InfoSec News

The trade press is filled with stories about companies getting into big regulatory trouble over lost backup tapes [1][2]. The tricky part is that usually, one reason companies use backup tapes is the ability to archive backup tapes offsite for extended periods of time. Terabytes by Terabytes, rotating cheap SATA disks usually is cheaper and faster, but hard drives dont have the offline persistence of backup tapes.

But with offsite storage comes loss of physical control. You hire a reputable, but not too expensive, records company to pickup the tapes, and store them at what you hope to be a secure facility. So I was a bit surprised to find a drum full of backup tapes dumped into an alley close to my house. The drum was filled with LTO data tapes commonly used in backups. The tapes looked in good shape, but a bit wet due to being exposed to rain. I dont have a sacrificial reader to try them out (given that they are wet, I dont want to put them in a good reader that is still in use). There are no markings showing the owner of the tapes either on the drum or the tapes themselves, but a couple have pencil markings (like a letter and a number) indicating that they may be used.

At this point I can only speculate what the tapes contain. There are a number of hospitals in the immediate area (couple miles), and I have found medical supplies and lost/discarded patients before. But so far no records. The same pile of trash also includes a similar drum with an address label, and I have yet to be able to contact that company.

So do you audit whoever stores, and discards, your tapes? Would it make sense to identify the owner in case they are found? Or is this just increasing the risk? Do you encrypt backup tapes before sending them offsite?




Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Attackers can read emails, contacts and other private data from the accounts of Yahoo users who visit a malicious page by abusing a feature present on Yahoo's Developer Network website, says an independent security researcher.
The SANS Institute NetWars CyberCity aims to boost critical infrastructure protection and incident response in a unique training environment.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Some security industry veterans fear regulatory overreach, others believe an executive order won't go far enough.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Ever since I started out in the enterprise IT industry, I've heard about two continual IT challenges businesses have seemed to battle with for years: hectic, repeated and complicated system downtime, and the short lifespan of workplace PCs, typically limited to just two to three years.
An effort by three U.S. senators to add an Internet sales tax amendment to a military spending bill has failed, at least for now.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Re: phpGiftReq SQL Injection
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Autonomy founder Mike Lynch has created a new website where he will apparently keep a running stockpile of his responses to Hewlett-Packard's allegations of accounting fraud at the vendor.
Popular online social networking site Tumblr was ravaged on Monday by an Internet worm that spewed racist and inflammatory messages across thousands of user accounts.
Google is offering Android application developers a chance to use some of the advanced mapping features it had previously made available only on Google's own applications.
[SECURITY] [DSA 2580-1] libxml security update
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday

Exploit code for two different implementations of SSH were made public yesterday. Tectia SSH (www.ssh.com) a commercial solution and freeSSH/freeFTP. I currently do not see any public announcements from the vendor, nor any CVEs for tracking.

More to come on this.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Generally speaking, if youre on the run from the authorities over a homicide, youre probably best laying low and not making too much noise. Sure, there is a case for trolling the man, but it usually comes back to haunt you.

Take the case of John McAfee who is currently on the run. A journalist for a shady website involving narcotics is apparently spending some time with him while hes on the run. It put up a post with a picture with John and the Editor-in-chief of said publication. (You can find it without too much effort, but its NSFW).

Well, if you download the picture and use any of the standard tools to get metadata (I use exiftool), it happily reports not only the make and model of the camera, but the GPS coordinates of where the picture was taken (today).)

A humorous post to point out something many of us dont realize, our smartphones and devices are increasingly location-aware and that information makes it into the media that those devices create.

UPDATE: The website with the original image has replaced it with images that do not have GPS coordinates in them.

See earlier SANS ISC posts on EXIF/location information:

Twitpic, EXIF and GPS: I Know Where You Did it Last Summer

Snipping Leaks


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Fugitive anti-virus technology pioneer John McAfee, who is being sought by Belize authorities in connection with the murder of his neighbor there, described himself as a 'foolish man' in an interview televised on CNN on Sunday.
Microsoft's upcoming Surface Pro tablet sums up the company's seeming strategy with Windows 8: That business users can do with one device what they currently accomplish with two.
A week after downplaying reports of a major discovery on Mars, NASA announced that the rover Curiosity has found complex chemicals on the surface of the planet.
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
President Barack Obama took to Twitter today to try to build support for his tax plan.
SEC Consult SA-20121203-0 :: F5 FirePass SSL VPN Unauthenticated local file inclusion
Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Samsung and Dell printers Firmware Backdoor Unauthorized Access Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-4213 Use After Free Memory Corruption Vulnerability
Mozilla Firefox, SeaMonkey, and Thunderbird HZ-GB-2312 Cross Site Scripting Vulnerability
President Barack Obama is taking to Twitter today to try to build support for his tax plan.
Just a few days after Ericsson filed several patent-infringement lawsuits against Samsung in the U.S., the Swedish mobile phone company also filed a complaint with the U.S. International Trade Commission (ITC), asking for an import ban of a wide range of Samsung products, including the Galaxy S III and the Galaxy Note.
OpenStack Keystone CVE-2012-5571 Security Bypass Vulnerability
OpenStack Token Expiration Security Bypass Vulnerability
tinymcpuk xss vulnerability
MySQL Denial of Service Zeroday PoC
MySQL (Linux) Database Privilege Elevation Zeroday Exploit
MySQL (Linux) Heap Based Overrun PoC Zeroday
Marvell's upcoming 8864 chipset for the 802.11ac Wi-Fi standard can achieve gigabit speeds thanks to multiple antennas for reception and transmission, but wireless routers and access points based on the component won't arrive until the middle of next year.
Free or open source databases run hundreds of millions of public-facing and private applications worldwide, but how effective is this technology and how do these products compare? For answers, we reviewed six popular free or open source database products: Microsoft SQL Server Express, PostgreSQL, Oracle's MySQL, MariaDB, Apache Derby and Firebird SQL.
AT&T said Monday it has upped its LTE wireless network reach to 109 markets, by adding six cities in Puerto Rico as well as Albuquerque, N.M., Reading, Pa. and Salt Lake City
FortiGate FortiDB 2kB 1kC & 400B - Cross Site Vulnerability
[SECURITY] [DSA 2577-1] libssh security update
Low severity flaw in RIM BlackBerry PlayBook OS browser
ESA-2012-052 RSA NetWitness Informer Cross-Site Request Forgery and Click-jacking Vulnerabilities
Apple today said that the iPhone 5 will reach retail in South Korea on Dec. 7 and another 54 countries later this month.
With online holiday shopping on the rise, and mobile-device shopping coming into its own, the need to be aware of the necessary security precautions has grown.
The developers of the MySQL clone MariaDB have fixed a recently discovered security vulnerability in the open source database. Another bug, they say, is actually just a result of server misconfiguration


At my last two speaking engagements, I asked a simple question: Have you, or anyone you know been infected with malware on you smartphone? So far, no one has raised their hand.

Id like to ask the same question here, since theres a much wider audience of people who have the skills/instinct to notice such an infection.

If you, or someone you know (no friend of a friend reports, please) have witnessed a mobile malware infection in the wild please leave a comment below or send in a report via our contact page.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The U.S. Senate failed to muster enough votes to move forward on the Cybersecurity Act.
In the test period between September and October, MSE narrowly missed the laboratory's certification criteria becoming the only product in the test to fail to be certified

Pope Benedict XVI will extend his online presence to Twitter and start answering questions put to him via the social network in English and seven other languages.
Nokia Siemens Networks is selling its optical networking business unit to private investment firm Marlin Equity Partners, the latest in a series of sell-offs as the vendor concentrates on mobile broadband networks.
Hewlett-Packard Monday released three platform upgrades that include new models of its Converged Storage platform, its StoreAll data archive and StoreOnce backup appliances.
IBM Director CIM Server Privilege Escalation Vulnerability


Backbone Security announces latest version of Steganography Application ...
You are here: Home » Business » Backbone Security announces latest version of Steganography Application Fingerprint Database for InfoSec and Digital Forensics. Backbone Security announces latest version of Steganography Application Fingerprint ...

and more »
Google has updated the Stable and Beta channels of its Chrome browser and Chrome OS. The Chrome update includes a fix for a vulnerability Pinkie Pie discovered in 64-bit Chrome

This holiday shopping season is being powered in part by demand for electronics, including boatloads of new tablets and smartphones, most of which will wash into enterprises in early January in a veritable bring-your-own-device (BYOD) tsunami.
Shaw reviews Brother's OmniJoin Web and videoconferencing service.
To a lot of people, it seems as if we geeks are always battling for supremacy in the Always-Need-to-Be-Right Club.
When two candidates look equally good on paper, how do you choose between them?
The CIO wants to know if rogue IT is a problem. 'Probably,' says our manager. Now he better find out how bad it is.
The problem is that far too many people have forgotten User Interface 101: Make it easy.
Headquarters staffers often belittle the importance of functions located elsewhere, and they just as often have things backward.
Hewlett-Packard vows to 'aggressively' seek recompense for alleged fraud on the part of U.K. software vendor Autonomy, which HP acquired in a $10.3 billion deal last year.
Budget woes are forcing the U.S. to extend by two to four years its target for finishing work on an exascale supercomputer, increasing the likelihood that the Chinese will get there first.
The scandal that caused the resignation of Gen. David Petraeus stands as a cautionary tale about how difficult it is to ensure email privacy.
Now that holiday gift-buying season is under way, IT managers should be prepared for a fair amount of that shopping being done at work.
Computer sellers have scaled back their expectations of the sales pop they'll get from Windows 8 this year, an analyst said recently.
On Advent Sunday, the hacker who goes by the name of KingCope released exploits that allow attackers to bypass access restrictions in MySQL and in two particular SSH servers

Hitachi has a system that can analyze how happy your organization is and maybe even re-engineer it to make it happier!
That there is nothing unusual about either of these anecdotes is what makes them so remarkable.

Posted by InfoSec News on Dec 03


By Rowan Scarborough
The Washington Times
December 2, 2012

The Pentagon’s top weapons tester has given a failing grade to the
Army’s premier battlefield intelligence processor, which troops in
Afghanistan have criticized as being too slow and unreliable in sifting
data to find the enemy.

A Nov. 1 memo from the Defense Department’s Operational Test...

Posted by InfoSec News on Dec 03


By Ida Torres
Japan Daily Press
December 3rd, 2012

Japan Aerospace Exploration Agency (JAXA) admitted last Friday that data
regarding an experimental rocket has been possibly stolen through the
use of a computer virus that infected one agency computer. In the
announcement, JAXA says that a computer at its Tsukuba Space Center
northeast of...

Posted by InfoSec News on Dec 03


By Dan Goodin
Ars Technica
Dec 2 2012

Be careful what you type on your computer while surfing the Web. It very
well could be funneled to a script kiddie who has appropriated a handful
of lines of code and inserted it into his site.

The hack has been possible for years, but two proofs of concept
published this month graphically...

Posted by InfoSec News on Dec 03


By Taylor Armerding
November 30, 2012

More than six years after the Veterans Administration (VA) suffered one
of the worst data breaches in history, it is still a long way from
closing off the vulnerability that made the breach possible: lack of

It was on May 3, 2006, that a laptop and external hard drive containing
an unencrypted national database with...

Posted by InfoSec News on Dec 03


By Steven Musil
Security and Privacy
December 2, 2012

The United States faces "the cyber equivalent of the World Trade Center
attack" unless urgent action is taken, a former U.S. intelligence chief

John "Mike" McConnell, who served as director of the National Security
Agency under President Clinton and...
Internet Storm Center Infocon Status