Information Security News
by Peter Bright
Daniel Cid, a developer of a cloud-based firewall/proxy system, was surprised to discover that his product was blocking requests from Google-owned IP addresses. This was unusual, because few websites want to block Web crawlers, as search engines are so important as a method of site discovery. Cid and his colleagues strive to make sure that their product's default rules don't block Google.
The Google IP address was determined to be legitimate: the traffic came from a Google Web crawler. It was being blocked because the request looked malicious, resembling an attempt at SQL injection. Further examination of the firewall logs showed other, similar requests from Google IP addresses also being blocked.
SQL injection is a technique for exploiting poorly written Web applications. Applications routinely take parameters embedded in URLs and use them to query databases. Well-written applications pass those parameters to the database separately from the query text (as bound parameters), so they can never be interpreted as actual SQL commands. Badly written applications, which are unfortunately abundant, splice the parameters directly into the query string. This allows attackers to trick the application into executing SQL commands of their choosing, which can compromise both data and entire systems.
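The following is an added example, not code from the article or from Cid's product, showing the difference the paragraph above describes. The `users` table, its three rows and the payload strings are constructed for the demonstration; the two lookup functions are hypothetical names for the "badly written" and "well-written" variants of the same query, run against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
ROWS = [(1, "alice", "secret1"), (2, "bob", "secret2"), (3, "carol", "secret3")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The badly written form: the URL parameter is spliced into the SQL text.

    The database parser cannot tell where the data ends and the query
    resumes, so quote characters in `name` change the meaning of the query.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The well-written form: the parameter is bound, never parsed as SQL.

    The statement text is fixed; `name` travels separately and is compared
    as a plain string, quotes and all.
    """
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a benign value and two injection payloads."""
    conn = make_db()
    # Payload 1: closes the string literal and appends a tautology,
    # turning the WHERE clause into "name = 'nobody' OR '1'='1'".
    tautology = "nobody' OR '1'='1"
    # Payload 2: closes the literal, appends a UNION that reads a column the
    # query never exposed, and comments out the dangling quote with "--".
    union = "' UNION SELECT id, token FROM users --"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_union": lookup_vulnerable(conn, union),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_tautology": lookup_safe(conn, tautology),
        "safe_union": lookup_safe(conn, union),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

With the spliced query, the tautology payload returns every user and the UNION payload returns every user's `token`, a column the original query never selected. With the bound parameter, both payloads are simply compared as literal strings and match nothing, while the benign lookup behaves identically in both versions. A request carrying either payload is exactly the shape a firewall such as the one in the article flags, which is why a legitimate crawler following a link that already contained such a string gets blocked.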
by Dan Goodin
Microsoft and Facebook are sponsoring a new program that pays big cash rewards to whitehat hackers who uncover security bugs threatening the stability of the Internet at large.
The Internet Bug Bounty program, which in some cases will pay $5,000 or more per vulnerability, is sponsored by Microsoft and Facebook. It will be jointly controlled by researchers from those companies along with their counterparts at Google, security firm iSec Partners, and e-commerce website Etsy. To qualify, the bugs must affect software implementations from a variety of companies, potentially result in severely negative consequences for the general public, and manifest themselves across a wide base of users. In addition to rewarding researchers for privately reporting the vulnerabilities, program managers will assist with coordinating disclosure and bug fixes involving large numbers of companies when necessary.
The program was unveiled Wednesday, and it builds off a growing number of similar initiatives. Last month, Google announced rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages. Additionally, Google, Facebook, Microsoft, eBay, Mozilla, and several other software or service providers pay cash in return for private reports of security vulnerabilities that threaten their users.
Antivirus provider Kaspersky has designed its products to detect all malware, even if it's sponsored by the National Security Agency or other government entities under programs espoused to target terrorists or other threats.
"We have a very simple and straightforward policy as it relates to the detection of malware: We detect and remediate any malware attack, regardless of its origin or purpose," officials with the Moscow-based company wrote in a statement issued Wednesday. "There is no such thing as 'right' or 'wrong' malware for us."
The officials went on to cite Kaspersky researchers' track record in helping to uncover Flame and Gauss, two pieces of highly advanced, state-sponsored malware that infected thousands of computers, mostly in Iran and other Middle Eastern countries. The officials also recounted their efforts to detect espionage malware that targets human rights advocates and political dissidents.