
InfoSec News

Company warns customers that SecurID product data was stolen in sophisticated attack.

 
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 



RSA has announced that it has discovered a breach of its systems.

This open letter from RSA's Executive Chairman, Art Coviello, http://www.rsa.com/node.aspx?id=3872 , states that the attack extracted information related to RSA's SecurID two-factor authentication products.

Information on the attack, and on what other data may have been taken, is so far limited to that open letter. Until RSA publishes more detail, SecurID customers cannot judge from the letter alone how, or whether, their own token deployments are affected.

RSA has also emailed a number of its customers with a similar warning and notification of the breach.


EMC's RSA Security division says the security of the company's two-factor SecurID tokens could be at risk following a sophisticated cyber-attack on the company.
 
Sales of HTC's ThunderBolt smartphone kicked off Thursday, but it isn't clear that the faster speeds it offers on Verizon Wireless's LTE (Long Term Evolution) network are exciting buyers, possibly because of concerns about battery life.
 
At TheServerSide Java Symposium, JCP execs discussed what can be done to help maligned standardization body
 
Oracle Java SE and Java for Business CVE-2010-4468 Remote Java Runtime Environment Vulnerability
 

Experts Paint Grim Picture of Infosec Readiness (GovInfoSecurity.com)
Key government and non-government IT networks remain vulnerable to attack, undermining confidence in the nation's information systems and the information collection and sharing processes, top civilian, military and private-sector IT security experts ...
 
Apple on Thursday disputed independent tests by Blaze Software that showed the Android-based Nexus S smartphone browsed the Web 52% faster than the iPhone 4, saying the tests were "flawed."
 
A New Jersey man filed a lawsuit charging that outsourcer Infosys listed job ads on Monster.com that automatically discriminated against older workers.
 
Researchers at a Canadian university are using nanotechnology and a tiny remote-controlled magnetic sphere to deliver cancer-fighting drugs directly to where they need to go.
 
Apple's decision to shave the iPad 2's profile and reduce its weight may mean a slight increase in broken screens, a repair expert said today. Others analysts, however, think the new design will prevent shattered screens.
 
Free tool to help find and lock lost devices also will be more broadly available
 
[TEHTRI-Security] Quick BlackBerry Security Check
 
Whenever the topic of security is mentioned in the context of cloud computing, it is usually discussed as the "big barrier" to adoption. The perceived or actual lack of security in the cloud makes it impossible for businesses to make the leap into this new computing paradigm. I propose a different perspective: Security will rescue cloud computing.
 
Dell met with Computerworld to explain how it plans to integrate its recent acquisitions of Exanet and Ocarina with its Compellent and EqualLogic products.
 
Adobe Flash Player CVE-2011-0609 'SWF' File Remote Memory Corruption Vulnerability
 
[USN-1079-3] OpenJDK 6 vulnerabilities
 
[ MDVSA-2011:046 ] pure-ftpd
 
Robert Courteau, SAP's new president for North America, talked about the trends driving the ERP market, trends he says SAP is fully prepared to handle.
 
SAP plans to offer a version of its HANA (High-Performance Analytic Appliance) software that will allow customers to upload data to the vendor's own cloud setup for processing, rather than deploy related infrastructure in-house, a senior executive of the company said.
 
Deferral Announcement for the March 2011 Cisco IOS Software Security Advisories
 
Google has enhanced its online tools to support information discovery and relief efforts in Japan.
 
A large network of hacked computers called Rustock, which was responsible for a great volume of spam, has shut down, perhaps as a result of another coordinated take down by security researchers.
 
Dell on Thursday started shipping new Inspiron and Vostro laptops powered by Intel's latest Sandy Bridge processors with prices starting at $499.
 
A lawsuit filed against Infosys by an employee sheds light on the questionable use of B-1 visas for foreign workers.
 
libcgroup Heap Based Buffer Overflow Vulnerability
 
A dangerous vulnerability affecting the BlackBerry browser can be used to gain access to sensitive data or steal the phone's contact list and image database.

 
HTB22889: XSS in Rating-Widget wordpress plugin
 
HTB22890: XSS in Rating-Widget wordpress plugin
 
HTB22891: XSS in Rating-Widget wordpress plugin
 
HTB22892: Path disclosure in Smen Social Button wordpress plugin
 
[SECURITY] [DSA 2193-1] libcgroup security update
 
What do you do when you receive an antivirus alert on your home system?
You're checking your mail in the morning before heading to work, you click on a link sent to you by a friend and your AV throws up an alert. What do you do next?
Is it time to start from scratch and rebuild the system?
In that particular scenario, probably not. The antivirus most likely thwarted the attempt to compromise your system. You can usually get away with booting into Safe Mode (we're talking about Windows here, not your smartphone), updating signatures and running a full scan. A quick look at Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902) or HijackThis (http://free.antivirus.com/hijackthis/) output is also a sound step; in fact, you should capture that output before you ever have an alert, just to have a baseline to compare against.
Then look into how you were exposed and report that appropriately.
When is the Worst Time to Get an Alert?
Having an alert pop up in the middle of your Internet activities is one thing. It's worse to receive an alert right after the signatures have been updated. Now you have little information about how long you've been compromised, and the odds that the chain of compromise (http://isc.sans.edu/diary.html?storyid=9880) was completed are much higher.
This is when it's time to have a serious discussion with yourself about rebuilding your system.
What Does that Alert Tell You Anyway?
Not all AV alerts are created equal. There are alerts that are sensitive, alerts that are specific, and alerts that are precise. Sensitive alerts are good at finding malware: viruses don't easily get past them. The problem is that a sensitive signature will also flag non-malicious files in its zeal to detect viruses, leading to false positives. Specific alerts, on the other hand, are very good at being certain that a detection really is malicious. Their caution creates scenarios where they miss viruses, aka false negatives. A precise rule will tell you what virus you have, not simply that you have a virus. Just remember not to confuse precision with correctness. Your alert may say SillyFDC instead of a generic Trojan Horse, but it could still be a false positive, or it could simply categorize anything that creates autorun.inf on every USB device as SillyFDC instead of differentiating SillyFDC from a Stuxnet spreader.
As you can see, it's a delicate balancing act to get the sensitivity, specificity and precision right in anti-virus solutions, or in any rule- or signature-based system for that matter. Are you aware of any anti-virus solutions that allow the client to tune these values?
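The trade-off above can be made concrete with a scanner that scores files and fires at a tunable threshold. The following is an added example, not code from the ISC diary or from any anti-virus product; the corpus, file names and scores are constructed. It sweeps the threshold and reports sensitivity (malware caught), specificity (clean files left alone) and positive predictive value, which is the statistician's "precision" and is deliberately named ppv here so it is not confused with the diary's sense of "precise" (naming the exact family). usb_backup_tool.exe is the benign file that writes autorun.inf and so looks like SillyFDC to a behaviour rule.

```python
# Added example (not from the ISC diary): a score-based detector with a tunable
# threshold, evaluated for sensitivity, specificity and positive predictive value.
# The sample corpus, names and scores below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    malicious: bool  # ground truth from the analyst, not the scanner
    score: float     # suspicion score the hypothetical scanner assigned (0..1)


# Constructed corpus. usb_backup_tool.exe writes autorun.inf legitimately, so
# a rule that keys on that behaviour alone cannot separate it from SillyFDC.
CORPUS = (
    Sample("sillyfdc.exe", True, 0.95),
    Sample("stuxnet_spreader.dll", True, 0.90),
    Sample("keylogger.exe", True, 0.70),
    Sample("packed_dropper.exe", True, 0.55),
    Sample("usb_backup_tool.exe", False, 0.60),
    Sample("installer.msi", False, 0.40),
    Sample("notepad.exe", False, 0.05),
    Sample("report.docx", False, 0.02),
)


def evaluate(corpus, threshold):
    """Flag every sample scoring >= threshold and tally the confusion matrix."""
    tp = fp = tn = fn = 0
    for s in corpus:
        flagged = s.score >= threshold
        if flagged and s.malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif s.malicious:
            fn += 1
        else:
            tn += 1
    return {
        "threshold": threshold,
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        # sensitivity: share of real malware caught (1 - false-negative rate)
        "sensitivity": tp / (tp + fn) if tp + fn else 0.0,
        # specificity: share of clean files left alone (1 - false-positive rate)
        "specificity": tn / (tn + fp) if tn + fp else 0.0,
        # ppv: how often an alert is right; the statistician's "precision",
        # not the diary's "precise" (naming the exact malware family)
        "ppv": tp / (tp + fp) if tp + fp else 0.0,
    }


def sweep(corpus=CORPUS, thresholds=(0.5, 0.65, 0.8)):
    """Lower the threshold and sensitivity rises while specificity falls."""
    return [evaluate(corpus, t) for t in thresholds]


if __name__ == "__main__":
    for row in sweep():
        print("threshold {threshold:.2f}: sens={sensitivity:.2f} "
              "spec={specificity:.2f} ppv={ppv:.2f} fp={fp} fn={fn}".format(**row))
```

At 0.5 every malicious sample is caught but the backup tool is a false positive; at 0.65 the false positive disappears and the packed dropper is missed. No single threshold gets both right on this corpus, which is the balancing act the diary describes, and the only lever a vendor could expose to the client is where that threshold sits.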
How this Gets Tricky in the Workplace
It's one thing to make a clean-versus-rebuild decision based on first-hand knowledge of how the system was exposed (i.e. did I see the event that led to the detection, or did this detect an old infection?) and yet another when you're sitting at a console receiving alerts from tens of thousands of systems in your organization. How do you make the clean-or-rebuild decision in that situation? How do you differentiate broken compromise chains from detections of successful infections?
Like most difficult questions, the answer is: it depends. It's also a question best left answered by a security professional familiar with your environment, since they will have a better handle on your firm's needs and how to find the right balance point between the need to clean versus the need to rebuild.
What Alerts Could Include to Help the Situation
The anti-virus alert itself could include a little bit more information to help address the precision problem and equip the full-time analyst with better information to answer the clean-versus-rebuild question.
Not having a centralized collection point for quarantined files sometimes causes me headaches at the day job. Having a simple way to recover the identified file is always a plus for large organizations that can afford and justify the costs of malware analysis and reverse-engineering. There are not a lot of organizations that are in that position, so I'm not surprised when this feature isn't available. Mostly I see quarantines used to recover gracefully from False Positive events.
You can eliminate the need to deploy a technician or a remote-agent to perform a live-response on a machine if the alert delivers a little more information than just the signature name, filename, and file location that most solutions provide. Ideally the report would include:

Size of the file in bytes
MD5 or other hash value of the file (even a fuzzy hash like ssdeep, http://ssdeep.sourceforge.net/, while we're asking for the moon)
The Modified, Accessed and Created times from the file (http://msdn.microsoft.com/en-us/library/ms724290(VS.85).aspx)

With the MD5 and the size of the file, an analyst could leverage existing malware collections like VirusTotal (http://www.virustotal.com/search.html) or ThreatExpert (http://www.threatexpert.com/) to gain more insight into the malware, which would improve the precision of the results. The hash could also be compared against known-good lists such as Bit9's FileAdvisor (http://fileadvisor.bit9.com/Services/search.aspx).
Fuzzy hashes could be compared to other files in the day's alerts or recent events to determine similarity to other malware events.
Using the time of the alert and the MAC times of the file, an analyst would be better equipped to determine if the compromise-chain was broken or if this detection followed soon after a signature update.
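What the enriched alert and the timing argument look like in practice, as an added example that is not part of the ISC diary or of any AV product: describe_file collects the fields the wish list asks for (size, MD5 and SHA-256, M/A/C times) from a quarantined file, and triage applies the diary's reasoning about alert time, file creation time and the last signature update. The ten-minute window, the verdict names, the allowlist and the sample file are all assumptions made here; ssdeep is left out because it needs a third-party module, and on POSIX st_ctime is inode-change time rather than the Windows creation time the diary refers to.

```python
# Added example (not from the ISC diary): enrich one AV alert with file facts
# and make a first-pass clean-vs-rebuild call from the timing. The window,
# verdict names and sample content are assumptions, not any vendor's logic.
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SAMPLE_CONTENT = b"constructed sample; not real malware\n"  # constructed, 37 bytes


def describe_file(path):
    """Size, MD5, SHA-256 and M/A/C times: the fields a richer alert would carry."""
    st = os.stat(path)
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    ts = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return {
        "path": str(path),
        "size": st.st_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "modified": ts(st.st_mtime),
        "accessed": ts(st.st_atime),
        # st_ctime is creation time on Windows but inode-change time on POSIX,
        # so the diary's "Created" field is only reliably available on Windows.
        "changed": ts(st.st_ctime),
    }


def triage(alert_time, file_created, last_sig_update, known_good_md5, md5,
           window=timedelta(minutes=10)):
    """Verdict for one alert from the timing relationships the diary describes.

    false_positive_candidate: hash is on a known-good list (check before anything else)
    chain_broken:             file appeared just before the alert (on-access detection)
    retrospective:            file predates the last signature update and the alert
                              fired right after that update: dwell time is unknown,
                              so this is the rebuild conversation
    investigate:              none of the above fit; pull the file and look
    """
    if md5 in known_good_md5:
        return "false_positive_candidate"
    if file_created <= alert_time <= file_created + window:
        return "chain_broken"
    if file_created < last_sig_update <= alert_time <= last_sig_update + window:
        return "retrospective"
    return "investigate"


def demo():
    """Run describe_file on a constructed sample and triage four constructed scenarios."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "quarantine_0001.bin"
        sample.write_bytes(SAMPLE_CONTENT)
        facts = describe_file(sample)
    t0 = datetime(2011, 3, 17, 8, 0, tzinfo=timezone.utc)
    h = facts["md5"]
    verdicts = {
        # user clicked a link, file was dropped, AV fired 30 seconds later
        "morning_click": triage(t0 + timedelta(seconds=30), t0, t0 - timedelta(days=3), set(), h),
        # signatures updated at 08:00, alert at 08:02, file has been there a week
        "after_update": triage(t0 + timedelta(minutes=2), t0 - timedelta(days=7), t0, set(), h),
        # same file, but its hash is on the site's allowlist
        "allowlisted": triage(t0, t0, t0, {h}, h),
        # old file, old signatures, alert hours later: no clean story either way
        "unclear": triage(t0 + timedelta(hours=5), t0 - timedelta(days=7), t0 - timedelta(days=3), set(), h),
    }
    return facts, verdicts


if __name__ == "__main__":
    facts, verdicts = demo()
    print(facts["size"], facts["md5"], facts["sha256"])
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
```

The allowlist check comes first on purpose: a known-good hash turns the alert into a false-positive investigation rather than a host investigation, which is exactly the lookup the diary suggests against Bit9-style lists. The timing rules are heuristics and the "investigate" bucket is where a human, or the malware analysis the diary mentions, takes over.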
Conclusion
Antivirus alerts can be a very useful source of intelligence for your firm. Don't ignore them because AV took care of the problem.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Teenage rampage: What Anonymous can teach us about the youth (CSO blog)
Recent speculation in the infosec community is that the Anonymous attacks against HBGary have been fueled by some youthful energy. The security community has been particularly obsessed with Anonymous since the attack on HBGary. ...
 
The latest Android smartphone loaded Web pages 52% faster than iPhone 4 running iOS 4.3, according to thousands of independent field tests released today by Blaze Software.
 
Originally scheduled to ship last November, Firefox 4 will wrap up a development cycle that started in February 2010 with several developer previews, but began in earnest last July when Mozilla released the first of what would eventually be a dozen betas.
 
Taiwan's economic ministry expects semiconductor and display panel industries on the island to take a hit from the earthquake in Japan last week as supplies are suspended due to factory damage or transportation snarls, translating in some cases to higher manufacturing costs.
 
Visa announced on Wednesday it is planning a new service that will let U.S. customers send money directly to one another, presenting new competition to PayPal.
 
The International Telecommunication Union is sending satellite phones to Japan to help rescue work and to reconnect communities cut off by last Friday's earthquake.
 
Linux Kernel 'fs/partitions/osf.c' Information Disclosure Vulnerability
 
Git gitweb 'diff.external' Local Privilege Escalation Vulnerability
 
Git Snapshot Generation and Pickaxe Search Arbitrary Command Injection Vulnerability
 
Git Parameter Processing Remote Denial Of Service Vulnerability
 
 
With Japan devastated by last week's 9.0-magnitude earthquake and tsunami, the business aftershocks may rock various parts of the tech industry for months to come.
 
Which smartphone OS will suit you best? We compare three top mobile environments, and let you know what they're each best at.
 
 

Posted by InfoSec News on Mar 17

http://blogs.forbes.com/parmyolson/2011/03/16/is-this-the-girl-that-hacked-hbgary/

By Parmy Olson
Disruptors
Forbes.com
March 16, 2011

Next time you see a flock of teenage girls in the mall, note that one of
them might be Kayla. As your average 16-year-old, she regularly hangs
out with friends, works part time at a salon and hopes one day to be a
teacher.

Behind the scenes though, she’s a big time supporter of Anonymous, the
loosely knit...
 

Posted by InfoSec News on Mar 17

Forwarded from: Vic Vandal <vvandal (at) well.com>

We're baaaaaaack!!! CarolinaCon-7 will be held on April 29th thru May
1st 2011 in Raleigh NC. For the cheap price of your average movie
admission with popcorn and a drink YOU could get a full weekend of the
following instead.

ESTEEMED PRESENTERS / FASCINATING TALKS:

- sec0ps - The Failure that is Penetration Testing
- Gerry Brunelle - Dissecting the Hack: Malware Analysis 101
- G....
 
CUPS 'cupsDoAuthentication()' Infinite Loop Denial of Service Vulnerability
 

Posted by InfoSec News on Mar 17

http://www.darkreading.com/authentication/167901072/security/attacks-breaches/229301147/hospitality-industry-on-mission-to-curb-cyberattacks.html

By Kelly Jackson Higgins
Darkreading
March 16, 2011

Three major hospitality trade associations have banded together to warn
hotels nationwide about the rise in cyberattacks on their industry and
to spell out the specific security measures the establishments should
take ASAP to protect credit and...
 

Posted by InfoSec News on Mar 17

http://www.bankinfosecurity.com/articles.php?art_id=3432

By Tracy Kitten
Managing Editor
Bank Info Security
March 16, 2011

The crisis in Japan shows the world is an increasingly smaller place.

On Tuesday, stocks in the U.S. and Europe took hits, as the impact of
Japan's disaster response continues to spread throughout the global
financial market. U.S. stock prices fell 2 percent. In Europe, shares in
nuclear-related utilities, luxury...
 

Posted by InfoSec News on Mar 17

http://www.networkworld.com/news/2011/031611-rim-blackberry-javascript.html

By Brad Reed
Network World
March 16, 2011

Research in Motion is recommending that IT departments and users disable
JavaScript on their BlackBerry devices, citing a vulnerability unearthed
at this year's Pwn2Own hacker challenge.

According to RIM, the vulnerability could allow a hacker to access a
device's user data through the BlackBerry Browser if the user visits a...
 
ember 'LD_LIBRARY_PATH' Local Privilege Escalation Vulnerability
 

