Hackin9

InfoSec News

Facebook has petitioned the U.S. courts to consolidate more than 30 lawsuits filed in connection with its ill-handled initial public offering.
 
Salesforce.com is rolling out a number of upgrades to its Force.com platform in conjunction with the Summer '12 update to the vendor's cloud CRM (customer relationship management) software, focusing on areas such as mobile application development, database tooling and easier upgrades.
 
Several questions remain after the Internet Corporation for Assigned Names and Numbers unveiled 1,930 applications for new generic top level domains this week, long-time ICANN observers said.
 
Facebook's chief technology officer, Bret Taylor, will leave the company later this summer, according to a post on his Facebook page Friday.
 
A 36-year-old Apple-1 personal computer, one of just six thought to be in working condition, sold for a record $374,500 at a New York auction today.
 
ARM has developed a new, entry-level version of its Mali graphics processor that could help expand the market for low-cost Android tablets.
 
[ MDVSA-2012:093 ] php
 
[ MDVSA-2012:092 ] postgresql
 
[ MDVSA-2012:091 ] libreoffice
 
IObit Protected Folder Authentication Bypass
 
If your resume can't get past the applicant tracking system, it might never be seen by human eyes.
 
[slackware-security] mozilla-firefox (SSA:2012-166-02)
 
[SECURITY] [DSA 2494-1] ffmpeg security update
 
Re: Bugtraq ID# 53694 is invalid/fake
 
[security bulletin] HPSBOV02774 SSRT100684 rev.1 - HP TCP/IP Services for OpenVMS, BIND 9 Resolver, Remote Denial of Service (DoS)
 
VMSA-2012-0011 VMware hosted products and ESXi and ESX patches address security issues
 
Nuked Klan SP CMS v4.5 - SQL injection Vulnerability
 
Interspire Shopping Cart v6 - Multiple Web Vulnerabilities
 
Virtualization software vendor VMware has released security patches for its Workstation, Player, Fusion, ESXi and ESX products in order to address two vulnerabilities that could allow attackers to compromise the host system or crash a virtual machine.
 
The U.S. National Telecommunications and Information Administration will step up work on an effort to develop mobile privacy standards on July 12, when the agency meets with mobile carriers, app developers and other stakeholders in the first of a series of meetings on online privacy.
 
Some analysts are speculating that Microsoft will unveil a Windows RT-based tablet at a major media event the company has scheduled for Monday afternoon in Los Angeles.
 
Apple customers who purchase the company's new Retina MacBook Pro will pay more to replace the notebook's integrated, glued-down battery, according to Apple.
 
The Standard Performance Evaluation Corporation (SPEC), well known for its computer system benchmarks, is planning to extend its testing methodology to measure cloud deployments as well.
 
[ MDVSA-2012:090 ] openoffice.org
 
QuickBlog v0.8 CMS - Multiple Web Vulnerabilities
 
Boonex Dolphin v7.0.9 CMS & Mobile App - Multiple Web Vulnerabilities
 
[Suspected Spam] eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities
 
Even though Apple fleshed out more details about OS X Mountain Lion at WWDC, it's obvious that questions about the enhancements and improvements remain. So we've got the answers.
 
Microsoft's search engine Bing will now feature content from Yelp, an online company that helps people find great restaurants, hotels and stores based on users' opinions.
 
Motorola Solutions acquired mobile computer maker Psion for $200 million, as the company moves ahead to distinguish itself following the Motorola split last year.
 
Big Data is exciting stuff, but don't take my word for it. Ask the Academy of Arts and Sciences, who nominated Moneyball -- a movie about Big Data -- for six Oscars. If Hollywood is on board, you know Big Data has gone mainstream. What's more, Tinsel Town managed to do what most industry commentators haven't: Spin a tale that is both interesting and illustrative of Big Data's transformative potential.
 
Apple isn't afraid to stir things up, making people rethink how they use technology. In recent years, most of that kind of innovation has focused on the iPhone, iPad, and iOS. But the MacBook Pro with Retina display now directs attention back to the Mac.
 
Forrester surveys show that many enterprise IT leaders are embracing cloud services -- especially SaaS -- but tend to see cloud services as inferior to their own internal deployments. Sadly, this view is uninformed. Enterprises that have the most direct experience with cloud services report that clouds can deliver superior security, performance, scalability, and cost efficiency compared with traditional IT. But only when the company acknowledges that it has a direct responsibility for configuring the service correctly to achieve these objectives. The bottom line: Business and IT need each other to get the most from cloud services, and only through collaboration does that lead to widespread success.
 
There's a right way and a wrong way to convey important information to your fellow executives. Our expert offers three things to keep in mind.
 
We got a lot of responses to yesterday's fake Verizon e-mail. This brings (again) up the topic of authenticating e-mail messages. If you are reading this post, you probably already realize that the From header, like anything else transmitted in a default email, doesn't do a thing to authenticate an e-mail message. There are a number of technologies that can be deployed to help this.
1 - SMTP over SSL
There are a number of methods to run SMTP and other mail-related protocols (POP, IMAP, ...) over SSL. SMTP in particular frequently uses the STARTTLS extension, which can start an SSL connection on the fly if both servers support it. SSL, however, only protects the connection: the receiving mail server can verify the identity of the sending mail server, and the connection can be encrypted. In most implementations I have seen, the certificate is not verified, and the SSL connection is optional, which significantly reduces the value of this technique, in particular between mail servers. For mail clients sending e-mail to trusted mail servers, SMTPS can be a meaningful control if, for example, a VPN isn't available. But the main issue is that e-mail is forwarded from server to server, and the sender or recipient have no control over whether the path the e-mail took was secure.
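The two weaknesses named above (certificate not verified, TLS optional) are both client-side policy decisions. The following is an added example, not code from the ISC diary: it puts a verifying TLS context beside the common unverified one and shows a submission routine that refuses to send when the server does not offer STARTTLS. The `require_tls` policy, the `submit()` helper and its host/port arguments are assumptions for illustration; the `smtplib` and `ssl` calls are standard-library APIs.

```python
import smtplib
import ssl
from typing import Optional


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires a certificate chaining to a trusted CA
    and a matching hostname. Only with this does STARTTLS tell the client
    anything about who the server is."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak setup the diary describes: the session is encrypted, but any
    certificate is accepted, so the peer's identity is never established."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def submit(host: str, port: int, sender: str, recipient: str, message: bytes,
           ctx: ssl.SSLContext, require_tls: bool = True) -> None:
    """Submit one message over STARTTLS (hypothetical helper).
    With require_tls=True the send is refused when the server does not offer
    STARTTLS, which is the fix for 'the SSL connection is optional'."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            if require_tls:
                raise RuntimeError(f"{host}:{port} does not offer STARTTLS; not sending")
        else:
            # With verifying_context() a bad or mismatched certificate raises
            # ssl.SSLCertVerificationError here instead of being silently accepted.
            smtp.starttls(context=ctx)
            smtp.ehlo()  # re-issue EHLO after the TLS handshake, as RFC 3207 requires
        smtp.sendmail(sender, recipient, message)
```

A mail client that calls `submit(..., ctx=verifying_context())` gets both properties the diary says are usually missing; passing `unverified_context()` reproduces the encrypted-but-unauthenticated behaviour for comparison.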
2 - DKIM
DomainKeys Identified Mail (DKIM) [1] is mostly an anti-spam feature. It will authenticate whether a mail server is authorized to send e-mail on a particular domain's behalf. At this point, some major e-mail providers like Yahoo will implement DKIM. However, aside from its limited scope, DKIM suffers from a number of implementation issues. First of all, it is typically not a default component of mail servers, but has to be added on via a patch or additional software packages. Secondly, once implemented, e-mail for a particular domain has to be sent via authorized mail servers. A user working from home may no longer use his or her ISP's mail server, but has to send e-mail via the corporate mail server. In most cases, this is a good thing, but it can be difficult to implement. The neat part about DKIM is that keys are distributed via DNS, and that validation is done on the server without user involvement. Of course, the use of DNS also requires a secure DNS infrastructure.
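To make concrete what "validation is done on the server" involves, here is an added example (not code from the ISC diary or from any DKIM implementation) of the receiver-side checks that need neither DNS nor a crypto library: parsing the DKIM-Signature tags, recomputing the body hash (bh=) with relaxed canonicalization as specified in RFC 6376, and checking that the signing domain (d=) is the domain the From header claims. The RSA verification of b= over the h= headers is deliberately omitted; a real verifier would fetch the public key from the `<selector>._domainkey.<domain>` TXT record and check it. The sample message, the `sel1` selector, the `example.com` addresses and the placeholder b= value are all constructed for this example.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr


def canonicalize_body_relaxed(body: str) -> bytes:
    """Relaxed body canonicalization as in RFC 6376 section 3.4.4."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Drop trailing whitespace on each line; collapse inner runs to one space.
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    # Ignore empty lines at the end of the body, then terminate with CRLF.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Base64 SHA-256 over the canonicalized body: the value carried in bh=."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_dkim_signature(domain: str, selector: str, signed_headers: list, body: str) -> str:
    """Signer side minus the RSA step: b= is an obvious placeholder, not a signature.
    A real signer signs the canonicalized h= headers with the private key whose
    public half is published at <selector>._domainkey.<domain> in DNS."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
        f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b=PLACEHOLDER_NO_RSA_HERE"
    )


def build_message(from_addr: str, signing_domain: str, body: str) -> str:
    """Constructed sample message (not a real capture) with a DKIM-Signature header."""
    sig = build_dkim_signature(signing_domain, "sel1", ["from", "to", "subject"], body)
    return (
        f"DKIM-Signature: {sig}\n"
        f"From: Billing <{from_addr}>\n"
        "To: user@example.net\n"
        "Subject: Invoice\n"
        "\n" + body
    )


def check_message(raw: str) -> dict:
    """Receiver side: what can be established before any DNS lookup?
    - dkim_present: a DKIM-Signature header exists
    - body_hash_ok: bh= matches the body actually received (in-transit edits fail)
    - domain_aligned: d= is the From domain or a parent of it, i.e. the domain
      vouching for the mail is the one the From header claims
    These checks are necessary but not sufficient: the b= signature is not verified."""
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    _, _, body = raw.partition("\n\n")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {"from_domain": from_domain, "signing_domain": "",
              "dkim_present": False, "body_hash_ok": False, "domain_aligned": False}
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return result
    tags = parse_dkim_tags(sig)
    d = tags.get("d", "").lower()
    result["dkim_present"] = True
    result["signing_domain"] = d
    result["body_hash_ok"] = tags.get("bh") == body_hash(body)
    result["domain_aligned"] = bool(d) and (from_domain == d or from_domain.endswith("." + d))
    return result


if __name__ == "__main__":
    body = "Your invoice is attached.\n   Please pay   by Friday.  \n\n\n"
    print(check_message(build_message("billing@example.com", "example.com", body)))
    print(check_message(build_message("billing@example.com", "bulk-mailer.example.org", body)))
    print(check_message(build_message("billing@example.com", "example.com", body).replace("Friday", "Monday")))
```

The three runs at the bottom show the three outcomes a receiving server distinguishes: a message whose signing domain matches From with an intact body, a message that is signed but by a domain other than the one in From (the From header alone proves nothing, as the diary says), and a message whose body changed after signing so that bh= no longer matches.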
3 - PGP
PGP is probably the oldest form of e-mail encryption and authentication. It does provide end-to-end verification of a message or part of a message. It is very flexible in that it can be used to verify the entire message, or just parts of it. Headers are usually not included in the signature, but since the signature is linked to an e-mail address, it can still be used to authenticate the sender. In my opinion, PGP (and GPG for that matter) suffers from two big problems: First of all, support is available for most e-mail clients, but usually not included by default, requiring users to install and configure additional software. Software for iOS, for example, is available, but poorly integrated with the default iOS mail client. Secondly, PGP key management is not intuitive to the average user. It lacks the use of a central certificate authority and leaves it up to the user to trust or not to trust a key. Combined with the limited use of PGP in day-to-day e-mail, this is a big challenge. Usually it is best to establish the validity of a PGP key by continuously using it for all e-mail, making it easier to spot unusual or different keys.
4 - S/MIME
S/MIME probably has the best chance at this point of gaining some acceptance. It does use certificate authorities, so unlike PGP the decision to trust a certificate is removed from the user to some extent. But as other uses of certificate authorities have shown, this isn't all that safe either. However, I think for the average user (one that hasn't attended a key signing party yet), this is preferred over the decentralized method used by PGP. The main issue with S/MIME is that it does sign the entire message including headers, and there is no option to only sign part of the message. This leads to broken signatures if a message is forwarded to a mailing list or passes other remailers that change headers. But S/MIME has been widely implemented by default in many e-mail clients, including mobile clients.
I really wish more people would take advantage of any of these technologies to verify e-mail. Any e-mail, including e-mail sent by automated processes, should be signed. I think user awareness will follow once users see more signed e-mail. Most of the automated e-mail we send for ISC/DShield uses PGP signatures and we are working on implementing it for more of our e-mail. DKIM hasn't been an option for us so far as our organization is too decentralized, and for our audience PGP has been shown to work pretty well and to be easier to implement than S/MIME for our scripts. My personal e-mail is usually S/MIME signed.
[1]http://www.dkim.org/
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Barnes & Noble Nook tablet's Web traffic overtook that of the Kindle Fire for the first time in early June, while Apple's iPad maintained its overall dominance of the market, according to Chitika, an online ad network and data analytics firm.
 
While iPhoto for iOS has a lot of editing features for color photo enhancement, there's charm to spare in a simple black and white photo. This classic effect in iPhoto for iOS can add a touch of timelessness to your photos, or you can use it to show off dramatic shadows and color contrasts.
 
[Ask the iTunes Guy is a regular column in which we answer your questions on everything iTunes related. If there's something you'd like to know, send an email to the iTunes Guy for consideration.]
 
Microsoft will unveil a tablet computer running on Windows RT and manufactured by Microsoft on Monday at a Los Angeles event, according to entertainment Web site The Wrap.com.
 
A survey of large financial institutions shows they faced more attacks by hackers to take over customer banking accounts last year than in the two previous years, and about a third of these attacks succeeded.
 
New legislation in the U.S. Senate would outlaw most third-party charges on wireline telephone bills in an effort to combat unauthorized billing tacked onto bills, a common practice called cramming.
 
Hybrid drives, which combine NAND flash with spinning disk, are selling like molasses compared to SSDs and SSDs with cache, according to IHS iSuppli.
 
Enterprise business intelligence models that are too heavily IT-centric are unsustainable, a new report from Forrester Research cautioned this week.
 
A U.S. judge has scheduled an injunction hearing in a patent dispute between Apple and Motorola Mobility, after raising the possibility last week that the case may be dismissed as neither side had established a right to relief.
 
Vizio entered the PC business on Thursday, announcing new laptops and all-in-ones that all start at the same price, $898.
 
Facebook has started promoting security tips at the top of each user's home page, with a link to information about scams, passwords and how to stay safe on the social network.
 

Posted by InfoSec News on Jun 15

http://www.nextgov.com/cloud-computing/2012/06/policy-would-require-agencies-patch-cybersecurity-holes-within-72-hours-discovery/56271/

By Aliya Sternstein
Nextgov
June 14, 2012

The Homeland Security Department later this month will present to
federal computer contractors and remote cloud suppliers standards for
finding and fixing cyber threats within 72 hours, DHS officials
announced on Thursday.

The new approach aims to resolve what some...
 

Posted by InfoSec News on Jun 15

https://www.networkworld.com/news/2012/061412-banks-hackers-260208.html

By Ellen Messmer
Network World
June 14, 2012

A survey of large financial institutions shows they faced more attacks
by hackers to take over customer banking accounts last year than in the
two previous years, and about a third of these attacks succeeded.

The total number of attacks to try and break in and transfer money out
of hacked customer accounts was up to 314 over...
 

Posted by InfoSec News on Jun 15

http://www.theregister.co.uk/2012/06/14/pgp_seal_encrypted_communications/

By Iain Thomson in San Francisco
The Register
14th June 2012

Phil Zimmermann and some of the original PGP team have joined up with
former US Navy SEALs to build an encrypted communications platform that
should be proof against any surveillance.

The company, called Silent Circle, will launch later this year, when $20
a month will buy you encrypted email, text...
 

Posted by InfoSec News on Jun 15

http://www.darkreading.com/threat-intelligence/167901121/security/client-security/240002122/security-startups-focusing-on-threats-not-malware.html

By Robert Lemos
Contributing Writer
Dark Reading
June 14, 2012

Security consultant Dino Dai Zovi hacked Macs and co-authored a book on
how to secure them. Tillmann Werner researched ways to detect the
Conficker worm on infected networks and advocated an offensive approach
to dealing with the...
 

Posted by InfoSec News on Jun 15

https://www.computerworld.com/s/article/9228122/Have_LinkedIn_s_security_woes_permanently_damaged_the_social_network_

By Sharon Gaudin
Computerworld
June 14, 2012

After hackers last week breached the LinkedIn site, stealing more than 6
million user passwords, analysts are debating whether the attack will
cause long-term damage to the social network.

In the attack, users' passwords were posted publicly to a Russian hacker
forum. The...
 

How Israel's Top InfoSec Honcho Picks New Ventures
Forbes
Shlomo Kramer is unrivaled when it comes to information security start-ups. Among his most successful ventures are Check Point ...
