Ten Best Practices to Secure Web Services
Enterprise Systems
As more organizations embrace Web services
(which opens back-office processes to partners and the Internet),
a problem is emerging: who inside the organization is in charge of
Web services security?
by Mathew Schwartz
Who’s watching your Web services? As more
organizations embrace Web services, opening back-office processes
to partners and the Internet, a problem is emerging: who’s in
charge of their security?
Too often, the answer is “nobody.” While Web
services development mirrors application development in many ways,
most developers aren’t trained in Web services security.
Likewise, overseeing secure code development isn't part of a
security manager's duties. To discuss best practices for creating
a Web services security-aware organization, Security Strategies
spoke with Eugene Kuznetsov, chairman and chief technology officer
of XML-aware device manufacturer DataPower. More....
Google Desktop Search Tool Raises Security Concerns
Enterprise Systems
Free hard-drive indexing utility raises
corporate security and privacy questions
by Mathew Schwartz
With Google’s recent release of Google Desktop
(http://desktop.google.com/),
a free program for indexing hard drive contents, organizations may
want to evaluate the still-in-beta tool’s potential security and
privacy impacts, and adjust their corporate security policies to
explicitly permit or deny its use.
A number of information-retrieval tools, such as
Blinx, Copernic, Enfish, Lookout, and X1, already have similar
functionality—retrieving information from an array of file
formats via one interface. To be sure, such tools have been
available for years, though it’s only recently, as processor
speeds and available hard drive space have grown, that they’ve
become more widely used, and useful. Historically, most of these
indexing and search programs weren’t free; many organizations
limited their use. Likewise, many users choose not to deal with
the mandatory time these programs take to create and maintain an
index of contents, preferring to use in-program searching instead.
More....
Password Memorability and Security
There has been much talk about what is
considered a secure password. So it was a true pleasure for me to
recently read a fascinating study on this topic that provided some
hard numbers to back up the claims.
The study was published in the current issue of IEEE Security and
Privacy and is titled "Password Memorability and Security:
Empirical Results" by Jeff Yan, Alan Blackwell, Ross Anderson
and Alasdair Grant.
First some background. Per the article:
"Human memory for sequences is temporally limited, with a
short term capacity of around seven, plus or minus two items. In
addition, when humans do remember a sequence of items, those items
must be familiar chunks such as words or familiar symbols. Finally,
human memory thrives on redundancy: we're much better at
remembering information we can encode in multiple ways."
So what these folks did was have three separate
test groups: More....
Microsoft Finds 22 New Flaws
Despite New Pack, Holes Remain
New Windows flaws prove that security managers
must continue to focus on patch management and protection of
client systems.
Oct 28, 2004 | By Curtis Franklin Jr.
Worried that you may have spent too much on your patch-management
system? Well, you can stop worrying, because that system is about
to earn its keep. Microsoft earlier this month issued seven
advisories warning of 22 new vulnerabilities found in Windows and
related software, including the just-released Windows XP Service
Pack 2 (SP2). And all of the new threats will require patches.
The critical security alerts detail
vulnerabilities in Windows, Internet Explorer, Excel, SMTP, NNTP,
Compressed Folders (.ZIP files) and the Windows shell.
Less-critical Threat Bulletins focus on facilities within
development systems or application frameworks, including the RPC
Runtime Library, NetDDE and the WebDAV XML Message Handler. Among
the various operating systems and versions of applications named
in the bulletins, Microsoft labeled 12 vulnerabilities
"critical," 11 "important" and another 11
either "moderate" or "not critical." More....
New versions of the Bagle worm rolled onto the
Internet Friday, prompting anti-virus companies to warn customers
about the threat and to push out software updates to spot the new
worms.
Three new versions of Bagle have been seen by
anti-virus companies, each similar to earlier forms of the worm,
which first stormed onto the Internet in January, spreading
through infected e-mail file attachments. McAfee rated two of the
new worms "medium" threats. Other anti-virus vendors,
including Symantec and Sophos, also reported intercepting many
samples of the new worms and advised customers to update
anti-virus signatures as soon as possible. More....
Gmail accounts 'wide open to exploit' - report
By John Leyden
Published Friday 29th October 2004 16:50 GMT
Google's high profile webmail service, Gmail, is vulnerable to a
security exploit that might allow hackers full access to a user's
email account simply by knowing the user name, according to
reports.
The security flaw allows full access to users' accounts, with no
need of a password, Israeli news site Nana says. Using a
hex-encoded XSS link, the victim's cookie file can be stolen by a
hacker, who can later use it to identify himself to Gmail as the
original owner of an email account, regardless of whether or not
the password is subsequently changed. Following up a tip from an
Israeli hacker, journos from the site confirmed the attack and
verified the exploit with local security firm Aladdin Knowledge
Systems.
It's unclear whether the hole has been maliciously exploited.
Google has been notified of the issue and is reportedly working on
a fix. No-one from the company was available to update The
Register on the issue at time of going to press.
New Caller I.D. spoofing site opens
By Kevin Poulsen, SecurityFocus Oct 27 2004 8:03PM
Web-based caller I.D. spoofing is back, and this time it's
available to everyone.
A new website offers subscribers a simple Web interface to a caller
I.D. spoofing system that lets them appear to be calling from any
number they choose.
Called "Camophone," the service functions much like the
Star38.com site that struggled with an abortive launch last month:
a user types in their phone number, the number they wish to call,
and the number they'd like to wear as a disguise. The system
instantly dials back and patches the call through with the
properly forged caller I.D.
Camophone is being promoted in ads that appear when searching for
competitor "Star38" on Google. More....