Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
Lots of articles on privacy, intrusion detection, and denial of service info this week. Two book reviews, and much more! Enjoy.
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
School Spy Program Used on Students Contains Hacker-Friendly Security Hole (May 24)
A controversial remote administration program that a Pennsylvania school district installed on student-issued laptops contains a security hole that put the students at risk of being spied on by people outside the school, according to a security firm that examined the software.
(May 24)
Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software.
Cloud computing will improve security says survey (May 24)
Results from a survey just released make the interesting assertion that cloud computing - far from causing IT security problems in businesses - will actually improve security for most organisations.
(May 24)
Google has stopped deleting the personal data its Street View cars collected from open Wi-Fi networks, following what the company called "some uncertainty" over the deletion process.
History stealing 2.0 - I know where you live (May 24)
Two developers have refined techniques for rummaging through browser histories to the extent that web sites can now find out what articles a user has recently read on news sites, their exact postcode and which search terms they have entered into search engines. The developers, Artur Janc and Lukasz Olejnik, have now refined their JavaScript code to carry out history stealing six times faster than previous methods.
Hackers penetrate Carder forum (May 24)
Hackers have penetrated German underground forum carders.cc, copied login details, e-mail addresses and private e-mails from several thousand members and published them on RapidShare. According to a list seen by The H's associates at heise Security, the forum software had also logged the IP addresses of nearly one thousand members over a specific period. These have also been published.
(May 24)
The disclosure earlier this year of attacks originating in China and targeting Google and other large corporations proves that today's cybercriminals are sophisticated and out for financial gain, not bragging rights. These targeted, multipronged intrusions draw on a range of techniques and tools, including exploitable vulnerabilities, inside information, and attackers' sheer persistence.
(May 24)
Security practitioners are increasingly bent on better code security, as Microsoft SDL, BSIMM and Rugged demonstrate. Here's how it became Priority 1 for one of the nation's largest energy providers.
Malware on Hijacked Subdomains. New Trend? (May 24)
Yesterday, Patrick (aka Noxwizard, phpBB support team member) pointed me at the new malware attack that surfaced this week (first mentioned on May 16th). The attack creates/modifies .htaccess files to redirect site visitors that come from major search engines and popular websites (e.g. Twitter, Facebook, Wikipedia, Flickr, eBay, etc.) to scareware sites that aggressively push fake anti-virus software.
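As an added example (not from the newsletter or the article it summarises), here is a small detector for the kind of .htaccess tampering described above: it flags a RewriteRule that redirects off-site and is gated by a RewriteCond on HTTP_REFERER naming a major search engine or social site. The referer keyword list and both sample .htaccess files are constructed for illustration.

```python
"""Detect referer-gated external redirects in .htaccess files (hypothetical
detector written for this newsletter item; samples below are constructed)."""
import re
from pathlib import Path

# Referer sources the described hijack keys on (constructed from the item's list).
REFERER_SOURCES = ("google", "bing", "yahoo", "twitter", "facebook",
                   "wikipedia", "flickr", "ebay")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)\s*\[([^\]]*)\]", re.I)

def find_referer_redirects(htaccess_text):
    """Return (referer_pattern, target_url) for every RewriteRule that carries
    the R (redirect) flag, points at an absolute URL, and is preceded by a
    RewriteCond on %{HTTP_REFERER} mentioning one of REFERER_SOURCES."""
    findings = []
    pending = []  # RewriteCond patterns seen since the last RewriteRule
    for line in htaccess_text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            target, flags = m.group(1), m.group(2)
            is_redirect = any(f.strip().upper().startswith("R") for f in flags.split(","))
            if is_redirect:
                for cond in pending:
                    if any(src in cond.lower() for src in REFERER_SOURCES):
                        findings.append((cond, target))
            pending = []  # conditions only apply to the rule that follows them
    return findings

def scan_webroot(root):
    """Walk a document root and return {path: findings} for suspicious .htaccess files."""
    return {str(p): hits for p in Path(root).rglob(".htaccess")
            if (hits := find_referer_redirects(p.read_text(errors="replace")))}

# Constructed sample modelled on the redirect the item describes.
SAMPLE_MALICIOUS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|twitter|facebook)\\. [NC]
RewriteRule ^(.*)$ http://scareware.example/index.php?q=$1 [R=302,L]
"""
# Constructed benign file: a plain HTTP-to-HTTPS redirect, not referer-gated.
SAMPLE_BENIGN = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
"""
```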
Heartland Reaches $41 Million Settlement With MasterCard Over Data Breach (May 24)
In a legal settlement over its 2008 security breach, Heartland Payment Systems has agreed to pay up to $41.4 million to MasterCard Worldwide and its card issuers to repay operational costs and fraud losses attributed to the breach.
(May 24)
In vulnerability assessment scanning, preparation and planning can make the difference between an accurate and illuminating scan and a big IT headache. Failure to account for and accommodate legacy hardware and software, port management strategies, traffic patterns, and usage schedules can all contribute to a vulnerability scan that has the potential for causing as many problems as it identifies.
DARPA Internet security initiative seeks to guarantee military safe, anonymous access to the Web (May 21)
Internet security experts at the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., are asking industry to develop ways to guarantee the military safe and anonymous access to the Internet amid hostile attempts to disrupt government cyber communications.
Facebook's Privacy Battle: How to Put Your Profile on Lockdown (May 21)
Over the past few months, Facebook has repeatedly found itself in hot water over its privacy protocols. But in the past week, the simmering resentment of many users burst into flames as the site's privacy protocol became even more complicated and it began linking user information to other sites.
Un-Cryptic NSA Talks Crypto on IE Radio (May 21)
Does business really have anything to learn from government? I pondered this notion, listening to Margaret Salter, one of the top encryption policy experts at the National Security Agency, on IE Radio this week.
(May 21)
Information security was always an esoteric field but with personal computing came personal security issues, culminating in the identity theft problem that concerns even the most techno-phobic of consumers. It's about to get much worse.
76% Of Users Exposing Their Browsing Histories (May 21)
This is actually a very old flaw: it is part of the core HTTP standards, and it exploits the very way in which the Internet works. Basically, most browsers expose browsing history if probed in the right way; until now it was simply too resource-intensive to get any useful data.
Using Linux to Disinfect Windows (May 21)
Are you responsible for one or more Windows computers? If yes then the odds are really good that you have had to deal with cleaning viruses and malware. Did you know F-Secure offers a free Rescue CD built on Knoppix for just this purpose? Let's take a look at how easy the F-Secure Rescue CD is to use.
Quantum key security hacked for first time (May 21)
An important weakness has been discovered in the technology of quantum key distribution (QKD), which is increasingly being used by military and government to secure sensitive communications.
Security: FOSS/CSS Updates - Are They Worth Anything? (May 20)
The short answer: Updates are worthless if one does not apply them. Once again I find myself cleaning malware off of a home user's Microsoft-based notebook PC. Once again, while it has anti-virus software installed, it was infected by a "drive-by attack" from a web page.
Nasa hacker McKinnon's extradition halted for review (May 20)
New home secretary Theresa May has paused Gary McKinnon's extradition proceedings so she can fully consider the issues in his case. May has applied for a judicial review hearing, scheduled for Tuesday next week, to be adjourned, the Home Office said on Thursday.
Former hacker praises Microsoft on security (May 20)
There's no safe place on the Web, reports former hacker Marc Maiffret, who shared some interesting insights recently with CNET.com regarding Internet security. Nearly a decade after he exposed the vulnerability used by the Code Red worm, Maiffret gave Microsoft's security model high marks.
Wikileaks founder's passport confiscated (May 20)
Julian Assange, the founder of the whistleblower website Wikileaks, has had his passport confiscated by immigration officials when he arrived at Melbourne Airport last week.
Symantec confirms VeriSign deal (May 20)
In case your boss ever questions whether security is big business... Symantec will pay US$1.28 billion to acquire VeriSign's security business. The two companies confirmed the rumored acquisition, saying it would give VeriSign the opportunity to focus on its more-profitable domain name business, while allowing Symantec to broaden its growing portfolio of enterprise security products.
Sergey Brin: 'We screwed up' on Street View Wi-Fi grab (May 20)
Google co-founder Sergey Brin says the company "screwed up" when it equipped its world-roving Street View cars with software code that spent three years capturing personal data from open Wi-Fi networks.
Man charged with attacking O'Reilly, Coulter websites (May 20)
Think this guy's a democrat? A former college student has been charged with using the school's computer network to control a botnet and launch distributed denial-of-service (DDoS) attacks against conservative websites belonging to Bill O'Reilly, Ann Coulter and Rudy Giuliani.
(May 20)
The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools--Burp Suite Professional. It's a great tool for Web application penetration testing and a new update was just released. But, of course, the big news that has everyone talking is the Metasploit releases.
Electronic Frontier Foundation knocks web browser privacy (May 19)
Even without cookies, popular browsers such as Internet Explorer and Firefox give web sites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation.
Samba update fixes DoS vulnerabilities (May 19)
Released last week, version 3.4.8 of the free Samba file and print server fixes various holes, including two denial of service (DoS) vulnerabilities which allow attackers to remotely crash the smbd service. One of the problems is caused by a null pointer dereference when processing a certain series of SMB headers that include a specific combination of flags.
What On Earth was I Thinking?! (May 19)
This is the first in a series of posts detailing the journey and experiences of Joseph Sokoly as a first time speaker in InfoSec. Continuing on the "things I learned from speaking" track, the next step is why I did what I did. What would prompt someone to speak at their first InfoSec con ever? And for that, it's time for a story.
How To Make Hosted Web Security Services Work (May 18)
Outsourcing Web security functions sounds good on paper, but how do you make hosted services work in your organization? A new Dark Reading report offers some answers.
EFF: Forget cookies, your browser has fingerprints (May 18)
Even without cookies, popular browsers such as Internet Explorer and Firefox give Web sites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation.
Why open source won't prevent cloud lock-in (May 18)
One of open source's promises is to minimize vendor lock-in. However, it's not so apparent that this value proposition holds when using software as a service (SaaS) or cloud-based platform services. The implication is clear: So-called open source cloud platforms, like the recently announced VMforce, are no more open than proprietary clouds -- and believing otherwise will trap you into unintended lock-in.
Managing the private encryption keys to the kingdom (May 18)
At its core the PCI Data Security Standard is nothing more than a series of guidelines that constitute security best practices. But companies that institute programs to better protect cardholder data can also leverage and extend these efforts throughout their business, ensuring that other sensitive customer, employee and partner data is better protected.
Hacker Gary McKinnon to be Tried In Britain (May 17)
Scots computer hacker Gary McKinnon is set to avoid extradition and be tried in Britain, the Scottish Sunday Express can reveal. The 43-year-old's family expects confirmation from the new Government within days that the decision to send Gary to the USA has been overturned.
(May 17)
Amazon.com just posted my three star review of Masters of Deception by Michelle Slatella and Joshua Quittner. From the review: Masters of Deception (MOD) by Michelle Slatella and Joshua Quittner tells the tale of the self-proclaimed Masters of Deception, a phone phreaking and proto-computer hacker crew from the early 1990s.
Google says Street View cars collected WiFi data by mistake (May 17)
Google has admitted that it mistakenly collected data sent over WiFi networks using its Street View cars gathering images for Google's controversial Street View service.
Security Patching: What Your Vendors Aren't Telling You (May 17)
In recent years, software manufacturers appeared to be increasing the transparency of communication about bugs. The Internet has allowed for rather rapid delivery of software patches, and Microsoft Corp. even releases details in its security bulletins and accompanying Webcasts. However, all is not what it seems...
Upcoming MySQL patch fixes several critical vulnerabilities (May 17)
William wrote in to let us know that the changelog for the upcoming MySQL release, version 5.1.47, has been published, and it appears this release fixes several critical vulnerabilities and probably should be applied as quickly as is reasonable.
Officials: Hacking was outside eatery (May 17)
A security breach that has compromised the credit and debit cards of recent customers at the Mellow Mushroom in Warner Robins is believed to have occurred outside the restaurant, police and the restaurant's lawyer said Friday.