The Harlow Report - GIS


ISSN 0742-468X
Since 1978
On-line Since Y2K



Archived Industry Notes: Technology
Published in 2009



N-O

Netbooks may offer hackers private data gateway

Low-cost netbooks could be a high-speed gateway into people’s lives, bank accounts, passwords and other personal data. Netbooks have made headlines since their 2007 launch, making PCs accessible to millions of non-traditional users. But their low cost could also carry a steep price tag, because lax security makes them easier prey for viruses and hackers. Since their introduction less than two years ago by Taiwan’s Asustek, nearly all major PC makers, including Hewlett-Packard, Dell, Acer, and Lenovo, have jumped on the netbook bandwagon. But their no-frills nature, combined with low computing power and the relative lack of sophistication among their users, could create the perfect storm for hackers and virus creators looking for easy targets, analysts say. “The Internet is full of dangers, regardless of what computer you are using,” said the greater China marketing manager at anti-virus software maker Symantec. “But keeping in mind that the netbook is primarily used to surf the Internet, those dangers are possibly multiplied many-fold, especially if there is no anti-virus software installed in the machine.”

First published week of: 03/09/2009


New advocacy group pushes OSS for the USA

A group of commercial open source software vendors and various nonprofit advocacy organizations have joined forces to encourage broader use of open source software and open standards in government IT. The coalition, called Open Source for America (OSA), aims to educate government officials and promote procurement policies that give open source software solutions equal priority to proprietary competitors.

The group has not yet disclosed a lot of specific details about how it will pursue its mission, but it is actively seeking volunteers who are willing to contribute to the effort. The organization’s Web site has a registration form that prospective participants can use to gain OSA membership. The registration form describes several ways that members can help, including open source software development, organizing town hall meetings, and assisting with recruitment activities. The OSA clearly intends to grow its ranks and leverage community-driven grass-roots activism as a vehicle for encouraging open source adoption.

First published week of: 07/27/2009


Newfangled cookie attack steals/poisons website creds

A security researcher has discovered a weakness in a core browser protocol that compromises the security of Google, Facebook, and other websites by allowing an attacker to tamper with the cookies they set. The weakness stems from RFC 2965, which dictates that browsers must allow subdomains, such as www.google.com, to set and read cookies for their parent (google.com). The specification also states that if a cookie for a subdomain does not already exist, the browser should use the cookie belonging to the parent instead. The arrangement makes it possible for attackers to steal or even alter the cookies that websites use to authenticate their users. Attackers would first have to identify an XSS (cross-site scripting) bug in some part of the site they are targeting. But because virtually any subdomain will suffice, the scenario is not unrealistic, two web security experts said. “Most websites actually will store session IDs in a cookie and that’s actually how they keep track of users throughout the use of their website,” said a senior researcher for Foreground Security who first documented the flaw at last month’s Toorcon hacker conference. “Using the same techniques to attack those cookies, I can really damage sessions and cause some problems.” The researcher’s paper goes on to demonstrate how he used the technique to bypass a feature Google recently implemented to beef up security on Gmail and other properties. By exploiting a minor vulnerability in sites.google.com, he was able to falsify the contents of his global Google cookie. Google has since fixed the XSS hole in the subdomain.

First published week of: 11/09/2009


NIST, DOD, Intelligence Agencies Join Forces to Secure U.S. Cyber Infrastructure

The National Institute of Standards and Technology (NIST), in partnership with the Department of Defense (DOD), the Intelligence Community (IC), and the Committee on National Security Systems (CNSS), has released the first installment of a three-year effort to build a unified information security framework for the entire federal government. Historically, information systems at civilian agencies have operated under different security controls than military and intelligence information systems. This installment is titled NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.

“The common security control catalog is a critical step that effectively marshals our resources,” says Ron Ross, NIST project leader for the joint task force. “It also focuses our security initiatives to operate effectively in the face of changing threats and vulnerabilities. The unified framework standardizes the information security process that will also produce significant cost savings through standardized risk management policies, procedures, technologies, tools and techniques.”

First published week of: 08/03/2009


No user action required in newly discovered PDF attack

Merely storing, without opening, a malicious PDF file can trigger an attack that exploits the new, unpatched zero-day flaw in Adobe Reader, a researcher has discovered. A researcher and IT security consultant with Contrast Europe NV on March 9 released a proof-of-concept demonstration showing how a file that exploits the Adobe flaw can trigger a new attack when the machine uses Windows Indexing Service, and the user does not even have to open or select the document. In addition, the researcher last week released a proof-of-concept demonstrating how PDF files could be exploited with minimal user interaction, by just saving the file to the hard drive and viewing it in Windows Explorer. But this latest attack vector is more risky, he says, because the user does not have to do anything with the file at all. “It requires no user interaction, and for the Windows Indexing Service, it can lead to total system compromise [with] privilege escalation,” the researcher says.

First published week of: 03/16/2009

