InfoSec News

Microsoft showed Thursday the next version of its Windows OS at a press event in Taipei, unveiling a completely new tile-based interface that it hopes will be better suited for the emerging world of tablet PCs.
 
Apple today took administrative control of the iCloud.com domain less than a week before CEO Steve Jobs is to unveil his company's new cloud-based service.
 
Facebook seems unable to stop scammers from circulating malicious Web links that install fake antivirus software on victims' computers.
 
HP is open to licensing the WebOS operating system, but only to very select companies, an executive said on Wednesday.
 
Get all the latest news and perspectives from Apple's Worldwide Developer's Conference: iCloud, iOS 5, Mac OS X Lion and more.
 
All we know for certain about iCloud so far is that Steve Jobs will tell us all just what the heck it is at next week's Worldwide Developer Conference. For now, only a few folks in Cupertino know precisely what iCloud will be. But plenty of us have an idea of what it could be.
 
As soon as I removed the new Barnes & Noble Nook from its box, I could tell that this petite e-reader was going to be a worthy challenger to the third-generation Amazon Kindle. Impressively, when I tested the Nook and its new touchscreen, I found that it does indeed out-Kindle the Kindle at its own game in some respects; but in others, the Nook falls shy of topping Amazon's e-reading staple.
 
HP's new EliteBook line looks much like models in the older EliteBook line, such as the EliteBook 8440w we reviewed 15 months ago. Yes, the external skin offers a more pleasing brushed aluminum aesthetic, but it's still a little clunky looking. You could call it the gray flannel suit of laptop computing.
 
Linux Kernel 'bcm_release()' NULL Pointer Dereference Denial of Service Vulnerability
 
Linux Kernel CIFS 'O_DIRECT' NULL Pointer Dereference Local Denial of Service Vulnerability
 
Google has disrupted what it believes to be a targeted phishing campaign aimed at stealing e-mail from government officials, contractors and military personnel.
 
An 18-month-old cybersecurity research consortium organized by Northrop Grumman is making progress and should have technologies ready to deploy in about a year, officials said Wednesday.
 
Post Revolution Multiple HTML Injection and Denial of Service Vulnerabilities
 
The notification bill would supersede state laws, and experts say it could help enterprises by setting one standard set of rules for breach notification.

 
IT departments, long criticized as being too slow in offering new technologies and services, may be facing a grassroots rebellion in many companies over cloud services.
 
Google expanded its Google +1 button to the full Web on Wednesday, just a day after former CEO Eric Schmidt admitted missing the boat on social networking and Facebook's threat to the company.
 
Recent attacks against two defense contractors are fueling concerns about how badly RSA's SecurID two-factor authentication technology was compromised in a breach reported in March.
 
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Polycom has agreed to acquire the assets of Hewlett-Packard's Visual Collaboration business, including its Halo videoconferencing products and managed services, as part of a broad partnership for unified communications.
 
The gang responsible for a month-long plague of fake Mac security software has already updated their "scareware" to evade defenses Apple put in place late Tuesday, a security company confirmed today.
 
The U.S. Citizenship and Immigration Services has proposed changes to the H-1B visa application process that it hopes will prevent problems during times of heavy demand.
 
Cisco predicts large increases in broadband traffic and in connected devices between 2010 and 2015.
 
Twitter has revamped its search engine, improving relevance and adding multimedia content to results, and in a few weeks it will start letting users attach photos to their posts via a new native feature on Twitter.com.
 
Samsung has asked a federal judge to make Apple provide it with samples of its next-generation mobile devices. In May, Apple demanded and was granted that Samsung reveal several of its newest smartphones and tablets as part of an ongoing lawsuit. Should Apple be forced to show Samsung its next iPhone and iPad?
 
Google has released the source code for a technology that it hopes developers will use to embed real-time video and voice chat functionality in their Web applications.
 
Re: Ra-Guard evasion (new Internet-Drafts)
 
Cross-Site Scripting vulnerability in Icinga
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client
 
Cisco Security Advisory: Default Credentials for root Account on the Cisco Media Experience Engine 5600
 
NYSE Technologies announced the Capital Markets Community Platform, which it described as the financial services industry's first cloud computing platform.
 
One of the most powerful new Android 2.3 smartphones, the HTC Sensation 4G, will be available exclusively for T-Mobile USA networks and put on sale at some Wal-Mart stores as early as June 12.
 
Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address from the MAC address. Many see this as a privacy problem: the last half of your IP address never changes, and since MAC addresses are close to unique, the interface ID becomes a nearly unique cookie identifying your system.
As a result, RFC 3041 introduced privacy enhanced addresses, which change over time and are created by hashing the MAC address. Of course, each operating system has its own way to enable privacy enhanced addresses.
Windows 7:
You can use netsh to enable and configure privacy enhanced addresses. Use

netsh interface ipv6 show privacy
to query the status, and

netsh interface ipv6 set privacy state=enabled
to enable it. In my testing, privacy enhanced addresses were enabled and I wasn't actually able to disable them (a possible bug?).
OS X:
OS X uses the sysctl command to change various kernel parameters, including privacy enhanced addresses. By default, EUI-64 is used.
To enable it at runtime, set the parameter with sysctl (sysctl -w net.inet6.ip6.use_tempaddr=1) and bring the interface back up with ifconfig en0 up. However, to have this setting survive a reboot, create a file called /etc/sysctl.conf and add the line:

net.inet6.ip6.use_tempaddr=1

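As an added example (not part of the ISC diary above), the following Python derives the EUI-64 interface identifier described above from a MAC address and checks whether a given IPv6 address embeds one, which is how you can tell a stable EUI-64 address from a privacy-enhanced one when auditing your own hosts; the MAC and prefix values are constructed.

```python
"""Derive the modified EUI-64 interface ID from a MAC address and detect
whether an IPv6 address embeds one (i.e. is not a privacy-enhanced address).
Constructed sample values are used in the tests; no real hosts are involved."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert 0xFFFE between the OUI and the device part, then flip the
    # universal/local bit (bit 1 of the first octet), per RFC 4291.
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([iid[0] ^ 0x02]) + iid[1:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(
        net.network_address.packed[:8] + eui64_interface_id(mac)
    )


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64-derived address, or None when the
    interface ID lacks the 0xFFFE marker (e.g. an RFC 3041 temporary address).
    This is a heuristic: a random interface ID matches the marker by chance
    with probability 1/65536, so treat a hit as 'looks EUI-64', not proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the U/L bit flip and drop the inserted 0xFFFE.
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"  # constructed sample MAC
    stable = eui64_address("2001:db8::/64", mac)  # documentation prefix
    print("EUI-64 address:", stable, "-> embedded MAC:", embedded_mac(str(stable)))
    print("temporary-looking:", embedded_mac("2001:db8::a1b2:c3d4:e5f6:718"))
```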
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Google Offers, Google's answer to Groupon and its entrance into the popular online coupon market, will begin a test run in Portland, Oregon, on Wednesday, the first step in an expected U.S. and global rollout.
 
Internet Explorer's usage share again dipped last month, even as Microsoft's newest browser, IE9, posted record gains, a Web metrics company said today.
 
After 25 space flights, NASA's space shuttle Endeavour returned to Earth from a 16-day mission early this morning, ending its storied career.
 
Intel officials say vendors are beginning to use Atom processors to power tablets not only because the chips can run Windows 7, but also because they allow the devices to run multiple OSes, providing an advantage over rival ARM Holdings.
 
 
HTB22999: Multiple SQL Injections in A Really Simple Chat (ARSC)
 
[ MDVSA-2011:105 ] wireshark
 
[ MDVSA-2011:104 ] bind
 
HTB22997: XSS in A Really Simple Chat (ARSC)
 
Lenovo is hoping to acquire a majority stake in German PC maker Medion Electronics, in an effort to grow its consumer market share in Western Europe.
 
[SECURITY] [DSA 2250-1] citadel security update
 
[SECURITY] [DSA 2249-1] jabberd14 security update
 
CodeMeter WebAdmin Cross-site Scripting (XSS) Vulnerability
 
IPv6 RA-Guard evasion (and neighbor discovery monitoring) vulnerabilities
 
More customers are implementing virtualization, but are opportunities increasing around virtualization security products? Observers say not just yet.

 
The apps may be well thought out, but until the underlying security of the devices they run on improves, look out.
 
With breaches ever on the rise and software vulnerabilities at the heart of many security incidents, CSOonline decided to talk with noted software security expert Rafal Los. Los, currently security evangelist with Hewlett-Packard Software, is an industry veteran who has worked as a security consultant and even as information security officer in the Fortune 100. We wanted to get his thoughts on what organizations can do -- today -- to improve the security of the applications they develop.
 
Meraki's friendly, cloud-managed wireless LAN solution is a fantastic option for small businesses, distributed networks, and overworked admins
 
Netgear has a first-rate wireless LAN solution for business networks, as long as you don't need first-rate technical support
 
Though price competition and a weak public sector made Q1 difficult for Ethernet switch vendors, Hewlett-Packard and Juniper Networks managed to increase sales and market share, according to Canalys.
 
 
It's good to be a computer science major. Job prospects are rosy for today's graduates, who are entering the workforce at a time when tech hiring is on the rise and talent is hard to find.
 
Open jobs outnumber new computer science graduates in 18 U.S. states, Dice.com reports. In California, the number of open jobs is nearly triple the number of new computer science graduates.
 
Polycom, a maker of unified communications equipment, has joined several major carriers around the world to form the Open Visual Communications Consortium (OVCC), intended to make it easier to link one videoconferencing system to another.
 
Public clouds have a way to go if they want to be the top choice of businesses looking to put resources in a shared, centralized computing environment, according to a poll of 1,200 IT professionals.
 
Taiwan's Micro-Star International showed two new Android-based tablets at Computex this week that appear much sleeker than its previous WindPad tablets.
 
Intel on Wednesday said it has introduced a new Atom processor to bring down the price of netbooks in emerging markets to under $200, but the lower price may come at a performance penalty.
 
Advanced Micro Devices on Wednesday broke its silence around its tablet strategy, announcing its first low-power chip designed for these devices.
 
Hewlett-Packard plans to introduce a scorecard application that can visually summarize a wide swath of metrics taken from other HP software.
 
Acer will launch a 10-inch tablet at the end of this year using both Intel's Atom processor and its mobile operating system MeeGo.
 
Don't hold your breath for cloud standards to appear anytime soon. Until they do, here are some ways to get flexibility into your hybrid-cloud architecture.
 
For the second time in three months, Google yanked dozens of malware-infected smartphone apps from the Android Market.
 
Linux Kernel '/proc/[pid]/stat' Local Information Disclosure Vulnerability
 
Linux Kernel 'CAP_NET_ADMIN' Unauthorized Access Vulnerability
 

Check the terms of service before you order
Network World
In 1999, I posted an entry in my INFOSEC Year in Review (IYIR) database about one such case: "For unknown reasons, the BUY.COM online store Web site listed a $588 Hitachi monitor at only $164.50 — and staff failed to notice the error until two days ...

 