Ryan Naraine

Internet Explorer 8 includes a bevy of security features

By Robert Westervelt, SearchSecurity.com
Microsoft has officially released Internet Explorer 8 today [microsoft.com] with a number of new security features to improve privacy and protect against phishing and cross-site-scripting attacks. From the article:

Q&A: CanSecWest hacker Charlie Miller

At the CanSecWest security conference in Vancouver BC, I got a chance to sit down with Charlie Miller, the researcher who won the Pwn2Own hacking contest by exploiting a fully patched MacBook Air machine using a Safari code execution vulnerability.
We discuss the state of Web browser security, the marketplace for software vulnerabilities and the need for better anti-exploit mitigations on modern operating systems.
Read the full interview [zdnet.com]. Image via TippingPoint.

New iPhone features prompt security concerns

By Eric Ogren, SearchSecurity.com

Apple has a knack for producing consumer-friendly technology, and they have done it again with their Apple iPhone OS 3.0 software [apple.com], which will be available later this summer. But in the process they’ve exposed the smartphone to new areas for hackers to target. The new iPhone software has many exciting new features for consumers. Features such as landscape editing, viewing of email and text files and access to corporate applications through browsers mean this handheld device will be a significant issue for security teams.


The backers of the non-profit StopBadware.org consortium have launched a Web site where ordinary people can band together to fight computer viruses and adware. The online community site, called BadwareBusters.org, launched Tuesday and is sponsored by Harvard University’s Berkman Center, which runs StopBadware.org, and Consumer Reports WebWatch, an online information source for Web users.

Gartner security analyst Neil MacDonald thinks there are five levels to the discussion [gartner.com] about whether Microsoft should be in the security business. They include secure coding (obviously), secure functionality in the platform at no cost (of course), add-on security products at a fee (maybe) and paid cloud-based security services (sure).

All three major Web browsers — Microsoft’s Internet Explorer 8, Mozilla Firefox and Apple’s Safari — failed to survive the hacker onslaught at this year’s CanSecWest Pwn2Own contest.

A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7. He also scored hits against Firefox and Safari.

We recently conducted a project focused on confidential data security [enterprisestrategygroup.com] that will be published soon. However, here are some interesting advance results that support this venerable security dictum. ESG asked 308 North American and European security professionals from large organizations (i.e. 1,000 employees or more) a number of questions about data security risks, policies, and technology safeguards. When asked to define the most important measures for protecting confidential data, nearly half of all respondents said, “communicating and training users on confidential data security policies.” This was the top response followed by, “physical security,” and “access controls for private data.”

By Bob McMillan, ComputerWorld
Diebold has released a security fix for its Opteva automated teller machines after cybercriminals apparently broke into the systems at one or more businesses in Russia and installed malicious software.