Security News Curated from across the world
Some major hosts have no TTLs or very low TTLs and, for those servers, you gain very little, he said.
“If we can’t override them — can’t override high TTLs — those sites go down for a very long time,” Kaminsky said.
“I never claimed my one-character patch would fix all bugs in bind (sic) — I don’t have that kind of power,” Somlo joked on the mailing list.
http://www.securityfocus.com/brief/808
The target information included CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company’s list of privileged passwords.
Identity management firm Cyber-Ark conducted the survey of 300 IT professionals in its annual review ‘Trust, Security & Passwords’.
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people’s personal emails.
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=10734
“If you look at log files or system events to understand what is going on in your machines or in your network, a lot of people look at their textual logs.” The goal is to take network traffic, intrusion defense system and firewall data and begin visualizing pieces of it to create an overall picture of the company’s security posture. When you start developing the appropriate chart or graph to better flesh out the data, you can begin to see patterns and sometimes certain pieces of information stand out, Marty said.
Firewall log files would be useless with little domain expertise on staff to help generate graphs.
Marty has released a Linux CD called Data Analysis and Visualization Linux (DAVIX).
“With firewall log files, you don’t need to know what specific IP address is connecting to me from the outside,” Marty said. “You can cluster it to get a general idea of what happened and then if you want to drill down you can open up that cluster.” For example, a chart or graph could help visualize violations per Payment Card Industry Data Security Standard (PCI DSS) requirement, helping companies determine where they fall short of the standard. It can be used to audit large database management systems, such as Oracle and Microsoft’s SQL-Server to figure out who accessed a particular table, and whether the database table was altered.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327341,00.html
The technology, known as DNSSEC, promises to secure the domain name system (DNS) against attempts to subvert the infrastructure, such as the cache poisoning attack found by researcher Dan Kaminsky earlier this year.
Because of the technical hurdles — and the political problems in designating companies or governments to hold the keys to the domain-name system — both governments and private sector companies have held off deploying DNSSEC for more than a decade.
The OMB has set a deadline for initial implementation plans of September 5, with mutually agreed on final plans completed by October 24, 2008.
http://www.securityfocus.com/brief/807
“If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern,” she said.
Additionally, more companies are starting to audit their security and network systems and use readily available security measures.
The group highlighted a recent massive breach caused by a retailer using unsecured or poorly secured networks to store customer data. Early this month, the US Attorney General’s office indicted members of a hacking ring that allegedly lifted 40 million credit and debit card numbers from retailers TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW.
Feds estimate the hackers netted about 45.7m payment cards from TJX (which operates T.J. Maxx stores) alone.
http://www.theregister.co.uk/2008/08/27/itrc_data_breaches_2008_beat_2007/
While the company reported that overall vulnerability counts have started to decline, the most common vulnerabilities listed in the report will seem familiar to those who follow Web security.
A new entry to the top 10 was cross-site request forgery, which allows an attacker to force a victim’s browser to make an authorized Web request.
WhiteHat CTO Jeremiah Grossman also recommended that developers practice input validation and output filtering properly.
http://www.eweek.com/c/a/Security/WhiteHat-Report-Finds-Web-Site-Security-Vulnerabilities-Persist/?kc=rss