Thursday, May 31, 2007

A New Vector For Hackers - Firefox Add-Ons

Makers of some of the most popular extensions, or "add-ons," for Mozilla's Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.

Read the article HERE.

Who's Trading Your E-mail Addresses?

On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address. I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for "ameritrade spam" are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam.

Read the article HERE.

Patient information cards sold at auction

The Saskatoon Health Region apologized Tuesday after more than 2,000 patient information cards that were supposed to be treated as "very confidential" were accidentally sold at an auction of health region surplus material rather than shredded.

Read the article HERE.


After publishing another extensive list of information disclosures in Sunday's "Your security is in danger" item, we have another demonstration of corporate stupidity. Although, I must admit, we have hit new lows here. I therefore bestow upon them the Vanish Order Of Stupidity.

The seemingly boundless capability of people to invent new ways of being stupid will never, ever cease to astound me.

Windows Vista no more secure than XP

A new report blasts Vista, saying that it's "equally at peril" compared to Windows XP. The report is instructive but also contains some considerable flaws that show the difficulty of assessing Vista's new security architecture.

Read the article HERE.

Internet security business is a con

No one has a business interest in catching identity thieves or malware writers. There's no money in it, so no-one's bothered. So how many spyware authors, malware writers, virus builders has Microsoft helped to apprehend in the thirty-odd years of its existence?

Well, directly? One, it seems. Read the article HERE.

Mobile phone viruses gathering pace

Mobile antivirus firm UMU claims to have demonstrated how easy it is to infect a mobile device with malware. However, Graham Cluley, senior technology consultant at Sophos, described the problem as a "raindrop in a thunderstorm". The security expert explained that the effort involved in creating and spreading these programs is not financially viable compared to targeting PC users.

I recall "experts" once telling us that PC viruses were also "raindrops in a thunderstorm".

Read the article HERE.

Phishers spreading multiple hooks

The number of unique phishing websites detected by the Anti-Phishing Working Group (APWG) rose by a factor of 2.5 to 55,643 between March and April 2007.

Read the article HERE.

Wednesday, May 30, 2007

Cyber Security Bulletins May 29, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

Is desktop security broken beyond repair?

At the AusCERT 2007 conference in Queensland last week, keynote speaker Ivan Krstić, who is the director of security architecture for the One Laptop Per Child (OLPC) project, told attendees that desktop security was fundamentally broken. We asked several security experts who attended the conference if they agreed and how the problem could be fixed.

Read the article HERE.

Quicktime Security Update for 7.1.6

A lot of people have written in telling us that 7.1.6 is the current version and there are no other updates. Yes, 7.1.6 IS CURRENT. This is a security update FOR 7.1.6.

Read the article HERE.

The latest update brings the Apple patch count for 2007 up to 111

Windows firewall squeezes into USB key

Yoggie Security Systems has squeezed a complete hardware firewall for Windows systems into a USB key sized form-factor. The "Yoggie Pico" runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, a powerful Intel processor popular in smartphones and other high-end consumer devices.

Read the article HERE.

Google acquires 'sandbox' technology

GreenBorder claims to work with both Internet Explorer and Firefox to form a protective barrier to prevent malicious code from installing programs or accessing sensitive files on a PC. Web content is shunted into a secluded area - or "sandbox" - where files can be flushed away. This is similar to the way temporary files are disposed of once a user closes the application they are associated with.

Read the article HERE.

Tuesday, May 29, 2007

Encrypting Data is the Easy Part

One hesitates to tell the bad guys how to cover their tracks, but it isn’t like this information is secret. Chi Mak is a Chinese-born engineer that was convicted of exporting classified U.S. defense technology to China. Most of the government’s case was made after investigators were able to access the thousands of documents Chi had encrypted.

The moral here is that encrypting data is easy. Encrypting data so that it is nearly impossible to crack is easy. The hard part is doing it correctly. There are many things that can go wrong and defeat your efforts.

Read the article HERE.

China Crafts Cyberweapons

The People's Liberation Army (PLA) continues to build cyberwarfare units and develop viruses to attack enemy computer systems as part of its information-warfare strategy, the U.S. Department of Defense (DOD) warned in a [PDF] report released on Friday. China isn't alone in building the capability to attack an enemy's computer systems. The U.S. and other countries have developed similar abilities.

Read the article HERE.

Is encryption a thing of the past

Spying is big business, and avoiding being spied on an even bigger one. So imagine if someone came up with a simple, cheap way of encrypting messages that is almost impossible to hack into? American computer engineer Laszlo Kish at Texas A&M University in College Station claims to have done just that. He says the thermal properties of a simple wire can be exploited to create a secure communications channel, one that outperforms quantum cryptography keys.

Read the article HERE.

F-Secure new MS Content Security Provider

F-Secure announced today that it has been selected by Microsoft as the first data security vendor for Windows Home Server. F-Secure also unveiled the newest addition in its family of corporate data protection solutions: F-Secure Anti-Virus for Microsoft Exchange Version 7.

Windows Home Server is an upcoming Microsoft solution to help families easily centralize, share and protect their digital assets, such as photos, music and videos.

Read the article HERE.

Monday, May 28, 2007

The Google Crapplet

Like DRM, pre-installed garbage on your OEM PC may be leaving such a bad taste in people's mouths that even money-hungry vendors will shy away from it. This software, often called "crapware" or "crapplets" in the business, can be a real pain to users. They slow down new computers, make them unstable and can cause downright confusion.

Read the article HERE.

The 100 Best Products of 2007

PC World editors rank the best PCs, HDTVs, components, sites, and services. Plus: the products we're looking forward to next year, and which technologies are rising and falling.

See the list HERE.

Security Drives Vista Adoption

Most users migrate to Windows Vista because of its reputation as a secure operating system, a survey says; experts discuss whether that reputation is deserved.

Read the article HERE.

May 30 is D-Day for Firefox 1.5

Barring any “show-stopper issues” during the testing process, security and stability support for Mozilla Firefox 1.5 will expire on May 30.

Read the article HERE.

The Open University

The Open University is offering some of its course materials on the Internet for FREE. It has added some 509 hours of educational resources to its OpenLearn site.

Visit their website HERE.

Translated to English from the original article in The Inquirer

Sunday, May 27, 2007

Your security is in danger

This is like a bad soap opera. As I have mentioned before, on more than one occasion, regardless of how diligent we are with our PC and personal security, we have no option but to supply our personal information to other organisations. We are then exposed, as we [sadly] see more and more stories of corporate negligence with our information.

Local authorities should conduct a risk assessment before sharing personal data with other public bodies. Sharing can be legitimate, but only when the benefits and risks have been weighed up.

The European Commission is to consider new identity fraud legislation in order to boost the fight against cyber crime. Australia and the USA are already littered with laws that are meant to deter not only this type of crime, but also spam [that one's working well] and other forms of cyber crime.

Germany has just passed an antihacking law. Now most of us already realise that legislation does not stop any sort of crime. It just increases the penalty.


==============================================
register.com customers' credit cards compromised

Big hosting and domain name firm register.com sent an email to its customers saying a notebook containing credit card information was stolen.

Read the article HERE.


==============================================
UK database theft hurts customers


Cable & Wireless has served an injunction against a former executive following the theft of a 100,000 customer database, the BBC has learned.

Read the article HERE.

==============================================
DOT Security Breach Affects 25,000 Employees

A computer server holding the names and Social Security numbers of about 25,000 North Carolina Department of Transportation employees, contractors and other state employees had a security breach, officials announced Friday.

Read the article HERE.

==============================================
Medical records found in trash

Medical waste, including medical records, was piled several feet high outside a Rockwood doctor's office on Thursday. The records contained personal information such as names, addresses and Social Security numbers that could put patients at risk of identity theft.

Read the article HERE.

==============================================
Energy reports losing 1,400 laptops

The [US] Energy Department notified Congress yesterday that it has lost 1,427 laptop PCs over the past six years. The department said none of the laptops contained classified information. Nine of the laptops used encryption software. None of the individuals whom the missing laptops were issued to received disciplinary actions for the misplacement of the laptops.

Read the article HERE.

Who's batting for the good guys

Security experts and law enforcement officers often talk about the fact that hacking is a full-time, 24-hour-a-day job for the bad guys. They have no hobbies, they don't go to movies or ball games or museum openings. All they do is dismantle code looking for new vulnerabilities, build exploits and attack your networks.

But the good news is that there are folks on the right side of the fence who are just as dedicated, smart and motivated as the attackers are. The last few years have seen an explosion in the number of researchers doing serious work on rootkits, hardware security, P2P malware and other advanced problems. Some of these people are...

Read the article HERE.

Pirates of the Caribbean attack

Anti-virus vendors Sophos and Panda have reported a new downloader Trojan that is presented as a convincing email offer of free tickets and a trailer for the movie Pirates of the Caribbean 3. Clicking on a link that supposedly plays the trailer runs the Trojan, resulting in an "unsupported codec" error message.

Read the article HERE.

Why Are CC Numbers Still So Easy To Find?

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles.

Read the article HERE.

Weekend Reading

PKI: Public-Key Infrastructure

Encryption can help solve the problem of information hiding. It can turn text into randomized symbols. But what encryption cannot do on its own is to authenticate someone the user has never met. If you are using public keys accessible to everyone, it is quite impossible to figure out whether someone of an organization is actually the person or specific organization sending a particular public key. For this purpose, the Public-Key Infrastructure or PKI was created.

Take a look HERE.

==================================================================
How to secure VNC remote access with two-factor authentication

If you haven't already, you can download a copy of the WiKID open-source token client. The first time you launch the token client, you need to create a passphrase.

Take a look HERE.

==================================================================
Security Videos - 24 videos - 310 mins

Basic Socket Programming: (4 videos - 65 mins)
Packet Sniffing using Raw Sockets: (7 videos - 86 mins)
Packet Injection using Raw Sockets: (6 videos - 75 mins)
Architecture of a Proactive Security Tool: (4 videos - 43 mins)
Encryption Basics using RC4: (3 videos - 38 mins).

Take a look HERE.

==================================================================
The man who owns the Internet

Kevin Ham is the most powerful dotcom mogul you've never heard of, reports Business 2.0 Magazine. Here's how the master of Web domains built a $300 million empire.

Take a look HERE.

==================================================================
Microsoft Makes Windows XP Downgrades Tough

Microsoft has made it difficult for new PC buyers and channel partners to use Windows XP downgrade rights, system builders say. For example, some employees in Microsoft's global technical support team told some customers initially after Vista's release that they were not allowed to use downgrade rights to XP at all. But that was incorrect.

Take a look HERE.

###############################################
MEANWHILE : Where is our Vista upgrade?

Considering the widely held belief that the Microsoft Vista upgrade program has been an utter mess, we decided to test the system's abilities ourselves.

Take a look HERE.

==================================================================
Coolest Workspace Contest

It's finally here. The fifth and final week of the 2007 Coolest Workspace Contest. This week, to round out the contest, we're offering up a bit of a potpourri of cool workspaces.

Take a look HERE.

###############################################
MEANWHILE : Top 10 Multi Display Mac Setups

Here’s a list I have compiled of the Top 10 Multi Display Mac Setups featuring Apple Cinema Displays.

Take a look HERE.

==================================================================
Users' Most Hated Sales Pitches

They're the things that make you want to get up and walk out of a vendor's security sales presentation. The claims, the cliches, the mindless drivel. They make you want to scream, "Shut UP!"

Here are the comments we heard, in no particular order. Many of our respondents preferred not to be quoted -- ironically, they didn't want to tick their vendors off.

Read the article HERE.

Saturday, May 26, 2007

Essential Bluetooth hacking tools

Bluetooth technology is great. No doubt. It provides an easy way for a wide range of mobile devices to communicate with each other without the need for cables or wires. However, despite its obvious benefits, it can also be a potential threat for the privacy and security of Bluetooth users (remember Paris Hilton?).

If you are planning to gain a deeper understanding of Bluetooth security, you will need a good set of tools with which to work.

Read the article HERE.

Wi-fi and RFID used for tracking

Wireless tracking systems could be used to protect patients in hospitals and students on campuses, backers of the technology said. The combination of Radio Frequency Identification (RFID) tags and wi-fi allows real-time tracking of objects or people inside a wireless network.

You would know where your people are at any given moment. You can set certain boundaries and parameters. If a certain device enters or leaves an area it could trigger an alarm.

Read the article HERE.

Spoofing technique evades anti-phishing filters

A reader has produced screen shots that demonstrate a powerful phishing technique that's able to spoof eBay, PayPal and other top web destinations without triggering antiphishing filters in IE 7 or Norton 360. Plenty of other PayPal users are experiencing the same ruse, according to search engine results.

Read the article HERE.

Apple Patches 17 Bugs

Apple on May 24 released patches for 17 vulnerabilities spanning a host of technologies and a slew of potential unpleasantness: from system takeover to denial of service to password snatching.

Read the article HERE.


BUT, just like a Microoosoft update, there are still a few problems.

Gone phishing with eBay

There I was, on Monday night, scanning eBay for car bits. Anyway, I spotted a real bargain, a 2007 Bentley Continental for 0.01 GBP. Since these usually retail for something in the region of £135,000 I felt that this represented a considerable saving.

Read the article HERE.

McAfee Avert Labs Blog

McAfee Avert Labs Blog has 3 great reads in today's blog.

Rich Text Malware
Another Identity Theft Story
Are Spammers Giving Up on Image Spam?

Read the entire blog HERE.

Friday, May 25, 2007

Computer virus ‘cold war’

First came the virus. Then came the antivirus software. Ever since, virus programmers have been escalating their technology, trying to stay one step ahead of the computer security engineers and vice versa.

In collaboration with computer scientists at the University of California-Berkeley and Carnegie Mellon University, the two UW-Madison researchers have developed new software called the Static Analyzer for Executables (SAFE).

SAFE examines the behavior of a program without running it. Then it compares the behavior with a list of suspicious behaviors, such as reading an address book and sending e-mails. The programs that perform suspicious behaviors are considered malware.

SAFE requires updates only when viruses exhibit new behavior. It is proactive, rather than reactive. This is the next generation in malware detection.

Read the article HERE.

Skype worm leaps onto MSN

Malware miscreants have created the first worm targeting Skype that's also capable of jumping over to other instant messaging networks, such as MSN and ICQ.

Read the article HERE.

Phishing Attacks Soar

Some of the Web's most prolific organized online criminals are starting to step up the frequency and sophistication of phishing attacks, targeting commercial banks, job hunting sites and data brokers. Typically, phishing scams involve phony e-mails and counterfeit bank Web sites that try to lure unsuspecting users into disclosing user names and passwords. Lately, however, some of the more technically advanced phishing groups have started shifting their sights to higher-dollar targets.

Read the Security Fix article HERE.

Brinkster.com battens down the hatches

Web host Brinkster.com is requiring customers to change their account passwords because some of them may have been compromised, according to people who say they've received security bulletins. If confirmed, the breach is the latest example of sensitive information being lost en masse as a result of security lapses by a large service provider.

Brinkster's warning is part of a trend of security scares that seem to result from breaches not by individual users but by the service providers they hire. Late yesterday, UK-based ISP PlusNet took responsibility for a breach that exposed thousands of email addresses of subscribers and contacts to spammers. And according to a story on Security Fix, as much as a third of the sites hosted by IPOWER included code designed to install malware on the machines of those who visited them.

Read the article HERE.

Most WordPress Blogs Vulnerable

WordPress has become one of the most popular blogging packages on the Internet; this is largely due to its ease of use and its object oriented design which allows the user to easily extend its capabilities in the form of WordPress Plugins.

Unfortunately, "ease of use" and "security" are too often like lemon and milk. Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software.


Read more HERE.

Thursday, May 24, 2007

TechNet Magazine - June 2007

The June 2007 edition of the TechNet Magazine is now available online.

Read the magazine HERE.

===================================================
Just because you read it on the Internet, does not make it true

I came across a blog entry about Internet Explorer which draws assumptions about how the program stores 'autocomplete' passwords that are simply wrong. For whatever reason, the blog's author seems to have come to the incorrect conclusion that because his "password managing program" was able to access and display his stored usernames and passwords that this therefore meant that IE stores autocomplete passwords in "a single flat-file that is unencrypted and can be easily read by a variety of program(s)".

Read the article HERE.

Latest test results from Andreas Marx

Andreas Marx of AV-Test.org has completed his latest tests on AV engines. We tested 29 products for the detection of most recently seen verified working Win32 PE malware of the last 12 months -- separated into the four categories backdoors, bots, trojan horses and worms.

Read the article HERE.

Cyber Crooks Hijack Large Web-Hosting Firm

Organized crime groups have modified a significant share of the Web sites operated by one of the Internet's largest Web hosting companies to launch cyber attacks against visitors. StopBadware has identified more than 90,000 sites that attempt to install malicious software on visitors' computers via Internet browser security holes or programming tricks.

Read the article HERE.

Network security vulns keep sysadmins busy

Sysadmins can look forward to clocking some overtime this week after Cisco warned of flaws in how its core operating system handles malformed Secure Sockets Layer (SSL) traffic. Several types of SSL messages (such as ClientHello and ChangeCipherSpec), when malformed, can crash vulnerable appliances running IOS, which are configured to accept SSL protocol packets. The scope of the vulnerability is confined to denial of service attacks. There's no code execution or snooping risk.

Read the article HERE.

10,000 Joost invites for readers

Ars Technica is happy to announce that we've teamed up with Joost to offer 10,000 invites to our readers. Joost, the free, on-demand P2P video service, is still in beta but is slowly expanding out its program to more users. We know that some of you have been very eager to try it out (at least that's what our inboxes are telling us), and so we hope that this program will help get the word out about a technology that we think is pretty cool and innovative.

Read more HERE.

Wednesday, May 23, 2007

Is 1024-bit Encryption Dead?

Crypto-busting boffins have broken a new record in their quest to find the prime factors in large numbers, and may soon threaten part of the encryption system used to secure retail websites. Professor Arjen Lenstra of the Ecole Polytechnique Federale de Lausanne (EPFL) yesterday broke the news that computing clusters run by the EPFL, the University of Bonn, and NTT in Japan had managed to rip out the prime factors in a "whopping" 307-digit number.

Read the article HERE.

Google online security blog

Unfortunately, the scope of the problem has recently been somewhat misreported to suggest that one in 10 websites are potentially malicious. To clarify, a sample-based analysis puts the fraction of malicious pages at roughly 0.1%. The analysis described in our paper covers billions of URLs.

Read the article HERE.

New version of Opera released

Opera users are notorious for not updating their Web browser, leaving themselves exposed to security vulnerabilities. Be that as it may, eternal optimist that I am, I am pleased to advise that a new version of Opera that addresses a security vulnerability affecting Torrent files has been released. Please spread the word and get those who you know to use Opera to upgrade...please... to version 9.21.

Read the article HERE.

Want to Write a Virus? Take a Class.

A [US] college computer course that teaches students how to write computer viruses is riling up security companies once again, according to a story in a local California paper today.

Read the article HERE.

Tuesday, May 22, 2007

Cyber Security Bulletins May 21, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

Bugs With No Bite

The dirty little secret about security bugs is not every single vulnerability that gets reported is exploitable -- meaning there are some that an attacker can't use against you. So how do you know which threats to patch right away and which to ignore?

Read the article HERE.

And you can take that to the .bank

We've been pushing for an initiative to get a secure top-level domain (like ".bank" or ".safe") for some time now. See this post for original context. We've received lots of questions and also plain criticism over the whole idea – most notably, in Slashdot as well as from Larry Seltzer in his prominent blog. So let me collect the most typical challenges to the idea, and answer them.

Read the article HERE.

ARIN: It's time to migrate to IPv6

Today, the American Registry for Internet Numbers (ARIN) published a resolution its Board of Trustees had passed on IP number availability. In short, the resolution says that since IPv4 addresses are running out, ARIN should "take any and all measures necessary to assure veracity of applications to ARIN for IPv4 numbering resources" and "encourage migration to IPv6 numbering resources where possible."

Read the article HERE.

First look :

Windows Live Folders

Microsoft's new Windows Live Folders feature still isn't ready for public release, but LiveSide noticed when the system showed up online briefly, giving folks a chance to see what the Redmond-based software company has planned for the future in online storage.

Read the article HERE.

==============================================
First look: Microsoft SharedView beta

When you write for an organization that spans multiple time zones and often involves collaborative effort between two or more people, one of whom might be in California while another is in New York, the concept of a collaborative online workspace can be quite attractive. Read the copy on Microsoft's SharedView web site, and it's clear Redmond is trying to attract the type of users who need multiple sets of eyeballs scanning the same document at the same time, but who are separated by a few hundred miles in any given direction. Check that copy!

Read the article HERE.

==============================================
Microsoft Popfly


Microsoft has announced the alpha version of Popfly, its new application creation, mashup enabling tool and social networking software for nonprogrammers. Popfly consists of two parts: Popfly Creator, which is a set of online visual tools for building Web pages and mashups; and Popfly Space, which is an online community of creators where you can host, share, rate, comment and even remix creations from other Popfly users.

Read the article HERE.

==============================================
Origami 2.0

Microsoft is bumping the specs for the next version of the Origami ultra-mobile PC. Smaller screens, higher resolution, and longer battery life sure does sound appealing, but what about the price?

Read the article HERE.

Sunday, May 20, 2007

Windows Internet Explorer 7 may crash

Windows Internet Explorer 7 may crash when you use it to visit a Web site. This problem occurs when the following registry subkey is enabled:

Read the HOW TO FIX article HERE.

AND, while we are on the subject, and you are still up to your armpits in Registry alterations, there are two more you may like to examine. A problem with session cookies and the zoom feature have also had Hotfix information posted.

"Data storm" blamed for nuclear-plant shutdown

The U.S. House of Representatives' Committee on Homeland Security called this week for the Nuclear Regulatory Commission (NRC) to further investigate the cause of excessive network traffic that shut down an Alabama nuclear plant.

Read the article HERE.

TinyURL implements "Preview Feature"

Recently I wrote about the potential danger in services like TinyURL and SnipURL being used to hoist off malware. Well, TinyURL recently came out with a “Preview” feature, which lets you preview the link before going to it.

Read the article HERE.

Windows Vista Security Blog is Back

'Look for more posts about Windows Vista security technologies soon. In the meantime, you can download our brand-new “Security Enhancements in Windows Vista®” whitepaper at

Read more HERE.

Why would you trust a logo?

If we look at any large brand phish site these days they have “the security logo”, some call it a seal, smart icon or security stamp. They are pretty easy to copy, even the ones with the custom text on could be faked easily.

Read the article HERE.

Symantec cripples thousands of Chinese PCs

A signature update to Symantec's anti-virus software crippled thousands of Chinese PCs Friday when the security software took two critical Windows .dll files for malware. "With these files removed, Windows XP will no longer start up, and even the system Safe Mode no longer functions," said one user writing to the alt.comp.anti-virus newsgroup this morning.

Symantec said. XP's recovery console is a command line-driven tool that gives limited access to the PC and its hard drive. Users writing on online forums recommended users copy the two .dll files from their Windows restore CD to the hard drive. A likely snafu in that scenario, however, is that many Chinese users don't have a restore CD because they're running pirated copies of Windows.

Read the article HERE.

Weekend Reading

Why VPN can’t replace Wi-Fi security

Every time the subject of wireless LAN security comes up, people ask me about VPN as a solution for securing Wi-Fi. (Wi-Fi is the common marketing name for 802.11 wireless LANs). I've always told people that VPN security shouldn't be a substitute for good Wi-Fi security, and I even posted a comprehensive guide to enterprise wireless LAN security, but a loyal group of VPN-only supporters has always argued for a VPN-only alternative. I'm going to explain VPN and Wi-Fi security as best I can and why there is a right time and right place for each architecture.

Take a look HERE.

==================================================================
Ross Anderson

Ross Anderson is the professor of security engineering at Cambridge. The Federal Reserve commissioned him to write a paper on fraud, risk and nonbank payment systems for their Santa Fe Conference on bank regulation. It turns out that phishing is made easier by payment systems like eGold and Western Union which make the recovery of stolen funds more difficult. He suggested suitable improvements in regulation.

Take a look HERE.

==================================================================
Linux too vanilla? Try this -

So, getting increasingly desperate, I thought I'd give PC-BSD a whirl. This is a distro of FreeBSD tweaked for an easy desktop install. It went on first time, no hesitation. Even booting from the install CD, it found the Cardbus slot, found my old Xircom RealPort Ethernet card, connected and went online - which is a damn sight more than Ubuntu could do until I'd apt-getted it into submission. It cheerfully ran the setup program in 1024x768, the native resolution of the LCD.

Take a look HERE.

==================================================================
Up Close With David Maynor

Today he's kind of a jack-of-all-trades hacker who digs into Microsoft software bugs as well as wireless driver vulnerabilities, such as the one he and fellow researcher Jon Ellch demonstrated at Black Hat USA last August. "I like focusing on things that can be used to break into your computer or steal information or do bad things to you. If you think about the typical, motivated hacker-for-hire, he's not going to be [an expert in] wireless-only. The enemy is cross-disciplinary, and so should you be."

Take a look HERE.

==================================================================
Threats “In the Wild” - ascertaining your true risk

Once upon a time, back when viruses were primarily created for reasons other than financial ones, there were quite a number of viruses which existed solely in the confines of virus research labs. That is to say, they had never infected a “real person’s” computer.

Take a look HERE.

==================================================================
The Essential Guide to Piracy

Piracy is an action sport. The ability to infringe copyright and steal valuable work induces a rush like no other. Whether you steal music, movies, books, applications, or whatever, it feels like breaking the law and it saves our wallets and purses from becoming empty. But not everyone is as fortunate as we are to know the ins and outs of the world of piracy. There’s so much to take in and only so much time for us to Google around for the answers to our questions. Luckily, you have a master pirate on deck to help you with understanding the basics that will get you downloading Spiderman 3 in no time.

Take a look HERE.

Saturday, May 19, 2007

QuickTime copies go unpatched

Due to user negligence in keeping the media player's security patches up to date, one third of all QuickTime installations are vulnerable, highlighting end-user security issues. Although browsers are notoriously juicy targets for hackers, Apple's QuickTime is actually three times more likely to pose a threat than Internet Explorer 6 -- and six times more likely to be a threat than Firefox, Danish vulnerability tracker Secunia ApS said this week.

Read the article HERE.

Your Windows version of QuickTime should be 7.1.6
If not, get it HERE.

Seven Habits of Highly Malicious Hackers

You can't defend against the cyber enemy if you don't know his movements or how he thinks. Sanjay Bavisi, president of security certification, training, and education organization EC-Council, at Interop Las Vegas next week will demonstrate step-by-step how a typical black-hat hacker executes an attack -- from reconnaissance to covering his tracks -- in the "Seven Habits of Highly Malicious Hackers" presentation on Thursday.

Read the article HERE.

Metadata - The secret Iraq documents

With a couple of keystrokes, you too can read the hidden history of the Coalition Provisional Authority, America's late, unlamented occupation government in Iraq. My son made his discovery while impatiently waiting to play a computer game on my laptop. As part of a research project, I had downloaded 45 documents from a section of the CPA Web site known as Consolidated Weekly Reports. All but three of the documents were Microsoft Word. I had one of the Word documents up on my screen when my son started toying with the computer mouse. Somehow, inadvertently, he managed to pull down the "View" menu at the top of the screen and select the "Mark up" option. If you are in a Word document where "Track changes" has been turned on, hitting "Mark up" will reveal all the deletions and insertions ever made in the document, complete with times, dates and (sometimes) the initials of the editors. When my son did it, all the deleted passages in a document with the innocuous name "Administrator's Weekly Economic Report" suddenly appeared in blue and purple. It was the electronic equivalent of seeing every draft of an author's paper manuscript and all the penciled changes made by the editors. I soon figured out that with a few keystrokes I could see the deleted passages in 20 of the 42 Word documents I'd downloaded. For an academic like myself it was a small treasure trove, and after I'd stopped hooting and hollering it took some time before I could convince my startled son that he hadn't done anything wrong.

Read the article HERE.

Missing CD with Employee Data Affects Thousands

Newly merged Alcatel-Lucent is warning thousands of employees and retirees that personal information such as Social Security numbers, names and addresses may have been exposed after a CD prepared by a vendor was reported missing. The unencrypted disc was crafted by one of the telecommunication company's vendors, Hewitt Associates. It contains names, addresses, Social Security numbers, dates of birth and salary data of Alcatel-Lucent employees on the U.S. payroll who worked for Lucent and their dependents. The disc contains the same information about Lucent retirees and their dependents as well.

Read the article HERE.

$16,000 Bounty for Zero-Day Flaws

Verisign’s iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable zero-day flaw in six critical Internet infrastructure applications. The flaw bounty is the largest ever offered by the company’s VCP (Vulnerability Contributor Program).

Read the article HERE.

Friday, May 18, 2007

Firefox Surfers Safer Than IE Users

New statistics released today indicate that people who use Mozilla's Firefox Web browser are more likely to be cruising the Web with all of the latest security updates installed than those surfing with Microsoft's Internet Explorer.

Read the article HERE.

==============================================

Reader Poll: Is Firefox too bloated? - Lifehacker

The Firefox web browser was meant to be a lean, mean browsing machine, but a recent Wired magazine article says that's all changed:

Anecdotal reports of problems, from sluggishness to slow page loads and frequent crashes, have begun circulating in web forums, along with increasingly loud calls for Firefox to return to its roots. The alleged culprit: bloat, the same problem that once plagued Mozilla, the slow, overstuffed open-source browser spawned by Netscape that Firefox was originally meant to replace.

Read the responses HERE.

Pirates release fully cracked Vista install

The NoPE release has a major key difference to other previous pirated copies of Vista - it is completely cracked, the product appears activated, updates work, and no key needs to be entered, straight from the installation media without any effort on the part of the pirate.

Read the article HERE.

Fraudsters feast on credit card scam

Fraudsters are dining out on the proceeds of a new credit card scam. Con men are using credit card details harvested from a bogus (and now defunct) gadget website – called www.instant-av.co.uk – to fund huge restaurant orders.

Meanwhile, consumers who forked out for goods such as iPods and consoles on offer through the bogus site are also being left out of pocket. None of the goods were ever delivered, while the credit card accounts of those ordering were being raided.

Read the article HERE.

Revision defeated a week before release

AACS LA's attempts to stifle dissemination of AACS keys and prevent hackers from compromising new keys are obviously meeting with extremely limited success. The hacker collective continues to adapt to AACS revisions and is demonstrating a capacity to assimilate new volume keys at a rate which truly reveals the futility of resistance. If keys can be compromised before HD DVDs bearing those keys are even released into the wild, one has to question the viability of the entire key revocation model.

Read the article HERE.

Microsoft tweaks Patch Tuesday advance notification

Microsoft is changing the way it documents its monthly security patches. The company will flesh out its vague Advanced Notification Alerts to include info on which programs and versions are being patched and the maximum severity rating.

Read the article HERE.

Thursday, May 17, 2007

28% of all detected applications are insecure

Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications (as listed here), and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.

Read the Secunia "Security Watchdog" article HERE.

The Scourge of Image Spam

How the latest iteration of junk mail is beating filters and filling inboxes. Image Spam—an e-mail solicitation that uses graphical images of text to avoid filters—is not new. Recently, though, it reached an unprecedented level of sophistication and took off. A year ago, fewer than five out of 100 e-mails were image spam, according to Doug Bowers of Symantec. Today, up to 40 percent are. Meanwhile, image spam is the reason spam traffic overall doubled in 2006. It is expected to keep rising.

This article also has an excellent interactive graphic page which demonstrates the various methods used by image spammers and how they work.

Read the article HERE.

US 'war czar' to attack internet safe havens

The internet may be about to become a more dangerous place. Al-Qaida’s intangibles, according to Lute, consist primarily of its use of the Internet as a tool to conduct communications, training, and command and control. “They have a safe haven on the Internet,” he said. “No one in the U.S. military has been tasked with the mission of attacking these intangibles. Until we do they will operate with impunity.”

In what would be a first for the US, it's to be hoped that Lute can manage to avoid any cases of friendly fire as he launches his digital assault.

Read the article HERE.

==============================================
The US copyright con is out of control

This morning the American government has seriously talked about locking people up for life for making illegal copies of Windows. We should not be too surprised, for the last two or three years this idea of stealing people's ideas, music or videos has been a major obsession, particularly with American law makers.

To an observer, the US legal system looks pretty much a pile of lunacy, where vengeful reactionary laws are bypassed by the rich. The Paris Hiltons of this world get their sentences cut and the poor end up being sentenced for years for the same offence. But it will finally reach the point of absurdity when you can be locked up for life because someone copies a bit of software or a song.


Read the article HERE.

Month of Search Engines Bugs

Purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines’ owners to security issues of their sites.

Read more HERE.

==============================================
Why does Google retain data?

Google wants to know what you search for, and plenty of people have wondered why. The company's global privacy counsel, Peter Fleischer, recently posted an explanation to this question on Google's official blog, and his answers are quite simple:

Read the article HERE.

Wi-Fi Alliance program for Draft 2.0 gear

The Wi-Fi Alliance, the group responsible for certifying 802.11a/b/g products, has announced that it will begin officially certifying 802.11n Draft 2.0-compliant products beginning in June. Draft 2.0-compliant products will carry a new Wi-Fi Draft N certified logo, enabling shoppers to easily determine which 802.11n routers are fully Draft 2.0-compliant.

Read the article HERE.

Wednesday, May 16, 2007

Cyber Security Bulletins May 15, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

IBM - sensitive tapes go missing

Add IBM to the growing list of ostensibly tech-savvy organizations that have been bitten by their failure to encrypt sensitive information. A company spokesman has confirmed that computer tapes containing personal information on former employees have gone missing.

Read the article HERE.

Critical Unicode Flaw

US-CERT reports that 92 security products by different vendors, including Cisco, may have a serious security hole. Given these products' market share, most businesses could be affected.

The U.S. Computer Emergency Response Team is reporting a network evasion technique that uses full-width and half-width unicode characters to allow malware to evade detection by an IPS or firewall.

Read the article HERE.

Age verification - false security

"Age verification" has been a hot topic as of late as a means for keeping children safe on the Internet. Here's how the argument works: if sites such as MySpace and virtual worlds like Second Life used age-verification methods, they could magically cut down on the number of children being exploited by sexual predators online.

Read the article HERE.

MySpace : Analysis

In the beginning, MySpace was a place to meet new friends and get to know old ones even better by browsing their journals, photos and network of chums. But soon, Viagra marketers, pedophiles and hackers latched onto MySpace and rendered it as ineffective as most other net-based public forums. It came to resemble one of the many usenet discussion groups teetering on collapse from all the find-love-now messages - only it had pink borders and piped crappy R&B divas pining for lost love.

Read the article HERE.

Tuesday, May 15, 2007

Malware authors subvert Windows Update

This story, which was blogged here 3 days ago, receives an in-depth analytical review by Brian Krebs at Security Fix, who writes that "Security experts have been predicting that virus writers would find a way to hijack Microsoft's security patch delivery process to slip their software onto users' computers. They were right."

Read the article HERE.

Does Secrecy Help Protect Personal Information?

Schneier on Security : Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don't have the capability to protect that information.

Read the article HERE.

Unintended consequences

Let’s face it: We are good at writing some pretty useless laws in this [USA] country. And one of the hall-of-famers was the CAN-SPAM act, which was a complete joke. The facts speak for themselves, as this graph from spamnation.info shows:

Read the article HERE.

Microsoft takes on the free world

Microsoft claims that free software like Linux, which runs a big chunk of corporate America, violates 235 of its patents. It wants royalties from distributors and users. Users like you, maybe.

Read the article HERE.

IE not welcome

Provocation.net says go away if you're using IE.... Webmaster says "You were landed on this page because you are using Microsoft Internet Explorer."

Read more HERE.

Monday, May 14, 2007

New Antivirus Rankings

These tests were made between 23 April-10 May 2007, using Windows XP Professional SP2. All programs tested had the latest versions, upgrades and updates [ All programs were updated on 22 April 2007 ] and they were tested using their full scanning capabilities e.g. heuristics, full scan etc. The default settings of each program were not used, in order for each program to achieve its maximum detection rate.

The 174770 virus samples were chosen using VS2000 according to Kaspersky, F-Prot, Nod32, Dr.Web, BitDefender and McAfee antivirus programs. Each virus sample was unique by virus name, meaning that AT LEAST 1 antivirus program detected it as a new virus.

See the results HERE.


Active Virus Shield, by AOL, uses the Kaspersky virus engine and is FREE. It has been on my "Essential Software" list since it was released. I realise that the letters "AOL" may frighten a few people, but this is virtually just a rebadged Kaspersky anti virus programme.

And it ranks a strong THIRD in the list.

Online ads versus privacy

For advertisers, and in many ways for consumers, online advertising is a blessing. Customized messages rescue advertisers from the broad reach of traditional media. And consumers can learn about products and services that appeal directly to them.
To approach individuals with customized advertising, you have to know who they are. Or at least, you have to gather enough personal information about them that their identity could be easily figured out.

Read the article HERE.



You've seen it happen many times. I live in Adelaide, South Australia. I visit a US based website. The ads I see are for an Australian political party. But if I choose to disguise my location then I am presented with an ad aimed at an American audience. Is this an invasion of privacy - or just using the technology available to us to its best advantage? I guess we always have the option of surfing "under cover".

And don't even get me started on the [privacy] subject of the new [US] laws that require internet service providers to modify their networks and give the FBI access to the usage habits of customers. Internet’s big surveillance has begun. This, in a country where you can back up your SUV to a gunshop and load it with enough firepower to bring down a small nation.

Interview With SourceFire's Marty Roesch

The CTO of Sourcefire and inventor of Snort talks about the power of open-source deployment, taking the company public and why Wall Street analysts are a scary lot.

Read the article HERE.

You Can Switch to Linux!

Before you get started, you need to be prepared to be your own support system. While you can usually get help with Linux problems on different message boards on the web, before you do that, you need to make the effort to solve your own problems. Linux DIYers don’t have much sympathy for people who don’t make an effort to help themselves.

Read the article HERE.

Rethinking the Linux Distribution

This article ties together a number of exciting ideas in the Free/Open Source (FOSS) community, to suggest a new direction for the Linux distribution. Many of these ideas are also applicable to BSD-based systems.

Although there are several mature, high quality distributions available, Linux has had a very hard time breaking through in certain markets, such as the desktop. In addition, the internet, which has already dramatically transformed the environment for other content-creating industries, may now alter the established methods for software packaging and installation.

Read the article HERE.

Sunday, May 13, 2007

Do we really need Bruce Schneier?

There's a sacred cow in security, a living sacred cow by the name of bruce schneier... a cryptography expert, a squid enthusiast, and a self-proclaimed media whore, bruce schneier is one of the biggest names in security and he's asked if we really need the security industry...

Read the article HERE.

Virtual Security, Virtually Here

As virtualization technology continues to emerge as a viable option for moving from development to production environments, the focus on the security implications of this new IT frontier will reach a tipping point.

Read the article HERE.

Top Ten Gripes about Microsoft

Last week, I promised a treat for all those folks who say I never say anything critical of Microsoft: a list of my top ten gripes about the company and their products. Now, I make no secret of the fact that, as a Microsoft Certified Systems Engineer (MCSE) and Microsoft Most Valuable Professional (MVP), I specialize in supporting Microsoft software. If I didn't like it, I wouldn't study it, work with it, and spend most of my days writing about it - I'm not a masochist. But there are certainly things about the company and its products that I don't like.

Read the article HERE.

Security Now : Episode #91

Leo and I talk with Marc Maiffret, co-founder of eEye Digital Security of Aliso Viejo, California. eEye has perhaps done more forensic and vulnerability testing research to increase the remote security of Windows than any other group, including Microsoft. They continue to find and report an amazing number of Windows security vulnerabilities.

See more HERE.

Weekend Reading

IPv6 firewalling knows no middle ground

If you have a router or home gateway that supports IPv6, make sure that it, too, filters IPv6. A stateful filter that allows outgoing connections and return traffic, but not incoming connections is closest to the IPv4 NAT filtering functionality.

Take a look HERE.

==================================================================
Masters of Their Domain

Online banking fraud is rampant because it’s easy.
Here’s a fix that will mean money in the bank.

Take a look HERE.

==================================================================
Hotmail redesign: Too hot to handle?

Microsoft had been tinkering with Windows Live Mail for months, but testers still weren't happy. The program was too slow to load, too different and, well, just not like the old Hotmail it was intended to replace. It was a painful realization for the more than 100 managers and developers on the project.

Take a look HERE.

==================================================================
Multiplying Hacks

No, I’m not talking about typing 53704 into your calculator and turning it upside down! I’m referring to the increasing popularity of inserting links to exploits into legitimate HTML pages in an attempt to infect users who visit the affected page, multiplying the effectiveness of the original infection. I’ll outline below the steps used in one such attack that we recently received in our lab.

Take a look HERE.

==================================================================
High-tech devices can make anyone a spy

Tucked away on a side street in Tel Aviv, the unassuming Golan Spy Shop is not something a pedestrian would just chance upon — and owner Moti Golan likes it that way. As a result, 85 percent of his customers are what Golan calls the “professional market” — soldiers, police officers, private investigators and civilian security officers. The rest are businessmen, who, for whatever reason, feel the need to own a microphone disguised as a shirt button or a radio frequency transmitter (i.e., a bug) hidden inside a clock.

Take a look HERE.

==================================================================
The May ‘State of Spam’ Report Highlights Some New Twists!

The May ‘State of Spam’ report [PDF] is now online. This month’s report highlights several interesting spam trends seen by Symantec, including the reduction in image spam, image uploading hosting solutions used in stock spam, company character assassination spam, and a new twist on the 419 spam technique.

Take a look HERE.

==================================================================
OpenPGP

A guide on setting up and using OpenPGP.
Based on Mozilla Thunderbird, but also applicable for other email clients.

Take a look HERE.

==================================================================
The digital home: Still a handyman's special?

The digital-home entertainment puzzle is still missing some pieces. But the entertainment center of most homes, the television, is for the majority of people disconnected from the computer, where they store their digital content. The question is: when will the PC and the TV easily interact, beyond what a handful of consumer products like the Slingbox and Apple TV allow gadget buffs to accomplish?

Take a look HERE.

==================================================================
Apple iPod and Windows Vista-based problem

Consider the following scenario. You have an Apple iPod that is connected to a Windows Vista-based computer through a USB connection. Then, you disconnect the iPod from the computer. In this scenario, the data on the iPod may become corrupted.

Take a look HERE.

==================================================================
Flash memory hard drives

For the last six to 12 months, there's been a big push across the computing industry to embrace flash memory as a means to augment existing hard drive technology.


Your hard disk already has a teeny bit of DRAM in it, to speed up its various activities - so why not a wee spot of flash as well, to improve reliability, startup speed at power-on, access times, and the chances of data survival in the event of power-loss?

Take a look HERE.

Saturday, May 12, 2007

Google searches web's dark side

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC. Malicious programs are installed by visits to a booby-trapped site. To address the problem, the researchers say the company has "started an effort to identify all web pages on the internet that could be malicious".

Read the article HERE.

==============================================
The Ghost In The Browser

Analysis of Web-based Malware

Read the article [PDF] HERE.

F-Secure : News from the Lab

Just because it's Signed doesn't mean it isn't spying on you
While it has been rather peaceful on the mobile malware front, mobile spyware and spying tools have been active lately. This week, we have received samples of two new mobile spying tools – running on new platforms. There is now spyware for both Windows Mobile and Symbian S60 3rd Edition devices.

Advanced tools to handle stolen information

When analyzing one of the latest variants of LDPinch, an information stealing trojan, we found the drop-site used by the trojan to upload the stolen information. As you can see from the screenshot below ...

Read the articles HERE.


==============================================
F-Secure researcher calls for banks-specific domain

A researcher from security technology company F-Secure has called for a top-level domain to be created for banks, in a bid to help address the ever-increasing problem of internet banking fraud.

Read the article HERE.

Malware authors subvert Windows Update

Malware authors might be able to subvert components of Windows Update to distribute viruses, security researchers at Symantec warn. Analysis by the security firm reveals that a recent Trojan distributed by email at the end of March 2007 used a Windows component named "BITS" (Background Intelligent Transfer Service) to download files.

Read the article HERE.

Roche exposes medical details on website

The medical testing arm of pharmaceutical giant Roche has exposed the personal and medical details of UK customers on its website. The firm has admitted the security breach but has not explained how it happened. Customers who had registered their details with Roche Diagnostics received the first edition of an email newsletter on Wednesday which included a link via which they could update their personal details.

Read the article HERE.

Friday, May 11, 2007

Is paying hackers good for business?

It’s an interesting question, I feel, and one that seems to split both the IT security business and, well, business, asunder. I guess that some clarification is required before going any further, to save myself from needless big stick grief.

Read the article HERE.

Java Security Traps Getting Worse

At JavaOne last year, Fortify's Brian Chess discussed how to avoid Java security holes. A year later, with even Sun's manuals containing code with cross-site scripting vulnerabilities, we're actually worse off than ever.

Read the article HERE.

Microsoft should scrap Patch Tuesday

Patch Tuesday is perhaps the most anticipated and feared day of the month for network administrators and security managers. But they dread it too, and with good reason, given the massive amount of work involved in rolling out a dozen or more patches to thousands of systems.

Read the article HERE.

Windows Indexing Service

The Windows Indexing Service catalogues the contents of your hard disk, and even the contents of files, to make local searching faster. This service creates and later consults a number of small databases containing data about your disk's contents, including the actual contents of files, which can undermine the practice of good data hygiene. Indexing creates what amounts to a scattered secondary volume of your data, and your wipe utility might fail to erase all these related traces when it erases a file.

Read the article HERE.

Thursday, May 10, 2007

VMware upgrade

VMware is scheduled to introduce a new version of its workstation virtualization product that supports Windows Vista, dual monitors and other features. Workstation 6 supports the new Vista OS from Microsoft Corp. as a guest or host OS. It also displays an image on multiple monitors, which is important for users in financial services, computer-aided design and other environments.

Read the article HERE.

M&S in ID theft flap over stolen laptop

Marks & Spencer has become the latest large organisation embroiled in an identity theft-related security flap. A laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees has been stolen from a printing firm, which was tasked with the job of writing to workers about pension changes. M&S wrote to all staff whose names were on the laptop, warning them of the risk and offering free credit checks as a result.

Read the article HERE.

The Phisher King

You see phishing attack attempts nearly every day, but what you don't see is the face behind the attack. In a rare glimpse into the mind of a phisher, hacker and security expert RSnake recently engaged an attacker who says he makes $3,000 to $4,000 dollars a day and was willing to share a bit about himself and how he operates.

Read the article HERE.

McAfee Avert Labs Blog

Unsubscribe getting worse
Another Downloader-AAP


Read the articles HERE.

Google preparing to police web

Increasingly worried by the use of conventional web sites to distribute the viruses that turn innocent PCs into botnet "zombies," Google appears to be readying a plan to police the web.

Read the article HERE.

Wednesday, May 09, 2007

Patch Tuesday Plugs 19 Security Holes

Microsoft today issued software updates to plug at least 19 separate security holes in its Windows operating system and other software, including two vulnerabilities that criminals are actively exploiting to take control of Windows PCs.

Read the article at Security Fix or eWeek.

Five Security Flaws in IPv6

IPv6 presents a whole range of new security problems, experts say. French researchers recently found problems in the IPv6 protocol specification itself, namely in the routing header. Bottom line: The specification lets the sender add an arbitrary number of extra headers on IPv6 packets, and the IPv6-based routers or hosts must process these headers. It's a denial-of-service attacker's dream come true.

Read the article HERE.

Does JavaFX Spell The End Of AJAX?

You know all that AJAX code you've been writing and tearing your hair out over as you attempt to get the JavaScript working in both Internet Explorer and Firefox? Yeah, that AJAX code.

It's all going to be useless real soon. Sun Microsystems gave journalists a sneak peek at a new scripting language, JavaFX, which it will introduce at the annual JavaOne show in San Francisco today. JavaFX is a new extension to the Java platform that promises a consistent experience from desktop to handheld devices.

Read the article HERE.

PHP (finally) releases fixed versions

The Month of PHP Bugs (MOPB) has come and gone, leaving 40+ identified PHP security problems in its wake. I've already analyzed the bugs themselves in my previous MOPB mid-month analysis and MOPB end of month full review. Now we were just waiting around to see how long it took the PHP team to release a new version with the fixes.

Read the article HERE.

Secure your laptop with LaptopLock

Don't let the creep who stole your computer paw through your private files, passwords and personal information. Free data protection and computer recovery service LaptopLock can keep sensitive files safe and prevent identity theft or worse after your computer's been lifted.

As soon as you report your computer stolen on their web site, the free Windows-only LaptopLock agent can wipe sensitive files into oblivion, encrypt files, launch programs, track IP addresses, or even send messages to the thief.

Read the article HERE.

Tuesday, May 08, 2007

Cyber Security Bulletins May 7, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

Kaspersky Top 20 for April

The online scanner statistics provide a real snapshot of threats that are actually on end user machines at any given point in time, while the email ratings provide information about threats that were detected and blocked before they reached end users.

The April Online Scanner Top Twenty clearly shows that Trojan-spy programs and adware have been the dominant type of threat on end user machines during the past month.


Read more HERE.

Is your PC virus-free? Get it infected here!

Would you click on this Google ad?
No? Sure? Because 409 persons did!
How do I know?
Because I’ve been running this Google Adwords campaign for 6 months now.

Read the article HERE.

Security Isn't Just Avoiding Microsoft

We’ve all heard IT professionals imagine how secure their networks would be if they just didn’t have to use any Microsoft products. I’ve had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and how everything would be better in a Microsoft-free world. Tony Bove wrote a whole book with that theme, Just Say No to Microsoft, and plenty of blogs have taken up the cry. It’s time for all the people who have entertained this fantasy to stop deluding themselves.

Read the article HERE.

Microsoft Launches Windows Live Hotmail

Microsoft today announced that Windows Live Hotmail, the successor to MSN Hotmail, is launching globally in 36 languages. The most significant upgrade for Hotmail since it pioneered the webmail industry in 1996, the new service has been built to be a vast improvement over the previous Hotmail offering, having incorporated input from more than 20 million beta testers.

Read the press release HERE.