InfoSec News

With an eye towards updating the World Wide Web to better accommodate complex and bandwidth-hungry applications, the Internet Engineering Task Force has started work on the next generation of HTTP (Hypertext Transfer Protocol), the underlying protocol for the Web.
Oracle CEO Larry Ellison made a vigorous sales pitch on Tuesday for his company's next-generation Fusion Applications and underlying technology platform, saying they constitute a more modern approach to cloud-based software than offerings from rivals like Salesforce.com.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle has finally answered a big question hovering over its emerging family of cloud services: What do they cost?
Google has dropped one part of its wide-ranging patent-infringement battle against Apple, withdrawing a complaint to the U.S. International Trade Commission in which it had sought to block iPhones, iPads and iPod Touch models at the border.
Lenovo on Tuesday said it will open its first computer manufacturing plant in the U.S., where it will make laptops, PCs and tablets sold under its Think brand.
Aiming to reduce the administrative overhead of both Web administrators and digital marketers, Google has launched a service that will manage their website tags.
The National Institute of Standards and Technology (NIST) is offering a strong finale to National Cybersecurity Awareness Month with its third annual National Initiative for Cybersecurity Education (NICE) Workshop, Oct. 30 through ...
The operator of a mutual fund has pleaded guilty in U.S. court to charges that he operated a $13 million scheme to sell shares of Facebook and Groupon stock before their initial public offerings.
Microsoft co-founder Paul Allen today called Windows 8 'puzzling' and 'confusing initially,' but assured users that they would eventually learn to like the new OS.
Oracle is planning to broaden the footprint of its cloud software portfolio with seven new services covering developer team services, analytics, collaboration and other areas.
A U.S. judge has imposed a judgment of $163.2 million against a defendant accused by the U.S. Federal Trade Commission of being part of an operation that sold software to people it tricked into thinking their computers were infected with malicious software.
A pricing battle is looming in the desktop chip market after Advanced Micro Devices shipped aggressively priced Trinity desktop chips, which might prompt a price-reduction response from Intel, analysts said.
University researchers are studying the brains of honey bees in an attempt to build an autonomous flying robot.
Using an Android phone that takes opportunistic photographs, a proof-of-concept malware app has enabled researchers to build 3D models of rooms without attracting attention.

Deutsche Telekom is in talks with MetroPCS Wireless on a possible deal to combine T-Mobile USA with that carrier, MetroPCS confirmed in a statement on Tuesday.
Citrix XenServer CVE-2012-4606 Local Privilege Escalation Vulnerability
Microsoft's temporary, or 'pop-up,' stores will open Oct. 26 and will sell the Surface tablet, according to the company's website.
XSS Vulnerabilities in phpFreeChat
Security expert Jason E. Street explains why security pros must learn to communicate effectively to gain trust from management and empower employees.

WordPress CSS Plus Plugin Multiple Unspecified Security Vulnerabilities
Reminder: ClubHack2012 Call for Papers Closing Soon
The display on the Samsung Galaxy S III is thinner and has a greater range of colors than those on the iPhone 5's display, an IHS iSuppli teardown analysis revealed.
[ MDVSA-2012:155-1 ] xinetd
[ MDVSA-2012:156 ] inn
[ MDVSA-2012:152-1 ] bind
[security bulletin] HPSBUX02814 SSRT100930 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS)
Steve DelBianco is worried that the U.S. Congress will soon pass a law allowing states to collect sales taxes from most online sellers.
Amazon Web Services has expanded its free service tier to include its Relational Database Service (RDS), the company said on Tuesday.
Box announced on Tuesday a set of new and improved enterprise security and IT management features for its cloud-based file sharing and storage service.
Alfresco on Tuesday announced an API that will allow developers to integrate applications with the company's cloud-based content management service.
The United States ambassador to the E.U. on Tuesday told European telcos why the U.S. will not support their proposals to change International Telecommunications Rules.
HTC has upgraded its flagship smartphone, the One X, with a faster processor, twice the integrated storage capacity and a bigger battery, the company said Tuesday.
What would Cyber Security Awareness Month with a Standards theme be without discussing some semblance of PCI-related content? Carefully avoiding the debate over the benefits and drawbacks of PCI DSS, I'll instead focus on a recent read with a quick summary of the PCI Mobile Payment Acceptance Security Guidelines for Developers. This guideline hit my radar on 14 SEP courtesy of Ian's Dragon News Bytes and was intriguing, as I had just published Mobile application security best practices in a BYOD world a couple of weeks earlier in Information Security.
After discussing the security risks of mobile devices, the guidelines describe three core objectives:

Prevent account data from being intercepted when entered into a mobile device (crypto or trusted path)
Prevent account data from compromise while processed or stored within the mobile device (sandbox)
Prevent account data from interception upon transmission out of the mobile device (crypto)

Good start. Additional wisdom includes:

Prevent unauthorized logical device access (PIN, password, biometrics)
Create server-side controls and report unauthorized access (ACLs; monitor and log abnormal or anomalous events)
Prevent escalation of privileges (ixnay on the jail-break)
Create the ability to remotely disable the payment application (remote wipe/disable)
Detect theft or loss (location services, GPS)
Harden supporting systems (secure configuration)
Prefer online transactions
Conform to secure coding, engineering, and testing (SDL/SDLC)
Protect against known vulnerabilities (patching)
Protect the mobile device from unauthorized applications (trusted source), malware (AV), and unauthorized attachments (not that kind of attachment: what the device hooks up to or connects with. Think evil near-field comms here)
Create instructional materials for implementation and use (security awareness)
Support secure merchant receipts (opsec)
Provide an indication of secure state (like the padlock in your browser)

All common sense, but in my opinion not nearly enough substance to this 20-page document. Some sections are single sentences. 4.7 Prefer online transactions reads, in full: "When the mobile payment-acceptance application on the host is not accessible, the mobile device should neither authorize transactions offline nor store transactions for later transmission." Agreed, no doubt, but a bit more detail might be in order, something along the lines of implementation guidance.
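To show what the fail-closed rule in 4.7 looks like once it is actually implemented, here is an added example (not code from the guideline or from this diary). It contrasts a store-and-forward client, which queues the full account number on the device whenever the host is down, with a client that declines the transaction and retains nothing but a truncated receipt. The transport is a pluggable `send` callable; the hypothetical `online_host` and `offline_host` stubs and the sample card number are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class HostUnavailable(Exception):
    """Raised when the payment host cannot be reached; the transaction is declined."""


def luhn_valid(pan: str) -> bool:
    """Basic sanity check on an account number before anything is sent."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for merchant receipts: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class StoreAndForwardClient:
    """Anti-pattern: what 4.7 forbids. Offline, it approves locally and keeps
    the full PAN on the device for later replay."""
    send: Callable[[Dict], str]
    pending: List[Dict] = field(default_factory=list)

    def charge(self, pan: str, amount_cents: int) -> Dict:
        try:
            auth = self.send({"pan": pan, "amount": amount_cents})
        except ConnectionError:
            self.pending.append({"pan": pan, "amount": amount_cents})  # PAN at rest on device
            auth = "OFFLINE"
        return {"pan": pan, "amount": amount_cents, "auth": auth}


@dataclass
class FailClosedClient:
    """Follows 4.7: no offline authorization, no deferred transmission.
    Only truncated receipts are ever retained."""
    send: Callable[[Dict], str]
    receipts: List[Dict] = field(default_factory=list)

    def charge(self, pan: str, amount_cents: int) -> Dict:
        if not luhn_valid(pan):
            raise ValueError("invalid account number")
        try:
            auth = self.send({"pan": pan, "amount": amount_cents})
        except ConnectionError as exc:
            # Host unreachable: decline, and deliberately store nothing.
            raise HostUnavailable("host unreachable; declined, not queued") from exc
        receipt = {"pan": mask_pan(pan), "amount": amount_cents, "auth": auth}
        self.receipts.append(receipt)
        return receipt


def retains_full_pan(client, pan: str) -> bool:
    """Check whether the full PAN survives anywhere in the client's state."""
    return pan in repr(client.__dict__)


# Constructed stand-ins for the payment host (hypothetical, not a real API).
def online_host(msg: Dict) -> str:
    return "A1B2C3"


def offline_host(msg: Dict) -> str:
    raise ConnectionError("no route to host")


if __name__ == "__main__":
    card = "4111111111111111"   # constructed test number, not a real account
    bad = StoreAndForwardClient(send=offline_host)
    bad.charge(card, 1999)
    print("store-and-forward retains PAN:", retains_full_pan(bad, card))
    good = FailClosedClient(send=offline_host)
    try:
        good.charge(card, 1999)
    except HostUnavailable as e:
        print("fail-closed:", e, "| retains PAN:", retains_full_pan(good, card))
```

The point the single sentence in 4.7 leaves implicit is the second half: it is not enough to skip the authorization when offline, the device must also not accumulate a queue of account data waiting for connectivity, because that queue is exactly what a stolen or rooted device hands to an attacker.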
If you're looking for more depth to this conversation, consider SANS SEC575: Mobile Device Security and Ethical Hacking. This course is a recent addition and was designed to help organizations struggling with mobile device security by equipping personnel with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and from mobile code analysis to penetration testing and ethical hacking, this course will help you build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in your organization.
With device proliferation rampant and emerging technologies such as near field communication (NFC) used for payment transactions, standards in the mobile development and deployment space are already essential. Make use of them at the earliest opportunity.
Let us know how you're addressing these issues in your enterprises.
Russ McRee | @holisticinfosec

Samsung Electronics filed a motion in a U.S. federal court on Monday to add Apple's latest smartphone, the iPhone 5, to its patent lawsuit. Also on Monday, a judge lifted a sales ban on the company's Galaxy Tab 10.1.
Good Technology has acquired AppCentral, and plans to use the new technology to improve its ability to manage and secure mobile enterprise applications.
Former Pirate Bay host PRQ.se went down in the middle of a police raid on Monday, affecting hundreds of hosted sites and thousands of users of PRQ's other services. But the raid and the outage are unlikely to be related, according to PRQ's owner.
Toyota is demonstrating a new single-seater concept car at this year's Ceatec electronics show that works as a giant extension of the driver's smartphone.
Sharp is displaying for the first time tablet displays based on its IGZO technology at the CEATEC electronics show outside of Tokyo, amid persistent rumors Apple will use the displays in its upcoming tablets.
Facebook said that data collected from its partnership with loyalty-card tracker Datalogix shows people are swayed to make purchases after merely viewing an ad, even if they did not click on it.
Oracle touted what it called strong early adoption of its next-generation Fusion Applications, but also discussed how it will continue to support and add new features to the company's other business software lines, such as E-Business Suite and JD Edwards.
More Mac users took to OS X Mountain Lion last month even as the explosive growth of August slowed dramatically, Web measurement company Net Applications said Monday.
Tools are the least of your worries. Federal and other regulations, and internal policies, must be addressed before you buy anything to help automate the situation.
Security expert Brian Krebs has adopted a new approach to comparing the security of web browsers: counting active attacks. In his analysis, Internet Explorer fares far worse than a pure look at vulnerability numbers would suggest.

Monday marked the start of the 2013 federal fiscal year, and with it the release of a new batch of H-1B visas. But a job ad by IBM India has
Apple has received rare praise from a leading rights advocacy group for incorporating important new privacy enhancing features in its recently released iOS 6 operating system.
GNU glibc Multiple Local Stack Buffer Overflow Vulnerabilities
DM FileManager 'album.php' Remote File Include Vulnerability
Tyler Simpson knows a lot about reviewing tech products. The Seattle 14-year-old and his friend, Brandon Keller, have created several YouTube channels, including ThatAppleGeek, where they review products and report on technology.

Survey: What attack vector concerns you? Does infosec policy work?
SC Magazine Australia
In our latest survey – sponsored by Trustwave – we ask what your business considers the most significant threat vectors, and whether you believe policy can mitigate risk. Fill out your responses to each of the five questions, plus add your contact ...
