InfoSec News

Attackers target social networks using phishing attacks and social engineering tactics to steal user names and passwords.

An improvement in software development practices and quality control across the industry has contributed to a decline in vulnerability disclosures in 2010.

Thoma Bravo adds to its investment portfolio, which includes Entrust, LANDesk Software and SonicWall.

Google is trying to recruit college students who used the company's Apps for Education suite in school to become evangelists for the business version of the product as they move on to the workplace.
 
Adobe has released an important update to its Flash Player software that fixes critical security flaws and gives users a better way of controlling whether they are being tracked on the Web.
 
To help its hundreds of millions of users prevent unauthorized access to their accounts, Facebook has added an optional verification step to its log-in process.
 
Business outcomes from technology investments are all that really matter. The CIO's challenge is finding new ways to prove IT's worth.
 
IT-business alignment is no longer the conversation, finds CIO magazine Editor in Chief Maryfran Johnson. Today's top IT executives know it's all about creating business value.
 
Delays hitting Microsoft's hosted e-mail service have been mitigated, the company said, following more than 100 posts on a forum about mail slowdowns and outages since Tuesday.
 
Harley-Davidson Canada road tests a video analytics system to better target its marketing to customers in its stores
 
Logistics company adopts containerization model, but is still searching for all-in-one solution
 
Twitter today updated its Mac desktop software, the first time the micro-blogging service has refreshed the program since it launched last January.
 
Google today jumped the gun by updating its Chrome browser with a new version of Flash Player that Adobe won't release until later today.
 
The Adobe security team has released security updates for Flash Player, RoboHelp, Audition, and Flash Media Server.
Three are marked critical:
APSB11-09 Security update available for RoboHelp (Important Severity)

APSB11-10 Security update available for Audition (Critical Severity)

APSB11-11 Security update available for Flash Media Server (FMS) (Critical Severity)

APSB11-12 Security update available for Flash Player (Critical Severity)
Please read the Adobe security blog for more details:

http://blogs.adobe.com/psirt/2011/05/security-updates-available-for-flash-player-robohelp-audition-and-flash-media-server.html
Thanks to Diary reader Toby for bringing this to our attention.

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe Acrobat and Reader CVE-2011-0589 Remote Memory Corruption Vulnerability
 
Linux Kernel 'AGPIOC_RESERVE' and 'AGPIOC_ALLOCATE' IOCTL's Local Denial of Service Vulnerabilities
 
CORE-2011-0204: Adobe Audition vulnerability processing malformed session file
 
HTB22978: XSRF (CSRF) in Argyle Social
 
HTB22979: Multiple XSS (Cross Site Scripting) vulnerabilities in Argyle Social
 
A new bill would allow copyright owners to seek court orders requiring ISPs and search engines to block access to websites accused of infringing copyright.
 
Microsoft plans to increase the pace of releases for its Dynamics CRM software, according to a new "statement of direction" document from the vendor.
 
As companies look to keep every bit of data generated in-house and by customers for analytics as well as legal and regulatory compliance, the roles of those who manage it are changing as are the tools they use.
 
Data released today by Microsoft showed that Windows 7's malware infection rate climbed by more than 30% during the second half of 2010, even as the infection rate of the 10-year-old Windows XP fell by more than 20%.
 
Facebook has been caught hiring a well-known PR firm to plant anti-Google stories in the media.
 
The United States needs a big, public technology event to show off our IT innovations.
 
Why does your competitor have your latest research or financial figures? It must be an insider -- or is it?
 
In just one week, privacy advocates have seen two major proposals to promote consumer privacy on the Internet. In California, SB-761, a "Do-Not-Track" bill regulating tracking cookies, passed through committee, clearing a major hurdle to adoption. Simultaneously, Sen. Rockefeller introduced a very similar bill in the US Senate. Both bills would require companies to honor a "Do-Not-Track" preference set by consumers, usually as a browser setting. The bills represent a significant step forward in online privacy and should be strongly supported by voters.
 
eyeOS Image File Handling HTML Injection Vulnerability
 
[security bulletin] HPSBMA02661 SSRT100408 rev.3 - HP SNMP Agents Running on Linux and HP Insight Management Agents Running on Windows, Remote Cross Site Scripting (XSS), URL Redirection, Information Disclosure
 
Booming PC use in developing countries has driven the market value of pirated software to record levels, an annual IDC study for the Business Software Alliance (BSA) industry lobby group has claimed.
 
Can desktop virtualization make Chrome OS a full replacement for Windows?
 
Samsung's sleek, 10.1-inch Galaxy Tab is finally an Android tablet that even an Apple fanboy could love.
 
HTB22980: XSRF (CSRF) in Open Classifieds
 
[Bkis] sNews 1.7.1 XSS vulnerability
 
CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass
 
After a cyberattack put Sony's protection of personal information under a microscope, the company has announced increased security measures and enhanced customer data protection.

Hang on, folks, because mobile computing has just got a bit more interesting. Google's Chrome OS is finally ready for the wild -- two years after its launch -- and the Samsung Chromebook Series 5, due out on June 15, will be one of two laptops to showcase Google's Web-based operating system.
 
For years now, security professionals have been in agreement that a security metrics program is an increasingly important tool to manage the security posture in an environment. We like to cite too-true cliches like "you can't manage what you don't measure" and sing "Kumbaya" together about the virtue and benefits of programs. And yet there really aren't many success stories out there.
 
It’s true that you can use your iPad instead of your Mac to take care of many common computing tasks. But unless you’re ready to ditch Mac OS X entirely, you’ll still need to transfer files back and forth between your iPad and your Mac if you’re going to get work done.
 
PHProjekt Cross Site Scripting And Information Disclosure Vulnerabilities
 
Grey, maybe black and rack mounted, with a digital LED (orange?) display showing a number that may change once in a while. That's how most people probably envision SCADA systems, the automated controls that make civilization possible. After all, that's what it looked like in Dr. Evil's lair, and this is about as close as most of us will ever come to these systems. Who knew that what we really have is PCs, running Windows, and systems programmed to take advantage of ActiveX and browser controls. While you are running the latest version of Power Plant Sim in one browser window on Facebook, your other window is controlling the real thing.
US-CERT (actually the part of it called the ICS-CERT, or the Industrial Control System Cyber Emergency Response Team) alerted its constituency that a commonly used set of ActiveX controls is vulnerable to a good old stack overflow. Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available.
If you are running a power plant, a refinery or any other system using ICONICS' GENESIS32 and BizViz software, stop playing on Facebook for a while and please patch your plant.
http://www.us-cert.gov/control_systems/pdf/ICSA-11-131-01.pdf

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Symantec Backup Exec System Recovery 'GEARAspiWDM.sys' Denial of Service Vulnerability
 
SlimPDF Reader Buffer Overflow Vulnerability
 
Apache APR 'apr_fnmatch()' Denial of Service Vulnerability
 
Thirty-five percent of Android and iPhone owners in the U.S. use apps such as Facebook on their smartphone before even getting out of bed, according to a survey conducted by telecommunications equipment vendor Ericsson.
 
Intel and its partners in the Open Data Center Alliance are working to extend cloud computing so the technology can overcome criticism from Internet guru Vinton Cerf and others.
 
Via Technologies announced a new quad-core x86 processor on Thursday, saying it is "the lowest power quad core processor on the market today."
 
LAS VEGAS -- Businesses need to look at security as a military exercise and can benefit from strategies that have proved useful in battle, a former military security expert told an Interop audience this week.
 
Google took another step toward the enterprise this week when executives unveiled the 'Chromebook,' a notebook PC that could boost both its new operating system and cloud-based apps.
 
Visa's plan to launch a digital wallet system in the U.S. and Canada this fall is by far the most ambitious of any such initiative announced so far.
 
sNews Multiple Cross Site Scripting Vulnerabilities
 
Apple's possible move from Intel x86 chips to ARM processors for its MacBooks is feasible, but not practical over the next few years because of technical and performance issues, analysts said this week.
 
We have received reports of another JavaScript-based spam scam doing the rounds on Facebook.
This one involves a friend's profile posting a link to your wall.
Should you click on the link in the friend's post, the JavaScript code sends spam to your Friends list, and so the snowball spam effect grows.
TrendMicro's malware blog had a good write-up of the attack method here:
http://blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/
Sounds like introducing friends and family to the NoScript Firefox extension [1] would be one way to avoid a large number of "Help!" phone calls over the next few days.
Thanks to reader Roseman and others for writing in with details.
[1] http://noscript.net/

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability
 
Chasys Media Player '.m3u' File Processing Buffer Overflow Vulnerability
 

Posted by InfoSec News on May 12

http://www.mirror.co.uk/news/top-stories/2011/05/10/england-2018-chiefs-hired-undercover-agents-to-spy-on-bid-rivals-115875-23119513/

By Martin Fricker
Daily Mirror
05/10/2011

ENGLAND football chiefs hired a team of spies to snoop on rival bidders
for the 2018 World Cup, it was claimed yesterday.

Undercover agents were paid by the FA to infiltrate Zurich hotels where
Fifa committee members were staying last December and report what they...
 

Posted by InfoSec News on May 12

http://www.ksl.com/?nid=148&sid=15493695

Lori Prichard reporting
produced by Kelly Just
May 10th, 2011

SALT LAKE CITY -- A pattern of long-term and ongoing problems inside the
regional headquarters of the FBI in Salt Lake City could have
catastrophic consequences to national security, sources connected to the
FBI say.

Nearly a dozen self-described whistleblowers -- including those with
strong ties to the FBI’s Salt Lake field office...
 

Posted by InfoSec News on May 12

http://www.theregister.co.uk/2011/05/12/critical_iconics_scada_bug/

By Dan Goodin in San Francisco
The Register
12th May 2011

The US Computer Emergency Readiness Team is warning oil refineries,
power plants, and other industrial facilities of a bug in a popular
piece of software that could allow attackers to take control of their
computer systems.

The vulnerability in the Genesis32 and BizViz products made by
Massachusetts-based Iconics...
 

Posted by InfoSec News on May 12

http://online.wsj.com/article/SB10001424052748704681904576317571066403808.html

By VICTORIA MCGRANE AND SIOBHAN GORMAN
The Wall Street Journal
MAY 12, 2011

A group of U.S. lawmakers wants the Securities and Exchange Commission
to push companies to disclose when they have fallen victim to
cyberattacks.

Three weeks after Sony Corp. was forced to shut down its PlayStation
network by hackers who stole users' information, the group, which...
 

Posted by InfoSec News on May 12

http://federalnewsradio.com/?nid=35&sid=2376861

By Suzanne Kubota
Senior Internet Editor
Federal News Radio
May 10, 2011

Within the chairman's mark of the 2012 Defense Authorization bill is
language that would allow DoD to carry out clandestine operations in
cyberspace against targets located outside the United States and to
defend against all attacks on DoD assets.

Released Monday, chairman of the House Armed Services Committee,...