[SecurityRatty] tag: us-cert

New surveillance program will turn military satellites on US

Mon, 06 Oct 2008 13:50:02 +0000

An appropriations bill signed by President Bush last week allows the controversial National Applications Office to begin operating a stringently limited version of a program that would turn military spy satellites on the US, sharing imagery with other federal, state, and local government agencies.

CRM Made Simple

Mon, 06 Oct 2008 09:02:02 +0000

WHEN:Wednesday, October 15th10 AM PT / 1 PM ET Join us today!SPONSORED BY: Microsoft Dynamics CRM OnlineJoin this FREE webinar to get 6 game plans to overcome 6 common CRM obstacles and fears CRM use...

The Results Are In: Real Savings with Deploying Global Telepresence & Multimedia Services

Mon, 06 Oct 2008 08:42:16 +0000

WHEN: Thursday, October 30th10 AM PT / 1 PM ET Join us today!SPONSORED BY: Nortel-PolycomJoin this FREE webinar to see how leading enterprises are effectively deploying global Telepresence to communi...

PCI Bans WEP SecurityStarting 2010

Mon, 06 Oct 2008 05:38:19 +0000

Version 1.2 for the PCI Data Security Standard was released last week.

One interesting outcome is that the insecure wireless WEP protocol will be banned…but not until June 2010. Says Ars Technica:

Although TJX has become the poster-child for consumer data theft over WiFi, it is (by far) not the only company to use insecure wireless technologies. Wireless security manufacturer AirDefense released a report in late 2007 saying that a quarter of the 4,748 retail access points it surveyed across the US had no security whatsoever, while another quarter only used WEP, “one of the weakest protocols for wireless data encryption.” Just under half (49 percent) of the surveyed hotspots used WiFi Protected Access (WPA) or WPA 2—much stronger encryption protocols than WEP.

If you’re wondering about what other impacts will have, you might want to read through the PCI site or sign up for the SecureWorks webcast on October 14th to learn more.

Change your passwords with your smoke detector batteries

Sun, 05 Oct 2008 08:26:43 +0000

If you’ve changed your smoke detector batteries more recently than you’ve changed your passwords, then you should think about changing some of them now. If you can change passwords more often, great. But I realize that some of us have upwards of 25 passwords to manage on a regular basis (click HERE). It’s not fun having [...]

Links for 2008-10-03 [del.icio.us]

Fri, 03 Oct 2008 20:00:00 +0000

Hackers Use Neosploit To Infect Around 80,000 Sites, Including BBC And US Postal Service

Fri, 03 Oct 2008 17:39:54 +0000

According to Ian Amit, director of security research at Aladdin Knowledge Systems, cybercriminals have used the latest version of Neosploit to booby-trap an estimated 80,000 legitimate sites with malicious code. Victims of the attack include government, Fortune 500, and a weapons manufacturing firm. Victims of the attack also included the US Postal Service, which has [...]

Mitigating Exploitation Techniques

Thu, 02 Oct 2008 20:07:00 +0000

Hi, Matt Miller from Microsoft’s Security Science team here to talk about exploitation & mitigation.

Over the past decade exploitation techniques have been developed and refined to the point that very little expertise has been needed to successfully exploit software vulnerabilities. These refinements have lowered the bar for attackers and drastically increased the probability that an attack will be successful. This has led to the need for mitigation techniques that can prevent or otherwise reduce the reliability of a given exploitation technique. In relation to one another, we can think about exploitation techniques as attempting to drive the probability of successful exploitation to 100%, whereas mitigation techniques attempt to drive the same probability to zero. While probability gives us a nice measure for the effectiveness of a mitigation technique, it doesn't give us immediate insight into the specific problems being solved by mitigations or the techniques that are being used to solve those problems.

Understanding the problems that are solved by mitigations is what provided the motivation for the presentation I will be giving at BlueHat. Many of the materials in this presentation were taken from my work with Leviathan Security Group and have been repurposed to focus on taking attendees on a journey through the technical evolution of the mitigation techniques developed by Microsoft. This evolution is illustrated in terms of the problems each mitigation technique is attempting to solve, the methods used to solve them, and how well each mitigation has stood the test of time thus far. The journey itself starts first with /GS and ends with a glimpse of the mitigation techniques we might expect to see in the future.

It is my hope that this presentation will illustrate that mitigations, when working in concert with one another, can be an effective method of helping to keep users secure by reducing the probability of a successful exploitation attempt for the majority of known exploitation techniques.

Links for 2008-10-02 [del.icio.us]

Thu, 02 Oct 2008 20:00:00 +0000

Crazy Consolidation Will Continue | Security Incite: Analysis on Information Security

Money meltdown, Ozzie's cloud, security worries

Thu, 02 Oct 2008 20:00:00 +0000

At least those of us who are fans of professional baseball have the playoffs to take our minds off the grim news this week (at least that's the case for fans of the teams that are winning). The U.S. financial system meltdown smacked world markets and set off a whole lot of worry, which tended to overshadow all the other news.