QuoteThe company plans to announce tomorrow that it's expanding its Xfinity Home Security service. Last year the company began testing the service in Houston. Now it's adding six more cities. Additional cities that will get the new service include parts of Philadelphia; Portland, Ore.; Jacksonville, Fla.; Sarasota/Naples, Fla.; Chattanooga, Tenn.; and Nashville.
The Xfinity Home Security service offers traditional home security features, such as police and fire alarm protection with 24-hour monitoring. It also offers some home automation functions, such as the ability to adjust thermostats and lights remotely. And when people are not home, they can also watch live video streams from wireless cameras that are positioned in and around their home.
The technology behind the system is slightly different from traditional home security systems from companies, such as ADT. The Comcast Xfinity Home Security system works over a broadband connection rather than a phone connection. And as a result it's able to offer the video service and remote management. The company uses cellular networks as a back up to the broadband connectivity to ensure uptime.
QuoteThe volume of attacks that target the Android mobile operating system has increased by 400% since the summer of 2010. Also in that timeframe, one in 20 enterprise mobile devices has gone missing.
Those two findings come from the "Mobile Malicious Threats" report released Tuesday by Juniper Networks, which sells networking hardware and security products.
While significant, the four-fold increase in malware targeting Android isn't unexpected. "You don't have to be extraordinarily smart to write mobile malware these days because most devices don't have any security tools to stop the malware," said Dan Hoffman, chief mobile security evangelist at Juniper Networks, in a telephone interview.
QuoteSony has announced the PlayStation Network has begun restoration today. The PSN will be restored in a series of phases with phase one restoring access to the PSN, online gaming for the PS3 and PSP, access to Netflix, Hulu, MLB.com and PlayStation Home. The remaining features, such as the ability to make purchases from the PSN Store will return soon.
QuoteAs a wholly owned subsidiary of Intel, McAfee will become part of the company's Software and Services Group, run by senior vice president Renee James. McAfee president Dave DeWalt will report directly to James.
McAfee will continue to offer its own branded line of security products and maintain its own customers. The two companies said they're prepping the "first fruits" of their partnership to hit the market later this year.
The need for greater security across a greater array of devices was the driving force behind Intel's bid to pick up McAfee.
Pointing to the growing number of connected devices, from PCs to mobile phones to TVs to medical devices, the two companies have said that today's approach to security isn't enough. And with the mounting threat of cyberattacks, a new security framework that combines hardware, software, and services is needed.
QuoteUpon execution the ransomware will change the Desktop’s wallpaper to the “Warning! Piracy detected!” background.
It will then make sure the warnings appear every time the end user restarts PCs. In between, it will lock down the end user’s Desktop, featuring the “Copyright violation: copyrighted content detected” window
Mathias Krause discovered that the Linux kernel did not correctly handle missing ELF interpreters. A local attacker could exploit this to cause the system to crash, leading to a denial of service. (CVE-2010-0307)
Marcelo Tosatti discovered that the Linux kernel's hardware virtualization did not correctly handle reading the /dev/port special device. A local attacker in a guest operating system could issue a specific read that would cause the host system to crash, leading to a denial of service. (CVE-2010-0309)
Sebastian Krahmer discovered that the Linux kernel did not correctly handle netlink connector messages. A local attacker could exploit this to consume kernel memory, leading to a denial of service. (CVE-2010-0410)
Ramon de Carvalho Valle discovered that the Linux kernel did not correctly validate certain memory migration calls. A local attacker could exploit this to read arbitrary kernel memory or cause a system crash, leading to a denial of service. (CVE-2010-0415)
Jermome Marchand and Mikael Pettersson discovered that the Linux kernel did not correctly handle certain futex operations. A local attacker could exploit this to cause a system crash, leading to a denial of service. (CVE-2010-0622, CVE-2010-0623)
QuoteSecurity Update 2007-009 (10.5.1) is recommended for all users and improves the security of the following components:
Flash Player Plug-in
QuoteUnless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic -- and a great many universities do not -- that Web server is going to be visible and accessible by anyone with a Web browser. But wait, you say: Wouldn't someone need to know the domain name or Internet address of the Web server that's running the toolkit? Yes. However, anyone familiar enough with the file-naming convention used by the toolkit could use Google to search for the server. But surely there are ways a network administrator might keep this information from being available to the entire Web, right? Yes. The toolkit allows an administrator to require a username and password for access to the Web server. The problem is that the person responsible for running the toolkit is never prompted to create a username and password. What's more, while Apache includes a feature that can record when an outsider views the site, that logging is turned off by default in the MPAA's University Toolkit.
QuoteCase in point: A hacker's diversion of traffic from a California county government Web site to a porn purveyor spiraled into IT chaos yesterday after a countermeasure applied from Washington essentially "deleted the ca.gov domain." Order was restored only after seven hours of frenzied coast-to-coast communications and a "forced propagation" of ca.gov network systems, according to Jim Hanacek, public information officer for the California Department of Technology Services. "We don't for sure have the whole picture, but as we understand it, there was some event at the Transportation Authority of Marin Country where their site got hacked," Hanacek told me this afternoon. Traffic was being redirected from that site to one featuring pornography.
QuoteA computer program was used to access the employers' section of the website using stolen log-in credentials. Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server. The stolen data could be used to send phishing and spam e-mails. "This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website," reported Symantec.
QuoteAccording to the Chinese Internet Security Response Team (CISRT), users of Norton Antivirus, Norton Internet Security 2007 and Norton 360 who installed an antivirus signature update released by Symantec on May 17 could not reboot their PCs. The update reportedly mistook two Windows system files--"netapi32.dll" and "lsasrv.dll"--as the Backdoor.Haxdoo Trojan horse. The two files were subsequently quarantined. CISRT said the flawed Symantec update only affects users of the Simplified Chinese version of Windows XP Service Pack 2 that have been patched with a particular Microsoft software fix available since November 2006. CISRT noted that this issue has been "huge." According to CCTV.com, which is part of China's largest national TV network, the problem has affected millions of PCs and was not completely resolved as of Wednesday.
QuoteDHS has maintained that the Real ID concept is not a national identification database. While it's true that the system is not a single database per se, this is a semantic dodge; according to the DHS document, Real ID will be a collaborative data-interchange environment built from a series of interlinking systems operated and administered by the states. In other words, to the Department of Homeland Security, it's not a single database because it's not a single system. But the functionality of a single database remains intact under the guise of a federated data-interchange environment. The DHS document notes the "primary benefit of Real ID is to improve the security and lessen the vulnerability of federal buildings, nuclear facilities, and aircraft to terrorist attack." We know now that vulnerable cockpit doors were the primary security weakness contributing to 9/11, and reinforcing them was a long-overdue protective measure to prevent hijackings. But this still raises an interesting question: Are there really so many members of the American public just "dropping by" to visit a nuclear facility that it's become a primary reason for creating a national identification system? Are such visitors actually admitted?
QuoteThe number of Web sites engineered to exploit the problem has jumped considerably since the vulnerability was publicly disclosed by Microsoft on March 29. It will likely continue to rise until patches are applied across corporate and consumer PCs, said Ross Paul, senior product manager for Websense.
QuoteMicrosoft says you have to buy Vista because it makes you much safer online than XP, or any of its previous operating systems. Do you believe that?
Thompson: Consumers should not be confused. Vista is not a security solution. Vista is an operating system, and Vista provides some very important advances from Microsoft's perspective and for the industry's point of view on building a more stable, more reliable, more secure operating platform, but people still need the efficacy that comes with the products that Symantec and others in the industry build, and so we should not be confused by the marketing rhetoric with what Vista is. It's a hopefully much better product than XP or any of its predecessors, but it's not a security solution.
Quote"Krstic's system, known as the BitFrost platform, has only one user prompt (turning on the camera) and imposes limits on every program's powers. Under BitFrost, every program runs in its own virtual machine with a limited set of permissions. Thus a picture viewer can't access the web, so even if a hacker comes up with an exploit that lets him control the program, he couldn't use it to grab all the photos on the laptop and upload them to the internet. Programs downloaded to the computer can't "request a set of permissions that let (them) do bad things," Krstic said, unless that software has been certified by a trusted authority, which will be either One Laptop Per Child or one of the countries signed onto the project. Users can, however, manually assign more power to a particular program through the security control panel. While the idea of limiting permissions program by program dates back as far as 1959, according to Krstic, it's not been adopted widely because it puts the burden on application writers to deal with security. Other Linux/Unix-based systems -- including Apple's Mac OS -- run programs with authority limited to a local user, but that's not enough, said Krstic, because the program can still delete user files, even if it can't touch the underlying system files. Krstic's no fan of Microsoft's security, either -- despite Vista's imposition of limited permissions on programs, and its isolation of Internet Explorer in a virtual sandbox. "Vista's sandboxing is trying to impale sandboxing on something broken," Krstic said. Still, Krstic admits there's a drawback to his system: It limits interactions between applications."
QuoteDue to recent attacks on the SHA-1 hash function specified in FIPS 180-2 , Secure Hash Standard, NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES). Two workshops (see menu at left) have been held to assess the status of the NIST-approved hash functions, to discuss possible near- and long-term options, and to discuss hash function research in preparation for launching such a competition. In addition, NIST has published its policy on the use of the current hash functions, and has proposed a tentative timeline for the competition.
QuoteThat promise turned out to be untrue, according to a report published Friday by DHS' privacy office. The commercial data "made its way directly to TSA, contrary to the express statements in the fall privacy notices about the Secure Flight program," the report says. The report, and a second one critiquing a government database called Matrix, was released on the last business day before Christmas, a tactic that federal agencies and publicly traded companies sometimes use to avoid drawing attention to critical findings. Neither report appears on the DHS.gov or TSA.gov home pages, or even on the home page of the DHS privacy office, but rather was linked to from a subpage on the DHS privacy site.