(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Facebook, Google and Yahoo on Monday filed petitions with the Foreign Intelligence Surveillance Court as part of a renewed collective effort to provide more information to their users about government data requests.

Matthew Green is a well-known cryptography professor, currently teaching in the computer science department of Johns Hopkins University in Baltimore. Last week, Green authored a long and interesting blog post about the recent revelations that the NSA has, among much else, subverted crypto standards. In his words, "The TL;DR ['too long; didn't read' version] is that the NSA has been doing some very bad things." And Green went on to speculate at some length about what those "bad things" were and what they might mean.

Today, Green's academic dean contacted him to ask that "all copies" of the blog post be removed from university servers. Green said that the move was not "my Dean's fault," but he did not elaborate. Were cryptology professors at Johns Hopkins not allowed to say, as Green had, things like:

I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.

Was basic academic freedom on the line? Had the request even come initially from Johns Hopkins or from outside the school—perhaps someone at the NSA headquarters just up the road from Baltimore?

Read 5 remaining paragraphs | Comments


The Army is deploying Tableau Software to help it visualize and manage its supply chain, gradually replacing PowerPoint as the tool of choice for everyone from generals on down through the ranks.
Premier 100 IT Leader Catherine Bessant also answers questions on pursuing a master's degree and getting buy-in from the business.
Seagate announced that it has sold more than 1 million drives using a new recording technology that will offer consumers 5TB hard drives next year and possibly 20TB drives by 2020.
Linux Kernel 'perf' Utility CVE-2013-1060 Local Privilege Escalation Vulnerability

The latest revelation about the National Security Agency's (NSA) expansive surveillance program isn't really a revelation at all. It comes from Germany's Der Spiegel magazine, which reports that smartphones powered by Apple's iOS, Google's Android, and Blackberry's operating systems are among the devices government spies exploit when they want to intercept a target's communications.

Buried in Monday's ho-hum report, however, is this intriguing nugget:

The NSA analysts are especially enthusiastic about the geolocation data stored in smartphones and many of their apps, data that enables them to determine a user's whereabouts at a given time.

According to one presentation, it was even possible to track a person's whereabouts over extended periods of time, until Apple eliminated this "error" with version 4.3.3 of its mobile operating system and restricted the memory to seven days.

The lack of specifics in the article makes it hard identify the iOS bug, but it sure sounds like the one a pair of researchers reported in April 2011. It allowed anyone with physical access to an iPhone or iPad, or potentially a data backup of the device, to reconstruct a detailed account of the user's comings and goings, often down to the second, over an extended period of time. The geolocation data was stored in an easy-to-read file that was updated in real time, putting users at increased risk should their devices, computers, or backups ever fall into the hands of a hacker or government snoop who knew about the undocumented behavior.

Read 4 remaining paragraphs | Comments


Verizon Communications should be able to block its broadband customers from going to websites that refuse to pay the provider to deliver their traffic, a lawyer for Verizon told an appeals court Monday.
Microsoft will host an event Sept. 23 to introduce new Surface tablets, which are likely to go on sale on Oct. 18.
Facebook, Google and Yahoo on Monday filed petitions with the Foreign Intelligence Surveillance Court as part of a renewed collective effort to provide more information to their users about government data requests.
The National Science Foundation has awarded a $25 million grant to Harvard and Massachusetts Institute of Technology to study how the brain creates intelligence and how that process can be replicated in machines.
After a long battle, Carl Icahn and associates admitted they were fighting a losing battle and have stepped away from their attempt to buy Dell.
Amazon won't be ready to launch its much-anticipated Kindle smartphone until it builds up an ample portfolio of wireless-related patents and more relationships with mobile operators, an analyst said Monday.
SAP has unveiled a new version of its Business Objects BI software suite that features support for more than 140 data sources and the promise of more stable deployments.
After promising to bring power-efficient Haswell processors to tablets, Intel has now started shipping new low-power, fourth-generation Core i3 processors, including one that draws as little as 4.5 watts of power in specific usage scenarios.
After developers and IT pros pelted Microsoft with complaints, the company has backtracked and decided to grant them access to the latest Windows 8.1 build instead of making them wait until mid-October.
For this year's annual update to PostgreSQL, the developers behind the open source database have added several new ways to communicate with other databases and data storage systems.
Microsoft has piled up so many stresses on its corporate body in the last 10 months that it must beat almost insurmountable odds to remain healthy and viable, a business strategist said today.
European politicians on Monday called for a data sharing agreement between the United States and the European Union to be immediately suspended following more revelations of spying by the U.S. National Security Agency (NSA).

Five Minute Interview: Ross Baker, AppRiver
TechTarget UK
When I saw him at Infosec the following year I took great pleasure in saying (with a smile) “thanks for the best advice I never took.” I would add to that by stating the obvious advice which I was given when younger. Never burn your bridges. It is ...

Western Digital is continuing its acquisition spree of flash storage companies, announcing a definitive agreement to buy enterprise solid-state drive (SSD) vendor Virident for $685 million.
Because many enterprises have already upgraded their networks to the 802.11n standard, sales growth in the enterprise wireless LAN sector was cut in half during the second quarter, according to Infonetics Research.
Intel will launch a new family of SSDs at this week's Intel Developer Forum, offering security and remote management features for enterprise and small-business client devices.
Seagate has unveiled a new hard drive with up to 500GB of space that will give tablets PC-like storage, while offering the same power, performance and reliability of an SSD.
The U.S. National Security Agency is able to read messages sent via a corporate BlackBerry Enterprise Server (BES), according to a report by German news magazine Der Spiegel. The purpose of this spying is economic or political, and not to counter terrorism, the magazine hints.
Cisco Adaptive Security Appliance (ASA) Software Denial of Service Vulnerability
Oracle MySQL Server CVE-2013-3806 Remote Security Vulnerability
Oracle MySQL Server CVE-2013-3807 Remote Security Vulnerability
Oracle MySQL Server CVE-2013-3809 Remote Security Vulnerability
IT will benefit from BYOD if it has clear policies that limit its involvement in support. (Insider; registration required)
It is hard to ignore the recent news about government sponsored internet surveillance campaigns, which are alleged to involve decrypting SSL traffic. In light of these news, should you do anything differently? Does it matter to your network and how? Even if today only a small group possesses the knowledge and resources to decrypt SSL, chances are that this secret will leak like so many and the resources required to apply the techniques will only get cheaper and in turn become available to well funded advisories like organized crime. The information once decrypted may also be at risk from being compromised by anyone who compromised the organization that now holds the data. So does it matter? 
First of all, I don't think there is "proof" at this point that SSL in itself has been broken. SSL and the encryption algorithms it negotiates have seen many implementation issues in the past, and it is fair to assume that broken implementations, bad random number generators and sub-optimal configurations make breaking "real live" SSL a lot easier then it should be based on the strength of the underlying algorithms. Additionally, in many high profile attacks, SSL wasn't the problem. The end point or the SSL infrastructure was compromised instead and as a result, the encryption algorithm didn't matter.

Endpoint Security

None of the "APT" style data leaks had much to do with decrypting SSL. Instead, the end point was compromised either by exploiting a technical vulnerability in client software, or by using social engineering techniques to trick the user into installing malicious software. These techniques are old, constantly tweaked and not limited to sophisticated attacks. Each day, we see compromises ranging from the "trivial" fake UPS shipping e-mail over more clever compromised ad networks to highly targeted and well crafted "spear phishing" attacks. 

What is the "Endpoint"?

Many systems promise "end-to-end" encryption. In my opinion, end-to-end encryption means that a message is encrypted by the sender before it is transmitted and decrypted by the *final* recipient. The definition of *final* is critical here. Many encrypted messaging systems will decrypt the message on a server, then re-encrypt it for the recipient. This scheme will expose your message to intercept at the relay point. If you do not control the relay point, then your message is at risk from being intercepted. For example Skype. Skype uses a pretty solid encryption system. But in order to support features like gateways to other phone systems, the respective gateway has to be able to decrypt the message. Whenever your secure messaging system is able to communicate with insecure endpoints, someone else has to be able to decrypt the message. Similar with webmail systems. There are some attempts to built end-to-end encrypted web mail systems that use client side JavaScript or browser plugins to encrypt and decrypt the message. But these systems are not in wide use at this point. Cloud based messaging systems are of course in particular suspect and need to be designed carefully not to allow decryption "in the cloud", which in turn breaks features like search and indexing using cloud resources.

The SSL Infrastructure

There are two ways to "sniff" SSL: On the one hand you can record an SSL encrypted session and decrypt it offline. Without knowledge of the private keys or master keys involved, this process is very difficult if possible at all. The much more commonly used method to intercept SSL is to use a "Man in the Middle" attack. It again concerns the "end-to-end" concept. The attacker terminates the SSL connection and then re-encrypts it for the intended recipient. SSL provides signed certificates to prevent this attack, and clients will warn the user if an invalid certificate is used. The first problem is that the user may ignore the warning, given that too many "real" SSL certificates are not configured properly and produce this warning. Secondly, a browser will consider a certificate as valid if it is signed by a trusted certificate authority. Certificate authorities have been compromised in the past. Many governments control certificate authorities and are able to generate trusted certificates to impersonate other sites. Human factors around certificate authorities and attackers being able to obtain valid certificates are a much larger threat and SSL may have been considered broken for some time as a result. Tools like sslstrip will of course prey on the human interface component to again lead to a more "elegant" man in the middle attack.

So what should I do?

In network security, you always got limited time and limited resources to fight unlimited worries. First, focus on your end points. You are much more likely to suffer from a compromise due to a misconfigured endpoint then a brute-force decrypted SSL session. Secondly, double check the configuration of your SSL clients and servers. Are you using the strongest possible encryption algorithm? Are you using the longest possible keys? This is a tradeoff. For example, not all systems do support anything beyond TLS 1.0. Add respective upgrades to your roadmap. Finally: Encrypt everything. Even a sophisticated adversary has to use some finite resource to decrypt traffic. Increasing the work load by encrypting all traffic, not just "important" traffic is one way to extend the life span of your information. For closed networks that do not have to communicate with the outside world, consider building your own SSL infrastructure (NOT implement your own SSL library). Setup your own CA and only trust certificates signed by your own CA. But in the end, spend your time on problems that matter. It is all too easy to get distracted by the headline of the day.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
It's hard to get a good job in IT these days, but it's all too easy to lose one.
Going head-to-head with Apple and Google, Sony has launched the PlayStation Vita TV set-top box to bring video and games to TVs.
Wearable computing is coming, and combined with augmented-reality apps, it could bring some benefits for the enterprise.
Microsoft is expanding its Xbox Music service to iOS and Android devices, and also adding free streaming via the Web.

Sophos has reported a combination of vulnerabilties that can be used to perform a remote privilege escalation and gain unauthorised privileged access to the the device.  Details can be found here http://www.sophos.com/en-us/support/knowledgebase/119773.aspx . 

If automatic updating is enabled the fix should be applied without further intervention. 

Mark H

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Facebook revealed a new tool that enables news organisations to tap into user comments and display them online or on TV in real-time.
The WiGig high-speed wireless standard will power a new wireless version of USB through a deal between the Wi-Fi Alliance and the USB Implementers Forum.
Google's rivals on Monday called for a second full review of the search giant's latest proposed measures aimed at avoiding a fine from the European Commission for allegedly breaking competition rules.
pyOpenSSL SSL Client Certificate Validation Security Bypass Vulnerability
LibTIFF CVE-2013-4244 Out of Bounds Memory Corruption Vulnerability
NASA engineers have fixed a problem with the new lunar orbiter and the spacecraft is continuing its month-long journey to the moon.
Google's Chrome browser, in its five years of existence, has blossomed into one of the cornerstones of the company's online empire, boasting its own stable of Chrome Apps for the browser and even forming the foundation of Chrome OS, Google's netbook operating system.
Nissan is working on a smartwatch that will monitor both its Nismo cars and their drivers.
Demand for Windows 8 may be sluggish, but Dell still thinks it's the best operating system for business tablets and plans to roll out more Windows 8 products later this year.
Proving that data analytics is becoming a mainstay of U.S. politics, data scientists from the 2012 Obama and Romney campaigns have opened their own firms to offer their services to other candidates. Insider (registration required)
The heap of blunders that piled up at Microsoft under Steve Ballmer may have led to the earthshaking announcement that Bill Gates' former right-hand man and heir, as well as Microsoft's fiercest cheerleader, will step down as CEO within a year.
As development of self-driving car technology moves ahead, there's a growing faction of people in the blogosphere who say they won't let a computer usurp their driving independence.
The IT employment outlook has provided nothing but mixed signals. Tech employment is showing signs of slowing, but not everywhere. Now the Federal Reserve is saying that in some markets -- Boston and San Francisco -- demand for certain types of tech skills is outstripping supply.
A survey digs into IT pros' perceptions about their own profession.
There are problems with buying followers on social media sites.
Hardening the core will leverage many existing technologies.
Microsoft's move to acquire Nokia's devices and services business is a gamble that the company had to take to boost its flagging mobile business. For Nokia, it's an admission that it lacks the resources to compete with Samsung and Apple, say analysts.
Microsoft should have given up on Windows Phone while it could, instead of doubling down on the mobile OS with its Nokia acquisition.
TYPO3 File Abstraction Layer Remote PHP Code Execution Vulnerability

Network access control in the real world
IT-Director.com (blog)
At the Infosec Europe event in April this year, Quocirca chaired a panel session where three users of NAC from very different business sectors explained why they had invested in the technology, how it helps them overcome GRC challenges and better ...

[CORE-2013-0809] Sophos Web Protection Appliance Multiple Vulnerabilities

Posted by InfoSec News on Sep 09


By David Kravets and Robert McMillan
Threat Level

Six years ago, two Microsoft cryptography researchers discovered some
weirdness in an obscure cryptography standard authored by the National
Security Agency. There was a bug in a government-standard random number
generator that could be used to encrypt data.

The researchers, Dan Shumow and Niels Ferguson,...

Posted by InfoSec News on Sep 09


By Alastair Stevenson
06 Sep 2013

Inadequate bring-your-own-device (BYOD) policies are leaving small to
medium-sized businesses open to attack by cyber criminals, according to
security firm AVG.

AVG's SMB general manager Mike Foreman said despite progress in educating
SMBs about basic network security, they...

Posted by InfoSec News on Sep 09


By John Leyden
The Register
6th September 2013

Security researchers have discovery a vulnerability in mobile versions of
the Yahoo! Fantasy [American] Football app that created a means for
hackers to change team lineups and post imposter comments on message

Yahoo! has plugged the security hole, but users who fail to update their
mobile app to the most recent...

Posted by InfoSec News on Sep 09


By Jeff Lawrence
CTV British Columbia
September 6, 2013

An inactive email address was the back door an Abbotsford hacker needed to
hijack the social media accounts of pop sensation Carly Rae Jepsen, a
provincial court heard Friday.

Christopher David Long turned himself in to police last December after
Vancouver police received a tip...
Internet Storm Center Infocon Status