InfoSec News

The hacker who uses the handle Le0n B3lm0nt has been on a mission this week, SQL-injecting many exploitable sites, mostly forums; one of the most recent is a Christian Ten forums website.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft has lowered the prices of some editions of the Office 365 cloud collaboration and communication suite, which was launched about eight months ago and competes directly with Google Apps and other similar products.
Mozilla Firefox, Thunderbird, and SeaMonkey Drag and Drop Cross Site Scripting Vulnerability
Knowing exactly how much and what type of cloud service a company needs is one of the more challenging aspects of deploying a cloud strategy, and most enterprises are getting it wrong, according to experts.
Google is planning major changes to its search engine in an effort to make it easier and faster for users to get the information they need.
EMC Documentum eRoom Multiple HTML Injection Vulnerabilities
WikyBlog Multiple Remote Input Validation Vulnerabilities
Apple's generic name for its new iPad -- that's the name, 'the new iPad' -- got the thumbs down in a just-concluded poll of more than 1,100 Internet users.
An expansion of a 15-year-old IT trade agreement could bring huge benefits to the U.S. economy, including about 60,000 new jobs, according to a study released Thursday.
GNU glibc 'nargs' Integer Overflow Security Bypass Vulnerability
Law enforcement agencies are looking for ways to mine social media to look for threats, but those speaking at a conference on Wednesday suggested that an equally important issue might be trying to control authorities who are causing problems by their use of Twitter, Facebook and other such applications.
While Intel and Advanced Micro Devices battle for the top two spots in the x86 microprocessor market, the third player, Via Technologies, saw a slip in its already-marginal market share, but it isn't ready to fold, research firm IDC said on Thursday.
Beyond Compare ZIP Archive Stack Buffer Overflow Vulnerability
WikyBlog 1.7.3RC2 XSS vulnerability

Security research firm Securosis has started a series of blog posts about how to protect enterprise data on Apple iOS smartphones.  Securosis’ Rich Mogull explains that companies are increasingly feeling pressure from employees to support iOS. But how does the IT security team ensure the protection of sensitive enterprise data on devices they have little control over?

According to Mogull:

The main problem is that Apple provides limited tools for enterprise management of iOS. There is no ability to run background security applications, so we need to rely on policy management and a spectrum of security architectures.

Mogull’s first post in the series lays out the security capabilities in iOS and highlights some of the technical reasons why the iPhone has been relatively immune to malware and other threats.

It’s clear that a tightly controlled mobile device will have to use a combination of external security technologies and internal data protection capabilities. The NSA’s “Mobility Capability Package” (.pdf), a report outlining the first phase of its recommended Enterprise Mobility Architecture, could be the blueprint needed for the private sector, according to some experts I’ve recently talked to.

The NSA unveiled the report during the RSA Conference 2012 and held a session outlining its secure mobility strategy. While it’s extremely restrictive, I think the recommendations appear to be the way most of the security industry is headed.

Among the report's key recommendations:

  • All mobile device traffic should travel through a VPN.
  • All devices should use AES 256 full disk encryption.
  • Tight controls on the use of Bluetooth, WiFi, voicemail and texting.
  • GPS disabled except for emergency 911 calls.
  • Ability to prevent users from tethering.
  • Ability to disable over-the-air software updates.

A virtual private network (VPN) establishes a secured path between the user equipment and the secured access networks with a second layer of encryption required to access classified enterprise services.

Bruce Schneier highlighted the NSA mobile security guidance document in a recent blog post and singled out the VPN tunnel recommendation. “The more I look at mobile security, the more I think a secure tunnel is essential,” Schneier wrote.

Full disk encryption (FDE) is currently available for Android devices. FDE for Apple devices currently falls short, but DARPA has been working on this, and according to Winn Schwartau, chairman of the Board of Directors at Atlanta-based mobile device security firm Mobile Active Defense, well-implemented FDE for iOS devices is “weeks” away.

Apple introduced its Data Protection feature in iOS 4.0, letting application developers store sensitive data on disk in encrypted form. Protected files are always stored encrypted under a per-file key; what changes with the lock state is key availability, not the file contents. The per-file key is wrapped with a class key, and the class key for the NSFileProtectionComplete class is in turn protected by a key derived from the user's passcode (entangled with a device-specific hardware key) and is discarded from memory when the device locks, so those files become unreadable until the passcode is entered again. The first iteration offered only that class and NSFileProtectionNone; iOS 5.0 added further protection classes, including one that keeps files readable after the first unlock following a boot.
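The following Python model is an added illustration, not code from Apple, Securosis or the NSA paper, of how a key hierarchy of this kind behaves: file contents stay encrypted on flash at all times, locking only discards the NSFileProtectionComplete class key from memory, and a file in the until-first-authentication class stays readable after lock but not after reboot. The cipher used for wrapping and file encryption is an HMAC-based stand-in so the model runs with the standard library; it is not the AES engine real devices use. The UID, PBKDF2 iteration count and file paths are constructed for the example.

```python
"""Toy model of the iOS Data Protection key hierarchy (illustration only)."""
import hashlib
import hmac
import os

# Protection classes named after Apple's API; the first two existed in iOS 4,
# NSFileProtectionCompleteUntilFirstUserAuthentication arrived in iOS 5.
COMPLETE = "NSFileProtectionComplete"
NONE = "NSFileProtectionNone"
UNTIL_FIRST_AUTH = "NSFileProtectionCompleteUntilFirstUserAuthentication"


def _keystream_xor(key, nonce, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    NOT AES; real devices use a hardware AES engine. Used only so the model
    runs with the standard library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def wrap(kek, key):
    """Encrypt `key` under key-encryption key `kek`; returns (nonce, ct, tag)."""
    nonce = os.urandom(16)
    ct = _keystream_xor(kek, nonce, key)
    return nonce, ct, hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap(kek, blob):
    """Reverse of wrap(); refuses to return key material if the tag does not verify."""
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key: cannot unwrap")
    return _keystream_xor(kek, nonce, ct)


class LockedError(Exception):
    """Raised when the class key needed for a file is not in memory."""


class Device:
    def __init__(self, passcode):
        self.uid = os.urandom(32)   # constructed hardware UID key, never exported
        self.flash = {}             # path -> (class, wrapped file key, nonce, ciphertext)
        self.class_keys = {}        # class keys currently held in memory
        kek = self._passcode_key(passcode)
        # Keybag: each class key is stored wrapped. Passcode-protected classes are
        # wrapped under the passcode-derived key, NSFileProtectionNone under the UID only.
        self._keybag = {
            COMPLETE: wrap(kek, os.urandom(32)),
            UNTIL_FIRST_AUTH: wrap(kek, os.urandom(32)),
            NONE: wrap(self.uid, os.urandom(32)),
        }
        self.reboot()

    def _passcode_key(self, passcode):
        # The passcode is "tangled" with the UID so guessing must happen on this device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.uid, 10_000)

    def reboot(self):
        # After a cold boot only the NONE class key is recoverable without a passcode.
        self.class_keys = {NONE: unwrap(self.uid, self._keybag[NONE])}

    def unlock(self, passcode):
        kek = self._passcode_key(passcode)
        complete = unwrap(kek, self._keybag[COMPLETE])   # PermissionError on wrong passcode
        self.class_keys[COMPLETE] = complete
        self.class_keys[UNTIL_FIRST_AUTH] = unwrap(kek, self._keybag[UNTIL_FIRST_AUTH])

    def lock(self):
        # Locking discards one key from memory; nothing on flash is re-encrypted.
        self.class_keys.pop(COMPLETE, None)

    def write(self, path, data, protection=COMPLETE):
        if protection not in self.class_keys:
            raise LockedError(protection + " key unavailable")
        file_key, nonce = os.urandom(32), os.urandom(16)
        ct = _keystream_xor(file_key, nonce, data)
        self.flash[path] = (protection, wrap(self.class_keys[protection], file_key), nonce, ct)

    def read(self, path):
        protection, wrapped_key, nonce, ct = self.flash[path]
        if protection not in self.class_keys:
            raise LockedError(protection + " key unavailable")
        return _keystream_xor(unwrap(self.class_keys[protection], wrapped_key), nonce, ct)
```

The point a forensic examiner or app developer should take from the model is in `lock()` and `reboot()`: the ciphertext in `flash` never changes, so "unlocked" and "locked" differ only in which class keys are resident, and a file written with the default NSFileProtectionNone class is readable on any boot without the passcode.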

Under the NSA plan, smartphones would run an initialization program that launches as soon as the device is turned on. The program would check the device's OS and ensure that only authorized applications and operating system components are loaded. The device owner would enter a PIN or passphrase to unlock the phone and then a second, separate password to decrypt the device's storage (a second secret, though not an independent authentication factor, since both are something the user knows).
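As an added example of the allowlist check such an initialization program performs (this is not the NSA's code; the component names, contents and key are constructed for illustration): the manifest of authorized components is authenticated first, then every component present on the device must match a manifest entry and every entry must be present, and the check fails closed on any deviation. HMAC stands in for the digital signature a real vendor manifest would carry.

```python
"""Allowlist boot-integrity check: load only components listed in an
authenticated manifest. Illustration of the initialization-program idea."""
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(manifest):
    # Deterministic serialization so the authenticator covers exactly one byte string.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key, manifest):
    # Stand-in for a real signature: HMAC-SHA256 over the canonical manifest.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_boot(key, manifest, tag, present):
    """Return (ok, violations).

    `manifest` maps component path -> expected SHA-256 hex digest.
    `present` maps component path -> bytes actually found on the device.
    Any violation means the device must not continue to load components.
    """
    if not hmac.compare_digest(tag, sign_manifest(key, manifest)):
        return False, ["manifest: authentication failed"]
    violations = []
    for path, expected in manifest.items():
        if path not in present:
            violations.append("missing: " + path)
        elif not hmac.compare_digest(sha256_hex(present[path]), expected):
            violations.append("modified: " + path)
    for path in present:
        if path not in manifest:
            violations.append("unauthorized: " + path)
    return not violations, sorted(violations)


# Constructed sample image and the manifest a vendor would ship for it.
VENDOR_KEY = b"constructed-example-key"
GOOD_IMAGE = {
    "/boot/kernel": b"kernel image v1",
    "/system/app/Dialer.apk": b"dialer v1",
    "/system/app/VpnClient.apk": b"vpn client v1",
}
MANIFEST = {path: sha256_hex(data) for path, data in GOOD_IMAGE.items()}
TAG = sign_manifest(VENDOR_KEY, MANIFEST)


def tampered_image():
    """A constructed device state with one modified, one sideloaded and one missing component."""
    image = dict(GOOD_IMAGE)
    image["/system/app/Dialer.apk"] = b"dialer v1 + backdoor"
    image["/data/app/Game.apk"] = b"sideloaded game"
    del image["/system/app/VpnClient.apk"]
    return image


if __name__ == "__main__":
    print(verify_boot(VENDOR_KEY, MANIFEST, TAG, GOOD_IMAGE))
    print(verify_boot(VENDOR_KEY, MANIFEST, TAG, tampered_image()))
```

Two design points carry over to a real implementation: the manifest must be authenticated before its contents are trusted (otherwise an attacker who can replace a component can also replace its expected hash), and a missing component is treated as a violation, because removing the VPN client is as much a policy failure as adding an unapproved app.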

Once the storage is decrypted, the user starts the VPN, which establishes a tunnel from the device to the infrastructure. The device then registers with the Session Initiation Protocol (SIP) server over a TLS connection that is itself tunneled through the VPN.

Phone calls made by a smartphone user would be routed by the cellular carrier to mobility infrastructure maintained by the government. This device must have already established a secure VPN connection to be accessible, according to the paper.

To be clear, some of the capabilities recommended by the NSA will be easier to develop for Android devices since Google’s code base is publicly available. Under its Project Fishbowl, the agency is developing a hardened smartphone with its security requirements using a modified version of Android. But other capabilities, including FDE and the requirement of a VPN will be feasible and justifiable on any mobile platform. Exactly how this can be implemented, and more importantly, how it can be enforced by IT security teams, is an issue still being addressed by researchers. Mobile device management products typically require software running on the device and nearly all the technologies require end-user interaction and can be bypassed.

It’s going to be fun watching more robust mobile device security technologies emerge.

Toshiba will launch high-speed SD memory cards this year in Japan and abroad that can read data at up to 95MB per second and write at 90MB per second.
When the District of Columbia, led by its then CTO, the charismatic Vivek Kundra, bought Google Apps seats for its almost 40,000 municipal employees in 2008, many predicted that the city would soon ditch its more expensive, on-premise Microsoft software for e-mail and productivity applications.
Deutsche Telekom, Alcatel-Lucent and Airbus have tested data communication between an aircraft and the ground, using LTE, which helps make in-flight data access cheaper, the three companies said on Thursday.
Ardent users are clamoring for quick upgrades to Apple's Mac Pro, while an unstable hardware timetable for the high-end desktop has raised concerns about the company's commitment to professional users.
Mozilla has reiterated that it's still working on silent updates for Firefox, and said it should have the Chrome-like service in place by early June.
Despite the growing interest in big data platforms, it may be some time before organizations will be able to deploy a standardized big data software stack, concluded a panel of speakers Wednesday during a virtual panel hosted by GigaOm.
Security companies have recently identified multiple malware threats that use stolen digital certificates to sign their components in an attempt to avoid detection and bypass Windows defenses.
Bangladesh Cyber Army has posted another list of Indian sites it defaced with demands and graphic images related to the ongoing border conflict and other disputes between the two countries.

zdnet.co.uk has reported that 14 people, 12 men and 2 women, have been arrested over a phishing scam that targeted a single woman, who gave out personal details that allegedly allowed them to take over £1m.

Linux Kernel Regsets CVE-2012-1097 NULL Pointer Dereference Local Denial of Service Vulnerability

You don’t have to work in the infosec world for long before you hear strands of the unofficial industry anthem: “Let’s work together.” Arthur Coviello, chairman of RSA, the security division of EMC, practically sang the chorus in his keynote address at RSA Conference 2012. “We are in this fight together,” Coviello said. “Knowledge by one becomes power for all of us.”

Can security pros from different organizations really work together?

Andrew Rose, a principal analyst at Forrester Research, doubts it. In a blog post last month, Rose recounted meeting a representative of a European regulatory body. “(She believed) the future lay in open and honest sharing between organizations – i.e. when one is hacked, they would immediately share details of both the breach and the method with their peers and wider industry.”

But Rose believes this view is too idealistic, and organizations will refuse to share such information for fear of reputation or brand damage. “As a security professional, it’s tough to acknowledge in a public forum that you may even have something to share with colleagues at other firms, lest the press get hold of the information and twist it into a fictitious ‘XXXX Corp hacked!’ story,” Rose wrote.

There appears to be some hope for security information sharing between security pros within vertical industries. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is one of 14 security information-sharing associations formed at the behest of the U.S. federal government. According to its website, FS-ISAC members receive “timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cybersecurity threats.”

Sounds good, right? But click on over to the FAQ page of the FS-ISAC website and read the question, “Why should my firm join?” The answer addresses protecting critical infrastructure, but then adds, “If the private sector does not create an effective information sharing capability, it will be regulated: This alone is reason enough to join.”

Clearly this is not the high-minded perspective Coviello had in mind. But then again, I wouldn’t count on a vendor’s call to action as the foundation for a security industry association. Vendor-neutral associations such as ISSA are probably our best hope.

We may never find a balance between our competitive, and somewhat paranoid, human nature on one hand, and values such as openness and honesty on the other. But it’s good to keep tugging on both ends of the rope, if only to keep the conversation going.


You can view the current Infocon status at https://isc.sans.edu/infocon.html as well as in other areas of our site.

The intent of the 'Infocon' is to reflect changes in malicious traffic and the possibility of disrupted connectivity. Our handlers monitor DShield logs, emails and numerous other internet sources in order to determine if the Infocon level should be adjusted. There are 4 definition levels of the Infocon as outlined below.

Link To Current Infocon Status - https://isc.sans.edu/infocon.html#link

A text box, for easy copy/paste, contains the HTML code you need to display the current Infocon status graphic and link back to the ISC site.
https://isc.sans.edu/infocon.txt - returns a text representation of the current Infocon level, you can include
https://isc.sans.edu/infocon.js - sets a javascript variable you can include in your code
https://isc.sans.edu/daily_alert.html - returns an HTML page of the current Infocon status as well as the title/link to the latest diary entry.

Applications and Widgets - https://isc.sans.edu/infocon.html#apps_and_widgets

There are a variety of additional ways to keep an eye on the Infocon level. Methods include a Windows systray application, an OS X widget, a KDE application, Nagios alerts and a Firefox extension.

Infocon Definition - https://isc.sans.edu/infocon.html#definition

Note: There is a blue TEST status that is not used in everyday alert levels.

Green - Everything is normal
Yellow - Currently tracking a significant new threat
Orange - Major disruption in connectivity is imminent
Red - Loss of connectivity across a large part of the internet.

Infocon History - https://isc.sans.edu/infocon.html#infocon_history

A list of Infocon changes by date with a reason and link where possible.

What ways and where do you use the Infocon? Share suggestions or feedback in the section below or send us any questions or comments in the contact form at https://isc.sans.edu/contact.html


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center (http://isc.sans.edu)

Accountants fret about mobile device security and data loss
Infosecurity Magazine
The Noughties are behind us now, but memories of a decade of data breaches will continue to haunt the infosec professional. If only there was a way of knowing what the threat landscape would look like in the months to come. Well you're in luck as Davey ...

A large number of enterprises have not implemented automated server access controls, exposing themselves to risks ranging from insider fraud and corporate espionage to regulatory compliance issues and even nation-state sponsored attacks, according to a recent report by information security research firm Echelon One and enterprise access management specialist Fox Technologies.
A few decades ago, some genius had this outrageous idea: "Let's put everything online." Everything. Measureless reams of information all piled up on the World Wide Web. The audacity of this concept should not go unappreciated.
Two online banking fraud schemes are designed to defeat the one-time-password (OTP) authorization systems used by many banks.
Chinese vendor ZTE has conducted a field demonstration of optical networking equipment capable of transporting data at 1.7Tbps.
Like the iPad 2 before it, the new iPad is not a re-thinking of the original concept. Instead, Apple chose to focus on a few areas of improvement while keeping the overall package the same. In this case, Apple executes to perfection.
Cisco said it will acquire NDS Group Ltd., a provider of video software and content security systems for service providers and media companies, for $5 billion.
nginx fix for malformed HTTP responses from upstream servers
Re: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)
At some point, calling your tech-savvy friends and relatives for help gets old. Or rather, they stop answering the phone, and you're left on your own to figure out why your Wi-Fi doesn't work.
NetDecision HTTP Server Stack-Based Buffer Overflow Vulnerability
Dell plans to set up over 20 data centers in Asia to meet growing demand from customers for a mix of private and public clouds, the head of the company's Asia Pacific and Japan region said.
A total of 112 government websites in India were hacked from December to February, a federal minister said Wednesday, reflecting India's continuing problem with online security.
Salesforce.com is set to unveil new products for employee performance management and rapid website development on Thursday during the Cloudforce conference in San Francisco.
Facebook, Apple, Twitter, Yelp and 14 other companies have been hit with a lawsuit accusing them of distributing privacy-invading mobile applications.
With the retail debut of the new iPad just a day away, Apple has joined a slew of other companies eager to buy used iPads.
Cloud-based file-sharing services like Dropbox have become popular, but organizations with sensitive data say they're reluctant to turn it over to cloud services. Instead, they're buying file-sharing products they manage on their own for bulk file transfers among business partners.
Presentation posted on the QCon conference website indicates plans for object capabilities and JVM and cloud improvements
What are the most useful browser add-ons for Web designers and developers? We ask more than 20 professionals to weigh in.
As the CIO of the Coca-Cola's Bottling Investments Group, Javier Polit has strong ideas about how to ensure that IT is in sync with the company's business needs.
An independent forum that has no association with the Iranian government has been hacked and a fairly large number of accounts have been leaked onto Pastebin.


Posted by InfoSec News on Mar 15


By David Kravets
Threat Level
March 14, 2012

Pattern-screen locks on Android phones are secure, apparently so much so
that they have stumped the Federal Bureau of Investigation.

The bureau claims in federal court documents that forensics experts
performed “multiple attempts” to access the contents of a Samsung
Exhibit II handset, but failed to unlock the phone....

Posted by InfoSec News on Mar 15


By Robert Booth, Mona Mahmood and Luke Harding
14 March 2012

Bashar al-Assad took advice from Iran on how to handle the uprising
against his rule, according to a cache of what appear to be several
thousand emails received and sent by the Syrian leader and his wife.

The Syrian leader was also briefed in detail about the presence of

Posted by InfoSec News on Mar 15


By Bob Brewin

Last fall, not long after someone stole computer tapes containing the
health records of 4.9 million TRICARE beneficiaries, some of the victims
discovered bogus charges on their credit card statements and
unauthorized bank transactions.

The tapes were stolen in September 2011 from the car of an employee with
TRICARE contractor Science Applications...

Posted by InfoSec News on Mar 15


By Dan Goodin
Ars Technica
March 14, 2012

Passwords that contain multiple words aren't as resistant as some
researchers expected to certain types of cracking attacks, mainly
because users frequently pick phrases that occur regularly in everyday
speech, a recently published paper concludes.

Security managers...

Posted by InfoSec News on Mar 15


By Taylor Armerding
March 14, 2012

Add one significant -- and different -- title to more than 30 current
and former employees of News International, the News Corp. subsidiary
that publishes Rupert Murdoch's British newspapers, who have been
arrested in a phone hacking scandal.

The Guardian newspaper reported yesterday that...