
security

Let's do this thing

Well, the Macalope's faithful and well-groomed readers know that he doesn't suffer silly punditry lightly. And this may be only his second post over at his new digs (hey, did you check out the fussball table?!), but let's see if he's become a domesticated animal or if he still rolls the way he used to.

Before linking to the piece in question, let's take a look at a quote.

Apple excels in creative and innovative marketing. Often it's what they don't tell you that creates the most buzz. For example, we know next …

Report: French officials skirt BlackBerry limits

Apparently even dire warnings about the threat of snooping by American spies aren't enough to keep some top French government officials from nursing CrackBerry addictions on the sly.

According to a report to be published in Wednesday's edition of the French newspaper Le Monde, bureaucrats continue to lament--and in some cases, quietly ignore--a warning dispatched 18 months ago from the head of France's national defense agency. Reissued recently, the notice reportedly bars certain categories of government officials from using their Research in Motion BlackBerries to circulate sensitive government information.

French security officials are still working on finding …

Dangerous Web sites, strings attached

As the automated Mpack attack continues to turn thousands of legitimate Web sites into compromised sites offering drive-by downloads of malicious software, security researcher Roger Thompson over at Exploit Prevention Labs reminds us there are other exploits compromising legitimate sites, and some are as easy to find as entering a simple search string on Google. For more than a week (starting before the current Mpack attack), Thompson has been posting a list of dangerous search strings on his blog site. I've collected these and indicated in parentheses some of the known exploits associated.

atlas mountains country (WebAttacker 2 or …

Trillian critical security update released

Cerulean Studios on Monday released a "highly critical" security update for its Trillian multi-protocol chat software.

Attackers could exploit vulnerabilities in the character encoding for Trillian 3.1.5.1--specifically, the word-wrapping handling of UTF-8, the Unicode Transformation Format used for encoding characters in e-mail, instant messages and Web pages, iDefense Labs warned in its security advisory. The vulnerabilities potentially could affect earlier versions of the Trillian software as well, iDefense said.

Trillian, which supports Yahoo's Instant Messenger, AOL's AIM, MSN Messenger, and Internet-relay chat and ICQ ("I seek you") instant-messaging protocols, could be …

Congress to grill Homeland Security on cyberweaknesses

A congressional panel that has been none too pleased about various federal agencies' responses to cyber threats plans on Wednesday to put the Department of Homeland Security's chief information officer in the hot seat.

The title of the latest House of Representatives Homeland Security Committee hearing--"Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security"--suggests another bruising may be on the horizon for CIO Scott Charbo and the oft-criticized agency chiefly responsible for overseeing the nation's cybersecurity efforts.

The event follows an April hearing that focused primarily on cyberattacks involving computers at the State and Commerce Departments. …

What's behind the security acquisition spree?

It must be buying season in the security industry, because there seems to be a new acquisition announced each day. Two recent purchases grabbed my attention. Last week, IBM bought application firewall vendor Watchfire, adding the company to its Rational Software division. Not to be outdone, Hewlett-Packard on Tuesday grabbed application vulnerability tools vendor SPI Dynamics, adding value to another recent addition, Mercury. Why all the activity in the application security space?

1. Web applications are the binary equivalent of Swiss cheese. Many are written rapidly by developers who are paid to add new business logic and meet deadlines. Security …

HP acquires SPI Dynamics

HP today announced its acquisition of SPI Dynamics. The company specializes in Web application security; and SPI Dynamics' technology is already integrated with HP Quality Center software.

According to HP, the acquisition adds quality management services to its software portfolio and builds on its Business Technology Optimization (BTO) strategy.

Privately held SPI Dynamics is headquartered in Atlanta, has 140 employees, and serves more than 1,000 customers in the federal government, financial services, and health care industries. Expected to close in the third quarter of 2007, the acquisition is subject to certain closing conditions. Upon completion, SPI Dynamics will become …

Massive Web attack gains momentum

Over the weekend, thousands of legitimate English-language Italian Web sites fell victim to one line of code. Taking advantage of the trust the users have in the sites they visit, the malicious code silently redirects browsers via JavaScript to servers containing a variety of drive-by exploits. If the visiting computer is unpatched for a variety of operating system, browser, and specific application flaws, malicious code is downloaded. Once installed, the new software can then be used to steal personal information or enlist a compromised machine in attacks on other machines. According to security vendor Websense, the attack now affects over …

Yet another URL flaw for Safari 3.0 for Windows beta

Security researcher Robert Swiecki, who two days ago disclosed a URL vulnerability within the new Safari 3.0 for Windows beta, has another. The new flaw requires a user to visit a specially crafted Web page. There, an attacker can write whatever name in the URL toolbar and fill the client browser window with arbitrary content. He provides an example (link should be viewed within Safari).

In response to other Safari 3.0 vulnerabilities, Apple yesterday released an updated version that addresses three of the public vulnerabilities. Swiecki says he tested this latest vulnerability on Safari 3.0.1 (522.…

PayPal key fob's on the job

PayPal launched on Friday its security key fob, a little device designed to thwart password-stealing bad guys who are out to pilfer your online payment account.

PayPal, owned by online auction behemoth eBay, says its PayPal Security Key will generate a new security code every 30 seconds, which people will enter along with their log-in and password for their eBay and PayPal accounts.

PayPal, which initially announced in January plans to increase security via a password-generating key fob, will charge $5 to PayPal and eBay account holders in the U.S. The plan will be expanded internationally.

Various versions of …