InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Recently, attacks by the not-so-sophisticated persistent threat focused on e-mail security. In many cases, e-mail credentials were either brute forced or retrieved from compromised databases (in some of these cases, password re-use was a contributing factor).
During Wednesday's threat update webcast, I would like to do a segment focusing on e-mail security, and was wondering what our readers do to secure e-mail. Some of the challenges I see:
- the use of cloud-based e-mail services like Gmail.

- mobile access to e-mail

- access to e-mail from multiple devices

- e-mail encryption and authentication (PGP, S/MIME)

- e-mail forwarding security (if someone has e-mail forwarded to a personal e-mail address)
Please let me know if you have any novel ideas to address these problems that I should cover, or if you would like me to cover any additional questions.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

phpShowtime 'r' Parameter Directory Traversal Vulnerability
A few months ago, the good folks at No Starch Press sent me a review copy of Chris Sanders' book Practical Packet Analysis, Using Wireshark to Solve Real-world Problems, 2nd Edition. While this isn't something we normally do here, since it has been a rather slow day at the Internet Storm Center, I thought this would be a great opportunity to share a short review of the book. As many of our regular readers are probably aware, I tend to use command-line tools such as tcpdump, snort, tshark, scapy, or even Perl to perform packet analysis. I prefer the command-line tools because when possible I like to script my analysis and GUI tools don't lend themselves to that.
This book (actually, starting with the 1st edition) was one that had been on my list of books I wanted to read for quite some time, but I had never gotten around to buying it, so I jumped at this opportunity when it presented itself. I really wanted to love the book, but wasn't quite able to get there. if aimed at experienced networking folks, why bother with explaining the OSI model again). Even so, I did like the book. Starting with chapter 8 is where I think the book really becomes worthwhile. I especially like the idea of using real-world scenarios (even if sometimes a bit contrived) to teach the features of a tool. This is often one of the best ways to teach new techniques or concepts. I learned some new tricks for both wireshark and tshark which itself would have made it worth the price to me. I'm not going to give it stars or anything, but I do recommend this book to folks that aren't wireshark experts (and even those who have plenty of wireshark experience may pick up a new trick or two).

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu
EMC has big plans this year for the VFCache flash storage it introduced on Monday, with the coming enhancements including SSDs, 1TB cards, integration with VMware and less expensive MLC flash media.
Customer support organizations were the earliest of adopters for CRM systems. Thanks to call center software and the need to drive cost reductions and faster service turn-around cycles, the customer support organization developed solid business processes, comprehensive measurement and good discipline. But that's all so last-century.
With new CEO Rory Read at the helm for about six months, Advanced Micro Devices has turned its attention to the lucrative and burgeoning tablet market.
Adobe has launched the public beta of a new Flash Player sandbox feature for Firefox users, making attacks more difficult for cybercriminals.

Lenovo's ThinkPad Tablet will get an upgrade to Google's latest Android 4.0 OS starting in May, Lenovo said on Monday.
Oracle Solaris CVE-2012-0096 Remote Vulnerability
Google has failed in its latest attempt to keep a potentially damaging email out of the lawsuit Oracle filed against it over alleged Java intellectual-property violations in the Android mobile OS.
Ghostscript CVE-2010-4820 Library Search Path Local Privilege Escalation Vulnerability
A federal lawsuit filed in Massachusetts could test the question of whether individuals who leave their wireless networks unsecured can be held liable if someone uses the network to illegally download copyrighted content.
U.K.-based cash-transport firm G4S is trusting the security of Microsoft's Windows Azure cloud service to keep safe the application that tracks where the money is as it travels to and from customers and the company's vaults in armored trucks.
Microsoft will scratch the 17-year-old Start button from Windows 8, according to reports based on a purported leak of the latest beta build.
The global semiconductor market is showing signs of a healthy recovery after a rough 2011 in which year-over-year growth was flat, the Semiconductor Industry Association said.
Apple was the top seller of smartphones worldwide and in the U.S. last quarter, analysts said today.
Pennsylvania State University researchers have devised a technique for embedding an electronic junction directly into optical fiber, which potentially paves the way for more streamlined optical components.
Redbox and Verizon are working on a streaming video service to take on Netflix, but so far have said little about how it will work.
Speculation is circulating online that Facebook is getting ready to launch mobile ads, possibly as soon as next month.
Google on Monday released a video regarding its Solve for X project, which the company says is "a place where the curious can go to hear and discuss radical technology ideas for solving global problems."
A researcher calls the state of industrial control system security "laughable" and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet.

Contrary to reports, the Kelihos botnet has not crawled out of the grave, Microsoft said last week. But the company acknowledged that a new botnet is being assembled using a variant of the original malware.
Serious technical problems that have delayed the rollout of an upgrade to SAP's community portal are persisting, to the point where the company is no longer specifying a launch date.
Federal regulations forbid making calls from cell phones while aboard U.S. commercial planes in-flight, but Wi-Fi services could eventually permit voice and video calls over the Internet for a fee.
Rogue PHP pages that redirect users to work-at-home scams have been added to hundreds of websites hosted at DreamHost following a security breach suffered by the company in January, researchers from cloud security vendor Zscaler said.
The BitTorrent search engine BTJunkie has shut down its website, the latest file-sharing site to take defensive action following law enforcement's shutdown of MegaUpload last month.
IT professionals know that handing data over to a third party is always risky, but cloud computing creates unique concerns for IP. Here are nine tips to protect critical corporate data wherever it goes.
Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the 2011 Data Breach Investigations Report [PDF link] by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?
[SECURITY] [DSA 2405-1] apache2 security update
[SECURITY] [DSA 2404-1] xen-qemu-dm-4.0 security update
[SECURITY] [DSA 2384-2] cacti regression
Microsoft is gearing up to release a phalanx of native mobile applications for its CRM software, with clients aimed at BlackBerry, Windows Phone 7, iOS, and Android 2.2 and higher devices, the company announced Monday.
Intel today started shipping its fastest solid-state drive to date, the 520 Series SSD, sporting its smallest 25nm NAND flash memory and SandForce's SATA 3.0 controller with 500MB/sec-plus performance.
Adobe security and privacy director Brad Arkin urges the security industry to develop technologies that make exploit writing costly.


SANS Institute to Host Inaugural Mobile Device Security Summit
Sacramento Bee
6, 2012 /PRNewswire-USNewswire/ -- To help InfoSec professionals better prepare for and fend off security risks associated with mobile devices, SANS Institute will host its first Mobile Device Security Summit, March 12-15 in Nashville, TN.
Google has agreed before a court in Delhi to remove religious and other content considered objectionable, though some other Internet firms are likely to appeal the court's decision, plaintiff Mufti Ajiaz Arshad Qasmi said on Monday.
Symantec announced new versions of its flagship backup applications for SMBs and the enterprise, adding more support for virtual machines, a cloud storage offering and integration of snapshot and backup management.
After facing a disappointing financial fourth quarter, HTC has reviewed its under-performing products from last year, making changes in design and components for its future smartphones, according to its CFO Winston Yung.
Cacti Multiple Cross Site Scripting and HTML Injection Vulnerabilities
Backing up can be easier if you send your data to the cloud. We look at 5 of the most well-known online backup services to see how they compare.
Backing up can be easier if you send your data to the cloud. We look at five of the best-known online backup services to see how they compare.
Mozilla Firefox and SeaMonkey 'Firefox Recovery Key.html' Insecure File Permissions Vulnerability
Mozilla Firefox/SeaMonkey/Thunderbird Cross Domain Security Bypass Vulnerability
Launched four years ago, the use of Wi-Fi on U.S. commercial aircraft has yet to catch on, with estimates that the wireless technology is still used by only 7% of the flying public.
Many of training's benefits are intangible and won't show up in an ROI analysis.
Cacti Multiple Cross Site Scripting Vulnerabilities
Cacti Cross Site Scripting and HTML Injection Vulnerabilities
One of the most anticipated debuts of a startup company happens today when Nicira, a maker of network virtualization software, comes out of stealth mode.
Cloudyn is launching a hosted service on Monday that aims to monitor a company's cloud usage and recommend ways to optimize that usage in order to cut costs.

Posted by InfoSec News on Feb 05


By Shaun Waterman
The Washington Times
February 5, 2012

Hackers being hunted by police worldwide eavesdropped on FBI and
Scotland Yard officers investigating them.

The Internet outlaws, part of a loose coalition called Anonymous, got
access to a telephone conference call between U.S. and British
investigators and then posted a recording of their...

Posted by InfoSec News on Feb 05


By Kelly Jackson Higgins
Dark Reading
Feb 03, 2012

CANCUN, MEXICO -- Kaspersky Security Analyst Summit 2012 -- One of the
many challenges faced by law enforcement worldwide in investigating
cybercrime cases is the ability to efficiently share intelligence among
different nations and to disseminate it to the...

Posted by InfoSec News on Feb 05


By Bob Brewin

Large-scale Army battlefield network tests last summer did not include
mobile operation scenarios and did not feature robust attacks against
the networks, the Defense Department's test organization said in its
annual report to Congress.

The ambitious six-week Army network integration evaluation at White
Sands Missile Range, N.M., last summer, which...

Posted by InfoSec News on Feb 05


By Jaikumar Vijayan
February 3, 2012

A Hungarian hacker who attempted to extort money from Marriott
International Inc. by stealing confidential data from its computers and
threatening to expose it was sentenced to 30 months in prison.

Attila Nemeth, 26, will also serve three years of supervised release
following his...

Posted by InfoSec News on Feb 05


Bits The New York Times
February 3, 2012

Hackers claiming to be members of the loose hacking collective Anonymous
took credit for knocking the Citigroup and Citibank Web sites offline on
Friday. At times the sites were only sporadically available, and some
attempts to log into banking accounts were met with an error message.
