Monday, December 28, 2009

Should Employers Ban Facebook at Work?

2009 has indeed been the year of social networks like Facebook, Twitter, and LinkedIn. But some say that social networking at work has become too costly in terms of lost productivity and too risky from a security standpoint. Is it time for a complete ban on social networking in the office, or are guidelines and productivity goals a better solution?

Should employers ban access to social networking sites like Facebook at work? If you look at the potential security risks alone, the answer would be a resounding yes for most enterprises. Aside from the security risk, there's the huge hit that social networking has had on employee productivity. One estimate -- from IT consulting company Morse -- figures employee use of social-networking sites costs employers $2.25 billion a year in lost productivity.

Yet even with the productivity and security challenges caused by social media, there is still no easy answer to the Facebook ban question. There are, however, plenty of opinions and guidelines that can help your company make a sound decision about the use of social networking from 9 to 5.

Read more about this @

http://www.enterprise-security-today.com/story.xhtml?story_id=12300AYS00HU

Wednesday, December 23, 2009

Hackers block Microsoft Cofee law enforcement software

Hackers have released software designed to attack a Microsoft tool used by law enforcement agencies.

According to a report on The Register, the hack, known as Decaf, automatically launches countermeasures against Computer Online Forensic Evidence Extractor (Cofee), which provides tools used in the collection of digital evidence.

Last month copies of Cofee appeared on file sharing websites.

Microsoft said last month it does not expect cyber criminals to be able to use the software to their advantage. It said Cofee is just a collection of digital forensic tools which are already available.

Read More about this @

http://www.computerweekly.com/Articles/2009/12/15/239700/Hackers-block-Microsoft-Cofee-law-enforcement-software.htm

Illegal copies of Microsoft Cofee spill onto the web

Microsoft software that is designed to help the police access encrypted data is loose on the web.

The software, known as Computer Online Forensic Evidence Extractor (Cofee), has been put on a file-sharing site, according to reports on the web. It is illegal for unauthorised people to use the software or download it. The software helps law enforcement agencies access details about crimes before criminals can wipe the information.

"Cofee brings together a number of common digital forensics capabilities into a fast, easy-to-use, automated tool for first responders. And Cofee is being provided [free] to law enforcement around the world," said Microsoft.

Read More about this @

http://www.computerweekly.com/Articles/2009/11/09/238474/Illegal-copies-of-Microsoft-Cofee-spills-onto-the-web.htm

Friday, December 18, 2009

Twitter hacked by 'Iranian Cyber Army'

The popular microblogging Web site Twitter was hacked overnight, leaving the millions who use the site tweetless. Those who tried to access Twitter were redirected to a site that had a green flag and proclaimed "This site has been hacked by Iranian Cyber Army."

Read more @ http://www.cnn.com/2009/TECH/12/18/twitter.hacked/

Take a Little Care While Christmas Shopping Online

Legitimate businesses use encryption that protects your credit card data as it travels from your computer to the merchant. This means the Web address for sending in the order will begin with https instead of the familiar http. The change from http to https may not happen until you move to the page that actually processes your order.

So today we'll talk about a shopping topic where I can truly help -- showing you how to dodge some of the hazards of shopping online. This is the peak time of the year for online shopping and, for those of us who get a little dizzy just thinking about navigating mall crowds, online shopping can be an attractive notion. 

There are ways to do it that reduce the chance of broken hearts and busted bank accounts.

Read more about this article @ 

http://www.enterprise-security-today.com/story.xhtml?story_id=101003HE7GX5

Tuesday, December 8, 2009

The world’s top 5 riskiest top-level domains

McAfee’s 3rd Annual “Mapping the Mal Web” report highlights the top-level domains with the most road hazards. 

Like the auto industry, the Internet wasn’t designed with seatbelts and airbags. It took years and some determined people to get the auto industry to make safety changes. McAfee’s latest report highlights why so many security vendors are offering add-on safety features to protect your browsing experience. In today’s Web, attackers are poking holes in legitimate websites to set up drive-by downloads, typosquatters are waiting for someone’s fat fingers to mistype a URL, and many are using search engine optimization to get their mischievous sites listed prominently in search results.

Read More about this @

http://itknowledgeexchange.techtarget.com/security-bytes/the-world’s-top-5-riskiest-top-level-domains/

Yahoo login credentials at risk to hijacking attack

A new phishing attack attempts to steal Web hosting login credentials from Yahoo Inc. and other service providers.

Read more @ 

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1376209,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29

Monday, December 7, 2009

Putting a Fair Internet Use Policy in Place

There are real security problems and many, many threats, not only from e-mail but also from web browsing. Your employee could be browsing online, come across a link, click on it, and download a little file. That's how some piece of malware finds its way onto the machine and from there it gets into all the machines on the network.

More than half of employees who have Internet access at work say they will shop for holiday gifts from the office, according to a November poll conducted for Shop.org, a division of the National Retail Federation. While online shopping may be more efficient than braving the crowds at lunch hour, employee shopping can compromise both security and productivity, says David Kelleher of GFI Software, which sells remote monitoring and management software primarily to small and medium firms. He spoke recently about this topic with Smart Answers columnist Karen E. Klein. Edited excerpts of their conversation follow.

Read more about this @

http://www.enterprise-security-today.com/story.xhtml?story_id=012000108410

Wednesday, November 4, 2009

HP-UX System Gets Restarted on Scan

Details of the HP-UX system I scanned:

HP-UX OS version 11.31, Integrity Superdome with Itanium CPUs.

Cluster version: Serviceguard 11.19

I have further checked and found that this problem is caused by a missing patch, PHSS_40145, on the HP-UX 11.31 server that I scanned. During the port scanning phase, Nessus (any port scanner could do the same) triggered the reboot of the server.

PHSS_40145: 11.31 Serviceguard A.11.19.00
ABORT/PANIC: If cmcld receives unexpected data, cmcld may hang, resulting in a node TOC. The following message will be logged in the flight recorder log:
SEC:01: Event - Unknown message version

The fix is available via the patches below:
PHSS_40144 Serviceguard A.11.19 on HP-UX 11.23
PHSS_40145 Serviceguard A.11.19 on HP-UX 11.31

So it is recommended to apply these patches before doing any scans, and please ensure the scans are conducted during non-business hours.

https://discussions.nessus.org/message/3808#3808
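The two precautions above (confirm the Serviceguard patch is installed, and keep scans out of business hours) can be turned into a pre-scan gate. The following is an added example, not code from the post or from HP or Tenable. It assumes the patch inventory comes from the text of HP-UX's `swlist -l patch` (the sample output below is constructed and its column layout is approximated), that the OS release string is the `uname -r` form such as `B.11.31`, and that business hours are 08:00 to 18:00 on weekdays; the patch-to-release mapping is the one listed in the post.

```python
import re
from datetime import datetime

# Serviceguard A.11.19 patch required per HP-UX release, as listed in the post above.
REQUIRED_PATCHES = {
    "B.11.23": "PHSS_40144",
    "B.11.31": "PHSS_40145",
}

# Business hours during which cluster nodes should not be scanned (assumption: 08:00-18:00, Mon-Fri).
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18

# HP-UX patch identifiers look like PHSS_40145, PHKL_38938, PHCO_38048, ...
PATCH_ID = re.compile(r"\bPH[A-Z]{2}_\d{5}\b")

# Constructed sample of `swlist -l patch` output for an unpatched node (layout approximated).
SWLIST_UNPATCHED = """\
# Initializing...
# Contacting target "sgnode1"...
#
# Target:  sgnode1:/
#
  PHCO_38048  1.0  libc cumulative patch
  PHKL_38938  1.0  Kernel cumulative patch
"""

# The same node after PHSS_40145 has been applied.
SWLIST_PATCHED = SWLIST_UNPATCHED + "  PHSS_40145  1.0  Serviceguard A.11.19.00\n"


def installed_patches(swlist_output):
    """Return the set of patch identifiers mentioned anywhere in swlist text."""
    return set(PATCH_ID.findall(swlist_output))


def scan_readiness(os_release, swlist_output, scan_time_iso):
    """Decide whether a port scan of this node is safe to run.

    Returns (ok, reasons): ok is True only when the required Serviceguard patch is
    present and the scan falls outside business hours; reasons lists every blocker.
    """
    reasons = []
    required = REQUIRED_PATCHES.get(os_release)
    if required is None:
        reasons.append(f"no Serviceguard patch requirement known for HP-UX {os_release}")
    elif required not in installed_patches(swlist_output):
        reasons.append(f"missing {required}: cmcld may hang and TOC the node on unexpected scan traffic")

    scan_time = datetime.fromisoformat(scan_time_iso)
    on_weekday = scan_time.weekday() < 5
    in_business_hours = BUSINESS_START_HOUR <= scan_time.hour < BUSINESS_END_HOUR
    if on_weekday and in_business_hours:
        reasons.append("scan is scheduled during business hours")

    return (not reasons, reasons)


if __name__ == "__main__":
    for release, inventory, when in [
        ("B.11.31", SWLIST_UNPATCHED, "2009-11-04T14:00"),  # Wednesday afternoon, unpatched
        ("B.11.31", SWLIST_PATCHED, "2009-11-07T22:00"),    # Saturday night, patched
        ("B.11.23", SWLIST_PATCHED, "2009-11-07T22:00"),    # 11.23 needs PHSS_40144 instead
    ]:
        ok, reasons = scan_readiness(release, inventory, when)
        print(release, when, "OK" if ok else "BLOCKED", reasons)
```

Run the gate from the scanning host against each cluster node's inventory before the job starts; a blocked result is cheaper than a TOC'd node.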


Tuesday, October 13, 2009

METASPLOIT UNLEASHED - MASTERING THE FRAMEWORK

Free information security training, brought to you through a heart-warming community effort by several security professionals to promote awareness and raise funds for underprivileged children in East Africa.

Source: http://www.offensive-security.com/metasploit-unleashed/

The Need for Social Engineering Tests

Social engineering is the art of tricking the people in an organization into complying with your wishes. Its basic goals are to gain unauthorised access to systems or information in order to commit fraud, industrial espionage or identity theft, or simply to disrupt a system or network.
In essence, social engineering is the practice of obtaining confidential information from the users of your network, or coercing them into performing a particular action. Social engineering techniques are also used to gain access to premises and other company assets.
Social engineering is a threat that is often overlooked but regularly exploited; it takes advantage of what has long been considered the weakest link in an organization's security chain: the human factor.
Everyone should want to be security conscious because not only does the company benefit from being aware, but that mentality will carry over into their personal lives as well, which will help prevent them becoming a victim of identity theft and a number of other crimes.

A company can spend billions of dollars on all kinds of security equipment, but it only takes one person for a company’s security to be compromised.

It is important to be familiar with Social Engineering techniques to reduce the likelihood of success. By having this knowledge, one can ensure appropriate (preventative, detective and corrective) measures are implemented to protect the staff and assets of an organization.

Common social engineering techniques include:
• information gathering and observing human behaviour
• shoulder surfing
• checking the rubbish (dumpster diving)
• impersonation: acting like a helpless user, like someone from technical support, or like an important user
• sending fake e-mails (phishing) to obtain sensitive information such as credit card details
• approaches by telephone

A company will obviously have to have a social engineering training plan made to fit the company’s needs. A great social engineering strategy may be short-lived if it is not reinforced with occasional mock social engineering attempts or short tips e-mailed or posted regularly in a bulletin that everyone receives. Procedures and guidelines specific to your company's function should be in place to minimize the threat of social engineering.
- Ratheesh Kannan

Tuesday, October 6, 2009

No Emergency Patch For Latest Windows Exploit

Another reason for Windows users to hate the Microsoft Patch Tuesday policy.

The exploit isn’t 100% reliable but it’s still fairly significant, as it is a critical vulnerability and can be used for code execution.

To read more, click on the link below:

Microsoft Confirms Hotmail Data Posted on Web Site

Thousands of usernames and passwords from hotmail.com, msn.com and live.com accounts were posted on a third-party site (http://pastebin.com), Microsoft has confirmed. The Windows Live Hotmail data leak was not due to a phishing scheme and not a data breach, Microsoft said. The Hotmail users affected appeared to be mostly based in Europe.

Wednesday, September 30, 2009

XSS Worm on Reddit.com

Reddit (reddit.com) is a social news website, and it's much better than Digg or Slashdot.

However, it got hit by an XSS worm that was spreading via comments on the site.

Read more about this at: http://www.securityfocus.com/blogs/2318

Effectively Protecting Your Customers' Data

Contact center staff are on the data security front lines. Properly trained, they can thwart intrusions. Unfortunately, contact centers too frequently have environments that foster data loss and theft. Employees are typically low-paid and have minimal or no benefits, are often poorly supervised, rushed to meet metrics, and face enormous stress.

Today's organizations depend and thrive on data for marketing, customer service and staff management, and like anything that is valuable, criminals have been seeking it to commit ID theft, blackmail or other crimes. 

The 2009 Identity Fraud Survey Report by Javelin Strategy and Research reports that the number of identity fraud victims has increased 22 percent to 9.9 million adults in the U.S., while the total annual fraud amount increased by seven percent to $48 billion over the past year. The reasons include profitability, safety and simplicity, explains Greg Young, research vice president, Gartner.

Read more about this article at: http://www.enterprise-security-today.com/story.xhtml?story_id=131004IMXRIW

Microsoft Security Essentials Available for Download

Microsoft has released its Security Essentials antivirus software as a free download to protect against malware, viruses and spyware. Microsoft said its goal is to remove cost barriers that leave PCs unprotected. The free Microsoft Security Essentials could result in wiping out software from competitors, including Arbor Networks, Symantec and McAfee.
After introducing its antivirus software to 75,000 beta testers in June as Microsoft Security Essentials Beta, Microsoft has made its Security Essentials antivirus software available as a free download.
Click on the link below to download Microsoft Security Essentials:

Tuesday, September 22, 2009

Security challenges with cloud computing services

If you entrust a cloud provider with your data, how is encryption handled, if at all? What about user authentication? What about data breach liability? 

Those were some of the issues raised during a panel discussion on the security challenges with cloud computing services at last week's Bay Area SecureWorld in Santa Clara, Calif. "We're not saying the cloud is bad. There is a lot of good there, but we want to bring the challenges to your attention," said panelist Tim Mather, a security advisor and a founding member of the Cloud Security Alliance (CSA). 

One of the major cloud security issues is encryption, he said. If data is processed in the cloud it needs to be decrypted, while some providers don't even offer encryption. And if encryption is used, key management becomes a big issue, he said: "Who manages the keys?"
Read more at:

Thursday, September 17, 2009

Brute force attacks target Yahoo email accounts

Attackers, willing to do anything to hijack webmail accounts to boost their spam campaigns, are bypassing the traditional Web login interface page to seek out a backdoor into accounts. 

Those attackers have targeted Yahoo and are successfully cracking account passwords by focusing automated password cracking scripts on a Yahoo Web services-based authentication application thought to be used by Internet service providers (ISPs) and third-party Web applications.
That was the finding of the Web Application Security Consortium Distributed Open Proxy Honeypot project, maintained by researchers at Breach Security Inc. The honeypot is tracking an extensive series of brute force attacks successfully targeting account credentials of Yahoo email users.
Read more about this at:-
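The attack described above is automated password guessing against an authentication endpoint that sits outside the normal web login page, so the usual login-page defences never see it. The following is an added example, not code from the article, Breach Security or Yahoo: it runs simple brute-force detection over a constructed authentication log. The log format (`<ISO timestamp> <source IP> <account> <result>`) and the thresholds are assumptions; the point it demonstrates is the difference between one user retrying their own password and one source spraying many accounts, and how the choice of time window decides whether a slow attacker is caught.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a web-services authentication endpoint (format is an assumption).
# 203.0.113.7: fast spray across eight accounts; 198.51.100.5: a real user mistyping a password;
# 192.0.2.9: a slow spray, one guess every 30 seconds.
SAMPLE_LOG = """\
2009-09-15T10:00:01 203.0.113.7 alice FAIL
2009-09-15T10:00:02 203.0.113.7 bob FAIL
2009-09-15T10:00:03 203.0.113.7 carol FAIL
2009-09-15T10:00:04 203.0.113.7 dave FAIL
2009-09-15T10:00:05 203.0.113.7 erin FAIL
2009-09-15T10:00:06 203.0.113.7 frank FAIL
2009-09-15T10:00:07 203.0.113.7 grace FAIL
2009-09-15T10:00:08 203.0.113.7 heidi FAIL
2009-09-15T10:05:00 198.51.100.5 alice FAIL
2009-09-15T10:05:20 198.51.100.5 alice FAIL
2009-09-15T10:05:40 198.51.100.5 alice FAIL
2009-09-15T10:06:00 198.51.100.5 alice SUCCESS
2009-09-15T10:10:00 192.0.2.9 ivan FAIL
2009-09-15T10:10:30 192.0.2.9 judy FAIL
2009-09-15T10:11:00 192.0.2.9 mallory FAIL
2009-09-15T10:11:30 192.0.2.9 niaj FAIL
2009-09-15T10:12:00 192.0.2.9 olivia FAIL
2009-09-15T10:12:30 192.0.2.9 peggy FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source, account, result)."""
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts), src, account, result


def detect_brute_force(log_text, window_seconds=60, min_failures=5, min_accounts=3):
    """Flag sources whose failed logins within any sliding window reach both thresholds.

    Returns {source: (failures, distinct_accounts)} using the largest qualifying window
    seen for that source. Requiring several distinct accounts keeps a single user who
    mistypes their own password from being flagged.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # source -> [(timestamp, account), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, account))

    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most window_seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            accounts = {account for _, account in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                best = flagged.get(src, (0, 0))
                flagged[src] = max(best, (len(in_window), len(accounts)))
    return flagged


if __name__ == "__main__":
    print("60 s window: ", detect_brute_force(SAMPLE_LOG))
    print("300 s window:", detect_brute_force(SAMPLE_LOG, window_seconds=300))
```

With the default 60-second window only the fast spray from 203.0.113.7 is reported; widening the window to five minutes also catches the slow spray from 192.0.2.9, while the legitimate user at 198.51.100.5 stays unflagged under both settings because every failure is against one account. The same logic applies to any alternate authentication path (API, POP/IMAP, mobile endpoint) that bypasses the interactive login page, which is exactly where this kind of attack goes.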

Tuesday, September 15, 2009

Microsoft Telnet Vulnerable to Remote Code Execution

The vulnerability reported for Microsoft Telnet could allow an attacker to obtain credentials and then use them to log back into affected systems. The attacker would then acquire user rights on the system identical to those of the logged-on user. This scenario could ultimately result in remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Click on the below link for more information:-

Monday, September 14, 2009

The legal risks of uncontrolled IM use

Instant Messaging (or "IM") is one of the newest forms of electronic communication and it is rapidly gaining ground as a form of mainstream business communication. Your organisation may have embraced IM wholeheartedly, perhaps installing enterprise versions of IM and opening up its gateways to business associates using public IM networks. While many businesses are aware of the possible benefits of IM, such as its ability to promote real-time communication amongst work colleagues and customers, most organisations have been slow to assess the likely impact of IM on their corporate risk profile, and therefore have no agreed policy on its use.
Click on the below link to download the white paper:-

Tuesday, September 8, 2009

World War 3.0: 10 Critical Trends for Cybersecurity

The Internet, private networks, VPNs, and a host of other technologies are quickly weaving the planet into a single, massively complex "infosphere." These connections cannot be severed without overwhelming damage to companies and even economies. Yet, they represent unprecedented vulnerabilities to espionage and covert attack.

These are the 10 Critical Trends for Cyberwar published on Enterprise security today website.

  • Technology Increasingly Dominates Both the Economy and Society
  • Advanced Communications Technologies Are Changing the Way We Work and Live
  • The Global Economy Is Growing More Integrated
  • Research and Development Play a Growing Role in the World Economy
  • The Pace of Technological Change Accelerates with Each New Generation of Discoveries and Applications
  • The United States Is Ceding Its Scientific and Technical Leadership to Other Countries
  • Technology Is Creating a Knowledge-Dependent Global Society
  • Militant Islam Continues to Spread and Gain Power
  • International Exposure Includes A Growing Risk of Terrorist Attack
  • The World's Population Will Grow To 9.2 Billion by 2050

To Read more about this in detail click on the below link:-

http://www.enterprise-security-today.com/story.xhtml?story_id=013000G50S4W&page=2

The Standard of Good Practice

The Standard of Good Practice for Information Security (the Standard) is the foremost authority on information security. It addresses information security from a business perspective, providing a practical basis for assessing an organisation’s information security arrangements.
   
The Standard represents part of the ISF's information risk management suite of products and is based on a wealth of material, in-depth research, and the extensive knowledge and practical experience of ISF Members worldwide.
   
The Standard is updated at least every two years in order to:
   
• respond to the needs of leading international organisations
• refine areas of best practice for information security
• reflect the most up-to-date thinking in information security
• remain aligned with other information security-related standards, such as ISO 27002 (17799), COBIT v4.1 and PCI/DSS
• include information on the latest ‘hot topics’.
The Standard is aimed at major national and international organisations that recognise information security as a key business issue. However, the Standard will also be of real, practical use to any type of organisation, such as a small- to medium-sized enterprise.
Before downloading the Standard, I request you to go through the ISF website for practical suggestions on using the Standard.
To download the Standard, click on the link below:-

Friday, August 28, 2009

Top 10 Windows Security Configurations

There are always top 10 lists that grab your attention; and this one should be no different. Windows provides many settings, options, and areas of configuration. In reality, this might be a Top 100 list, but there is only room for 10. This list is created from years of educating and asking myself questions like, “what do administrators do and not do when it comes to security?” This list seems to be where administrators fail to look and setup security. It also includes a few settings that are not all that well known, but certainly have huge rewards for securing your Windows environment. 
Click on the link below to get the Top 10 Windows Security Configurations:

Friday, August 21, 2009

Data breach avoidance begins with security basics, panel says

Companies can spend money fixing coding errors or invest millions in the latest and greatest security technologies, but still leave the business at risk to a major security breach if employees aren't properly trained and appropriate policies aren't set and enforced.

The biggest mistake leading to a data security breach is often pinpointed by investigators as a fundamental security error, according to a panel of experts who discussed the topic of data breaches Wednesday. The panel discussion, sponsored by security vendor, Bit9 Inc., included Bob Russo, general manager of the PCI Security Standards Council, Rich Baich, partner at Deloitte and Touche and former CISO of ChoicePoint and Tom Murphy, chief strategist of data protection vendor, Bit9.

Read More about this article at:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1365454,00.html

Hacker Used Twitter To Control Infected PCs

Criminals are finding inventive ways to exploit legitimate social networking services to help with their dirty work. One reason social networks are an attractive target for crooks is because their content is hard to monitor, and because people click on lots of links inside their accounts, which is a key way computer infections are spread.

Read more: http://www.enterprise-security-today.com/story.xhtml?story_id=11000CC0BPBO

Tuesday, August 18, 2009

Three indicted for Hannaford, Heartland data breaches

A federal grand jury has indicted a Miami man and two Russian hackers for their involvement in an international scheme to steal more than 130 million credit and debit card numbers from five companies. 
The indictment alleges the men conspired to conduct the largest credit and debit card data breach ever charged in the United States. 
The Department of Justice issued a statement today about the indictment, which accuses Albert Gonzalez, 28, and two unnamed Russian citizens of stealing data from Heartland Payment Systems Inc., 7-Eleven Inc. and Hannaford Brothers Co. Two other companies remain unnamed because their breaches have not been made public, the DOJ said.
Read more about this at:

Patch management study shows IT taking significant risks

The latest research around patch management is a good reminder for security teams to move patch diligence up the stack to applications and to resist disabling signature checking for performance in UTMs. 

Qualys Inc. presented an update at the recent Black Hat USA 2009 briefings to their Laws of Vulnerabilities research, a timely statistical review in light of the increase in Microsoft Internet Explorer, Microsoft Office, Adobe Reader, and Apple QuickTime application level attacks. The study, first conducted in 2004, is based on years of accumulated vulnerability scanning data of the Qualys installed base.
Read more about this article at:

Wednesday, August 12, 2009

Patch Tuesday: August, 2009: 4 workstation holes and a little something for everyone else

There’s plenty to keep us busy this month. Most of the vulnerabilities have Microsoft’s exploitability index of 1, meaning Microsoft expects consistent exploit code within the next 30 days. Half are workstation vulnerabilities. There’s one denial-of-service vulnerability for IIS web servers, one vulnerability affecting your WINS servers, and then three that could impact workstations but would mostly be found on servers.


Source: Ultimate Windows Security

Link: http://www.ultimatewindowssecurity.com/Default.aspx

Microsoft fixes Office Web Components vulnerability, kill-bit bypass

Microsoft repaired critical Office Web Components vulnerabilities being actively exploited in the wild since they were first acknowledged by the software giant last month. 

Microsoft also released an additional critical update to repair ActiveX vulnerabilities in its Active Template Library. The errors enable an attacker to bypass kill-bits, a feature commonly deployed by Microsoft to block attackers from exploiting complex interoperability vulnerabilities without addressing the underlying flaw. 

In all, Microsoft issued nine security updates Tuesday, including six rated critical, affecting Windows and Office Web Components.

Tuesday, August 11, 2009

Vulnerabilities, regulatory compliance drive data protection market

In this difficult economy -- some say because of the economy -- data security remains a spending priority. Companies still must meet regulatory compliance requirements; layoffs, and the specter of impending layoffs, have exacerbated corporate concerns about employees taking sensitive information out the door.

It's true that every information security technology in some way involves the data protection market -- everything from network firewalls and desktop antivirus to application security products (Web application firewalls, code review tools, etc.) However, there are two critical markets that deal with data directly and are generating some serious business: mobile data security (laptop encryption and portable device control), which Forrester Research Inc. pegs at a $1 billion-plus business, and data leakage (or loss) prevention (DLP). Forrester estimates the DLP market will be between $200 million and $250 million this year, while Gartner estimates around $300 million.

Read more: http://searchsecuritychannel.techtarget.com/news/article/0,289142,sid97_gci1361847,00.html

Corporate Web 2.0 Threats - FAQ

In this expert video, you will learn about Web 2.0 software, the threats it poses, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs.

Source: Techtarget

Link: http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352690,00.html

Friday, August 7, 2009

Microsoft to address critical vulnerability in Office Web Components

Microsoft will issue five critical security bulletins in its August Patch Tuesday release next week, including one that affects Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server, and another for both Windows and the Windows Client for Mac.

In its advance notice issued Thursday, Microsoft said that the critical bulletin affecting Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server addresses a vulnerability in Microsoft Office Web Components, first raised in security advisory 973472. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, remote code execution is possible and may not require any user intervention.

Read more at below link:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1363924,00.html?track=sy160

Denial-of-Service Attack Strands Twitter Users

A distributed denial-of-service attack took Twitter offline for several hours, preventing millions of users from tweeting. Security experts said the Twitter attack came through botnets via Sweden and Europe. While users had withdrawal pangs, businesses got pinched, and experts said Twitter needs more protection from DDoS attacks.

Say it isn't so! The Twitter bird's beak was closed Thursday as Twitter fought a distributed denial-of-service attack that shut it down for several hours. 

With the mini-blogging site down from 9 a.m. Eastern time until noon, its millions of members were unable to tweet by Web and by mobile phone. A tweet test brought an error message that the "network request failed."

Read more at below link: 

http://www.enterprise-security-today.com/story.xhtml?story_id=012000EWBOGO

Tuesday, August 4, 2009

How can you handle risks that come with social networking?

Social networking — whether it be Facebook, MySpace, LinkedIn, YouTube, Twitter or something else — is fast becoming a way of life for millions of people to share information about themselves for personal or business reasons. But it comes with huge risks that range from identity theft to malware infections to the potential for letting reckless remarks damage corporate and personal reputations.

I found an interesting article on the "networkworld" website which talks about social networking sites and the risks related to them. Click on the link below to read the full article.

http://www.networkworld.com/news/2009/042709-burning-security-social-networking.html

Monday, August 3, 2009

Chinese Hackers Crack Windows 7 Activation Codes

The pirated version even tricks the computer and Microsoft's servers into believing it is a genuine copy, allowing it to avoid Microsoft's validation safeguards. The report said that the copied software was hacked via a disc stolen from Chinese computer maker Lenovo, but that the pirated version would work just as well on Dell and HP computers too. 

Chinese hackers have cracked the activation codes for Windows 7, less than a month after Microsoft released the first copies of the new operating system to computer makers, technology news site CNET reported Thursday.

The crack will allow fully functional, copied versions of the Ultimate Version of Windows 7 to be distributed over file-sharing sites even before the operating system is released to the public in October. 
Read More about this at: http://www.enterprise-security-today.com/story.xhtml?story_id=00200059ERIC

Monday, July 20, 2009

PCI group releases wireless security guide

Merchants who need help in securing their wireless networks to comply with the PCI Data Security Standard now have a step-by-step guide.

The PCI Security Standards Council on Thursday released the wireless security guide, which was developed by its special interest group (SIG) on wireless technologies. The 28-page PCI DSS Wireless Guideline analyzes applicable PCI DSS requirements and provides recommendations for implementation.

Click the link below to download the wireless security guide:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

Source: techtarget

Thursday, July 16, 2009

Maturing cybercriminal economy buoyed by business savvy hackers

Buying and renting tools used by cybercriminals to conduct attacks and steal credentials is becoming much easier for the average person. "For Rent" signs hang on botnets, automated hacking toolkits are sold at bargain prices, and the data reaped by the criminal activity is sold and traded in online forums on a daily basis.

Researchers at networking giant Cisco Systems Inc. are warning of the increasingly sophisticated cybercriminal underground economy and how it could be attractive to those having trouble finding work or facing layoffs in a troubled global economy. Meanwhile, cybercriminals are borrowing some of the best strategies from legitimate companies and forming partnerships with one another to help make their illegal activities more lucrative, according to Cisco.

Read more about this info at:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361752,00.html?track=sy160

Mozilla warns of critical Firefox JavaScript vulnerability

Mozilla warned Tuesday that a critical flaw in its new Firefox 3.5 browser could be used to execute malicious code. 

The vulnerability is in Firefox 3.5's Just-in-time (JIT) JavaScript compiler, Mozilla reported on its security blog. The flaw, which was disclosed Monday, can be exploited by an attacker who dupes a user into viewing a webpage with the malicious code, according to Mozilla. 

Danish vulnerability clearinghouse Secunia rated the vulnerability highly critical in its security advisory. 

Mozilla is working on a fix for the flaw, but said it can be mitigated by disabling JIT in the JavaScript engine and provided instructions in its blog post. "Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure," the organization noted.

Researchers Rate All Six Microsoft Patches as Critical

Microsoft rated three of six Patch Tuesday issues as critical, but security researchers say the other three can quickly escalate. Wolfgang Kandek of Qualys said the ISA, Publisher and virtualization vulnerabilities can give a remote attacker control of a computer. Andrew Storms of nCircle hopes for a more complete ActiveX patch later.

Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical. 

Wolfgang Kandek, CTO of Qualys, said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer.

Read more about this info at:

http://www.enterprise-security-today.com/story.xhtml?story_id=033002ET9D49

Tuesday, July 14, 2009

Microsoft warns of new Office Web Components vulnerability

Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers. The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said.

Read more about this at:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html?track=sy160


Cloud-based security services should start private

Many early stage cloud vendors have it backwards when it comes to offering cloud-based services. They implement Software as a Service (SaaS) first to demonstrate their vision and then develop enterprise integration features. But the right way to go about it is to support corporate clouds in early product releases.

IT is typically conservative about business risk and likes to retain control over sensitive data and applications. Security SaaS vendors may be better served by allowing IT to start by hosting its own private cloud service, integrated with existing data repositories and administrative systems and then provide a path to the full cloud application environment.

Read more about this at:

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1361637,00.html?track=sy160

Thursday, July 9, 2009

DDoS attacks hit U.S., South Korean government websites

Security researchers and government IT personnel are investigating a series of distributed denial-of-service (DDoS) attacks wreaking havoc against U.S. and South Korean government websites. According to security researchers, the attacks began last weekend and were responsible for taking out the websites hosting the Federal Trade Commission and Department of Transportation, among others. A spokeswoman for the FTC did not return a phone call seeking comment.

Read more about this on the below link:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361258,00.html?track=sy160#

Wednesday, July 8, 2009

Researchers to demonstrate new EV SSL man-in-the-middle hacks

Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.

Read More about this at: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361180,00.html?track=sy160

Tuesday, July 7, 2009

Microsoft Working on Patch for IE ActiveX Vulnerability

Microsoft has warned of an Internet Explorer vulnerability involving its Video ActiveX Control that could let an attacker take control of a PC. Microsoft said the vulnerability affects Windows XP and Windows Server 2003. It offered a workaround to the IE ActiveX hole that it said should also be used for Windows Vista and Windows Server 2008.

Microsoft has warned of a vulnerability in its Video ActiveX Control that affects Windows XP and Windows Server 2003. The software giant said there have been limited attacks exploiting the vulnerability.

The flaw could be exploited by a visit to a malicious Web site and allow an attacker to take control of a PC. Microsoft said it is working on a security update, and in the meantime advised that users prevent the Microsoft Video ActiveX Control from running in Internet Explorer.

Click on the below link to read more:

http://www.enterprise-security-today.com/story.xhtml?story_id=012000VKGFV0
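The workaround described above, "prevent the control from running in Internet Explorer", is what the IE "kill bit" mechanism does: a per-CLSID registry flag that makes IE refuse to instantiate a control. The script below is an added example for administrators, not code from the article or from Microsoft's advisory. It assumes the kill-bit registry layout (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, DWORD "Compatibility Flags" with bit 0x400 set) and uses a placeholder CLSID; the real CLSIDs for the affected control are in the vendor advisory, not on this page.

```powershell
# Added example (not from the article or Microsoft's advisory): set and verify the
# Internet Explorer kill bit for an ActiveX control so IE refuses to load it.
# Run from an elevated (Administrator) PowerShell session.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that marks a control as killed

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any compatibility flags already present and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

function Test-ActiveXKillBit {
    # Returns $true only if the key exists and the kill bit is set.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

# Placeholder CLSID: replace with the CLSIDs listed in the vendor advisory.
$ClsidsToKill = @('{00000000-0000-0000-0000-000000000000}')

foreach ($clsid in $ClsidsToKill) {
    Set-ActiveXKillBit -Clsid $clsid
    '{0} kill bit set: {1}' -f $clsid, (Test-ActiveXKillBit -Clsid $clsid)
}
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so the flag must be set there as well. Test-ActiveXKillBit is the check to run across a fleet after deployment, since a missing key and a key without the 0x400 bit both leave the control loadable.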

'BugDay' Planned To Fix Bugs in New Firefox 3.5

A "BugDay" has been set for the Mozilla community to focus on bugs in the just-released Firefox 3.5. The bugs in Firefox 3.5 include longer load times, crashes linked to the TraceMonkey JavaScript engine, and Windows XP compatibility problems. Mozilla plans to release Firefox 3.5.1 with the bug fixes later this month.

Mozilla is scrambling to fix bugs in its just-released Firefox 3.5 browser. Users are posting complaints about problems across the Web.

Those problems include longer load times and crashes linked to the TraceMonkey JavaScript engine. The browser also reportedly has problems with Windows XP. Mozilla has set a community "BugDay" for July 7 to address the bugs in open-source Firefox 3.5. 

Read more about this on the below link:

http://www.enterprise-security-today.com/story.xhtml?story_id=012000VRLMP0&full_skip=1



Friday, July 3, 2009

nCircle statistics show rising Web application vulnerabilities

Web application security scanners are finding increasing numbers of coding errors, according to the latest statistics from compliance auditing vendor nCircle.

The latest study by nCircle found that Web application vulnerabilities from 2007 to 2008 increased by 154% and are continuing to grow by 25% so far this year. But the growth occurred even as the total number of overall security flaws is decreasing, said the security vendor. 

Click the below link to read more:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360879,00.html?track=sy160

Thursday, July 2, 2009

Twitter risks, Facebook threats trouble security pros

The explosive growth in social networking has positioned many security teams solidly between a rock and a hard place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other organizations' innovative use of new business tools.

Click on the below link to read more:

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1360757,00.html?track=sy160

Twitter vulnerability project highlights Bit.ly flaws

A security researcher highlighting vulnerabilities in third-party Twitter applications this month focused on several serious cross-site scripting (XSS) flaws in the popular Bit.ly link-shortening service.

Aviv Raff launched the Month of Twitter Bugs, showcasing the Bit.ly errors. Raff gave notice to Bit.ly programmers, and in less than three hours the final flaw was patched.

Click on the below link to read more:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360772,00.html?track=sy160

Tuesday, June 30, 2009

Protect Yourself on Facebook

Most of us know Facebook well. Many are addicted to social networking sites for various reasons.

Love them or hate them, social networking sites are here to stay. And users are going to find ways to use them from home, from work, from smart phones, from shared computers, or from anywhere else they care to.

The whipped cream is out of the can. Now what can we do about it?

I found an interesting article on the esecurityplanet site which talks about "How to Protect Yourself on Facebook".

Read the article on below link:

http://www.esecurityplanet.com/views/article.php/3816266/Protect-Yourself-on-Facebook.htm

Trojans are fastest-growing data-stealing malware

Most of the rise in cybercrime can be linked to data-stealing malware, and trojans are the fastest growing category, according to a report released Monday by Trend Micro.

For example, in 2007, 52 percent of data-stealing malware were trojans; in 2008, that number increased to 87 percent, according to the report, titled Focus Report: Data Stealing Malware.

As of the first quarter of 2009, 93 percent of data-stealing malware were trojans.

Click below mentioned link to read more about this article:

http://www.scmagazineus.com/Trojans-are-fastest-growing-data-stealing-malware/article/139252/

New Trojan stealing FTP credentials, attacking FTP websites

Security researchers have discovered a new Trojan that has harvested as many as 80,000 unique FTP server logins and is now beginning to target domains, injecting malicious scripts into compromised FTP sites.

So far up to 74,000 unique FTP sites are affected, according to security vendor Prevx, which discovered a server containing the FTP credentials. The list of compromised FTP websites contains some high-profile names, including software resellers of security vendors Symantec and McAfee, Bank of America, Amazon.com and others.

Click on the below link to read more:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360524,00.html?track=sy160#

Most Dangerous Web Searches


In a new report, McAfee identifies what popular search keywords are most likely to lead to malware. The answers may surprise you, and give you pause as you search for your favorite song lyrics on Google. Last year, Google detected one trillion unique URLs on the Web at once. The vehicle that gets users to those places is search, but within those trillion URLs are a lot of dark alleyways that are home to attackers.

To read more click on the below link:

http://www.eweek.com/c/a/Security/McAfee-IDs-Most-Dangerous-Web-Search-808302/

Friday, June 12, 2009

Record-Breaking Patch Tuesday Announced

In a record-breaking Patch Tuesday, Microsoft issued 10 security bulletins and two security advisories this month. The bulletins address a total of 31 vulnerabilities, 17 of which are rated as critical. The previous record was 28 last December. Analysts said enterprises need all hands on deck to get systems patched as quickly as possible.

Of the patches issued this month, the most significant appear to be several that affect Internet Explorer, as the Web continues to be a preferred method of exploit by cybercriminals, according to Ben Greenbaum, senior research manager at Symantec Security Response.

"The four Internet Explorer fixes that address HTML object memory corruption vulnerabilities (the first ever patch for Internet Explorer 8 being among these) are of particular interest," Greenbaum said. "These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities."