InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle has just released their critical patch update http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
Quite a number of products are being patched. Also, for those of you subject to PCI DSS, there are a significant number of patches addressing issues with a CVSS score of 4 or higher, which must be applied under the standard.
They have also released a critical patch update for Java http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
The info in the Oracle bulletin is comprehensive and should allow you to identify what needs to be done fairly easily. Both bulletins have the following wording in the workaround section: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible." For most of us this is not new (at least not on the Java side), but it may be a strong argument if you get pushback on patching.
Happy patching, as always test before you implement.
Mark H - shearwater

Oracle Java SE CVE-2012-5068 Remote Java Runtime Environment Vulnerability
Oracle Java Virtual Machine (JVM) CVE-2012-4416 Remote Information Disclosure Vulnerability
U.S. officials today expressed dismay over the U.K. government's refusal to extradite British hacker Gary McKinnon, but insisted the broader extradition relationship between the two countries remains strong.
Laptops and desktops with Intel's next-generation Core processor, code-named Haswell, will be available in the first half of next year, Intel CEO Paul Otellini said during a financial conference call on Tuesday.
Oracle Agile PLM for Process CVE-2012-3200 Remote Security Vulnerability
For its most recent financial quarter, IBM experienced declining revenue and flat income, though it still managed to deliver increased earnings per share.
Qualcomm CEO Paul Jacobs will give the opening keynote at the giant Consumer Electronics Show in January, a logical choice for an event whose focus is increasingly mobile, but one that might not garner the attention of a Bill Gates or Steve Ballmer appearance.
The W3C (World Wide Web Consortium, w3.org) is responsible for defining standards around HTML. One of the most prominent current developments is HTML 5.
HTML 5 is not just about the HTML mark-up language. The standard includes extensive extensions to Javascript APIs around geolocation, storage, media access and other features.
In addition, HTML is defined by the WHATWG (Web Hypertext Application Technology Working Group), an organization not associated with W3C. The WHATWG was created by Apple, Opera and Mozilla after the companies felt that the W3C's HTML Working Group (HTMLWG) didn't move fast enough.
These days, the HTMLWG and the WHATWG are working together, but they are taking a different approach to the future development of HTML. The WHATWG is defining HTML as a constantly developing, living standard. The HTMLWG is taking various snapshots of the WHATWG standard, and defining them as an HTML version.
Here are some of the more recent notable additions to HTML, which are usually kept under the umbrella of HTML 5:
- Access to hardware sensors: Most browsers already support GPS geolocation, or access to other geolocation APIs of the hosts (e.g. via WiFi). But sensors like accelerometers commonly found in mobile devices are supported as well. Recently, support for the access to cameras and microphones emerged but support is still spotty.
- Extended storage options: Traditionally, web applications had to store data in cookies. Cookies are rather limited in size, and wouldn't scale to a larger size as they are sent with each request. With HTML 5, web applications can store up to 20 MB on the browser, and if that's not enough, they can ask the user for permission to store more data.
- Offline applications: An application may provide a manifest listing all files (HTML, Javascript) that are required to run the application offline.
- Video/Audio codecs: the video and audio tags allow for the playback of video and audio without the help of plugins like Flash or Java. However, not all browsers support the same codecs.
- Client input validation: Many web applications use javascript to validate user input on the client. In HTML 5, this can be done within the input tag by specifying a regular expression. Just like the javascript client validation, this should never be used for security purposes, but can make an application more usable.
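The last list item is the security-relevant one: the `pattern` attribute is evaluated only by the browser's form UI, so any request that does not come through that UI skips it entirely. The following is an added example, not code from the ISC diary, showing the same rule expressed once as an HTML 5 `pattern` attribute (for usability) and once as a server-side check (for security). The username rule, the `validateUsername` function and the sample submissions are all constructed for the illustration.

```javascript
// Added example (not from the ISC diary). One validation rule, declared
// twice: in the HTML5 `pattern` attribute the browser enforces, and in a
// server-side check that runs regardless of how the request was produced.

// Constructed rule: a username of 3 to 16 letters, digits or underscores.
const USERNAME_RULE = "[A-Za-z0-9_]{3,16}";

// The markup the page would emit. This only improves usability: the
// browser refuses to submit the form until the value matches.
function usernameInputHtml() {
  return `<input name="username" required pattern="${USERNAME_RULE}">`;
}

// Server-side equivalent. HTML5 compiles `pattern` as ^(?:...)$, i.e. the
// whole value must match, so the server regex is anchored the same way.
// (Without the `m` flag, JavaScript's ^ and $ only match at the string's
// start and end, so an embedded newline cannot slip a second line past it.)
const USERNAME_RE = new RegExp(`^(?:${USERNAME_RULE})$`);

function validateUsername(value) {
  if (typeof value !== "string") {
    return { ok: false, reason: "not a string" };
  }
  if (!USERNAME_RE.test(value)) {
    return { ok: false, reason: "does not match username rule" };
  }
  return { ok: true, value };
}

// Constructed sample of what a server might receive. The first two came
// through a browser form; the rest bypass the form (scripted client or an
// edited request) and would never have been stopped by `pattern`.
const SAMPLE_SUBMISSIONS = [
  "alice_01",
  "bob",
  "ab",                 // too short
  "alice\n<script>",    // second line after a newline
  "' OR 1=1 --",        // characters outside the allowed set
  42,                   // JSON body with a number instead of a string
];

// Screen a batch of submissions and keep the verdict next to each input.
function screenSubmissions(values) {
  return values.map((v) => ({ input: v, ...validateUsername(v) }));
}

// Usage: every submission is validated server-side; only the first two pass.
const results = screenSubmissions(SAMPLE_SUBMISSIONS);
console.log(usernameInputHtml());
console.log(results.filter((r) => r.ok).length + " of " + results.length + " accepted");
```

The point of keeping `USERNAME_RULE` as a single constant is that the browser-side convenience and the server-side check cannot drift apart; the browser copy may be removed or ignored at any time, the server copy is the one that counts.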
There are many more features that are part of the most recent HTML specs, and browsers are starting to implement them. Which features you will find depends on the browser you are using.
But with great power comes great responsibility. All these features need to be implemented correctly in order to avoid security vulnerabilities in the browser. The browser is also very exposed, constantly downloading and executing code from various sites. The fundamental problem in HTML is that data (HTML) and code (Javascript) aren't well separated from each other. This missing separation opens the door to issues like XSS.
There is also no good way to sign a piece of javascript like you would sign a desktop application. The best you can do is to protect the transit via SSL.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Intel on Tuesday said its revenue and profit dropped during the third quarter of fiscal 2012 compared to the same period a year earlier, and blamed a tough economy for poor sales of its products.
Oracle Database Authentication Protocol CVE-2012-3137 Security Bypass Vulnerability
MediaWiki Multiple Security Vulnerabilities
A new software test suite developed at the National Institute of Standards and Technology (NIST) allows local and federal agencies and other users of NIST's revised biometric standard to gain higher confidence that the correct ...
As mobile network and device makers explore many paths to using wireless spectrum more efficiently, one possible solution is still hard to achieve: Sending and receiving data on the same frequency at the same time, in the same space.
Patents on software and on business methods are fueling a huge war in the mobile industry and holding back innovation, a group of patent experts said Tuesday.
SAP laid out broad details of a new cloud-based application development platform powered by the HANA in-memory database during the Tech Ed conference in Las Vegas on Tuesday.
LinkedIn has redesigned the Profile page of its members' accounts, tweaking the layout and adding features in order to simplify viewing and editing as well as increase engagement among users.
What not to do when creating passwords for online accounts Infographic via SecurityCoverage, makers of Password Genie.
Microsoft's pricing of its Surface RT tablet was called 'aggressive' by some analysts today, 'mystifying' by others, even as they remained skeptical that it's low enough to make inroads on the dominant player, Apple's iPad.
When addressing Web application threats and vulnerabilities, security teams need to look out for design flaws, says Mike Shema of Qualys, Inc.

Mike Chapple discusses recently updated NIST incident response guidelines and explains how to incorporate the changes into an incident response plan.

Microsoft has reached a deal to acquire cloud-integrated storage company, StorSimple.
HAProxy Trash Buffer Overflow Vulnerability
Developers can sell apps built with the company's drag-and-drop Web design platform geared to small businesses.
Tablet computers are popping up just about everywhere, even in Haverhill, Mass., where workers at the local water treatment plant use the devices to monitor its systems.
Apple today issued invitations to an Oct. 23 event in San Jose, Calif. where it's expected to unveil a smaller tablet, tagged as the "iPad Mini" by most.
SAP has made its HANA in-memory database available on Amazon Web Services at an hourly rate, giving customers and partners a new way to try out the platform quickly without investing in hardware and perpetual software licenses, the company announced Tuesday at the Tech Ed conference in Las Vegas.
Home Secretary Theresa May has announced that "UFO hacker" Gary McKinnon will not be extradited to the US. The government is currently deciding whether McKinnon will be tried in the UK instead.

Visual Tools DVR multiple vulnerabilities
If your IT security team must comply with regulations like PCI-DSS or HIPAA, you need to know who accesses your data and what they do with it, even if they're using a mobile device to do it. But performing forensic investigations on mobile devices is trickier than it is on PCs.
Sprint will start selling the quad-core LG Optimus G smartphone on Nov. 11 for $199.99 and a two-year contract, nine days after AT&T put its version on sale for the same price.
Attackers can abuse the way browsers and other applications handle steam:// protocol URLs in order to exploit serious vulnerabilities in the Steam client or games installed through the platform, according to researchers from startup vulnerability research and consultancy firm ReVuln.
Ericsson has unveiled a Wi-Fi access point and controller for offloading cellular traffic in densely populated areas such as stadiums.
Yahoo CEO Marissa Mayer appointed another former Google employee as her COO on Monday, her first day back since the birth of her baby.
The man who has set himself the task of saving the world has announced an extra-secure Kaspersky-developed operating system designed primarily for controlling industrial systems.

Microsoft today briefly posted prices of $499 to $699 for the Surface tablet, but then pulled the listings from its online store.
Silver Peak VX virtual appliance matches physical WAN appliances in both features and performance.
Sprint will begin selling the Samsung Galaxy Note II on Oct. 25 for $299.99 with a two-year contract, the carrier announced early Tuesday.
Following up on reports, The H has confirmed that Santander's retail web site stores customer passwords in plain text in a session cookie. It is also likely that credit card information is similarly stored.


Gal Shpantzer takes on infosec's 'cool kids'
CSO (blog)
In the infosec world, social networking is at its best when real issues are debated. Yesterday, my friend Gal Shpantzer contributed to that effort when he asked his Facebook connections: "What do y'all think of cliques and cool kids in infosec ...

Gary McKinnon, indicted in 2002 on charges of hacking into U.S. government computers, will not be extradited to the U.S., the U.K. Home Secretary Theresa May said.
Electronics manufacturer Foxconn Technology Group said on Tuesday that students as young as 14, below the legal working age, were found employed at a company factory in China that has been said to make products for Japanese gaming firm Nintendo.
Citrix Systems has released an enhanced GoToMyPC app for Android devices allowing anyone with an Android phone or tablet, including Amazon's Kindle Fire family, to access their Internet-connected Mac or PC over a mobile network.
European privacy authorities have asked Google to tweak the unified privacy policy it introduced on March 1, but have stopped short of asking it to undo all its changes. They set no firm deadline for Google to make the tweaks, and will leave it to national data protection authorities to decide whether to take regulatory or legal action.
Seagate today announced three new enterprise-class hard disk drives aimed at traditional data centers and emerging private and public cloud infrastructures.
Almost half of IT managers in a survey last month said that they plan to standardize their company's mobile platform on devices running Microsoft operating systems, including smartphone OSes Windows Phone 7.5 and Windows Phone 8 and tablet OS Windows RT, according to ThinkEquity, a research and institutional investment banking services firm.
Scientists studying Earth system processes, including climate change, are now working with one of the largest supercomputers on the planet.
An 89-year-old woman used to find computers intimidating. Today, she's not only using a computer, she's on a social network, emailing with her family and getting pictures from her grandson in Australia.
A blogger in New Zealand discovered that any visitor to the Ministry of Social Development's employment offices had access to a plethora of data, such as invoices that included names of patients and children in care programs.


Posted by InfoSec News on Oct 15


Call For Abstracts

The Call for Papers for the 3rd BayThreat security conference is open!

BayThreat is a 2 day event in Sunnyvale, CA, December 7th and 8th. The
theme for BayThreat is a new spin on the dichotomy of attacking and
defending in information security. We're calling out all of the
attackers and defenders that are on the front lines of the battle. We'll
analyse the latest attack...

Posted by InfoSec News on Oct 15


By Michael Lee
ZDNet News
October 16, 2012

Software developers are ignoring their responsibilities to protect and
design infrastructure that is properly secured, according to Oracle
Chief Security Officer Mary Ann Davidson.

Speaking at the Australian Information Security Association's National
Conference 2012 in Sydney today, Davidson said that...

Posted by InfoSec News on Oct 15


By Kim Zetter
Threat Level

Researchers have uncovered new nation-state espionage malware that has
ties to two previous espionage tools known as Flame and Gauss, and that
appears to be a “high-precision, surgical attack tool” targeting victims
in Lebanon, Iran and elsewhere.

Researchers at Kaspersky Lab, who discovered the malware, are calling
the new...

Posted by InfoSec News on Oct 15


By Dan Goodin
Ars Technica
Oct 15 2012

The US Department of Homeland Security is warning of critical
vulnerabilities in a computerized control system that attackers could
exploit to sabotage or steal sensitive data from operators of the solar
arrays that generate electricity in homes and businesses.

A slew of vulnerabilities in a variety of products,...

Posted by InfoSec News on Oct 15


By Beth Walsh

A mix-up by a janitorial services firm is the source of a data breach at
a Springfield, Mo., radiology group practice. Nineteen-member Litton and
Giddings Radiological Associates (LGRA) has notified about 13,000
patients who had billing activity between July 23 and Aug. 2, 2012.
