InfoSec News

Lenovo has shown off its first tablet computer, the LePad, and will launch more tablets later this year in a bid to carve out some share in the emerging market dominated by Apple's iPad.
 
WARNING: Overclocking is not for the faint of heart. Do not attempt to hack your phone unless you understand and accept the risks of turning it into a useless "brick."
 
Netbook pioneer Asustek Computer unveiled four new tablet devices on Tuesday, including the 10.1-inch touchscreen Eee Pad Slider with the latest version of Google's Android mobile OS, Honeycomb, and the 12-inch touchscreen Eee Slate E121, which has Microsoft's Windows 7 OS.
 
The company whose late-night commercials promised to 'make your computer run fast the way it's supposed to,' will pay tens of thousands of dollars in fines and refunds to settle charges that it engaged in deceptive advertising.
 
 
PHP 'php/ext/xml/xml.c' Integer Overflow Vulnerability
 
A Cisco survey found that only 18% of respondents to the worldwide poll said they are using the cloud in any capacity.
 
The war is over and USB has won ... or has it? At CES this week a new wireless SATA interface will try to dethrone SuperSpeed USB by offering speeds of up to 6Gbps vs. USB 3.0's max of 5Gbps.
 
As 2010 drew to a close, I received a note from a colleague reflecting on the year past and thanking me for my mentorship and counsel. Reading his note reminded me that often the best path forward starts by looking back. As we welcome a new year full of ambition and opportunity, this is the perfect time to reflect on the previous year(s) to set the stage for a productive and successful 2011.
 
A botnet fingered for stealing a treasure trove of information last year has struck again, harvesting sensitive documents from dozens of government agencies and contractors, according to security experts.
 
Don't you hate having to look outside whenever you want to know the weather? Talk about a hassle!
 
Companies have turned to Internet videos to leap ahead of rivals in announcing their new products at the International Consumer Electronics Show (CES) this year, or at least to create buzz around their launches.
 
A U.S. appeals court restores a jury verdict in a patent infringement case against Microsoft.
 
Microsoft said a publicly disclosed vulnerability affects the Windows Graphics Rendering Engine in Vista, Windows Server 2003 and Windows XP.

 
The Bank of America has created a team of internal and external experts to create a damage control plan to be put into place if WikiLeaks releases insider documents it's said to hold.
 
Microsoft today confirmed an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug.
 
Samsung has completed development of the industry's first DDR4 DRAM module; it has twice the performance of today's DDR3 DRAM.
 
Apache Subversion Server Component Multiple Remote Denial Of Service Vulnerabilities
 
Micron Technology today announced a new line of solid-state drives (SSDs) with up to 512GB of capacity.
 
Linux Kernel 'net/' Subsystem Socket Filter CVE-2010-4161 Local Information Disclosure Vulnerability
 
Xen 'blkback/blktap/netback' Leaked Kernel Thread Local Denial Of Service Vulnerability
 
Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability
 
Microsoft published KB Article 2490606 [1]. It describes a vulnerability in the Windows Graphics Rendering Engine that could lead to remote code execution. The vulnerability has been assigned CVE-2010-3970 [2].
All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.
The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.
There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details.
This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the Power of Community conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table (biClrUsed) to a negative number.
The published slides do provide hints on how to exploit this vulnerability, including bypassing SafeSEH and DEP.
Update: There is now an MSRC blog post about this issue [3].
Update #2 (by jcb): There is also a Metasploit module out to exploit this vulnerability.
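As an added defensive check, not code from the ISC diary or from Microsoft's advisory, the Python below parses a DIB BITMAPINFOHEADER and flags the biClrUsed condition the diary describes (a colour-table count that reads as negative when treated as a signed integer, or that exceeds what the bit depth allows). The two sample headers are constructed here for illustration; the field layout follows the Windows SDK definition.

```python
import struct

# BITMAPINFOHEADER (40 bytes, little-endian) as laid out in the Windows SDK.
# biClrUsed is a DWORD in the SDK; the diary notes the bug is triggered when a
# "negative" count (top bit set) is accepted as the size of the colour table.
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")
FIELDS = ("biSize", "biWidth", "biHeight", "biPlanes", "biBitCount",
          "biCompression", "biSizeImage", "biXPelsPerMeter",
          "biYPelsPerMeter", "biClrUsed", "biClrImportant")


def parse_bitmapinfoheader(data: bytes) -> dict:
    """Unpack the first 40 bytes of a DIB header into a field dict."""
    if len(data) < BITMAPINFOHEADER.size:
        raise ValueError("truncated BITMAPINFOHEADER")
    return dict(zip(FIELDS, BITMAPINFOHEADER.unpack_from(data)))


def color_table_findings(hdr: dict) -> list:
    """Return the reasons the colour-table fields look suspect (empty = sane)."""
    findings = []
    clr_used = hdr["biClrUsed"]
    bpp = hdr["biBitCount"]
    if hdr["biSize"] != BITMAPINFOHEADER.size:
        findings.append("biSize is not 40 (not a plain BITMAPINFOHEADER)")
    if bpp not in (1, 4, 8, 16, 24, 32):
        findings.append(f"unexpected biBitCount {bpp}")
    # Top bit set: this reads as a negative count if the value is used as a signed int.
    if clr_used & 0x80000000:
        findings.append(f"biClrUsed=0x{clr_used:08x} is negative as a signed int")
    # An indexed image never needs more palette entries than 2**biBitCount.
    if bpp in (1, 4, 8) and clr_used > (1 << bpp):
        findings.append(f"biClrUsed={clr_used} exceeds 2**{bpp} palette entries")
    return findings


# Constructed sample headers (not taken from any real file): a sane 16x16 8-bpp
# DIB with a full 256-entry palette, and the same header with biClrUsed = -1.
SANE_HEADER = BITMAPINFOHEADER.pack(40, 16, 16, 1, 8, 0, 256, 2835, 2835, 256, 0)
SUSPECT_HEADER = BITMAPINFOHEADER.pack(40, 16, 16, 1, 8, 0, 256, 2835, 2835, 0xFFFFFFFF, 0)

if __name__ == "__main__":
    for name, blob in (("sane", SANE_HEADER), ("suspect", SUSPECT_HEADER)):
        print(name, color_table_findings(parse_bitmapinfoheader(blob)) or "ok")
```

Feeding a thumbnail extracted from a document through color_table_findings gives a cheap triage signal for mail gateways or share scanners while the ACL workaround above is in place.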
[1] http://www.microsoft.com/technet/security/advisory/2490606.mspx

[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3970

[3] http://blogs.technet.com/b/msrc/archive/2011/01/04/microsoft-releases-security-advisory-2490606.aspx

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Motorola Mobility Holdings, maker of the Droid and Defy smartphones, has completed a spinoff from parent company Motorola.
 
Dell said the "strategic investment" helps it offer managed security services including network intrusion prevention and detection capabilities to midsize businesses.

 
DRAM chip prices reached a one-year low on Tuesday and approached their cheapest ever due to a post-holiday oversupply. The cheap memory chips are pushing PC prices lower too, a Taiwan-based trading platform said.
 
Picsel Smart Office (approximately $9.54) is one of many apps that attempt to remedy Android's pitifully weak office-document support. Picsel can view and edit Word, PowerPoint, and Excel files, and can view but not edit PDFs. As a document viewer it performs well, rendering most formatting perfectly. A toolbar at the top of the screen features a Find button to search text. A Reflow button optimizes the view for the small screen, while a Help button gives quick access to an instruction manual.
 
Dell is purchasing security services vendor SecureWorks, expanding its range of IT management offerings. Terms were not disclosed.
 
[DCA-00017] LinkSys BEFSR41 Multiple Stored Xss
 
Security researcher Michal Zalewski said his new cross_fuzz has helped identify about 100 bugs in prominent browsers that include Internet Explorer, Firefox and Opera.

 
We kick off 2011 by offering some outsourcing resolutions for the party on the other side of the table -- the IT service provider.
 
Mathematica8 on Linux /tmp/MathLink vulnerability
 
InfoSec News: 58 Banking Breaches in 2010
Posted by InfoSec News on Jan 04
http://www.bankinfosecurity.com/articles.php?art_id=3220
[That we're aware of... - WK]
By Linda McGlasson, Managing Editor, Bank Info Security, December 30, 2010
There have been 58 reported banking-related data breaches so far in 2010, according to the Identity Theft Resource Center -- slightly fewer than the total of 62 breaches in 2009. But it is possible that additional 2010 breaches will be reported after the new year.
Of the 58 breaches tracked by the ITRC:
* 9 are related to insider theft;
* 6 are related to missing paper documents;
* 8 were linked to card skimming attacks;
* 5 resulted from stolen or missing hardware;
* 8 are blamed on cyberattacks or outside network intrusions;
* 4 are related to the exposure of data on the Web;
* 6 are linked to an accidental breach;
* 3 were of unknown origin.
[...]
 
InfoSec News: U.S. DHS goes after Vietnamese hackers, identity thieves
Posted by InfoSec News on Jan 04
http://www.computerworld.com/s/article/9203080/U.S._DHS_goes_after_Vietnamese_hackers_identity_thieves
By Robert McMillan, IDG News Service, January 3, 2011
The U.S. Department of Homeland Security is cracking down on an international criminal ring, based in Vietnam, that is thought to have stolen hundreds of millions of dollars from online merchants using hacking and identity theft.
Last month, agents from the DHS's Immigration and Customs...
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, December 26, 2010
Posted by InfoSec News on Jan 04
========================================================================
Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, December 26, 2010
28 Incidents Added.
========================================================================
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open Security Foundation asks for contributions of new incidents and new data for...
 
InfoSec News: Accidental Leak Reveals Chinese Hackers Have IE Zero Day
Posted by InfoSec News on Jan 04
http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/228901665/accidental-leak-reveals-chinese-hackers-have-ie-zero-day.html
By Kelly Jackson Higgins, Darkreading, Jan 03, 2011
A renowned Google researcher who this week released a new free fuzzer that so far has found around 100 vulnerabilities in all browsers says Chinese hackers appear to have gotten their hands on one of the same bugs he discovered with...
 
InfoSec News: Military hushed up loss of confidential file: sources
Posted by InfoSec News on Jan 04
http://english.yonhapnews.co.kr/national/2010/12/30/53/0301000000AEN20101230008100315F.HTML
Yonhap News Agency, 2010/12/30
SEOUL, Dec. 30 (Yonhap) -- A USB memory drive containing military secrets has been missing for months, but authorities are refusing to launch an investigation and trying to keep the case under wraps, inside sources said Thursday.
An Army major at a front-line battalion in Gangwon Province lost the portable drive in...
 
With so many Web sites demanding passwords, no one, but no one, can really be expected to remember all the ones they need.
 
Microsoft says it has fixed a problem with its Windows Live Hotmail service that temporarily deleted the e-mail of more than 17,000 users.
 
Norwegian company Opera Software will unveil the first public preview of its browser for tablets at the International Consumer Electronics Show.
 
After years of talks and demonstrations, Advanced Micro Devices started shipping Fusion processors for netbooks, laptops and small desktops priced between $200 and $599.
 
The U.S. Department of Homeland Security is cracking down on an international criminal ring, based in Vietnam, that is thought to have stolen hundreds of millions of dollars from online merchants using hacking and identity theft.
 
Intel's Sandy Bridge chips, 4G smartphones, Android-based tablets, PCs that support USB 3.0, and smaller and cheaper SSDs will all be featured at the Consumer Electronics Show in Las Vegas this week.
 
With Facebook now flush with cash, the social networking phenom has the muscle to better duke it out with tech bigwig Google.
 

The world's largest chip maker will show off its most advanced line of microprocessors ever at the International Consumer Electronics Show (CES) in Las Vegas on Wednesday, complete with a range of laptop and desktop PCs with the chips inside.
 

