Hackin9

InfoSec News

Tuesday morning, we received a number of reports from readers indicating that the SSL certificate used for settings.adobe.com was out of date. Initially, we had a hard time reproducing the finding. But some of our handlers in Europe were able to see the expired certificate.
The expired certificate was valid from Oct 6th 2009 to Oct 6th 2010, which is somewhat unusual. Typically, we would expect a certificate that just expired yesterday and someone forgot to renew it. In this case, it looked more like someone installed an older certificate instead of the new one.
The correct certificate was pretty much exactly a year old and valid for another year. Everything indicated that the Adobe certificates indeed expire in the first week of October.
In the end, we narrowed the affected geography down to Europe and contacted Adobe. Adobe responded promptly and as of this evening, the problem appears to be fixed. Thanks to everybody who helped via Twitter to narrow down the affected geography, and thanks to the readers who reported this initially.
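The distinction the diary draws (a renewal that lapsed yesterday versus an old certificate deployed in place of the current one) is easy to automate. This is an added example, not code from the diary or from Adobe: it classifies a certificate's validity window using the date format that Python's `ssl.getpeercert()` returns; the dates are constructed from the ones quoted above, the "current" certificate's dates and the observation time are assumptions.

```python
import ssl

# Certificate fields in the shape returned by ssl.SSLSocket.getpeercert().
# The dates below are constructed from those stated in the diary; nothing
# here was captured from settings.adobe.com itself.
STALE_CERT = {"subject": ((("commonName", "settings.adobe.com"),),),
              "notBefore": "Oct  6 00:00:00 2009 GMT",
              "notAfter":  "Oct  6 00:00:00 2010 GMT"}
CURRENT_CERT = {"subject": ((("commonName", "settings.adobe.com"),),),
                "notBefore": "Oct  5 00:00:00 2011 GMT",   # assumed
                "notAfter":  "Oct  5 00:00:00 2012 GMT"}   # assumed
# Time of the observation (the week of the diary), as a POSIX timestamp.
OBSERVED_AT = ssl.cert_time_to_seconds("Oct  5 12:00:00 2011 GMT")


def classify(cert, now=OBSERVED_AT, grace_days=7):
    """Classify a certificate's validity window at time `now`.

    'valid'         now lies within notBefore..notAfter
    'not-yet-valid' notBefore is in the future (clock skew or premature rollout)
    'lapsed'        expired within grace_days: a renewal somebody forgot
    'stale'         expired long before `now`: an old certificate was most
                    likely (re)deployed in place of the current one
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now <= not_after:
        return "valid"
    days_expired = (now - not_after) / 86400
    return "lapsed" if days_expired <= grace_days else "stale"


def days_remaining(cert, now=OBSERVED_AT):
    """Days until notAfter (negative once expired); useful for renewal alerts."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
```

Running the same check from several vantage points is what separates a global renewal failure from the regional deployment mix-up described above.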
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The new iPhone 4S unveiled Tuesday offers important wireless networking enhancements that its predecessor lacked, including dual-network world phone capabilities and redesigned antennas.
 
Time to get over the fact that Apple didn’t announce the iPhone 5, but instead introduced the iPhone 4S, which boasts a collection of upgrades nonetheless. Here’s a quick spin through what’s new.
 
If you are a Web designer, graphic designer, or other creative professional, most likely you work with the Adobe suite of products. Up until now, you haven't been able to migrate your work to your tablet PC of choice. That's about to change. Adobe on Tuesday announced two products available in the coming months that will drastically shift how creative professionals will work: Adobe Creative Cloud and Adobe Touch Apps for tablets.
 
McAfee buys NitroSecurity for its ePolicy Orchestrator while Big Blue has created a security division for its Q1 Labs acquisition.

 
KDE KSSL Common Name SSL Certificate Spoofing Vulnerability
 
The company also pitches Project Avatar dynamic client effort and delays Java SE 8 to the summer of 2013
 
With its Napster acquisition this week, Rhapsody, the venerable U.S.-only digital music subscription service, is in battle mode as rival Spotify attempts to carry its strong momentum in Europe to America.
 
It's the last thing McAfee would want users to hear about one of its products, but the Firefox browser is advising users to disable McAfee's ScriptScan software, saying that it could cause "stability or security problems."
 
Apple has sold more than six million copies of Mac OS X 10.7, better known as Lion, since its debut in late July, CEO Tim Cook said today.
 
Shortly before Apple unveiled the iPhone 4S, the company's website went down.
 
Apple's new CEO Tim Cook and other company executives today introduced the new iPhone 4S, an upgrade to the existing iPhone 4 that features the same faster dual-core processor now used in the iPad 2.
 
Red Hat announced Tuesday that it is acquiring Gluster, which makes open-source software that clusters commodity SATA drives and NAS systems into massively scalable pools of storage, in a cash deal valued at about $136 million. Gluster is also a contributor to the OpenStack cloud project and Red Hat is promising this involvement will continue. Indeed, Red Hat is now uncharacteristically saying its support of OpenStack will grow even beyond Gluster to the next release of Fedora.
 
U.S. government officials need to put more pressure on their Chinese counterparts to stop a "pervasive" cyber-espionage campaign targeting U.S. companies, one U.S. lawmaker said Tuesday.
 
spidaNews 'id' Parameter SQL Injection Vulnerability
 
Google Chrome Prior to 14.0.835.163 Multiple Security Vulnerabilities
 
http://www.sans.org/critical-security-controls/control.php?id=3
Like the two prior controls, this is all about gaining control of your network. Control 1 and 2 identify all the hardware and software you own. With control 3, we now start configuring this software (and hardware) securely.
In my opinion, there are really two problems you have to solve here:
- establish a baseline configuration
There are a number of well respected organizations that publish standard configurations: for example, the Center for Internet Security, the NSA and DISA hardening guides, and of course the guides provided by vendors such as Apple and Microsoft. In most cases, these configuration guides will serve as a starting point, and you will have to adjust them to your local preferences and needs. Usually you will need a couple of different configuration templates for different roles. A laptop traveling with a sales person from customer to customer needs to be configured differently than a server or a desktop in the IT department.
Once you have decided on a benchmark and customized it, you can build standard images used to build new machines. If you are a large enough customer, you may be able to convince your vendor to deliver systems already preconfigured to your specifications. If you decide to go this route, you still need to verify that the vendor followed your guidelines.
Hardened configurations are known to cause problems with patching and some advanced software features. The closer you stick to one of the well established guidelines, the more likely you are going to find help in working around these problems.
- maintain the baseline configuration
Nothing is static, in particular in IT. Configurations will change, patches need to be applied, and new threats will require you to reconsider some of the choices you made when originally setting your default system configuration. However, all changes made to systems need to be carefully controlled and applied consistently. Configuration management tools will help get this job done. The configuration needs to be monitored continuously with tools like AIDE or Tripwire to identify unauthorized changes quickly.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Following its preview at Apple's World Wide Developer Conference in June, iCloud has received an official debut date--October 12--at Tuesday's Let's Talk iPhone Apple event. It replaces the company's oft-maligned $99 MobileMe service, offering a central online repository for your mail; contacts; calendars; music, TV, app and book purchases; photos; documents; and backup--all for free. In addition, Apple introduced a new app called Find My Friends, for connecting with friends and family.
 
Apple has unveiled the iPhone 4S, shipping Oct. 14. What new hardware feature will earn the device a place in your toolkit?
 
Apple on Tuesday announced the iPhone 4S, a 3G smartphone with improved hardware designed to allow the device to run applications faster than its predecessor, the iPhone 4.
 
Microsoft announced several new automatic features aimed at cleaning up Hotmail accounts and helping users organize piles of so-called graymail.
 
This eGuide from the editors of Computerworld offers a look at technology shifts throughout the financial services industry. Insider (registration required)
 
rpm-python RPM File Handling Remote Memory Corruption Vulnerability
 
Even the most mature organizations are using multiple risk-management frameworks and various processes to make risk-based decisions.

 
Washington, D.C. - The U.S. departments of Commerce and Homeland Security (DHS) today discussed with other federal agencies and private-sector leaders in the information technology industry the need to create a voluntary industry code ...
 
An analysis of the cloud storage market, both public and private, released by Gartner today showed that the market is on pace to total $417.3 million in 2011, a 56% increase from 2010 and it will reach $1.4B by 2015.
 
Intel's McAfee unit is acquiring NitroSecurity in an effort to speed up risk and threat assessment capabilities via its security products, Intel said Tuesday.
 
Oracle's Exadata database machine can deliver the performance improvements the vendor claims, but also demands that IT shops and database administrators undergo a shift in thinking as well as attain new skills, a number of experts said this week at the OpenWorld conference in San Francisco.
 
Novell, which was acquired by The Attachmate Group in April, wants to regain its status as an IT icon and will try to do so by focusing its efforts on its core assets and rebuilding relationships with its huge installed base. Network World Editor in Chief John Dix recently caught up with Novell President Bob Flynn and VP of Product Management and Marketing Eric Varness for a briefing on their rebuilding plans.
 
A year after it pulled the plug on silent updates in Firefox 4, Mozilla said it will debut most of the behind-the-scenes feature by early next year.
 
Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing audit every now and then. After all, if you're not failing any audits there are two possible explanations:
 
Websites that accidentally distribute rogue code could find it harder to undo the damage if attackers exploit widespread browser support for HTML5 local storage and an increasing tendency for heavy users of Web apps never to close their browser.
 
New open source Security Framework
 
Red Hat is acquiring privately owned storage vendor Gluster for approximately $136 million in cash to boost its cloud offerings, it said on Tuesday.
 
IT budgets, salaries and staff turnover rates have returned to pre-recessionary levels, according to a new survey conducted by the Society of Information Management (SIM) that indicates increasing optimism among CIOs and IT executives nationwide.
 
CIOs continue to test the popular iPad tablet for enterprise applications. These pilots show potential, but the devices still have lots of limitations. Insider (registration required)
 
Microsoft will make no more Zune music players, building its future music strategy on applications incorporated in its Windows Phone and Xbox platforms, the company has confirmed.
 
Multiple vulnerabilities in SonicWall
 
vTiger CRM 5.2.x <= Multiple Cross Site Scripting Vulnerabilities
 
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
For some time, PCWorld has advocated hybrid networks that support both Wi-Fi (for laptops, cell phones, and anything else you might want to use untethered to a power source) and a wired technology for streaming media to fixed-location devices. Ethernet is the best wired-network technology, but using it typically involves stringing cables through walls; if that isn't feasible, a HomePlug AV powerline network, which uses existing electrical circuits, can be a great alternative.
 
A couple of recent customer-service snafus by Netflix pushed many users to look for an alternative way to enjoy video services. First Netflix hiked its prices by 60 percent, and later it split its services into two different companies.
 
Joomla! Google Website Optimizer Component HTML Injection Vulnerability
 

SearchSecurity.com, current issue:
An InfoSec Leaders survey examines the impact of different certs on the security profession (by Joseph Granneman).
Networked medical devices introduce new risks, but does a new standard go far enough in addressing the problem?

 
Perl Crypt-DSA Module Random Number Values Security Weakness
 
vtiger CRM Multiple Cross Site Scripting Vulnerabilities
 
Microsoft has invited 50 percent of eligible Windows Phone users to update to version 7.5, also known as Mango, Microsoft's Eric Hautala said in a blog post on Monday.
 
Oracle's introduction of its Big Data Appliance at the OpenWorld conference this week is an indication of the attention it is being forced to pay to NoSQL database technology.
 
Sure, today's end users are pretty tech-savvy, but do they have the technical and business chops needed to take full advantage of self-service technologies?
 
Symantec today said its new cloud-based single sign-on (SSO) service called O3 is available to enterprise customers to test.
 
Webroot has revamped its antivirus product line, moving to a cloud-based system that it says is better suited to detect the deluge of malicious software circulating on the Internet.
 
BITS, the U.S. financial industry's IT policy arm, has a new leader: Paul Smocer, an expert in email security and authentication.
 
Although much of the attention at today's Apple event will be on the new iPhone, what's going on behind the scenes with iCloud will affect users more, says columnist Michael deAgonia.
 
Offshoring has become so engrained in IT processes that 65% of businesses now do it for some aspect of their business, according to an annual survey of IT budgets and technology trends by the Society of Information Management.
 