InfoSec News

Microsoft on Wednesday showed off how Facebook friends will influence Bing users' search results, as part of a wide-ranging update on search that also showcased developments in its local and image search and maps offerings.
 
Microsoft Office Large SPID Read AV Remote Code Execution Vulnerability
 
A member of the group of hackers credited with uncovering more than 100,000 iPad users' e-mail addresses on AT&T's website worked hard to get the story covered by the media, according to recently unsealed court documents.
 
Linux Kernel 'hfc_usb.c' Local Privilege Escalation Vulnerability
 
Linux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation Vulnerability
 
Linux Kernel 'megaraid_sas' Driver Insecure File Permission Local Privilege Escalation Vulnerability
 
Sony's VPCZ137GX strikes a balance between portability, ergonomics, and performance that's hard to beat. It's not quite as light or as small as many of its ultraportable competitors, but it offers a 13.1-inch, 1600 by 900 display, great ergonomics, and the onboard DVD burner that's rare in the category. It's still smaller and lighter than your basic all-purpose 14- or 15-inch laptop, too. It also looks great and is a fantastic performer.
 
Reader Donald (who describes himself as an "old books seller"--wonder if he's describing himself or the books?) is having a problem with his system: when he rouses it from Sleep Mode (a.k.a. Standby), his browser no longer works properly.
 
Multiple Mozilla Products Script Filename Cross Domain Information Disclosure Vulnerability
 
Mozilla Firefox, Thunderbird, and SeaMonkey 'nsTreeSelection' Remote Code Execution Vulnerability
 
Mozilla Firefox/SeaMonkey/Thunderbird Cross Domain Scripting Vulnerability
 
Even if I didn't have a faulty box, I have some reservations about the all-in-one nature and features of this box.
 
VMware customers run an average of 12.5 virtual machines on each physical server, but memory limitations may be preventing further progress.
 
The U.S. ranks 25th in the world in average Internet connection speed, a new report says.
 
Oracle has released version 5.5 of its open source MySQL database and is pushing it for Web application duties.
 
Re: OpenBSD Paradox
 
OpenBSD Paradox
 
[security bulletin] HPSBMA02616 SSRT100231 rev.1 - HP Insight Management Agents Running on Linux and Windows, Remote Full Path Disclosure
 
The number of corporations arming workers with tablets will double early next year, a research firm said today, citing its recent survey of more than 1,600 IT buyers.
 
Oracle on Wednesday announced Cloud Office 1.0, a Web-based productivity suite that is set to give online applications from Microsoft and Google a fresh dose of competition.
 
Re: OpenBSD's IPSEC is Backdoored
 
[security bulletin] HPSBMA02615 SSRT100228 rev.1 - HP Insight Diagnostics Online Edition Running on Linux and Windows, Remote Cross Site Scripting (XSS)
 

An encoded user was identified in the HP StorageWorks MSA G3 P2000, which does not appear in the user management system, which allows an attacker to access sensitive information stored on the device and other connected systems.

Username: admin

Password: !admin

It is difficult to make any forecast on this type of vulnerability; we recommend maintaining security baselines for all the infrastructure implemented in accordance with the recommendations of each manufacturer. Thus, we can manage the risks arising from use of these platforms without affecting performance or the result of business processes.

More information at http://www.securityweek.com/backdoor-vulnerability-discovered-hp-msa2000-storage-systems.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
SAP released a 'significant number' of security patches for its Business Suite applications and NetWeaver middleware platform on Tuesday, following an 'extensive scan of 280 million lines of coding with new, enhanced code scan tools,' according to the company.
 
Real Networks RealPlayer 'GIF87a' File Parsing Heap Overflow Vulnerability
 
[ MDVSA-2010:255 ] php-intl
 
Microsoft's Internet Explorer 9 (IE9) blocks more malicious sites and malware than any other browser, including its predecessor IE8, according to a report released Tuesday.
 
STEC today announced that for the first time a major equipment manufacturer, IBM, has incorporated its MLC-based SSDs into both high-end external storage arrays.
 
Google Urchin 'urchin.cgi' Local File Include Vulnerability
 
HP StorageWorks Hidden Admin User Unauthorized Access Vulnerability
 
Kryptos Logic Advisory: IBM Tivoli Storage Manager (TSM) Local Root
 
[security bulletin] HPSBOV02618 SSRT100354 rev.1 - HP OpenVMS Integrity Servers, Local Denial of Service (DoS), Gain Privileged Access
 
Re: hidden admin user on every HP MSA2000 G3
 
www.eVuln.com : BBCode CSS XSS in slickMsg
 
Mozilla will reward vulnerability hunters for critical flaws found on a dozen Mozilla websites.

 
Mobile broadband based on HSPA (High-Speed Packet Access) will in the future be able to offer download speeds of more than 650Mbit/sec., T-Mobile USA and Nokia Siemens Networks said.
 
The man behind the world's largest social network has been named Time magazine's Person of the Year.
 
IBM Tivoli Storage Manager Client Multiple Remote Vulnerabilities
 
Microsoft Internet Explorer Denial of Service Vulnerability
 
ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book
 
minor browser UI nitpicking
 
iDefense Security Advisory 12.14.10: Microsoft Internet Explorer CSS Style Table Layout Uninitialized Memory Vulnerability
 
The new Core Insight pen testing suite can lay out the history of testing campaigns and the relative threat level of an enterprise's systems.

 
We received plenty of e-mail alerting us of a mailing list post [1] alleging a backdoor in the OpenBSD IPSec code. The story is too good to pass up and was repeated on Twitter and other media. However, aside from the mailing list post, there is little if any hard evidence of such a backdoor. The code in question is 10 years old. Since then, it has been changed, extended, patched and copied many times. I personally do not have the time nor the skill to audit code of the complexity found in modern crypto implementations. But my gut feeling is that this is FUD if not an outright fraud.
Keep using VPNs; if you are worried, limit the crypto algorithms used to more modern ones. It is always a good idea to build additional defensive layers and review configurations from time to time. But at some point, you have to decide who you trust in this game and how paranoid you can afford to be.
[1] http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Eucalyptus System partners with Red Hat to offer private cloud integration.
 
PHP NULL Character Security Bypass Vulnerability
 
RDM Embedded Lock Manager 'lm_tcp' Service Buffer Overflow Vulnerability
 

One of the service components inside BlackBerry Enterprise Server is the BlackBerry Attachment Service, which retrieves and converts attachments from Word, Excel, PowerPoint, WordPerfect, PDF, ASCII documents, HTML attachments, JPG, BMP, GIF, PNG and TIFF images, and the file types listed above archived in .zip format, to the Universal Content Stream format for BlackBerry devices. The specific component that handles PDF files is the PDF distiller, which could allow arbitrary code execution on the computer that hosts the BlackBerry Attachment Service due to buffer overflow errors.

PDF vulnerabilities have become very common and it is important that all those who have services with programs that depend on this format place additional controls to minimize the risk of malware and buffer overflows in the infrastructure.

More information at http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24761
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft and Google battle on a dizzying number of fronts.
 
Cisco and T-Mobile USA today announced Wi-Fi Calling for Business to help ensure reliable voice calls over Wi-Fi as well as seamless roaming of voice and data traffic between Wi-Fi and cellular networks for smartphone users.
 
Mozilla has expanded the scope of its vulnerability reward program and will now pay out for problems found within applications used across its Web sites.
 
Xfig '.fig' File Color Definition Stack Buffer Overflow Vulnerability
 
For mobile workers who need the fastest online connection available, Sprint's 4G service can provide up to seven times the speed of its 3G network.
 
A former government contractor says that the FBI installed a number of back doors into the encryption software used by the OpenBSD operating system.
 
If your company allows employees to use an iPhone, here are the productivity apps that you should install on the mobile devices.
 
Microsoft said on Tuesday that it would backport an Office 2010 security feature to the older and more widely used Office 2003 and Office 2007 early next year.
 
Tablets are making such a mark in the computer market that they just might start giving the world's largest chip maker a good bashing.
 

Cyber Security Challenge Won By Actor
eWEEK Europe UK
Paul Laverack from London has become the UK winner of the US Department of Defense DC3 Digital Forensics Challenge, which was first mooted at the Infosec ...

 
Asustek Computer, the Taiwanese computer maker that pioneered netbooks, believes it can take a double digit share of the global tablet PC market next year and ship as many as 20 million laptop PCs.
 
InfoSec News: China Likely Behind Stuxnet Attack, Cyberwar Expert Says: http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/228800582/china-likely-behind-stuxnet-attack-cyberwar-expert-says.html
By Kelly Jackson Higgins Darkreading Dec 14, 2010
Israel and the U.S. so far have been pegged as the most likely [...]
 
InfoSec News: Feds probe '100 site' data breach: http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/
By Dan Goodin in San Francisco The Register 15th December 2010
FBI agents looking into the theft of customer data belonging to McDonald's are investigating similar breaches that may have hit more [...]
 
InfoSec News: F.B.I. Memos Reveal Cost of a Hacking Attack: http://bits.blogs.nytimes.com/2010/12/14/f-b-i-memos-reveal-cost-of-a-hacking-attack/
By VERNE G. KOPYTOFF The New York Times Bits December 14, 2010
Repelling a hacker attack can be costly as PayPal, Visa and MasterCard undoubtedly found out last week as they tried – with mixed success – to [...]
 
InfoSec News: 'Tunneling' Used in HISD Hacking: http://www.myfoxhouston.com/dpp/news/scitech/101214-tunneling-used-in-hisd-hacking
By SALLY MACDONALD Reporter MyFox Houston 14 Dec 2010
HOUSTON - H.I.S.D. superintendent Terry Grier is revealing new information in the investigation of a serious computer hacking threat.
Dr. [...]
 
InfoSec News: Smartphone botnets? New report predicts mobile devices will be part of DDoS attacks: http://www.csoonline.com/article/646713/smartphone-botnets-new-report-predicts-mobile-devices-will-be-part-of-ddos-attacks
By Joan Goodchild Senior Editor CSO December 14, 2010
Smartphones could soon be used to launch distributed attacks, much like [...]
 
InfoSec News: Secrecy News -- 12/14/10 - JASON: SCIENCE OF CYBER SECURITY NEEDS MORE WORK: ---------- Forwarded message ---------- Date: Tue, 14 Dec 2010 09:15:22 -0500 From: Steven Aftergood <saftergood (at) fas.org> Subject: Secrecy News -- 12/14/10 (alt list)
SECRECY NEWS from the FAS Project on Government Secrecy Volume 2010, Issue No. [...]
 
InfoSec News: FBI allegedly backdoored OpenBSD IPSEC stack?: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
List: openbsd-tech Subject: Allegations regarding OpenBSD IPSEC From: Theo de Raadt <deraadt () cvs ! openbsd ! org> Date: 2010-12-14 22:24:39 Message-ID: 201012142224.oBEMOdWM031222 () cvs ! openbsd ! org
[Download message RAW] [...]
 
Six in 10 hiring managers and technology recruiters expect to do more hiring in the first half of 2011 than in the previous six months, according to the latest Dice report on IT hiring plans.
 

Posted by InfoSec News on Dec 14

http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/228800582/china-likely-behind-stuxnet-attack-cyberwar-expert-says.html

By Kelly Jackson Higgins
Darkreading
Dec 14, 2010

Israel and the U.S. so far have been pegged as the most likely
masterminds behind the Stuxnet worm that targeted Iran's nuclear
facility, but new research indicates China could instead be the culprit.

Jeffrey Carr, founder and CEO of...
 

Posted by InfoSec News on Dec 14

http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/

By Dan Goodin in San Francisco
The Register
15th December 2010

FBI agents looking into the theft of customer data belonging to
McDonald's are investigating similar breaches that may have hit more
than 100 other companies that used email marketing services from
Atlanta-based Silverpop Systems.

“The breach is with Silverpop, an email service provider that has over
105...
 

Posted by InfoSec News on Dec 14

http://bits.blogs.nytimes.com/2010/12/14/f-b-i-memos-reveal-cost-of-a-hacking-attack/

By VERNE G. KOPYTOFF
The New York Times
Bits
December 14, 2010

Repelling a hacker attack can be costly as PayPal, Visa and MasterCard
undoubtedly found out last week as they tried – with mixed success – to
keep their Web sites from being knocked offline by supporters of
Wikileaks.

How much money exactly? An unrelated attack several years earlier on...
 

Posted by InfoSec News on Dec 14

http://www.myfoxhouston.com/dpp/news/scitech/101214-tunneling-used-in-hisd-hacking

By SALLY MACDONALD
Reporter
MyFox Houston
14 Dec 2010

HOUSTON - H.I.S.D. superintendent Terry Grier is revealing new
information in the investigation of a serious computer hacking threat.

Dr. Grier says the hacker used a technique called tunneling to access
the district's computer records. The hacker looked at the private
information of at least one student,...
 

Posted by InfoSec News on Dec 14

http://www.csoonline.com/article/646713/smartphone-botnets-new-report-predicts-mobile-devices-will-be-part-of-ddos-attacks

By Joan Goodchild
Senior Editor
CSO
December 14, 2010

Smartphones could soon be used to launch distributed attacks, much like
traditional PCs are now used as parts of larger botnet networks,
according to a new report from ENISA, the European Network and
Information Security Agency. In research that details the many...
 

Posted by InfoSec News on Dec 14

---------- Forwarded message ----------
Date: Tue, 14 Dec 2010 09:15:22 -0500
From: Steven Aftergood <saftergood (at) fas.org>
Subject: Secrecy News -- 12/14/10 (alt list)

SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2010, Issue No. 99
December 14, 2010

Support the FAS Project on Government Secrecy with a donation:
http://www.fas.org/member/donate_today.html

** JASON: SCIENCE OF CYBER SECURITY NEEDS MORE WORK...
 

Posted by InfoSec News on Dec 14

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

List: openbsd-tech
Subject: Allegations regarding OpenBSD IPSEC
From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date: 2010-12-14 22:24:39
Message-ID: 201012142224.oBEMOdWM031222 () cvs ! openbsd ! org

[Download message RAW]

I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they...
 
The Sheriff's Office in Mesa County, Colorado mistakenly posted to a publicly available site a database containing names, Social Security numbers and contact information on confidential drug informants, suspects, and victims in criminal investigations.
 