InfoSec News

How did things get this messed up? Windows has slowed to a crawl. Programs won't run. The free firewall you installed last year won't update or uninstall itself.
 
Google gave the world a first look at its new Chrome OS laptop Tuesday and according to CEO Eric Schmidt it's very much like the Network Computer devices that he was pitching while chief technology officer at Sun Microsystems 13 years ago.
 
Ok, so maybe the title is a bit extreme, but I've had this tablet for a few months and I've started noticing that it's changing things up for me.



First of all, books are WAY simpler. I pretty much expected this, it's why I bought the thing in the first place. The first thing I did once I got the tablet was get electronic copies of almost every book I own. Fiction, reference, non-fiction, books for work, everything. So now if I travel, there's no need to choose what to bring. If I'm at work, and find myself saying "if only I had Cricket Liu's DNS and BIND book, I could explain it to my customer and give them a good citation (page number etc.)", no problem, it's there.
If I'm building something that I haven't done before, like the FCOE switches that I'm working on this week, I'm not alt-tabbing to the vendor documentation, I have the book / vendor web page / whatever open to the right page, and it's right there.



The best part of having a tablet is that it's not a computer. Sure, it has a browser and everything, but the form factor makes it fundamentally different. If my wife and I are watching TV, a laptop has that screen popped up that says don't talk to me - a tablet sits in my lap and is generally way less obtrusive than any laptop, it has a lower profile than lots of hardcover books in fact. Using a tablet instead of a laptop has done a fair bit for marital harmony on that front ....



But it's enough of a computer to do some useful things. I wrote all of my study notes for SEC542 on this thing, and it was just as easy in Docs2Go as in Excel, which I normally use for notes of this type. The nice thing is that when I was done, it IS in Excel. Picking the right apps makes your data portable. Picking the wrong apps puts your data in data jail, it'll never leave the tablet - this is really something to consider before deciding on any new app.
There seems to be lots of effort to turn data into prisoners of the tablet with proprietary file formats, or prisoners of one vendor or another's e-reader software. It's just too easy to browse to a book vendor, click the book and have it a minute later. The problem is, moving that book to a different tablet might be easy, or it might be a real pain when the time comes later. I've been trying to keep as many of my books as possible in portable formats - in my case, PDF and ePub formats. Formats where I have a choice in the application that reads them, that are easily portable to my laptop or a different tablet or different OS. Especially for reference books, a search function is a real help - this isn't always there on captive reader applications.
On a different topic, I'm seeing that people (not me so far I hope) are a lot less lax on security once they get a tablet.



Open access points seem to be fair game for a lot of people now - if there's an open AP, then it's seen as free, fast internet and away they go. I dropped a 3G card into mine - I find that this is pretty cheap, and while not as fast as a lot of home DSL or cable uplinks, it's always there. If I'm pulled over on the side of the road, no problem. If I'm at a client site, I don't need keys or certs to get online. There's a lot of risk in using someone else's open AP - not only is it illegal, it's pretty easy to set up an evil AP, often to harvest credentials or credit card info.



I invested in a tiny little access point (yes, also from Apple, sorry - Linksys stopped making theirs). This now travels with me as well. If I'm at a client site with secure wireless (i.e. I can't use it), I can generally plug in my trusty AP and get the tablet (and phone and laptop for that matter) online through their ethernet for a faster connection.
For some reason, people don't seem to care as much about their passwords on a tablet as they otherwise would. They can be in the middle of something totally unrelated, a window will pop up asking for their iTunes password, and they'll just key it in, no questions asked. We had a spirited discussion at the ISC's secret conference room last week about this. I think the consensus was that it'd be pretty simple to embed and hide a password harvester that takes advantage of this behaviour into an app, and that as long as you didn't get too greedy or obvious, it'd probably slide right past any check anyone would want to do. If you have information that might indicate otherwise, we'd be really interested in your input - please use the comment form for this.



I'm also not really keen on how most passwords on this device echo back to me: only one character at a time, but still pretty easy to shoulder-surf.



Credit card security likewise seems to have fallen by the wayside a bit. People get really used to embedding their credit card info into every music and book vendor they deal with. I'm guilty of this - frankly it's tough anymore to keep track of just who's got my credit card info (I keep a file, but still get surprised every now and then). People also are used to having LOTS of small transactions on their monthly bill. When my statement comes, how certain am I that each and every one of those $2, $3 and $10 charges is legit, and mine? Me, not so much. I get an email confirmation for every CC and PayPal transaction I make, but do I add them all up and check against my monthly bill? Ummm .. sometimes? Really, life is too busy to do this most months.
On the topic of enterprise use, so far I've taken care to not store customer or other confidential info on my tablet, until I've got the time to do a thorough review of risk, proper controls and mitigations. I've been told that the Apple iPad Security Overview (http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf) is pretty good, but haven't had the time to review it myself yet. There may be an equivalent or better Android doc, or better iOS guidance. If anyone has further info on this topic please use the comment form.
How have you seen that tablets have changed your life at work or at home?

Do these changes have a security-related story behind them?

Please, share your experiences - I for one am really interested in how these things are changing how we work / play / whatever.
Not to mention that killer app that'll make the tablet that much more useful ...

=============== Rob VandenBrink, Metafore ==================== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

GRC over information security?
CSO (blog)
Info sec risks and policies nicely plug into GRC processes/frameworks/tools, and GRC helps you to manage info sec risks and policies. Plugging info sec into ...

 
E-mail is supposed to increase our productivity, but all too often, managing e-mail becomes a job in itself. NEO Pro, now available in version 5, can help. This handy Outlook add-on cuts down on the time you spend dealing with your inbox, though it takes a bit of time to get fully up to speed with it yourself.
 
Apple QuickTime FlashPix Image (CVE-2010-3801) Memory Corruption Remote Code Execution Vulnerability
 
Apple QuickTime PICT File 'PackBits()' Memory Corruption Remote Code Execution Vulnerability
 
The industry reached a "virtual" tipping point in 2009 when, according to IDC, the number of newly installed virtual machines surpassed the number of newly installed physical servers. This inflection point is having a profound impact on how we manage, secure and provision IT resources. No doubt the network will look completely different in just a few years too, but here are five predictions for how virtualization will change networking in 2011.
 
Informatica introduces a low-cost service for integrating data into Salesforce.com's cloud
 
Apple QuickTime Movie File Memory Corruption Vulnerability
 
Amazon.com demonstrated its update of Kindle for the Web, which will appear 'in the coming months,' allowing the full reading and annotation of Kindle books from a Web browser on any device.
 
Most iDEN handsets are built to withstand rougher treatment than your average cell phone, but the venerable network itself will finally bite the dust within the next few years.
 
Google and Amazon cross swords with new e-book applications and services meant to lure readers into buying online.
 
Oracle will halve the number of cores in its next Sparc processor and instead improve its single-thread performance, a weak area for the chip but one that's important for running large databases and back-end applications.
 
Microsoft today said that the next major milestone of Internet Explorer 9 (IE9) will let users determine who tracks their movement and behavior online, its response to calls for more consumer control over the practice.
 
A former FCC chairman predicts commissioners will approve a net neutrality proposal this month.
 
As expected, Google launched its Chrome Web Store today, offering users of its browser free and paid Web apps.
 
ImageMagick 'configure.c' Configuration File Loading Local Privilege Escalation Vulnerability
 
Python Paste 'paste.httpexceptions' Multiple Cross Site Scripting Vulnerabilities
 
PHP 'getSymbol()' Function Denial of Service Vulnerability
 
Survey finds some enterprises are overburdened with compliance issues and are using piecemeal patch testing and deployment processes.

 
Winamp 'in_midi' Component MIDI Timestamp Stack Buffer Overflow Vulnerability
 

The Tech Herald

Security firm fights racism in InfoSec while apparently profiting from it
However, within IT, the InfoSec community cares little for such things. This is why the previous claims and recent actions taken by Ligatt Security have ...

 
Consumer Reports today named AT&T as the worst U.S. mobile service provider, but said its reader survey puts Apple's iPhone, which only uses AT&T, in a tie for first place with a trio of Samsung smartphones running Android.
 
Samsung announced today that it is ready to release a new set of 8GB DIMMs that takes advantage of stacking memory chips vertically to achieve 30% fewer memory sockets.
 
Novell iPrint Client 'ienipp.ocx' ActiveX 'GetDriverSettings()' Buffer Overflow Vulnerability
 
OpenSSL Ciphersuite Downgrade Security Weakness
 
OpenSSL J-PAKE Security Bypass Vulnerability
 
WikiLeaks' chief spokesman Julian Assange was arrested on Tuesday by U.K. police after surrendering to authorities and was denied bail later in the day after being deemed a flight risk.
 
A number of different technologies are being developed or improved to offer higher speeds for fixed and mobile broadband networks, as operators are preparing to compete with each other and carry video traffic in 3D and at higher resolutions.
 
VMware is teaming up with LG to sell Android smartphones that are virtualized, allowing a single phone to run two operating systems, one for business use and one for personal use.
 
Salesforce.com announced Chatter Free, a version of its social collaboration software that includes a Facebook-like "invite" feature that enables paying users to invite anyone, even non-Salesforce.com customers, to use Chatter.
 
I was all set to put this "Windows Explorer Explained" series to rest for a while, but then reader Martin wrote in with a question that comes up a lot: in Windows 7, how do you reveal the hidden file extension for each filename?
 
IT organizations that are adopting cloud computing don't have any fundamentally new WAN technology that they can leverage to respond to the associated challenges.
 
www.eVuln.com : XSS vulnerability in WWWThreads (php version)
 
VMSA-2010-0019 VMware ESX third party updates for Service Console
 
Salesforce.com is getting into the cloud database business with a new on-demand service, Database.com, set to be announced Tuesday at the Dreamforce conference in San Francisco.
 
Hoping to steal a little thunder from rival browser maker Google, Mozilla late Monday said its cross-browser Web app store would launch early next year.
 
Google's chief Android engineer on Monday showed a glimpse of a forthcoming tablet from Motorola, a potential competitor to Apple's iPad with a more powerful processor.
 
Google may have shutdown its China-based search engine months ago, but the U.S. company is still keen on providing new web services for users in the country.
 
OpenSSL Multiple Vulnerabilities
 
Samba SID Parsing Remote Buffer Overflow Vulnerability
 
An anonymous, loosely affiliated group that has been responsible for a series of recent distributed denial-of-service attacks against entertainment industry Web sites over copyright issues, has started attacking organizations viewed as being hostile to WikiLeaks, says a PandaLabs researcher.
 
President Barack Obama is calling for more investment in science and technology, and said the 'Sputnik moment is back' for the U.S., referring to the 1957 Soviet satellite now synonymous with any foreign challenge to America's technical dominance.
 
Take a gander at the best tablets, smartphones, e-readers, laptops, HDTVs and other tech gadgets to give and get this year.
 
In response to Computerworld readers' holiday wish lists, we've gathered the best tablets, smartphones, e-readers, laptops, HDTVs and other tech gadgets to give and get this year.
 
WikiLeaks' chief spokesman Julian Assange surrendered to authorities in the U.K. on Tuesday and was arrested, the Metropolitan Police said in a statement.
 
InfoSec News: Navy serviceman accused of trying to sell classified military documents: http://www.washingtonpost.com/wp-dyn/content/article/2010/12/06/AR2010120607109.html
By Ellen Nakashima Washington Post Staff Writer December 6, 2010
A Navy intelligence specialist at the Joint Special Operations Command has been accused of taking top secret documents from military networks [...]
 
InfoSec News: Wireless Monitoring And Security Lags In Government Agencies: http://www.darkreading.com/security-monitoring/167901086/security/news/228600091/wireless-monitoring-and-security-lags-in-government-agencies.html
By Ericka Chickowski Contributing Writer Darkreading Dec 06, 2010
Many federal agencies are not doing a good enough job securing and [...]
 
InfoSec News: Chinese hackers 'slurped 50 MB of US gov email': http://www.theregister.co.uk/2010/12/06/wikileaks_chinese_hacking/
By Dan Goodin in San Francisco The Register 6th December 2010
The Chinese government may have used its access to Microsoft source code to develop attacks that exploited weaknesses in the Windows operating [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, November 28, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, November 28, 2010
4 Incidents Added.
======================================================================== [...]
 
InfoSec News: What it's like to be a woman in a mostly male industry: http://www.csoonline.com/article/641615/what-it-s-like-to-be-a-woman-in-a-mostly-male-industry
By Bill Brenner Senior Editor CSO December 01, 2010
In the second decade of the 21st Century, it's easy to think that career success no longer hinges on gender and race. [...]
 

Posted by InfoSec News on Dec 07

http://www.washingtonpost.com/wp-dyn/content/article/2010/12/06/AR2010120607109.html

By Ellen Nakashima
Washington Post Staff Writer
December 6, 2010

A Navy intelligence specialist at the Joint Special Operations Command
has been accused of taking top secret documents from military networks
and offering to sell them to an investigator posing as a foreign agent.

Petty Officer Bryan Minkyu Martin was arrested last week by the Naval
Criminal...
 

Posted by InfoSec News on Dec 07

http://www.darkreading.com/security-monitoring/167901086/security/news/228600091/wireless-monitoring-and-security-lags-in-government-agencies.html

By Ericka Chickowski
Contributing Writer
Darkreading
Dec 06, 2010

Many federal agencies are not doing a good enough job securing and
monitoring their wireless networks, even amid efforts to improve
continuous monitoring across agencies, according to a report (PDF)
released last week by the...
 

Posted by InfoSec News on Dec 07

http://www.theregister.co.uk/2010/12/06/wikileaks_chinese_hacking/

By Dan Goodin in San Francisco
The Register
6th December 2010

The Chinese government may have used its access to Microsoft source code
to develop attacks that exploited weaknesses in the Windows operating
system, according to a US diplomatic memo recently published by
Wikileaks.

The June 29, 2009 diplomatic cable claims that a Chinese security firm
with close ties to the...
 

Posted by InfoSec News on Dec 07

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, November 28, 2010

4 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Dec 07

http://www.csoonline.com/article/641615/what-it-s-like-to-be-a-woman-in-a-mostly-male-industry

By Bill Brenner
Senior Editor
CSO
December 01, 2010

In the second decade of the 21st Century, it's easy to think that career
success no longer hinges on gender and race. But Marisa Fagan knows what
it's like to be a woman in the security industry, and it's not the
utopia of equality some people might expect.

To succeed in security, Fagan says...
 
Have you ever been asked "You got a sec?" by a friend via Facebook chat?
Well, one of our readers wrote in asking if we've seen this before. The scenario described to us is such:

A Facebook chat pops up from a friend with:

Hey [your name] you got a second?
If / when you reply, immediately a message returns similar to

I can't score higher than 600 on the quiz, do you think you can? [link provided]
If you click...

Although I have not personally experienced this type of incident, it smells of spam and/or an app from the dark side. It is important to understand this could be any number of things. If you experience an incident like this, then do not click, and a good approach would be to run Ad-Aware or a similar scan on your system and review your Facebook application list for anything suspicious. In addition, BitDefender has a service in BETA called safego which works as an app on Facebook with your profile, and Norton Safe Web is a free service that rates websites.
So if you've seen this before, then please share it with the rest of us with a comment.
Update
Read more about safego and protecting your Facebook activity on fellow handler Lenny Zeltser's blog.
blog.zeltser.com/post/2132741436/facebook-antivirus-protection
--

Kevin Shortt

ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

PayPal, PostFinance Hit by DoS Attacks, Counter-Attack in Progress
eWeek
... which can produce an automated DoS attack from a single low-spec computer, according to Anthony M. Freed, of security site Infosec Island. ...

 