
InfoSec News

Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers today at Pwn2Own, but two other smartphones running Android and Windows Phone 7 were unchallenged, the contest's sponsor said.
 
Many of us watch the events in the Middle East and North Africa unfold from afar. But for businesses with operations in these global regions of political unrest, protests, rebel uprising and deteriorating security often force difficult and immediate decisions for the sake of keeping employees out of harm's way.
 
Yes, we know--it's hard enough to remember to back up your desktop, your laptop, your smartphone, and your tablet, and now we want you to think about backing up your cloud-based e-mail account, too.
 
Microsoft on Thursday confirmed a delay to the Windows Phone 7 update that includes cut and paste, but the company said it is still on track to deliver an even bigger update by the end of the year.
 
About 300 years ago, the English playwright William Congreve wrote, "music has charms to soothe a savage breast, to soften rocks, or bend a knotted oak." This week we learned that it can also help hackers break into your car.
 
Oracle Weblogic CVE-2010-4437 Remote Session Fixation Vulnerability
 
WebKit Use-After-Free Remote Code Execution Vulnerability
 
Cisco IOS CVE-2010-2828 H.323 Unspecified Denial of Service Vulnerability
 
OpenLDAP Multiple Security Bypass Vulnerabilities
 
Brian McCarthy has been arrested for link aggregation.
 
Senators question how WikiLeaks obtained thousands of classified U.S. documents
 
Sales of Apple's iPad battered Acer's netbook and notebook sales so badly that Dell was able to regain its second-place position in the global PC market.
 
Laptops and desktops from Lenovo with the upgraded Windows 7 Service Pack 1 (SP1) will become available starting in early April, with Hewlett-Packard planning shipments of business PCs soon after, the companies said.
 
Talk about having some wealthy friends. Six people involved with Facebook made Forbes magazine's 2011 Billionaires List.
 
Tim Armstrong promised that 2011 will be the year AOL revenue starts growing again
 
Three top executives of mobile WiMax operator Clearwire are leaving the company, including CEO Bill Morrow, who will be replaced for the time being by Chairman John Stanton.
 
If you're planning to buy the iPad 2 during the expected rush on Friday afternoon, you might want to consider retailers such as Best Buy, Walmart and Target instead of the Apple retail stores or the two major U.S. carriers.
 
Mail-Box Perl Module Unspecified Security Vulnerability
 
Lazyest Gallery WordPress Plugin 'image' Parameter Cross Site Scripting Vulnerability
 
IBM WebSphere Application Server prior to 7.0.0.15 Multiple Security Vulnerabilities
 

The Mythical Beast That Hides in Your Closet
CSO (blog)
The term Advanced Persistent Threat (APT) permeated our lexicon some time ago and is now used as standard terminology for threats that cannot be stopped. A whole cottage industry has grown up around APT ...

 
Oracle customers on a range of significant releases have a choice to make this year: Upgrade, or potentially pay more for support.
 
Apple on Wednesday released iOS 4.3, giving iPhone, iPad and recent iPod Touch users an updated OS that includes nearly 60 security fixes, needed enhancements to AirPlay, a faster Safari and numerous smaller tweaks. Users should grab it, says columnist Michael deAgonia.
 
A British security researcher today said it took him six weeks to craft a three-exploit package that brought Microsoft's Internet Explorer 8 (IE8) to its knees at Pwn2Own on Wednesday.
 
If you've decided on Apple's iPad 2, your next decision is where to buy it: your local Apple store, online, from Verizon Wireless or AT&T? Here are the basics to help you decide which way to go on Friday.
 
Apple's rivals have lost headway in convincing American consumers to pick their tablets over the iPad, a market researcher said today.
 
Hewlett-Packard CEO Leo Apotheker and three directors broke company rules by participating in the nomination of five new board members, an investor advisory firm said.
 
In the wake of AOL's buying the Huffington Post, the company said Thursday that it will lay off 900 workers.
 
Google is adding a feature to its search engine that lets users block out all links from specific domains in their query results.
 
Re: HTB22875: XSS in Lazyest Gallery wordpress plugin
 
Re: Cross-Site Scripting vulnerability in Nagios
 
[security bulletin] HPSBMA02629 SSRT100381 rev.3 - HP Power Manager (HPPM) Running on Linux and Windows, Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)
 
Several companies, including Manpower and Tampa General Hospital, are announcing on Thursday their adoption of Microsoft BPOS applications, pointing to progress the software giant is making in the cloud realm and also to new features and pricing models users would like to see as such software becomes a bigger part corporate IT.
 
IT vendors spend $25 billion a year on lead generation, while CIOs have become skilled at the art of evasion. The technology marketplace is inefficient and often acrimonious. CIO.com talked to xPeerient CEO Mark Hall about why the IT marketplace is broken and what he thinks could fix it.
 
Reader Bill is having a problem with Internet Explorer 8 on his Windows XP system: Whenever he runs the browser, it pops open for just a second or two, then immediately closes again.
 
If you have decided on Apple's iPad 2, your next decision is where to buy it: your local Apple store, online, from Verizon Wireless or AT&T? Here are the basics to help you decide which way to go on Friday.
 
Apple's JavaScript enhancements show speed improvements for the mobile version of Safari on the iPad.
 
The CEO of mobile payment service startup Square called accusations that the company was distributing credit-card skimming devices inaccurate and unfair.
 
Microsoft .NET Runtime Optimization Service Local Privilege Escalation Vulnerability
 

Infosec Execs: Uncle Sam Wants You!
GovInfoSecurity.com (blog)
By serving as a loaned executive, executives will have an opportunity to make a difference in securing our nation. DHS seeks a special adviser for cybersecurity and communications integration planning, who would report to Michael Brown, a Navy admiral ...

State Infosec Unit Shifts Focus to Risk
GovInfoSecurity.com
Iowa CISO Jeff Franklin explains how collecting real-time information helps the state information security office transition its focus from technology to risk management. The state of Iowa's information security office is in transition, segueing its ...

 
Call for Papers: Passwords^11
 
[SECURITY] [DSA 2188-1] webkit security update
 
Cross-Site Scripting vulnerability in Nagios
 
HTB22874: Path disclosure in Lazyest Gallery wordpress plugin
 
Hewlett-Packard announced a new portfolio of services to determine and implement ways to cut energy costs and carbon emissions across organizations.
 
The original iPad really worked best when in a case, but as Steve Jobs lamented in launching the iPad 2, most iPads have had their beautiful design—toiled over by Apple’s finest aesthetes!—cloaked by cases made of fabric or leather. And cases don’t just hide that pretty iPad—they also add thickness and weight.
 
A year ago, nobody had an iPad. Then Apple sold 15 million of them in just nine months, creating a whole new category of technology product. The iPad may have become, in the words of Steve Jobs, “the most successful consumer product ever launched.”
 
BestCrypt ($60, 21-day free trial) is a file-encryption tool that focuses on the creation of encrypted containers. Each container file can be any size from a few megabytes to as large as an entire drive (on an NTFS drive; 4 gigabytes on FAT32). The user's individual needs will determine how they make containers, and where BestCrypt is strongest compared to competing programs I've tried (such as the free and open source TrueCrypt and FreeOTFE) is in the area of creating and managing multiple containers.
 
HTB22875: XSS in Lazyest Gallery wordpress plugin
 
HTB22879: Multiple XSS vulnerabilities in CosmoShop
 
HTB22880: XSS vulnerability in CosmoShop
 
[DCA-2011-0007] Air Contacts Lite (iPhone / iPod App Denial Of Service)
 

Security Experts:
SearchSecurity.com
It's your direct connection to some of the leading security specialists and practitioners in the infosec field. Our panel of information security specialists has been chosen by SearchSecurity.com editors for their knowledge of specific technologies ...

 
InfoSec News: Data Breach Affects 2,777 Henry Ford Health System Patients: http://www.eweek.com/c/a/Health-Care-IT/Data-Breach-Affects-2777-Henry-Ford-Health-System-Patients-415908/
By Brian T. Horowitz eWEEK.com 2011-03-09
The Henry Ford Health System in Detroit has started notifying by postal mail 2,777 patients affected by a missing flash drive. [...]
 
InfoSec News: U.S. agents charge ex-employee of N.J. technology company with giving China sensitive military data: http://www.nj.com/news/index.ssf/2011/03/federal_agents_charge_ex-emplo.html
By Jason Grant The Star-Ledger March 08, 2011
Federal agents today arrested and charged a former employee of a New Jersey-based division of a technology company with giving China [...]
 
InfoSec News: 35,000 Chinese websites hacked in 2010: http://english.people.com.cn/90001/98649/7315003.html
By People's Daily Online March 10, 2011
A total of 35,000 websites on the Chinese mainland were attacked by hackers in 2010, including 4,635 government websites, according to the Internet security report released by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) on March 9.
The report shows that 5 million domestic host computers, counted by IP address, were infected with a trojan horse or zombie virus.
According to the report, government websites are vulnerable to hacker attacks, and websites of financial institutions have become the main targets of hackers. According to monitoring by the CNCERT/CC, 35,000 websites on the Chinese mainland were victims of hackers in 2010, a decrease of 22 percent from 2009. Of these, however, 4,635 were government websites, an increase of 68 percent from a year earlier. Around 60 percent of ministerial-level websites have security weaknesses of varying degrees.
"Hackers use two main means to attack government websites. One is to replace the homepage of a government website with that of a hacker organization in order to show off their skills; the other is to hide the hackers' own pages on government websites and then tell potential buyers that the servers and bandwidth of those government websites are under their control and can be leased or transferred to criminals," said Zhou Yonglin, head of the Operation Department under the CNCERT/CC.
Furthermore, there is an increasingly evident profit-seeking trend in network crime. Websites of large-scale e-commerce operators, financial institutions and third-party online payment service providers have become the main targets of phishing. Hackers have set up knockoff websites and tempted users to log in and trade in order to steal their account names and passwords, leading to losses.
 
InfoSec News: RECON 2011 CFP: Forwarded from: hfortier (at) recon.cx
 
InfoSec News: New cyber espionage unit revealed: http://www.theage.com.au/technology/security/new-cyber-espionage-unit-revealed-20110309-1bo0y.html
By Dylan Welch The Sydney Morning Herald March 10, 2011
ASIO has created a unit to combat cyber spying, in the latest move by government to protect Australia's online networks. [...]
 
InfoSec News: Penn Mutual Says Employee Might Have Disclosed Customer Data: http://www.darkreading.com/insider-threat/167801100/security/privacy/229300663/penn-mutual-says-employee-might-have-disclosed-customer-data.html
By Tim Wilson Darkreading Mar 09, 2011
An employee of the Penn Mutual Insurance company gained unauthorized [...]
 
InfoSec News: Safari, IE hacked first at Pwn2Own: http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own
By Gregg Keizer Computerworld March 9, 2011
Apple's Safari and Microsoft's Internet Explorer (IE) both fell to the first hackers who tried their luck on the browsers at Wednesday's opening day of Pwn2Own. [...]
 
Google's latest update for its Android mobile OS appears to already have been subverted by hackers, according to the security vendor Symantec.
 
Google's $20,000 prize went untouched yesterday as no team of hackers at Pwn2Own tried to exploit the Chrome browser.
 
The latest version of Google's browser, Chrome 10, uses the new Crankshaft JavaScript engine to push performance higher.
 
Hewlett-Packard CEO Leo Apotheker and three directors broke company rules by participating in the nomination of five new board members, according to the Wall Street Journal.
 
AnDevCon developer conference bubbled with enthusiasm despite cloud of litigation hanging over Google's mobile platform
 
The Sony executive credited with turning the PlayStation into a money-maker, Kazuo Hirai, is in the lead to take over from Howard Stringer after he retires, the Sony chairman said Thursday. But Stringer noted that the race is not over yet.
 

Posted by InfoSec News on Mar 10

http://english.people.com.cn/90001/98649/7315003.html

By People's Daily Online
March 10, 2011

A total of 35,000 websites on the Chinese mainland were attacked by
hackers in 2010, including 4,635 government websites, according to the
Internet security report released by the National Computer Network
Emergency Response Technical Team/Coordination Center of China
(CNCERT/CC) on March 9.

The report shows that the IP addresses of 5 million...
 

Posted by InfoSec News on Mar 10

http://www.theage.com.au/technology/security/new-cyber-espionage-unit-revealed-20110309-1bo0y.html

By Dylan Welch
The Sydney Morning Herald
March 10, 2011

ASIO has created a unit to combat cyber spying, in the latest move by
government to protect Australia's online networks.

Known as the cyber espionage branch, it was formed in the past nine
months and is believed to be under the control of ASIO's
counter-espionage and interference...
 

Posted by InfoSec News on Mar 10

http://www.darkreading.com/insider-threat/167801100/security/privacy/229300663/penn-mutual-says-employee-might-have-disclosed-customer-data.html

By Tim Wilson
Darkreading
Mar 09, 2011

An employee of the Penn Mutual Insurance company gained unauthorized
access to customer information and might have disclosed it to others,
according to a breach disclosure notice filed with the state of New
Hampshire last month.

"When Penn Mutual learned...
 

Posted by InfoSec News on Mar 10

http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

By Gregg Keizer
Computerworld
March 9, 2011

Apple's Safari and Microsoft's Internet Explorer (IE) both fell to the
first hackers who tried their luck on the browsers at Wednesday's
opening day of Pwn2Own.

The hacking challenge kicked off at 3:30 p.m. PT, slightly later than
scheduled, at the CanSecWest security conference, which runs March 9-11
in Vancouver,...
 

Posted by InfoSec News on Mar 10

http://www.eweek.com/c/a/Health-Care-IT/Data-Breach-Affects-2777-Henry-Ford-Health-System-Patients-415908/

By Brian T. Horowitz
eWEEK.com
2011-03-09

The Henry Ford Health System in Detroit has started notifying by postal
mail 2,777 patients affected by a missing flash drive.

The nonprofit health system, founded in 1915 by auto pioneer Henry Ford,
serves 102,000 patients annually.

The Henry Ford Health System on Feb. 8 began its...
 

Posted by InfoSec News on Mar 10

http://www.nj.com/news/index.ssf/2011/03/federal_agents_charge_ex-emplo.html

By Jason Grant
The Star-Ledger
March 08, 2011

Federal agents today arrested and charged a former employee of a New
Jersey-based division of a technology company with giving China
sensitive military technical data, federal authorities said.

Sixing Liu, 47 -- also known as Steve Liu -- was a senior staff engineer
at the company who helped work on precision...
 

Posted by InfoSec News on Mar 10

Forwarded from: hfortier (at) recon.cx

 

Pentagon preps for Manning jail hack
ZDNet Australia
#infosec RT @darrenpauli: ASIO creates a cyber espionage unit http://bit.ly/hjesu4 It won't help the hacked, but it watch on with excitement. #infosec "Bradlow suggests differentiated classes of service on mobile networks will be inevitable at some ...

 
Apple released a new version of iOS for iPhone, iPad and iPod Touch devices. Besides some new features that are being introduced with this release of iOS, Apple also patched a number of security vulnerabilities.
You can see the whole list at http://support.apple.com/kb/HT4564 - some of these are really low risk, but if you scroll down to the WebKit fixes, you can see that Apple patched 49 (!!!) security vulnerabilities that, according to Apple, may lead to an unexpected application termination or arbitrary code execution (in other words: having your device pwned).
While we are not aware of any of these vulnerabilities being exploited in the wild, it's always better to be safe and update your i* devices as early as you can.
--

Bojan

INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Sony will reorganize its operations and shuffle executives on April 1 in a series of moves that maintains Howard Stringer's leadership and positions two executives to potentially succeed him one day as chairman of the electronics giant.
 
pywebdav MySQL Authentication Module SQL Injection Vulnerability
 
Arthur de Jong 'nss-pam-ldapd' Authentication Bypass Vulnerability
 
FreeBSD netgraph and bluetooth Local Privilege Escalation Vulnerabilities
 