
Security & Privacy

World Bank under cyberattack?

The computer network used by the World Bank Group has suffered a series of at least six intrusions since mid-2007, according to a report.

The World Bank Group was first notified of the intrusions by the FBI in September 2007, when the bureau was investigating another cybercrime case involving transactions out of Johannesburg, South Africa. Fox News said it has an internal memo (PDF) describing the initial intrusion to World Bank Group employees.

The World Bank Group did not respond to a request for comment.

The World Bank Group, based in Washington, D.C., is not a traditional bank. It … Read more

Apple's October update fixes 20 security flaws

With the release of its Apple SA-2008-10-09 security update on Thursday, the Cupertino, Calif.-based computer company provided patches for nearly two dozen software flaws.

Some of the fixes included in the update, which can be obtained from Apple's Software Downloads page, are specific to Apple features, such as Single Sign On, Finder, and ColorSync. But the release also addresses an error introduced in Mac OS X 10.5.5. Other fixes are updates to open-source projects, including Apache, ClamAV, PHP, and Tomcat.

Apache: This patch affects users of Mac OS X v10.5.5 and Mac OS X … Read more

Microsoft to issue 11 security patches on Tuesday

On Thursday, Microsoft announced four security bulletins for next week. The announcement is intended as a heads-up for IT departments before Patch Tuesday. Four fixes are considered critical, six important, and one is moderate as ranked by the software giant.

Starting this month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. And on Tuesday, Microsoft is expected to provide with each bulletin an "exploitability index" to help system administrators prioritize the patches.

Among the critical patches, one each affects Windows, Internet Explorer, Microsoft … Read more

Parity provides free online identity management

Imagine finding the perfect gift via Google and then purchasing it in one click without typing in your password or credit card information. On Thursday, Parity, an information management company, announced a new Web service called CardPress that makes issuing online information cards a little easier.

Information cards are online equivalents of physical ID cards, such as a driver's license. Online customers would have an electronic wallet with various information cards, bypassing the need to type in user names and passwords. A student accessing a university network, for example, would simply present his or her electronic student information card. … Read more

Symantec eyes pay-per-use software

Virtualization could end expensive long-term software licensing in favor of a pay-per-use model, according to Symantec.

Executives at the company said that years- or months-long licenses covering multiple machines could be slashed using virtualized applications to licensing deals structured as pay per day, per hour, or even per second.

Virtualized or streaming applications, where software is run on a central machine and streamed to computers over a network, allow monitoring of precisely how long each instance of the software is used.

"You can detect application usage so you can cut the number of licenses down to what is being … Read more

Being smart about Web mail

There was an interesting article recently in The New York Times about getting locked out of a Gmail account.

In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo e-mail account. Suffice it to say that if someone learns your Web mail password, it's a very difficult situation--one that may not end well.

For one thing, the Web mail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Web mail account from Google (Gmail), Yahoo, or Microsoft (Hotmail) can't expect to talk … Read more

How botnets use 'bullet-proof' domains

Botnets are proving to be more resilient and harder to shut down.

That's largely due to increased use of methods that obscure the domain by constantly mapping it to different bots within the network, according to a recently released study (PDF).

The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" is a term to describe how the botnets use constant changes in the mapping of the hard-coded domain name … Read more

Former 'cyberczar' goes corporate

On Wednesday, HBGary announced that Andy Purdy has joined their advisory board.

Purdy, while a member of the White House, co-drafted the 2003 edition of the National Strategy to Secure Cyberspace, then joined the Department of Homeland Security. There, he served on the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). He went on to head both organizations and was dubbed by the media as the "cyberczar" of the United States until DHS appointed Greg Garcia as assistant secretary for cybersecurity and communications.

In 2006, Purdy … Read more

'Clickjacking' attack hides behind the mouse

On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.

Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their talk recently at OWASP NYC AppSec 2008 Conference at … Read more

Feds propose consolidation of personal info in databases

WASHINGTON--The federal government is trying to find better ways to standardize and coordinate personal information about American citizens that is currently spread across thousands of databases, according to a White House official.

There are more than 3,000 programs or databases in the federal government that hold personal information--Social Security numbers, addresses, fingerprints, and so on--yet the government is only beginning to develop a plan for collecting, protecting, and using such information.

"You have a lot of duplication of data" among various agencies, said Duane Blackburn, a policy analyst in the White House's Office of Science and Technology Policy. … Read more
