Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.
Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of security. He is the author of three books and thousands of published articles and many more unpublished, private reports. Larry has been Technical Director at several test laboratories where he both directed and ran product testing, with a special interest in test automation. Larry began his career as a Software Engineer at the now-defunct Desktop Software Corporation in Princeton, NJ, on the team that wrote the NPL 4GL query language. He also worked on corporate IT and software development at Chase Econometrics. Larry is a graduate of the University of Pennsylvania with a degree in Public Policy.
Ms. Violet Blue (tinynibbles.com, @violetblue) is a freelance investigative reporter on hacking and cybercrime at Zero Day/ZDNet, CNET and CBS News, as well as a noted sex columnist. She has made regular appearances on CNN and The Oprah Winfrey Show and is regularly interviewed, quoted, and featured in a variety of publications that includes ABC News and the Wall Street Journal. She has authored and edited award-winning, best selling books in eight translations and has been a sex columnist for the San Francisco Chronicle. She has given keynote talks at such conferences as ETech, LeWeb, and the Forbes Brand Leadership Conference, and has given two Tech Talks at Google. In 2010, the London Times named Blue one of “40 bloggers who really count.” Ms. Blue is the author of The Smart Girl's Guide to Privacy. Violet Blue bio courtesy of TTI Vanguard.
If you use Google Calendar to set up corporate meetings or private conference calls, you might want to be careful about how that data is available to the rest of the world.
Online criminals have pounced on the unpatched Windows DNS Server service vulnerability, using the security hole to seed and replenish for-profit botnets. The latest twist in the ongoing attacks comes less than a week after Microsoft's pre-patch advisory provided clues for hackers to write and release detailed exploit code.
Oracle has released its quarterly "critical patch update" with fixes for a total of 37 security holes in its database and application server products. One of the bugs fixed in this patch batch dates back to 2003.
How's this for a new twist on the old responsible disclosure debate: Hackers are taking advantage of information released in Microsoft's pre-patch security advisories to create exploits for zero-day vulnerabilities.The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the MSRC (Microsoft Security Response Center) about how much information should be included in the pre-patch advisory.
In an advisory issued earlier today, Microsoft issued several workarounds/mitigations for the Windows DNS server service zero-day attacks, including a recommendation that network admins completely disable remote management of RPC capability for DNS Servers.The recommendation included instructions on registry key edits but if you're in charge of a large-scale Windows shop with numerous domain controllers, Microsoft only gave you the switch but no way to automate the registry changes.
The crime ring behind the latest Storm Worm-related malware attack (Techmeme discussion) is using new tactics to slip malicious executables past anti-virus defenses, serving up another black eye to an industry that already uses questionable tactics to find new customers.Arbor Networks researcher Jose Nazario flagged the poor anti-virus detections of the Storm Worm Trojan in a blog entry that noted the use of password-protected ZIP files to hide .
An zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a security advisory.The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.
Microsoft is urging Windows users to be very careful when opening ".hlp" attachments.
A new version of the Opera browser has been released with patches for a range of security vulnerabilities. The new Opera 9.
The carefully crafted image of Windows Vista as the most secure operating system of all time is beginning to take a beating.For the second time this month, Microsoft has shipped a security bulletin with patches for a "critical" Vista vulnerability that puts millions of users at risk of code execution attacks.
Microsoft just can't seem to keep pace with hackers finding serious flaws in Office applications.Several new security bugs in the desktop productivity suite have been found and released to the public, including proof-of-concept Word 2007 .
Apple has rolled out a firmware update to fix a pair of security vulnerabilities in the Airport Extreme Base Station.The most serious of the two -- a weakness in the way the default configuration of Airport Extreme handles IPv6 connections -- could allow remote hackers to bypass certain access restrictions.
At the height of the animated cursor(.ani) attacks last week, there were two different groups using different motives to hit a different set of targets.
A few weeks ago, I wrote about a Windows kernel vulnerability that was reported to Microsoft on October 22, 2004 and remained unpatched for more than two years. This is a bug I've been following closely since last November when Cesar Cerrudo, the hacker who found it, got tired of waiting for a fix from Microsoft and published details during the MoKB (Month of Kernel Bugs) project.
The best of ZDNet, delivered
- 1 Hackers: Here's how Apple's iMessage surveillance flaw works (video)
- 2 The top ten most common database security vulnerabilities
- 3 Symantec releases simplified Norton Security line
- 4 15 tips for staying safe online and preventing identity theft
- 5 Six Clicks: How do you keep track of all your passwords?