InfoSec News

To the handlers who authored the daily Cyber Security Awareness Month diaries and to the readers who added comments and discussion - THANKS VERY MUCH! Your collaborative spirit is what makes the SANS Internet Storm Center a true community effort, and a valuable resource to the broad Internet user community.
For this last day of the 2010 awareness month diaries we are providing links to all of the diaries we published this year, plus links to the previous years' summaries. Please feel free to go back and re-read the diaries and add more comments at the bottom. Again, this is a community project so the more thinking we get from everybody the stronger we are as a team.
In 2007 we covered a large range of subjects based on what our readers submitted as ideas. In 2008 we took a closer look at the six steps of incident handling. In 2009 we examined 31 different ports/services/protocols/applications and discussed some of the major security issues. This year we borrowed an idea from Lance Spitzner and focused on ways to Secure the Human. In other words, we discussed Layer 8, the carbon layer.
If you have additional comments on any of these diaries feel free to add them directly to the bottom of the diary (you have to log in first) or if you want to remain anonymous you can send them to us via our contact form.

Week One (Oct 1-9) Parents and extended family

1 - Securing the family PC

2 - Securing the family network

3 - Recognizing phishing and online scams

4 - Managing email

5 - Sites you should stay away from

6 - Computer monitoring tools

7 - Remote access and monitoring tools

8 - Patch management and system updates

9 - Disposal of an old computer

Week Two (Oct 10-16) Children, schools, and young friends

10 - Safe browsing for pre-teens

11 - Safe browsing for teens

12 - Protecting and managing your digital identity on social media sites

13 - Online bullying

14 - Securing a public computer

15 - What teachers need to know about their students

16 - Securing a donated computer

Week Three (Oct 17-23) Bosses

17 - What a boss should and should not have access to

18 - What you should tell your boss when there's a crisis

19 - Remote access tools

Remote user VPN tunnels - to split or not to split?

VPN architectures SSL or IPSec?

Remote user VPN access: are things getting too easy, or too hard?

VPN and remote access tools

20 - Securing mobile devices

21 - Impossible requests from the boss

22 - Security of removable media

23 - The importance of compliance

Week Four (Oct 24-31) Co-workers

24 - Using work computers at home

25 - Using home computers for work

26 - Sharing office files

27 - Social media use in the office

28 - Role of the employee

29 - Role of the office geek

30 - Role of the network team

31 - Tying it all together

Marcus H. Sachs

Director, SANS Internet Storm Center
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Despite prognostications otherwise, Microsoft's Silverlight development platform has a future at the company, the company says
 
CVS CVE-2010-3846 RCS File Heap Buffer Overflow Vulnerability
 
Apache Tomcat 'Transfer-Encoding' Information Disclosure and Denial Of Service Vulnerabilities
 
FreeType Versions Prior to 2.4.0 Multiple Remote Vulnerabilities
 
FreeType Rendering Engine Position Value Heap Buffer Overflow Vulnerability
 
FreeType Stack Buffer Overflow and Memory Corruption Vulnerabilities
 
Call for Papers: The International Conference on Cyber Conflict, Estonia
 
Enomaly has launched a compute market that will let anyone shop for low-cost, no-frills compute power offered by a variety of providers.
 
While many businesses tightened their IT budgets during the recent recession, a growing number of organizations are deploying unified communications solutions -- integrated voice, data, messaging, conferencing and collaboration services over converged networks -- as confidence creeps back and budgets expand. The driver? Return on investment.
 
Reader LK wants to know if Microsoft Security Essentials (which I've championed in these pages many times) can be installed alongside other anti-virus and/or anti-malware programs.
 
Android-powered smartphones outsold iPhones in the U.S. by almost 2-to-1 in the third quarter, a research firm said today.
 
Following up on a successful bug bounty program that pays hackers for finding security flaws in its Chrome browser, Google now says that it will pay cash for security bugs reported on its websites.
 
Call for Papers - YSTS V - Security Conference, Brazil
 
Joomla 1.5.21 | Potential SQL Injection Flaws
 
'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
 

We have received reports that Checkpoint UTM-1 devices performed an unscheduled reboot. Did this happen to you? Let us know.

Check some reports at http://www.cpug.org/forums/check-point-utm-1-edge-appliances/14606-all-edge-firewalls-rebooted-10-30-2010-8-58-p-m.html and http://jackofallit.wordpress.com/2010/10/30/checkpointsofaware-flashforward/

UPDATE: Read Checkpoint's response here.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
 
Remember the vulnerability we discussed in https://isc.sans.edu/diary.html?storyid=9835? It appears there is an exploit for CVE-2010-3654 in the wild. While Adobe publishes the security patches, consider the mitigation measures published in the APSA10-05 advisory.
More information at http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
 

Today's topic is the role of the office geek. Those of us responsible for information security in the company find people who are continually trying to commit fraud within the organization. Although many organizations have already established an incident response process and the corresponding regulations to sanction these types of behavior, we also find another type of user who does not seek to commit illegal actions and, although he does not have a comprehensive conception of information security, has above-average skills, loves technology, studies on his own, and because of his actions can cause us some problems in our daily operation.

I can name an example that occurred in my company: an economist leading the process of importing goods and services was sent to a Microsoft Office course. As this employee loves technology, he decided to study a little bit more and decided to use Microsoft Access to keep in a database all the information needed to handle the import procedures. In a very short time it became the main database for the management of imports for the company, and all of its content lived on a computer with 1 GB of RAM, Windows XP and an 80 GB disk.

When did we realize the existence of this database? When we performed a penetration test on the workstation infrastructure because, as you might imagine, the database did not have the necessary security settings and, apart from that, had some vulnerabilities due to lack of patches.

What to do with these people? They are a double-edged sword: although they can provide ideas and feedback to the IT process, it is necessary to channel them and to enforce at all times the guidelines established in the information security policy.

As always, your comments are welcome. Please remember our contact form.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
 
Jury selection for Oracle's corporate theft lawsuit against SAP got under way Monday in a California courtroom, where potential jurors were warned they would have to refrain from posting on Facebook or Twitter about the case if they are selected to take part in the trial.
 
HP Insight Control Virtual Machine Management Unspecified Remote Denial of Service Vulnerability
 
cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977
 
Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4086
 
The performance of applications across the WAN is beset by a range of problems - latency, congestion, chatty applications, contention with other apps, low bandwidth - that can be addressed in a variety of ways.
 
Although Yahoo shuttered the GeoCities Web hosting service last year, many of the sites that used the service have been made newly available by groups that archived them.
 
Execs and managers are desperately seeking instant BI application satisfaction, and IT is trying to keep up. Here's why it may be a losing battle for CIOs, project managers and developers.
 
Did you know that when you "delete" files from your computer, they can still remain on your hard disk? In many cases, deleted files can be recovered with little effort because most computer operating systems will only delete links to the data so they no longer appear to you, but the actual data remains on the disk. Getting access to the deleted data is as simple as restoring the links.
 
Republicans are poised to take majority control of the U.S. House of Representatives after Tuesday's election, but it will be business as usual for many technology policy issues in Congress.
 
Microsoft, SAP and Bamboo Solutions are being sued by a Virginia company that claims some of the companies' software products infringe on its patented "novel technique for associating the modules of a multi-module computer program."
 
Will your new mobile enterprise app crumble under the weight of poor design and performance when you roll it out? Automated testing solutions for mobile apps are coming to market.
 
Auto CMS Multiple PHP Code Injection Vulnerabilities
 
[ MDVSA-2010:219 ] mozilla-thunderbird
 
H2HC 2010 - Final Speakers List Available
 
[security bulletin] HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)
 
 
Microsoft's claim that its Internet Explorer 8 and IE9 browsers beat the usage share gains posted by Chrome last month doesn't hold up, according to the data the company cited Monday.
 
Adobe today unveiled a new version of Adobe Connect, which includes an updated user interface, and eases integration with third party technologies.
 
Memory maker Super Talent Technology introduced its lowest-priced USB 3.0 flash drive, the Express Duo, which sells for $14 for 8GB of capacity and $29 for a 16GB model.
 
[ MDVSA-2010:218 ] php
 
Secunia Research: SonicWALL SSL-VPN End-Point ActiveX Control Buffer Overflow
 
Secunia Research: Adobe Shockwave Player "DEMX" Chunk Parsing Vulnerability
 
Secunia Research: Adobe Shockwave Player "pamm" Chunk Parsing Vulnerability
 
Xerox 4595 Copier/Printer Unspecified Remote Denial of Service Vulnerability
 
Adobe Shockwave Player 'IML32.dll' CVE-2010-4089 Memory Corruption Vulnerability
 
Adobe Shockwave Player 'IML32.dll' CVE-2010-4087 Memory Corruption Vulnerability
 
Adobe Shockwave Player 'dirapi.dll' CVE-2010-4088 Memory Corruption Vulnerability
 
A network hardware failure knocked PayPal offline for all of its users worldwide Friday, and the recovery and failover systems didn't spring into action as quickly as they were supposed to.
 
A big part of Microsoft CIO Tony Scott's job in Redmond is to personally use all of Microsoft's technologies, including its cloud products. Microsoft types call this "eating your own dog food."
 
Facebook is punishing several application developers for passing certain information to a data broker in the latest move by the social networking site to control growing concerns over privacy.
 
I continue answering Lee's question about increasing the number of Windows System Restore points.
 
Your fingers may have to learn some new habits. A number of common keyboard shortcuts changed between Entourage 2008 and Outlook 2011, and some even took on the opposite meaning!
 
If you've already upgraded to Microsoft Office 2011 from an earlier edition--or are considering doing so--you probably know that e-mail, calendars, and contacts are now handled by a new application called Outlook (Macworld rated 4 out of 5 mice) rather than Entourage (Macworld rated 4 out of 5 mice). Switching to Outlook need not be traumatic, but it's different enough that you may be disoriented at first, or have trouble figuring out how to do a few basic tasks. These tips will get you started.
 
Python Multiple Denial of Service Vulnerabilities
 
Python 'rgbimg' RLE Decoder Multiple Buffer Overflow Vulnerabilities
 
Python Asyncore Module 'accept()' function Remote Denial of Service Vulnerability
 
Python 'rgbimg' Module ZSIZE Value Buffer Underflow Vulnerability
 
Home FTP Server Directory Traversal Vulnerability
 
Dovecot Access Control List (ACL) Multiple Remote Vulnerabilities
 
Dovecot Access Control List (ACL) Plugin Security Bypass Weakness
 
yPlay '.mp3' File Remote Buffer Overflow Vulnerability
 
People who use the Firesheep Firefox add-on to snoop on fellow computer users might be breaking federal wiretapping laws, legal experts said.
 
IE9 Platform Preview 6 gains on Google Chrome and Firefox with big improvements in HTML5 compatibility and JavaScript performance
 
A bug in the iPhone's operating system resulted in alarms going off an hour late as Europe changed from daylight saving time.
 