Hackin9

InfoSec News

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Application Security is a Stack
SYS-CON Media (press release) (blog)
#infosec #web #devops There's the stuff you develop, and the stuff you don't. Both have to be secured. l7stack. On December 22, 1944 the German General von Lüttwitz sent an ultimatum to Gen. McAuliffe, whose forces (the Screaming Eagles, in case you ...

 
A planned network of regional patent offices and the effects of new legislation are expected to slow the recent proliferation of patent lawsuits between big-name tech companies, Rebecca Blank, U.S. acting secretary of commerce, said on Wednesday.
 
A hacked Colombian Transport website has been rigged to deliver a malware payload that is able to target Mac OS, Windows and even Linux systems, according to a report from F-Secure.
 
The changes Twitter is making to its API policies triggered a wave of protest among its developers, but they might be necessary for the strategy Twitter has laid out for itself to make money and keep growing its service.
 
Microsoft Windows CVE-2012-1890 Local Privilege Escalation Vulnerability
 
Linux Kernel IPv6 'nf_ct_frag6_reasm()' Remote Denial of Service Vulnerability
 
Linux Kernel Key Management CVE-2012-2745 Denial of Service Vulnerability
 
Tablets and smartphones continued to eat away at worldwide PC shipments, which remained flat during the second quarter, according to research released by Gartner on Wednesday.
 
All those years of playing Centipede in the video arcades of my youth, and I never knew that I was helping garden gnomes do battle against an onslaught of bugs. But that's the backstory introduced in Centipede: Origins, a re-imagining of the Atari arcade classic for the iOS era.
 
Although Lennox, the dog at the center of a global animal rights battle, was put to death on Wednesday, social networks proved to be a massive weapon for protestors.
 
(Image Caption: Stay.com offers guides to 120 cities, but its list view emphasizes your particular destinations.) If it's summertime, it's vacation time. And these days, iOS users have little excuse for getting lost, or not knowing what their options are when they hit town. Among the tools for having that information at one's fingertips is Stay.com which on Wednesday officially launched the latest version of its iPhone app.
 
This week is the annual SANSFire Conference in Washington DC. SANSFire is a SANS conference event like no other in that it is hosted and powered by the Internet Storm Center. All week the Internet Storm Center Handlers are providing insight and talks on all manner of security topics. If you, like me, were unable to attend in-person, most Handlers will be posting summaries of their presentations as diaries at the ISC.

I think this would also be a good time to point you to a number of other excellent security resources that are part of the SANS family.

Besides the Handler diaries hosted at the ISC, there are a number of other blogs hosted by SANS:

Digital Forensics Blog - http://computer-forensics.sans.org/blog
Penetration Testing and Ethical Hacking Blog - http://pen-testing.sans.org/blog
Software Security Blog - http://software-security.sans.org/blog
IT Audit Blog - http://it-audit.sans.org/blog
Cloud Security Blog - http://www.sans.org/cloud


Some other SANS-related sites, although not blogs, also host some excellent free security resources:

The SANS/GIAC Reading Room - http://www.sans.org/reading_room/
Securing the Human - http://www.securingthehuman.org/
STI and Faculty Research - http://www.sans.edu/research/

Hopefully some of these can be of use to you in your continuing security education.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
VMware plans to make a beta version of an upgrade to its Zimbra Collaboration Server available for download on Wednesday, with shipments in final form scheduled for later this quarter, the company said.
 
Here's how to use an HDMI cable to connect your Windows laptop to an HDTV so you can watch anything you can view on your laptop on your big HD screen. We'll also show you how to control your HD TV from your PC.
 
plow '.plowrc' File Buffer Overflow Vulnerability
 
Rhythmbox 'context' Plugin Insecure Temporary File Creation Vulnerability
 
ESA-2012-027: EMC Celerra/VNX/VNXe Improper Access Control Vulnerability
 
Our manager seeks a way to protect information on a network whose perimeter is blurring in the age of SaaS.
 
Security researchers from antivirus vendor Symantec identified two malware apps on Google Play that used a multistage payload delivery system in order to remain undetected.
 
Apple's new OS X, dubbed Mountain Lion, will exclude some older Macs that can run 2011's Lion, the company's website said.
 
The global market for business analytics software grew roughly 14% in 2011, fueled by pervasive hype about "big data" as well as new technological innovations, according to a report by analyst firm IDC.
 
Google will pull the plug for Chrome running on OS X 10.5, aka Leopard, after it releases version 21, which is currently in beta and will reach the browser's "stable" channel sometime next month, the company has announced.
 
Google this week pushed out a Google+ app for the Apple iPad.
 
WD today announced new consumer-class collaboration tools designed to work with its personal cloud products as well as an integrated backup tool to Dropbox.
 
Google's Nexus 7 tablet can now be ordered on more retail websites worldwide, but so far the less expensive US$199 model remains exclusive to Google's Play online store, according to current listings.
 
OpenJPEG Heap Based Buffer Overflow Vulnerability
 
OpenJPEG Gray16 TIFF Image File Memory Corruption Vulnerability
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Manager
 

Last month’s Amazon Web Services cloud outage sparked a lot of online discussion and debate over the viability of cloud services. According to published reports, an online dating company ditched AWS after massive storms caused power outages and knocked out service in one of Amazon’s U.S. East-1 Availability Zones June 29.

But Netflix – one of Amazon’s biggest cloud customers – said it remains “bullish on the cloud” despite the AWS outage. In a blog post Friday, Greg Orzell, software architect at Netflix and Ariel Tseitlin, director of cloud solutions at the company, wrote a post mortem of the outage, which they said was one of the most significant Netflix had experienced in over a year. The outage showed up things that both AWS and Netflix could do better, they wrote.

“Our own root-cause analysis uncovered some interesting findings, including an edge-case in our internal mid-tier load-balancing service,” they wrote. “This caused unhealthy instances to fail to deregister from the load balancer which black-holed a large amount of traffic into the unavailable zone. In addition, the network calls to the instances in the unavailable zone were hanging, rather than returning no route to host.”

Netflix is working to improve its resiliency and is working closely with Amazon on ways to improve the cloud provider’s systems, “focusing our efforts on eliminating single points of failure that can cause region-wide outage and isolating the failures of individual zones,” Orzell and Tseitlin wrote.

“While it’s easy and common to blame the cloud for outages because it’s outside of our control, we found that our overall availability over the past several years has steadily improved,” they wrote. “When we dig into the root causes of our biggest outages, we find that we can typically put in resiliency patterns to mitigate service disruption.”

Last summer, I attended a session at the Gartner Catalyst Conference 2011, on planning for resiliency in the cloud. Richard Jones, a managing vice president at Gartner, said the public cloud is a utility and utilities fail, making it critical that customers prepare for downtime. Enterprises often assume cloud services are reliable but they need to take responsibility for uptime, he said.

Seemed like sound advice to me. Other companies may want to look to Netflix for cues on planning for cloud resiliency.

 
Motorola Mobility and Microsoft have agreed to suspend their patent claims against each other in three U.S. cases until a November trial on Microsoft claims that Motorola has not lived up to promises to license some video and Wi-Fi patents on reasonable and non-discriminatory (RAND) terms.
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Immersive Endpoint Devices
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server
 
Microsoft has revoked more than two dozen digital certificates used to validate the authenticity of its software.
 
The National Institute of Standards and Technology (NIST) has released a guide to help improve the design of electronic health records for pediatric patients so that the design focus is on the users: the doctors, nurses and other ...
 
Facebook launched a feature that allows users to lock down their Facebook accounts and perform malware scans if they suspect that their computers might be infected.
 
Many enterprises use AirWatch systems to manage mobile devices on an individual, group and company level all at once. From configuration to monitoring to support, here are seven reasons why AirWatch ranks among the MDM leaders.
 
Multiple Cross-Site Scripting (XSS) in Kajona
 
The National Institute of Standards and Technology (NIST) has released a proposed update to its guidelines for securing mobile devices, such as smart phones and tablets, that are used by the federal government. NIST is asking for ...
 
Re: CitrusDB 2.4.1 - LFI/SQLi Vulnerability
 
Next-generation 'smart' electrical meters for residential and commercial buildings will have computerized operating systems just as laptops or mobile devices do. On July 10, 2012, the National Institute of Standards and Technology (NIST) ...
 
The National Institute of Standards and Technology (NIST) has released the second-round draft version of its updated security standard for identity credentials in the Personal Identity Verification cards (PIV cards) that all federal ...
 
Linux Kernel 'i915_gem_execbuffer.c' Multiple Integer Overflow Vulnerabilities
 
VMware plans to make a beta version of an upgrade to its Zimbra Collaboration Server available for download on Wednesday, with shipments in final form scheduled for later this quarter, the company said.
 
Weeks before the Republican and Democratic national conventions that will anoint each party's nominee for president, special equipment to boost cellular signals in each party's venues is already nearly installed.
 
WordPress WP-Predict Plugin 'index.php' Script Multiple SQL Injection Vulnerabilities
 
JBoss 'mod_cluster' CVE-2012-1154 Security Bypass Vulnerability
 
Business analysts, whether assigned to IT or embedded elsewhere in the organization, are in high demand. Here's how to manage the analyst relationship to your mutual advantage.
 
Just two weeks before researchers are to disclose bugs in Windows "gadgets" at Black Hat, Microsoft acknowledged unspecified security vulnerabilities in the small pieces of software supported by Vista and Windows 7.
 
OpenLDAP LDAP Search Request Remote Denial of Service Vulnerability
 

Posted by InfoSec News on Jul 11

http://www.guardian.co.uk/technology/2012/jul/10/us-master-hackers-al-qaida

By Rory Carroll in Monterey
guardian.co.uk
10 July 2012

Instead of prosecuting elite computer hackers, the US government should
recruit them to launch cyber-attacks against Islamist terrorists and
other foes, according to a leading military thinker and government
adviser.

The brilliance of hacking experts could be put to use on behalf of the
US in the same way as...
 
RETIRED: Microsoft July 2012 Advance Notification Multiple Vulnerabilities
 

In-depth security news and investigation
Krebs on Security
I was thinking about this question a lot, and what occurred to me is that I don't know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn't go to college to be infosec pros, it just kind of happened.

 

Posted by InfoSec News on Jul 11

http://news.cnet.com/8301-1023_3-57469950-93/obama-signs-order-outlining-emergency-internet-control/

By Dara Kerr
CNET News
July 10, 2012

President Barack Obama signed an executive order last week that could
give the U.S. government control over the Internet.

With the wordy title "Assignment of National Security and Emergency
Preparedness Communications Functions," this order was designed to
empower certain governmental agencies...
 

Posted by InfoSec News on Jul 11

http://blogs.csoonline.com/security-leadership/2252/black-hat-defcon-and-b-sides-survival-guide-2012

By Bill Brenner
Salted Hash
CSO.com
July 10, 2012

In two weeks a lot of us will head to Las Vegas for Black Hat, DefCon or
BSidesLV. Having been to many Black Hat and B-Sides events, along with
countless other events in the last eight years, I've learned plenty
about how to get the most from the experience. And so, for the
first-time...
 

Posted by InfoSec News on Jul 11

http://www.wired.com/threatlevel/2012/07/keyless-bmw-gone/

By Kim Zetter
Threat Level
Wired.com
July 10, 2012

You've recently spent $64,000 on your flash new BMW with keyless entry.
But when you wake up one morning, you discover, in a different kind of
flash, that it's gone, stolen by hacker thieves who used the car’s
keyless feature to pinch your luxury ride.

This is the reality for a growing number of BMW owners in the United...
 

Posted by InfoSec News on Jul 11

http://www.nextgov.com/cybersecurity/2012/07/threats-lurk-among-pentagons-sprawling-computer-networks/56700/

By Aliya Sternstein
Nextgov
July 10, 2012

The Pentagon’s thousands of networks are indefensible against
cyberattacks but no one there can keep track of all the vulnerabilities.
The military aims to change that within five years.

To say the Defense Department’s information technology departments are
disjointed is an...
 