"many users, both at work and at home, aren’t motivated to keep up with security because vulnerabilities are often unseen, leaving them unaware that they are risking their own operations — and the larger global system of networks, Schneier said. "I think things are getting worse, not better," he said. To change that, the ultimate…

trib e85@gma il.com quotes "Microsoft, Hacker Attack XSS JANUARY 22, 2007 | 5:30 PM — It’s an unlikely alliance, for sure. But a Microsoft engineer and RSnake, the founder of ha.ckers. org d sla.ckers.org — which have brought attention to the epidemic of cross-site scripting (XSS) vulnerabilities in major Websites — have begun informally swapping…

NGSEC has announced version 3 of their web application security challenge. "On each level you will be presented a form asking you to authenticate. You do not know the user and the password, the goal is to bypass the authentication mechanism." Challenge Link: http://quiz.ngsec.com/game3/

"Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications." … "The concerns come as attackers and security researchers have increasingly focused on finding flaws in…

"But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users changing buddy lists…

"According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down. Such "infection-by-proxy" code can remain in caches for as long as…

"Leading IT consultants have warned the US military, government and "critical infrastructure agencies" that their widespread use of outsourced commercial software is putting the nation more at risk from a cyber terrorist attack. Security experts at the Cyber Defense Agency (CDA) believe that central agencies as well as gas, electricity, telecoms and banking providers could…

Information weekly has written an article entitled "Web App Vulnerabilities Are Getting More Attention; Now's The Time For IT To Get Defensive" "Attacks designed to bring down networks are largely under control, even though companies still spend plenty of time defending against them. The latest addition to IT teams' worry lists: keeping Web apps from…

Apparently Microsoft, Oracle, Red Hat, and SAP have formed a vendor based security consortium titled "AppSIC" or the Application Security Industry Consortium. Quoting the article "Herbert Thompson, the consortium's chair and director of security technology at Security Innovation, says AppSIC members will meet monthly to exchange ideas and vet papers to be issued under the…

TheRegister has a little editorial outlining some of the highlights of the year 2005 including Sony's DRM, Microsoft OneCare, Viruses, Convictions, and phishing. Article Link: Rootkits, cybercrime and OneCare: The year in IT security (TheRegister)

Yahoo news has an interesting article on worm propigation via rss feeds. "David Sancho, senior anti-virus research engineer at Trend Micro, warned that RSS feed hijacking will become commonplace when Microsoft Corp. ships Internet Explorer 7, a browser refresh that will feature built-in RSS support. In a white paper titled "The Future of Bot Worms,"…