InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Viking Technology announced a new memory module that combines DRAM, NAND flash and a super capacitor to automatically backup data in the event of a power failure.
Ross Levinsohn, Yahoo's executive vice president for the Americas, on Monday downplayed the notion that the recent firing of CEO Carol Bartz has the company in an upheaval.
RETIRED: Apple Safari Prior to 5.1.1 Multiple Security Vulnerabilities
For Google+ to unseat Facebook as social networking leader, Google would have to deliver a steady stream of innovations and Facebook would need to let its site deteriorate, Internet icon and Facebook shareholder Sean Parker said on Monday.
Google Monday unveiled an expanded Google Wallet that adds coupon redemption and other features to its mobile payments capabilities.
An update of Microsoft's Windows Intune offers a batch of new features meant to simplify how administrators track and manage company-owned PCs and software.
The biggest threat cloud computing providers present to IT organizations is that they raise the bar for IT management. If a cloud provider can get a server up in eight seconds when it takes the IT organization two weeks, IT will be seen as hopelessly ineffective--and ripe for a complete teardown.
High performance computer system vendor SGI plans to offer pre-built clusters running the Apache Hadoop data analysis platform, the company announced Monday.
Polycom has acquired ViVu, a provider of software for embedding videoconferencing in websites, for an undisclosed sum.
The economics of much of the Internet is built on two valuable commodities: your time, and your content.
Microsoft Internet Explorer 'SwapNode()' CVE-2011-2000 Memory Corruption Vulnerability
Apple Safari CVE-2011-3230 'file://' Remote Code Execution Vulnerability
Google and Sun Microsystems' discussions to co-develop Android ultimately broke down because of disagreements over control of the platform, Google wrote in a trial brief late last week related to its dispute with Oracle.
Reaction was somewhat positive to Research in Motion's compensation offer to its customers after last week's global BlackBerry outage, which lasted as long as three days for some users.
Health-care business services provider MedSynergies has sued Lawson Software and hosting company Velocity Technology Solutions over a rash of alleged problems with an ERP (enterprise-resource-planning) application project, but Lawson and Velocity say MedSynergies is just trying to get out of a contract it inherited through an acquisition.
Consumer advocates as well as many business groups have attempted to get federal laws adopted in the United States that would mandate disclosure of security breaches in which some types of private information about identifiable people are exposed. In spite of the obvious logic of having a national standard, these efforts so far have failed.
The shutdown of production at a Chinese manufacturer may affect inventories of Apple's popular MacBook Pro and MacBook Air notebooks, an analyst said.
Dell announced it has ended a decadelong reseller relationship with EMC this month through which it sold more than a billion dollars worth of midrange and entry-level storage products.
A Microsoft analysis found malware targeting zero-day flaws making up only 0.12% of all exploit activity in the first half of 2011, but firms that lack zero-day defenses could be the next target.

WordPress Light Post Plugin 'abspath' Parameter Remote File Include Vulnerability
[ MDVSA-2011:155 ] systemtap
ZDI-11-290 : Microsoft Internet Explorer SetExpandedClipRect Remote Code Execution Vulnerability
Plug it in and turn it on? Next-generation firewalls just aren't that simple. Here's advice from the experts on choosing the right device and getting the most from it.
If IT is to successfully move into the future it's going to need to blow up its current way of thinking and the way it supports mature technologies.
Research firm Gartner Inc. sees another recession coming that will lead to tightened IT budgets at the same time that technology is being forced to respond to social and collaborative computing trends.
India's largest outsourcer, Tata Consultancy Services, reported on Monday strong revenue and profit growth in the quarter ended Sept. 30, despite difficult economic conditions in some of its key markets in the U.S. and Europe.
GNU gzip LZW Compression Remote Integer Overflow Vulnerability
Microsoft Internet Explorer Virtual Function Table CVE-2011-2001 Memory Corruption Vulnerability
[ MDVSA-2011:154 ] systemtap
AST-2011-012: Remote crash vulnerability in SIP channel driver
[ MDVSA-2011:153 ] libxfont
ZDI-11-289 : Microsoft Internet Explorer swapNode Handling Remote Code Execution Vulnerability
EMC and the Virtual Computing Environment alliance Monday announced upgrades that more tightly integrate its management interface with VMware's vCloud director and vCenter Server tools.
Seeking more medium-sized enterprises as customers, Microsoft has expanded the number of capabilities of its Intune PC subscription management service to address issues of remote management.
Major U.S. mobile carriers will begin offering free usage alerts to customers in an effort to help them avoid surprise charges on their bills.
[Announcement] ClubHack Magazine - Call for Articles
WordPress Plugin BackWPUp 2.1.4 - Security Advisory - SOS-11-012

The U.S. Securities and Exchange Commission released guidelines to help companies determine when and what information on security breaches should be disclosed to potential investors.

By Hillary O’Rourke, Contributor

The U.S. Securities and Exchange Commission released guidelines last week that aid public companies in deciding when and what should be disclosed to investors regarding even the potential of security breaches.

The initiative by SEC’s Division of Corporation Finance intends for companies to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the guidelines.

In the statement, the SEC explains that it would like to see a discussion of possible security risks and what the consequences of those risks entail, how the company plans to counteract possible attacks, descriptions of previous attacks, what would happen if an attack went undetected for a period of time and insurance details.

To determine whether they must disclose information, a company should “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”

“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur,” said the guidelines. Instead, the company should discuss the possibility of the attack occurring again and the previous as well as potential consequences that the company could experience.

According to the release, it is not intended to be a rule or a regulation and it’s “neither approved nor disapproved” by the Commission. It’s simply a “roadmap” for those who seek guidance in security efforts in a time of an augmented number of cyber incidents.

According to the SEC, risk factor disclosures should include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

Apple today said that it had sold more than 4 million iPhone 4S smartphones since the device reached retail last Friday.
Scripting languages are the hot technology today for application and Web development -- no longer the backwater afterthought of the early days running in a pokey interpreter. Nor are scripting languages any longer merely the tool used for quick-and-dirty patching (someone once called Perl the duct tape of the Internet, and it stuck so well that Perl lovers wear the label proudly). No, today, scripting languages are popular for "real" programming work. In fact, entire systems and large-scale enterprise-grade projects are built from them.
Major U.S. mobile carriers will begin offering free usage alerts to customers in an effort to help them avoid surprise charges on their bills.
[ MDVSA-2011:151 ] libpng
DAEMON Tools IOCTL local denial-of-service vulnerability
foofus.net Security Advisory - Toshiba eStudio Multifunction Printer Authentication Bypass
Re: [Full-disclosure] Breaking the links: Exploiting the linker
Google is reported to be in the process of building an online music store to rival Apple's and Amazon's popular services.
Enterasys Networks this week unveiled a switching fabric designed to unify the data center, campus and wired and wireless enterprise edge.
[ GLSA 201110-12 ] Unbound: Denial of Service
[slackware-security] httpd (SSA:2011-284-01)
[ MDVSA-2011:149 ] cyrus-imapd

Both Account Monitoring and Account Control are things that slide by in many organizations, and come up over and over (and over) again in security assessments.

Things that often get missed or overlooked:

Too many Administrative Accounts. All too often, we see that everyone in the IT group has Administrator-equivalent rights in Active Directory. If you are an application developer, you don't need Admin (ever). If you mainly reset passwords, you also do not need Admin rights.

Using the Administrator or Root Account directly. To add to the first point, everyone who needs admin rights should have a named account that has those rights. So, for instance, Jane Doe might have an account jdoe for day-to-day application use, but an admin account of admin.jdoe. If people use the built-in administrator accounts directly, then there is no way of ever finding out who did what in the event that you need that information (and believe me, someday you will need that information). If you can do this with a single admin account for multiple platforms (for instance, an Active Directory account), it also means that when an admin leaves the company, you can revoke their access by deactivating their account from a single location.

Using an Admin level account for day-to-day tasks. Let's paint a scenario - if you check your email with an admin level account, and some malware gets past your spam filter (like that doesn't happen every day), the malware now has admin rights in your domain. If it's a keylogger, and you now SSH to a router or fire up vCenter to administer your VMware infrastructure, the attacker now has credentials and access to a whole lot more of your datacenter. Really, use sudo or su in Linux, or use "run as administrator" in Windows to flip back and forth. Or if you really need admin, keep a VM running that has those rights so you can flip back and forth easily!

Work with HR for account creation and deletion. In all too many cases we see dozens of accounts (sometimes hundreds) that haven't been used in months, only to find that people have left the organization and the IT group wasn't told. Even if their account data needs to be kept around, create a data transition procedure to move data to the person who needs it next after someone leaves.

Shared accounts are EVIL (really). Too many times we see clerical accounts that are shared between dozens of people in a group. These folks generally have direct access to customer information and to data input that affects prices. I've seen one example where a temp wasn't sure what a field was, so they put 1 in to close out orders. Unfortunately, it was the dollars per square foot value for the material selected - it took accounting weeks to untangle that mess! Without named accounts, it would have been impossible to figure out who was making this error! Shared email accounts can create similar problems with accountability.

Password Complexity is a must-have these days. While we can have a flame-fest about whether complex passwords or passphrases are better (I'd lean towards passphrases, but they're not workable in every environment), you simply can't have people use "password" or their kids' names for access anymore - it's simply too easy to crack.

Account Lockout is a must-have. If someone is trying to brute-force your CEO's webmail account, yes, you do want the account locked until you can speak with them. Better they lose access for an evening than have their account compromised and confidential information disclosed (next year's products, mergers or acquisitions, salaries, etc.).

If you don't have a Password Policy (or have it covered in your Acceptable Use Policy), it's probably time that you put one together that covers all of these issues, as well as enforcement of periodic changes. Make sure that whatever is in the policy, you can enforce it in the OS (it's not a bad thing to mirror the default Windows Password Complexity setup; that way enforcement and audit are built into the OS).

While you are at it, try to put one-way encryption into your password policy. We recently had a lively discussion about user passwords for an application being stored in a database, in case someone needed them. You should never need a user's password. If you do, you need to revisit how your application is being written. If you keep users' passwords, they immediately have deniability for anything that happens. This could mean that system administrators could then be suspected or found liable in the case of illegal activity. So, really, get with the 90's and use the OS passwords wherever possible, or, second choice, use salted hashes to govern your app accounts.

You can enforce and monitor all of this with the native logging and controls of most popular operating systems (Windows, Linux, Unix). If you have a legacy system that does not do this, it's probably a system that should be revisited.
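The monitoring side of the account lockout point above, as an added example that is not from the diary: a small detector run over sshd's standard "Failed password" / "Accepted password" syslog lines that flags an account once it sees a threshold of failures inside a sliding time window, which is the same counting an OS lockout policy does natively. The threshold, window, assumed year (syslog lines carry none), host names and addresses are constructed for the example.

```python
"""Threshold-in-window failed-login detection over sshd auth log lines.

Added example, not the diary's code. Log lines, hosts and addresses are
constructed samples; THRESHOLD, WINDOW_SECONDS and ASSUMED_YEAR are
assumptions to be tuned to the site's lockout policy.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5          # failures ...
WINDOW_SECONDS = 300   # ... within this many seconds trigger a flag
ASSUMED_YEAR = 2011    # syslog timestamps have no year; needed for parsing

# Matches the standard OpenSSH messages; 'invalid user' covers nonexistent names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

SAMPLE_LOG = """\
Oct 17 08:00:01 mail01 sshd[2101]: Failed password for jdoe from 192.0.2.10 port 50011 ssh2
Oct 17 08:00:07 mail01 sshd[2102]: Failed password for jdoe from 192.0.2.10 port 50012 ssh2
Oct 17 08:00:15 mail01 sshd[2103]: Accepted password for jdoe from 192.0.2.10 port 50013 ssh2
Oct 17 08:01:00 mail01 sshd[2110]: Failed password for ceo from 203.0.113.5 port 41000 ssh2
Oct 17 08:01:03 mail01 sshd[2111]: Failed password for ceo from 203.0.113.5 port 41001 ssh2
Oct 17 08:01:06 mail01 sshd[2112]: Failed password for ceo from 203.0.113.6 port 41002 ssh2
Oct 17 08:01:09 mail01 sshd[2113]: Failed password for ceo from 203.0.113.6 port 41003 ssh2
Oct 17 08:01:12 mail01 sshd[2114]: Failed password for ceo from 203.0.113.5 port 41004 ssh2
Oct 17 08:01:15 mail01 sshd[2115]: Failed password for ceo from 203.0.113.5 port 41005 ssh2
Oct 17 08:10:00 mail01 sshd[2120]: Failed password for invalid user admin from 198.51.100.7 port 33000 ssh2
Oct 17 08:20:00 mail01 sshd[2121]: Failed password for invalid user admin from 198.51.100.7 port 33001 ssh2
Oct 17 08:30:00 mail01 sshd[2122]: Failed password for invalid user admin from 198.51.100.7 port 33002 ssh2
Oct 17 08:40:00 mail01 sshd[2123]: Failed password for invalid user admin from 198.51.100.7 port 33003 ssh2
Oct 17 08:50:00 mail01 sshd[2124]: Failed password for invalid user admin from 198.51.100.7 port 33004 ssh2
"""


def parse_line(line):
    """Return (timestamp, 'Failed'|'Accepted', user, source) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def find_lockouts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Map user -> (time the threshold was crossed, sorted source addresses).

    Per user, keep a deque of failure times no older than `window` seconds;
    a successful login clears it, the way a lockout counter resets.
    """
    recent = defaultdict(deque)
    sources = defaultdict(set)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # unrelated syslog line
        ts, result, user, src = parsed
        if result == "Accepted":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        sources[user].add(src)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()            # drop failures that fell out of the window
        if len(q) >= threshold and user not in flagged:
            flagged[user] = (ts, sorted(sources[user]))
    return flagged


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return find_lockouts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, (when, srcs) in analyze_sample().items():
        print(f"{when:%Y-%m-%d %H:%M:%S} lock {user}: {THRESHOLD} failures from {', '.join(srcs)}")
```

In the sample, "ceo" is flagged at the fifth failure (08:01:12) with both source addresses recorded for the follow-up conversation; "jdoe" is not, because the successful login reset the counter; and the slow probing of "admin" never accumulates five failures inside one five-minute window, which is why a window-based count should be paired with a longer-horizon alert on repeated "invalid user" noise from a single source.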

As always, any tools you might use, solutions you may have found or war stories you'd like to share are welcomed - please use our comment form!

PS - a handy su for Windows is shown below (if you have a neater su or sudo solution, please share via our comment form):
Update: Reader Stefan noted (correctly) that as a best practice, the path should be fully specified for both RUNAS and for CMD.EXE in our SU.CMD batch file. Also, it's important to fully spell out the file name and extension (you could, for instance, otherwise end up executing a file named cmd with no extension on it). These updates are reflected in the script below.
While this is indeed a best practice, if you suspect that your machine is compromised, files like RUNAS.EXE and especially CMD.EXE are popular targets for replacement. If you suspect that your machine is compromised, it's best to execute files from trusted read-only media, or, better yet, boot from optical media and run your investigation from there.
If you need to do true forensics (as in admissible in court), a whole other methodology is required (image the machine, only work with copies of the data, maintain chain of custody, the works). SANS SEC408 and SEC508 are both good courses to consider if you want to get your feet wet with forensics.

========== su.cmd ==============

@echo off
rem SU.CMD - start a shell as another user. Fully qualified paths and
rem file names so a stray cmd or runas in the current directory is not run.

rem No argument, or "?", prints the usage text
if "%1"=="" goto HELP
if "%1"=="?" goto HELP

%SystemRoot%\System32\runas.exe /env /user:%1 %SystemRoot%\System32\Cmd.Exe
goto END

:HELP
echo ===========================================================
echo SU.CMD - start a shell as another user (usually admin)
echo Usage: su USERID
echo Where USERID is the target user
echo It is recommended that you do NOT SU to or login as native
echo Administrator accounts
echo ===========================================================

:END




Rob VandenBrink

[email protected]

With cheap storage readily available, the temptation to build vast libraries of music, movies, photos, and documents is ever present. But when each PC in your home is packed to its aluminum gills with gigabytes upon gigabytes of digital goods, managing all of that data can be a hassle.
The developer of the widely used Firefox extension NoScript has released a version for the Android and Maemo operating systems.
Following last week's major service disruptions, Research in Motion is offering free applications and support as compensation, the company said Monday.
NEC said it has developed a new lithium-ion battery technology that doubles the life span of conventional models.
Apple has as yet to launch its new iPhone 4S in China, but the device is already selling in Beijing's gray market at whopping prices of up to about $2,000, reflecting the popularity of the iconic device in the country.

The Tech Herald: Security teams left in the dark by current technologies and practices
RedSeal, a network security assessment vendor based in San Mateo, California, conducted a series of Q&As during BlackHat and Cisco Live!, which shows that InfoSec teams are in the dark, and feel out gunned by ...

New to Microsoft Excel 2010? Find your favorite commands from earlier versions of Excel with these charts.
Whether you're upgrading from Excel 2007 or an earlier version, we've got the goods on how to find your way around Microsoft Excel 2010 and make the most of its new features.
Samsung launched another volley in its global legal battle with Apple on Monday, filing claims to block the sale of the iPhone 4S in Australia and Japan.
We've got an array of screenshots to help you find your way around Excel 2010 and learn about the best new features.