Milestone Systems: RSS Feeds

Milestone Systems wants to help you stay up to date with the latest industry news.

Sun, Feb 05 2012
As many of us have seen in the media recently, the United States and other world governments are deeply entrenched in discussions over proposed cybersecurity legislation. There are many different flavors of legislation currently being discussed by governments across the globe, which I don't intend to cover here. In the US it appears the government has finally started to address cybersecurity issues that have been discussed in this forum for years. One piece of the legislation currently being discussed is a proposal sponsored by Rep. Dan Lungren (R-Calif.), House Resolution 3674 - the Promoting and Enhancing Cybersecurity and Information Sharing Enhancement Act of 2011, or PrECISE. The thrust of the bill is to amend the current Homeland Security Act of 2002, which will give additional authority to the US Government in the national cybersecurity effort. I want to highlight some of the ideas being presented in this bill and ...

READ MORE

Sat, Feb 04 2012
Hacker Sentenced to 30 Months in Prison for Hacking into Marriott Systems to Extort Employment from the Company

A hacker who tried to land an IT job at Marriott by hacking into the company’s computer systems and then unwisely extorting the company into hiring him has been sentenced to 30 months in prison.

Sat, Feb 04 2012
Earlier today, Apple announced v1.1 of Security Update 2012-001. The advisory announced the availability of a Security Update for Mac OS X 10.6.8 that addresses a compatibility issue, and the removal of security fixes that were present in the original update for Snow Leopard. I am not confident why Apple removed security fixes from the original release, but maybe one of our readers can help us understand the issues behind the ImageIO security fix removal. Below is the security advisory, and we will link to the advisory once it is available on Apple's website.

APPLE-SA-2012-02-03-1 Security Update 2012-001 v1.1

Security Update 2012-001 v1.1 is now available for Mac OS X v10.6.8 systems to address a compatibility issue. Version 1.1 of this update removes the ImageIO security fixes released in Security Update 2012-001. OS X Lion systems are not affected by this change.

Update #1: Apple Support shows there were 3 different issues which ...

Sat, Feb 04 2012
(SOL4476) Important: The F5 software lifecycle support policy outlined in this Solution has been superseded for all products except FirePass. The FirePass product will continue to use the policy outlined in this Solution. For information about the current lifecycle support policy, refer to SOL8986: The F5 software lifecycle policy. Note: The F5 software lifecycle policy described in this Solution also applies to Virtual Edition (VE) releases of the software. The F5 software lifecycle support policy defines

Fri, Feb 03 2012
As virtual desktop infrastructure (VDI) has become more prevalent, point solutions have emerged to address associated delivery issues. These solutions burden IT infrastructure, but with little benefit. Organizations need a solution that can offer added security, network performance improvements, and vendor-specific optimizations, all while improving architecture for non-VDI systems.

Fri, Feb 03 2012
(SOL13363) Description

The Web Scraping Detection feature may cause connections to be incorrectly reset, or in some cases generate TCL error messages. These issues are described in the following sections:

Web Scraping Detection with standard (non-iRule based) load balancing: This issue occurs when all of the following conditions are met:
- Web Scraping Detection is enabled
- The Web Scraping Detected violation is set to Block in the security policy Blocking Settings

When Web Scraping is enabled, the BIG-IP

Fri, Feb 03 2012
Last week Sophos released its 2012 Security Threat Report, which highlighted some key findings from 2011:
- Smartphones and tablets causing significant security challenges
- Major data breaches and targeted attacks on high-profile companies and agencies
- Hacktivism - a shift from hacking for money to hacking as a form of protest or to prove a point
- Conficker worm is still the most commonly encountered piece of malicious software seen in Sophos customers
- Fake antivirus software is still the most common type of malware, but in the second half of the year appears to be on the decline
- Spearphishing attacks on the rise

Despite all this, some successes: On March 16, 2011 a coordinated effort known as Operation b107 between Microsoft, FireEye, U.S. federal law enforcement agents and the University of Washington knocked Rustock offline. [1] The entire report is available here. Handler Mark published a diary on some ...

Fri, Feb 03 2012
[SECURITY] [DSA 2403-1] php5 security update

Fri, Feb 03 2012
RFC 6528 on Defending against Sequence Number Attacks

Fri, Feb 03 2012
ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability

Fri, Feb 03 2012
[ MDVSA-2012:013 ] mozilla

Fri, Feb 03 2012
The Open Web Application Security Project
OWASP AppSec Research 2012
http://www.appsecresearch.org
July 10-13th, Athens, Greece

CALL FOR PAPERS

Aims and Scope

The objective of OWASP AppSec Research 2012 is to discuss and demonstrate the importance of security risks, threats, and countermeasures in software applications. The majority of recent high-profile security breaches are mainly attributed to application-level vulnerabilities. Additionally, recent surveys indicate that government applications demonstrate increased vulnerabilities and at the same time elevated risk, as they store and process critical information such as PII, health information, national security data and furthermore operate critical systems. Traditionally, the focus of the security community has been mainly placed on the network perimeter, ignoring, to a large extent, the increased risk of insecure software. In addition, the proliferation of the use of web-based applications and services from traditional desktop-based browsers to mobile devices, or even the “cloud” has only increased the potential surface of attack and overall complexity. As a ...

Fri, Feb 03 2012
Computers store every piece of text using a “character encoding,” which gives a number to each character. For example, the byte 61 stands for ‘a’ and 62 stands for ‘b’ in the ASCII encoding, which was launched in 1963. Before the web, computer systems were siloed, and there were hundreds of different encodings. Depending on the encoding, C1 could mean any of ¡, Ё, Ą, Ħ, ‘, ”, or parts of thousands of characters, from æ to 品. If you brought a file from one computer to another, it could come out as gobbledygook. Unicode was invented to solve that problem: to encode all human languages, from Chinese (中文) to Russian (русский) to Arabic (العربية), and even emoji symbols like or ; it encodes nearly 75,000 Chinese ideographs alone. In the ASCII encoding, there wasn’t even enough room for all the English punctuation (like curly quotes), while Unicode has room ...

Fri, Feb 03 2012
(SOL13373) The F5 software support policy described here applies to the F5 BIG-IP Edge Client and F5 BIG-IP Edge Portal application software available through the Apple iTunes Store and the Android Market. F5 supports the latest release and the two prior releases of the F5 BIG-IP Edge software. Releases prior to the current release will be supported for a period of one year from the release of the latest version. F5 recommends upgrading to the current release of the F5 BIG-IP Edge app to provide the latest

Fri, Feb 03 2012
(SOL8592) By default, all parameter-specific attack signatures that are enabled in the security policy are enforced on all user-input alpha-numeric parameters. Parameter-specific attack signatures that are disabled in the security policy are disabled for the specific parameter. Under certain circumstances, you may want to change an attack signature state for a given parameter. For example, you may want to disable an attack signature for the parameter while leaving it enabled for the rest of the security po

Fri, Feb 03 2012
CANCUN--For people who follow the developments in the security and research communities, it's easy to get discouraged by the current state of affairs, given the rash of serious hacks on certificate authorities, military networks and companies such as RSA and VeriSign. But, if you think things are bad there, you may not want to look at what's happening in the ICS and SCADA communities. It's getting ugly early.

Fri, Feb 03 2012
Google Highlights Security Processes for Android, Adds New Layer of Security

On Thursday, Google outlined a few of their processes for protecting users and securing the Android Market. In addition, they highlighted some interesting facts, which seem to place the rash of mobile risk reports being pushed by security firms into perspective.

Fri, Feb 03 2012
We're putting the band back together. And by band, I mean team. And by "putting back together" I mean we're all going to be in the same place, physically. This is a rarity for our remotely distributed team, but next week it is happening, and that is a great thing. It means planning, policies, preparation, prognostication and many other things that don't begin with the same letter. It also means that there will be some new, cool things to look forward to in what will likely be the near future, from a DevCentral perspective. Rarely do we get the whole team together to brainstorm and plan without something hawesome coming out of it. For that, I recommend you keep your eyes peeled the next few weeks. In the meantime, however, there is nowhere near a shortage of killer content on DevCentral just waiting for your perusal. So much so, in ...

Fri, Feb 03 2012
On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain Name System (DNS) was compromised. We have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish. In 2005, Verisign engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS. All DNS zone files were and are protected by a series of integrity checks including real-time monitoring and validation. Verisign places the highest priority on security and the reliable operation of the DNS. This does not suffice to restore my ...

Fri, Feb 03 2012
It has been a while since I wrote an installment of Load Balancing for Developers, and now I think it has been too long, but never fear, this is the grand-daddy of Load Balancing for Developers blogs, covering a useful bit of information about Application Delivery Controllers that you might want to take advantage of. For those who have joined us since my last installment, feel free to check out the entire list of blog entries (along with related blog entries) here, though I assure you that this installment, like most of the others, does not require you to have read those that went before. ZapNGo! is still a growing enterprise, now with several dozen complex applications and a high availability architecture that spans datacenters and the cloud. While the organization relies upon its web properties to generate revenue, those properties have been going along fine with your Application Delivery ...

Fri, Feb 03 2012
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Fri, Feb 03 2012
Just about a month ago, PHP 5.3.9 was released, which included a patch for the hash collision problem. The basic hash collision problem affected various languages, including PHP and .Net (Microsoft fixed the issue in an out of band patch 2011-100 in late December). PHP fixed the issue not by introducing a new hash function, but instead it limited the number of input parameters. Just like the PHP hardening patch suhosin did all along, PHP now supported a max_input_var parameter to limit the number of input parameters a request may send. The default limit was set to 1,000, plenty for most web applications. Sadly, the fix was implemented incorrectly, and introduced a more severe vulnerability, a remote code execution vulnerability. That's right: An attacker could craft a request that will execute code on a web server running PHP 5.3.9. Today, the PHP team released PHP 5.3.10 to address the issue. ...

Fri, Feb 03 2012
I get by with a little help from my friends… While cloud and virtualization primarily focus on improving the provisioning process, there is a lot more to managing a data center and its critical components than just deployment. There’s upgrades – both software and hardware – and migration to new solutions as well as tweaking knobs and buttons to optimize and troubleshoot issues. While public cloud computing may alleviate much of the pain associated with forward movement, private and hybrid environments as well as traditional data center models must face the reality of dealing with these admittedly often tedious tasks. It’s a foregone conclusion that new technology and devices like mobile, tablets, unified application delivery and cloud computing as well as an evolving threat spectrum put pressure on IT to maintain a healthy and modern set of services to ensure availability, performance, and security. As pressures increase on infrastructure services, ...

Fri, Feb 03 2012
What is it and why do I care?

Clickjacking is a type of “web framing” or “UI redressing” attack. What that simply means in practice is that:
1. A user (victim) is shown an innocuous, but enticing web page (think watch online video)
2. Another web page (that generally does something important – think add friends on social network) is layered on top of the first page and set to be transparent
3. When the user thinks they are clicking on the web page they see (video), they are actually clicking on the higher layered (framed) page that is transparent

This attack is clever, and there are some interesting specifics in the actual execution of an attack (for more info, see the references), but here I’m concerned with preventing the attack.

What should I do about it?

There is still no perfect answer on clickjacking, but things are getting better, ...
