Wednesday, June 10, 2009

RSA chief: The job of the security guy is not to be 'Doctor No'
IT security managers should enable cloud computing by learning how to manage risk, says RSA chief Art Coviello.

----------

Adobe patches 13 critical PDF bugs in first quarterly update
Adobe fixes security bugs in Reader, Acrobat
The patches were released Tuesday, the same day as Microsoft's monthly security update, making for a hectic day of patching for some system administrators. Microsoft patched a record 31 bugs, including critical flaws in Windows, Office, and Internet Explorer.
Adobe's software has increasingly been targeted by attackers who have found ways to use bugs in the code to install malicious software on computers. They do this by tricking a victim into opening a maliciously encoded .pdf file. "These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe said in its security advisory Tuesday.

----------


T-Mobile data was not taken by hacking, company says
On Saturday, hackers posted what appear to be logfiles taken from T-Mobile's network to the Full Disclosure mailing list, claiming to have hacked the carrier. "We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," they wrote.
According to T-Mobile, however, these claims are false. The hackers did manage to get legitimate T-Mobile data, but they didn't do it by hacking into the company's network, the company said. "The document in question has been determined to be a T-Mobile document though there is no customer information contained in the document," the company said in a statement. "There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach."

----------

Microsoft sets record with monster Windows, IE, Office update

Microsoft Update Removes Rogue Antivirus Program at PC World – Tue Jun 9, 4:30 pm ET
Microsoft has taken aim at a rogue antivirus program called Internet Antivirus Pro.

----------

Spam drops 15% after FTC pulls plug on rogue ISP
"Spam dropped 15% across the board," said Bradley Anstis, director of technology strategy at Marshal8e6. "We especially noticed [the drop] over the weekend," he said, adding that the decline picked up steam slowly.
Last Tuesday, a federal court ordered the plug pulled on 3FN, an ISP operated by Belize-based Pricewert, after the FTC complained that the company hosts spam botnet command-and-control servers, as well as sites operated by child pornographers, identity thieves and other criminals.

----------

New Weapon Against Drive-by Downloads Emerges
As more employees visit social networking sites while at work, network managers are seeing a rise in accidental malware infections.
----------

Researcher: Popular Internal IP Addressing Scheme Could Leave Enterprises Vulnerable

Jun 09, 2009

Flaws in RFC 1918 could be exploited to gain access to enterprise networks, says Robert "RSnake" Hansen
... The problem, Hansen observes, is that some enterprises and technologies use private IP addresses as a means of securing themselves -- they assume that because RFC 1918 addresses are used only internally, an external attacker would not be able to take advantage of them. But Hansen points out that the spectrum of RFC 1918 addresses is so limited that a hacker might be able to create parallel environments that also use RFC 1918, and then exploit IP address collisions between the networks to compromise the enterprise's internal environment.

----------

Java 6 update 14 released
Sun has updated Java to 6u14. Details can be found here:
http://java.sun.com/javase/6/webnotes/6u14.html
Do note that while the list of bug fixes is impressive, Sun also states: "This feature release does not contain any new fixes for security vulnerabilities to its previous release".

----------

Adobe June Black Tuesday upgrades
June yielded just one bulletin:
apsb09-07
It updates Acrobat and Reader on Windows and Mac to Adobe Reader 9.1.2 and Acrobat 9.1.2. Also available are Acrobat 8.1.6 and Acrobat 7.1.3.
This fixes the following CVEs:
CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, and CVE-2009-1861.
Note that the bulletin states "Additionally, this update resolves Adobe internally discovered issues".

Among the list are a number of JBIG2 filter vulnerabilities.
JBIG2 filter vulnerabilities have been exploited in the past, so you really want this upgrade.

----------
Palm Pre Cheat: upupdowndownleftrightleftrightbastart
engadget.com — We couldn't believe it either, but as it turns out, from the launcher screen of your Pre, simply type in the phrase "upupdowndownleftrightleftrightbastart" -- which if you parse it with spacing might be more easily recognizable as the infamous Contra / Konami code (look it up) -- and up comes a hidden app called "Developer Mode Enabler."
----------

Cisco report: the exaflood will be televised
June 10, 2:34 p.m. UTC - by Jon Stokes Posted in: Uptime
A new report from Cisco puts some numbers behind the "future of IP traffic is video" thesis that drove their recent purchase of PureDigital. The company expects for IP traffic to grow by a factor of four in the next five years, at which point video will make up 90 percent of Internet traffic.

----------

Lawyers plan class-action to reclaim "$100M+" RIAA "stole"
June 10, 11:06 a.m. UTC - by Nate Anderson Posted in: Law & Disorder
Lawyers in this year's two highest-profile file-sharing cases have joined forces, and they plan to file a class-action lawsuit against the recording industry later this summer to claw back the "$100+ million" that the RIAA "stole."

----------

Open source, digital textbooks coming to California schools
June 10, 3:19 a.m. UTC - by John Timmer Posted in: Law & Disorder
The cash-strapped Golden State has decided that, starting next school year, schools will be able to use open source, digital textbooks for a number of math and science subjects. Ars talked with Brian Bridges, the Director of the California Learning Resources Network, which will be reviewing the texts, to find out more about what the program entails.

----------

June 2009 Bulletin Release
Posted Tuesday, June 09, 2009 10:29 AM by MSRCTEAM
Summary of Microsoft’s monthly security bulletin release for June 2009.
----------

MS09-019 (CVE-2009-1140): Benefits of IE Protected Mode, additional Network Protocol Lockdown workaround
Benefits of IE Protected Mode

One of the vulnerabilities addressed in MS09-019, CVE-2009-1140, involves navigating to a local file via a UNC path, ex: \\127.0.0.1\c$. This roundabout way of navigating to a file is necessary to execute local content such that it runs in the Internet Explorer Internet zone, where scripting is enabled.

As it turns out, versions of IE that are running with the Protected Mode feature turned on (Vista & Windows Seven) are protected against this attack.
----------
Linux kernel 2.6.30 has been released. The list of new features includes NILFS2 (a new, log-structured filesystem), a filesystem for object-based storage devices called exofs, local caching for NFS, the RDS protocol (which delivers high-performance reliable connections between the servers of a cluster), a new distributed networking filesystem (POHMELFS), automatic flushing of files on renames/truncates in ext3, ext4 and btrfs, preliminary support for the 802.11w drafts, support for the Microblaze architecture, the Tomoyo security MAC, DRM support for the Radeon R6xx/R7xx graphic cards, asynchronous scanning of devices and partitions for faster bootup, the preadv/pwritev syscalls, several new drivers and many other small improvements.

----------

Tuesday the Public Interest Registry announced that they'd signed the .org zone on an experimental basis. Theirs is the first "open" generic top-level domain to be signed, as well as the largest signed zone. That's obviously great if you run a subdomain of .org and are keen to sign it, but it's even good for folks with subdomains of other gTLDs, since it'll put pressure on their registries to sign those zones, too.

Then on Wednesday, the National Telecommunications and Information Administration, or NTIA, part of the U.S. Department of Commerce that has responsibility for oversight of the root zone, announced that they'd work with ICANN and VeriSign to sign the root by the end of the year.

----------

Apple Safari jumbo patch: 50+ vulnerabilities fixed

----------

IBM's Devil's Triangle: An enterprise software soap opera
Michael Krigsman: IBM faces lawsuits and public embarrassment in the Philippines over a failed government project involving the company's DB2 database product.

----------

Supreme Court Won't Hear Case Over Computer Tech's Right To Search Your Computer
A few years back, we wrote about the case where a guy was arrested for possessing child pornography after techs at Circuit City found child porn on his computer while they were installing a DVD player. The guy insisted that the evidence shouldn't be admissible since the techs shouldn't have been snooping through his computer -- and a lower court agreed. The appeals court, however, reversed, noting that the guy had given Circuit City the right to do things on his computer -- including testing out the newly installed software (which is how the tech claims he found the video). The guy appealed to the Supreme Court, which has declined to hear the case, meaning that the ruling stands for the time being. So, basically, if you hand your computer over to someone else for repairs, at least in some jurisdictions, they may have pretty free rein in terms of what they're allowed to access on your computer.

----------

Elsevier Reveals More Details About Its Fake Journal Division
Remember how Elsevier and Merck were caught putting out a fake journal that had articles favoring Merck drugs, implying peer reviewed articles that weren't? Soon afterwards, it came out that Elsevier had a whole division for such things. However, following an internal investigation, it looks like Elsevier is backtracking a bit and saying that, while the group's practices were problematic, most weren't as egregious as the "Australasian Journal of Bone and Joint Medicine (AJBJM)" that was created by Merck and Elsevier. Instead, most of the others were sponsored by multiple companies, rather than just one. Still, the company admits that it never should have called the custom publications "journals" and is changing its publication rules -- having editors from its real journals create the guidelines for any custom publication offerings. Either way, this whole episode is a serious black mark on Elsevier and the reputation of any of its journals -- real or "fake."

----------

US Officials Finally Going After Online Organized Criminals In Other Countries
It's no secret that Eastern Europe has become the center of an awful lot of organized crime online. Various phishing and scam rings tend to work from a variety of different Eastern European countries without much fear of law enforcement or prosecution. Most of the enforcement in the US to date has been on the few unfortunate Americans who got involved in such scams -- but such targets were almost always small-time scammers compared to the big players across the ocean. However, there are some signs that's starting to change. Forbes details the first case of a foreign cybercriminal being extradited to the US, noting that greater cooperation between foreign governments and the US means that we should be seeing more of this. However, the article also notes that this is only one small attempt, and officials haven't really been able to do any damage to some of the bigger organized crime groups online. Still, given how little the US gov't had been able to do to actually go after the real criminals, it is a good sign that at least they're looking for ways to reach across boundaries to find them.

----------

Judges Divided On Right Of Schools To Punish Students For Mocking Principals Online
We've had a number of different stories over the years about students making use of social networks to make fun of or taunt teachers, principals and administrators -- which often ended with schools disciplining those students. However, for years, courts have held that schools have no right to discipline students for speech that occurs off-campus. The Supreme Court muddied the waters on this issue recently in its decision on the "Morse case," better known as the "Bong Hits 4 Jesus" case, where a student was disciplined for unfurling a banner with that phrase on it at a school-sponsored Olympic torch rally. The Supreme Court indicated that the fact that the event was school-sponsored gave the school the right to discipline the students -- but that's opening up plenty of questions in two separate cases in the same circuit where it looks like judges are somewhat split on the issue (via Michael Scott). The key issue, of course, is what constitutes a school-related event. If students are passing out the info on such fake social networking websites to classmates, is it school sponsored? That seems to be the claim some administrators are making, saying that if it influences activities at the school, then the school can discipline the students. With so many different opinions, it seems almost certain that this issue is going to show up a lot more before the courts finally settle the matter.

----------

DHS appoints former hacker, Black Hat founder to council
Angela Moscaritolo June 08, 2009
Jeff Moss, a former hacker who founded the Black Hat and DEFCON conferences, was one of 16 people appointed to the U.S. Department of Homeland Security Advisory Council.

----------

Bullion and Bandits: The Improbable Rise and Fall of E-Gold
... Despite the shackle, Jackson’s conviction isn’t black and white. In a twist still unacknowledged by prosecutors, Jackson turned E-Gold for a time into one of law enforcement’s most productive honey pots, providing information that helped lead to the arrest and conviction of some of the web’s most wanted credit card thieves and hackers. He’s now working with regulatory agencies to try to bring back E-Gold, steps he says he would have taken voluntarily years ago if authorities had given him a chance.

----------

2009 Top Urban Legends in IT Security
There are lots of IT Security related urban legends floating around the Internet. Some have malicious intent and others are just for fun. Some have been with us for years but still refuse to die. Here is a list of my top IT Security Urban Legend picks for this year.