
Editor's News

The open web application security protocol (OWASP) board has announced that it is to cancel its marketing agreement with RSA Conference, as well as a planned training programme. In an announcement on the OWASP discussion board, Michael Coates, chair of the OWASP Board, said that OWASP would terminate the co-marketing agreement with RSA for RSA 2014. “This may place our training at risk, but if permitted we will still provide the free training...


Microsoft will release its lightest Patch Tuesday next week, with only four patches released. Covering vulnerabilities in Windows, Office and Dynamics AX, all three are rated as “important”. The Office patch affects a remote code execution issue, the two Windows patches are both for elevation of privilege and the Dynamics AX is for a denial of service flaw. Wolfgang Kandek, CTO of Qualys, said it expects one of the Windows patches to address...


Hackers were able to use the Amazon cloud in order to scrape data from LinkedIn profiles. According to Arstechnica, the hackers employed a raft of techniques designed to bypass anti-scraping measures built into the network, including the creation of huge numbers of fake accounts. They also circumvented security measures that are supposed to require end-users to complete bot-defeating CAPTCHA dialogues when potentially abusive activities are detected. Because of this, LinkedIn is suing the attackers over...


Malvertising is a consistent challenge which can see reputable websites having frames infected to serve up any manner of attack. After Yahoo beat down malicious advertisements which redirected users to the “Magnitude” exploit kit, which was enabled following the infection of a third party, Sean Power, security operations manager at DOSarrest, said that the problem is that many banner ad companies allow JavaScript or other code inside the advert. “This is something we have seen...


The first version of the FIDO Alliance standard has been published to enable service providers, enterprises and device manufacturers to offer stronger authentication that is more secure and easier to use. Removing the need for usernames and passwords, the FIDO Alliance 1.0 draft of its two specifications – Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F), enables members to implement and market solutions around FIDO-enabled strong authentication, and non-members to freely deploy those solutions....


More time should be spent on training and enabling people and police and on sharing information to create a more secure United Kingdom. Speaking at the (ISC)2 EMEA Congress in London, former Home Secretary David Blunkett MP said that we commonly find that simple solutions can work, and while companies do spend money, he asked whether they are spending it wisely. He said: “Training is of critical importance, as you are only as good as...


Security experts have dismissed reports of a new ransomware campaign, calling it “a hype”. Jaime Blasco, director of research at AlienVault Labs, said that what he had seen of PowerLocker and PrisonLocker was “a hype”, since the only information available was from one person who was supposedly developing it, but it was still not ready. “We don't know the status of the project but one thing is clear, there are no samples available of...


More industry speakers have dropped out of next month’s RSA Conference in San Francisco in protest against the company’s alleged $10 million deal with the NSA. Following the likes of F-Secure chief research officer Mikko Hypponen and Jeffrey Carr, security commentator, Christopher Soghoian announced on Twitter that he had withdrawn from a panel session he was due to be speaking on. According to the Washington Post, a further five speakers have pulled their...


The European Data Protection Directive is effectively dead, due to the infringement upon European citizens’ human rights. Speaking to IT Security Guru, privacy consultant Martin Hoskins said that the European Commission’s justice and home affairs legal team has deemed it to be “unlawful” as it breaches the human rights of customers as they may have to go to a foreign jurisdiction rather than their national privacy commissioner. “If the lead regulator was in Ireland, then...


Free applications may offer premium content at no cost, but they often require personal information to be surrendered. According to Michael Sutton, director of security research at ZScaler, those privileges may allow a user to be monitored, and sensitive information potentially viewed and compromised. In the case of the owner of a company-owned device being allowed to download applications, they may download a free application that could monitor and access connections. Sutton said...
