Hackin9

InfoSec News

r security information and event management vendor acquired. Well, O.K., the deals aren't that frequent, but standalone SIEM vendors have become popular acquisition targets. On Tuesday, TIBCO Software announced that it inked a deal to acquire SIEM vendor LogLogic.

Last fall, IBM bought SIEM vendor Q1 Labs and McAfee acquired NitroSecurity. SolarWinds, an IT management software company bought TriGeo, a SIEM provider that targeted midsize companies. In 2010, HP bought Arcsight and Trustwave acquired Intellitactics.

The TIBCO-LogLogic deal is a bit unusual - TIBCO is an integration software company and an unfamiliar entity in the security market. Palo Alto, Calif.-based TIBCO said the deal will expand its operational intelligence offerings while giving customers the ability to monitor threats, assess risks and address threats. The company is also describing the deal as a big data play.

“Enterprises must be able to analyze big data, including machine data generated from across their various systems, to gain comprehensive, real-time insights into critical business questions relating to compliance, security and operations,” the company said. “LogLogic will build upon TIBCO’s proven capabilities in event processing and in-memory analytics.”

San Jose, Calif.-based LogLogic touts its ability to provide SIEM and log management capabilities in a single architecture.

SIEM suppliers such as HP and IBM have been talking up the technology’s future as providing analytics and a comprehensive view of an organization’s threat environment. Time will tell if their efforts - and now TIBCO’s - will pan out.



 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A verdict against Megaupload in the U.S. would mean other cloud storage providers can be held criminally liable for illegal content stored by customers on their networks, an attorney representing the shuttered file-sharing site said on Tuesday.
 
Social networking service Path has upgraded the security of its mobile application in apparent response to a recent outcry over its data gathering practices.
 
Nearly 60% of smartphone users employ apps that access their location data despite having concerns about risks to their privacy and even personal safety, according to a survey conducted by ISACA, a nonprofit group that focuses on risk and security management.
 
Facebook will soon add place objects to its Open Graph API, making it easier for third-party developers to link their data about locations such as concert venues to Facebook users' personal posts.
 
This week, the U.S. began accepting H-1B applications for the next fiscal year. But the real battle, for now, is over the L-1 visa, and this fight just got bigger.
 
An optical scan vote tallying system, now used by some 300 U.S. municipalities, misreported the results of a Palm Beach County, Florida, municipal election last month.
 
RPM Multiple Denial of Service Vulnerabilities
 
Today's security information management systems (SIM) are excellent forensics tools, but they haven't yet achieved status as effective real-time security tools.

 
IT departments can have a big impact on a firm's profits, more than similar spending on R&D and some marketing endeavors, according to a new study.
 
Many sales teams have access to automation tools for better visibility. However, when you consider that the average sales rep has from 20 to 50 open sales opportunities at any given time, using those tools has unintended consequences, such as escalating the 'Big Data' problem. Cloud-based services may hold the answer.
 

Be careful with the links shown in this diary, because they might still be live and could infect your computer if not handled properly.

More and more scams are seen each day. In a previous diary I discussed a phishing attack sent to users so that attackers can own their computers. Today I will show you another attack using the same technique and the same malicious code.

I received today the following message:

The online reservation details link pointed to http://somostigreros.com.ve/s3JgEpEu/index.html. The document has a JavaScript pointing to four different URLs:

The JavaScript downloaded is the same in all four cases and points to another link:

We arrive at an obfuscated JavaScript. Let's see a snippet of it:

After decoding the script, I got the same JavaScript analyzed in my previous diary, which performs the following:

Identification of the browser being run.
Identification of the Adobe Flash and Adobe Reader versions.
Shellcode execution to download malware, but this time it is downloaded from http://207.210.101.44/q.php?f=4203de=1.
The malware is the same DLL discussed in my previous diary, but this time VirusTotal shows a 30/42 detection ratio. McAfee detects it as Generic.bfr!em, Symantec detects it as Suspicious.Cloud and TrendMicro detects it as TROJ_SPNR.11C912.


In addition to the measures previously discussed to mitigate this kind of threat, keep in mind that you can become a propagation vector for malware like the one shown here if you publish vulnerable servers to the Internet. Many attackers no longer want to shut down your server; they want to publish malware in non-visible locations inside your web server or web application. Please keep in mind the following:

Install all available patches for your operating system and base software. If you cannot do this because your application will stop working, you definitely need to put in place additional controls such as a Host Intrusion Prevention System (HIPS) and a Network Intrusion Prevention System (NIPS).
Test your web applications for vulnerabilities before publishing them on the Internet. If you don't do this, the attackers will be happy to do it for you.
If you are unsure whether your web server or web application has vulnerabilities, use a Web Application Firewall (WAF). I have found ModSecurity useful for putting that kind of protection in place.

Have you received this kind of threat inside your network? Let us know using our contact form.
Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org
 

It’s becoming a pretty safe bet that the reported Global Payments credit card security breach isn’t the only big breach out there. Visa and MasterCard, without naming Global Payments, reported a payment processor had been popped between Jan. 21 and Feb. 25. Global Payments Chairman and CEO Paul Garcia, however, said yesterday that his company discovered the hack in early March and that’s when it reported the breach to law enforcement and hired outside security help.

Likely there’s another shoe to drop. Brian Krebs has been killing it on this story, and he wrote yesterday on his blog and was quoted in an ABC News story that his initial report that 10 million payment records had been stolen could have been about a breach at another processor that has not been disclosed yet. Only 1.5 million have been attributed to the Global Payments breach so far.

Clearly, we’re not past the big data breach. Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

Over the weekend, Visa and MasterCard delisted Global Payments as PCI compliant, which indicates something nasty is going on with this breach behind the scenes. Maybe there isn’t another processor involved but deeper penetration into Global Payments that isn’t being reported until investigators say so. Martin McKeay, a former PCI QSA, has a good blow-by-blow into what happens to card data from the time it’s swiped, and how it moves through merchant and processor networks. There are plenty of places where data is exposed and security can fall down, and processors such as Global Payments have to continuously check these access and egress points, not just when it’s time for the PCI auditor to show up.

Other processors have been delisted; Heartland Payment Systems and RBS WorldPay in 2009 and CardSystems, which soon after went out of business in 2005. Global Payments said the reported breach (it says only Track 2 data has been stolen—account numbers and encrypted PINs) has been contained and no fraudulent transactions have been reported. Yet there’s a specter hanging over this story and Global Payments. Chances are, they’re not out of the water yet and should it fall, a la CardSystems, it’s another reminder that basic security measures still count, and hiding in the weeds hoping not to get hacked is a fool’s errand.



 

UPDATE: Apple just released Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7, which address this vulnerability. You can download the new versions from http://www.apple.com/support/downloads. The release notes are available at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

If you own a MacOS computer, you might want to disable Java for a while until Oracle develops a patch for the CVE-2012-0507 vulnerability, because there is a Blackhole Exploit Kit version in the wild exploiting this vulnerability, and it can also be exploited using Metasploit.

If you want to disable the Java plugins on your MacOS computer, Marcus J. Carey created a video showing how to do it.

More information about this issue at https://www.f-secure.com/weblog/archives/00002341.html
Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org
 
Top coordinators of the OpenStack project shot back at Citrix for dropping its support for the open-source cloud development platform in favor of starting a separate open source project based on an Apache license.
 
The LG Viper 4G LTE smartphone will be available for pre-order April 12 with a price tag of $99.99, and a two-year service agreement and rebate, Sprint said.
 
Facebook has denied Yahoo's claims of patent infringement and shot back with counterclaims that Yahoo infringed 10 Facebook patents.
 
Outdated SIEM systems were difficult to deploy and costly to maintain, according to one expert. Today, CISOs are considering highly integrated, lightweight systems with more automation.

 
Securing computers against unlawful and malicious attacks is always important, but it's especially vital when the computers in question control major physical systems: manufacturing plants, transportation systems, power grids. ...
 
The Associated Press in late March reported on the issue of employers asking job applicants for their Facebook passwords, citing new and old incidents. The story apparently hit a sore point because it was all over the press within a day or so and in short order politicians were posturing and reaching for the limelight by introducing legislation to ban the practice and sending letters to enforcement agencies demanding action.
 
StorSimple has introduced four cloud-connected storage appliances that offer better performance and more local capacity, the company said on Tuesday.
 
Sixteen U.S. senators have called on the U.S. Federal Trade Commission to focus on the use of pirated software by foreign manufacturers on the grounds that those companies unfairly compete with U.S. businesses.
 
Upromise, a Web service accused of collecting extensive information about its users without their consent, will be required to clearly disclose its data collection practices and obtain user consent before installing a browser toolbar on their computers.
 

ORLANDO - If you’re currently evaluating mobile device management software you may want to stop and instead conduct a thorough assessment to figure out your exact requirements before making that investment. In fact, two security experts at the 2012 InfoSec World Conference and Expo here in Orlando say some enterprises may not have an immediate need to buy a mobile device management (MDM) platform. In-house capabilities, such as Microsoft Exchange Active Sync (EAS), provide a foundation for mobile device protection and can already use certain Apple iOS and Google Android device security features.

There’s a trade-off, explained Lisa Phifer, owner and consultant of Core Competence Inc. EAS is severely limited in the control it provides to employee-owned devices. If all the organization needs is to enforce password and PIN length and have remote wipe capabilities for iOS devices, it works. Android capabilities are even more restricted, Phifer said. Depending on the Android firmware version and the carrier limitations placed on devices, companies may have the ability to use EAS for remote wipe, resetting the device to the factory default condition and enforcing the use of a device password.

During a session here in Orlando, Phifer and Diana Kelley, a consultant with Security Curve, demonstrated mobile device management platforms from AirWatch and Fiberlink. The two platforms are among dozens of mobile device management offerings vying for the attention of enterprises looking to gain visibility and control – some semblance of security – over the whole bring your own device (BYOD) movement.

Kelley said early adopters of MDM platforms sometimes are convinced to buy and deploy it, but then suddenly realize they don’t know how to manage the tool or exactly what they want to get out of it. These enterprises sometimes lack any formal mobile device security policies or sometimes they’re mismatched, she said. Senior-level executives have few restrictions on their devices, while sales staff and other employees are given device limitations. Ultimately, an attacker will find a weakness, she said.

So what exactly are the benefits of an MDM platform? MDM tools can help bring those policy mismatches in line by managing what users require the most restrictions based on their role. They provide a common management umbrella for device diversity; they typically can embed additional security capabilities onto the device such as a third-party VPN, antimalware or a secure data container. They can also help monitor and enforce security policies – but those policies have to be well defined and communicated to employees, Kelley said. Let people know what the penalty is for violating that policy.

MDM platforms can also create a framework for the enterprise to provide troubleshooting, support and expense management capabilities. Self-service portals controlled by the enterprise enable employees to use certain trusted apps.

I think Phifer summed up mobile security well: It’s about managing the corporate assets on the device, not necessarily the device itself.



 
As the IT silos come down, tech pros need to beef up their skills to stay relevant and maximize the business benefits of cloud computing, virtualization, unified networking and big data, according to Cisco and EMC, which have teamed to offer training targeted at tech's hottest data center disciplines.
 
Some enterprise customers just aren't comfortable throwing their data into a public cloud environment, says Ellen Rubin, vice president of cloud products for Terremark, which is owned by Verizon.
 
SAP is hoping to stake out some turf in the predictive analytics software market with a new application, BusinessObjects Predictive Analysis software, which was announced Tuesday.
 
Mozilla has blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions.
 
For the first time ever, and probably only temporarily, Microsoft can be counted as a key contributor to Linux.
 
HTC vs Samsung vs Motorola
 
IT managers in business and government can consolidate management of smartphones and tablets on BlackBerry, iOS and Android platforms with the new Blackberry Mobile Fusion launched Tuesday.
 
The breached credit card processor assured investors that the damage has been contained and its security procedures worked. But for nervous card holders with additional questions, a basic website statement will have to do.
 
Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability
 
Apache HTTP Server Solaris Event Port Pollset Support Remote Denial Of Service Vulnerability
 
Shaw reviews HP's TopShot LaserJet Pro M275.
 
The Internet's governing body, The Internet Corporation for Assigned Names and Numbers, holds three public meetings per year to discuss how ICANN can help make the network more secure and to encourage end-to-end interoperability. The most recent meeting in Costa Rica in March featured two rich information sharing sessions, one on the new generic top-level domains (gTLDs) program and the other on Domain Name System Security Extensions (DNSSEC).
 
Users need to become better at asking cloud providers questions about the finer points of availability and vulnerability management in contracts, according to a new guide from the European Network and Information Security Agency.
 
In the course of our careers, there are occasionally confluences of events. Those moments should be seized. (Insider; registration required)
 
Linux Kernel 'Clone()' Function 'CLONE_IO' Flag Multiple Denial Of Service Vulnerabilities
 
Citrix is giving its cloud deployment platform an Apache license, marking a migration away from the evolving OpenStack project and an embrace of Amazon Web Services offerings.
 
Dell said Tuesday it has purchased application modernization vendor Clerity Solutions, in its second enterprise software-related acquisition news this week.
 
Asavie Technologies launched a cloud-based secure VPN service for iOS devices for corporate workers to access data from anywhere in the world.
 
 
Tripadvisor and Expedia are the two latest companies to complain to Europe's competition regulators about Google.
 

New information security association launched
Info4Security
The Information Security Vendors Association (ISVA) will be launching its initial charter and kicking off its recruitment campaign at Infosec Europe in London later this month. ISVA has a stated aim to become a global organisation founded on democratic ...

 
Citrix has abandoned its Olympus OpenStack distribution and will focus instead on its open-source CloudStack operating system, which it has contributed as a project under the Apache Software Foundation.
 
Europe's top competition regulators have launched two antitrust investigations into Motorola Mobility.
 
Samsung's low-cost tablets, the Galaxy Tab 2 (7.0) and Galaxy Tab 2 (10.1), have been delayed, and will now start shipping in the U.K at the end of April, the company said Tuesday.
 
Google is responsible for misleading and deceptive ads that use the name of a company to direct traffic to a competitor's site, an Australian court ruled on Tuesday.
 
Terremark is offering enterprises a new private cloud service that includes the option to burst onto a public cloud.
 
A few simple changes can eliminate many of the irritating calls that drive users and call-center staffers alike up the wall.
 
When Amazon Web Services launched a few years ago, the venture capital community wasn't a big fan.
 
ARM is setting up a joint venture with security technology companies Gemalto and Giesecke & Devrient to arrive at a common security standard for connected devices such as tablets, smart-TVs, games consoles and smartphones, the company said Tuesday.
 
Sensing a change in the way customers store and analyze data, IBM has updated its flagship DB2 relational database management software to handle a wider range of data processing duties. The company has also updated its InfoSphere data warehouse software, IBM announced Tuesday.
 
Google has acquired TxVia, a payments technology company, to complement its own payments capability, the company said Monday.
 
Adobe Systems has released a malware classification tool in order to help security incident first responders, malware analysts and security researchers more easily identify malicious binary files.
 
Hitachi Global Storage Technologies today announced its first enterprise-class 4TB desktop hard drive, which offers one-third more capacity than its predecessor.
 
Nokia's Lumia 900 smartphone goes on sale April 8 in what many analysts see as a do-or-die moment for Nokia and Microsoft's Windows Phone OS in the key U.S. market.
 

Posted by InfoSec News on Apr 02

http://www.bankinfosecurity.com/articles.php?art_id=4636

By Jeffrey Roman
Bank Info Security
April 2, 2012

At least 500 debit accounts in New Zealand have been linked to skimming
at five compromised ATMs owned by ANZ Bank and National Bank in
Auckland. And authorities say that's likely just a fraction of the total
damage, since some compromised accounts have not been detected or yet
reported.

ANZ Bank issued an alert on its website...
 

Posted by InfoSec News on Apr 02

https://www.computerworld.com/s/article/9225738/Global_Payments_says_1.5M_cards_affected_in_data_theft

By John Ribeiro
IDG News Service
April 2, 2012

Payments processing services company Global Payments said late Sunday
that information on as many as 1.5 million card numbers may have been
"exported" as a result of an unauthorized access into its processing
system.

Visa and MasterCard are alerting banks across the country about a...
 

Posted by InfoSec News on Apr 02

http://www.dailymail.co.uk/news/article-2124257/Another-blow-Al-Qaeda-Terror-organisation-believed-victim-cyber-attack-websites-shut-down.html

By Daily Mail Reporter
2 April 2012

Al Qaeda has been dealt another blow after a number of the terror
organisation's web forums were shut down in an apparent cyber attack.

According to The Washington Post, five Al Qaeda websites promoting a
'jihad' or holy war against the West have been...
 

Posted by InfoSec News on Apr 02

http://www.cmio.net/index.php?option=com_articles&view=article&id=33116:stolen-laptop-affects-34k

By Jeff Byers
CMIO.net
April 2, 2012

Washington, D.C.-based Howard University Hospital has sent a letter to
34,503 patients informing them of a potential disclosure of protected
health information that occurred in late January.

A former contractor’s personal laptop containing patient information was
stolen, according to a statement...
 

Posted by InfoSec News on Apr 02

http://www.globalpost.com/dispatch/news/regions/europe/germany/120331/switzerland-arrest-warrants-german-tax-inspectors-espionage

By Samantha Stainburn
GlobalPost
March 31, 2012

Switzerland has issued arrest warrants for three German tax inspectors,
the Associated Press reported. Their alleged crime: economic espionage
for buying the details of German tax evaders’ Swiss bank accounts.

The three civil servants could be arrested if they...
 