Wednesday, September 9, 2009

Wednesday 09/09/09

7 Reasons Websites Are No Longer Safe
Many of the sites you visit regularly and think are secure are laden with data-stealing malware. Here are seven reasons why, and advice on how to protect your systems.

----------

Data Breaches: Patterns and Their Implications
What can we learn from statistical analysis of data breaches? Luther Martin digs in.

----------

Don't Worry, I Backed Up My Phone to the Cloud
Now Forrester's Robert Whitely can nuke his own phone remotely! Umm, is that good?

----------

Unpatched Microsoft Bugs Raise Red Flags
September 09, 2009 — IDG News Service —

Microsoft has released its security updates for the month of September, but a couple of unpatched flaws have some security experts wondering if the software company will be forced to release an emergency patch sometime in the month ahead.

Security researchers believe that an unpatched flaw in the SMB (Server Message Block) 2 software that ships with Windows Vista and Windows Server 2008 could turn into a major headache.

Proof of concept code showing how the bug could be leveraged to crash a Windows machine was posted Monday to the Full Disclosure mailing list by Laurent Gaffie.

----------

Microsoft Security Advisory 975497 Released
Posted Tuesday, September 08, 2009 4:35 PM by MSRCTEAM
We’ve just released Microsoft Security Advisory 975497, which provides information about a new, irresponsibly reported vulnerability in SMB 2.0. Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.

The Security Advisory outlines steps that Windows Vista and Windows Server 2008 customers can take to help protect themselves while we work on a security update for this issue.

----------

Assessing the risk of the September Critical security bulletins
Tuesday, September 08, 2009 9:57 AM
This morning we released five security bulletins, all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of "1" (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your deployment this month.

----------

"Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."

----------

Microsoft: Patching Windows 2000 'infeasible'

----------

Future Firefox to Nag Users on Insecure Plug-ins

Mozilla says that the next version of Firefox will warn users if they are running insecure, outdated versions of the Adobe Flash Player, as part of a nascent effort to work with vendors of the most popular browser plug-ins to ensure users aren't falling behind on important security updates.

Beginning with Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their Flash plugin is out of date. Mozilla said it is starting with Flash because of its ubiquity, but also in response to recent studies showing that as much as 80 percent of users are running old versions of Flash.

----------

Demonstration of a Liquid Explosive
The BBC has a video demonstration of a 16-ounce bottle of liquid blowing a hole in the side of a plane.

----------

"Microsoft wants the engineers in its labs to manage their servers remotely, and is moving development servers from a bevy of computer rooms in labs to a new green data center about 8 miles from its Redmond campus. "I see today as a real transition point in our culture," said Rob Bernard, chief environmental strategist at Microsoft, who acknowledged that the change will be an adjustment for veteran developers but will save money and energy use. Microsoft expects its customers will run their apps remotely in data centers, and clearly expects the same of its employees."

----------

"Beijing is drawing up plans to prohibit or restrict exports of rare earth metals that are produced only in China and play a vital role in cutting edge technology, from hybrid cars and catalytic converters, to superconductors, and precision-guided weapons. A draft report by China's Ministry of Industry and Information Technology has called for a total ban on foreign shipments of terbium, dysprosium, yttrium, thulium, and lutetium. Other metals such as neodymium, europium, cerium, and lanthanum will be restricted to a combined export quota of 35,000 tonnes a year, far below global needs."

----------

US Government To Embrace OpenID, Courtesy Of Google, Yahoo, PayPal Et Al.
During the video interview with OpenID evangelist Chris Messina I recorded earlier this year at a German conference about the state of OpenID, he expressed his wish that the Obama administration would soon start to embrace the decentralized, single sign-on method as a way for citizens to engage with the U.S. government online. Four months later, it looks like his dreams are becoming reality.

Later this morning at the Gov 2.0 Summit, Federal Government CIO Vivek Kundra will talk about data.gov and other governmental transparency initiatives, and will also be making an announcement regarding the launch of an open identity initiative featuring the use of both OpenID and InfoCards in a special pilot program.

Make no mistake about it: this has the potential to change the way citizens participate in and communicate with the U.S. government.

----------

DNSSEC Secures Another Domain
Sep 08, 2009
The .edu domain will adopt DNSSEC next March amid more concern over Domain Name System security

----------
