Small and medium businesses are constantly at risk of being targeted by cybercriminals, simply because they are smaller than large corporations. The bigger a company is, the more money they have to invest in higher-tech security systems and larger, more involved IT departments. For smaller companies, it is easy to focus on trying to expand business and let security sit on the back-burner. This is where the partnership between Dell and Trend Micro comes in. They have come up with an easy way for small and medium sized businesses to manage their security needs without breaking the bank. Dell Collaborates with Trend Micro Trend Micro’s Business Security Services include several desirable features to make the security portion of running a business much easier. First and foremost, is a set of web-based tools which make administration extremely easy. There is no need for a dedicated in-office server (or any company owned server at all), and the administration panel can be accessed from anywhere with an internet connection. There is also a remarkably low system performance impact, thanks to the fact that once a scan is complete, the results are processed in the “Smart Protection Network” run by Trend Micro. For companies with little or no IT staff on hand, the system comes pre-configured security parameters and runs automatically, so there is less worry about having something set up improperly. Both desktops and laptops are secured with this software, even if they are used outside the office. Anytime the computer is connected to the internet, it is being actively protected. This has the biggest impact on users who travel with their work, as many do. This is a big step forward for one of the top PC suppliers in the world. The fact that this software can come pre-installed on systems shipped to its commercial clients means that they can offer security and piece of mind to a large group of people.

Here is the original: 
Dell Collaborates with Trend Micro

Earlier this week, HP announced that it will soon be adding Fortify to its list of recently acquired companies. This will be a huge advantage for HP in the security market. HP to Acquire Fortify Fortify Software is a company that specializes in software security. Founded in 2003, it has continued to grow and supply Software Security Assurance (SSA) to government agencies and fortune 500 companies in many different industries. Their best known software suite, Fortify 360, is a tool that can root out security issues in software, as well as fix those issues and prevent future vulnerabilities. In February of this year, HP and Fortify released their most recent collaboration, “Hybrid 2.0″ which goes to show that there has been no problems between these companies working together in the past. Once the deal is finalized, Fortify will continue to run as a stand-alone company. Eventually though, they will be slowly integrated into HP’s Software and Solutions business. This will allow HP to put a much larger focus on software security in every aspect of the application life cycle. “Businesses operate in a world of increasing security and compliance challenges, and the applications and services that they rely on are core to the problem and the solution,” said Bill Veghte, the executive VP of the Software and Solutions branch, in the official HP statement on the acquisition. “With Fortify’s leadership in static application security analysis combined with HP’s expertise in dynamic application security analysis, organizations will have a best-in-class solution to improve the security of their applications and services.” This is not the only company HP has had its eye on. Just last month, HP finalized its purchase of Palm, Inc. This was meant to increase their connection to the rapidly growing mobile device market. This past April, HP bought 3Com for its computer network hardware capabilities. These companies were purchased for $1.2 billion and $2.7 billion dollars respectively. The details of the deal between HP and Fortify have not yet been disclosed.

See the original post here:
HP to Acquire Fortify

Both Apple and Adobe have shipped out relatively large collections of security patches this past week, Apple fixing up OSX and Adobe locking down it’s Shockwave player. Both sets of patches have been given a security rating of ‘critical,’ which means that there is the possibility of malicious code execution on an unprotected system. Apple And Adobe Both Roll Out Large Security Updates Apple’s update this week fixes code execution attacks when viewing maliciously crafted PDF or PNG files, or even just viewing a document with a maliciously crafted font installed. There is also the possibility for network administrators to abuse their positions by intercepting sensitive data through the use of an anonymous TLS/SSL connection, or to use a similarly named web address to impersonate a legitimate site and steal information that way. For instance, if they are in possession of the domain name www.example.com, they are able to impersonate www.example.com due to the lack of checking the final letter in the certificates. There are also updates for the newest versions of PHP and ClamAV which both claim to include necessary security updates. These updates can be applied via the “Software Update” option in OSX or downloaded from Apple’s support site . Adobe has updated their Shockwave Player to fix several security holes, including 16 memory corruption vulnerabilities which could lead to code execution. These vulnerabilities affect version 11.5.7.609 and earlier, and it is recommended that anyone running these versions immediately upgrade to the most recent version (11.5.8.612) of the software found on Adobe’s website . The memory corruption vulnerabilities and four more issues are all labeled as ‘critical’ in the Severity Rating System. The other issues include two denial of service attacks, one of which could potentially lead to code execution. Also there is a pointer offset vulnerability and an integer overflow vulnerability which can grant one with malicious intent access to plant code in a user’s memory.

Go here to see the original:
Apple and Adobe Both Roll Out Large Security Updates

Patch Tuesday has come and gone, and with it came the biggest Microsoft Update ever seen since they began their monthly update cycle in 2003. The Windows Operating System as well as Internet Explorer, MS Office, MS Office for Mac, MS Works, Silverlight 2 and 3, the .NET Framework and Movie Maker are all affected. Microsoft Issues Record Breaking Security Update There are 14 new security bulletins released this week, 8 of which are labeled as “critical” and the remaining 6 are labeled “important”. These numbers do not include the link vulnerability patch that was released last week, although the Security Bulletin Summary does include that patch with the others. Microsoft is assuring people that of these new vulnerabilities, none have been seen exploited in the wild as of yet. Of the 8 “critical” bulletins, 4 are listed as high-priority, meaning that they should receive immediate attention. MS10-052 - This bulletin addresses a vulnerability in Microsoft’s MPEG Layer-3 audio codecs. Remote code can be executed through specially crafted media files or streaming content from a website or web application. MS10-055 - This bulletin addresses a vulnerability in the Cinepak Codec. Remote code can be executed through specially crafted media files or streaming content from a website or web application. MS10-056 - This bulletin addresses 4 different vulnerabilities in MS Office. An attacker can gain privileges equal to that of the user if that user opens or previews a specially crafted RTF email message. MS10-060 - This bulletin addresses 2 different vulnerabilities in the .NET Framework and Silverlight. Remote code can be executed when viewing a specially crafted web page in a browser which can run XAML Browser Applications or Silverlight Applications, or if the user runs a specially crafted .NET application. More information on these 4 bulletins, as well as the other bulletins, can be found via the Microsoft Security Bulletin Summary for August 2010 .

Read more here:
Microsoft Issues Record Breaking Security Update

Microsoft has released a non-standard update to the Windows Operating System. This unusual move was prompted by a slew of highly critical viruses taking advantage of a vulnerability in shortcut links. Microsoft Fixes Most Recent Vulnerability On July 16, Microsoft Security Advisory (2286198) was published to Microsoft’s website. It explains a problem with the way Windows handles .LNK and .PIF files, which are symbolic links to legitimate programs on a computer. Basically, when the link image was rendered, it allowed the malware embedded in the file access equal to that of the current user and executed malicious code with those abilities. Obviously, users who insist on running with administrative permissions were at a higher risk than those who log on with a regular account. There are several viruses that have been exploiting this security hole. The first known use of this vulnerability was the Stuxnet worm, which spread via USB drives and stole information from computers running software from Siemens. Since then, there have been other viruses to exploit this same problem. Microsoft blogged about these viruses, including one particularly nasty one known as Sality.AT. Microsoft stated that Sality is “highly virulent,” and works by infecting other files, copying itself to removable media, disabling security and finally downloading other malware onto the infected system. Earlier this week, Microsoft released Microsoft Security Bulletin MS10-046 , which is the patch to fix this particular vulnerability. This “out of band” patch came a full week before the regularly scheduled update, due to concern for customers’ security. Everyone who has Automatic Updates turned on will already have the patch installed and their system is secured against this particular threat. The only people who need be concerned are those who check for updates manually and those who are still running Windows 2000 or XP Service Pack 2 or earlier, as they are no longer supported by Microsoft.

Read the original post:
Microsoft Fixes Most Recent Vulnerability

After all the debate about disclosing security vulnerabilities within software, Google is trying to reshape the process for fixing bugs. There has always been discussion on whether or not responsible disclosure was actually responsible or not, but it came to a head (at least from a media standpoint) last month with the Microsoft/Tavis Ormandy occurance. Google Pushing To Redefine ‘Responsible Disclosure’ This post from the Google Online Security Blog discusses what Google would like to see changed in the current “responsible disclosure” model. Currently, when a security researcher finds a vulnerability in a piece of software, that researcher is supposed to inform the software vendor privately of the risk. The bug is not supposed to be released to the public until a fix is released. According to Google’s blog post, “The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect. We’ve seen an increase in vendors invoking the principles of “responsible” disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that time frame, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers. The important implication of referring to this process as “responsible” is that researchers who do not comply are seen as behaving improperly. However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time.” This does not seem like the best system to have in place for protection of the end user. Basically, this is saying that because security researchers are not allowed to release details of a bug to the public until there is a fix, there is no reason for the vendor to take action. It also takes notice of the fact that by using the term ‘responsible’ disclosure, it is barring anyone from breaking with the mold by labeling them as irresponsible. Despite what it may seem like, Google is not trying to plunge us into a state of anarchy by proposing a full-disclosure method of dealing with bugs. They want to find a balance, where end users receive security updates in a timely manner, and software vendors have enough time to provide those fixes to the users. Their suggestion? A 60 day window between being informed of the vulnerability and having a fix available to to the public. In this situation, everybody wins.

Here is the original:
Google Pushing to Redefine ‘Responsible Disclosure’