InfoSec News

TippingPoint's disclosure team will give vulnerable vendors six months to create a patch.

 
It's not even the holiday season yet, and we've got a bunch of boxes coming in daily. This also means that I need to catch up on writing about some items that have been sitting here lately. These are cool items that are easy to talk about quickly without writing a full review.
 
Gray-haired system administrators dominate the hallways and meeting rooms at the IBM Share conference, and not always by choice. Businesses haven't been hiring a lot of new IT employees and, in some cases, retirements have been put off as a result of the downturn.
 
Two labor unions have asked Dell shareholders to withhold their votes for Chairman and CEO Michael Dell to remain as a director on the company's board following a $100 million accounting practices settlement the company made with the U.S. Securities and Exchange Commission.
 
RIM's new BlackBerry Torch 9800 may not pull iPhone or Android users, but it will make BlackBerry loyalists happy
 
Reports are circulating that Intel is in talks to buy Infineon's wireless chip unit, which could be a boost to Intel's efforts to gain footing in the smartphone market.
 
Research In Motion executives on Tuesday said the company isn't ignoring Flash, but continuing to work with Adobe Systems on bringing support for the multimedia platform on its mobile devices.
 
Samsung today announced a three-platter hard drive that is still capable of holding up to 2TB of data, while lowering the power consumption over previous four-platter drives.
 
 
Although some had hoped that Microsoft would violate its own patching policy, the company yesterday stuck to its guns and declined to provide a fix for a critical bug to users running Windows XP Service Pack 2.
 
Kingston Technology is offering its first water-cooled DDR3 memory, a dual-channel and triple-channel product that has greater reliability and longevity than its air-cooled memory products.
 
Google has fixed a flaw in its Audio CAPTCHA software that could have given scammers a way to automatically set up phony accounts with the company's services.
 
A comment to my earlier lightning diary pointed out that NOAA warned of a large solar eruption that happened on Sunday (August 1st). NOAA monitors Space Weather [1] in an effort to protect satellites. In this case, the effect may be large enough to cause some problems on the ground as well.
These events are not all that unusual, and in most cases there is little ground-based damage, if any. Long-distance radio transmissions and satellite communications are usually affected first. Given our reliance on systems like GPS, an outage may have indirect ground-based effects. Sensitive electronics may be affected and outdoor radiation levels may be higher than normal. Long-distance power lines may also be affected by the associated changes in the earth's magnetic field as well as by charged particles.
On the fun side: this may lead to more northern lights. Maybe check them out after dark for the next couple of days.
[1] http://www.swpc.noaa.gov/today.html

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Consulting, systems integration and outsourcing vendors must prepare themselves for life in the cloud, too, says Forrester Research. For traditional IT service providers, cloud is bad news in the short term, but is it really good news in the long term?
 
Do you have more than one Google (or Gmail) account? If so, you've undoubtedly encountered the hassle of juggling them in your browser. You have to sign out of one in order to sign into another, and on and on. Major pain.
 
Microsoft will beta a version of Visual Studio for business managers, called Visual Studio LightSwitch
 
The reported problems Amazon had last week in negotiating a contract with Eli Lilly point to a disconnect between what cloud providers offer and what large enterprises expect -- though some analysts say they also reflect a lack of flexibility at Amazon.
 
Research In Motion and wireless carrier AT&T officially announced the new 3G BlackBerry Torch 9800 smartphone at a media event in New York City.
 

Remote iPhone Jailbreak Using PDF Exploit Should Serve as Wake-Up Call
TrustedSource (blog)
I do this for many reasons, but mainly for console-level access and the darn cool infosec tools that are available through Cydia. Like many iPhone users, ...
 
The exploit used to jailbreak Apple's newest iPhone operating system is both "beautiful" and "scary," a noted vulnerability researcher said.
 
In almost any CRM system, there's a field in the leads object that indicates the source of the lead. In most systems, that lead source field is carried along as the lead is converted to a contact and an opportunity. Clean — simple — and wrong.
 
Data-leak prevention is growing at 10% a year, a bit slower than anticipated but still pretty fast compared to other security technologies. In this year's research we see DLP use or active evaluation among 36% of research participants. The primary driver is compliance, as with most security funding. In looking at DLP deployment over time we noticed something very interesting: quite a few companies that deployed DLP last year pulled back on their deployments because of a backlash from users and management.
 
This weekend, I had a pretty bad lightning strike hit my house. The kind where you see sparks hitting the street in front of the house and your dog jumps in your lap. Overall, lightning is a pretty common phenomenon around here. I live in Florida, which appears to be #1 in lightning strikes and casualties in the US [1]. For the 5+ years I have lived here, the power grid has actually been rather stable during lightning storms, but lately I have had a string of bad luck and would like to share some lessons learned:
So far, I have had no damage to equipment completely protected by a UPS/surge protector. I use various types of UPSs, and all have performed well so far. Some are rather old and have hardly any battery life left. But they still work well enough for the power spikes/dips that show up during electrical storms.
The damage I had, in particular in the last storm, affected exclusively network equipment and network interfaces. I assume that the surge entered via the network. I lost two switches and the wired network interfaces in two PCs. Otherwise, the PCs work fine. So far I had not used any network surge protectors, but I have now started to use the surge protectors provided by the UPS. This appears to work fine, but in some cases the network now runs at half duplex and no longer in duplex mode. I looked into stand-alone network surge protectors for some devices, and it turned out to be a bit hard to find one that supports gigabit Ethernet. But they are available. The UPS network surge protection is only supposed to work up to 100Base-T, but it synced fine at gigabit (no duplex).
A thunderstorm a couple of months ago caused some interesting damage to my cable modem. I was only able to upload 1 MByte in a single connection. This was very weird, as it also applied to connections inside VPN tunnels; the cable modem shouldn't really be able to see what was happening. But sure enough, swapping the modem fixed the problem. I added a surge protector for the cable line as well. One reason I had not done this before was that I had bad experiences with surge protectors and cable modems in the past. But my new cable modem (like many others) provides a status screen, and the signal-to-noise number did not suffer significantly after adding the surge protector. The surge protector replaced a simple straight-through connector, which may have caused a similar loss.
A couple of other hints:
- do not plug surge protectors into a UPS. If the UPS runs on batteries, it will usually generate a stepped sine wave, which may destroy surge protectors (it is particularly tricky to find power strips without a surge protector)

- do not plug a UPS into a UPS (same reason as above)

- lightning damage can be subtle. None of my equipment has any visible damage

- proper grounding of all lines entering the house is important (around here, I find that utility companies are pretty good about that)

- once the power is out, turn off the main fuse to the house. But beware: the main fuse can be hard to flip. Depending on the nature of the outage, you may have some surges and unstable power until the damage is repaired (if you want to know when power comes back, just flip all the individual fuses other than one or two that only power lights)
If you are considering a backup generator: I looked at many options, but haven't been able to justify one so far. This last outage was 10 hrs long and was by far the longest I have seen. My backup plan is a well-charged laptop and a 3G data card to keep me connected. If you are considering backup power for a server room, don't forget the AC! For the generators I looked at, the cost to install was almost as much as, if not more than, the cost of the generator. If you do use a portable generator to power individual devices, make sure you do NOT plug the generator into your house wiring before disconnecting the main fuse.
As a quick summary: Surge protectors work. They will probably not save your equipment if the lightning storm rips the electrical wiring out of your walls, but they can help against some pretty nasty strikes. Unplugging your equipment (and WiFi :) ) is better, but not always feasible.
[1] http://www.srh.noaa.gov/mlb/?n=lightning_stats
------
 

Using The 36 Stratagems For Social Engineering
Dark Reading (blog)
Each copy was signed by many wonderful members of the infosec community, and I was the lucky winner of the Hackers for Charity copy. ...

 
This coming week I will have waited more than 200 days (more than six months) for my $100 Motorola Droid rebate from Verizon. I bought this phone in late December 2009, and submitted the rebate request on January 10, 2010. Verizon acknowledges that they received the rebate request, but they have not managed to send me a usable rebate yet. I did receive a rebate money card from them, but this card could not be redeemed because I received the card after Verizon had canceled it as a nonreceived money card. The replacement card, promised to me about three weeks ago, has yet to show up.
 
Legally, do you dare trust your business's data to the cloud?
 
Some BlackBerry users in the United Arab Emirates will get to choose a new, free replacement smartphone as a result of the U.A.E. government's decision to suspend data services on Research In Motion's smartphones, mobile operator Etisalat announced on Tuesday.
 
Apple's iOS has reached the point where iPhones and iPads can be safely deployed for most enterprises, according to a new report from Forrester Research.
 
If the word "smartphone" has ever struck you as ironic, you aren't alone. Thank your lucky stars these horrors didn't happen to you
 
Techies share their most noteworthy IT experiences in InfoWorld's Off the Record blog
 
We looked at four 15.5-in. laptops that cost around $700 and found that you get a lot for your dollars.
 
Cisco Systems has settled a 2008 lawsuit in which independent network maintenance company Multiven charged that Cisco forced customers to buy its SMARTnet service plan in order to get bug fixes and software updates.
 
Hewlett-Packard has reached a settlement with the U.S. Department of Justice over allegations that HP paid kickbacks to systems integrators in order to help it secure government contracts, the company said on Monday.
 
A secretive volunteer group that tries to track terrorists and criminals on the Internet went to the Defcon hacker conference this past week in hopes of recruiting information security experts, but it will first have to overcome some skepticism.
 
