InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Kaspersky Lab on Thursday suspended distribution of its tool to remove the Flashback malware attacking Mac computers, saying the tool itself was making unacceptable alterations to user computers. A replacement is expected soon.
Google's profit soared 61 percent in the first quarter, but the average "cost per click" paid to Google by advertisers declined for the second quarter running, the company reported Thursday.
The new business unit, called Microsoft Open Technologies, will address the gap between Microsoft and non-Microsoft technologies.
This Java security update removes the most common variants of the Flashback malware. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. [1] Java for Mac OS X 10.6 Update 8 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for Mac OS X v10.6. [2]
Apple recommends that all Mac users install this update where Java is installed.
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: The Java browser plugin and Java Web Start are deactivated if they remain unused for 35 days
For OS X Lion systems, download file: JavaForOSX.dmg

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: A Flashback malware removal tool will be run
For Mac OS X v10.6 systems, download file: JavaForMacOSX10.6.dmg
Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8 are available via the Software Update pane in System Preferences or from the Apple web site [3].
[1] http://support.apple.com/kb/HT5242

[2] http://support.apple.com/kb/HT5243

[3] http://www.apple.com/support/downloads/
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
The folks at Caelo Software, makers of some excellent tools for organizing your Outlook email, are at it again with Track Your Sent. Unlike the company's NEO Pro, Track Your Sent is not an overall email organizer. Instead, it takes aim at a narrow part of your email experience: the messages you send. Although plenty of email utilities help bring order to your inbox, your sent items folder is often overlooked, left to drown under the weight of its own unorganized mess. Not anymore.
In the latest installment of the CIO Interview Series, Louie Ehrlich, CIO and president of Chevron Information Technology Company, talks about the most important things he's learned leading a giant, global IT team through massive change. His answers may sound simple, but they're hard-won lessons for Ehrlich, the top tech executive for the nearly $250 billion energy company, whose transformation effort has yielded the better part of a billion dollars in payback for Chevron. Insider (registration required)
The open-source OpenStack cloud infrastructure stack has gained a number of additional powerful allies, as IBM and Red Hat have both agreed to support the OpenStack Foundation, organizers behind the soon-to-be-created organization announced Wednesday.
A new development platform announced Thursday by startup Heirloom Computing will allow companies to move legacy applications written in the venerable, but still-viable, COBOL language, which often run on mainframes, to a variety of cloud computing services.
Barnes & Noble's new Nook Simple Touch with GlowLight offers readers the ability to read comfortably in sunlight and in the dark. But can it otherwise compete?
Nokia's Lumia 900 won't be free much longer. A $100 discount being offered on the $99.99 smartphone (with two-year service contract required) will expire at the end of business on April 21, Nokia said.
Oracle is planning to release 88 patches on Tuesday, covering vulnerabilities affecting a wide array of its products, according to a pre-release announcement posted to its website on Thursday.
A former judge hired to settle a protracted legal dispute between Marin County, Calif., and Deloitte Consulting over a botched SAP project last week dismissed all charges made by the county in one of two lawsuits.
When Google rolled out significant changes to Google+ on Wednesday, it did so without first warning developers on the platform, and at least one prominent developer is fuming.
Splashtop on Thursday released a new tablet application that replicates the Windows 8 touch-driven Metro user interface on the iPad, which should help developers test applications for Microsoft's next OS without investing in a Windows tablet.
The VA plans to stop requiring that patients make co-payments for in-home video telehealth care. The move could cut costs and spur adoption among commercial healthcare providers.
More than 600,000 Macs have been infected with a new version of the Flashback Trojan horse that's being installed on people's computers with the help of Java exploits. How does this infection affect Apple's reputation for security?

InfoSec Skills CEO Criticizes how ICT is taught in Schools
Virtual-Strategy Magazine
In an interview this morning, Terry Neal of InfoSec Skills, a niche ICT training company specialising in Information Security training, said the recent commentary by Education Secretary Michael Gove on the state of teaching ICT in schools was fully ...

Microsoft Internet Explorer CVE-2012-0170 OnReadyStateChange Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2012-0171 SelectAll Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2012-0169 JScript9 Remote Code Execution Vulnerability
[SE-2012-01] Security weakness in Apple Quicktime Java extensions

Student stiffs penetration tool BackTrack Linux with 0-day
The previously undiscovered (hence zero-day) privilege escalation bug in the network penetration-testing distro was discovered during an ethical hacking class organised by the InfoSec Institute. Jack Koziol, security programme manager at the institute, ...
0-day in Backtrack Linux found, patched - Help Net Security
Zero-day security hole in BackTrack Linux uncovered by student - Infosecurity Magazine


ISACA issues latest version of COBIT infosec governance framework
Infosecurity Magazine
ISACA, the not-for-profit IT security association, has issued COBIT 5, the latest version of its IT security reference guide. ISACA explained that COBIT 5 provides globally accepted principles, practices, analytical tools, and models designed to help ...

If the Department of Justice has its way, ebook prices are about to drop.
A new ransomware variant prevents infected computers from loading Windows by replacing their master boot record (MBR) and displays a message asking users for money, according to security researchers from Trend Micro.
[waraxe-2012-SA#086] - Local File Inclusion in Invision Power Board 3.3.0
[ MDVSA-2012:057 ] freetype2
[SECURITY] [DSA 2449-1] sqlalchemy security update
Cloud and SaaS services are rapidly gaining traction with enterprises and SMBs -- yet IT, which is usually responsible for negotiating contracts with these service providers, may fall short in critical areas of contract negotiation and legal skills. The stakes are high. In a worst-case scenario, you may simply realize that you made a mistake and must get out of a contract. In less dire cases, you can find yourself relying on a vendor that doesn't deliver on your business SLAs the way your internal staff would. The best way to set expectations is to lay them out clearly in the contract you sign with your vendor. This provides a platform for ongoing discussions about service levels.
The number of Macs infected with the Flashback malware has plummeted in the last few days, antivirus vendor Symantec said today.
A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.
[ MDVSA-2012:056 ] rpm
Netjuke 1.0 RC1 - SQL Injection Vulnerabilities
DHTMLX Suite v.3.0 - Multiple Web Vulnerabilities
It doesn't seem entirely accurate to describe Windosill as a game. Games, after all, evoke things like rules and objectives and winning. And while there's certainly a goal to strive for in the $3 iPad app from Vectorpark.com--solve one puzzle to move onto the next one until you've completed all 11 vignettes--the real joy in Windosill comes in the journey, not the destination.

How do you define a security threat? If you’re like most IT security professionals, your security threat definition is probably: “The potential occurrence of an attack against an organization’s infrastructure and assets.”

If this was a pop quiz, you could get half credit for that answer. It’s partly true, but it’s not the whole answer, and it’s not the answer your executive leaders and board of directors need to hear.

Christopher Armstrong, CISO of Livermore, Calif.-based Allgress Inc., popped this quiz on the audience during a business risk session at SecureWorld last month, and almost everyone gave the IT-centric answer above. But Armstrong made a strong case for changing our perspective when we talk about security threats.

When you talk to a CEO or a board member about the threats to his or her organization, Armstrong said, there’s no need to go into great detail about the type of attack that may occur, the motivation of the attacker, etc. All he or she really wants to know is: What will it cost us? And, what’s the probability it will happen? 

Telling the CEO or the board that a widespread threat could steal your sensitive customer data isn’t likely to get you the funding you need to stop that threat. But tell them the threat could cost the organization $10 million and there’s a 50% chance it will happen, and they just may open the checkbook for you.

By looking at security projects from a board member's perspective, as well as from your own infosec perspective, you're more likely to get the resources you need to advance your security initiatives.


0-day in Backtrack Linux found, patched
Help Net Security
A zero-day vulnerability affecting the last version of Backtrack Linux has been spotted by a student during an Ethical Hacking class organized by the InfoSec Institute. The discovery was made public on InfoSec's own website and detailed by the student ...

EMC, along with Cisco, Brocade, Intel, Citrix and others, announced a pre-configured private cloud architecture that it plans to sell exclusively through channel partners.
Because Nivio is still in by-invitation beta, with elements such as a native iPad app not ready in time for this article, it's a bit premature to develop a formal opinion on Nivio. An ambitious attempt to adapt Windows--and Windows applications--for mobile devices, Nivio could turn into a powerful service, but right now it's just too darn complicated to use.
OnLive Desktop uses technology developed for its parent OnLive gaming service, which lets you stream high-end video games (that you rent or purchase) to your PC in much the way you'd get an on-demand movie from Netflix. Instead of games, OnLive Desktop streams a virtual Windows desktop outfitted with Word, Excel, PowerPoint, Adobe Reader, Internet Explorer, Windows Paint and Calculator, and Microsoft Surface Collage.
The day after its January 5 debut, CloudOn became the number one app in the iTunes App Store, says CloudOn CEO Milind Gadekar. That's not surprising: It was the first app to let you run virtualized versions of Microsoft Word, Excel, and PowerPoint on the iPad, and it was free. It still is, at this writing, but since CloudOn is paying software-as-a-service licensing fees to Microsoft, it will have to generate income somehow, so don't expect the free ride to last forever.
Certec atvise webMI2ADS Web Server Multiple Remote Vulnerabilities
PHP EXT/Session HTTP Response Header Injection Vulnerability
TeamSHATTER Security Advisory: Privilege escalation via internal sql injection in RESTORE DATABASE command
Fusion-io today announced the availability of a PCIe-based flash card for workstations that is less than half the price of its flash card for servers.
Ultrabooks are expected to sell better this year, due to a larger selection of models slated to arrive on the market. But pricing and competition from tablets will continue to temper consumer interest in ultrabook devices, according to analysts.
Amazon has issued a software upgrade for the Kindle Touch, which adds more languages and usability improvements, the company said on Wednesday.
If you have a popular blog, it can be difficult to keep control of the conversation. We look at 3 comment platforms -- Disqus, IntenseDebate and Livefyre -- that can help.
Former Goldman Sachs programmer Sergey Aleynikov did not violate the National Stolen Property Act and the Economic Espionage Act when he allegedly uploaded proprietary source code to a server in Germany, the U.S. Court of Appeals for the Second Circuit said.
Intel said on Wednesday it will release its first Xeon server chips with 3D transistors this quarter, in a move that analysts said would intensify the cloud hardware battle with rival Advanced Micro Devices.
The financial services industry saw nearly triple the number of DDOS attacks during the first three months of this year compared to the same period last year.
Microsoft has extended the mainstream support period for Office 2007 by six months to align the suite's lifecycle with a little-known provision in the company's support policy.
Sony's new CEO wants to bring back the magic.
Amazon Web Services has introduced CloudSearch, which allows users of its cloud to integrate fully managed and highly scalable search functionality into their applications, the company said on Thursday.
Remote access to data center functions, including server and network operations, is now routine in many facilities. But users still worry about security.
Intel on Thursday announced new solid-state drives with storage of up to 800GB.

Posted by InfoSec News on Apr 11


By Nicole Lewis
April 11, 2012

A new tally of files stored on a server that contained Medicaid information at
the Utah Department of Technology Services (DTS) reveals that 780,000
individuals have been affected by the theft of sensitive information. That's
far worse than initial estimates.

The data breach occurred on March 30, when a configuration...

Posted by InfoSec News on Apr 11


By Seattle Times business staff
April 11, 2012

Boeing declined to comment Wednesday on reports that the hacker group Anonymous
had brought down the company's website for two hours or more.

"I believe the website is up and running now," said spokesman Todd Kelley. He
wouldn't say whether it had been functioning earlier, saying the...

Posted by InfoSec News on Apr 11


By Aliya Sternstein

President Obama's top cybersecurity official on Wednesday said utilities must
pinpoint security gaps in their electricity delivery systems on a regular

The Energy Department, in cooperation with the White House, Homeland Security
Department and power companies, this month is expected to test a voluntary
reporting model that assesses an...

Posted by InfoSec News on Apr 11


By Lucian Constantin
IDG News Service
April 11, 2012

The developers of Samba, the open source software that enables file and print
sharing between Linux, Windows and Mac OS X computers, released security
patches on Tuesday to address a critical vulnerability that can be exploited by
remote attackers to execute arbitrary code on systems where the...

Posted by InfoSec News on Apr 11


By Timothy B. Lee
ars technica
April 11, 2012

A federal appeals court has thrown out the conviction of a former Goldman Sachs
programmer who stole source code from the firm's high-frequency trading (HFT)
system. The court holds that the defendant's actions did not fit the
definitions of the federal crimes for which he had been convicted. "We...