Rich forwarded me the RSA Wireless Security Survey for 2008 that was just released this morning. The cities that they scanned were Paris, London & New York.
Holy 0day Batman!
What started as a quiet week definitely got a little more interesting yesterday as Microsoft released an out-of-band patch for a critical vulnerability affecting most versions of Windows. It’s been a while since MS had to push out an emergency fix like this, and boy was it a whacky vulnerability. For those of you who haven’t kept up on it, it is a flaw in the RPC service that allows remote code execution without authentication. What’s really interesting is that this flaw is in…
I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, that was part of the recent Oracle CPU, and that Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why I had recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don’t need to wait, but…
If you don’t already know, Microsoft is releasing an out-of-band critical update today. Rumor is it is not related to the TCP DoS issue, and may involve an 0day with remote code execution.
Want to talk about electronic voting? We did. So we invited Jacob West from Fortify to talk with us about a paper he just published with a couple of engineers at Fortify. Guess what: they found that electronic voting using DRE voting machines is the least secure way to vote. Makes me feel good going into the election. It’s a good thing we’re fairly self-policing when it comes to time; this is a conversation that could have gone on for a couple of hours.
I’ve been slowly catching up on my reading after months of near-nonstop travel, and this post over at Imperviews caught my eye. Ignoring the product promotion angle, it raises one of my major pet peeves these days. I’m really tired of the Web Application Firewall vs. secure coding debate, never mind using PCI 6.6 to justify one over the other for security effectiveness. It’s like two drunk Cajuns arguing over the relative value of shrimp or pork in gumbo: you need both, and if either is spoiled…
I missed including this in the Friday summary. The Electronic Frontier Foundation is challenging the legality of telecoms being granted immunity for their participation in the NSA’s warrantless spying on US citizens, claiming the executive branch of the government has overstepped its authority. Indirectly they will open the entire program up for scrutiny as well.
What did you think of the new MacBook? I think they are nice, but I don’t want a new one badly enough to upgrade. I bought my MacBook last month knowing full well that they were going to release the new models on the 14th of this month, but the advancements would not be enough for me to wait. Most of the articles & analysis I read were a little harsh, with much of the focus on the price drop, or lack of drop, when I was focused on usability. Maybe they are right, and with the economic slowdown the…
On the surface endpoint encryption is pretty straightforward these days (WAY better than when I first covered it 8 years ago), but when you start matching all the options to your requirements it can be a tad confusing.
Rich is off to see Jimmy Buffett in southern California and get some R&R, so I have blog duties this week. It’s briefing season in the analyst community. I probably should not be surprised given we typically launched our PR tours with my previous employers this time of year, but even Rich has been a little surprised with the volume of discussions. We have been in full swing with a packed calendar during the last couple of weeks and it shows no sign of letting up through November. If I am a…