Monday, July 20, 2009

PCI group releases wireless security guide

Merchants who need help in securing their wireless networks to comply with the PCI Data Security Standard now have a step-by-step guide.

The PCI Security Standards Council on Thursday released the wireless security guide, which was developed by its special interest group (SIG) on wireless technologies. The 28-page PCI DSS Wireless Guideline analyzes applicable PCI DSS requirements and provides recommendations for implementation.

Click the below link to download wireless security guide:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

Source: techtarget

Thursday, July 16, 2009

Maturing cybercriminal economy buoyed by business savvy hackers

Buying and renting tools used by cybercriminals to conduct attacks and steal credentials is becoming much easier for the average person. "For Rent" signs hang on botnets, automated hacking toolkits are sold at bargain prices, and the data reaped by the criminal activity is sold and traded in online forums on a daily basis.

Researchers at networking giant Cisco Systems Inc. are warning of the increasingly sophisticated cybercriminal underground economy and how it could be attractive to those having trouble finding work or facing layoffs in a troubled global economy. Meanwhile, cybercriminals are borrowing some of the best strategies from legitimate companies and forming partnerships with one another to help make their illegal activities more lucrative, according to Cisco.

Read more about this info at:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361752,00.html?track=sy160

Mozilla warns of critical Firefox JavaScript vulnerability

Mozilla warned Tuesday that a critical flaw in its new Firefox 3.5 browser could be used to execute malicious code. 

The vulnerability is in Firefox 3.5's Just-in-time (JIT) JavaScript compiler, Mozilla reported on its security blog. The flaw, which was disclosed Monday, can be exploited by an attacker who dupes a user into viewing a webpage with the malicious code, according to Mozilla. 

Danish vulnerability clearinghouse Secunia rated the vulnerability highly critical in its security advisory. 

Mozilla is working on a fix for the flaw, but said it can be mitigated by disabling JIT in the JavaScript engine and provided instructions in its blog post. "Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure," the organization noted.

Researchers Rate All Six Microsoft Patches as Critical

Microsoft rated three of six Patch Tuesday issues as critical, but security researchers say the other three can quickly escalate. Wolfgang Kandek of Qualys said the ISA, Publisher and virtualization vulnerabilities can give a remote attacker control of a computer. Andrew Storms of nCircle hopes for a more complete ActiveX patch later.

Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical. 

Wolfgang Kandek, CTO of Qualys, said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer.

Read more about this info at:

http://www.enterprise-security-today.com/story.xhtml?story_id=033002ET9D49

Tuesday, July 14, 2009

Microsoft warns of new Office Web Components vulnerability

Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers.The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said.

Read more about this at:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html?track=sy160


Cloud-based security services should start private

Many early stage cloud vendors have it backwards when it comes to offering cloud-based services. They implement Software as a Service (SaaS) first to demonstrate their vision and then develop enterprise integration features. But the right way to go about it is to support corporate clouds in early product releases.

IT is typically conservative about business risk and likes to retain control over sensitive data and applications. Security SaaS vendors may be better served by allowing IT to start by hosting its own private cloud service, integrated with existing data repositories and administrative systems and then provide a path to the full cloud application environment.

Read more about this at:

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1361637,00.html?track=sy160

Thursday, July 9, 2009

DDoS attacks hit U.S., South Korean government websites

Security researchers and government IT personnel are investigating a series of distributed denial-of-service (DDoS) attacks wreaking havoc against U.S. and South Korean government websites.According to security researchers, the attacks began last weekend and were responsible for taking out the websites hosting the Federal Trade Commission and Department of Transportation, among others. A spokeswoman for the FTC did not return a phone call seeking comment.

Read more about this on below link:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361258,00.html?track=sy160#

Wednesday, July 8, 2009

Researchers to demonstrate new EV SSL man-in-the-middle hacks

Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack 
SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
that poisons a site protected by an EV certificate.

Read More about this at: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361180,00.html?track=sy160

Tuesday, July 7, 2009

Microsoft Working on Patch for IE ActiveX Vulnerability

Microsoft has warned of an Internet Explorer vulnerability involving its Video ActiveX Control that could let an attacker take control of a PC. Microsoft said the vulnerability affects Windows XP and Windows Server 2003. It offered a workaround to the IE ActiveX hole that it said should also be used for Windows Vista and Windows Server 2008.

Microsoft Relevant Products/Services has warned of a vulnerability in its Video ActiveX Control that affects Windows XP and Windows Server 2003. The software giant said there have been limited attacks exploiting the vulnerability.

The flaw could be exploited by a visit to a malicious Web site and allow an attacker to take control of a PC. Microsoft said it is working on a security Relevant Products/Services update, and meantime advised that users prevent Microsoft Video ActiveX Control from running in Internet Explorer. 
click on the below link to read more:

http://www.enterprise-security-today.com/story.xhtml?story_id=012000VKGFV0

'BugDay' Planned To Fix Bugs in New Firefox 3.5

A "BugDay" has been set for the Mozilla community to focus on bugs in the just-released Firefox 3.5 The bugs in FireFox 3.5 include longer load times, crashes linked to the TraceMonkey JavaScript engine, and Windows XP compatibility. Mozilla plans to release Firefox 3.5.1 with the bug fixes later this month.

Mozilla is scrambling to fix bugs in its just-released Firefox 3.5 browser. Users are posting complaints about problems across the Web.

Those problems include longer load times and crashes linked to the TraceMonkey JavaScript engine. The browser also reportedly has problems with Windows XP. Mozilla has set a community "BugDay" for July 7 to address the bugs in open-source Firefox 3.5. 

Read more about this one below link:

http://www.enterprise-security-today.com/story.xhtml?story_id=012000VRLMP0&full_skip=1



Friday, July 3, 2009

nCircle statistics show rising Web application vulnerabilities

Web application security scanners are finding increasing numbers of coding errors, according to the latest statistics from compliance auditing vendor, nCircle.

The latest study by nCircle found that Web application vulnerabilities from 2007 to 2008 increased by 154% and are continuing to grow by 25% so far this year. But the growth occurred even as the total number of overall security flaws is decreasing, said the security vendor. 

Click the below link to read more:-

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360879,00.html?track=sy160

Thursday, July 2, 2009

Twitter risks, Facebook threats trouble security pros

The explosive growth in social networking has positioned many security teams solidly between a rock and a hard place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other organizations innovative use of new business tools.

Click on the below link to read more:

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1360757,00.html?track=sy160

Twitter vulnerability project highlights Bit.ly flaws

A security researcher highlighting vulnerabilities in third-party Twitter applications this month focused on several serious cross-site scripting (XSS) flaws in the popular Bit.ly link-shortening service.
Aviv Raff launched the Month of Twitter Bugs, showcasing the Bit.ly errors. Raff gave notice to Bit.ly programmers and in less than three hours the final flaw was patched.

Click on the below link to read more:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360772,00.html?track=sy160