InfoSec News

VMware may purchase Novell for its Linux assets, the Wall Street Journal reports
 
Microsoft is going all out to integrate IE9, which debuted Wednesday in beta form, with Windows 7 user interface features. Take a look at the design and judge for yourself whether it's a cleaner, simpler browser.
 
Verizon Wireless confirmed that the Android 2.2 update known as Froyo will not be made available for the Droid Eris smartphone, outraging some customers.
 
Verizon Wireless confirmed that the Android 2.2 update known as Froyo will not be provided for the Droid Eris smartphone, outraging some customers.
 
Yahoo will sharpen its search engine by providing richer results for news and entertainment-related queries, as well as revamp its webmail service by making it faster and more connected to Twitter and Facebook.
 
Oracle's first-quarter revenue jumped 48% over the same period last year to $7.5 billion, the company reported Thursday. Net income was up 20 percent to $1.4 billion.
 
Book retailer Barnes & Noble expects to generate $1 billion in revenue from sales of digital books, including e-books and e-textbooks, by 2013, the company said on Thursday.
 
Coming soon to a Twitter account near you: Embedded pictures and video, threaded replies and drill-downs. Look out, Facebook?
 
JPMorgan Chase is trying to move past three days of problems on its online banking site with an apology and an explanation that seems to put the cause on a third party.
 
Oracle's annual OpenWorld conference kicks off Sunday. Here's a look at some of the hottest topics and happenings at the event, which runs through next Thursday in San Francisco.
 
HP's design philosophy when it comes to the Envy series of laptops is to borrow liberally from Apple's MacBook line, then add some of its own flavor. The Envy 17 is no exception. At less than 8 pounds without the power brick, the Envy 17 is barely thicker than an inch and includes robust media playback capabilities - including Blu-ray movies.
 
MuleSoft has added cloud connectivity to its open-source enterprise service bus.
 

Intel CISO: The biggest threat to security is a misperception of risk
CSO
According to Malcolm Harkins, CISO of Intel, the biggest threat facing infosec is the misperception of risk. Harkins spoke Thursday at the Forrester ...

 
Google patched 10 vulnerabilities in Chrome this week, including one pegged critical on the Mac.
 
A report released this week by the non-partisan Brennan Center at New York University School of Law recommends the creation of a national database for reporting and storing information on e-voting machine defects.
 
I haven't used the Google Toolbar in a few years, but there's one thing I really miss about it: autofill. With just one click it would automatically fill out a Web form with my name, address, phone number, e-mail address, and/or other information.
 
Dell is opening new manufacturing facilities and customer support centers in China.
 
The eternal challenge of the data center is balancing the quality of the user experience against the economics of building and operating the data center. One of the most significant trends today is the use of infrastructure virtualization to improve the economics.
 
Avaya had barely unveiled its new portable video device on Wednesday when just about everybody started calling it the Flare Tablet.
 
Microsoft's next browser closes in on Chrome and Firefox with improvements in graphics rendering, HTML5 compatibility, security, and JavaScript performance
 
Microsoft may have a tough time building significant market share for its new Internet Explorer 9 (IE9) browser because it doesn't work on PCs running Windows XP.
 
Unified communications (UC) as we know it today is flawed. The initial investment is simply too high for the return, partly due to the cost of each component and the fact you need gateway servers and software to tie the disparate systems together. Even then there’s no guarantee the products will play nicely with one another, meaning you have to add an additional line item to the budget for troubleshooting.
 
The video surveillance industry is undergoing a sea change as older analog systems give way to IP-based systems. The change involves more than just physical layer communications. New high resolution IP cameras offer greater resolution and new application opportunities in both the security and process monitoring industries. Coupled with powerful digital video analytic software in the back-office, high resolution IP cameras can pick out license plates and faces from seemingly impossible distances.
 
Today's Web 2.0 technologies foster collaboration and ignite business innovation, Forrester Research says. Are you helping move your company toward a "need to share" culture?
 
A vulnerability in some random ad server software wouldn't be terribly big news, but in this case I decided to spend a couple minutes on it. OpenX is somewhat popular, and used by various sites to serve ads. Not only that... the vulnerability is actively being exploited. And to make things worse: The OpenX.com site is down, so you can't download a patch or any details direct from the source.
We have seen compromised ad servers being used in the past to inject malicious content into various trusted pages and I am a bit afraid that we will see some of this with these OpenX vulnerabilities.
For more details: http://blog.sucuri.net/2010/09/openx-users-time-to-upgrade.html
(thanks to David of Sucuri for the heads up)

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
SCO hopes to protect UNIX System V customers by having another company manage the software.
 
When Data Robotics launched Drobo in 2007, the fully automated storage array made a rare splash in the storage industry. The company hopes to go public within five years and become the Apple of the storage array marketplace.
 
At a time when municipal governments are strapped for cash, the team at PublicStuff is hoping to provide them a boost by giving them a new way to streamline resources.
 
Pressured by law enforcement, advocacy groups, and Congress, the popular site Craigslist said it would permanently remove adult services from its online classified ads in the U.S.
 
Verizon today announced that Android smartphones using its network can now run Good Technology's security and management software.
 
iOS 4.1 is so last week. Along with Wednesday’s announcement of AirPrint came the first iOS 4.2 beta release for registered members of Apple’s iOS developer program. Of the two software updates, iOS 4.2 is arguably the bigger release: not only does it finally bring the features of iOS 4 (and iOS 4.1) to the iPad, but it also finally unifies Apple’s mobile software platform across its devices. Plus it actually brings a couple of new, prominent features along with it.
 
Twitter's update to its homepage, which stresses community and multimedia content, is a welcome change to the staid site.
 
I am seeing a trend on Facebook recently, and I am not sure what to make of it. As we all know just too well, Facebook has a Like feature. This feature, a little button associated with a post, allows you to show agreement with a post. Lately however, I am seeing more and more posts like the following:

I covered up the parts identifying the friend of mine who posted this. A few things make these posts look suspect: The post itself links to a domain x.co. This is not the only domain used for these posts and it isn't obvious if they are all related (but many are). Another domain associated with x.co is for example thelikepage.com.
Once you click on it, you are offered a large number of other provocative quotes and offered to like them. At this point, I am mostly asking what is the point? Is it just an attempt to direct Facebook users to ad-covered pages? Or is there something more sinister at play? I don't see any exploits like click-jacking or cross-site-request-forging used. These pages also do not phish your credentials like some other similar pages. If you have an opinion or any further insight, please let us know.
Update: Just a quick summary of some of the feedback we got so far. Too much to mention every single one (Thanks BTW!)
Nobody has seen anything malicious from these URLs yet, so it appears to be just Spam, maybe search engine optimization techniques to get these pages linked and ranked higher. A couple readers noted that unlike a regular like, it is not so easy to remove these notes from your profile. You need to go to your wall page and remove them. You can not remove them like normal Likes from your Newsfeed.


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Not traveling this week, I got a bit of extra time and decided to put up a couple packet challenges. If you are following me on twitter, you may have already seen them. If not... here they are:
First one (with solution): http://johannes.homepc.org/packet1.txt
The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)
A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.
update: just made the new challenge live. again at http://johannes.homepc.org/packet.txt
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Experts say the Stuxnet malware is groundbreaking technology that may have been created with the backing of a government.
 
Google's Android has blown by Microsoft's Windows Mobile to rank third among smartphone operating systems, according to ComScore's latest numbers.
 
When the VDI server maintains a virtual machine for every desktop user, a more PC-like experience results -- but weigh your choices carefully before you start
 
Sorting out software licensing terms in desktop virtualization deployments is so tough that even software vendors have a hard time keeping it straight.
 
InfoSec News: FBI Takes Control Of Troubled Sentinel Project: http://www.informationweek.com/news/government/enterprise-apps/showArticle.jhtml?articleID=227400495
By John Foley and J. Nicholas Hoover InformationWeek September 15, 2010
Following a July decision to freeze the last two phases of development on its Sentinel case-management system, the FBI now plans to take over management of the project from its primary contractor, Lockheed Martin.
The agency plans to use agile development processes to complete the project using its own employees and other technology partners, while reducing its reliance on Lockheed Martin. FBI CIO Chad Fulgham, in an interview with InformationWeek, described the move as "a significant change in the scope and responsibility" for Lockheed Martin.
The decision represents a bold move by the agency to salvage the Sentinel project, which is currently budgeted to cost $451 million, from multiple delays and rising costs. Fulgham said his goal is to complete the project on budget and without further delays.
FBI director Robert Mueller indicated in April that Sentinel, originally scheduled for completion in 2009, would be pushed back into 2011 due to delays and stop work orders. Fulgham now puts the target completion date at Sept. 2011, the end of the government's fiscal year, but acknowledges that agile development projects can be difficult to forecast. Development on Sentinel, currently paused, should begin again by October, Fulgham said.
The FBI awarded Sentinel to Lockheed Martin in March 2006 following the failure of an earlier effort (called the Virtual Case File system) to replace its outdated system for managing case records, saying it had learned its lessons from Virtual Case File's shortcomings. Sentinel was originally due to be completed over four phases. Two phases have been delivered to this point, with most of the system's hardware and software infrastructure in place. In July, the FBI released enhancements to the system's user interface, new electronic forms, digital signature features, and additional collaborative features, and more than 5,000 users now log in to Sentinel weekly. However, much of the system's functionality, including a new case management database and some reporting capabilities, has yet to be put in place, and the existing outdated Automated Case Support system has yet to be retired.
[...]
 
InfoSec News: NSA product accreditations lag behind IT security advances: http://www.networkworld.com/news/2010/091510-nsa-accreditations.html
By Ellen Messmer Network World September 15, 2010
ORLANDO -- The National Security Agency wants to use commercially-built security products and the latest virtualization software. [...]
 
InfoSec News: Cyber-Attack Deploys In Israeli Forces: http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/dti/2010/09/01/DT_09_01_2010_p42-248207.xml
By David Eshel Tel Aviv Aviation Week Sept 15, 2010
Geopolitical concerns and two wars in recent years have put Israel at the forefront of cyberwar and cyber-defense. [...]
 
InfoSec News: Shaquille O’Neal slams lawsuit that says he’s a hacker, bully: http://www.bostonherald.com/sports/basketball/celtics/view/20100916shaquille_oneal_slams_lawsuit_that_says_hes_a_hacker_bully/
By Jessica Van Sack Boston Herald September 16, 2010
Basketball’s notorious Hack-a-Shaq strategy took on a new meaning yesterday as the Hub’s newest hoop homeboy slammed a lawsuit filed against him that claims he hacked into a computer and tried to frame a former employee for possessing child porn.
The sordid civil suit against Shaquille O’Neal, the Celtics’ new No. 36, accuses him of “intentional infliction of emotional distress” upon Shawn Darling, a former employee of the NBA standout.
The 15-page complaint, filed in a Miami court last month, pelts all manner of allegations at the former MVP and portrays him as a serial philanderer and bully. Among the charges:
[...]
 
InfoSec News: Die-hard bug bytes Linux kernel for second time: http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/
By Dan Goodin in San Francisco The Register 15th September 2010
The Linux kernel has been purged of a bug that gave root access to untrusted users – again.
The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.
The bug was originally discovered by the late hacker Wojciech "cliph" Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active.
“I showed this to my friend Robert Swiecki who had written an exploit for the original bug in 2007, and he immediately said something along the lines of 'well this is interesting,'” Hawkes wrote. “We pulled up his old exploit from 2007, and with a few minor modifications to the privilege escalation code, we had a root shell.”
[...]
 
With the release of Windows 7, Microsoft famously unbundled certain programs that were previously built in--Windows Mail (which was Vista's replacement for XP's Outlook Express) among them.
 
Finding a Bluetooth headset that fits snugly in the ear and feels comfortable to wear can be tricky. Fortunately, the Plantronics M100 ($80, price as of 9/1/2010) satisfies on both counts. The M100 has other strengths, too; but a few weaknesses leave it in the middle of the pack.
 
If the most appealing aspects of a desktop replacement laptop for you are the large screen and keyboard, then Acer's affordable Aspire 7745-5632 is the machine you're looking for. Its 17.3-inch display is easy on the eyes and the full-sized keyboard is extremely type-able. Even the power button on this darkly handsome unit is large. However, at this price point--$600 - $700 at the time of review--something has to give, and that something is performance.
 


Posted by InfoSec News on Sep 15

http://www.networkworld.com/news/2010/091510-nsa-accreditations.html

By Ellen Messmer
Network World
September 15, 2010

ORLANDO -- The National Security Agency wants to use commercially-built
security products and the latest virtualization software. But the slow
pace of getting products certified through NSA channels and the
lightning fast pace of change in the IT industry is causing
national-security heartburn.

The high-tech spy agency,...
 

Posted by InfoSec News on Sep 15

http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/dti/2010/09/01/DT_09_01_2010_p42-248207.xml

By David Eshel
Tel Aviv
Aviation Week
Sept 15, 2010

Geopolitical concerns and two wars in recent years have put Israel at
the forefront of cyberwar and cyber-defense. As the most computerized
country in the Middle East, Israel stands to lose a great deal if its
military and civilian networks prove vulnerable to...
 


