Current Topic: Computer Security

Q&A: Security top concern for new IETF chair - Network World
Topic: Computer Security | 11:46 am EDT, Jul 28, 2007
Russ Housley is the first chair of the IETF with a particular expertise in network security. Housley, who runs consulting firm Vigil Security, has been active in the IETF for nearly 20 years and helped write early e-mail security and public key infrastructure standards. Three months into his job as chair of the leading Internet standards body, Housley talked with Network World National Correspondent Carolyn Duffy Marsan about his strategy for bolting better security onto the freewheeling Internet.

SummerCon
Topic: Computer Security | 7:01 pm EDT, Jul 27, 2007
SummerCon 2007: August 24-26, 2007, Atlanta
Where: Wyndham Garden Hotel, 125 10th Street NE, Atlanta, GA 30309 (corner of Peachtree St & 10th)
1 404-873-4800

Exploiting the iPhone
Topic: Computer Security | 10:08 am EDT, Jul 23, 2007
Fully working remote exploit plus malware! Wheee...

RE: Dangerous Java flaw threatens virtually everything
Topic: Computer Security | 7:12 pm EDT, Jul 18, 2007
possibly noteworthy wrote:
Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threaten the security of all platforms, browsers and even mobile devices. "This is as bad as it gets."

In general I try to keep stuff I do in the office out of this blog, but I thought it worth coming back to clarify that this particular bug does not impact the wide array of platforms indicated in this press report. The only OS I've confirmed that this impacts is Linux. It specifically does not impact Windows. It may or may not impact other operating systems. The fact that Java runs on lots of platforms does not immediately imply that bugs in Java impact all platforms. In this case, as a POC was released, it was really easy to verify that Windows was not impacted. I've stuck my foot in my mouth in communications with the press about technical issues in the past, so nothing personal to the people interviewed here, but they are wrong in this case, and the real story, frankly, is EEYE's bug, which is, well, also easy to "verify."

SPI Labs advises avoiding iPhone feature
Topic: Computer Security | 6:47 pm EDT, Jul 16, 2007
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including:
* Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing

Voting System Bakeoff
Topic: Computer Security | 12:54 pm EDT, Jul 16, 2007
Four teams of researchers from universities in the U.S., Canada, Poland and the United Kingdom begin competing today in Portland, Oregon, to win a prize for the best open-source voting system. The three-day University Voting System Competition, which ends July 18th, is sponsored by the National Science Foundation.
Some interesting approaches will be demoed here.

Larholm.com - Me, myself and I ? Internet Explorer 0day Exploit
Topic: Computer Security | 1:58 pm EDT, Jul 10, 2007
There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols.
This is the simplest way to get RCE from a browser that has ever been disclosed.

How the Greek cellphone network was tapped
Topic: Computer Security | 1:39 pm EDT, Jul 10, 2007
From the cryptography@metzdowd.com list:
A fascinating IEEE Spectrum article on the incident in which lawful intercept facilities were hacked to permit the secret tapping of the mobile phones of a large number of Greek government officials, including the Prime Minister: http://www.spectrum.ieee.org/print/5280
Hat tip: Steve Bellovin.
Perry
--
Perry E. Metzger perry@piermont.com

This is worth reading. An operation leverages the "lawful intercept" features of telephone switches, combined with rootkit malware specifically designed for the switches, and a collection of corrupt employees for some very unlawful intercepts. One, possibly two deaths. One of the most sophisticated computer intrusions I have ever heard of. Most likely a state intelligence organization. Americans widely suspected.

INTELLECTUAL WEAPONS
Topic: Computer Security | 10:06 am EDT, Jun 8, 2007
Generally speaking, vulnerability details have always been given to the vendor by responsible researchers free of charge. In exchange, vendors generally credit researchers with discovery or assistance. Often vendors will hire their own internal code audit teams instead of waiting for external security researchers to find bugs in their products. These people get paid, but they usually don't get credited for specific vulnerabilities. The bottom line here is that no one is attempting to extort money out of vendors by holding a gun to their head and demanding payment. Computer Security problems are real, and vendors do need to address them, either by waiting for people to disclose bugs in their products or paying for proactive security analysis, but that's reality. There are a lot of bad people in the world who put a lot of effort into finding and exploiting 0day vulnerabilities in order to deploy spyware or commit various kinds of espionage. These people will find and exploit vulnerabilities in your product if internal audit or external researchers don't get to them first. Generally speaking, the latter is a preferable scenario for everyone. Now enter this company:
We can work with you to generate and enforce intellectual property such as patents relating to fixes for newly discovered, private or zero day security vulnerabilities, weaknesses, or technical flaws that you have found. We target the intellectual property against the vendors of the vulnerable products and other security providers such as suppliers of intrusion prevention technologies. You share in the income.

These people are saying: "I have a way to break into networks run by your customers through a bug in your product, and I'm going to publish it to the world in the patent database, where any criminal can look it up and use it, but you can't fix it unless you pay me." This seems very much like holding a gun to someone's head and demanding payment. What's even more insidious about this idea is that the patent holder has the right to refuse to license their patent at any price... A criminal organization could find a vulnerability, patent it, and use their patent to prevent their victims from fixing the problem. I'd support legislation explicitly banning this practice.

SonicWall MAY have listened...
Topic: Computer Security | 9:57 am EDT, May 28, 2007
skullaria wrote:
Dear Customer,
You submitted the following rating request to SonicWALL CFS Support:
Rate memestreams.net as "31.Web Communications" at 2007-05-26 00:25:00.393
The request has been reviewed and rated as: "31.Web Communications" at 2007-05-28 03:14:05.533
You should see this rating change reflected within 1 to 3 business days.
Thank you for your request,
SonicWALL CFS Support

It doesn't say anything about removing MemeStreams from the Hacking/Proxy Avoidance Category. Does anyone on MemeStreams have a Sonicwall?