In matters of food and wine, the Europeans have this concept of "AOC", based on the originally French "Appellation d'origine contrôlée". It means that, say, Bordeaux wine actually comes from there, and is not re-bottled Malbec from Patagonia. The point I'm trying to make, albeit poorly, is that it is sometimes important to know where things are coming from, which implies traceability to the source.

In matters of IT, we are currently losing this AOC. Only three years ago, we likely knew exactly, down to the server room cabinet and shelf, where our mail server was located. These days, with "cloud" services proliferating rapidly, we might know who *sold* us the service, but we only have a vague idea of its real origin or location.

The question recently came to light again when Codespaces (http://www.codespaces.com/) went down after a hacking attack back in June. As they say on their web page: "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted". I wonder how many (if any) of Codespaces' customers had actually done the due diligence, while signing up, to determine that all of Codespaces' services were hosted at Amazon AWS, *including* the backups. That's AOC! You might know from where you buy your SVN or GIT hosting, but - unless you negotiate hard, forbid any sub-subcontracting, and ruthlessly enforce your right to audit - you might never learn where your SVN/GIT hoster actually hosts the service. And not even with your right to audit will you ever find out where *that* hoster draws their services from, because you don't have a contract relationship with the hoster (only with the SVN service on top). If the hoster, at their discretion, decides that they can operate more cheaply by re-selling Virtual Machines from Patagonia instead of running their own ... that's what's going to happen.

If you like this concept, I have a stellar 1961 Bordeaux that I'm willing to part with for a good price. Please don't worry about the penguins and the Spanish language on the label :).

In all seriousness though - it is overdue that "cloud" providers provide a bit less cloud, and a bit more sunlight. It might hurt their bottom line a little, but the kind of "AOC" end-to-end transparency, with traceability to the source, is vital and paramount for the customer to assess and mitigate any resulting risk.

If you have any stories on how you determine the "AOC" of your penguin wine (or not), please share below.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Storage has always affected how fast software runs, but IT shops now have more tools they can bring to bear on the problem.
Seattle city council members voted Monday to legalize ride-hailing apps like Uber, Lyft and Sidecar, despite concerns from one council member about the adequacy of insurance coverage provided by the companies.

The US Secret Service is warning hotel operators to be on the lookout for malware that steals passwords and other sensitive data from guests using PCs in business centers, according to a published report.

The non-public advisory was issued last Thursday, KrebsOnSecurity reporter Brian Krebs reported Monday. Krebs said the notice warned that authorities recently arrested suspects who infected computers at several major hotel business centers around Dallas. In that case, crooks using stolen credit card data to register as hotel guests used business center computers to access Gmail accounts. From there, they downloaded and installed keylogging software. The malware then surreptitiously captured login credentials for banking and other online services accessed by guests who later used the compromised PCs.

The report is a poignant reminder why it's rarely a good idea to use public PCs for anything more than casual browsing of websites. Even when PCs are within eyesight of a business center employee, librarian, or other supervisor, and even when they are locked down with limited "guest" privileges, there are usually a host of ways attackers can compromise machines running either Windows or Mac OS X. Krebs wrote:

Most of us would love a break on our health insurance. We would generally appreciate the convenience of seeing ads for things we're actually interested in buying, instead of irrelevant "clutter." A lot of us would like someone, or something, else keeping track of how effective our workouts are.
The National Institute of Standards and Technology (NIST) has issued for public review and comment a draft report summarizing 65 challenges that cloud computing poses to forensics investigators who uncover, gather, examine and interpret ...
Vizio's two-year run in the PC market has hit a wall, and its existing laptops, desktops and tablets are quickly disappearing as the company re-evaluates its product mix.
Microsoft channel partners need to urgently redefine and evolve their businesses so that they can resell the company's cloud computing products, according to Chief Operating Officer Kevin Turner.
Apple's chief of Internet software and services, Eddy Cue, has put himself up on the charity auction block.

Over the last couple of days, we have been seeing a number of quite credible-looking phishing emails that impersonate toll-road providers in the US. The agency affected by the current wave is E-ZPass, a toll charging system used mainly in the Northeast. Adapting the template to match the colors and fonts of other organizations, like Florida's SunPass, would be easy for the scammers to accomplish though, so chances are that we will see more of this.

Since toll road agencies can impose stiff fines for violations or if road and bridge charges are not paid in time, people might fall for it and click on the link just to make sure. In the samples at hand, the link was pointing to www . ruckon . pl (spaces added to de-fang), and returned a ZIP with an EXE or directly an EXE. Hat tip to ISC reader Wayne for providing the latest sample.


If you receive similar emails that impersonate other toll road providers, please let us know.


Forty-five years after Neil Armstrong stepped on the moon, NASA scientists are looking forward to the next giant leap for mankind, and that next leap is likely to be on Mars.
A new Trojan program designed to steal log-in credentials and other financial information from online banking websites is being advertised to cybercriminal groups on the underground market.
Cisco Adaptive Security Appliance ASA CVE-2013-6691 Remote Denial of Service Vulnerability
Dell's only Chromebook is at least temporarily unavailable for online purchase through the company's website, only seven months after the model started shipping.
After a successful Sunday launch, the Cygnus cargo spacecraft is on its way to the International Space Station, carrying a Google 3D smartphone, along with a flock of tiny satellites.
Microsoft COO Kevin Turner acknowledged today that his company's operating systems power only a small fraction of all devices worldwide.

For almost two years, Ars has advised readers to use a software-based password manager to ease the password fatigue that comes from choosing and securing dozens of hard-to-guess passcodes that are unique to each site or service. A research paper scheduled to be presented at a security conference next month underscores the hidden dangers of selecting the wrong products.

The researchers examined LastPass and four other Web-based managers and found critical defects in all of them. The worst of the bugs allowed an attacker to remotely siphon plaintext passcodes out of users' wallets with no outward sign that anything was amiss. LastPass and three of the four other developers have since fixed the flaws, but the findings should serve as a wakeup call. If academic researchers from the University of California at Berkeley can devise these sorts of crippling attacks, so too can crooks who regularly case people's online bank accounts and other digital assets.

"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem," the researchers wrote in their paper, titled The Emperor's New Password Manager: Security Analysis of Web-based Password Managers (PDF). "After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop. Given the increasing popularity of password managers, the possibility of vulnerable password managers is disconcerting and motivates our work."


The National Institute of Standards and Technology (NIST)'s primary external advisory board today released a report calling for the agency to increase its staff of cryptography experts and implement more explicit processes for ensuring ...
Each and every spring/summer, keeping track of all the various new-iPhone-related rumors becomes a challenge that even the most dedicated iPhan would struggle to meet.
IBM InfoSphere Information Server CVE-2013-4057 Cross Site Request Forgery Vulnerability
IBM InfoSphere Information Server CVE-2013-3034 Unspecified HTML Injection Vulnerability
SAP is set to announce its preliminary second-quarter results Thursday and apart from a look into its finances, the occasion also presents a chance for media and analysts to probe SAP's top executives for clues to the company's future plans and strategies.
Oracle has dispelled rumors that the upcoming security update for Java 7 and those it will release in the future might not work on Windows XP.
An association of more than two dozen technology companies including Facebook, Google, Twitter and Netflix urged the U.S. Federal Communications Commission on Monday to create strong, enforceable net neutrality rules for wired and mobile networks.
When people learn that I run marathons in addition to covering healthcare IT, it doesn't take long for them to ask, "Where's your fitness tracker?"
QNAP TS-469U Turbo NAS Insecure File Permissions Vulnerability
Cisco ASA Inspection And Filter Features Remote Denial of Service Vulnerability
[KIS-2014-08] OpenCart <= (cart.php) PHP Object Injection Vulnerability
[slackware-security] php (SSA:2014-192-01)
[ MDVSA-2014:138 ] asterisk
[SECURITY] [DSA 2978-1] libxml2 security update

Oracle has released a preview of the patches to be released, seen here, on Tuesday, July 15, 2014. It includes updates to business-critical systems such as Oracle Database, WebLogic Server, and Fusion. The most concerning aspect of the majority of the vulnerabilities discussed is the one phrase “may be exploited over a network without the need for a username and password”. The most critical update being released Tuesday, imho, is the set of Java fixes (20 security fixes!), which give the vulnerability a pristine CVSS Base Score of 10!! Woohoo, way to go Oracle and Team Java!

But please don’t take my word for all of this, go take a look for yourself, and see what the week ahead has in store.

tony d0t carothers --gmail

LinkedIn is an invaluable social network for business. Just last week, I landed a new gig by simply congratulating a former client on his new position via LinkedIn.
Microsoft has restored service to its security advisory mailing list, but it has buried the sign-up form and made it hard to find.
Microsoft shifts its attention cross-country this week, from its Washington state headquarters, overcast with uncertainty, to Washington, D.C., where company leaders will try to make sunny optimism shine at its annual partner conference.
Microsoft CEO Satya Nadella demoted Windows to a handful of terse mentions deep in his 3,100 all-hands strategy email of last week.
Microsoft Windows Journal File Processing CVE-2014-1824 Remote Code Execution Vulnerability
Wi-Fi technology continues to evolve as wireless devices proliferate and demand for video and other data explodes.
Companies including MITRE are looking at privileged access and how to better lock it down -- without stopping employees from doing their jobs.
Popular password manager LastPass said it fixed two vulnerabilities that were found last year. The disclosure comes just ahead of a security conference where a research paper describing the problems is due to be presented.
Yahoo has acquired online video streaming company RayV with the aim of distributing content to more people, particularly via mobile devices.

Posted by InfoSec News on Jul 14


13 July 2014

J. Keith Mularski's world has expanded greatly since he stopped selling
discount furniture to join the FBI in 1998. Especially since he transferred
from Washington, D.C., in 2005 to fill a vacancy in the Pittsburgh,
Pennsylvania's field...

Certified pre-pw0ned devices are nothing new. We talked years ago about USB picture frames that came with malware pre-installed. But for the most part, the malware was added to the device accidentally, or for example by customers who later returned the device just to have it resold without adequately resetting/wiping the device.

But more recently, more evidence emerged that everything from network gear [1] to inventory scanners [2] may be infected deliberately in order to penetrate otherwise hard-to-reach networks. Typically, there is little a customer can do to verify that a device is not infected. Standard practices, like running malware scanners and verifying installed software, don't always work if you don't have "shell access" or the ability to install software on the device.

This leaves careful network monitoring as one option to detect and disrupt command and control channels used by these devices. However, in order to do so accurately, it is important to characterize "normal" network traffic from the device, which can be challenging, in particular if the device connects to cloud services for updates or intentional data exchange.

The large number of these devices entering our networks calls for a scalable solution. We can't add security devices and personnel in proportion to the number of devices deployed. The security features included in these devices (host-based firewalls, encryption technologies, ability to manage and limit installed software/"apps") vary widely, and frequently there are no enterprise configuration tools available.

What kind of network segmentation and on-boarding procedure do you apply to new devices introduced into the network? 

[1] http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
[2] http://www.trapx.com/news/press/trapx-discovers-zombie-zero-advanced-persistent-malware/

Johannes B. Ullrich, Ph.D.

Docker CVE-2014-3499 Local Privilege Escalation Vulnerability

Posted by InfoSec News on Jul 14


July 12, 2014

Welcome to Scott Air Force Base, 2.0.

As the Air Force downsizes many traditional career fields, it is investing
massively in one of its top priorities -- cybersecurity.

And Scott, the nearly century-old air base outside Mascoutah, is poised to
benefit enormously for many years to come from its rapidly growing role as

Posted by InfoSec News on Jul 14


By Chris Kanaracus
IDG News Service
July 11, 2014

Oracle is planning to release 115 security patches for vulnerabilities
affecting a wide array of its products, including its flagship database,
Java SE, Fusion Middleware and business applications.

The update includes fixes for 20 weaknesses in Java SE, all of which can
be exploited by an attacker remotely,...

Posted by InfoSec News on Jul 14


By William Knowles
Senior Editor
InfoSec News
July 11, 2014

InfoSec News has learned that notification letters have been sent last
week to some former students of the University of Illinois at Chicago
College of Business Administration whose personal information, including
Social Security number, was recently found to have been publicly...

Posted by InfoSec News on Jul 14


By Leigh Thomas and Jim Finkle
July 14, 2014

PARIS/BOSTON, July 14 (Reuters) - Insurers are eagerly eyeing exponential
growth in the tiny cyber coverage market but their lack of experience and
skills handling hackers and data breaches may keep their ambitions in

High profile cases of hackers seizing sensitive customer data from...
OpenStack Nova CVE-2014-0167 RBAC Security Bypass Vulnerability

Infosec still a concern for state's Auditor-General
Brisbane Times
Information security remains an area of concern for Queensland's Auditor-General, with the number of “significant control weaknesses” identified ...
Samsung Electronics has temporarily suspended business with one of its Chinese suppliers, after a labor watchdog group accused the factory of hiring five underage workers.