InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
OpenPAM 'pam_start()' Local Privilege Escalation Vulnerability
Gibbs wants to avoid a "Googlesplosion" ... Gmail Backup is the recipe for happiness.
A controversial bill to prevent online piracy by rogue foreign sites appears poised to pass a House committee despite strong opposition from some lawmakers.
Linux Kernel 'ext4_ext_insert_extent()' Local Denial of Service Vulnerability
Research In Motion said it won't start selling phones with its new software platform until the "later part" of 2012 and had to take a US$485 million inventory-related charge on its PlayBook tablet as part of another poor earnings report for the struggling smartphone maker.
Twitter announced an update to its mobile client last week that may render third-party, multi-account Twitter clients obsolete. Third-party Twitter mobile apps have always been a few steps ahead of Twitter when it came to ease of use and features, but that will no longer be the case.
The U.S. House of Representatives Judiciary Committee slowly moved toward approval of the controversial copyright enforcement bill Stop Online Piracy Act (SOPA), although the panel was able to debate only a handful of amendments Thursday.
Excerpt from their website:

A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows on December 16, 2011. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. We are planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012. For further context on this schedule, please see the corresponding ASSET blog post.

Looks like we'll be patching Adobe Reader and Acrobat tomorrow against this newest threat that has been making the rounds over the past couple weeks.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Greenpeace International has ended a long-running campaign calling on Facebook to "unfriend coal" as a source of energy for its data centers, after Facebook agreed to promote clean and renewable energy, the two said Thursday.
2011 was a tumultuously transitional year for Cisco. The company came to the realization that its strategy for growth by entering new markets spread it too thin, distracted it from core markets and impacted profits. It cost thousands of employees their jobs.
JP Morgan is expanding its use of supercomputers to speed up more of its fixed income trading operations.
Salesforce.com announced Thursday it will acquire cloud-based performance management vendor Rypple in a bid to enter the human resources software market.
The Office of the National Coordinator for Health Information Technology has partnered with the Surgeon General to launch the Healthy App Challenge, which invites developers to submit health, wellness, and fitness apps.
Adobe plans to release a patch Friday for an older version of the Reader PDF viewer to stymie attacks like those aimed at major defense contractors earlier this month.
A cancer diagnostics firm is using a single sign-on service to secure a growing pool of SaaS subscriptions.
New IETF I-Ds on Fragmentation-related security issues
Following a breach to a GlobalSign Web server, an extensive investigation found no evidence of an infiltration of its digital certificate infrastructure and no leakage of its certificate keys.

Google Chrome Prior to 16.0.912.63 Multiple Security Vulnerabilities
[ MDVSA-2011:188 ] libxml2
Seotoaster SQL-Injection Admin Login Bypass
Zoho unveiled a significant upgrade to its on-demand CRM (customer relationship management) software on Thursday with new features including an overhauled user interface and an integration with LinkedIn.
Virtustream's acquisition of Enomaly could help enterprises turn a drawback of private clouds--excess capacity--into a profit center.
Google offers its take on what technology and technologists most interested the online world this year.
Tablets are a tricky proposition for many IT departments since they have many of the content creation capabilities of laptops but lack mature security software.
RhinoSoft Serv-U FTP Server Directory Traversal Vulnerability
Dolibarr Multiple Cross Site Scripting and SQL Injection Vulnerabilities
BestShopPro 'str' Parameter Cross Site Scripting and SQL Injection Vulnerabilities
WHMCS Local File Include And Local File Disclosure Vulnerabilities
[ MDVSA-2011:187 ] php-pear
[RT-SA-2011-005] Owl Intranet Engine: Authentication Bypass
NGS00141 Patch Notification: Websense Triton 7.6 - Stored XSS in report management UI
NGS00140 Patch Notification: Websense Triton 7.6 - Unauthenticated remote command execution as SYSTEM
I've written for years that it is impossible to make a product too easy to use. But the industry has proved me wrong, by making products that are so focused on easy that they encourage sloppy, unmaintainable system configurations. In the pursuit of something easy enough for mortals to use (and sales reps to demo), some cloud vendors are paving the way for a big mess a few months after deployment.
Google's Chrome 15 has jumped into the number one spot, replacing Microsoft's Internet Explorer 8 as the world's most popular browser edition.
Pidgin SILC (Secure Internet Live Conferencing) Protocol Denial of Service Vulnerability
Pidgin Jingle Extension XMPP Protocol Denial of Service Vulnerabilities
PmWiki 'PageListSort()' Function PHP Code Injection Vulnerability

An InfoSec Holiday Survival Guide
E-Commerce Times
... as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.


InfoSec: Enterprise architecture building codes
ComputerworldUK (blog)
There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organised criminals after financial gain, and state-sponsored groups after financial gain, intellectual property, or both. ...
InfoSec: Enterprise Architecture Building Codes
CSO (blog)



Defining Infosec Jobs: A Helpful Tool
Ultimately, McDuffie says, the framework is intended to be a guideline to aid organizations that are trying to make decisions on how to invest in cybersecurity (see 7 Key Infosec Occupation Categories). "How do you measure the amount of money and funds ...


NetWars to test the skills of infosec professionals
Help Net Security
At SANS London 2011, Europe's largest IT security training event, NetWars will be launched for the first time in the UK. NetWars participants compete in a mock enterprise environment to test their defensive, analytic, and offensive cyber skills ...


Why we still need infosec's weakest link
ZDNet Australia
Many agree that the weakest link in security lies with the end user, but, according to Check Point information systems vice president Jorge Steinfeld, you still need people for security if you don't want your business to grind to a halt. ...


Q2ebanking Names Jay McLaughlin Chief Security Officer, Senior Vice President ...
MarketWatch (press release)
McLaughlin is a regular speaker at industry events, including MIS Training Institute's InfoSec World, IDG's Storage Networking World, midTech IT Summit, and InnoTech. He has been quoted in various publications including ComputerWorld, CIO Magazine, ...


2012 IT Staffing Crisis?
SYS-CON Media (press release) (blog)
Evening the bar of what skill set is needed is vitally important, because most companies can at least find some System Admins (2.8% unemployment) but may not find a Network Architect or InfoSec guy to implement the apps on the BIG-IP. ...



Security Analyst, Architect Head Top Career Opportunities
(see Infosec Joblessness Remains Steady, at 0%). John Reed, executive director at Robert Half Technology, an IT staffing firm, attributes the high growth to organizations becoming more security aware in light of cyber crimes, and needing hands-on IT ...


Galaxy Tab 10.1 hits American Airlines
ZDNet Australia
ANZ disables eStatements in security flap - ANZ Banking Group says it could take several weeks to fix a security pro... http://t.co/tdcubbc4 ANZ has disabled its eStatements functionality due to an #infosec problem it thinks could take weeks to solve. ...


ESET, the award-winning infosec firm UK still waking up to
ComputerWeekly.com (blog)
By Warwick Ashford on December 15, 2011 6:47 AM. ESET is an award-winning information security firm that dates back to the first computer viruses, yet it is still under the radar of most UK business and consumers. ...

Businesses should be formulating cloud strategies now that get the most out of their network providers to better support whatever cloud services they wind up buying, according to a prominent cloud-economics expert.
Facebook announced today that it's making its new Timeline feature available to users worldwide.
IBM has signed a deal to buy supply and contract management software vendor Emptoris in another bid to fill out its growing catalog of business-to-business and business-to-consumer commerce technologies, the company announced Thursday. Terms of the deal, which is scheduled to close in the first quarter of next year, were not provided.
Shaw reviews HP's TouchSmart Desktop 610 Quad series.
iOS 5 introduced iMessage, a new capability within your iOS device's Messages app that can send text, picture, and video messages to other iPhones without counting against your carrier's messaging plan. What's more, iMessage actually works with any device running iOS 5, meaning iPad and iPod touch owners can get in on the messaging fun, too.
Walking past laptop-toting digital nomads who huddle around the outlets lining the concourse, you arrive at your gate with 30 minutes to spare. You have a 6-hour flight in front of you, and a laptop and a smartphone that need a full charge to keep you working and listening to music throughout the flight. You stalk the gate area. The two available outlets on the payphone are taken. No outlets on the walls. The remaining minutes before departure click down. A baby is crying. (Please, please, please, you think, don't seat me next to the baby...). "Final call for boarding." Your laptop has an hour of life left, and so does your phone. When both are dead, your noise-canceling headphones will be useless. You board and approach your seat. You're in 16B. The baby, in 16C, is already crying...
Editor's Letter
Tablet sales at 18.1 million units during the third quarter were somewhat lower than expected, but stronger-than-expected demand during the rest of the year will give the market a boost, according to market research company IDC.
Network World's own Indiana Shaw goes through more than just the temple of doom to find gifts suitable for you or other techies on your list. Just like his more famous archeologist cousin who digs up ancient artifacts and treasures from around the globe, Indiana Shaw scours the globe and the Internet to dig up the greatest technology treasures.
Reflecting the growing need for automation tools in the enterprise, Quest Software has released a software package that could help Unix administrators better manage policy files that determine which users can access privileged material and programs on Unix and Linux systems.
Microsoft will silently upgrade Internet Explorer starting next month, arguing that taking the responsibility out of the hands of users will keep the Web safer.
Sony Ericsson is offering owners of its Xperia smartphones 50GB of free online data storage in partnership with cloud storage company Box, the smartphone maker said on Thursday.
iBahn, a provider of internet services to some 3,000 hotels worldwide, denied on Thursday a news report that its network was breached by hackers.
Last month, Google announced a plan to merge its Checkout and Wallet electronic payment services into a single product for both Web browsers and mobile devices. The announcement of the combined product, which will use the Wallet name, comes more than five years after the launch of Checkout, which back then was seen by some as a potential "PayPal killer". Checkout never came close to fulfilling that prediction, becoming instead a payment system primarily for Google sites. However, Google hasn't given up on the e-payments market and has high expectations for Wallet. IDG News Service recently had a chance to chat with Osama Bedier, the company's Payments vice president, about Google's plans for Wallet and vision of the e-payments market. An edited version of the interview follows.
The IT job market in 2012 shows some signs of improvement when it comes to hiring, but most companies still aren't expanding.
All 26 of Adventist Health System's hospitals rolled out computerized physician order entry systems -- the biggest barrier to attaining the U.S. government's meaningful-use certification -- in just 28 months.
The Sony PlayStation Vita is well-positioned to avoid the struggles of its main handheld rival, Nintendo's 3DS, the executive in charge of Sony's game business said Thursday.
In a reorganization of its mobile business, Intel said Wednesday it has formed a new group, called the Mobile and Communications Group (MCG), that will focus on phones, tablets, and other mobile devices.