InfoSec News

Oracle refused to provide critical bug fixes for customers who run its software on Hewlett-Packard's Integrity servers, in a bid to coerce them to switch over to Oracle hardware, HP alleged in a lawsuit it filed Wednesday.
Microsoft Object Linking and Embedding (OLE) Automation WMF File Remote Code Execution Vulnerability
A Michigan court has ruled that Comerica Bank is liable for a US$560,000 cyberheist, saying the bank should have done a better job of spotting millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.
The CIA's main public-facing website appears to have been taken down by hacking group LulzSec earlier today.
LightSquared has asked for another two weeks to compile a report on possible interference between its planned cellular network and the GPS system.
The company's large database of user-generated information could be an appealing source about the best and worst places to go in a city, Foursquare co-founder Dennis Crowley said at the opening day of the 140 Characters Conference.
What does $3000 get you in a business laptop these days? With the Dell Latitude E6420 ATG, it buys top-flight computing speed and nearly half a day's battery life packed into a feature-rich chassis with a fortified case that might stop some bullets.
When Dell means business, it doesn't kid around. The Dell Latitude E5420 is one of the toughest-looking corporate laptops I've seen that isn't specifically designated as ruggedized. From its dark grey, brushed anodized aluminum case to its magnesium-based insides and sturdy-looking hinges and lock, everything about it screams "hard-core business tool."
LightSquared said it may ask for another two weeks to compile a report on possible interference between its planned cellular network and the GPS system, as a Wednesday deadline for the report loomed.
Nagios 'expand' Parameter Cross Site Scripting Vulnerability
Adobe Shockwave Player CVE-2011-0335 Multiple Remote Memory Corruption Vulnerabilities
Nagios 'layer' Parameter Cross-Site Scripting Vulnerabilities
Adobe Shockwave Player 'IML32.dll' CVE-2011-2116 Remote Memory Corruption Vulnerability
Adobe Shockwave Player CVE-2011-2114 Multiple Memory Corruption Vulnerabilities
Tomboy 'tomboy-panel' LD_LIBRARY_PATH Environment Variable Local Privilege Escalation Vulnerability
TPTI-11-11: Adobe Shockwave Lnam Chunk Parsing Remote Code Execution Vulnerability
TPTI-11-08: Adobe Shockwave iml32.dll DEMX Chunk GIF Parsing Remote Code Execution Vulnerability
TPTI-11-07: Adobe Shockwave iml32.dll CSWV Chunk Parsing Remote Code Execution Vulnerability
TPTI-11-06: Oracle Java ICC Profile rcs2 Tag Parsing Remote Code Execution Vulnerability
Google has launched a tool to help people monitor online mentions of their names and take action to protect their reputation when they find objectionable references and information.
A laptop containing unencrypted medical data for 8.63 million people has reportedly gone missing from a storeroom of a health authority in London, potentially the biggest data loss disaster ever to befall the NHS.
Adobe has switched on silent updating for its popular Reader PDF viewer, the company announced Tuesday.
Carbonite's small business solution charges a flat rate of $229 per year for 250GB of storage.
LexisNexis is planning to release its internally developed supercomputing platform as open source, providing developers with an alternative to the Hadoop framework for large-scale data processing, the company said Wednesday.
Two lawmakers today proposed a bipartisan bill that would regulate how law enforcement agencies and companies can access and use geo-location data gathered from cell phones, tablets and other mobile devices.
Cloud computing may be most cost-effective when restricted to smaller jobs, a USENIX researcher notes.
Shaw reviews Xperia Play, by Sony Ericsson.
An analysis of nearly 40,000 passwords stolen from Sony Pictures by the LulzSec crew shows that people are still re-using passwords, a dangerous practice given frequent Web site break-ins, a researcher said today.
Oracle Java SE and Java for Business CVE-2010-4447 Remote Java Runtime Environment Vulnerability
Adobe Acrobat and Reader Font Parsing Remote Memory Corruption Vulnerability
Apache HttpComponents 'HttpClient' Information Disclosure Vulnerability
Worried you're going to miss today's lunar eclipse? Google has a solution for you.
Microsoft Windows 'win32k.sys' OpenType Font Parsing Remote Code Execution Vulnerability
Adobe LiveCycle Data Services and BlazeDS Remote Denial of Service Vulnerability
Oracle Java SE and Java for Business CVE-2011-0865 Remote Java Runtime Environment Vulnerability

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle Java SE and Java for Business Remote Code Execution Vulnerability
PMC-Sierra announced a new serial-attached SCSI (SAS) controller that doubles the throughput between storage devices and their disk arrays, compared with its previous products, offering up to 750,000 I/Os per second
A flood of simple computing devices is hitting the market, aimed at pushing the cloud outside of the enterprise. Samsung and Acer have announced Chromebooks. Startup ITWin is offering a USB device that helps users access files on remote computers. And Panasonic has shown a Viera tablet for its TVs.
Adobe Flash Player CVE-2011-2110 Remote Memory Corruption Vulnerability
[SECURITY] [DSA 2261-1] redmine security update
NSFOCUS SA2011-01 : Microsoft Internet Explorer Link Property Processing Memory Corruption Vulnerability
HTB23005: Multiple XSS in N-13 News
HTB23010: Multiple XSS & Local File Inclusion in Free Simple CMS

How LulzSec Hackers Outsmart Security Gurus
From an ethos standpoint, the band parallels other loosely affiliated hacking groups, such as GOBBLES, and more recently Anonymous (from which LulzSec is rumored to have arisen), said Jack Koziol, director of information security training firm Infosec ...
Google's Chromebooks and Chrome OS have landed. Our reviewer found the Chromebook a useful addition but not a replacement for his PC. But Google says the new devices are more focused on the business market. Are Chromebooks right for the enterprise?
Microsoft Internet Explorer Link Properties Uninitialized Memory Remote Code Execution Vulnerability
[BGA - SignalSEC Advisory]:Adobe Shockwave Player Remote Code Execution
ZDI-11-219: Adobe Acrobat Reader 3difr.x3d Multimedia Playing Remote Code Execution Vulnerability
ZDI-11-218: Adobe Acrobat Reader tesselate.x3d Multimedia Playing Remote Code Execution Vulnerability
ZDI-11-217: Adobe Shockwave Font Structure Parsing Remote Code Execution Vulnerability

Should enterprise IT fear Apple iCloud?
"[iCloud] would need to conform to data classification policy and Apple would have to pass our infosec assessment for all SaaS providers," said Christian Reilly, IT director for a large multinational firm. His firm already has an iPad app deployed to ...
Right as the new school year comes up, it dawns on you: Your laptop is hopelessly outdated. Maybe you're accustomed to using the family computer at home, and will need one of your own as you head off to college. Or perhaps you're a high school student who just can't take another year of sharing your computer with relatives. Whether you're a parent purchasing for your child or a student spending your own limited funds, you should look for a few key things when buying a laptop for academic life. With our list of what to consider and what to avoid, the dizzying array of choices just might seem less overwhelming.
Apple's blazing-fast, elegant, and economical everything-in-one goes where ordinary desktops can't.
The netbook's day in the sun was short-lived, and it took Apple to show the way with 'tweener devices.
[SECURITY] [DSA 2259-1] rails security update
GIMP PSP Image Parsing Heap Buffer Overflow Vulnerability
Justice Ministers across Europe want to make the creation of hacking “tools” a criminal offence, but critics have hit back at the plans saying that they are unworkable.
The U.S. State Department questioned the Chinese government about a cyberattack that had temporarily shut down a website after the site held a petition urging Chinese authorities to release artist Ai Weiwei from custody.
For the second time in nine days, Adobe on Tuesday patched a critical vulnerability in Flash Player that hackers were already exploiting.
Mobile startup LightSquared may go from the frying pan to the fire on Wednesday when it releases a report on potential interference between its planned network and GPS.
The hacking group known as LulzSec called it Titanic Takeover Tuesday. Gamers called it by a variety of names, many of which cannot be reprinted here. But for system administrators at a handful of gaming companies, Tuesday was a nightmare: the day their websites went down under an online attack.
Ethernet vendors will need to develop faster products more quickly to keep up with the demand being created by mobile and cloud computing, some participants at an industry group meeting said.
Silicon Valley's Representative in Congress, Zoe Lofgren, has proposed a sweeping reform of the H-1B visa and green card programs in a new bill released Tuesday.
Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.
Samsung and Acer have shipped their Chromebooks, which use Google's new Chrome OS to trade the desktop for the cloud. We take a close look at the hardware and the OS.
WordPress Real WYSIWYG Plugin 'insert_file.php' Arbitrary File Upload Vulnerability