Security

Four vulnerabilities affect two IM apps

On Thursday, Zero Day Initiative announced four flaws affecting two instant-messaging applications, three affecting Cerulean Studios Trillian Pro, and one affecting IBM Lotus Sametime. Zero Day Initiative is a part of TippingPoint and is controversial in that it pays researchers for finding flaws.

The first flaw in Trillian affects the header parsing code for the MSN protocol and could allow remote attackers to execute arbitrary code. The advisory states "when processing the X-MMS-IM-FORMAT header, certain attributes are copied into a buffer located on the stack without any length verification which can eventually lead to code execution with the privileges … Read more

Cisco patches three critical flaws

On Wednesday, Cisco Systems issued three patches for critical vulnerabilities affecting Cisco Internetwork Operating System (IOS). The most serious of these affects the Cisco Voice Portal and the Secure Shell server (SSH) implementations.

Cisco says the first patch covers a vulnerability that exists in the Cisco Unified Customer Voice Portal (CVP), which provides customer voice and video self-service integration. If the vulnerability is exploited, an authenticated user can create, modify, or delete a superuser account. In other words, successful exploitation may result in full control of the system.

The second patch covers the Secure Shell server (SSH) implementation in Cisco … Read more

Random auto-browser keeps Web trackers at bay

I can't say for certain that ISPs, online advertising networks, and other big Web companies are already tracking our Web use and sending us ads and other information based on conclusions they draw from our unique browsing history.

But it wouldn't surprise me one bit if they were. And if they aren't already, I know it's only a matter of time.

Web sites have been using persistent cookies to remember you from session to session for a long time. Usually, sites know only the site you arrived from and the site you go to when you … Read more

Apple iCal hit with three remote vulnerabilities

On Wednesday, Core Security announced three vulnerabilities within iCal, the personal calendar application that ships with the Mac operating system. The vulnerabilities affect iCal version 3.0.1 on Mac OS X 10.5.1.

ZDNet's Ryan Naraine quotes an as-yet unpublished Core Security announcement as saying: "The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file."

Apple was rumored to … Read more

Apple iTunes targeted by phishers

We've seen banks, even eBay and PayPal, all targeted by phishers. Now they've turned their attention to iTunes, creating a bogus site that reportedly looks like an iTunes billing page asking for current credit card information.

"We've never seen Apple as the target," Proofpoint's Andrew Lochart told Computerworld on Tuesday. "It's probably indicative that the bad guys see Apple's online presence as large enough to be a target."

In addition to asking for credit card information, the phony iTunes page also asks for one's social security number and mother'… Read more

Get the low-down on the sites you visit with CallingID

I used to think the last thing I needed was another browser toolbar. But now I gladly sacrifice a little screen real estate to find out who owns the sites I visit, where they're located, and whether they pass muster with the security checkers.

That's what you get with CallingID, an add-on for Internet Explorer and Firefox that adds a multi-hued toolbar to the browsers. Along with use of green, yellow, and red to signify the site's safety, the toolbar shows the owner and location of the site.

Whenever you attempt to enter a name and password … Read more

The Estonia cyberwar: One year later

One year ago, the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis, a move that may have triggered what some believe is the first instance of a sustained, international cyberwar.

Now, Gadi Evron, a former Israeli Government CERT manager who was in Estonia at the time of the attacks, has revisited the events with an article in the Georgetown Journal of International Affairs and reprinted here online (PDF).

Evron said what could be described as a "flash mob" created the disturbances in the Estonian Internet during May 2007. "Not only did the … Read more

Fujitsu gives biometrics a hand

For years, biometric finger scanners have been used in ATMs and at the cash register. But there are problems with finger scanners. Researchers have demonstrated how a flat photograph or molded fingertip can easily fool these devices into giving a false approval. And while face recognition is improving, especially 3D facial mapping, these devices aren't yet in wide use today.

Fujitsu PalmSecure is another option. Already in use in hospitals and government offices, the device reads the hand's vein pattern using near-infrared light. On this week's Security Bites podcast, I spoke with Joel Hagberg, vice president of … Read more

U.S., Romania target overseas phishing

In a joint operation with Romanian authorities on Monday, U.S. Department of Justice officials announced racketeering and other charges against 38 individuals living in the United States and Romania.

In addition, the Justice Department executed nine arrest warrants, while Romanian authorities simultaneously executed several search warrants. Total losses associated with today's arrests and charges, unsealed in California and Connecticut, are said to be in the millions of dollars.

Speaking in Bucharest, Romania, Deputy Attorney General Mark R. Filip stressed the importance of multinational agencies working together to fight international crime.

Filip said the nine people arrested were charged … Read more

PayPal XSS vulnerability affects EV SSL

A new attack on PayPal could have allowed users who thought they were on a trusted page to access a fraudulent page and possibly expose personal information. On Friday, Finnish researcher Harry Sintonen reported the vulnerability in an IRC chat room.

In an interview with Netcraft, Sintonen said the issue was critical. "You could easily steal credentials." He added that in this case you can't trust the URL http://www.paypal.com.

A few weeks ago PayPal announced it would block users whose browsers did not support EV SSL. Sintonen, who is credited with finding an XSS attack on Barack Obama's Web site … Read more