InfoSec News

Windows can do all sorts of amazing things, some of which you might actually want it to do. Unfortunately, the things you don't want it to do can slow it down. By turning off unnecessary programs, processes, and services, you can unburden Windows and help it live up to its full potential.
 
The Transportation Security Administration (TSA) will soon begin testing new software designed to better protect the privacy of individuals passing through its full body scanners at U.S. airports.
 
It's an interesting idea: a free app that can be configured to automatically download and install new versions for every piece of software you own. Where Verwolf's excellent idea fails is in the execution.
 
Based on its tracking of sales at nearly 6,000 wireless stores, ITG Investment Research found that the return rate of the Samsung Galaxy Tab has hit 16% since its U.S. debut in November.
 
WordPress TagNinja Plugin 'id' Parameter Cross Site Scripting Vulnerability
 
Apple's decision to reject Sony's e-reader application today sparked speculation that Apple would soon yank Amazon's popular Kindle software from the App Store.
 
A new high school competition aims to identify students interested in cybersecurity.
 
A press conference taking place on Thursday in Miami is expected to mark the last allocation of Internet Protocol, Version 4 addresses by the central authority that assigns them.
 
Cisco is projecting a huge increase in mobile data traffic through 2015.
 
SAP and Microsoft announced Tuesday what some observers see as a reboot of Duet, the strategy first formed by the companies in 2005 to tie SAP's ERP software with Microsoft Office.
 
Officials from Microsoft and Google sparred at an event Tuesday over Google's accusation that Microsoft copies Google search results and feeds them into its Bing search engine.
 
Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabilities
 
Redaxscript 'includes/password.php' Multiple SQL Injection Vulnerabilities
 
LightNEasy 'LightNEasy.php' Cross Site Scripting and HTML Injection Vulnerabilities
 
Google's Chrome and Apple's Safari posted record numbers in January while Microsoft's Internet Explorer (IE) lost ground for the sixth month running, Net Applications said today.
 
The rising tide of distributed denial of service attacks (DDoS) is being made much worse by a tendency to mis-deploy firewalls and intrusion prevention systems (IPS) in front of servers, a report by Arbor Networks has found.
 
Sophos today said it would soon roll out its Mobile Control package that will let enterprise customers apply security controls to all things mobile, from iPads and iPhones to the Android, Windows Mobile and Symbian devices.
 
EMC today introduced a free Community Edition of its Greenplum Database, a high-performance massively parallel processing database product.
 
The GreenTouch Consortium demonstrated its work Tuesday into how using large-scale antenna systems and virtual modems, along with splitting mobile networks into two parts, can help reduce energy consumption of operator networks by a factor of 1,000.
 
LG will unveil the glasses-free LG Optimus 3D smartphone Feb. 14 at the Mobile World Congress in Barcelona.
 
I have a series of older 802.11 b/g Airport Expresses set up in several rooms of the house, to let me stream music; at the heart of it all is a Time Capsule (which uses 802.11 b/g/n). They all work fine, except in my son's room, which is furthest from the Time Capsule; his old Titanium laptop gets really poor reception.
 
Cisco WebEx WRF and ARF File Format Multiple Remote Buffer Overflow Vulnerabilities
 
Oracle Solaris CVE-2010-4435 Remote CDE Calendar Manager Service Daemon Vulnerability
 
Moodle 'PHPCOVERAGE_HOME' Cross Site Scripting Vulnerability
 
Egypt's decision to turn off the Internet and cell phones in an effort to stop Egyptians from talking with each other and plotting against the government has put businesses in that country in a fix.
 
Google has big plans for its Android 3.0 OS, code-named "Honeycomb," according to top Honeycomb designer Matias Duarte.
 
The HTC Inspire 4G goes on sale at AT&T stores and online on Feb. 13 for $99.99 with a two-year service plan.
 
TinyWebGallery: XSS + Directory Traversal
 
PostgreSQL 'intarray' Module 'gettoken()' Buffer Overflow Vulnerability
 
[USN-1053-1] Subversion vulnerabilities
 
[security bulletin] HPSBMA02627 SSRT090246 rev.1 - HP OpenView Performance Insight Server, Remote Execution of Arbitrary Code
 
HTB22798: Path disclosure in Pluck CMS
 
HTB22799: Path disclosure in Pluck CMS
 
The U.S. has one of the lowest relative rates of peer-to-peer (P2P) network use compared to the rest of the world, according to a new study.
 
The Dell Streak 7 is a study in contrasts. This Nvidia Tegra 2-based Android tablet counts smart and subtly sharp design among its strengths--unfortunately, its unimpressive display and inelegant software implementation constrain its appeal. T-Mobile's aggressive pricing--at $200 after a $50 mail-in rebate with a two-year contract (as of February 1, 2011), it's $100 less than the Samsung Galaxy Tab on the same carrier--may make the Streak 7 worth consideration, but the device's numerous weaknesses might not outweigh the value price.
 
A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.

 
Today, IANA announced that it had handed out two more /8 IPv4 assignments to APNIC. As a result, IANA is down to 5 /8s, triggering its special policy to hand out one /8 to each regional Internet registry (RIR). The 5 RIRs are AFRINIC (Africa), APNIC (Asia Pacific), ARIN (North America), LACNIC (Latin America) and RIPE (Europe). [1]
IANA hands address space to the RIRs in /8 blocks; the RIRs pass smaller blocks on to ISPs, who in turn assign them to end users. Some large end users may approach their RIR directly, and some legacy assignments are managed by IANA directly.
But in the end, what does this all mean?
(this FAQ is a work in progress)
A Quick FAQ To IPv4 Exhaustion
1 - Will the Internet stop working?
No. As a matter of fact, the IPv4 internet is unlikely to stop working any time soon. It will most likely keep existing alongside the IPv6 internet. Transition mechanisms exist: while not pretty, the two internets can talk to each other via proxies and tunnels.
2 - Why are we running out of addresses?
IPv4 allows for about 4 billion addresses (2^32). There are about 6 billion people in the world, and each of them may need several (phone, home, work...). It is simple arithmetic, compounded by the fact that, for the sake of efficient routing, we can't assign every single address.
3 - A lot of IPv4 space is still unused. Why don't we use it more effectively?
The problem is not just that we are running out of addresses, even though that is the killer issue here. Assigning addresses more effectively would mean that assignments become smaller and routing tables become more complex. In order to make this work, we would essentially have to renumber the internet, and we would still be out of addresses at some point.
4 - What about legacy space? Does Apple really need a /8?
In the beginning of the Internet, IPv4 address space was handed out very liberally. Remember, it was just an experiment. Some of the original participants still have large IPv4 assignments which they don't use efficiently. However, even if all of them were handed back, it would delay the problem by only 1-2 years, at great expense to the affected companies (and they have contracts giving them the rights to use the address space). Some legacy allocations have been returned in the past.
5 - What do I need to do today?
Relax. Nothing is going to happen fast. The RIRs still have space left, depending on the region a few months to a year. After that, it will get tricky. You may already find it harder to get IP address space. Eventually, your ISP may ask for some space back as they can't get new addresses from the RIR. Over time, IPv4 will get more expensive than IPv6.
6 - So I can just wait and do nothing?
No. What you should do tomorrow (maybe today?) is set up a test lab to familiarize yourself with IPv6. It is easy to get going. Ask your ISP if they support it (or when), or set up a tunnel with a free tunnel provider like Hurricane Electric [2] or Sixxs [3] (there are others). You need a plan on how to deal with it. Even if you don't need IPv6, maybe your business partners start using it and you need to connect to them via IPv6.
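The tunnel-broker route mentioned above is the quickest way to get an IPv6 lab going. The following is an added example, not part of the ISC diary and not Hurricane Electric's own code: it validates the parameters a broker gives you and produces the iproute2 commands for a 6in4 tunnel (IPv6 carried inside IPv4 protocol 41, which is what Hurricane Electric's tunnel broker uses). All addresses are constructed placeholders from documentation ranges; the assumption that the broker's side is ::1 and yours ::2 of the same /64 matches HE's scheme but should be checked against your own tunnel details.

```python
import ipaddress

# Constructed placeholder parameters. Real values come from the broker's tunnel
# details page; 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
EXAMPLE = {
    "server_v4": "192.0.2.1",           # broker's IPv4 tunnel endpoint
    "local_v4": "198.51.100.7",         # this host's own public IPv4 address
    "client_v6": "2001:db8:1:2::2/64",  # tunnel-side IPv6 address assigned to this host
}

# 6in4 carries IPv6 inside IPv4 protocol 41, which most NAT gateways will not forward.
NAT_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def plan_6in4_tunnel(server_v4, local_v4, client_v6, ifname="he-ipv6"):
    """Validate tunnel parameters and return the iproute2 commands that bring the tunnel up.

    Returns a dict with "commands", "teardown", "server_v6" and "warnings".
    Assumption (matches Hurricane Electric's allocation scheme): the broker's end of the
    tunnel is ::1 and the client's end ::2 of the same /64; check your broker's details.
    """
    srv = ipaddress.IPv4Address(server_v4)
    loc = ipaddress.IPv4Address(local_v4)
    cli = ipaddress.IPv6Interface(client_v6)
    warnings = []
    if any(loc in net for net in NAT_RANGES):
        warnings.append(f"{loc} is a private/CGNAT address: protocol 41 rarely crosses NAT; "
                        "terminate the tunnel on the NAT gateway itself or use a "
                        "NAT-capable tunnel protocol such as AYIYA")
    if cli.network.prefixlen != 64:
        warnings.append(f"expected a /64 tunnel prefix, got /{cli.network.prefixlen}")
    server_v6 = cli.network[1]
    commands = [
        f"ip tunnel add {ifname} mode sit remote {srv} local {loc} ttl 255",
        f"ip link set {ifname} up",
        f"ip addr add {cli} dev {ifname}",
        f"ip route add ::/0 dev {ifname}",
        f"ping6 -c 3 {server_v6}",  # first check: can we reach the broker's end of the tunnel?
    ]
    teardown = [f"ip route del ::/0 dev {ifname}", f"ip tunnel del {ifname}"]
    return {"commands": commands, "teardown": teardown,
            "server_v6": str(server_v6), "warnings": warnings}


if __name__ == "__main__":
    plan = plan_6in4_tunnel(**EXAMPLE)
    for w in plan["warnings"]:
        print("WARNING:", w)
    print("\n".join(plan["commands"]))
```

The commands are printed rather than executed so you can review them before running them as root; the NAT check is the one that trips up most first attempts, since a tunnel endpoint behind a home router will come up but never pass traffic.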
7 - Can't I just ignore it?
Remember why you are using IP in the first place? It allows you to connect to customers, suppliers, branch offices. In short: it keeps you in business. Once these people expect IPv6 connectivity, you will likely have to move along with it. It is like any technology in that it ultimately has to support the business (and well... it is fun too!).
8 - What will change from a security point of view?
Everything and nothing. The most important change is probably the fact that NAT will become less important. Endpoint protection and carefully configured firewalls will become more important. Passive asset detection will become more important compared to active scanning, because a single /64 subnet holds 2^64 addresses and cannot be swept. There is a lot of security gear you own that probably does a lousy job dealing with IPv6. Did I mention it requires a plan and testing?
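To make the "passive instead of active" point concrete, here is an added example (not part of the ISC diary): it computes how long sweeping an IPv6 prefix takes, and then builds an asset inventory from the local neighbor cache, which is how hosts on an IPv6 segment reveal themselves without being probed. The neighbor-cache sample is constructed in the output format of Linux `ip -6 neigh show`, not captured from a real network; the 2001:db8::/32 addresses are the documentation range. It also flags addresses whose interface identifier embeds the MAC (modified EUI-64), which makes a host trackable across prefixes.

```python
import ipaddress

# Constructed sample in the output format of Linux `ip -6 neigh show`;
# not captured from a real network.
SAMPLE_NEIGH = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 router STALE
2001:db8:1:0:21c:c0ff:fe12:3456 dev eth0 lladdr 00:1c:c0:12:34:56 REACHABLE
fe80::21c:c0ff:fe12:3456 dev eth0 lladdr 00:1c:c0:12:34:56 DELAY
2001:db8:1::dead:beef dev eth0 FAILED
fe80::aaaa dev eth1 lladdr aa:bb:cc:dd:ee:ff STALE
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_scan(prefixlen, probes_per_second):
    """Wall-clock years needed to probe every address in one IPv6 prefix."""
    return 2 ** (128 - prefixlen) / probes_per_second / SECONDS_PER_YEAR


def mac_from_eui64(addr):
    """If the interface ID is a modified EUI-64, return the MAC it encodes, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def parse_neigh_line(line):
    """Parse one `ip -6 neigh` line; returns None for entries without a link-layer address
    (FAILED/INCOMPLETE entries carry no lladdr and identify no host)."""
    tok = line.split()
    if len(tok) < 3 or tok[1] != "dev" or "lladdr" not in tok:
        return None
    return {
        "addr": ipaddress.IPv6Address(tok[0]),
        "dev": tok[2],
        "mac": tok[tok.index("lladdr") + 1].lower(),
        "router": "router" in tok,
        "state": tok[-1],
    }


def build_inventory(neigh_output):
    """Group neighbor-cache entries by MAC so one host with several addresses is one asset."""
    hosts = {}
    for line in neigh_output.splitlines():
        e = parse_neigh_line(line)
        if e is None:
            continue
        h = hosts.setdefault(e["mac"], {"ifaces": set(), "addrs": set(),
                                        "router": False, "eui64_addrs": set()})
        h["ifaces"].add(e["dev"])
        h["addrs"].add(str(e["addr"]))
        h["router"] = h["router"] or e["router"]
        if mac_from_eui64(e["addr"]) == e["mac"]:
            h["eui64_addrs"].add(str(e["addr"]))
    return hosts


if __name__ == "__main__":
    print(f"sweeping one /64 at 1M probes/s takes {years_to_scan(64, 1_000_000):,.0f} years")
    for mac, h in build_inventory(SAMPLE_NEIGH).items():
        role = "router" if h["router"] else "host"
        print(f"{mac} {role} on {','.join(sorted(h['ifaces']))}: {sorted(h['addrs'])}"
              f"{'  [MAC-derived addresses]' if h['eui64_addrs'] else ''}")
```

On a real network the same parser can be fed `ip -6 neigh show` output collected from routers and servers on a schedule; a host that was never scanned still appears as soon as it talks to anyone on the segment.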
[1] http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

[2] http://www.tunnelbroker.net

[3] http://www.sixxs.net


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
DataRush 5.0, which helps developers without parallel development experience create multithreaded apps, also backs new JVM languages
 
Oracle's database will be available in the second quarter as part of Amazon Web Services' Relational Database Service, the companies announced Tuesday.
 
Gary Loveland, a principal in PricewaterhouseCooper's advisory practice and head of the firm's global security practice, discusses the latest in cloud security issues.
 
PMB 'id' Parameter SQL Injection Vulnerability
 
EMC is offering a community edition of its Greenplum data warehousing platform, as well as algorithms and data mining tools for working with large data sets, at no charge, the company announced.
 
AT&T has 'systematically' overcharged iPhone and iPad owners with capped data plans by inflating the amount of data they download and adding 'phantom traffic,' a lawsuit claims.
 
Despite the best efforts of Internet activists who are trying to help Egyptians communicate with the outside world, ham radio isn't a viable option in this situation, experts said.
 
With the cap on H-1B visas reached last week, proponents have renewed calls for raising the cap. But two leading critics of the program may be getting ready to seek new restrictions on the use of foreign labor.
 
Hit with an onslaught of users wielding high-definition electronics, Mozy said Monday that it's changing pricing for online storage and limiting the capacity that customers can purchase. One analyst said other providers are bound to follow suit.
 

Alternative security conferences plot European editions
Register
Infosec works well enough for marketing suits and channel sales staffers but it's far less successful for journalists – except on occasions when high-profile ...

 
Joomla Component 'com_frontenduseraccess' Local File Include Vulnerability
 
Joomla! 'com_clan_members' Component 'id' Parameter SQL Injection Vulnerability
 

Posted by InfoSec News on Jan 31

http://www.dailymail.co.uk/sciencetech/article-1352271/Microsoft-security-flaw-affects-900m-people-using-Internet-Explorer.html

By Daily Mail Reporters
31st January 2011

Microsoft has issued a 'critical' security alert that affects 900million
people using its Internet Explorer web browser.

The computer giant warned of a newly-discovered flaw in Windows that
could be exploited by hackers to steal personal details or take over
computers.

The...
 

Posted by InfoSec News on Jan 31

http://www.computerworld.com/s/article/9207241/After_attack_SourceForge_speeds_move_to_new_security_model

By Jeremy Kirk
IDG News Service
January 31, 2011

The open-source software development site SourceForge is speeding up its
move to a new a security model following a targeted attack that may have
compromised the passwords of its large user base.

SourceForge, which hosts more than 260,000 projects, discovered the
attack last Wednesday. It...
 

Posted by InfoSec News on Jan 31

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, January 23, 2011

1 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Jan 31

http://www.darkreading.com/security-monitoring/167901086/security/security-management/229200129/report-noncompliance-much-more-costly-than-compliance.html

By Kelly Jackson Higgins
Darkreading
Jan 31, 2011

If you're wondering whether the cost of complying with security
regulations is really worth it financially, think again, according to a
new report: Noncompliance costs organizations, on average, 2.65 times
more than meeting compliance...
 

Posted by InfoSec News on Jan 31

Forwarded from: Marius Minea <marius (at) cs.upt.ro>

CALL FOR PAPERS
[ PDF version at: http://crisis2011.cs.upt.ro/CRiSIS2011-CfP.pdf ]

The Sixth International Conference on
Risks and Security of Internet and Systems
CRiSIS 2011
Timisoara, Romania, 26-28 September 2011
http://www.crisis-conference.org/

IEEE Computer...
 

Posted by InfoSec News on Jan 31

http://www.theregister.co.uk/2011/01/31/ligatt_security_subpoena_quashed/

By Dan Goodin in San Francisco
The Register
31st January 2011

[More background on Gregory D. Evans / LIGATT Security from Attrition.org
http://attrition.org/errata/charlatan/gregory_evans/ - WK]

A judge in Georgia has scolded a controversial security figure for
improperly subpoenaing Yahoo! and Twitter in an attempt to get user
names and passwords belonging to some...
 

Posted by InfoSec News on Jan 31

http://www.smh.com.au/technology/security/love-hate-and-hackers-plentyoffish-boss-stews-after-personal-files-stolen-20110201-1ac22.html

By Asher Moses
Sydney Morning Herald
February 1, 2011

It's one of the world's largest dating sites but its owner has just
discovered the relationship from hell.

PlentyofFish.com founder Markus Frind claims his site has been hacked
and he has been blackmailed. But the accused hacker, Chris Russo, says
it was...
 

