-
New denial-of-service threat emerges
Date: 03/17/06
(Security) Keywords: security
Attacks targeted 1,500 IP addresses and delivered a heftier blow than normal DOS threats, VeriSign security chief says.
Source: http://news.zdnet.com/2100-1009_22-6050688.html
-
DHS scores F on cybersecurity report card
Date: 03/16/06
(Security) Keywords: security
A congressional analysis of federal agencies gave failing grades to eight, with Homeland Security receiving its third F in a row.
Source: http://news.zdnet.com/2100-1009_22-6050520.html
-
One more update to Apple patch
Date: 03/17/06
(Security) Keywords: security
Update apparently designed to address installation problems with patch released earlier in week, say security experts.
Source: http://news.zdnet.com/2100-1009_22-6050892.html
-
High tech helps airport screening switch
Date: 03/18/06
(Security) Keywords: security
No need to worry so much about tweezers--airport screeners are focusing on explosives now, Homeland Security chief Michael Chertoff said.
Source: http://news.zdnet.com/2100-1009_22-6044713.html
-
Another IE bug hits Microsoft
Date: 03/22/06
(Security) Keywords: security
New, unpatched security flaw could allow an attacker to gain control over a vulnerable Windows computer.
Source: http://news.zdnet.com/2100-1009_22-6052396.html
-
Encryption questions....
Date: 03/27/06
(Algorithms) Keywords: software, database, asp, security, web
Hello
I am a software engineer in MA for a small internet company. Currently I am working on a webservices API for our product and have been struggling with the authentication model. I read around and found an article that talked about WSSE authentication. This seems relatively easy to implement and I kind of have a mock demo set up, but there is a problem with my demo that I am not sure how to fix, as I am not a cryptologist, and though I use crypt() and know how to compare a plain text password to a crypt encrypted password, more advanced topics are beyond me. So this is my problem. I will refer to the ideas in the article, so I recommend giving it a quick read.
In the article it discusses creating a "password digest" using a "Created Date", a "nonce" and the "password string", as a Base64 encoded sha1 string (I'll probably use md5). The sha1 string is "nonce"+"created date"+"password string". They then pass the nonce and created date in the header and assume that you have the password on the other end and can piece it back together, creating another sha1 string to compare it to and verify authentication.
I have a test app, and here is the problem I am running into. Say I have my API, and I have a company writing an app to use it. I tell them to use the above method and to use crypt to create their password string from their user-inputted password. I get their data, parse the headers and have the 3 aspects. I decode the base64 string to the sha1 string, but when I compare them it fails. The problem being that they are not encrypted with the same salt when crypt was used. Therefore the encrypted password they put in their string is different than the encrypted version in my database. This can be fixed if they know my salt, but that's a security risk. So I am not sure how to get around this problem.
Suggestions?
Source: http://community.livejournal.com/algorithms/74647.html
-
Encryption questions....
Date: 03/27/06
(Web Development) Keywords: database, asp, security, web
Currently I am working on a webservices API for our product at work and have been struggling with the authentication model. I read around and found an article that talked about WSSE authentication. This seems relatively easy to implement and I kind of have a mock demo set up, but there is a problem with my demo that I am not sure how to fix, as I am not a cryptologist, and though I use crypt() and know how to compare a plain text password to a crypt encrypted password, more advanced topics are beyond me. So this is my problem. I will refer to the ideas in the article, so I recommend giving it a quick read.
In the article it discusses creating a "password digest" using a "Created Date", a "nonce" and the "password string", as a Base64 encoded sha1 string (I'll probably use md5). The sha1 string is "nonce"+"created date"+"password string". They then pass the nonce and created date in the header and assume that you have the password on the other end and can piece it back together, creating another sha1 string to compare it to and verify authentication.
I have a test app, and here is the problem I am running into. Say I have my API, and I have a company writing an app to use it. I tell them to use the above method and to use crypt to create their password string from their user-inputted password. I get their data, parse the headers and have the 3 aspects. I decode the base64 string to the sha1 string, but when I compare them it fails. The problem being that they are not encrypted with the same salt when crypt was used. Therefore the encrypted password they put in their string is different than the encrypted version in my database. This can be fixed if they know my salt, but that's a security risk. So I am not sure how to get around this problem.
Suggestions?
Source: http://community.livejournal.com/webdev/309704.html
-
IBM debuts intrusion-prevention tool
Date: 03/27/06
(Security) Keywords: security
The new service, IBM's latest offering for the IT security market, is designed to monitor worm attacks.
Source: http://news.zdnet.com/2100-1009_22-6054234.html
-
Spy program snoops on cell phones
Date: 03/30/06
(Security) Keywords: software, security
Software hides itself on phones to secretly capture data, leading one security company to label it a Trojan horse.
Source: http://news.zdnet.com/2100-1009_22-6055760.html
-
Microsoft extends life of security scanner
Date: 03/31/06
(Security) Keywords: security
Last-minute extension prevents a gap in security update detection for users of the MBSA vulnerability assessment tool.
Source: http://news.zdnet.com/2100-1009_22-6056142.html
-
Fighting fraud by baiting phishers
Date: 03/31/06
(Security) Keywords: security
RSA Security's newly acquired Cyota overwhelms phishing sites with fake usernames, passwords and credit card info.
Source: http://news.zdnet.com/2100-1009_22-6056317.html
-
Seeking changes to the DMCA
Date: 04/01/06
(Security) Keywords: security
Controversial law hinders warnings to consumers on matters like Sony rootkits, security researchers say.
Source: http://news.zdnet.com/2100-1009_22-6056616.html
-
McAfee repackages security products
Date: 04/02/06
(Security) Keywords: software, security
New "Total Protection" products for businesses aim to simplify purchase, installation, management and running of security software.
Source: http://news.zdnet.com/2100-1009_22-6056805.html
-
Silly Easy Question.. I hope
Date: 04/05/06
(Asp Dot Net) Keywords: browser, asp, security, web
In Visual Studio 2005 I’m writing in VB for an ASP.NET website. When I build my website and copy the files to a server I get an error...
It says that I can not view the site I just wrote... however when I’m on the PC and I run it with debug or F5 the pages work correctly... What could be the problem?
The server is on the same LAN at my work and has our Intranet website running on it just fine…
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
Source: http://community.livejournal.com/aspdotnet/59935.html
-
Free Anti-Virus Solution
Date: 04/05/06
(Computer Geeks) Keywords: security, virus, google
Ok guys, me again for another question
I've just cancelled my yearly subscription to McAfee Anti-Virus and Security Suite. I'm currently using Zone-Alarm for a free firewall solution, but I haven't found a free AV solution yet.
Are there any sites or products that you guys can recommend to me? I've heard a lot of Avast and AntiVir Personal, but are there any other reputable and reliable ones? Are there any online studies and comparisons between the various detection rules and whatnot?
I'd like to google for it... but I found more questionable content and products than anything...
Source: http://community.livejournal.com/computergeeks/907395.html
-
McAfee buys search-warning company
Date: 04/05/06
(Security) Keywords: security
Security giant acquires SiteAdvisor, which helps fortify defenses for people before they browse potentially malicious sites.
Source: http://news.zdnet.com/2100-1009_22-6057923.html
-
HP warns of printer software risks
Date: 04/06/06
(Security) Keywords: software, security
Security hole in software for Color LaserJet printers could open a door for cybersnoops.
Source: http://news.zdnet.com/2100-1009_22-6058284.html
-
Microsoft to slap patch on risky IE hole
Date: 04/06/06
(Security) Keywords: browser, security
Next week will see five security updates for Windows and Office, including a fix for a browser flaw being used in cyberattacks.
Source: http://news.zdnet.com/2100-1009_22-6058548.html
-
IBM bakes security into processors
Date: 04/10/06
(Security) Keywords: technology, security
"Secure Blue" adds encryption technology to processors, promising better security for data on PCs and portable devices.
Source: http://news.zdnet.com/2100-1009_22-6059276.html
-
McAfee unafraid of Microsoft security push
Date: 04/10/06
(Security) Keywords: security, microsoft
Firm's president says McAfee will compete with Microsoft OneCare Live because security can't be done "part-time."
Source: http://news.zdnet.com/2100-1009_22-6059389.html