News

Infosecurity - the week in brief

23 February 2009

Black Hat DC
This week, Black Hat DC was on in Arlington, VA. Moxie Marlinspike announced a new attack against SSL that forces HTTPS traffic down to HTTP to allow a man-in-the-middle attack. Dan Kaminsky, who discovered the infamous DNS flaw last year and criticized SSL at the time, reacts here. He also resolved at the conference to take two months off work to promote the adoption of DNSSEC, a more secure DNS standard that has not yet been widely implemented.

Researchers Matthew Flick and Jeff Yestrumskas also demonstrated a way to marry XSS with anonymous proxies, creating a proof of concept that would allow a cross-site scripting attacker to use the victim's browser to surf anonymously.

Researcher Vincenzo Iozzo also explained how to hack Apple's OS X without leaving any traces on the hard drive or affecting the kernel, using in-memory injection.

Conficker
Microsoft says that it has found another version of Conficker with new functionality. Unlike previous versions, Conficker.C leaves a back door open that further exposes MS08-067 (the vulnerability that originally allowed the worm to spread). The firm posits that it might be a way for the malware authors to update the worm following the Conficker Cabal's attempt to block the domain names it was originally using. Lurene Grenier of Sourcefire's research team also geeks out while dismantling the existing Conficker binary here.

Facebook
It hasn't been a good PR week for Facebook. After incensing users and backing down over its decision to retain information after accounts were closed, it had to clarify its position on the accounts of deceased members. Initially refusing to remove the account of a dead journalist, it later capitulated, says Consumerist.

Adobe flaw
Adobe reported a zero-day flaw in its PDF reader. Sophos has more details on the vulnerability, which could allow remote code execution, and Secunia has an advisory. Symantec is already seeing attacks in the wild. Adobe has promised a patch by March 11th, giving the attackers an unhealthy window of opportunity.

DShield, which collects firewall data, has started an alpha project to collect data on how web applications are being probed. The Web Honeypot will look for "background noise" that may or may not include malicious attacks, says the organisation.

Legislation
Legislation introduced into the Senate and House would require ISPs to retain records on the identity of network users for two years. This includes the identity of those using temporarily assigned network addresses, opening it up to users of mobile WiFi access points in addition to the dynamic IP addresses normally used on residential internet accounts.

Pittsburgh couple Aaron and Christine Boring lost a court case against Google after claiming that the firm’s Street View service infringed on their privacy. Last April, the couple asked for $25 000 in damages after claiming that the firm took pictures beyond a ‘private’ sign.
