Archive

Archive for July, 2007

3Com offers cheap IPS gateways

July 31st, 2007

Bringing TippingPoint technology to the masses.
3Com is jumping into the unified security business, with branch office and SMB gateways that include enterprise-grade security technology from its TippingPoint subsidiary.

Read more at rcbarnett

Computer security Systems

‘Spam king’ arrested

July 31st, 2007

Seattle man also charged with selling faulty software
A Seattle man authorities describe as a “spam king” has been arrested for alleged illegal spamming.


Read more at rcbarnett

Computer security Systems

Access control enforcement in java

July 31st, 2007

The Java runtime keeps track of the sequence of Java calls that are made as a program executes. When access to a protected resource is requested, the entire call stack, by default, is evaluated to determine whether the requested access is permitted.

As mentioned earlier, resources are protected by the SecurityManager. Security-sensitive code in the Java platform and in applications protects access to resources via code like the following:

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
   sm.checkPermission(perm);
}

where perm is the Permission object that corresponds to the requested access. For example, if an attempt is made to read the file /tmp/abc, the permission may be constructed as follows:

Permission perm =
    new java.io.FilePermission("/tmp/abc", "read");

The default implementation of SecurityManager delegates its decision to the java.security.AccessController implementation. The AccessController traverses the call stack, passing to the installed security Policy each code element in the stack, along with the requested permission (for example, the FilePermission in the above example). The Policy determines whether the requested access is granted, based on the permissions configured by the administrator. If access is not granted, the AccessController throws a java.lang.SecurityException.

Figure 4 illustrates access control enforcement. In this particular example, there are initially two elements on the call stack, ClassA and ClassB. ClassA invokes a method in ClassB, which then attempts to access the file /tmp/abc by creating an instance of java.io.FileInputStream. The FileInputStream constructor creates a FilePermission, perm, as shown above, and then passes perm to the SecurityManager’s checkPermission method. In this particular case, only the permissions for ClassA and ClassB need to be checked, because all system code, including FileInputStream, SecurityManager, and AccessController, automatically receives all permissions.

In this example, ClassA and ClassB have different code characteristics: they come from different locations and have different signers. Each may have been granted a different set of permissions. The AccessController only grants access to the requested file if the Policy indicates that both classes have been granted the required FilePermission.

Java security, security application development

Access control in java

July 31st, 2007

The access control architecture in the Java platform protects access to sensitive resources (for example, local files) or sensitive application code (for example, methods in a class). All access control decisions are mediated by a security manager, represented by the java.lang.SecurityManager class. A SecurityManager must be installed into the Java runtime in order to activate the access control checks.

Java applets and Java™ Web Start applications are automatically run with a SecurityManager installed. However, local applications executed via the java command are by default not run with a SecurityManager installed. In order to run local applications with a SecurityManager, either the application itself must programmatically set one via the setSecurityManager method (in the java.lang.System class), or java must be invoked with a -Djava.security.manager argument on the command line.

Permissions

When Java code is loaded by a class loader into the Java runtime, the class loader automatically associates the following information with that code:

  • Where the code was loaded from
  • Who signed the code (if anyone)
  • Default permissions granted to the code

This information is associated with the code regardless of whether the code is downloaded over an untrusted network (e.g., an applet) or loaded from the filesystem (e.g., a local application). The location from which the code was loaded is represented by a URL, the code signer is represented by the signer’s certificate chain, and default permissions are represented by java.security.Permission objects.

The default permissions automatically granted to downloaded code include the ability to make network connections back to the host from which it originated. The default permissions automatically granted to code loaded from the local filesystem include the ability to read files from the directory it came from, and also from subdirectories of that directory.

Note that the identity of the user executing the code is not available at class loading time. It is the responsibility of application code to authenticate the end user if necessary (for example, as described in Section 6). Once the user has been authenticated, the application can dynamically associate that user with executing code by invoking the doAs method in the javax.security.auth.Subject class.
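
The enforcement path described in both Java posts above (SecurityManager delegating to AccessController, which walks the call stack and asks the installed Policy, with the decision keyed on the code location the class loader recorded), as an added example that is not code from the original post or from the Java platform. It installs a SecurityManager programmatically via System.setSecurityManager, after plugging in a custom java.security.Policy that grants read access to /tmp/abc only to code loaded from the demo's own location. The class names AccessControlDemo and LocationPolicy and the paths /tmp/abc and /tmp/other are assumptions for the demonstration. The SecurityManager and Policy APIs were deprecated for removal in JDK 17 and the manager can no longer be enabled from JDK 24 on; on JDK 18 to 23 the program must be started with -Djava.security.manager=allow.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/*
 * Added demonstration of SecurityManager -> AccessController -> Policy enforcement.
 * Not code from the Java platform or from the original post; class names and file
 * paths are assumptions. Run on a JDK that still supports the SecurityManager
 * (JDK 18 to 23 need -Djava.security.manager=allow on the command line).
 */
public class AccessControlDemo {

    /**
     * A Policy that grants read access to /tmp/abc only to code whose CodeSource
     * location equals trustedLocation, on top of whatever the default policy grants.
     */
    static final class LocationPolicy extends Policy {
        private final Policy defaults;
        private final String trustedLocation;

        LocationPolicy(Policy defaults, String trustedLocation) {
            this.defaults = defaults;
            this.trustedLocation = trustedLocation;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (defaults.implies(domain, perm)) {
                return true;                        // default grants (e.g. reading java.version)
            }
            CodeSource cs = domain.getCodeSource();   // where this code element was loaded from
            boolean fromTrusted = cs != null && cs.getLocation() != null
                    && trustedLocation.equals(cs.getLocation().toString());
            return fromTrusted && new FilePermission("/tmp/abc", "read").implies(perm);
        }
    }

    /** Same check pattern as in the post: ask the installed SecurityManager. */
    static boolean allowed(Permission perm) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true;                            // no manager installed: nothing is enforced
        }
        try {
            sm.checkPermission(perm);               // AccessController walks the whole call stack
            return true;
        } catch (AccessControlException e) {        // a SecurityException subclass
            return false;
        }
    }

    public static void main(String[] args) {
        // Record where this class was loaded from before the manager is installed,
        // because getProtectionDomain() itself becomes a checked operation afterwards.
        String ourLocation = AccessControlDemo.class.getProtectionDomain()
                .getCodeSource().getLocation().toString();

        Policy.setPolicy(new LocationPolicy(Policy.getPolicy(), ourLocation));
        System.setSecurityManager(new SecurityManager());   // activates the checks

        Permission readAbc     = new FilePermission("/tmp/abc", "read");
        Permission readOther   = new FilePermission("/tmp/other", "read");
        Permission readVersion = new PropertyPermission("java.version", "read");

        System.out.println("code location     : " + ourLocation);
        System.out.println("/tmp/abc read     : " + allowed(readAbc));      // true: granted by location
        System.out.println("/tmp/other read   : " + allowed(readOther));    // false: no grant anywhere
        System.out.println("java.version read : " + allowed(readVersion));  // true: default policy grant

        // doPrivileged stops the stack walk at this frame, but this frame's own
        // ProtectionDomain still needs the permission, so the answer does not change.
        boolean privileged = AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> allowed(readOther));
        System.out.println("/tmp/other via doPrivileged: " + privileged);   // false
    }
}
```

The policy keeps the platform's default grants by delegating to the Policy that was installed before ours, so system classes and the standard java.version property read keep working; only the extra FilePermission is tied to the code location. Replacing the in-memory check with a policy file is what -Djava.security.policy does in a deployed application.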

Java security, security application development

Mod Security does offer some form of protection

July 31st, 2007

While not perfect, Mod Security does offer some form of protection that, as they say, is better than nothing. While there will certainly be a small performance hit, in the four-odd weeks that I’ve been using it, I have not really noticed any significant performance degradation.

On a side note with regards to the audit_log file, do note that setting SecAuditEngine to On instead of RelevantOnly can result in a very HUGE log clogging up your system, especially for high-traffic sites. With the parser in place, I had over a million records in the database in less than 2 weeks (and we all know MySQL really starts to drag at this point without some serious SQL optimization). You have been warned.

ModSecurity

International copyright

July 31st, 2007

There is no such thing as an “international copyright” that will automatically protect an author’s writings throughout the entire world. Protection against unauthorized use in a particular country depends, basically, on the national laws of that country. However, most countries do offer protection to foreign works under certain conditions, and these conditions have been greatly simplified by international copyright treaties and conventions. For further information and a list of countries that maintain copyright relations with the United States, request Circular 38a, International Copyright Relations of the United States.

Copyright

Transfer of copyright

July 31st, 2007

Any or all of the copyright owner’s exclusive rights or any subdivision of those rights may be transferred, but the transfer of exclusive rights is not valid unless that transfer is in writing and signed by the owner of the rights conveyed or such owner’s duly authorized agent. Transfer of a right on a nonexclusive basis does not require a written agreement.

A copyright may also be conveyed by operation of law and may be bequeathed by will or pass as personal property by the applicable laws of intestate succession.

Copyright is a personal property right, and it is subject to the various state laws and regulations that govern the ownership, inheritance, or transfer of personal property as well as terms of contracts or conduct of business. For information about relevant state laws, consult an attorney.

Transfers of copyright are normally made by contract. The Copyright Office does not have any forms for such transfers. The law does provide for the recordation in the Copyright Office of transfers of copyright ownership. Although recordation is not required to make a valid transfer between the parties, it does provide certain legal advantages and may be required to validate the transfer as against third parties. For information on recordation of transfers and other documents related to copyright, request Circular 12, Recordation of Transfers and Other Documents.

Copyright

Form of Notice for Phonorecords of Sound Recordings

July 31st, 2007

The notice for phonorecords embodying a sound recording should contain all the following three elements:

1. The symbol ℗ (the letter P in a circle); and

2. The year of first publication of the sound recording; and

3. The name of the owner of copyright in the sound recording, or an abbreviation by which the name can be recognized, or a generally known alternative designation of the owner. If the producer of the sound recording is named on the phonorecord label or container and if no other name appears in conjunction with the notice, the producer’s name shall be considered a part of the notice.

Copyright

Top sources of attacks

July 30th, 2007

Table 5 lists the top sources of attacks between October and December 2005. To determine the top sources of attacks, we looked at data from our Managed Security Services customers during this timeframe. We excluded all packets from private and unallocated internet addresses (such as RFC1918 addresses) from our analysis. We focused only on packets dropped by firewalls, and excluded packets accepted by firewalls (most of which were legitimate) to produce our statistics. We found that 68.8% were from the United States, ten times the traffic from the next country on the list (China, at 6.6%).

Source: VeriSign

Computer security analyses, Internet security

solution for phishing

July 30th, 2007

Today, it is difficult for an Internet user to understand what information they are disclosing, and to whom they are disclosing that information. Many anti-phishing solutions try to improve this situation by making stolen passwords less useful, or by helping users identify legitimate sites. One method for addressing phishing is by adding multi-factor authentication. Most web sites require only single-factor authentication to log in: an end user types in their user name and password to authenticate. Multi-factor authentication requires an additional factor: a one-time password (OTP) value, a digital certificate (usually through a smart card or USB token), or a biometric identifier. The idea of two-factor authentication is to require “something you know” with “something you have.” If an attacker captures a username and password, that will not be sufficient to log in because the attacker doesn’t have the right OTP value or digital certificate. If an attacker steals a user’s OTP value or digital certificate, they will not be able to log in because they don’t know the user’s password.
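
The two-factor login described above, as an added example that is not part of the original post and not VeriSign's code: an HOTP (RFC 4226) one-time-password verifier combined with a password check, so that a phished password alone, or a captured OTP alone, does not log the user in. The user record, the hypothetical user "alice", the look-ahead window of 3 and the token secret (RFC 4226's own test secret, used so the self-check values can be compared with the RFC) are constructed assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added illustration of a "something you have" factor next to "something you know":
 * an HOTP (RFC 4226) verifier combined with a password check. Not code from the
 * original post or from VeriSign. The user record, the token secret (RFC 4226's own
 * test secret) and the look-ahead window of 3 are constructed assumptions.
 */
public class TwoFactorLogin {

    /** HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
    static int hotp(byte[] secret, long counter, int digits) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = hash[hash.length - 1] & 0x0f;
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   |  (hash[offset + 3] & 0xff);
        return binary % (int) Math.pow(10, digits);
    }

    /** Constructed user record: the password hash and the token secret are independent factors. */
    static final class User {
        final byte[] passwordHash;   // real systems use a salted, slow hash (PBKDF2, bcrypt, Argon2)
        final byte[] otpSecret;      // shared only with the user's token
        long counter;                // highest HOTP counter accepted so far

        User(byte[] passwordHash, byte[] otpSecret, long counter) {
            this.passwordHash = passwordHash;
            this.otpSecret = otpSecret;
            this.counter = counter;
        }
    }

    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    /** Succeeds only if both factors verify; an accepted counter is consumed so the OTP cannot be replayed. */
    static boolean login(User u, String password, String otp) throws Exception {
        boolean passwordOk = MessageDigest.isEqual(u.passwordHash, sha256(password));
        long matched = -1;
        for (long c = u.counter + 1; c <= u.counter + 3; c++) {      // tolerate up to 3 skipped token presses
            String expected = String.format("%06d", hotp(u.otpSecret, c, 6));
            if (MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                      otp.getBytes(StandardCharsets.US_ASCII))) {
                matched = c;
                break;
            }
        }
        if (passwordOk && matched >= 0) {
            u.counter = matched;        // advance so the same OTP is never accepted twice
            return true;
        }
        return false;                   // one answer for every failure: no hint which factor was wrong
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        // Self-check against RFC 4226 Appendix D: counters 0, 1, 2 give 755224, 287082, 359152
        System.out.println("HOTP(0..2) = " + hotp(secret, 0, 6) + ", "
                + hotp(secret, 1, 6) + ", " + hotp(secret, 2, 6));

        User alice = new User(sha256("correct horse battery"), secret, 0);
        System.out.println("password only     : " + login(alice, "correct horse battery", "000000")); // false
        System.out.println("token only        : " + login(alice, "guess", "287082"));                 // false
        System.out.println("both factors      : " + login(alice, "correct horse battery", "287082")); // true
        System.out.println("same OTP replayed : " + login(alice, "correct horse battery", "287082")); // false
        System.out.println("next OTP          : " + login(alice, "correct horse battery", "359152")); // true
    }
}
```

Both comparisons go through MessageDigest.isEqual so that timing does not reveal how many characters matched, and the counter is only advanced when both factors pass, which is what makes a captured OTP worthless after its first use.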

Source: VeriSign

Phishing

Are you safe online?

July 30th, 2007

So you think your company is safe online. Well the truth, unfortunately, is that it probably isn’t. Bet you that got your attention!

Well, just three weeks ago we found a way into a hotel booking engine that their web development company had left open to attack. We discovered a foreign government website showing us department spending levels. And we found a world-famous university that had published staff wages on its website by mistake.

Oh, and did we mention that we found all of these things using Google, Yahoo! and MSN?

Sometimes small mistakes cost companies dearly. The online environment is very sensitive, and organisations should take great care in this area.

Internet security

Is your information safe from google

July 30th, 2007

Well, the truth is maybe not, unless you know how to shut off your website effectively from Google and protect your information. I’ve spent years developing lists of Google hacks, some of which give security holes for specific website systems, others that search for password files, others that seek financial information, all of which can easily be found in Google. Often these results can be found in Yahoo! and MSN too, though Google seems to find information more quickly. Oh, did we mention that you can find passwords and user names for secure sites on some sites too!

Internet security