Despite Recent Threats American Infrastructure is Still Vulnerable to Cyber Attack
02/04/2012
When most people think of cyber crime and cyber terrorism, they think of credit card information being stolen, identities being compromised, and, most recently, massive DDOS attacks by organizations like Anonymous and Lulzsec. What they don't tend to think of is the water coming from their faucet, the lights in their home and the gas heating their houses. Yet the ramifications of attacks on these basic utilities could far outweigh those of identity fraud. And these attacks are on the rise.
In 2010 the Homeland Security Department responded to only 116 requests for assistance from its Control System Security Program cyber experts. By September of 2011 there were 342. Not all of these attacks originate domestically, either. On Nov. 8 an IP address originating from Russia attacked an Illinois-based water utility company, managing to control a Supervisory Control And Data Acquisition system, resulting in a burnout of the associated pump. These types of real-world results of cyber attacks are not unknown. In 2007 hackers managed to attack a diesel generator, causing it to self-destruct.
At this time, companies in the sights of these types of attacks can only prevent between 67% and 76% of them. They could prevent more but there's one thing holding them back: money. Right now these companies spend $5.3 billion on cybersecurity. To reach a 95% prevention rate they would have to increase that amount to more than $46 billion, an increase they say their customers won't approve.
With the very real and national threat posed by cybersecurity some would like the government to step in and foot the bill for these improvements. Others may think that this is a private sector issue and the government need not intervene. However, Glenn Derene said it best in his October 2009 article, "The next world war might not start with a bang, but a blackout."

Pwn2Own Contest Puts Bounty on Browser Vulnerabilities
02/04/2012
Dog the Bounty Hunter, known for his shirtless leather vest approach to dressing and his less than tactful approach to apprehending bail jumpers, may not be ready for the next round of bounties coming down the pike. This year, at the CanSecWest in Vancouver, companies like HP and Google are offering rewards for hackers and research teams who can exploit zero-day vulnerabilities within the most common browsers.
This contest, known as Pwn2Own, has been an annual event at CanSecWest since 2007. Though in past years it has been criticized for randomly drawing participants and removing a browser once it had been exploited, this year the browsers will be fair game until the end, with points awarded to the participant for each successful attack. In addition, the prize money offered is substantially larger, paying out $60,000 for first place, $30,000 for second and $15,000 for third. Google will also offer strictly Chrome-based awards, paying $20,000 for a successful sandboxed exploitation and $10,000 for other unique attacks.
The goal of Pwn2Own, of course, is to find the vulnerabilities so they can be patched in the future. Though some may take issue with this methodology, it's common practice these days. As has been said far too many times in literary history, it takes a criminal to catch a criminal. This is simply the software version of hiring an ex-thief to expose the weaknesses in your home security system. And while I hope none of the participants come with Dog's cliche "catch them, then try to recuperate them in the backseat of his car" methodology, the increased prize money is sure to attract a plethora of hacker bounty hunters.

AVG makes its first IPO of $125 million
02/04/2012
AVG Technologies is the maker of one of the most successful pieces of anti-virus software in the world, and they are going public.
Founded in 1991, and based in the Netherlands, AVG not only offers their widely used free anti-virus software, but they also offer various premium software and services for those who require a bit more protection. Apparently in the 9 months of the last fiscal year, the company's revenue rose a full 24%, to $191 million. They also more than doubled their profits from the last year to 68.8 million dollars, which is amazing considering the fact that so much of their manpower goes into free software.
Big name companies such as JP Morgan, Goldman Sachs, Morgan Stanley, and even Intel have chosen to back the growing company. They will be trading under the ticker symbol AVG, so make sure you keep an eye out because this company is making big moves.

Amazon gains new cloud security partner
02/04/2012
Amazon Web Services has made the decision to team up with Check Point Software Technologies to offer their customers reliable security services.
Check Point announced the release of the Virtual Appliance for Amazon Web Services, which according to Check Point, "enables customers to extend their security to the cloud with the full range of protections using Check Point Software Blades." Up until now, Amazon Web Services only provided very basic security measures for users of their services, but that's not the case anymore.
Any user of the EC2 cloud services can get the Virtual Appliance directly from Amazon and set it up. Check Point describes many of the individual blades as follows:
"The Firewall and IPS Software Blades protect services in the public cloud from unauthorized access and attacks. The Application Control Software Blade helps prevent application layer denial of service attacks and protects your cloud services. The IPsec VPN Software Blade allow secure communication into cloud resources. The Mobile Access Software Blade allows mobile users to connect to the cloud with an SSL encrypted connection with two factor authentication and device pairing. The DLP Software Blade prevents data breaches with unique User Check technology to allow real-time user remediation."
Both companies want to attract a wide range of potential customers, especially small companies and startups that are building their infrastructure in the cloud. They seem to realize that most people see it as a very risky move to have sensitive data there, so this should be accessible for just about everyone. According to an article from SecurityWeek.com, the base price for these services is $2000, and that comes with the firewall and virtual gateway. Everything else is icing on the cake and will cost you more money on top of that, but hopefully not too much.

HashDOS: Important Vulnerability Coming into the Spotlight.
02/04/2012
A presentation at a German security conference has many people worried about this newly realized vulnerability that is present in most web frameworks.
According to a post from Sophos, "The type of hashing used by PHP, Java, Python and JavaScript in this attack is not a cryptographic hash, it is a simple mathematical hash used to speed up storing and retrieving data posted to web pages."
Under normal circumstances, the collisions in the hashes are managed by built-in language constructs and are not really an issue. However, in these types of attacks, the attacker can send pre-calculated values that will result in all of the hash values being the same, which will crash the majority of servers. In that same Sophos post, they stated that, "An example given showed how submitting approximately two megabytes of values that all compute to the same hash causes the web server to do more than 40 billion string comparisons," which is a nearly inconceivable amount of work just for looking up some data for a web page.
Apparently the keepers of the language Perl went ahead and did something about this vulnerability some time ago, but nobody else followed suit, so they are all at risk. Hopefully, the people behind PHP, Python, and other applicable languages will actually pay attention this time and go ahead and make the necessary changes.

Mobile Security Will (Probably) Always Be More Difficult
02/04/2012
When it comes to security for mobile platforms, there is a very serious learning curve to getting it right and keeping it strong.
Every day that goes by, mobile devices are getting smaller, sleeker, and more powerful, and to some people out there, that just means that they are new and vulnerable. This is a huge problem considering the rate at which people are acquiring smart phones for personal and business use, which also tend to hold sensitive data.
Large corporations are steadily gaining the power to do something about the situation, and most are taking advantage. Many products have come out lately that allow these corporations to monitor the mobile devices given to their employees for business use. Most also allow administrators to delete/block unwanted applications, block malicious incoming data, and disable the device completely. This is fantastic for new phones and ones that haven't been compromised yet, but what about the ones that aren't so lucky?
According to Lookout, a leading mobile security firm, mobile botnets are going to be one of the biggest problems for mobile platforms in the coming year. In fact, some of these have already been created, like the DroidDream scam that was removed from the marketplace not too long ago. One issue that I always like to bring up when talking about mobile security is the universal fragmentation of the world of Android, which is a huge part of the reason attacks like DroidDream can occur. The vast majority of the Android-enabled devices out in the market right now are 2-3 OS releases behind, which poses a huge security threat whether your phone is actively tracked by a company admin or not. There will always be third-party solutions for fighting off attacks, but the issue will not be resolved until Android (and in some ways, Apple) actually does something about it.

Widespread Xbox Live phishing scams plague gamers
02/04/2012
Users of the popular online gaming service have been getting phony emails from sites claiming to give away Microsoft points (the online currency for Xbox Live).
These emails are made to look very official and many unwary consumers have been getting dragged into the scam. The emails redirect to sites where people are asked to enter sensitive information that can be used to purchase more points. Many users have reported checking their bank statements and finding many charges on their cards that they did not make. The transactions are generally very small and the victims don't actually notice until it has already been going on for some time.
This is apparently not the first time something like this has happened with the service, as hackers have shown in the past that they have multiple methods of getting customer information. While it is clearly wrong on the part of the cyber-criminals to participate in these activities in the first place, it is also the victim's fault in this case. Unlike other, more direct methods of stealing customer information, such as directly from a database, this method requires the customer to give away their info. So, what that means is that any savvy user can avoid such situations by simply paying attention to what they are doing.
DO NOT GIVE YOUR INFORMATION AWAY TO STRANGE WEBSITES. This is something every company offering web services should remind their customers of, just to make sure that they are safe. As these customers have trusted the companies to protect their information, there should actually be a little effort on both sides. However, if you or anybody you know has already been affected by these scams, go here to the Xbox site to report the incident.

Facebook Gets Hacked!
02/04/2012
Recently Facebook, headed up by billionaire entrepreneur Mark Zuckerberg, was hacked and violent, pornographic photos were posted on millions of users' profiles.
Apparently, this attack did not actually compromise any user data, but at the same time, that does not mean it wasn't serious. With over 800 million active users, Facebook is responsible for protecting a lot of personal data. Currently, the company is blaming the attack on a flaw in certain browsers. Apparently, users were tricked by the hacker(s) into inserting malicious JavaScript code into their address bars, which granted the hacker(s) access to their profiles.
Obviously the people at Facebook aren't just sitting around not doing anything about this. According to a spokesperson for the company, "Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms," which is somewhat relieving. However, many are still surprised and upset that this happened in the first place.
What the public needs to understand is that Facebook is not the only major company out there that has been hacked recently. Sony, Valve, Google, Lockheed Martin, and others have all been victim to major attacks in the past few months. Facebook is trying their best to control the situation and is advising its members not to enter anything into their address bar that they don't know is safe.

Online Game Service Steam gets Hacked!
02/04/2012
Valve Corporation, maker of many popular game series such as Half-Life, Team Fortress and Portal, had its popular video game on-demand service hacked on November 6th. Apparently an outrageous 35 million users possibly had their personal information compromised in the attack, although it is not yet known whether it was all taken or not. According to the BBC, "The attackers used login details from the forum hack to access a database that held ID and credit card data" which could now be used for any number of purposes. Valve issued a statement letting users know the extent of the situation:
"We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating."
Adding this as well:
"We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
They alerted customers that they will have to change their forum passwords the next time they log in, and suggested that they change their Steam passwords (which are apparently separate) as well. This is not a great time for this to happen to Steam, as many high-profile titles, such as Modern Warfare 3 and The Elder Scrolls: Skyrim, have come out this week, and this may make users a bit more wary about using the service now and in the future.

October is National Cybersecurity Awareness month
02/04/2012
Since 2004, October has been deemed Cybersecurity Awareness month in an attempt to spread information about this increasingly important subject.
As time goes on and our livelihoods become more and more dependent on internet-related technology, it is necessary for the general public to understand some of the risks involved when using the internet. This has become even more important since the internet has moved past just desktops and laptops to phones, tablets, games consoles, and sometimes even things like refrigerators. You have access to information from the workplace, you can control your finances, and even control the security of your home from these devices. The people behind NCSAM have come up with the slogan STOP. THINK. CONNECT., which they see as the steps you should take when using the internet to always make sure you stay secure. On the site they are described as such:
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
This effort has been considered important enough for even the Department of Homeland Security to back it, as they want to keep our nation's cyber infrastructure intact, which starts with securing all of the end-users. If you would like more information on NCSAM or any of the entities backing this effort, please visit http://www.staysafeonline.org/ and get informed.