InfoSec News

Aaron Swartz, the brilliant Internet pioneer, passionate political activist and computer programming prodigy, committed suicide on Friday as he faced hacking-related charges that could have landed him in jail for decades, according to published reports.
Shortages of touch-enabled Windows notebooks led to a steeper-than-expected decline in PC sales last quarter, according to research firm IDC.

As a data loss control many organisations now ensure that laptops are mitigated by installing full disk encryption or by having a partition / area of disk which is encrypted.

However, laptops are not the only way to pick up and carry out of your organisation the data which you are meant to be protecting. Various products also address this space of the toolset to mitigate data loss risk.

Walter has e-mailed in with the heads up that various Canadian news media are highlighting a report that a portable disk containing583,000 Canadians who were clients of the Canada Student Loans program from 2000 to 2006 has been lost. If you were lucky enough to borrow money through this program but you were from Quebec, Nunavut and the Northwest you were lucky this time.The data lost includes:

Student names, social insurance numbers, dates of birth, contact information and loan balance of Canada Student Loan borrowers.

Personal contact information for 250 Human Resources and Skills Development Canada(HRSDC)employees.

So when doing the risk assessment of your organisations data loss mitigation please consider the end to end lifecycle of the data and how that data can move to and from your staff members hands. That can also include portable media which, if allowed at all through a technology or physical security control, should be access controlled and any data be encrypted when data is allowed to be written to it.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Oracle has publishedthe pre-release information for this coming Tuesdays Oracle Patch Tuesday.

Of special note this months is Oracles CVSS2 scoring of a 10.0 for Mobile Server of Oracle Database Mobile/Lite Server.

A large number of products are patched this month including:

Oracle Database 11gRelease 2, versions,

Oracle Database 11gRelease 1, version

Oracle Database 10gRelease 2, versions,,

Oracle Database Mobile Server, version

Oracle Database Lite Server, version

Oracle Access Manager/Webgate, versions,,

Oracle GoldenGate Veridata, version

Management Pack for Oracle GoldenGate, version

Oracle Outside In Technology, version 8.3.7, 8.4

Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1

Application Performance Management versions 6.5, 11.1,

Enterprise Manager Grid Control 11gRelease 1, version

Enterprise Manager Grid Control 10gRelease 1, version

Enterprise Manager Plugin for Database 12cRelease 1, versions,

Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3

Oracle E-Business Suite Release 11i, version

Oracle Agile PLM Framework, version

Oracle PeopleSoft HRMS, versions 9.0, 9.1

Oracle PeopleSoft PeopleTools, versions 8.51, 8.52

Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24

Oracle Siebel CRM, versions 8.1.1, 8.2.2

Oracle Sun Product Suite

Oracle VM Virtual Box, versions 4.0, 4.1, 4.2

Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The ISC has covered Java recently a number of times with Johanness commentary and the January 2013 OUCH! heads-up by Adam of the issues with Java 7 update 10 and the current 0-day doing the rounds.

However, the guys over atImmunity have released their analysis(PDF) of the MBeanInstantiator.findClass 0-day. Other than the excellent review of the 0-day they comment that:

This vulnerability affects JDK 6 (at least from update 10 and greater) up to the latest JDK 7 update 10.The comments in the source code state that these classes MBeanInstantiator and JmxMBeanServer are available since JDK 5, but we did not check versions before JDK 6 update 10.

So, this tells us that if you are using JDK 6 this 0-day likely now includes you as a potential target, and maybe even if you have systems with JDK 5 installed.

Lets hope Oracle patching this one soon, and if the article is correct, completely this time.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The latest critical vulnerability in Java to be exploited through the browser sees Mozilla and Apple moving quickly to block Java in the browser. US and German security authorities say users should disable Java plugins now

As the dust settles over Las Vegas, it's becoming clear that this year's International CES ushered in a new era of in-the-air gesture control, says Mike Elgan.
In the week ending 12 January - Systemd 197, Open webOS ported to the Nexus 7, NASA open source project slowed by commercial vendor, VMware stakes IP claim on Vert.x and Compiz lead developer sees no future under Wayland

Internet Storm Center Infocon Status