InfoSec News

Cloud storage providers should bill by disk usage, not I/O a group of Usenix researchers contend
If you are ever curious: yes, the handlers do participate in events that do not involve keyboards, packet analysis tools or malware reverse engineering. At an event here in Phoenix, AZ, USA, it was clear that a piece of technology in development deserves some attention. As a lead-in to the discussion: the event clearly posted "no filming." The security staff were very helpful in taking photos of folks during intermission and when the event was not taking place, but vigilant in telling participants to stop during the course of the event.
This may seem like a soft subject for a diary piece, but each of the handlers is entrusted with access to information that our readers post. In turn we all hold each other and ourselves to a high level of professional and personal ethics. But not everyone has the same opinion on what is right or what is wrong. That brings me to the technical piece of this entry that is relevant to the above topic.
Fox News [1] is running a story about how Apple has filed a patent for technology that can disable iPhones from filming at live events. After some searching I found a good source for explaining the patent in more detail [2].
In summary, the device would be able to receive commands through its infrared receiver. Keep in mind that Apple has several patents that never seem to surface as technology, but this one, due to events last night, strikes me as a concept to follow.
At what point do you stop owning your technology? And, on the opposite side, where is the line when it comes to protecting intellectual property?
Considering the world of extreme disclosure we are in, technology like this could be greatly useful in classified spaces and in areas of high sensitivity. For security operators who control sensitive spaces this is a technology that could be exciting and useful, but be aware that it could also be a sign of the times to come.

Richard Porter
--- ISC Handler on Duty
email: richard at isc dot sans dot edu
twitter: packetalien
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
A model of the Internet where the Pentagon can practice cyberwar games -- complete with software that mimics human behavior under varying military threat levels -- is due to be up and running by this time next year, according to a published report.
An Indian man has been charged with breaking into a company's Internet domain name registration account as part of a $1 million extortion attempt.
Huawei Technologies has rejected a charge by the head of the U.S. Export-Import Bank that it has an unfair advantage over rivals because of help from the Chinese government.
Microsoft XML External Entities Resolution CVE-2011-1280 Information Disclosure Vulnerability
Two German men were sentenced Thursday in a Duisberg court for hacking computers containing material belonging to Lady Gaga, Dr. Dre and other musicians, stealing their banking data and accessing e-mail accounts.
Cisco RVS4000/WRVS4400N Web Management Interface Information Disclosure Vulnerability
Cisco RVS4000/WRVS4400N Web Management Interface Remote Command Injection Vulnerability
Cisco RVS4000 and WRVS4400N Web Management Private/Public Key's Information Disclosure Vulnerability
Microsoft Active Directory Certificate Services Web Enrollment Cross-Site Scripting Vulnerability
[ MDVSA-2011:110 ] gimp
Facebook is just about set to offer its first app built for Apple's iPad tablet, according to a New York Times report.
Mozilla is working on a project that will add PDF rendering to Firefox using HTML5 and JavaScript, eliminating the need for users to run Adobe's own plug-in.
Hewlett-Packard is investigating reports that a Pakistani hacker has penetrated an FTP server and gained access to some 9GB of corporate data.
Only 21% of U.S. consumers say they want a smartphone equipped with a Near-Field Communication chip for mobile payments, according to a survey.
With Connecticut Attorney General George joining the brouhaha around Facebook's new facial recognition feature, it's possible the flap could get even bigger.
IBM WebSphere Application Server JAX-RPC WS-Security/JAX-WS Runtime Security Bypass Vulnerability
Mozilla Firefox WebGL Information Disclosure Vulnerability
RIM's first-quarter results included several disappointments to Wall Street, but analysts say the company remains popular in the enterprise and can return to favor if it makes a few smart moves.
BMC Software said Friday it has acquired a range of information management system database software and related customers from Neon Enterprise Software, which recently lost a legal battle with IBM over a mainframe-related product called zPrime. Terms of the deal were not disclosed.
Just three days after Microsoft patched 11 bugs in Internet Explorer (IE), hackers are exploiting one of those vulnerabilities, Symantec said Friday.
Sanbolic today unveiled an updated version of its data sharing and file management software that now includes dynamic data migration.
VUPEN Security Research - Microsoft Windows OLE Automation Integer Underflow Vulnerability (MS11-038)
This week brought a number of headlines related to Bitcoin--a peer-to-peer online currency that seems to be increasing in popularity. From the security perspective, the rise of Bitcoin offers a peek at the type of financial transactions that may need to be safeguarded in the future, and also provides insight into the criminal activities associated with such transactions.
Malware has appeared that steals Bitcoin wallets, the time is near when botnets will be used for Bitcoin mining, and attackers are probably considering whether weaknesses in the Bitcoin design and implementation might be used to game the Bitcoin market. Just like Friendster was the precursor to today's online social networks and Napster foreshadowed modern online music distribution models, so too Bitcoins might be a sign of upcoming approaches to distributed online financial transactions.
Here are a few articles for coming up to speed on Bitcoin and the recent incidents associated with it.
Getting Started With Bitcoin

Become familiar with the key Bitcoin concepts--what Bitcoin is, why it exists and how it is used--by reading the Bitcoin Wikipedia entry.
Understand some of the reasons for Bitcoin continuing to increase in value by reading SmartMoney's perspective on the currency's growth streak.
Take a look at the list of vendors who accept Bitcoin as a form of payment or who can exchange Bitcoins into traditional currencies.
Consider the perspective that the economic factors behind Bitcoin might be unsustainable and could resemble a Ponzi scheme. Read a related perspective on why Bitcoin might be a poor idea.

Bitcoin Mining

Understand the notion of Bitcoin mining--generating new Bitcoins by solving cryptographic problems (repeatedly hashing candidate block data until a hash below a difficulty target is found). Consider the likely scenario of compromised computers being used for Bitcoin mining--a malicious practice that is not yet widespread, yet will inevitably rise in popularity.
Consider the Bitcoin mining tool written in JavaScript. It solves cryptographic problems to generate new Bitcoins while running in the browser of visitors to the miner's website. Could this approach provide a new way for legitimate websites to generate revenue without displaying traditional ads? Might such code running inside malicious Flash ads provide a new revenue stream for online attackers?
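To make concrete what "solving cryptographic problems" means in the mining item above, here is an added, simplified proof-of-work search (not code from the original diary or from any Bitcoin client). It keeps Bitcoin's double-SHA-256 and nonce search but uses a constructed stand-in for the block header rather than the real header layout; the point is that finding a solution costs about 2^bits hashes while checking one costs a single hash, which is why stolen CPU time is attractive to miners and why sustained CPU load is the observable symptom on a compromised host.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash solves the puzzle when, read as a 256-bit integer, it is below this target.
    Each extra bit of difficulty halves the chance that a given nonce succeeds."""
    return 1 << (256 - difficulty_bits)


def check_nonce(header_prefix: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash: cheap for anyone, which is the point of proof of work."""
    digest = double_sha256(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def mine(header_prefix: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the 32-bit nonce until the hash meets the target.
    Returns (nonce, attempts) for the first solution, or None if the space is exhausted."""
    for nonce in range(max_nonce):
        if check_nonce(header_prefix, nonce, difficulty_bits):
            return nonce, nonce + 1
    return None


# Constructed stand-in for a block header (version, previous hash, merkle root, time...);
# the real Bitcoin header serialization is deliberately not reproduced here.
CONSTRUCTED_HEADER = b"constructed-header:prev=00..00,merkle=ab..cd,time=1308900000"


if __name__ == "__main__":
    # Work grows exponentially with difficulty: roughly 256, 4096 and 65536 hashes.
    for bits in (8, 12, 16):
        nonce, attempts = mine(CONSTRUCTED_HEADER, bits)
        print(f"{bits:2d}-bit target: nonce={nonce} after {attempts} attempts "
              f"(expected about {2 ** bits})")
```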

Recent Bitcoin Incidents

Read about Silk Road--an online marketplace for drugs such as LSD and Cannabis--that only accepts Bitcoin as the form of payment. This story brought Bitcoin to the attention of many people outside the tech community, including lawmakers.
Learn the details of the theft where 25,000 Bitcoins, potentially worth $500,000, were reportedly stolen from a person's PC. (Maybe the victim exaggerated the size of the stolen sum?)
Understand the nature of a recently-discovered trojan that was designed to steal the victim's Bitcoin wallet from the infected Windows computer. Also, read the forum discussion to understand how this malware was probably being distributed. (If you own Bitcoins, remember to safeguard the wallet.)

Potential Bitcoin Implications

Read the EFF's perspective on Bitcoin's potential to offer the kind of anonymity and freedom in the digital environment we associate with cash used in the offline world.
Consider the opportunities for financial arbitrage if the Bitcoin market could be manipulated through the sale of large quantities of Bitcoins at once.

The notion of Bitcoin as a distributed and anonymous form of currency is capturing the world's attention. The readers of this blog will find it particularly interesting to consider the implications of the role that such currency can play in the criminal marketplace and online attack activities.
Perhaps Bitcoin is ahead of its time, and maybe its design and implementation are flawed--we will know soon enough. Regardless, it is an idea that will inspire creative thinking in the space of online payments. In the words of Edward Z. Yang, "The future of Bitcoin depends on those who will design its successor. If you are investing substantially in Bitcoin, you should at the very least be thinking about who has the keys to the next kingdom."
(This diary is based on the text originally published on my blog.)
-- Lenny Zeltser
Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.
Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries
[security bulletin] HPSBUX02657 SSRT100460 rev.1 - CIFS Server (Samba), Remote Execution of Arbitrary Code, Denial of Service (DoS)
Linux Kernel TIOCGICOUNT 'serial_core.c' Information Disclosure Vulnerability
JFreeChart - Path Disclosure vulnerability
EQDKP plus Cross Site Scripting and Bypass file extension

Czechs Find Balances in Electronic Security
Signal Magazine
Where many INFOSEC experts seemed resigned to residual risk acceptance, ANECT instead spent two years researching user-centric authentication to develop ALUCID. Company officials believe it ends the need for choosing between acceptable access ...
ProofPoint lures VARs with iPad demo scheme
These include Infosec Technologies, Synetix, Satisnet and Varidion. Under the promotion, customers will be handed an iPad 2 loaded with a ProofPoint application that allows them to monitor their email security's performance. ...

Connecticut Attorney General George Jepsen expressed concern that Facebook's "Tag Suggestions" face recognition feature compromises consumer privacy, and asked for a meeting with company officials.
Chip maker GlobalFoundries said two top executives have stepped down and been replaced by a new leadership team as the company looks to step up investments and boost chip manufacturing capacity through next year.
Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued Thursday by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Next month Apple will ship Lion, giving customers the chance to upgrade to the company's newest edition of Mac OS X. Most customers, but not all.
Microsoft Internet Explorer DOM Editing Uninitialized Memory Remote Code Execution Vulnerability
Near Field Communication chips will prove to be a boon to merchants despite lengthy delays in U.S. adoption of the technology, analysts say.
Mobile hotspots provide a convenient way to get online when you're on the road. We put the latest models offered by AT&T, Sprint and Verizon to the test.