Network and Computer Security

The january 15th issue of Bruce Schneier’s Crypto-Gram newsletter is out.

Automated Targeting System
Surveillance Cameras Catch a Cold-Blooded Killer
Crypto-Gram Reprints
Auditory Eavesdropping
Tracking Automobiles Through their Tires
Licensing Boaters
Wal-Mart Stays Open During Bomb Scare
News
NSA Helps Microsoft with Windows Vista
Microsoft Anti-Phishing and Small Businesses
Not Paying Attention at the Virginia DMV
More on the Unabomber’s Code
BT Counterpane News
Radio Transmitters in Canadian Coins
Choosing Secure Passwords
Comments from Readers

The december issue of Bruce Schneier’s CRYPTO-GRAM Newsletter is out.

I didn’t have time to read it yet, but there’s no good reason to believe it’s not as interesting than the previous issues Here are the topics covered:

Revoting
Real-World Passwords
Crypto-Gram Reprints
Tracking People by their Sneakers
Notary Fraud
News
Separating Data Ownership and Device Ownership
BT Counterpane News
Fighting Fraudulent Transactions
Cybercrime Hype Alert
Comments from Readers

Happy reading!

The November 15th issue of Bruce Schneier’s Crypto-Gram newsletter is out. In those mid-terms voting times, this newsletter appropriately contains 4 very good and comprehensive (as usual) articles about electronic votes and voting in general.
Here’s the full newsletter summary:

Voting Technology and Security
More on Electronic Voting Machines
The Inherent Inaccuracy of Voting
The Need for Professional Election Officials
Perceived Risk vs. Actual Risk
Crypto-Gram Reprints
Total Information Awareness Is Back
Forge Your Own Boarding Pass
News
The Death of Ephemeral Conversation
Airline Passenger Profiling for Profit
Counterpane News
Architecture and Security
The Doghouse: Skylark Utilities
Heathrow Tests Biometric ID
Please Stop My Car
Air Cargo Security
Cheyenne Mountain Retired
Comments from Readers

A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a users system.

The vulnerability is caused due to an unspecified error in the XMLHTTP 4.0 ActiveX Control.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer.

Microsoft Advisory & Suggested Workarounds: http://www.microsoft.com/technet/security/advisory/927892.mspx

Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps.

According to Washingtonpost.com’s Security Fix blog, this is the most number of patches ever released by Redmond outside of a Windows service pack.
Also of note, six of today’s updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista.

The September 15th issue of Bruce Schneier’s Crypto-Gram newsletter is out. As usual, it’s a very good read. This issue is very much targetted to security in general and not only computer security. In particular terrorist threats and the current paranoia in the airports are very well described, as well as how counter-productive it is.

Here’s the full newsletter summary:

What the Terrorists Want
Details on the British Terrorist Arrest
More Than 10 Ways to Avoid the Next 9/11
Fifth Anniversary of September 11, 2001
Crypto-Gram Reprints
Educating Users
Human/Bear Security Trade-Off
Land Title Fraud
News
Is There Strategic Software?
Media Sanitization and Encryption
What is a Hacker?
Counterpane News
TrackMeNot
USBDumper
Microsoft and FairUse4WM
Comments from Readers

Less than 1 month after the discovery of a very serious vulnerability in Internet Explorer, EEyes has just published an advisory concerning a very similar (through different) vulnerability in the lastest IE.

Here’s the overview:

“eEye Digital Security has discovered a second heap overflow vulnerability in the MS06-042 cumulative Internet Explorer update that would allow an attacker to execute arbitrary code on the system of a victim who attempts to access a malicious URL. Windows 2000, Windows XP SP1, and Windows 2003 SP0 systems running Internet Explorer 5 SP4 or Internet Explorer 6 SP1, with the MS06-042 patch applied, are vulnerable; unpatched and more recent versions of Internet Explorer are not affected.”

The actual problem lies in URLMON.DLL, here’s a link to the full advisory.

Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about.

According to Sutton, it’s not the new ones that are scary, it’s the old ones that have long since been forgotten.

He illustrates his point by walking through an example where he uses Google and Yahoo! to identify 50 web servers that are wide open to attack. The list includes an ivy league school, various colleges and a company traded on the NYSE. Definately a must-read and very well documented article!