RiskBloggers.com

July 2006

Microsoft Reaches Out To Hackers With Vista

nwsource.com

Microsoft engineers will detail new security approaches in Windows Vista at an important tech conference later this week. But when it comes to grabbing attention, it won’t be easy for them to top another session at the conference.

Its title: “Subverting Vista Kernel For Fun And Profit.”

No, this is not your ordinary industry confab. In a first for Microsoft, the company will present at the Black Hat Briefings — an annual gathering in Las Vegas where hackers, researchers, government officials and corporate technology specialists unveil and analyze emerging computer security threats.

More: http://seattlepi.nwsource.com/business/279432_software31.html


Apache fixes off by one buffer overflow in mod_rewrite

By Kurt Seifried (kurt@seifried.org)

The Apache Software Foundation has just corrected an off-by-one vulnerability in the mod_rewrite engine. It should be noted that many web applications, such as WordPress, make use of mod_rewrite to create URLs that are more easily indexed by search engines, meaning that although mod_rewrite is often disabled by default, it is typically enabled and used on many sites.

http://httpd.apache.org/

This is of course a classic example of a technological risk. A least-privilege approach, with as many things disabled or otherwise removed as possible, would result in a system that is not affected by this flaw; however, because users want easily indexed URLs, and the easiest way to accomplish this for a program such as WordPress is to use mod_rewrite, you end up with numerous sites using mod_rewrite when it is not strictly necessary.


US Bill To Prevent Consumers From Protecting Themselves From Identity Theft

The US House of Representatives is poised to consider a bill that would make it more difficult for consumers to protect their credit from identity thieves.

Backed by the lucrative financial-services industry, the Financial Data Protection Act of 2005 would narrow the circumstances in which consumers could restrict their credit activity to prevent fraudulent borrowing, and it would undermine stronger state-based reporting rules for companies that hold and sell consumer data.

More: http://www.freepress.net/news/16671

This is an especially worrying bill as it makes it MUCH more difficult for US consumers to protect their credit ratings, and to prevent criminals from taking out credit cards, mortgages, etc. in the victim’s name. The fundamental problem is that credit card companies profit hugely from consumers’ easy access to credit; anything that restricts access to credit will cost the industry money. It’s cheaper in the long run to pass the cost of fraud on to merchants and consumers than it is to fix the problem.


Another reason why biometrics might be a bad idea

Watch where you leave your fingerprints–soon they could be the target of thieves looking to break into your bank account.

Although biometric security systems–using fingerprints, iris scans and facial recognition–are only just now entering the mainstream, they are likely to be common within a few years.

More: http://www.zdnetasia.com/toolkits/0,39047352,39376855-39094240p,00.htm


Good fences make good neighbors

So you’re among the lucky owners who just paid $300,000 or more for a fully furnished, two-bedroom, two-bath unit in a soon-to-open “condominium/hotel” on a golf course near Tucson, Ariz.

Life doesn’t get much sweeter — at least as long as you remember to properly secure your personal wireless access point, because failure to perform that little chore will land you in hot water with property management.

More: http://www.networkworld.com/community/?q=node/6415


One hour time limit to report security incidents for US agencies

Agencies must now report all security incidents involving personally identifiable information within one hour of discovering the incident, the Office of Management and Budget said in a memo tightening information security notification procedures.

More: http://www.gcn.com/online/vol1_no1/41334-1.html


Net Neutrality and Information Security

With the recent debate on network neutrality raging, I thought it appropriate to mention some of what I think the information security implications of net neutrality are (if adopted). This is probably US-centric, but it shows how a policy if not fully thought through can negatively impact the ability of an organization to secure their environment.

More: http://isc.sans.org/diary.php?storyid=1467&rss