InfoSec News

CSO Security Standard: DHS wants you (for a little while, at least)
CSO (blog)
Mark Weatherford, undersecretary of cybersecurity for the Department of Homeland Security, says more infosec talent is needed at his agency. Posted September 10, 2012 to Security Leadership | . If you're a so-called computer geek who likes to break ...

Mozilla Firefox, SeaMonkey, and Thunderbird Information Disclosure Vulnerability
The unique identifiers of 1 million Apple iOS devices that hackers leaked last week were stolen from the servers of a Florida-based digital publishing firm called Bluetoad.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1959 Security Bypass Vulnerability
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
GoDaddy restored some services on Monday as the company battled online attacks that severely impacted its hosting and domain-name registration operations.
Mozilla Firefox/Thunderbird/Seamonkey MFSA 2012-42 Multiple Memory Corruption Vulnerabilities
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1967 Privilege Escalation Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1962 Memory Corruption Vulnerability
Pinterestclones Security Bypass and HTML Injection Vulnerabilities
Hewlett-Packard's layoff just got a little bigger. The company, in a U.S. Securities and Exchange filing, said it will eliminate 29,000 positions, an increase of 2,000.
DHS Secretary Janet Napolitano Monday renewed the call for guidelines that enable public-private cybersecurity intelligence information sharing.

[SECURITY] [DSA 2545-1] qemu security update
[SECURITY] [DSA 2544-1] xen security update
[SECURITY] [DSA 2543-1] xen-qemu-dm-4.0 security update
[SECURITY] [DSA 2542-1] qemu-kvm security update
Update: GoDaddy appears to make some progress getting services back online. The web site is responding again. DNS queries appear to be still timing out and logins into the site fail. (17:30 ET)
GoDaddy is currently experiencing a massive DDoS attack. Anonymous was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via Twitter: Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it.
The outage appears to affect the entire range of GoDaddy hosted services, including DNS, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy).
At this point, I would expect GoDaddy to keep its users up to date via its Twitter feed (http://twitter.com/GoDaddy ). I am not aware of a reachable network status page for GoDaddy.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

GoDaddy said it was working to restore service. A person claiming to be a member of Anonymous has claimed responsibility.

Cybercriminals use Anime character Anaru to lure users into downloading an app that collects personal information, Symantec says.

Premier 100 IT Leader Jacqueline Lucas also answers questions on working with a negative person and the factors that influence a career.
IaaS provider CloudShare deployed Splunk to correlate machine-generated data and provide insight into every aspect of its business.
Sprint Nextel will launch 4G LTE service in more than 100 cities, including New York, Los Angeles, Chicago and Miami, in the coming months, the carrier said Monday.
When Apple announces its next iPhone as expected Wednesday, analysts predict it will have faster LTE wireless capability along with other improvements, including a larger 4-in. display, more powerful processor and overall design changes to woo expectant buyers.
Popular domain name registrar and Web and email hosting provider GoDaddy is experiencing a severe outage, one that appears to have taken out not only its hosted services, but even those websites that have registered their domain names through GoDaddy.
Oracle has sued former partner CedarCrestone on grounds it has been providing third-party support for Oracle's software in an illegal fashion, a move that echoes previous actions Oracle took against former SAP subsidiary TomorrowNow and Rimini Street.
EarthLink will resell wireless broadband on Clearwire's WiMax network starting early next year and later will launch a service based on that company's planned LTE network.
Western Digital announced what it said is the industry's thinnest hybrid drive for Ultrabooks, a 5mm-thick model that has 500GB capacity.
William "Bill" Moggridge is the man responsible for designing the folding screen and clamshell design of the modern laptop.
Microsoft today said it would open nearly three dozen 'pop-up' stores this fall in U.S. and Canadian malls and shopping centers to sell its own hardware and software.
Intel said it is developing high-performance server chips that in the future will serve up faster results from cloud services or data-intensive applications like analytics, all while cutting electricity bills in data centers.
Version 5.4 of Foxit Software's proprietary PDF Reader application closes a security hole that could have been exploited by an attacker to compromise a victim's system.

When nearly 69,000 fans crowd into Gillette Stadium for the New England Patriots NFL home opener on Sept. 16, a new multimillion-dollar, high-density, bowlwide Wi-Fi network will be fired up for its first public use.
According to a report, the UK government plans to place restrictions on the sales and export of commercial spyware software from Gamma International, which sells the FinFisher trojan to governments for use by security agencies.

MyCalendar Mobile, by K-Factor Media, is a simple iOS app with one purpose--to help you remember your friends' birthdays. It's primarily focused on Facebook friends, but it can also gather birthdays from the Contacts stored on iPhone, iPod touch or iPad (though it's not optimized for that last device), as well as accept birthdays that you enter manually into the app.
Worldwide IT spending remains on course to grow by 6% in 2012 despite the grim economic situation in Europe, thanks to strong software, storage, smartphone and tablet sales, according to IDC.
RETIRED: MobileCartly 'savepage.php' Arbitrary File Create Vulnerability
SAP on Monday is set to unveil a line of cloud-based EPM (enterprise performance management) applications that run on top of its HANA in-memory database platform.
Epicor is ready to make a bigger play in cloud-based ERP software, with its offering now available to midsized manufacturers, the company announced Monday.
The Android version of mobile messaging application WhatsApp uses the host device's unique ID to identify the user. This can be prone to misuse.


HDFC Bank's ISO 27004 compliant security metrics a boost toward GRC
TechTarget IN
When HDFC Bank's infosec initiative reached critical mass in early 2010, CISO Vishal Salvi felt the time had come for finding a way to measure the effectiveness of the program for security to function effectively and optimally. To this end, the bank ...

We only expect two bulletins from Microsoft tomorrow [1]. Both bulletins are rated important. The first one affects Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, and the second one affects Microsoft Systems Management Server 2003 Service Pack 3 as well as Microsoft System Center Configuration Manager 2007 Service Pack 2.
While these are popular software packages, they are far less popular than some of the usual suspects (Office, Windows, Internet Explorer). In part, the low number of bulletins appears to be intentional, to not distract from the more complex issue which will affect Windows users starting with the October update set: Windows will no longer allow SSL certificates with RSA keys that are less than 1024 bits in length. The update is already available to allow for testing, but in October, it will be pushed as a patch.
The reason Microsoft is so careful with this update is that it will not just affect certificates issued by Microsoft and other well-known certificate authorities, but it will also affect internal certificates. For example, if you are using an internal certificate authority and created certificates with insufficient key sizes to sign e-mail messages via S/MIME, these certificates will no longer work after you apply the update [3].
As a first step, you should install the patch on a test system and watch for any problems. You should also carefully inventory your certificates, in particular if you are using non-standard (internal) certificate authorities. As you are recreating new certificates, DO NOT create 1024 bit RSA keys. Windows will still accept them, but 1024 bits is an absolute minimum size, and not necessarily sufficient. 2048 or 4096 bits is the size you should try to use.
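The certificate inventory the diary recommends can be scripted. The following PowerShell is an added example, not code from the ISC diary or from Microsoft: it walks the LocalMachine and CurrentUser certificate stores through the Cert: provider, records the public-key algorithm and RSA key length of every certificate, and lists those below a threshold. The threshold parameter name ($MinBits) and its default of 2048 are this example's own choices, following the diary's advice that 1024 is only the absolute minimum; the CSV output path is also an assumption.

```powershell
# Added example (not from the ISC diary): inventory the local certificate stores
# and flag RSA certificates whose key length falls below the chosen threshold.
# Assumes Windows PowerShell 3.0+ with the Cert: provider.
param(
    [int]$MinBits = 2048   # assumed default; anything below this is listed for reissue
)

$stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser')

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            $alg  = $cert.PublicKey.Oid.FriendlyName
            $bits = $null
            if ($alg -eq 'RSA') {
                # PublicKey.Key is the .NET AsymmetricAlgorithm; KeySize is the modulus length in bits
                try { $bits = $cert.PublicKey.Key.KeySize } catch { $bits = $null }
            }
            [pscustomobject]@{
                Store      = $cert.PSParentPath -replace '^.*::', ''
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Algorithm  = $alg
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                # Keys under 1024 bits will be rejected outright once the update is applied;
                # keys under $MinBits are weak enough that they should be reissued now.
                Weak       = ($alg -eq 'RSA' -and $bits -ne $null -and $bits -lt $MinBits)
            }
        }
}

# Show the certificates that need attention, smallest keys first
$report | Where-Object Weak | Sort-Object KeyBits |
    Format-Table Store, Subject, Issuer, KeyBits, NotAfter -AutoSize

# Keep the full inventory for the records (assumed output path)
$report | Export-Csv -Path .\cert-inventory.csv -NoTypeInformation
```

Run it on the test system first, then on each machine that holds certificates from an internal CA; the Issuer column makes it easy to separate internal certificates from those issued by public CAs, which is where the diary expects most of the surprises.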




Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Hewlett-Packard has added four new all-in-one PCs with Windows 8 to its portfolio, including the HP SpectreONE, which lets users control Microsoft's new OS with a wireless trackpad instead of touching the screen directly.
Microsoft last week began providing European consumers a "browser ballot screen" for Windows 8, a move that may be just the first of several steps the company will take to head off a new antitrust investigation.
Hewlett-Packard has found new leadership for its Autonomy information management software division in the form of Microsoft executive Robert Youngjohns, HP announced Friday.
Microsoft has not yet updated the Flash Player that is integrated into Internet Explorer under Windows 8. As a consequence, those who use the new operating system continue to be exposed to risks that Adobe has already eliminated.

Xen CVE-2012-4411 Local Security Bypass Vulnerability

Comment: The Death of the CISO?
Infosecurity Magazine
Chief information security officers (CISOs) are increasingly adding risk management to their ever expanding portfolio of responsibilities, according to a new report by infosec social networking site Wisegate. The evolving role of the CISO – new study ...

Today's re-engineering is all about quickly and continually refining and enhancing the hundreds of end-to-end steps involved in developing new products, acquiring and retaining customers and making money. More often than not, it's now starting with IT.
From choosing a mobile app platform to deciding if your back-end cloud is up to the task, here are some factors to consider. Insider (registration required)
IBM's latest mainframe, the zEnterprise EC12, was built with data analytics and hybrid clouds in mind -- and analysts say that's a good thing.
Thanks to advances in computing power and storm-surge modeling systems, Louisiana officials bracing for Hurricane Isaac had more detailed data about the storm's potential impact than they had when they were girding for Katrina seven years ago.
The FAA is reassessing its rules about the use of portable electronic devices on airplanes.
The outcome of next year's America's Cup yachting competition could come down to which boat has the fastest computer.
Windows 8's learning curve isn't as steep as some have claimed, according to PC Helps, an enterprise IT training company.
As IT becomes inexorably woven into everything a business does, it's crucial to have a CIO who acts as a translator between the two worlds. A nontechie just might be the right person for the job. Insider (registration required)
When nearly 69,000 fans crowd into Gillette Stadium for the New England Patriots NFL season opener on Sept. 16, a new multimillion-dollar, high-density, bowlwide Wi-Fi network will be fired up for its first public use.
CEO Meg Whitman insists that HP is in the 'early stages of a turnaround' despite its dismal third-quarter results.
A controversial patch for the open source Apache HTTP daemon ignores the do-not-track header sent by Microsoft's Internet Explorer 10 because, the developers say, IE deliberately ignores the open standard.

Oracle VM VirtualBox Local Denial of Service Vulnerability
The company best known for its free service which scans file samples for malicious content with over forty virus scanners has been acquired by Google.

Xen 'XENMEM_populate_physmap' CVE-2012-3496 Denial of Service Vulnerability

Posted by InfoSec News on Sep 10


By Timothy B. Lee
Ars Technica
Sept 7, 2012

A federal judge in Illinois has ruled that intercepting traffic on
unencrypted WiFi networks is not wiretapping. The decision runs counter
to a 2011 decision that suggested Google may have violated the law when
its Street View cars intercepted fragments of traffic from open WiFi
networks around...

Posted by InfoSec News on Sep 10


By Patrick Ouellette
EHR Intelligence
September 6, 2012

Back in August, there was a bring your own device (BYOD) survey done by
Coalfire Labs that revealed some strong reasons for healthcare CIOs not
to allow BYOD in their practices without having everyone on board with a
security plan.

While this survey wasn’t limited to just healthcare professionals,...

Posted by InfoSec News on Sep 10


By Kim Zetter
Threat Level

It’s been more than two years since Google broke corporate protocol by
revealing that it had been the victim of a persistent and sophisticated
hack, traced to intruders in China that the company all but said were
working for the government.

And it turns out the hacker gang that hit the search giant hasn’t been
resting on...

Posted by InfoSec News on Sep 10


By Jake Davis
The Observer
8 September 2012

The last time I was allowed to access the internet was several moments
before the police came through my door in the Shetland Isles, over a
year ago. During the past 12 months I have pleaded guilty to computer
misuse under the banners of "Internet Feds", "Anonymous" and "LulzSec".

Posted by InfoSec News on Sep 10


By Gregg Keizer
September 7, 2012

An elite hacker group targeting defense industry sub-contractors has an
inexhaustible supply of zero-days, or vulnerabilities that have yet to
be publicized, much less patched, Symantec said today.

In a blog post, the security firm said, "The group seemingly has an
unlimited supply of...