InfoSec News

Just a day before Microsoft drops support for Windows XP Service Pack 2 (SP2), the company announced on Monday that people running some versions of Windows 7 can "downgrade" to the aged operating system for up to 10 years.
 
Microsoft released a beta version of developer tools for Windows Phone 7 (WP7) to enable software makers to build applications and games for WP7 devices.
 
Microsoft vice president Bob Muglia offers more details on the newly announced Microsoft Azure Appliance
 
Consumer Reports today said it won't recommend Apple's iPhone 4 because of major reception issues when users touch the external antenna.
 
A surge in third-party software vulnerabilities accounted for the bulk of a ballooning bug count in the first half of 2010, said Danish security firm Secunia today.
 
Oracle will release 59 patches to fix security weaknesses affecting hundreds of products, according to a notice on its Web site.
 
The ideal mobile ecosystem is still one that's partly closed, such as the iPhone App Store, but the trend is toward greater openness, AT&T Chief Technology Officer John Donovan said.
 

Friction-Free Security
Dark Reading (blog)
In Xavier's blog, "InfoSec Professionals: Come Down Off Your Pedestal," he ran into a similar problem where a co-worker had sent a message about the upgrade ...

 
BlackBerry-maker Research In Motion took the wraps off its latest offering for consumers, BlackBerry Protect, a free service meant to help noncorporate BlackBerry users secure and manage their smartphones.
 
 
A majority of women who use social media sites like Facebook and Twitter say they're addicted to them, according to a survey.
 
Bilpet, planning a clean upgrade to Windows 7, asked the Answer Line forum how to transfer Outlook 2007 data and settings.
 
Microsoft CEO Steve Ballmer urges partners to stick with Microsoft for the new tablets and smartphones.
 
Microsoft today released the first public beta of Windows 7 Service Pack 1 (SP1), but warned consumers and end users to steer clear of the preview. The beta also includes a first look at Windows Server 2008 R2 SP1.
 
The Droid X smartphone ships Thursday, after an unusual pre-sales publicity campaign designed to entice the savvy tech crowd that might also include some in the iPhone 4 camp as well.
 
Microsoft plans to take a cue from rival CRM vendor Salesforce.com with the upcoming release of CRM 2011, by adding a marketplace site where partners can sell complementary applications.
 

Twitter to hawk followers to make money
ZDNet Australia
Does #Microsoft's sharing of #sourcecode with #China and #Russia pose a #security #risk? http://bit.ly/bWQ5rO #cybersecurity #infosec.

 
What a difference a display can make. All it took was turning on the Amazon Kindle DX (Graphite) second-generation large-format e-reader to see that Amazon's claims of a higher-contrast display than its predecessor were true. The E-Ink display on the new Kindle DX ($380, price as of 7/9/2010) indeed reflects a significant improvement in contrast, as evidenced by the clarity of the crisp text, and the darker blacks of graphics and words alike.
 
With transformation looming, the tug of war between business and IT has both sides groping to define each other. How can IT help reframe the debate?
 
The fundamental problem is not with IT's current status or even its future, but with its mission.
 
Microsoft releases a version of Azure for internal data center use
 
Microsoft's hosted desktop management service Intune moves to the second beta stage
 

ViaSat Awarded Contract to Develop HAIPE IS Version 4 for Encryption and Cyber ...
FOXBusiness
For additional product information, call 888-VIASAT1, or send email to infosec@viasat.com. ViaSat produces innovative satellite and other digital ...

 
In last month's diary I asked two main questions.
How would I really know if there was malware on my smart phone?
How do we really know that mobile malware is not widespread right now?
So a poll was created asking for your experiences.
One reader commented asking what the definition of malware was. Given that most of the readers of this diary are sufficiently knowledgeable about security to dismiss tracking cookies and other such things, I have to believe that only true malware is being reported.
I hope you reported the cookies.
The results and some preliminary analysis follow:
DISCLAIMER: This is not a scientific poll, I am not a statistician and this should in no way be construed as an effort to spread FUD.
Of 540 respondents to date (the six respondents listing other have been removed as their methods and results were not described)
83 of 540 (15.3%) of respondents were scanning for malware.
15 of 83 (18.1%) who were looking for malware on their mobile device found it.
457 of 540 (84.6%) were not scanning their devices.
Now, 540 responses is not a particularly large sample, but I have been monitoring the statistics as responses are entered and the percentage of people reporting they found malware consistently ranged from 15-20% so 18.1% seems to be a reasonable number. Likewise the percentage of people who were not scanning ranged consistently from 82-86%
Based on those numbers, 83 of the 457 people who responded who were not looking for malware would be infected. Ouch.
How many mobile devices are out there right now?
How many in your office building? How many in your city, your state, your country?
How many in the world?
Let's say these numbers are double what would be seen in the population at large.
Even so, if 9% of all the smart phones were infected with malware (especially if we didn't know it), that would be cause (IMHO) for alarm.
I couldn't find any good numbers on existing smart phones, but according to this ZD Net article, Credit Suisse projected that total smartphone sales for 2009 will end up at around 176 million units. In the years ahead, Credit Suisse expects the smartphone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 will be about 1.2 billion and worldwide unit sales of all PCs in 2009 will be about 300 million.
Let's say the Credit Suisse was way, way off and we'll say there are only 100 Million smart phones in the world today.
And we'll say that even the 9% above was way off and it's half that, which would be only 25% of what the poll you responded to said.
4.5 Million infected devices.
1.5 Billion Units? I don't even want to think about it.
Do the math. Plug in your own numbers. Check your smart phones.
So my delayed, and corrected answer to the gentlemen at SANSFire who asked "Will this year be the year that malware on mobile devices becomes a problem?" is:

I think it is. We just don't know it.

Will you be following up with a site you can point your mobile app to that can scan it online?

I know my handy phone has started using its entire battery life in under 12 hours - ever since I downloaded a ring tone. So I'm really worried.

By the way, how do you look and see what's running on a mobile app? I don't see any cmdline prompt.




Any recommendations for mobile AV?





Thanks Mikel











I don't know of any site that you can point your mobile device to and have it be scanned online, and I would think that data charges for that would be prohibitive unless you had a truly unlimited data plan.

As for recommendations, it's no secret I'm not a fan of signature based AV. However, this is a case where something is better than nothing.

A defense in depth approach would be to use a different vendor on your smart phone than you use for your PC AV and then if possible, scan your device either on insertion to your PC or manually.

I'm not sure what OS is on your device, but if it's Windows Mobile, task manager is there.





Christopher Carboni - Handler On Duty
http://twitter.com/ccarboni (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

ViaSat Awarded Contract to Develop HAIPE IS Version 4 for Encryption and Cyber ...
DigitalJournal.com (press release)
... on the battlefield with non-traditional coalition partners. For additional product information, call 888-VIASAT1, or send email to infosec@viasat.com.

 
Author David Perry explains how guerrilla marketing can dramatically cut your job search time.
 
Tuesday marks the end of patches for Windows XP Service Pack 2 (SP2). If you're still running that edition of XP, you can still take steps to protect your PC.
 
President Obama's approach to IT spending showed its teeth this week in a decision to end new spending on about 30 financial systems that cost about $3 billion in annual development.
 
The consumerization of IT is a big deal, but how many enterprises are really aware of the trend and ready to deal with it?
 
Most data has geographical references, which could make GIS a worthwhile investment. But there are challenges.
 
A new Intel R&D lab will focus on studying human-computer interaction 'to create the next generation of user experiences.'
 
DePaul University will offer a master's degree in predictive analytics, starting in September.
 
Thornton A. May comes to the defense of CIOs.
 
Two professors warn that the use of electronic health record systems could leave health care providers vulnerable to malpractice charges if those systems have software bugs or are used incorrectly.
 
An ordinary-looking data center must do some extraordinary work to keep a casino's gambling operations running smoothly.
 
InfoSec News: Huawei reportedly in line for major Sprint Nextel deal: http://www.totaltele.com/view.aspx?ID=456959
By Mary Lennighan Total Telecom 09 July 2010
Chinese vendor working on wireless broadband deal with U.S. operator in bid to further its North American ambitions.
Huawei is bidding to sell mobile network equipment to U.S. [...]
 
InfoSec News: Microsoft opens source code to Russian secret service: http://www.zdnet.co.uk/news/security/2010/07/08/microsoft-opens-source-code-to-russian-secret-service-40089481/
By Tom Espiner ZDNet UK 8 July, 2010
Microsoft has signed a deal to open its Windows 7 source code up to the Russian intelligence services. [...]
 
InfoSec News: Reverse engineer extracts Skype crypto secret recipe: http://www.theregister.co.uk/2010/07/09/skype_crypto/
By John Leyden The Register 9th July 2010
Cryptoanalysts have published what they claim is the secret recipe behind a Skype encryption algorithm.
A group of code breakers led by Sean O'Neil reckon they have [...]
 
InfoSec News: 10 years of work 'down the drain' after laptop stolen from firm: http://www.denbighshirevisitor.com/news/denbighshire-news/2010/07/07/10-years-of-work-down-the-drain-after-laptop-stolen-from-firm-105722-26797145/
By Brian Howes Denbigh Visitor July 7 2010
Reward for laptop
A REWARD is being offered for the safe return of a stolen laptop [...]
 
InfoSec News: Loophole May Have Aided Theft of Classified Data: http://www.nytimes.com/2010/07/09/world/09breach.html
By Thom Shanker The New York Times July 8, 2010
WASHINGTON -- The soldier accused of downloading a huge trove of secret data from military computers in Iraq appears to have exploited a loophole in Defense Department security to copy thousands of files onto compact discs over a six-month period. In at least one instance, according to those familiar with the inquiry, the soldier smuggled highly classified data out of his intelligence unit on a disc disguised as a music CD by Lady Gaga.
Criminal charges were filed this week against the soldier, Pfc. Bradley E. Manning, 22, who was accused of downloading more than 150,000 diplomatic cables, as well as secret videos and a PowerPoint presentation. Since his arrest in May, with initial accounts blaming him for leaking video of a deadly American helicopter attack in Baghdad in 2007, officials have sought to determine how he could have removed voluminous amounts of secret data without being caught.
A Defense Department directive from November 2008 prohibits the use of small thumb drives or larger external memory devices on any of the estimated seven million computers operated by the Pentagon and armed services. The order was issued to forestall the accidental infection of national security computer networks by viruses -- and the intentional removal of classified information.
Defense Department computers have their portals disabled to prevent the use of external memory devices that are ubiquitous in homes, offices and schools, officials said. A recent amendment to the order allows the rare use of thumb drives, but only with official approval as required by a current mission.
[...]
 
InfoSec News: Cyber Command lays groundwork for rapid deployment of resources: http://fcw.com/articles/2010/07/09/cyber-command-panel-afcea-symposium.aspx
By Amber Corrin FCW.com July 09, 2010
With the Cyber Command now the formally established presence of the armed forces in cyberspace, military leaders are pondering how best to move forward with cybersecurity. [...]
 
InfoSec News: Linux Advisory Watch: July 9th, 2010: LinuxSecurity.com Linux Advisory Watch, July 9th, 2010, Volume 11, Number 28 [...]
 
InfoSec News: Account Takeover: The New Wrinkle: http://www.bankinfosecurity.com/articles.php?art_id=2728
By Linda McGlasson Managing Editor Bank Info Security July 8, 2010
This year's disturbing trend of corporate account takeover incidents continues unabated - and with a new wrinkle.
Michele Marisco, owner of Village View Escrow Inc. [...]
 
Recently, a group of hackers was able to gain access to users' personal files on a file-sharing site via SQL injection flaws. The group was able to view and edit personal information, further proving that SQL injection is a major problem.

 
Microsoft plans to release four bulletins next week, repairing an actively targeted Help and Support Center zero-day vulnerability in Windows XP and a display driver error.

 
The pen-testing specialist offers a preview of its new product, which it says can automatically pinpoint second- and third-level exploits to avoid Heartland-style data breaches.

 
Browser-based add-on, Blitzableiter, cleans SWF files prior to running on a user's computer. The tool will be released at Black Hat 2010 in Las Vegas.

 
BigFix provides IBM with software that can identify devices that fail to meet corporate IT policies.

 
Targeted attacks like Operation Aurora require organizations to change up their security strategy, experts say

 
McAfee fully integrates its acquisition of MX Logic, rolling out a cloud-based antimalware Web filtering service aimed primarily at small- and mid-sized businesses.

 
A critical, out-of-cycle patch is set to repair a serious Flash vulnerability in the software that is being actively targeted by attackers.

 
Security professionals must advise decision makers not to embark on new cloud computing projects without considering the security implications.

 
The CISO for the city of Portland, Ore., advises that every enterprise be aware of one must-have secure Web gateway feature before buying.

 
Malicious hypervisors. Subversive virtual machines. Live migration impersonators. Welcome to the world of server virtualization, where the threats are new and the traditional security tools like firewalls and intrusion-prevention systems don't cut it anymore. Unfortunately, at many enterprises, security strategies haven’t kept pace with the shift to x86 server virtualization (http://www.networkworld.com/supp/2010/ndc2/032210-ndc-tools-trends.html?source=nww_rss). “Many companies that have virtualized environments haven’t contemplated the security ramifications of what they’re doing yet,” says Forrester analyst John Kindervag.
 
Some IT execs dismiss public cloud services as being too insecure to trust with critical or sensitive application workloads and data. But not Doug Menefee, CIO of Schumacher Group, an emergency management firm in Lafayette, La.
 
When it comes to sampling innovative technology, Schwan Foods, a multibillion-dollar frozen food producer, digs right in.
 
We focused on practical and usability characteristics of the products, specifically installation and ease of use, configuration, compatibility and interoperability. The evaluation was conducted with firewalls from Cisco, Check Point, Juniper and Sonicwall.
 
Anyone running multiple firewalls in a complex, enterprise environment knows how difficult it can be to catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates.
 
The plan to "reduce cybersecurity vulnerabilities and improve online privacy protections" floated in June by Howard Schmidt, the Cybersecurity Coordinator and Special Assistant to the President, is comprehensive and an important step in the right direction.
 

Posted by InfoSec News on Jul 11

http://www.totaltele.com/view.aspx?ID=456959

By Mary Lennighan
Total Telecom
09 July 2010

Chinese vendor working on wireless broadband deal with U.S. operator in
bid to further its North American ambitions.

Huawei is bidding to sell mobile network equipment to U.S. operator
Sprint Nextel, despite security concerns from the U.S. government
regarding Chinese equipment makers, according to a press report.

Citing unnamed sources, the Financial...
 

Posted by InfoSec News on Jul 11

http://www.zdnet.co.uk/news/security/2010/07/08/microsoft-opens-source-code-to-russian-secret-service-40089481/

By Tom Espiner
ZDNet UK
8 July, 2010

Microsoft has signed a deal to open its Windows 7 source code up to the
Russian intelligence services.

Russian publication Vedomosti reported on Wednesday that Microsoft had
also given the Russian Federal Security Service (FSB) access to
Microsoft Windows Server 2008 R2, Microsoft Office 2010...
 

Posted by InfoSec News on Jul 11

http://www.theregister.co.uk/2010/07/09/skype_crypto/

By John Leyden
The Register
9th July 2010

Cryptoanalysts have published what they claim is the secret recipe
behind a Skype encryption algorithm.

A group of code breakers led by Sean O'Neil reckon they have
successfully reverse engineered Skype's implementation of the RC4
cipher, one of several encryption technologies used by the
consumer-oriented VoIP service. The proprietary...
 

Posted by InfoSec News on Jul 11

http://www.denbighshirevisitor.com/news/denbighshire-news/2010/07/07/10-years-of-work-down-the-drain-after-laptop-stolen-from-firm-105722-26797145/

By Brian Howes
Denbigh Visitor
July 7 2010

Reward for laptop

A REWARD is being offered for the safe return of a stolen laptop
containing 10 years of a company's work.

Thieves broke into DB Liquid Ltd in Ruthin and made off with two
laptops.

One contained specialised software in which the firm...
 

Posted by InfoSec News on Jul 11

http://www.nytimes.com/2010/07/09/world/09breach.html

By Thom Shanker
The New York Times
July 8, 2010

WASHINGTON -- The soldier accused of downloading a huge trove of secret
data from military computers in Iraq appears to have exploited a
loophole in Defense Department security to copy thousands of files onto
compact discs over a six-month period. In at least one instance,
according to those familiar with the inquiry, the soldier smuggled...
 

Posted by InfoSec News on Jul 11

http://fcw.com/articles/2010/07/09/cyber-command-panel-afcea-symposium.aspx

By Amber Corrin
FCW.com
July 09, 2010

With the Cyber Command now the formally established presence of the
armed forces in cyberspace, military leaders are pondering how best to
move forward with cybersecurity.

"We're in uncharted territory in cyber policy, cyber law and cyber
doctrine," said Air Maj. Gen. Paul F. Capasso, director, network
services,...
 

Posted by InfoSec News on Jul 11

+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| July 9th, 2010 Volume 11, Number 28 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity...
 

Posted by InfoSec News on Jul 11

http://www.bankinfosecurity.com/articles.php?art_id=2728

By Linda McGlasson
Managing Editor
Bank Info Security
July 8, 2010

This year's disturbing trend of corporate account takeover incidents
continues unabated - and with a new wrinkle.

Michele Marisco, owner of Village View Escrow Inc., Redondo Beach, CA,
says her company fell prey to fraud after hackers were able to break
into the company's network, steal bank credentials and send 26...
 
