funsec mailing list archives

19-DEC-2006 security news wrapup


From: Paul Vixie <paul () vix com>
Date: Tue, 19 Dec 2006 18:34:54 +0000

Demonstrating the Consequences of Cross Site Scripting (XSS) Vulnerabilities
http://www.oreillynet.com/onlamp/blog/2006/12/demonstrating_the_consequences.html

        ...

        In the case of Cross Site Scripting (XSS), it can be quite cumbersome
        for a security analyst to come up with a visual demonstration that
        clearly indicates the consequences of the vulnerability. Security
        analysts often demonstrate XSS by injecting JavaScript code such as
        alert('xss'); causing the vulnerable application to display a pop-up
        window with the word 'xss'.  From a technical perspective, such a
        demonstration does prove the existence of a XSS vulnerability, but it
        doesn't do much to visually convey the impact and consequence of the
        issue. While trying to find tools or methodologies that can automate a
        XSS demonstration, I came across the BeEF tool.

        ...

How Microsoft Fights off 100000 Attacks Per Month
http://www.osnews.com/story.php?news_id=16756

        Microsoft has long encouraged its employees to 'RAS' into the
        corporate network from home or from the road to access e-mail, shared
        files and applications. RAS, short for Remote Access Services, is an
        old Microsoft term for what most people now call a client VPN.
        Microsoft, of course, maintains valuable intellectual property on its
        internal network, including the source code to all its operating
        systems and applications. These are constant targets for hackers, and
        Microsoft tries to protect its most valuable assets with defenses in
        depth; they are behind firewalls and on networks segmented with
        IPsec. In addition, the entire network is monitored for suspicious
        activity, scanned for malware and so on.

Check Point to tack on NFR Security
http://news.com.com/2100-7350_3-6144782.html?part=rss&tag=2547-1_3-0-5

        Check Point Software Technologies announced on Tuesday that it plans
        to acquire NFR Security in a deal valued at $20 million.

        ...

        The merger is designed to combine Check Point's SmartDefense with
        NFR's hybrid detection engine. NFR, based in Rockville, Md., develops
        technology designed to guard against intrusions such as zero-day
        attacks and polymorphic buffer overflows.

Australia Rules Linking to Copyright Material Also Illegal
http://yro.slashdot.org/article.pl?sid=06/12/19/0521206

        "A recent ruling in Federal court upheld the ruling that the operator
        and ISP that hosted the site 'mp3s4free.net' were guilty of copyright
        infringement violations because they provided access to the copyright
        material.  From the article: 'Dale Clapperton, vice-chairman of the
        non-profit organization Electronic Frontiers Australia (EFA),
        explained the ruling as follows: "If you give someone permission to do
        something that infringes copyright, that in itself is infringement as
        if you'd done it yourself. Even if you don't do the infringing act
        yourself, if you more or less condone someone else doing it, that's an
        infringing act."'"
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

