Viral movies possible with RealPlayer flaw

Posted on by admini

The problem means that fake movie files could be created that, when played by vulnerable Real software, would run a program instead.

The flaw appears in RealPlayer 10 for Windows and Mac OS X, the RealOne Player for Windows and Mac OS X and the Real Helix Player for Linux.

“Anyone who has RealPlayer is affected, and there are many people with RealPlayer,” said Marc Maiffret, chief hacking officer at software security company eEye Digital Security, the company that discovered the security issue.

RealNetworks could not be reached for comment.

The flaw occurs in a component of Real’s software that handles Real movie files with the .rm extension, according to eEye’s advisory.

Similar to the recent flaw in Windows applications that handle the JPEG image format, this vulnerability affects a widespread piece of software and could be used to create a virus.

“It’s similar to the JPEG flaw in the sense that just by viewing the file, or having the file ‘force viewed’ through a Web browser, your system can be compromised,” Maiffret said.

“I think both this JPEG vulnerability and the RealPlayer vulnerability are good examples of a type of threat that is becoming more prevalent: client-side vulnerabilities.”

Rather than finding a security hole in the operating system and gaining direct access to a computer, attackers are now increasingly looking at exploiting widely used applications.

Latest Bagle variant attempts download of potentially infected JPEG file alternatives other than patching,” Maiffret said.

http://news.zdnet.com/2100-1009_22-5393139.html?tag=default

Read more

A Seven-Step Plan For Protecting Corporate Data

Posted on by admini

Enterprise Rights Management (ERM) is an umbrella term for products that mix elements of intellectual property protection with document control.

Unlike digital rights management technologies that strive to manage consumer use of published media, ERM focuses on business documents and data, seeking to control their creation, use and distribution. Rights management systems typically rely on servers operating in the background performing such functions as applying policies to content, authenticating users and granting rights. Rights management vendors and products have differing approaches and architectures.

In a nutshell, rights products can:
– Encrypt content;
– Assure that only the intended recipient can open the content;
– Control the recipient’s ability to copy, print, forward, alter or otherwise tamper with the information;
– Revoke access rights or expire the content itself to prevent further access; and
– Log all of the above to an audit trail.

Rights management vendors and products have differing approaches and architectures. SealedMedia, for example, works on the premise that content sent to external users gets returned to the sender once the sharing process is done. Liquid Machines sees rights management as enabling collaboration among trusted parties and focuses on usability — the idea that policy application and consequent document access should be as unobtrusive to processes as possible.

Some products — usually those that require server connectivity — allow rights to be changed even after the recipient has accessed the content.

Rights management shouldn’t be confused with records management. Although access rights to content can be expired using a rights management system, the content itself isn’t always destroyed, as it can be by a records management system. Losing the encryption key on a rights-protected document, for example, disables the recipient’s access to it, but the document itself may stay on the recipient’s drive.

Vendors such as PSS Systems offer a records management foundation and concentrate on applying company policy to internal documents so they can be controlled from creation to disposition, regardless of where they reside.

The Plan:
– Define the risks;
-Determine what content is worth protecting;
-Identify levels of trust and appropriate controls;
-Prescribe appropriate security for the content and the situation;
-Determine what assurance must be provided that content reaches only the intended recipient(s);
-Determine what should happen when content should no longer be shared; and
-Describe who has the authority to apply policies and what happens if policies conflict.

http://www.securitypipeline.com/49400427

Read more

Botnet-related crime is beginning to indicate to the experts what they might expect next

Posted on by admini

“When you see the creation of zombie networks, you can almost see the life cycle of a spam and virus attack,” said Malcom Seagrave, head of security strategy for Energis. “It’s the same with DDoS [denial-of-service] attacks and those who steal data. We can’t prove it, but we think they are related. The attacks are well-organised and they are beating the security industry.”

Seagrave said combined threats, such as keystroke-logging Trojans embedded in spam, were causing serious damage to company networks. “Some of their methods, we just can’t work out,” he said. “But the most important way to stop this is user education.”

Botnets are readily available for hire on the Internet. According to anti-spam campaigner Steve Linford of Spamhaus, botnets are first set up for spammers to hire and then sold on — often for DDoS attacks – when they have been blocked by anti-spam firms.

Seagrave said he thought that online retailers needed to beef up their security in time for Christmas: “You’ll almost certainly see a DDoS attack coming before Christmas. Retailers will have to be wary as you can expect a growth in attacks this year”. The National Hi-Tech Crime Unit agreed that retailers face a security challenge this winter.

http://news.zdnet.co.uk/communications/networks/0,39020345,39168639,00.htm

Read more

Feds fund secure ID project

Posted on by admini

The National Highway Traffic Safety Administration, part of the U.S. Department of Transportation, will give Digimarc a $1 million grant to collaborate on the study with states.The program will examine the possibility of creating licenses with embedded digital watermarks that can be read by machines operated by police officers, retailers and other people.

“Part of the value is that this shows good cooperation between federal and state governments, a number of which are already deploying the technology,” said Reed Stager, a Digimarc vice president. “This can be used to increase highway safety; it can reduce underage drinking…and also has potential to help reduce ID theft and fraud.”

Although driver’s licenses are ordinarily overseen by each state, the federal government is exploring ways to make such identification more secure, as part of an effort to improve highway safety and reduce counterfeiting. The federal drive for more secure ID has also been given impetus by concerns about homeland security. Many state driver’s licenses already have magnetic strips containing data, such as age, about their holders. This technology is built to commonly available specifications and is relatively easy to counterfeit, however.

Digimarc says its “covert watermarking” technology would provide an additional layer of security, since it would be harder to mimic. The Beaverton, Ore.-based company said it plans to use the $1 million grant to help fund state implementations of the watermarking technology, as well as to help establishments such as state-owned liquor stores to purchase card readers.

The pilot program is expected to be completed in late 2005, the company said.

http://news.zdnet.com/2100-1009_22-5390619.html?tag=default

Read more

Upgrades, HR costs squeeze British tech budgets

Posted on by admini

A survey of 168 organizations in the United Kingdom found that more than half expected IT spending to increase over the next year by an average of 1.9 percent. The annual Benchmark of IT Spending was conducted by Britain’s National Computing Centre. That figure of 1.9 percent varies widely over different sectors.

In central government, manufacturing and finance, overall IT spending is predicted to actually fall over the next year. Ian Jones, head of content and publishing at the NCC, described the outlook of IT buyers as “cautiously optimistic.”

The bulk of IT budgets is still taken up by running and maintaining the existing infrastructure, with operational costs making up 68 percent of total spending. Fresh investment in IT only accounts for 28 percent, with the rest accounted for by end users and other sources within the organization. Again, the figures differ in each sector, with IT investment greater in central government and finance, and lower in construction and manufacturing.

IT staff remain the single largest budget item, accounting for almost a third of overall budgets. The average level of IT staffing is 26.5 techies per 1,000 end users in a company, which is slightly down from 31 last year. The finance sector has the highest ratio, at over twice this year’s average.

Desktop replacement is the most important IT department activity, and 42 percent of Windows systems are expected to be upgraded over the next two years, mainly to Windows XP. The proportion of sites running Linux desktops remains low, though strong growth is predicted. Jones said the Linux vendors had come in for “a real kicking” after all the rhetoric and hype about open source on the desktop. “It has really made no impact whatsoever on the desktop,” he said. “The Linux vendors need to raise their game.”

The big area highlighted by user organizations is thin-client desktops. These are currently only used in 16 percent of firms, but that is expected to rise to 24 percent over the next two years. Laptops and PDAs are also expected to grow proportionately much faster than desktops, at just more than 50 percent over two years, though the actual numbers remain a lot smaller.

The Windows 2003 server upgrade is also a major project on the table for many companies, while the decline of the mainframe continues apace.

http://news.zdnet.com/Upgrades%2C+HR+costs+squeeze+British+tech+budgets/2100-3513_22-5386982.html?part=rss&tag=feed&subj=zdnn

Read more

Why security is an information problem

Posted on by admini

Rather than thinking about the value of their mobile or laptop, employees need to be trained about the value of information to their company,” said Perry.

Esther George, policy advisor for the Criminal Prosecution Service (CPS), said that the authorities are limited in what they can do when it comes to prosecuting criminals by a general reluctance on the part of companies to admit to hack attacks.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

Martin Jordan, a senior manager from KPMG, said that despite the best efforts of the security community, end users would always be playing catch-up to hackers and criminals — what companies need to decide is how far they are want to lag behind.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

Computer Associates’ Perry said that another key factor in combating hacking is for home users to take security as seriously as business users, because many new viruses and spyware are propagated on personal machines.

http://news.zdnet.co.uk/internet/security/0,39020375,39168216,00.htm

Read more