NIST on Several Things
End of last week, NIST published four Draft Special Publications on e-mail security, intrusion detection and prevention, web services security, and cell phone forensics.
According to the Web Application Security Consortium (WASC), XSS and SQL injection remain the most popular attack vectors being exploited in public incidents. Further details can be found in the Web Hacking Incidents Database (WHID), which was updated today.
The chart below illustrates the number of public incidents registered per year:
A broader list of vulnerabilities is listed in OWASP Top Ten, which ranks the most critical web application security flaws.
As reported by Computerworld, and further to a previous post on the matter, Wal-Mart appointed Rollin Ford as its new CIO earlier this month. Ford used to be the company's executive vice president of logistics and supply chain.
A statement answered the open questions on his support of Wal-Mart's RFID Initiative and reaffirmed the company's commitment to the Electronic Product Code (EPC) standard.
Computerworld published a great article which makes a parallel between biology and IT security:
"When a new virus strikes, some of us might fall ill, some might die and others will survive. That's the beauty of us each having a unique immune system.
It's a concept that the computer security industry should take to heart, said Stephanie Forrest, a professor of computer science at the University of New Mexico (...).
Diversity of systems and applications can play a key role in safeguarding computers and networks from malicious attacks, Forrest said. Her team published a paper last year on a system dubbed RISE (Randomized Instruction Set Emulation) (PDF) that randomizes an application's machine code to stymie would-be attacks, such as those launched via binary code injection.
(...)
What really has Forrest worried about computer security today ties into another biological concept: evolution. 'We already have malicious code that can replicate and spread itself. The only thing we're missing in terms of real Darwinian evolution is mutation,' she said."
Forrest's team is using virtualization software to overcome some of the issues it encountered during its research.
Computerworld reports that:
"Researchers at Australia's Edith Cowan University have proved that first-generation radio frequency identification (RFID) tags can be breached to cause a denial-of-service attack on the tags, using cheap store-bought radio transmitters."
Just as I read about the VMware Server Beta 2 release in my inbox, I saw in Computerworld that Microsoft made Virtual Server R2 free:
"Virtual Server 2005 originally cost $999 and $499 for the Enterprise and Standard editions, respectively, when released in September 2004. Microsoft then released Virtual Server R2 at $199 and $99 for the Enterprise and Standard editions, respectively, in December.
Longtime virtualization market leader VMware Inc., which already had a free product called VMware Player, responded in February by making its GSX Server free. Meanwhile, Linux-based vendors such as XenSource Inc. and Virtual Iron Software Inc. are readying new or updated versions of their virtualization software.
With today’s change, Microsoft is eliminating the Standard edition and making its Enterprise edition available for download at no charge."
FlexiSpy sells a monitoring application that records the activity of Symbian OS-based mobile phones (incoming/outgoing SMS as well as call history).
According to PC Inpact (in French), the publisher is working on PocketPC and Blackberry ports of the application, and on a professional version that would record conversations.
Well, I now love my vintage Nokia phone even more.
As reported by Computerworld, three regional banks in the US were hacked in a new spoofing attack:
"Earlier this month, attackers were able to hack servers run by the Internet service provider (ISP) that hosted the three banks' Web sites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's Computer Crime Center.
Users were then asked to enter credit card numbers, PINs (Personal Identification Numbers) and other types of sensitive information, he said.
According to Breeden, the affected banks are Premier Bank, Wakulla Bank, and Capital City Bank, all small regional banks based in Florida."
This interesting article (in French) outlines best practices to protect Blackberry devices.
Viviane Reding will love this: SecurityFocus reports that three researchers from the Vrije Universiteit in Amsterdam released a paper outlining the potential risks of viruses using the small amount of memory contained in everyday RFID tags. And yes, they have a proof of concept.
As reported by many web sites, Philip Zimmermann has a new project: Zfone. This beta software allows encryption of SIP-based VoIP systems (e.g. Gizmo, Wengo, etc.) without the need for a PKI. In the future, Zimmermann expects the underlying protocol to be integrated into standalone secure VoIP clients.
Currently, binaries are available for Mac OS X and Linux. A Windows build should be released around mid-April.
Update 2006/5/23: they finally have a Windows XP version. :-)
As reported by Computerworld, Wyse Technology and VMware announced they will work together to create virtualized PCs that can be hosted and managed on inexpensive Intel-based servers.
Computerworld reports on a press briefing at the CeBIT trade show in Hanover, Germany, where Viviane Reding, European commissioner for information society and media, declared that:
"RFID is very important to businesses and it is very important to citizens, but it also raises concerns about trust. (...) Citizens have to be sure they are in control of their data, and to have this control we must have worldwide legal certainty."
The bottom line is that the EC will consider revising the existing directive on e-privacy if new threats to EU citizens' privacy are identified.
Burton Group released a paper on Skype corporate usage three weeks ago, but my subscription does not include their Network & Telecom publications. Computerworld summarizes the findings: if the financial incentives and better integrated communications outweigh the risks inherent to proprietary P2P technologies, consider Skype as part of your overall communication strategy.
This interesting paper (Acrobat PDF) looks at worm propagation strategies in the 128-bit address space of IPv6.
Computerworld reports on a panel that took place at the RFID World conference where Wal-Mart gave feedback on one year of live RFID usage.
Wal-Mart claims a return on investment, even without extensive process changes (e.g. out-of-stock items that are RFID-tagged are replenished three times faster than before).
Computerworld published an interesting article in which Red Hat engineer Brian Stein explains operating system virtualization, including three different implementation approaches and the pros and cons of each.
CNET's News.com reports on a panel discussion at the RSA Conference 2006:
"We have recently seen a move away from stealing user name and passwords," Shipp said. The new "bank-stealing Trojans" wait until the victim has actually logged in to their bank. "It then just transfers the money out."
"All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter. The bad guy just waits until you're there and then takes the money out," Shipp said.
This new type of Trojan is on the rise and is currently No. 3 on the list of most common threats, according to Shipp, who works at MessageLabs as senior antivirus technologist.
I guess we will all end up surfing with VMware's Browser Appliance.
This interesting article (in French) warns webmasters about the "latest" spammers' technique for exploiting e-mail forms (e.g. FormMail.pl). It consists of injecting extra recipient headers through the From: field: a line break followed by a forged header line. We told you before: you shall never trust user input. :-)
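To make the point concrete, here is an added example (not code from the article or from FormMail itself) showing why a form handler that pastes the visitor's From value straight into header lines ends up sending mail to whoever the spammer names, and a hardened version that rejects line breaks and keeps the site's own addresses fixed. The sample submissions, the `example.com` addresses and the function names are constructed for the illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Constructed sample submissions: a normal visitor, and a spammer smuggling an
# extra Bcc header line through the From field (CRLF + forged header).
LEGIT = {"from": "alice@example.com", "subject": "Question", "body": "Hello"}
INJECTED = {"from": "alice@example.com\r\nBcc: spam-target@example.net",
            "subject": "Question", "body": "Hello"}

SITE_SENDER = "webform@example.com"     # fixed sender, never taken from the form
SITE_RECIPIENT = "contact@example.com"  # fixed destination, never taken from the form

LINE_BREAK = re.compile(r"[\r\n\x00]")
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def naive_headers(form):
    """The FormMail-style bug: user input is concatenated into raw header lines.
    Returns the header names a mail parser sees in the resulting message."""
    raw = ("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s"
           % (form["from"], SITE_RECIPIENT, form["subject"], form["body"]))
    return list(message_from_string(raw).keys())

def validate(form):
    """Reject any header-bound field containing a line break or NUL byte, and
    require the From field to be one plain address. Returns a list of errors."""
    errors = []
    for field in ("from", "subject"):
        if LINE_BREAK.search(form.get(field, "")):
            errors.append("%s: line break not allowed" % field)
    if not ADDRESS.match(form.get("from", "")):
        errors.append("from: not a single e-mail address")
    return errors

def build_message(form):
    """Hardened version: validate first, then let the email library set headers
    (EmailMessage itself refuses multi-line values) and carry the visitor's
    address only in Reply-To, so the site stays the From sender."""
    errors = validate(form)
    if errors:
        raise ValueError("; ".join(errors))
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = SITE_RECIPIENT
    msg["Reply-To"] = form["from"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["body"])
    return msg

def is_rejected(form):
    """True when the hardened builder refuses the submission."""
    try:
        build_message(form)
    except ValueError:
        return True
    return False
```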
This page contains an archive of all entries posted to never-ever-****-with-my.net in the Technologies category. They are listed from newest to oldest.