InfoSec News

Intel reported strong earnings for the second quarter of fiscal 2010, buoyed by strong microprocessor sales in the server segment.
 
Perhaps there is finally something to deter Chatroulette.com users from their more offensive behavior: University researchers say that users of the popular video-chat site may not be as anonymous, or as private, as they think.
 
Microsoft suffers from being a latecomer in the smartphone space as developers are not sold on the Windows Phone 7 platform.
 
Despite the U.S. government's spending billions of dollars to encourage electric utilities to roll out the Internet-powered smart grid, the nation is at a critical stage for adoption of the next-generation electrical system and accompanying smart meters, experts said.
 
The Department of Health and Human Services today issued long-awaited rules to guide doctors and hospitals as they deploy electronic medical records and seek government reimbursements for their efforts.
 
Micro Express ships this lightweight, unassuming-looking, 15-inch laptop with a robust feature set and a moderate price. The $1199 unit boasts an Intel Core i7-620M high-end dual core CPU under the hood, switchable graphics, an 80GB Intel X25M solid-state drive, and 4GB of DDR3-1066 memory.
 
A few months back I told you how to add events to Google Calendar by sending text messages from your phone. Since then I've discovered more ways to get calendar and contact data into Google Calendar, Contacts, and Gmail. Read on for a whole new crop of tips.
 
Oracle apparently has no immediate plans to stop buying up companies, as indicated by a $3.25 billion debt issue it made this week.
 
Thieves are stealing credit-card numbers through skimmers they secretly installed inside pumps at gas stations throughout the Southeast, using Bluetooth wireless to transmit stolen card numbers, according to law enforcement officials.
 
Improved silicon and firmware from Ozmo Devices will turn a Wi-Fi-equipped Windows 7 laptop into a local hotspot for peripherals such as a keyboard and mouse.
 
Microsoft repairs a zero-day vulnerability being actively targeted in the wild. Also, a repair for Office Outlook should be deployed quickly, experts say.

 
Microsoft today patched five vulnerabilities in Windows and Office, including a bug hackers have been exploiting for almost a month.
 
A lawsuit filed against Facebook Inc. is raising the question of whether Mark Zuckerberg is the owner of the phenomenally popular social networking site.
 
Google has increased the controls that Apps administrators have over their end users' iPhone, Nokia and Windows Mobile devices, the company announced on Tuesday.
 
Microsoft repairs vulnerability being actively targeted in the wild. Also, a repair for Office Outlook should be deployed quickly, experts say.

 
Developing countries are benefiting from business process outsourcing jobs (BPO) that are of "reasonably good quality" by local standards, but the industry has some way to go to improve stressful working conditions, according to a study by the International Labour Organization (ILO).
 
Overview of the July 2010 Microsoft patches and their status.
Important: with today's patches, support for XP SP2 officially comes to an end. There will be no more patches for XP SP2 after today.




Columns: # / Affected / Contra Indications / Known Exploits / Microsoft rating / ISC rating(*) (clients, servers)

MS10-042 - Vulnerability in Help and Support Center Could Allow Remote Code Execution
    Affected: Windows XP SP2 and above, Windows Server 2003 SP2
    Contra Indications: CVE-2010-1885, KB 2229593
    Known Exploits: actively being exploited
    Microsoft rating: Severity: Critical, Exploitability: 1
    ISC rating(*): clients: PATCH NOW!; servers: Critical

MS10-043 - Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
    Affected: Windows 7 x64, Windows Server 2008 R2 x64
    Contra Indications: CVE-2009-3678, KB 2032276
    Known Exploits: no known exploits
    Microsoft rating: Severity: Critical, Exploitability: 2
    ISC rating(*): clients: Critical; servers: Critical

MS10-044 - Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution
    Affected: Access 2003 SP3, Access 2007 SP1 and above
    Contra Indications: CVE-2010-0814, CVE-2010-1881, KB 982335
    Known Exploits: no known exploits
    Microsoft rating: Severity: Critical, Exploitability: 1,1
    ISC rating(*): clients: Critical; servers: Critical

MS10-045 - Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (Replaces MS09-060)
    Affected: Outlook
    Contra Indications: CVE-2010-0266, KB 978212
    Known Exploits: no known exploits
    Microsoft rating: Severity: Important, Exploitability: 1
    ISC rating(*): clients: Critical; servers: Critical


We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.



---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
GFI Software has acquired Sunbelt Software for an undisclosed price. The companies said the goal of the merger is to develop integrated security products for both on-premises use and the cloud.
 
CSO's Bill Brenner won't be making it to Las Vegas for the perfect storm of security events scheduled for later this month. But he's been to enough Black Hat confabs to offer these survival tips.
 
Verizon Wireless on Thursday will start selling Motorola's highly anticipated smartphone, the Droid X, a faster and multimedia-savvy successor to the original Droid that was introduced in October last year.
 
Amazon Web Services says its latest cluster computing service can provide the same results as custom-built infrastructures for high-performance applications at organizations that don't want to build their own.
 
Microsoft officials described how its Windows Phone 7 smartphones will perform within a network of Windows 7 PCs and Xbox gaming consoles through a new Windows Live cloud platform to make the mobile experience easier and more powerful for workers and consumers.
 

Avoiding Accidents Waiting To Happen
Katonda
There is no verification process to check if certificates are installed correctly, and in the event of a crisis everyone suddenly looks at the Infosec group ...

 
The folks at VMware have posted a new bulletin and update to address a privilege escalation in a non-default configuration of appliances created with VMware Studio 2.0.
---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

 
GFI Software buys Sunbelt Software and plans to integrate Sunbelt's VIPRE antimalware product to complement its current Web and email security offerings.

 
Integrated suite gives security teams greater visibility into the software development lifecycle while letting developers focus on creating code and fixing errors.

 
Teo announced a unified communications platform that relies on a Linux-based server to provide multiple applications, including voice mail, across a variety of devices.
 
IBM took responsibility for a major IT system failure suffered by one of Singapore's largest banks on July 5, saying an employee's error caused the outage.
 
Even small companies can 'act big' by harnessing the power of supercomputing-in-a-cloud that they rent rather than own.
 
With scalability improvements, network and storage I/O control, and countless other enhancements, VMware continues to redefine the possibilities for server virtualization.
 
Taiwanese chipset developer MediaTek will start rolling out low-cost chipsets designed for handsets that use Google's Android mobile software in the third quarter of this year, promising to drive down the cost of such handsets in China.
 
VMware has cut in half the price of a virtualization software package geared toward small and midsize businesses, and changed the way it prices management products to let customers avoid unnecessary charges.
 
InfoSec News: White House meeting will stress economic side of cybersecurity: http://thehill.com/blogs/hillicon-valley/technology/108203-white-house-meeting-will-stress-economic-side-of-cybersecurity
By Gautham Nagesh Hillicon Valley 07/12/10
Cyber czar Howard Schmidt will hold a meeting on Wednesday with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano, where he is expected to discuss how to improve private-sector cybersecurity through economic incentives.
The stated purpose of the meeting is to discuss the activities since President Barack Obama unveiled the administration's "Cyber Space Policy Review" last May. Among those invited is Larry Clinton, president of the Internet Security Alliance, which represents a range of critical private security industries concerned about cybersecurity.
Clinton said the policy review was the first government document that began to address cybersecurity as an economic rather than operational issue.
"Cybersecurity obviously has technical components, but it's more of a strategic and operational problem. You have to look at things from that economic perspective," Clinton told Hillicon Valley on Monday. "For example, if you take a technical operational perspective, you're really focusing on how cyber-attacks occur, not why they occur."
[...]
 
InfoSec News: White hat hacker Maiffret returns to eEye: http://news.cnet.com/8301-27080_3-20010339-245.html
By Elinor Mills InSecurity Complex CNet News July 13, 2010
Security researcher and former Microsoft gadfly Marc Maiffret has returned to the company he started when he was a teenager, eEye Digital Security. [...]
 
InfoSec News: Don't be too quick to dismiss FISMA: http://gcn.com/articles/2010/07/12/cybereye-fisma-evolving.aspx
By William Jackson GCN.com July 12, 2010
The Federal Information Security Management Act has become the whipping boy for security vendors, chief information security officers and legislators, but we should not be too eager to abandon it, says a leading security researcher at the National Institute of Standards and Technology.
"We tend to want to make 'compliance' a bad word today," said NIST senior computer scientist Ron Ross. But regulatory compliance does not have to be a static checklist, and it is part of effective risk management, he said.
If the regulations are fundamentally sound and adaptable, they can evolve to address a rapidly changing security environment, and that is what is happening with FISMA, he said. "The fundamental reforms already are ongoing, coming from grass-roots activities," not from policy or legislative changes, Ross said.
As the head of NIST's FISMA implementation program, Ross, who spoke recently about changes in cybersecurity requirements at a forum hosted by InformationWeek, is hardly a disinterested observer. Since the passage of FISMA in 2002, a great deal of the resources of NIST's Computer Security Division have gone to creating standards, recommendations and guidelines on how to achieve compliance. That body of work has been praised as one of the accomplishments of FISMA while at the same time condemned as overly comprehensive and prescriptive.
[...]
 
InfoSec News: Finally -- a hacking conference just for kids!: http://www.infoworld.com/t/hacking/finally-hacking-conference-just-kids-818
By Paul F. Roberts InfoWorld July 12, 2010
Technology enthusiasts and the ranks of the curious have been trying for years to rescue the term "hacker" from its pejorative meaning. [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, July 4, 2010:
Open Security Foundation - DataLossDB Weekly Summary, Week of Sunday, July 4, 2010
17 Incidents Added.
[...]
 
InfoSec News: FBI Raids 'Electronik Tribulation Army' Over Witness Intimidation: http://www.wired.com/threatlevel/2010/07/eta/
By Kevin Poulsen Threat Level Wired.com July 8, 2010
FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group's leader in jail, according to a recently unsealed search warrant affidavit.
Jesse William McGraw, aka "GhostExodus," pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital's Windows-controlled HVAC system.
Last month's raids were prompted by the aftermath of McGraw's arrest. McGraw was the leader of an anarchistic hacking group called the Electronik Tribulation Army, and his bust led to a flood of harassment against the Mississippi computer-security researcher who discovered screenshots of the HVAC access online and informed the FBI.
"They set up website in my name to pose as me, and put up embarrassing content or things they thought would embarrass me, including a call-to-action to buy sex toys, and fake pornographic images," says R. Wesley McGrew, 30, of McGrew Security. "They harvested e-mail addresses from the university I work at and e-mailed it out to those."
[...]
 

New details offer link to security firm and threats against researcher
The Tech Herald
The content check for the book sparked a backlash in the InfoSec community, and it was due to this backlash that Riley sought out Evans. ...

 
InfoSec News: Call for Papers: CPSRT 2010 - Deadlines Extended!: Forwarded from: George Yee <gmyee (at) sce.carleton.ca>
DEADLINES EXTENDED!!
CALL FOR PAPERS (For HTML version, please visit http://CPSRT.cloudcom.org/)
INTERNATIONAL WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010)
In conjunction with 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2010), November 30 - December 3, 2010 Indiana University, USA, http://2010.cloudcom.org/
IMPORTANT DATES - EXTENDED!
Submission deadline: 15 August 2010
Author notification: 15 September 2010
Camera-ready manuscript: 1 October 2010
Author registration: 1 October 2010
Workshop date: 30 November 2010
WORKSHOP CHAIRS
Latifur Khan University of Texas at Dallas, USA email: lkhan (at) utdallas.edu
Siani Pearson Hewlett-Packard Laboratories, Bristol, UK e-mail: Siani.Pearson (at) hp.com
George Yee Carleton University, Canada e-mail: gmyee (at) sce.carleton.ca
WORKSHOP STEERING COMMITTEE (in progress)
Martin Gilje Jaatun, Department of Software Engineering, Safety and Security, SINTEF, Trondheim, Norway
Chunming Rong, Center of IP-based Services Innovation (CIPSI), University of Stavanger, Stavanger, Norway
Bhavani Thuraisingham, Cyber Security Research Center, University of Texas at Dallas, U.S.A.
WORKSHOP PROGRAM COMMITTEE
Carlisle Adams, University of Ottawa, Canada
Andrew Charleswoth, University of Bristol, UK
Giles Hogben, ENISA, Greece
Paul Hopkins, University of Warwick, UK
Latifur Khan, University of Texas at Dallas, USA
Steve Marsh, Communications Research Centre Canada, Canada
Christopher Millard, University of London, UK
Andrew Patrick, Office of the Privacy Commissioner of Canada, Canada
Siani Pearson, HP Labs, UK
Simon Shiu, HP Labs, UK
Sharad Singhal, HP Labs, USA
Ronggong Song, National Research Council Canada, Canada
Anthony Sulistio, Hochschule Furtwangen University, Germany
George Yee, Carleton University, Canada
WORKSHOP OBJECTIVE
Cloud computing has emerged to address an explosive growth of web-connected devices, and handle massive amounts of data. It is defined and characterized by massive scalability and new Internet-driven economics. Yet, privacy, security, and trust for cloud computing applications are lacking in many instances and risks need to be better understood. Privacy in cloud computing may appear straightforward, since one may conclude that as long as personal information is protected, it shouldn't matter whether the processing is in a cloud or not. However, there may be hidden obstacles such as conflicting privacy laws between the location of processing and the location of data origin. Cloud computing can exacerbate the problem of reconciling these locations if needed, since the geographic location of processing can be extremely difficult to find out, due to cloud computing's dynamic nature. Another issue is user-centric control, which can be a legal requirement and also something consumers want. However, in cloud computing, the consumers' data is processed in the cloud, on machines they don't own or control, and there is a threat of theft, misuse or unauthorized resale. Thus, it may even be necessary in some cases to provide adequate trust for consumers to switch to cloud services. In the case of security, some cloud computing applications simply lack adequate security protection such as fine-grained access control and user authentication (e.g. Hadoop). Since enterprises are attracted to cloud computing due to potential savings in IT outlay and management, it is necessary to understand the business risks involved. If cloud computing is to be successful, it is essential that it is trusted by its users. Therefore, we also need studies on cloud-related trust topics, such as what are the components of such trust and how can trust be achieved, for security as well as for privacy.
MISSION
This year, the CPSRT workshop will bring together a diverse group of academics and industry practitioners in an integrated state-of-the-art analysis of privacy, security, risk, and trust in the cloud. The workshop will address cloud issues specifically related to access control, trust, policy management, secure distributed storage and privacy-aware map-reduce frameworks.
TOPICS OF INTEREST
The workshop includes but is not limited to the following topics that refer to computing in the cloud:
* Access control and key management
* Security and privacy policy management
* Identity management
* Remote data integrity protection
* Secure computation outsourcing
* Secure data management within and across data centers
* Secure distributed data storage
* Secure resource allocation and indexing
* Intrusion detection/prevention
* Denial-of-Service (DoS) attacks and defense
* Web service security, privacy, and trust
* User requirements for privacy
* Legal requirements for privacy
* Privacy enhancing technologies
* Privacy aware map-reduce framework
* Risk or threat identification and analysis
* Risk or threat management
* Trust enhancing technologies
* Trust management
These topics give rise to a number of interesting research questions to be discussed at the workshop, such as the following:
* How can consumers retain control over their data when it is stored and processed in the cloud?
* How can users' trust in cloud computing be enhanced? How can reputation management be used in a practical way?
* How can transborder data flow regulations be enforced within the cloud?
* How can solutions be tailored to a specific context? For example, how can privacy and security requirements be gathered and matched to service provisioning in an automated or semi-automated way, and on an ongoing basis?
* How can adequate assurance be given about the way in which cloud providers process and protect data?
* How can audit mechanisms be provided for the cloud?
Software demonstrations are welcome. We encourage submissions of greenhouse work, which present early stages of cutting-edge research and development.
SUBMISSION
The submission format must conform to the following: 10 pages maximum including figures, tables and references (see http://CPSRT.cloudcom.org/). Authors should submit the manuscript in PDF format. The official language of the meeting is English. Please submit your paper to the CPSRT 2010 Workshop submission server (https://www.easychair.org/account/signin.cgi?conf=cpsrt2010) via an EasyChair account.
DISSEMINATION
Peer-reviewed papers that are accepted for presentation at the workshop will be published in the CloudCom 2010 IEEE proceedings, and will be available in IEEExplore (EI indexing). The workshop organisers plan to invite the authors of selected high quality papers to revise and lengthen their papers for a special issue of a related journal or an edited book.
For further details, please visit the workshop Web site: http://CPSRT.cloudcom.org/
 

 

 

Posted by InfoSec News on Jul 13

http://news.cnet.com/8301-27080_3-20010339-245.html

By Elinor Mills
InSecurity Complex
CNet News
July 13, 2010

Security researcher and former Microsoft gadfly Marc Maiffret has
returned to the company he started when he was a teenager, eEye Digital
Security.

Maiffret had been serving as chief security architect at antimalware
firm FireEye since December and will remain on the company's technical
advisory board, Maiffret said in an...
 

 

Posted by InfoSec News on Jul 13

http://www.infoworld.com/t/hacking/finally-hacking-conference-just-kids-818

By Paul F. Roberts
InfoWorld
July 12, 2010

Technology enthusiasts and the ranks of the curious have been trying for
years to rescue the term "hacker" from its pejorative meaning. A new
conference that will teach kids the wonders of hacking may be one sign
that such efforts are paying off.

Hackid is a new conference designed to "raise awareness and...
 

Posted by InfoSec News on Jul 13

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, July 4, 2010

17 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open
Security Foundation asks for contributions of new incidents and new data for...
 

 
The results of the SANS Forensics Challenge (aka the 6th challenge from Jonathon Ham and Sherri Davidoff at http://forensicscontest.com) were announced last week at the SANS Forensics and Incident Response Summit. The winning entry was submitted by Wesley McGrew and included a cool new tool, pcapline.py. The other finalists also came up with some interesting tools, so be sure to check out all of them.
---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

 
