InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Megaupload founder Kim Dotcom appeared in Auckland High Court on Wednesday as part of a judicial review of the police raid on his rented Coatesville mansion in January. This followed a ruling last month that the search and seizure operation was unlawful.
MetroPCS said late Tuesday it had launched a commercial voice-over-LTE service, claiming a win in the international race for the next generation of mobile voice.
The new line of CS400 and ES-series arrays are being targeted at users running performance-intensive applications such as OLTP and VDI.
WSO2's API Manager tool also features an API store and governance capabilities
Drupal Ubercart AJAX Cart Module Information Disclosure Vulnerability
Drupal Protected Node Module Access Bypass Vulnerability
Drupal SimpleMeta Module Cross Site Request Forgery Vulnerability
Most weather apps try to convince you to ditch the default Weather offering in iOS by adding more features. Solar takes the opposite approach, stripping down its weather report to essentially offer time, temperature, and condition-appropriate color patterns. Whether Solar tops what you already get for free from Apple's built-in app depends on the value you place on aesthetics.
Illinois has become the third state in the country to pass a law prohibiting companies from asking employees and job candidates for usernames and passwords to their social media accounts.
Verizon Wireless Tuesday revealed that there are five additional data tiers over and above the six tiers announced with its Share Everything plans earlier this summer.
Microsoft today said users of Windows 8 will be able to change the default setting for the "Do Not Track" privacy feature in Internet Explorer 10 when they first run the new operating system.
NASA's rover Curiosity completed its first full Martian day, releasing photos and video, and functioning perfectly, officials said.
It is interesting to note that in most economies a significant percentage of the national Gross Domestic Product (GDP) is actually generated by small and mid-sized businesses. Why is this relevant to information security you might ask? SANS was recently asked if there are existing providers of IT security services to this market? If not, what would be the prerequisites to starting and running one? My response follows:

Yes, I am aware of some businesses that provide IT Security services to SOHO, small, and mid-sized organizations. They tend to be rather small themselves and servicing a local area. The skills and certifications they have varies widely from none to quite advanced. Some are extensions of an existing computer repair shop for example that is branching out. Others are

actual IT Security professionals that are attempting to tap into this market area.

I would expect that the skills required would tend to consist of Intrusion Detection, Incident Response, Firewalls,

Anti-Malware, as well as general network and systems security. Certifications might include GCIA, GCIH, GCFW, and other more generic or vendor specific ones.

In my experience most small businesses do not have competent or mature IT support, the probability of them having IT Security is slim to none. The businesses owners might not perceive the threats, or do not believe they can afford to do anything about it.

One of the bigger hurdles such a provider might face is scalability while remaining financially viable.

Which brings us to an important question. If these small businesses are critical to our national economies and ongoing growth, are they adequately protected against attack that may target them? What about collateral damage from bots and other malware? Do they have the people and technologies required to defend their computers, networks, and information assets?

A question to the SANS Internet Storm Center readers is, what can be done for small business?
Please let us know wht you think using the comments below, or the contact form http://isc.sans.edu/contact.html.


Adrien de Beaupr

Intru-shun.ca Inc.

I will be teaching SANS Sec560 in Montreal this September, and Sec542 in Vancouver this December.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The most serious Android mobile malware uses SMS premium messages to make cybercriminals money, a tried and true attack method.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Users dealing with social notification overload might get some relief from the latest version of NewsGator's Social Sites enterprise social networking (ESN) add-on for Microsoft SharePoint.
A Federal Communications Commission-led initiative has launched a program that will allow U.S. organizations to donate used computers to low-income people.
A typical Web application is the target of an attack at least one in three days on average, according to a report released by data security firm Imperva.
[security bulletin] HPSBMU02781 SSRT100617 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running PostgreSQL, Remote Execution of Arbitrary Code, Denial of Service (DoS)
Apple will not include a YouTube app in iOS 6, the next operating system for the iPhone and iPad, the company confirmed yesterday. YouTube is owned by rival Google.
It takes more than technology to defeat a threat from inside the company. The ongoing WikiLeaks saga, and the associated, repeated unauthorized disclosures of information, is more than an escapade against the government. These leaks dramatically document the exposure that confronts all enterprises from trusted individuals, be they careless or malicious.
Sprint has cut the price of the 16 GB iPhone 4S by $50 to $149.99.
Google has staked some cash on the market for digital signatures on electronic documents with a venture capital investment in DocuSign, the companies announced Tuesday.
IT professionals have always sought out certifications to give them a leg up in their career advancement efforts. But anecdotal evidence suggests that in today's job market, having a broad array of certifications is even more important for giving job-seekers a needed edge.
If it is left to the politicians, the door to the nation's utilities might be left open. Almost telling terrorists, like in those motel commercials, "We'll leave the light on for you."
False reports on the situation in Syria appear to have been published on Reuters journalist blog because there was an old and known-to-be vulnerable edition of WordPress running on the site

Sprint has cut the price of the 16 GB iPhone 4S by $50 to $149.99.
Users dealing with social notification overload might get some relief from the latest version of NewsGator's Social Sites enterprise social networking (ESN) add-on for Microsoft SharePoint.
A short, low resolution video captured the final minutes of Mars rover Curiosity's descent onto the planet. At the beginning of the clip the 15-foot wide heat shield can be seen separating from the capsule carrying the rover.
U.S. tablet buyers were most influenced by the availability of applications and device price during the second quarter, according to a survey conducted by comScore.
nullcon International security conference Delhi 2012 Highlights
Oracle Business Transaction Management Server FlashTunnelService Remote File Deletion
Oracle Business Transaction Management Server FlashTunnelService WriteToFile Message Remote Code Execution
FreeBSD Security Advisory FreeBSD-SA-12:05.bind
Indian outsourcer Infosys Tuesday unveiled a package of services and technologies that aim to help companies deploying hybrid clouds.
In Android 4.1 (Jelly Bean), purchased apps are encrypted when stored on users' devices, the aim being to make life more difficult for potential pirates. This has, however, caused problems with some apps, with the result that Google has now been forced to backtrack

Opera Web Browser HTML Injection Vulnerability
Opera Web Browser Cross Site Scripting Sanitizer Security Bypass Vulnerability
The disruptive innovation that is the cloud has given developers significantly more influence than they, and their organizations, are used to having. This means the agile, sometimes unstructured world of the developer is increasingly coming into contact with more rigid business groups. Making everyone happy may mean reengineering IT processes.
Microsoft has opened Windows Phone Dev Center, a new portal for smartphone developers that promises better performance and ease of use along with more markets and support for PayPal, the company wrote in a blog post on Tuesday.
Opera Web Browser Unspecified Security Vulnerability
Cisco ASA 5500 Series CVE-2012-2474 Denial of Service Vulnerability
Hackers say they wanted Mat Honan's Twitter handle and gained access by first hacking Honan's Amazon account then his Apple iCloud account. In the process, they wiped Honan's iPhone, iPad and MacBook and deleted his Google account

Oracle Business Transaction Management Server Arbitrary File Write Vulnerability
Advanced Micro Devices on Tuesday launched new FirePro processors that include CPUs and graphics processors, a change from previous FirePro chips that only had graphics processors.
Networking equipment company Brocade Communications Systems said late Monday that a jury in California had found competitor A10 Networks responsible for intellectual property infringement and unfair competition, awarding the company a US$112 million verdict.
Japan's Elecom said Tuesday it will launch the world's first smartphone keyboard that uses NFC touch-card technology to link with Android handsets.
Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government.

Posted by InfoSec News on Aug 07


By Ericka Chickowski
Contributing Writer
Dark Reading
Aug 06, 2012

The connectivity to enterprise data spurred by today's mobile and cloud
movements have not only helped organizations to put their employees in
touch with business critical data that improves the way they work, but
has also enabled...

Posted by InfoSec News on Aug 07


By Lucian Constantin
IDG News Service
August 6, 2012

Criminals are sending malicious emails that purport to come from payroll
services firms in order to infect with malware the computers of payroll
administrators from various companies, according to researchers from the
SANS Internet Storm Center (ISC).

"For the past...

Posted by InfoSec News on Aug 07


By Beth Walsh
August 6, 2012

Yet another hospital has suffered a data breach. The administration at
Oregon Health & Science University Hospital (OHSU) in Portland is
sending letters to the families of 702 pediatric patients after a USB
drive containing some of their patient information was stolen. In...

Posted by InfoSec News on Aug 07


By Mat Honan
Gadget Lab
August 6, 2012

In the space of one hour, my entire digital life was destroyed. First my
Google account was taken over, then deleted. Next my Twitter account was
compromised, and used as a platform to broadcast racist and homophobic
messages. And worst of all, my AppleID account was broken into, and my
hackers used it to remotely erase...

Posted by InfoSec News on Aug 07


The Economist
Aug 5th, 2012

ASK Nico Sell who makes use of her and Robert Statica's Wickr
secure-communication app and she can honestly say, "We don't know who
our users are." The free iPhone and iPad app uses well-tested
strong-encryption techniques to prevent anyone snooping on text
messages, images and video, or voicemail exchanged between its...
According to a report by The Economist, Chinese telecommunications company Huawei is working with GCHQ to vet its devices before they are installed in telecommunication infrastructure across the UK


The Gap Between Knowledge and Leadership; are CISOs Failing to Reach their ...
PR Web (press release)
Too frequently, infosec professionals speak in terms of threats or vulnerabilities or technology. They need to learn to speak in terms that business leaders understand, and the one thing they understand is risk." To be fair, the communication problem ...

and more »
Internet Storm Center Infocon Status