InfoSec News

Hundreds of popular websites -- including Google, Facebook, Yahoo and Bing -- are participating in a 24-hour trial of a new Internet standard called IPv6 on June 8, prompting worries that hackers will exploit weaknesses in this emerging technology to launch attacks.
 
Apple outlined the changes that iOS 5, due for release this fall, will bring to iPhone, iPad and iPod Touch users. The devices are being cut free from computers and tied more closely into new cloud services.
 
Thanks to two brief demonstrations of Microsoft's next-generation operating system, third-party Microsoft Windows developers are expressing frustration over what they consider a lack of clear direction on how to develop applications for Windows 8.
 


DHS Issues New Metric to Assess Gov't Infosec
GovInfoSecurity.com
A lot has been made over the past few years about the ineffectiveness of federal agencies filling out forms to determine whether government IT systems are truly secure. What many IT security experts feel is needed is automated, continuous monitoring of ...

 
A battle is in full swing on Wikipedia over Sarah Palin and her recent take on Paul Revere's historical ride.
 
With congressional hearings on data theft following the Sony PlayStation data breach of 100 million records, and news from companies such as Epsilon, HB Gary, RSA and Barracuda Networks about recent cyberattacks, security of data in an online, interconnected world has become a mainstream topic.
 
Verizon Wireless is violating FCC rules by blocking users from using third-party tethering applications on Android smartphones, media reform group Free Press said in a complaint to the agency Monday.
 
Analyst firm IDC has lowered its expectations for the global PC market this year, blaming the drop on the demand for tablet computers, the economy and a bad first quarter.
 
Apple CEO Steve Jobs today took the stage at his company's annual developers conference to tout the new iOS 5, the upcoming Lion edition of Mac OS X and the firm's new cloud service, iCloud.
 
In a move that could help eBay improve its tools for online store developers, it has acquired Magento, the maker of an open source e-commerce platform.
 
While directory-focused security initiatives and database-driven customer data integration (CDI) projects might seem to have little in common, a look under the hood reveals they begin with the same need, and would both benefit from a common infrastructure -- an "identity and context service."
 
Hewlett-Packard announced a series of upgrades to its storage products, including the addition of data snapshots, and a portfolio of pre-configured storage systems.
 
Motorola is backtracking on comments its CEO made last week about the impact Android apps have on phone performance.
 
OProfile 'opcontrol' Utility 'set_event()' Local Privilege Escalation Vulnerability
 
libxml2 Invalid XPath Multiple Memory Corruption Vulnerabilities
 
Java HotSpot Cryptographic Provider signature verification vulnerability
 
Apple today said it would ship Mac OS X 0.7, aka "Lion," next month, and sell it exclusively through its own Mac App Store for $29.99.
 
The People's Daily newspaper, run by the Communist party of China, today published a front page editorial criticizing Google's contention that the country's government was behind a recent phishing attack on hundreds of Gmail users.
 
Adobe Flash Player CVE-2011-2107 Cross Site Scripting Vulnerability
 
[SECURITY] [DSA 2255-1] libxml2 security update
 

NetClarity NACwall NextGen Appliances Now Control All Untethered Netbook ...
San Francisco Chronicle (press release)
NetClarity, Inc., the leading provider of Next Generation (NG) Network Access Control technology in the marketplace today, on the heels of receiving the "Most Innovative New Security Product for 2011" award from InfoSec Products Guide, unveiled NACwall ...

 
Left unsaid--typically, anyway--in most discussions about cloud computing is the implicit threat that it will be the cause of job losses. The clamorous suspicion that many IT groups display toward public cloud services seems to have a large emotional component to it, and highly-charged negative emotions typically reflect visceral fear. It's difficult to conclude that some (if not much) of the resistance from internal IT groups to the use of public cloud resources boils down to simple worry about unemployment.
 
Software asset management (SAM) covers a complex cross section of IT and business and can pose an integration problem between IT, purchasing and finance. For this reason the focal point of license management is transparency. And consistent transparency can only be realized through consistent data quality management.
 
Apple is expected to tout iCloud, talk up iOS 5 and Mac OS X 10.7, better known as Lion, at its Worldwide Developers Conference. Macworld is on hand for today's keynote address by CEO Steve Jobs.
 
Hewlett-Packard will show off multiple systems built for specific purposes at its user conference this week in Las Vegas.
 
Autonomy KeyView Applix Document Filter Buffer Overflow Vulnerability
 
Fetchmail STARTTLS Remote Denial of Service Vulnerability
 
Drupal Color Module HTML Injection Vulnerability
 
Drupal Private File and Node Module Security Bypass Vulnerability
 
ESA-2011-009 (revised): RSA, The Security Division of EMC, announces new fix for potential security vulnerability in RSA(r) Access Manager Server.
 
Adobe today confirmed that the Flash Player bug it patched Sunday is being used to steal login credentials of Google's Gmail users.
 
Google's Android continued as the top smartphone operating system in the U.S. in ComScore's latest ranking, while Apple's iPhone displaced the BlackBerry for second place.
 
Apple is expected to tout iCloud, talk up iOS 5 and Mac OS X 10.7, better known as Lion, at its Worldwide Developers Conference. Macworld is on hand for today's keynote address by CEO Steve Jobs.
 
While many enterprises have been able to creatively manage IT demand through the recession without much infrastructure change, exponential data growth is driving the need for infrastructure consolidation and optimization.
 
Squiz Matrix - Cross-Site Scripting Vulnerability
 
PopScript Multiple Vulnerabilities
 
[SECURITY] [DSA 2254-1] oprofile security update
 
RSA Access Manager Server CVE-2011-0322 Security Bypass Vulnerability
 

NetClarity NACwall NextGen Appliances Now Control All Untethered Netbook ...
DigitalJournal.com (press release)
NetClarity, Inc., the leading provider of Next Generation (NG) Network Access Control technology in the marketplace today, on the heels of receiving the “Most Innovative New Security Product for 2011” award from InfoSec Products Guide, unveiled NACwall ...

 
IBM kicks off its annual Innovate Conference with a slew of updated software life-cycle management tools to support software-development teams on a large scale.
 
Sprint said it will start selling an HTC 4G tablet and the Evo 3D smartphone on June 24.
 
The 2011 Marconi Prize, sometimes described as the Nobel Prize in Information Technology, has been awarded to two major contributors to cellular communications: Qualcomm Co-founder Irwin Jacobs and the late information theorist and professor Jack Wolf.
 
fetchmail security announcement fetchmail-SA-2011-01 (CVE-2011-1947)
 
Adobe issued an update Sunday repairing the Flash Player flaw in the wake of targeted email attacks attempting to exploit the flaw.

 


Dearth of Experts Puts IT at Risk
GovInfoSecurity.com
The 2011 survey of 205 government IT security professionals also reveals that by a 2-to-1 margin they feel it is difficult or somewhat difficult to recruit qualified infosec experts to hire. "Finding qualified IT security specialists is one of the ...

 
Panelists debate what it will take to get the JVM language into enterprises
 
Oracle this year has dramatically slowed its growth-by-acquisition strategy to concentrate instead on integrating Sun into the company, finishing work on the long-awaited Fusion Applications and filling gaps in its product portfolio.
 
Most EU countries are ignoring a new privacy law on website cookies.
 
Medco and Verizon Wireless released a mobile application that guides smartphone users to locations where they can purchase the lowest-cost prescription drugs.
 
Much of SaaS purchasing comes from business groups outside of the IT department, according to a Forrester Research report.
 
Toyota teams up with Salesforce.com and Microsoft to create a social network for buyers of Toyota electric cars.
 
Volkswagen is realigning its IT operation so it can play a bigger role in the automaker's effort to build a new generation of cars that are infused with intelligence, connectivity and many other new capabilities.
 
The Pentagon is expected to announce a cyberstrategy this month that concludes a cyberattack on the U.S. can be an act of war, and while the damage from such an assault may warrant that position, hopefully this just amounts to loud barking given the perils involved.
 
Several factors have combined to make the iPhone's and iPad's operating system into what is arguably the most secure commercial OS -- desktop or mobile
 
Silver Peak today announced the release of its fastest WAN optimization appliance, which offers up to 2.5Gbit/sec of bandwidth for disaster recovery as well as cloud and virtual environments.
 
Windows 7's market share is expected to pass XP in the third quarter 2012, just when Windows 8 is expected to arrive.
 

I live in a country where theft by electronic means is at fairly high levels. There are criminal organizations that are responsible for using various techniques to steal usernames and passwords for online banking web pages, duplicating the bank web pages on sites that have security problems (allowing file uploads) and that are used by attackers to host them.

I want to discuss in this diary a very commonly used technique, which consists of spoofing a URL in the status bar of browsers and in links sent by e-mail. At the end of this text you will find the Spanish version, which is a translation of this English text.

For demonstration purposes, we will use the following URL: http://xeyeteam.appspot.com/media/agh4ZXlldGVhbXINCxIFTWVkaWEY-cIwDA/spoof_StatusBar.html. When you pass the mouse over the URL, you can see the website www.google.com. If you click it, it leads to a different place. If you view the source code, the browser is first detected using javascript. After that, the status bar is modified using javascript that writes information using properties in a style sheet customized for each browser:





Let's see another example. If you use http://handlers.dshield.org/msantand/spoofexample.html, you will get a link pointing to youtube. If clicked, it will take you to the SANS Institute website. If you view the source code, when the mouse is not over the link the URL is rewritten using the href property of the element:



Unfortunately, at this time the code used in both examples is legitimate to browsers and is executed like any other code. The only solution is to enforce user awareness and make users keep in mind that legitimate companies or people will not ask them for personal information by e-mail or websites, and that they should not click any link sent by e-mail.
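The two patterns described above (link text or status bar that names one host while the real target is another, and a mouse handler that swaps the href) can be screened for before a message reaches a user. The following is an added example, not code from the diary or from the demonstration pages: a static check over raw HTML such as an e-mail body, written with regexes so it runs in plain Node without a DOM. The `.example` hosts in the sample are constructed placeholders.

```javascript
// Added example (not from the diary): flag anchors whose visible text names a
// host other than the href target, or that carry mouse handlers rewriting href.
const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
const ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const HOST_IN_TEXT_RE = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:\/\S*)?/i;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Strip a leading "www." so www.google.com and google.com compare equal.
function normHost(h) {
  return h.toLowerCase().replace(/^www\./, '');
}

// Host of an absolute URL, or null when href is not a parseable URL.
function hostOf(href) {
  try { return normHost(new URL(href).hostname); } catch { return null; }
}

function findSpoofedLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    const text = m[2].replace(/<[^>]*>/g, '').trim();
    const href = attrs.href || '';
    const reasons = [];
    // Second pattern on the page: a mouse handler swaps href (or window.status).
    for (const ev of ['onmouseover', 'onmouseout', 'onmousedown', 'onclick']) {
      if (attrs[ev] && /\bhref\b|\bstatus\b/i.test(attrs[ev])) {
        reasons.push(`${ev} handler rewrites href/status`);
      }
    }
    // First pattern: the visible text names a host other than the real target.
    const textHost = text.match(HOST_IN_TEXT_RE);
    const realHost = hostOf(href);
    if (textHost && realHost && normHost(textHost[1]) !== realHost) {
      reasons.push(`text says ${textHost[1]} but href goes to ${realHost}`);
    }
    if (reasons.length) findings.push({ href, text, reasons });
  }
  return findings;
}

// Constructed sample: one honest link, one text/href mismatch, one mouseout swap.
const SAMPLE_HTML = `
<p>Search at <a href="https://www.google.com/">www.google.com</a></p>
<p><a href="http://phish.example/login">https://www.mybank.example/login</a></p>
<p><a href="http://www.youtube.com/" onmouseout="this.href='http://www.sans.org/'">Video</a></p>`;
```

`findSpoofedLinks(SAMPLE_HTML)` reports the second and third anchors and leaves the honest Google link alone; in a mail gateway the same check would run over each HTML part before delivery.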

------------------------------------------------START OF SPANISH VERSION (translated to English)------------------------------------------------

I live in a country where theft by electronic means is at fairly high levels. There are criminal organizations that use various techniques to steal the usernames and passwords of online banking sites, duplicating the banks' web pages on websites that have security problems allowing file uploads, which the attackers use to host these fraudulent facades.

In this diary I want to discuss a commonly used technique, which consists of spoofing a URL in the browser status bar or in links sent by e-mail. Let's use the following demonstration URL: http://xeyeteam.appspot.com/media/agh4ZXlldGVhbXINCxIFTWVkaWEY-cIwDA/spoof_StatusBar.html. When you pass the mouse over the URL, the website www.google.com appears. If you click it, it takes you to a different site:

Let's look at another example. If you access the page http://handlers.dshield.org/msantand/spoofexample.html, you will find a link pointing to the youtube website. If you click it, it will take you to the SANS Institute website. If you look at the source code, when the mouse is not over the link, the link is modified using the element's href property:

Unfortunately, the code shown in both examples is legitimate to browsers, and so it runs like any other code. The only solution to this problem is to reinforce user awareness, making sure users always keep in mind that no legitimate party will ask them for personal data by e-mail or websites, and that they should not click any link they receive by e-mail.

------------------------------------------------END OF SPANISH VERSION------------------------------------------------
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Anonymization and cryptography technologies, virtual cash, and drug dealer reputation tracking create a new marketplace
 
When David Lafferty arrived at Tidewell Hospice two years ago as the care provider's first CIO, customer relationship management was a bit of what he calls a "milk crate" operation.
 
As most parents and teachers can attest, teenage students have a tendency to procrastinate - not a particularly endearing characteristic, especially if you're a company that helps students with their college applications.
 
Capgemini CTO Joe Coyle lists six must-ask questions for prospective IAAS providers
 
Making the leap to a public cloud infrastructure requires careful planning.
 
A colleague recently sent around this quote from a university CTO he interviewed for an upcoming article: "We're not building some generic Joni Mitchell cloud. The thing we're trying to do is build a cloud that is really infrastructure and services, not some vanilla, virtualized blah, blah, blah."
 
These days, companies are applying the software-as-a-service (SaaS) model to just about everything, from core business functions, including IT, to industry-specific processes. This list, compiled with the help of SaaS trend watchers and users, provides a representative look at what types of software you'll find offered in the cloud.
 
Subversion 'mod_dav_svn' Multiple Denial of Service and Information Disclosure Vulnerabilities
 

'Confessions of a security professional'
InformationWeek India
Here are some harsh truths why an information security professional may not be the happiest person at the workplace: While it isn't necessarily on anyone's personal goals' list to be the most popular chap around the water-cooler, but infosec ...

 