InfoSec News

SuccessFactors is alleging that rival human-resources-software vendor Halogen Software concocted a fraudulent and covert scheme in order to obtain competitive information from it, according to a lawsuit filed in U.S. District Court for the Northern District of California.
A U.S. lawmaker introduces a bill to create an online do-not-track tool for all U.S. Internet users.
The deal between Nokia and Microsoft hurts Intel's plans to enter the market for smartphones, in which the company has virtually no presence, analysts said on Friday.
Computerworld teams up with the IDG News Service and our sister publications to bring you comprehensive coverage of the big international mobile event.
As Egypt's embattled President Hosni Mubarak gave up power Friday, analysts and some of the Egyptian protestors said he'd still be in charge if not for the power of social networking.
Symantec researchers today said that the notorious Stuxnet worm targeted five separate organizations -- all with a presence in Iran -- and that attacks began in June 2009, more than a year before experts raised the alarm.
Adobe Shockwave Player 'dirapi.dll' Module Input Validation Remote Code Execution Vulnerability
Adobe Shockwave Player CVE-2010-4093 Memory Corruption Remote Code Execution Vulnerability
Adobe Shockwave Player 'TextXtra' Module Input Validation Remote Code Execution Vulnerability
Adobe Shockwave Player 3D Assets Module Input Validation Remote Code Execution Vulnerability
During a recent trip to Germany, Dean Hachamovitch, Microsoft corporate vice president responsible for the development of Internet Explorer, discussed the difference between expected and creepy tracking, Tracking Protection in IE9, market share and how hard it is to get rid of Internet Explorer 6.
Consumer interest in tablets is behind a surge in NAND flash memory use that is expected to increase almost five-fold this year alone, according to a report by IHS iSuppli.
Linux Kernel GFS2 File Attribute Security Bypass Vulnerability
Linux Kernel 'tipc' Module Local Denial of Service Vulnerability
Adobe Flash Player CVE-2011-0575 DLL Loading Arbitrary Code Execution Vulnerability
Linux Kernel NFS Automount 'symlinks' Denial of Service Vulnerability
Microsoft yesterday accused a former manager of taking hundreds of megabytes of confidential company material when he left the firm for a new position at CRM rival
OpenSSL 'dtls1_retrieve_buffered_fragment()' Remote Denial of Service Vulnerability
OpenSSL 'ssl3_get_record()' Remote Denial of Service Vulnerability
Apache Tomcat Windows Installer Insecure Password Vulnerability
Chinese hackers who were "incredibly sloppy" still managed to steal gigabytes of data from Western energy companies, a McAfee executive said today.
Oracle Java SE and Java for Business CVE-2010-0088 Remote Java Runtime Environment Vulnerability
Oracle Java SE and Java for Business CVE-2010-0085 Remote Java Runtime Environment Vulnerability
Oracle Java SE and Java for Business CVE-2010-0090 Remote Java Web Start Vulnerability
Oracle Java SE and Java for Business CVE-2010-0089 Remote Java Web Start Vulnerability
Developers who had built a business coding apps for Symbian smartphones were put on notice Friday that they should pick another platform, as Nokia announced its switch to Microsoft's Windows Phone 7. Other platforms will be maneuvering to win them over.
The broad strategic partnership announced Friday between Nokia and Microsoft in which the Windows Phone OS would run on Nokia smartphones sounds like good news for both companies because of their struggles in the smartphone market.
Technically, Nokia's E7 smartphone is a better option for enterprises than Windows Phone 7 phones, according to market researcher Gartner. But Nokia's announcement Friday that it will adopt Microsoft's Windows Phone as its primary smartphone OS means users have to prepare to switch OSes.
Want to save an image of what's on your computer screen? That's called a screenshot, and savvy users know that one tap of the Prt Scr key will copy the entire screen to the clipboard, where you can then paste it into the image editor of choice. (Even savvier users press Alt-Prt Scr to capture just the active window.)
Gibbs doesn't believe self-styled social media experts are.
Asustek Computer's revenue for 2010 grew 29% over the previous year, largely on the strength of traditional laptop computer sales, the world's sixth-largest PC maker said on Friday.
Samsung Electronics on Friday announced Exynos, a new brand name for its processors used in mobile phones, tablets and other mobile devices.
Attorneys for WikiLeaks founder Julian Assange put forth their final arguments before a British judge on Friday, seeking to block an extradition request from Sweden to question him on sexual assault allegations.
France Télécom and Deutsche Telekom plan to collaborate on the technology they use to build and operate their telecommunications services.
Feb. 11, 2011: AOL buys HuffPo, HP gives tablets a go
The head of Cisco Systems' consumer products business is leaving the company less than two years after he arrived with the acquisition of Flip camcorder maker Pure Digital Technologies.
Nokia will adopt Microsoft's Windows Phone as its primary smartphone strategy, the company said on Friday, after days of speculation on what it would do to compete with Apple's iPhone and Google's Android.
Offshore IT service providers continue to rank among the largest employers of H-1B visa workers, according to U.S. data.
One couple, two nerds -- a recipe for disaster or love, sweet love? Self-proclaimed geeky couples share their secrets.
Visa has excluded U.S. businesses from a worldwide program that incents merchants to deploy more secure payment terminals, because of what it claims is the uncertainty surrounding new debit card rules.

Posted by InfoSec News on Feb 11

By Jaikumar Vijayan
February 10, 2011

A broad spectrum of IT people, including those close to security
functions, appear to have little awareness of key security issues
impacting their organizations, a new survey shows.

The survey, which polled 430 members of the Oracle Application Users
Group (OAUG) conducted by Unisphere Research and...

Posted by InfoSec News on Feb 11

By John Leyden
The Register
10th February 2011

Computer scientists have discovered that password re-use is far more
prevalent than previously thought after comparing a sample of matched
passwords that spilled out as a result of the revenge attack by
Anonymous against security researchers HBGary with the earlier Gawker
password breach sample set.

Hackers affiliated with...

Posted by InfoSec News on Feb 11

By Kevin Casey
February 10, 2011

IT pros at small and midsize businesses (SMBs) spend 127 hours every
month managing their on-premises security infrastructure, according to a
new survey released by Webroot.

That equates roughly to 16 eight-hour workdays devoted to tasks such as
updating software and hardware, reimaging infected machines,...

Posted by InfoSec News on Feb 11

By Andy Greenberg
The Firewall
Feb. 10 2011

Cellphones may be helping to connect and organize the pro-democracy
protesters massing in the streets of Cairo and Alexandria. But they’re
also offering a new method for authoritarians to track those protesters
and monitor their communications.

So one company, Whisper Systems, is...

Posted by InfoSec News on Feb 11


The Secunia Weekly Advisory Summary
2011-02-03 - 2011-02-10

This week: 81 advisories

Table of Contents:

1.....................................................Word From...

Posted by InfoSec News on Feb 11

By Daily Mail Reporter
10th February 2011

America's top intelligence chief warned Congress today that the cyber
warfare facing the U.S. is increasing in scope and scale.

James Clapper said its impact was difficult to 'overstate' as he
outlined the threat posed by al-Qaeda and its splinter groups and the
proliferation of...

Posted by InfoSec News on Feb 11

Forwarded from: "M. Carmen Fernandez Gago" <mcgago (at)>

Call for Papers

7th International Workshop on SECURITY and TRUST MANAGEMENT (STM'11)
Copenhagen, Denmark
27-28 June 2011

in conjunction with IFIPTM 2011

STM (Security and Trust Management) is a working group of ERCIM
(European Research Consortium in Informatics and Mathematics). STM'11 is
the seventh workshop in this series and...
Nokia will adopt Microsoft's Windows Phone 7 as its primary smartphone OS, and partner with Microsoft in areas including mobile mapping, advertising and app development, the companies announced Friday.
Sun Java Runtime Environment XML Parsing Denial of Service Vulnerability

Google announced earlier that they are now offering two-factor authentication to all of their users. More information is available at the Google Blog. This is an extension to the service offered to their Apps customers last month. While normally I would think that advertising a service wouldn't fit in this diary, this is a little more than the regular new feature. In my opinion, it's a big change in how people think about two-factor authentication.

We have known for years that passwords are one of the weakest points in our security controls. Users pick weak ones or share them with anyone who asks nicely. Even security consulting firms will fall for simple social engineering attacks and reveal them. One answer that has been proposed often, but shot down almost as often, is two-factor authentication. Clients often tell me that the cost is too high to roll out a solution, which I have always felt was the wrong answer. Of course, I am the paranoid security nerd. When this happens, I propose one of two solutions that try to help lower the cost.

The first is where the site or organization passes on the cost to the user. Blizzard does this for their accounts. If the user feels that they should use two-factor authentication, they can either pay for a fob (the token generator) or install a smart-phone application. Of course I always laugh that my virtual gold in my World of Warcraft account is safer than my real gold in my bank account.

The second route is the one Google has chosen. When a user activates the system, their log-on process has an extra step. After entering their password, they receive a phone call or an SMS that carries the token. They enter this into the form and, if it's correct, they gain access to their account. This lowers the cost of deployment because it removes the need for a fob to be sent to every user.
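The log-on step described above, written out as an added example rather than code from Google or from the diary: a minimal server-side implementation in Python of the "password first, then the code we sent you" flow. The user store, the phone number, the salt and the SMS-gateway stand-in are constructed for the example; the five-minute validity window and the three-attempt limit are assumed policy values, not anything the diary states.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a delivered code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses lock the challenge


def _pbkdf2(password, salt):
    """Password hashing for the first factor (PBKDF2-HMAC-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> salt, password hash and the phone the code goes to.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "hash": _pbkdf2("correct horse", _SALT),
        "phone": "+1-555-0100",   # constructed, not a real number
    },
}

# Stand-in for the SMS / phone-call gateway: records what would have been delivered.
SENT_MESSAGES = []


def send_code(phone, code):
    SENT_MESSAGES.append((phone, code))


class SecondFactorChallenge:
    """One outstanding 'enter the code we sent you' step for a single log-on."""

    def __init__(self, username, now=None):
        self.username = username
        self.created = time.time() if now is None else now
        # secrets, not random: the code must stay unpredictable to someone who
        # already holds the password, which is the whole point of the second factor.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.attempts = 0
        self.used = False

    def verify(self, submitted, now=None):
        """Return (accepted, reason). A code is single-use, short-lived and attempt-limited."""
        now = time.time() if now is None else now
        if self.used:
            return False, "already used"
        if now - self.created > CODE_TTL_SECONDS:
            return False, "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        self.attempts += 1
        # Constant-time comparison so response timing does not reveal matching digits.
        if hmac.compare_digest(self.code, str(submitted).strip()):
            self.used = True
            return True, "ok"
        return False, "wrong code"


def check_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _pbkdf2(password, user["salt"]))


def begin_login(username, password, now=None):
    """Step one: the password. On success, issue a challenge and deliver its code."""
    if not check_password(username, password):
        return None
    challenge = SecondFactorChallenge(username, now)
    send_code(USERS[username]["phone"], challenge.code)
    return challenge


if __name__ == "__main__":
    challenge = begin_login("alice", "correct horse")
    delivered_code = SENT_MESSAGES[-1][1]          # what the user reads off the phone
    print(challenge.verify(delivered_code))        # the user types it into the form
    print(challenge.verify(delivered_code))        # replaying the same code is refused
```

The part the paragraph does not spell out is what makes the delivered code a real second factor: it has to be unpredictable, expire quickly, work exactly once, and tolerate only a handful of guesses, otherwise a six-digit code is brute-forced in seconds. The code never goes back to the user in any response; only the gateway stand-in sees it.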

So the questions are pretty simple. First, how do you think two-factor authentication should be implemented and how do you deal with the cost?-)

Kevin Johnson

Secure Ideas
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
