflow vulnerability in the Linux Kernel could be exploited by attackers to execute code or cripple affected systems, according to a Gentoo bug report that just became public. The flaw could allow malicious hackers to launch arbitrary code with kernel-level privileges. This could lead to complete system compromise... -
Remote buffer overflow bug bites Linux Kernel Driver Wrapper
Posted: November 5th, 2008, 3:07pm CST by Robert
Tags: IndustryNews [edit]
"A remote buffer overflow vulnerability in the Linux Kernel could be exploited by attackers to execute code or cripple affected systems, according to a Gentoo bug report that just became public. The flaw could allow malicious hackers to launch arbitrary code with kernel-level privileges. This could lead to complete system compromise... -
Apache 2.2.10 Released to address XSS Vulnerability
Posted: November 3rd, 2008, 3:49pm CST by Robert
Tags: IndustryNews [edit]
"The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.10 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed: CVE-2008-2939: mod_proxy_ftp: Prevent XSS attacks when using... -
OpenBSD 4.4 Released
Posted: November 2nd, 2008, 4:33pm CST by Robert
Tags: IndustryNews [edit]
"Nov 1, 2008. We are pleased to announce the official release of OpenBSD 4.4.This is our 24th release on CD-ROM (and 25th via FTP). We remainproud of OpenBSD's record of more than ten years with only two remoteholes in the default install.As in our previous releases, 4.4 provides significant improvements,including new... -
OpenBSD 4.4 Released
Posted: November 2nd, 2008, 4:33pm CST by Robert
Tags: IndustryNews [edit]
"Nov 1, 2008. We are pleased to announce the official release of OpenBSD 4.4.This is our 24th release on CD-ROM (and 25th via FTP). We remainproud of OpenBSD's record of more than ten years with only two remoteholes in the default install.As in our previous releases, 4.4 provides significant improvements,including new... -
ICANN Terminates EstDomains Registrar Accreditation due to Fraud, Money Laundering Convictions
Posted: October 29th, 2008, 12:09pm CDT by Robert
Tags: IndustryNews [edit]
Gadi Evron posted the following link to the Full Disclosure list this morning which I thought was interesting. Read More: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf -
ICANN Terminates EstDomains Registrar Accreditation due to Fraud, Money Laundering Convictions
Posted: October 29th, 2008, 12:09pm CDT by Robert
Tags: IndustryNews [edit]
Gadi Evron posted the following link to the Full Disclosure list this morning which I thought was interesting. Read More: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf -
Yahoo Security Flaw Fixed in hours
Posted: October 28th, 2008, 3:47pm CDT by Robert
Tags: IndustryNews [edit]
"Hours after Web analytics firm Netcraft (www.netcraft.com) announced a flaw on a Yahoo (www.yahoo.com) website used to steal users' authentication cookies to gain access to Yahoo accounts, such as Yahoo Mail, the company blocked entry to hackers. In an email message to theWHIR Monday, Yahoo's HotJobs division stated that the cross-site... -
Yahoo Security Flaw Fixed in hours
Posted: October 28th, 2008, 3:47pm CDT by Robert
Tags: IndustryNews [edit]
"Hours after Web analytics firm Netcraft (www.netcraft.com) announced a flaw on a Yahoo (www.yahoo.com) website used to steal users' authentication cookies to gain access to Yahoo accounts, such as Yahoo Mail, the company blocked entry to hackers. In an email message to theWHIR Monday, Yahoo's HotJobs division stated that the cross-site... -
Why Microsoft's SDL Missed MS08-067 in their own words
Posted: October 23rd, 2008, 6:20pm CDT by Robert
Tags: IndustryNews [edit]
"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some... -
Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild
Posted: October 23rd, 2008, 12:57pm CDT by Robert
Tags: IndustryNews [edit]
The Patch: Microsoft has released the patch to windows update. Details: "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems,... -
What videogames teach us about security
Posted: October 22nd, 2008, 3:16pm CDT by Robert
Tags: IndustryNews [edit]
Forbes has an interesting interview with Gary McGraw on how computer games provide insight into the motives and mindset of an attacker. "What problem do these trust boundaries pose? In this case, the gamer is the attacker and what they're doing is cheating in the virtual world to generate wealth that... -
Silverlight 2 Released
Posted: October 19th, 2008, 3:41pm CDT by Robert
Tags: IndustryNews [edit]
From the asp.net blog. "Today we shipped the final release of Silverlight 2. You can download Silverlight 2, as well the Visual Studio 2008 and Expression Blend 2 tool support to target it, here. Cross Platform / Cross Browser .NET Development Silverlight 2 is a cross-platform browser plugin that enables rich... -
R.I.P. Captcha's: Gmail, Hotmail, Etc...
Posted: October 2nd, 2008, 4:59pm CDT by Robert
Tags: IndustryNews [edit]
XRumer was recently released putting another nail in the CAPTCHA Coffin. "The decline in CAPTCHA efficacy has been an ongoing story in 2008, as hackers and malware authors have steadily found ways to chip away at the protection these security practices were once thought to offer. Now, new findings indicate that... -
PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking
Posted: October 2nd, 2008, 3:26pm CDT by Robert
Tags: IndustryNews [edit]
"Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. One of these small changes is the introduction of a... -
Fyodor speculates on new TCP Flaw
Posted: October 2nd, 2008, 11:13am CDT by Robert
Tags: IndustryNews [edit]
Fyoder (the author of nmap if you've been sleeping under a rock) has posted a write up on the recent TCP Dos flaw. UPDATE: According to a post by Robert Lee this isn't the issue. "Robert Lee and Jack Louis recently went public claiming to have discovered a new and devastating... -
Mark Russinovich on the Future of Security
Posted: September 22nd, 2008, 3:25pm CDT by Robert
Tags: IndustryNews [edit]
"Windows IT people everywhere owe thanks to Dr. Mark Russinovich, now a technical fellow at Microsoft and his less-famous partner Bryce Cogswell. Russinovich is famous both as an author, making the technical details of Windows accessible to the rest of us who dare to think we are technical, and as a... -
Mark Russinovich on the Future of Security
Posted: September 22nd, 2008, 3:25pm CDT by Robert
Tags: IndustryNews [edit]
"Windows IT people everywhere owe thanks to Dr. Mark Russinovich, now a technical fellow at Microsoft and his less-famous partner Bryce Cogswell. Russinovich is famous both as an author, making the technical details of Windows accessible to the rest of us who dare to think we are technical, and as a... -
Off Topic: Hackers claim break-in to Palin's e-mail account
Posted: September 17th, 2008, 4:41pm CDT by Robert
Tags: IndustryNews [edit]
While this is off topic for this site I do find it amusing :) "Hackers broke into the Yahoo! e-mail account that Republican vice presidential candidate Sarah Palin used for official business as Alaska's governor, revealing as evidence a few inconsequential personal messages she has received since John McCain selected her... -
Off Topic: Hackers claim break-in to Palin's e-mail account
Posted: September 17th, 2008, 4:41pm CDT by Robert
Tags: IndustryNews [edit]
While this is off topic for this site I do find it amusing :) "Hackers broke into the Yahoo! e-mail account that Republican vice presidential candidate Sarah Palin used for official business as Alaska's governor, revealing as evidence a few inconsequential personal messages she has received since John McCain selected her...