InfoSec News

From £40000 to £45000 per year + Up to £55k for Bristol
Career Engineer
INFOSEC Engineer (Defence) SC Cleared, Stevenage / Bristol required in systems engineering of Security Risk Management & Accreditation Documents. Development & Accreditation of Tactical Systems, including bespoke Hardware / Software elements for ...

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Software security expert Gary McGraw provides actionable guidance based on analysis of dozens of software security firms.

Microsoft's October 2012 Patch Tuesday release, slated for Oct. 9, will address an RSA key-length certificate issue exposed by the Flame malware.

FCC Chairman Julius Genachowski detailed plans on Thursday to free up more wireless spectrum that carriers say they need to offer high-speed mobile services.
As usual, Microsoft released its pre-announcement for the upcoming Patch Tuesday. The summary looks pretty much like an average Patch Tuesday, with 7 bulletins in total:
Only one of the bulletins is rated critical, and it affects Office as well as Microsoft SharePoint and Microsoft Office Web Apps. Given the critical rating, and the fact that it affects desktop as well as server components, this is likely the patch to watch out for.
Three other patches, all rated important, affect Office (and SharePoint). Two patches affect Windows and one patch affects SQL Server.
So get ready to reboot your systems. After a simple September, this one is more of a normal patch month. Also, don't forget that the weak certificate patch will be pushed out this month.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Intel announced a NAS controller with support for two to six SATA drives that is powered by its new more powerful Atom processor.
Facebook's announcement that it now has more than a billion active users shows the resiliency of the social networking platform, analysts say.
AT&T will exclusively carry two Windows tablets for the holidays -- the Asus VivoTab RT and Samsung ATIV Smart PC, the carrier said Thursday.
Former Sun/Oracle engineer mostly talked about his robotics venture, but his appearance could indicate he and Oracle are burying the hatchet.
Two U.S. agencies have seized 686 websites accused of selling counterfeit and illegal medicines as part of an international crackdown on online sales of fake drugs.
Everyone involved with HTML5 on mobile devices needs to step up their efforts and solve issues with performance and monetization in order for the technology to reach its true potential, according to Facebook developer advocate Simon Cross.
Microsoft today announced it will deliver seven security updates, one critical, to patch 20 vulnerabilities in Office, SharePoint Server, SQL Server, Windows and other parts of its product lineup.
Acer announced the Oct. 26 availability of the Iconia W700 tablet, which will come with an 11.6-inch screen and Windows 8, and will start at $799.
Microsoft has bought multi-factor authentication specialist PhoneFactor with the goal of integrating the company's technology into its cloud services and on-premises applications.
Microsoft and Barnes & Noble have finalized the creation of a joint venture that will deliver e-reading applications, and the new company will be called Nook Media LLC, the book seller said on Thursday.
Security expert Jayson E. Street explains why security pros must learn to communicate effectively to gain trust from management and empower employees.

After last night's presidential debate, the possible fate of Big Bird is now known. But the candidates gave no insight into the possible fate of exascale systems, the next generation of supercomputers.
Starbucks said its mobile app and Starbucks Card are now integrated with Apple's Passbook, enabling users with iPhones running iOS6 to use their phones for buying coffee.
In the 2012 presidential campaign, Twitter has become the new spin room.
AT&T confirmed Thursday it will carry two HTC smartphones, the One X+ quad-core smartphone and the dual-core One VX "in the coming months."
The Association of American Publishers and Google have reached a settlement to end seven years of litigation over the company's book-scanning project.
Reports that Microsoft could launch its own Surface smartphone next year have surfaced again, leading some tech experts to wonder why the company would do so.
Further emphasizing Larry Ellison's fresh enthusiasm for cloud computing, Oracle has updated its Solaris Unix operating system with a number of new capabilities to give it greater cloud capabilities, including a new distributed storage file system and SDN (software defined networking) features.
Working with startups requires a lot of legwork and knowing how to manage the risk. But the rewards can be great.
The FTC in the US has joined forces with government agencies in five other countries to proceed against companies that have pretended to be employees of well-known companies, telling callers that their computers have supposedly been infected with malware.

Cerberus FTP Server CVE-2012-2999 Cross Site Request Forgery Vulnerability
Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by Ogg DirectShow filters
XnView JLS File Decompression Heap Overflow
The recent iOS 6.0 release closes a critical security hole in the code for checking certificates that has been known about for nearly three years.

[ MDVSA-2012:159 ] freeradius
Linux Kernel 'taskstats' Local Denial of Service Vulnerability
ANNOUNCE: RFIDIOt v1.0d released and code migration
One week left! CFP for ZeroNights Conference in Moscow 19-20 November 2012

More on the perils of BYOD
For a run-down of five specific risks that employee-owned devices bring to the enterprise, take a look at a post by Michelle Drolet at InfoSec Island. The operating systems on some employees' devices can be vulnerable to malware and hacking, and this ...

AT&T Thursday disclosed that it will sell the Nokia Lumia 920 and Lumia 820 smartphones for its 4G LTE networks sometime in November, along with other Windows Phone 8-based devices.
More than 1 billion people now use Facebook each month, almost one-seventh of the world's population, the company announced Thursday.

Yesterday's announcement of a SHA-3 winner gives me a great intro to talk about yet another important security-related standard as part of our cyber security awareness month theme. Crypto standards have been critical to developing secure systems for a couple of reasons:

Doing cryptography right is hard. Bit buckets are filled daily with bad crypto algorithms and implementations. Standards provide well-vetted algorithms and implementations, as well as guidance on how to use these algorithms.
Over the lifetime of a complex project, it is very likely that large parts of the code will have to be ported to a new platform or a different language. Using a standard encryption algorithm makes this easier, because the algorithm is more likely to already be available on the new platform.
One characteristic that affects the selection of a standard is performance. But beyond the plain computational cost of the algorithm, you may also see standards implemented in hardware (for example the AES-NI instructions in some Intel CPUs). Even if other algorithms are in theory faster, these hardware implementations will likely make up for that difference, and it is unlikely that CPU designers will implement a non-standard algorithm.

So what are these standards? Let's break it down into 3 groups:
1 - Symmetric Ciphers
In 2001, NIST established the Advanced Encryption Standard (AES) [1]. It superseded the DES cipher that was used up to then. AES is also known as Rijndael, the name used for this cipher before it became known as AES. The cipher can be used with keys of different lengths depending on the classification of the information.
2 - Asymmetric Ciphers
Again referring to NIST [2], there are three standard asymmetric ciphers:
DSA: Digital Signature Algorithm

ECDSA: Elliptic Curve Digital Signature Algorithm

RSA: Rivest, Shamir, Adleman Algorithm
Asymmetric ciphers are much more expensive than symmetric ciphers, and require longer keys. As a result, they are usually used to set up symmetric ciphers (as in SSL) or to create digital signatures. Currently, RSA and DSA are the most commonly used algorithms, but elliptic curve algorithms are getting a lot of attention as they provide some significant performance advantages.
3 - Hashing
Cryptographic hashes are usually used to prevent tampering with documents. Currently, SHA-2 (Secure Hash Algorithm) is the recommended standard, but as we learned yesterday, SHA-3 has just been announced. At this point, of course, you may have a hard time implementing SHA-3. We will have to wait for it to be included in various libraries. A good cryptographic hash makes it very hard to intentionally create two different messages with the same hash value. These collisions are of course unavoidable if the message is larger than the hash, but it should be hard to find them.
The big difference between SHA-1 and SHA-2 is that SHA-2 is a set of different hash functions (SHA-224, 256, 384, 512) which can be used depending on the scenario. FIPS-180 suggests the use of SHA-256 for messages smaller than 2^64 bits. But just as a quick list of pointers:
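As an added illustration of the hashing points above (not code from the diary, and not an ISC tool), the following uses only Python's standard library to show the four SHA-2 variants, a tamper check on a document, and a birthday search that finds a collision in seconds once the digest is truncated to a few bits, while the full-length digest stays collision-free in practice. The message format `msg-N` is a constructed sample.

```python
import hashlib
import hmac

# The SHA-2 family members named in the diary, mapped to hashlib constructors.
SHA2 = {
    "sha224": hashlib.sha224,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data` using one SHA-2 variant (default SHA-256)."""
    return SHA2[algo](data).hexdigest()


def verify(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Tamper check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest(data, algo), expected_hex)


def find_collision(bits: int, algo: str = "sha256", max_tries: int = 1 << 20):
    """Birthday search for two distinct messages whose digests agree on the
    first `bits` bits. Returns (msg1, msg2, tries) or None if not found.
    With bits=16 this needs a few hundred tries; with the full 256 bits it
    would never return within any feasible budget."""
    seen = {}
    nbytes = (bits + 7) // 8
    for i in range(max_tries):
        msg = b"msg-%d" % i                      # constructed sample input
        full = SHA2[algo](msg).digest()
        prefix = int.from_bytes(full[:nbytes], "big") >> (nbytes * 8 - bits)
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
    return None


if __name__ == "__main__":
    doc = b"contract v1: pay 100"
    tag = digest(doc)
    print("SHA-256:", tag)
    print("intact:", verify(doc, tag), "tampered:", verify(doc + b"0", tag))
    m1, m2, tries = find_collision(16)
    print("16-bit collision after", tries, "tries:", m1, m2)
```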
NIST is probably the best place to look for guidance and details on algorithms. NIST also publishes the Federal Information Processing Standards (FIPS), which include a lot of detail on what algorithms to use. Even if you are not US based, or not subject to any of the federal guidance (most private industry is not), you may find that your industry and national standards are closely aligned with the NIST standards. On an international level, ISO (International Organization for Standardization) coordinates these efforts. ISO is a member organization with representatives from various national standards bodies (e.g. ANSI in the US). IETF, the Internet Engineering Task Force, covers how these crypto algorithms are used in internet protocols.
Below you find links to some of the key standards mentioned here.




Johannes B. Ullrich, Ph.D.

SANS Technology Institute



InfoSec Training for IT Specialists
Delaware Chief Security Officer Elayne Starkey leads hundreds of information security officers, many of whom have technical expertise in areas other than security. What can financial institutions learn from her new certification program that provides ...

New attack tools make it easier to exploit vulnerabilities in Oracle databases, including some holes that have been known about for some time.

GNU Automake Local Arbitrary Code Execution Vulnerability
OpenStack Keystone Token Validation Multiple Security Bypass Vulnerabilities
We take a close look at 3.0, the latest version of the open-source content-management system, which offers a new implementation that helps site developers design for the mobile platform.
The U.S.-based Electronic Frontier Foundation criticized new cybercrime legislation that went into effect Wednesday in the Philippines, which has sparked protests over its heavy-handed approach to speech on the internet.
A research team is demonstrating tablets that form local networks among the devices laid upon their surfaces, while also providing wireless charging, at the Ceatec electronics show in Japan.
Rohm is showing tiny hydrogen fuel cells meant for charging portable gadgets at the Ceatec exhibition in Japan.
Hewlett-Packard, ZTE and mobile operators such as AT&T and SK Telecom have pooled their LTE patents under a program led by Via Licensing, aiming to provide a one-stop shop for companies to license their technology.
The first presidential debate lit up social networks Wednesday night, even staggering Twitter throughout the one-and-a-half-hour debate.
Hewlett-Packard has no plans to launch a smartphone next year but will need to sell one eventually to avoid missing out on "a huge segment of the population," CEO Meg Whitman said Wednesday, clarifying remarks she made last month.
Many of the country's largest companies lashed out at Microsoft this week, claiming that its decision to turn on the 'Do Not Track' privacy feature in Internet Explorer 10 would 'harm consumers, hurt competition, and undermine American innovation.'
Though the platform has had issues lately, developers don't see them as deal breakers in Java deployments.

Posted by InfoSec News on Oct 03


By Michael Lee
October 4, 2012

iiNet experienced a breach of its 3FL gaming forums in June this year,
just prior to its merger with Internode's games.on.net site, but failed
to inform its customers.

iiNet is alleged to have attempted to cover up the breach, with an
unnamed source forwarding to Australian tech news site Delimiter an...

Posted by InfoSec News on Oct 03


By Dan Goodin
Ars Technica
Oct 3, 2012

The attacks that recently disrupted website operations at Bank of
America and at least five other major US banks used compromised Web
servers to flood their targets with above-average amounts of Internet
traffic, according to five experts from leading firms that worked to
mitigate the attacks.

The distributed...

Posted by InfoSec News on Oct 03


By John Leyden
The Register
3rd October 2012

A US government agency has selected cryptographic hash function Keccak
as the new official SHA-3 algorithm.

The National Institute of Standards and Technology's decision to pick
the nippy system as the replacement for SHA-1 and SHA-2 marks the end of
a six-year competitive process. Five algorithms were left in the running
at the end, including...

Posted by InfoSec News on Oct 03


By Luke Allnutt
The Atlantic
Oct 3, 2012

As a lawyer not particularly immersed in the technology world, Jay
Leiderman first became interested in the hacker collective Anonymous
around December 2010. That was when Anonymous activists launched
distributed denial of service attacks (DDoS) against Mastercard and

Posted by InfoSec News on Oct 03


By Brittany Ballenstedt
Oct 3, 2012

October marks National Cybersecurity Awareness Month, and as part of
that effort, an advisory council at the Homeland Security Department has
put forth 11 recommendations for the government in how it can best
develop, recruit and retain sophisticated cybersecurity talent....