Dark Reading TV

Friend Me Satan! - 8/18/2008 2:00:00 PM
Social networks may be all the rage, but they carry serious security risks. Researchers Shawn Moyer and Nathan Hamiel talk about these risks with CSI's Sara Peters. They break them into social risks (we're far more trusting online) and technical ones (the need to understand the security risk of third-party Web apps). The researchers point out that social network sites vet applications with little rigor, and that the hooks into the networks are deep, so anything you submit can be queried by an application developer; that means the sites must vet their developers.

- 8/18/2008 1:30:00 PM
Dark Reading site editor Tim Wilson talks to Oliver Friedrich about the threats his research found on the presidential candidates' Websites from earlier in the year up until now. The biggest threat was typo squatting: registering domain names similar to the candidate Websites, whether for staging attacks or simply for publicity. Friedrich also talks about cross-site scripting vulnerabilities on the Barack Obama Website.

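Anyone defending a campaign site would want the list of look-alike names a typosquatter could register, so they can check which are already taken. The generator below is an added example written for this page, not code from Friedrich's research; the seed domain example.com and the partial QWERTY adjacency map are constructed inputs, and the set of typo classes is the usual one (omission, doubled key, adjacent key, transposition, hyphenation, wrong TLD) rather than anything specific to the candidate sites.

```python
"""Enumerate typosquat candidates for a domain.

Added example for this page, not code from Friedrich's research.
The seed domain "example.com" and the partial QWERTY adjacency map are
constructed inputs for the demonstration.
"""

# Assumption: a partial US-QWERTY neighbour map is enough to show the
# "fat finger" class; extend it for production monitoring.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}


def split_domain(domain):
    """Split 'name.tld' into (name, tld); any subdomain labels stay in name."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def _valid_name(name):
    """Reject empty labels and labels with a leading or trailing hyphen."""
    return all(lbl and lbl[0] != "-" and lbl[-1] != "-"
               for lbl in name.split("."))


def typo_candidates(domain, extra_tlds=("net", "org", "info")):
    """Return the set of look-alike registrations for `domain`.

    Classes covered: single-character omission, doubled character,
    adjacent-key substitution, adjacent transposition, hyphen insertion,
    and the same name under other TLDs. The original domain is excluded.
    """
    name, tld = split_domain(domain)
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])              # omission
        variants.add(name[:i] + ch + ch + name[i + 1:])    # doubled key
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(name[:i] + near + name[i + 1:])   # fat finger
        if i > 0:
            variants.add(name[:i] + "-" + name[i:])        # hyphenation
    for i in range(len(name) - 1):                         # transposition
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    variants.discard(name)

    candidates = {f"{v}.{tld}" for v in variants if _valid_name(v)}
    for other in extra_tlds:
        if other != tld:
            candidates.add(f"{name}.{other}")              # wrong TLD
    return candidates


if __name__ == "__main__":
    for cand in sorted(typo_candidates("example.com")):
        print(cand)
```

Feed the output to a WHOIS or DNS check to see which names resolve and who holds them; a name that resolves to a host the campaign does not control is the case the interview describes.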
Browser Exploits - 8/18/2008 9:30:00 AM
DEP and ASLR are supposed to make exploits more difficult, but third-party browser plug-ins like Flash and Java were not built to take advantage of those protections, making a mess of browser memory protection. Sara Peters, Senior Editor for CSI, speaks with Mark Dowd, a research engineer with IBM X-Force, and Alexander Sotirov, a software security researcher, about the bypasses they presented at the Black Hat conference in Las Vegas in a session called "How to Impress Girls With Browser Memory Protection Bypasses."

Hacking The Body - 8/13/2008 2:05:00 PM
Fritz Nelson, the executive producer of TechWebTV, speaks with Kevin Fu, an assistant professor of computer science at the University of Massachusetts, Amherst, about a futuristic concern: the ability of attackers to compromise implantable medical devices. These devices now have longer wireless read ranges and are being used to treat new diseases, so there are many avenues for reading confidential information and compromising the integrity of the devices. While nobody is known to have attacked a patient's device yet, it's early, and now is the time to plan for it, experts say. One of the biggest issues, of course, is privacy, especially as it relates to socially stigmatized conditions like depression or sexual dysfunction.

Four Horsemen of Virtualization Security - 8/8/2008 5:00:00 PM
Many chief security officers are wrestling with how to secure virtual environments. Dark Reading editor Kelly Jackson Higgins talks with Unisys CSO Chris Hoff about security in a virtual environment after his talk at Black Hat, titled "The Four Horsemen of the Virtualization Security Apocalypse."

Meet the Fed - 8/8/2008 5:00:00 PM
CSI director Robert Richardson talks to the Fed, namely Jim Christy, director of futures exploration at the Department of Defense Cyber Crime Center. Christy talks about the role of the Feds and DOD at Black Hat (where he runs the 'Meet the Fed' session), which he compares to the cops going to the burglar convention. Christy says intrusions are getting more sophisticated: you're starting to see more nation states and organized crime, and the perpetrators are more focused and know what they are looking for.

Storm BotNet Update - 8/8/2008 5:00:00 PM
Dark Reading's senior editor, Kelly Jackson Higgins, speaks with Joe Stewart, the director of malware research at SecureWorks. Stewart updates Dark Reading on the Storm botnet and how not much has changed about its nature -- but it seems to be using peer-to-peer (BitTorrent) rather than email to spread the worm. That is, it's not the botnet itself that has changed but the tactics: the social engineering side keeps being refined. Stewart has also seen another botnet, Coreflood, which is designed to steal your data rather than send spam.

Kaminsky on DNS - 8/7/2008 9:00:00 AM
Security researcher Dan Kaminsky unveiled his much-anticipated DNS vulnerability discovery at Black Hat 2008. He talks to site editor Tim Wilson about the nature of that vulnerability: essentially, an attacker can trigger a fresh lookup for a never-before-seen name under the target domain on every attempt, so a failed guess of the resolver's transaction ID no longer has to wait out a cached record's TTL; the attacker simply tries again, and a forged reply that wins the race can carry delegation (nameserver) records for the whole domain. Repeating the attempt as often as needed drives the chance of success toward certainty. Kaminsky also talks about the work done by him and the community behind the scenes to fix this flaw before it was publicly revealed.

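To see why unlimited retries matter, and why the fix that shipped (randomizing the source port as well as the transaction ID) helps, here is an added example written for this page; it is not Kaminsky's tooling and not a real resolver. The model has the resolver pick a random 16-bit transaction ID, optionally combined with a random source port, for each upstream query, while the attacker sends a batch of forged replies with distinct guessed values before the real answer lands. Every number in it is a simulation parameter, not a measurement.

```python
"""Why unlimited retries break a 16-bit DNS transaction ID.

Added example for this page; not Kaminsky's tooling and not a real
resolver. Model: the attacker asks the resolver for a fresh random name
under the target zone, so each attempt causes a new upstream query with
a new transaction ID (and, if the resolver randomizes it, a new source
port). Before the real answer arrives the attacker fires a batch of
forged replies with distinct guesses; a guess that matches wins the race.
All numbers below are simulation parameters, not measurements.
"""
import random

TXID_SPACE = 1 << 16   # the DNS transaction ID is 16 bits


def success_probability(forged_per_query, attempts, port_space=1):
    """Closed form: chance that at least one of `attempts` races is won.

    The resolver draws (txid, port) uniformly from TXID_SPACE * port_space
    values; the attacker's guesses are distinct, so one race is won with
    probability forged_per_query / (TXID_SPACE * port_space).
    """
    space = TXID_SPACE * port_space
    p_one = min(1.0, forged_per_query / space)
    return 1.0 - (1.0 - p_one) ** attempts


def simulate_poisoning(forged_per_query, attempts, port_space=1, seed=2008):
    """Monte Carlo race: return the attempt number that won, or None."""
    rng = random.Random(seed)
    space = TXID_SPACE * port_space
    for attempt in range(1, attempts + 1):
        real_id = rng.randrange(space)                        # resolver's pick
        guesses = rng.sample(range(space), forged_per_query)  # attacker's batch
        if real_id in guesses:
            return attempt                                    # cache poisoned
    return None


if __name__ == "__main__":
    batch, tries = 100, 5000
    print("txid only       :", success_probability(batch, tries))
    print("txid + src port :",
          success_probability(batch, tries, port_space=TXID_SPACE))
    print("simulated win at:", simulate_poisoning(batch, tries))
```

With 100 forged replies per query and 5,000 fresh queries, the transaction-ID-only resolver is poisoned with better than 99.9% probability; adding a 16-bit random source port drops the same attacker's odds to roughly one in ten thousand, which is the difference the patch made.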
Black Hat 2008 Keynoter Ian Angell - 8/7/2008 9:00:00 AM
Black Hat keynoter Ian Angell talks about the dangers of thinking that technology can solve everything, pointing to the example of the DNA database as a solution for fighting crime. Systems get overloaded, grow in complexity, and evolve.

Root Labs' Nate Lawson - 8/7/2008 9:00:00 AM
Root Labs' Nate Lawson found some major security and privacy implications in how FasTrak, California's electronic toll system, has been implemented. He opened up a transponder, found a lot of undocumented behavior, and found that it lacked encryption. California highway officials have mostly been silent about this, despite Lawson's offer to help them fix the system -- for free. Lawson also revealed he has developed a 'kill switch' that lets you turn the transponder on for the tolls and off the rest of the time to protect your privacy.

Phishing the Phishers - 8/7/2008 9:00:00 AM
Security researchers Nitesh Dhanjani and Billy Rios set out to infiltrate the phishing ecosystem and found that there is no honor among thieves and a general lack of sophistication. For example, they found plenty of phisher-on-phisher crime, with phishers stealing information from each other.

Dan Kaminsky, Director - Penetration Testing, IOActive - 8/27/2007 4:15:00 PM
Researcher Dan Kaminsky turns his focus to vulnerabilities in Web 2.0 applications, but notes that many of today's most dangerous flaws have been around for years. In this interview, Kaminsky talks about new flaws, old flaws, and how he has developed an unusual new technology that mixes music and IT security.

Adam Laurie, Freelance Security Consultant, http://rfidiot.org - 8/27/2007 3:15:00 PM
RFID expert Adam Laurie outlines the vulnerabilities inherent in the wireless technology, the exploits under development by black hats, and some common-sense advice on how to avoid the threats associated with RFID identification.

Jim Christy, Director - Futures Exploration, Dept of Defense - 8/27/2007 3:00:00 PM
Jim Christy, director of futures exploration for the U.S. Department of Defense, talks about threats, preparedness, and his role in the newest "Die Hard" movie. On behalf of law enforcement, Christy also appeals to black hats to stop trying to beat law enforcement -- and join it instead.

Johnny Long, Computer Sciences Group - 8/27/2007 2:45:00 PM
Penetration tester and vulnerability researcher Johnny Long discusses methods for breaking through corporate defenses without needing a hacker's technical skills. Long takes viewers on a ride through old and new tactics, including dumpster diving, shoulder surfing, tailgating, and Google hunting.

The Great Rootkit Debate - 8/27/2007 4:30:00 AM
Researcher Tom Ptacek says he has tools that will detect any rootkit. Researcher Joanna Rutkowska says she's developed a rootkit that can't be detected by any security tool. Who's right -- and how will the answer affect the security research community? Check out this video, in which both experts offer their perspectives on this hot debate.

Richard Clarke, Chairman, Good Harbor Consulting - 8/27/2007 4:15:00 AM
Security and military expert Richard Clarke offers a real-life picture of threats currently in play against key elements of U.S. infrastructure and federal government defenses. Terrorists and rival nation-states present a real danger to U.S. defenses, Clarke warns -- a danger that many government agencies aren't prepared for.

Black Hat 2007 - 8/6/2007 3:55:00 PM
"Hats divide generally into three classes: offensive hats, defensive hats, and shrapnel." - Katharine Whitehorn. DRTV's round-up of goings-on in Las Vegas at Black Hat 2007, including a special report by undercover reporter 'Ac!d Crash' - that's not a real tattoo...

Graham Melville, Director of Product Marketing, Nokia - 12/1/2006 9:00:00 AM
With highly mobile devices, data that's often in transit, and a variety of end points that need to be secured, enterprises need the best management overview they can get. Nokia's Graham Melville explains the "contextualization" of security management information -- for example, how you weed out the false positives from the information you need to act on. In the end, striking the right balance between usability and security will be the challenge -- and reward -- for enterprise IT professionals.

Steve Stasiukonis, VP & Founder, Secure Network Technologies - 12/1/2006 8:59:00 AM
It's easy for IT staff to get so hyper-focused on the multitude of external threats that they overlook the negligence or malfeasance their own internal users can wreak on the network. These come in the form of thumb drives, iPods, and even smartphones that can carry away proprietary data or, perhaps worse, introduce malware across the enterprise. Some may respond by disabling USB ports on desktops, but controlling, managing, and monitoring them is the smarter way to go, Stasiukonis contends.

John Greiner, CTO, Legal Services of New York City - 12/1/2006 8:58:00 AM
Life at a nonprofit like Legal Services of New York requires an artful balance: keeping internal users secure and operational without dipping into funds that might otherwise be used to hire more attorneys. While Greiner likes the promise of automating security functions like remote access and firewall management, the technology hasn't kept pace with his hopes. But he points to the growth of "knowledge management" workers in the legal industry as a means to bolster wider use of IT and security technology among law firms and service organizations.

Joseph Foran, Director of IT, FSW - 12/1/2006 8:57:00 AM
While the potential of network access control (NAC) is both sizeable and attractive, truly useful implementations are about two years away. NAC's ability to integrate with intrusion detection systems (IDS) in particular would go a long way toward reducing the reams of data these must-have security systems generate on a daily basis, Foran tells DRTV. He also points to the "driving force" of HIPAA and other privacy- and security-related legislation as exerting a positive influence on the quality of services provided by FSW, a non-profit human services agency.

Lockdown: Securing Today's Enterprise Data - 11/28/2006 1:05:00 PM
As threats become increasingly sophisticated, data security touches every aspect of systems, networks, and end devices. CMP's leading editors and analysts peeled back the layers to identify enterprises' biggest challenges and what their options are to remedy them. This conference also looked at external threats that come from hackers, viruses, and phishers, as well as the growing internal risks from negligence or malice.

Cam Cullen, VP, Product Management, Reef Point - 8/3/2006
The security ramifications of voice over IP are still not completely clear, says Reef Point's Cam Cullen; carriers still need to take the proper precautions to protect their core networks as SIP security evolves and matures. And the proliferation of WiFi and mesh wireless networks means they're also likely to become targets for hacker attacks.

Simon Szykman, Director, National Coordination Office, NITRD - 8/3/2006
The U.S. government is looking at multiple areas to fund technology research and development -- detection of attacks, better authentication, and improved security for wireless, next-generation converged nets, and future architectures for the public Internet. Szykman also explains why the government has allocated more than a third of its R&D budget for 2007 to high-end supercomputing.

Kevin Simmons, Director, Technology Support, SkyWest Airlines - 8/3/2006
IT security's a big enough challenge, but security management gets really interesting when you throw physical security into the mix at every airport in which SkyWest operates. Simmons' biggest security concerns? Viruses that can hop his firewalls, laptop users who might get a little lazy where security's concerned, and keeping "dirty" devices separate from the "clean" ones.

Richard Stiennon, Chief Research Analyst, IT Harvest - 8/3/2006
Compliance regulations that require user privacy, secure records storage, or disclosure of potential data losses will continue to drive security management and security spending, says Richard Stiennon, Chief Research Analyst at IT Harvest. Find out why he's predicting a widescale, distributed denial-of-service against a major stock exchange or financial services company in the not too distant future.

ENTERPRISE VULNERABILITIES

Vulnerability: Microsoft Visual Studio
Published: 2008-08-19
Severity: HIGH
Description: Stack-based buffer overflow in the MaskedEdit ActiveX control in msmask32.ocx 6.0.81.69, and possibly other versions before 6.0.84.18, in Microsoft Visual Studio 6.0 allows remote attackers to execute arbitrary code via a long Mask parameter, as exploited in t...

Vulnerability: Symantec Veritas Storage Foundation
Published: 2008-08-19
Severity: HIGH
Description: The management console in the Volume Manager Scheduler Service (aka VxSchedService.exe) in Symantec Veritas Storage Foundation for Windows (SFW) 5.0, 5.0 RP1a, and 5.1 accepts NULL NTLMSSP authentication, which allows remote attackers to execute arbitrary ...

Vulnerability: SpeedBit Download Accelerator Plus, JComSoft AniGIF
Published: 2008-08-18
Severity: HIGH
Description: Multiple stack-based buffer overflows in the Animation GIF ActiveX control in JComSoft AniGIF.ocx 1.12 and 2.47, as used in products such as SpeedBit Download Accelerator Plus (DAP) 8.6, allow remote attackers to execute arbitrary code via a long argument to t...

Vulnerability: Kayako SupportSuite
Published: 2008-08-18
Severity: HIGH
Description: SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action.

Vulnerability: Kayako SupportSuite
Published: 2008-08-18
Severity: MEDIUM
Description: Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite 3.20.02 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the sessionid parameter in a livesupport startclientchat action to visitor/index.php; (2) the <...