"The next generation tool for rapid handling of emerging threats"
Secunia, the No.1 provider of reliable and actionable Vulnerability Intelligence, Vulnerability Assessment, and Patch Management, today announced significant enhancements to the award-winning Secunia Vulnerability Intelligence Manager (VIM).
The Secunia VIM is compliant with the vulnerability database requirements as given in the NIST Interagency Report 7511 Revision 1 (Draft), Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (Draft), April 2009*, and includes support for Common Platform Enumeration (CPE). A primary feature is the revised reporting functionality that has been rebuilt into a modular structure, allowing for even greater customisation of reports. Additional flexibility and usability is provided by a comprehensive report configuration wizard, giving the option of including tickets or advisories within customised reports.
The enhanced Secunia VIM represents further commitment by Secunia to continuously provide the industry's best-in-class Vulnerability Intelligence and Vulnerability Management solutions. The release is opportunely timed with a major Microsoft Patch Tuesday, so that Secunia VIM customers can gain a complete overview of the vulnerability threat landscape and effectively handle the thousands of third-party programs that could potentially compromise their IT infrastructures if left unpatched.
Continued : http://secunia.com/company/blog_news/blog/206/
Reply 1 : NEWS - April 12, 2011
Barracuda Networks, a California-based security company that focuses on WebAppSec as well as Spam, Malware, and other network protection, suffered a breach this weekend by a Malaysian group known as HMSec.
The group published the details of its raid, including database schemas, email addresses, and hashed passwords, after executing an SQL Injection attack on the Barracuda domain.
In terms of applicable M.O., HMSec gathers online in a forum that discusses a wide range of topics, including Information Security. Ironically, the standard statement to visitors of the forum explains that the group's "policy is clearly to not do any damage" or otherwise cause harm to a page that it does not own.
However, while the Barracuda domain remains intact, clearly this policy does not include downloading data and publishing it for the whole world to see.
In truth, the incident looks as if it were executed to prove a point. Most of the posts on the HMSec forum are information based and, while some do deal with gray areas, most do not appear to be criminal. Likely, HMSec's actions are similar to what Unu of Hackers Blog did some time ago, when SQL Injection flaws on Kaspersky, Symantec, BitDefender, the International Herald Tribune, and The Wall Street Journal were disclosed to the public in order to have them fixed.
Continue : http://www.thetechherald.com/article.php/201115/7044/Malaysian-group-hits-Barracuda-Networks-Update
Related: Hack attack spills web security firm's confidential data
Reply 2 : NEWS - April 12, 2011
From Barracuda Network's Product Management Blog:
Wow. What a weekend. In case you haven't heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information. The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.
So, the bad news is that we made a mistake. The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8, 2011) after close of business Pacific time. Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market. As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees. The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.
This latest incident brings home some key reminders for us, including that:
Continued : http://blog.barracuda.com/pmblog/index.php/2011/04/12/waf-importance/
Reply 3 : NEWS - April 12, 2011
..Comptroller Server
"Unencrypted personal records of 3.5 million Texans were left exposed for more than a year after they were copied onto a public FTP server, said the Texas comptroller."
The Texas Comptroller's Office has disclosed that sensitive personal information belonging to at least 3.5 million residents has been accidentally exposed, adding more uncertainty about phishing attacks and identity theft to people already jittery after Epsilon.
Social Security numbers, birthdates, driver's license numbers, addresses and other personal information belonging to 3.5 million residents were posted onto a publicly available server, Susan Combs, the Texas comptroller, said April 11. Most of the information was available for more than a year, but there was no indication that any of the information had been misused, Combs said.
An undisclosed number of employees in the comptroller's office were fired after the breach was discovered at the end of March, according to R.J. DeSilva, the agency's spokesperson. He declined to identify them.
"We take information security very seriously, and this type of exposure will not happen again," Combs said in a written statement.
The exposed details also included information on 1.2 million education employees and retirees from the Teacher Retirement System of Texas, the Texas Workforce Commission's 2 million residents, and the Employees Retirement System of Texas's 281,000 state employees and retirees. Data included current and former state agency employees with benefits and retired state employees who were in the system in April 2010.
Continued : http://www.eweek.com/c/a/Security/Personal-Data-for-35-Million-Texans-Exposed-on-State-Comptroller-Server-196592/
Reply 4 : NEWS - April 12, 2011
Internet users in New Zealand have reportedly received emails, spreading a sick hoax that claims an earthquake is predicted to hit the city of Auckland on Sunday, April 17th.
A typical email reads:
Next earthquake announced April 17 will hit Auckland
There is about 88% chance within the next days Auckland will be hit by an earthquake according to National Earthquake Information Center from New Zealand. This news was released today after more predictions related to the Christchurch earthquake. Read more here or on www.nzherald.co.nz
However, the email has been debunked by the NZ Herald newspaper, which has confirmed that it is a hoax.
Residents of New Zealand would obviously be highly alarmed by such a warning, as the country is recovering from a devastating earthquake which hit the South Island city of Christchurch in February.
Internet users are advised to be suspicious of unsolicited messages making predictions of natural disasters. If you receive such an email, do not click on any of its links (as they may be malicious) and instead turn to legitimate news outlets for information.
Continued : http://nakedsecurity.sophos.com/2011/04/12/auckland-earthquake-email-hoax-debunked-by-new-zealand-media/
Reply 5 : NEWS - April 12, 2011
Police in the UK have arrested and jailed several people over the last week in connection to financial crimes leveraging Malware.
According to a report from Her Majesty's Revenue & Customs (HMRC), an illegal Ukrainian immigrant, Oleg Rozputnii, and a high street bank manager, Nikola Novakovic, worked together to siphon nearly £3.2m GBP from the government in a scam that lasted nearly two years.
The pair registered more than a thousand fictitious taxpayers on the Income Tax Self Assessment System, and funneled the repayments through a series of bank accounts opened under false names.
Police say that the personal information used on the tax assessments and the identities needed to open the bank accounts came from data stolen from computers compromised by an unidentified Trojan.
"These men ran an audacious scam stealing millions of pounds. They set up hundreds of false bank accounts using viruses to hack into personal computers to gain information. They used their illegal profits to fund lavish lifestyles buying performance cars, including Porsches, Mercedes and Jaguars," commented Joe Rawbone, assistant director of HMRC Criminal Investigation, in a statement.
Continued : http://www.thetechherald.com/article.php/201115/7039/Law-&-Order-UK-hands-out-jail-time-for-Malware-related-fraud
Also: Ukrainian Pair Jailed Over £3.2 Million Tax Fraud
Reply 6 : NEWS - April 12, 2011
Facebook has fixed a bug in the site's password reset feature that could have been exploited to expose passwords of a small number of users who also use Hotmail.
"We can access password of any facebook user who uses hotmail email address as their facebook account," Turkish security researcher Serkan Gencel, wrote in an e-mail to CNET this weekend. "If you have any hotmail account and if it is used as facebook account, we can change and send you your new password:)."
A Facebook spokesman released a statement today confirming the bug and saying it had been fixed.
"We were notified of this vulnerability by a Turkish security researcher via our white hat queue, and we worked to quickly resolve the problem," the statement said.
"When properly notified, we will quickly investigate all legitimate reports of security vulnerabilities and fix potential problems, and have adopted a responsible disclosure policy to encourage notifications," the statement said. "We encourage security researchers who identify security problems to embrace the practice of notifying Web site security teams of problems and giving them time to fix the problems before making any information public."
Continued : http://news.cnet.com/8301-27080_3-20052926-245.html
Reply 7 : NEWS - April 12, 2011
Google has pulled the plug on Street View in Germany in spite of a recent court victory that declared the photo mapping project to be within the laws of the country. That means there won't be any new 360-degree photos added to Google's maps of Germany. However, the 20 German cities that have already been photographed will remain online and accessible.
A Google spokesman told Search Engine Land that the company has shifted its priorities for Street View.
"Our business priority is to use our Google cars to collect data such as street names and road signs to improve our basic maps for our users in a similar way that other mapping companies do."
In March, a German court ruled that it was legal for Google to photograph private property from streets. Even with the court's approval, the Internet giant has decided to shutter the project. One possible reason is that Street View has proven to be particularly unpopular with the German public. Last October, Google announced that nearly 250,000 German households had opted-out of Street View. Those residences subsequently were blurred out of Street View photos.
Google has also received criticism after it was revealed that the vehicles that it uses to photograph locations had hoovered up personal information from Wi-Fi networks around the world. In March, France announced that it had fined Google $142,000 for the Wi-Fi data collections. Google has said that the information was gathered by accident and has issued apologies to a number of countries.
Continued : http://www.digitaltrends.com/computing/google-mysteriously-halts-street-view-in-germany/
Reply 8 : NEWS - April 12, 2011
From Graham Cluley at Sophos:
I can't be the only nostalgic nerd to feel a flutter of excitement at the news that a home computer from yesteryear is making a comeback.
The Commodore 64, the classic retro home computer which was initially released in 1982, is reportedly making something of a return as the company is squeezing a Windows PC inside the original shell.
The new computer will run Windows 7, but will also include an emulator capable of playing classic games from the 1980s.
How neat is that!?
So, to all intents and purposes - it looks just like an old Commodore 64 computer... [Screenshot] ..well, until you have a look around the back at least. The USB slots and HD TV connections are a bit of a giveaway in my opinion.. [Screenshot]
And memories of the Commodore 64 got me thinking. What about computer viruses?
Although viruses were largely a PC and Mac issue in the latter half of the 1980s, there was also malware written for other types of computers. And the Commodore 64 is no exception.
For instance, the C64/BHP-A virus appeared in 1986. It wasn't just a virus capable of infecting files on Commodore 64s, it was also fully stealth - effectively exploiting the Commodore 64's memory structure to "act invisible".
These were the days before financially-motivated malware, of course, and the BHP virus's payload was to display a message on the screen surrounded by a colourful border: [Screenshot]
Continued : http://nakedsecurity.sophos.com/2011/04/12/commodore-64-viruses-time-for-a-come-back/
Reply 9 : NEWS - April 12, 2011
Yesterday, Adobe issued Security Advisory APSA11-02. The advisory states that:
"A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."
And... this new vulnerability is currently being exploited in the wild:
"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform."
Flash files embedded in Office?
This attack vector prompted the following question from Brian Krebs: Does anyone know of a reliable way to disable the rendering of Flash objects in MS Office files across the board?
Our thought is why disable what you can easily uninstall?
We don't generally use Internet Explorer, so we don't need the IE version of Flash Player enabled at all. For Flash on the Web, you can use a designated browser (other than IE). Do you really need Flash enabled for Office?
This is what Microsoft Office will prompt when opening a document/spreadsheet/presentation containing embedded Flash content with no ActiveX version of Flash installed. [Screenshot]
The "Non-IE" versions of Flash Player are of course still vulnerable to exploit, but it's harder to imagine a successful targeted attack (via e-mail) against them, which is probably why current attacks are using Office.
Incidentally, it looks as if the next version of Flash Player (10.3) will include a control panel applet:
Continued : http://www.f-secure.com/weblog/archives/00002140.html
Related : New Adobe Flash Zero Day Being Exploited?
Reply 10 : NEWS - April 12, 2011
By Moxie Marlinspike:
In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well as the intense pressure everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. It's amazing that SSL has endured for as long as it has, in contrast to a number of other protocols from the same vintage. We've definitely learned a lot since then, though, but the thing about protocols and APIs is that there's very little going back.
Generally speaking, all secure protocols need to provide three things: secrecy, integrity, and authenticity. If any of these break, the whole protocol breaks. SSL doesn't do any of the three very elegantly by today's standards (and in many cases just barely squeaks by), but most of the practical attacks we've seen over the past ten years have focused on the authenticity piece. The designers of SSL chose to use Certification Authorities as a key component of the authenticity process, and we've been stuck with that decision even after having long since outgrown the circumstances in which it was originally imagined.
Lately, however, the general perception of Certification Authorities seems to be shifting from the old vibe of "total ripoff" to a new vibe of "total ripoff and also insecure." So there has been a growing amount of talk about changing the authenticity piece of SSL. I'd like to take a moment to discuss the problem, though, so that we don't accidentally make the same mistake twice.
Defining The Problem
At the moment, there seems to be a general consensus that the CA system is not long for this world, and that's a major step forward. But while almost everyone seems to agree that we should develop something else, the exact problem with what we have is not entirely well defined. Let's look at what people have suggested the problem might be.
Continued : https://www.threatpost.com/en_us/blogs/ssl-and-future-authenticity-041111
Reply 11 : NEWS - April 12, 2011
NSS Labs, Inc., the leading independent security testing organization, today announced the release of its Network Firewall Comparative Group Test Report for Q1 of 2011.
Key findings from the report show:
• Three out of six firewall products failed to remain operational when subjected to our stability tests. This lack of resiliency is alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.
• Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka Sneak ACK attack), thus allowing an attacker to bypass the firewall.
• Measuring performance based upon RFC-2544 (UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.
Firewalls are well understood as the main barriers between an organization's internal and external networks. Over the past 25 years, they have become the foundation of perimeter security and are considered to be commodity products. Now as another generation of firewall technology is taking hold, NSS Labs has begun testing both traditional network firewalls and so-called next generation firewalls. Known for its rigorous testing that mimics modern cyber criminals, NSS Labs engineers have discovered serious flaws in these products, despite the maturity of the market and their certification by two other major certification bodies.
Continued : http://www.nsslabs.com/company/news/press-releases/nss-labs-finds-holes-in-majority-of-leading-network-firewalls.html
Reply 12 : NEWS - April 12, 2011
Microsoft has released its April Patch Tuesday fixes, a large group of patches that includes updates for several critical holes in Internet Explorer as well as a patch that finally fixes the SMB client bug that was disclosed publicly in February.
The most critical of the 17 bulletins that Microsoft released on Tuesday is MS11-018, which fixes a total of five vulnerabilities in Internet Explorer. Among those bugs is one that was used to compromise IE 8 at the Pwn2Own contest last month at CanSecWest. Microsoft security officials said that they are aware of some targeted attacks against that vulnerability (CVE-2011-0094), as well as another IE vulnerability, an object management memory corruption flaw (CVE-2011-1345).
"It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers. The vulnerability we are fixing today, a use-after-free which does not affect IE9, was the primary vulnerability used to gain code execution. A second vulnerability was used to make the exploit more reliable and a third was used to escape IE's protected mode," Fermin J. Serna of the MSRC Engineering Team wrote in a blog post.
Continued : https://www.threatpost.com/en_us/blogs/april-patch-tuesday-fixes-critical-ie-smb-bugs-041211
Also:
Microsoft delivers monster security update for Windows, IE
Microsoft patches 64 security vulnerabilities
Reply 13 : NEWS - April 12, 2011
The removal of administrator rights from Windows users is a mitigating factor in 75 percent of Critical Windows 7 vulnerabilities.
Microsoft and its partners regularly identify new security vulnerabilities in Microsoft software. In 2010 Microsoft published over 100 security bulletins documenting and providing patches for 256 vulnerabilities.
BeyondTrust examined and analyzed all of the published Microsoft vulnerabilities in 2010 and all of the published Windows 7 vulnerabilities to date, allowing their report to accurately quantify the continued effectiveness of removing administrator rights at mitigating vulnerabilities in Microsoft software.
The results of BeyondTrust research demonstrate that as companies migrate to Windows 7 they'll need to implement a desktop Privileged Identity Management solution, to reduce the risks from unpatched Microsoft vulnerabilities without inhibiting their users' ability to operate effectively.
Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:
Continued : http://www.net-security.org/secworld.php?id=10886
Reply 14 : NEWS - April 12, 2011
"A security researcher warns there is lax oversight of law enforcement requests for electronic communications"
Law enforcement organizations are making tens of thousands of requests for private electronic information from companies such as Sprint, Facebook and AOL, but few detailed statistics are available, according to a privacy researcher.
Police and other agencies have "enthusiastically embraced" asking for e-mail, instant messages and mobile-phone location data, but there's no U.S. federal law that requires the reporting of requests for stored communications data, wrote Christopher Soghoian, a doctoral candidate at the School of Informatics and Computing at Indiana University, in a newly published paper.
"Unfortunately, there are no reporting requirements for the modern surveillance methods that make up the majority of law enforcement requests to service providers and telephone companies," Soghoian wrote. "As such, this surveillance largely occurs off the books, with no way for Congress or the general public to know the true scale of such activities."
That's in contrast to traditional wiretaps and "pen registers," which record non-content data around a particular communication, such as the number dialed or e-mail address that a communication was sent to. The U.S. Congress mandates that it should receive reports on these requests, which are compiled by the Administrative Office of the U.S. Courts, Soghoian wrote.
Continued : http://www.networkworld.com/news/2011/041211-us-police-increasingly-peeping-at.html
Reply 15 : NEWS - April 12, 2011
A New York man who claims he's entitled to a sizable stake in Facebook has amended his initial complaint, adjusting his ownership claim and providing additional documents, including e-mails he allegedly exchanged with Mark Zuckerberg.
Paul Ceglia now claims that he owns 50% of Facebook, a stake he alleges he contractually acquired by investing $1,000 in the venture back in April 2003, when the social-networking site was an early stage project and idea Zuckerberg was working on.
Should Ceglia succeed in his claim, his $1,000 investment would net him a stake worth about $25 billion, according to the most recent Facebook valuation, in what is now one of the most popular and successful websites in the world.
In addition to a copy of a contract he and Zuckerberg allegedly signed back then, Ceglia has now also provided the text of a series of e-mails the two men exchanged between 2003 and 2004.
In the messages, portions of which are contained in the amended complaint filed on Monday with the U.S. District Court for the Western District of New York, Ceglia seeks updates on the project, then called The Face Book, and he and Zuckerberg discuss plans for the site's design and business model.
Continued : http://www.computerworld.com/s/article/9215745/N.Y._man_presses_Facebook_ownership_claims
(Me, too. Me, too.)
Reply 16 : NEWS - April 12, 2011
Online security company Websense has issued a warning to Facebook users over a saucy video scam that has already conned nearly 300,000 people.
The scam teases visitors with a suggestive picture, urging them to click on a link to 'The Hottest & Funniest Golf Course Video - LOL' and tricking them not only to 'Like' the page, but also to share it with their friends - all by exploiting standard Facebook APIs.
Users clicking on the link are taken to another page, but before they can watch the promised video, they're asked to fill out a pop-up survey - allowing scammers to nab email addresses and other details, and leaving users vulnerable to spam or even ID theft.
And once they've done all that, it turns out there's no video after all.
In a blog post released late on Friday, Patrik Runald, senior research manager at Websense Security Labs, wrote:
"During the 15 minutes it took to write our Security Alert over 7,000 new users were tricked to 'like' The Hottest & Funniest Golf Course page so it's clear this is a successful campaign. The attackers haven't even bothered to change the title of the payload site.
"The title still says 'Look What Happens When a Father Catches her Daughter on Webcam' which is another scam that went around Facebook months ago. As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT!"
Continued : http://www.thinq.co.uk/2011/4/11/facebook-sexy-video-scam-tricks-300000-users/
Reply 17 : NEWS - April 12, 2011
Sens. John Kerry (D-Massachusetts) and John McCain (R-Arizona) proposed online privacy legislation Tuesday that for the first time would give web users the right to demand they not be tracked in cyberspace.
Still, the measure was met with resistance from privacy advocates who said the Commercial Privacy Bill of Rights Act of 2011 did not go far enough.
The bipartisan legislation would allow consumers to demand particular websites stop tracking and selling their online behavior. As it now stands, internet surfers are bound by lengthy and often hidden terms-of-service agreements by which a company dictates how one's surfing habits and data will be used.
The legislation comes as Microsoft, Mozilla and Google implement "do-not-track" features in their browsers.
Kerry told a news conference that Americans' online activity is being tracked, stored and shared "on an almost unimaginable scale."
Kerry added that internet companies "can do virtually anything they want with our information and we have no legal way to make them stop."
The measure does not prohibit online companies from producing and selling cyber dossiers on consumers. Instead, the bill requires consumers to take a proactive step and demand it be stopped - likely by finding links on websites and on ads to opt out.
Continued : http://www.wired.com/threatlevel/2011/04/online-privacy-law/