Vulnerabilities & attacks

'Curse of silence' smartphone flaw disclosed

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address … Read more

Defense contractors eye cybersecurity bonanza

The industry side of the military industrial complex is on the scent of the federal government's cybersecurity dollars.

Bloomberg has a year-end rundown on the efforts of the big defense contractors to tap into a market that could swell to $11 billion by 2013. Boeing and Lockheed, for instance, both set up new cyberdefense business units in the last six months, the news agency says, while Raytheon in the last 18 months has acquired a trio of network security providers and is looking to boost the number of its certified security engineers by 50 percent in 2009.

"The … Read more

Web browser flaw could put e-commerce security at risk

By Jonathan Stray

Updated at 3:30 p.m. PST with Microsoft comment, at 1:50 p.m. PST with VeriSign comment, at 10 a.m. PST with comment from cryptography expert Paul Kocher, and at 9 a.m. PST to reflect that presentation has taken place and include comment from cryptography expert Bruce Schneier.

BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.

They demonstrated how to forge security certificates used by secure Web sites, … Read more

Microsoft denies vulnerability in Windows Media Player

Updated: at 10 a.m. January 5 to correct alleged vulnerability to denial of service.

Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.

Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.

The investigation followed claims published Wednesday on the Bugtraq security mailing list by … Read more

Taking the classical approach to security

Ari Juels' fascination with numbers is the stuff of fiction, literally.

The chief scientist and director of RSA Laboratories recently completed a novel in which the protagonist is hired by the U.S. government to counter the efforts of Pythagoreans, a Greek group that believed in the supremacy of numbers--subscribing to the notion that by mastering numbers, one could understand and control the forces of the universe.

That concept, he told ZDNet Asia during a recent visit to Singapore, had been "a little silly" until cryptography developed to a stage where "mastery of certain mathematical problems could in principle lead to considerable power over computing resources and consequently over our lives."

The book, which will be launched at the RSA Conference 2009 in San Francisco in April, was, in essence, the coming together of two of Juels' interests--computer security and classical literature. He graduated from Amherst College in 1991 with degrees in Latin Literature and Mathematics.

Thirty-eight-year-old Juels, who joined RSA in 1996, shed some light on recent RFID (radio frequency identification) issues in e-passports, identity documents, and transport-related systems, as well as how to balance security and privacy.

Q: What are you currently working on?

Juels: With the acquisition of RSA by EMC, we've turned our attention to some of the special security problems that storage systems present. In particular, we've looked at...the ability of a client to verify that a file that is stored on remote servers is still there--intact. We've been able to develop a protocol which accomplishes the seemingly paradoxical property of enabling a client to verify that a file is completely intact--that every bit is there, not a single bit has been changed--without downloading the file. In fact, the archiving service can send a very short proof--some tens of bytes--and that's enough for the client to establish that the file is completely retrievable. That's been a major area of research for us.

Q: Is there a name for this concept?

Juels: There've been several names. I guess the most recent is an acronym called HAIL, for High Availability and Integrity Layer.… Read more

MIT students to help Boston secure subway fare system

Three MIT students who were sued by the Massachusetts Bay Transit Authority over their research into subway card vulnerabilities are now working with the transit authority to improve the fare collection system.

The lawsuit against the students was dismissed after a judge lifted a gag order in August that prevented the students from discussing their work. The students had planned to present their research at the Defcon hacker conference in Las Vegas on August 10, but canceled their presentation after a judge granted the MBTA's request for an injunction the day before.

"This is a great opportunity for … Read more

Looking ahead at security trends for 2009

In spite of the global economic recession, information security will continue to be a dominant IT priority in 2009. Why? There are simply too many threats and vulnerabilities creating a perpetual increase in IT risk.

With that, here is my top-10 list (in no particular order) of technologies and trends to watch for in the new year:

1. The evolving definition of endpoint security: Some analysts have declared that antivirus software is dead. I disagree and submit that endpoint security is simply evolving as a function of the changing threat landscape. This is the primary reason why Sophos (a legacy antivirus company) bought Utimaco (… Read more

Microsoft probing SQL Server vulnerability

Microsoft is investigating reports of a flaw that could allow someone to remotely execute code on a system running certain versions of SQL Server.

"Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory," the company wrote in a security advisory published on Monday. "Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time."

Affected … Read more

Microsoft warns of SQL Server vulnerability

Microsoft issued an advisory late Monday confirming a remote code execution vulnerability affecting its SQL Server line.

The vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

Not affected by this issue, Microsoft said, are systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008.

From Microsoft's advisory:

Microsoft is aware that exploit code has been published on the Internet … Read more

Check Point to acquire Nokia's security appliance business

Check Point Software Technologies announced Monday it plans to acquire the security appliance business of cell phone giant Nokia.

With the acquisition, the security software maker plans to use Nokia's security appliance business to broaden its footprint in the security appliance market.

Check Point, which is predominately known for its security firewall business, has branched out into the security appliance business over the past five years, beginning with its VPN-1 Edge device.

Nokia's security appliance business currently serves 23,000 customers throughout the world and is already designed to work with Check Point's firewall, virtual private network (… Read more