Application Security

WabiSabiLabi may shut down its online marketplace for security vulnerabilities, focusing instead on the line of OneShield unified threat management (UTM) appliances it developed with Italian defense company EuroTech.

IBM, LexisNexis and the Secret Service are among a group of corporations, government agencies and academic institutions that has formed to study and help solve identity management challenges around cybercrime, terrorism and narcotics trafficking.

The vast majority of companies have little or no security in place for their virtual systems. That is a scary statistic revealed in a survey of attendees at the recent VMWorld 2008 conference in Las Vegas.

Malware has managed to get off the planet and onto the International Space Station, NASA confirmed yesterday. And it's not the first time that a worm or virus has stowed away on a trip into orbit.

Unless you're a dyed in the wool cryptographic geek you probably didn't know that there was a Crypto conference, or even a chain of worldwide crypto conferences that take place each year. Fortunately, for the most of us that aren't crypto geeks there are a handful of very highly skilled people who are; they can take the highly theoretical and complex mathematical proofs and arguments that make up most of modern cryptographic and cryptanalytic research and put it into plain language.

There were 6 a.m. calls from Finnish certificate authorities and also some pretty harsh words from his peers in the security community, even an accidentally leaked Black Hat presentation, but after managing the response to one of the most highly publicized Internet flaws in recent memory, Dan Kaminsky said Wednesday that he'd do it all over again.

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.

A recent study of Web browser installations showed that far too few are up to date with the latest security patches. And browsers aren't alone; as my dear old mum can attest, it can be hard to keep up with OS and application patches when all you want to do is use your computer for work. It should come as no surprise that many PCs are vulnerable to security exploits that could otherwise be prevented.

The researcher whose speculation led to an early disclosure of information about a critical flaw in the Domain Name System (DNS), the Internet's traffic cop, wasn't the first to come close to the truth, said the security expert who found the bug and organized a massive patching effort.

Open source software is a significant security risk for corporations that use it because in many cases, the open source community fails to adhere to minimal security best practices, according a study released Monday.

Visitors to the Association of Tennis Professionals Web site have potentially been infected with spyware after apparent lax security allowed a malicious script to be injected across its pages.

Japan's Self Defense Force lost sensitive data pertaining to a joint US-Japan military exercise last year, the Ministry of Defense said Tuesday.

Microsoft and Hewlett-Packard on Tuesday unveiled free tools to help Web developers and site administrators defend against the rapidly growing number of SQL injection attacks that aim to hijack legitimate sites.

Mozilla's big plan on Tuesday to set a world record for downloads with the Firefox 3 browser hit a snag when its Web site would not work properly.

A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers.

The generation gap. It's a term that has been used for decades to describe the differences between people in various age groups. Corporations are constantly considering what makes different generations tick when it comes to recruiting and retaining employees. But security experts say companies also need to examine age-based perspectives and habits when it comes to risk assessment and policies.

If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?"

Think your security staffers are trustworthy? Competent? Knowledgeable? Ask a security professional for horror stories and you might think again.

CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work.

For those of us who make our living behind a keyboard in IT, it's hard to imagine a more time-tested vulnerability than the end-user. Armed with network access, these IT viruses wreak havoc nearly everywhere you look -- havoc borne of tech idiocy.

To use an Internet-connected computer is to be insecure and place your privacy in danger. Spyware, viruses, Trojans and assorted malware are everywhere on the Net, trying to hop onto your PC and cause damage. Snoopers want to get at your personal information for nefarious purposes, such as identity theft.

Whether you hire outside consultants or do the testing yourself, here are some tips for making sure your time and money are well spent.

Security assessment and deep testing don't require a big budget. Some of most effective security tools are free, and are commonly used by professional consultants, private industry and government security practitioners. Here are a few to start with.

Web-based e-mail is booming. Services such as Gmail, Yahoo Mail and Hotmail are convenient, accessible and, best of all, free. Many of us have come to rely on them without giving it a second thought.

There are lots of ways business networks can be compromised, and more are developing all the time. They range from technology exploits to social engineering attacks, and all can compromise corporate data, reputation and the ability to conduct business effectively.

Bookmarking these sites will help you protect your network, comply with government regulations and stay ahead of all the latest threats.

Many companies spend a small fortune and deploy a small army to secure themselves from the many security threats lurking these days. But all those efforts can come to naught when making any of these common mistakes. The results can range from embarrassing to devastating, but security experts say that all are easily avoidable.

A recent string of high-profile ActiveX vulnerabilities caused the US Computer Emergency Readiness Team (US-CERT) to advise users to disable the ubiquitous Microsoft browser plug-in technology altogether. The vectors for these recent exploits include a third-party image uploading tool used on both the Facebook and MySpace social networking sites, and flaws found in Yahoo's Music Jukebox, Real Networks' RealPlayer, and Apple's QuickTime.

Companies that specialize in helping businesses speed delivery of their applications and Web content are increasingly involving themselves in IT security as the continued proliferation of systems-defense technologies has become a potential roadblock to the performance and quality of the services they already provide.

I'm a CISO who has worked in the US financial services industry both as a regulator and for a large services company. In this column I'm going to let you in on one of the biggest, dirtiest secrets in the industry: The companies that get the least amount of scrutiny from financial regulators actually present some of the greatest risks for systemic financial market manipulation and fraud. I'm talking about financial news and brokerage service companies.

The University of Western Sydney (UWS) has today gone live with a managed Intrusion Detection System (IDS) for its 5000 users.

What is true enterprise security and how do you get it? Bogus promises by vendors are all too common. In this interview, outspoken security analyst Nick Selby humorously tackles the truth about data leakage products, smartphone protection, hotspot threats and the word "solution." Nick Selby leads The 451 Group's Enterprise Security Practice. Selby also serves as The 451 Group's Director of Research Operations and is on the faculty of the Institute for Applied Network Security.

There are a few highly publicised vulnerabilities at the moment which haven't completely been disclosed and which, it is claimed, could threaten the whole Internet as-we-know-it. Only, when the vulnerabilities are finally disclosed, it seems that the whole incident has been somewhat Chicken Little.

Mac antivirus maker, Intego, have published an interesting alert about a potential OS X virus that an enterprising individual is trying to sell through auction. With absolutely no technical information to go on, the antivirus maker is treating the announcement with caution.

Version 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools.

A less known part of the recent ARP attack against H D Moore's MetaSploit site was an attempted Denial of Service attack that coincided with the successful ARP attack.

Microsoft SQL server hasn't had a public vulnerability announcement since 2004. The SQL Slammer worm struck in 2005, but the hole the worm exploited had been patched six months before. The holes that MS-Blaster and Code Red worm attacked had been patched, too. But back just a few years ago, no one really cared about patching really. We just didn't patch.

In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a very highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.

Microsoft's US general manager/chief security advisor for its National Security Team thinks like a true security professional: In every bit of good news, Bret Arsenault wonders what bad news could be lurking behind it.

Code writers now occupy the front line in the battleground of software security as the defense shifts from perimeter protection to prevention function that's built in during the application development phase.