InfoSec News

Since Certificate Authorities (CAs) are on many people's minds nowadays, we asked @sans_isc followers on Twitter:

How do browser makers (Microsoft, Mozilla, Google, Opera) decide which CAs to put into the product?

Several individuals kindly provided us with pointers to the vendors' documentation that describe their processes for including CAs in web browser distributions:

Microsoft describes its Root Certificate Program (thanks, @leftistqueer)
Mozilla maintains a CA Certificate Inclusion Policy (thanks, @ypatiadotca and @rik24d)
Apple documents the requirements for its Root Certificate Program (thanks, @GothAlice)
Opera clarifies how to get a root certificate included in its browser (thanks, @Chasapple)

If you have a pointer to Google Chrome certificate-inclusion practices, please let us know.

-- Lenny
Lenny Zeltser focuses on safeguarding customers' IT operations at Radiant Systems. He also teaches how to analyze and combat malware at SANS Institute. Lenny is active on Twitter and writes a daily security blog.
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
I know, I know, this title sounds like heresy. The IT and Infosec villagers are charging up the hill right now, forks out and torches ablaze! I think I can hear them - something about test first, then apply in a timely manner?? (Methinks they weren't born under a poet's star). While I get their point, it's time to throw in the towel on this, I think.

On every security assessment I do for a client who's doing their best to do things the right way, I find at least a few, and sometimes a barnful, of servers that have unpatched vulnerabilities (and often are compromised).

Really, look at the volume of patches we've got to deal with:

From Microsoft - once a month, but anywhere from 10-40 in one shot, every month! Since the turnaround from patch release to exploit on most MS patches is measured in hours (and is often in negative days), what exactly is timely?

Browsers - Oh talk to me of browsers, do! Chrome is releasing patches so quickly now that I can't make heads or tails of the version (it was 13.0.782.220 today, yesterday it was .218; the update just snuck in there when I wasn't looking). Firefox is debating removing their version number from Help/About entirely - they're talking about just reporting days since your last confession ... er ... update instead (the version will still be in the about:support URL - a nifty page to take a close look at once in a while). IE reports a sentence-like version number similar to Chrome's.
And this doesn't count email clients and servers, VoIP and IM apps, databases and all the stuff that keeps the wheels turning these days.
In short, dozens (or more) critical patches per week are in the hopper for the average IT department. I don't know about you, but I don't have a team of testers ready to leap into action, and if I had to truly, fully test 12 patches in one week, I would most likely not have time to do any actual work, or probably get any sleep either.

Where it's not already in place, it's really time to turn auto-update on for almost everything, grab patches the minute they are out of the gate, and keep the impulse engines - er - patch velocity at maximum. The big decision then is when to schedule reboots for the disruptive updates. This assumes that we're talking about reliable products and companies - Microsoft, Apple, Oracle, the larger Linux distros, Apache and MySQL for example - people who *do* have a staff dedicated to testing and QA on patches (I realize that "reliable" is a matter of opinion here ..). I'm NOT recommending this for any independent / small-team open source stuff, or products that'll give you a daily feed off Subversion or whatever. Or if you've got a dedicated VM that has your web app pentest kit, wireless drivers and 6 versions of Python for the 30 tools running all just so, any updates there could really make a mess. But these are the exceptions rather than the rule in most datacenters.

Going to auto-pilot is almost the only option in most companies: management simply isn't paying anyone to test patches; they're paying folks to keep the projects rolling and the tapes running on time (or whatever other daily tasks count in your organization). The more you can automate, the better.

Mind you, testing large roll up patch sets and Service Packs is still recommended. These updates are more likely to change operation of underlying OS components (remember the chaos when packet signing became the default in Windows?).

There are a few risks in the "turn auto-update on and stand back" approach:

A bad patch will absolutely sneak in once in a while, and something will break. For this, in most cases, it's better to suck it up for that one day, and deal with one bad patch per year as opposed to being owned for 364 days. (just my opinion mind you)

If your update source is compromised, you are really and truly toast - look at the (very recent) compromise, for instance. Now, I look at a situation like that, and I figure - if they can compromise a trusted source like that, am I going to spot their hacked code by testing it? Probably not; they're likely better coders than I am. It's not a risk I should ignore, but there isn't much I can do about it, so I try really hard to (ignore it).

What do you think? How are you dealing with the volume of patches we're faced with, and how's that workin' for ya? Please, use our comment form and let us know what you're seeing!


Rob VandenBrink

Metafore
Yahoo's board ousted Carol Bartz from her CEO chair this week, and with her out of the way analysts say Yahoo must refocus or it will die. Can the Web giant turn things around?
Google hoped at one time to codevelop Android with Sun, and was prepared to offer Sun a share of its mobile service revenue in return for making Java open source, according to newly released documents in Oracle's lawsuit against Google.
Armed with new patents transferred from Google, HTC has filed a new lawsuit against Apple and amended two previous legal complaints.
IBM is working on both super-fast and super-dense storage media that should reach enterprises before the end of this decade, and demand in some industries looks likely to keep pace with the advances.
Microsoft, Google, Amazon and Cisco, take notice: Despite the near-constant hype about cloud computing services, most mid-market companies are still viewing cloud as a complement, not a replacement.
For years, Facebook users have been clamoring for better privacy controls and clarity, while Facebook engineers oscillate between improvements and major privacy snafus. Every now and then a new wave of exasperated users cries out "That's it, I'm leaving". Up to now, users really didn't have anywhere to go after quitting, so they effectively quit the social media scene, self-ostracized (MySpace is equivalent to being exiled, perhaps worse). Now that they have somewhere else to go (Google+), Facebook is ramping up its privacy controls and seems to be taking privacy more seriously. Let the privacy competition begin!
Lawson Software is embroiled in the latest instance of an allegedly failed ERP software project to become public.
The Dutch government is trying to minimize the effect of the DigiNotar hack on its IT infrastructure but warned it's a time-consuming process: Not all the SSL certificates can be replaced on the fly.
Online retailer is reportedly redesigning its Web site, which sells everything from books to electronics and handbags, with a focus on supporting tablet computer users.
Google and Oracle will send top executives to mediation in front of a magistrate judge, in a last-ditch attempt to settle their differences over Google's use of Java in the Android OS.
The Honeynet Project has presented an excellent opportunity to improve your own and the community's approaches to analyzing mobile device malware. The group's Forensic Challenge 9 gives you the opportunity to respond to a security incident that involved a smartphone. Honeynet's Christian Seifert provided us with the following description of the scenario:

This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident. You will have to analyze the image of a portion of the file system, extract all that may look suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse-engineering and PCAP analysis, this challenge will take you to the world of mobile malware.

Christian also pointed out that the Honeynet Project--as a result of its participation in Google Summer of Code--released two tools for analyzing mobile device malware. According to him:
DroidBox, authored by Patrick Lantz, is a sandbox for the Android platform. It focuses on detecting information leaks that were derived from performing taint analysis for information-flow tracking on Android trojan applications. DroidBox is capable of identifying information leaks of contacts, SMS data, IMEI, GPS coordinates, installed apps, phone numbers, network traffic and file operations.
APKInspector, authored by Cong Zheng, is a full-blown static analysis tool for the Android platform. It resembles tools like IDA Pro. Some functionality highlights are:

Graph-based UI displaying control flow of the code.
Links from graphview to source view.
Function/Object - Method list and filter.
Strings list and Filter.
Flow in/out from a given point.
Function and variable renaming.

For additional resources that may help you analyze Android malware, see 8 Articles for Learning Android Mobile Malware Analysis. If you know of additional tools and references, please leave a comment.
-- Lenny
GlobalSign, a certificate authority (CA) based in Belgium, temporarily stopped issuing certificates. This action was taken in response to a message on Pastebin in which the anonymous poster claimed responsibility for the recent DigiNotar breach and singled out GlobalSign as another CA that he or she compromised.
According to GlobalSign's press release, the company is investigating the report and decided to temporarily cease issuance of all certificates until it assesses the claim that its security was breached.
An ISC reader shared with us a response that GlobalSign provided to his company regarding this matter. In that message, the company explained that it paused the issuance of certificates to allow the systems to undergo a forensic audit while they are off-line. The company reportedly downplayed the risk to existing active certificates, referring to its security practices that involve keeping the root CA off-line. Yet, with the intermediate CAs being on-line, the risk is there in a way that is similar to the DigiNotar scenario: an attacker who controls an intermediate CA can issue certificates that chain to the trusted root just as legitimate ones do. This could also allow an attacker to spoof certs that have already been issued.
Note, however, that we have yet to see evidence of GlobalSign being compromised. The Pastebin notice might prove to be unauthentic or otherwise false. It's not uncommon for malicious hackers to put forth claims of conquest that later turn out to be unsubstantiated... just for LOLs.
-- Lenny
HDS today announced it has purchased high-end NAS vendor BlueArc. The deal builds on a 5-year reseller agreement the companies already had.
Hackers are using a new trick to cloak malicious files by disguising their Windows file extensions to make them appear safe to download, a Czech security company warned today.
IBM WebSphere Application Server Administration Console Information Disclosure Vulnerability

Navigating the vendor merger and acquisition binge
Presidential candidate Mitt Romney Tuesday released an economic plan that would make it easier for foreign college graduates with advanced degrees in math, science and engineering to work in the U.S.
Carving out a space in the growing market for cloud computing, Hewlett-Packard has launched a beta IaaS (Infrastructure-as-a-Service) offering, called HP Cloud Services, the company announced Wednesday.
Senators suggest a U.S. cybercrime law should be narrowed to avoid criminal charges for violations of terms of service or computer use policies.
A hacker claiming responsibility for the DigiNotar attack named GlobalSign as one of four CAs that have been successfully breached.
While Oregon officials have had success with a cross-government compliance program, standardizing federal requirements is another matter.
Analysts at an Israeli company that infiltrates online forums to identify terrorists often claim responsibility for attacks to bolster their credibility, according to a recently-leaked cable from the U.S. Department of State.
The speedy Motorola Droid Bionic smartphone will go on sale from Verizon Wireless for $299.99 on Thursday.
With Yahoo languishing in the face of competition from the likes of Google and Facebook, the Tuesday ouster of CEO Carol Bartz gives the company a chance to refocus and reinvigorate itself, analysts said.
Adobe has announced Carousel, a new photo editing and sharing application that spans the desktop, tablet, and smart phone.
Perl Data::FormValidator Module 'results()' Security Bypass Vulnerability
Squid Proxy Gopher Remote Buffer Overflow Vulnerability
Mongoose PUT Request Remote Buffer Overflow Vulnerability
Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches Access Control List Bypass Vulnerability
XSS in Zikula
Seagate is preparing to ship the industry's first 4TB external drive. The drive also represents the first product redesign for Seagate's GoFlex family.
If your company suffered a data breach, would you know what to do to comply with state, federal and local law? Start-up Co3 Systems is offering a software-as-a-service (SaaS) application to tackle that unhappy task, tracking how a corporate data-loss incident is handled.
MasqMail Multiple Local Privilege Escalation Vulnerabilities
Apache Tomcat AJP Protocol Security Bypass Vulnerability
Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's Default GET Extension Factory ActiveX Control Remote Code Execution
Arbitrary File Upload in '1 Flash Gallery' Wordpress Plugin
[slackware-security] seamonkey (SSA:2011-249-03)
[slackware-security] mozilla-thunderbird (SSA:2011-249-02)
Windows server 2008 R1 local DoS
Lawson Software and its parent company Infor are adding governance capabilities to their ERP software with the acquisition of Approva. Terms of the deal, which closed Sept. 1, were not disclosed.
Today's workers want faster computing speeds and more storage, management wants it all under budget, and IT professionals are scrambling to save money and improve productivity. The tools of choice to achieve these goals are typically virtualization, cloud computing and data center consolidation, but IT may be overlooking a simple but effective fix: storage area network (SAN) and local area network (LAN) convergence.
While you might cringe at the steep price, the dual-core TI OMAP processor paired with Verizon’s superspeedy LTE network makes for one fast phone. But the Bionic falls short in its display and call quality, making that high price tag seem a bit unreasonable.
Open-source software continues the march toward world domination, but the bright open promise dims.
Ten years after the terrorist attacks of Sept. 11, 2001, the nation faces a critical threat to its security from cyberattacks, a new report by a bipartisan think tank warns.
Consumers may be flocking to tablets, but laptops are holding their own in the enterprise, where they're viewed as the mobile device most likely to get the work done.
Symantec's Norton Internet Security 2012 has added a number of new and improved features, including a startup manager and better site monitoring, among others.
Pthreads-win32 'quserex.dll' DLL Loading Arbitrary Code Execution Vulnerability
Advanced Micro Devices said activation keys for the game "Dirt 3" that shipped with some of its products were compromised, potentially causing a delay before the vouchers can be redeemed.
The Chinese government has renewed Google's Internet Content Provider (ICP) license, a company spokesman said on Wednesday, giving the company another year to operate its local website in the country.
On Wednesday, Registrar ICM Registry announced that the dot-XXX sponsored top-level domain (sTLD) for the adult entertainment industry is open for registration.
Xen 'x86_64 __addr_ok()' Local Denial Of Service Vulnerability
SAP is to buy 3-D visualization toolmaker Right Hemisphere in a bid to improve the user interfaces of its various lines of business software, the companies announced Tuesday. Terms of the deal were not disclosed.
Browser makers have generally been quick to react to the computer compromise at digital certificate issuer DigiNotar, but that hasn't been the case for all mobile phone makers.

Posted by InfoSec News on Sep 06

By J. Nicholas Hoover
September 06, 2011

The National Security Agency is moving to open source a secure database
technology, Accumulo, that it has been developing internally since 2008.

The spy agency over the weekend submitted the project, constructed of
about 200,000 lines of mostly Java code, to the Apache Foundation for


Posted by InfoSec News on Sep 06

By Robert McMillan
IDG News Service
September 6, 2011

Digital certificates issued by GlobalSign have come under scrutiny after
a hacker's claim that he broke into the company's computer systems. If
true, it would be the second such compromise in the past few weeks.

The hacker, known as Comodohacker, said on Monday he had...

Posted by InfoSec News on Sep 06

By Fahmida Y. Rashid

Philip Reitinger, former director of the United States National
Cyber-Security Center, a division of the Department of Homeland
Security, will be joining Sony as a chief information security officer,
Sony said Sept. 6.

The appointment is effective immediately and Reitinger will become a

Posted by InfoSec News on Sep 06

By Gavriel Queenann
Israel National News

Amid the current diplomatic impasse between Ankara and Jerusalem,
Turkish hackers hijacked some 350 Israeli websites on Sunday evening,
launching a Domain Name System (DNS) attack on dozens of other websites
as well.

Israeli IT analysts said Tuesday the DNS hijacking is likely to be, in
fact, a "test-run" ahead of a major...

Posted by InfoSec News on Sep 06

By Henry Chu
Los Angeles Times
September 6, 2011

London -- Media executive James Murdoch knew of a damaging piece of
evidence three years ago that phone hacking was practiced by more than
one reporter at the News of the World tabloid, despite his statements to
the contrary, two of his former colleagues said Tuesday.

The assertion by Colin Myler, the...