InfoSec News

The leader of a security research firm and AT&T traded angry words Monday in the wake of last week's data breach that exposed the e-mail addresses of 114,000 iPad 3G users. The carrier called the behavior of Goatse Security "malicious," while the security firm countered that AT&T was "being dishonest about the potential for harm." But both sides have plenty to answer for in how they've handled this security situation.
 

Code Security: SAFECode report highlights best practices
NetworkWorld.com
The report reflects a growing trend in the infosec community that relies less on bolt-on defenses and more on well-written software code. ...

 
Oracle is hoping to make a big splash with its upcoming Fusion Applications launch, but in the meantime has the perennial and less glitzy task of persuading users to upgrade from older releases of E-Business Suite.
 
Reader Freddie showed us a Sophos report of an application that has gone rogue by spamming your contacts once you add it to your profile. The application claims to give you access to a video named "Teacher nearly killed this boy".
Facebook users: please be careful with the links you visit and the applications you add to your profile, even if they claim to give you access to shocking content like this one. Always use applications that come from a trusted source, or you might unknowingly be helping future malware spread around the world.
More information at: http://www.sophos.com/blogs/gc/g/2010/06/14/teacher-killed-boy-rogue-spamming-facebook-app-large/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Infosec volunteer group's new project to tackle the cloud
SC Magazine US
The all-volunteer Open Security Foundation (OSF) later this month plans to launch "Cloutage," a new project that will track incidents involving the cloud. ...

 
Reader Daniel Shanefield finds that his iPad lacks a favorite iTunes feature. He writes:
 
CIO magazine Editor in Chief Maryfran Johnson discusses what CEOs want from their CIOs and how the latter earns a seat at the boardroom table.
 
Former San Francisco network administrator Terry Childs is slated to be sentenced today for shutting down the city's FiberWAN network for 10 days in 2008.
 
The best-of-breed vs. integrated suite battle has been ongoing since integrated enterprise resource planning software first came on the scene. In the early days, buyers were forced to choose between stand-alone systems that performed one function very well (e.g., accounting, production planning) or one integrated system that offered modules for each function, but with varying degrees of functional depth.
 
CEOs want CIOs who know their industries, think like customers and can envision new business opportunities.
 
Samsung today said it will begin selling three new drives next month, each representing higher performance or the smallest form factor for a product.
 
The birthday paradox, a classic illustration used in probability theory, states the probability that in a set of randomly chosen people, a pair will have the same birthday. The magic number is 23, which means that with 23 people, there is more than 50 percent probability that some pair of them will have the same birthday. As Wikipedia notes, such a result is counterintuitive to most people. Want to get to a 99 percent probability a pair will share a birthday? All you need is 57 people.
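The numbers in the paragraph above (23 people for a better-than-even chance, 57 for 99 percent) fall out of a short product over the probability that each new person misses every birthday already taken. The following is an added example, not code from the original post, that computes that product exactly and then generalizes it to the case a security engineer actually cares about: a hash or identifier space of 2^b values, where the same arithmetic says that roughly 2^(b/2) random values suffice for a collision. The function names and the closed-form approximation p ≈ 1 - exp(-n²/2N) are my own choices, not anything from the page.

```python
"""Birthday-paradox calculator (added example, not part of the original post)."""
from math import exp, log, sqrt


def collision_probability(n: int, space: int = 365) -> float:
    """Exact probability that among n uniformly random draws from `space`
    equally likely values at least two draws coincide.

    Multiplies P(all distinct) = prod_{i=0}^{n-1} (space - i) / space and
    returns its complement.  For n > space the pigeonhole principle forces
    a collision, so the answer is exactly 1.
    """
    if n > space:
        return 1.0
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def draws_for_probability(target: float, space: int = 365) -> int:
    """Smallest n such that collision_probability(n, space) >= target.

    With space=365 this reproduces the classic values: 23 draws for a
    50 percent chance, 57 draws for 99 percent.
    """
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def approx_draws_for_probability(target: float, bits: int) -> float:
    """Approximate n needed to reach `target` collision probability when the
    value space has 2**bits elements.

    Uses p ~= 1 - exp(-n^2 / (2N)), so n ~= sqrt(-2 N ln(1 - p)).  At p = 0.5
    this is about 1.18 * 2**(bits/2): the reason an attacker needs roughly
    2**(b/2) work, not 2**b, to find any collision in a b-bit hash, and the
    reason defenders size random identifiers and nonces with this bound.
    """
    space = 2.0 ** bits
    return sqrt(-2.0 * space * log(1.0 - target))


if __name__ == "__main__":
    print("people for >50%:", draws_for_probability(0.5))        # 23
    print("people for >99%:", draws_for_probability(0.99))       # 57
    print("32-bit tag, 50% collision ~", round(approx_draws_for_probability(0.5, 32)))
```

The exact loop is fine for small spaces; for large ones the approximation is what you want, and it is accurate to well under one percent once n is a few hundred. A practical reading of the 32-bit line: a 32-bit random session or request identifier is expected to repeat after only about 77,000 values, which is why such identifiers are sized at 128 bits or more.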
 
CEOs want to learn how much a potential CIO is focused on business strategy and market growth. If you want the job, be ready to answer these questions.
 
The ability to think like a CEO, focusing on how a company engages with customers and its industry, makes for a better CIO-CEO partnership.
 
The Khronos Group has ratified OpenCL 1.1, a programming standard for parallel execution of tasks across multicore processors, the standards-setting organization said on Monday.
 
A coalition of security companies and researchers have agreed on guidelines for how security software products should be tested, which may help put an end to long-running disputes about different testing methodologies.
 
AT&T might get its biggest headlines for its exclusive deal to sell the iPhone, but the company is bolstering its lineup with a new Android 2.1 smartphone exclusive, the HTC Aria, and the Pantech Ease messaging phone, which is focused especially on seniors.
 
Free unlimited Wi-Fi is coming to nearly 7,000 company-operated Starbucks stores in the U.S. beginning July 1, Starbucks CEO Howard Schultz said today.
 
Reader Edward pointed us to an interesting link showing that a small lot of Olympus Stylus Tough 6010 cameras shipped with malware inside their internal memory. More information at: http://www.sophos.com/blogs/gc/g/2010/06/08/olympus-stylus-tough-camera-carries-malware-infection/
-- Manuel Humberto Santander Peláez
 
Patrick wants a Web-based mail service to be his default email.
 
The hackers who harvested more than 100,000 Apple iPad 3G owner e-mail addresses blasted AT&T as "dishonest" today, and said the group has an exploit it or others could have used against all iPad owners.
 
Twitter's persistent and disruptive service outages entered a second week, as the company scrambles to bring its site availability back to acceptable levels.
 
After applications recently started disappearing from the Android Market, Google continued to have reliability issues with the online store as developers over the weekend experienced issues with erroneous download counts.
 

Code Security: SAFECode report highlights best practices
CSO
The report reflects a growing trend in the infosec community that relies less on bolt-on defenses and more on well-written software code. ...

 
AT&T issued an apology on Sunday for a hack that exposed thousands of iPad customers' e-mail addresses last week and vowed to work with law enforcement to prosecute those responsible.
 
Even if your work is humdrum, your documents shouldn't be. The latest version of Microsoft Office makes it easier than ever to create handsome documents, thanks to some cool new tools for dressing up text, displaying images, and embedding video. (Of course, the ability to create better-looking documents isn't the only reason to upgrade to Office 2010. For a detailed review of the entire suite see "Office 2010 Review: Inside Microsoft's Newest Suite.")
 
I recently crossed the country to help my parents set up their new computers. The trip was well worth the time: They got to switch from slow, old Windows XP machines to fast, fresh Windows 7 PCs. And in exchange, I got to eat lots of genuine New York pizza. When the weekend upgrade was complete, what single Windows 7 feature do you think they most loved? Not the Libraries, or HomeGroup, or the snazzy new taskbar. Nope, they loved the desktop slideshow.
 
A new open-source plug-in provides the capability for the jQuery library.
 
Barring an unforeseen patch in the next four weeks, users running Windows XP Service Pack 2 have seen their last security update for Internet Explorer.
 
The path to the top slot in IT isn't always straight and narrow -- good news for job changers, dreamers and wanderers.
 
SeaMicro has developed a server that packs in 512 low-power Intel Atom processors on miniature motherboards the size of credit cards, the company announced.
 
Attendees to next week's Enterprise 2.0 conference in Boston may find that businesses' use of social-networking and collaboration technologies is slowly starting to take off.
 
I saw this interesting project that wants to create a Python virtual machine to run inside a microcontroller without an underlying OS. This could be the gateway to a Python hardware processor soon.
More information at: http://code.google.com/p/python-on-a-chip/
-- Manuel Humberto Santander Peláez
 
Are you a security professional who needs to learn the basics of Metasploit but hasn't found a source? Darknet Consulting (http://darknet-consulting.com/) has done a nice video that shows how to use it.
Download the video here: http://darknet-consulting.com/video/vector2/meta101.wmv
-- Manuel Humberto Santander Peláez
 
I am a fan of ModSecurity (http://www.modsecurity.org/) as a fast and cheap way to get decent protection against application-layer attacks. But, as you know, risks are increasing, and when the risk analysis performed for your organization shows that application disruptions have a big impact on the core business, it's time to strengthen controls and think about delivering protection from the code itself. I have found the PHPIDS library useful; it detects XSS, SQL injection, header injection, directory traversal, DoS and LDAP attacks. Since it works from within the code, you can take its output and send it to your favorite alert vault to correlate security events.
Version 0.6.4 was recently released. More information at http://php-ids.org/2010/06/06/phpids-0-6-4-is-ready/
Want the same functionality in Perl? Try http://search.cpan.org/dist/CGI-IDS/lib/CGI/IDS.pm. It is based on PHPIDS.
-- Manuel Humberto Santander Peláez
 
Google engineer Tavis Ormandy releases details on a new zero-day vulnerability affecting the Windows Help and Support Center. Microsoft acknowledges the hole.
 
InfoSec News: 1,000+ webpages poisoned in latest mass malware hack: http://www.theregister.co.uk/2010/06/11/mass_webpage_attack/
By Dan Goodin in San Francisco The Register 11th June 2010
Yet another mass compromise is hitting poorly configured websites, and at least one of the afflicted is a security site that plays up its [...]
 
InfoSec News: Linux Trojan Raises Malware Concerns: http://www.pcworld.com/businesscenter/article/198686/linux_trojan_raises_malware_concerns.html
By Tony Bradley PC World June 13, 2010
[Author's Note: The article has been modified to correct the assertion that Unreal IRC has any relation to Unreal--the first-person shooter [...]
 
InfoSec News: AT&T e-mail apologizes for iPad breach: http://news.cnet.com/8301-1009_3-20007564-83.html
By Steven Musil Security CNet News June 13, 2010
AT&T sent an e-mail to iPad owners Sunday explaining a security breach that occurred on its site and laying much of the blame with the group that discovered the hole. [...]
 
InfoSec News: Microsoft confirms critical Windows XP bug: http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug
By Gregg Keizer Computerworld June 11, 2010
Microsoft on Thursday confirmed that Windows XP and Windows Server 2003 contain an unpatched bug that could be used to infect PCs by duping [...]
 
InfoSec News: Famous hacker suddenly finds himself infamous, in some quarters: http://www.sacbee.com/2010/06/13/2818601/famous-hacker-suddenly-finds-himself.html
By Sam Stanton The Sacramento Bee June 13, 2010
On Thursday afternoon, Adrian Lamo sat quietly in the corner of a Starbucks inside the Carmichael Safeway, tapping on a laptop that [...]
 

Posted by InfoSec News on Jun 13

http://news.cnet.com/8301-1009_3-20007564-83.html

By Steven Musil
Security
CNet News
June 13, 2010

AT&T sent an e-mail to iPad owners Sunday explaining a security breach
that occurred on its site and laying much of the blame with the group
that discovered the hole.

The e-mail, which was signed by AT&T Chief Privacy Officer Dorothy
Attwood, blamed "self-described hackers" for uncovering a hole in the
company's Web site...
 

Posted by InfoSec News on Jun 13

http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug

By Gregg Keizer
Computerworld
June 11, 2010

Microsoft on Thursday confirmed that Windows XP and Windows Server 2003
contain an unpatched bug that could be used to infect PCs by duping
users into visiting rigged Web sites or opening attack e-mail.

The company said it has seen no active in-the-wild attacks exploiting
the vulnerability.

The bug in...
 

Posted by InfoSec News on Jun 13

http://www.sacbee.com/2010/06/13/2818601/famous-hacker-suddenly-finds-himself.html

By Sam Stanton
The Sacramento Bee
June 13, 2010

On Thursday afternoon, Adrian Lamo sat quietly in the corner of a
Starbucks inside the Carmichael Safeway, tapping on a laptop that
requires his thumbprint to turn on and answering his cell phone.

The first call, he said, came from an FBI agent asking about a death
threat Lamo had received.

The second was from...
 

Posted by InfoSec News on Jun 13

http://www.theregister.co.uk/2010/06/11/mass_webpage_attack/

By Dan Goodin in San Francisco
The Register
11th June 2010

Yet another mass compromise is hitting poorly configured websites, and
at least one of the afflicted is a security site that plays up its
prowess in warding off the very type of attack it has been smitten by.

At least 17 pages on idera.com were hit by a quick-moving SQL injection
attack on Friday, including one titled...
 

Posted by InfoSec News on Jun 13

http://www.pcworld.com/businesscenter/article/198686/linux_trojan_raises_malware_concerns.html

By Tony Bradley
PC World
June 13, 2010

[Author's Note: The article has been modified to correct the assertion
that Unreal IRC has any relation to Unreal--the first-person shooter
developed by Epic Games.]

I've got good news and bad news for those of the misguided perception
that Linux is somehow impervious to attack or compromise. The bad news
is...
 
Many researchers have tried unsuccessfully to use artificial intelligence (AI) to program bots that interact with humans and gather information, because the human party detects the bot very soon and drops the conversation. Well, there is now a man-in-the-middle bot that relays messages between two people to avoid detection by the parties involved in the conversation. It also detects the gender of the people involved in the conversation and alters the messages accordingly. Pretty cool stuff.
Want to read the paper? Check the following document: http://seclab.tuwien.ac.at/papers/autosoc-leet2010.pdf
-- Manuel Humberto Santander Peláez
 