InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple and Samsung Electronics have until Monday to further boil down the number of claims to be considered in the sweeping intellectual-property lawsuit concerning their smartphone and tablet products, which is now scheduled to go to trial July 30.
Microsoft will retire the Windows Live brand as it gets ready to release what it describes as a more connected set of online consumer services with the launch of its Windows 8 operating system.
Mozilla Firefox/Thunderbird/SeaMonkey IDBKeyRange Use-After-Free Vulnerability
Microsoft's decision late last year to switch on 'silent' upgrades for Internet Explorer (IE) has moved some Windows users to newer versions, but has had little, if any, impact on the oldest editions, IE6 and IE7, according to usage statistics.
Facebook's year-old project to develop open-source hardware designs with the aim to build efficient data centers gained momentum on Wednesday, with some top technology companies joining the effort and introducing server designs.
Facebook officials continue to decline to respond to speculation on when the social networking company will pull the trigger on its highly-anticipated initial public offering
OpenConf 'edit.php' SQL Injection Vulnerability

Sophos: 64 Percent of People Find Cloud Storage Services 'Scary' (eSecurity Planet)
By Jeff Goldman | May 02, 2012. Security firm Sophos recently polled 214 conference attendees at Infosec Europe and found that while 64 percent of respondents thought cloud storage services like Dropbox are "scary," 45 percent are using the services at ...
Related: 45% use cloud services, but 64% find them 'scary' (BCS); 64% of people think cloud storage is risky, but 45% still go right ahead and ... (Naked Security)

InfoSec Skills CEO Backs David Willets' "Hybrid" Approach to National Cyber ... (Technology Digital, press release)
InfoSec Skills' CEO, Terry Neal, has said that he fully supports the position David Willets described in a speech at Europe's biggest Information Security trade show last week. London, United Kingdom, May 01, 2012 --(PR.com)-- InfoSec Skills' ...
Coming in 120GB and 240GB capacities, and priced at $430 and $700 respectively, Elgato's Thunderbolt SSD is a solid-state drive that offers a nice speed boost over FireWire 800, but is overall slower than other Thunderbolt drives we've tested. (We tested the 240GB version.)
Google Drive raises several concerns about cloud storage. Many of these consumer-level questions -- who owns your data, how data can be used and what happens if the data is lost or stolen -- are ones enterprise IT executives should be asking, too.
As the jury deliberates its verdict in the copyright phase of Oracle's lawsuit against Google, both sides are watching for signs from the jury as to which way it is leaning. On Wednesday it might have given them one.
An online education organization backed and funded by MIT and Harvard University will use open-source technology to offer free classes over the Internet, the two schools announced Wednesday at a press conference.
The payment processor breach is believed to involve under 1.5 million credit cards, but the company indicated on Tuesday that banks are issuing a "wide net" to protect customers.

New PCI DSS guidance on point-to-point encryption outlines product testing requirements, and urges more merchant-acquirer collaboration.

Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-0470 Heap Buffer Overflow Vulnerability
Researchers at the National Institute of Standards and Technology (NIST) have developed and published a new protocol for communicating with biometric sensors over wired and wireless networks, using some of the same technologies that ...
Should Oracle prevail in its intellectual-property lawsuit against Google over alleged Java patent and copyright violations in the Android mobile OS, it shouldn't result in the "industrial meltdown" some observers fear, Java creator James Gosling said in a blog post late Tuesday.
Reader, tech dabbler, and Weeds actor Andy Milder occasionally contacts me for technical advice. In exchange, I drop his name. I'd additionally like to drop this bit of advice in response to his latest query:
Apple has reportedly been rejecting developers' iOS apps that use the Dropbox SDK.
Bugzilla Cross Site Request Forgery and Security Bypass Vulnerabilities
Local File Inclusion in PluXml
[SECURITY] [DSA 2463-1] samba security update
The National Institute of Standards and Technology (NIST) is hosting Cloud Computing Forum & Workshop V on June 5-7, 2012, at the Department of Commerce's Herbert C. Hoover Building in Washington, D.C. Cloud computing is a model ...
Mozilla is working on a revamp of Firefox to synchronize its various versions -- desktop, tablet, phone and Windows 8 Metro -- into a single visual style, according to documents posted by members of its UI design team.
With Facebook's IPO looming just ahead, Twitter CEO Dick Costolo says his company is in no hurry to follow suit.
RubyGems SSL Certificate Validation Security Bypass Vulnerability
phpMyAdmin 'show_config_errors.php' Full Path Information Disclosure Vulnerability
[CVE-2012-1002] OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability
[security bulletin] HPSBMU02772 SSRT100603 rev.1 - HP System Health Application and Command Line Utilities for Linux, Remote Execution of Arbitrary Code
[security bulletin] HPSBMU02771 SSRT100558 rev.1 - HP SNMP Agents for Linux, Remote Cross Site Scripting (XSS), URL Redirection
[security bulletin] HPSBMU02770 SSRT100848 rev.1 - HP Insight Management Agents for Windows Server, Remote Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), URL Redirection, Unauthorized Modification, Denial of Service (DoS)

it for more details about the VMware ESX hypervisor source code leak, should they be panicking?

Well no, not yet, anyway. Without knowing exactly what source code was leaked, it’s hard to know the extent of the threat, security experts have said. However, the answer may come soon — there are rumors that hackers will release more source code on Saturday.

Until then, virtualization security experts are offering some advice for enterprises running ESX. As with most things in security, much of the advice has to do with simply following best practices. However, virtualization security best practices may not always be at the top of an organization’s to-do list; the code leak should provide some prodding.

First off, organizations should block all Internet access to the hypervisor platform — especially to the Service Console — which is something they should already be doing, according to Dave Shackleford, principal consultant at Voodoo Security and senior vice president of research and CTO at IANS. They should also make sure all VMs are patched and restrict any copy/paste or other functionality between the VM and ESX host, he said in an email. (On the patching front, organizations using ESX should pay attention to last week’s security bulletin from VMware about an update for the ESX Service Console Operating System (COS) kernel to fix several security issues).

“Finally, they could set up ACLs or IDS monitoring rules to look for any weird traffic to those systems from both internal and external networks, and do the same on any virtual security tools if they’ve got them,” Shackleford said.

Edward Haletky, owner of AstroArch Consulting and analyst at the Virtualization Practice, wrote in a blog post that organizations should follow virtualization security best practices to pre-plan for the release of the ESX hypervisor code.

“Segregate your management networks, employ proper role-based access controls, ensure any third-party drivers come from well-known sources, set all isolation settings within your virtual machine containers, at-rest disk encryption, properly apply resource limits and limit para-virtualized driver usage,” he wrote.

Any attacks arising from the code leak will show up shortly after the code is made available, but won’t increase the risk beyond where it is today, Haletky wrote.

“The use of best practices for securing virtual environments is on the rise, but we are still a long way from our goal. Just getting proper management network segregation is an uphill battle. If there is currently a real risk to your virtual environment, it is the lack of following current best practices, not an impending leak of code,” he said.
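The advice above boils down to two checks that can be run mechanically against connection records: nothing outside the segregated management network should reach a hypervisor's management interface (SSH, the vSphere HTTPS port, or the VM console port 902), and a hypervisor should never initiate connections to the Internet. The following script is an added example written for this page, not code from VMware or from either of the experts quoted; the hypervisor addresses, management subnet, and flow records are constructed for illustration, and the "internal" set is simply the RFC 1918 ranges.

```python
"""Flag traffic to hypervisor management interfaces that does not come from
the designated management network, and any Internet-bound connection that a
hypervisor itself initiates. Added example with constructed addresses and
flow records; adapt the policy constants to the real environment."""
import ipaddress
from dataclasses import dataclass

# Constructed policy: management addresses of the ESXi hosts and the single
# subnet (the segregated management network) allowed to talk to them.
HYPERVISOR_MGMT = {ipaddress.ip_address("10.10.0.11"),
                   ipaddress.ip_address("10.10.0.12")}
MGMT_NETWORK = ipaddress.ip_network("10.10.0.0/24")
# SSH, vSphere client / web services over HTTPS, and the VM console port.
MGMT_PORTS = {22, 443, 902}
# Anything outside RFC 1918 space is treated as "external" for this check.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One connection record (source IP, destination IP, destination port)."""
    src: str
    dst: str
    dport: int


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(flow):
    """Return an alert string for a policy violation, or None if the flow is fine."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1: only the management network may reach hypervisor management ports.
    if dst in HYPERVISOR_MGMT and flow.dport in MGMT_PORTS:
        if src not in MGMT_NETWORK:
            origin = "internal" if is_internal(src) else "external"
            return f"ALERT: {origin} host {src} reached hypervisor {dst}:{flow.dport}"
        return None
    # Rule 2: a hypervisor must not open connections to the Internet.
    if src in HYPERVISOR_MGMT and not is_internal(dst):
        return f"ALERT: hypervisor {src} initiated Internet connection to {dst}:{flow.dport}"
    return None


def review(flows):
    """Run every flow through classify() and keep only the alerts."""
    return [alert for alert in (classify(f) for f in flows) if alert]


# Constructed sample flows covering the allowed and the alert-worthy cases.
SAMPLE_FLOWS = [
    Flow("10.10.0.50", "10.10.0.11", 443),    # admin workstation on mgmt net: fine
    Flow("10.20.5.7", "10.10.0.11", 22),      # desktop VLAN -> ESXi SSH: alert
    Flow("203.0.113.9", "10.10.0.12", 902),   # outside -> VM console port: alert
    Flow("10.10.0.12", "198.51.100.20", 80),  # hypervisor -> Internet: alert
    Flow("10.10.0.12", "10.10.0.200", 514),   # hypervisor -> local syslog: fine
]

if __name__ == "__main__":
    for line in review(SAMPLE_FLOWS):
        print(line)
```

The same two rules translate directly into firewall ACLs (permit MGMT_NETWORK to the hypervisors on 22/443/902, deny everything else; deny hypervisor-sourced traffic to non-RFC 1918 destinations) and into IDS rules that alert when either deny would fire.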


45% use cloud services, but 64% find them 'scary'
Despite a survey of 214 conference attendees at Infosec Europe - the continent's largest information security event - revealing that 45 per cent are using cloud services in the workplace, 64 per cent of those questioned said this type of technology is ...
Related: 64% of people think cloud storage is risky, but 45% still go right ahead and ... (Naked Security)
Kaiser Permanente CIO Philip Fasano discusses how the electronic records 'bet' has paid off and how social and mobile technologies will advance the effort. He also offers advice on making big tech projects successful, how to encourage innovation, what it means for CIOs to be the 'CEO' of their organizations and why healthcare providers should be in the business of delighting customers and patients.
TraxItAll lets you track data and generate reports based on those results in an effort to chart your progress toward a goal. Whether you're tracking how often you go to the gym, how many glasses of water you drink daily, or how many pushups you can do consecutively, this $2 iPhone productivity app from TraxItAll wants to help you record it.
Europe's top court ruled on Wednesday that the functionality of a computer program and the programming language it is written in cannot be protected by copyright.
Nokia will start shipping the PureView 808 in May and has extended its deal with Carl Zeiss, which will result in further advancements in smartphone imaging in the coming months and years, the company said on Wednesday.
VMware will offer enterprise software that allows employees to access all their desktop Windows applications and online services from a single portal, the company announced Wednesday.
Motorola Mobility won an injunction on Wednesday preventing distribution of Microsoft products including Windows 7 and the Xbox in Germany, but it can't enforce the injunction yet. Microsoft will appeal the case and is confident it can keep doing business in Germany, the company said.
Sony is joining Intel's ultrabook push with the new Vaio T family, which includes models with 11.6-inch and 13.3-inch screens, the company said on Wednesday.
Teradata is planning to acquire digital marketing software maker eCircle in order to augment the capabilities it gained through its 2010 purchase of marketing management vendor Aprimo.
Crowdfunding sites like Kickstarter are offering both established businesses and entrepreneurs a viable alternative to venture capitalists.
Salesforce.com said it had acquired real-time online collaboration platform company Stypi.
Microsoft has detected a new piece of malware targeting Apple OS X computers that exploits a vulnerability in the Office productivity suite patched nearly three years ago.
SolarWinds Storage Manager Server SQL Injection Vulnerability

64% of people think cloud storage is risky, but 45% still go right ahead and ... (Naked Security)
By Lisa Vaas on May 2, 2012. Nearly half of those polled at Infosec Europe last week reported that they use cloud storage services such as Dropbox, but an even bigger number think such services potentially open up security holes.
Expensive and specialized Fibre Channel SANs have been under assault as companies consolidate data traffic over Ethernet. With Fibre Channel disks already largely eliminated from the market by SAS, can networking gear be far behind?
A well-known theoretical physicist has taken direct aim at a key theory in the computer industry, saying Moore's Law is collapsing.
IT managers who grapple with Bring Your Own Device (BYOD) policies can expect to see an explosion of different devices used by their workers in the next few years.
Virtualization is so popular today that there is almost no company that does not use a virtualization platform. VMware is definitely the most popular one (at least the most popular one I seem to be running into).
It is also not uncommon to see VMware farms growing exponentially, as people tend to throw in more hardware and just create new VMs. In such cases, controlling what your administrators do is a must, yet I also see that organizations are not auditing their VMware farms (and especially administrator activity); this is something a lot of SIEMs and similar log collection and analysis tools fail at. So let's see what we have to work with here and how we can improve things.
System components
For the sake of this diary, I'll write mainly about the typical setups today that consist of ESXi (or ESX, for older setups) host servers and one or more vCenter management servers.
ESXi is VMware's host operating system that actually runs the virtual machines. It is highly optimized and has a footprint of only 150 MB. This is what is usually installed on those big servers that today run 20+ virtual machines.
Of course, when you have more than one ESXi server, you want to manage it centrally, not only to make management easier but to also allow some more sophisticated processes such as vMotion and similar. This management is done through a vCenter server.
vCenter basically just runs on a normal Windows machine, which itself can be a VM as well. Administrators normally use the VMware vSphere client application to connect to vCenter and to manage virtual machines (depending on their role and permissions, of course).
The same client (vSphere client) can be used by an administrator to connect directly to an ESXi server and to manage VMs that are hosted on that server. As you can probably guess, this creates problems for activity auditing since, in this case, any changes are performed directly on the ESXi host server so vCenter will not see those activities directly.
Finally, if you are trying to troubleshoot some problems, you can allow SSH access directly to the ESXi hosts. This access is disabled by default, but I have quite often found that organizations enable it and leave it enabled.
Log collection
We can see that there are multiple system components that generate logs that we should be collecting. While vCenter keeps its own logs and allows reviews from the console, ESXi hosts will also independently keep their logs that should be audited. Actually, when an administrator modifies something in vCenter, a task will be created that will cause vCenter to connect to the target ESXi host and issue the change.
At the moment I'm usually recommending that clients collect logs from the following components:

Since vCenter is the brain, we should collect all the logs we can from the server it is running on. VMware creates text log files (see http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1021806 for information about VMware logs) that are, unfortunately, not easy to read and often lack information.

What I've found is that the VMware SDK API allows much easier retrieval of logs, which will be nice and structured, but if your SIEM does not support it directly, you will have to write a script to retrieve such logs yourself.

Of course, do not forget about the OS logs as well as the database logs. Since this server is the most important one, make sure that you've protected it accordingly and that you collect all other log files that might be important.

ESXi host logs are also very important, since an administrator can connect directly to the hosts (unless this has been prevented). With ESXi there aren't many options, and probably the best one is to configure the local Syslog to send logs to the central Syslog server, as shown in the picture below.

Keep in mind, though, that VMware creates many multi-line logs which will eventually be broken up due to the size limits of Syslog, so correlating them on the server side might be quite difficult, if not impossible.
By using Syslog we will also take care of SSH logins, since these will be logged by the console and sent through Syslog to the central server.
Now that we have all the logs in one place, we can correlate them and set up alerts on suspicious activities.

Regular log reviews are very important. One of the things you should particularly look at is console access. For example, if an administrator who accessed a server's console through vCenter forgot to log out, any other vCenter administrator can access that server's console (if he has the vCenter permissions to access it, of course).
Good log collection and correlation (remember to collect both vCenter logs and logs from all your guest servers) can tell you which servers' consoles were accessed, as well as whether the administrator had to log in or not.
So check your VMware environments today and see if you can answer these questions: who logged in to my vCenter console, from where and when; which VMs were migrated; and which consoles have been accessed by which administrator in the last 30 days?
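To make the "Log collection" and "Regular log reviews" sections concrete, here is an added example (written for this page, not VMware's code or the diary author's) that correlates ESXi host and vCenter Syslog lines to answer the three questions above: who logged in, from where and when; which VMs were migrated; and which consoles were opened by which administrator, including consoles that were opened but never closed. It also flags logins made directly to an ESXi host (SSH, or a vSphere client connecting to the host rather than to vCenter), since vCenter never sees those. The hostnames, the vCenter address, and the log line formats are all constructed approximations; real hostd and vpxd messages carry more fields and differ in wording, so the regular expressions would need adjusting to a real feed. Continuation fragments of multi-line messages, which Syslog splits as the diary warns, simply do not match the Syslog header pattern and are skipped.

```python
"""Correlate constructed ESXi host and vCenter Syslog lines into an audit
report. Added example; hostnames, addresses and message formats are
constructed approximations of what a central Syslog server receives."""
import re
from collections import defaultdict

# Constructed environment: which Syslog hosts are ESXi hosts, and the IP
# address vCenter uses when it connects to those hosts on an admin's behalf.
ESXI_HOSTS = {"esxi01", "esxi02"}
VCENTER_ADDRESS = "10.10.0.20"

# Constructed sample feed. The indented line imitates a continuation
# fragment of a multi-line message that Syslog split off on its own.
SAMPLE_LOG = """\
May  2 10:01:12 esxi01 sshd[1234]: Accepted password for root from 10.20.5.7 port 51234 ssh2
May  2 10:05:40 esxi01 Hostd: User root@10.10.0.50 logged in as VMware-client/5.0.0
May  2 10:06:02 vcenter01 vpxd: User admin@10.10.0.50 logged in as VMware-vSphere-client/5.0.0
May  2 10:06:30 esxi02 Hostd: User vpxuser@10.10.0.20 logged in as VMware-vpxd/5.0.0
    continuation fragment of a multi-line message split by Syslog
May  2 10:07:15 vcenter01 vpxd: Migration of virtual machine web01 from esxi01 to esxi02 completed
May  2 10:08:00 vcenter01 vpxd: Console of virtual machine db01 opened by admin
May  2 10:09:30 vcenter01 vpxd: Console of virtual machine web01 opened by bob
May  2 10:30:00 vcenter01 vpxd: Console of virtual machine db01 closed by admin
"""

# Syslog header: timestamp, host, process (optional [pid]), message.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_LOGIN = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
API_LOGIN = re.compile(r"User (?P<user>[^@\s]+)@(?P<src>\S+) logged in as (?P<client>\S+)")
MIGRATION = re.compile(r"Migration of virtual machine (?P<vm>\S+) from (?P<src_host>\S+) "
                       r"to (?P<dst_host>\S+) completed")
CONSOLE = re.compile(r"Console of virtual machine (?P<vm>\S+) (?P<action>opened|closed) by (?P<user>\S+)")


def parse(text):
    """Yield one dict per well-formed Syslog line; fragments are skipped."""
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            yield m.groupdict()


def correlate(text):
    """Build the audit report the diary asks for from a Syslog feed."""
    report = {"logins": [], "direct_host_logins": [], "migrations": [],
              "console_access": defaultdict(set), "consoles_left_open": []}
    open_consoles = {}  # vm -> user who opened it and has not closed it
    for rec in parse(text):
        host, msg = rec["host"], rec["msg"]
        login = SSH_LOGIN.search(msg) or API_LOGIN.search(msg)
        if login:
            entry = {"when": rec["ts"], "component": host, "user": login["user"],
                     "from": login["src"],
                     "via": "ssh" if rec["proc"].startswith("sshd")
                            else login.groupdict().get("client", "?")}
            report["logins"].append(entry)
            # A login on an ESXi host not coming from vCenter bypassed vCenter.
            if host in ESXI_HOSTS and login["src"] != VCENTER_ADDRESS:
                report["direct_host_logins"].append(entry)
            continue
        mig = MIGRATION.search(msg)
        if mig:
            report["migrations"].append((mig["vm"], mig["src_host"], mig["dst_host"]))
            continue
        con = CONSOLE.search(msg)
        if con:
            report["console_access"][con["vm"]].add(con["user"])
            if con["action"] == "opened":
                open_consoles[con["vm"]] = con["user"]
            else:
                open_consoles.pop(con["vm"], None)
    report["consoles_left_open"] = sorted(open_consoles.items())
    return report


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for key in ("logins", "direct_host_logins", "migrations", "consoles_left_open"):
        print(key, result[key])
    print("console_access", dict(result["console_access"]))
```

Run against the sample, the report lists four logins, two of which went straight to esxi01 (one over SSH from a desktop subnet, one from a vSphere client), one migration of web01, and one console (web01, opened by bob) that was never closed, which is exactly the forgotten-logout situation the diary describes.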

Let us know what your experiences with collecting and analyzing VMware logs are, and if you did something you'd like to share with our readers so everyone can benefit from your work.



Websense Triton 'favorites.exe' HTML Injection Vulnerability
Multiple Websense Products 'favorites.exe' Authentication Bypass Vulnerability
Websense Triton 'ws_irpt.exe' Remote Command Execution Vulnerability
Websense Triton Report Management Interface Cross Site Scripting Vulnerability

Posted by InfoSec News on May 01


By Sophie Curtis
01 May 2012

Security engineers at the University of Tulsa have found a way to
identify cyber attacks before they reach their target, enabling network
administrators to take pre-emptive measures to protect their IT systems.

In a report published in the International Journal of Critical

Posted by InfoSec News on May 01


TEHRAN, May 1 (MNA) -- National Police Chief Esmaeil Ahmadi-Moqaddam has said
that police have found clues about recent cyber attacks on a number of Iranian
ministries and companies.

In a statement issued on April 29, the Iranian Ministry of Science, Research,
and Technology said that it had repelled a cyber attack.

The ministry stated that no data had been lost as a result of the...

Posted by InfoSec News on May 01


By Ericka Chickowski
Contributing Editor
Dark Reading
May 01, 2012

April has been a brutal month for healthcare breaches, with three major
breaches disclosed accounting for nearly 1.1 million records lost. The
thread woven throughout each has been the role of insiders--both
malicious and inept--in triggering the...

Posted by InfoSec News on May 01


By Robert McMillan
Threat Level
May 1, 2012

The author of a software program credited with bringing war-driving to
the masses was Google’s Engineer Doe, the author of the company’s
controversial Street View Wi-Fi logging program, according to a report
in The New York Times.

The Google engineer who built the software, identified until now only as
“Engineer Doe,” is...

Posted by InfoSec News on May 01


Dr. Patrick Lin
The Atlantic
April 30, 2012

With the Cyber Intelligence Sharing and Protection Act (CISPA), we're in
a political tug-of-war over who should lead the security of our digital
borders: should it be a civilian organization such as the Department of
Homeland Security (DHS), or a military organization...