InfoSec News

A former U.S. Transportation Security Administration contractor will serve two years in prison for messing with sensitive government databases used to identify terrorists as they try to enter the U.S.
 
WebMatrix, a site-building tool for beginners, is being introduced this week along with a Model View Controller upgrade
 
Given MySpace's primary audience of tweens, describing its rise and fall in high school metaphors--at death's door--seems apt.
 
Though it's limited to partition recovery operations (damaged or overwritten), [email protected] Partition Recovery could be all you need to recover your data. In some cases, when the only portion of the hard drive that's damaged (or overwritten) is the partition table, simply restoring a partition will magically bring back all your data. Actually, the data isn't brought back--it was there all along, but without any OS-recognizable indication to its existence. Recovering the partition just makes it possible to see it again.
 
In an effort to find missing children faster, Facebook will deliver Amber Alerts to all U.S. users.
 
Worldwide PC shipments were slower than expected during the fourth quarter of 2010, hurt by competition from tablets and a slowdown in consumer spending, IDC said in a study released on Wednesday.
 
TinyBB 'Profile' SQL Injection Vulnerability
 

7 Cyber Crime Facts Executives Need to Know
PC World
Some companies are "budgeting" for ERM and/or InfoSec, but never actually committing the money. Or alternately, the companies claim they are continuing to ...

 
The possibility of an iPhone running on Verizon's LTE network has shown a spotlight on a loophole in the open access provision the U.S. Federal Communications Commission set on spectrum Verizon uses to offer the network.
 
Gibbs is impressed by Apple Support but not by his iPod or the Insignia Infocast
 
Sprint Nextel on Wednesday sent out official invitations to a Feb. 7 wireless showcase event in New York promising an 'industry first.'
 
A huge decline in memory prices could hurt DRAM vendors this year, with overall revenue projected to decline by 11.8% in 2011, research firm IHS iSuppli said in a study released Wednesday.
 
Symantec Web Gateway Management GUI SQL Injection Vulnerability
 
After a holiday hiatus, spammers have returned to ply their trade boosting bogus products, security researchers said.
 
Recent data breaches at two banks underscore what's becoming a gnarly problem for companies that handle sensitive information: When does a hacked PC become a data breach?
 
The number of companies planning to invest in their ERP (enterprise resource planning) systems will drop slightly this year, according to a Forrester Research report, even as IT spending overall is expected to rise.
 
Three sites identified as being engaged in digital piracy in a new paper from brand protection firm MarkMonitor and the U.S. Chamber of Commerce object to the label.
 
The departure of long-time Microsoft executive Bob Muglia is a troubling sign because he was held in high esteem by the company's technical talent, an analyst said today.
 
PHP-Nuke Search Module Cross-Site Scripting Vulnerability
 
Apple co-founder also analyzes Oracle's acquisition strategy, the tablet business, and trends in enterprise memory
 
[SECURITY] [DSA-2141-4] New lighttpd packages fix regression
 
Global spending on retail banking technology is expected to increase 24% over the next five years to $132 billion, according to market research firm Ovum.
 
Microsoft and Google fight the HTML5 video standards to be used in the next generation of Web browsers.
 
Verizon will sell and support a new version of the iPad that can directly connect to the carrier's 3G data network, according to a report by Bloomberg.
 
[security bulletin] HPSBMA02621 SSRT100352 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code
 
[Onapsis Security Advisory 2011-002] SAP Management Console Information Disclosure
 
[Onapsis Security Advisory 2011-001] SAP Management Console Unauthenticated Service Restart
 
A survey of 500 security professionals found that although the compliance initiatives are burdensome, they are improving security at most organizations.

 
Lifestream? Yet another Aggregated Personal Data Feed?



We have a report from a reader that AOL Lifestream service seems to have data from .Mac and or Mobile Me accounts. After some checking, my .Mac feed has some stream information in it as well.



You have an account created for you if you have a .Mac or MobileMe account. This seems to be an automated process. For me, it only had my twitter feed but it is a service that I did not ask for.
You can either log into your account with your .Mac credentials or you can find your feed with http : // lifestream dot aol dot com / stream / [email protected]



If you go into Account - Settings you can restrict this feed; however, I did not find a place to delete the account.

Then click on the AOL Lifestream pull-down menu and select which setting you desire. In my case I selected No one - Private.

And in the interest of being thorough, you can adjust your Who can comment settings. In this case I selected Only you.

Thanks Thomas for the report on this. There is a feedback button you can use if you want to comment to AOL Lifestream.

Richard Porter
--- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft plans to release WebMatrix, an application for quickly ramping up Web sites and lightweight Web apps, this week.
 
Little CMS Monochrome Profiles Null Pointer Dereference Denial of Service Vulnerability
 
Call for Papers: DIMVA 2011 - Extended Deadline Jan 21
 
[USN-1043-1] Little CMS vulnerability
 
SECURITY ADVISORY IBM Cognos 8 Business Intelligence 8.4.1
 
[USN-1009-2] GNU C Library vulnerability
 
Microsoft Data Access Components Data Source Name Buffer Overflow Vulnerability
 
BlackBerry-maker Research In Motion issued two separate security advisories warning both BlackBerry smartphone users and corporate BlackBerry Enterprise Server (BES) administrators of newly discovered security flaws in many versions of RIM's BlackBerry handheld software and in BES.
 
RETIRED: concrete5 'controller.php' Remote File Include Vulnerability
 
All iPhones will reportedly have the Personal Hotspot capability similar to what Verizon Wireless announced on Tuesday for its iPhone coming Feb. 10.
 
SAP is acquiring software and related assets from its partner SECUDE in order to provide improved security for its customer base, the company said.
 
Sony Computer Entertainment has launched legal action against five hackers who recently released a set of tools that allows illegally copied games to run on the PlayStation 3 game console.
 
Years ago cell phone companies began offering "family plans" that provided a common bucket of voice minutes for use by anybody in the family who owned a cell phone. Now, in 2011, many voice devices have been replaced by data devices -- little computers, such as smartphones and tablet PCs, that require data connections. In response, wireless carriers are currently thinking hard about offering a new type of "family plan," a data-service (Internet-access) plan that covers a family of devices, allowing users to purchase a single bucket of bits for sharing among devices of their choosing.
 
High failure rates. Shutdowns. Divestitures. Author and researcher Dr. Ilan Oshri explains why, despite it all, the wholly-owned offshore service center is coming back -- and here to stay.
 
Storage company NetApp has entered into an agreement to acquire privately held Akorri Networks, which specializes in optimizing server, storage and application performance, the company said on Wednesday.
 
How Many Loyalty Cards do you carry?



“Join our loyalty program and we will give you discounts” is the way most vendors convince you to give away your contact information. Now this grant of information is supposed to be in return for loyalty discounts. What most vendors seem to be doing (assumption here with no hard facts) is raising the base median price of high volume products and then in turn discounting said item.



This topic, one of frustration, was brought about by a trip to my local supermarket for soap and paying through the self-checkout line. All four automated checkout machines were echoing over and over “Have you scanned your club card yet?”



According to my vendor's loyalty card agreement, vendor xyz “does not sell, lease or provide personal information (i.e., your name, address, telephone number, and bank and credit card account numbers) to non-related companies or entities.”



Non-related companies or entities: what does that mean? It depends on your local country's law regarding privacy, but:



http://www.privacyrights.org/online-information-brokers-list



Looking at that list of Information Brokers leads me to think that non-related could mean “We don't partner with them.” Or it could mean they don't share.



In this Facebook world we live in, data protection and leakage become far more relevant to the individual along with corporate entities.



PCI Compliance places a standard around protecting credit card data, and most countries have relevant privacy laws regarding health care data, but what about personal data that is given or granted freely?



https://www.pcisecuritystandards.org/security_standards/documents.php



With regards to personal data, it can no longer be said “It's not that important” or “there is nothing critical on my computer.” Profile data on you is important.



Richard Porter
--- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
According to a blog post by Neal Ungerleider from Monday Jan 10, 2011, the Tunisian Government may be harvesting or hacking information from Gmail accounts and/or Facebook accounts.



This goes to show that the moment it is in the cloud, it is no longer private. If you want something private, encrypt it. Most of us at the ISC follow the front page rule: if you write it, treat it like the information is on the front page of your national newspaper.



http://www.fastcompany.com/1715575/tunisian-government-hacking-facebook-gmail-anonymous



Going back to last year, the US National Security Agency considers their network untrustworthy.



http://www.net-security.org/secworld.php?id=10333


Richard Porter
--- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
KingView Heap Based Buffer Overflow Vulnerability
 
Will the iPhone swamp the Verizon network, just like it did to AT&T's network? Should you wait for the iPhone 5 that may or may not run on faster 4G networks? CIO.com breaks down the network battle.
 
Since her election to Congress in 2007, U.S. Rep. Gabrielle Giffords has quickly established herself as an emerging leader on tech issues, and she led by example.
 
The National Institute of Standards and Technology has established a new Web site fleshing out the Obama Administration's plans for a National Strategy for Trusted Identities in Cyberspace.
 
The Computer History Museum this week opens a $19 million, 25,000-square-foot building expansion and an exhibition titled 'Revolution: The First 2000 Years of Computing.'
 
The Computer History Museum's new 25,000 square-foot exhibit entitled "Computer History: The First 2,000 Years" opened this week and includes media and artifact-rich galleries with an in-depth focus on more than 20 major areas of computer history. Also, a Web-based Cyber Museum experience will feature a broad and compelling interpretation of computing history, the museum's extensive digital archive and its warehoused collection of artifacts.
 
Microsoft is asking the U.S. Patent and Trademark Office to deny Apple a trademark on the name "App Store," saying the term is generic and competitors should be able to use it.
 
InfoWorld's 2011 Technology of the Year Awards recognize the best products at the forefront of today's top data center, desktop, mobile, and programming trends
 
InfoSec News: UTSA receives $1.25M from National Science Foundation to support cyber security students: http://www.utsa.edu/today/2011/01/cybergrant.html
By Christi Fish Public Affairs Specialist Jan. 10, 2011
The University of Texas at San Antonio has been selected to receive a four-year, $1.25 million grant from the National Science Foundation (NSF) Federal Cyber Service: Scholarship for Service program to support UTSA undergraduate, master's and doctoral students committed to pursuing careers in computer and information security.
UTSA students selected for the program will receive up to $56,000 during their last two years of study to cover the cost of tuition and fees, room and board, books and additional expenses. In exchange, they must agree to work as employees in the federal security sector for two years following graduation.
Established in 2006, the Scholarship for Service program seeks to generate a pipeline of qualified professionals to meet the cyber-security needs of the federal government. UTSA is one of 34 institutions participating in the program.
"Ninety-nine percent of the students who go through this program find immediate placement in federal jobs following graduation," said Kleanthis Psarris, professor and chair of the UTSA Department of Computer Science, who will oversee the program and its graduates along with Greg White, associate professor of computer science and director of the UTSA Center for Infrastructure Assurance and Security (CIAS). "We expect this program to have an extremely positive impact on the San Antonio security sector."
Because many UTSA students come from the surrounding region, Psarris and White realize students may not want to relocate to Washington, D.C., to secure federal employment following graduation. To support students who want to remain in San Antonio after graduation, the professors will work with local government agencies to identify qualifying federal jobs in the Alamo City.
"We will provide many opportunities for students in this program, so we expect it to be very competitive," said White. "Students will have access to job fairs, mentors and training, and research and federal internship opportunities. These are the students that could go on to work for the FBI, CIA or Department of Defense. We are looking for the very best students to fill these spots."
UTSA is recognized by the National Security Agency and Department of Homeland Security as a Center for Academic Excellence in Information Assurance Education (CAE). The CAE program reduces vulnerability in the U.S. information infrastructure by promoting higher education and research in information assurance and by supporting a growing number of professionals with information assurance expertise. UTSA also is one of the few schools to hold the prestigious CAE-R designation. The CAE-R program in information assurance aims to increase the understanding of robust technologies, policies and practices through research to enable the United States to effectively prevent or respond to a catastrophic cyber event.
Beginning with a fall 2011 cohort, UTSA will recruit seven computer science students to join the program each semester. Students will pursue a degree with a concentration in cyber or information security and must maintain a minimum 3.0 GPA. Scholarships for Service applicants must be U.S. citizens who can pass a background check and are eligible for federal employment.
To learn more about the program or to apply, visit the NSF Scholarship for Service website or contact Greg White at 210-458-2166.
 
InfoSec News: Microsoft patches critical Windows drive-by bug: http://www.computerworld.com/s/article/9204600/Microsoft_patches_critical_Windows_drive_by_bug
By Gregg Keizer Computerworld January 11, 2011
Microsoft today patched three vulnerabilities in Windows, one that could be exploited by attackers who dupe users into visiting a malicious Web site. [...]
 
InfoSec News: DISA creates DMZ to boost security on unclassified network: Forwarded from: Richard Forno <rforno (at) infowarrior.org>
This is the funniest thing I've read in a long time.
Apart from the fact this article reads like a DISA press release, are they really proud of the fact the agency is rolling out a network DMZ as a security design? [...]
 
InfoSec News: After Bellagio heist, how slack security can cost Las Vegas casinos: http://www.lasvegassun.com/news/2011/jan/11/how-slack-security-can-cost-casinos/
By Liz Benston Las Vegas Sun Jan. 11, 2011
In the 2001 movie “Ocean’s Eleven,” a gang of criminal masterminds uses con games, physical might and explosives in an elaborate plan to steal [...]
 
InfoSec News: Springs man sent to prison for hacking into TSA computer: http://www.gazette.com/articles/damage-110969-judge-springs.html
By JOHN C. ENSSLIN THE GAZETTE January 11, 2011
A federal judge Tuesday sentenced a Colorado Springs man to two years in prison for trying to damage a high-security government computer system used to screen airline passengers. [...]
 
InfoSec News: Exploits Target SAP Applications: http://www.darkreading.com/database-security/167901020/security/application-security/229000524/exploits-target-sap-applications.html
By Kelly Jackson Higgins Darkreading Jan 11, 2011
A researcher at next week's Black Hat DC will show how attackers can [...]
 
InfoSec News: Hacker Code Lingered on Home Depot Website: http://www.foxnews.com/scitech/2011/01/11/home-depot-website-compromised/
By Jeremy A. Kaplan FoxNews.com January 11, 2011
The website for do-it-yourself giant Home Depot has been … well, screwed.
An IT analyst has uncovered the lingering remnants of a 2009 breach of [...]
 
InfoSec News: Malware on Laptop Caused Security Breach at PenFed: http://www.depositaccounts.com/blog/2011/01/malware-on-laptop-caused-security-breach-at-penfed.html
[PenFed is short for Pentagon Federal Credit Union - WK]
By Ken Bank Deals Guy DepositAccounts.com January 11, 2011
PenFed had a laptop infected with malware that permitted unauthorized [...]
 
Nokia Multimedia Player '.npl' File Heap Buffer Overflow Vulnerability
 

Posted by InfoSec News on Jan 12

http://www.depositaccounts.com/blog/2011/01/malware-on-laptop-caused-security-breach-at-penfed.html

[PenFed is short for Pentagon Federal Credit Union - WK]

By Ken
Bank Deals Guy
DepositAccounts.com
January 11, 2011

PenFed had a laptop infected with malware that permitted unauthorized
access to a database containing personal data of certain members. The
security breach appeared to only affect PenFed members with credit
cards. Fatwallet...
 

Posted by InfoSec News on Jan 12

http://www.computerworld.com/s/article/9204600/Microsoft_patches_critical_Windows_drive_by_bug

By Gregg Keizer
Computerworld
January 11, 2011

Microsoft today patched three vulnerabilities in Windows, one that could
be exploited by attackers who dupe users into visiting a malicious Web
site.

The company also debuted a new defensive measure to help users ward off
ongoing attacks that are exploiting a known bug in Internet Explorer
(IE).

The...
 

Posted by InfoSec News on Jan 12

http://www.lasvegassun.com/news/2011/jan/11/how-slack-security-can-cost-casinos/

By Liz Benston
Las Vegas Sun
Jan. 11, 2011

In the 2001 movie “Ocean’s Eleven,” a gang of criminal masterminds uses
con games, physical might and explosives in an elaborate plan to steal
millions from the Bellagio vault.

The real-life version of the crime that played out on the casino’s
security cameras last month was as daring as anything dreamed up by...
 

Posted by InfoSec News on Jan 12

http://www.gazette.com/articles/damage-110969-judge-springs.html

By JOHN C. ENSSLIN
THE GAZETTE
January 11, 2011

A federal judge Tuesday sentenced a Colorado Springs man to two years in
prison for trying to damage a high-security government computer system
used to screen airline passengers.

Judge David M. Ebel also ordered Douglas James Duchak to pay $60,587 in
restitution to the U.S. Transportation Security Administration for
repairs...
 

Posted by InfoSec News on Jan 12

http://www.darkreading.com/database-security/167901020/security/application-security/229000524/exploits-target-sap-applications.html

By Kelly Jackson Higgins
Darkreading
Jan 11, 2011

A researcher at next week's Black Hat DC will show how attackers can
target an enterprise's Web-enabled SAP applications by exploiting the
way enterprises have misconfigured them, as well as some inherent design
issues in the enterprise resource management...
 

Posted by InfoSec News on Jan 12

http://www.foxnews.com/scitech/2011/01/11/home-depot-website-compromised/

By Jeremy A. Kaplan
FoxNews.com
January 11, 2011

The website for do-it-yourself giant Home Depot has been … well,
screwed.

An IT analyst has uncovered the lingering remnants of a 2009 breach of
security on the website of the major retailer: secret code hidden on the
website that redirected the user's browser to a site that served up
malware.

"Somebody managed...
 

Posted by InfoSec News on Jan 12

Forwarded from: Richard Forno <rforno (at) infowarrior.org>

This is the funniest thing I've read in a long time.

Apart from the fact this article reads like a DISA press release, are
they really proud of the fact the agency is rolling out a network DMZ as
a security design? Is this so groundbreaking in nature, even by
government standards, that it must be spoken of in such awed terms by
the quoted DISA representatives? The way...
 
Bip `bip_on_event()` NULL Pointer Dereference Remote Denial Of Service Vulnerability
 

