Security News Curated from across the world
Open SSL Off-By-One Overflow
Java Web Start Bugs
Adobe Acrobat URI Handling Bug
IBM Lotus Notes Buffer Overflow
RealPlayer Input Validation Flaw
IBM WebShere Application Server Input Validation Hole
IBM WebShpere Input Validation Hole
PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
Apache Input Validation Hole
Adobe Flash Player Bugs
http://www.net-security.org/secworld.php?id=5865
The logical answer to keeping your network and systems secure is to prevent unhealthy or unauthorized users on the network in the first place. Encryption may seem like an easy fix, but there is no easy answer to this complicated problem. In general, most state laws follow the basic tenets of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. Laws in other states are tough too, but some allow more exemptions or do not allow a private right of action.
When you click on a state on the map, you’ll see highlights of that state’s law, including specific instances where it might differ from the California law.
For example, the Massachusetts law pertains to paper record as well as computer data, as noted in the box. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.
http://www.csoonline.com/read/020108/ammap/ammap.html
Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.
The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.
Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime.
http://www.theregister.co.uk/2008/01/02/hacker_toll_ban_guidance/
In particular, Finjan investigated an attack that used zero-day exploits – malicious software for which there are no security patches – that was designed to steal confidential information.
On Saturday, The Times disclosed that the Director-General of MI5 had written to businessmen with a warning that they were being attacked by Chinese cyberspies. Ian Brown, of Oxford University, a cyber-espionage expert, said that British businesses were more vulnerable than they need to be because of the merger and planned job cuts. Critics say that leaves cybercrime and web-based industrial espionage too far down the agenda.
http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2994807.ece
“Vulnerabilities on the client side have exploded over the last year,” says Rohit Dhamankar, senior manager of security research at TippingPoint and project manager for the SANS study.
One of the most critical vulnerabilities to computer security is “gullible, busy, accommodating computer users — including executives, IT staff, and others with privileged access — who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage, and much more,” the report states.
The number three vulnerability on this year’s list is “critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets — and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations.”
Enterprises may not be able to solve these two problems entirely, but they can reduce the risk by limiting administrative privileges and restricting users’ ability to download and install applications, SANS says.
As it did last year, SANS put Microsoft Windows vulnerabilities among the most serious on the list, but it is home-grown applications that present the greatest threat, according to the report.
http://www.darkreading.com/document.asp?doc_id=139984&WT.svl=news1_4
Several hundred attendees, ranging from established tech players to upstarts hoping to carve out a niche in this booming space, came in search of new ideas, potential business partners and maybe even a little validation of their emerging Web 2.0 strategies.
“What’s clear to me as I look out into this room is that I’m looking at the future of the software industry,” Donald Proctor, senior vice president of Cisco’s collaboration software group, said during his keynote address kicking off the conference.
Unified communications—the cobbling together of instant messaging, Web conferencing, e-mail, desk phones, mobile phones, blogs and all the other tools employees and businesses use to communicate into one central location or platform—and collaboration—the tools and processes needed for meaningful productivity—have replaced customer relationship management (CRM) (define) as the markets of choice for the SaaS crowd. That’s partly because those applications lend themselves so well to a browser-based distribution model and partly because they’re precisely the type of applications employees and companies need to manage their data and business processes online.
Cisco CEO John Chambers, during a conference call Wednesday with analysts following the company’s first-quarter earnings report, couldn’t have been more clear when he repeatedly said unified communications and collaboration will not only be the key to Cisco’s growth in the next 10 years but will “drive the next wave of productivity around the world.”
Cisco isn’t the only company that’s caught on this tectonic shift in communications. “It’s enabling people to collaborate on documents that matter,” said Erik Larson, director of marketing and product management for Adobe’s business productivity unit. Larson said boundaries such as time and physical locations or technology platforms and disparate browsers have impeded productivity for years.
http://www.internetnews.com/ent-news/article.php/3710121