Hackin9

InfoSec News

http://www.sans.org/critical-security-controls/control.php?id=5



The next control on the list is boundary defence. Many organisations have recognised that protecting the perimeter, whilst still important, is no longer the whole story. Many organisations have what we generally consider a hard crunchy outside and a soft squishy centre. The internal network is expanding into people's homes via VPN, onto mobile devices, into partner organisations and more. So boundary protection is nowadays a more appropriate way of thinking about it than perimeter protection. This is reflected in some of the standards that are around (think PCI and various government-specific standards). A few years ago internal network segmentation was not very common. Today we are starting to see more network segmentation within organisations, and people are exercising more control over the traffic that flows through the network.



Many of the more spectacular breaches in the past year or two have been traced back to client-side attacks. This is where good boundary defences can help reduce the risk. For example, an organisation that has thought about the different types of uses for its network, the location of its data and how that data is to be accessed can start segmenting the network. It can then implement measures to control or monitor the traffic at the different boundaries. Client-side attacks may still succeed, but the exfiltration of data is more likely to be detected, and the impact of the breach is reduced because the infected machine no longer has full access to the whole network.



When thinking about boundary defence it also pays to think about how traffic is supposed to flow through the environment. As part of this make sure you have policies in place that help you enforce this flow, e.g. no direct connections to the internet, all traffic must flow through a DMZ, etc. Once you have the architecture straight and you understand how information flows within the environment and how people access it, then it is time to start adding controls.
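As an added illustration of the point above (this is example code written for this page, not part of the original diary or of any SANS tool), the script below encodes a constructed segmentation policy and runs it over a handful of constructed flow-log lines. The segment names, address ranges, ports and log format are all assumptions made for the illustration; the idea is simply that once you have written down how traffic is supposed to flow, anything in the logs that does not match a rule (a workstation talking straight to the Internet instead of via the DMZ proxy, a server beaconing out on an odd port) is something to look at.

```python
import ipaddress
from collections import namedtuple

# Constructed example segments (names and address ranges are assumptions for this illustration).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "management":   ipaddress.ip_network("10.99.0.0/24"),
    "dmz":          ipaddress.ip_network("192.0.2.0/24"),
}

# Allowed flows: (source segment, destination segment) -> permitted destination ports.
# Everything not listed is a violation. There is deliberately no rule from
# "workstations" to "internet": client traffic has to go via the proxy in the DMZ.
POLICY = {
    ("workstations", "dmz"):     {3128, 25, 53},   # web proxy, mail relay, resolver in the DMZ
    ("workstations", "servers"): {443, 445},
    ("management", "servers"):   {22, 3389},       # admin access only from the management segment
    ("management", "dmz"):       {22},
    ("dmz", "internet"):         {25, 53, 80, 443},
    ("servers", "dmz"):          {25, 53},
}

Flow = namedtuple("Flow", "ts src sport dst dport proto")

def classify(addr):
    """Map an address to a segment name; anything outside a known segment is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

def parse_flow(line):
    """Parse one whitespace-separated log line: ts src sport dst dport proto (constructed format)."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto)

def check_flow(flow):
    """Return None if the flow is permitted by POLICY, otherwise a reason string."""
    key = (classify(flow.src), classify(flow.dst))
    allowed = POLICY.get(key)
    if allowed is None:
        return "no rule permits %s -> %s" % key
    if flow.dport not in allowed:
        return "%s -> %s not permitted on port %d" % (key[0], key[1], flow.dport)
    return None

def find_violations(lines):
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations

# Constructed sample flows: two are normal, three break the policy.
SAMPLE_FLOWS = """
2011-10-07T10:01:02 10.10.4.21 49152 192.0.2.10 3128 TCP
2011-10-07T10:01:05 10.10.4.21 49153 203.0.113.7 443 TCP
2011-10-07T10:01:09 10.10.7.3 49200 10.20.1.15 445 TCP
2011-10-07T10:01:11 10.10.7.3 49201 10.20.1.15 3389 TCP
2011-10-07T10:01:15 192.0.2.10 51000 203.0.113.7 443 TCP
2011-10-07T10:01:20 10.20.1.15 52000 198.51.100.9 6667 TCP
2011-10-07T10:01:25 10.99.0.5 53000 10.20.1.15 22 TCP
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print("%s %s:%d -> %s:%d  %s" % (flow.ts, flow.src, flow.sport, flow.dst, flow.dport, reason))
```

Run against the sample, the workstation going directly to 203.0.113.7:443, the workstation attempting RDP to a server from outside the management segment, and the server connecting out on 6667 are reported; the proxied web request, the SMB access, the DMZ proxy's own outbound connection and the management SSH session are not. The same policy table is what you would then push into the firewall and router ACLs at each boundary.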



To control flows between network segments:

Firewalls, external facing and internal.
Routers with ACLs (fine for certain internal uses, but since ACLs are stateless packet filters you might want to steer clear of using them as your only defence at the perimeter).
Intrusion Prevention System (IPS)
Consider jump servers for management of sensitive network segments.





Controlling specific Traffic flows:

Web traffic - Web filter to detect malware, filter access to malicious domains, perform URL filtering.
Mail - Mail relay in the DMZ. Publish Sender Policy Framework (SPF) and/or DKIM (DomainKeys Identified Mail) records to help others identify your authorised mail senders, and evaluate them on inbound mail. Use AV/malware and anti-spam filtering in the DMZ (you might want to do the same on the internal mail filter).
Remote Access - Use two-factor authentication, and control what remote clients can reach once connected rather than granting them full internal access.
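To make the SPF point concrete, here is an added example (written for this page, not code from the diary or from any mail product) of the check a receiving relay performs: it evaluates the sending IP against the domain's published SPF record. The TXT records below are constructed stand-ins for real DNS lookups, and the domain names and addresses are assumptions; the evaluator handles the ip4, ip6, include and all mechanisms with the standard qualifiers and enforces the lookup limit from RFC 7208, returning permerror for anything it does not understand rather than silently passing it.

```python
import ipaddress

# Constructed zone standing in for real TXT lookups (all names and addresses are assumptions).
TXT_RECORDS = {
    "example.com":       "v=spf1 ip4:203.0.113.0/24 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example":      "v=spf1 include:loop.example -all",   # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check

def lookup_spf(domain):
    """Return the SPF record for domain, or None if it has no usable record."""
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record

def check_host(ip, domain, _lookups=None):
    """Evaluate domain's SPF policy for sending address ip.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _lookups is None:
        _lookups = [0]                       # shared counter across nested includes
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed record: treat as a hard error
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"           # too many lookups (also catches include loops)
            inner = check_host(ip, arg, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"           # RFC 7208 section 5.2
            # fail/softfail/neutral from an include only means "no match here": keep going
        else:
            return "permerror"               # a, mx, ptr, exists, redirect= not handled in this example
    return "neutral"                         # ran off the end with no "all" mechanism

if __name__ == "__main__":
    for sender in ("203.0.113.25", "198.51.100.10", "2001:db8::1", "192.0.2.99"):
        print("%-16s %s" % (sender, check_host(sender, "example.com")))
```

With the constructed records, mail from 203.0.113.25 passes directly, mail from the relay's addresses passes via the include, and 192.0.2.99 fails because example.com ends with -all. The relay's own record ends with ~all, so a direct check against relay.example.net gives softfail instead: that difference between hard and soft fail is a policy decision for the publishing domain, and the receiving side has to decide how to treat each. Note that SPF identifies authorised sending hosts for the envelope sender domain only; DKIM, which signs the message itself, is the complementary control.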





Visibility

DLP solutions - Monitor traffic, particularly traffic leaving the environment, for your crown jewels (the data you identified when you worked out where it lives and how it is accessed).
Intrusion Detection - A network IDS to look for threats in the traffic flows between segments, or a host IDS to identify threats on specific hosts.
Central logging and review (e.g. SIEM).



There are many other ways of defending the boundary, let us know what you have found to be effective.



Mark (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Scott McNealy, the former chairman and CEO of Sun Microsystems, would have accepted the job of running Hewlett-Packard if he had been asked, he said this week.
 
Not only might companies have ethical, civic and legal obligations to alert authorities to cyberthreats, businesses may find that the authorities can be helpful, law enforcement agents and prosecutors said on Friday.
 
Prosecutors call it the biggest identity theft bust in U.S. history. On Friday, 111 bank tellers, retail workers, waiters and alleged criminals were charged with running a credit-card-stealing organization that stole more than US$13 million in less than a year-and-a-half.
 
Scott McNealy has never been shy about sharing his opinions; now he wants everyone else to do the same.
 
IBM WebSphere Application Server Unspecified Cross Site Request Forgery Vulnerability
 
Imation today unveiled a new line of storage appliances aimed at small and mid-sized enterprises that store data in a "near-line" state or can offload it to removable hard drives for archive.
 
President Obama Friday issued an executive order that aims to reform rules for the sharing and securing data by federal agencies.
 
Traffic hit near-record levels on Twitter Wednesday after news spread of Apple co-founder Steve Jobs' death.
 
Countries need to take steps to upgrade critical infrastructure for protection from attacks by cybercombatants or rival countries conducting cyberwarfare, security experts said at a panel discussion this week.
 
Reinforcing an announcement made more than a year ago, an HP fellow this week proclaimed that his company will have its Memristor non-volatile memory chip ready to challenge NAND flash within 18 months.
 
Antitrust regulators in the European Union today approved Microsoft's $8.5 billion acquisition of Skype, the online telephone and chat giant.
 
Committing cybercrime these days is as easy as building a fantasy football team, FBI and Secret Service agents said on Friday.
 
Members of a hacking think-tank called Blackhat Academy claim that Facebook's URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.
 
Users of Delicious now have another venue to report problems and seek information about the bug-ridden relaunch of the social bookmarking site.
 
The next version of Canonical's Ubuntu Linux distribution, to be released next week, will be the first to run on the Arm architecture, as well as the first edition to offer a new cloud service orchestration engine, called JuJu.
 
BlazeVideo HDTV Player PLF File Heap Buffer Overflow Vulnerability
 
Microsoft yesterday announced it will ship a third and final service pack update for Office 2007 before year's end.
 
 
Sprint officials today announced an accelerated rollout of LTE wireless technology on Friday -- and that it will continue to support its millions of Wimax smartphone and device customers beyond 2012.
 
VUPEN Security Research - Google Chrome WebKit Engine Child Tag Deletion Stale Pointer Vulnerability
 
Low severity flaw in various applications including KSSL, Rekonq, Arora, Psi IM
 
Medium severity flaw with Ark
 
In mid-2009, as the number of Windows 7 betas spread and the clock ticked down to October, when the long-awaited replacement for XP would officially ship, computer vendors and analysts expected that a major new operating system would revive spending on x86-based PCs and servers, which had taken a hit since the recession began in 2008.
 
Sprint officials said the carrier is ready to handle the increased data demand from its sales of the iPhone as the carrier continues a nationwide network consolidation project called Network Vision.
 
Secunia Research: Autonomy Keyview Ichitaro Text Parsing Buffer Overflow
 
Secunia Research: Autonomy Keyview Ichitaro QLST Integer Overflow Vulnerability
 
VUPEN Security Research - Google Chrome WebKit Engine Ruby Tag Stale Pointer Vulnerability
 
Secunia Research: Autonomy Keyview Ichitaro Object Reconstruction Logic Vulnerability
 
Microsoft's eight security bulletins address flaws in Internet Explorer, Windows, Forefront UAG and the .NET Framework. Two bulletins are rated "critical."

 
Attackers used SQL injection against Sony's website to gain access to its internal server and steal sensitive data.

 
(ISC)2 Executive Director W. Hord Tipton discusses (ISC)2 training, strategy, new initiatives and how it's helping women in information security.

 
Massachusetts' Advanced Cyber Security Center (ACSC) was launched Tuesday to develop future cybersecurity technologies and strategies to protect the nation's IT infrastructure.

 
Trend Micro Inc. has uncovered a new Android malware variant that uses a blog site with encrypted content as its command-and-control server and disguises itself as an e-book reader app.

 
What can IT learn from Steve and Apple?
 
After wrestling with DSL modems for the last two issues, Gibbs finally gets to check out the QNAP T-1079 Pro NAS and he likes what he finds.
 
The battle for the living room is heating up, and Sony needs to take over Sony Ericsson in order to better compete with the likes of Samsung and a more aggressive Apple as home electronics sector products become increasingly converged, according to analysts.
 
Facebook is ignoring a serious shortcoming in the way it limits application developers' access to information about Facebook users, according to a pair of hackers.
 
Desktops don't have to be big and bulky power-hungry monsters. This PC build guide will show you how to put together a slim, energy-efficient desktop PC perfect for your living room or small office.
 
WordPress Eventify Plugin 'npath' Parameter Remote File Include Vulnerability
 
Verizon Wireless today beat Apple and its carrier rivals to the iPhone 4S pre-order punch, kicking off sales just after midnight PT.
 
Mango, the latest version of Microsoft's Windows Phone 7, adds new social networking features and other useful tweaks to the OS.
 
WordPress Flowplayer Plugin Cross Site Scripting Vulnerability
 
About 30% of the federal government's IT spending is being used to support data center infrastructure and the U.S. hopes to save billions down the road as it moves to consolidate its data centers.
 
Autonomy KeyView Filter 'jtdsr.dll' Multiple Buffer Overflow Vulnerabilities
 
Multiple A-Form Products Cross Site Scripting and Security Bypass Vulnerabilities
 

Posted by InfoSec News on Oct 07

http://techcrunch.com/2011/10/06/zero-day-vulnerability-on-american-express-website-now-closed/

By Sarah Perez
TechCrunch
Oct 6, 2011

American Express says it shut down the webpage that left a portion of its
website open for anyone to access in what's being called a zero-day security
vulnerability, the company said in a statement. The security issue was first
discovered by developer Niklas Femerstrand, who attempted to reach out to...
 

Posted by InfoSec News on Oct 07

http://www.computerworld.com/s/article/9220626/Stanford_Hospital_blames_contractor_for_data_breach

By Jaikumar Vijayan
Computerworld
October 6, 2011

Stanford Hospital & Clinics this week blamed a third party billing contractor
for a data breach that exposed the personal data of some 20,000 patients.

Stanford released a statement blaming the contractor just a week after it was
hit with a $20 million lawsuit related to the breach, which the...
 

Posted by InfoSec News on Oct 07

http://www.wired.com/threatlevel/2011/10/m00p-takedown/

By Kim Zetter
Threat Level
Wired.com
October 5, 2011

It’s rare that malware-writing crews get arrested for creating the tools that
criminals use.

But a presentation at the Virus Bulletin conference in Spain this week
described an extensive operation in which law enforcement agents worked
successfully with the Finnish anti-virus firm F-Secure to catch two members of
the M00p gang,...
 

Posted by InfoSec News on Oct 07

http://www.theregister.co.uk/2011/10/07/unix_time_zone_database_destroyed/

By Dan Goodin in San Francisco
The Register
7th October 2011

The internet's authoritative source for time-zone data has been shut down after
the volunteer programmer who maintained it was sued for copyright infringement
by a maker of astrology software.

David Olson, custodian of the Time Zone and Daylight Saving Time Database, said
on Thursday he was retiring...
 

Posted by InfoSec News on Oct 07

http://www.bloomberg.com/news/2011-10-05/ubs-says-equities-co-heads-gouws-bouhara-resign-over-unauthorized-trading.html

By Elena Logutenkova and Ambereen Choudhury
Bloomberg
Oct 6, 2011

UBS AG (UBSN), Switzerland’s biggest bank, said Francois Gouws and
Yassine Bouhara resigned as co-heads of global equities following last
month’s $2.3 billion loss from unauthorized trading.

“Their resignations come as they assume overall responsibility...
 

Posted by InfoSec News on Oct 07

========================================================================

The Secunia Weekly Advisory Summary
2011-09-29 - 2011-10-06

This week: 83 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia...
 

Posted by InfoSec News on Oct 07

Forwarded from: Lawrence Pingree <geekguy (at) geek-guy.com>

I knew Gene and had lunch with him recently and had hung out with him at RSA.
What an amazing, generous, loving and passionate man. He was a great influencer
of security and contributed greatly in the same 'behind the scenes' way that
many of us in security do. He never had anything bad to say about anyone and
spoke about how proud he was of his family, he will be...
 