
Congress to grill Homeland Security on cyberweaknesses

A congressional panel that has been none too pleased about various federal agencies' responses to cyber threats plans on Wednesday to put the Department of Homeland Security's chief information officer in the hot seat.

The title of the latest House of Representatives Homeland Security Committee hearing--"Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security"--suggests another bruising may be on the horizon for CIO Scott Charbo and the oft-criticized agency chiefly responsible for overseeing the nation's cybersecurity efforts.

The event follows an April hearing that focused primarily on cyberattacks involving computers at the State and Commerce Departments. …

What's behind the security acquisition spree?

It must be buying season in the security industry, because there seems to be a new acquisition announced each day. Two recent purchases grabbed my attention. Last week, IBM bought application firewall vendor Watchfire, adding the company to its Rational Software division. Not to be outdone, Hewlett-Packard on Tuesday grabbed application vulnerability tools vendor SPI Dynamics, adding value to another recent addition, Mercury. Why all the activity in the application security space?

1. Web applications are the binary equivalent of Swiss cheese. Many are written rapidly by developers who are paid to add new business logic and meet deadlines. Security …

HP acquires SPI Dynamics

HP today announced its acquisition of SPI Dynamics. The company specializes in Web application security, and its technology is already integrated with HP Quality Center software.

According to HP, the acquisition adds quality management services to its software portfolio and builds on its Business Technology Optimization (BTO) strategy.

Privately held SPI Dynamics is headquartered in Atlanta, has 140 employees, and serves more than 1,000 customers in the federal government, financial services, and health care industries. Expected to close in the third quarter of 2007, the acquisition is subject to certain closing conditions. Upon completion, SPI Dynamics will become …

Massive Web attack gains momentum

Over the weekend, thousands of legitimate English-language Italian Web sites fell victim to one line of code. Taking advantage of the trust the users have in the sites they visit, the malicious code silently redirects browsers via JavaScript to servers containing a variety of drive-by exploits. If the visiting computer is unpatched for a variety of operating system, browser, and specific application flaws, malicious code is downloaded. Once installed, the new software can then be used to steal personal information or enlist a compromised machine in attacks on other machines. According to security vendor Websense, the attack now affects over …

Yet another URL flaw for Safari 3.0 for Windows beta

Security researcher Robert Swiecki, who two days ago disclosed a URL vulnerability within the new Safari 3.0 for Windows beta, has another. The new flaw requires a user to visit a specially crafted Web page. There, an attacker can place arbitrary text in the URL bar and fill the client browser window with arbitrary content. He provides an example (the link should be viewed within Safari).

In response to other Safari 3.0 vulnerabilities, Apple yesterday released an updated version that addresses three of the public vulnerabilities. Swiecki says he tested this latest vulnerability on Safari 3.0.1 (522.…

PayPal key fob's on the job

PayPal launched on Friday its security key fob, a little device designed to thwart password-stealing bad guys who are out to pilfer your online payment account.

PayPal, owned by online auction behemoth eBay, says its PayPal Security Key will generate a new security code every 30 seconds, which people will enter along with their log-in and password for their eBay and PayPal accounts.

PayPal, which initially announced in January plans to increase security via a password-generating key fob, will charge $5 to PayPal and eBay account holders in the U.S. The plan will be expanded internationally.

Various versions of …

Another flaw within Safari 3.0 for Windows beta

Security researcher Robert Swiecki disclosed yesterday another vulnerability within the new Safari 3.0 for Windows beta, bringing the total of public vulnerabilities to nine. The latest flaw allows an attacker to steal a cookie. The flaw exists in the JavaScript window.setTimeout() implementation, where the timer-triggered function's content is processed after the window.location property has been changed.

In response to other Safari 3.0 vulnerabilities, Apple today released an updated version that addresses three of the nine public vulnerabilities.

First Look: Ad-Aware 2007

For its first major update in over two years, Lavasoft's Ad-Aware 2007 offers a redesigned interface and an overhauled detection engine, along with an enhanced Update Manager and a new Tracksweep feature that clears your browsing history for multiple applications with one click.

Take a quick tour of Ad-Aware 2007 with this First Look video.

Apple updates Safari with version 3.0.1 for Windows (beta)

Stung by the harsh reception to Safari for Windows (beta), Apple today released Safari 3.0.1 for Windows (beta), addressing three flaws. The updated version patches CVE-2007-3186, a command-injection vulnerability that may lead to arbitrary code execution; CVE-2007-3185, an out-of-bounds memory read issue that may lead to an unexpected application termination or arbitrary code execution; and CVE-2007-2391, a race condition that may allow cross-site scripting. The patches are issued for Windows XP and Windows Vista users; these issues do not affect Mac OS X systems.

The latest version can be downloaded from Apple here.

FBI's Operation Bot Roast announces three arrests

The FBI today released a press release summarizing the bureau's efforts so far to shut down botnets. In the release, the FBI acknowledges the work of the CERT Coordination Center at Carnegie Mellon University, Microsoft, and the Botnet Task Force, for either contacting victims or reporting criminal activity. Through an ongoing investigation known as Operation Bot Roast, the bureau has uncovered many botnets, collections of compromised desktop PCs worldwide, that have been used for various criminal activities.

In the release, the bureau cites the recent arrests of James C. Brewer of Arlington, Texas, who is alleged to have operated …