Security RSS Feeds

Below are several RSS feeds that concern computer and cybersecurity. We do not provide a comprehensive list of these feeds.


SecurityFocus News

News: Web surfers, it's time to patch

News: Breach-notification laws not working?

News: Ransomware resisting crypto cracking efforts

News: Boycott spotlights antivirus testing issues

Brief: Apple closes holes in Mac OS X, Safari


US-CERT Cyber Security Alerts and Tips

ST05-013: Guidelines for Publishing Information Online

ST05-012: Supplementing Passwords

SA08-162B: Microsoft Updates for Multiple Vulnerabilities

SA08-162C: Apple QuickTime Updates for Multiple Vulnerabilities

SA08-150A: Apple Updates for Multiple Vulnerabilities


Security News items, Blog posts | ZDNet

Say it ain't so AVG, say it ain't so: AVG LinkScanner = Badware?

The Register covered a very interesting story about AVG.  Apparently AVG is spamming the Internet with traffic that looks to be coming from Internet Explorer.  AVG software pre-crawls search results to try to protect users, but uses a user agent that makes the software appear to be Internet Explorer.  This pre-crawling is flooding websites with...

On deck from MS: Four 'important' patches but nothing for IE

Next Tuesday, Microsoft plans to ship four security updates for multiple flaws affecting Windows, Microsoft SQL Server and Microsoft Exchange Server but the absence of fixes for publicly known Internet Explorer issues is causing raised eyebrows among security professionals. According to the company's advance notice for July's...

Apple caught neglecting iPhone security

If you're waiting on iPhone 2 to standardize your business on the awesome new device (yeah, I'll be on line to buy one), you might want to pay attention to the conspicuous absence of iPhone security patches over the last four months. As WaPo's Brian Krebs reports,...

Opera patches serious code execution flaw

Opera Software has joined the list of browser vendors shipping fixes for serious remote code execution vulnerabilities. The company's new Opera 9.5.1 patches at least four security issues, the most serious being a flaw reported by Microsoft's Billy Rios that could be used to execute arbitrary code....

Airport security part 4: Attack of the body scanners!

If you read my blog postings semi-often, you know that I'm very, very critical of problems with airport security.  Nicole Wong of the Boston Globe reported that Boston's Logan International Airport will become the next airport to implement full-body scanners (thanks for the link from the LiquidMatrix guys!) that can see...


InfoWorld RSS Feed

Antitrust review of Google-Yahoo deal no surprise

News reports this week that the U.S. Department of Justice is formally reviewing a proposed advertising deal between Google and Yahoo came as no surprise to some tech trade groups and advocacy groups based in Washington, D.C.

Opera patches multiple bugs in flagship browser

Opera Software patched the newest version of its flagship browser for the first time Wednesday when it released Opera 9.5.1 to fix several flaws.

Expect iPhone, Fourth of July scams, security firm says

Apple's launch of its new iPhone 3G will produce a flurry of spam and scams, a security company warned Thursday.

Critical vulnerability found in VLC Media Player

Security company Secunia has found a flaw in the VLC Media Player that could allow an attacker to gain control of someone's PC.

Google gives away free Web app security scanner

Google has released for free one of its internal tools used for testing the security of Web-based applications.


Network World on Security

Google gives away free Web-application security scanner

Google has released for free one of its internal tools used for testing the security of Web-based applications.

Buffalo ships low-cost encryption drive

Buffalo Technology has become the latest vendor to announce a USB hard drive featuring built-in, hardware-backed encryption. Almost as interesting is that it costs almost the same as the same drive without security.

Google blurs faces to protect privacy in French StreetView

Google has chosen to blur the faces of people caught on camera by the French edition of its StreetView service.

Critical vulnerability found in popular VLC media player

Danish security company Secunia has found a flaw in the VLC media player that could allow an attacker to gain control of someone's PC.

Equifax bolsters border security

Equifax, the company that compiles credit reports, has chosen network-access-control technology to make sure contractors and employees access its network with machines that meet the firm's security requirements.


Microsoft Security Bulletins

MS08-036 – Important: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)

Bulletin Severity Rating: Important - This security update resolves two privately reported vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service if malformed PGM packets are received by an affected system. An attacker who successfully exploited this vulnerability could cause a user’s system to become non-responsive and to require a restart to restore functionality. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.

MS08-035 – Important: Vulnerability in Active Directory Could Allow Denial of Service (953235)

Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008; Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003; and Active Directory Lightweight Directory Service (AD LDS) when installed on Windows Server 2008. The vulnerability could be exploited to allow an attacker to cause a denial of service condition. On Windows XP Professional, Windows Server 2003, and Windows Server 2008, an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart.

MS08-034 – Important: Vulnerability in WINS Could Allow Elevation of Privilege (948745)

Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS) that could allow elevation of privilege. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

MS08-033 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)

Bulletin Severity Rating: Critical - This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS08-032 – Moderate: Cumulative Security Update of ActiveX Kill Bits (950760)

Bulletin Severity Rating: Moderate - This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb.


EDUCAUSE | EDUCAUSE CONNECT - Cybersecurity

Cybersecurity Research Challenges

Today’s most prevalent and widely discussed attacks exploit code-level flaws such as buffer overruns and type-invalid input. We need to anticipate tomorrow’s attacks and think beyond buffer overruns, beyond code-level bugs, and beyond the horizon. To be ready for threats of the future, we need to be doing more basic research in cybersecurity today. This talk will outline a few suggestions for important research directions in cybersecurity: the foundations of trustworthy computing, security architectures, privacy, usability, and security metrics.

NSF Response to 2007 Summit Final Report

The Cybersecurity Summit meetings have proven to be a useful forum to foster dialog between awardees, cybersecurity experts and NSF. NSF will provide feedback on the 2007 Summit meeting and discuss best practices in cybersecurity that might be useful to large facilities.

Community Updates

Community updates from EDUCAUSE/Internet2 Security Task Force, InCommon, OpenScience Grid, Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), TeraGrid, and the U.S. Department of Energy Computer Incident Advisory Capability.

EDUCAUSE Now - Show #4 – Cybersecurity, Cyberinfrastructure, Fear 2.0

EDUCAUSE Now is a monthly podcast, focusing on the intelligent use of information technology in higher education. Each episode features a variety of stories, interviews, and views that relate to IT in higher education.  Let us know what you would like to hear at podcast@educause.edu.

This episode of EDUCAUSE Now features:

  • Lessons Learned in Cybersecurity
    (01:37―07:24)
    We speak with security professionals from Ohio University about their highly publicized 2006 security breach and what they've learned from the experience. They presented a session at the EDUCAUSE 2008 Security Professionals Conference entitled "The Lifecycle of a Security Breach."

  • New Research Study―"Higher Education IT and Cyberinfrastructure: Integrating Technologies for Scholarship"
    (08:04―14:09)
    Cyberinfrastructure is a term that has confounded and confused many of us in higher education. We speak to ECAR Fellow Mark Sheehan about this new study on how institutions are using cyberinfrastructure successfully and what you need to know about it.

  • A Commentary from EDUCAUSE President Diana Oblinger
    (14:10―17:01)
    Diana considers a few of our assumptions about new and old technologies in a changing world.

  • ELI in Conversation: "Fear 2.0"
    (17:20―22:35)
    A conversation from the ELI 2008 Annual Meeting. A group of higher ed professionals discusses Web 2.0 tools and how they are shifting education. Participants include:
    • Laura Blankenship, Senior Instructional Technologist, Bryn Mawr College
    • Martha Burtis, Director, Teaching and Learning Technologies, University of Mary Washington
    • Barbara Ganley, Lecturer in English and Writing Program, Middlebury College
    • Leslie Madsen-Brooks, Teaching Resources Center, University of California, Davis
    • Barbara Sawhill, Director, Cooper International Learning Center, Oberlin College

This is an excerpt of a longer conversation.

  • Music for EDUCAUSE Now:
  • "Groove IT" by Denis Kitchen
  • "Zune 2" by Sebastian6
  • "MOAQ" & "Kalimbabumbum" by Kelly Walker
  • "Amber" by Dan Tharp

Security is Number One IT Issue According to 2008 Current Issues Survey Report

EDUCAUSE has published the results of the 2008 Current Issues Survey, and this year Security edged out Funding IT as the top strategic challenge.

The latest EDUCAUSE Quarterly article, "Current Issues Survey Report, 2008", states:

It is no wonder that IT security has again emerged as the top strategic issue for colleges and universities given the increasing amount of critical data and new services that are available electronically and need to be protected. The persistence of security incidents and reported data breaches, and a growing number of compliance requirements including security-related state and federal regulations and contractual obligations, make this a central and acute concern of all IT organizations, no matter their institutions' sizes and missions. College and university personnel have a daunting task to ensure the security of information resources while operating within a culture of openness and decentralization. In addition, the changing nature of the threats continues to challenge IT organizations.

The article goes on to suggest security issues that institutions need to address. Security-related resources are available as part of the 2008 Current Issues Resources.