Security Alerts Vulnerabilities
An excellent Guide to secure your Facebook account and safeguard your privacy.
Facebook statistics show that it has 250 million active users each with an average 120 friends. More than 1 billion photos are uploaded every month by its users, over 70% of whom use applications like games and quizzes in Facebook. Unfortunately, most users don’t know the implications of entering personal information, making friends, and playing games on Facebook.
(IN)SECURE Magazine (a free digital security publication discussing some of the hottest information security topics) Issue 22 is out.
Articles in this issue include:- Using real-time events to drive your network scans
- Review: Data Locker
- The Nmap project: Open source with style
- Enterprise effectiveness of digital certificates: Are they ready for prime-time?
- A look at geolocation, URL shortening and top Twitter threats
- How “fake stuff” can make you more secure
- Making clouds secure
- Q&A: Dr. Herbert Thompson on security ROI and RSA Conference
- Book review – Cyber Crime Fighters: Tales from the Trenches
- Top 5 myths about wireless protection
- Securing the foundation of IT systems
- A layered approach to making your Web application a safer environment
- In mashups we trust?
- Adopting the security best practice of least privilege
- Is your data recovery provider a data security problem?
- New strategies for establishing a comprehensive lifetime data protection program
- Security for multi-enterprise applications
- EU data breach notification proposals: How will your business be affected?
- Book review – 97 Things Every Software Architect Should Know
- Safety in the cloud: How CIOs can ensure the safety of their data as they migrate to cloud applications
- Vulnerability management
Where is your computer vulnerable? Computer security consultants Izaac Falken and Brett Scudder answer critical questions most often asked about hacker threats.
Via: Digg
Report: Security Certifications Boost Pay – “IT professionals with security certifications—including all versions of the CISSP, CISA, GSE, CISM, SSCP and GCFA—earned 10 percent to 14 percent premiums on their base pay over their non-certified counterparts.”
New vulnerabilities hit Firefox and Internet Explorer – There are no patches yet available from either vendor. The most serious is MSIE page update race condition, and next most severe is Firefox Cross-site IFRAME hijacking.
Encrypt and sign Gmail messages with FireGPG – “It integrates nicely into Gmail’s interface and allows you to sign and encrypt not only email messages but also text snippets from any Web page.”
Google Desktop vulnerable to attack - RSnake has discovered a man-in-the-middle attack on Google Desktop.
An independent assessment of Windows vs. Linux. Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3 were examined to see which platform is more secure.
The results were not unexpected. Even by Microsoft’s subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat’s patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft’s ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.
Lessons From a Honeynet That Attracted 700,000 Attacks – The Continuous Processes of Vulnerability Management: Create security policies & controls, Track inventory / categorize assets, Scan systems for vulnerabilities, Compare vulnerabilities against inventory, Classify risks, Pre-test patches, Apply patches, Re-scan and confirm fixes.
Apple patches a dozen security holes – Apple released security updates to Mac OS X operating system and other software.
MS update patches patching – Microsoft this week pushed an update to patch their patching system.
OpenOffice virus reaches across platforms – “A virus writer with something to prove has written a proof-of-concept OpenOffice document to demonstrate a way to infect Windows, Linux and Mac OS X systems with a single script.”
Google Online Security Blog – Google has gone public with it’s new security blog. The first post says: “we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we’ll tackle is malware, which is the subject of our inaugural post.”
Top 10 vulnerabilities in Web applications in Q1 2007 – “In this study, Cenzic identified 1,561 unique vulnerabilities during the first quarter of 2007. Of the reported vulnerabilities, file inclusion, SQL injection, cross-site scripting and directory traversal were the most prevalent, totaling 63 percent. The majority of vulnerabilities affected Web servers, Web applications and Web browsers, with Cenzic classifying the bulk as easily exploitable.”
Top 15 free SQL Injection Scanners – “Checking for SQL Injection vulnerabilities involves auditing your web applications and the best way to do it is by using automated SQL Injection Scanners. We’ve compiled a list of free SQL Injection Scanners we believe will be of a value to both web application developers and professional security auditors.”
Mac Virus and On-Line Security FAQ – “These days it’s hard to avoid the dirty underbelly of the Internet, it’s not as bad as it seems out there if you have some common sense and know the facts Using a Mac helps too. In this little FAQ, I’ll pass on some tips and get you up to scratch regarding viruses, internet security, firewalls, on-line shopping and more.”
Ubuntu Security Resource – “If you’ve recently switched from Windows to the Linux distribution Ubuntu, you’ve probably experienced a decrease in spyware — and malware in general — on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that even though Ubuntu’s default install has its flaws, like every other operating system.”
Firefox Surfers More Likely Patched Than IE Users – “New statistics released today indicate that people who use Mozilla’s Firefox Web browser are more likely to be cruising the Web with all of the latest security updates installed than those surfing with Microsoft’s Internet Explorer.”
I received an email from (ISC)2 yesterday about the new, stricter requirements for CISSP. The new experience requirements for the CISSP certification will be effective 1 October, 2007. Basically now you’ll need five years of work experience instead of four and the endorsement must be done by (ISC)2 certified professional. I can see that (ISC)2 is trying to maintain the high standards of CISSP. So, it means new CISSPs must find and interact with other CISSPs before they can earn the title. You can find more details about the new requirement on (ISC)2’s press release.
* The minimum professional experience requirement for CISSP certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.
* Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.
According to Schneier the main reasons to conduct penetration testing are:
There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you’re going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I’m going to save you a lot of money by giving you this free penetration test: You’re vulnerable.
Now, go do something useful about it.
Loading ...