Security Bites 111: Iron Chef returns to Black Hat

Iron Chef returns to Black Hat. No, it's not the Food Network import from Japan broadcasting live, but the Fortify edition featuring lead security researchers as they struggle against the clock to find vulnerabilities. This year, the secret ingredient is open-source code.

Brian Chess, chief scientist at Fortify Software, and Jacob West, who manages Fortify Software's Security Research Group, tell CNET's Robert Vamosi that one team will use static analysis while the other will use fuzzing. Chess confirmed that Charlie Miller and Jacob Honoroff will be on the fuzzing team, and Sean Fay and Geoff Morrison from Fortify … Read more

Security Bites 110: Breaking Google Gadgets

From gadgets that slide-show pictures of vacations past to calendars that show events in the future, Google Gadgets look cool. But they also have the potential to contain vulnerabilities like anything else within Web 2.0.

By design, Google Gadgets allow scripted code to be uploaded by the end user, creating interesting new attack vectors for those with malicious intent.

CNET's Robert Vamosi talked with Robert Hansen (aka Rsnake), chief executive of SecTheory, and Tom Stracener (aka Strace) of Cenzic. Both will be presenting a talk called "Xploiting Google Gadgets: Gmalware and Beyond" at the annual Black … Read more

Security Bites 109: Open-source security

For years, one of the arguments for using open-source software instead of proprietary software held that open source was more secure. After all, having thousands of eyes looking at the code can't help but find and mitigate potentially dangerous bugs. A new report from Fortify challenges that assertion.

Open-source software can be found in over half of the enterprises today. And open source code can be found within the Mac OS 10 operating system. But how are open source vulnerabilities and, more importantly, their patches handled?

This week a report from Fortify found that, while vulnerabilities exist and are … Read more

Security Bites 108: Understanding white listing

To put it simply, the concept of "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.

In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million antivirus signatures, or even a fraction of that if generic signatures are used, is a … Read more

Transcript: Security Bites 107: Dan Kaminsky

Below is a transcript of my interview with Dan Kaminsky. The podcast can be heard here.

Me: You mentioned that you didn't expect to discover this particular vulnerability, the DNS vulnerability. What goes through your mind when you hit upon something that you think might be a vulnerability?

Dan Kaminsky: If you look at a lot of my research, I'm generally looking for interesting capabilities that are within the system. So really what goes through my mind when I find some new interesting capability with the system and just unfortunately the reality of things is, I can do X. … Read more

Security Bites 107: Dan Kaminsky talks about responsible vulnerability disclosure

In the middle of a flood of news surrounding a serious vulnerability within the fundamental structure of the Domain Name System (DNS) is the story of how researcher Dan Kaminsky chose to handle his discovery and, hopefully, its mitigation. What Kaminsky did was coordinate several vendors in a multiparty, simultaneous release of a patch--a patch that he feels doesn't lend itself to easy reverse engineering.

For the moment, Kaminsky is not talking details. He's hoping that people will apply the various patches, update their DNS servers and clients, and do so before the bad guys can craft … Read more

Security Bites 106: McAfee plays with spam

McAfee released on Tuesday the results of a monthlong spam experiment. The security company provided 50 people worldwide with a clean laptop armed only with antivirus protection (no anti-spam protection) and a brand new domain for e-mail. McAfee then asked them to surf the Net and blog about their experiences.

Within the first 24 hours, the individuals received their first spam e-mail in the S.P.A.M. (Spammed Persistently All Month) Experiment.

Over the course of 30 days, McAfee's test subjects accumulated 104,000 spam e-mails, or roughly 70 spam messages per day per recipient. Put another way, … Read more

Report: Disney buys 'green' newsletter Ideal Bite

I guess this is what Disney would consider edgy: the company has reportedly acquired Ideal Bite, a "sassy" eco-focused e-mail newsletter that explicitly states it's "not for readers under age 18." The price was about $15 million, PaidContent reported. That's a lot smaller than Club Penguin, which Disney acquired for $350 million last year.

Ideal Bite is small even as far as e-mail lists go--it's no DailyCandy--but its demographic was likely of interest to a buyer like Disney. The site's median household income is $82,000, press materials state; the median … Read more

Codenomicon CTO discusses tackling vulnerabilities

This week, I had a chance to talk by phone with Ari Takanen, co-founder and CTO of Codenomicon. Takanen's company doesn't engage in vulnerability research but instead creates the tools by which enterprises can check their own software for vulnerabilities.

Which raises a question. On previous shows I've interviewed independent researchers who, outside of a given company, have identified and made public serious vulnerabilities. One would think an independent voice might be better than one located inside a company.

Below is a transcript of part of my interview. The entire podcast can be heard here.

Q: What … Read more

The good (and bad) news about electronic voting

Following the February 5 presidential primary, several county clerks in New Jersey asked an independent researcher to study the vote results on the state's electronic voting machines. The vendor, Sequoia, has threatened legal action, but so far hasn't taken any. Initial results suggest that there were some inconsistencies in vote tallies, although none were enough to reverse the election results themselves.

Since last year, several states have requested audits of electronic voting systems. In California, the audits resulted in some systems being scrapped for the 2008 presidential primaries. As we turn our attention to the fall 2008 presidential … Read more