-
Microsoft is putting forward the notion of a language for security policy. Blair Dillaway of Microsoft Research described the Security Policy Assertion Language (SecPal) at a recent Grid computing conference. Speaking at GridWorld in Washington, D.C. earlier this month, Dillaway described SecPal as a declarative, logic-based security language that supports distributed policy authoring and composition. It is said to be an XML dialect that works as a means for handling access control requirements, trust, authorization, and delegation policies.
Presentation on SecPal - ggf.org [PPT]
|
-

The thawte Crypto Challenge gives you the chance to pit your wits against our code and other crackers around the world. If you have the skills, you too can be infamous (and win a prize while you’re at it). Crypto Challenge X is now open, so register to reveal the code and start cracking!
Go to the site.
|
-

"We need your expertise and input as we develop strategies to battle cybercrime in the 21st century," Daniel Larkin, a unit chief in the FBI's cybercrime division, said in his opening address at the annual Black Hat security conference here. As cybercrime has continued to become more sophisticated and organized, federal agencies have increasingly sought to partner with the private sector. Earlier this year, FBI Director Robert Mueller used the RSA Conference to send out a similar message. "The people we're going after are not just the script kiddies anymore. These people are making a lot of money," Larkin told the Black Hat audience of hackers and security professionals. "I am a recovering technophobe; I used to be really afraid of you all. But I realize that you all are really important." Read more at: news.com.
|
-
Using a custom-built data fuzzing tool, HD Moore pinpointed more than 100 vulnerabilities in the ActiveX controls included with the default installation of Microsoft's Windows XP operating system. Data fuzzing tools combine knowledge of the input parameters accepted by a software package with a tenacious and systematic mangling of the data to discover how applications react to various permutations, whether valid or invalid.
Read more at SecurityFocus.
|
-

The Zone-H website recently reported on the defacements that took place. Websites run by NASA and other agencies have been frequent targets of attacks. A Chilean cracking group called Byond Hackers Crew took credit for the defacement of a pair of NASA servers. Those machines had their home pages replaced with the picture of a young bombing victim's face and the message "No war."
|
-
Fans of the website Digg.com have hacked the Netscape.com service using a cross-site scripting attack. The site was recently relaunched as a social bookmarking service. It is generally considered a copy of the popular Digg.com website.
Netscape visitors on Wednesday were presented with pop-up messages, one of which stated: 'This site sucks. Go here instead'. Clicking on the message led users to Digg.com.
|
-
H. D. Moore, creator of the Metasploit hacking tool, has crafted a search engine that finds malicious software using queries on Google. This "Malware" search engine finds Web sites hosting malicious files after a person enters the name of a virus or Trojan horse.
To find the malicious software, the tool uses a fingerprint of the executable and then searches for it. However, those who do try it won't find much. Google has not indexed most malware yet and the signature database is still very small, according to the Malware search site.
Launch of the site comes shortly after researchers at Websense Security Labs said they had been able to find thousands of examples of malicious code using Google's search technology.
Most of what Websense found were malicious files posted to newsgroups with false names, designed to trick a user.
Being able to find malicious software on Google shows the potential to embed strings within binaries that match search terms in order to dupe users into running malicious code, Websense said in an alert last week.
|
-
The Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information, including business requirements and application architecture, which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts.
The Threat Analysis and Modeling Tool v2.0 is now available here.
These are the main features of the package:
- TreeView Navigation with visibility to all nodes at all times
- Wizard based threat model creation
- Default Attack library with descriptive countermeasure guidance
- Automatic Threats and Use Cases generation
- Visualizations including Consolidated Call Flow (System Flow), Attack Surface and Threat Tree, all of which can be exported to Visio
- Exportable Analytics and Reports to HTML
- Import v1.0 Threat Model (models created using Torpedo v1)
- Export countermeasures and attack test cases to Visual Studio Team Foundation Server (TFS)
- Import SDM Deployment Reports from VSTA
- Copy Paste and Drag-&-Drop features
- Enhanced Find Feature
- Video Tutorials
Go to the Application Threat Modeling site to get started.
|
-
This test tool helps developers of Windows Mobile applications test various security policies for Windows Mobile devices. It is designed as a desktop application that ships with a preset list of “security configurations”. 
A security configuration can be thought of as a template, which contains a collection of individual policies and settings. For example, a security configuration could define policies such as whether unsigned applications are allowed to execute, whether RAPI is disabled, etc.
Using this tool, the developer can provision a Windows Mobile device with different configurations, and then test the application’s behavior under these configurations. This tool can be used either on an emulator or an unlocked Windows Mobile device.
You can download the tool here.
source: http://blogs.msdn.com/mikehall/archive/2006/07/05/657436.aspx
|
-
Apple has released a security update to its OS X 10.4 operating system. Some of the five patches in security update 10.4.7 address vulnerabilities that could allow a remote attacker to gain access to a compromised system, and one addresses a buffer-overflow flaw within ClamAV, a third-party antivirus application that is popular among Mac users. The other vulnerabilities involve Launchd, a flaw publicly exposed by the Mac virus InqTana.b earlier this year. Other vulnerabilities involve OpenLDAP, ImageIO, and AFP. Additional information on the 10.4.7 patches can be obtained from Apple's security update site and from News.com.
|
-
Computer code that exploits a "critical" vulnerability in Windows has been released on the Internet, prompting Microsoft to issue a security advisory.
The attack code takes advantage of a flawed Windows routing and remote access component for which Microsoft released a patch two weeks ago, the company said in its advisory published late Friday. The company is not aware of any actual cyberattacks that use the exploit code, it said.
Source: News.com
|
-
"PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmerman, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulation). After many years of investigation, the FBI ultimately dropped its case against Zimmerman. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.
Source: http://slashdot.org/
|
-
Fyodor asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed him to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. You will discover several powerful new tools this way. Any newbie not knowing where to start should go to this site.
|
-
Still young, but you want to be a codemaker or codebreaker? Check out the CryptoKids site.
|