data loss

Trend Micro Data Loss Prevention 5.2 Data Leakage

========================================================
Trend Micro Data Loss Prevention 5.2 (formerly LeakProof)
Data Leakage through certain HTTP/HTTPS channels

nitrus
http://www.brainoverflow.org
Mexico

###############################################################
I encourage you to take a look at the illustrated advisory that you would 

Re: Five days left to find the oldest data loss incident

> The oldest documented vulnerability in computer security world is  
> password file disclosure vulnerability from 1965, found by Mr. Ryan  
> Russell.
>
> Open Security Foundation launched a competition in April to find the  
> oldest documented data loss incident.
>
> They have announced that the last day to make a submission is next  
> Friday - 15th May.
>
> The contest page is located at

SEC Consult SA-20110810-0 :: Client-side remote file upload & command execution in Check Point SSL VPN On-Demand applications - CVE-2011-1827

Scans for spyware to ensure that malicious processes, keystroke
loggers, and Trojan horses are not installed on remote endpoints,
Connectra scans for these and other spyware through remote users’
browsers. By disabling spyware and enforcing baseline security
requirements before it grants SSL VPN access, Connectra stops identity
and password theft and prevents data loss."

URL: http://www.checkpoint.com/products/connectra/


Vulnerability overview/description:

Troopers08 Security Conference, April 23/24 (Munich/Germany)

Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim

SCADA and National Critical Infrastructures: is security an "optional"? - Raoul Chiesa

Data Loss Protection - Hope or Hype? - Enno Rey & Angus Blitter



thanks,


[ GLSA 200901-02 ] JHead: Multiple vulnerabilities

Synopsis
========

Multiple vulnerabilities in JHead might lead to the execution of
arbitrary code or data loss.

Background
==========

JHead is an exif jpeg header manipulation tool.

[ GLSA 201111-08 ] radvd: Multiple vulnerabilities

Synopsis
========

Multiple vulnerabilities have been found in radvd which could
potentially lead to privilege escalation, data loss, or a Denial of
Service.

Background
==========


C4 SCADA Security Advisory - OSISoft PI Server Authentication Weakness

Impact
----------
An attacker can gain access to the PI Server databases, allowing him to:
1.      Gain access to confidential operational information
2.      Data tampering - permanent data loss or presentation of misleading
decision support data
3.      Attempt to find additional vulnerabilities in the server to carry
out the "corporate network to control center" attack vector mentioned in
C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site
and Corporate Network" (http://www.c4-security.com/index-5.html).

Secunia Research: IBM Tivoli Storage Manager CAD Service Buffer Overflow

====================================================================== 
3) Vendor's Description of Software 

"Designed to provide centralized, automated data protection that can
help reduce the risks associated with data loss".

Product Link:
http://www-01.ibm.com/software/tivoli/products/storage-mgr/

====================================================================== 

Five days left to find the oldest data loss incident

The oldest documented vulnerability in computer security world is password file disclosure vulnerability from 1965, found by Mr. Ryan Russell.

Open Security Foundation launched a competition in April to find the oldest documented data loss incident.

They have announced that the last day to make a submission is next Friday - 15th May.

The contest page is located at
http://datalossdb.org/oldest_incidents_contest

Juha-Matti

Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

In other words, discussing this in a more holistic way, perhaps
releasing test suites and recommending general mitigation schemes that
do not require the web to be done from scratch, might be a better
option. For example, even the approach taken by Chrome - letting
attackers take down their own tabs only - is a significant improvement
that prevents data loss pretty well in most such cases (though it's
definitely not perfect).

/mz

PS. We may argue over whether DoS attacks in browsers are a security

[ GLSA 201001-09 ] Ruby: Terminal Control Character Injection

Impact
======

A remote attacker could send a specially crafted HTTP request to a
WEBrick server to inject arbitrary terminal control characters,
possibly resulting in the execution of arbitrary commands, data loss,
or other unspecified impact. This could also be used to facilitate
other attacks.

Workaround
==========

Troopers08 Security Conference, April 23/24 (Munich/Germany)

Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim

SCADA and National Critical Infrastructures: is security an "optional"? - Raoul Chiesa

Data Loss Protection - Hope or Hype. - Enno Rey & Angus Blitter


--

Additional Pre-Con Latenight Talks

[SECURITY] [DSA 2429-1] mysql-5.1 security update

Several security vulnerabilities were discovered in MySQL, a database
management system.  The vulnerabilities are addressed by upgrading
MySQL to a new upstream version, 5.1.61, which includes additional
changes, such as performance improvements and corrections for data
loss defects.  These changes are described in the MySQL release notes
at: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html

For the stable distribution (squeeze), these problems have been fixed
in version 5.1.61-0+squeeze1.


Re[2]: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

SMC> But is that a vulnerability per se?  It
SMC> almost becomes a "laws-of-physics" vulnerability - if you send too much
SMC> data to an underpowered system with a small pipe, then a DoS is going to
SMC> occur because you can't violate the laws of physics.
If you have not planned for that border case, for example the browser crashes or
the OS reboots and it creates "damage" as in Dataloss - yes it is a vulnerability.
Sorry, but stupidity or lack of effort has never protected somebody from
calling it what it is. Last time I checked, software code didn't respect the
laws of physics though. Pigs fly regularly in my "code".

SMC> At some point a line needs to be drawn, though I don't

Re: Five days left to find the oldest data loss incident

>> Ryan Russell.
>>
>> Open Security Foundation launched a competition in April to find the
>> oldest documented data loss incident.
>>
>> They have announced that the last day to make a submission is next
>> Friday - 15th May.
>>

[ GLSA 201006-10 ] multipath-tools: World-writeable socket

Impact
======

Local users could send arbitrary commands to the multipath daemon,
causing cluster failures and data loss.

Workaround
==========

chmod o-rwx /var/run/multipath.sock



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.