InfoSec News

Texas Instruments on Monday announced it has agreed to acquire semiconductor company National Semiconductor for $6.5 billion in an all-cash transaction.
Epsilon Interactive says that about 50 customers were affected in security breach
GNU glibc 'fnmatch()' Function Stack Corruption Vulnerability
GNU glibc 'addmntent()' Mount Helper Local Denial of Service Vulnerability
For the first time, a federal appellate court has been asked to consider the appropriateness of the damages being sought by the RIAA against individual copyright infringers.
To avid Apple watchers, the company's latest ad for the iPad 2 isn't really anything new: It eschews celebrity endorsements, outrageous claims, and pretty young things that tweak your atavistic impulses in favor of simply showing the product in use.
FFmpeg Integer Overflow and Denial of Service Vulnerabilities
Tablets are the culmination of what Steve Jobs wanted to create at Apple from the beginning, Apple co-founder Steve Wozniak said Monday.
The software that helped IBM's Watson computer reign victorious on the Jeopardy game show in February could also help the financial industry assess risk more effectively, a pair of IBM executives stated on Monday at a high-performance computing conference.
An appeals court Monday dismissed Verizon's challenge of the U.S. Federal Communications Commission's December net neutrality ruling, calling it premature.
BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
Apple's supply of the iPad 2 edged closer to demand today as the company's online store showed a two-to-three week shipping delay.
Meru Networks claims to have been the first company to deliver an 802.11n access point and is now riding that technology's popularity as enterprises move increasingly to high-speed wireless networks. In this installment of the IDG Enterprise CEO Interview Series, Meru President and Ihab Abu-Hakima speaks with IDGE Chief Content Officer John Gallant about what sets Meru apart from bigger competitors.
Indian IT services providers hire relatively few U.S. workers -- U.S. citizens hold about 10% of their U.S.-based jobs, according to a study by an Indian industry group.
Debian tex-common 'shell_escape_commands' Directive Remote Code Execution Vulnerability
As the day progresses and more and more Epsilon clients notify their customers that their details have been compromised, I got to thinking about what information is readily given to third parties for many different purposes. The outsourcing of certain specialist tasks is nothing new. What I've found in the past, though, is that information is often handed over without really thinking through any of the consequences should the information be compromised. So here are some of the things I believe you should be doing when handing over client information to third parties. As per usual, feel free to add your own experiences and suggestions.
Before handing over any information you may want to ask the following:

What is the minimum amount of information that is needed in order to perform the tasks requested? - We often find that people are handing over substantial amounts of data when all that is really required is an email address and a first name. This will of course depend on what the third party is doing for you, but having a think about what they really need is a good starting point. Then it can be risk assessed and a decision taken.
How are you protecting my information? - Likely you will get a warm, fuzzy answer and you will have to sift through it to find out what the real answer is. What you want to look for are things like operational security processes. How are they going to notice if there was a breach? Do they utilise IDS/IPS? Do they have firewalls (and yes, sometimes you will get the answer of no we don't need a firewall
Do you have the right to audit? - The answer to this will often give an indication as to what the real answer is to the previous question. If the answer is no, well ...
Do they have an incident response process?
What steps will be taken in the event of a breach and when will you be notified? - i.e. how long will they sit on the compromise before they let you know that it is gone?
What happens if the breach is at a subcontractor of the organisation? - Many companies subcontract processes to others.
Who will carry any additional costs? - In some jurisdictions there is a notification requirement. In some cases this may need to take the form of snail mail; those stamps can be expensive, so who will pay for that?
You may have special security requirements for your information. You will need to communicate these clearly to the provider so they can meet your expectations.

Collect the answers and have them put into the contract/agreement; that way nobody can forget who would do what and when.
That's my quick start list before handing information over.
Mark H

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Attack hijacks sensitive data using newer Windows features
The attack will also work against Apple's OS X for Macs, although the proof-of-concept has not been tested on that platform, said Jack Koziol, a program manager at InfoSec Institute, an information security services company. ...

Pandora and possibly other makers of popular smartphone applications are being questioned by a federal grand jury about their privacy practices.
Computerworld's Salary Survey 2011 is out, and despite the strengthening economy IT workers say they are under pressure, underpaid and nearing a breaking point. Are you worse off than last year?
A developer today released a tool that lets adventurous Windows Phone 7 owners upgrade their smartphones' operating system now rather than wait for their carrier to offer the update.
[USN-1104-1] FFmpeg vulnerabilities
[USN-1103-1] tex-common vulnerability
[USN-1102-1] tiff vulnerability
Re: Xymon monitor cross-site scripting vulnerabilities
Developer Chris Walsh has apparently done what software giant Microsoft has failed to accomplish: Let anyone with a Windows Phone 7 device install the first two operating system updates.
[ MDVSA-2011:064 ] libtiff
Re: DC4420 - London DEFCON - April meet - Wednesday 20th April 2011
DC4420 - London DEFCON - April meet - Wednesday 22nd April 2011
ZDI-11-116: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Security experts today warned users to watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.
Laptops and desktops with Advanced Micro Devices' A-series chips will become available from PC makers this quarter, the company's CEO said.
Data caps on nearly all wireless and wired networks in the U.S. seem likely to be in place soon, even though Verizon Wireless and Sprint continue to make unlimited data offers.
Oracle 11g Express Edition, the free-of-charge version of Oracle's flagship database, is now in beta.
Xymon monitor cross-site scripting vulnerabilities

Cyber Defenses - Bloodied, Battered and Bruised
CSO (blog)
Bloodied, battered and bruised is the fighter who bobs and weaves trying to anticipate and block the opponent's moves. Eventually, he is worn down, the opponent laying combination after combination to the ...

EMC Corp. today announced it has acquired NetWitness Corp., security company that makes the NextGen visibility monitoring system to detect electronic threats and malware-based attacks. EMC said NetWitness will operate as part of RSA.
Sendmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability
NASA has pushed back the final launch of space shuttle Endeavour by 10 days, because of a scheduling conflict at the International Space Station.
Private equity firm Apax Partners is buying Epicor and Activant in a deal that will create one of the world's largest ERP software vendors, the companies announced Monday.
Google is bidding $900 million in cash for thousands of patents that Nortel will auction off as part of its bankruptcy proceedings, the companies said Monday.
[SECURITY] [DSA 2210-1] tiff security update
[SECURITY] [DSA 2209-1] tgt security update
[ MDVSA-2011:063 ] xmlsec1
Stored and Reflective XSS in Yaws-Wiki 1.88-1 (Erlang)
Two waves of email attacks targeted small groups of RSA employees, the company said in a blog post last week revealing the first details of the attack since the breach was announced March 22.

Standards organization IEEE has decided to get involved in cloud computing, starting with two development projects related to cloud interoperability, it said on Monday.
Cisco last week added more detail to its data center fabric story by rolling out a bevy of new products that provide extra touch points to use when comparing Cisco's strategy to the fabric plans of Juniper and Brocade.
[ MDVSA-2011:060 ] ffmpeg
Aruba Networks is introducing the first fruits of its acquisition of Azalea Networks this week, boosting the speed of the wireless mesh gear with IEEE 802.11n technology and integrating it into the Aruba MeshOS management system.
Lawson Software is hoping to entice its customer base to deploy their applications in Amazon's Elastic Compute Cloud, and has a marquee customer to show it can be done successfully.
Lawson Software is taking a cue from Apple, Amazon and others, announcing on Monday the Lawson Marketplace, an online store where customers can use a credit card to buy a range of add-on tools for their ERP (enterprise resource planning) applications.
Huawei Symantec today released its first line of modular storage area network arrays that offer up to 2.88PB of capacity and data snapshot, migration and replication features all under a single user license.
Oracle's decision to stop developing software for Itanium-based machines could force IT managers to launch expensive hardware and/or software upgrades.
Facebook plans to start using microservers to enable inexpensive growth and quick failover at its massive data centers.
SOA remains alive and relevant as a software design strategy, says a new Forrester Research report.
Security is now so mainstream, it can be the punchline for a network comedy.
By 2016, some new PCs will combine flash memory and traditional hard disk drives for cost and performance reasons, a SNIA report says.
Compare IT salaries across a sampling of industries and job titles.
The majority of respondents say they deserve more money for the work they do, yet they're happy with their decision to stay in IT.
A majority of IT workers say they're under pressure to increase productivity and take on new tasks. But the vast majority are still happy they picked IT as their career.
Some companies are starting to use new tools to analyze so-called big data to find ways to better keep track of the activities, habits and whereabouts of their online customers.
One or more of these wild-eyed approaches could save you a lot of money -- and not cost you much.
At this point in the evolution of cloud computing, the public cloud is probably not IT's first choice when it comes to core enterprise workloads. But there's still a place for public cloud services, and it's up to IT to determine what that is.
The first step is to evaluate your workloads, says Mark White, CTO for Deloitte Consulting's technology practice.
If you're interested in achieving the benefits of a private cloud, but aren't sure you want to devote the time and resources to build one from scratch, there is an alternative - cloud-in-a-box.
As researchers at The University of Texas MD Anderson Cancer Center work at "making cancer history," they're doing so with the help of compute power and storage capacity from a private cloud.
libTIFF ThunderCode Decoder Heap Buffer Overflow Vulnerability
As cloud computing moves from hype to reality, certain broad trends and best practices are emerging when it comes to the public cloud vs. private cloud deployment debate.
Only about a third of more than a thousand respondents to a Network World online survey believe it's always wrong to use company equipment to host private video game sessions for groups of players.
The 'Net is just one hack away from disaster
AMAG's IT needs are more efficiently and cost effectively served by public cloud providers, including infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS), than by internal systems and applications.