Wednesday, March 31, 2010
Security Job
Installing Video Surveillance @ a residential home today. Hurry up and get your house protected! Lowest prices in town GUARRANTEED
Tuesday, March 30, 2010
Microsoft defends IE8 following hacking contest
Though Internet Explorer 8 was only one of several products hacked in a recent contest, Microsoft is standing up for its browser.
Microsoft's official Windows Security blog on Friday discussed the specific features that were hacked to win the contest, explaining that IE's security techniques aren't designed to thwart every attack forever, but more to slow down the bad buys and make it harder for them to exploit vulnerabilities.
Last Wednesday's annual Pwn2Own hacking contest at the CanSecWest security show in Vancouver, B.C., pitted security experts and researchers against each other to see who was the top hacker. The contestants managed to hack not just IE8 on Windows 7 but also a non-jailbroken iPhone, Safari running on Snow Leopard, and Firefox on Windows 7.
Peter Vreugdenhil, an independent security researcher who won $10,000 for bypassing the security in IE8, said he exploited IE8 by sneaking past two of its key defenses--ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
The Microsoft blog posted for Pete LePage, a product manager from the Internet Explorer team, mentioned the security researchers and addressed ASLR and DEP. ASLR is designed to stop hackers from getting memory addresses they can use to compromise code. DEP tries to prevent malicious code from running in memory where executable files are not supposed to run.
In describing the way these security defenses work, the blog compared a computer to a fire-proof safe. Without these defenses in place, "a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several 'defense in depth' features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last." The blog said that both ASLR and DEP continued to be "highly effective protection mechanisms."
In hacking IE8, Vreugdenhil explained that the computer running the browser was compromised by visiting a Web site that launched the malicious code. He was then able to steal user rights on the PC, giving him the capability to run applications, such as the Windows calculator. The security researcher who hacked into Firefox said he also bypassed ASLR and DEP to gain control of the computer.
Microsoft's official Windows Security blog on Friday discussed the specific features that were hacked to win the contest, explaining that IE's security techniques aren't designed to thwart every attack forever, but more to slow down the bad buys and make it harder for them to exploit vulnerabilities.
Last Wednesday's annual Pwn2Own hacking contest at the CanSecWest security show in Vancouver, B.C., pitted security experts and researchers against each other to see who was the top hacker. The contestants managed to hack not just IE8 on Windows 7 but also a non-jailbroken iPhone, Safari running on Snow Leopard, and Firefox on Windows 7.
Peter Vreugdenhil, an independent security researcher who won $10,000 for bypassing the security in IE8, said he exploited IE8 by sneaking past two of its key defenses--ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
The Microsoft blog posted for Pete LePage, a product manager from the Internet Explorer team, mentioned the security researchers and addressed ASLR and DEP. ASLR is designed to stop hackers from getting memory addresses they can use to compromise code. DEP tries to prevent malicious code from running in memory where executable files are not supposed to run.
In describing the way these security defenses work, the blog compared a computer to a fire-proof safe. Without these defenses in place, "a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several 'defense in depth' features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last." The blog said that both ASLR and DEP continued to be "highly effective protection mechanisms."
In hacking IE8, Vreugdenhil explained that the computer running the browser was compromised by visiting a Web site that launched the malicious code. He was then able to steal user rights on the PC, giving him the capability to run applications, such as the Windows calculator. The security researcher who hacked into Firefox said he also bypassed ASLR and DEP to gain control of the computer.
Monday, March 29, 2010
Cisco warns of 'highly critical' SIP flaw
Cisco Systems has issued a range of security advisories giving details of 11 vulnerabilities in IOS, the operating system on which many of its products run.
One of the vulnerabilities, described as "highly critical," could lead to a hacker compromising the affected system or launching a denial-of-service attack against it. The advisories, issued Wednesday, are part of Cisco's twice-yearly schedule of security updates for IOS.
The highly critical vulnerability affects IOS version 12 devices running SIP, a protocol used by many businesses to set up and tear down voice and video calls. IOS version 12 is widely deployed.
One of the vulnerabilities, described as "highly critical," could lead to a hacker compromising the affected system or launching a denial-of-service attack against it. The advisories, issued Wednesday, are part of Cisco's twice-yearly schedule of security updates for IOS.
The highly critical vulnerability affects IOS version 12 devices running SIP, a protocol used by many businesses to set up and tear down voice and video calls. IOS version 12 is widely deployed.
Thursday, March 25, 2010
Washingon's new U.S. Cyber Command is prepped and ready but is still waiting for Senate approval of its new commander before it can open for business.
The new command would unify and administer the U.S. Department of Defense's vast computer networks to better defend against cyberattacks. In June, Defense Secretary Robert Gates approved the creation of Cyber Command as a unified, sub-division of U.S. Strategic Command to operate the Defense Department's information resources of 15,000 computer networks across 4,000 military bases in 88 countries.
Cyber Command is seen within the Defense Department as a vital reorganization needed to integrate its vast network of computing resources, which are currently operated separately. Appearing last week before the House Armed Services Committee's subcommittee on strategic forces, Air Force Gen. Kevin Chilton, the commander of U.S. Strategic Command, stressed the need to move away from the current segregation of resources.
"This segregation detracts from natural synergies and ignores our experience in organizing to operate in the air, land, sea, and space domains," said. "The establishment of U.S. CyberCom will remedy this problem in the cyber domain."
Army Lt. Gen. Keith Alexander, currently the director of the National Security Agency at Fort Meade, Md., has been nominated to run U.S. CyberCom. If confirmed, Alexander would be charged with commanding both the NSA and CyberCom and be promoted to a full general.
Since CyberCom is an internal reorganization, the Defense Department does not need approval from Congress to establish it. The defense secretary has the authority to do this on his own. However, the Defense Department has taken the effort to brief the appropriate congressional committees on its plans for CyberCom, according to a representative from the House Armed Services Committee.
But the nomination of Alexander to be promoted to a 4-star general and assigned the role of commander does need Senate confirmation, a process that's ongoing.
Further, most concerns over the initial operating capability of CyberCom have been addressed, according to the spokesperson. But questions remain about its future role and makeup. How will someone balance the dual roles of CyberCom commander and NSA director? And though the House Armed Services Committee may feel Alexander is up to the task of juggling both jobs, will the Defense Department have a source of future 4-star generals qualified to take on this challenge?
The Senate Armed Services Committee has posed a variety of questions to the Defense Department concerning its plans for CyberCom, according to a statement from Lt. Col. Eric Butterbaugh, a spokesman for the Office of the Assistant Secretary of Defense for Public Affairs. In particular, the committee has asked about its pending relationship with the NSA and has requested answers to all its questions before it can consider Alexander's nomination.
In response, Defense Department officials have met with staff from the committee, said Butterbaugh, and remains committed to answering any future questions. On its end, the Defense Department is hoping for a quick confirmation.
"The DOD looks forward to establishing this critical command as soon as the Senate confirms Lt. Gen. Alexander as its first commander," said Butterbaugh. "Improving the protection of military information networks in the 21st century is an urgent priority for the DOD."
The new command would unify and administer the U.S. Department of Defense's vast computer networks to better defend against cyberattacks. In June, Defense Secretary Robert Gates approved the creation of Cyber Command as a unified, sub-division of U.S. Strategic Command to operate the Defense Department's information resources of 15,000 computer networks across 4,000 military bases in 88 countries.
Cyber Command is seen within the Defense Department as a vital reorganization needed to integrate its vast network of computing resources, which are currently operated separately. Appearing last week before the House Armed Services Committee's subcommittee on strategic forces, Air Force Gen. Kevin Chilton, the commander of U.S. Strategic Command, stressed the need to move away from the current segregation of resources.
"This segregation detracts from natural synergies and ignores our experience in organizing to operate in the air, land, sea, and space domains," said. "The establishment of U.S. CyberCom will remedy this problem in the cyber domain."
Army Lt. Gen. Keith Alexander, currently the director of the National Security Agency at Fort Meade, Md., has been nominated to run U.S. CyberCom. If confirmed, Alexander would be charged with commanding both the NSA and CyberCom and be promoted to a full general.
Since CyberCom is an internal reorganization, the Defense Department does not need approval from Congress to establish it. The defense secretary has the authority to do this on his own. However, the Defense Department has taken the effort to brief the appropriate congressional committees on its plans for CyberCom, according to a representative from the House Armed Services Committee.
But the nomination of Alexander to be promoted to a 4-star general and assigned the role of commander does need Senate confirmation, a process that's ongoing.
Further, most concerns over the initial operating capability of CyberCom have been addressed, according to the spokesperson. But questions remain about its future role and makeup. How will someone balance the dual roles of CyberCom commander and NSA director? And though the House Armed Services Committee may feel Alexander is up to the task of juggling both jobs, will the Defense Department have a source of future 4-star generals qualified to take on this challenge?
The Senate Armed Services Committee has posed a variety of questions to the Defense Department concerning its plans for CyberCom, according to a statement from Lt. Col. Eric Butterbaugh, a spokesman for the Office of the Assistant Secretary of Defense for Public Affairs. In particular, the committee has asked about its pending relationship with the NSA and has requested answers to all its questions before it can consider Alexander's nomination.
In response, Defense Department officials have met with staff from the committee, said Butterbaugh, and remains committed to answering any future questions. On its end, the Defense Department is hoping for a quick confirmation.
"The DOD looks forward to establishing this critical command as soon as the Senate confirms Lt. Gen. Alexander as its first commander," said Butterbaugh. "Improving the protection of military information networks in the 21st century is an urgent priority for the DOD."
Monday, March 22, 2010
A number of BitDefender users, whose 64-bit Windows systems stopped working or were unable to be rebooted after security program updates, vented their frustration by flooding the antivirus vendor's forum pages over the weekend.
According to an IDG report, users on forum boards started signaling the problem on Saturday evening. The complainants said several Windows files, as well as the security vendor's own program files, were identified as "Trojan.FakeAlert.5" malware after they performed an update for their BitDefender antivirus programs.
In an e-mail update Monday to ZDNet Asia, Vitor Souza, BitDefender's global communications director, explained that "multiple" BitDefender and Windows files which comprise .exe, .dll and other binary files, were incorrectly detected as malware and "moved to quarantine."
According to an IDG report, users on forum boards started signaling the problem on Saturday evening. The complainants said several Windows files, as well as the security vendor's own program files, were identified as "Trojan.FakeAlert.5" malware after they performed an update for their BitDefender antivirus programs.
In an e-mail update Monday to ZDNet Asia, Vitor Souza, BitDefender's global communications director, explained that "multiple" BitDefender and Windows files which comprise .exe, .dll and other binary files, were incorrectly detected as malware and "moved to quarantine."
Subscribe to:
Posts (Atom)
