Off The Wire Archive
News items for February 2008
Top 10 vulnerabilities in Web applications (Q4 2007)
The Cenzic Application Security Trends Report emphasizes the Top 10 Web application vulnerabilities from published reports in Q4 2007, illustrating trends among thousands of corporations, financial institutions and government agencies. [more]
Friday, 29 February 2008, 7:23 PM CET
How to hack into a Boeing 787
Last month, technology news sites and blogs breathlessly reported on a Federal Aviation Administration document suggesting that Boeing's new 787 Dreamliner passenger jet may be vulnerable to computer hackers. [more]
Friday, 29 February 2008, 7:20 PM CET
Create your own cross-platform backup server
Backing up your data on a regular basis is important, and turning a spare computer into a backup server is often the best way to make sure it gets done. [more]
Friday, 29 February 2008, 7:19 PM CET
The no-tech hacker
Hackers have a lot of fancy names for the technical exploits they use to gain access to a company's networks: cross-site scripting, buffer overflows or the particularly evil-sounding SQL injection, to name a few. But Johnny Long prefers a simpler entry point for data theft: the emergency exit door. [more]
Friday, 29 February 2008, 5:24 PM CET
Whitepaper - Open source security myths dispelled
Dispel the five major myths surrounding Open Source Security and gain the tools necessary to make a truly informed decision for your IT organization. [more]
Friday, 29 February 2008, 8:41 AM CET
Trawl for packets with Wireshark
If you want to keep your network secure then you need to know what traffic is passing through it. [more]
Friday, 29 February 2008, 8:38 AM CET
SSL configuration for IBM Tivoli Directory Server 6.0
Gain an overview of SSL configuration for IBM Tivoli Directory Server (ITDS) 6.0 on the AIX 5L operating system. Learn about command line configuration steps for SSL key database creation, certificate creation, certificate extraction, SSL authentication mechanisms, troubleshooting for SSL issues, and steps to perform LDAP client-server communication. [more]
Thursday, 28 February 2008, 4:50 PM CET
Air Force blocks access to many blogs
The Air Force is tightening restrictions on which blogs its troops can read, cutting off access to just about any independent site with the word "blog" in its web address. [more]
Thursday, 28 February 2008, 12:21 AM CET
Systems administration toolkit: log file basics
This article looks at the fundamental information recorded within the different log files, their location, and how that information can be used to your benefit to work out what is going on within your system. [more]
Thursday, 28 February 2008, 12:12 AM CET
Manage your online reputation
A rash of social media sites have arisen that give you more tools to help you manage your online reputation and become more findable. Let's take a look. [more]
Thursday, 28 February 2008, 12:06 AM CET
Extended validation certificates and XSS considered harmful
A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters. [more]
Wednesday, 27 February 2008, 4:33 PM CET
Using siproxd to allow VoIP through a firewall
Siproxd is a SIP proxy server that can help you with network connectivity issues for SIP clients behind firewalls. [more]
Tuesday, 26 February 2008, 3:30 PM CET
Worker snooping on customer data common
A landlord snooped on tenants to find out information about their finances. [more]
Tuesday, 26 February 2008, 3:28 PM CET
Book review - Apache Cookbook (2nd edition)
The Apache web server is to many the best web server solution out there. Currently available in three versions (1.3, 2.0 and 2.2), Apache has an enormous install base around the globe. There are quite a lot of quality books detailing all the Apache aspects and "Apache Cookbook" is a unique publication with its own twist. It doesn't go into all Apache specifics, but, better yet, it covers a set of problems and solutions Apache administrators can come across. [more]
Tuesday, 26 February 2008, 3:20 PM CET
Securing moving targets
What’s the best approach to protecting the business data on mobile computing devices? This article covers the three essentials that help you load and lock. [more]
Tuesday, 26 February 2008, 3:19 PM CET
Wiretapping made easy
Silently tapping into a private cell phone conversation is no longer a high-tech trick reserved for spies and the FBI. [more]
Friday, 22 February 2008, 8:47 AM CET
Google to store patients' health records
Google will begin storing the medical records of a few thousand people as it tests a long-awaited health service that's likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader. [more]
Thursday, 21 February 2008, 6:54 PM CET
Interview with Gregory Conti, Assistant Professor of Computer Science at the United States Military Academy
Besides his work as a professor and Director of the Information and Technology and Operations research center, Gregory Conti is also the author of the excellent book Security Data Visualization and the RUMINT visualization tool. In this interview he discusses the concept of security data visualization, its importance, various tools for the job, his book and more. [more]
Wednesday, 20 February 2008, 11:26 PM CET
DoS attack on WordPress.com blogs
The WordPress.com blog-hosting service suffered a DoS (denial-of-service) attack that began Saturday and was still preventing users from logging in or posting to their blogs on Tuesday. [more]
Wednesday, 20 February 2008, 8:49 AM CET
Create a backup server with Restore
Perhaps the number one reason why people neglect to back up their desktops is the lack of a workable solution. [more]
Wednesday, 20 February 2008, 8:47 AM CET
Experts find fault with cyberdirective
When President Bush issued a classified cybersecurity directive early last month, he reversed 21 years of policy that had prevented the Defense Department and the National Security Agency from having oversight of civilian agency networks. [more]
Wednesday, 20 February 2008, 12:30 AM CET
Role-based access control in SELinux
Learn your way around this admin-friendly security administration layer. [more]
Wednesday, 20 February 2008, 12:18 AM CET
Book review - Network Security Hacks (2nd Edition)
O'Reilly's Hacks Series has been a major hit with the IT crowd. It covers basically anything a geek might be interested in: operating systems, online services, programming languages, astronomy, TiVo, gaming, podcasting, Google, security, and much more. The book we're taking a look at today has received a second edition and deals with network security. [more]
Tuesday, 19 February 2008, 11:45 PM CET
PHP Shell, for secure remote access when SSH isn't available
Without SSH you may think you'll have trouble executing commands on the hosted server. Not so -- PHP Shell allows execution of some commands without having SSH access to the LAMP server. [more]
Tuesday, 19 February 2008, 3:04 PM CET
SSH key authentication using seahorse (GUI)
Seahorse is a Gnome front end for GnuPG - the GNU Privacy Guard program. It is a tool for secure communications and data storage. [more]
Tuesday, 19 February 2008, 11:08 AM CET
Working with PGP and Mac OS X
The goal of this tutorial is to get you up and running with PGP through the terminal and familiar with its operation. [more]
Tuesday, 19 February 2008, 6:50 AM CET
Tutorial - defending against SQL injection attacks
By taking this self-study tutorial, you can arm yourself with techniques and tools to strengthen your code and applications against these attacks. [more]
Tuesday, 19 February 2008, 6:42 AM CET
The future of encryption
In today’s world the protection of sensitive data is one of the most critical concerns for organizations and their customers. This, coupled with growing regulatory pressures, is forcing businesses to protect the integrity, privacy and security of critical information. As a result cryptography is emerging as the foundation for enterprise data security and compliance, and quickly becoming the foundation of security best practice. Cryptography, once seen as a specialized, esoteric discipline of information security, is finally coming of age. [more]
Monday, 18 February 2008, 6:33 PM CET
Secure RPC using DES authentication on AIX 5.3
Find out how to use Secure RPC using Data Encryption Standard (DES) authentication on AIX 5.3 to achieve a secure communication between the client and server. [more]
Monday, 18 February 2008, 9:51 AM CET
Interfacing VIM with GnuPG encrypted files
This blog post illustrates a ~/.vimrc tweak that allows vim to leverage GnuPG to decrypt a previously encrypted file, allow edits to be made, and then re-encrypt it before it is written back to disk. [more]
Monday, 18 February 2008, 12:00 AM CET
Improving WordPress security in five steps
Whilst WordPress is a great publishing tool, it does have its challenges, and one of my greatest concerns is always security. [more]
Friday, 15 February 2008, 1:26 PM CET
The anonymity experiment
During a week of attempting to cloak every aspect of daily life, a correspondent found that in an information age, leaving no trace is nearly impossible. [more]
Friday, 15 February 2008, 12:00 AM CET
Use of rogue DNS servers on rise
They're called "servers that lie." [more]
Thursday, 14 February 2008, 9:49 AM CET
Domestic access to spy imagery expands
A plan to use U.S. spy satellites for domestic security and law-enforcement missions is moving forward after being delayed for months because of privacy and civil liberties concerns. [more]
Thursday, 14 February 2008, 9:47 AM CET
The need for a new security approach
Companies now more than ever are realizing that their confidential data is in many cases the lifeblood of their business and loss or theft of the data could be critical. [more]
Wednesday, 13 February 2008, 12:26 AM CET
Review - Spybot Search & Destroy
Spybot Search & Destroy is one of the most used standalone solutions for protecting against different malware threats. This is a review of version 1.5.2 that was released in late January. [more]
Tuesday, 12 February 2008, 4:38 PM CET
Podcast with Gartner security and privacy analyst
Do you know where to focus your security efforts? Learn the criteria to determine the right Secure Web Gateway for your organization. [more]
Monday, 11 February 2008, 10:37 PM CET
Three minutes with Facebook's privacy chief
Chris Kelly describes and defends the user-tracking Beacon function and balancing privacy and community. [more]
Monday, 11 February 2008, 9:52 AM CET
RealPlayer users held to ransom
It has been a couple of months now since a Russian security researcher, Evgeny Legerov, confirmed that the widely deployed media software RealPlayer was vulnerable to a zero-day exploit. [more]
Monday, 11 February 2008, 9:50 AM CET
sudo, or not sudo: that is the question
If you've dabbled even a little bit with security matters, you know that giving root rights or the root password to a common user is a bad idea. [more]
Friday, 8 February 2008, 10:04 AM CET
Clarity sought on electronics searches
A tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. [more]
Thursday, 7 February 2008, 4:57 PM CET
With iPhone, 'security' is code for 'control'
Computer companies want more control over the products they sell you, and they're resorting to increasingly draconian security measures to get that control. The reasons are economic. [more]
Thursday, 7 February 2008, 2:07 PM CET
Use dvdisaster to protect backups on optical media
Storing backups on optical media such as DVD-R discs suffers from two major drawbacks: DVD discs are easy to scratch, and the media itself degrades after a while. [more]
Thursday, 7 February 2008, 2:04 PM CET
The latest release of Nmap looks better than ever
At age 10, Nmap may be the most popular network security tool in the world. [more]
Wednesday, 6 February 2008, 10:41 AM CET
Security metrics - how often should we scan?
In this blog entry, we will discuss the many different reasons why people perform scans and what factors can contribute to their scanning schedule. [more]
Wednesday, 6 February 2008, 10:32 AM CET
Is PCI 6.6 good for web application firewalls?
PCI requirement 6.6, which endorses web application firewalls, raises the profile of this technology but leaves a lot to be desired. [more]
Wednesday, 6 February 2008, 12:00 AM CET
FBI wants palm prints, eye scans, tattoo mapping
The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists. [more]
Tuesday, 5 February 2008, 10:34 AM CET
(IN)SECURE Magazine issue 15 has been released
(IN)SECURE Magazine is a free digital security magazine in PDF format. In this issue you can read about malware, advanced social engineering, Internet terrorism, visualization tools for security analysis, wireless security, insider threat, fraud mitigation, and much more. Download your FREE copy today! [more]
Tuesday, 5 February 2008, 1:12 AM CET
Book review - Computer Security Basics (2nd Edition)
Computer books usually tend to fit into two categories: immense titles that try to contain everything you might need or highly specialized books on a single topic. This book tries to provide you with enough details about a lot of computer security topics but it does it in just over 300 pages. Read on to discover what it brings to the table. [more]
Monday, 4 February 2008, 7:13 PM CET
iPhone security 101
After getting access to an iPhone Unix shell, you can observe that every process runs as root. [more]
Monday, 4 February 2008, 1:06 AM CET
Ettercap automates the malicious middleman
Man in the middle (MITM) attacks can be devastatingly effective, providing hackers with all kinds of confidential information and, just as seriously, giving them the opportunity to feed false information to victims. [more]
Monday, 4 February 2008, 12:03 AM CET
Research debunks common myths associated with IT risks
Despite traditional perceptions associating IT risk primarily with security risks, survey results indicate the emergence of a broader view among IT professionals. Of the survey respondents, 78 percent gave “critical” or “serious” ratings to availability risk as opposed to security, performance and compliance risks, with 70, 68 and 63 percent respectively. [more]
Friday, 1 February 2008, 1:56 PM CET
Whitepaper: Good architecture and security
The Good System puts security completely in the hands of IT managers and does not require users to set security parameters or make any security decisions. [more]
Friday, 1 February 2008, 1:55 PM CET
Efficient rsyncrypto hides remote sync data
The rsync utility is smart enough to send only enough bytes of a changed file to a remote system to enable the remote file to become identical to the local file. [more]
Friday, 1 February 2008, 11:22 AM CET
New NX APIs added to Vista SP1, XP SP3 and Windows Server 2008
In the interests of helping secure the platform, we want more people to opt-in to using Data Execution Prevention (aka DEP aka NX), and we have lowered the barrier to entry for application developers in Windows Vista SP1, Windows XP SP3 and Windows Server 2008. [more]
Friday, 1 February 2008, 12:03 AM CET
Threats from everywhere in 'Cyber Storm'
In the middle of the biggest-ever "Cyber Storm" war game to test the nation's hacker defenses, someone quietly targeted the very computers used to conduct the exercise. [more]
Friday, 1 February 2008, 12:00 AM CET
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.





