Google to Microsoft: “Don’t let the door hit ya…!”

Posted by William McBorrough | Browsers, Systems | Tuesday 1 June 2010 1:13 pm

Talk about throwing out the baby with the bath water. The Financial Times reported on Monday that Google has begun telling new employees that they are no longer able to request Windows PCs, giving them the choice of Mac or Linux systems. Google has long offered its employees their choice of work operating system but will no longer do so. According to a Google employee, any exceptions will require CIO approval. [I find that assertion questionable though.]

Google is apparently making this decision in response to the hacking attacks late last year in China. The attackers used vulnerabilities in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code. One could argue that if they had updated their browsers, the attackers would have had to find other vectors for attack.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

The real arguments for Cloud Computing

Posted by William McBorrough | Applications, Network, Systems | Thursday 20 May 2010 3:07 pm

As more vendors dive into the cloud computing market, every possible claim regarding the supposed benefits of moving to a cloud-based service is being made. I ran across an article titled “Why Cloud-based Monitoring is more reliable and secure than Nagios.” The author, who represented a cloud-based network monitoring company, contended that the Software-as-a-Service (SaaS) model offered by his company was better for companies than Nagios and other open source products.

The question is not Cloud Computing vs. Open Source. In fact, there are open source SaaS providers like MindTouch out there. If considering a product like Nagios, a better comparison would be open source vs. commercial. In many cases, cost is the determining factor for companies to look to open source technologies. Other considerations include flexibility and security.

The more relevant comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations, IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies outsource. Can someone else do it better for less? Cost is usually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some. Organizations have to really consider and make that determination themselves. They should make a real comparison between their options and not just follow the typical vendor hype.

McAfee to compensate businesses for buggy update

Posted by William McBorrough | Applications | Thursday 29 April 2010 1:02 pm

McAfee will provide restitution to businesses hit by a faulty virus definition update that rendered computers unusable, the company has confirmed.

“Enterprise customers will get compensation tailored to each individual customer and will receive a combination including products, services and support,” a McAfee spokesman told ZDNet UK on Tuesday.

The concept of companies paying for damages caused by buggy software has often been discussed. Is this a step in that direction, or is McAfee just doing some good customer management?

Source: http://www.zdnet.co.uk/news/security-management/2010/04/27/mcafee-to-compensate-businesses-for-buggy-update-40088779/?s_cid=938

Hackers crack Ubisoft always-online DRM controls

Posted by William McBorrough | Applications | Wednesday 28 April 2010 6:10 pm

Saw this coming a mile away. Why didn’t Ubisoft?..

I couldn’t wait to get my hands on Assassin’s Creed II. It’s nice to be able to unwind for an hour or so at night, running across rooftops in 15th Century Venice, leaping on an unsuspecting Templar and burying my dual hidden blades in his neck. Well, it would be nice except my wireless signal in my bedroom isn’t all that great (or maybe it’s a laptop hardware issue) and the game hangs every 2 mins for about 30 seconds because I lose my connection. Thanks to Ubisoft’s always-online DRM, I have to be online at all times to play the game.

“Hackers have overcome Ubisoft’s controversial DRM system that relied on constant connection to the internet for games to function.

A crack for Ubisoft’s anti-piracy system published by a group called Skid Row allows gamers to circumvent the controls.  A message from the group on a gamers’ forum sets out the group’s agenda: allowing legitimate copies of PC games to be played without an internet connection, rather than facilitating piracy. Skid Row cheekily thanks Ubisoft for posing an interesting intellectual challenge.”

I understand Ubisoft’s desire to protect its products from pirates but this causes a great inconvenience to legitimate customers like myself. Not to mention, it only took about a day to crack it. It causes me all this aggravation with controls that only held up for 24 hrs?

Silent Hunter NFO:

S K i D R O W
-> T H E   L E A D i N G   F O R C E <-
proudly presents
Silent Hunter 5: Battle of the Atlantic / Ubisoft

RELEASE DATE : 03-03-2010               PROTECTION : Ubisoft DRM
GAME TYPE    : Submarine Simulation     DISKS      : 1 DVD

Release Notes:

The Skid Rowdies are looking new blood to fill up the ranks. We're a professional team of dedicated sceners with big mark under sceners. We believe on the ground idealism of the root of the real old school scene. We do all this for fun and nothing else. We don't earn anything on our hobby, as we do this for the competition and the heart of what got the scene started in the mid eighties.

If you think you got something to offer, then don't hold back on contacting us as soon as possible.

twice the fun / double the trouble

On with the game release information:

Silent Hunter 5 hails the return of the number one submarine simulation. For the first time the player will be able to play & feel as U-boat captain leading his crew from a first person view in a true dynamic campaign.

Operate against Allied shipping on a vast area all across the Atlantic Ocean and Mediterranean Sea and participate in famous encounters with strong enemy warships. Can you do better than the best U-boat aces?

Silent Hunter 5 raises the levels of interactivity and immersion inside the U-boat and outside

For the first time the player will walk through highly detailed submarines in FPS view and be able to access every inside & outside part of the U-boot

With the help of an advanced order system the player will interact with the submarine crew, watch them doing their daily jobs and experience the tension & fear inside the U-boot.

Player actions will impact the outcome of battles and the scenario evolution in campaign. Depending on his approach the player can open new locations with upgrade and resupply possibilities, while the Allied response adjusts dynamically

Install Notes:

1. Unpack release
2. Mount image or burn it
3. Install
4. Copy the content from the SKIDROW folder on the DVD to your installation directory and overwrite
5. Play the game

Additional Notes:

Don't install/use Ubisoft launcher, or simply block any connection to internet.

Install game and copy crack, it's that simple!

Support the companies, which software you actually enjoy!

Source: http://www.theregister.co.uk/2010/04/28/ubisoft_drm_cracked/

Top 10 Web Application Security Risks for 2010

Posted by William McBorrough | Applications | Tuesday 20 April 2010 11:45 am

Yesterday, OWASP released its list of top ten web application security risks for this year. The list, which was first unveiled in November at the OWASP conference, is a departure from OWASP’s previous lists, which ranked the most commonly found weaknesses and vulnerabilities in Web applications. OWASP’s new list features the most exploitable and likely security risks found in these apps. The list includes:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Download the full report here.

Does the musical browser approach work?

Posted by William McBorrough | Applications, Browsers | Monday 22 March 2010 2:42 pm

Germany’s official cyber-response team is advising surfers not to use Firefox pending the release of a patch to defend against a critical unpatched vulnerability. This is the second time in two months that Germany has taken such a step. Earlier in January, the German government issued a similar warning to IE users. I did a post about it titled Germany warn users against Internet Explorer.

The zero-day vulnerability in the latest full version 3.6 of Firefox was discovered by researcher Evgeny Legerov last month. Legerov controversially offered to sell exploit code he developed. Mozilla acknowledged the vulnerability on Thursday and promised that the next version, 3.6.2, due at the end of the month, would plug the hole.

I have to applaud the German government for taking such a proactive approach to online of its citizens. I have to wonder what would be the response to such an approach by the US government here. As to the advice given, I’m of two minds really. Whereas home users are at liberty to switch browsers as often as their underpants, corporate users may not have that luxury. Wholesale software migrations in a corporate setting are no small undertaking. If it were, I doubt Google would have gotten hacked for using IE6.

Vulnerabilities in all browsers are discovered over time. Corporate users, does the musical browser approach really work even if it were possible? I think not. My advice: Test and Upgrade as soon as is feasible.

Upgrade your Safari browser now!

Posted by William McBorrough | Applications, Browsers | Wednesday 17 March 2010 6:49 pm

The newly released Safari 4.0.5 reportedly fixes a number of security issues on the Windows and Mac OSX platform versions of its browser, and includes remediations for a total of 16 security vulnerabilities.

Some of these vulnerabilities allow your system to be compromised simply by browsing a page with an infected image file, so upgrade without delay.

According to Brian Cluley of Sophos, “It doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.”

RSA 2010 Recap

Posted by William McBorrough | Applications, Network, Systems, Users | Friday 5 March 2010 1:44 pm

Today is the last day of RSA Conference 2010. If you didn’t make it,  CSOonline.com has provided a recap of the highlights:

RSA COVERAGE

RSA 2010: Infosec Pros Get Raises Despite Recession An (ISC)2 survey suggests salary increases and hiring went up for many security practitioners in the last year despite the Great Recession. Ironically, the recession may be WHY it’s happening.

RSA 2010: Why 41 Percent of You Would Fail a PCI Audit Miscellaneous news bytes from the RSA 2010 press room: QSAs tell Ponemon Institute that 41 percent of companies would bomb their PCI security audit; hackers industrialize their sinister revolution and VeriSign opens a new compatibility lab.

RSA 2010: Can Adobe Stop the Hate? Security pros are unhappy with Adobe Systems over recent flaws and attacks. Adobe Security Chief Brad Arkin on what the company is doing about it.

RSA Conference 2010: 4 Survival Tips For the newcomer, the RSA security conference can be overwhelming. Follow these four strategies to get the most from it.

Social Networking is Risky Business From Computerworld: A panel discusses the risks associated with social networking sites.

Chertoff: Tracking Attacks to the Source is Key for Cybersecurity From Computerworld: An exclusive interview with former DHS leader Michael Chertoff.

RSA PODCASTS

RSA 2010: Microsoft’s Plan for Cloud Security Audio: Microsoft VP Jim Jones explains his company’s approach for securing its services in the cloud.

RSA 2010: Verizon Releases Its Threat Report Recipe Verizon Business will share the research framework used for its Data Breach Investigations Reports so companies can create reports tailored to their specific environments.

SECURITY B-SIDES COVERAGE

Security B-Sides: Perfect Authentication Remains Elusive Everyone realizes passwords have their shortcomings. But alternatives like two-factor authentication are not as powerful as one would expect. The problem? As always — human behavior.

One Man’s Life on the Security D-List At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn’t all it’s cracked up to be.

Security B-Sides: Rise of the ‘Anti-conference’ The RSA 2010 conference had some nearby competition. Here’s the story of Security B-Sides as the conference alternative.

How much more would we pay for less bugs?

Posted by William McBorrough | Applications | Friday 19 February 2010 11:22 am

5 Open Source Alternatives to Microsoft Office

Posted by William McBorrough | Applications | Monday 8 February 2010 1:55 pm

The Microsoft Office productivity suite has risen to become the dominant application of its type for business IT management. But there are office productivity suites available that may provide a suitable alternative to Office, depending on your requirements.

1. OpenOffice.org

Ever since Sun Microsystems released the code to StarOffice back in 2000, OpenOffice.org has been a popular “free alternative” to Microsoft Office.

OpenOffice.org offers a complete suite of office apps, including a word processor, spreadsheet and presentation manager. In terms of user experience, it is the closest thing the world has to rival Microsoft Office and is thus popular with many home users as well.

Good file compatibility with Office is also a compelling feature of OpenOffice.org. Late last year the project announced 100 million downloads since version 3.0 was announced a year earlier. The next release will be 3.2, which is due in the coming weeks.

URL: http://www.openoffice.org
Licence: LGPL

2. KOffice

Not as popular as OpenOffice, but providing a similar level of functionality, is KOffice. KOffice began life as an office suite for the KDE project, but has since been ported to Windows and Mac OS X.

In addition to the standard office applications, KOffice also features apps for project management, flowcharting and graphic design. Also part of the KOffice suite is Kexi, a database alternative to Microsoft Access.

KOffice is in rapid development after a major release upgrade from the 1.x to 2.x series. The developers will release the 2.2 stable version this year, which is meant to be a “production” release suitable for everyday use.

Last year Nokia announced it will use KOffice as the basis of its mobile office suite for the N900 smartphone.

URL: http://www.koffice.org
Licence: LGPL & GPL

3. GNOME Office

While not as tightly integrated as OpenOffice.org or KOffice, the GNOME office suite is a collection of productivity applications typically shipped with the GNOME desktop environment, but it can also run on Windows.

The word processor, AbiWord, reached version 2.8 last year and now supports annotations, smart quotes and scalable vector graphics. A collaboration tool also allows multiple people to work on one document at the same time. This can also be used with the AbiCollab.net online storage service.

Gnumeric, the spreadsheet, has support for Microsoft Excel documents and claims more calculation functions.

GNOME office also includes the Evolution e-mail and groupware client. Evolution has a number of enterprise features and has an extensive repository of plug-ins available to enhance its functionality.

URL: http://live.gnome.org/GnomeOffice
Licence: GPL

4. Feng Office

Formerly known as OpenGoo, Feng Office is not your typical office suite in that it is Web-based, like many of today’s SaaS offerings.

Feng Office allows users to upload and share any type of document and certain files can be edited online as well. A spreadsheet component is under development.

In addition to document management, Feng Office has applications for notes, e-mail, contact management, calendaring, task management and time keeping.

A commercially supported version is available which can be hosted on-site or provided as SaaS.

URL: http://www.fengoffice.com
Licence: AGPL

5. Simple Groupware

As the name indicates, Simple Groupware was developed as a groupware suite, but we’ve included it here because of the increasing number of office suite-like applications it contains, including an online spreadsheet.

Simple Groupware’s Simple Spreadsheet features support for formulas, functions, JavaScript macros, charts, cell manipulation and integration of images from the Web. Open Office and Microsoft Office documents can be previewed in a Web-browser.

With modules for HTML and wiki documents, Simple Groupware is starting to look a lot like a basic online office productivity suite. What’s more, the files module makes it possible to share files, track versions and manage folders.

URL: http://www.simple-groupware.de
Licence: GPL

Source: http://www.cio.com.au/
