data protection
[ Apologies if you receive multiple copies of this announcement. Please
pass it on to your colleagues and students who might be interested in
contributing. ]
Ninth Annual Conference on Privacy, Security and Trust
------------------------------------------------------
July 19-21, 2011
Montreal, Quebec, Canada
http://www.unb.ca/pstnet/pst2011
NOTICE: due to several received requests, we extended the paper submission
deadline to April 3, 2011.
Ninth Annual Conference on Privacy, Security and Trust
------------------------------------------------------
July 19--21, 2011
Montreal, Quebec, Canada
http://www.unb.ca/pstnet/pst2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2012-018: EMC Data Protection Advisor Multiple Vulnerabilities
EMC Identifier: ESA-2012-018, DPA-14718
CVE Identifier: CVE-2012-0406
CVE Identifier: CVE-2012-0407
Severity Rating: CVSS v2 Base Score: See below for CVSS Base Scores for individual issues.
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)
Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
Details follow:
Joel Becker discovered that OCFS2 did not correctly validate on-disk
symlink structures. If an attacker were able to trick a user or automated
system into mounting a specially crafted filesystem, it could crash the
system or expose kernel memory, leading to a loss of privacy.
Ben Hutchings discovered that the ethtool interface did not correctly
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-010: EMC Data Protection Advisor Collector arbitrary code execution with elevated privileges vulnerability
EMC Identifier: ESA-2011-010
CVE Identifier: CVE-2011-1420
Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Suresh Jayaraman discovered that CIFS did not correctly validate certain
response packets. A remote attacker could send specially crafted traffic
that would crash the system, leading to a denial of service.
(CVE-2010-2248)
(CVE-2010-0435)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
read or write disk blocks that had changed file assignment or had become
unlinked, leading to a loss of privacy. (CVE-2010-2943)
Dan Rosenberg discovered that several network ioctls did not clear kernel
memory correctly. A local user could exploit this to read kernel stack
memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)
down. A local attacker could exploit this to cause the system to crash or
possibly gain root privileges. (CVE-2010-2954)
Brad Spengler discovered that the wireless extensions did not correctly
validate certain request sizes. A local attacker could exploit this to read
portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955)
Tavis Ormandy discovered that the session keyring did not correctly check
for its parent. On systems without a default session keyring, a local
attacker could exploit this to crash the system, leading to a denial of
service. (CVE-2010-2960)
exploit this to crash the system or possibly execute arbitrary code as
the root user. (CVE-2010-3874)
Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit
this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3876)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-021: EMC Data Protection Advisor sensitive information disclosure vulnerability.
EMC Identifier: ESA-2011-021
CVE Identifier: CVE-2011-1742
Severity Rating: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
========================================================================
Workshop on Security and Artificial Intelligence (AISec 2009)
http://www.aisec.info/
This workshop aims to facilitate an exchange of ideas between the AI
and security communities and to promote security and privacy solutions that
leverage AI technologies. Topics of interest include, but are not limited to,
AI-informed approaches to: spam and botnet detection, malware
identification, insider threat detection, incentives in
security/privacy systems, phishing, and others.
3rd Workshop on Security and Privacy in Social Networks
Call for Papers
Third International Workshop on Security and Privacy in Social Networks 2012 (SPSN-2012) in conjunction with IEEE SocialCom 2012, Amsterdam, The Netherlands, September 3-6, 2012
http://spsn12.media.mit.edu/index.html
Scope of Workshop:
The workshop aims to bring to the forefront innovative approaches for analyzing and enhancing the security and privacy dimensions in online social networks. In order to facilitate the transition of such methods from theory to mechanisms designed and deployed in existing online social networking services, we need to create a common language between the researchers and practitioners of this new area, spanning from the theory of computational social sciences to conventional security and network engineering.
UPR Security Notice UPRSN-08_01 December 04, 2008
several vulnerabilities
###########################################################
Ubuntu Privacy Remix (UPR), based on Ubuntu 8.04 (LTS), is a live,
read-only CD that seals off your private data from the outside world. It
does this using encryption and isolation methods. This method of booting
off a read-only CD provides an isolated and unmodifiable system that is
exceedingly difficult to compromise with spyware.
The following security issues affect the "Ubuntu Privacy Remix" releases
MSA-09-0004, MSA-09-0007)
It was discovered that the HotPot module in Moodle did not correctly
filter SQL inputs. An authenticated remote attacker could execute
arbitrary SQL commands as the moodle database user, leading to a loss
of privacy or denial of service. (CVE-2008-6124, MSA-08-0010)
Kevin Madura discovered that the forum actions and messaging settings
in Moodle were not protected from cross-site request forgery (CSRF).
If an authenticated user were tricked into visiting a malicious
website while logged into Moodle, a remote attacker could change the
UPR Security Notice UPRSN-09_01 September 19, 2009
several vulnerabilities
###########################################################
Ubuntu Privacy Remix (UPR), based on Ubuntu 9.04, is a live,
read-only CD that seals off your private data from the outside world to
offer protection against spying measures such as the German
„Bundestrojaner“, with which the German government and federal police
try to spy on its citizens.
UPR does this using encryption and isolation methods. This method of
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)
incorrectly parsed facilities. A remote attacker could exploit this to
crash the kernel, leading to a denial of service. (CVE-2010-3873)
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
Organization Considerations in Security Policy Formulation and Implementations, Digital Forensics and Crimes, Biometrics, Cyber Security
3. Ubi/Cloud Computing
Authentication and Access Control for Data Protection in Ubi/Cloud Computing, Context-Awareness and its Data Mining for UbiCom, Data Grids, Distributed Information Systems, Human-Computer Interface and Interaction for UbiCom, Ubiquitous Systems, USN/RFID Service, Smart Homes and its
UPR Security Notice UPRSN-08_03 January 16, 2009
several vulnerabilities
###########################################################
Ubuntu Privacy Remix (UPR), based on Ubuntu 8.04 (LTS), is a live,
read-only CD that seals off your private data from the outside world to
offer protection against spying measures such as the German
„Bundestrojaner“, with which the German government and federal police
try to spy on its citizens.
UPR does this using encryption and isolation methods. This method of
UPR Security Notice UPRSN-08_02 December 22, 2008
###########################################################
Ubuntu Privacy Remix (UPR), based on Ubuntu 8.04 (LTS), is a live,
read-only CD that seals off your private data from the outside world. It
does this using encryption and isolation methods. This method of booting
off a read-only CD provides an isolated and unmodifiable system that is
exceedingly difficult to compromise with spyware.
The following security issues affect the "Ubuntu Privacy Remix" releases
[HSC] McAfee SecurityCenter Privacy Service HTML Execution Vulnerability
McAfee provides a proactive PC and Internet security service that helps you avoid
online attacks and protects what you value from hackers, identity thieves and other
online criminals.
An HTML execution vulnerability may allow an attacker to execute HTML scripts on
the system in the context of the user. These scripts can perform any action that the
user could. The flaw lies in the processing of filter settings that are saved after exiting.
Note: Since the venue is a restricted area, it is mandatory for each participant to register via email with dharmeshmm at mastek dot com. This is needed to generate gate passes for all individuals attending the event. Otherwise, the participant will not be able to attend.
Interested in speaking at the event?
1. The topic of the event is "Privacy in the 21st Century", so all talks should be related to it. We should be addressing the web application side of privacy (for example, what happens to privacy with SQL injection, XSS and issues like pdp's Snoop).
2. All events are recommended to have the same panel discussion on the subject "What is the current state of Privacy on Web Application Security, and what should we be focusing on?".
3. Drop a mail to dharmeshmm at mastek dot com to confirm your presentation.
Naval Postgraduate School
============================================================
TECHNICAL PROGRAM HIGHLIGHTS
Featuring 58 technical papers, on Applied Cryptography, Attacks, RFID,
Privacy, Anonymization, Formal Techniques, Cloud Security, Security of
Mobile Services, Security for Embedded and Mobile Devices, Systems and
Networks Security, Software Security, Designing Secure Systems,
Malware and Bots topics. The program also includes 5 tutorials, 12
workshops, and poster/demo session.
============================================================
* Knowledge Management
* Embedded Systems
* Defence Systems
Ubi/Cloud Computing:
* Authentication and Access Control for Data Protection in Ubi/Cloud
Computing
* Context-Awareness and its Data Mining for UbiCom
* Data Grids
* Distributed Information Systems
* Human-Computer Interface and Interaction for UbiCom
Knowing the path of the home directory of an unknown host has little, if any, value. Even if you know the host, you would have to get the user to run code interactively to leverage this "privacy issue", in addition to ensuring that the interactive user was indeed the same user that created the PDF doc. And that code would have to be written specifically for that particular host/user, which is inefficient (barring network-based home directory settings). Any time I've needed a local user path for proof-of-concept code, I simply parse the HOMEPATH environment variable to ensure the code runs properly and that it can be easily applied to any host.
t
-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com]
Sent: Monday, November 23, 2009 7:46 AM
To: bugtraq@securityfocus.com
Subject: Millions of PDF invisibly embedded with your internal disk paths
. Libpurple >= 2.6.0 (Pidgin >= 2.6.0)
6. *Vendor Information, Solutions and Workarounds*
The default privacy settings allow any remote entity to contact an MSN
user, so the attacker is not required to be in the victim's buddy list.
The attack can be mitigated by setting the privacy settings for MSN
accounts to "Allow only the users below" (by default, the list of people
on the buddy list).