Date: 03/01/05 (Security)    Keywords: security, web

The variant, BagleDl-L, is said to hurt security applications and attempts to connect with a number of Web sites.

Source: http://news.zdnet.com/New+Bagle+damages+security+software/2100-1009_22-5594201.html?part=rss&tag=feed&subj=zdnn

Date: 03/01/05 (Security)    Keywords: security

Online financial firm offers password-generating key fobs to major account holders.
Photo: E*Trade's new security key

Source: http://news.zdnet.com/E*Trade+adopts+additional+security+for+traders/2100-1009_22-5594914.html?part=rss&tag=feed&subj=zdnn

Date: 03/02/05 (Security)    Keywords: security

A new Bagle Trojan horse that hurts security applications is spreading rapidly.

Source: http://news.zdnet.com/Watchdog-attacking+Bagle+ramps+up/2100-1009_22-5594201.html?part=rss&tag=feed&subj=zdnn

Date: 02/17/05 (Java Web)    Keywords: security

ChoicePoint is working with the California authorities on this, assuming that the impact is on Californian residents only. However security experts diasgree. It would be surprising if the impact is limited to California only. A company that collects consumer data warned thousands of Californians that hackers penetrated the company's computer network and may have stolen credit [...]

Source: http://blog.taragana.com/index.php/archive/major-id-theft-uncovered-affecting-thousands-of-californians/

Date: 03/02/05 (Mozilla)    Keywords: security

I just upgraded my Firefox to 1.0.1, and my ForecastFox extension to version 0.7. I'm trying to get the forecast to display to the left of the statusbar display, the way my old version did, but it's not working... so now I have this huge line-up of stuff (i.e. Gmail Notifier, FoxyTunes, and now the forecast) that moves around when I'm loading pages and the security certificates (or whatever) show up, and it's driving me nuts!

Any ideas on how to remedy this? There's a setting in the ForecastFox options on the position to put it in, and nothing I've tried thus far seems to put it where I want it.

Source: http://www.livejournal.com/community/mozilla/256700.html

Date: 02/25/05 (Mozilla)    Keywords: security

Firefox 1.0.1 Download (windows) (all systems).

Recommended for a bunch of bugfixes and a couple of security holes plugged.

Source: http://www.livejournal.com/community/mozilla/254461.html

Date: 01/20/05 (IT Professionals)    Keywords: html, security, web

You can just go to the list from the Defcon web site for some of these:
http://defcon.org/html/links/other-conventions.html



Here are some I found interesting from there, and some other research I did for my travel plans this year:

SANS LoneStar 2005, Mar 10 - 16th - Houston
http://www.sans.org/lonestar05/

Notacon, April 8-10 - Cleveland, Ohio
http://www.notacon.org/

NAB, Apr 18-21 - Las Vegas (I scored a free pass for show floor - woot!)
http://www.nabshow.com/

LayerOne 2005, April 23 & 24 - Los Angeles, California Pasadena Hilton
http://layerone.info/

DallasCon, May 2-7 - Dallas, Texas The Richardson Hotel
http://www.dallascon.com/

Blackhat, July 23-28 - Las Vegas, NV
http://www.blackhat.com/html/bh-link/briefings.html

DEFCON 13, July 29-31 - Las Vegas, Nevada The Alexis Park
http://www.defcon.org/html/defcon-13/dc-13-index.html

USENIX Security Symposium, August 1-5 - Baltimore, MD
http://www.usenix.org/events/sec05/

Nebraska CERT, Aug 9 - 11 - Omaha, NE
http://www.certconf.org/



Dates not announced yet:
Interzone West, in early October - San Francisco Bay Area

ToorCon, end of September - San Diego
http://www.toorcon.org/


Will I see any of you there?


x-posted to gothicgeek, infosec, it_admin, itprofessionals, itsecurity, & lj2600

Source: http://www.livejournal.com/community/itprofessionals/2122.html

Date: 01/17/05 (IT Professionals)    Keywords: security

discuss: LJ outage & disaster recovery

From Slashdot: LiveJournal Servers Go Down
From Something Positive, some humor on the downtime

For those of us in the Information Security realm, disaster recovery is one of those things we think (worry) about and home we never have to put the plans into action. Evidently someones plans did not work as expected. Any thoughts or insight into LJ's disaster & recovery plan? What went wrong?

Did this give you any fears or ideas with your recovery plans?


x-posted to infosec, it_admin, and itprofessionals

Source: http://www.livejournal.com/community/itprofessionals/800.html

Date: 02/25/05 (Web Hosts)    Keywords: security

Firefox 1.0.1 Download (windows) (all systems).

Recommended for a bunch of bugfixes and a couple of security holes plugged.

Source: http://www.livejournal.com/community/webhosts/23727.html

Date: 12/27/04 (SQL Server)    Keywords: software, sql, security

Does anyone know of a quick reference I could provide to the it security folks at my work that outlines what file extensions, ports, and dll's sql server uses? They've gone hog wild with 'security' software here to the point that they invariably end up shutting down one behavior or another within SQL each time they do a 'security upgrade'. Grrrr.

Source: http://www.livejournal.com/community/sqlserver/13319.html

Date: 02/06/05 (C Sharp)    Keywords: security, google

Hey folks, I've recently popped into the community, as I've been rather yearning a place where I can talk to anyone else who develops in .NET (C# specifically, but I've gotten less picky, as I know about ONE person besides me who codes in .NET) so I can bounce some of my more interesting questions off them. So yeah, thanks for being here. ;)

Anyways, I'm developing an application that can be best described as a file mirroring program: a file is synchronized between two computers when a change is made on one of them. For example, a Quicken file kept on both a laptop that travels heavily and a workstation or home PC, so when a change is made to the Quicken file, it's mirrored to the other PC. I've written my own file transfer protocol with MD5 verification (works fantastic in LAN testing so far) and most of the UI design and implementation is completed.

However, the problem I now hit comes with dealing with encryption. Because of the potentially sensitive nature of data being sent, I'm conscious of the reality that the data could be intercepted, and I feel an encrypted stream option or mandate is pretty much a requirement for this program. This is where I haven't sufficient exposure, though. Going through the MSDN library and many, many Google searches and newsgroups, it seems to me that using RSA encryption for the local components (e.g. configuration file encryption) is the best, as I can store the keys in a CspContainer so they persist and are at least better secured than if I were to try storing them myself. The bigger problem comes up when I try to come up with a reasonable solution for encrypting the TCP stream itself between two clients. So far, it would seem that Rijndael or DES are more suited for these tasks, but how am I going to reasonable get the Key and IV between the two systems?

So far, my best solution to this is the following:

• Add in another command to the server to allow a client to request the server's public RSA key.


• Create a thumbprint file that has the generated Rjindael or DES Key and IV as well as the needed information about the file to be synced, and encrypt it using the provided public key.


• Have the thumbprint sent to the remote system, either by simply transferring the file via TCP (easiest) or having it placed on a floppy or flash drive and physically moved (safest).

Source: http://www.livejournal.com/community/csharp/25039.html

Date: 11/02/04 (C Sharp)    Keywords: templates, security, microsoft, google

// Assembly someassembly, Version 1.0.1692.12511

[assembly: AssemblyVersion("1.0.1692.12511")]
[assembly: AssemblyKeyName("")]
[assembly: AssemblyKeyFile("")]
[assembly: AssemblyDelaySign(false)]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyProduct("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyTitle("")]

// Assembly System.ServiceProcess, Version 1.0.5000.0

[assembly: AssemblyVersion("1.0.5000.0")]
[assembly: AssemblyDescription("System.ServiceProcess.dll")]
[assembly: CLSCompliant(true)]
[assembly: AssemblyDefaultAlias("System.ServiceProcess.dll")]
[assembly: AssemblyKeyFile(@"E:\DNA\public\tools\common\security\FinalPublicKey.snk")]
[assembly: AssemblyDelaySign(true)]
[assembly: AssemblyConfiguration("Microsoft .NET Framework build environement is Retail.
 SafeSync counter=0")]
[assembly: AssemblyTitle("System.ServiceProcess.dll")]
[assembly: ComVisible(false)]
[assembly: NeutralResourcesLanguage("en-US")]
[assembly: SatelliteContractVersion("1.0.5000.0")]
[assembly: AssemblyInformationalVersion("1.1.4322.2032")]
[assembly: AssemblyTrademark("Microsoft and Windows are either registered trademarks or
 trademarks of Microsoft Corporation in the U.S. and/or other countries.")]
[assembly: AssemblyCopyright("Copyright (C) Microsoft Corporation 1998-2002. All rights
 reserved.")]
[assembly: AssemblyProduct("Microsoft (R) .NET Framework")]
[assembly: AssemblyCompany("Microsoft Corporation")]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification=true)]

1. A general Google search which will return lots of empty AssemblyInfo.cs files
2. And very little guidance from Microsoft in a site limited Google search.
3. An example of a good AssemblyInfo.cs file from a blog.

Source: http://www.livejournal.com/community/csharp/20491.html

Date: 03/02/05 (Security)    Keywords: software, security, virus, spyware

Software that combs through files for viruses, worms and spyware brings the security company a U.S. patent.

Source: http://news.zdnet.com/Detection+tool+lands+Symantec+a+patent/2100-1009_22-5596656.html?part=rss&tag=feed&subj=zdnn

Date: 03/04/05 (Security)    Keywords: security

Commetary--Industry watcher Jon Oltsik says that the security business is undergoing profound changes, and not all players are created equal.

Source: http://news.zdnet.com/Where%27s+the+security+leadership/2100-1009_22-5599534.html?part=rss&tag=feed&subj=zdnn

Date: 03/04/05 (Computer Geeks)    Keywords: browser, security, microsoft

How Firefox Works link - click here. Below is an excerpt from the page:       "Chances are, you're reading this article on Internet Explorer. It's the browser that comes already installed on Windows operating systems; most people use Windows, and most Windows users don't give a second thought to which browser they're using. In fact, many people aren't aware that they have an option at all."   - I seriously wish that Windows (Microsoft) would be more fair and offer users the option to choose the browser they want. I mean, they already sold the customer an Operating System, what possible harm would it be to let users know that they have a choice? Oh, wait. Those security vulnerabilities were put there on purpose so big businesses can exploit them to sell their wares to unwitting users. sigh.

Source: http://www.livejournal.com/community/computergeeks/620472.html

Date: 01/01/70 (Webmaster View)    Keywords: browser, security, web

Opera released the second Beta version of its next browser (8.0 Beta 2). It includes an answer to the recent security debate over Web site spoofing.

Download Opera (8.0 Beta 2)

Opera has created a whitelist of safe Top-Level Domains for IDN. TLDs are considered safe if they have implemented anti-homographic character policies or otherwise limited the available set of characters to prevent spoofing. Current whitelist contains .no, .jp, .de, .se, .kr, .tw, .cn, .at, .dk, .ch and .li. List is updated automatically in the Opera version check. Domain names from other top-level domains that contain characters outside Latin 1 will be displayed in punycode.

What else to look for in Opera's Beta 2:

• Easier customization and skinning
• Online Certificate Status Protocol (OCSP) verifies that the certificate has not been revoked by the certificate authorities
• Atom newsfeeds

Related: Firefox 1.0.1 (Security Update)

Comments

Source: http://www.webmasterview.com/security_and_privacy/opera_fixes_idn_spoofing_bug

Date: 01/01/70 (Webmaster View)    Keywords: security

Firefox 1.0.1 is released. This is a security update. IDNs are now displayed as punycode.

Get Firefox

Here's what's new in Firefox 1.0.1:

• Improved stability
• International Domain Names are now displayed as punycode. (To show International Domain Names in Unicode, set the "network.IDN_show_punycode" preference to false.)
• Several security fixes.

Comments

Source: http://www.webmasterview.com/browsers/firefox_101_security_update

Date: 01/01/70 (Webmaster View)    Keywords: security, spam

Using mod_security to kill comment spam.

• ModSecurity.
• mod_security rule generator.

Comments

Source: http://www.webmasterview.com/blogging/mod_security_and_comment_spam

Date: 01/01/70 (Webmaster View)    Keywords: php, security, web

The PHP Security Consortium is officially launched. The group's flagship project is a PHP Security Guide

Via Web Security Blog

Comments

Source: http://www.webmasterview.com/programming/php_security_guide

Date: 03/05/05 (Computer Geeks)    Keywords: security, virus, antivirus

Hi,

I recently bought a Packard Bell laptop that came with Norton Internet Security and AntiVirus preinstalled but no media. I get Sophos Antivirus free through work and prefer ZoneAlarm for security so would really like to uninstall Norton. I've tried going through Control Panel!Add/Remove Programs and looking for an uninsrall icon but there doesn't seem to be one. I've disabled them both but each time I reboot I get prompted to to re-enable them.

Anyone know how I can remove them? (I'm used to UNIX where everything is open and honest; no hidden stuff, it's all in text files where you can see it)

TIA

Source: http://www.livejournal.com/community/computergeeks/623030.html