Mozilla has issued an update to the FireFox browser. This update resolves 2 security issues, o …(more)…
Security Revealed
Several of our observant readers have contacted us today regarding the diary content being from May …(more)…
We have received numerous emails today regarding yet another round of spam hitting the cyberwaves. …(more)…
A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of inte …(more)…
I started implementing PGP signed e-mails across the web site. The goal is to have most of our autom …(more)…
A vulnerability in PHP’s Win32std extension allows attackers to bypass the protection mechanism of the PHP environment and execute arbitrary programs.
The pioout program is a setuid root application, installed by default under multiple versions of IBM AIX, that is used to interface with the printer driver.
I have used real-time blacklists myself since a dozen or so years ago. I’ve worked for compani …(more)…
Next week is a very famous pair of security conferences in the US. I imagine quite a few of ou …(more)…
Several reports today of a zip file with an executable inside. The lure is some exciting fun w …(more)…
In many ways vulnerability remediation is like a track and field race, and the firing of the starter's pistol is the public vulnerability announcement. The goal of the race is to be the first one to either exploit or patch a vulnerability. The participants in the race may include: 1) organizations running the vulnerable application, 2) attackers looking to exploit the vulnerability manually, or 3) the odds-on favorite to win the race – an automated worm program. Organizations looking to mitigate or patch their systems are the long shots to win this race. Let’s look at a breakdown of the challenges that organizations face:
Unfortunately, many organizations don’t realize that they are even in a race! This can be attributed to poor monitoring of vulnerability alerts. If you aren’t signed up on your vendor’s mailing list, or you don’t have someone checking US-CERT or the SANS Internet Storm Center (ISC) daily, then you are immediately giving the attackers a 50 yard lead in this race…
If you are running in a relay race, you need to have a baton to pass to each member of your team. In this case, the baton is the vendor’s security patch. You might be ready, willing and able to start the patching process; however, if the vendor doesn’t release the patch, you can’t really start the race then, can you?
Each leg of the relay could be thought of as a step in the patching process, such as installation on a test host, then pushing the patch out to development, then regression testing, and finally out to production. As each phase completes its tasks, it then needs to notify the next group and “hand off the baton” so they can move forward with testing. If this doesn’t happen, then the patch will never make it to the finish line – which is when the patches are applied to production hosts. I can’t tell you how many times I have seen customers whose patches make it through one or two phases but then just seem to fall off the priority list.
In a relay race, if you step outside of your lane, you can be disqualified. Similarly, if a security patch ever causes any sort of disruption to normal service, then the patch is usually not applied. If there are problems during regression testing, then odds are that the security patch will not make it to the finish line. In the end, functionality will always trump security.
Many organizations want to minimize the risk of being disqualified, so they take a rather slow, methodical approach to the race and decide just to walk it. These are the organizations that only have quarterly downtime for patching. These companies may get a ribbon for participation, but they will never win the race.
What happens if you are not able to apply any patches at all to your web application? Two valid scenarios are companies that have outsourced the development of their web application and/or are using an older version of a COTS product for which the vendor is no longer providing patches. What options are left for these companies to compete in this race?
So, where does that leave us then? Is there anything that organizations can do to even the playing field in this race? The answer is yes. Virtual patching can help by providing immediate mitigations for the vulnerability. If an organization implements a virtual patch on a web application firewall, it acts as a stop-gap measure to prevent remote exploitation of the vulnerability until the actual patch is applied. Using the relay race analogy again, this would be like forcing the attackers to run a steeplechase type of race, with water pits and 10 ft. tall hurdles in their lane, while you are allowed to run a normal race without any obstacles. In this type of scenario, you have a much better chance of beating the attackers to the finish line and protecting your web applications.
If you would like to know more about virtual patching, Ivan Ristic and I will be jointly presenting a webcast on this topic very soon:
Date: Wednesday, August 8, 2007
Time: 8AM, Pacific DT
Registration Link
It’s that time of year again everyone. Time to prep for Black Hat and Def Con!
For some strange reason I’ve been getting a lot of e-mails asking me what’s in my luggage for next week.
I wish I only made this stuff up.
Here’s the breakdown:
Laptop bag:
MacBook Pro 17″ Core2Duo
Power Adapter
Bluetooth Mighty Mouse
The biggest malware threat we’re dealing with at the moment is definitely the Storm worm. Unl …(more)…
Please pardon the interruption. If you manage the APEWS list, please contact us …(more)…
The Internet Systems Consortium has announced updates to BIND that address CVE-2007-2926.
From thei …(more)…
We have received several reports today from people that are getting flooded with SPIM on their IM ac …(more)…
In reviewing the Top 10 Ports today at isc.sans …(more)…
LinkedIn is “a business oriented social networking site, mainly used for professional networking”. A vulnerability in the LinkedIn toolbar allows remote code execution on the client side.
Amit Klein wrote about a paper he just released with details about a BIND 9 cache poisoning issue. T …(more)…
One of the hardest things to deal with in this industry is the stigma associated with being involved in data security investigations. You know the stigma well, don’t you? You’re “the man”, “big brother”, “the all seeing eye”, or maybe “the evil one”. There’s a thousand or so of them I’m sure.
It doesn’t matter if you’re the 24×7 security monkey at work or a hacker-investigator for hire – you wear the scarlet “S” on your jacket.
Geek Test. Read the title. What video game pops into your head?
Although ‘knights’ weren’t a playable character in that game, one particular knight (our friend BlueKnight) found himself to be a pawn in a rather sadistic game of “Steal My Credit Card!”.
Take it Blue Knight…
Here’s a good story for you…I love horses, but a nightmare ain’t one of ‘em.
Every once in a great while a stray charge (from someone else) will appear on the Visa statement and it’s easy to have re
Numerous readers have contacted us in in the past hour to let us know that . …(more)…
Over the weekend, I read a report by an anti-virus firm about the discovery of a malware …(more)…
It started nearly a month ago, a shift from image-based spam to spams containing PDF files.
I’m sur …(more)…
We have all seen the recent web related incidents such as Mpack that leverages compromised web sites …(more)…
Andrew writes in to say . …(more)…
In an earlier diary, we included a link to Microsoft’s security web site that did not work. Ba …(more)…
The latest revision to Firefox 2 has been released (2.0 …(more)…
As many of you may be aware, a huge tragedy happened in Brazil yesterday, an airplane crash, th …(more)…
Earlier today, Mozilla Firefox 2.0 …(more)…