Hackin9

InfoSec News

It's fairly easy to get started with iCloud if you use a single Apple ID solely on your own devices. But many families--including mine--share a single Apple ID across multiple people and devices, so that they can purchase apps and music once and give everybody in the family access. Must you all share that same Apple ID for iCloud, too?
 
Public companies may need to look more closely at their exposure to cyberattacks after new guidelines were released this week by the U.S. Securities and Exchange Commission.
 
Web inventor Tim Berners-Lee told RSA Europe attendees the future of IT security must include greater simplicity for users.

Wednesday, October 12, 2011 was D-Day (Download Day) for Apple users. I believe it will go down in history as the day Apple released more software than it has done in any single day before.
 
AMD's latest-and-greatest chip may lag slightly behind Intel's competing Core i5, as initial PCWorld performance-testing indicates. But these disappointing results hide benefits that AMD's "Bulldozer" FX CPU will likely offer, especially for cost-conscious small businesses.
 
If you're not using Google Picasa to manage your photos, I think you're missing out. It's one of the fastest and most versatile photo managers/image editors currently available, and you can't beat the price. (It's free.)
 
With the launch of its more successful Google+ social networking service, Google on Friday said it plans to shut down Buzz.
 
This year's Web 2.0 Summit will focus on the critical role that online data plays in the Internet economy and on how its use and misuse can make the difference between success and failure in markets like online gaming, Web advertising, search, social media and mobile.
 
Intel CEO Paul Otellini came to the defense of PCs at an industry conference Friday, but he also outlined his belief that the so-called ultrabook will do more to meet consumer and business needs.
 
Preliminary teardowns of Apple's iPhone 4S have confirmed what rumors claimed for months: The new smartphone is powered by the same dual-core processor used in the iPad 2.
 
The U.S. Department of Defense has been hit with a $4.9 billion lawsuit over a data breach involving TRICARE, a healthcare system for active and retired military personnel and their families.
 
The National University of Singapore and the Data Storage Institute have come up with a way to use NaCl (table salt) to increase the storage density on hard drive platters to 3.3 terabits per inch -- or more than five times what a Seagate 4TB hard drive is capable of today.
 
Dell is expanding its China services business one step at a time as it tries to overcome quirks associated with running a business in that market, a company executive said on Friday.
 
Verizon Wireless has equipped almost all of its fleet of test vehicles with 4G (fourth-generation) devices to test all the major U.S. 4G networks for speed and coverage.
 
Forget about building a popular social network. Google CEO Larry Page wants to use Google+ to transform the entire Google experience.
 
Apple's iCloud debuted this week with problems reminiscent of the MobileMe fiasco of 2008. Why did Apple have so many problems rolling out iCloud?
 
Apple's iCloud service, paired with iOS 5 and Lion, offers users a whole wealth of new sync features, access to purchased content, and geolocation fun. Unfortunately, as iCloud is the company's fourth online service iteration--fifth, if you count registering for base-level Apple IDs--trying to upgrade can be confusing at best, slam-your-head-against-a-wall-in-frustration at worst. To help ease the pain (and keep your walls dent-free), we've put together some common upgrading scenarios for migrating to iCloud.
 
In a couple of weeks the world could be forever changed by power too cheap to meter. Or not.
 
With many still reflecting on the contributions of Steve Jobs, being at Dell World this week almost feels like living in an alternative universe.
 
Four customers of Frontier Communications have filed a class action lawsuit against the broadband and digital voice provider over a $1 to $1.50 mystery charge on their monthly bills.
 
The SpyEye banking malware continues to plague computers across the world and is proving to be a difficult foe to detect and remove from infected Windows PCs, according to two researchers from EMC's RSA security division.
 
[PTResearch] SAP DIAG Decompress plugin for Wireshark
 
As it wrapped up its acquisition of Skype today, Microsoft again assured users that it would continue to develop versions for platforms other than Windows.
 
The Social Security Administration puts thousands of Americans at risk of identity theft each year by accidentally leaking their Social Security Numbers and other data, according to an investigative report by the Scripps Howard News Service.
 
A new computer security publication* from the National Institute of Standards and Technology (NIST) will help organizations understand their security posture against threats and vulnerabilities and determine how effectively their ...
 
The National Institute of Standards and Technology (NIST) will unveil the public draft of its U.S. Government Cloud Computing Technology Roadmap at the Cloud Computing Forum & Workshop IV that it will host Nov. 2-4, in Gaithersburg, ...
 
Columnist Mike Elgan camps out in front of an Apple store in Silicon Valley to wait in line and be among the first to buy the new iPhone 4S. He also seeks answers to the question: Why do Apple fans all over the world do this?
 
Searching for Flash Player on Bing and Yahoo can lead to rogue pages distributing a hard-to-remove rootkit, according to security researchers from antivirus vendor GFI Software.
 
DC4420 - London DEFCON - October meet - Tuesday October 18th 2011
 
A judge at the district court in the Hague on Friday rejected claims that Samsung had made against Apple regarding four patents.
 
I happened upon a YouTube video last week that got me thinking a lot about humility contests. Uploaded by O'Reilly Media, this video is a 5-minute Ignite Great Lakes presentation by a talented Detroit violinist named Dixon. I won't spoil the fun by telling you what you'll encounter in the video. Go watch it and return here when you're done.
 
Sprint made its iPhone debut today when it started selling the iPhone 4S, and some of the carrier's longtime customers waited in line in the pouring rain for the latest Apple smartphone using Sprint's unlimited data plans.
 
[ GLSA 201110-11 ] Adobe Flash Player: Multiple vulnerabilities
 
[ GLSA 201110-10 ] Wget: User-assisted file creation or overwrite
 
[ GLSA 201110-09 ] Conky: Privilege escalation
 
[ GLSA 201110-08 ] feh: Multiple vulnerabilities
 
SAP said its third quarter revenue rose 14% year on year, and operating profit more than doubled according to International Financial Reporting Standards (IFRS), boosted by a recalculation of the sum set aside to settle litigation with Oracle over SAP's former TomorrowNow subsidiary.
 
Sony Ericsson Mobile Communications barely broke even during the third quarter, and reported a small year-on-year drop in revenue as an increase in the average selling price of its phones was offset by a 9 percent fall in volume.
 
The Institute for Science and International Security in Washington has used imagery from Google Earth to conclude that India may be constructing a gas centrifuge plant for uranium enrichment for military purposes, reinforcing Indian fears that Google Earth can be misused to compromise national security.
 
A new wave of free blogging sites, headed by Posterous Spaces and Tumblr, encourage social networking and sharing. We test the two services head to head.
 
Hundreds lined the streets of Tokyo on Friday to be the first in the world to get their hands on the iPhone 4S, temporarily crashing the registration servers at one Japanese mobile operator.
 
Microsoft said Friday that it has closed its US$8.5 billion acquisition of Skype, the Internet telephony provider in Luxembourg, and the company will function as a new business division within Microsoft.
 
Dell's decision to hold its first-ever enterprise conference this week may have helped some of its customers see it as more than just a hardware company.
 
Western Digital breaks new ground with its 1TB Scorpio Blue internal SATA hard drives for laptop computers.
 
This control, Continuous Vulnerability Assessment and Remediation, is an important mechanism to detect known vulnerabilities and, where possible, patch them, or else to use additional host or network controls to prevent exploitation until a patch or update is released. Preferably, the assessment tools should categorize the discovered vulnerabilities using industry-recognized standards such as CVE, so that the data obtained can be correlated and classified with other network devices such as a SIM in order to detect attempted or successful exploitation of the vulnerability.
There are a large number of vulnerability management tools available on the market (free and commercial) which can be used to evaluate system configuration on a continuous basis. A first step would be to run a daily discovery scan against network devices and a full credentialed audit of the systems on a weekly basis, taking into consideration the impact on the network (i.e. scheduling the scans when the network devices are least busy). This ensures that newly found vulnerabilities are taken care of in a timely manner, soon after they have been discovered. Whenever possible, a patch should be tested in an environment that mimics the production system before being pushed enterprise-wide. If the patch fails the tests, other mitigating controls should be tested and put in place to prevent exploitation.
In order to put in place an effective continuous vulnerability assessment plan, the enterprise scanner should be able to compare the results against a baseline and alert the security team when significant changes are detected. This can be done via a ticketing system, email, etc.
All systems identified in CC1 should be scanned for known vulnerabilities, and the scanner should alert the security team upon the discovery of new devices. To ensure CC10 is effective, the security team must periodically verify that the daily and weekly assessments are running as configured and have completed successfully.
There are many more audit tools out there than those listed below; let us know which have been the most effective in your environment.
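The baseline comparison and new-device alerting described above, as an added example that is neither the diary's nor any scanner vendor's code. It assumes a simplified scan shape (the set of devices a discovery scan saw plus (host, CVE, severity) findings from the credentialed audit); the IP addresses and the CVE-0000-xxxx identifiers in the sample data are constructed placeholders. It also covers the freshness check behind the periodic review of the daily and weekly runs.

```python
"""Baseline comparison for continuous vulnerability assessment (CC10).

Added example, not code from the ISC diary or any scanner product. A scan is
reduced to a constructed shape: the set of devices the discovery scan saw and
the set of (host, CVE, severity) findings from the credentialed audit. Real
scanner exports carry more fields; they map onto the same comparison.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# MITRE CVE identifier syntax: CVE-<year>-<4 or more digits>. A finding without
# a valid id cannot be correlated with other tools such as a SIM, so report it.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
WEEKLY = timedelta(days=7)          # expected interval of the full audit
REVIEW_DATE = datetime(2011, 10, 22)  # constructed date of the periodic review


@dataclass(frozen=True)
class Finding:
    host: str       # IP address or hostname
    cve: str        # CVE id, or "" when the scanner supplied none
    severity: str   # one of SEVERITY_RANK


@dataclass(frozen=True)
class ScanResult:
    completed: datetime      # when the assessment finished
    hosts: frozenset         # every device the discovery scan found
    findings: frozenset      # vulnerabilities from the credentialed audit


@dataclass
class Delta:
    new_hosts: set
    missing_hosts: set
    new_findings: set
    resolved_findings: set
    uncorrelatable: set      # findings with no valid CVE id

    def alerts(self, min_severity="high"):
        """Alert lines worth a ticket: any new device, and any new finding at
        or above min_severity. Lower-severity changes stay in the report."""
        threshold = SEVERITY_RANK[min_severity]
        lines = [f"new device discovered: {h}" for h in sorted(self.new_hosts)]
        for f in sorted(self.new_findings, key=lambda f: (f.host, f.cve)):
            if SEVERITY_RANK[f.severity] >= threshold:
                cve = f.cve if f.cve else "(no CVE id)"
                lines.append(f"new {f.severity} vulnerability on {f.host}: {cve}")
        return lines


def compare(baseline, current):
    """Diff two scans. Findings are compared as whole records, so a changed
    severity for the same host/CVE shows up as one resolved plus one new."""
    return Delta(
        new_hosts=set(current.hosts - baseline.hosts),
        missing_hosts=set(baseline.hosts - current.hosts),
        new_findings=set(current.findings - baseline.findings),
        resolved_findings=set(baseline.findings - current.findings),
        uncorrelatable={f for f in current.findings if not CVE_RE.match(f.cve)},
    )


def assessment_overdue(last_completed, now, interval):
    """Freshness check for the periodic review: True when the last successful
    run is older than its schedule (daily discovery, weekly audit)."""
    return now - last_completed > interval


# Constructed sample data. CVE-0000-xxxx are placeholders, not real CVE ids.
BASELINE = ScanResult(
    completed=datetime(2011, 10, 7),
    hosts=frozenset({"10.0.0.5", "10.0.0.6"}),
    findings=frozenset({
        Finding("10.0.0.5", "CVE-0000-0001", "medium"),
        Finding("10.0.0.6", "CVE-0000-0002", "high"),
    }),
)
LATEST = ScanResult(
    completed=datetime(2011, 10, 14),
    hosts=frozenset({"10.0.0.5", "10.0.0.6", "10.0.0.9"}),
    findings=frozenset({
        Finding("10.0.0.5", "CVE-0000-0001", "medium"),    # unchanged
        Finding("10.0.0.6", "CVE-0000-0003", "critical"),  # new; 0002 was fixed
        Finding("10.0.0.9", "", "high"),                   # new device, no CVE id
    }),
)


def run_demo():
    """Compare the constructed scans; returns (delta, alert lines)."""
    delta = compare(BASELINE, LATEST)
    return delta, delta.alerts()


if __name__ == "__main__":
    delta, lines = run_demo()
    for line in lines:
        print("ALERT:", line)
    for f in sorted(delta.resolved_findings, key=lambda f: (f.host, f.cve)):
        print("resolved:", f.host, f.cve)
    if assessment_overdue(LATEST.completed, REVIEW_DATE, WEEKLY):
        print("weekly audit overdue: last completed", LATEST.completed.date())
```

The alert threshold is deliberately separate from the diff: every change is kept in the delta for the weekly report, while only new devices and findings at or above the chosen severity generate a ticket, which keeps the alert channel from drowning in low-severity churn. Findings with no CVE id are surfaced on their own so they can be chased up with the vendor rather than silently failing to correlate in the SIM.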
Commercial Audit Tools
Retina: http://www.eeye.com

GFI LanGuard: http://www.gfi.com

nCircle: http://www.ncircle.com

Nessus: http://www.tenable.com

Qualys: http://www.qualys.com
Freeware Audit Tools
IPScanner: http://www.radmin.com/products/ipscanner/index.php

PSI: http://secunia.com/vulnerability_scanning/personal/

Nmap: http://insecure.org

OpenVAS: http://www.openvas.org
[1] http://www.sans.org/critical-security-controls/control.php?id=10
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Posted by InfoSec News on Oct 14

http://news.cnet.com/8301-27080_3-20120215-245/when-a-hacker-deletes-all-your-gmail-messages/

By Elinor Mills
InSecurity Complex
CNet News
October 13, 2011

Many people are concerned about hacked e-mail accounts (even
celebrities), but what about when several years worth of your digital
file cabinet are deleted, say, by a malicious intruder?

That happened to Deb Fallows six months ago, and her husband, author
James Fallows, wrote a riveting...
 

Posted by InfoSec News on Oct 14

========================================================================

The Secunia Weekly Advisory Summary
2011-10-06 - 2011-10-13

This week: 76 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia...
 

Posted by InfoSec News on Oct 14

http://www.v3.co.uk/v3-uk/news/2117100/government-attract-highly-skilled-staff-cyber-defence

By Dan Worth
V3.co.uk
13 Oct 2011

In a document submitted to parliament by the government in response to
concerns raised by the Intelligence and Security Committee's 2010-2011
report, the coalition said it understands the need to make sure it has
enough highly skilled IT professionals.

"The government shares the committee's concerns...
 

Posted by InfoSec News on Oct 14

http://www.computerworld.com/s/article/9220832/Former_HBGary_Federal_CEO_Barr_regroups_after_Anonymous

By Jeremy Kirk
IDG News Service
October 13, 2011

One might think that former HBGary Federal CEO Aaron Barr would stay far
away from anything associated with the hacking group Anonymous, which
waged an embarrassing hacking campaign earlier this year that resulted
in his resignation.

Barr, who is now director of cybersecurity for a company...
 

Posted by InfoSec News on Oct 14

http://www.eweek.com/c/a/Security/CyberCriminals-Targeting-Retailers-With-Nice-Pack-Exploit-Kit-SQL-Injection-108481/

By Fahmida Y. Rashid
eWEEK.com
2011-10-13

Retailers are seeing an uptick in Web attacks driven mainly by malware
exploit toolkits as cyber-criminals attempt to steal credit card
information, according to Dell SecureWorks.

Hacking attacks against retail customers were up 43 percent from January
to September, Dell SecureWorks...
 

Posted by InfoSec News on Oct 14

http://www.informationweek.com/news/government/security/231900741

By Elizabeth Montalbano
InformationWeek
October 13, 2011

A virus that attacked the system that controls U.S. military drones was
never an operational threat, but merely a "nuisance," the Air Force said
late Wednesday.

The statement was the first official one from the U.S. military after
Wired first reported of the virus last Friday.

The Air Force said it released...
 

Posted by InfoSec News on Oct 14

http://gcn.com/articles/2011/10/11/ausa-secure-andriod-kernel-technology.aspx

By Henry Kenyon
GCN.com
Oct 13, 2011

A research team from Google, George Mason University and the National
Security Agency have developed a hardened kernel for the Android 3.0
operating system that could solve the problem of using smart phones in
military operations and emergency response.

The kernel, which is in the final stages of certification testing, opens...
 

Posted by InfoSec News on Oct 14

http://risky.biz/minter

By Patrick Gray
risky.biz
October 14, 2011

Australian security researcher Patrick Webster has received a letter
from commercial law firm Minter Ellison demanding he turn over his
computer to its client First State Superannuation.

The legal threat follows Webster's disclosure of a serious and trivially
exploitable security vulnerability in First State Superannuation's
website to the company in September....
 

Survey finds dangerous gap in prevention
IDG News Service
However, as we noted in last month's cover story, "What makes an infosec leader," organizations are not investing in the processes necessary to make certain those technologies are running in concert. For instance, only 43% of respondents have established ...
