security

Dangerous Web sites, strings attached

As the automated Mpack attack continues to turn thousands of legitimate Web sites into compromised sites offering drive-by downloads of malicious software, security researcher Roger Thompson over at Exploit Prevention Labs reminds us there are other exploits compromising legitimate sites, and some are as easy to find as entering a simple search string on Google. For more than a week (starting before the current Mpack attack), Thompson has been posting a list of dangerous search strings on his blog site. I've collected these and indicated in parentheses some of the known exploits associated.

atlas mountains country (WebAttacker 2 or … Read more

Trillian critical security update released

Cerulean Studios on Monday released a "highly critical" security update for its Trillian multi-protocol chat software.

Attackers could exploit vulnerabilities in the character encoding for Trillian 3.1.5.1--specifically, the word-wrapping handling of UTF-8, the Unicode Transformation Format used for encoding characters in e-mail, instant messages and Web pages, iDefense Labs warned in its security advisory. The vulnerabilities potentially could affect earlier versions of the Trillian software as well, iDefense said.

Trillian, which supports Yahoo's Instant Messenger, AOL's AIM, MSN Messenger, and Internet-relay chat and ICQ ("I seek you") instant-messaging protocols, could be … Read more

Congress to grill Homeland Security on cyberweaknesses

A congressional panel that has been none too pleased about various federal agencies' responses to cyber threats plans on Wednesday to put the Department of Homeland Security's chief information officer in the hot seat.

The title of the latest House of Representatives Homeland Security Committee hearing--"Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security"--suggests another bruising may be on the horizon for CIO Scott Charbo and the oft-criticized agency chiefly responsible for overseeing the nation's cybersecurity efforts.

The event follows an April hearing that focused primarily on cyberattacks involving computers at the State and Commerce Departments. … Read more

What's behind the security acquisition spree?

It must be buying season in the security industry, because there seems to be a new acquisition announced each day. Two recent purchases grabbed my attention. Last week, IBM bought application firewall vendor Watchfire, adding the company to its Rational Software division. Not to be outdone, Hewlett-Packard on Tuesday grabbed application vulnerability tools vendor SPI Dynamics, adding value to another recent addition, Mercury. Why all the activity in the application security space?

1. Web applications are the binary equivalent of Swiss cheese. Many are written rapidly by developers who are paid to add new business logic and meet deadlines. Security … Read more

HP acquires SPI Dynamics

HP today announced its acquisition of SPI Dynamics. The company specializes in Web application security, and SPI Dynamics' technology is already integrated with HP Quality Center software.

According to HP, the acquisition adds quality management services to its software portfolio and builds on its Business Technology Optimization (BTO) strategy.

Privately held SPI Dynamics is headquartered in Atlanta, has 140 employees, and serves more than 1,000 customers in the federal government, financial services, and health care industries. Expected to close in the third quarter of 2007, the acquisition is subject to certain closing conditions. Upon completion, SPI Dynamics will become … Read more

Massive Web attack gains momentum

Over the weekend, thousands of legitimate English-language Italian Web sites fell victim to one line of code. Taking advantage of the trust the users have in the sites they visit, the malicious code silently redirects browsers via JavaScript to servers containing a variety of drive-by exploits. If the visiting computer is unpatched for a variety of operating system, browser, and specific application flaws, malicious code is downloaded. Once installed, the new software can then be used to steal personal information or enlist a compromised machine in attacks on other machines. According to security vendor Websense, the attack now affects over … Read more

Yet another URL flaw for Safari 3.0 for Windows beta

Security researcher Robert Swiecki, who two days ago disclosed a URL vulnerability within the new Safari 3.0 for Windows beta, has another. The new flaw requires a user to visit a specially crafted Web page. From there, an attacker can display any name of his choosing in the URL toolbar and fill the client browser window with arbitrary content. He provides an example (the link should be viewed within Safari).

In response to other Safari 3.0 vulnerabilities, Apple yesterday released an updated version that addresses three of the public vulnerabilities. Swiecki says he tested this latest vulnerability on Safari 3.0.1 (522.… Read more

PayPal key fob's on the job

PayPal launched on Friday its security key fob, a little device designed to thwart password-stealing bad guys who are out to pilfer your online payment account.

PayPal, owned by online auction behemoth eBay, says its PayPal Security Key will generate a new security code every 30 seconds, which people will enter along with their log-in and password for their eBay and PayPal accounts.

PayPal, which initially announced in January plans to increase security via a password-generating key fob, will charge $5 to PayPal and eBay account holders in the U.S. The plan will be expanded internationally.

Various versions of … Read more

Another flaw within Safari 3.0 for Windows beta

Security researcher Robert Swiecki disclosed yesterday another vulnerability within the new Safari 3.0 for Windows beta, bringing the total of public vulnerabilities to nine. The latest flaw allows an attacker to steal a cookie. The flaw exists in the JavaScript window.setTimeout() implementation, where the content of the timer-triggered function is processed after the window.location property has been changed.

In response to other Safari 3.0 vulnerabilities, Apple today released an updated version that addresses three of the nine public vulnerabilities.

First Look: Ad-Aware 2007

For its first major update in over two years, Lavasoft's Ad-Aware 2007 offers a redesigned interface and an overhauled detection engine, along with an enhanced Update Manager and a new Tracksweep feature that clears your browsing history for multiple applications with one click.

Take a quick tour of Ad-Aware 2007 with this First Look video.