InfoSec News

Amazon.com is getting into the movie business by opening Amazon Studios, with the goal of using the Internet to put fresh movies on the big screen.
 

Infosec Seen as NASA Management Challenge (GovInfoSecurity.com)
NASA's inspector general designated information technology security as one of eight top management and performance challenges the space agency faces. ...

 
A San Ramon, California, man is facing charges he stole valuable technology from his former employer in hopes of building competitive location-aware products.
 
This site, initially started by Brian Carrier and now maintained by a team of volunteers, contains a large repository of open source digital forensics tools, papers, images and procedures. If your favourite open source tool is not listed on this site, you can submit it to be added to the list. [1]
[1] http://www2.opensourceforensics.org
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A report being prepared for the White House calls on the Obama Administration to examine whether the Federal Trade Commission should be vested with new rulemaking authority on Internet privacy matters.
 
Digium Zaptel Multiple Local Privilege Escalation and Denial of Service Vulnerabilities
 
Openswan 'XAUTH' Remote Buffer Overflow and Command Injection Vulnerabilities
 
Yahoo is developing technology to help publishers personalize their websites, in much the same way that it helps them to populate their sites with ads, Yahoo CEO Carol Bartz said on Tuesday.
 
Intel today announced it has invested $32 million in an Israeli start-up that is about to release an SSD product based on consumer NAND flash but that is robust enough for enterprise-class data centers.
 
The estimated growth in data traffic on AT&T's mobile network has slowed, the carrier's CTO said Tuesday, though it remains explosive at more than 3,000 percent over the past three years.
 
LFI and XSS vulnerability in openEngine
 
[ MDVSA-2010:236 ] freetype2
 
Adobe released security updates for Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. The vulnerabilities could potentially allow an attacker to crash the application or take control of the affected system. [1]
This update addresses CVE-2010-3654, noted in the previous Security Advisory APSA10-05, and CVE-2010-4091, referenced in the Adobe PSIRT blog; it also includes the Adobe Flash Player update noted in Security Bulletin APSB10-26.


[1] http://www.adobe.com/support/security/bulletins/apsb10-28.html
 
Palm Chief Executive Jon Rubinstein told the Web 2.0 Conference that his company lost some momentum after it was acquired by Hewlett-Packard in April. But Palm will get its mojo back, he says, thanks in part to a host of WebOS devices including smartphones, tablets, and devices he "can't talk about yet."
 
Facebook's revamped Messages will be a very attractive target for spammers, scammers and malware makers, security experts said today.
 
Facebook says its new Messages service is no Gmail killer, and Google's CEO has said he is not concerned. Should Google, Yahoo and Hotmail be worried about Facebook?
 
Quick update on Google Chrome's Math.random() predictability by Amit Klein, Trusteer
 
[ MDVSA-2010:237 ] perl-CGI
 
[security bulletin] HPSBPI02575 SSRT090255 rev.1 - HP LaserJet MFP Printers, HP Color LaserJet MFP Printers, Certain HP LaserJet Printers, Remote Unauthorized Access to Files
 
Encryption has become generally accepted in the industry, said Larry Ponemon, founder of the Ponemon Institute LLC.
 
Android faces a new threat with a lawsuit that Vertical Computer Systems filed Monday against Samsung and LG.
 
It's surprising that Juniper will admit to being two years behind arch-rival Cisco at anything, let alone a development related to IPv6, the next-generation Internet Protocol.
 
More than 500 million people will be using mobile health applications through smartphones within five years; for vendors, much of the revenue will come from remote sensing devices, according to a new report.
 
After Facebook's struggle with one privacy issue after another this year, some in the industry are raising privacy questions about Facebook's new messaging system.
 
Black Duck Software announced Tuesday it is acquiring the assets of application development toolmaker SpikeSource. Terms were not disclosed.
 
A flaw has been found in the OpenSSL TLS server extension affecting OpenSSL 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a. This vulnerability has been assigned CVE-2010-3864.
The following applications are affected by this vulnerability:
Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.
In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected. [1]
[1] http://openssl.org/news/secadv_20101116.txt
 
Adobe today issued an emergency update for its popular Reader PDF software that patched two critical vulnerabilities, including one attackers have exploited for weeks.
 
Yahoo announced new and enhanced products and services intended to improve the company's offerings in local search and social media.
 
Advanced Micro Devices on Tuesday said it will start shipping next-generation Opteron server chips based on the new Bulldozer architecture starting in the third quarter next year.
 
In the early, heady days of e-readers, the term "e-reader" was synonymous with an electronic paper-based device. The Barnes & Noble NookColor explodes that narrow definition: The first LCD-based e-reader optimized around reading, the NookColor ($249, price as of November 16, 2010) delivers a superbly integrated, largely satisfying, and (for now) unique e-reading experience. Better yet, it has the potential to deliver far more as Barnes & Noble's library of periodicals and children's books grows.
 
Violin today announced its first NAS caching device for NFS environments, a NAND flash array that it said is capable of boosting data read operations by 10 to 50 times the speed of standard disk drive arrays.
 
Three of the four largest mobile phone carriers in the U.S. have formed a joint venture to turn phones into digital wallets, allowing subscribers to pay for groceries and other retail items using their phones, instead of credit cards or other methods.
 
Apple today added the Beatles' catalog to its iTunes online music store, making it the first to sell digital downloads of the Fab Four's tracks.
 
Service providers can win business by demonstrating that clients will get solid security treatment.
 
Trend Micro has released a tool that administrators can use to scan dozens of computers at a time for Stuxnet, the malicious software program that has raised widespread concern for its targeting of industrial systems made by Siemens.
 
Europe needs strong and effective data protection, the European data protection supervisor said.
 
Spectacular flameouts have much to teach managers about the right way to run projects.
 
Rogue antivirus suppliers are posing as Adobe updates in a phishing scam.
 
Irregular allocations of 2G licenses and spectrum in 2008 to some Indian operators may have cost the country about US$39 billion, according to a report by the country's comptroller and auditor general of India (CAG) that was tabled in India's Parliament on Tuesday.
 
Android-based smartphones with Near Field Communication will help turn mobile phones into wallets, though some issues still must be solved, analysts say.
 
Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
 
VMSA-2010-0016 VMware ESXi and ESX third party updates for Service Console and Likewise components
 
[ MDVSA-2010:235 ] freetype2
 
As companies resurrect projects that will offer high returns, they'll be looking for tech workers with the right mix of skills. Columnist John Reed highlights the IT positions that are expected to be in high demand the year ahead.
 
Unseating an entrenched market leader is tough, even when one pours hundreds of millions of dollars into product development and marketing. That's what Microsoft has found with its aggressively marketed and technologically improved Bing search engine.
 
SearchSecurity editors talk about how enterprises can respond to Firesheep and employee use of public WiFi. Also, a discussion on Microsoft's ISP NAC plan and Google's bug bounty.
 
The University of New Mexico's patent arm, STC, filed a lawsuit against Intel on Monday alleging the infringement of a patent related to advanced chip manufacturing.
 
Intel has been working with industry experts to improve the safety of football helmets, including an idea to put its tiny Atom microprocessors inside football helmets to measure and feed real-time impact data to medical personnel on the sidelines of a game.
 
U.S. supercomputing dominance is being challenged in ways it has not seen before, and that may be the best thing to ever happen to this field, particularly in Washington's climate of cost-cutting.
 
PC buyers who want the slickest high-end computers no matter what the price tag can find them at these boutique builders.
 
Facebook's new messaging system may not be a Gmail killer, but it's definitely another blow in the growing battle between two Internet bigwigs.
 
InfoSec News: Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage: http://www.wired.com/threatlevel/2010/11/stuxnet-clues/
By Kim Zetter Threat Level Wired.com November 15, 2010
New and important evidence found in the sophisticated “Stuxnet” malware targeting industrial control systems provides strong hints that the code [...]
 
InfoSec News: Aussie forces ready, but cyberwar is chaff: http://www.zdnet.com.au/aussie-forces-ready-but-cyberwar-is-chaff-339307244.htm
By Darren Pauli ZDNet.com.au November 16th, 2010
Australia's military and defensive structures place it in a better shape to defend itself against cyber attacks than the United States, according to a senior analyst. [...]
 
InfoSec News: 'Super-secret' debugger discovered in AMD CPUs: http://www.theregister.co.uk/2010/11/15/amd_secret_debugger/
By Dan Goodin in San Francisco The Register 15th November 2010
A hardware hacker has discovered a secret debugging feature hidden in all AMD chips made in the past decade.
The password-protected debugger came as a shock to reverse-engineers who have hungered for an on-chip mechanism for performing conditional and direct-hardware breakpoint operations. Although AMD has built the firmware-controlled feature into all chips since the Athlon XP, the company kept it a closely guarded secret that was only disclosed late last week by a hacker who goes by the name Czernobyl.
“AMD processors (Athlon XP and better) have included firmware-based debugging features that expand greatly over standard, architecturally defined capabilities of x86,” the hacker wrote. “For some reason, though, AMD has been tightly secretive about these features; hint of their existence was gained by glancing at CBID's page.”
To put a chip into developer mode, a user must first enter what amounts to a password -- 9C5A203A -- into the CPU's EDI register. Czernobyl was able to deduce the secret setting by brute forcing the key.
[...]
 
InfoSec News: Cybercriminals, Insiders May Work Together To Attack Businesses: http://www.darkreading.com/insiderthreat/security/perimeter/showArticle.jhtml?articleID=228200983
By Robert Lemos Contributing Writer DarkReading Nov 15, 2010
For 19 months, an employee at Johns Hopkins Hospital allegedly stole patients' identities, feeding the information to four outsiders who used the data to charge more than $600,000 in goods on store credit. Jasmine Amber Smith, 25, has been charged with using her inside access to fuel the identity theft ring.
Employees working with cybercriminals might not be the norm for security breaches, but it's not a rare crime, either, experts say. It's not unusual for cybercriminals to gain inside access through bribery and solicitation -- two components of social engineering, according to Verizon Business' Data Breach Investigations Report. Social engineering accounted for 28 percent of breaches analyzed in the report, with solicitation and bribery leading to nearly a third of those breaches.
"These were scenarios in which someone outside the organization conspired with an insider to engage in illegal behavior," the report says. "They recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score."
While stolen data can cause public relations headaches and lose the goodwill of customers, a company's customer data may not be its most valuable asset. Companies' proprietary knowledge and corporate secrets [...]
 
InfoSec News: Trade group wants Congress to focus on tax credit, security: http://www.computerworld.com/s/article/9196619/Trade_group_wants_Congress_to_focus_on_tax_credit_security
By Grant Gross IDG News Service November 15, 2010
The U.S. Congress should focus on extending a research and development tax credit and on passing data breach notification regulations and other cybersecurity legislation during a brief session this month, a large technology trade group recommended.
Congress returns to Washington, D.C., this week for a so-called lame-duck session lasting about three weeks, and TechAmerica wants lawmakers to focus on some technology issues, in addition to income-tax and budget issues, officials of the 1,200-member trade group said Monday.
There's broad agreement that the research and development tax credit needs to be extended, as well as strong support for a national data breach notification law and updates to the U.S. Federal Information Security Management Act (FISMA), said Phil Bond, TechAmerica's president and CEO.
"These are priorities that have been voiced and supported by the [congressional] leadership on all sides," Bond said. "There is no debate about the need for an R&D tax credit. Our hope is that we can get some of the consensus issues done."
[...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, November 7, 2010
Open Security Foundation - DataLossDB Weekly Summary, Week of Sunday, November 7, 2010
6 Incidents Added. [...]
 
InfoSec News: Institutions Reject Claims that Malware Shut Down ATMs, Sites: http://www.bankinfosecurity.com/articles.php?art_id=3096
By Tracy Kitten Managing Editor Bank Info Security November 15, 2010
The ATM and online banking outage that allegedly struck several of the nation's top financial institutions, including Bank of America, Chase, U.S. [...]
 

Posted by InfoSec News on Nov 15

http://www.wired.com/threatlevel/2010/11/stuxnet-clues/

By Kim Zetter
Threat Level
Wired.com
November 15, 2010

New and important evidence found in the sophisticated “Stuxnet” malware
targeting industrial control systems provides strong hints that the code
was designed to sabotage nuclear plants, and that it employs a subtle
sabotage strategy that involves briefly speeding up and slowing down
physical machinery at a plant over a span of...
 

Posted by InfoSec News on Nov 15

http://www.zdnet.com.au/aussie-forces-ready-but-cyberwar-is-chaff-339307244.htm

By Darren Pauli
ZDNet.com.au
November 16th, 2010

Australia's military and defensive structures place it in a better shape
to defend itself against cyber attacks than the United States, according
to a senior analyst.

Gartner research director Andrew Walls said the nation's military and
intelligence agencies, including the armed forces and the secretive
Defence...
 

Posted by InfoSec News on Nov 15

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, November 7, 2010

6 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Nov 15

http://www.bankinfosecurity.com/articles.php?art_id=3096

By Tracy Kitten
Managing Editor
Bank Info Security
November 15, 2010

The ATM and online banking outage that allegedly struck several of the
nation's top financial institutions, including Bank of America, Chase,
U.S. Bank, Wells Fargo, Compass, USAA, SunTrust, Chase, Fairwinds Credit
Union, American Express, BB&T on the East Coast and PNC, over the
weekend of Nov. 6, may have been...
 
Hitachi today announced its first solid state drive family, a line of SAS/Fibre Channel flash drives built jointly with Intel and are aimed at enterprise data centers.
 
BridgeSTOR emerged from quiet mode today to unveil its first product, an appliance that performs deduplication and compression while running other third-party backup software.
 
Verizon Business today announced a hosted service to help customers develop and deploy applications such as CRM software across multiple devices such as the iPhone, Symbian, Windows Phone 7 and, soon, Android.
 