Articles about Security

FBI offers advice during new National Cyber Security Awareness Month

This October has been declared National Cyber Security Awareness Month, a month in which Americans are encouraged to learn more about the "national security priority" that is the US communications infrastructure.

"Cyber attacks and their viral ability to infect networks, devices, and software must be the concern of all Americans," President Barack Obama said yesterday. "This month, we highlight the responsibility of individuals, businesses, and governments to work together to improve their own cybersecurity and that of our Nation. We all must practice safe computing to avoid attacks. A key measure of our success will be the degree to which all Americans educate themselves about the risks they face and the actions they can take to protect themselves and our Nation's digital infrastructure."

Continue reading

P2P warning bill passes House committee, will go to the floor

Perhaps the most oft-used defense by defendants charged with the proliferation of unauthorized files -- including some which actually belonged to them or were entrusted to their care -- by way of P2P file-sharing programs has been, "I didn't know." That was the defense invoked by US government employees, and even their direct reports, when classified documents turned up on LimeWire two years ago.

If P2P technology truly can and should be used for legitimate purposes, as many of its engineers and practitioners believe, then the very least it can do for users is inform them of what and where files will be shared. That's the aim of a House bill re-introduced last March by Congresswoman Mary Bono Mack (R - Calif.), the widow of entertainer and Congressman Sonny Bono. After over a year's deliberation (taking the bill's predecessors into account), Rep. Bono's bill -- the Informed P2P User Act -- passed the House Energy and Commerce Committee yesterday, and is on its way to a full House floor debate.

Continue reading

Opponents of ICANN plan fear expedited domain takedowns

Just days prior to the expiration of the final Joint Project Agreement between the Internet Corporation for Assigned Names and Numbers and the US Dept. of Commerce, effectively letting the DOC's oversight over ICANN lapse, the CEO of ICANN, Rod Beckstrom, informed ranking Republican members of the House Judiciary Committee and its key Subcommittee on Courts and Competition, that ICANN had no intention of terminating its long-term relationship with the US Government. But Beckstrom's lack of detail in response to a direct question from Reps. Lamar Smith (R - Texas) and Howard Coble (R - N.C.) suggested that neither he nor ICANN was in a mood to extend -- or in the congressmen's words, "memorialize" -- the relationship between the private, non-profit entity in charge of the Internet's Domain Name System (DNS), and the government body that gave rise to it.

"It is important to note that the conclusion of the [Joint Project Agreement] is not a termination of ICANN's relationship with the United States Government," Beckstrom wrote the congressmen (PDF available here, courtesy Domain Name Journal), "nor is ICANN an advocate of that possibility. I am in discussion with the NTIA [division of the DOC] to establish a long-standing relationship to accommodate principles including the beliefs that ICANN should remain a non-profit corporation based in the United States, and should retain an ongoing focus on accountability and transparency."

Continue reading

Sweeping content security enhancements tested on Firefox 3.7

Initial development is nearly complete on an entirely new kind of Web browser code execution policy management system, which may yet become part of Firefox 3.7 (the point release following the next one in line), a Mozilla spokesperson informed Betanews. When implemented, browsers such as Firefox will be capable of restricting certain classes of embedded code from execution, and Web sites can advertise to browsers in advance which classes of code its pages contain.

The end result, the developers of Mozilla's Content Security Policy (CSP) hope, is that policy-enhanced browsers will be completely immune from cross-site scripting (XSS) attacks from malicious sources, by virtue of restricting themselves to either only executing inline code from trusted, certified sites, or not executing any such code at all.

Continue reading

US gov't, ICANN declare joint agreement concluded, international era begins

The US Dept. of Commerce will no longer have a direct oversight role over the independent corporation responsible for maintaining the Internet's domain name system (DNS) and top-level domain (TLD) registry. This announcement came from ICANN on the very day -- essentially, the last minute -- of the Commerce Dept.'s official oversight of the group.

Under the terms of an Affirmation of Commitments document released by ICANN today, the United States will maintain a seat on ICANN's Government Advisory Committee, an 109-member league of nations, not all of which actively participate. But that's it. The periodic review process for accountability that ICANN underwent since its establishment by the DOC in 1998, will now shift to what new ICANN CEO Rod Beckstrom describes as "an international committee of parties chosen by the chairman of our Governmental Advisory Committee."

Continue reading

McAfee makes strides in the DRM business with Adobe partnership

On the surface, it might seem that a company whose principal business is malware detection and eradication would eschew the thought of associating itself directly with digital rights management technology. But the job of protecting one's assets in an enterprise setting, more than ever before, directly involves being able to identify to whom an asset belongs.

For that reason -- among some others, as you'll see in a moment -- commercial anti-malware software provider McAfee this morning announced its partnership with Adobe for the distribution of data loss prevention (DLP) technology. DLP is a more politically correct, socially conscious phrase for the category of software that protects data against theft and misuse. In a way, DLP leverages much of the existing technology base that McAfee had already built up for itself for malware detection, including critical patents for data file fingerprinting including this one. Ostensibly, such a patent refers to the ability for an anti-malware program to detect infected files within encrypted and packed structures, especially when the encryption can almost completely obfuscate a Trojan file's signature.

Continue reading

Symantec launches Norton Security 10 and Quorum technology

With ID theft reaching increasingly alarming proportions, Symantec this week rolled out a battery of new tools geared to helping PC users fight victimization, at a press event Wednesday in New York City.

The company's latest round of heavy artillery includes new Quorum technology, integrated into the now available Norton Internet Security 10 and Norton Antivirus 10, plus a free tool known as the Norton Online Risk Calculator.

Continue reading

Microsoft: SMB 2.0 hole does affect Vista, not Windows 7

A security advisory issued by Microsoft late yesterday takes to task a security consultant for a British ISP who apparently, and possibly even accidentally, discovered a way that the Server Message Block 2.0 driver can trigger an instant Windows crash. Rather than report the incident directly to Microsoft, Laurent Gaffié went public with his findings first, in such a way that appears to have triggered the enthusiasm of the black-hat side of the security community.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," reads yesterday's Security Advisory 975497. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

Continue reading

Vista SMB 2.0 exploitable hole points to need for new filters

Nearly two years ago, I proclaimed Microsoft's adoption of Server Message Block version 2 the #6 of ten best new features of Windows Server 2008. Essentially, it provides a way for servers utilizing the Common Internet File System to utilize modern filing tools such as symbolic links and transaction batches, to expedite the process of sending large files over the Internet.

It has taken this long for anyone to find what was described earlier today as a glaring hole in Windows SMB 2.0 security, but it's an embarrassing little hole nonetheless: A security researcher discovered that if you get the order of the words in the SMB 2.0 message headers wrong, in such a way that you end up sending an ampersand (&), where a zero should be in the high word of the Process ID field, then you can end up sending a message block that could literally crash the remote recipient. Conceivably, an exploit could be crafted that could remotely crash a Vista-based client.

Continue reading

Google makes a quick U-turn on Books privacy amid FTC inquiry

A mere three days after explaining to the Federal Trade Commission in an open letter (PDF available here) that it could not draft a complete privacy policy for its Google Books site since the services such a policy would protect have yet to be invented, Google issued its first privacy policy update specifically for Google books.

But the policy addendum itself actually questions its own need to exist. "Google Books operates a lot like Web Search and other basic Google web services, so there are relatively few privacy practices that are unique to the Google Books product," reads the actual text of the policy statement.

Continue reading

Diebold finally rids itself of electronic voting business

If you ask Diebold, there is a such thing as bad press. For years, the company has endured brand-eroding criticism about its electronic voting machines, and earlier this year in a hearing, publicly admitted they had serious design flaws.

Now, the company can finally move on from its e-voting debacles, as it sold the business unit to competitor Election Systems & Software, Inc. for a mere $5 million.

Continue reading

'Macs don't get viruses' myth dissolves before public's eyes

Apple never said OS X was invulnerable to viruses. Well, not in so many words.

It's just one of those things that the media hungry --but security disinterested-- public has turned into an axiom.

Continue reading

Financial institutions vulnerable to phishing-by-CD, says security report

The National Credit Union Administration this week issued an alert warning credit unions of an innovative form of scareware that utilizes traditional postal mail and a piece of malware that the user actively installs.

Some NCUA member credit unions have reportedly received letters that claimed to be from the NCUA which contained CDs of important "training materials" that would help inform users about phishing scams. Running the discs, naturally, loaded up credit union computers with a bunch of malware.

Continue reading

Latest SQL injection attack quickly spreads malicious JavaScript

One of the more bizarre architectural elements of HTML that may still be excused with the phrase, "This behavior is by design," is the ability for a floating text frame using the <IFRAME> element to be rendered effectively invisible (or so miniature as to not be seen), and then to run JavaScript code. It's a trigger for a disaster; and pressing that trigger tens of thousands of times today is a particularly virulent SQL injection attack, the evidence of which can be detected through a simple Google search: Wednesday afternoon, Betanews discovered about 82,800 compromised pages appearing in Google's index just for one of the actual malicious triggers -- probably just a fraction of the actual number of cases. And there are multiple triggers.

The plague was first reported last Friday by security services provider ScanSafe. In an update filed today, its engineers report that as the number of infected sites grows, their geography becomes more pronounced instead of less. It's as if the source of the injection, whatever it is, is targeting Chinese sites.

Continue reading

Mozilla credited with discovering exploitable Google Chrome 2 flaw

Google is not saying much today about a flaw discovered in the V8 JavaScript engine of its Chrome 2 stable Web browser, one which triggered an update that is being rolled out to Chrome users today. Amid what it is sharing today, however, is a surprising fact: Mozilla Security is being credited with the discovery.

Malicious JavaScript, Google says, can cause the Chrome browser to run arbitrary code, although that code may still be protected by the browser's "sandbox" -- its protected area of memory where running code has no access to system resources. However, it's conceivable that code running within the sandbox could provoke the user (by social means, perhaps by feigning a crash or system bug) to perform an action that may trigger a more damaging process delivered through a different payload, so Google treated the issue with a "High" severity rating.

Continue reading

© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.