ARLINGTON, VA - A combination of poorly educated users, fewer security warnings in browsers, and sites that mix secured and unsecured content allow man-in-the-middle attacks that can sidestep the ubiquitous secure sockets layer (SSL) encryption used to pass login credentials...

The First SHA-3 Candidate Conference will be held at K.U. Leuven, Belgium, following the 16th International Workshop on Fast Software Encryption (FSE 2009) which is scheduled for February 22-25, 2009.

January 27, 2009 (Computerworld) The world's six largest computer drive makers today published the final specifications(download PDF) for a single, full-disk encryption standard that can be used across all hard disk drives, solid state drives (SSD) and encryption key management applications.

Windows Server 2008’s Service Pack 2 (SP2) Beta program allows administrators to check out the forthcoming service pack in test installations before the live deployment. This service pack brings a few important changes to a server installation — some of which most administrators may not prefer initially.

Cisco warns that the combination of Cisco Security Manager server and the IPS Event Viewer (IEV) may allow unauthorised access to the underlying MySQL database or the IEV server.

A vulnerability has been discovered in the driver of a Ralink wireless card that can be exploited to crash the computers involved. Secunia adds that it has the potential to allow arbitrary code to be run in kernel mode.

VeriSign said it plans to buy Certicom, just three days after Research In Motion's hostile bid for the security company unraveled. VeriSign will pay US$1.67 per share, or $73 million, for Certicom, which develops an elliptic curve cryptography technology.

A security expert has managed to transfer the digital signature of one Windows program to another, without invalidating the signature. Didier Stevens, who presented the attack in his blog, exploited the fact that Microsoft's Authenticode code signing standard accepts the vulnerable MD5 hash algorithm.

ACME Security has described a way to neutralise cold boot attacks. Such attacks exploit the fact that data in the DRAM are not immediately lost when power is removed, but remain there for a period that may last from a few seconds to a minute, or even longer if cooling is in use.

We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates. This isn't a big deal. The research is great; it's good work, and I always like to see cryptanalytic attacks used to break real-world security systems. Making that jump is often much harder than cryptographers think.