InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Yahoo acknowledged on Thursday that its new CEO, Scott Thompson, does not hold a degree in "accounting and computer science" as his resume and the company's financial filings claimed, and instead majored only in accounting.
VMware Thursday announced that its SocialCast sharing tool will now work with Lithium Technologies tools to capture and integrate external customer data.
Facebook will be valued at US$85 billion to $95 billion, rather than the $100 billion that had been widely rumored, The Wall Street Journal reported Thursday.
Oracle and SAP are at odds over whether the concept of "hypothetical" software license fees can be factored into damages in the upcoming retrial of Oracle's intellectual-property lawsuit against SAP, and the outcome could sharply affect the scope of any judgment in the case.
A group representing authors in a copyright case slammed Google in court on Thursday, saying the company's book-scanning project has hurt millions of authors whose works have been digitized.
A Windows developer, upset at the likely demise of Windows Live Writer as part of Microsoft's move to retire the Live brand, has launched an online petition drive to save the tool.
Apple's iPad reclaimed a larger share of the global tablet market last month, in part because of a more-serious-than-expected slump in sales of the hot Kindle Fire in the first quarter, IDC analysts said today.
Microsoft said a member of its confidential Active Protections Program leaked information that prompted an exploit targeting a flaw patched in March.

Samsung on Thursday unveiled a larger Galaxy S III smartphone in London, and said the phone would be sold in the U.S. this summer after launching in Europe on May 29.
Microsoft said it plans to address flaws in Windows, Office, Silverlight and the .NET Framework.

Users of mobile apps need more information about the ways those apps use their personal information, a group of experts agreed Thursday, but they didn't agree on who is most responsible for protecting user privacy.
Microsoft today said it would ship seven security updates next week, three critical, to patch 23 bugs in Windows, Office and its Silverlight and .Net development platforms.
Recognizing that health information exchanges will be built by public and private efforts, the U.S. government office in charge of healthcare IT said it wants to promulgate HIE adoption by developing technical standards and offering incentives to healthcare companies.
[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page
Following an ongoing industry trend, Sage Group is moving a number of its ERP software products to Microsoft's Azure cloud service.
Although the U.S. Interior Department plans to replace its on-premise email servers with Google Apps' cloud-based Gmail, the agency will retain Microsoft Outlook and Office as its standard e-mail client and desktop office productivity software for end users.
FreeBSD Security Advisory FreeBSD-SA-12:01.openssl
Advisory: Android SQLite Journal Information Disclosure (CVE-2011-3901)
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
[SECURITY] [DSA 2464-1] icedove security update
VMSA-2012-0009 VMware Workstation, Player, ESXi and ESX patches address critical security issues

OpenX Promises Fix for Rogue Ads Bug
Krebs on Security
This problem first came to my attention after I read a blog post by infosec researcher Mark Baldwin, who wrote late last month about finding an unauthorized administrative account called “openx-manager” on one of his clients' OpenX 2.8.8 installations, ...

Cisco announced Thursday that it plans to acquire network analytics company Truviso for an undisclosed amount, in an effort to help users hone operational efficiencies.
Research in Motion executives practiced staying "on message" at BlackBerry World, repeating a series of mantras about the company's directions and product plans. Yet the simple message is running into the hard practicalities of enterprise IT customers, and they want details and nuance.
WordPress Zingiri Web Shop Plugin HTML Injection and Cross Site Scripting Vulnerabilities
Drupal Core URI Redirection Vulnerability
For the first time, cybercriminals are using compromised websites to conduct drive-by attacks targeting Google Android users.

PluXml Unspecified Cross Site Scripting Vulnerability
The thrill of riding a roller coaster comes from the feeling of danger you get from every gravity-defying loop-the-loop. In Chillingo's lovably addictive platformer, Madcoaster, that danger is very real... if PG-rated.
ioSafe's Solo G3 is the latest addition to the company's line of fire- and water-proof hard drives, and is an updated version of the ioSafe Solo (Macworld rated 4 out of 5 mice). The Solo G3 has a new case design, replaces the USB 2.0 interface on the original Solo drive with USB 3.0, and has also gotten rid of the internal fan, allowing the G3 to operate in silence. The Solo G3 comes in 1TB, 2TB, and 3TB capacities and retails for $300, $350, and $400, respectively.
Oracle's argument about copyrighting APIs would be a problem for the entire industry, observers say
Xamarin has ported Android to C# in an effort to improve its own development tools and show that the OS doesn't have to be dependent on Java.
What happens when your helpdesk gets a call from a frantic staff member who's positive his computer is being hacked by Government X this very second?

The IT helpdesk is the face, voice or automated greeting that most staff and/or customers get to deal with when calling for help*. Most IT helpdesk staff have run sheets or scripts to walk the caller through common problems or perform basic tests. With scripts and the frequency of typical requests, helpdesk staff can become very slick and effective, making everyone's lives easier. But what happens when a call comes through and it might be a security issue?
Here are some questions to pose to your organisation:

Has there ever been any discussion between the helpdesk and security teams on what should be done if a call is security related?
Is it scalable, in time and workload, to route every possible security-related call to the security team to answer?
Should the IT helpdesk staff be provided with scripts for basic security procedures, other than "Tell them to touch nothing and call me!"?

Each workplace and environment has its own unique factors in how security-related calls are handled, but let's imagine the security team doesn't want to field every call that may or may not have anything to do with a security issue. This is where a helpdesk team could, with guidance and coaching, be invaluable in saving time and effort for all parties.
A crucial first step is to define what the helpdesk should do and what they should definitely not do. This sets clear lines of demarcation, preventing the misunderstandings that occur in the heat of the moment when someone attempts to do what they believe is the right thing and ends up causing an awful mess.

On the "do" list are:
- Get a clear description of the problem
- Provide standard details on the caller (username, computer details, IP address, location and so on)
- Record only the facts.

On the "should not do" list are:
- Connect to the system to try and fix it themselves
- Offer advice on how to fix the problem
- Jump to unsupported conclusions
- Any other actions that may cause harm or impact.

From this point onwards both the security and helpdesk teams have some ground rules and can work together without causing problems.

Feel free to add any comments, thoughts or suggestions on your experiences, good or bad, on solving this problem.

Chris Mohan--- Internet Storm Center Handler on Duty

* "Help" here covers actual questions on topics the IT helpdesk staff are trained in, rather than those random questions such as "why isn't the fridge working?" In case you were wondering, the correct answer was that the fridge's fuse had blown. Obvious really...
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
Hackers are always hunting to find business-logic flaws, especially on the Web, in order to exploit weaknesses in online ordering and other processes. NT OBJECTives, which validates Web application security, says these are the top 10 business-logic flaws they see all the time.
If you have an Amazon account, you also have five gigabytes of free online storage for your files at your disposal through the Amazon Cloud Drive service. You may not have known that, though, because accessing that space hasn't been as easy as it is with services like Dropbox and SkyDrive.

It often seems security pros place great expectations on users, and are amazed when they fall for an obvious security trap or common social engineering attack. But instead of being amazed, the more appropriate response may be to recognize that traditional information security awareness training programs often don’t work.

According to Bob Rudis, director of enterprise security at Boston-based Liberty Mutual Group, too many companies rely on the computer-based security training courses that each employee must complete once a year to meet compliance requirements. Speaking at the Source Boston conference last month, Rudis shared some more creative ideas he has used to elevate security awareness and reduce security incidents at his company.

For example, Rudis’ team created some simple Flash-based game applications for employees to play. Players win the games by making correct security choices. Even though the games were voluntary, about 25% of Liberty Mutual employees played each game at least once.

For companies that don’t have the budget to create games, Rudis offered cheap, outside-the-box security awareness ideas.  For example, consider your computer-based training (CBT), which probably contains slides showing photos of people working at computers. Rather than using stock images of people in your CBT, Rudis suggested taking photos of your company’s own employees, such as a photo of one of your IT people scratching their head and looking puzzled, or a photo of one of your help desk people looking tired but triumphant. Seeing actual colleagues helps users feel more connected to the training material and thus more likely to remember what they’ve learned. Plus, it will make stars of your staff - an added benefit.

As a security manager, you are competing with so many other demands for users’ attentions, from their own job responsibilities to Facebook and Pinterest and Angry Birds. Making your security lessons visually compelling and a little more fun may go a long way toward ensuring security awareness messages stick in users’ minds for a long time.

Mobile apps that use your location to offer services are no longer new. But are they truly useful to businesses? We look at Facebook, Foursquare, Google Latitude and Yelp to see how they're doing.
Microsoft is opening a research lab in New York City that aims to benefit from interaction with the academic and tech communities in the metropolitan area, as well as attract new talent to Microsoft, the company said.
The U.S. Federal Communications Commission has begun the process to get competitive bids for new mobile broadband subsidies designed to bring 3G or 4G service to areas in the country that do not have it.
Barnes & Noble will distribute its free Nook Metro app through Microsoft's Windows Store, putting to rest talk of Microsoft embedding the program in Windows 8.
Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank does not pay $197,000 before Friday.
Dell EqualLogic SSD and SAS hybrids highlight no-muss, no-fuss, fast storage tiering across multiple arrays
The federal government may not be renowned for its operational speed or agility, and certainly IT is no exception, but federal agency CIOs and their employees have gradually been warming to the new model of cloud computing, according to a panel of industry executives speaking at a conference on Wednesday.
Smartphone screens are getting larger, although vendors will likely continue to offer many sizes to woo a wide variety of users.

Posted by InfoSec News on May 02


By Ericka Chickowski
Contributing Writer
Dark Reading
May 02, 2012

Last week Oracle bumped heads with the database security community in a
communications blunder that caused a proof of concept to be released for
an unpatched four-year-old vulnerability in the database's TNS Listener
service. This week Oracle...

Posted by InfoSec News on May 02


By Tracy Kitten
Bank Info Security
May 2, 2012

Evidence is mounting that Global Payments Inc. may have been breached
months earlier than initially reported.

One affected card issuer told BankInfoSecurity that Visa issued an
updated alert about the breach on April 26, noting that the window for
compromise could date back to June 7, 2011. Another card issuer says the...

Posted by InfoSec News on May 02


By Darlene Storm
Security Is Sexy
May 2, 2012

While the White House officially confirmed the existence of the CIA's
drone targeted killing program, something that the CIA would previously
neither deny nor confirm in ACLU lawsuits, a glimpse into the future of
using drones for targeted killings can be seen...

Posted by InfoSec News on May 02


By Aliya Sternstein
May 2, 2012

The government is witnessing an uptick in assaults on the computers that
control industrial operations such as power transmission and
transportation, the top Homeland Security Department cybersecurity
official said Monday.

Mark Weatherford, the first-ever deputy undersecretary for cybersecurity...

Posted by InfoSec News on May 02


By a staff reporter
The Gulf Today
May 03, 2012

SHARJAH: In line with the objectives of the Telecommunications
Regulatory Authority (TRA) to spread awareness about the Information and
Communications Technology (ICT) sector, the UAE Computer Emergency
Response Team (aeCERT), a TRA initiative, organised two workshops in
Sharjah University and Al Thait Girls School in Ras Al...