Fuzbolero .'s Library tagged vulnerability →  View Popular

Robin Wilton, a corporate architect for federated identity at Sun, described OpenID's reliance on the integrity of the Domain Name System (DNS) as a "multi-factor problem" in light of the discovery of a fundamental flaw in DNS by security researcher Dan Kaminsky.

"You may have seen the recent announcements about DNS cache poisoning, and the potential effect of this on all kinds of Internet-based applications' security," Wilton wrote in a blog post on Friday. "One area in which it can have a particularly significant impact is OpenID."

But the Pentagon's decision to hold back during past conflicts for fear of the potential collateral damage -- revealed in a Saturday report in The New York Times -- seems justified, security experts say.

The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning.

The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card.

Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

• Advisory ID: DRUPAL-SA-CORE-2009-005
• Project: Drupal core
• Version: 5.x, 6.x
• Date: 2009-April-29
• Security risk: Moderately critical

Just days ahead of an April 1st activation date for the Conficker worm squirming through the Windows operating system, security researchers at the Honeynet Project have scored a major breakthrough, finding a way to fingerprint the malware on infected networks.

Now, with the help of Dan Kaminsky and Rich Mogull, off-the-shelf network scanning vendors have the ability remotely (and anonymously) detect Conficker infections.

“You can literally ask a server if it’s infected with Conficker, and it will tell you,” Kaminsky explained.  “Usually, we get to scan for a vulnerability but, because Conficker actually changes the way that Windows looks on a network, we now get to scan and get a “this box is infected” message which is pretty rare.”

Anti-virus provider Kaspersky Lab on Monday moved to reassure customers that none of their personal information was accessed during a 10-day security lapse that exposed a database used to run a support site for its US users.

The company also apologized for the blunder and said it was bringing in database security expert David Litchfield to conduct an independent audit of Kaspersky's website and to publicly share his findings.

In some implementations of FTP daemons, the PORT command can be
misused to open a connection to a port of the attacker's choosing on a
machine that the attacker could not have accessed directly. There have
been ongoing discussions about this problem (called "FTP bounce") for
several years, and some vendors have developed solutions for this
problem.

The CERT/CC staff urges you to install a comprehensive patch if one
is available. Until then, we recommend the wu-ftpd package identified
in Section III.B. as a workaround.