DHS to State Its Case to Business

Improving cyber-security may be in the public interest, but to persuade the commercial owners of the country's critical infrastructure to invest in more secure networks, the Department of Homeland Security next year plans to show them the bottom line.

[eWEEK Technology News]

IE 6 Gets IE 7 Phishing Filter

Microsoft has quietly backported one of the security improvements slated for the new Internet Explorer 7 browser into IE 6.0, but the giveaway comes with a small catch.

[eWEEK Technology News]

Deciphering the world of crypto

It's the computational magic for scrambling data to keep it secret, and in the U.S., the best-known cryptographic algorithms go by names such as Triple-DES and AES. But in other countries, such as South Korea, Russia and Japan, it is SEED, GOST and Camellia that say security, say nothing of specialized cryptos such as CAVE and A5/1.

[Latest standards news from Network World.com]

Exploit Code Released for Oracle Hole

This code, posted on the Full Discloure mailing list, can crash both patched and unpatched Oracle 10g databases.

[eWEEK Technology News]

Regulators: Banks Must Beef Up Web Security

Internet banking requires two-factor authentication--in other words, with both hardware and software--by the end of next year, one group says.

[All InformationWeek Stories]

Report: 80% Of Enterprises To Upgrade Or Deploy New VPNs

IPsec-based networks continue to be the most popular remote access technology, according to a new report from Forrester Research.

[All InformationWeek Stories]

Tempted by blogs, spam becomes 'splog'

The scourge of e-mail--spam--has reinvented itself for the world of blogs, in a phenomenon experts have dubbed "splog." And Google is in the hot seat.

Splog

Exploit Against Popular 'Snort' Network Utility Close At Hand

Security researchers say it is imperative that users patch or apply a work-around for a intrusion detection system vulnerability announced earlier this week.

[All InformationWeek Stories]

Group Announces VoIP Security Taxonomy

By defining the kinds and nature of threats, the organization hopes to provide a common reference point to deal systematically with VoIP security issues.

[All InformationWeek Stories]

Hackers, Scammers Hide Malicious JavaScript On Web Sites

Crooks are using a new technique, called "JS/Wonka," to obfuscate their code, and it's spreading fast.

[All InformationWeek Stories]

Trojan masquerades as Skype update

Cybercriminals are trying to lure e-mail users into installing a Trojan horse by making the malicious code look like a Skype update.

[CNET News.com]

Microsoft Consults Ethical Hackers at Blue Hat

The company encouraged visiting "white hat" hackers to crack away during a security conference intended to improve its development process.

[eWEEK Technology News]

OpenSSL.org Issues Patch for Server Vulnerability

The flaw could allow a hacker to force an OpenSSL-enabled site to use the outdated—and potentially insecure—SSL version 2.0 protocol.

[eWEEK Technology News]

3-Minute WEP Crack

"At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes."

[Network & Infrastructure Blogs]

Security Adviser: Belated thanks for jobs well done

Times are a-changing. Check Point is purchasing Sourcefire. Nessus is going commercial.  I would like to take a moment and thank some of the most important free resources I have used over the past five years...

[InfoWorld: Columnists]

Rootkits Sprout on Networks

The programs are becoming increasingly common on enterprise computer networks and are even being used to create undetectable download servers for pirated movies and MP3s, according to anti-virus experts.

[eWEEK Technology News]

Reactivity unwraps single sign-on

Reactivity this week is reinforcing its Web services gateway appliances with support that will help users integrate Windows logon credentials into single sign-on projects for Web services.

[Network World on Web Services]

Symantec readies "Big Brother" database security monitor

Symantec is currently testing a new database security appliance that sits on the network and monitors database traffic for "inappropriate" queries. Is this the future of network security?

[Ars Technica]

New Hacker Targets: Cell Phones And PDAs

Vendors offer security technologies, but it's not enough

[InformationWeek Mobile and Wireless News]

5,259 phishing sites in August 2005

 

http://blogs.zdnet.com/ITFacts/?p=9183&part=rss&tag=feed&subj=zdblog

Anti-Pbhishing Working Group found the number of reported new phishing campaigns declined in August 2005, but the number of new phishing sites reached an all-time high of 5,259. In July, 4,564 sites were reported.

[IT Facts -- Your Daily Research Synopsis]

CGI Helps Set the Bar on Technology Integrity and Assurance

 

The CGI Information Technology Security Evaluation & Test Facility (ITSETF) in Ottawa, Canada has just been awarded a contract by Sun Microsystems Inc. of Palo Alto, California, to conduct a Common Criteria security evaluation of their flagship SOLARIS-10 UNIX operating system. This evaluation involves extensive documentation and code reviews, as well as vulnerability assessment and testing.

 

This is the second such evaluation to be conducted by CGI. Last year our ITSETF lab successfully completed a Common Criteria evaluation of the Sun Microsystems SOLARIS-9 UNIX operating system. That evaluation result in that system being certified to EAL4+ by the Communications Security Establishment, the Canadian federal certifying body in this internationally recognized security evaluation scheme. A major user of this operating system is the US Department of Defense, who now requires this certification.

 

Previously, this work had been done in the UK by LOGICA. With the successful work to date, and the positive working relationship that has been established between our lab and Sun, CGI has now become the de facto Common Criteria lab of choice for the Solaris division. CGI is hoping to grow this business with Sun, extending it to other product lines beyond the SOLARIS division.

 

For Additional Information, Contact Burns MacDonald at CGI Ottawa

 

 

 

Snort Gets Bought; Check Point to Acquire Sourcefire For $225M

Internet security pioneer and leader Check Point Software Technologies has agree to buy privately held Sourcefire, creator of Snort, for $225M - helping Check Point expand its strategy from primarily offering perimeter gateway security solutions to provide a fully integrated architecture for perimeter, internal, Web and endpoint security.

[Latest Articles From STORAGE & SECURITY JOURNAL]

Identity management in action

Think you’re ready to deploy IDM (identity management) in your organization? John Aisien, vice president of marketing at IDM vendor Thor Technologies, won’t kid you about the realities.

[InfoWorld: Networking]

Security Viewpoint: Are Your Systems Too Available?

I often think like I'm paranoid. I get paid for it. So when I think about availability, I can conjure up an amazing array of things that can go wrong. But, instead of discussing the many security-related aspects of your storage systems availability, let's talk about how your systems may be too available. That's right - too available.

[Latest Articles From STORAGE & SECURITY JOURNAL]

A Directory Of Security-Products Reviews

From ZoneAlarm 6.0 to GhostSurf 2005, from Norton to McAfee, don't miss this laundry list of security products reviews from the TechWeb Pipelines.

[All InformationWeek Stories]

Security Adviser: Malicious attack trends: good, bad, and worse

(InfoWorld) - So, who is the enemy? When fighting malicious hackers and malware, it helps to know who the enemy is. Symantec’s Internet Security Threat Report, Vol. VIII is a good place to start. Its findings echo InfoWorld’s own security survey and report.

Even though the Symantec report represents just one vendor’s view on the changing threat space, Symantec is pulling its data from 24,000 sensors in more than 180 companies participating in its DeepSight Threat Management System and Symantec Managed Security Services. Here are some of the most interesting points...

[InfoWorld: Columnists]

BlackBerry secured by PGP

Partnership includes e-mail encryption, decryption, digital signature, and verification services.

[CNET News.com]

Google Plugs Cross-Scripting Security Hole

The bug could have allowed attackers to grab a Google user's cookie.

[All InformationWeek Stories]

Phishers Zero in on E-Banking

Screen-scraping attacks are becoming more common as scammers adapt their techniques to target online banks and their increasingly sophisticated security technology.

[eWEEK Technology News]

Infocus: Packet forensics using TCP

 

This article looks at TCP packet forensics and examines why sequence and acknowledgement numbers can be useful during an investigation.

 

[SecurityFocus News]

What's New in Security for CLR v2.0

 

There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.  However, finding a definitive list of them all can be a somewhat challenging task.  Dominick Baier has an excellent slide deck detailing some of the changes and some demo code as well.  You can find both linked from his blog entry here.  Keith Brown also highlighted Security Enhancements in the .NET Framework 2.0 in his Security Briefs column for January's MSDN magazine.

Although there's no official list of new security features anywhere, here's some of the highlights of what we've added.  I've covered most of these in this blog before, but some of the big ones (like transparency) have yet to show up.  You can look for those over the next few weeks.  In no particular order:

• Transparency
• Simple Sandboxing API
• ClickOnce
• AppDomainManager / HostSecurityManager
• Permission Evaporation
• PermCalc
• FullTrust means FullTrust
• XML Encryption
• Enhanced X509 support (via X509Certificate2)
• Support for larger SN keys
• Enhanced SecurityException
• Managed ACLs
• PKCS7 support
• FIPS enforcement
• RFC 2898 PBKDF 2  
• Full trust GAC
• CasPol -s off changes
• Visual Studio enhancements, such as debug in zone, and enhanced support for debugging security exceptions.

Performance work was also one of the security team's main focuses during the v2.0 release.  And of course there were numerous bug fixes, and other odds and ends.  From the number of entries with no links above, it looks like I've got quite a few more blog posts to get writing :-)  When I write something on each topic, I'll try to come back and update this post with the link ... there's a lot of great stuff up there -- I can't wait to finally ship this product so that everyone can start using it!

 

 

[.Net Security Blog]

SSH Claims for New Secure Shell Draw Open-Source Ire

SSH Communications Security claims that its new Secure Shell program is far superior to open-source alternatives draws free-software developers'ire.

[eWEEK Linux]

Cisco unveils new security products

Company's latest products expand its relationship with antivirus software maker Trend Micro.

[CNET News.com]

Securing Web Services with Tivoli Access Manager

This article describes a solution for securing Web services used for internal and business-to-business application integration. We show how you can implement robust Web services security for n-tier applications without incurring significant IT management overhead and without requiring intrusive application modifications using Tivoli Access Manager for e-business.

[developerWorks : SOA and Web services : Technical library]

Hackers Step Up Attacks on IM Networks

Messaging malware attacks are on the rise, according to a report from IM security vendor Akonix. In the recent quarter, the rate rose to one attack a day.

[eWEEK Technology News]

The weakest security link: Users

INS issued the results of a survey that found, you guessed it: End-users, and "their unwillingness to follow good security practices is the primary barrier to improving protection against malicious code." Before you toss this study into the "I don't need a report to tell me something that obvious" pile, though, INS did come across some noteworthy tidbits....

[InfoWorld TechWatch]

Security Adviser: The full disclosure debate

(InfoWorld) - As the new InfoWorld security columnist, I’ve not backed away from controversy. I have intentionally picked hot topics in order to generate reader interest and feedback. And nothing generates more debate than the topic of full disclosure.

[InfoWorld: Columnists]

Unattended PCs Security Risk Underestimated

Lonesome PCs pose a security risk that enterprises underestimate, a research firm said this week. Making matters worse, corporations just don't pay attention to the major security hazard of unattended workstations, according to Gartner research vice president Jay Heiser.

[All InformationWeek Stories]

Microsoft Says Security Efforts Showing Fruit

Microsoft's chief security executive says the company is keeping pace with faster-on-their-feet attackers.

[All InformationWeek Stories]

PostX Announces Encryption Device

PxAppliance promises encrypted messages that can be read anywhere, anytime, and on any device, among other features.

[All InformationWeek Stories]

Audio eavesdropping added to list of computer security threats

Researchers at the University of California Berkeley have found a way to decipher passwords and other private information by listening to clicks from a computer keyboard....

[InfoWorld TechWatch]

Name that worm--plan looks to cut through chaos

Plethora of different handles for the same threat can confuse security efforts. Common-identifier scheme looks to fix that.

[CNET News.com]

New Phishing Scam Deceives With Phony Certificates

The new form of phishing makes use of a digital certificate to fool consumers.

[All InformationWeek Stories]

ITU standardizes NAT/firewall traversal for videoconferencing

For videoconferencing vendors and users alike, one of the biggest hurdles to connecting a call between organizations is getting through a firewall or NAT implementation because of the way the H.323 protocol is designed. The major players have had individual systems for getting around the issue, but no standard exists. Until now.

[Latest standards news from Network World.com]

Finding Flaws In Old Application Code

Two risk-management and auditing service providers next week will unveil a framework to help customers deal with vulnerabilities in old application source code.

[Systems Integration Pipeline]

Microsoft Scraps Old Encryption in New Code

Microsoft is banning functions that use algorithms that have become "creaky at the edges."

[eWEEK Technology News]

On Security, Is Oracle the Next Microsoft?

Oracle, despite being a database software giant, is widely accused of having lackluster security, and experts suggest the company clean up its act in the same vein as Microsoft.

[eWEEK Technology News]

Introduction to Intrusion Detection With Snort

After a brief discussion of intrusion detection systems (IDS), this article focuses on a pattern-matching network-based IDS, Snort.

[Solaris Technology Headlines]