Well, being buried in meetings this week I missed this announcement from Wednesday. And so ends another the life of another website in the security space. Securityfocus has announced that it has come to the end of its run. The content from SecurityFocus will ultimately be assimilated folded up into the Symantec Connect site.

From SecurityFocus:

…the time is right for SecurityFocus to focus more on its core components. Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.

Fair thee well.

For more on this read the full posting.

Article Link

There are few things that annoy me than when a vendor bends the truth to try and sell product. Here is part of an email that I received yesterday.

Dear Dave,

As you are most likely aware, last week David Litchfield from NGS has blessed the world with another cyber attack announcement on Oracle databases that allows an attacker to take complete control of an Oracle database system. No fix is available by Oracle.

Litchfield has been infamous for doing something similar with the slammer worm that affected millions of companies a few years back. This irresponsible move has even more companies worried today about a potentially greater new security risk.

$VENDOR sent out an announcement last night. If you did not receive it please let us know and we will get you the information.

$VENDOR is the only company globally capable of fixing this issue. The details are in the announcement:

Ah, the joy of getting half the story.

What David did at Black Hat in the summer of 2002 (and I was in the room for it) was show a proof of concept for what eventually became slammer more than 6 months later. The inference in the email was that he had released the worm. Not sure if that was intended but, that was my take away.

This is not the way to win customers. Tell me why your product stands on its own two feet. If you want to sell your product don’t play the Coke vs Pepsi nonsense. And for all that’s good and holy…don’t tell me that only $VENDOR can fix it.

Don’t piss on my leg and tell me it’s raining.

Rant off.

(Image used under CC from John Markos O’Neill’s Flickr feed)

Ah, yes. The shareholders. Landmines aplenty. Pesky creatures

It turns out that there are some folks that are less than amused with the announced proposal of the HP acquisition of 3COM.

From Worcester Business Journal:

Computer giant Hewlett Packard’s proposed $2.7 billion acquisition of Marlborough-based 3Com Corp. has hit some roadblocks, including a handful of shareholder lawsuits and a reported Securities and Exchange Commission investigation into insider trading.

At least five lawsuits have been filed against 3Com since the Nov. 11 announcement, including one filed by 3Com shareholder Edward Tansey of Maine. Tansey is asking the U.S. District Court in Boston to stop the deal, alleging that 3Com executives were not working in the best interest of shareholders.

Other cases include two that were filed by Richard Hall and Leonard Ahern in the Sussex County Delaware Court of Chancery, according to a clerk in that court. Those cases name 3Com, the company’s executives, and HP for breaching “fiduciary duties.”

I wonder if this will have any affect in the grand scheme of things or will this just be a side show? For more on this story read on.

Article Link

(edit: Thanks Innismir)

Well, nothing like an open source project being bought by a company to cure my writers block. That’s right the company Rapid7 purchased the Metasploit project. Now, before panic sets in, they have committed to keeping the project open source and community based. This will no doubt lead to some raised eyebrows as some will agonize over the corporate spectre on this project. I have had some people privately comment to me that they aren’t overly happy with this as they don’t feel like doing Rapid7’s work for them pro bono.

A different view is that now the project has the resources to commit to growing and improving the Metasploit project.

I myself have yet to formulate an opinion either way. I would like to say thanks to my tipsters that gave me a heads up earlier this week.

Most importantly, congrats to HD Moore for seeing his love child grow to fruition!

From Metasploit:

I created the Metasploit Project over six years ago as way to publish security information to those who needed it most, the security professionals in the field. The project has evolved from a personal web site, to a collaborative effort with a small group of friends, and finally to the robust community-driven project that we know today. This progress came at the cost of the evenings, lunch hours, early mornings, and weekends of countless contributors who donate their time for the benefit of the community. The volunteer nature of the project has lead to innovation in niche areas and has driven research across a wide range of topics.

Read on for the full post.

…now if I could just get some one to buy Liquidma…er, nevermind.

Article Link

Um, embarrassing, no?

From Heise:

According to an old proverb ‘The cobbler has the worst shoes’. It’s now been reported that Secure, McAfee’s security portal, has had poor shoes or rather poor security, because until recently it displayed a vulnerability to cross-site request forgery (CSRF).

McAfee Secure is a service that lets clients use the Hacker Safe tool to check their sites or online shops for security vulnerabilities and for compliance with the PCI Data Security Standard, which is important for credit-card transactions. If the check shows sites are OK, shop operators can include the McAfee Secure logo in their web site. This is supposed to reassure their customers that their data is well protected and there’s no danger lurking in transactions, such as making payments.

I’m not going to go on about this one. Here is more from others. But, I have renewed faith in the the Nate McFeter’s Certified and Scanless PCI programs.

Article Link

Budgets are a problem of late for a lot of people. They’re getting slashed and in many cases it’s just becoming too hard to make ends meet for security programs. One possible solution it GFI’s LANguard. The reason I bring this up is that I’ve gotten word that this Thursday GFI will be announcing a free version of their scanner. When you download the trial version, which gives you 10 days, it will switch to a full featured version after that for up to 5 IP addresses.

From GFI:

Top Features

* Identify security vulnerabilities and take remedial action
* Detect Virtual Machines
* Automatic remediation of unauthorized applications
* Automatic deployment of network-wide patch and service pack management
* Easily analyze and filter scan results

Sure, it’s not a lot but, five IP addresses for free isn’t too shabby. Look for the official announcement this Thursday.

Article Link

But, then there are the one’s that just make me smile. What better way to completely screw your competition than to slash your prices (or at least renewal licensing) by 50%.

A novel approach that will certainly win over a lunch and a pen.

From Network World:

Tough times could be driving increased competition in enterprise software with the news that BigFix is to undercut its rivals’ patch management renewal licensing by up to 50 percent.

The deal appears to be catch-free beyond the need for customers to license BigFix’s Patch Management software for a three-year period, and to use it to replace only those seats actually included in any current agreement. What this probably means is that rivals will privately have to match or better the cut when renewal time comes around, leading to further falls in per-seat overheads.

Congrats to BigFix for throwing down the gauntlet.

BigFix’s patch management promotion runs until 30 June this year, and is open to all North American and EU customers using a rival product.

Article Link

With companies such as Motorola, AMD and SUN all cutting their respective work force, just to name a few, it comes as little surprise that IBM might soon follow suit. IBM (full disclosure, I used to work for them) has been successful on the balance sheets since before this economic downturn took hold. Now expectations are that IBM will report its first quarterly loss in some time.

From Forbes:

Despite an expected drop in sales, analysts predict that IBM’s earnings will rise about 8% to $3.03 per share for the quarter. The company’s relatively healthy profits are a result of careful cost-cutting at the computing giant, largely in the form of a cut in its pension plans two years ago. And though it maintained its earnings target in its last earnings announcement, the company may still be preparing for tighter times. A rumor that as many as 16,000 layoffs are coming–the equivalent of 4% of the company’s workforce–has persisted on the independent IBM employee site IBMalliance.org AllianceIBM.org, though IBM hasn’t confirmed the job cuts.

4% of the work force might seem small but, we’re talking about a company with roughly 400,000 staff. This is yet again an example of a lot of good folks that are pacing a hole through the floor. Now they wait and wonder as to their potential fate. The writing may be on the wall.

Bear in mind that this has not yet been confirmed by IBM.

Article Link

UPDATE: (Jan 21, 2009) Well, I spoke about this on the 16th and it is hitting the fan now. Wall Street Journal has confirmed that IBM layoffs are underway.

I guess the world economy isn’t taking the piss out of everyone. Today we get word (thx tipster) that security firm Next Generation Security Software Ltd (“NGSS”) has been purchased by the NCC Group.

From the NCC Group Website:

NCC Group plc (LSE: NCC, “NCC Group” or “the Group”), the international, independent provider of Escrow Solutions, Assurance Testing and Consultancy, has acquired Next Generation Security Software Ltd (“NGSS”), a security and testing company, for a maximum consideration of up to £10.0m in cash.

This is the third acquisition by NCC Group in less than two years and as well as complementing its own capabilities in the network, testing and software security market; it will also substantially strengthen the Group’s position in this fast growing sector.

An all cash deal? Yup, the market is still good for some folks.

Congrats to David Litchfield and crew.

Article Link

Wait, what?

I almost fell over when I learned this morning that Microsoft was still issuing licenses and providing support for Window 3.x until November 1, 2008. This OS for those playing the home game is 18 year old. Time to kick the kid out the house.

From BBC News:

Microsoft maintained support for Windows 3.x until the end of 2001, and it has lived on as an embedded operating system until 1 November 2008.

As an embedded system, it was used to power such things as cash tills in large stores and ticketing systems.

One of its more glamorous uses as an embedded operating system is to power the in-flight entertainment systems on some Virgin and Qantas long-haul jets.

Not to mention the fact that I have seen this OS installed on numerous gate computers in airports.

Well, the long running movie has come to the credit reel. Read on for the full story.

Article Link