Hackin9

InfoSec News

The makers of the mobile app Girls Around Me came under fire Monday for helping men to "stalk" unsuspecting women, but the incident also reveals how much we still have to learn about what social networks reveal about us.
 
With the end of the public comment and response periods on the LightSquared plan to operate a 4G LTE service near GPS frequencies, it's the FCC's turn to decide how to proceed.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Ethernet has gained speed many times, and now it may be about to lose weight.
 
Dell's plan to buy Wyse Technology is an effort to boost its client hardware portfolio and protect the company from the effects of the recent slowdown in PC sales, analysts said on Monday.
 
If, as reported, Facebook is building a search engine to rival Google's, then the competition between the two Internet giants has intensified further.
 
Questions remain over a computer intrusion at Global Payments that exposed data on at least 1.5 million credit and debit card holders.
 
A security expert warns organizations against buying the latest and greatest security technology and advocates for more effective pen testing at InfoSec World Conference and Expo 2012.

 
Following a breach that leaked approximately 1.5 million payment card numbers, Global Payments is now working to achieve PCI compliance once again.

 
Drupal Date Module SQL Injection Vulnerability
 
Thanks to increasingly sophisticated technology and ongoing economic uncertainty, all types of fraud are flourishing today, including check fraud. The prevalence of mobile and wireless technologies and the increasing ease of access to high-quality printing and duplication technology are making it easier for criminals to steal credentials, alter check numbers and create counterfeit checks.
 
Public-sector ERP (enterprise resource planning) software projects historically have experienced some of the industry's most dramatic cost overruns and delays, a fact that a new report by the U.S. Government Accountability Office brings into sharp relief.
 
A Massachusetts company is one step closer to delivering its flying car after testing a production prototype.
 
Fallout from the Global Payments fiasco that could affect potentially millions of credit cardholders continues. First, Visa over the weekend dropped the Atlanta-based credit card processor from its ranks as a partner "compliant" in accepted industry data security standards.
 
Oracle and Google have failed to settle their intellectual property dispute and appear headed to court on April 16.
 
Premier 100 IT Leader Brent Stahlheber also answers questions on coping with politics and jump-starting a fledgling career.
 
Last month Michael Dell let the world know that Dell is "not really a PC company." Today, Dell announced that it has reached an agreement with Wyse that extends Dell's portfolio of products and services even further beyond the traditional PC market.
 
Many law enforcement agencies across the U.S. track mobile phones as part of investigations, but only a minority ask for court-ordered warrants, according to a new report released Monday by the American Civil Liberties Union.
 
JRuby Hash Collision Denial Of Service Vulnerability
 
The Apache Software Foundation connects Hadoop to databases and data warehouses with Sqoop.
 
Our manager handles the quarterly SOX report himself after more layoffs.
 
LSI announced three new PCIe-based NAND flash cards that are aimed at three market segments -- primary storage on an application server, all-in-one application caching and a RAID data protection product.
 
Yahoo on Monday released an open-source Web application framework called Mojito that aims to make it faster for developers to write apps that can run on all major device platforms, including smartphones, PCs, iOS and Android.
 
An unpatched Java vulnerability is being exploited by cybercriminals to infect Mac computers with a new variant of the Flashback malware, say F-Secure researchers.
 
phpCAS Proxy Authorization Security Bypass Vulnerability
 
phpCAS Multiple Local Information Disclosure Vulnerabilities
 
NIST is currently in the final stages of defining a new secure hashing algorithm (SHA) [1]. The goal of the competition is to find a replacement for the current standard (SHA-2, aka SHA-256 and SHA-512). NIST tries to be somewhat proactive in defining crypto standards, realizing that new standards need to be implemented well before the old ones are considered broken.
The three popular hash functions, MD5, SHA-1 and SHA-2, all use variations of a particular hashing construction known as the Merkle-Damgård construction. Attacks have been developed for MD5 and SHA-1, and it is plausible that they will be extended to SHA-2 in the future. As a result, the candidates for SHA-3 use different designs that are hopefully safe from similar attacks.
A good cryptographic hash makes it hard to come up with two different documents that exhibit the same hash. There are a number of variations of this attack, for example depending on whether or not one of the documents (or hashes) is given in advance. One attack in particular affects the Merkle-Damgård based hashes: the length extension attack. This attack is particularly relevant if a hash is used to verify the integrity of a document.
In this attack scenario, the hash is created by concatenating a secret and a file, then hashing the result. The hash and the file (without the secret) are then transmitted to a recipient. The recipient uses the same secret to recreate the hash and to verify whether the file is authentic. However, for hash functions susceptible to the length extension attack, an attacker who knows the size of the original hashed input may calculate a valid new hash for a longer document. The attacker can only append to the document, not change what is already there.
To make this more specific, let's say I am sending you a contract. We agreed on a pre-shared secret. I create the hash of secret+contract and send the hash to you with the document. An attacker now intercepts the message, adds a page to the contract, and calculates a new hash. All the attacker needs to know (or guess) is the length of the secret.
Current hash functions can be used safely to authenticate messages, but the algorithm has to be slightly more complex. Instead of just prepending the key, an HMAC algorithm has to be used, which essentially applies the key to the message by XOR'ing the key with the message before hashing (just use a library HMAC; it's a bit more complex than that and has to be done right).
But back to SHA-3: NIST has narrowed the field of potential candidates down to 5. All of them are safe with respect to the length extension attack. However, they all take up more CPU cycles than SHA-2, except in some cases where HMAC is required. In addition, at a recent IETF meeting [2], it was pointed out that during the competition SHA-2 turned out to be more robust than expected, reducing the need for SHA-3 to replace SHA-2.
So why should you care? There are a number of reasons why you should be concerned about encryption standards. First of all, many compliance regimes require the use of specific hashing and encryption algorithms. Secondly, while there may be equivalently strong algorithms, developers of libraries usually spend more effort optimizing standard algorithms, and you may even find them in silicon in modern CPUs. I wouldn't be surprised to find a SHA-3 opcode in a future mainstream CPU. At this point, SHA-256 or SHA-512 should be used if you are developing new software. However, if you find SHA-1, you shouldn't panic. Make sure you are using HMAC properly, and are not just concatenating secrets with documents in order to validate them.
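The following example is added here to illustrate the diary's point and is not part of the original post or any SANS code. It places the naive H(secret || document) construction next to an HMAC-based tag, shows why the transmitted naive digest depends on the secret's length (via the standard SHA-256 padding rule), and verifies that a receiver using HMAC rejects a document with an appended page. The secret and contract bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demo; a real key is random and never a human-readable string.
SECRET = b"pre-shared-secret"
CONTRACT = b"Party A pays Party B 100 USD on delivery."
ADDED_PAGE = b"\nAddendum: Party B also pays Party A 1000 USD."


def naive_tag(secret: bytes, msg: bytes) -> str:
    """The construction the diary warns about: SHA-256(secret || msg).
    The digest is the full Merkle-Damgard chaining state after the last block,
    which is what makes length extension possible once len(secret) is known."""
    return hashlib.sha256(secret + msg).hexdigest()


def hmac_tag(secret: bytes, msg: bytes) -> str:
    """HMAC-SHA256: the key is folded into an inner and an outer hash, so the
    transmitted tag is not a reusable chaining state for the attacker."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, msg: bytes, tag: str) -> bool:
    """Receiver side: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(hmac_tag(secret, msg), tag)


def md_padding(total_len: int) -> bytes:
    """SHA-256 padding (FIPS 180-4) appended to an input of total_len bytes:
    0x80, zero bytes up to 56 mod 64, then the bit length as a 64-bit big-endian int.
    It depends on the *total* length (secret + document), which is why the
    attacker in the diary's scenario has to know or guess the secret's length."""
    bit_len = total_len * 8
    zero_count = (56 - (total_len + 1)) % 64
    return b"\x80" + b"\x00" * zero_count + struct.pack(">Q", bit_len)


def tamper_demo() -> dict:
    """Honest sender tags the contract with HMAC; the receiver accepts the
    original and rejects the version with an appended page under the same tag."""
    tag = hmac_tag(SECRET, CONTRACT)
    return {
        "original_accepted": verify(SECRET, CONTRACT, tag),
        "extended_accepted": verify(SECRET, CONTRACT + ADDED_PAGE, tag),
    }


if __name__ == "__main__":
    print("naive tag:", naive_tag(SECRET, CONTRACT))
    print("padding length for secret+contract:", len(md_padding(len(SECRET + CONTRACT))))
    print(tamper_demo())
```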
[1] http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

[2] http://www.ietf.org/proceedings/83/slides/slides-83-saag-0.ppt
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 

SailPoint Continues to Demonstrate Thought Leadership on Governance-Based ...
MarketWatch (press release)
What: InfoSec World -- A New Era of Technologies Requires A New Approach to Identity Management When: Tuesday, April 3 at 1:45 pm Rolls will discuss how to address risks posed by the growing catalog of technologies in today's IT infrastructure with a ...
 
Top civil rights groups including the Electronic Frontier Foundation, Article 19 and Reporters Without Borders asked the Pakistan government on Monday to officially withdraw its plan for a national URL filtering and blocking system.
 
Dell has signed an agreement to acquire thin-client hardware and software company Wyse Technology, to expand its desktop virtualization offerings, Dell said Monday.
 
Now why would you do that? I mean really, why would you trust me?
 
In IT, failure is not an option. Not surprisingly, organizations have made it a high priority to develop and implement reliable business continuity plans to ensure that IT services are always available to internal users and outside customers.
 
In Star Wars, Coruscant is an entire planet that's a city. And in the movie, traffic flows in three dimensions as everyone flies around - without any accidents. As it's science fiction, there aren't even any traffic jams.
 
On most days, programming is a rewarding experience, with no problem too challenging to solve. Perseverance, intuition, the right tool -- they all come together seamlessly to produce elegant, beautiful code.
 
Information Builders has added a range of improvements to its WebFocus BI (business intelligence) platform that will make it more appealing to ISVs that want to offer it as a cloud service, the company announced Tuesday.
 
Amazon has added the ability for CloudFront to stream live content to Apple iOS devices and Microsoft Silverlight clients, the company said in a blog post on Sunday.
 
If you buy a cheap inkjet printer, you're going to pay a small fortune for the ink to run it (assuming that you use the ink that its manufacturer specially designed for it). Even so, the size of the bill depends to a great extent on which brand of printer you buy. Some printer makers, like Kodak, work hard to keep their ink prices reasonable, while others, like Dell, consistently charge top dollar.
 
Microsoft is moving its European distribution center form Germany to the Netherlands due to ongoing patent litigation, a company spokesman confirmed Monday.
 

SANS First Annual Survey Results on Mobility Security: Lack of Awareness ...
MarketWatch (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, newsletters, and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...
 

One tweet is all it takes
ComputerWeekly.com (blog)
By Warwick Ashford on April 2, 2012 2:11 PM | No Comments | No TrackBacks User education and awareness training are important elements of information security, most infosec professionals agree, but most also admit their organisations are not investing ...

 

Entrust at InfoSec World Conference & Expo 2012 -- Security Expert Explores ...
MarketWatch (press release)
DALLAS, April 2, 2012 /PRNewswire via COMTEX/ -- Entrust Inc. product manager Mike Moir will explore consumerization in the enterprise -- including the latest trends and threats -- during the 2012 InfoSec World Conference & Expo in Orlando, Fla., ...
 
NTT DoCoMo said Monday a planned joint venture with Samsung Electronics, Fujitsu, NEC and other Japanese companies to design and sell chips for high-speed mobile networks based on the LTE (Long Term Evolution) standard has been abandoned.
 
Internet Explorer posted another major gain in share last month, the second in the first quarter of the year, perhaps signaling a turnaround in Microsoft's fortunes, a Web metrics company said Sunday.
 
The wave started last year when Time Warner Cable, the telecommunications company serving much of the Eastern United States, spent $230 million to purchase NaviSite, a provider of cloud services for businesses.
 
TYPO3 Core TYPO3-CORE-SA-2012-001 Multiple Remote Security Vulnerabilities
 
FreeRADIUS Revoked Certificate Authentication Bypass Vulnerability
 
A recently released study that found global temperatures may be rising faster than expected was developed with the help of thousands of PCs.
 
You work, you strive, you reach the top of your profession -- and then you leave? Sure, say these ex-CIOs. Read their take on life after IT. Insider (registration required)
 
IBM is developing new data management and analysis technologies for what will be the world's largest radio telescope. The Square Kilometre Array, due to become operational in 2024, will produce so much data that even tomorrow's off-the-shelf computers will have difficulty processing all of it, the company predicted.
 
libpng 'png_set_text_2()' Function Memory Corruption Vulnerability
 
Payments processing services company, Global Payments said late Sunday that information on up to 1.5 million card numbers may have been "exported" as a result of an unauthorized access into its processing system.
 
ioQuake3 Engine Multiple Remote Denial of Service Vulnerabilities
 