LATEST NEWS

DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney May 21st 2013

Paying a site to DDoS other sites is perfectly legal, the proprietor behind one such outfit told security journalist Brian Krebs.

Besides which, he says, his service, called RageBooter, even features a nifty backdoor that lets the FBI monitor customer activity.

The conversation took place recently between Krebs and Justin Poland, the US man from Memphis, Tennessee whom Krebs sniffed out via WHOIS lookup and Facebook.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

22 million user IDs may be in the hands of hackers, after Yahoo Japan security breach May 20th 2013

The call has gone out to Yahoo Japan's 200 million users to change their passwords, after the company warned that it suspected hackers had managed to access a file containing 22 million user IDs.

Yahoo Japan says that it detected an attempt to gain unauthorised access to its administrative systems on Thursday at approximately 9pm local time.

Although the information taken from Yahoo Japan's servers is said not to contain passwords, or other personal identifying information required to hijack an account (such as the answers to secret questions), the site has decided that users should reset their passwords regardless.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Sophos Ups UTM Mobile Endpoint Protection As Quadsys Turns Golden May 17th 2013

Security vendor Sophos has added a web endpoint feature to its unified threat management (UTM) offering in a bid to simplify and speed up security checks on all networks used by SMEs.

At the company’s channel partner meeting in Athens this week, Sophos CEO Kris Hagerman maintained that good security practice is all about simplicity, but the increasing complexity of mobile networking and the cloud have made that a difficult discipline to practice. “We’ve worked hard to make it look easy,” he said. “All the complexity has been engineered into a simple appliance.”

Gold award

Meanwhile, IT security supplier Quadsys has become the first UK company to win Sophos Gold Solution Partner status. It means it can offer the vendor’s entire range of security products as well as consultancy, design, installation and support services.

Oxfordshire-based Quadsys offers IT security and infrastructure services.

Quadsys MD Paul Cox said the firm had grown substantially recently and the award was a reflection of the commitment and support it got from Sophos. “Their Partner Programme encourages enthusiastic partners to achieve the accreditation needed at the highest level,” said Cox.

Click here for full story. Channelbiz.co.uk

____________________________________________________________________________________________________________________

Interview with 'We are Anonymous' author Parmy Olson May 17th 2013

I had the privilege of interviewing Forbes journalist and author Parmy Olson after the RSA Conference in San Francisco in February.

We sat down in the beautiful Yerba Buena Gardens to discuss her book "We are Anonymous" and her thoughts on the upcoming (at the time) sentencing of the LulzSec hackers.

We also discussed her recent visit to Mobile World Congress in Barcelona and her thoughts on Firefox OS.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Jail for the LulzSec hacking gang members May 16th 2013

Members of the notorious LulzSec hacking gang have been sent to jail.

Here are the sentences that each of them has received:

The judge apparently took Mustafa Al-Bassam's age at the time of the offences into consideration when choosing to give him a suspended sentence.

If you have an opinion on these sentences, leave a comment below or take part in our poll: Have your say - LulzSec: Helpful, harmless or hideous?

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Think enterprise software is complex? Check out the licences May 9th 2013

Analysis: Enterprises shouldn't be surprised to discover they're having trouble understanding their enterprise licensing agreements. While Oracle, SAP and other big players publicly tout transparency and fairness in their licensing and pricing policies, customers often disagree when they get to the bargaining table or open the results of an audit.

Oracle and SAP are in unique positions as the two biggest and most respected enterprise software companies in the world. Combined, they account for more than 40 per cent of the worldwide ERP market. No other enterprise software vendors offer software lineups that are as broad and deep as those of Oracle and SAP.

And with billions of dollars invested in R&D every year, customers of these two firms have come to expect a steady stream of technological innovations that give customers real competitive advantages, such as SAP's HANA database and Oracle's Exadata database appliance.

Click here for full story. The Register

____________________________________________________________________________________________________________________

Facebook to design an open source switch May 9th 2013

As part of the Open Compute Project (OCP), Facebook's network engineering team is leading a project to develop an open source networking switch.

"It's our hope that an open, disaggregated switch will enable a faster pace of innovation in the development of networking hardware," wrote Frank Frankovsky in a blog post announcing the project. Frankovsky is chairman and president of OCP, as well as Facebook vice president of hardware design and supply chain operations.

Facebook's network engineering team head Najam Ahmad will lead the project, and engineers from Broadcom, Intel, VMware and Cumulus Networks, among others, will participate in the development of the specification.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

Name.com suffers breach, credit card data accessed, encryption in place (phew!) May 8th 2013

"Dear John" used to be a euphemism for the letter that an ex-girlfriend wrote to break off a relationship.

It was the sort of letter no-one really wanted to get, but such is the way of the world that many young men ended up receiving one anyway.

The modern version of a "Dear John" - the email everyone hopes to avoid but which many have experienced - comes not from your erstwhile Significant Other, but typically from your ISP, or a social network, or some other online company.

The "Dear Johns" of 2013 usually contain something like this:

Dear %CUSTOMER%, We recently discovered a security breach...so we have %ACTION% your account. You will need to %RESPONSE% next time you log in. We are sorry. Your security is %ADJECTIVE% to us. At least, it is now.

Indeed, we've written about a number of high-profile breaches recently, for example at online coupon site LivingSocial, and search-result tweakers Reputation.com.

Now it's the turn of domain registrar and web hosting company Name.com, part of the Demand Media group, to suffer a breach.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

German ministry replaced brand new PCs infected with Conficker worm, rather than disinfect them May 1st 2013

If your computers become infected by malware, do you simply chuck them on the garbage heap and buy a new one?

I hope your answer would be no. After all, most malware infections can either be removed by decent anti-virus tools, or infected drives can be wiped clean and restored from a recent backup.

There really should be no need to dump the hardware entirely.

And yet, it has come to light that after computers at German teacher training institutes in Schwerin, Rostock and Greifswald became infected with the notorious Conficker worm in September 2010, 170 of them were disposed of and replaced with new equipment at the taxpayers' expense.

In all, the replacement of the infected computers (some of which were considered brand new), and subsequent restoration of data, cost 187,300 Euros.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

CERN Geneva celebrates 20 years of the World Wide Web May 1st 2013

It was twenty years ago today that the World Wide Web came out to play, with CERN Geneva officially putting the Web, and the early client and server side software that made it work, into the public domain.

Naked Security colleague Graham Cluley emailed me to remind me that CERN had celebrated by putting an early version of the first website back online at its original URL.

But Graham couldn't get much further.

"If you follow the link and try to access the actual original first webpage," he wrote, "It's inaccessible, presumably because everyone is trying :)"

So I thought I'd look into things when the dust had settled a little.

And since everyone else seems to be writing intellectually meaningful pieces about what this great anniversary reminds us about the evolution of our post-modern, always-on, interconnected, map-reduced, object-oriented, long-tailed, hypermedial global village, I thought I'd just show you a sequence of pictures.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

How to rate a comparative anti-virus test - a six-step guide May 1st 2013

In my last article, I discussed anti-virus tests, particularly certification schemes. Today I'll focus on comparatives and group tests.

This is a much murkier area of the testing world, with certifications tending to be limited to well-known, usually well-respected expert testers.

On the other hand, it sometimes seems like anyone with a computer and more than one brain cell feels qualified to do comparative testing.

There are a lot of pitfalls to look out for, which often trip up unwary would-be testers, and regularly lead to wonky data and biased, inaccurate and occasionally completely off-the-wall conclusions.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Infosec 2013: cyber security sector failing to attract new talent April 24th 2013

The cyber security sector in the UK is failing to attract young people into the industry – especially women – according to research released this week by e-skills UK.

The research, carried out in partnership with information security recruitment consultancy Alderbridge Consulting, found that only 7 percent of information security professionals are aged 20-29, compared to 31 percent in the 30-39 age group and 21 percent in the 40-49 age group.

Meanwhile, there is a substantial lack of female talent in the industry, with only 10 percent of those who hold non-commercial positions being women.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

Viber flaw bypasses lock screen to give full access to Androids April 24th 2013

Lacking the lightning-fast reflexes needed to get past the Samsung Galaxy Note 2's lock screen?

Hampered by pesky morality that forces you to forego the placing of bogus emergency calls so as to hack iPhone passcodes?

Not that you should want to do any of that, mind you, but just to pile onto the spate of recently revealed smartphone hijacking methods, a new flaw in Viber allows hackers to more easily bypass Androids' lock screens than these previous finger-twisters.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Beware Twitter "password check" sites - there are fakes, and there are fake fakes! April 24th 2013

After a widely publicised hack or data breach, you'll often find "password check" sites springing up.

Some of them are legitimate, asking only for your email address and checking it against a list of known data dumps.

→ Dumps are the files that typically circulate on the Underweb after a hack, containing as much or as little personally identifiable information (PII) as the thief cares to share; legitimate password check sites collect these to build a list of probably-hacked email addresses.

But other "password check" sites are as bogus as they sound on the surface.

They ask you to type in your login details, either into a clone of a regular site's login page, or into a nicely-worded "you can trust us, honest, guv" page of their own.

That sounds like phishing, doesn't it?

And the reason it sounds like phishing is that it IS phishing!

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Windows 8: How to solve the Start Button dilemma April 18th 2013

The top complaint about Windows 8 is that Microsoft got rid of the Start Menu and even the Start Button, and innovators have stepped in to provide a wealth of ways to restore it.

The solutions range from plug-ins to full applications both free and for pay and can prove useful for those who personally prefer the Start Menu as well as for IT pros trying to make Windows 8 less painful for their end users to learn.

Alternatively, it's easy enough to create a custom Start Menu workaround. Create shortcuts to all or frequently sought applications and place them in a folder, then pin that folder to the Windows 8 start screen or desktop. One click and you're inside the folder. This lacks search and other conveniences of an actual Start Menu, but it may serve the purpose adequately.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

IT supply-chain security standard aims to prevent counterfeits, tampering April 17th 2013

The danger of counterfeit and tampered IT products is well known, and to fight it, the Open Group has published a technical security standard aimed at supply-chain safety. It's anticipated that by year-end there will also be an official process under way for accreditation so technology suppliers can prove adherence to the standard, according to some involved, which include IBM and Cisco.

The Open Group's Trusted Technology Forum (OTTF) has published the standard, called the "Open Trusted Technology Provider Standard (O-TTPS)," as a 32-page document available on the Open Group website. It's described as "a set of guidelines, requirements and recommendations that, when practically applied, create a business benefit in terms of reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer."

It seeks to lay out best practices in design, sourcing, building, fulfillment and other facets of supply chain distribution, including for integrators. It addresses the huge concern that fake or tampered electronics, hardware and software are being sold, a concern that has been voiced specifically by the U.S. government and the Department of Defense in particular.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

Oracle and Apple ship critical Java updates - get yours today! April 16th 2013

Both Oracle and Apple published critical updates for Java on Tuesday, 16 April 2013.

The security-beleaguered Java ecosystem usually gets updates just once every four months, in February, June and October.

But this year, Oracle has adapted that schedule a number of times to deal with the exigencies of modern cybercriminality.

• February's planned update was brought forward about two weeks, due to in-the-wild exploits against Java's browser plugin.

• An interim update, curiously and somewhat inaccurately known as out-of-band in patching jargon, appeared in March 2013.

• The latest update, which appeared as announced on 16 April 2013, was slotted into the official cycle in addition to the usual once-every-four-month updates.

Click here for full story. Sophos Naked Security

____________________________________________________________________________________________________________________

Met Police has sacked seven staff for social media use April 12th 2013

The Metropolitan Police has sacked seven staff since 2009 for misuse of social media sites, with another eight leaving the force after facing complaints.

It has been revealed that a total of 38 police officers had been found to have misused social media sites over a four year period between 2009 and 2012, and that 12 civilian staff have also been found to have misused social media up to early 2013.

A Freedom of Information request was made into disciplinary procedures brought against officers and civilian staff under the Metropolitan Police’s social media policy.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

UK investigates unfair trade in children's game apps April 12th 2013

The UK Office of Fair Trading (OFT) has launched an investigation into free children's game apps to explore whether these games are misleading, commercially aggressive or otherwise unfair.

Children could be unfairly pressured by Web and app-based game makers to pay for additional content in games, the OFT said in a news release on Friday.

Typically, players can only access parts of free games and are offered new levels or features for money. Paid upgrades can include faster game play, virtual currency like coins, gems or fruit, or upgraded memberships, the consumer and competition authority said.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

How to stop your friends' Facebook apps from accessing *your* private information April 3rd 2013

Many internet users are wary of sharing their personal information willy-nilly with the world, but did you know that sometimes it's your friends who might be unwittingly passing your private details on?

Take Facebook, for instance.

You might believe that you have carefully controlled what people you choose to share your photos and personal information with on the social network. And maybe you're really careful about what third-party Facebook applications you allow to have access to personal details such as your birthday, your status updates and educational and work history.

As we have explained many times before on Naked Security, you should always be careful about which Facebook apps you allow to connect with your account, as they can collect varying levels of information about you.

If you aren't comfortable with the information a Facebook app wants to access, don't install the app.

But it seems that some Facebook users aren't aware that - unless you have locked down your privacy settings correctly - the apps, games and websites that your *friends* use can also access your personal details, photos and updates.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Firefox 20 arrives - new version, some security improvements, no known vices April 2nd 2013

Firefox 20.0 was released today.

The buglist page enumerates 3054 official changes.

Despite the title buglist, these aren't all flaws that needed fixing.

The updates run from the benign-sounding bug #819202 ("attempting to open a new public window when a private window is focused opens a new private window") to enhancement #800085 ("complete gecko testing for identity SignInToWebsiteController").

Amongst this month's changes, however, are eleven patched vulnerabilities.

All of them, at least at the time of writing, are shown on the official vulnerabilities page with their Security Advisory links coloured in red, denoting a Critical impact.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Mobile device security in the US military comes under fire April 2nd 2013

On March 26th, the Inspector General released a report on the effects of BYOD (bring your own device) on the U.S. military.

Among the report's findings:

• Mobile devices were not secured to protect stored information.

• The US Department of Defense (DOD) did not have the ability to wipe devices that were lost or stolen.

• Sensitive data was allowed to be stored on commercial mobile devices acting as removable media.

• DOD did not train users and did not have them sign user agreements.

• The Army CIO was unaware of more than 14,000 mobile devices used throughout the Army.

Ouch.

This from an entity that seems to have policies and regulations for everything.

The Army did implement a good policy regarding geotagging a while back, realizing the risk that came with soldiers taking pictures that automatically had location information embedded in metadata.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

The 'What's Worse Security Championships' March 27th 2013

With March Madness Basketball in full swing in America, we thought it might be fun to try and adapt the concept of sport championships to the land of IT security.

So here is what we are thinking: we have come up with eight security issues and divided them into groups of two. In each group, you select which you feel is worse and then click the Vote button.

That's it. It shouldn't take more than 25 seconds. Who knows? It might be thought-provoking....or just a teeny tiny spot of fun.

Next week, after Easter break, we will present the What's Worse Security Championship semi finals.

Without further ado....

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Five Slovenians arrested for $2.5M email banking fraud March 26th, 2013

Slovenian police on Thursday raided 12 homes and arrested five Slovenian citizens in connection with sending malware-packed email to small and medium businesses' accounting departments.

The email was spoofed to look like it came from a local bank or, in one case, the state tax authority, and it typically warned of a late payment.

The fake tax letter fictionalized a change of legislation that would financially affect the targeted victim. The email came with an attachment that carried a trojan.

The RAT (Remote Administration Toolkit) contacted a controlling server that frequently changed network location.

Once a target clicked on the attachment and installed the RAT, the cybercriminals could observe activity on the infected system.

With stolen credentials and, sometimes, if the victim didn't remove the smart card containing a bank-issued certificate from a reader after use, the victimized companies' bank accounts were laid wide open for ransacking.

According to a release from SI-CERT (the Slovenian national CERT [Computer Emergency Response Team]), the gang usually raided bank accounts on Fridays or the day before a national holiday.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

17-year-old arrested for hacking into phones, stealing and distributing explicit images of children March 25th 2013

A US teenager has been charged with distributing child pornography he allegedly hacked out of minors' cellphones with a bogus mobile text ad that installed phone-controlling malware.

Michael William Cook, 17, of Acworth, Georgia, was arrested on March 13 on eight counts of cruelty to children and one count of sexually exploiting children.

Cobb County Police Sgt. Dana Pierce told news outlets that Cook was arrested the previous Wednesday while at school.

Police accused Cook of posting photos of his victims to a child pornography website between November 2012 and January 2013.

According to 9News.com, Sgt. Pierce claimed that Cook sent text messages to victims from a company called "Maxi Focus Photography".

When victims clicked on a link in the text message, it installed malware that essentially gave Cook access to all information stored on the phones.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

AT&T hacker "Weev" sentenced to 41 months in prison, after obtaining the email addresses of iPad users March 20th, 2013

Andrew Auernheimer, self-described internet troll and so-called "freedom fighter," has been sent to prison for the federal crimes of obtaining the personal data of more than 100,000 iPad owners from AT&T's publicly accessible website and disclosing them to a reporter.

Auernheimer, aka "Weev," was sentenced on Monday to 41 months in prison followed by three years of probation. He and fellow hacker Daniel Spitler have also been ordered to pay $73,000 in restitution.

Auernheimer, 27, in 2010 found a security flaw in an AT&T server that allowed his Goatse Security hacking group to collect 114,000 email addresses belonging to iPad 3G users.

He turned over that information to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Budget 2013: IT industry criticises lack of technology focus March 20th, 2013

The IT industry in the UK has bemoaned the lack of specific reference to the technology industry in today's budget announcement, questioning whether the bold claims made in last year's budget were simply hot air.

In the 2012 budget, Chancellor George Osborne unveiled a series of incentives to support the UK’s technology industry, including cutting the tax on small businesses to 20 percent, funding ultra-fast broadband rollouts in the UK’s 10 largest cities, ensuring protection for the £100 million science budget and opening twenty four enterprise zones across England.

While today's budget showed that the government is willing to continue to support start-ups and SMEs, with an extension to the Funding for Lending scheme and the announcement of £75 million of new funding for venture capital to support start-ups, no measures were announced to ensure that this credit flows to companies in the technology sector.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

LinkedIn is down, then up, then down again Wednesday morning March 20th, 2013

LinkedIn, the professional social media network, is suffering intermittent service disruptions Wednesday morning.

Frustrated LinkedIn users began airing their grievances on Twitter before the start of the regular East Coast business day. Shortly after 8:30 a.m. ET on Wednesday, LinkedIn posted an update on Twitter saying, "We're aware the site is currently down, and our team is working on it right now. Stay tuned."

A variety of third-party web tracking tools also reported LinkedIn was experiencing a service disruption. www.DownRightNow.com reported that LinkedIn was down beginning just before 8 a.m.

At around 8:50 a.m. ET LinkedIn reported that the issue had been resolved. "The issues you may have experienced with our site earlier have been cleared," the company posted on its official Twitter page.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

VMware and partners to build uber-vCloud to take on Amazon March 13th, 2013

Rumors have been going around since late last year that server virtualisation juggernaut and cloud wannabe VMware was working on building its own infrastructure public cloud, said to be called Project Zephyr, and it turns out to be true. Mostly. Maybe.

In a financial analyst meeting held in New York by EMC, VMware's majority shareholder and its virtualisation minion, the company confirmed that it was indeed building a public infrastructure cloud based on its virtualisation, cloud controller, and storage and network virtualisation technologies. VMware CEO Pat Gelsinger told the Wall Street analysts in attendance that this was something that VMware's customers were asking it to do.

The details were a bit sketchy, but contrary to some of the rumors that have been going around, it doesn't look as though VMware will be literally building one or more data centers and Amazon AWS-style infrastructure clouds that customers will run their ESXi-packaged workloads upon.

Click here for full story. The Register

____________________________________________________________________________________________________________________

Chess CAPTCHA - a serious defence against spammers? March 12th, 2013
by Graham Cluley

CAPTCHAs - the questions that a website asks you to answer to prove if you're a human being or not - come in many shapes and forms.

Although they most commonly ask you to decipher some words hidden in a distorted graphic, there are more elaborate versions which can ask you to solve some complicated mathematical calculation or ask you to add toppings to a pizza in an attempt to stop automated bots leaving spammy messages.

As a keen chess player, I was interested to see this CAPTCHA being used on an online chess forum:

[Image: chessboard CAPTCHA]

Okay, so it's not much of a challenge if you're a chess player, but it also clearly locks out any users who do not know how to play chess. (For those of you who can't see the checkmate, the answer is upside-down at the bottom of this article - and make sure to realise that Black is playing from the bottom).

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Microsoft Patch Tuesday - seven bulletins, four critical, three RCEs, and even a fix for Macs March 12th, 2013

SophosLabs has just published its assessment of the March 2013 Microsoft Patch Tuesday updates.

There are seven bulletins this month, dealing with twenty documented vulnerabilities.

Four of the bulletins are deemed critical by Microsoft, and three deal with vulnerabilities that could lead to remote code execution.

Here are the results in one-stop tabular form:

| Bulletin ID | Software component | MS threat level | SophosLabs assessment | Vuln type |
| --- | --- | --- | --- | --- |
| MS13-021 | Internet Explorer | Critical | High | RCE |
| MS13-022 | Silverlight | Critical | High | RCE |
| MS13-023 | Visio Viewer | Critical | High | RCE |
| MS13-024 | Sharepoint | Critical | Medium | EoP |
| MS13-025 | OneNote | Important | Medium | Leak |
| MS13-026 | Office for Mac | Important | Medium | Leak |
| MS13-027 | Kernel drivers | Important | Medium | EoP |

RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside.

EoP means elevation of privilege, where a user or process with limited powers uses a software bug to trick an application or the operating system into carrying out operations that would usually be blocked.

(RCEs often only give remote cybercrooks the same system privileges as the current user; mix in an EoP as well and an attacker may be able to acquire administrative access from afar.)

Leak means an information disclosure flaw: a possible avenue for an attacker to bypass Access Control Lists (ACLs) or database security settings and view information that is supposed to be private.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

How to protect yourself from debit-card fraud March 6th, 2013

How's this for a phone call you don't want on a Sunday night: Visa's fraud unit, calling to ask whether you're aware that $1,371 has been wired from your bank account via Western Union.

Lisa Rokusek was definitely not aware of this transaction, since she hadn't initiated it.

The US woman, from St. Louis, Missouri, was last month one of many victims of credit card or debit card fraud, according to the St. Louis Post-Dispatch.

Rokusek is far from alone.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Evernote speeds up two-factor authentication drive after hack March 6th, 2013

Evernote is speeding up its plans to offer two-factor authentication to users following a recent data breach that exposed user names, email addresses and encrypted passwords.

The company, which makes note-taking software, disclosed on its blog on Saturday that an attacker accessed its internal network, which forced it to reset 50 million user passwords. Payment information was not accessed, Evernote said.

The company had planned to roll out two-factor authentication to users eventually but is now accelerating those plans, according to an Evernote spokeswoman.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

Five new flaws found in the latest version of Java March 6th, 2013

Long battle for Oracle to secure the code.

A week after disclosing two Java vulnerabilities, a Polish security firm reported finding five more in the latest version of Java. When used together, the new holes could bypass the technology's sandbox in order to install malware.

Security Explorations notified Oracle Monday of the vulnerabilities in Java SE 7 Update 15. Along with details of the flaws, Security Explorations also supplied proof of concept code.

Oracle did not respond to a request for comment.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

New IBM storage chief Ambuj Goyal: I like all-flash and I cannot lie March 6th, 2013

Just two months into the job and IBM's newest storage general manager Ambuj Goyal is putting his stamp on the business.

He told El Reg that Big Blue plans to move all transaction data away from disk to all-flash arrays; that he's not that keen on object storage; and that he envisages an IBM that sells "less storage".

He gave Vulture Central storage desk the run-down in an interview which covered flash and storage consolidation and object storage. Goyal has been making an introductory round of meetings with customers, business partners, analysts and hacks after his appointment.

Returning to the data centre flash storage topic, flash is not the death knell for IBM's primary data-storing disk drive arrays that it might seem, said the new storage chief.

Click here for full story. The Register

____________________________________________________________________________________________________________________

Adobe tells users to update Flash Player for the third time this month February 27th, 2013

How many times has Adobe Flash had to be updated on your computer with a new security patch?

Probably more times than you can count, right?

Well, let me make the question easier. How many times has Adobe Flash had to be updated on your computer this month?

The (perhaps surprising) answer is three. And let's not forget that February is the shortest month of the year.

Adobe has published a security bulletin telling users that they need to patch their Flash installations once again (the security updates issued previously on February 7th and February 12th aren't sufficient) to protect themselves against "targeted attacks" that are being "exploited in the wild".

Once again, the vulnerability isn't fussed about what operating system you run on your computer - so Windows, OS X and Linux users are all potentially in the firing line.

Click here for full story. nakedsecurity

____________________________________________________________________________________________________________________

Microsoft ships IE10 for Windows 7 February 26, 2013

Microsoft today released a final version of Internet Explorer 10 (IE10) for Windows 7, nearly two years after it introduced the browser at a company conference.

Customers who had earlier installed the IE10 preview will be the first to receive the upgrade through Windows Update. Others running IE9 on Windows 7 will be automatically upgraded "in the weeks ahead," according to the company, which did not get more specific than that about a timetable.

That day can't come too soon for many Windows 7 users, who have taken almost every opportunity to ask Microsoft -- most often in comments on company blogs -- when the new browser would reach them.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

McAfee and Check Point turn to sandboxing to fend off APTs February 26, 2013

The effectiveness of antivirus protection has never been under greater scrutiny but McAfee and Check Point believe they have found a new story to counter some of the doubt – sandboxing.

McAfee’s story at this week’s RSA Show is built around its recently-acquired ValidEdge, a small startup that came with an appliance for carrying out binary-level analysis and reverse-engineering of suspected malware files to see how they might affect endpoints such as PCs.

Importantly, the analysis involves actually running the application in a sandbox to see what it does in real time, an onerous procedure that requires full kernel isolation.

Click here for full story. Techworld

____________________________________________________________________________________________________________________

Oxford University blocks Google Docs because of phishing attacks.. for 2.5 hours February 22, 2013

Earlier this week it was being widely reported that Oxford University had taken the drastic step of completely blocking Google Docs, after it had seen a dramatic increase in the number of phishing attacks exploiting the service, targeting staff and students.

What wasn't so widely reported was that the University's block was short-lived.

Click here for full story Naked Security

____________________________________________________________________________________________________________________

Dell out to beat Cisco in enterprise and cloud security February 21, 2013

Dell can trump Cisco in the information-technology security market, say Dell's executives in describing how the company with its multifaceted approach will hold an edge against some powerful rivals that also include HP and IBM.

"Cisco is a great competitor, but they don't have our holistic view," said Patrick Sweeney, executive director product management at the Dell SonicWall division, which markets firewalls and other security gear, as he described a strategy to optimize the identity management assets gained through Dell's acquisition of Quest last September for $2.4 billion.

Cisco isn't Dell's only major security competitor; HP and IBM also loom large when it comes to winning large customers. One reason Dell wants to articulate an IT security strategy now is that the company earlier this month announced a buy-out agreement in which Michael Dell and equity investor Silver Lake would acquire Dell for $24.4 billion -- and Dell enterprise customers are eager for information about the implications of this.

Click here for full story Techworld

____________________________________________________________________________________________________________________

UK lacks FTTH incentives, says Shadow Cabinet Minister February 21, 2013

The UK government is failing to put in place incentives for investment in fibre-to-the-home (FTTH) broadband, inhibiting innovation and potentially damaging the economy, according to Shadow Cabinet Office Minister Chi Onwurah.

Speaking at the FTTH Council Europe's annual conference in London, Onwurah said that digital infrastructure is the platform for innovation, both now and in the future.

She bemoaned the decision by European Union leaders to cut the Connecting Europe Facility (CEF) by 85 percent, claiming that this is “not a positive signal for the investment priorities of Europe”. 

Click here for full story Techworld

____________________________________________________________________________________________________________________
