InfoSec News

Alleged Anonymous, LulzSec hackers charged in connection with attacks on Sony, PBS, HBGary and others.

With software-as-a-service and other types of cloud computing becoming de rigueur at many companies, CFOs should be bringing other business managers up to speed on the basics of contracting.
Lulzr00t keeps gaining speed, with their number of hacks growing rapidly; this new group may become a serious threat to anyone in their way in the long run. Moments ago Lulzr00t hacker Apach3Z leaked 38 accounts linked to the Road Board of the Philippines website, including the root and SQL administrator accounts. The leak [...]

Linux Kernel XFS Filesystem 'fs/xfs/xfs_acl.c' Integer Overflow Vulnerability
Too often, organizations jam all their compliance tasks into the quarter when the audit is due. Read advice for reducing compliance fatigue.

The National Institute of Standards and Technology (NIST) has released in final form a guide to enhanced security for wireless local area networks (WLAN). A WLAN is a group of wireless networking devices within a limited geographic area, ...
Adobe Flash Player CVE-2012-0769 Remote Code Execution Vulnerability

Sydney Morning Herald

LulzSec Leader Turns Informant As Feds Arrest Key Members Of Hacking Group
Dark Reading
"If you're running infosec, it's not time to take a deep breath. There are still a lot of attackers out there," says Josh Shaul, chief technology officer for Application Security Inc. "We've got to keep our guard up and remember what these people [who ...
FBI flips LulzSec's leader – uses him to target other members
The Tech Herald
Security experts say it's too early to tell how much damage has been done to the hacking groups that operate under the loose affiliation of Anonymous.
Google has cut the price of its Cloud Storage, a hosted service designed for enterprise developers who want to store their applications' data in the cloud, as opposed to in their own servers.
Social networking sites like Facebook and Twitter lit up this week, and conservative commentator Rush Limbaugh is feeling the effects.
Security analysts said that today's FBI arrests of several prominent members of LulzSec and Anonymous highlight the seriousness with which U.S. law enforcement is treating the hacktivist activities espoused by such groups.
IT workers who have experience with five popular technologies may see significant salary increases this year, according to a study from IT staffing firm Bluewolf.
Two Republican lawmakers have asked President Barack Obama's administration to investigate whether agencies are regularly monitoring federal workers' private email accounts after reports of the U.S. Food and Drug Administration firing employees over comments made in personal email messages.

Traditional antivirus vendors are doing a good job detecting and blocking known mobile malware, according to Av-Test, a Germany-based independent service provider that tests antivirus and antimalware software.

The firm tested the detection capabilities of a variety of available Android mobile security apps using a malware set of 618 malicious application package (APK) files. Malicious apps that were discovered between August and December 2011 were included in the test set.

Avast, Dr.Web, F-Secure, Ikarus and Kaspersky rated highly, according to the firm’s latest analysis, Test: Malware Protection for Android 2012 (.pdf), issued today. Zoner and Lookout, two independent security firms with mobile security apps, also performed well, Av-Test said. These apps had a detection rate of more than 90%.

Products that fell between 65% and 90% included AegisLab, AVG, Bitdefender, ESET, Norton/Symantec, Quick Heal, Super Security, Trend Micro, Vipre/GFI and Webroot. Despite falling below 90%, Av-Test said these mobile security apps are still very good and should be considered.

“Some of these products just miss one or two malware families, which might be not prevalent in certain environments anyway,” Av-Test said in its report.

Mobile malware continues to make up about 1% of overall malware, but despite the threat currently being minimal, experts at RSA Conference 2012 have pointed to a variety of attacks, from banking Trojans to SMS fraud, which could pose a threat to enterprise networks. Some say attackers are not too far away from weaponizing applications to perform a variety of functions all aimed at collecting as much data as possible about the device owner.

Judging by the attendance at the mobile sessions during the conference, it’s clear that security professionals are concerned about mobile device security and are looking for ways to gain control and visibility into employee devices at the endpoint. Both Google Android and Apple iOS have been built with security features right into the platform.

“I would go as far as to say they are probably the most secure platforms ever built,” Kevin Mahaffey, CTO of Lookout told me in a mobile security interview at RSA Conference. Sandboxing and granular permissions that limit the device capabilities available to installed mobile applications make it much harder for an attack to be successful, Mahaffey said.

“We haven’t really seen malicious use of vulnerabilities on mobile devices yet, but plenty of researchers have demonstrated that it’s possible. There’s no magic pixie dust in iPhone or Android that makes it somehow immune from all the problems on the desktop,” Mahaffey said.

Anup Ghosh, founder and CEO of browser security vendor Invincea, shares a different view about the Android platform. At RSA Conference, Ghosh told me Android users should be concerned about mobile malware. Apple has done a good job of controlling its platform, keeping its ecosystem closed off to potential malware writers. Meanwhile, Android is using Java as part of its sandboxing strategy. It’s highly buggy, Ghosh said, with a lot of native interfaces to the underlying firmware.

According to Ghosh: “When you download an app from the Android store you are giving explicit permissions, giving that app access to all kinds of system resources, which are all holes to that sandbox. It’s a fairly rich environment for adversaries to write malware. We’re still early as far as malicious code development goes, but they will follow the money.”

It doesn’t hurt to have a layer of security for protection. Mahaffey said a good mobile security app can protect device owners from malware or spyware, provide safe browsing capabilities and locate lost and stolen devices.

Av-Test said that its test identified a group of 17 trustworthy mobile security apps. Even where a mobile security app performed poorly in the detection tests, some have other capabilities, such as remote lock and wipe, backup and phone locating, that may make them useful.

The firm tested the latest version of available mobile security apps using an Android emulator running the Gingerbread version of Android. The results were verified on a Samsung Galaxy Nexus running the latest Android version, Ice Cream Sandwich.

Twitter plans to make itself more user friendly and will add analytics tools to help companies track what customers and competitors are saying in Tweets, according to Mike Brown, director of corporate development at Twitter.
The company, which has made many acquisitions in the last five years, faces integration challenges as it moves more broadly into SaaS, managed security services, analyst says.

Apple is expected to take the wraps off its next iPad at a special event Wednesday beginning at 1 p.m. ET (10 a.m. PT). Macworld will be liveblogging the event, and you can bookmark this link to view the news as it unfolds.
Intel on Tuesday announced the Xeon E5-2600 processors for 2- and 4-socket servers, which is the company's first major chip upgrade for industry standard x86 servers in close to two years.
Apple will not be able to meet demand for the new iPad when it goes on sale later this month, analysts said.
Microsoft has released to manufacturing the newest version of its relational database, SQL Server 2012, the company announced Tuesday. The software will be available for customer purchase on April 1.
In an attempt to learn how to use social media to bridge the divide between countries, Israeli President Shimon Peres visited Facebook's headquarters Tuesday.
Within three years the personal cloud will be ubiquitous on consumer devices, Gartner predicts in a research report released Tuesday.
A federal judge yesterday extended an operation that will keep hundreds of thousands of users infected with the "DNS Changer" malware connected to the Internet until they can scrub their machines.
As smartphones and tablets surge in number, mobile workers are less satisfied with their wireless network services, a new poll from iPass has found.
Google's consolidation of its many privacy policies hasn't shaken the foundations of individuals' privacy rights enough to bring them tumbling down.
Amazon Web Services has reduced prices for its infrastructure-as-a-service (IaaS) offerings, the 19th time the cost of cloud-based services from the market-leading company has dropped in six years.
Top server makers on Tuesday announced major product upgrades with Intel's new Xeon E5 processors and technologies that deliver better performance and throughput for robust virtualization and cloud deployments in data centers.
In an attempt to learn how to use social media to bridge the divide between countries, Israeli President Shimon Peres is visiting Facebook's headquarters today.
The Los Angeles Unified School District plans to turn many of its 700,000 students into "smart sensors," to help keep the school facilities running smoothly.
Adobe Flash Player update addresses two vulnerabilities that can be targeted by attackers to execute malicious code and obtain sensitive information.

In a major break for law enforcement, several members of the LulzSec and Anonymous hacking groups were arrested this morning based on information provided by "Sabu," the shadowy LulzSec leader who was secretly arrested last year.
Towards the end of February we did a post about a hacker who uses the handle Vicky-Cyber; the hacker had defaced a small number of sites. Well, now they have contacted us via a comment and posted a pastebin dump of 1300+ further sites that have been defaced.

[TSI-ADV-1201] Path Traversal on Polycom Web Management Interface
11in1 CMS v1.2.1 - SQL Injection Vulnerabilities
ESA-2012-013: RSA SecurID(r) Software Token Converter buffer overflow vulnerability
[TSI-ADV-1202] Polycom Web Management Interface O.S. Command Injection
Amazon Web Services has cut its prices for the 19th time in six years in a bid to fend off competition from the likes of Microsoft Azure and Rackspace.
Generations of gamers have created a pool of workers who enjoy problem-solving and innovating through the use of gamification apps, so much so that they'd rather gain social status through achievements than money.
Apache Struts Conversion Error OGNL Expression Evaluation Vulnerability
Etano Multiple Cross Site Scripting Vulnerabilities
IBM ILOG JViews Gantt Applet Viewer Cross Site Scripting Vulnerability

How security can add value to DevOps
CSO Magazine
There's no way with how infosec is currently configured that they can keep up with that. So, infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done. We have evangelized at the 2012 RSA ...

Were Anonymous supporters really duped into installing the Zeus botnet that steals their confidential information, including email login information, banking user names and passwords? Symantec says yes.
DevOps moves too fast to build security into the process, some say. Not true, say others who believe one just needs to get a little Rugged.
Gene Kim, award-winning entrepreneur, researcher and founder of security firm Tripwire, walks us through his vision.
Eastman Kodak has asked a bankruptcy court to decide on its patent dispute with Apple, thus opposing a motion by Apple for permission to resume the patent litigation in another court.
Taiwanese smartphone maker HTC is set to release what could be the first Windows Phone 7 handset for mainland China, a move that will finally bring the Microsoft mobile OS to a key market.
Rumored layoffs at Yahoo could offer a clue as to how the company's new CEO, Scott Thompson, plans to redirect the stumbling Internet giant.
As more employees bring personal devices to work, companies want to strike a balance between being agents of change and adaptation to mobile technology and safeguarding data. Rolling out mobile device management often means choosing unpopular rules.
Companies often assume data in the cloud is inherently discoverable, but is it? Know what questions to ask your cloud vendor so you can get your data back when required.
China has approved with conditions Western Digital's planned acquisition of Hitachi Global Storage Technologies (GST), requiring that the Hitachi entity operate independently for at least two years after the acquisition.
Well, yet again Microsoft has become a victim of hackers: the Bosnia-based website microsoft.ba has been left defaced by Turkey Cyber Army with the above defacement page, which features the following message.

SAP has created a multitenant version of its Business One ERP (enterprise resource planning) suite, which will be sold exclusively through partners as Business One OnDemand, the company is expected to announce Tuesday during the Cebit conference in Hannover, Germany.
The new hacking group Lulzr00t is starting off strong with its new Op, “#OpAnonymousr00t,” and this is by far its biggest one yet. Earlier today they hacked and leaked the database of the Fort Lauderdale Hollywood International Airport. The leak read: Target: Fort Lauderdale Hollywood International Airport Location: 100 Aviation Boulevard Fort Lauderdale, FL 33315 Number: [...]

The hacker N30_H4X0R has left the following statement on pastebin, in which they admit hacking the site and admit to being an ex-employee, which is a bit silly, since it will only make it much easier for authorities to capture and charge this person for these attacks.


Posted by InfoSec News on Mar 05


By Dan Goodin
Ars Technica
March 5, 2012

A Russian hacker dramatically demonstrated one of the most common
security weaknesses in the Ruby on Rails web application language. By
doing so, he took full control of the databases GitHub uses to
distribute Linux and thousands of other open-source software packages.

Egor Homakov exploited what's...

Posted by InfoSec News on Mar 05


By Bob Brewin

The Navy's premier institution for developing senior strategic and
operational leaders started issuing students Apple iPad tablet computers
equipped with GoodReader software in August 2010, unaware that the
mobile app was developed and maintained by a Russian company,
Good.iWare, until Nextgov reported it in February.

John Roberts, who runs the iPad...

Posted by InfoSec News on Mar 05


By Eric Chabrow
Bank Info Security
March 5, 2012

Imperva would neither confirm nor deny it helped defend the Vatican
website from a hacktivist assault last year, but the IT security
provider's director of security, Rob Rachwald, explains how such an
attack was constructed and defended.

Rachwald, in an interview with Information Security Media Group,
discusses a 25-day...

Posted by InfoSec News on Mar 05


Research Post-Graduate and Postdoctoral Program (RDPDPG)

Institution: National Security Agency (NSA)
Posted: February 17, 2012
Location: Maryland
Employment Level: Post-doc
Website: http://www.nsa.gov/careers/
Application Deadline: March 16, 2012
Category: Computer sciences/ technology, Engineering
Employment Status: Full-time
Salary: Commensurate with experience


The Research...