Microsoft Windows, now with erm…. Other Browsers


The EU has made it clear that Microsoft needs to give users a choice as to which browsers they have installed.

This is all well and good, but users don't really know about all the other options, or how to patch them and keep them up to date.

Personally I don't see the issue here. OK, so all users have IE as standard, so we can argue that Microsoft has the browser monopoly, but who really cares? It doesn't stop people installing other browsers and having them as their default.

If only we could focus as much effort on more worthwhile causes.

Former Staff Swiping Confidential Data…. But we still don't need to restrict the use of removable storage devices.


A recent survey shows that around 59% of staff who were made redundant or left their job have admitted to swiping confidential company data.

A web-based survey of 1,000 workers who lost or walked out of their jobs in 2008 by the Ponemon Institute and Symantec found the most commonly purloined records taken included email lists, employee records, and customer information (such as contact lists).
Of those who admitted to taking company data, three in five (61 per cent) admitted they harboured a grudge of one sort or another against their former employer.

Half of those who swiped data (53 per cent) burnt the information onto a CD or DVD, 42 per cent used a USB drive and 38 per cent emailed information to a personal email account. One in four (24 per cent) had access to their employer’s computer systems after they upped sticks and changed jobs.

This really shouldn't be a surprise to anyone, but it's obvious that organisations still don't see the real risk of not controlling the use of removable storage media. This doesn't mean moving to the mandated use of encrypted devices, which is obviously a good move for authenticated data storage and loss prevention, but companies really need to implement policies and technical solutions to log, monitor and control the use of devices and the flow of data.

F-Secure, Bitdefender, Kaspersky and now Symantec…. FAIL

As already blogged, Kaspersky went Kerplunk; now it's Symantec's turn for a visit from the Romanian Ethical Hacker. This continues to demonstrate that not even the IT security vendors can keep up with all the ongoing vulnerabilities, and perhaps sometimes misjudge the risks.

The hacker Uno has posted about this latest website vulnerability test on blogs and forums; however, Symantec does not agree.

Symantec responded to reports of the potential snafu with an assurance that its site was and remains secure. Uno had simply stumbled upon an error message, it said. Symantec was notified of a reported security vulnerability on a webpage within Symantec’s website. Upon notification of the potential vulnerability, Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability. It appears that the individual who reported it based the report on an error message. Symantec has addressed this issue and the web page is back up and running. Symantec can confirm that no company or customer information was exposed.

Symantec adds that “upon thorough investigation, we have determined that the Blind SQL Injection is, in fact, not effective. The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options.”
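Symantec's explanation is worth unpicking for anyone triaging a blind SQL injection report: a response that differs between valid and injected input is expected from any input handling, while the signal that actually matters is a difference between an always-true and an always-false injected condition. The following added example (my own, not Symantec's or Uno's code) models that with a constructed in-memory language table, an unsafe concatenating lookup beside a parameterised one, and a triage function that reports both differences:

```python
# Added example (not from the original post): a local model of why a
# response difference between valid and injected input does not by itself
# prove blind SQL injection. Two handlers back the same "language option"
# lookup: an unsafe one that concatenates the parameter into SQL, and a safe
# one that binds it. Both show a valid-vs-injected difference; only the
# unsafe one also shows the true-vs-false difference that matters.
import sqlite3

# Constructed sample table standing in for a site's language options.
_DB = sqlite3.connect(":memory:")
_DB.executescript(
    "CREATE TABLE languages(code TEXT, name TEXT);"
    "INSERT INTO languages VALUES ('en','English'),('fr','French');"
)


def lookup_unsafe(lang):
    """Vulnerable: the parameter is spliced into the query text."""
    sql = "SELECT name FROM languages WHERE code = '%s'" % lang
    return _DB.execute(sql).fetchone()


def lookup_safe(lang):
    """Hardened: the parameter is bound, so it is never parsed as SQL."""
    sql = "SELECT name FROM languages WHERE code = ?"
    return _DB.execute(sql, (lang,)).fetchone()


def respond(lookup, lang):
    """Simulates inconsistent exception handling: a lookup that finds
    nothing is a 404, while a query error surfaces as a 500 page."""
    try:
        row = lookup(lang)
    except sqlite3.Error:
        return 500
    return 200 if row else 404


def triage(lookup):
    """Two questions a defender asks of a blind-SQLi report: does the
    response differ valid-vs-injected (expected for any input handling),
    and does it differ between an always-true and an always-false
    injected condition (the actual blind-SQLi signal)?"""
    valid = respond(lookup, "en")
    true_cond = respond(lookup, "en' AND '1'='1")
    false_cond = respond(lookup, "en' AND '1'='2")
    return {
        "valid_vs_injected_differs": valid != false_cond,
        "true_vs_false_differs": true_cond != false_cond,
    }
```

With the parameterised lookup the valid-vs-injected difference remains (200 against 404) while the true-vs-false difference disappears, which is the shape of result Symantec describes.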

Uno has now uncovered problems of varying seriousness involving the websites of F-secure, emea.symantec.com, usa.kasperky.com and BitDefender. All the reported flaws involved SQL injection techniques, a common class of vulnerability used either to attack websites directly or to plant malicious code as part of a drive-by download attack.

Finally if you have a look at Uno’s blog you can further read he has even had a little dabble with the UK Lottery, who knows…… It Could Be You 🙂

How important is IT Security in your business?

A recent survey carried out by Freedom Dynamics shows some interesting results. I found this on The Register today; head over there to read more.

Many organisations do not practice entirely what they preach, however. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even if you take into account the possibly skewed opinions of our survey respondents.

To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:

  • Business processes, activities and people
  • Business and technical information
  • IT applications and services

Adobe Reader and Acrobat Buffer Overflow – CVE-2009-0658

I am a few days late posting on this as I have been a bit busy. However, on 19th Feb 09 Adobe published info on yet another buffer overflow vuln in Adobe Reader.

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe categorizes this as a critical issue and recommends that users update their virus definitions and exercise caution when opening files from untrusted sources.

A patch is expected in early March, so until then keep an eye on your IDS and update your virus signatures.