In this Google Tech Talk, Mike Andrews, a security consultant from Foundstone, discusses common techniques for exploiting weak spots in Web applications. (Running time: 1:26)
Malware that attacks mobile phones and other handheld devices has been the Next Big Threat for most of the last decade. And much like the Year of PKI, it’s never really materialized. Security experts have postulated that this is mainly because there’s not enough valuable data on these devices to attract the money-motivated attackers. But a new paper, “Understanding the Spreading Patterns of Mobile Phone Viruses,” from a group of scientists shows that the barriers are more likely market saturation and geography.
From InformIT (Gary McGraw)
This article originally appeared on InformIT.com as part of Gary McGraw’s Software [In]Security series.
Using the Software Security Framework (SSF) introduced in October, we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create the Building Security In Maturity Model (BSIMM) based on these data, and we’re busy going over what we’ve built with the executives who run the nine initiatives (stay tuned here for more).
Dennis Fisher talks to Adam Shostack of Microsoft, about the evolution of thinking around “The New School of Information Security,” his new group blog and what surprised him most when he went to work at Microsoft.
The received wisdom in the security industry is that trying to qualitatively assess the security of a given piece of software is an incredibly difficult task. Some of the sharpest minds in software security–Gary McGraw, Brian Chess and Michael Howard among them–have spent years trying to nail down a framework for this task, with varying degrees of success. Not to worry, though. As Eric Rescorla writes, the government has now joined the fray with a proposal to develop standards for software security.
From Purdue University’s CERIAS
The economic crisis has affected virtually every facet of society, and information security is no exception. In a new report titled Unsecured Economies: Protecting Vital Information, researchers from Purdue University’s CERIAS security center lay out the fairly bleak view of what the tough times have done to corporate IT security.
From The Register (Dan Goodin)
Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers [theregister.co.uk] that rely on them, a security expert has determined.
So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors. Read the full story [theregister.co.uk]
DNS is one of the key underpinnings of the Internet, but because the system isn’t owned by any one entity, no one is responsible for the security of the entire network. The owner of each DNS server secures it as he sees fit, but as the discussions at the recent Global DNS Security, Stability and Resiliency Symposium showed, there is a clear need for some leadership on DNS security.
Security researchers at Kaspersky Lab (our corporate sponsor) are warning about a new potentially unwanted program [viruslist.com] targeting Symbian-based smart phones.
The program, called iPornPlayer, promises sexually-explicit content on handsets but there’s a hefty price attached because it calls international premium rate numbers.
Read the full story [viruslist.com]
The experts at SRI International, who have been tracking the Conficker worm as closely as anyone, have released the source code to the scanner they wrote to detect the active P2P scanning that Conficker-infected machines perform.
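As an added illustration of the general idea behind that kind of scanner (this is not SRI's code, which is not reproduced on this page, and it knows nothing Conficker-specific), the following script profiles outbound flow records per source host and separates "peer-scan" behaviour (many distinct hosts, each on a different port, as a P2P bootstrap tends to look) from a classic single-port worm sweep. The flow format, the thresholds and the sample records are all assumptions constructed for the example.

```python
"""Flag hosts whose outbound fan-out looks like active peer scanning.

Added example, not SRI International's Conficker scanner. It reads constructed
flow records of the assumed form  epoch,src,dst,dport,proto  and profiles each
source host per time bucket. Thresholds below are assumptions, not measurements.
"""
from collections import defaultdict


def _constructed_flows():
    """Build sample flow records (constructed data, not a real capture)."""
    lines = []
    t = 1238000000  # constructed epoch timestamps, all inside one 60 s bucket
    for i in range(12):  # 10.0.0.5 sweeps 12 hosts on TCP/445: a service scan
        lines.append(f"{t + i},10.0.0.5,10.0.1.{i + 1},445,tcp")
    for i in range(12):  # 10.0.0.7 probes 12 hosts, each on a different high UDP port
        lines.append(f"{t + i},10.0.0.7,198.51.100.{i + 1},{20000 + 7 * i},udp")
    lines += [
        f"{t + 5},10.0.0.9,192.0.2.10,80,tcp",  # 10.0.0.9: ordinary client traffic
        f"{t + 6},10.0.0.9,192.0.2.53,53,udp",
        f"{t + 9},10.0.0.9,192.0.2.10,443,tcp",
    ]
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _constructed_flows()


def parse_flows(text):
    """Parse 'epoch,src,dst,dport,proto' lines into tuples; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def profile_sources(flows, window=60):
    """For each source, the largest number of distinct destinations and distinct
    destination ports seen in any single `window`-second bucket."""
    buckets = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for ts, src, dst, dport, _proto in flows:
        b = buckets[(src, ts // window)]
        b["dsts"].add(dst)
        b["ports"].add(dport)
    profile = {}
    for (src, _bucket), b in buckets.items():
        cur = profile.setdefault(src, {"max_dsts": 0, "max_ports": 0})
        cur["max_dsts"] = max(cur["max_dsts"], len(b["dsts"]))
        cur["max_ports"] = max(cur["max_ports"], len(b["ports"]))
    return profile


def classify(profile, min_peers=8, min_ports=8):
    """Label each source: peer-scan (many hosts AND many ports), service-scan
    (many hosts on few ports), or normal. Thresholds are assumed values."""
    verdicts = {}
    for src, p in profile.items():
        if p["max_dsts"] >= min_peers and p["max_ports"] >= min_ports:
            verdicts[src] = "peer-scan"
        elif p["max_dsts"] >= min_peers:
            verdicts[src] = "service-scan"
        else:
            verdicts[src] = "normal"
    return verdicts


def detect(text, window=60, min_peers=8, min_ports=8):
    """End-to-end: parse flow text and return {src: verdict}."""
    return classify(profile_sources(parse_flows(text), window), min_peers, min_ports)


if __name__ == "__main__":
    for src, verdict in sorted(detect(SAMPLE_FLOWS).items()):
        print(f"{src:12s} {verdict}")
```

Tuning note: the per-bucket approach is deliberately simple so that it runs over NetFlow or firewall exports without state beyond one window; a real deployment would whitelist known high-fan-out hosts (DNS resolvers, monitoring systems, proxies) before acting on a "peer-scan" verdict.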