Fortinet, maker of unified threat management solutions, on Monday announced plans to go public. The Sunnyvale, Calif. company plans an initial public offering (IPO) of up to $100 million in common stock, according to a filing with the U.S. Securities and Exchange Commission. Many firms have steered clear of IPOs in recent months, but with the stock market again climbing, that may change, experts said. ArcSight was the last major security company to file for public status. — DK
Not enough emphasis is placed on the integrity of software, according to a software assurance group, which hopes to change that mentality with a new framework.
T-Mobile has confirmed that hackers were able to swipe data from its systems, but the wireless carrier is downplaying the threat to customers.
McAfee today announced the acquisition of dynamic whitelisting vendor Solidcore for approximately $33 million. The acquisition advances McAfee's endpoint security and risk management portfolio. Specifically, Solidcore enables McAfee to now provide security for automated teller machines (ATMs), point-of-sale (POS) systems, multifunction printers (MFPs), supervisory control and data acquisition (SCADA) systems, as well as mobile and other embedded devices. In addition, it will strengthen McAfee's virtualization solutions, the company said in a news release. — AM
Companies must develop better ways of evaluating the security and privacy practices of the cloud services they utilize, according to a report by Forrester released Friday.
Efforts of the North American Electric Reliability Corp. (NERC) to secure the nation's power grid against cyberthreats cannot substitute for additional emergency authority at the federal level, urged Richard Sergel, president and CEO of NERC, in testimony during a Senate hearing on cybersecurity Tuesday.
A hard disk containing the launch procedures for a U.S. military missile defense system was recently purchased on eBay.
Despite the financial crisis, companies are still putting forth money for IT security efforts while overall IT spending is less of a priority, according to a new survey conducted by strategy and business advisory firm MetroSITE Group, and Pacific Crest Securities, a technology investment bank.
The CERT Coordination Center at the Carnegie Mellon Software Engineering Institute in Pittsburgh on Thursday released a free, open-source tool that software developers can use to detect ActiveX vulnerabilities. Dubbed Dranzer, the tool was tested on 22,000 ActiveX controls produced by more than 5,000 organizations. Dranzer is designed for use during the quality assurance phase of software creation and can help prevent flaws, such as buffer overflows, from being shipped in software to the public. — DK
VMware has issued patches for a critical security vulnerability in its ESX and ESXi virtualization products.
The Open Web Application Security Project (OWASP), an open-source project, has announced a free, 216-page guide for how to review code for application vulnerabilities. The book complements the already released "OWASP Security Developer Guide" and the "Security Testing Guide." The latest publication is "part of OWASP's strategy to make application security visible and enable the market to support the development of secure application software," according to the organization. — DK
On its TechNet blog, Microsoft denied that a recently uncovered GDI+ EMF buffer overflow problem will result in a crash that is "exploitable for code execution." The flaw had been reported Tuesday by SecurityFocus. Microsoft said it was continuing its investigation, but that mitigating defenses already in place effectively counteract the threat, even when the flaw causes termination of an application. — CAM
Mozilla has addressed a notorious zero-day vulnerability discovered Wednesday that could have caused execution of malicious code if exploited. With the flaw, attackers could have modified Firefox source code. In its release notes for version 3.0.8, Mozilla identified the problem as an XSL parsing "root" XML tag remote memory corruption vulnerability, and lists the bug as "Resolved." — CAM
Security updates for Cisco Internetwork Operating System were released Wednesday to shield against a number of vulnerabilities.
The Internet Explorer 8 vulnerability demonstrated at the CanSecWest hacker conference on the beta version of the browser also exists in the final version.
To avoid hacking and malicious alteration of the application, software companies are turning to new anti-tamper solutions that will protect the entire application, as well as maintain code integrity.
The official release of Internet Explorer 8 is scheduled to be available at noon EST on Thursday. The new browser "offers leading-edge security features," including a cross-site scripting filter, clickjacking prevention, and per-site ActiveX, which enables users and administrators to manage where an ActiveX Control can run, Microsoft said. The download, in 25 languages, is at http://www.microsoft.com/ie8. — CAM
Sports fans might be eager for March Madness to begin on Thursday, but for cybercriminals, the games have already begun, security researchers said.
Time Warner Cable confirmed Thursday that distributed denial-of-service (DDoS) attacks against its DNS servers are to blame for the slower-than-normal service affecting its broadband customers, particularly those living in Southern California, for about the past week. The company said in a statement that the culprits likely are using botnets to deliver their traffic because the attacks are "larger and more difficult to contain than similar attacks in the past." — DK
A fourth security vendor website has been found to be insecure. In a post on hackersblog.org, a Romanian hacker, whose alias is "Unu," describes an insecure parameter in the Symantec Document Download Center that is vulnerable to SQL injection. The flaw supposedly exists on an SSL login page and permits access to company databases. According to the hacker, Symantec has been contacted but has not yet responded. The same hacker claimed to gain access to Kaspersky, F-Secure and BitDefender websites. — CAM
A Romanian hacker claims to have found a hole in the website for security firm BitDefender. According to a post by someone using the alias Unu on hackersblog.org, an SQL injection vulnerability persists in the site's news section. Recently websites belonging to security firms F-Secure and Kaspersky Lab were compromised. And a Portuguese partner site belonging to BitDefender also was hit. All three companies deny that any personal information was exposed to the attackers. — CAM
A forensic exam has confirmed Kaspersky Lab's initial findings that Romanian hackers did not compromise any personal data when they launched an SQL injection attack against the anti-virus company's U.S. support site. David Litchfield of Next Generation Security Software said in a Thursday report that other attackers, upon learning of the vulnerable site at usa.kaspersky.com, attempted to access data but also were unable. — DK
Identity fraud increased by 22 percent last year, but the burden on consumers is lessening, according to a new study.
A security services provider for the federal government is notifying employees, former employees and customers that its network was compromised by malware.
On Tuesday, a bid from Research In Motion bested VeriSign's offer for control of cryptography technology firm Certicom.
More than half the respondents of a recent poll said their organization does not have a policy on using Facebook.
Cybercriminals have begun using Google Video to help deliver victims to their doorstep.
A researcher has shown that the Google Chrome web browser also can succumb to clickjacking.
Companies around the globe are recognizing the second annual Data Privacy Day on Wednesday with seminars and other events aimed at educating users and generating discussion around the topic.
The criminal group behind the Waledac email worm, distributed last week in inauguration-related phishing attacks, is now leveraging Valentine's Day to distribute malware and expand a botnet.