Planet Security

Abner Stories: Counterfeit Goods: The latest threat?

Product security now extends beyond the technology and into the supply chain. The NY Times on counterfeit networking gear. IDC's...

Schneier on Security: Schneier Talks

Last month I gave a talk at InfoSecurity Europe in London. The title was "Reconceptualizing Security," or maybe "The Theater of Security," and it is a follow-on to my work on the psychology of security. I haven't yet written this work up, but you can listen to or watch my talk.

WifiNetNews: Can Azulstar Make WiMax Work without Buying Spectrum?

Azulstar once pinned its fortunes on city-wide Wi-Fi, but now looks to a special licensed spectrum band to make WiMax work where Wi-Fi failed: Azulstar has been the also-ran in Wi-Fi for some years, I'll just state bluntly and upfront. They built a network in Grand Haven, Mich., in 2003 that's one of, if not the, longest-running metro-scale Wi-Fi networks in the world designed for public access. The mayor of Grand Haven since 2003, Roger Bergman, told me, "I got on board personally right away, and I am still on."

Azulstar soon answered several RFPs and partnered up with major firms to bring Wi-Fi to Rio Rancho, N.M., Winston-Salem, N.C., Sacramento, Calif., and most notably Silicon Valley--a set of dozens of cities along with county government and private enterprise all wanting some kind of tiered Wi-Fi across 1,500 sq mi.

While EarthLink, MetroFi, and even Kite Networks (with their extensive Arizona buildout in Tempe launched a bit before any other large competing network) seized the headlines, and later made news about their stalls, failures, and exits, Azulstar seemed quietly to sink into the sand. The Wireless Silicon Valley deal fell apart, as did Sacramento after efforts to get stakeholder and outside investment seemed to fail to materialize, and the marquee partners, Cisco, IBM, and Intel, just wouldn't step up to the plate to make the project move forward. Azulstar was the lead technology firm, but the money just didn't come. (Both California projects are moving forward with a different set of partners and expectations now.)

Rio Rancho was perhaps one of the biggest letdowns. City manager Jim Payne explained in an interview a few weeks ago, "They had a number of things that were going against them from the start, and they did make an attempt to meet the requirements of the contract." But Rio Rancho not only voted to terminate the contract after years of attempts to make the network work, but also rejected a proposal from Azulstar a few weeks ago to switch over equipment on the poles. Azulstar now has to remove all its devices.

All of this might make the typical company head a bit depressed about his firm's future, and less than sanguine about the potential for wireless broadband to work at all. Not so for Tyler van Houwelingen, Azulstar's chief, and I have to admit that he convinced me that the wireless provider has a fighting chance, due to a good combination of timing, spectrum policy, and a large dollop of can-do spirit.

Copyright ©2008 Glenn Fleishman. All rights reserved. Please notify us if you find this content anywhere but at wifinetnews.com or wimaxnetnews.com. Reproduction of full articles from RSS feeds is prohibited without permission.

1raindrop: Rote Based Access Control

I think RBAC is, next to firewalls and SSL, the biggest silver bullet misconception in infosec. I cannot count how many times I have heard managers say that if we just had RBAC all our identity problems would be solved. These same managers work in companies that reorg every 6 months and outsource anything that moves. Not that RBAC is useless; it can solve some problems, but it introduces some too. Pamela Dingle:

Roles are indeed in the domain of the “identity weenie” — but alone, roles are nothing but a maintenance nightmare - they exist to be leveraged. Rules on the other hand, are the problem of the “authorization weenie” and are written (for example) as a WAM policy that says “All Production Accountant Level II resources can access the accounting SharePoint instance”. When you collect roles into a profile and collect rules into a policy and then evaluate for a given user, resource, and point in time, what you eventually get is an entitlement, i.e. “Jenny should get into the accounting SharePoint instance”. The goal is to have transitive logic between roles and rules, such that two different people can take on the two different statements being made. Jenny’s Manager can authoritatively state (through a workflow approval) that Jenny is indeed a production accountant. The owner of the Accounting SharePoint instance can authoritatively state (through an authorization policy) that all production accountants should have access to their site. ... What happens when the system detects the static presence of two conflicting roles? What happens if one role is “truer” than another at some point in time?

The other silver bullet fallacy that RBAC introduces is the idea that objects, subjects, and sessions can be bundled so nicely enterprise-wide. People look at their nice org charts and assume that you just plug that into your directory and go. It works great in a domain with hard edges like a call center, where discrete groups of people execute the same tasks the same way across many sessions. Not so good once you step above the rote task level. Interestingly, "God level" access works well with roles too, but we are not supposed to be building systems with that stuff any more, right?
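The roles-into-a-profile, rules-into-a-policy evaluation that Dingle describes, including the two failure cases she raises (two conflicting roles present at once, and a role that stops being true at some point in time), as an added example in Python. This is not code from 1raindrop or from Pamela Dingle; the role names, managers, dates and the segregation-of-duties pair are assumptions made up for the illustration.

```python
"""Toy entitlement engine: roles are attested by managers (the profile side),
rules are written by resource owners (the policy side), and an entitlement is
what falls out when both are evaluated for a user, resource and point in time.
All names and dates below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    """A role that a manager has attested for a user, with a validity window."""
    role: str
    approved_by: str
    valid_from: datetime
    valid_until: Optional[datetime] = None  # None means open-ended

    def active_at(self, when: datetime) -> bool:
        if when < self.valid_from:
            return False
        return self.valid_until is None or when < self.valid_until


@dataclass(frozen=True)
class Rule:
    """A resource owner's statement: holders of required_role may use resource."""
    resource: str
    required_role: str
    owner: str


# Hypothetical segregation-of-duties pairs: holding both at the same time is a conflict.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"production_accountant", "accounts_payable_approver"}),
}


class EntitlementEngine:
    def __init__(self, rules: List[Rule], conflicts: Set[FrozenSet[str]] = CONFLICTS) -> None:
        self.rules = rules
        self.conflicts = conflicts

    @staticmethod
    def active_roles(profile: List[RoleAssignment], when: datetime) -> Dict[str, RoleAssignment]:
        """Only roles whose attestation window covers `when` count; stale ones fall away."""
        return {a.role: a for a in profile if a.active_at(when)}

    def evaluate(self, user: str, profile: List[RoleAssignment],
                 resource: str, when: datetime) -> Tuple[str, str]:
        """Return (decision, reason). Conflicting roles fail closed instead of letting
        whichever role was provisioned last win."""
        active = self.active_roles(profile, when)
        clashes = [pair for pair in self.conflicts if pair <= set(active)]
        if clashes:
            return "deny", f"{user} holds conflicting roles {sorted(clashes[0])} on {when:%Y-%m-%d}"
        for rule in self.rules:
            if rule.resource == resource and rule.required_role in active:
                attested = active[rule.required_role]
                return "allow", (f"{user} is {rule.required_role} (attested by {attested.approved_by}); "
                                 f"rule owned by {rule.owner} grants {resource}")
        return "deny", f"no rule on {resource} matches {user}'s active roles {sorted(active)}"


# Constructed sample data: one rule from the SharePoint owner and two user profiles.
RULES = [Rule("accounting_sharepoint", "production_accountant", owner="sharepoint_owner")]
PROFILES: Dict[str, List[RoleAssignment]] = {
    # Jenny's manager attested the role for the first half of 2008 only (reorg in July).
    "jenny": [RoleAssignment("production_accountant", "jenny_manager",
                             datetime(2008, 1, 1), datetime(2008, 7, 1))],
    # Bob got the approver role on top of his old one and nobody removed the old one.
    "bob": [RoleAssignment("production_accountant", "bob_manager", datetime(2008, 1, 1)),
            RoleAssignment("accounts_payable_approver", "cfo", datetime(2008, 3, 1))],
}
ENGINE = EntitlementEngine(RULES)


def decide(user: str, resource: str, day: str) -> Tuple[str, str]:
    """Evaluate an entitlement for a user, a resource and an ISO date (YYYY-MM-DD)."""
    return ENGINE.evaluate(user, PROFILES.get(user, []), resource, datetime.fromisoformat(day))


if __name__ == "__main__":
    for user, day in [("jenny", "2008-05-08"), ("jenny", "2008-08-01"), ("bob", "2008-05-08")]:
        print(user, day, *decide(user, "accounting_sharepoint", day))
```

Jenny is allowed in May because her manager's attestation and the site owner's rule line up; in August the same rule still exists but her role is no longer true, so the entitlement disappears without anyone touching the policy. Bob's two statically conflicting roles produce a deny with the conflict named, which is the question the post leaves open and the place where most deployments silently pick a winner.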

Kim Cameron's Identity Weblog: Satisfaction Guaranteed?

Francois Paget, an investigator at McAfee Avert Labs, has posted a detailed report on a site that gives us insight into the emerging international market for identity information. He writes:

Last Friday morning in France, my investigations led me to visit a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase are also given when necessary:


For such prices, the seller offers some guarantees. For example, the purchase is covered by replacement if you are unable, within 24 hours, to log into the account using the provided details.

The selling site also proposes US, Austria and Spanish credit cards with full information…

It is also possible to purchase skimmers (for ATMs) and “dump tracks” to create fake credit cards. Here too, cost is in line with quality:


Many other offers are available like shop administrative area accesses (back end of an online store where all the customer details are stored – from Name, SSN, DOB, Address, Phone number to CC) or UK or Swiss Passport information:


Read the rest of Francois’ story here. Beyond that, it’s well worth keeping up with the Avert Labs blog, where every post reminds us that the future of the Internet depends on fundamentally increasing its security and privacy. [Note: I slightly condensed Francois’ graphics…]

Schneier on Security: Making Security Cuddly

I don't know what I think of Sweet Dreams Security.

SecurityFocus Vulns: Bugtraq: [ GLSA 200805-06 ] Firebird: Data disclosure

SecurityFocus Vulns: Bugtraq: [ GLSA 200805-07 ] Linux Terminal Server Project: Multiple vulnerabilities

SecurityFocus Vulns: Bugtraq: [ GLSA 200805-08 ] InspIRCd: Denial of Service

SecurityFocus Vulns: Bugtraq: Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability

sunbeltblog: Fluc.com says it's not a spammer, it's the users who are spamming



As a follow-up to my previous post on Fluc comment spamming, check out the increasingly bizarre comments, including my exchange with Tim Davis, Fluc CEO.

Alex Eckelberry

SecurityFocus News: Mark Rasch: Click Crime


CNET News.com - Security: Why Apple should release a game console

Featured links from the CNET Blog Network

Why Apple should release a game console-- As more people trust and enjoy Apple products in the home, the company could easily capitalize on its success elsewhere and create a gaming console that could do the same.

Nvidia CEO discusses his beef with Intel--Jen-Hsun Huang describes his company as laser focused on just one thing: visual computing. This is leading to clashes with Intel, which is shifting its focus to this area.

Verizon Wireless and I are no longer friends--There are few things in life more infuriating than dealing with cell carriers.

DRM: it's like those zombie movies--No matter how many times the content owners wish it worked, DRM has a fundamental technical flaw: you have to give the key to the person you're trying to lock out! Microsoft gets this, even if the RIAA doesn't.

BufferOverrun: Zune headquarters mini-tour - Engadget

Engadget posted a photo tour of the Zune offices. Check it out:

Zune headquarters mini-tour - Engadget

Ever wonder where Zunes are designed? Well, right now it's all done in a fairly non-descript and temporary office building on Microsoft's sprawling campus in Redmond.


Emergent Chaos: Credit Bureaus and Outsourcing

The "I've Been Mugged" blog has a great three part series on outsourcing by credit bureaus: "Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)," "part 2" and "part 3."

He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that their privacy policy is at least honest. They make no claim that they care about your privacy, nor any that they apply the highest standards of security to your information.

SecurityFocus Vulns: Bugtraq: [ MDVSA-2008:099 ] - Updated ImageMagick packages fix vulnerabilities

SecurityFocus Vulns: Bugtraq: Apache Server HTML Injection and UTF-7 XSS Vulnerability

SecurityFocus Vulns: Bugtraq: [USN-611-3] GStreamer Good Plugins vulnerability

1raindrop: Learning from Ghana

It's always interesting to see where the developed world can learn from emerging economies. A lot of the best engineering work comes from having to deal with harsh constraints (the opposite of architecture astronomics). I blogged a while ago about using smart cards for digital cash in Africa.



Looks like there is a new system in Ghana as well

E-zwich smartcard launched

E-ZWICH smartcard, a universal electronic system that facilitates easy access to and transfer of money, has now become part of financial transactions in Ghana.

The new system which is also designed to remove the cumbersome and insecure processes of using cash, was launched in Accra yesterday by President J.A. Kufuor, with a call on corporate bodies and government agencies to use it to ensure transparency and integrity on payrolls.

E-zwich is an electronic payment system that allows one to make payments for goods and services or transfer money to others without having to carry physical cash.

Available at all banks countrywide, the system involves the loading of money onto the smart card after registering with any bank, without necessarily having an account with that bank.

President Kufuor said the introduction of the system has the potential of transforming the payments landscape, the financial services industry and the general conduct of business in the country.

He said accessing the technology was an integral part of government’s overall vision of making Ghana the gateway to the West Africa sub-region and transforming her into a major financial hub.

The President said that globalisation has come with a major challenge of adopting best practices in all spheres of endeavour especially within the macro economy in order to survive in the market.

He said it was against that background that the government has pursued polices to develop and modernise the financial sector to enable it to play a key role in resource mobilisation for increased investment.

With the reforms and the stability of the macro-economy, President Kufuor said the nation was witnessing dramatic growth in the banking sector.

He pointed out, however, that in spite of the impressive growth of financial institutions, an estimated 80 per cent of the eligible population was still "un-banked" or "under-banked" and seemed not to have access to financial services.


Wonder when we will see US, UK, and other first world banks and brokerages catch up to Ghana and South Africa on these technologies? Is it really a good idea in 2008 to have everyone type their username and password into a web browser?

ModSecurity Blog: ModSecurity 2.6 RoadMap

ModSecurity 2.6 will likely be the last branch before ModSecurity 3.  The 2.6 branch will concentrate on polishing up the current 2.5 feature set, performance, ease of use, supporting arbitrary character sets, and better documentation.  I'll be posting 2.6 development releases periodically for users to test and comment on.  So that you know what is planned, I am publishing the roadmap for 2.6 below.

  • Enhancements
    • Enhance persistent storage:
      • Allow relative changes to counters to be atomic.
      • Optimize storage and retrieval.
    • Enhance audit log sanitization:
      • Allow partial data sanitization.
      • Allow the RESPONSE_BODY to be sanitized.
    • Enhance external auditing/alerting (mlogc):
      • Optimize data queuing to lower RAM usage.
      • Allow sensor metrics to be sent to the console.
      • Add connection throttling which can be dictated by the console.
    • Allow for more flexibility when writing complex rules:
      • Add the ability to determine which targets previously matched.
      • Straighten out how non-disruptive actions work with chained rules.
  • Performance
    • Add a high performance IP address/network matching operator capable of large lists.
    • Further tune the detection engine.
    • Enhance the detection engine cache with faster lookups.
    • Expose more performance metrics through the audit log.
  • Ease of Use
    • Enhance the build process:
      • Allow static linking of dependencies on UNIX-like OSes.
      • Allow better support for non-gcc compilers.
    • Allow for fully automated updates of the Core Rules (and others).
  • Arbitrary Character Sets
    • Introduce decoding and validating of various character sets.
    • Allow for enhancing and expanding decoding in future versions.
  • Documentation
    • Write more/better examples.
    • Enhance ModSecurity internals documentation.
    • Better document the different modes of operation.

1raindrop: Sun in Microsoft's Rearview Mirror on Software Security

James McGovern muses:

Good to run across Sun employees such as Gerald at OWASP chapter meetings. Hopefully for the next event, he can figure out how to bring down a dozen or so folks from Sun labs. After all, they probably understand the need for writing secure code more than the Microsoft crowd. This makes me wonder if Pat Patterson has ever attended OWASP meetings on his side of town?

Would be great to see Sun get involved with OWASP, but I see no evidence that they understand the need for writing secure code more so than Microsoft. In fact I see every evidence that Sun is several years behind Microsoft on software security. Let's do the list - Howard/LeBlanc's work, threat modeling, software security patterns and practices, SDL, SecPal, BlueHat, OWASP guidance work, and that is all before we get to identity stuff. From what I see it's a yawning gap. Would be great if Sun would re-discover its engineering roots at some point, but right now I don't think they are even in the conversation.

McAfee Avert Labs Blog: Gas Spam

In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.

Over the last few weeks I have seen a new type of spam. This is spam which is trying to sell a product to save money on gas. Below is an example of a gas spam:

Gas Spam Example

Currently McAfee detects gas spam. Volume is low for this type of spam, typically making up 0.2% of all spam.

Given the high price of oil it is not surprising that a spammer has started selling a product which claims to reduce gas bills.

Secunia - Latest Secunia Security Advisories: [4/5] Cyberfolio "rep" File Inclusion Vulnerability

RoMaNcYxHaCkEr has reported a vulnerability in Cyberfolio, which can be exploited by malicious people to compromise a vulnerable system.


Be sure to check if your system is missing security updates or have insecure applications installed:
http://secunia.com/software_inspector/

Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.

Secunia - Latest Secunia Security Advisories: [4/5] Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution

Sowhat has reported a vulnerability in Yahoo! Assistant, which can be exploited by malicious people to compromise a user's system.



Infoworld: Vista as insecure as Windows 2000

Good news for users of Windows Vista. According to figures compiled by PC Tools, the OS has experienced only slightly more vulnerabilities than Windows 2000, which appeared eight years ago when malware was far less common.

sunbeltblog: The iPowerWeb Chronicles: Problems persist

iPowerWeb is getting better than they used to be in terms of hacked sites, but they still have problems. Monday, I wrote about DNS hacks they still have problems with (which Michael Horowitz was kind enough to mention).

Some brief research shows the following iPowerWeb accounts hacked (most should still be live):

voyageofwhisper,com
toysnsilk,com
tnrnelson,com
stevenlin888,com
samplesofserenity,com
reviews-reviews,com
regulatory-compliance,com
pieinear,com
palmhaven,org
mohrfamily,com
midwestwrecker,com
magiciansmarket,com
jonathanfricke,com
jerniganhouse,com
gogosportingnews,com
enshunada,com
endofendo,com
dlar,us
dealindaddy,com
confessionsrus,com
angeleyes03,com
allvisualsigns,com

The typical format for the hack is (5 character string)/adult/adult_12.html, which leads to a page pushing malware. So, confessionsrus,com/cqbku/adult/adult_12.html might show a page like this:

(three screenshots of the malware-pushing page, omitted)


(Incidentally, these pages are only accessible through a Google search, you don’t get anything if you just go to the page itself.)

Alex Eckelberry
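One way a hosting abuse team could find the injected pages described above in its own logs, as an added example that is not from the Sunbelt post. It matches the five-character-directory/adult/adult_N.html layout in constructed Apache combined log lines (a leading virtual-host field is an assumed layout; the hostnames are reserved example domains, not the sites listed above) and flags paths that serve a full page only to Google-referred visitors, which is the "only accessible through a Google search" behaviour the post mentions.

```python
"""Scan vhost-prefixed Apache combined logs for the injected /xxxxx/adult/adult_N.html
pages and report which of them cloak themselves from direct visitors.
Log layout, hostnames and traffic are constructed for this example."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Apache "combined" format with a leading virtual-host field (assumed hosting layout).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Layout the post describes: a five-character directory, then /adult/adult_<n>.html
INJECTED_PATH_RE = re.compile(r'^/[A-Za-z0-9]{5}/adult/adult_\d+\.html$')
GOOGLE_REFERER_RE = re.compile(r'^https?://(www\.)?google\.[a-z.]+/', re.IGNORECASE)


class Hit(NamedTuple):
    vhost: str
    path: str
    status: int
    size: int
    from_google: bool


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return Hit(m["vhost"], m["path"], int(m["status"]), size,
               bool(GOOGLE_REFERER_RE.match(m["referer"])))


def scan(lines: Iterable[str]) -> Dict[str, Dict[str, List[Hit]]]:
    """Group hits on injected-looking paths by vhost and path; other requests are ignored."""
    found: Dict[str, Dict[str, List[Hit]]] = defaultdict(lambda: defaultdict(list))
    for line in lines:
        hit = parse_line(line)
        if hit and INJECTED_PATH_RE.match(hit.path):
            found[hit.vhost][hit.path].append(hit)
    return found


def is_cloaked(hits: List[Hit]) -> bool:
    """True when Google-referred visitors get a full page (200) but every direct visitor
    gets an error or a stub under half that size, so a manual check of the URL sees nothing."""
    google_sizes = [h.size for h in hits if h.from_google and h.status == 200]
    direct = [h for h in hits if not h.from_google]
    if not google_sizes or not direct:
        return False
    threshold = min(google_sizes) / 2
    return all(h.status != 200 or h.size < threshold for h in direct)


def report(lines: Iterable[str]) -> List[Tuple[str, str, int, bool]]:
    """(vhost, path, hit count, cloaked?) for every injected path seen, sorted."""
    rows = []
    for vhost, paths in scan(lines).items():
        for path, hits in paths.items():
            rows.append((vhost, path, len(hits), is_cloaked(hits)))
    return sorted(rows)


def compromised_vhosts(lines: Iterable[str]) -> List[str]:
    return sorted(scan(lines))


# Constructed sample log (not real traffic); hostnames use reserved example domains.
SAMPLE_LOG = """\
confessionsrus.example 203.0.113.5 - - [08/May/2008:10:14:02 -0400] "GET /cqbku/adult/adult_12.html HTTP/1.1" 200 8412 "http://www.google.com/search?q=confessions" "Mozilla/5.0"
confessionsrus.example 198.51.100.9 - - [08/May/2008:10:15:30 -0400] "GET /cqbku/adult/adult_12.html HTTP/1.1" 200 8412 "http://www.google.co.uk/search?q=confessions" "Mozilla/5.0"
confessionsrus.example 192.0.2.44 - - [08/May/2008:10:16:01 -0400] "GET /cqbku/adult/adult_12.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
confessionsrus.example 192.0.2.44 - - [08/May/2008:10:16:05 -0400] "GET /index.html HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
palmhaven.example 203.0.113.77 - - [08/May/2008:11:02:10 -0400] "GET /zq7lm/adult/adult_3.html HTTP/1.1" 200 9001 "http://www.google.com/search?q=palm+haven" "Mozilla/5.0"
palmhaven.example 203.0.113.78 - - [08/May/2008:11:03:10 -0400] "GET /zq7lm/adult/adult_3.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for vhost, path, n, cloaked in report(SAMPLE_LOG.splitlines()):
        print(f"{vhost:24} {path:32} hits={n} cloaked={cloaked}")
```

The path pattern alone finds the injected directories; the referer comparison is what tells an operator that fetching the URL by hand will come back empty, so the cleanup check has to be done with a Google referer (or straight from the filesystem) rather than by visiting the page.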

Freedom To Tinker: DRM Not Dead, Just Temporarily Indisposed, Says RIAA Tech Head

The RIAA’s head technology guy says that the move away from DRM (anti-copying) technology by record labels is just a phase, according to a Greg Sandoval story at News.com:

“(Recently) I made a list of the 22 ways to sell music, and 20 of them still require DRM,” said David Hughes, who heads up the RIAA’s technology unit, during a panel discussion at the Digital Hollywood conference. “Any form of subscription service or limited play-per-view or advertising offer still requires DRM. So DRM is not dead.”

Last January, when Sony BMG became the last major recording company to sell DRM-free tracks at Amazon, plenty of observers considered the technology buried. Since then, a growing number of online stores have begun offering at least some open MP3s, including Walmart.com, Zune’s Marketplace, Amazon, as well as iTunes.

Not so fast, said Hughes, who predicted that DRM would reemerge in a big way. “I think there is going to be a shift,” he told the audience. “I think there will be a movement towards subscription services, and (that) will eventually mean the return of DRM.”

The imminent success of subscription services with DRM is more or less what the record industry was predicting several years ago. It didn’t happen, mostly because customers found the services clunky and inflexible — DRM at its worst. Nothing has changed to make DRMed subscription services more attractive. If anything, these services look even worse in light of the trend toward selling DRM-free tracks.

I can see the argument for selling large bundles of music rather than selling one track at a time. Bundling makes economic sense, given the huge storage capacity of today’s devices. The iPod of the future won’t be filled one track at a time.

But clunky DRM-based subscription services aren’t the only way to sell bundles of songs, and there are probably good ways to sell subscriptions without DRM. If you’re worried that a customer will subscribe for one month, download a zillion songs, cancel the subscription and keep the songs, then you can limit the number of downloads per month, or require a longer subscription period. If you can sell songs without DRM — and we know now that you can — there ought to be a way to sell a friendly subscription service too.

On this issue, the RIAA’s members may be ahead of the RIAA itself. There are encouraging signs that some of the major record companies are recognizing the need to rebuild their business strategy for the Internet era.

Secunia - Latest Secunia Security Advisories: [3/5] Zarafa Script Insertion Vulnerabilities

Some vulnerabilities have been reported in Zarafa, which can be exploited by malicious people to conduct script insertion attacks.



eSecurityPlanet: Neocleus Modifies Xen For Endpoint Security

But will users go along with multiple desktop operating systems?

Internet Security and Programming: Vista security credentials tarnished in malware survey

Better off with a Win 2000 box

Windows Vista is better at protecting against malware than XP but more easily infected than Windows 2000, according to a study by Australian anti-virus firm PC Tools.

Schneier on Security: Cell Phone Spying

A handy guide:

A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing.

Once connected, the service shows you the exact location of the phone by the minute, conveniently pinpointed on a Google Map. So far, the service is only available in the UK, but the company has indicated plans to expand its service to other countries soon.

[...]

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device. And the scariest part? They run virtually undetectable to the average eye.

Take, for example, Flexispy. The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot. Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on. The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Secunia - Latest Secunia Security Advisories: [4/5] Slackware update for thunderbird

Slackware has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or potentially compromise a user's system.



Secunia - Latest Secunia Security Advisories: [3/5] Slackware update for php

Slackware has issued an update for php. This fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.



The Register - Security: Vista security credentials tarnished in malware survey

Better off with a Win 2000 box

Windows Vista is better at protecting against malware than XP but more easily infected than Windows 2000, according to a study by Australian anti-virus firm PC Tools.…

Perilocity: NSL: Internet Archive Exposes Lack of Security in National Security Letters

The Internet Archive has for a decade been a cornerstone of the Internet, and the FBI was foolish to try to break it:
The FBI has withdrawn an illegal National Security Letter seeking information from an online library and has lifted a gag order that until Wednesday prevented any discussion of the information request.

Lawyers from the American Civil Liberties Union and Electronic Frontier Foundation helped the Internet Archive push back against what they say was an overly broad and unlawful request for information on one of its users. The FBI issued its National Security Letter in November, but ACLU, EFF and Archive officials were precluded from discussing it with anyone because of a gag order they say was unconstitutional.

After nearly five months of haggling, the FBI eventually withdrew its NSL, which requested personal information about at least one user of the Internet Archive. Founded in 1996, the archive is recognized as a library by the state of California, and its collections include billions of Web records, documents, music and movies.

Watchdogs prompt FBI to withdraw 'unconstitutional' National Security Letter, Nick Juliano, therawstory, Published: Wednesday May 7, 2008

The article goes on to say that the FBI has issued 200,000 National Security Letters, that almost none of those NSLs have been challenged, yet every single time someone has challenged an NSL in court, the FBI has withdrawn it.

How do these NSLs represent "Security"?

In any case, National Security Letters were authorized by the mis-named Patriot Act. Brewster Kahle has shown us how a real patriot acts:

"The goal was to help other recipients of NSLs and other libraries to understand that you can push back on these," he said.

The FBI's letter demanded the "name, address, length of service, and electronic communication transactional records ... and all electronic mail (e-mail) header information," from the Archive about at least one user of the Web site.

Kahle said the Archive didn't keep any private information on its users aside from an unverified e-mail address, so he couldn't have handed any of that information over even if he wanted to. However, he called the FBI's attempts to gag him "horrendous" and unnecessary. He also worried about the overreaching implications of such demands, which prompted him to challenge the FBI's letter.

"As a library we know that we've long protected patrons from government intrusions," he said.

-jsq

Secunia - Latest Secunia Security Advisories: [4/5] SazCart Multiple File Inclusion Vulnerabilities

RoMaNcYxHaCkEr has discovered some vulnerabilities in SazCart, which can be exploited by malicious people to compromise a vulnerable system.



Secunia - Latest Secunia Security Advisories: [3/5] Maian Search Cross-Site Scripting and SQL Injection Vulnerabilities

Khashayar Fereidani has discovered some vulnerabilities in Maian Search, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.



Secunia - Latest Secunia Security Advisories: [2/5] Maian Guestbook footer.php Cross-Site Scripting Vulnerabilities

Khashayar Fereidani has discovered some vulnerabilities in Maian Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.



Secunia - Latest Secunia Security Advisories: [2/5] Maian Recipe Cross-Site Scripting Vulnerabilities

Khashayar Fereidani has reported some vulnerabilities in Maian Recipe, which can be exploited by malicious people to conduct cross-site scripting attacks.



LinuxSecurity.com - Advisories: Gentoo: InspIRCd Denial of Service

LinuxSecurity.com: A buffer overflow in InspIRCd allows remote attackers to cause a Denial of Service.

LinuxSecurity.com - Advisories: Gentoo: Linux Terminal Server Project Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been discovered in components shipped with LTSP which allow remote attackers to compromise terminal clients.

Heise Security: Massive media file trojan explosion

Downloader-UA.h continues to spread. Infections reported to Avert Labs are up by 60 per cent over the last three days.

Secunia - Latest Secunia Security Advisories: [2/5] InfoBiz Server "keywords" Cross-Site Scripting Vulnerability

Russ McRee has reported a vulnerability in InfoBiz Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Heise Security: Helper program for setting kill bits

AxBan, a free tool from David Maynor, can set kill bits for specific ActiveX controls containing known security vulnerabilities.

LinuxSecurity.com - Advisories: Gentoo: Firebird Data disclosure

LinuxSecurity.com: Firebird allows remote connections to the administrative account without verifying credentials.

ItoolBox Networking and Infrastructure: Support Apple, Linux, Windows and you have it made

Following locutus' thoughts that supporting Linux is more valuable to a company than supporting Windows, I ran a quick salary survey at indeed.com to see how it stacks up in the heart of Redmond, using Microsoft's zip code.

Secunia - Latest Secunia Security Advisories: [3/5] vShare YouTube Clone "tid" SQL Injection Vulnerability

Saime has reported a vulnerability in vShare YouTube Clone, which can be exploited by malicious people to conduct SQL injection attacks.

Secunia - Latest Secunia Security Advisories: [2/5] Maian Uploader Multiple Cross-Site Scripting Vulnerabilities

Khashayar Fereidani has discovered some vulnerabilities in Maian Uploader, which can be exploited by malicious people to conduct cross-site scripting attacks.

Secunia - Latest Secunia Security Advisories: [3/5] Maian Music Cross-Site Scripting and SQL Injection

Khashayar Fereidani has reported some vulnerabilities in Maian Music, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

ItoolBox Networking and Infrastructure: Top Six Database Hacks Used Today

If you are wondering just how hackers are working their way into your back-end databases, Dark Reading has a list of the top six database hacks being used in the field today.

ItoolBox Networking and Infrastructure: What a Botnet Map looks like

CSO has one of the most interesting maps you will see all day: a scrollable map of a botnet that researcher David Vorel mapped out.

Heise Security: Please touch: access token transmits signals via human skin

Human Area Networking reportedly has one major advantage over wireless ID verification systems such as RFID: the signals are hard to tap.

Heise Security: Upcoming Microsoft patch day: three critical updates planned

Four updates, three of which are critical, will close holes in Office, the Jet Engine and Microsoft's anti-malware tools.

Darknet Hackers: Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor

Microsoft helping the good guys, eh? I had someone ask me if I can get a hold of this so I did some checking up on.. I’d guess MS is doing this to sell additional software and services, but either way it's a good thing to make a portable, easy to use and effective forensics toolkit. Would [...]

Read the full post at darknet.org.uk

Secunia - Latest Secunia Security Advisories: [3/5] TFTP Server SP Long Error Message Buffer Overflow

tixxDZ has discovered a vulnerability in TFTP Server SP, which can be exploited by malicious people to cause a DoS or compromise a vulnerable system.

Secunia - Latest Secunia Security Advisories: [2/5] OpenKM Document Export Security Issue

A security issue has been reported in OpenKM, which can be exploited by malicious users to disclose potentially sensitive information.

Secunia - Latest Secunia Security Advisories: [3/5] Ubuntu update for gst-plugins-good0.10

Ubuntu has issued an update for gst-plugins-good0.10. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise an application using the library.

Secunia - Latest Secunia Security Advisories: [4/5] Ubuntu update for vorbis-tools

Ubuntu has issued an update for vorbis-tools. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a user's system.

Secunia - Latest Secunia Security Advisories: [3/5] Ubuntu update for speex

Ubuntu has issued an update for speex. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise an application using the library.

ItoolBox Networking and Infrastructure: The Information Security Risk of Globalization

Strategic military infrastructure is typically kept within the host country's national boundaries. However, economic systems may be distributed globally, operating in a variety of environments with critical information processed by both data owner and outsourced systems. If the target of the first cyber-war is destruction of economic stability, how vulnerable are we?

Footnotes