InfoSec News

The PC giant plans to further boost its security portfolio in the future and remains committed to securing iOS and Android phones.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple announced a new update for iTunes today. Per APPLE-SA-2012-06-11-1, this update addresses a problem when importing a maliciously crafted m3u playlist within iTunes and a problem within WebKit when visiting a maliciously crafted website.
The bulletin is available at http://support.apple.com/kb/HT5318.
Scott Fendley, ISC Handler
Cisco Systems will get on board with Fusion-IO's flash storage modules later this year, becoming the latest server maker to offer the technology that is already available in servers from IBM, Dell and Hewlett-Packard.
A module found inside the original Stuxnet code base included the Flame malware toolkit.

Apple said today that it would ship OS X 10.8, or Mountain Lion, next month, for $19.99, a 33% price cut from last year's upgrade to Lion.
With Windows 8 in its final phase of development, Microsoft is encouraging commercial and in-house enterprise developers to start building Metro-style applications for Microsoft's new operating system for desktops, laptops and tablets.
Apple's next-generation iOS will allow FaceTime video chats over cellular connections, but analysts question whether 3G networks offer enough bandwidth for quality chats and say 4G network use could be pricey.
Security researchers have released details about a vulnerability in the MySQL server that could allow potential attackers to access MySQL databases without inputting proper authentication credentials.
Touch was the hot trend at last week's Computex trade show in Taipei, with computer makers showing off tablets and ultrabook-tablet hybrids with detachable or folding touchscreens. The devices ran either Windows 8 (for Intel processors) or Windows RT (for ARM processors), OSes due for release later this year that are designed for touch interfaces. Prices were not immediately available on most tablet or hybrid models, leaving questions about whether touch devices will be priced at a premium. For example, Dell has already said that it would price touchscreen devices higher compared to the non-touch counterparts.
The announcement by Apple that it is selling a flash-only MacBook, combined with native iCloud support, will likely lead to a drop in SSD prices and move other laptop manufacturers in a similar direction.
Apple CEO Tim Cook and a trio of top executives today outlined the new iOS 6, talked up this year's Mountain Lion upgrade for OS X and unveiled a new MacBook Pro laptop with a high-resolution "Retina" display.
NASA scientists are taking a risk, aiming to land its super Martian rover closer to its ultimate destination but near a hazardous mountain slope.
The GSA says cloud providers are lining up for FedRAMP certification, and its continuous cloud monitoring guidelines are a few weeks away.

Microsoft kicked off its TechEd North America conference with a wide-ranging keynote session that was short on "wow" news but heavy on positioning for Windows Server 2012, Windows Azure and server-side products as key components of what the company is calling "the era of the cloud OS."
Oracle and SAP will have to wait a bit longer to retry their corporate-theft lawsuit, according to a filing made Friday in U.S. District Court for the Northern District of California.
Google has struck a deal with two French organizations representing authors and book publishers, ending years of litigation over its unauthorized scanning of their books.
Coverity, a company that offers security testing tools for software developers, is extending its expertise to the world of Web application development.
Computerworld tweets will keep you updated on the latest from WWDC as Apple CEO Tim Cook and other executives unveil the company's plans for iOS 6, OS X Mountain Lion and, presumably, new hardware.
Security researchers today said that they have found a direct link between the notorious Stuxnet worm and the more-recently-discovered Flame espionage malware, indicating that the two teams cooperated and collaborated.
Fueled by an increasing number of tablet computers, the number of users of adult video content on tablets is expected to triple by 2015, Juniper Research said Monday.

Blaming the #Flame
CSO (blog)
One of my Twitter connections, a Brazilian infosec practitioner who goes by the handle @anchisesbr, is full of them this morning. #flame stole LinkedIn passwords (and #flame has a module to decrypt them!) #flamefacts -- @anchisesbr When Flame first ...

Poster: 20 Critical Security Controls for Effective Cyber Defense
CSO (blog)
Though I approach infosec from the journalistic side and not the far more technical trenches of an IT security shop, I'm still finding it to be quite useful. TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT ...

The Team Foundation Service, which had been invitation-only, is now open to anyone, but it is still in preview mode.
The first quad-core smartphone from LG Electronics, the Optimus 4X HD, is now available for purchase in Europe, the company said on Monday.
One of the important features of last week's Microsoft certificate patch was that the bad certificate was apparently used to subvert the Windows Update process. The complex Windows Update architecture represents a huge target to any attacker, and it has held up quite well so far. I do not expect any issues related to the lost certificate this week. However, this would be the last chance for the attacker to use these certificates, and it is a good opportunity to talk about patch security on the day before Black Tuesday.
I do recommend that you apply the certificate patch released a week ago today if you haven't done so already. This way, no patch signed by the bad certificate should be accepted tomorrow. Patch Tuesday is one of the best dates to launch such an attack, as you expect patches anyway. Don't forget the WSUS patch: http://support.microsoft.com/kb/2720211
A couple of rules to harden your patch process:

Avoid patches while on the road. Apply them in your home or work network whenever possible. This doesn't eliminate the chance of a Man in the Middle (MitM) attack, but it reduces the likelihood. If you are on the road for extended periods of time, use a VPN connection. In particular, hotel networks and public hotspots frequently use badly configured HTTP proxies that can be compromised, and many users have come to expect bad SSL certificates in these environments (because of ongoing MitM attacks... ironic, but sadly true).
Always validate patches. For Microsoft, this means using Microsoft Update, which validates the digital signature applied to each patch. The bad certificate broke this process, but it is still a very difficult hurdle for an attacker to overcome.
Do not accept patches from unknown sources. This includes CDs/DVDs you receive unsolicited, and of course the famous USB stick you found in the parking lot. For Windows, only use Windows Update.
Patch Tuesday is also an opportunity to verify that other software you own is patched. Secunia PSI does a good job with that for home users; Mac users have MacUpdate (for a small annual fee). Qualys provides browsercheck.qualys.com, which works great in particular for home users and less experienced users.
If you run your own WSUS server, make sure it is hardened and uses appropriate SSL certificates.

Any other measures you apply to ensure the integrity of your patch process? Post a comment! In general, I usually advise people not to emphasize speed too much when it comes to patching. Instead, make sure you have a well-tuned, reliable and repeatable process. The biggest problems, in my opinion (aside from organizations that don't patch at all), are patches that never got applied because nobody verified that they were actually applied, and patches that break systems because they weren't tested sufficiently.
A patch is not applied until you have verified that it got applied. Follow vendor guidance to check whether the patch was applied and, if appropriate, confirm it with a vulnerability scan.
Also see: http://support.microsoft.com/kb/2720211


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Thanks to Jack for pointing this one out to us. I somehow missed this vulnerability this weekend.
MySQL fixed an authentication bypass vulnerability last week that is trivially exploitable [1]. The effect is that a user has a 1/256 chance of being granted access to MySQL even if the password is wrong. In short: brute forcing will succeed pretty quickly even with the wrong password.
The vulnerability does, however, depend on how your instance of MySQL was compiled. Chances are that you are not vulnerable, but just in case, there is a patch available, and it shouldn't be too hard to test. Write a script that attempts the same password many times, and see if you get logged in after a while.
As an additional hardening measure, you may want to consider limiting access by IP address.
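The brute-force pattern described above is also easy to spot on the server side. This added example (not from the ISC diary) scans constructed MySQL error-log lines, in the 5.5-style "Access denied for user" format, for sources that pile up enough failed logins in a short window to exhaust the 1/256 odds; the log format, thresholds and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# "Access denied" warning as written by MySQL 5.5 to its error log (format assumed).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(lines):
    """Yield (timestamp, user, host) for every Access denied line; skip the rest."""
    for line in lines:
        m = ACCESS_DENIED.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")


def find_bursts(lines, threshold=100, window_seconds=60):
    """Return {(user, host): total denials} for every source whose failed logins
    reach `threshold` inside some `window_seconds`-long sliding window."""
    per_source = defaultdict(list)
    for ts, user, host in parse_denials(lines):
        per_source[(user, host)].append(ts)
    bursts = {}
    for key, stamps in per_source.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = len(stamps)
                break
    return bursts


# Constructed sample: 300 failures for root in 30 s from one host (the bypass needs
# ~256 tries on average), two stray typos from another host, and an unrelated note.
SAMPLE_LOG = [
    "120611 10:00:%02d [Warning] Access denied for user 'root'@'10.0.0.5' "
    "(using password: YES)" % (i // 10)
    for i in range(300)
] + [
    "120611 10:05:00 [Warning] Access denied for user 'app'@'10.0.0.9' (using password: YES)",
    "120611 10:09:00 [Warning] Access denied for user 'app'@'10.0.0.9' (using password: YES)",
    "120611 10:00:07 [Note] Plugin 'FEDERATED' is disabled.",
]

if __name__ == "__main__":
    for (user, host), n in find_bursts(SAMPLE_LOG).items():
        print(f"possible auth-bypass brute force: {n} denials for '{user}'@'{host}'")
```

Run against a real error log with `find_bursts(open("/var/log/mysql/error.log"))`; a flagged source on an unpatched build is exactly the case the diary describes, and on a patched build it is still a password-guessing attempt worth blocking by IP.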

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

The operating system is much more flexible than it was, but the Chromebook/Chromebox hardware remains too pricey to gain much traction.
BT Retail has deployed a new cloud-based, business intelligence system to help get the best out of its customer relationship management data.
Android continues to grow, with over 900,000 devices based on the OS now being activated every day, according to Andy Rubin, who heads up development of the smartphone operating system at Google.
Select ThinkPad notebooks built with a 3G module inside now have access to a new no-contract mobile broadband service offered by Lenovo that will provide on-demand access to the Internet, the company announced on Monday.
Google is aggressively defending itself against accusations it manipulates its search results based on ad payments, and it is encouraging users to go elsewhere if they don't like what the company does.
Although speculation that Apple would wrap up work on its Mountain Lion Mac OS early has flopped, the company will likely narrow the launch date during its Worldwide Developers Conference today.
Combining geographic information with business analytics can be a powerful competitive tool.

Posted by InfoSec News on Jun 11


By Phil Muncaster
The Register
11th June 2012

The Indian government is stepping up its cyber security capabilities
with plans to protect critical national infrastructure from a
Stuxnet-like attack and to authorise two agencies to carry out
state-sponsored attacks if necessary.

Sources told the Times of India that the government’s National Security
Council, headed by...

Posted by InfoSec News on Jun 11


By Dan Goodin
ars technica
June 8, 2012

The Flame espionage malware that infected Iranian computers has
initiated a self-destruct command that removes all traces of itself on
infected machines that receive the instruction, researchers said.

The 20-megabyte piece of malware already had a self-destruct module
known as SUICIDE that removed all files...

Posted by InfoSec News on Jun 11


By Bill Brenner
Salted Hash
June 8, 2012

Follow these names on Twitter. Together, they make cyberspace a more
secure place. (copy and paste)

You'll find many of the same people as last time, but I've added several
new names. Apologies in advance to anyone I'm forgetting. There are so
many people worth...

Posted by InfoSec News on Jun 11


By Jeremy Kirk
IDG News Service
June 8, 2012

Kevin Young, a computer security expert who studies passwords, is nearly
at a loss for words. Literally.

Young and his colleagues are working to decode some 2.6 million
scrambled LinkedIn passwords, part of a total of 6.1 million released
earlier this week on a Russian password cracking forum....

Posted by InfoSec News on Jun 11


Trend News Agency
9 June 2012

Iranian computer experts have identified the nationality of those who
sought to hack the country's oil ministry computers in April, police
officials announced on Saturday, adding that the hackers were traced to
the US, FNA reported.

"2 American IPs were identified in the (cyber) attack against the oil
ministry," Head of Information Production and...