Security News Curated from across the world
“Organisations and the individuals they employ have to take mobile security seriously while still ensuring that they can take advantage of the benefits,” said the report.
However, the study concluded that if security is managed properly, the risks are acceptable given the possible gains for a company.
http://www.vnunet.com/vnunet/news/2165203/managers-snub-mobile-security
Oracle counts auditing and compliance applications as part of its security arsenal as well. In fact, compliance has been a big driver of the security business, Thomas Kurian, Oracle’s senior VP of server technology said Wednesday.
“Customers said they want to let their users search like it’s Google but without giving them access to information they shouldn’t see,” Oracle Co-President Charles Phillips said.
For Investors Bank & Trust, a wholly-owned subsidiary of Investors Financial Services Corp. that already makes use of Oracle E-business applications and databases, convenience can’t be overlooked in Oracle’s appeal as a security provider.
http://www.informationweek.com/news/showArticle.jhtml?articleID=193006361
Virtualized IPS acts as a filter scanning network traffic for known vulnerabilities and virus signatures and blocks them from the virtual machine level before they reach the physical operating environment, he said. The Virtual Security Solution will enable IT to keep vital security processes isolated from potential problems with the main operating system, giving IT managers better control of endpoint security. Malicious disabling or reconfiguring of security safeguards are becoming more prevalent among targeted attacks, said Gregory Bryant, general manager, digital office platform at Intel.
A recent survey of Canadian IT security managers and personnel revealed that between 63 per cent and 79 per cent are concerned about the disabling or misconfiguring of security systems by hackers and Trojans, by employees or by operating system and application patches. According to the report, IT managers’ concern about employees disabling system defences is rising among 27 per cent of Canadian respondents.
http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?ID=idgml-580e3312-4e56-4ff3-bcff-3c3f483c9bc9
As an example, consider a hypothetical gourmet food e-commerce web site. This site displays a map of the world to the user, and as the user navigates the mouse pointer over each country, the page uses Ajax programming to connect back to the web server and retrieve a list of goods originating in that country. SQL injection vulnerabilities allow attackers to execute their own SQL queries and commands against the database, rather than those that the developers of the web site intended. The entire database, including customer names, addresses, and credit card numbers, could be downloaded by such a command.
The average QA engineer typically will be much more thorough. He might even set up an automated test script that will mouse over every single pixel on the screen, and he will check to see if there are any errors in the Ajax programming or underlying page code. But, even this extreme level of thoroughness won’t be enough to find the SQL injection vulnerability. By using a web browser (or automated script recorded from a web browser) as his test tool, the tester has limited his potential requests to only those which the browser can send, and the browser is itself limited by the source code of the web page.
In order to successfully defend against the hacker using SQL injection or some other attack, the QA engineer has to think like the hacker. They use tools that operate at a much lower level, tools that are capable of sending raw HTTP requests to an address and displaying the raw HTTP response. Like programming in standard hyperlink navigation or form submission, Ajax programming actions always have an HTTP request and response. So, armed with his low-level HTTP requestor tool, the hacker is now free to make attacks on the application that could never be possible with a browser alone.
In order to successfully defend against the hacker using SQL injection or some other attack, the QA engineer has to think like the hacker. An even better approach is to use an automated security analysis tool that performs these tests.
http://www.it-observer.com/articles/1242/testing_security_age_ajax_programming/
All departments are affected by breaches to information security — it’s much more than just an IT issue, it’s a business issue.”
Mr. Murray was surprised to find that 61 per cent of Canadian respondents surveyed have limited or no security training for the end-users of technology — their employees.
“Over the long term, organizations need to create a culture of security in the workplace, where employees recognize the threats to their organization’s information security and how they can combat them,” he says.
When it came to staffing, almost two-thirds of Canadian organizations were found to be dedicating two or less full-time employees or equivalents to information security.
http://www.ottawabusinessjournal.com/287132340207207.php
“There is no safe browser,” said Vincent Weafer, senior director with Symantec Security Response.
Legitimate companies such as 3Com’s Tipping Point and Verisign’s iDefense pay for this information, and there is also a growing black market for exploits. “Everyone has realised that targeting the applications on the desktop is a better way to break into businesses and consumers and steal things than server flaws,” he said.
Businesses and consumers may both be targets, but home users are the victims in about 86 percent of all attacks, according to Symantec.
And the US is the biggest source of online attacks, thanks to its large number of compromised machines with broadband connections, Weafer said.
Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec.
http://www.techworld.com/security/news/index.cfm?newsID=6955