Information Security Blogs

August 27, 2008

SecurityFocus Vulnerabilities

Bugtraq: [security bulletin] HPSBMA02363 SSRT080106 rev.1 - HP Enterprise Discovery Running on Windows, Remote Authorized User, Gain Extended Privileges

August 27, 2008 10:06 PM

Bugtraq: PacSec 2008 CFP (Deadline Sept. 1, Conference Nov. 12/13) and BA-Con 2008 Speakers (Sept .30/ Oct. 1)

August 27, 2008 10:06 PM

Dark Reading

Report: Popular Web Attacks Go Stealth

Attackers are increasingly using encoding to sneak their SQL injection, cross-site scripting attacks past Web security

August 27, 2008 09:45 PM
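As an added example (mine, not part of the Dark Reading item or of any product it describes), the Python below shows the evasion the summary refers to: a signature check run on the raw request misses URL-encoded, double-URL-encoded and HTML-entity-encoded forms of the same SQL injection and cross-site scripting payloads, while the same two signatures catch all of them once the input is canonicalized first. The sample requests, the two signatures and the `evaluate` helper are constructed for illustration; a real filter needs far more than two patterns and must also deal with charset and Unicode tricks that this decoder does not touch.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample query strings (not taken from the article). Several wrap
# the same payload in one or more layers of encoding.
SAMPLES = {
    "plain_sqli": "id=1' OR '1'='1",
    "url_encoded_sqli": "id=1%27%20OR%20%271%27%3D%271",
    "double_encoded_sqli": "id=1%2527%2520OR%2520%25271%2527%253D%25271",
    "entity_encoded_xss": "q=&lt;script&gt;alert(1)&lt;/script&gt;",
    "mixed_xss": "q=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B/script%26gt%3B",
    "benign": "q=how%20to%20select%20a%20script%20editor",
}

# Two deliberately simple signatures: a quoted-OR tautology fragment and an
# opening script tag. Real rule sets are much larger; these only show the point.
SIGNATURES = [
    re.compile(r"'\s*or\s*'", re.I),
    re.compile(r"<script\b", re.I),
]


def naive_match(raw):
    """Signature check on the request exactly as it arrived."""
    return any(sig.search(raw) for sig in SIGNATURES)


def canonicalize(raw, max_rounds=3):
    """URL-decode, then HTML-entity-decode, and repeat until the string stops
    changing. The round limit keeps an attacker from stalling the filter with
    absurdly deep nesting; whatever is left after the limit is checked as-is."""
    s = raw
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(s))
        if decoded == s:
            break
        s = decoded
    return s


def canonical_match(raw):
    """Same signatures, but applied after canonicalization."""
    return any(sig.search(canonicalize(raw)) for sig in SIGNATURES)


def evaluate(samples=SAMPLES):
    """Map each sample name to (naive_hit, canonical_hit)."""
    return {name: (naive_match(raw), canonical_match(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:22} raw-check={naive!s:5} canonical-check={canon}")
```

Decoding order inside each round is URL first, then entities, but because the loop repeats until nothing changes it also unwinds the opposite nesting (an entity-encoded percent sign such as `&#37;3C` becomes `%3C` in one round and `<` in the next).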

Security Cadets

Internet Explorer 8 Beta 2 released!

You would have thought I would have blogged about IE8 Beta 1, but no! I have clearly been too busy and missed that headline!

… Seriously though, the Beta 2 version of the new Internet Explorer 8 has been released, meaning it is well on its way to being a full version.

Remember! Beta is not the full and complete version! It is undergoing testing and will have bugs! Install at your own risk!

Some links to consider:

Also remember, you can always seek help and guidance in our forum. Speak to us about the new version of Internet Explorer. Tell us what you think!

by AndyAtHull at August 27, 2008 09:28 PM

ilja's blag

what year are we ?

http://plan9.bell-labs.com/sources/plan9/sys/src/ape/lib/bsd/gethostbyname.c
just did a google codesearch for gethostbyname()
the 90's called, they want their bugs back!

by ilja at August 27, 2008 09:19 PM

The Register - Security

Hijacking huge chunks of the internet - a new How To

It's easy. Those tubes are busted

More evidence that the intertubes are fundamentally broken has been served up by Wired.com in an article laying out a technique to surreptitiously hijack huge chunks of the internet and monitor or even modify unencrypted traffic before it reaches its intended destination.…

August 27, 2008 09:16 PM

Dana Epp's ramblings at the Sanctuary

How to break into a PIN locked iPhone

So if you are a fan of the iPhone and have it all synced to your Exchange server, I want to pass a word of caution to you.

Firstly, you SHOULD be locking your iPhone with a PIN. Not doing so makes it easy for anyone to look at your emails, contacts and calendar. It's another layer of defense which costs you nothing. Please use it.

However, I am sad to report that even if you do use it, the current PIN security in iPhone 2.0.2 is flawed. If you have used the "Favorites" feature in the phone, it is possible to break into the phone. :(

Here are the steps to do so:

  1. Press the Home button to wake up the iPhone.
  2. Slide to unlock
  3. Click the "Emergency Call" button on the bottom left
  4. Press the "Home" button two times fast. Your Favorites list will show up.
  5. Click on the ">" circle of a contact that has an email address tied to it
  6. Hit the email address to create a new email.
  7. "Cancel" the new email.
  8. You are now in the user's Exchange mailbox, without knowing their PIN to unlock the phone.

This seems like a pretty interesting attack vector. I would have never expected the Emergency mode in an iPhone to be used so easily in this way.

Apple is aware of the security hole, and this will be circling around the Internet shortly. So keep those iPhones close until an update is available!!

UPDATE: Vlad reminded me to mention that if you DO lose your iPhone... make sure you wipe it. Ahhh the powers of Exchange!!! :-) Thanks for the tip Vlad.

August 27, 2008 09:01 PM

Dark Reading

Microsoft Offers Details on Privacy Features in IE8

New browser will allow user to better control access to surfing history, cookies

August 27, 2008 08:46 PM

Schneier on Security

Virus Infects the Space Station

Laptops aboard the International Space Station have been infected with the W32.Gammima.AG worm. And it's not the first time this sort of thing has happened.

by schneier at August 27, 2008 07:27 PM

StopBadware Blog :

When friends can be your worst enemies

Think a friend’s latest post on your Facebook wall is a little odd? Trust your instincts. Social engineering scams are on the rise.

The latest round of attacks on Facebook include messages and comments on users’ walls that appear to come from friends. The fake messages include seemingly irresistible bait – a claim that a video of you in a compromising position has been posted is one of the currently popular lures. If you follow the link in the message, the page you’re taken to could infect your computer with "drive-by" malware that can download without your permission. In other cases, the page might claim that you need to download an additional plug-in to view the video. You guessed it: that plug-in turns out to be malware.

It’s hard to protect yourself against this kind of attack, when our assumption is that messages from our friends are trustworthy. But think back to the early days of email viruses. Remember being warned not to open an unexpected attachment, even from a friend, without checking that your friend really sent it? If you receive a message that just seems odd – maybe it doesn’t sound like your friend’s normal writing style, or your friend isn’t usually the type to be snapping videos at drunken parties – check it out with the friend before clicking the link. If their account has been compromised, you’ll be protecting your friend and their entire network, as well as yourself, by letting them know there’s a problem.

Want to read up on the latest social network scams? Kaspersky Lab has a post about the current Koobface worm on Facebook and Myspace, and Trend Micro blogs about a similar social engineering trick targeting users of MSN Live Messenger.

August 27, 2008 06:54 PM

cqure.net

Preparing for sec-t

Unfortunately I couldn’t make Vegas this year. According to friends and the slides I have been going through it looked as if there were quite a few really good and interesting talks this year at both Blackhat and Defcon.

I will be attending the first Swedish-based Sec-t security conference here in Stockholm, which I think might actually turn out really well. It will be held between the 11th and 12th of September.

I will be speaking in the last slot on Friday about what administrators can do in order to reduce the impact of web application vulnerabilities, i.e. system and application hardening.

More information regarding the event is available at the official web site http://www.sec-t.org/

by Patrik Karlsson at August 27, 2008 06:12 PM

Michael Howard's Web Log

SDL and the XSS Filter

Close on the heels of David Ross' XSS defense in IE8 beta 2, my boss, Steve Lipner just posted an article looking at XSS filter from an SDL perspective.

While I'm on the subject of XSS and Dave, if XSS is an area of interest to you, you really should follow his blog. He's a member of our group focused mainly on browser and desktop-related defenses.

by michael_HOWARD at August 27, 2008 05:36 PM

Cisco Product Launches

Cisco RF Gateway 1 converges data and video distribution

Cisco launches a universal edge quadrature amplitude modulation (U-EQAM) product converging high-speed, high-bandwidth data and video distribution at the cable network edge.

August 27, 2008 05:00 PM

Simplify IP Convergence over Optical

Learn about IP over dense wavelength-division multiplexing (IPoDWDM) for service providers and how you can fuse transport and packet technologies to eliminate inefficiencies.

August 27, 2008 05:00 PM

Improve Installation and Provisioning with Advanced Optical Line Cards

Advanced line cards and intelligent software help install and provision a dense wavelength-division multiplexing system on the Cisco ONS 15454 Multiservice Transport Platform.

August 27, 2008 05:00 PM

Achieve Scalable Ethernet Transport over Optical

XPonder technology on the Cisco ONS 15454 Multiservice Transport Platform provides a converged, resilient, intelligent, and scalable solution for collecting Ethernet traffic.

August 27, 2008 05:00 PM

Roger's Information Security Blog

WebEX Meeting Manager Exploits

A couple of weeks ago a patch came out for WebEx Meeting Manager for Internet Explorer. Symantec's Security Response Blog is reporting sightings of exploits for this vulnerability in the wild:

Users running the vulnerable version of the Webex control who happened upon a Web site distributing the exploit would become infected. The first exploits that we have seen so far have been served via gaming sites that have had the exploit package injected on to them

Computers will be patched automatically if they connect to a patched WebEx server. Otherwise you can install WebEx Meeting Manager from the WebEx website or just uninstall via Add/Remove Programs in the Control Panel.

August 27, 2008 03:25 PM

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Facebook Malware Campaigns Rotating Tactics

Trust is vital, and coming up with ways to multiply the trust factor is crucial for a successful malware campaign spreading across social networks. Excluding the publicly available malware modules for spreading across popular social networking sites, which use presumably already phished accounts as the foundation of the trust factor, the recent malware campaigns spreading across Facebook and Myspace are all about plain, simple social engineering and a combination of tactics.

However, in between combining typosquatting and purposely introducing longer subdomains impersonating a web application's directory structure, there are certain exceptions, like this flash file hosted at ImageShack and spammed across Facebook profiles, which at a particular moment in the past few days used to redirect to client-side exploits served on behalf of a shady affiliate network that's apparently geolocating the campaigns based on where the visitors are coming from.

img228.imageshack .us/img228/3238/gameonit4.swf redirects to ermacysoffer .info - (216.52.184.243) and to tracking.profitsource .net (67.208.131.124) that's also responding to p223in.linktrust .com (67.208.131.124). Just for the record, we also have halifax-cnline.co.uk parked at 216.52.184.243, 69.64.145.229 and 69.64.145.229, known badware IPs related to previous fraudulent activity.

Moreover, cross-checking this campaign with another Facebook malware campaign enticing users to visit whitneyganykus.blogspot .com where a javascript obfuscation redirects to absvdfd87 .com and from there to the already known tracking.profitsource .net/redir.aspx?CID=9725&AFID=28836&DID=44292, and given that absvdfd87.com is parked at the now known 69.64.145.229, we have a decent smoking gun connecting the two campaigns.

Facebook is often advising that users stay away from weird URLs, does this mean ignoring ImageShack and Blogspot altogether? The next malware campaign could be taking advantage of DoubleClick and AdSense redirectors - for starters.

by noreply@blogger.com (Dancho Danchev) at August 27, 2008 03:04 PM
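Added example (my code, not Dancho's tooling): the hostnames and IPs named in the post, loaded into a host/IP graph, with a breadth-first search that returns the chain of shared hosting that links a host from one campaign to a host from the other. The observation list and the campaign-to-host mapping are transcribed by hand from the text above and nothing is resolved live; the campaign labels are my own.

```python
from collections import defaultdict, deque

# Host -> IP pairs copied by hand from the post (the redirect chain and the
# IPs it names). Transcribed, not resolved.
OBSERVATIONS = [
    ("ermacysoffer.info", "216.52.184.243"),
    ("tracking.profitsource.net", "67.208.131.124"),
    ("p223in.linktrust.com", "67.208.131.124"),
    ("halifax-cnline.co.uk", "216.52.184.243"),
    ("halifax-cnline.co.uk", "69.64.145.229"),
    ("absvdfd87.com", "69.64.145.229"),
]

# Hosts each campaign redirected to, per the post. Labels are mine.
CAMPAIGN_HOSTS = {
    "imageshack-swf": {"ermacysoffer.info", "tracking.profitsource.net"},
    "blogspot-js": {"absvdfd87.com", "tracking.profitsource.net"},
}


def build_graph(observations):
    """Undirected bipartite graph: host nodes on one side, IP nodes on the other."""
    graph = defaultdict(set)
    for host, ip in observations:
        graph[host].add(ip)
        graph[ip].add(host)
    return graph


def shortest_link(graph, src, dst):
    """BFS over host/IP nodes. Returns the alternating host-IP-host chain that
    connects src to dst, or None when they share no hosting at all."""
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph[node]):       # sorted for deterministic output
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def shared_hosts(a, b, campaigns=CAMPAIGN_HOSTS):
    """Hosts both campaigns redirected to directly."""
    return campaigns[a] & campaigns[b]


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    print("directly shared:", shared_hosts("imageshack-swf", "blogspot-js"))
    print("hosting chain:", shortest_link(g, "absvdfd87.com", "ermacysoffer.info"))
    print("tracker to exploit host:", shortest_link(g, "p223in.linktrust.com", "absvdfd87.com"))
```

On this data the affiliate tracker is linked to both campaigns only by the redirect (it is a shared host, but its IP connects to nothing else), while the exploit-serving hosts are linked through the parked bank-lookalike domain sitting on both 216.52.184.243 and 69.64.145.229.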

Anton Chuvakin Blog - "Security Warrior"

ROI Jokes?

Yes, they ARE possible.

This also reminds me of the "ROI for compliance" stuff.

by Dr Anton Chuvakin (noreply@blogger.com) at August 27, 2008 03:25 PM

Every Time I See It, I Think About Logs

"Hotel chain now says data of just 10 guests was exposed; newspaper claims 8 million" (here)

Can't they look at logs and know for sure? Hmmm...

Do they have logs?

Do they know whether they have logs?

Do they know what are logs?

Ehmmmm...

by Dr Anton Chuvakin (noreply@blogger.com) at August 27, 2008 03:09 PM

Mark Curphey - SecurityBuddha.com

Wired Security

Best Western Rebuts Claims of Massive Data Breach

Best Western International and the Sunday Herald newspaper of Scotland are duking it out over a story which reports that a hacker stole the records of 8 million customers from the hotel chain's global network in the "the greatest cyber-heist in world history." Best Western says 10 people were affected at one hotel.

by Associated Press at August 27, 2008 01:45 PM

SearchSecurity: Security Wire Daily News

Linux systems actively targeted using SSH key attacks

Attackers install a rootkit on the compromised systems to steal more SSH keys.

by SearchSecurity.com Staff at August 27, 2008 01:41 PM

Schneier on Security

Doctoring Photographs without Photoshop

It's all about the captions:

...doctored photographs are the least of our worries. If you want to trick someone with a photograph, there are lots of easy ways to do it. You don't need Photoshop. You don't need sophisticated digital photo-manipulation. You don't need a computer. All you need to do is change the caption.

The photographs presented by Colin Powell at the United Nations in 2003 provide several examples. Photographs that were used to justify a war. And yet, the actual photographs are low-res, muddy aerial surveillance photographs of buildings and vehicles on the ground in Iraq. I'm not an aerial intelligence expert. I could be looking at anything. It is the labels, the captions, and the surrounding text that turn the images from one thing into another.

[Image: Photographs presented by Colin Powell at the United Nations in 2003.]

Powell was arguing that the Iraqis were doing something wrong, knew they were doing something wrong, and were trying to cover their tracks. Later, it was revealed that the captions were wrong. There was no evidence of chemical weapons and no evidence of concealment.

[Image: Morris's mockery of the sweeping interpretations made in Powell's photographs.]

There is a larger point. I don't know what these buildings were really used for. I don't know whether they were used for chemical weapons at one time, and then transformed into something relatively innocuous, in order to hide the reality of what was going on from weapons inspectors. But I do know that the yellow captions influence how we see the pictures. "Chemical Munitions Bunker" is different from "Empty Warehouse" which is different from "International House of Pancakes." The image remains the same but we see it differently.

Change the yellow labels, change the caption and you change the meaning of the photographs. You don't need Photoshop. That's the disturbing part. Captions do the heavy lifting as far as deception is concerned. The pictures merely provide the window-dressing. The unending series of errors engendered by falsely captioned photographs are rarely remarked on.

by schneier at August 27, 2008 01:27 PM

Agnitum BLOG

The Politics of Software (or why you shouldn’t believe everything you read on the Internet!)

After I read Neil Rubenking’s blogpost on security software and the current geopolitical turmoil in Georgia (http://www.appscout.com/2008/08/russia_georgia_and_your_securi.php), I figured it was only a matter of time before we at Agnitum began to receive questions along these lines. Last week, I received an email sent using our general PR-form from a long-time Agnitum customer asking us to confirm that Agnitum and its products have no connections to Mr. Putin and that Mr. Putin does not own or control Agnitum, a Russia-based enterprise.

I was going to answer that the Russian prime minister has too small a share to have any influence over our activities, but then I thought that perhaps a guessing game amongst our readers would be more interesting.

So, who do YOU think owns Agnitum?

  • Vladimir Putin
  • Mikheil Saakashvili
  • George W. Bush
  • Eugene Kaspersky
  • Other

Submit your answer using the form at http://www.agnitum.com/news/pr_contacts.php#mailform. The first three people to submit the right answer will receive a license for the upcoming free Spam-Terrier 2.0 and a tour of the Russian Business Network’s premises led by Agnitum’s leading employees!

Good luck!

Vitaly Yanko,
Marketing and Sales Director, Agnitum

by Agnitum BLOG (noreply@blogger.com) at August 27, 2008 12:56 PM

The Register - Security

Microsoft dishes dirt on IE8 'pr0n mode'

'Off the record' browsing is go

Microsoft has outlined the new privacy tools available in its forthcoming browser Internet Explorer 8 (IE8).…

August 27, 2008 10:58 AM

Anton Chuvakin Blog - "Security Warrior"

Fun Reading on Security - 7

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is issue #7, dated August 27th, 2008.

  1. Sad, but VERY insightful story of Alan Shimmel getting 0wned (1,2,3,4, others on his blog)
  2. A very good essay on security industry/market/community "Evolution is Punctuated Equilibria" ("Right now, Internet security is due for another period of rapid change.")
  3. As I like to say, most everybody in our industry is confused about risk (myself included, in fact) - here is some nice reading about the subject: "Quant love", "What is Risk?" ("The probability of a threat overcoming security controls resistance to exploit a vulnerability that results in a loss.") While you are at it, check this blurb about risk and CVSS (BTW, CVSS is about "V" - vulnerability, not "R" for risk!)
  4. Solid gold on "running IT as business" (and where it hits the wall) - Richard, the original CIO.com piece ("If you've tried managing an internal IT department as a bona fide business you already know that you can't take that very far, for the obvious reason that your IT department isn't a business.")
  5. More fun stuff from Richard on insiders and why NOT look for them (sadly, same logic applies to not looking for owned boxes in your environment...).
  6. Analyst firms shocking discovery: wireless MAY have security issues (I guess count it as humor...)
  7. Fun read: "Challenges of Enterprise Cloud Computing" ("By moving the data into the cloud, enterprise, for now, will lose some capabilities to govern their own data set.")
  8. Raffy on visualization. ("One of the dangerous things is if you don't understand the log file itself, don't assume you'll understand the visualization of it or even generate a visualization that makes sense") Amen to that! BTW, Raffy's book is finally out.
  9. Compliance and checkbox mentality: fun pickup from my original "DLP and Compliance" post - Rich and TechTarget. Good stuff! ("Don’t Sell ‘Compliance’ If It Isn’t A Checkbox ")
  10. RedHat is nicely 0wned (more info)
  11. BGP hole to dwarf the DNS hole?
  12. Chris continues the virtualization and PCI DSS theme here. The jury is still out on this one, even though the common sense approach (that virtualization is OK in regards to PCI) will probably win.
  13. NEWS FLASH! Privacy dies. The date of death? 1967. While reading it, think just how visionary some folks are...
  14. Finally, just for laughs: How to Spin Bad News

Enjoy!

BTW, I am saving some fun reading for dedicated posts soon :-)

by Dr Anton Chuvakin (noreply@blogger.com) at August 27, 2008 11:56 AM

GNUCITIZEN

Clouds and The Distorted Notion of Direct Control

I would like to share a few thoughts on the notion of being in direct control of your environment. This article is a continuation from my previous one and it aims to justify why nowadays individuals and organizations prefer to give away control in order to gain more agility. Needless to say, less control is often equal to less security.

Clouds

Some of you who have been following the blog may be familiar with some of my other articles on the same topic. I’ve expressed many times my concerns about arriving concepts such as cloud computing, Web2.0, Applications on Demand, SaaS, etc. The more I was digging into them, the more aware I was of their advantages and disadvantages. And I saw the notion of using in-the-cloud technology as a moving factor for many businesses to come.

Cloud computing is an attractive and very intelligent concept and it makes total business sense. The idea is not very new but at the same time it is evolutionary. It is all about outsourcing whatever you can outsource. In today’s flat world, all of your life is outsourced although you may not realize it. I highly recommend getting your hands on a book called “The World is Flat” for more insights. People have less control of their lives than they did 20 or even 10 years ago. Therefore, we are slaves, but slaves who have gained something for being enslaved. That “something” is agility.

Let’s look at the following analogy. Did you know that you are more likely to die in a sports or a compact car than a mid-sized car? There are plenty of research papers to justify those claims but my purpose here is to argue that less control increases agility and reduces security. The faster you drive, the higher the chance of an incident happening. The faster you run, the higher the chance of injuring your legs. Let’s put all that in context: The less control you have, the more agile you become. The faster you grow as an individual or organization, the more vulnerable you will feel.

Cloud computing is all about that. You can grow your empire on top of services. It is easy. It is fast. However, when you gain something you usually lose something else. Perhaps security? Although, it is unfair to say that cloud technology is less secure. Using open source tools is a form of outsourcing. Typically, you won’t build a homegrown Web server in order to host a website. You won’t write your own operating system in order to do your work. You outsource that work from those that can do it and having trust in your local file system is as flawed logic as having trust in a remote service. Both are protected in their own way. Both are vulnerable to theft.

In summary, we cannot control everything. It is unreasonable to believe so. Perhaps we are more in control of our desires and thoughts but even they can be manipulated by interested parties (i.e. advertisers, government, etc.). If there is less control, there is less to lose when gaining agility. Therefore, individuals and organizations prefer to lose even more of what they have in order to gain something else that they do not have.

by pdp at August 27, 2008 09:38 AM

Computer Business Review Online - Security News

UK IT techies unpaid for longer days

UK IT techies are putting in longer working hours without extra pay, according to a survey by online recruitment firm www.theitjobboard.co.uk.

August 27, 2008 09:10 AM

SecuriTeam Blogs

SCO? Anybody home?

I have been trying to contact the guys at SCO to report a serious vulnerability in their operating system as part of our SSD program, with very little success:

All the emails I send there return with this funny bounce message:

security -alert@sco.com
Sorry. Although I’m listed as a best-preference MX or A for that host, it isn’t in my control/locals file, so I don’t treat it as local. (#5.4.6)

A few other emails I sent to people I used to know there, bounced with the same message.

If anyone from SCO reads this post, or you know someone that can help me reach those guys, I would be grateful if you can contact me.

by noam at August 27, 2008 07:49 AM

Wired Security

Convention Keynote Comment on Science Lights Up Twitter

"Just think about this: In four months, we will have an administration that actually believes in science!" said former Virginia Governor Mark Warner during his keynote speech at the 2008 Democratic National Convention. It didn't set the room on fire but Twitter was aflutter as its geek community celebrated a throwaway line.

by Sarah Lai Stirland at August 27, 2008 07:27 AM

Full Disclosure | Full-Disclosure

[PLSA 2008-31] Tiff: Denial of Service

------------------------------------------------------------------------ Pardus Linux Security Advisory 2008-31 security@pardus.org.tr ----

August 27, 2008 06:26 AM

Educated Guesswork

No bad side-effects?

In Slate, Darshak Sanghavi argues against lowering the drinking age from 21 to 18. Sanghavi makes a reasonably convincing argument that raising the drinking age has suppressed teen drinking. That's not that surprising, seeing as it's a lot harder for a 17-year-old to impersonate a 21-year-old than an 18-year-old. And then he closes with:
Of course, in the end a lot of teens will binge-drink, no matter what the law says. But that's not an argument against making the legal age 21 years old to buy and consume it. (After all, a third of high-schoolers have smoked marijuana, and few people want to legalize it for them.) Rather, the current law is best viewed as a palliative medical treatment for an incurable condition. Chemotherapy can't cure terminal cancer, but it can make patients hurt a little less and perhaps survive a little longer. Similarly, the current drinking age undeniably reduces teen binge-drinking and death a little bit, without any bad side-effects. When there's no complete cure, though, desperate people are vulnerable to the dubious marketing hype of snake-oil peddlers--which is all the Amethyst Initiative is offering up now.

I don't really have a strong opinion on the right drinking age—though I seem to remember that when I was 16 I thought 18 sounded pretty good, and I wouldn't want to sign an affidavit that I never drank before I was 21. That said, it's not true that there are no "bad side-effects", unless, that is, you ignore the hedonic benefits to the teens in question from having a few drinks. But of course once you ignore hedonic benefits, why not jack the drinking age to 31 or 41 instead of 21?

August 27, 2008 06:01 AM

Security to the Core | Arbor Networks Security

Internet Routing Insecurities RE-revealed

The folks at Wired published a story earlier today titled Revealed: The Internet’s Biggest Security Hole.  I recall seeing a pointer posted to the NANOG mailing list a few weeks back with some slides that were presumably the DEFCON presentation associated with the talk.  After a cursory look at the slides, I quickly moved on, believing nothing new was being presented.  Well, given the Wired article, and some other coverage of the talk, this was apparently news to some folks.

In a nutshell, the work they present explains not only how to hijack some arbitrary chunk of address space in the global routing system (e.g., YouTube, or AFOL-KE), but also, how to “intercept” traffic bound for that address space, and then get it back to the intended recipient, presumably in a manner that’s largely transparent to the recipient (i.e., a MITM attack enabled by BGP route hijacking).

So, I’ll preface the following comments with this: If this work helps get more folks concerned about the overwhelming insecurities that exist in the Internet routing system, that’s fantastic and I’m happy about that.  That said, let’s take a bit of a deeper look at what they’re presenting and discuss how novel each component, or such a system actually is.

I suppose there are about four things one could do when hijacking Internet address space:

  • Basic route hijack - announce someone else’s address space and drop the traffic on the floor when it enters your network.  This is what appears to have occurred with Pakistan Telecom’s hijacking of YouTube space earlier this year, triggered by a more-specific (/24) route announcement.  This result is essentially a denial of service, and could result from either misconfiguration or intentional malice.  If you’re announcing a more-specific or most folks are preferring a hijacked route that’s of the same size space, then the victim will likely be able to identify the attack as a considerable drop in traffic occurs.  This could possibly be a partial hijack as well, if route announcements of the same length were advertised from the attacker and the rightful address owner.
  • Partial route hijack with termination - here, you’d see something a bit more sinister, perhaps. Basically, you’d announce some address space and start serving web pages, or DNS queries, or similar content from the space, likely in a manner much akin to that of the original victim, either to intercept transactions, or inject malware, or analyze data for market reasons, or perhaps something fancy like to violate a “cyber cease fire”.  Those queries may be the same, or may be falsified.  Optimizations such as Anycasting lend themselves to better obscured partial route hijacks, and they’re much more difficult to detect than full more-specific route hijacks.  Ohh, but who’d do this you ask?  Well, ask the L-root Internet root DNS server operators.  That’s right, just a few months ago some folks started announcing Internet L-root name server address space AND responding authoritatively as a root DNS name server.  [sarcasm]Fortunately, this only happened for six months or so before it was remedied.[/sarcasm]  Another common use for this model is termination of known botnet command and control (C&C) IPs to detect, contain, and possibly instrument compromised end systems.
  • Full route hijack with proxy or snooping - this is sorta what Alex and Tony presented at DEFCON, although it wasn’t quite what I’d consider “full” since some networks necessarily discarded the hijack route announcement as a result of their AS intentionally being contained in the AS path of the hijack BGP announcements (a root operator was said to have “blocked” access to one of their address blocks from a particular network in just this manner several years ago).  If you didn’t read the slides, the reason for this is so that you can use those networks to “on-ramp” the traffic back to the legitimate destination once you’re done molesting it, without introducing some forwarding loop in the network.  This isn’t new, however, as inter-provider botnet C&C infiltration was performed in just this manner by large ISPs years ago - it’s just that no one published a paper on it - for obvious reasons.  Furthermore, many intelligent filtering or “scrubbing” solutions (e.g., Arbor’s TMS) for DDoS attacks have used route diversion (I suppose you could call it hijacking, but it’s typically done with the consent of the address owner) and any of an array of “on-ramping” techniques to get traffic back to the target systems for over 5 years now.  Detection techniques would involve route table monitoring for new origin AS numbers, the introduction of more specific routes in the routing system, the existence of new paths in the routing system, ingress traffic shifts, and perhaps additional transaction latency or increased one-way propagation delay.
  • Targeted route hijack with proxy or snooping - I suppose if you were going to do this and attempt to go undetected, you’d need to be very targeted yet not introduce significant new traffic flows or detectable shifts, minimize latency, and not introduce more-specific route announcements into the routing system, all of which may well be easily detected IF folks are paying attention.  The most effective way to do this would likely be to employ a dual-homed attacker AS that has one connection to the network from which you would like to intercept traffic (AS a), and the other to the network from which you’d like to receive (AS b).  You could easily forge an origin AS in a route announcement, and since most providers, if they filter at all, do so based on prefixes and NOT AS path, you’d be OK if you registered the route, and origin detection systems would likely not pick up the change. Furthermore, you could easily scope the announcement to the AS a network, either with a NO_EXPORT style technique, or perhaps community mechanisms akin to those outlined in RFC 1998.  Furthermore, because ISPs usually prefer routes from customers over routes from peers (e.g., via BGP LOCAL_PREF) you don’t need to announce one or several more-specific routes for the target network; you could announce the same prefix length.  You could also use their routing policy capabilities to send the routes only to their customers, or keep it just within that AS, or whatever you’d like.  Or, considering most providers filter customers explicitly and peers implicitly (i.e., not at all), you could do this at an Internet exchange point (IXP) as a peer towards target networks.  I’d venture to say that so long as the adjacent AS accepts the route announcement, there are an array of ways you could scope its propagation.
Then again, most government and intelligence agencies will do this at much lower layers (i.e., not IP, but perhaps transmission layer, or physical layer), so you could liken this to a poor man’s traffic intercept.  In the 2008 infrastructure security survey we conduct, we asked how many ISPs filter customers and peers, and in what manner.  Of the 60+ responses thus far, the results aren’t at all surprising:

Do you explicitly filter routes announced to you by customers?
  Answer                    Percentage
  No answer                 0
  Yes                       72.58%
  No                        14.52%
  Other (please explain)    12.90%

Do you explicitly filter routes announced to you by peers (not customer peers)?
  Answer                    Percentage
  No answer                 0
  Yes                       41.94%
  No                        45.16%
  Other (please explain)    12.90%

If folks don’t filter, of course you can advertise routes openly and assert reachability and/or ownership for pretty much any address space on the Internet you want.  What you do from there, well, molest at will.  Unfortunately, as noted in a recent NANOG panel, the state of filtering has done nothing but deteriorate over the past 15 years.

With any luck, the RPKI and SIDR efforts will take hold, as the Regional Internet Registry (RIR) development efforts are well under way and much needed.  And unquestionably, until some formally verifiable source for who owns what address space exists on the Internet, verifying who is authorized to assert Internet routing reachability or provide transit services for that address space is going to be challenging at best.  I applaud DHS efforts in seeding work in this area, and am thrilled several of the RIRs seem to be working on RPKI infrastructure development.  Now, it’s time for the ISPs to step up and be ready to employ this infrastructure for route filtering.  For that matter, use it for source address verification as well, and snuff most of those IP source address spoofing attacks while you’re at it (e.g., Kaminsky’s DNS cache poisoning stuff).
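As an added example (not code from Danny’s post, nor from Arbor or any RIR), here is a small Python route monitor that applies the checks discussed above: RFC 6811-style route-origin validation against a ROA table, detection of more-specifics that exceed a ROA’s maxLength, and a neighbour check that catches the forged-origin, same-prefix-length case from the targeted-hijack bullet, which origin-only validation would wave through. The ROA table, AS numbers, neighbour list and announcements are all constructed sample data (RFC 5737 prefixes, private-range ASNs); a real monitor would build the neighbour list from observed paths or peering data.

```python
"""Route-origin and AS-path sanity checks over constructed BGP announcements."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# Constructed ROA-style table: (prefix, authorised origin ASN, maxLength).
ROAS: List[Tuple[str, int, int]] = [
    ("203.0.113.0/24", 64500, 24),
    ("198.51.100.0/22", 64501, 23),
]

# Constructed adjacency list: ASes known to be directly connected to each
# legitimate origin. Anything else in front of the origin is suspicious.
KNOWN_NEIGHBOURS: Dict[int, Set[int]] = {
    64500: {64510, 64511},
    64501: {64512},
}


@dataclass
class Verdict:
    prefix: str
    as_path: Tuple[int, ...]
    origin_state: str          # "valid", "invalid" or "notfound" (RFC 6811 terms)
    findings: List[str]


def _covering_roas(prefix: str):
    """Yield (roa_net, asn, maxlen) for every ROA whose prefix covers `prefix`."""
    net = ip_network(prefix)
    for roa_prefix, roa_asn, maxlen in ROAS:
        roa_net = ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            yield roa_net, roa_asn, maxlen


def origin_validate(prefix: str, origin: int) -> str:
    """RFC 6811 route-origin validation against the ROA table."""
    net = ip_network(prefix)
    covering = False
    for _, roa_asn, maxlen in _covering_roas(prefix):
        covering = True
        if roa_asn == origin and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covering else "notfound"


def check_announcement(prefix: str, as_path: List[int]) -> Verdict:
    """Flag the things the post says a route monitor should watch for."""
    findings: List[str] = []
    origin = as_path[-1]
    state = origin_validate(prefix, origin)

    if state == "invalid":
        # Distinguish a wrong origin from a more-specific that exceeds maxLength.
        if any(asn == origin for _, asn, _ in _covering_roas(prefix)):
            findings.append(f"{prefix} is more specific than any ROA for AS{origin} allows")
        else:
            findings.append(f"AS{origin} is not an authorised origin for {prefix}")

    # Origin-only validation cannot see a forged origin appended by an adjacent
    # AS. Strip prepends, then check that the AS in front of the origin is one
    # the origin is actually known to connect to.
    if state == "valid" and origin in KNOWN_NEIGHBOURS:
        idx = len(as_path) - 1
        while idx > 0 and as_path[idx - 1] == origin:   # skip AS prepending
            idx -= 1
        if idx > 0:
            neighbour = as_path[idx - 1]
            if neighbour not in KNOWN_NEIGHBOURS[origin]:
                findings.append(
                    f"AS{neighbour} is not a known neighbour of AS{origin}: possible forged origin"
                )
    return Verdict(prefix, tuple(as_path), state, findings)


def demo() -> List[Verdict]:
    # Constructed announcements, as (prefix, AS_PATH with the origin last).
    announcements = [
        ("203.0.113.0/24", [64510, 64500]),                 # legitimate
        ("203.0.113.0/24", [64510, 64500, 64500, 64500]),   # legitimate, prepended
        ("203.0.113.0/25", [64510, 64500]),                 # more-specific hijack
        ("203.0.113.0/24", [64520, 64500]),                 # forged origin, same length
        ("198.51.100.0/22", [64520]),                       # wrong origin
        ("192.0.2.0/24", [64510, 64530]),                   # no ROA at all
    ]
    return [check_announcement(p, path) for p, path in announcements]


if __name__ == "__main__":
    for v in demo():
        print(v.prefix, v.as_path, v.origin_state, v.findings)
```

Note that the fourth announcement validates as RPKI-valid: the attacker registered nothing and simply appended the legitimate origin, so only the neighbour check notices it. The last one is "notfound", which is what most operators would still accept today, so coverage of the ROA table is itself a security control.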

There’s no shortage of NANOG and other related papers and talks on these topics over the past 20 years, and I see nothing particularly new revealed in this talk - well, at least nothing new for the folks that were paying attention. The one clever bit that I did see from their work is how they used AS prepending not to selectively break connectivity to a given target AS, but instead, to preserve the native forwarding path inter-domain.  There are many ways you could do this, but AS prepending didn’t come to mind when I was thinking about it, and I’ve not seen that method employed in practice (although perhaps because the other techniques are arguably simpler to implement).

This also should serve as a reminder for folks that if you have any expectations of transaction privacy on the Internet, you should be employing end-to-end encryption (e.g., IPSEC).

However, I do hope the flag waving garners more attention for the topic, as this, coupled with some DNS security issues and source address spoofing, is unquestionably among the largest vulnerabilities in the Internet infrastructure today.

by Danny McPherson at August 27, 2008 05:22 AM

Anton Chuvakin Blog - "Security Warrior"

A Geek Raised by Wolves

Madness

This is madness!
Madness?
THIS! IS! CRYPTOGRAPHY!

August 27, 2008 04:41 AM

Wired Security

Clinton Urges Party Unity In Powerful Convention Address

Hillary Clinton exhorts the members of her party to unite and rally behind former Democratic presidential nominee Barack Obama, saying that the nation can't afford to elect another Republican to the White House.

by Sarah Lai Stirland at August 27, 2008 04:22 AM

Cox Crow

Oriented?

We were out on the island on Sunday for the celebration of a baptism, and a day at the beach. (Say what you will about Robert Moses, he did know how to build a park — and parkways.) Before we left the restaurant to return home, our hosts asked if we knew the way back. Sure, just go back the way we came. Do you have a GPS? No, I have a map. :-) You should get a GPS; they’re great.

Are we so afraid of getting lost? Or are maps that hard to read? I don’t much want a GPS receiver for my car. I want one for trail mapping, so I can concentrate on walking.

by Will at August 27, 2008 04:15 AM

Full Disclosure | Full-Disclosure

Re: DIE IN A FIRE post

DIE IN A FIRE !!!1!1! Shirkdog ' or 1=1-- http://www.shirkdog.us Date: Tue, 26 Aug 2008 18:59:06 -0700 From: jason.kimmer2008@gmail.com To: full-d

August 27, 2008 03:46 AM

Rational Survivability

My Awesome NetBIOS and Token Ring Beacon Attack Will Pwn the Internets!

I was blipping through my RSS reader this evening and noticed this new little doozy of a headline referencing a story that is now weeks old:

Revealed: The Internet's Biggest Security Hole

Holy crap! That's pretty scary looking, huh?  Another Internet's biggest security hole!?  I can't take another.  I don't have another poem in me.  What sort of "fool" disclosure is this!?

Then again, there are plenty of big 'holes on the Internet, so I thought I better make sure it wasn't me this time ;)

Kapela's and Pilosov's cool performance at Defcon was sadly drowned out by Uncle Dan's DNS flaw and the sheer weight of his grandma's cookies (which I received zero samples of, by the way ;( )

The gist of this story is that by utilizing the built-in friendliness of BGP, you can cause bad things™ to happen by redirecting, intercepting and then sending traffic back on its way with a high likelihood of not being detected.

"We're not doing anything out of the ordinary," Kapela told Wired.com. "There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working."

It's another case of "everyone knows this can (and probably does) happen, but we're just hoping it doesn't," and very smart people have been warning others about this for years.  You shouldn't drink the water overseas, either.

Even as recently as the YouTube/Pakistan issue which was a BGP-related issue that caused a DoS, not-so-smart people such as your humble author suggested exactly this sort of thing was possible:

Yes, this is really a demonstration of unavailability, but what I'm getting at here is that fundamentally, the core routing protocol we depend upon for the backbone Internet transport is roughly governed by the same rules that we depend upon whilst driving down a road separated by nothing more than painted lines...you simply hope/trust that nobody crosses the line and crashes into you head-on.

There is very little preventing someone from re-routing traffic. This could result in either a denial of service (as the traffic would not reach its destination) or even something akin to an interception, "storage" and eventual forwarding for nefarious means.

So, here we have a case where again we depend upon a protocol that was designed to provide (A)vailability, yet C and I are left floundering in the wings.  We'll no doubt see another round of folks who will try and evangelize the need for secure BGP -- just like secure DNS, secure SMTP, secure...

This will hit deaf ears until we see the same thing happen again...

Ooooh.  I must be psychic.

Wait until I demonstrate how to redirect the NetBIOS traffic of every Win2K/XP box that has NBT bound to the NICs by a cleverly devious combination of ICMP source quench, token ring beacons and uPnP.

I'll be FAMOUS!

/Hoff

by beaker at August 27, 2008 03:26 AM

1 Raindrop

Building Secure Web Applications Training in Minneapolis

I am very excited to announce that I am co-teaching a public software security class with Ken van Wyk, in Minneapolis, the class runs September 30 - October 2. Ken co-wrote a great book called Secure Coding, and has trained folks in software security all across the globe. I am really looking forward to doing this class with Ken, I wanted to make sure we got Ken up here before the weather got too cold! The summary is below, if you would like more info please let me know. More details to follow.

Building Secure Web Applications in Java/J2EE

Course Description
This course teaches the students how to develop secure applications from the web front end through the middle tier and data and integration layers for today’s complex internetworked environment.  Students will receive a deep and thorough understanding of the most prevalent and dangerous security defects in today’s applications, and what to do about them.  Additionally, they will learn practical and actionable guidelines on how to remediate against these common defects in Java/J2EE and Web Services frameworks and how to test for them in their own applications.

This class starts with a description of the security problems faced by today's software developer, as well as a detailed description of the Open Web Application Security Project’s (OWASP) “Top 10” security defects.  These defects are studied in instructor-led sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to “break into” a real web application.  (The labs are performed in safe test environments.)

Remediation techniques and strategies are then studied for each defect. Practical guidelines on how to integrate secure development practices into the software development process are then presented and discussed. Bringing the concepts and hands-on learning together, the class uses a case study to show how to design and architect security services for a real world application.

Intended Audience
The ideal student for this tutorial is a hands-on web application developer or architect who is looking for a fundamental understanding of today's best practices in secure software development.

by Gunnar Peterson at August 27, 2008 02:47 AM

Rational Survivability

All Your Virtualized Storage Are Belong To Us...

[Diagram: Brocade SAN fabric]

A point I've raised in my Four Horsemen presentation that I'm spending a lot of time researching is on the topic of how virtualization is accelerating the adoption of SAN storage and to a larger extent I/O virtualization and what that means to security.

I wanted to introduce this topic as a teaser to a larger series of posts.  This is not a treatise on the subject and is deliberately thin on detail and thick on corner case illustration.  You have been warned.

What I'm both extremely intrigued by and really worried about as we move further along the virtualization continuum is the strange duality offered up by the intersection of consolidated compute, resources and information overlaid with tremendous distributed mobility and the security (or lack thereof) of this pooled storage holding all our crown jewels.

Centralized storage offers great benefits: easier to backup/restore, simpler management, better cost effectiveness, facilitated resiliency and potentially better security.  However, that all depends upon how and who is actually responsible for the operational aspects of security and defining the policies and compliance requirements in the first place.

We see the grappling matches of responsibility being waged between who is responsible for securing our basic virtualized environments from the "server" and "network" perspective today and we're struggling for answers.

What about securing storage?

This isn't an argument about filesystem partitioning, ACL's and GPO.  This is a whole other networking fabric or set of appliances that are being deployed, connected to our hosts and administered/secured by...who?

Think about it; we're moving away from local storage to pooled "networked" storage.  Not only is our critical information stored in these pools, but the Virtual Machine (VM) images are also.  Databases too.  One stop shopping!

Sure, this trend has been going on for years, but virtualization and consolidation are shining the ugly light on the fact that we've been covering our eyes as to what this means to our overall security posture for many years.  That's not going to last much longer.

Depending upon who is responsible for the architecture of your virtualized storage, your perfectly reasonable asset, network segmentation and layered defense may go out the window when "machines" from multiple tiers all interconnect to a single storage fabric. 

It shouldn't happen, but it does; think about your (coming soon) virtualized DMZ's and what that might mean to this diagram:

[Diagram: VMware virtualized DMZ]

You might notice that for "simplicity" although the management/service console network is represented, the storage "network" is not.  I'll bet dollars to doughnuts that all three tiers would be serviced by a single SAN in the real world...

I've heard that over your dead body would you combine multiple network zones on the same physical/virtualized host like in the picture above.  Strangely though I bet many of you connect physical assets (virtualized or not) of varying criticality to the same SAN fabric though like in the Brocade diagram on the top left.

What exactly is the difference?

Will the real SAN storage security experts please stand up?  OK, how about if you're faking it really well?  Um, how about you storage admins posing as security experts?  Server admins who eat LUNs for lunch?  Network engineers who admin Cisco, Brocade, Xsigo I/O virtualization switches?

Bueller?

I am *not* a storage security expert but I'm reasonably skilled in many other elements of security, and that's really the point of all of this.  I recognize there are many things that can be done to segment/zone/mask/secure storage, but I don't have those skills and I don't know how to assess others' either.  I'd bet that if you haven't been involved in securing storage for quite some time, even if you're being dragged into virtualized environments, you're in the same boat?

Food for (scary) thought.

/Hoff

by beaker at August 27, 2008 02:41 AM

Computer Business Review Online - Security News

Redundant IT staff pose security threat: survey

Many IT staff would walk off with sensitive company data if they were made redundant, warns identity management specialist Cyber-Ark.

August 27, 2008 01:55 AM

Dana Epp's ramblings at the Sanctuary

Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World

At the last BlackHat conference, there was an interesting presentation by some folks at Microsoft on new strategic initiatives from Microsoft to "Rock Your World".

If you haven't had a chance to see the presentation, consider checking out the slidedeck (link above). There is some interesting insight into Microsoft Vulnerability Research, the Microsoft Active Protections Program and even the new Exploitability Index recently announced.

Good stuff. Happy reading!

August 27, 2008 12:55 AM

Network Security Blog

Network Security Podcast, Episode 117

While Rich is off on a well deserved vacation with his wife, I’m joined by Mike Rothman, analyst, consultant, blogger, podcaster and friend. Mike and I recorded Monday night since I should be in a hotel somewhere in Southern California when this goes live.

Show Notes:

Network Security Podcast, Episode 117
Time: 30:34


by Martin McKeay (netsecpodcast@mckeay.net) at August 27, 2008 12:30 AM

The Register - Security

US data breaches booming in '08

Have you seen my identity?

The number of personal information leaks reported in the US this year has already exceeded the total for all of 2007, San Diego-based Identity Theft Resource Center said today.…

August 27, 2008 12:22 AM

CERT: Linux servers under 'Phalanx' attack

Stolen keys unlock back door

Attacks in the wild are under way against Linux systems with compromised SSH keys, the US Computer Emergency Readiness Team is warning.…

August 27, 2008 12:13 AM

SecurityFocus Vulnerabilities

Vuln: SWIMAGE Encore Master Password Information Disclosure Vulnerability

SWIMAGE Encore Master Password Information Disclosure Vulnerability

August 27, 2008 12:00 AM