  1. Patched Oracle database still at risk, bughunter says

    Date: 04/27/06 (Security)    Keywords: security, web

    Latest updates don't sew up a hole exploited by attack code out on the Web, a security researcher has warned.

    Source: http://news.zdnet.com/2100-1009_22-6065505.html

  2. Fraudsters steal details on 2,000 credit cards

    Date: 04/26/06 (Security)    Keywords: security

    MasterCard holders affected by security breach; credit card company not disclosing how breach occurred.

    Source: http://news.zdnet.com/2100-1009_22-6065267.html

  3. Security tool aims to stop drive-by installs

    Date: 04/29/06 (Security)    Keywords: software, security

    Security industry vets develop software to block attempts by bad sites to drop malicious code onto your PC as you surf.

    Source: http://news.zdnet.com/2100-1009_22-6066587.html

  4. Help me! I am a graphic designer in over my head!

    Date: 05/02/06 (WebDesign)    Keywords: css, html, java, security, web, hosting, shopping

    Hello all-- hoping to get some advice about security, and/or online stores. I am designing a website for a friend of the family and she wants it not only to be informational but also for customers to be able to order products online. She really has no idea what she is asking for because she doesn't really know how any of this works. I am a graphic design student who is familiar with html, css and some JavaScript but I don't know ANYthing about ssl or encryption or anything.

    So, I have looked at websites like Verisign, who offer certificates and I have this question: what does that actually do for a business?

    And I have visited sites such as Networksolutions.com who offer secure hosting with a shopping cart package and what not for $99/month... and I am wondering is this pretty much standard for hosting? Can I do better?

    I am sorry if these are all really obvious questions. I have read books and searched online but nothing is better than personal experience and advice.

    If you don't know the answer, perhaps you know who I might ask who might... I was thinking perhaps the business owner could contact her credit card company (the service through which she accepts credit cards), and they could probably give her some idea as to what to do to accept credit cards online...

    Anyhow. I have known this woman my whole life and I am doing this for free (because she is desperate and isn't making a lot of money yet and because I am so underqualified... obviously).

    Source: http://community.livejournal.com/webdesign/1101886.html

  5. Ubuntu Releases Thunderbird Patch for Highly Critical Vulnerabilities

    Date: 05/03/06 (Java Web)    Keywords: security

    The security vulnerabilities addressed are: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information and Denial of Service. Ubuntu has issued an update for Thunderbird. It fixes vulnerabilities which can be exploited to bypass security restrictions, conduct cross-site scripting attacks, disclose sensitive information and potentially compromise a user's system. (via Secunia)

    Source: http://blog.taragana.com/index.php/archive/ubuntu-releases-thunderbird-patch-for-highly-critical-vulnerabilities/

  6. Weird emails generated from php contact form

    Date: 05/04/06 (PHP Community)    Keywords: php, browser, security, web, google

    I'm pretty new to php, and this may be the dumbest question ever asked, but it's freaking me out.

    I have a contact form on a website in php and it works perfectly fine. Once in a while, however, I will get 5-6 emails at once, all sent from the form, with weird email addresses (i.e. with the domain name of my site) that fill in all fields with the email address and the message is some sort of garbled version of a story by Hans Christian Andersen -- (I only know this because I googled the lines).

    I have the form automatically send me an email that fills in the fields, so that I get an email like the following if someone has an issue with the website:

    Someone has a website issue.

    A user, $name, has an issue on the page $url

    The issue is: $message

    They are using $browser as a web browser and when asked if they would like a follow-up they said $followup.
    Their email address is $email

    But I will sometimes get emails like the following:

    Someone has a website issue.

    A user, blood7007@mydomain.com, has an issue on the page et
    Content-Type: multipart/alternative; boundary=c4ac4da924461ca45d3cbd03ebe2afb9
    MIME-Version: 1.0
    Subject: a brother
    bcc: bajfla2@aol.com

    This is a multi-part message in MIME format.

    --c4ac4da924461ca45d3cbd03ebe2afb9
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    what a struggle his soul had passed through. he disputation continued. ilhelm was in one of his eloquent moods. he doctor regarded the etters of the andering host as one of the most perfect books in
    --c4ac4da924461ca45d3cbd03ebe2afb9--

    .

    The issue is: blood7007@mydomain.com.

    They are using as a web browser and when asked if they would like a follow-up they said blood7007@mydomain.com.
    Their email address is blood7007@mydomain.com.

    All of the emails are also blank carbon copying to the same address, the aol one as listed above.

    So, I'm wondering if anyone can tell me how and why these are sent, if it's a security issue, etc... and what I should have in place to prevent it, if it's possible.

    Source: http://community.livejournal.com/php/446812.html
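    The pattern in the post above is e-mail header injection: a form field that the script copies into a mail header (and, as the quoted message shows, into the body as well) carries CR/LF followed by extra header lines, and the injected "bcc:" line is what delivers a copy of every message to the outside address. As an added example, not the poster's script, here is a hardened handler for that form: the field names follow the template quoted in the post, the addresses are constructed placeholders, and the exact headers the original script built are an assumption.

```php
<?php
// Added example (not the poster's code). Field names follow the template quoted
// in the post; the headers the original script built are assumed.
// A value is safe for a mail header only if it carries no CR, LF or NUL:
// those characters are exactly what lets a submission append "bcc: ..." lines.
function header_field_is_clean(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}
// Validate the submission; returns an array of field => problem (empty = ok).
function validate_contact_form(array $post): array
{
    $errors = [];
    foreach (['name', 'url', 'email', 'browser', 'followup', 'message'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            $errors[$f] = 'missing';
        } elseif ($f !== 'message' && !header_field_is_clean($post[$f])) {
            // Single-line fields must never contain line breaks.
            $errors[$f] = 'contains a line break (possible header injection)';
        }
    }
    if (!isset($errors['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    }
    return $errors;
}
// Build and send the report; refuses (returns false) on any validation error.
function send_issue_report(array $post, string $to): bool
{
    if (validate_contact_form($post) !== []) {
        return false;
    }
    $body = "Someone has a website issue.\n\n"
          . "A user, {$post['name']}, has an issue on the page {$post['url']}\n\n"
          . "The issue is: {$post['message']}\n\n"
          . "They are using {$post['browser']} as a web browser and when asked if "
          . "they would like a follow-up they said {$post['followup']}.\n"
          . "Their email address is {$post['email']}\n";
    // Fixed From:; the visitor's (validated) address only ever goes in Reply-To.
    $headers = "From: webform@example.com\r\nReply-To: {$post['email']}\r\n";
    return mail($to, 'Website issue', $body, $headers);
}

// Constructed submission shaped like the injected one quoted in the post.
$injected = ['name' => 'user@example.com', 'browser' => '', 'followup' => 'no',
             'url' => "et\r\nbcc: attacker@example.net\r\n", 'message' => 'x',
             'email' => 'user@example.com'];
var_dump(validate_contact_form($injected));   // flags the 'url' field
```

    Rejecting the submission outright (rather than stripping the line breaks) also gives you a clean signal to log, so bursts of such submissions are visible instead of arriving as five or six odd e-mails.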

  7. Throw IIS errors in Asp.net

    Date: 05/04/06 (Asp Dot Net)    Keywords: security, web

    We're working on using Windows authentication on our intranet site. We're trying to block out users that do not have permission to various folders (NT security.) We don't like using the web.config allow/deny setting because we don't want to "prompt" the user for their information. We just want to either allow them or deny them. I'm trying to write authentication on the code side to check if the user is authorized. If the user is not authorized I want to throw the 401.2 Error Screen (Access is denied.) Does anyone know how to throw this specific error? My co-worker said that you can throw IIS errors in code, but I can't seem to find any information on this. Thanks.

    Source: http://community.livejournal.com/aspdotnet/64894.html

  8. 'Critical' Windows, Exchange fixes coming

    Date: 05/04/06 (Security)    Keywords: software, security, microsoft

    Microsoft's "Patch Tuesday" will include three security alerts with patches for Windows and the Exchange e-mail server software.

    Source: http://news.zdnet.com/2100-1009_22-6068647.html

  9. Blue Security attack linked to blog crashes

    Date: 05/04/06 (Security)    Keywords: security, hosting, spam

    The DDoS attack on the antispam campaigner was redirected to blog-hosting firm Six Apart, forcing it offline, a Net security firm says.

    Source: http://news.zdnet.com/2100-1009_22-6068607.html

  10. MySQL issues security fix

    Date: 05/04/06 (Security)    Keywords: mysql, software, database, sql, security

    Security patch is designed for the latest versions of MySQL's open-source database software.

    Source: http://news.zdnet.com/2100-1009_22-6068514.html

  11. Free vs. Open

    Date: 05/08/06 (Open Source)    Keywords: security

    The biggest problem remains disseminating those fixes throughout the community. Having every user's address and being able to force compliance with security fixes is the main advantage the proprietary world retains.

    Source: http://blogs.zdnet.com/open-source/?p=646

  12. Symantec: Our security savvy will beat Microsoft

    Date: 05/09/06 (Security)    Keywords: security

    Innovation is the key, says CEO John Thompson, adding: "We know more about security than they ever will."

    Source: http://news.zdnet.com/2100-1009_22-6069941.html

  13. Symantec profit tops forecasts

    Date: 05/10/06 (Security)    Keywords: software, security

    Security software maker's profits top average Wall Street forecasts, sending the company's shares up 3 percent.

    Source: http://news.zdnet.com/2100-1009_22-6070511.html

  14. Windows, Exchange flaws patched

    Date: 05/09/06 (Security)    Keywords: software, security

    Trio of security updates includes two for critical flaws in Exchange e-mail server and third-party software in Windows.

    Source: http://news.zdnet.com/2100-1009_22-6070350.html

  15. Ohio University suffers at least three security breaches

    Date: 05/12/06 (Security)    Keywords: security

    Data thieves may have plundered Social Security numbers and other private info belonging to students and faculty.

    Source: http://news.zdnet.com/2100-1009_22-6071505.html

  16. Congress may slap restrictions on SSN use

    Date: 05/12/06 (Security)    Keywords: security

    Concerns over identity fraud spur politicians to promise new laws restricting some commercial uses of the Social Security number.

    Source: http://news.zdnet.com/2100-1009_22-6071441.html

  17. Bill puts cops first in data leak notification

    Date: 05/11/06 (Security)    Keywords: security

    Anyone who holds personal data would be forced to report security breaches to law enforcement before telling affected consumers.

    Source: http://news.zdnet.com/2100-1009_22-6071216.html

  18. Architecture question

    Date: 05/11/06 (C Sharp)    Keywords: software, asp, security

    While the project to which this question applies is written in C#, this particular question is more of an architectural issue and less of a semantic/syntactic C# problem, for which I apologize. I was hoping I could still get some help.

    In vague and general terms, here is my architectural problem du jour:

    I am constructing a client-server application with a subscription model, in which the "server" component is an ASP facility owned/leased by my company. There are various levels of access granted to a given customer -- for the sake of simplicity, let's say there are two levels, "demo" and "purchased." The "demo" level allows the customer to run the client software on one PC at a time (I have the logic in the client and server software for this to happen, so it's not part of the scope of this question); the "purchased" level allows the customer to run the client software on some large number of PCs simultaneously. The application's value proposition depends somewhat on its large-scale deployability; it needs to be very simple for a "purchased" user to install the client-side software on a large number of PCs with very little effort or time investment. Therefore, a silent install is required -- an installation requiring absolutely no interaction from the user, aside from being launched. Progress/confirmation may be displayed, but no additional interaction would be required after launching the installation. I believe I can build such an installation mechanism without much weeping and gnashing of teeth, so that's not my question here.

    The client software's mission in life is to transmit data periodically to the server, which customers can access to view the data in a valuable, money-saving, revolutionary fashion (that's the idea, anyway). However, the server needs a way to associate all of these clients' data streams with the computers from which they are originating, each time a transmission is made. This part is done -- using a series of hashes, the server is able to distinguish unique computer from unique computer when they transmit their data streams.

    However, it is the next level of association with which I am having trouble. Each unique computer needs to be associated with one customer.

    One solution I was imagining was a very computationally expensive process by which the registration of each new customer causes a recompilation of the MSI archive and setup application, bundling a new customer ID into the archive for each new customer. Then, when that customer downloads the client software to install on his target PC(s), the silent install notices this customer ID and transmits it with each data stream. The hashes I gather give me uniqueness among different computers within the same customer, while the customer ID gives me uniqueness among customers and ownership to each unique computer. However, this strategy would require the MSI compilation software installed on the ASP, which is a unique configuration that I'm not sure I could persuade many leased-ASP providers to support. "Someday," if the application is successful, I would have no problem colocating or owning the ASP myself, but in the beginning this would not be an option.

    Another solution I can imagine is that each new computer the server notices that is not associated with a customer gets put in a pool of new computers, and the customers may select those computers which he wants to add to his account. Unfortunately, the type of this software would make such a model a vast security risk, so it is not an option.

    Finally, I thought of a solution in which the customer is asked to provide details about the PC(s) he will be adding to his account, e.g. the public IP address from which they will be transmitting. However, this approach seems even more intrusive than asking the customer to type in a customerID every time he installs the client software on a local PC, so it's not feasible either.

    Any of your help would be very much appreciated. Thanks for any thoughts or ideas, even if they're not completely fleshed out; they might give me the impetus I need to come up with a complete solution.

    Source: http://community.livejournal.com/csharp/61406.html

  19. Ex-government employee sentenced for hacking

    Date: 05/13/06 (Security)    Keywords: security

    Former computer security specialist at Department of Education gets five months for hacking into supervisor's PC.

    Source: http://news.zdnet.com/2100-1009_22-6071928.html

  20. Symantec CEO advocates fair play and Macs

    Date: 05/16/06 (Security)    Keywords: security, microsoft

    John Thompson thinks more folks should buy from Apple, worries Microsoft won't give him a fair fight in security.

    Source: http://news.zdnet.com/2100-1009_22-6072540.html
