Targeted spear phishing attacks
17 Apr 2008 06:33 GMT
A colleague of mine, Dave Wong, from Ernst & Young's Advanced Security Center in New York, pointed me to a really interesting article on targeted spear phishing attacks by John Markoff of the New York Times. Phishing has been really interesting to me lately, as I've seen a wave of discussions,...
Source: ZDNet

Apple releases Safari 3.1.1 security update
17 Apr 2008 03:16 GMT
Under cover of darkness, Apple released Safari 3.1.1 via Software Update tonight. In typical Apple form the description is purposefully vague, recommending the update "for all Safari users" and telling us that it "includes improvements to stability, compatibility and security." A-ha. Apple's About the security content of...
Source: ZDNet

Mozilla patches Firefox JavaScript bug
16 Apr 2008 13:00 GMT
It was a light patch collection for Firefox on Wednesday, as Mozilla pushed out repairs for just one critical security vulnerability. The bug was not, however, patched in Thunderbird, even though the e-mail client uses the same engine.
Source: Computerworld

Okla. agency site plugs coding error that left data exposed
16 Apr 2008 13:00 GMT
For three years, anyone with a basic knowledge of SQL could submit their own SQL query to pull the data of their choice from the underlying database of an Oklahoma Department of Corrections Web site.
Source: Computerworld

Internet retailer sues Yahoo for $1 million
16 Apr 2008 13:00 GMT
Online retailer Bigreds.com is suing Yahoo for $1 million, claiming it was overcharged because it was the victim of click fraud.
Source: Computerworld

Compliance, Protection, Recovery: A Layered Approach to Laptop Security
16 Apr 2008 13:00 GMT
(Source: Absolute Software) A missing computer can result in compliance and privacy issues that can be very costly to an organization. This paper examines the strong relationship between computer theft, regulatory compliance and data security, and reviews how IT professionals can strengthen their security infrastructure by combining policy, encryption and management of remote IT assets.
Source: Computerworld

Taking ownership (pwnership) of content: Cross-site Scripting Google
16 Apr 2008 11:58 GMT
My good friend Billy Rios (pictured to the right) published another interesting exploit recently. It's a cross-site scripting exposure in spreadsheets.google.com, which is interesting because it's exploited by using the content-type returned by spreadsheets.google.com and a caching flaw on the part of Google. Here are some details from Billy's blog: I was...
Source: ZDNet

Q&A: Bob Russo talks about the PCI Council
16 Apr 2008 11:09 GMT
Bob Russo, the general manager of the PCI Security Standards Council, spoke with Computerworld's Jaikumar Vijayan about the organization's current thinking on the PCI standard, what's changed since he took the helm in 2007, and what he makes so far of the Hannaford and Okemo Ski Resort data breaches.
Source: Computerworld

Malicious microprocessor opens new doors for attack
16 Apr 2008 11:09 GMT
A team of security researchers at the University of Illinois at Urbana-Champaign demonstrated on Tuesday a hack that, by compromising a remarkably small number of circuits on a microprocessor, gave them back-door access to the machine in which the chip was running. It's a lot of work to execute... for the moment.
Source: Computerworld