InfoSec News

In September representatives from India, Brazil and South Africa (IBSA) got together to talk about the Internet. Their conclusion: The 'Net needed help from the United Nations in the areas of developing policies, technical standards, operation, dispute resolution and crises management.
People who want to limit the behavioral advertising and tracking they are subjected to on the Web aren't well served by some popular privacy tools, according to a Carnegie Mellon University study.
Since its first day serving the corporate finance community, nine months ago, CFOworld has been dedicated to helping clear up questions about cloud computing. But rather than asking the same tech-based questions that the CIO might ask, we've been putting ourselves in the shoes of finance chiefs.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security researchers said Tuesday the Duqu Trojan used a Word document that exploits a Microsoft zero-day vulnerability in order to infect computers. Microsoft said it’s working to address the flaw.

Researchers at the Laboratory of Cryptography and System Security (CrySys) in Budapest, Hungary, uncovered the installer file, the Word document, which Symantec researchers said exploits a previously unknown kernel vulnerability. Symantec issued a report last month that detailed the similarities between Duqu and the notorious Stuxnet malware. Designed to steal data, Duqu was discovered on the systems of industrial component manufacturers.

In an email statement, Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing, said, “Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process.”

According to Symantec, the Word document was designed to target specific organizations. Symantec researchers noted that this installer is the only one recovered to date; attackers may have used other methods to spread Duqu. There are no robust workarounds but most security vendors already detect and block the main Duqu files, Symantec said in a blog post Tuesday.

The number of confirmed Duqu infections remains limited, but infections have been confirmed in six possible organizations in eight countries, including France, India, and Iran, according to Symantec.

According to Reuters, computer investigators in India have seized the computer equipment believed to have hosted the command-and-control server connected to Duqu.

The U.S. Commerce Department's National Institute of Standards and Technology (NIST) has released for public comment a draft 'roadmap' that is designed to foster federal agencies' adoption of cloud computing, support the private sector, ...
When the U.S. Department of Homeland Security receives information about potential threats to the U.S., agents may turn to social networking sites like Facebook and Twitter.
Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution Vulnerability
XSS and SQL Injection Vulnerabilities on Symphony CMS 2.2.3
XSS Vulnerabilities in eFront
[ MDVSA-2011:162 ] kdelibs4
The Duqu trojan infects systems by exploiting a previously unknown Windows kernel vulnerability that is remotely executable.
The odds are that Microsoft won't patch the Windows kernel bug next week that the Duqu remote-access Trojan exploits to plant itself on targeted PCs, a researcher said today
GDTelcom Speedtest ActiveX Control "FTPDownLoad Class"-ActiveX.dll Remote Denial of Service Vulnerability
[ GLSA 201111-01 ] Chromium, V8: Multiple vulnerabilities
IBSng all version Cross-Site Scripting Vulnerability
Linux Kernel 'clock_gettime()' Local Denial of Service Vulnerability
[security bulletin] HPSBMU02712 SSRT100649 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code
Microsoft's Internet Explorer last month lost the largest amount of browser usage share in three years, according to data from Net Applications.
There's a wealth of data out there companies can use to better understand customers and identify emerging business opportunities and threats. But how to access and work with all that data? An emerging type of service called data as a service, or DaaS, promises to help. Insider (registration required)
Calxeda on Tuesday announced its EnergyCore, an integrated server chip with an ARM processor that could provide the groundwork for ARM to challenge Intel's dominance in the server market.
The U.S. Air Force is close to making decisions on the future of a sprawling Oracle ERP project that is supposed to remake the military branch's worldwide supply chain, according to a recently released document.
Google has updated Gmail with an updated look, cleaner message strings, customizable navigation and advanced search.
Facebook has apparently fixed a vulnerability in its social-networking site after insisting it wasn't a weakness and didn't need to be remedied.

Wisegate's Information Security Pros Join Forces to Counter Escalating Hacker ...
EON: Enhanced Online News (press release)
In a recent poll from Wisegate's community of security experts, 100% of CISOs and senior security practitioners from leading companies in financial services, healthcare, consumer products, automotive, and government agencies said that “Infosec ...

Richard S wrote us and asked what information we could offer regarding languages/frameworks that are more suitable for developing secure applications, along with what attributes differentiate them from their less secure counterparts.
I'll treat this as a starting point for a run on reader comments but will set the ground rules, and throw out some core elements to get the conversation under way.
In the interest of full disclosure, I am not a developer (good at break and assess but not create) and I work for Microsoft.
As such I recuse myself from all but a few strong convictions.

First, let's not go for the "this language is so much better than that language" or "that framework s**ks" approach. Instead, let's recognize that there are a wide variety of options and that the approach should be about secure development practices first and foremost.
In general terms: what works, and why do you believe your language/framework of choice is secure to the extent that it is?

Above all else, I espouse following an SDL/SDLC practice to include code review and threat modeling, as well as static and runtime analysis, with security checkpoints woven into to delivery schedules. I am of the opinion that this practice precedes the language or framework being used.
One can obviously write terrible code in the same language with which another developer can write the digital equivalent of Fort Knox.
As Swa Frantzen pointed out in a comment on the Critical Control 7 - Application Software Security diary he posted on my behalf, consider embracing a bottom-up security framework such as OWASP ESAPI (Enterprise Security API).
OWASP ESAPI is available for Java EE, .NET, Classic ASP, PHP, while others are pending release (ColdFusion, C, C++).

Richard's line of questions is focused on web application development, and he made the point that there is much literature on design patterns, the importance of validation, etc., but less on the subject of secure languages and frameworks.
Again, I contend that this is a function less of there being one or two highly touted languages/frameworks, and more about those that have security-centric libraries to be leveraged for product hardening as well as good developers to do so.
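To make the "practices and security-centric libraries over language choice" point concrete, here is an added example (mine, not code from the diary or from OWASP ESAPI) that reproduces ESAPI's bottom-up pattern in plain Python: an allow-list validator in the spirit of ESAPI's getValidInput, contextual output encoders, and a parameterized query, shown beside the string-built query it replaces. The rule names, table layout and sample users are constructed for the illustration.

```python
import html
import re
import sqlite3
import urllib.parse

# Allow-list validation rules, constructed for this example in the spirit of
# ESAPI's Validator patterns: accept only what the application actually needs.
VALIDATION_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


class ValidationError(ValueError):
    """Raised when untrusted input fails an allow-list rule."""


def get_valid_input(context, value, rule, max_length):
    """Return value unchanged if it satisfies the named rule, else raise.

    Analogous to ESAPI's getValidInput(context, input, type, maxLength, allowNull)
    with allowNull fixed to False. The context string only labels the error.
    """
    if value is None or len(value) > max_length:
        raise ValidationError(f"{context}: missing or longer than {max_length}")
    if not VALIDATION_RULES[rule].fullmatch(value):
        raise ValidationError(f"{context}: does not match rule {rule!r}")
    return value


def encode_for_html(value):
    """Encode for an HTML text or attribute context (ESAPI encodeForHTML analogue)."""
    return html.escape(value, quote=True)


def encode_for_url(value):
    """Encode for a URL path or query component (ESAPI encodeForURL analogue)."""
    return urllib.parse.quote(value, safe="")


def vulnerable_lookup(conn, username):
    # 'before': untrusted input is spliced into the SQL text, so quote
    # characters in the username change the query's structure.
    return conn.execute(
        f"SELECT email FROM users WHERE username = '{username}'"
    ).fetchall()


def hardened_lookup(conn, username):
    # 'after': validate against the allow-list first, then bind as a parameter
    # so the input can never be interpreted as SQL. Both layers are needed:
    # validation limits what reaches the database, parameterization makes the
    # query structure independent of the value.
    validated = get_valid_input("lookup.username", username, "username", 32)
    return conn.execute(
        "SELECT email FROM users WHERE username = ?", (validated,)
    ).fetchall()


def render_profile(username, email):
    """Build an HTML fragment, encoding each value for the context it lands in."""
    return (
        f'<a href="/u/{encode_for_url(username)}">{encode_for_html(username)}</a>'
        f" &lt;{encode_for_html(email)}&gt;"
    )


def build_demo_db():
    """Constructed in-memory table with two sample users for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(hardened_lookup(db, "alice"))
    print(render_profile("alice", "alice@example.test"))
```

The validator deliberately knows nothing about SQL or HTML; it only shrinks the input space. The encoders know nothing about validation; they make whatever reaches them safe for one output context. That separation is what lets a team apply the same checks uniformly across handlers, which matters more than which language the handlers are written in.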

For your consideration (borrowed directly from Richard's inquiry):
1) If you take everything else as being equal (defensively designed code with input validation, a hardened infrastructure, firewalls, TLS, and so on), the question remains: how does the choice of language/framework impact the concept of security in depth?
2) What attributes of the language itself enhance security?
3) If compiled offers an advantage over scripted in this respect, do the likes of C# have an advantage given the resources dedicated to supporting securing it? Are compiled apps less vulnerable than scripted apps as a function of source code exposure post-compromise?

Also on the table are the challenges around 3rd party plugins for given platforms. I believe that this is always the soft spot in what may be otherwise splendid armor. Insert your favorite weakest link analogy here.

I believe a follow-up post will be required here to include references from industry studies that discuss:

Number of organizations that use each framework or language for 'secure' applications
Availability/number of security elements built in to the core language/framework
Availability/number of 3rd party security elements (can they be identified as trustworthy?)
Number of vulnerabilities identified (per month, per year)
Time to fix

So bring it on: tell us via the comment form what works for you and why (don't hesitate to include favorite static/runtime analysis tools).
Russ McRee

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
IBM WebSphere Application Server Administration Console Information Disclosure Vulnerability
Researchers from Stanford University have developed an automated tool that is capable of deciphering text-based anti-spam tests used by many popular websites with a significant degree of accuracy.
The U.S. Department of Energy will debut in November one of the fastest networks ever built: a 100Gbps Ethernet network that will enable researchers to create more complex, real-world simulations in climate change, particle physics, astronomy and other scientific fields.
Apple will launch the iPhone 4S in Hong Kong, South Korea and 13 other countries on Nov. 11, with pre-orders starting this Friday.
Hewlett-Packard is developing servers based on a low-power microprocessor design from ARM Holdings, and claims it can slash power and space requirements by as much as 90 percent for companies running certain Web-based applications, HP announced Tuesday.
ISC BIND 9 DNSSEC Query Response Additional Section Remote Cache Poisoning Vulnerability
ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability
Multiple Vendor OpenSSL 'DSA_verify' Function Signature Verification Vulnerability
Akamai Technologies CSO Andy Ellis talks about some of the things organizations need to consider in order to better manage risk.
Help is on the way for anyone who has ever been puzzled by Google's choice of ads in their Gmail messages and their search results pages.
It goes without saying that the Internet isn't a safe place--it's a veritable jungle. In the world of browsers, we, the users, are seen as a delicious and commonly exploited target by many adversaries. Much like in the real jungle, we most often fall prey to lurking predators that bring us down using spear phishing, drive-by downloads and all manner of malware.
vBulletin Multiple Remote File Include Vulnerabilities
Can security information and event management systems be the foundation for comprehensive IT data analytics? Powerful correlation engines and sharper analytical capabilities are forthcoming, analysts say.

The new version of iPass' Open Mobile platform has added security and more controls for enterprises to keep track of data usage, the company said on Tuesday.
Sybase is hoping its IQ analytic database can make its mark in the burgeoning "Big Data" market with an array of new features, including native integration with the open-source MapReduce and Hadoop programming frameworks for large-scale data processing.
A tiny projector that plugs into an iPhone's docking slot and can throw a 25-inch image about a meter away has gone on sale in Japan and China.
Linux Kernel '/mm/oom_kill.c' Integer Overflow Vulnerability
Domain Shop 'index.php' Cross Site Scripting Vulnerability

Computer equipment from a data center in Mumbai has been seized as part of an investigation into the Duqu Trojan, which shares code with the notorious Stuxnet worm.

Reuters has reported that computer investigators in India have seized the computer equipment that is believed to have hosted the command-and-control server connected to the Duqu Trojan.

Investigators from India’s Department of Information Technology traced the malware communications to a server at a web-hosting company called Web Werks, according to two workers at the firm. The investigators took several hard drives and other components from a server, Reuters said.

Symantec Corp. issued a report last month detailing how the Duqu Trojan is closely linked to the Stuxnet worm. The authors of the malware are believed to have had access to the Stuxnet source code. Unlike Stuxnet, which is intended to seek out Siemens supervisory control and data acquisition (SCADA) software and disrupt industrial processes, Duqu was designed to steal data. Duqu was discovered on the systems of industrial component manufacturers.

Once a system is infected with Duqu, additional malware is downloaded to record keystrokes and steal other details about the infected system. It can take screenshots, record network information and explore files on all drives, including removable drives.

Security researchers don’t know how the malware spreads. They are seeking the installer, which will yield clues as to how systems are initially infected. Currently, antivirus and antimalware engines can detect the Trojan.

The Dell SecureWorks Counter Threat Unit issued a Duqu report last week calling much of the early Duqu analysis “pure speculation.” Many of the techniques used by Duqu share characteristics with Stuxnet, but they have also been used in other unrelated malware, the CTU research team said. Still, Symantec said its binary analysis of the Duqu code concluded that the two pieces of malware shared the same code base.

Infrastructure-as-a-service provider GoGrid is adding a dedicated line service between its facilities so users can be sure of fast and secure transfers.
Yahoo spinoff company Hortonworks has released a preview edition of what will be a fully open source distribution of the Apache Hadoop data analysis platform, called the Hortonworks Data Platform, the company announced Tuesday.
Adobe Systems has acquired privately owned Auditude in order to boost its video offerings with an advertising platform, the company said on Tuesday.
It's not easy to walk the line between locking down the desktop and providing some flexibility for employees to do their jobs. Here's what has worked for some shops.
The devastating floods in Thailand will cause a 28 percent quarter-on-quarter drop in hard disk drive (HDD) production in the fourth quarter, potentially affecting notebook production in early 2012, research firm IHS iSuppli said on Monday.
Phil McKinney, vice president and chief technology officer of Hewlett-Packard's Personal Systems Group, will retire from the company at the end of this year, he wrote in a blog post on Monday.
You can add MarkLogic to the growing list of database vendors rushing to embrace the open-source Hadoop programming framework for large-scale data processing.
Breast cancer survivor Pam Crum received treatment at Georgetown University Medical Center both before and after it had electronic medical records. So she knows how paper records can create arduous tasks for patients and how an electronic, networked system can streamline treatment.

Posted by InfoSec News on Nov 01


By Richard Chirgwin
The Register
26th October 2011

The FBI’s Shawn Henry says the world needs a second Internet for
critical systems -- apparently never having been told what a “private
network” is when you don’t prefix it with the word “virtual” – and the
idea is taking off in other quarters.

Here’s why it’s a dumb idea: it won’t work.

It’s not just that...

Posted by InfoSec News on Nov 01


By Gregg Keizer
October 31, 2011

Attackers used an off-the-shelf Trojan horse to sniff out secrets from
nearly 50 companies, many of them in the chemical and defense
industries, Symantec researchers said today.

The attack campaign -- which Symantec tagged as "Nitro" -- started no
later than last July and...

Posted by InfoSec News on Nov 01


By John E Dunn
31 October 2011

The design similarities between the recently-publicised Duqu malware and
the infamous Stuxnet worm that caused widespread alarm more than a year
ago have been hugely exaggerated, an analysis by Dell SecureWorks has

The essence of the company’s strip-down analysis is that despite...

Posted by InfoSec News on Nov 01


The Canberra Times
01 Nov, 2011

A Lyneham man who pleaded guilty to hacking into two ATMs to steal
$10,400 was already on bail for stealing thousands more dollars from
cash machines to feed a gambling addiction, a court has heard.

Luke Angus McLaren, 23, posed as a technician when he hacked into the
machines at the...

Posted by InfoSec News on Nov 01


Star Tribune
October 30, 2011

Big banks, hospitals and insurance companies worry about computer
security because they handle so much personal information.

Now, in the age of outsourcing, they also have to worry about whether
their partner firms are secure. And that's created a new kind of
business consultant: The information security auditor who determines how

Los Alamos National Laboratory Wins National Cybersecurity Innovation Award ...
Sacramento Bee
SANS offers a myriad of free resources to the Infosec community including consensus projects, research reports, newsletters, and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

Seagate announced that it's bumping the platter rotation speed in all of its Barracuda hard drives from 5400 rpm to 7200 rpm.