Hackin9

InfoSec News

Japan's Softbank, which is in negotiations to make a major investment in U.S. operator Sprint Nextel, is also mulling a competitive bid for MetroPCS, Japanese media reported Friday.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Today I'll provide an overview of what is often the elephant in the room: the Payment Card Industry Data Security Standard (PCI DSS). Unlike ISO 27001, where shades of grey are acceptable, in PCI DSS things are very much black and white. There is some wiggle room, but it is limited and realistically exists only if you can convince the QSA (Qualified Security Assessor) that what you are doing is acceptable. It boils down to this: you either comply with a requirement, or you don't. There is no "kind of".


Background

Each of the payment brands has a set of information security requirements that must be met by its merchants. This meant that in order to process Visa transactions you needed to comply with Visa's Cardholder Information Security Program (CISP); when dealing with MasterCard you needed to comply with MasterCard's Site Data Protection (SDP) program; and so on for American Express, Discover and JCB issued cards. In order to simplify the requirements on merchants and to align the different programs, the founding members developed PCI DSS, and the PCI Security Standards Council was created to manage the various standards.



Founding members and their various compliance requirements:

American Express: www.americanexpress.com/datasecurity
Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
JCB International: www.jcb-global.com/english/pci/index.html
MasterCard Worldwide: www.mastercard.com/sdp
Visa Inc: www.visa.com/cisp
Visa Europe: www.visaeurope.com/ais

The main standard most people will need to comply with is PCI DSS. The other standards have a more specific scope:

PA-DSS (Payment Application Data Security Standard) applies to those selling an application that accepts, processes, stores or transmits credit card information.
PCI PTS (PIN Transaction Security) applies to the actual PIN pad devices many of us are familiar with.
PCI P2PE (Point-to-Point Encryption) deals with encryption in point-to-point solutions.



PCI DSS applies to any organisation that accepts, processes, stores or transmits credit card information. Unfortunately it does not matter how small or large you are: you have to meet all the requirements of PCI DSS, although there are some small differences in the standard depending on whether you are a merchant or a service provider. If you accept credit cards, you have to comply.
Depending on the number of transactions you may be considered a level 1, 2, 3 or, for some payment brands, even a level 4 merchant or service provider. In a nutshell, if you are a level 1 merchant or service provider you will need an on-site assessment annually and quarterly Approved Scanning Vendor (ASV) scans. Lower levels may only require you to validate using a Self-Assessment Questionnaire (SAQ) and have quarterly ASV scans. The main thing to remember, though, is that the number of transactions you do only determines the validation requirements, not the compliance requirements. You always have to comply with all requirements outlined in the standard, unless they are genuinely not applicable to your situation.



Just to make it slightly more complicated, the number of transactions that determines what level you are depends on each payment brand. You can be a level 1 merchant for Visa, level 2 for MasterCard and level 3 for Amex. The best place to find the specific levels is via one of the links above. To make it even more complicated, your acquirer or the payment brand themselves may specify that you have to validate as a level 1 merchant or service provider. Some service providers will always have to validate as level 1 regardless of the number of transactions processed, depending on the type of service being provided. So life can get confusing.



What happens if you don't comply? Well, that depends on the acquiring bank that you deal with as a merchant or service provider. Ultimately the acquirer carries the risk: they are the ones that get yelled at and have to provide evidence of their merchants' (i.e. your) compliance with the standard. When you are not compliant they may impose additional fees on your organisation until you are compliant, or they may refuse service. I have seen both happen in the past twelve months. Should there be a breach you may also be held liable for the costs associated with the breach. Typically the acquirer or payment brand will bring in their own investigative team and perform an analysis of how the breach occurred. If at the time of a breach you are not compliant with PCI DSS, they may try to recover their costs. It is therefore important that once you are compliant you make sure you are able to maintain it.



A longish background I know, but it is important to get these things straight before you try and tackle the rest of the standard.



Scope and scope reduction

Possibly the most difficult thing to do is scoping of the PCI environment, and it is the one area where, as a QSA, I get the most questions from people. Scoping can be a pain, but there are a few rules of thumb you can work with that might make it easier for you.

Electronic world

If the system accepts, stores, processes or transmits credit card information it is in scope.
If you use tokenization the systems interacting with the tokenization services are in scope.
If a system can access systems that process card information, it is in scope. For example, if I have a web server that only shows static pages (nothing to do with buying anything or processing cards), but it sits in the same network segment as the web servers dealing with credit card information (i.e. it has access to those servers), then it is in scope.


Paper world

If it has a credit card number written on it, it is in scope.



If you are slightly freaked out by those broad rules and are thinking "OMG, that means my entire worldwide network is potentially in scope", then you are starting to get it. PCI DSS is the elephant in the room, and "bigger than Ben Hur" is quite appropriate as well. Which is where scope reduction comes into play.



PCI DSS is concerned with specific pieces of information, the cardholder data: the card number (PAN), cardholder name, expiry date and service code, plus the sensitive authentication data (full track data, CVV2/CVC2/CID and PINs or PIN blocks). Some of it you are allowed to hold and use prior to authorisation of a transaction but not after; sensitive authentication data must never be stored after authorisation, even encrypted (unless you are an issuer, of course). So by reducing the information kept, you may be reducing the impact of PCI DSS on the organisation.

The main mechanisms for reducing scope are:

Don't store card details. If you do not need the card number for anything, get rid of it once the transaction is complete.
Network segmentation is also a common method for reducing scope. Basically, those servers and other devices that accept, store and process card details are segmented off from the main network, with very limited interaction between the cardholder data environment and the rest of the network. If done correctly the scope for PCI may be reduced.
Get someone else to do it. Many organisations reduce scope by getting a service provider to perform certain tasks for them, such as storing credit card details. Third-party tokenization services are quite common. Likewise, having a third party scan forms and redact the credit card number before it is sent to your organisation is very common. Depending on how it is implemented, having someone else do the work may reduce your scope.

The how and why is a bit beyond this intro to the standard. Either way, if you are doing scope reduction exercises, keep your QSA briefed and they can advise whether what you are doing will help your situation or not.
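As an added example (not part of the original diary, and not a tool from the council), here is a small Python scrubber of the kind you would run over application logs or exported records before deciding what you really need to keep. It finds PAN candidates, confirms them with the Luhn check so that order and reference numbers are left alone, masks confirmed PANs to the first six and last four digits that Requirement 3.3 allows for display, and strips sensitive authentication data fields outright. The log lines and field names (pan=, cvv2=) are constructed for the example; the two card numbers are the well-known Visa and MasterCard test numbers, not real cards.

```python
import re

# Constructed sample records (not from any real system). The two valid card
# numbers are the publicly documented Visa and MasterCard test PANs.
SAMPLE_LINES = [
    "2012-10-11 10:02:13 order=1001 pan=4111111111111111 exp=12/14 cvv2=123 name=J.Smith",
    "2012-10-11 10:05:41 order=1002 pan=5500 0000 0000 0004 exp=01/15",
    "2012-10-11 10:07:02 order=1003 pan=4111111111111112 note=fails-luhn",
    "2012-10-11 10:09:55 order=1004 ref=1234567890 note=too-short-to-be-a-pan",
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Sensitive authentication data fields (assumed names for this example);
# these must never be kept after authorisation, so the value is dropped.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|pin)=\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every payment brand's PAN satisfies."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3)."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, pans_masked, sad_fields_removed) for one record."""
    pans = 0

    def _mask(match):
        nonlocal pans
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # a reference number, not a PAN: leave it
        pans += 1
        return mask_pan(digits)      # separators dropped in the masked form

    line, sad = SAD_FIELD.subn(lambda m: m.group(1) + "=[REMOVED]", line)
    line = PAN_CANDIDATE.sub(_mask, line)
    return line, pans, sad


def scrub_lines(lines):
    """Scrub every line; returns the clean lines plus totals for reporting."""
    clean, total_pans, total_sad = [], 0, 0
    for raw in lines:
        out, p, s = scrub_line(raw)
        clean.append(out)
        total_pans += p
        total_sad += s
    return clean, total_pans, total_sad


if __name__ == "__main__":
    cleaned, npan, nsad = scrub_lines(SAMPLE_LINES)
    print("\n".join(cleaned))
    print(f"masked {npan} PAN(s), removed {nsad} sensitive authentication field(s)")
```

The Luhn step matters in practice: without it, every long reference, invoice or phone number is reported as cardholder data and the scope exercise drowns in false positives. The counts returned are what you would hand to the QSA as evidence of where card data was found and that it is now truncated.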



Requirements

There are twelve requirements in the standard. A number of them have been introduced as a result of breach investigations; the remainder are fairly typical security practices that, hopefully, you are already doing anyway. Following are brief explanations of the requirements and some general observations on each, based on PCI engagements over the years.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data


This requirement outlines the processes that need to be in place for the management of firewalls and routers used in the cardholder data environment (CDE).

Most organisations have this reasonably under control. There are, however, documentation requirements that are often not met, and then there are those pesky ANY rules (you can have them, but they typically increase the scope).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters


Systems are often compromised through default passwords and other default configuration items. This section addresses default passwords, but also the security/hardening configuration of the devices used, such as configuration standards for servers and network devices.

This varies from organisation to organisation. Basic build documents are usually available, but they often do not address the requirements of the standard. Default passwords are usually changed, but the simple ones are not (the SNMP community strings public and private ring a bell?).

Requirement 3: Protect stored cardholder data


This requirement addresses what cardholder information can and cannot be stored, how stored data must be protected (including encryption and key management), and the related documentation requirements.

This is probably the most difficult requirement for most organisations. Encrypting and managing the keys can be a big challenge.

Requirement 4: Encrypt transmission of cardholder data across open, public networks


This requirement addresses the transmission of cardholder data between the organisation and third parties, as well as donors/customers.

Usually easily met, as most organisations already have VPNs or SSL/TLS-based applications.

Requirement 5: Use and regularly update anti-virus software or programs


This requirement addresses the malware management of the environment and helps ensure that malicious software does not adversely affect the environment.

If you don't have this sorted, PCI will be the least of your problems. Most organisations do OK with this; just read the requirement for regular scanning carefully.

Requirement 6: Develop and maintain secure systems and applications


This requirement addresses patching and change control as well as the development and testing of applications used to accept and process cardholder information.

The main issues we find relate to the lack of security training or awareness for developers, as well as deficiencies in security-related testing of internal and external facing applications. On the patching side, the standard expects critical security patches to be installed within a month of release, and anything with a CVSS base score of 4.0 or higher will also fail your quarterly ASV scan, so it has to be fixed.

Requirement 7: Restrict access to cardholder data by business need to know


Requirement 7 relates to access and privilege management and the processes for granting access to cardholder data, including the authorisation process and its documentation, typically role based.

Most of the time the deficiencies relate to documentation.

Requirement 8: Assign a unique ID to each person with computer access.


Each person with computer access must have an individual account on the various systems, with password controls (minimum length and complexity, expiry and lockout) applied and documented.

User ID and password management is often fine; however, privileged account management and the use of shared root accounts in some organisations can be a challenge.

Requirement 9: Restrict physical access to cardholder data.




In order to protect cardholder information, physical security must be considered.

Usually OK; the most common problems we come across relate to dealing with visitors.

Requirement 10: Track and monitor all access to network resources and cardholder data.


As part of management of cardholder data it is important to have visibility in the environment and have the ability to track activities.

The daily review of logs and file integrity monitoring is where most people struggle.
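As an added example that is not part of the original diary, here is a minimal file integrity monitor in Python of the kind Requirements 10.5.5 and 11.5 are asking for: build a SHA-256 baseline of a directory tree, store it as JSON, and compare a later snapshot against it, reporting added, removed and changed files. The directory contents and the "unauthorised changes" are constructed inside a temporary directory so the example runs offline; a real deployment keeps the baseline off the monitored host and runs the comparison at least weekly, with the results feeding the daily log review.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to its digest and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": p.stat().st_size,
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what differs between the stored baseline and a fresh snapshot."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(
            f for f in old & new if baseline[f]["sha256"] != current[f]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"      # the monitored system
        store = Path(tmp) / "store"    # stands in for off-host baseline storage
        for d in ("etc", "bin", "var/log"):
            (host / d).mkdir(parents=True)
        store.mkdir()
        (host / "etc" / "app.conf").write_text("db=prod\n")
        (host / "bin" / "old").write_bytes(b"\x7fELF-old")
        (host / "bin" / "server").write_bytes(b"\x7fELF-server")

        baseline_file = store / "baseline.json"
        save_baseline(build_baseline(host), baseline_file)

        # Simulated unauthorised activity: edited config, deleted binary, new file.
        (host / "etc" / "app.conf").write_text("db=prod\nadmin_backdoor=1\n")
        (host / "bin" / "old").unlink()
        (host / "var" / "log" / "auth.log").write_text("login ok\n")

        return compare(load_baseline(baseline_file), build_baseline(host))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing rather than comparing timestamps or sizes is the point: an attacker who edits a file and resets its mtime still changes the digest. Keeping the baseline on the monitored host defeats the exercise, since whoever changed the files can regenerate it.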

Requirement 11: Regularly test security systems and processes.


Under PCI DSS it is expected that the security of systems and applications be tested regularly to ensure that cardholder information is safe.

The quarterly wireless checks for rogue devices are usually the main stumbling block, as all sites have to be covered. Likewise, the difference between a penetration test and a vulnerability scan is sometimes confused and causes issues.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.




Policies are the cornerstone of compliance as they outline the requirements to be followed within the organisation.

Usually policies are OK; however, monitoring the PCI compliance status of your service providers is often not well developed.


Becoming compliant

If you are in the process of becoming compliant, then the first step should really be to see where you are at. So perform a gap analysis: look at all of the requirements and see how your organisation stacks up against them. The council has two documents available at https://www.pcisecuritystandards.org/security_standards/documents.php that will help. Firstly there is the "Navigating PCI DSS v2.0" document, which provides guidance on the requirements. Secondly there is the "Prioritized Approach for PCI DSS Version 2.0" document and spreadsheet, which will help with remediation by assisting in prioritising your efforts. Acquirers have been known to ask for completion of this spreadsheet so they can track your compliance efforts.
Be aware of the self assessment trap that people tend to fall into. Remember all those quizzes in magazines? Can you run 100m in 12 seconds? Sure. Can you bench press your own weight at least ten times? No problem. We tend to overestimate our abilities. So when doing the gap analysis, for each requirement you look at, add the question "how can I prove it?". That should bring the answers back into reality. For example, the testing procedure for requirement 1.1.1 reads "Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations". How can I prove it? What the QSA will be looking for is a document that states changes must be approved, must be tested, etc., and then typically they'll ask to see the approval for a particular change to a network device: who approved it, who executed it, and so on. If that is not possible, then you are not compliant.



After the gap analysis and the remediation you are ready for either the on-site assessment, if needed, or the self assessment. There are a number of different self assessment questionnaires that can be completed depending on your situation; usually the acquirer stipulates which SAQ needs to be completed. Just remember the magazine quiz trap when completing the SAQ: it is easy to say yes when the answer is really no.



A bit longer than I had initially intended, so that's where we'll leave it for today. Comments are always welcome; for specific questions I would suggest you use the contact form.



Cheers

Mark H - www.shearwater.com.au
 
The next version of Microsoft Office is complete and will start to reach enterprise customers next month, with general availability planned for early next year, Microsoft said Thursday.
 
Cisco WebEx WRF File Format Multiple Remote Memory Corruption Vulnerabilities
 
Advanced Micro Devices on Thursday cut its revenue forecast for the third quarter, saying a challenging economy hit demand for all its products.
 
Mobile carriers and app providers do not consistently or clearly disclose to customers how they use location information and other personal data, according to a new report from government auditor the U.S. Government Accountability Office (GAO).
 
Attempting to arrive at a solution to a complicated issue, the Linux Foundation has introduced a possible way that smaller Linux distributions can be run on machines using UEFI (Unified Extensible Firmware Interface) technology.
 
If members of the U.S. military and their families have seen major changes in their lives because of the Internet and related technologies, then they should expect even more upheaval, a group of tech experts said Thursday.
 
Mozilla re-released Firefox 16 today after pulling the browser from distribution Wednesday when one of its developers found a critical bug that could be used by attackers to hijack machines.
 
Linux Kernel 'fs/proc/root.c' Remote Denial of Service Vulnerability
 
Even Apple has been hit by the computer sales tailspin in the U.S., research firms IDC and Gartner said yesterday.
 
Employees who access corporate networks and download data onto their mobile devices may not be as much of a security risk as those who bring consumer hotspots into the corporate environment.
 
Zenphoto 'admin-news-articles.php' Cross Site Scripting Vulnerability
 
KDE Konqueror Multiple Security Vulnerabilities
 
Apache Axis2 XML Signature Wrapping Security Vulnerability
 
The Center for Internet Security (CIS) is best known for its Security Benchmarks. These are security standards for hardening various products and services: making them more resistant to attack, setting them to log and alert better, and so on. There are a few attractions to using benchmarks from an organization like CIS:

The benchmarks are written by volunteers, most of whom do not work for the vendor in question. This means that each security setting will have seen scrutiny from many people who are NOT the vendor. Recommended security settings will often match the vendor's recommendations, but you'd be surprised how much further a group of dedicated volunteers will take things!
The benchmarks are written collaboratively by consensus. There may be a project lead (or leads), but most points see spirited debate before they reach their final form. A change doesn't get committed to the final document until everyone is convinced that it is the right thing to do, presented the right way.
The benchmarks will usually discuss specific situations where a change is appropriate (or, just as important, not appropriate).
As each recommended change is considered in the document, there's a discussion about how making that change might affect the service delivered.
Recommended settings or changes will usually have references for additional background and reading.

Discussion of the CIS Benchmarks is particularly timely, as CIS released updates to several benchmarks earlier this week, for:

CIS Apache HTTP Server 2.2.x
Google Android 4.0
IBM AIX 5.3-6.1
Microsoft IIS 7.5
Oracle Solaris 10

The focus today will be on the Cisco Device benchmarks, which I use almost daily. These include standards for both IOS based Routers/Switches and for Firewalls from Cisco.



The benchmark is divided into 2 sections (the descriptions below are pasted right from the benchmark document):



Level-1 Benchmark

The Level-1 Benchmark for Cisco IOS represents a prudent level of minimum due care.

These settings:

Can be easily understood and performed by system administrators with any level of security knowledge and experience

Are unlikely to cause an interruption of service to the operating system or the applications that run on it



Level-2 Benchmark

The Level-2 Benchmark for Cisco IOS represents an enhanced level of due care for system security.

Enhance security beyond the minimum due care level, based on specific network architectures and server function

Contain some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments

Each section is in turn divided up in hierarchical fashion, breaking each area of configuration into logical groups. Each specific setting has a description of the change, the rationale for the change (usually describing any attack vector), as well as the configuration command to make the change. An audit command is also included, to verify whether the setting in question has been made successfully or not. Finally, references are included for each change; these give you additional reading on other sites and documents such as the NSA's Security Configuration Guide, the Cisco documentation site (of course, for the complete documentation of the commands being discussed), or the Cisco Guide for Hardening IOS Devices.



A final win is the Router Assessment Tool (RAT), an audit tool that accompanies the benchmark. RAT will take a saved configuration and assess it against each of the benchmark settings, at either Level 1 or Level 2. RAT can also be configured to collect configurations from live devices prior to the audit. The completed audit ends up as a colour-coded HTML document, which can be used to help in remediation of the platform (red for non-compliance really gets the attention of the non-technical folks).
As always, NEVER implement everything in a hardening guide without some serious care and homework. Many of the changes described in the CIS Benchmarks for Cisco devices will disable features or require matching changes on peering devices (such as WAN service provider routers or ISP routers), breaking things like routing protocols until the other party catches up and matches your change. You'll want to review each change carefully for impacts to your environment. If you proceed with any change, be sure to follow proper change control procedures; in particular, have scheduled change windows, risk assessments and a proper backout plan.
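As an added example, which is neither the CIS RAT tool nor text from the benchmark, here is a minimal Python audit of the same shape RAT takes: parse a saved IOS configuration into top-level commands and the indented sub-commands under each line section, evaluate a handful of Level-1 style checks against it, and report PASS/FAIL together with the remediation command. The weak and hardened configurations are constructed for the example (the enable secret hash is a placeholder), and the check titles and remediation strings are my paraphrases of common benchmark items, not the benchmark's own numbering or wording. It also covers the Requirement 1 point from the PCI diary above, since the same parser is what you would extend to flag "permit ip any any" style ACL entries.

```python
import re

# Constructed sample of a saved IOS running-config with several weak settings.
WEAK_CONFIG = """\
version 12.4
service timestamps log datetime msec
no service password-encryption
hostname edge-rtr1
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
logging host 192.0.2.10
end
"""

# The same device after remediation (also constructed; the hash is a placeholder).
HARDENED_CONFIG = """\
version 12.4
service timestamps log datetime msec
service password-encryption
hostname edge-rtr1
enable secret 5 $1$example$placeholderhash
no ip http server
snmp-server community n0tpubl1c RO
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input ssh
 exec-timeout 10 0
logging host 192.0.2.10
end
"""


def parse_config(text):
    """Split a saved config into top-level commands and the indented
    sub-commands under each section header ('line vty 0 4', 'interface ...')."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def line_subcommands(sections, prefix):
    """All sub-commands under sections whose header starts with prefix."""
    return [cmd for hdr, cmds in sections.items() if hdr.startswith(prefix) for cmd in cmds]


# (title, predicate(top, sections) -> True when compliant, remediation command)
CHECKS = [
    ("Enable service password-encryption",
     lambda top, sec: "service password-encryption" in top,
     "service password-encryption"),
    ("Use 'enable secret' rather than 'enable password'",
     lambda top, sec: any(c.startswith("enable secret ") for c in top)
                      and not any(c.startswith("enable password ") for c in top),
     "enable secret <strong-password> ; no enable password"),
    ("Disable the HTTP management server",
     lambda top, sec: "ip http server" not in top,
     "no ip http server"),
    ("No default SNMP community strings",
     lambda top, sec: not any(re.match(r"snmp-server community (public|private)\b", c) for c in top),
     "no snmp-server community public ; no snmp-server community private"),
    # Vacuously true if no vty transport line exists; a fuller audit would flag that too.
    ("VTY lines accept SSH only",
     lambda top, sec: all(c == "transport input ssh"
                          for c in line_subcommands(sec, "line vty") if c.startswith("transport input")),
     "transport input ssh (under line vty)"),
    ("Non-zero exec-timeout on every line",
     lambda top, sec: not any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in line_subcommands(sec, "line ")),
     "exec-timeout 10 0 (under each line)"),
    ("Remote syslog host configured",
     lambda top, sec: any(c.startswith("logging host ") for c in top),
     "logging host <syslog-ip>"),
]


def audit(config_text):
    """Return [(title, 'PASS' or 'FAIL', remediation)] for one configuration."""
    top, sections = parse_config(config_text)
    return [(title, "PASS" if ok(top, sections) else "FAIL", fix) for title, ok, fix in CHECKS]


def failed_checks(config_text):
    return [title for title, result, _ in audit(config_text) if result == "FAIL"]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for title, result, fix in audit(cfg):
            print(f"{result}  {title}" + (f"  -> {fix}" if result == "FAIL" else ""))
```

The audit is deliberately read-only: it assesses a saved copy of the configuration rather than logging in and changing anything, which is what lets you run it before the change window, review each failing item on its own merits, and then push only the remediations you have approved.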



As with most standards of this type, the recommendation is to either:

Audit your environment against the benchmark documents
Make changes to your environment as suggested in the document, considering each change individually on its own merits with an eye towards how it will affect both security and service delivery (i.e. a risk assessment).

What you DON'T want to do is implement changes from any security benchmark without this risk assessment - as discussed, going this route can have some dire consequences!
Often organizations will take several security documents like this, and distill them down to a single Corporate Standard for Internal Compliance and Auditing. This is a great approach, but it also means that the internal standard will need to be re-addressed as the source documents see updates and changes.
Happy auditing everyone !



Related Links:

The CIS home page == http://www.cisecurity.org/

Security Benchmarks available for Download == https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform

Benchmark Assessment Tools (includes RAT) == https://benchmarks.cisecurity.org/en-us/?route=downloads.audittools

NSA Router Security Configuration Guide == http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf

Cisco Guide to Harden Cisco IOS Devices == http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


===============

Rob VandenBrink

Metafore
 
[ MDVSA-2012:164 ] libxslt
 
[ MDVSA-2012:163 ] firefox
 
Last reminder for ClubHack 2012 : Call for Papers
 

So much outrage, so little time
CSO (blog)
But since the corporate world rarely heeds the advice of infosec professionals the first time around, some points need to be repeated often. In that spirit, let's begin with Scot A. Terban (@krypt3ia), who listed a number of pet peeves: "Lack of ...

 
A panel of mobile wallet experts at MobileCon today predicted slow pathway to user adoption of technologies such as Near-Field Communication in the U.S.
 
Microsoft is suing Motorola Mobility in Germany over a mapping patent that Microsoft alleges covers the Google Maps app that ships on Motorola phones. The two parties meet each other in court on Thursday, the regional court of Munich said.
 
In 2001, Nippon Telegraph and Telephone had just started DSL broadband Internet service and was taking its first steps toward reaping the benefits of an ambitious and costly plan to string fiber-optic cable along every street in the country. Then along came Softbank.
 
libvirt 'virNetServerProgramDispatchCall()' Function Remote Denial Of Service Vulnerability
 
Hard-coded credentials and command-injection vulnerabilities on BigPond 3G21WB
 
[slackware-security] bind (SSA:2012-284-01)
 
Thanks Mike and others for digging into the security fixes and changes in the recent Firefox 16 and Thunderbird 16 updates (earlier this week). Find these details here:
https://www.mozilla.org/security/known-vulnerabilities/firefox.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

... And thanks to our reader Paul, who let us know that this latest update has been pulled (if you download the latest version right now, it's 15.0.1). It seems that a critical security vulnerability slipped past in 16.0 (version 15.0.1 is not affected). Good on the Firefox / Mozilla teams for pulling it so quickly, and posting on it immediately. More info here:
https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
Final Update (we hope):
Another reader has just let us know that 16.0.1 has just been posted - this should get us all back on track! Happy updating everyone! The two original links (above) have the security-specific info for version 16.0.1.
===============

Rob VandenBrink

Metafore
 
The Massachusetts Institute of Technology is aiming for a leadership position in mobile technology with the launch on Thursday of its latest research center, [email protected]
 
A ban on imports of Samsung's Galaxy Nexus into the U.S. was reversed by a U.S. appeals court Tuesday.
 
U.S. marketers spent 14% more in online advertising in the first half of the year, compared with the same period in 2011, hitting $17 billion, according to a study sponsored by the Interactive Advertising Bureau (IAB) and conducted by PwC US.
 
Allowing employees to bring their own devices to work is causing new challenges, including what happens when a device needs to be wiped or employees want to sell their smartphone or tablet.
 
Google announced on Thursday what the company terms the "biggest ever update" to its popular and controversial Street View map imagery Web-based service.
 
LG's new Optimus G Android smartphone, which will be available from both Sprint and AT&T, offers a fast processor, a brilliant display and some powerful productivity features.
 
The Black Hole attack toolkit is fueling many of the exploits targeting the vulnerabilities, according to Microsoft.

 
FileBound - Privilege Escalation Vulnerability - Security Advisory - SOS-12-010
 
VMSA-2012-0014 VMware vCenter Operations, CapacityIQ, and Movie Decoder security updates
 
ESA-2012-025: EMC NetWorker Module for Microsoft Applications (NMM) Multiple Vulnerabilities
 
Los Angeles World Airports (LAWA), the department that oversees three airports in the LA area, recently implemented a business continuity and disaster recovery plan for the Los Angeles International Airport (LAX). As part of the effort, the organization conducted a tabletop exercise on what would happen if an earthquake struck LAX.
 
If you haven't heard yet, this is CSO magazine's tenth anniversary. Let me be the first to let you in on a little secret (in case you've been living in a cave somewhere): A lot has changed in ten years.
 
If Japan's third-largest wireless carrier Softbank negotiates successfully to buy a majority interest in Sprint, the deal could be a good fit for their technologies and attention to customer service, analysts said.
 
Japanese mobile operator NTT DoCoMo's subscribers will be able to make mobile payments when travelling abroad next year, thanks to a collaboration with MasterCard.
 
Microsoft is suing Motorola Mobility in Germany over a mapping patent that Microsoft alleges covers the Google Maps app that ships on Motorola phones.
 
Sharp said Thursday it will soon launch a smartphone with its new IGZO display, a power-efficient technology that allows the device to last two days on a single charge and that is rumored to be Apple's choice for its upcoming tablets.
 
Cloud adoption means that companies are increasingly signing pay-as-you-go SLAs and renting servers. This means traditional software and hardware vendors must dramatically reconsider their business models, columnist Bernard Golden says.
 
LG is making the next Google Nexus smartphone and plans to launch it on Oct. 29, according to a French newspaper and others.
 
Japan's Softbank, the country's third-largest carrier, is in negotiations to acquire U.S. mobile operator Sprint in a deal worth over $30 billion, the Japanese business newspaper Nikkei reported.
 

New General Dynamics TACLANE-MultiBook Delivers Classified and ...
Sacramento Bee
For a complete list of features, benefits and specifications visit, www.gdc4s.com/MultiBook. For additional information or to order the MultiBook call INFOSEC sales & support at 1-888-897-3148 or email Infosec@gdc4s.com. General Dynamics C4 Systems is ...

 
Japan's Softbank, the country's third-largest carrier, is in negotiations to acquire U.S. mobile operator Sprint in a deal worth over $30 billion, the Japanese business newspaper Nikkei reported Thursday.
 
Companies seeking to enable enterprise-wide data analytics need a chief analytics officer to lead the effort, analysts say.
 
Version 2.0 of the IPv6 tool suite adds a new scanning tool, new denial-of-service (DoS) attacks and a number of other feature enhancements


 
Mozilla yesterday took the unusual step of yanking Firefox 16 from distribution just a day after its release.
 
Microsoft's first-time move Tuesday to update Windows 8 before the OS launches is a sign of the company's continued edging toward practices long held by rivals Apple and Google.
 
The end of the world may or may not be nigh, but in the tech industry, many of these possibilities could easily become reality
 

From £50000 to £60000 per year + £50k - £60k
Career Engineer
Senior Infosec Engineer : International Defence Organisation based in Stevenage, Hertfordshire is currently looking to recruit 2x Senior Infosec Engineers. Please Note: you must be eligible for SC (Secret Level) Security Clearance. The salary on offer ...

 
The House intelligence report issued Monday will bring more scrutiny to joint efforts and agreements by U.S. and China technology companies at least, but trade problems can't be ruled out either.
 
A trio known for their prowess in hacking Apple's iPhone software indicated on Thursday they may be edging closer to breaking the improved security measures in iOS 6.
 
Just one day after releasing Firefox 16, Mozilla has temporarily pulled the latest update to its open source web browser after finding a browser-history-exposing bug


 
Symantec Ghost Solutions Suite Backup File Memory Corruption Vulnerability
 
The notorious malware known as the Conficker worm still infects computers, a sort of wild horse with no rider, but investigators appear no closer to finding its creator.
 
Mozilla has temporarily removed Firefox 16 from the current installer page after it found a security vulnerability in the new version of its browser, it said on Wednesday.
 

Posted by InfoSec News on Oct 11

http://arstechnica.com/security/2012/10/google-chrome-exploit-fetches-pinkie-pie-60000-hacking-prize/

By Dan Goodin
Ars Technica
Oct 10 2012

Google Chrome exploit fetches "Pinkie Pie" $60,000 hacking prize A win
for Pinkie Pie and Google, as a fix is released within 12hrs of the
exploit.

A hacker who goes by "Pinkie Pie" has once again subverted the security
of Google's Chrome browser, a feat that fetched him a...
 

Posted by InfoSec News on Oct 11

http://www.theinquirer.net/inquirer/news/2216038/rsa-europe-2012-cyber-crooks-and-state-hackers-work-together-on-threats

By Alastair Stevenson
The Inquirer
Oct 10 2012

CRIMINAL AND STATE SPONSORED HACKERS are starting to collaborate to
create ways to steal data, according to RSA executive chairman Arthur
Coviello.

During a conference at RSA Europe 2012 on Tuesday, Coviello claimed that
the company has already seen evidence that criminals...
 

Posted by InfoSec News on Oct 11

http://www.theregister.co.uk/2012/10/10/huawei_canada_network/

By Brid-Aine Parnell
The Register
10th October 2012

The Canadian government has said that it will be invoking a "national
security exemption" as it hires firms to build a secure network, hinting
that Chinese telco Huawei could be excluded.

The exemption allows the government to kick out of the running any
companies or nations considered a security risk, which coming in...
 

Posted by InfoSec News on Oct 11

http://www.theglobeandmail.com/news/politics/naval-intelligence-officer-sold-military-secrets-to-russia-for-3000-a-month/article4603089/

By STEVEN CHASE and JANE TABER
The Globe and Mail
Oct. 10 2012

A Canadian naval intelligence officer has pleaded guilty to spying for
Russia, a public admission of an embarrassing espionage scandal that has
damaged Canada’s reputation among allies and will likely reverberate for
years.

In a Halifax court...
 

Posted by InfoSec News on Oct 11

http://www.networkworld.com/news/2012/101012-a-better-reason-not-to-263231.html

By Jeremy Kirk
IDG News Service
October 10, 2012

Security researcher Felix "FX" Lindner has a more compelling reason to
steer clear of routers from Huawei Technologies than fears about its
ownership.

While the company blasted for its opaque relationship with China's
government in a U.S. intelligence report released Monday, a bigger worry
for some...
 
Ruby '#to_s' Method Incomplete Fix Security Bypass Vulnerability
 