Hackin9

InfoSec News

There was a post on Ars Technica yesterday, that led back to another blog post from Sunday that suggests that Google Chrome will stop doing CRL checks at some point in the not too distant future. This has led to some interesting debate because the CRL mechanism has largely been ineffective. For a public key infrastructure (PKI) such as HTTPS to work, there must be an effective way of verifying the validity of the certificates. Due to the number of Certificate Authority (CA) breaches in recent years we'd all like a fast and effective method of taking compromised certificates out of play. During the highest profile breaches, all the major browser vendors simply pushed new versions of the browser with the root certificates from the breached CAs removed, in part because the browsers by design fail open (allow the connection) if they are unable to verify the certificate. So, is this a big deal? Is it the right way to go? Is it time to rethink/redesign/replace SSL or HTTPS? What do you think?
References
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
http://www.imperialviolet.org/2012/02/05/crlsets.html
---------------

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
While organizations focus on mobile security and other emerging threats, an analysis of more than 2,000 penetration tests conducted by Trustwave found older threats often overlooked.

 
Google's launch Tuesday of Chrome for Android may be a move to accelerate the pace of browser updates, an analyst said.
 
As part of an ongoing effort to recover from a downward spiral, Yahoo said on Tuesday that four board members, including its chairman, will step down.
 
Once again an unknown hacker has attacked and hacked an Internet Marketing Strategies website known as Power-blog.com. The information that has been leaked comes in two parts and contains emails, usernames and encrypted passwords.


 
A cyber security news web blog has been hacked and had a huge amount of accounts leaked online by an unknown hacker.


 
An Anonymous hacker going by the handle of @Agentanonhacker has hacked the super bowl website and dumped a huge amount of data.


 
Well, we are back to publishing now and first off I must say I couldn't have picked a worse time to take time off and do IRL stuff. Anyway, this post is just a quick catch-up on the past few weeks of what has been going on in the hacker world.


 
The National Institute of Standards and Technology (NIST) released its recommendations for a new, privately led steering group to tackle the complex policy and technical issues necessary to create an online environment where individuals ...
 
Users flock to online dating sites in ever greater numbers, but despite their marketing claims, services such as Match.com and eHarmony may not be offering potential mates chosen through rigorous scientific methods, a group of psychologists and sociologists have charged.
 
Enhancements to IBM's XIV Storage System include an SSD caching option that can increase system performance by up to three times.
 
Smartphones and tablets are dominating technology, and apps are among the top selling points for each mobile OS. With Apple's and Google's app stores each having over 500,000 apps and tens of billions of downloads, the desire to be a part of this growing market is strong. Apps can be useful for internal use by your company, or as a way to collaborate with clients, vendors, customers, and the public. Before deciding to develop an app for your business, though, take these considerations into account.
 
Overview

The ISC Security Dashboard can be found at https://isc.sans.edu/dashboard.html or https://www.dshield.org/dashboard.html and is an ideal tool for viewing summary DShield report data, ISC site content and related security information all in one place. Some places to use the page could be simply an open browser tab, an embedded web page, a control center monitor and more! Let us know where you use the dashboard in the comments section below.



Features

The first section on the page contains the current UTC date/time and Refresh options. You can click to Refresh immediately or select to let the page auto-refresh every 5, 10, 20, 30 or 60 minutes. Additionally, when you select an interval, the reload will display a link you can bookmark to easily return to that timed refresh rate.
Row 1:

Column 1: World Map Country Report from https://isc.sans.edu/countryreport.html

Column 2: Latest Diaries from https://isc.sans.edu/diary.html and the ISC Search box that goes to https://isc.sans.edu/search.html

Column 3: Top 10 Source IPs from https://isc.sans.edu/reports.html#top10source



Row 2:

DShield live banner, showing Top attacked and port attacked, that links to https://www.dshield.org



Row 3:

Column 1: Top 10 Ports from https://isc.sans.edu/reports.html#top10ports

Column 2: Latest StormCast from https://isc.sans.edu/podcast.html#stormcast and ISC/DShield Google Groups link/box for subscribing to http://groups.google.com/group/iscdshield

Column 3: Top 10 Rising Ports Trends graph from https://isc.sans.edu/trends.html (NOTE: This graphic has location-sensitive clickable hot spots. Try it out!)



Row 4: Select Security News feeds



Row 5:

Column 1: Latest sans_isc tweets from https://twitter.com/sans_isc

Column 2: Select SANS Reading Room Papers from http://www.sans.org/reading_room

Column 3: Twitter list of tweets from ISC Handlers



Planned future improvements include an HTML5 update which will allow blocks to be re-ordered and block location preferences to be saved to your ISC profile.



Let us know in the section below where you use, or are planning to use, the dashboard, or if there's content you think would be a valuable addition to this page. You can also send us any questions or comments via the contact form at https://isc.sans.edu/contact.html



--

Adam Swanger, Web Developer (GWEB)

Internet Storm Center (http://isc.sans.edu)
 
The National Institute of Standards and Technology (NIST) will host the 25th annual conference of the Federal Information Systems Security Educators' Association (FISSEA) March 27-29, 2012, at its Gaithersburg, Md., ...
 
Video recordings of the Nov. 2-4, 2011 Cloud Computing Forum & Workshop IV hosted by the National Institute of Standards and Technology (NIST) are now available for on-line viewing. The three-day November meeting featured, among ...
 
A lot of Americans took their holiday shopping online last year, which helped push e-commerce spending up 14% in the last quarter.
 
VMware has introduced a new software platform that makes it easier for service providers to wholesale their cloud-services infrastructure to other providers.
 
The FBI Tuesday reaffirmed its rule that all cloud products sold to U.S. law enforcement agencies must comply with the FBI's Criminal Justice Information Systems security requirements.
 
Adobe next plans to tackle Microsoft's Internet Explorer in its ongoing work to "sandbox" its popular Flash Player within browsers, Adobe's head of security said today.
 
In late January, the European Commission published a proposal "on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
 
AT&T and carrier equipment provider Sandvine released some interesting wireless and Internet usage figures from Sunday's Super Bowl victory for the New York Giants over the New England Patriots.
 

Anonymous publishes email exchange with Symantec over $50K payoff
Digitaltrends.com
"Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide," within a public comment at Infosec Island. Assuming Paden's comment is true, ...
 
Motorola's Droid 4, with its physical QWERTY keyboard, arrives Friday for $200 to round out Verizon Wireless' 4G LTE smartphone roster.
 
PC maker Maingear is chasing the laptop performance crown with its latest Titan 17 laptop, which can be configured to include Intel's fastest desktop processor and up to 1.8TB of solid-state drive storage.
 
The U.S. Federal Trade Commission has sent warning letters to the makers of six mobile apps used for background checks, saying the apps may violate a consumer credit protection law.
 
The scoop: Canvio 3.0 Plus external hard drive, by Toshiba, about $180 (1TB version).
 
Nearly half a million jobs in the U.S. have been created because of the 1 million-plus applications designed for smartphones, tablets and other mobile devices, according to a new study.
 
 
With the release of its new LoadRunner in the Cloud application load testing solution, HP aims to provide the flexibility of software-as-a-service in tools that traditionally entailed substantial investments to implement.
 
Oracle's plan to drag its legal fight against rival SAP's defunct TomorrowNow subsidiary through a second trial is not surprising, analysts said Tuesday.
 
Facebook users today are complaining that the social network and its mobile app are running very slowly.
 
Symantec today confirmed that the pcAnywhere source code published on the Web Monday by hackers who tried to extort $50,000 from the company was legitimate.
 
eFronts Community++ v3.6.10 - Cross Site Vulnerability
 
The U.S. Congress should scrap two controversial copyright enforcement bills and start over with attempts to target foreign websites accused of infringement and counterfeiting, more than 70 groups have said.
 
Acer has sued its former CEO and President Gianfranco Lanci in Italian courts for allegedly violating a non-compete clause, the company said Tuesday.
 
SAP on Tuesday announced the first products based on its HANA in-memory database aimed at small and medium-sized businesses, including a new Edge edition of the software as well as HANA-powered analytics for the Business One ERP (enterprise resource planning) suite.
 
[security bulletin] HPSBMU02736 SSRT100699 rev.2 - HP Business Availability Center (BAC) and Business Service Management (BSM), Remote Unauthorized Access to Sensitive Information
 
SQL Injection Vulnerability in Batavi 1.1.2
 
CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly
 
DEF CON 20 Capture the Flag Announcement
 
SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
 
Websites don't build themselves. They require a considerable investment of energy, expertise, and design know-how to construct and launch. But building a site is only half the story: Websites also have to be hosted on servers, ready for--you hope--the thousands of people who are dying to read your content, hire your firm, or pay for your services.
 
Both the number and volume of distributed denial-of-service attacks are increasing, according to new reports from DDoS mitigation companies Prolexic and Arbor Networks.
 
Red Hat has announced the Virtual Storage Appliance for Amazon Web Services (AWS), which can take advantage of Amazon's cloud while at the same time offering excellent performance, the company said on Tuesday.
 
Microsoft has entered into a broad partnership with customer-service software provider 24/7 that the companies expect will yield a superior cloud-based platform that large companies can use to better address their customers' needs.
 
[SECURITY] [DSA 2403-2] php5 security update
 
[ MDVSA-2012:014 ] glpi
 
IBM has designed and helped to build a 900,000-square-foot data center in India that it says is the largest in that country in terms of size and power. It's also among the largest in the world.
 
Sony will merge its PlayStation online gaming service into its broader online platform from Tuesday.
 
Hewlett-Packard's LoadRunner performance validation software will become available on a hosted basis through HP partners, the company announced Tuesday.
 
The new Timeline layout introduces some changes that may mean you're suddenly sharing more than you should. Here's how to lock down Facebook without going overboard.
 
iPads are popping up in the military, at auto dealerships and at wineries and are now being tested out at customer tables by the Buffalo Wild Wings grill and bar chain.
 
Amazon Web Services has cut the cost of storing data using its Simple Storage Service (S3) -- saving users with 50 TB stored on the service around 12 percent on their monthly bill, the company said on Monday.
 
Microsoft and others have already adopted this technology to extend JavaScript beyond the browser -- but it has limits developers must be aware of.
 
The OnLive Desktop service shows just how wrong desktop virtualization can be
 

Safer Internet Day: Infosec managers should learn from security attitudes of ...
ComputerWeekly.com (blog)
By Warwick Ashford on February 7, 2012 9:53 AM
Young people treat their online safety far differently to their real world safety and this is likely to filter through to the workplace, says Tim Wilson, lead UK volunteer for ...
 

Posted by InfoSec News on Feb 07

http://www.ft.com/cms/s/0/6d082204-50b8-11e1-ab40-00144feabdc0.html

By Ben Fenton
Chief Media Correspondent
FT.com
February 6, 2012

The police team investigating corrupt payments by journalists to serving
officers is to be increased by 50 per cent because it is now looking
into the activities of The Sun, it emerged on Monday.

The senior officer leading a total of 150 staff in a series of inquiries
into alleged criminal acts by The News of...
 

Posted by InfoSec News on Feb 07

http://news.cnet.com/8301-1009_3-57372308-83/hackers-wanted-$50000-to-keep-symantec-source-code-private/

By Steven Musil
CNET News
Security
February 6, 2012

As part of a sting operation, Symantec told a hacker group that it would
pay $50,000 to keep the source code for some of its flagship
security products off the Internet, the company confirmed to CNET this
evening.

An e-mail exchange revealing the extortion attempt posted to Pastebin...
 

Posted by InfoSec News on Feb 07

http://www.theaustralian.com.au/australian-it/reverve-bank-toughens-protection-against-ddos/story-e6frgakx-1226264118957

By Andrew Colley
The Australian
February 07, 2012

AUSTRALIA'S central bank has moved to bolster its resistance to a form
of cyber attack that has become an increasing menace to financial
institutions in recent months.

The Reserve Bank of Australia late last week invited computer security
providers to help prevent it...
 

Posted by InfoSec News on Feb 07

http://www.eweek.com/c/a/Security/State-of-SCADA-Security-Worry-Researchers-234517/

By Fahmida Y. Rashid
eWEEK.com
2012-02-05

CANCUN, Mexico -- Recent reports painted a bleak picture of the security
issues plaguing industrial control systems, but the situation is
exacerbated by the fact that administrators are naïve about the dangers,
researchers said.

Researchers presented some alarming findings about the state of security
for supervisory...
 

Posted by InfoSec News on Feb 07

http://www.darkreading.com/authentication/167901072/security/news/232600350/verisign-breach-may-actually-reaffirm-commitment-to-ca-model.html

By Ericka Chickowski
Contributing Writer
Dark Reading
Feb 06, 2012

Regardless of whether the SSL business VeriSign sold to Symantec was
compromised in the 2010 security breach that came to light last week,
security experts believe the breach still has Web authentication
ramifications. Some pundits say...
 
Hacker group Anonymous claimed late Monday that the source code of Symantec's pcAnywhere had been uploaded on The Pirate Bay site.
 
Oracle has chosen a new trial in its lawsuit against SAP for copyright infringement, rejecting the reduction of a jury verdict by about US$1 billion by a federal court in September last year.
 