InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple on Wednesday patched four security vulnerabilities in Safari and blocked outdated versions of Adobe's Flash Player from running in its browser.

Hacker, rootkit find place in new novel by infosec journalist
ZDNet (blog)
By Ryan Naraine | May 9, 2012, 11:31am PDT Summary: Dennis Fisher finds a way to embed information security subplots into a new novel. With hacking groups like Anonymous and LulzSec stealing headlines and hackers from China, Brazil and everywhere else ...

Oracle was dealt a minor setback in its lawsuit against Google on Wednesday when a judge denied its motion to toss out one of Google's key defenses against copyright infringement.
libpng Malformed cHRM Divide-By-Zero Denial of Service Vulnerability
The company that is a target in a federal probe on its use of visas, Infosys, says it is assuring customers that the government investigation -- despite its unknown outcome -- will not impact its business.
A recent crackdown by SAP AG on companies that it considers are indirectly accessing its software without paying for it could spell trouble for some longstanding customers of the software vendor, an analyst firm said this week.
Adobe Shockwave Player APSB12-13 Multiple Memory Corruption Vulnerabilities
What is Facebook's secret to keeping the world's largest user base content? Sticking to well-proven software design principles, one study has concluded.
Crediting a strategy that exploits users' move to cloud computing, Cisco Systems on Thursday reported record net sales of US$11.6 billion for the quarter ending April 28, up 6.6 percent from the year-earlier period.
Salesforce.com's Heroku division this week rolled out two entry-level tiers for its Postgres-based cloud database service, hoping to cater to applications with lower data-volume requirements as well as helping startup developers make an easier jump into production.
Of all the things discussed and analyzed surrounding Facebook's upcoming initial public offering, perhaps the most surprising -- or just plain funniest -- is co-founder Mark Zuckerberg's hoodie.
Apple may release OS X 10.8 Mountain Lion earlier than expected, according to a report by a popular blog and clues found within the release dates of the three developer previews of the new operating system.
Sprint Nextel's methodical rollout of new cell sites with LTE may not win the deployment race, but each market that gets the upgrade will see competitive speeds and more complete coverage than other carriers may offer, executives said Wednesday.

Symantec released some interesting findings from a survey the company conducted with the Cloud Security Alliance at the CSA Summit in February. The survey went beyond the usual sorts of basic questions to delve into organizations’ knowledge of cloud security. The results, albeit from a small sample size (128 respondents), were a bit curious.

While 63% rated their cloud security efforts as good, 58% said their staff isn’t well prepared to secure their use of public cloud services. And although 68% said they think cloud security training is important for their organizations’ ability to use public cloud services, less than half (48%) planned to attend cloud security training over the next year. Eighty-six percent of respondents said protecting their organizations’ data was the top factor driving them to cloud security training.

In a blog post, Dave Elliott, senior product marketing manager of global cloud marketing at Symantec, summarized the survey findings:

“In short, what this survey reveals is that it’s important to have your own security for the cloud but that IT staff are not yet well prepared to secure the cloud.”

He added, “Cloud security needs leadership, and it requires standardized training and skills that will enable IT staff to confidently move into the cloud.”

Now, Symantec has a vested interest in promoting cloud security training: it has partnered with the CSA to offer training for the CSA’s Certificate of Cloud Security Knowledge (CCSK). But if organizations don’t feel prepared for securing cloud computing deployments, it’s a little strange that more aren’t seeking out cloud security training for their staff.

I recall seeing a discussion on LinkedIn a few months ago in which security pros debated the value of the CCSK. Some noted that employers don’t recognize the relatively new certification. That will probably change sooner than later, though, as cloud services become more prevalent in the enterprise.

Interestingly, 56% of respondents to the Symantec-CSA survey said advancing their careers was a major factor in their decision to attend cloud security training.

Adobe Flash Player CVE-2011-2454 Remote Memory Corruption Vulnerability

Google's engineers never studied other companies' patents while developing Android for fear of allowing those patents to influence their design decisions, Google's Android chief Andy Rubin testified on the stand Wednesday.
Two Microsoft Research projects presented at the Conference on Human Factors in Computing Systems used unique methods, completely absent of any cameras, to sense gestures.

When Microsoft issued version 12 of its Security Intelligence Report (.pdf) last month, its marketing machine had one message it wanted journalists to communicate to businesses: Conficker worm infections are a serious concern.

The Conficker emphasis was extremely strong. Prior to a briefing with a Microsoft executive, reporters were given a slide deck largely void of information except for data about Conficker; Microsoft’s 126-page report had been boiled down to 16 slides. Microsoft proclaimed Conficker “the No. 1 threat facing businesses over the past 2.5 years.” It was “detected on 1.7 million machines in the fourth quarter of 2011;” it was “detected almost 220 million times since 2009;” and there has been a 225% increase in quarterly detections since 2009, Microsoft said.

It sounds alarming, but that’s just marketing at its worst.

Conficker has no payload. There are no cybercriminals controlling it. The worm itself was designed to spread quickly to establish the infrastructure for a botnet. Once it’s installed on an infected machine it opens connections to receive instructions from a remote server. But that function has been neutralized by the Conficker Working Group, which uses the worm’s broken domain algorithm to block it from receiving data.

If Conficker isn’t a serious threat, what is? Here are a few data points to consider from the Microsoft SIR that may be more important than Microsoft’s Conficker message:

Windows exploits rise significantly: Operating system exploits, specifically targeting Microsoft Windows, skyrocketed by 100% in 2011.

Despite a security update in August 2010 addressing a publicly disclosed vulnerability in Windows Shell, attackers have been successfully targeting the flaw using malicious shortcut files. Exploits against the vulnerability and several others that were detected by Microsoft increased from 400,000 in the first quarter of 2011, to more than 800,000 in the fourth quarter of 2011. The statistics point to the Ramnit worm as the culprit targeting the flaw. It was recently detected transforming into financial malware capable of draining bank accounts.

The other Microsoft Windows flaw being targeted was a Microsoft Windows Help and Support Center vulnerability that can be targeted via a drive-by attack. It was repaired in a security update issued in July 2010.

Windows Vista infection rate higher than Windows XP: The infection rate for 32- and 64-bit editions of Windows Vista SP1 and the 64-bit edition of Windows Vista SP2 outpaced Windows XP SP3. Microsoft says attackers are targeting the newer platforms because companies are migrating to them. Infection rates for the 64-bit editions of Windows Vista and Windows 7 have increased since the first half of 2011, Microsoft said.

Microsoft said the increase is also due to detection signatures it added to its Malicious Software Removal Tool for several malware families in the second half of 2011. “Detections of these families increased significantly on all of the supported platforms after MSRT coverage was added,” the company said in its report. In addition, a security update addressing the Windows Autorun feature in Windows was issued last year and was likely a major factor in driving down the infection rate in Windows XP, the software maker said.

Java exploits are out of control: Java, which is platform independent, has no doubt become a favorite attack tool of cybercriminals. Combined, the top six Java exploits represented millions of unique infections, according to the Microsoft SIR. Exploits delivered through HTML or JavaScript skyrocketed in the second half of 2011. A single Sun Java Runtime vulnerability is responsible for 1.4 million infections in the fourth quarter of 2011. There was an explosion of infections in the fourth quarter of a single Java vulnerability using a MIDI file with a malicious MixerSequencer. Most of the activity is driven by the Black Hole Exploit Kit.

Adobe Reader, Acrobat attacks: While not out of control, it continues to be a favorite attack method of cybercriminals. “Exploits that affect Adobe Reader and Adobe Acrobat accounted for most document format exploits detected throughout the last four quarters.” There were nearly 1 million of them.


There are bogus order cancellation emails going around claiming to be from Amazon like this:

Dear Customer,
Your order has been successfully canceled. For your reference, here's a summary of your order:
You just canceled order 15-6698-2492 placed on May 9, 2012.Status: CANCELED

1 Mulberry 2006, Special Edition
By: Sorcha Stewart

Sold by: Amazon.com LLC


Thank you for visiting Amazon.com!

Earth's Biggest Selection

The 15-6698-2492 in the copy I received linked to the URL http://repdesign.pt/requires.html which contains this in the body:

<script type="text/javascript">window.location="http://leibypharmacylevitra.com/"</script>

The web server seems to be down:

--2012-05-09 13:43:19-- (try: 7) http://leibypharmacylevitra.com/
Connecting to leibypharmacylevitra.com||:80...

It is probably safe to assume that the content of that site is not user friendly.
Here is the full content of the page at repdesign.pt:

<html><head><script type="text/javascript">window.location="http://leibypharmacylevitra.com/"</script></head><body><a href="http://leibypharmacylevitra.com">Click</a></body></html>
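As an added example (not part of the diary), a small Python check that pulls the automatic redirect target out of a fetched lure page like the one above and flags it when the destination host differs from the page's own host, which is what made repdesign.pt a mere hop rather than the final site. The sample page is a constructed reconstruction of the markup quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the redirect page quoted in the diary, with its markup restored.
SAMPLE_URL = "http://repdesign.pt/requires.html"
SAMPLE_PAGE = ('<html><head><script type="text/javascript">'
               'window.location="http://leibypharmacylevitra.com/"</script></head>'
               '<body><a href="http://leibypharmacylevitra.com">Click</a></body></html>')

# JavaScript redirect forms: window.location = "..", location.href = "..",
# location.replace("..") / location.assign("..").
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*(?:=\s*|\.(?:replace|assign)\s*\(\s*)'
    r'["\']([^"\']+)["\']', re.IGNORECASE)

# <meta http-equiv="refresh" content="0; url=..."> is the other common client-side hop.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']'
    r'[^"\']*?url=([^"\'\s;]+)', re.IGNORECASE)


def extract_redirects(html):
    """Return (kind, target) pairs for every automatic redirect found in the page."""
    found = [("javascript", m.group(1)) for m in JS_REDIRECT.finditer(html)]
    found += [("meta-refresh", m.group(1)) for m in META_REFRESH.finditer(html)]
    return found


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze(page_url, html):
    """Describe each redirect and flag those that leave the host the page was fetched from."""
    src = host_of(page_url)
    findings = []
    for kind, target in extract_redirects(html):
        dst = host_of(target)
        findings.append({"kind": kind, "target": target,
                         "off_site": bool(dst) and dst != src})
    return findings


def is_redirect_only_page(html):
    """True when the page carries a redirect and almost no visible text, i.e. it exists
    only to forward the visitor, as the repdesign.pt page does."""
    without_scripts = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    words = re.sub(r"<[^>]+>", " ", without_scripts).split()
    return bool(extract_redirects(html)) and len(words) <= 3


if __name__ == "__main__":
    for f in analyze(SAMPLE_URL, SAMPLE_PAGE):
        print(f)
    print("redirect-only page:", is_redirect_only_page(SAMPLE_PAGE))
```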

Handler ISC

Thanks to reader Jim Smuda for bringing this to my attention early today.

Pogoplug launched a service today that allows small and medium-sized businesses, as well as home users, to turn their PCs and servers into pools of storage accessible from the Web.
Complying with the act is consuming more and more time and detracting from real security work.
Amazon Web Services (AWS) now allows ASP.NET developers to take advantage of Elastic Beanstalk, which has been developed to make it easier to roll out cloud-based applications, the company said on Tuesday.
A ransomware application that locks computers and asks their owners to pay fines for allegedly violating several laws through their online activity is targeting U.S. and Canadian users, malware experts from security firm Trend Micro said on Wednesday.
A major Yahoo investor fired another shot at the company's CEO, saying Scott Thompson's apology wasn't enough and that he should be replaced immediately.
Microsoft Windows CVE-2012-0181 Local Privilege Escalation Vulnerability
This is my first diary entry in several years. I am returning as a handler after a lengthy hiatus. I joined an organization which took too much time and did not permit this kind of interaction. It was worth it. That ride is coming to a close and I am happy to be able to return to this fine organization.

Today many of us are working through the monthly onslaught of patches and updates. Between the Microsoft May 2012 updates, PHP, ESX, and some Adobe updates there is quite a bit to think about. This is a monthly occurrence, though, and there are a number of steps organizations can take to prepare for this recurring event. A simple one is to mark the second Tuesday on a team calendar. Start to clear the deck on the Friday before and make sure that test systems are ready to go following the Tuesday release.

I have seen a number of approaches to patch preparation. At one extreme, all critical systems are replicated in a lab, patches are applied and a QA team validates key functions. At the other extreme, patches are just applied and then the organization deals with the fallout. Not being an extremist, I like to be somewhere in the middle depending on organization size, mission, and capability.

There is also the triage effort for reviewing updates and determining how long to wait before getting updates applied. I have seen one organization which waited 10 days after the MSFT release and then applied all released patches, counting on the forums and general buzz about the updates to call out any problems with them. This of course can leave the organization open to many other risks if an exploit is in the wild.

I advocate a more hands on approach especially with key systems. The organization just mentioned ran into a problem recently where two RADIUS (IAS) servers were taken offline by a patch which modified the CA cert. This brought the IAS servers down impacting wireless access for several hours while the problem was identified and investigated and resolved. Testing or patching one system at a time could have prevented or mitigated this outage.

What are some approaches that work and some that don't work? Care to share?



MADJiC.net
Experts suggest patience when dealing with this month's round of Microsoft updates.

The HTC Evo 4G LTE smartphone from Sprint will go on sale May 18 for $199.99 with a two-year contract.
Reader Catherine Bailey is interested in marking her territory. She writes:
The PHP Group has released PHP 5.4.3 and PHP 5.3.13 on Tuesday in order to address two remote code execution vulnerabilities, one of which is being actively exploited by hackers.
I hope we can all agree that it's good that video cameras no longer burn the date and time into footage as they used to. If you missed this particular piece of video history, cameras had an option to include the date and time on every frame of video. (Many cameras can still do this.)
Those looking to build a substantial following on Twitter would do well to stick to one particular topic, rather than use Twitter to discuss a wide range of subjects, a Carnegie Mellon University researcher has advised.
Adventure Bar Story from RideonJapan looks like a classic JRPG, but with a crucial difference. You're not an adventurer who happens to take part in a cooking/crafting mini-game; you're a chef who goes on adventures to support her restaurant business. Wandering the wilderness and killing monsters yields ingredients to toss in the oven once you get back home. Characters don't gain levels through combat, but through eating the food you prepare. Your first nemesis is not an evil sorcerer, but a rival restaurateur.
Google is seeking a new trial on copyright claims in Oracle's intellectual-property lawsuit against it over the Android mobile OS, according to a filing made late Tuesday in U.S. District Court for the Northern District of California.
The Yahoo director who led the search committee that hired embattled CEO Scott Thompson said Tuesday she will step down from the board.
Botnet activity is on the rise around the globe, and to help understand this problem the National Institute of Standards and Technology (NIST) is hosting a free, day-long workshop May 30, 2012, at its Gaithersburg, Md., campus. Technical ...
PHP CVE-2012-1172 Directory Traversal Vulnerability
Apple's online store scored the highest satisfaction rating of any computer-related company, and handily beat rival Microsoft, a consumer pollster said today.
Google is testing a long-awaited full-text search API (application programming interface) for the Google App Engine, the company said on Tuesday.
RETIRED: Microsoft May 2012 Advance Notification Multiple Vulnerabilities
From California and Utah to Ohio, Massachusetts and Maine, state and local governments are using the cloud to update antiquated systems, but the hurdles are high.
Trust is central to mobile operators' relationships with consumers, and carriers may have their work cut out for them in restoring that trust, based on executives' comments during a keynote session on Tuesday at CTIA Wireless.
Apple supplier Foxconn plans to set up headquarters in China, as part of the company's growing expansion in manufacturing and commercial operations.
Sony Mobile Communications has launched two new Android-based LTE smartphones for the Japanese market; the light-weight Xperia SX and the Xperia GX, which has a 13-megapixel camera.
Adobe Photoshop CVE-2012-2028 Remote Buffer Overflow Vulnerability
Serendipity 1.6 Backend Cross-Site Scripting and SQL-Injection vulnerability
rssh security announcement
[security bulletin] HPSBMU02775 SSRT100853 rev.1 - HP Performance Insight for Networks Running on HP-UX, Linux, Solaris, and Windows, Remote SQL Injection, Cross Site Scripting (XSS), Privilege Elevation
PayPal and Softbank said Wednesday they will form a new joint venture to pursue online transactions business in the country.
Tablet makers are moving toward selling only models equipped with cellular radios and away from having separate Wi-Fi-only units, as the added cost of 3G hardware falls below $30, an AT&T executive said Tuesday.
Hewlett-Packard announced new Envy Ultrabooks on Wednesday, but also a new aggressively priced thin-and-light brand of laptops called Envy Sleekbooks, which boast starting prices that are $150 lower than ultrabooks.

Posted by InfoSec News on May 08


By John Leyden
The Register
8th May 2012

Security researchers have discovered a strain of malware that uses the
geolocation service offered by an adult dating website as an easy way to
determine the location of infected machines.

Thousands of infected machines in a zombie network all phoned home to
the URL promos.fling.com/geo/txt/city.php at the adult hookup site

Posted by InfoSec News on May 08


By Ericka Chickowski
Contributing Writer
Dark Reading
May 07, 2012

Security and risk pundits have long lamented the practice of going
through the motions just to satisfy security regulations and standards
like PCI, SOX, and HIPAA. Phoning it in may keep the auditors in check,
but it won't mitigate the risks of attack....

Posted by InfoSec News on May 08


By Tom Field
Bank InfoSecurity
May 3, 2012

The information security profession is a 'war for talent' today, says
recruiter Kathy Lavinder. But to win the war requires specialized skill
sets. Here are today's top requirements.

High atop the list: Deep technical skills, particularly in hot areas
such as incident response.

"The technical piece in many...

Posted by InfoSec News on May 08


By Dawn Lim
May 8, 2012

House Armed Services Committee chairman Rep. Howard McKeon has called
for legislative language to clarify that the Pentagon can launch secret
cybersecurity operations to support military efforts and guard against
network attacks.

In a release of his draft bill of the National Defense Authorization Act...

Posted by InfoSec News on May 08


By Alastair Stevenson
08 May 2012

US and Chinese defence ministers have met in an effort to quell growing
rumblings that the two countries are on the brink of cyber war and
instead promote their work together on cyber issues affecting both

US defence secretary Leon Panetta and Chinese general Liang Guanglie met
in Washington on Monday and...