InfoSec News

The myth of the infosec silver-bullet
Secure Computing
Until recently, the cybersecurity industry was a disparate group of vendors claiming their respective solutions, tools, systems, modules and platforms would ensure bulletproof protection against malicious cyber activity. ...

The CEO of password management company LastPass says it's highly unlikely hackers gained access to his millions of users' data--but that he doesn't want to take any chances.
LastPass, an online password management provider, is forcing its users to change their master passwords after detecting what it described as a "traffic anomaly" on one of its database servers.
NIST Documentation Warrior
This is going to be a short review. Not because the free and open-source S.M.A.R.T. Monitoring Tools aren't useful, but simply because they're, well, simple. Run from the command line, they tell you everything you need to know about your hard drive's health, i.e., the S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology) info and you can even instruct them to initiate your drive's S.M.A.R.T. self-test.

Game time!
A realistic infosec career simulator. Not super fun. Collect as many red flags as you can while dodging red herrings and HR bombshells. Add life points by finding Maalox bottles to improve internal controls. Case-management interface is a bit kludgy, ...

Google said its Android 3.0 operating system running tablets now supports the display of buildings in 3D through Google Earth.
The open-source Mozilla project said Thursday it won't comply with a U.S. Department of Homeland Security request to remove a Firefox add-on that helps redirect Web traffic for sites that have been seized by the government.
Intel's new 3D transistor technology should position the chip maker to grab a piece of the burgeoning tablet market that it's been missing out on.
Python CGIHTTPServer Module Information Disclosure Vulnerability
Widelands Arbitrary File Overwrite Vulnerability
Apple's iPhone is inching closer to Nokia's top spot in smartphones globally, according to first-quarter 2011 results reported by IDC on Thursday.
Responding to criticism of its management structure after consecutive quarters of uninspiring performance, Cisco this week restructured operations in an effort to streamline sales and engineering in five product areas.
Microsoft today said it will patch a critical bug in its Windows server software and two other vulnerabilities in PowerPoint, the presentation maker bundled with Office.
A new report produced by noted security researcher Marc Maiffret outlines free steps companies can take to greatly reduce the attack surface.

Microsoft will revamp its Exploitability Index this month when it issues Patch Tuesday bulletins addressing flaws in Microsoft Windows and Office PowerPoint.

Sony Ericsson unveiled the Xperia Mini and Xperia Mini Pro smartphones in London on Thursday. Each runs Android 2.3 and is powered by a 1GHz Snapdragon processor.
IDC on Thursday predicted that ARM will capture a 15 percent share of the PC microprocessor market by 2015, as the company dials up development of processors for laptops and desktops.
A look at why DTCC deployed identity and access management software from Hitachi ID Systems to automate its password management processes.
House Republicans say existing antitrust laws are enough to protect broadband customers from selective blocking by providers.
As Red Hat grows, it attracts more lawsuits from patent trolls and has to settle many of them, CEO says.
PR10-13: Multiple XSS and Authentication flaws within BMC Remedy Knowledge Management
The hacking group Anonymous has denied responsibility for the attack on Sony's networks, claiming that it has "never...engaged in credit card theft."
Cloud computing will require less implementation skills but more architecture chops, according to IT executive panel discussions on cloud computing at Wired magazine's CIO Leadership Forum.
Mozilla Firefox/SeaMonkey CVE-2011-0076 Privilege Escalation Vulnerability
Mozilla Firefox WebGLES library Multiple Memory Corruption Vulnerabilities
HTB22969: CSRF (Cross-Site Request Forgery) in VCalendar
Mozilla Firefox/Thunderbird/SeaMonkey Out-Of-Memory Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey Double Free Memory Corruption Vulnerability
HTB22968: XSS in PHP Directory Listing Script
Barnes & Noble will bring a new Nook to the e-reader wars later this month, according to a filing with the U.S. Securities and Exchange Commission.
t2'11: Call for Papers 2011 (Helsinki / Finland)
HTB22971: XSRF (CSRF) in PHPDug
HTB22970: Multiple XSS vulnerabilities in PHPDug
Cisco Security Response: Cisco IOS Software Denial of Service Vulnerabilities
Scott writes:
It seems that LastPass is claiming a possible breach and has taken extraordinary measures that may be causing a bigger issue.
Users are reporting the inability to get access to their data, and when I finally completed the REQUIRED migration process, my data appears corrupted and unusable. A second has already reported the same corruption. So this is not an isolated case.
There is no follow-up from support yet, so who knows, but I strongly suspect my data is irrevocably lost, as that was a one-time data re-encryption process (with no option to perform a backup!)
Recommendation for other LastPass users - wait until support comes back with an update.
John sent us a link to a Brian Krebs article on the topic

Leave a diary comment and let us know what you think about password managers and how you (hopefully) manage unique usernames and passwords for every site you visit.

Personally, I have an algorithm I've developed that allows me to determine a unique username and password for every online account I have, that I can figure out when arriving at the site.

Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Global spending on enterprise software grew 8.5% in 2010 to $245 billion following a 2.5% drop-off in 2009.
Two Motorola developed Android smartphones were unveiled today by the manufacturer and carrier Sprint.
PHP Calendar Extension 'SdnToJulian()' Remote Integer Overflow Vulnerability

CERT Societe Generale has released a nice cheat sheet for Windows incidents.

You can find this cheat sheet and other information on CERT Societe Generale at:

Take a look at it and let us know if you find it useful.

Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Opera Software has released Dragonfly, a development and debugging tool integrated into its browsers, the company said.
China's largest search engine Baidu is preparing to offer free legal music downloads, as part of a push by the company to move away from its reputation as a provider of pirated content.
Microsoft said it will not help Windows Phone users who updated their smartphones last month with an unsanctioned tool and are now unable to apply a security update.
Free Android tethering apps in the Android Market were reportedly blocked this week by AT&T, Verizon Wireless and T-Mobile. Are you OK with the move?
A new crop of software tools lets Volkswagen and other companies show their wares to customers in 3D and more effectively train service techs.
The possibility of Facebook entering China has started to draw political scrutiny, with U.S. senator Dick Durbin questioning whether a rumored tie-up between the U.S. social networking site and Chinese search engine Baidu would affect users' free speech and privacy.
California is a step closer to getting the first Do Not Track legislation in the U.S., aimed at protecting Internet users from invasive advertising.
Netflix has fired a call center worker for stealing credit card numbers from customers of the online movie service.
SSSD Kerberos Ticket Renewal Cached Password Security Bypass Vulnerability