Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google Co-Founder and CEO Larry Page made clear on Thursday the lofty expectations the company has for its new social networking site Google+.
 
Kevin Finisterre isn't the type of person you expect to see in a nuclear power plant. With a beach ball-sized Afro, aviator sunglasses and a self-described "swagger," he looks more like Clarence Williams from the '70s TV show "The Mod Squad" than an electrical engineer.
 
Attorneys for Apple and Samsung Electronics gave arguments before a U.S. federal judge on Thursday in a patent infringement suit over Samsung's Galaxy tablets, and the judge is now set to issue a written order on Apple's request to have sales of those tablets blocked.
 
For the full description, please see: http://www.sans.org/critical-security-controls/control.php?id=9
Whenever we talk about security and assign access control lists, the principle of least privilege comes up. Our firewalls should block all ports except those we need to do business. The same is true for file access control lists (ACLs): we should only allow read or write access to files as needed.
The principle of least privilege is fundamental to information security and closely related to the idea of need to know. That term tends to be used more in government and military contexts, but it is just as valid in commercial networks.
For example, in order to obtain certain information, a user needs a certain clearance (usually a position in the company) AND a need to know the information. In a hospital setting, all nurses are likely considered trusted enough to read any patient's information. However, they should still only access information for the patients they deal with.
Fine-grained access controls like this depend critically on the correct labeling of data. In most cases I have seen, the labeling of data is actually the main problem. Consider a spreadsheet with patient data in a hospital. To provide proper access control, the access control system would need to determine which patients are listed in the spreadsheet and then compare that list to the list of patients a nurse is associated with before granting access. Realistically, this is not going to happen. Data needs to be properly segmented; once data of various classifications ends up in the same place (like an Excel spreadsheet), it is usually too late.
As a start, one should first define the different roles in the organization and figure out what each role needs to know to get its work done. Later, the roles may be refined and access control further restricted. The same is true for data labels: initially, you may break data down into rough categories and, as your system matures, refine them into finer-grained categories.
But don't rush this. Nothing is more frustrating than security getting in the way of normal business processes, and this is probably the fastest way to lose steam for your initiative. This control should be considered one for a more mature organization that has already covered most of the other controls. Start slowly, and consider implementing detective controls first, before enforcement.
To go back to our hospital case: if you come into the emergency room bleeding, your priority is that the nurse has fast and proper access to your medical record. Getting proper help fast is more important (at least at that time) than the confidentiality of your patient record. Instead of focusing on enforcing access controls, a hospital may deploy log analysis to monitor for nurses who accessed more records than others, or to review who accessed the records of a celebrity visiting the hospital.
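The following Python script is an added illustration of the two ideas in the diary above; it is not part of the diary or any SANS tooling, and every role, user, ward assignment, patient ID and audit log line in it is constructed. It implements the enforcement check (clearance AND need to know, with a logged break-glass path for the emergency room case) and then the detective controls the diary recommends starting with: flagging reads of patients a nurse is not assigned to, any access to a flagged VIP record, every break-glass use, and nurses whose volume of distinct records is far above their peers in the same role.

```python
"""Least privilege + need to know for patient records, with detective controls.

Added example for the CSC 9 diary; not from the diary or SANS. Every user,
role, assignment, patient ID and log line below is constructed.
"""
from collections import defaultdict
from statistics import median

# Coarse roles first (the diary's advice), refined later. The set is the
# "clearance": which actions a role may perform on any patient record.
ROLE_PERMISSIONS = {
    "nurse": {"read"},
    "physician": {"read", "write"},
    "billing": {"read_billing"},
}

USER_ROLES = {
    "nurse_amy": "nurse", "nurse_bob": "nurse", "nurse_cat": "nurse",
    "dr_chen": "physician", "billing_dan": "billing",
}

# "Need to know": which patients each clinical user is currently assigned.
ASSIGNMENTS = {
    "nurse_amy": {"P100", "P101", "P102"},
    "nurse_bob": {"P103", "P104"},
    "nurse_cat": {"P105", "P106"},
    "dr_chen": {"P100", "P101", "P102", "P103", "P104", "P105", "P106"},
}

VIP_PATIENTS = {"P999"}  # the visiting celebrity; every access is reviewed


def is_authorized(user, action, patient, emergency=False):
    """Enforcement mode: allow only with clearance AND need to know.

    A break-glass (emergency) access skips the need-to-know test because
    treating the bleeding patient matters more than confidentiality right
    then; it is allowed, and the audit below is what catches abuse of it.
    """
    role = USER_ROLES.get(user)
    if role is None or action not in ROLE_PERMISSIONS[role]:
        return False  # no clearance for this action at all
    if emergency:
        return True
    return patient in ASSIGNMENTS.get(user, set())


# Constructed audit log: "<timestamp> <user> <action> <patient> [break-glass]"
SAMPLE_LOG = """\
2011-10-13T08:01:12 nurse_amy read P100
2011-10-13T08:03:40 nurse_amy read P101
2011-10-13T08:10:05 nurse_bob read P103
2011-10-13T08:12:30 nurse_bob read P104
2011-10-13T08:15:00 nurse_cat read P105
2011-10-13T08:20:00 nurse_cat read P106
2011-10-13T08:22:00 nurse_cat read P100
2011-10-13T08:23:00 nurse_cat read P101
2011-10-13T08:24:00 nurse_cat read P103
2011-10-13T08:25:00 nurse_cat read P104
2011-10-13T08:26:00 nurse_cat read P999
2011-10-13T09:00:00 dr_chen read P102
2011-10-13T09:30:00 nurse_bob read P100 break-glass
"""


def parse_log(text):
    """Turn the log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, user, action, patient = parts[:4]
        events.append({"ts": ts, "user": user, "action": action,
                       "patient": patient, "emergency": "break-glass" in parts[4:]})
    return events


def audit(events, volume_factor=2.0):
    """Detective mode: report, don't block. Returns (kind, user, detail) tuples.

    unassigned_access: record outside the user's assignments (no break-glass)
    break_glass:       emergency override, always reviewed
    vip_access:        any access to a flagged record
    volume_outlier:    distinct records read > volume_factor x role median
    """
    findings = []
    per_user_records = defaultdict(set)
    for e in events:
        user, patient = e["user"], e["patient"]
        per_user_records[user].add(patient)
        if e["emergency"]:
            findings.append(("break_glass", user, patient))
        elif user in ASSIGNMENTS and patient not in ASSIGNMENTS[user]:
            findings.append(("unassigned_access", user, patient))
        if patient in VIP_PATIENTS:
            findings.append(("vip_access", user, patient))

    # Compare each user's volume with peers in the same role; a role with one
    # member has no peer group and is skipped rather than guessed at.
    by_role = defaultdict(dict)
    for user, records in per_user_records.items():
        by_role[USER_ROLES.get(user, "unknown")][user] = len(records)
    for role, counts in by_role.items():
        if len(counts) < 2:
            continue
        med = median(counts.values())
        for user, n in counts.items():
            if n > volume_factor * med:
                findings.append(("volume_outlier", user,
                                 f"{n} distinct records vs {role} median {med:g}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:12} {detail}")
```

Run against the constructed log, the audit surfaces nurse_cat reading five records outside her assignments (including the VIP record), nurse_bob's one break-glass access, and nurse_cat as a volume outlier against the other nurses; nothing is blocked, which is the point of starting with detective controls. Swapping `audit` for `is_authorized` at the access path is the later, enforcement step.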


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Virtual machines are the best way to accommodate different application needs in a datacenter environment. Whether you need to run your apps on a specific platform or just need to meet scaling requirements, virtualization is the solution to a lot of IT managers' problems, thanks to fast and cheap memory.
 
The big Google-Samsung event to launch Ice Cream Sandwich -- postponed at CTIA earlier this week -- will take place next Wednesday in Hong Kong, according to an invitation sent by the two companies.
 
LightSquared and a partner, Javad GNSS, showed off a filter and an antenna on Thursday that they said would solve the anticipated GPS interference problem that has plagued the carrier's plan to deploy an LTE network in frequencies near those used by GPS.
 
F5 is touting new DNS capabilities in its BIG-IP v11 software as a way for service providers to save money, stave off distributed denial-of-service attacks and scale to support rapidly expanding IP services.
 
iDefense Security Advisory 10.12.11: Apple Mobile OfficeImport Framework Word Document Parsing Memory Corruption Vulnerability
 
iDefense Security Advisory 10.12.11: Apple MobileSafari Attachment Viewing Cross Site Scripting Vulnerability
 
Dell is implementing networking, storage, software and hardware technologies it has gained from recent acquisitions in products that can help it move beyond servers to deliver more end-to-end solutions.
 
Cloudmark is among the first messaging vendors to tackle the vexing issues related to integrating large-scale e-mail services with the next-generation Internet Protocol called IPv6.
 
Data center consolidation continues to be a hot topic, and with good reason. It has proven to be an effective way to reduce costs and complexity, setting organizations on a course for more efficient IT management. But while the benefits are proven, the path to success takes careful navigation.
 
Google grew its sales and profits in the third quarter, exceeding Wall Street's expectations along the way, as the search company's advertising business continued on a strong growth path.
 
After being noticeably absent from his company's own social network, Google Executive Chairman Eric Schmidt finally has joined the ranks of Google+ users.
 
Among the 84,000 open tech positions currently listed on Dice.com, there are roughly 1,400 job listings that say an MBA is preferred, and they come from a variety of industries.
 
/*
The news that Dennis M. Ritchie, the creator of the C programming language and well known for contributing to the creation of the UNIX operating system, died on October 8, 2011, hit the Internet headlines today.

He is also very well known to all UNIX/C programmers for co-authoring the book The C Programming Language [1]. I will not profess to know much of Dennis M. Ritchie to speak here. I do recognize his contribution to my career and all the UNIX that flows through my blood stream.

I have read many stories today covering the life of Dennis M. Ritchie. The one I found most credible and interesting to read was, ironically, an autobiography [2]. Take a moment of appreciation and read through it when you have a chance. Bell Labs also hosts a page for dmr [3]. Those pages are my recommended reading for the day.

The loss of Steve Jobs last week is recognizably an enormous loss to society and the world. A few days later, we have lost Dennis M. Ritchie. It is an understatement that Steve Jobs and all like him have been standing on Dennis M. Ritchie's shoulders for years. Dennis M. Ritchie was a giant and can be recognized as such.

Simply put, this world is a better, more productive and richer place because of Dennis M. Ritchie. We all owe a bit of gratitude.
*/

#include <stdio.h>

int main(void)
{
    printf("goodbye, dmr. RIP.\n");
    return 0;
}

/*
[1] http://cm.bell-labs.com/cm/cs/cbook/index.html
[2] http://cm.bell-labs.com/cm/cs/who/dmr/bigbio1st.html
[3] http://cm.bell-labs.com/who/dmr/

-Kevin

--
Kevin Shortt
ISC Handler on Duty
*/

$ gcc dmr.c
$ ./a.out
goodbye, dmr. RIP.
$





 
While representatives of the online advertising industry questioned whether new laws are needed to protect consumer privacy online, several U.S. lawmakers on Thursday called for new regulations targeting online tracking.
 
Want to know how some top tech journalists were responding on Twitter to Apple's new mobile announcements this week? Check out our data visualization.
 
Quanta Computer, the Taiwanese contract computer manufacturer, is now the ninth company to license patents from Microsoft for its Android devices, the companies said Thursday.
 
For the second time in two months, a major open-source project has been breached. This time, the victim is the WineHQ project, which manages Wine, an open-source technology that lets users install and run Windows applications on Linux, Mac, Solaris and other operating systems.
 
Yahoo plans to open a site that lets people see on an interactive world map the volume of e-mail that the company's Mail service is processing.
 
One might think that former HBGary Federal CEO Aaron Barr would stay far away from anything associated with the hacking group Anonymous, which waged an embarrassing hacking campaign earlier this year that resulted in his resignation.
 
Jumio plans to soon introduce a new kind of payment processing service that uses cellphones but doesn't require any additional hardware.
 
Gibbs discusses the latest iteration of a product he didn't think could be easily topped.
 
The launch of Apple's new iCloud service has been reminiscent of the fiasco three years ago when the company debuted MobileMe, according to users' complaints that describe a sweeping range of problems.
 
Linux Kernel 'CHELSIO_GET_QSET_NUM' Information Disclosure Vulnerability
 
Dennis Ritchie, the software developer who brought the world the C programming language and Unix operating system, has died at the age of 70.
 
Apple has released a massive security update for Mac OS X along with a new version of its OS, however, installing the patches could render computers unbootable, according to several reports.
 
Mozilla has responded to Microsoft's new browser security test with jabs against Internet Explorer.
 
Linux Kernel Reliable Datagram Sockets (RDS) Protocol Local Integer Overflow Vulnerability
 
Improperly configured network devices and the inability to measure the network security posture make most IT organizations incapable of finding gaps in their systems, according to a new survey.


 
RSA revealed a "nation state" was behind the SecurID attack in March. Twitter and Facebook are still banned at RSA.

 
In an exclusive interview, SUSE president and GM Nils Brauckmann talks about strategic partnerships, building clouds, and whether the economic downturn presents an opportunity for open source.
 
Cloud-based applications tend to focus the users' creative impulses on what the vendors are calling "declarative programming:" point-and-click specification of behavior, plus configurations, settings, rules, and formulas. These are good choices for ease of use, containing multi-tenant workloads, and testability. But if your cloud app has large user counts or sophisticated use cases, declarative development will take you only so far: soon enough, you'll be merrily coding in both the presentation layer (view) and the business logic (controller). In some cloud environments, you'll even be working directly with metadata and the transaction layer (model).
 
phpPgAdmin Multiple Cross-Site Scripting Vulnerabilities
 
Multiple G-WAN vulnerabilities
 
If you ask IT execs why they're hesitant about moving to the public cloud, security comes up at the top of the list. But security vendors are responding to these concerns with a raft of new products. Here are four interesting cloud security tools that we tested.
 
BlackBerry service is fully restored for 70 million customers worldwide after three days of outages, Research in Motion announced today.
 
The legal battle between Apple and Samsung has reached fever pitch, with Apple getting an injunction to stop the sale of the Galaxy 10.1 tablet in Australia as Samsung launches new versions of its smartphones to keep them on sale in the Netherlands. Both companies are also preparing for a hearing in California scheduled for Thursday.
 
SEC Consult SA-20111012-0 :: Client-side remote file upload & command execution in Microsoft Forefront UAG Remote Access Agent (CVE-2011-1969)
 
VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console
 
Security-Assessment.com Advisory: Destination Search Admin Console Access Control Bypass
 
Two Remote Code Execution Vulnerabilities in Internet Explorer
 
 
Cloud backup services have existed for years, and if you’re just looking to back up the files on your computer, you have plenty of options to choose from. But more and more of the files we want backed up the most are on our mobile devices or online where traditional backup tools aren’t helpful.
 
Microsoft Internet Explorer Option Element CVE-2011-1996 Memory Corruption Vulnerability
 
Microsoft Forefront Unified Access Gateway 'MicrosoftClient.Jar' Remote Code Execution Vulnerability
 
Research in Motion founder and Co-CEO Mike Lazaridis today apologized to millions of customers hit by three days of global BlackBerry service outages.
 
SOS Online Backup today announced a cloud backup service for Facebook, mobile devices and desktop computers that allows web-based access to files as well as unlimited multiple versions of those files.
 
Microsoft Internet Explorer Select Element CVE-2011-1999 Memory Corruption Vulnerability
 
Citrix Systems has acquired ShareFile for an undisclosed sum, in an effort to break into the cloud-based data sharing market, the company said on Thursday.
 
Phone design in China is done much like being served snake, chicken, fish and frog when eating a single meal in the country, according to Hagen Fendler, the chief design director for handsets at Chinese smartphone maker Huawei.
 
Severe floods in Thailand have disrupted production of electronics including hard disk drives and semiconductors, with a number of factories suspending operations.
 
Lenovo passed Dell to become the second-largest worldwide PC vendor, behind Hewlett-Packard, in the third quarter of 2011.
 
Laced throughout Dell's first enterprise user conference, either directly or indirectly, will be talk about HP and its very public consideration of either spinning off or selling its personal systems group.
 
Although the look of iOS 5 hasn't changed, much of what's under the hood has, says columnist Michael deAgonia. Not only does it allow you to cut the cord to your Mac or PC, the free upgrade delivers scores of welcome updates and new features.
 