InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The California assembly passed a bill on Thursday that prevents employers from demanding job applicants' passwords for accounts on Facebook or other social networking sites.
The U.S. Federal Trade Commission has launched a probe of Facebook's proposed acquisition of Instagram that could delay the closing of the deal, the Financial Times reported on Thursday.
I am a Mac user, which means my daily browser is Safari. This had been a comfortable arrangement for a number of years, until version 5.1.4 was released in mid March. Since then I have experienced excessive memory consumption, upwards of 1GB, as the cost of using Safari. Prior to that release, no noticeable hit to my resources was observed.

I updated my MacBook yesterday and noticed an improvement today. We'll have to see how long that lasts. It's been less than 24 hours, so it really is too early to tell.
After all that blather is stated, an interesting feature can be noted in this most recent release of Safari: out-of-date Adobe Flash Players will be auto-disabled. [1] Use the link below to get a little more info on it. There is not much more, but it explains how to re-enable an out-of-date Flash Player.

If you are unsure what plugin versions you have in your browser, then you can mosey over to Google and look for a popular browser-check website. I would try out the one provided by a vendor whose name begins with a Q. It is a slick tool that I've used to check on my browser plugin versions.

Feel free to leave us a comment or remark about your Safari travels and experience with this new feature.



ISC Handler on Duty

[1] http://support.apple.com/kb/HT5271?viewlocale=en_USlocale=en_US
Microsoft has revamped the way Windows 8 monitors hard disk operations and detects problems in an effort to make the diagnostic and repair process less intrusive and disruptive, even as disk capacity continues to balloon.
Intel finally entered the smartphone market last month but the company is not sitting still, with plans to quickly release chips that improve performance and power efficiency on smartphones.
Bing will soon include a search interface that offers social search results in a separate column to the right of the returned links, Microsoft said on Thursday.
Adobe's head of security is applauding Apple's move to block outdated versions of his company's Flash Player.
Apple on Wednesday patched 36 vulnerabilities in Mac OS X, most of them critical, plugging a hole that revealed passwords used to encrypt folders with an older version of FileVault.
Intel CEO Paul Otellini on Thursday said that the company has an advantage over its rival ARM on Windows 8 for tablets because of decades of developing x86 chips that support the Windows operating system.
Research in Motion's BlackBerry 7 smartphones have been approved for use by the Department of Defense, the company announced this week.
RoundCube Webmail Denial of Service Vulnerability
RoundCube Webmail Remote Mail Relay Vulnerability
The trial pitting Google vs. Oracle on the claim of intellectual property infringement by Google in Android has taken on an almost tabloid-like feel. Outside the courtroom it feels like the red carpet as tech giant after tech giant emerges from limos and town cars to testify. Insider (registration required)
Dual monitors improve productivity, but it can be hard to get laptops to use multiple displays. It's not impossible, though. Check out these six tips for connecting laptops to external monitors.
An important PHP developer dismissed the validity of Tiobe's language survey, which has C continuing to displace Java as the most popular language
Analysts say eEye's vulnerability and configuration management capabilities are a good fit with BeyondTrust's privilege management and AD integration.

Drupal Take Control Module Cross Site Request Forgery Vulnerability
The deals are getting smaller, with new pricing models, while security and cloud computing become hot topics.
Mozilla yesterday accused Microsoft of withholding APIs necessary to build a competitive browser for Windows RT, and said the behavior "may have antitrust implications."
American Express will enable its credit cards to work with the Isis Mobile Wallet system once the technology is deployed in Salt Lake City and Austin this summer.
EMC today confirmed that it is buying out XtremIO, the maker of flash devices, in a deal pegged at $430 million.
Amid growing interest in small cells, widely seen as an inevitable tool for carriers to deal with booming mobile data demand, there are now signs that it may be hard to derive the expected benefits from them in some cases.
[ MDVSA-2012:068-1 ] php
Drupal 7.14 <= Full Path Disclosure Vulnerability (Update)
Preparing for its entry into the market for IaaS (Infrastructure-as-a-Service), Hewlett-Packard on Thursday launched a second beta program of cloud computing services it plans to offer commercially.
I always like to see audio products seemingly come out of nowhere to wow both headphone enthusiasts and reviewers. Such was the case with the $90 Realvoice headset, which was released to wide acclaim by Spider, a company formerly called Spider Cable and originally known for audio and video cables.
Re: Drupal 7.14 <= Full Path Disclosure Vulnerability
APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002
[SECURITY] [DSA 2468-1] libjakarta-poi-java security update
Mac users should be more than acquainted with PDFpen, the feature-packed PDF offering from Smile Software, that's become a credible alternative to Adobe's Acrobat PDF creation software. Now iPad owners can enjoy all that PDFpen has to offer on their devices as well.
Security researchers report that incorrectly configured hypervisors can lead to a separation of data issue in multi-tenant environments that can expose data remnants. However, you can prevent hosting your data on 'dirty disks.'
Drupal 7.14 <= Full Path Disclosure Vulnerability
[SECURITY] [DSA 2465-1] php5 security update
Adobe Shockwave Player Remote Code Execution (CVE-2012-2031)
Adobe Shockwave Player Remote Code Execution (CVE-2012-2030)

In the world of financial cybercrime, there are three primary groups of fraudsters at work. First up are the developers who write the applications to grab credit card and bank account data. In the middle are the “carders” who sell the ill-gotten data to, if you will, end users. The final group consists of these users or buyers who pay for the hot data and use it to make purchases or move funds to their own accounts.

Those fighting the battles have to make tough decisions about where to focus their resources. Should they go after the developers, the carders or the end users of the stolen financial data? The answer is surely a multi-pronged approach, with different tactics aimed at flushing out and stopping each group of criminals.

Law enforcement officials recently trained their sights on the middle group. In Operation Wreaking hAVoC, the FBI worked with the Serious Organized Crime Agency (SOCA) in the U.K. and authorities in other countries to shut down 36 carder sites. (The word hAVoC reflects the Automated Vending Carts, or AVCs, which are websites used by carders to sell financial information.)

SOCA said the successful operation will reduce international financial crime by £500 million (or more than $800 million) in the coming years. A SOCA representative told me they came to this figure by considering the average cost of the damage that could be incurred from each piece of stolen financial data. Credit card numbers with CVV codes have a damage value of up to $500 in the U.S. or £200 in the U.K., he said. If a full data dump from the card's magnetic stripe is included, or if bank account details are associated with the card, the potential damages go up significantly.

Operation hAVoC is a good example of the effective ways law enforcement agencies around the world can work together to successfully combat global networks of cybercriminals. But they won't be able to bask in their success for long. Other carders are probably already dusting off their wares and pulling their vending carts onto the streets.

London's Court of Appeal has dismissed Nokia's attempt to overturn a ruling that it infringed on an IPCom patent. Nokia said the decision won't affect its current products.
Big data is an IT buzzword nowadays, but what does it really mean? When does data become big?
The Crucial Adrenaline SSD cache drive will enable you to easily improve your PC's performance for less than $100.
None of the recently leaked Twitter logins and passwords came from within the company, according to a message posted on the Twitter Japanese blog Thursday.
Evernote launched a Chinese version of its popular note-taking service on Thursday, marking the U.S. company's entrance into a key country.
Internet Corporation for Assigned Names and Numbers hopes to reopen on May 22 its system that will allow people to apply for a variety of new generic top-level domains.
A security company specializing in the Domain Name System has released a Windows version of a tool that encrypts DNS requests, which could be spied on to reveal a user's browsing activity.
After spending a couple of years and a couple of million dollars, researchers and graduate students released intelligent water sensors into the Sacramento River on Wednesday.
Facebook said Wednesday that it will launch an App Center where users can browse "high-quality" mobile apps that integrate with the social-networking site.
Summer 2012 promises to be the season of tablet experimentation. Just about every tablet maker is expected to announce a new product in the next four months. The devices are likely to be smaller in the case of Apple, bigger in the case of Amazon.
[SECURITY] [DSA 2464-2] icedove regression update
Re: rssh security announcement

Posted by InfoSec News on May 10


By Ann Binlot
May 9, 2012

We recently got hold of a piece of mail bearing bad news from the edgy
boundary-pushing boutique Opening Ceremony stating that "a hacker placed
malicious software on our website."

The letter -- dated May 4 and signed by Carol Lim, CEO and co-founder of the
company -- says that the incident in...

Posted by InfoSec News on May 10


By Ellen Messmer
Network World
May 09, 2012

BeyondTrust, a software firm that specializes in identity and access
management for the enterprise, has announced the acquisition of eEye
Digital Security, which makes products for vulnerability management,
patch remediation, malware defense and configuration compliance.

BeyondTrust, based in Carlsbad, Calif., and eEye, in...

Posted by InfoSec News on May 10


By Eduard Kovacs
May 9th, 2012

A few days ago, Access Kenya, one of the country’s leading internet
solutions and data services providers, revealed the introduction of a
new, more secure, authentication system designed to protect their

After hearing the news, Rwandan hackers took a crack at the company’s

Posted by InfoSec News on May 10


By William Jackson
May 09, 2012

Microsoft’s new operating system builds on existing code from previous
versions and represents a step forward in security, said security
researcher Chris Valasek, who has been examining early releases of
Windows 8.

“As a security practitioner, I like the thing they have put in place to
make it harder to exploit,” he said....

Posted by InfoSec News on May 10


By Desire Athow
08 May, 2012

A new type of wallpaper, which has been developed by scientists from the
"institut polytechnique Grenoble INP" and the "Centre Technique du
Papier", will go on sale in 2013 after a Finnish firm, Ahlstrom acquired
the license.

What looks like a bog standard wallpaper roll...