InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I've enabled a new poll today in honor of this month's Patch-Tuesday. In your organization is it easier for you to set aside that 2nd week of the month to focus on security patching, or is it easier for you to integrate security patching into your everyday system administration? I've always felt that if your environment was large enough to have it's on vulnerability management team, a steady stream of security advisories was preferable to the shock of all arriving at the same day. However, not everyone is that size, so it may be easier to schedule widespread reboots on Tuesday nights, saving Wednesday for dealing with any consequences (which seem to be happening less often, thankfully.)
Which would you prefer in your environment? (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
MasterCard WorldWide announced a digital wallet on Monday that consumers will be able to use for purchases in stores, on the Web and on their mobile phones.
A jury has found that Google infringed Oracle's Java copyrights in Android but could not decide unanimously if the the infringement was protected by "fair use."

While we patiently await the arrival of this month's patches from Microsoft (and everyone else who publishes today) I have a little thought experiment for you. We all know that the internet doesn't work too efficiently if DNS isn't working or present. NTP is just as critical for your security infrastructure. Without reliable clock synchronization, piecing together what happened during an incident can become extremely difficult.

Consider a hypothetical services network and DMZ: there's an external firewall, a couple of webservers, an inner firewall with a database server behind it. Let's also assume that something bad happened to the webservers a couple of months ago and you've been brought in as a consultant to piece together the order of events and figure out what the attacker did. The web administration team, and the database team, and the firewall team have all provided your request for logs and you've got them on your system of choice.
More About NTP
For a complete background on NTP I recommend: http://www.ntp.org/ntpfaq
There are two main types of clock error that we are concerned with in this example:

Clock Skew an error of 0.001% causes a clock to be off by nearly one second per day. We can expect most clocks to have one second of drift every 2 days. The oscillator used in computer clocks can be influenced by changes in local temperature, and the quality of the electricity feeding the system.
Today's Challenge

How do you begin order the events between the systems? First I'll solicit general approaches via comments and email, later I'll summarize and provide some example data to illustrate the most popular/promising approaches. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A U.S. judge has declined to lift an unusual order that prevents Motorola Mobility from enforcing a ban in Germany on the sale of Microsoft's Windows 7 OS and XBox 360.
A U.S. judge has declined to lift an unusual order that prevents Motorola Mobility from enforcing a ban in Germany on the sale of Microsoft's Windows 7 OS and XBox 360.
The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning about an active "spear phishing" campaign targeting companies in the natural gas pipeline sector.
The market for software related to the Hadoop and MapReduce programming frameworks for large-scale data analysis will jump from $77 million in 2011 to $812.8 million in 2016, a compound annual growth rate of 60.2 percent, according to analyst firm IDC.
Apple today shipped iOS 5.1.1 for iPhone, iPad and iPod Touch owners that dealt with connectivity issues on the tablet, fixed bugs in AirPlay's video playback and patched four vulnerabilities in the mobile operating system.
Members of the NoChokepoints Coalition will ask the U.S. Federal Communications Commission to stop Verizon Communications from raising the rates for middle-mile broadband connections that many businesses rely on.
I remember when I bought my first new Mac. The label on the box read something like "Assembled for Apple in California." Famously, that has now changed.
ImageMagick Multiple Denial of Service Vulnerabilities
ImageMagick Buffer Overflow and Denial of Service Vulnerabilities
Apple released iOS 5.1.1 for iPod, iPhone, iPad (exclude Mac OS X) only available through iTunes. The updates address Safari and WebKit for iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2. At the time of this writing, the advisory was still not posted (APPLE-SA-2012-05-07-1) but the update is available through iTunes.
[1] http://support.apple.com/kb/HT1222
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
PaidPiper, a startup that will debut at the CTIA Wireless show this week, is developing a mobile money transfer system suited to developed economies where the credit-card infrastructure is dominant.
A U.S. senator has urged the U.S. Department of Justice and the U.S. Federal Communications Commission to investigate whether Comcast is violating conditions imposed in its early 2011 merger with NBCUniversal.
On Tuesday, May 22, 2012, the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC) will host amp"Creating Usable Electronic Health Records: A User-Centered Design Best ...
Reader Robert Zavod would like greater access to his photos from his iPhone. He writes:
A jury has found Google liable for copyright infringement in its use of Java in Android, but has not managed to decide whether that infringement was protected by rules governing 'fair use.'
On the heels of Western Digitial's release of the industry's first 12Gbps SAS SSD, Seagate this week said it would demo one of its own for the enterprise market.
Chris Camacho, information security officer at The World Bank Group in Washington D.C., explains how the Red Sky alliance helps member organizations safely share information.
Oracle and Google have each tried to jettison potentially damaging testimony in their intellectual-property dispute over Android, as a jury deliberates over Oracle's copyright allegations and prepares to move on to the patents part of the case.
Facebook launched its IPO roadshow in New York, with CEO Mark Zuckerberg pitching the company's stock to potential investors.
Unless Apple changes its security update practice, nearly half of all Mac users will be adrift without patches sometime this summer.
Bad software and malicious software are two different issues that are easily confused, says software security expert Gary McGraw.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Echoing the words of science fiction author Arthur C. Clarke, former YouTube user experience director Margaret Gould Stewart advised an audience of design researchers to think about creating magical experiences for their users.
Asterisk 'ast_parse_digest()' Stack Buffer Overflow Vulnerability
AT&T on Monday announced another low-priced Windows Phone, the $49.99 Samsung Focus 2, which will run on 4G LTE and will go on sale May 20.
Online trading in options and futures at NYSE Euronext in Amsterdam was disrupted for hours on Monday morning due to unspecified "technical problems," the stock exchange said.
OCZ today announced a firmware upgrade that boosts performance about 15MB/sec on its Vertex 4 SATA 3.0 SSDs. The company also touted a new 64GB Vertex 4 SSD aimed at mobile applications or for use as a boot drive.
AT&T plans to begin trials of a home automation and security service in Atlanta and Dallas this summer.
P100 IT Leader Allan Hackney also has advice on abandoning IT, résumé writing and more.
HTC and Verizon Wireless announced that the Droid Incredible 4G LTE smartphone will go on sale 'in the coming weeks.'

Cloud API Security Panel at Infosec
ProgrammableWeb (blog)
Cloud API Security was the topic for a panel discussion at the Infosec conference in London April 26th. After a brief introduction of what APIs are, how companies are becoming platforms and what security implications this has the discussion mostly ...

The row over Yahoo's leadership intensified over weekend as another major investor called for CEO Scott Thompson to be fired.
As a kid, I really wanted a cat. My parents, however, were firmly opposed. Would that I had been able to seek refuge in something like Microsoft's Kinectimals for iOS, which provides plenty of the benefits of pet ownership without the need for the manifold downsides--like cleaning out a litter box.
Recursive deletes, deep-sixing servers, bugs that become rewarding features -- let he who is without IT sin cast the first bits
As technology becomes easier to use, it becomes more complex internally. That means IT is less necessary in some ways and more essential in others.
Online trading in options and futures at NYSE Euronext in Amsterdam was disrupted for hours on Monday morning due to unspecified "technical problems," the stock exchange said.
The PHP Group plans to release new versions of the PHP processor on Tuesday in order to patch two publicly known critical remote code execution vulnerabilities, one of which was improperly addressed in a May 3 update.
Google has dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.
Micron on Monday said that DDR4 memory -- the successor to DDR3 DRAM -- will reach computers next year, and that the company has started shipping samples of the upcoming DDR memory type.
Adobe last week released a new beta of Flash Player that includes silent updates for Macs
Apple is disputing ownership of the iphone5.com domain, sparking speculation that the company will use the long-rumored name for its next smartphone.
Japanese conglomerate Hitachi on Monday launched a new data center business that includes everything from planning to construction to IT support.
Chinese PC maker Lenovo plans to invest more than $796 million to build facilities for the development and production of tablets, smartphones, and other mobile devices, it said Monday.
Most of the 250 customers that have licensed Oracle's recently-launched Fusion Applications to date have chosen a hosted deployment model, according to a senior executive at the software vendor.
The first batch of Intel processors based on Intel's Ivy Bridge microarchitecture -- 13 quad-core chips designed to run high-end desktop and laptop computers -- were finally unveiled late last month. Insider (registration required)
With the explosion of unstructured data, companies are looking for more options for enterprise search. Here's a look at the benefits and limitations of open-source search-enabled applications.
Arthur M. Langer, chairman and founder of Workforce Opportunity Services, describes the outsourcing model his nonprofit organization uses to train and match up economically disadvantaged youth with hard-to-fill positions in IT.
Here's a look at the growing list of open-source platform-as-a-service providers and how IT managers can decide where the technology fits best in their organizations.
Microsoft has revealed that Windows 8 tablets powered by ARM chips will be no easier to manage in the enterprise than iPads are.
When the company data center moves to various cloud configurations, the provisioning of servers will need to be addressed.

Posted by InfoSec News on May 07


By Nick Hopkins
3 May 2012

Computer hackers have managed to breach some of the top secret systems
within the Ministry of Defence, the military's head of cyber-security
has revealed.

Major General Jonathan Shaw told the Guardian the number of successful
attacks was hard to quantify but they had added urgency to efforts to
beef up...

Posted by InfoSec News on May 07


The Secunia Weekly Advisory Summary
2012-04-27 - 2012-05-04

This week: 25 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on May 07


By Jeb Boone
May 4, 2012

The Anonymous hacker collective is now targeting Activision CEO Eric
Hirshberg after the release of trailers for Call of Duty: Black Ops 2 in
which Anonymous is implied to be America’s new enemy in a dystopian
future war scenario.

The video flashes images of the Guy Fawkes mask...

Posted by InfoSec News on May 07


By Nick Hopkins
May 4, 2012

Hackers who break through the social networking site's firewalls can be
rewarded, thanks to the company's White Hat program.

On one of the lesser visited pages of Facebook, there is a list of 109
hackers who have found ways of getting through the company's security

Facebook is not...

Posted by InfoSec News on May 07


By Jonathan E. Skillings
Security & Privacy
May 6, 2012

Last update: 1:20 p.m. PT

Users of the Lion version of Mac OS X will probably want to update their log-in

Security researcher David Emery warns of a new vulnerability involving the
FileVault feature in Mac OS X Lion, version 10.7.3, which allows for encryption
of certain...
Internet Storm Center Infocon Status