InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Information about sales, profits and margins for specific Apple products should be made public, the judge hearing the company's lawsuit against Samsung Electronics ruled on Wednesday, though a higher court's decision could keep the data from ever being revealed.
Oracle Java SE CVE-2012-5070 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-5074 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-5088 Remote Java Runtime Environment Vulnerability
Google is offering a look inside its data centers with a series of stunning photographs that would be more at home in an art gallery than a technology manual.
Reader Steven Lange loves his new MacBook Air except for one little thing. He writes:
Zero-day exploits are typically used in targeted attacks, but public disclosure of unpatched flaws significantly increases the use of the exploits.

NIST recently updated its incident response guidelines. Find out how to comply with these changes and incorporate them into an incident response plan.

MitM-vulnerability in Palo Alto Networks GlobalProtect
[waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin
[IMF 2013] 3rd Call for Papers: Deadline Extended
[SECURITY] [DSA 2559-1] libexif security update
[waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin
SEC Consult SA-20121017-2 :: Multiple vulnerabilities in Oracle WebCenter Sites (former FatWire Content Server)
The U.S. Federal Communications Commission has voted to approve an agreement that will bring an end to a 15-year fight over interference concerns over mobile broadband service in the 2.3GHz band of spectrum.
If there's a brush fire or earthquake in California's Ventura County, city officials could be getting critical information from Twitter and residents could be receiving warnings on their smartphones.
Microsoft today said it will ship a preview of Internet Explorer 10 (IE10) for Windows 7 next month, but would not commit to a timetable for a final release.
The Isis mobile wallet network will launch Monday in Salt Lake City and Austin, Texas, the Isis consortium announced Wednesday, after an earlier delay in the launch.
General Electric (GE), founded 125 years ago, is one of the USA's iconic corporations. The firm has 300,000 employees working in areas that include aviation, healthcare, transportation, finance and energy. The firm employs about 5,000 IT staff outside the USA.
Microsoft's pricing of its Surface RT tablet was called 'aggressive' by some analysts, 'mystifying' by others, even as they remained skeptical that it's low enough to make inroads on the dominant player, Apple's iPad. What do you think -- is Microsoft's Surface tablet pricing competitive with the iPad?
Like technologies deployed in a corporate environment, those used in healthcare are meant to improve services and productivity. On its new clinical management system (CMS 3), the Hospital Authority aims to create new modules to meet patient needs and reduce risk in patient care.
A word that I'm hearing a lot these days from clients is Risk. And yes, it has a capital R. Every time.

Folks tend to think of any risk as unacceptable to the business. Every change control form nowadays has Risk Assessment and Risk Remediation sections, and any issue that crops up that wasn't anticipated now becomes a process failure that needs to be addressed.

Don't get me wrong, I'm all for some rigor in Risk Assessment, but every risk can't be an 11 on a scale of 1 to 10. Enter ISO/IEC 27005:2011 - Information technology - Security techniques - Information security risk management.

ISO 27005 allows system administrators (change requestors) and managers (change approvers) to use a common approach and the same language, and to come to an agreement on risk. Most importantly, it helps these parties come to an agreement quickly. If you've ever had a change approver who has trouble saying either yes or no, you'll understand why this is so important.

This standard starts by defining a framework and a flowchart to manage risk (below). Like all good methodologies, there are decision points and iteration, so you'll need to ensure that you identify decision makers who will actually decide, or you'll never escape!

Once inside the flowchart, I found that I was impressed with the emphasis on business and organizational language; this standard is written to get buy-in from management (this is a good thing).

They've also got the obligatory section on qualitative and quantitative risk, but more importantly, in the appendices there is some clear direction on how to use both approaches. More importantly (in my books anyway), they have examples of taking a qualitative assessment and quantifying it, allowing you to apply numeric values to fuzzy situations. This makes the job of the System Administrator easier when proposing a change: you can use this approach to assign actual values to things,

The Risk Treatment section ensures that a final decision is made. Too often we see managers decide not to decide; following this standard ensures that everyone understands that this is not an option. There are a few choices to make, and yes, assuming the risk is a valid choice. When all the ducks are lined up and it's decision time, then a decision there will be!

I can't cover every aspect of a 68 page standard in 1 page, but suffice to say that this one is well worth the purchase price. Yes, it's an ISO standard, so you'll have to buy it to use it.

If you've got a risk management war story, or a comment on this post, please use our comment form, we'd love to hear from you!

In SANS SEC579, we use the ISO 27005 methodology and apply it to the ENISA Cloud Risk document (see references below) to contrast the risks of Public and Private Cloud deployments to your organization.


(2011). ISO/IEC 27005 - Information technology - Security techniques - Information security risk management (ISO/IEC 27005:2011). Geneva, Switzerland: International Standards Organization

(2009). Cloud Computing: Benefits, risks and recommendations for information security. Crete, Greece: ENISA - European Network and Information Security Agency.


Rob VandenBrink

Metafore
Tech issues, including high-skilled jobs creation, outsourcing, manufacturing and research investment, emerged in Tuesday's presidential debate, offering contrasts between President Barack Obama and his Republican challenger, Mitt Romney.
APPLE-SA-2012-10-16-1 Java for OS X 2012-006 and Java for Mac OS X 10.6 Update 11
Less widespread, but extremely precise and created for a small number of important targets: that's Kaspersky's analysis of Flame's little brother. The trojan likes to use commands such as "Elvis", "Barbara" and "Tiffany"

RETIRED: Oracle Java SE Critical Patch Update October 2012 Advance Notification
Microsoft has exhausted its initial supply of the lowest-priced Surface RT tablet, which now is backordered by three weeks.
I have met with many, many security leaders in the 10 years since we launched CSO. They continue to do great and amazing things to manage their organizations' risks, advance the profession and develop the next generation of security leaders.
Samsung Mobile said it would start rolling out Android 4.1, code-named Jelly Bean, to Galaxy S III smartphones in the U.S.
Citrix Systems is giving back to IT departments some control over personal cloud-based storage with ShareFile StorageZones, which allows user content to be stored in enterprises' own data centers, the company announced at the Synergy conference in Barcelona.
Among other things, Valve's Steam platform is used to distribute games and functions as a central hub of the company's DRM concept. It registers a steam:// URL protocol that can apparently allow attackers to infect PCs with malware.

Oracle Java SE CVE-2012-5083 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-5077 Remote Java Runtime Environment Vulnerability
Citrix Systems has started to detail the future of Windows desktops and applications in its virtual environments with tech previews of Excalibur and Merlin, the first versions of its Project Avalon.
RETIRED: Oracle October 2012 Critical Patch Update Multiple Vulnerabilities
OpenStack Keystone CVE-2012-3542 Unauthorized Access Vulnerability
Oracle Java SE CVE-2012-5089 Remote Java Runtime Environment Vulnerability
MiniFlame is highly specific espionage malware, but experts indicate that financially motivated cybercriminals could make the threat more widespread.


There is nothing wrong with a debate about our community
CSO (blog)
Yesterday I put out a post about what I saw as a worthy discussion over cliques and cool kids in infosec. A spirited Twitter discussion followed and -- as often happens on Twitter -- it devolved into a bunch of spitting in the echo chamber. Someone ...

Imagine processing massive amounts of video data from surveillance cameras and rapidly churning out usable and reliable information on pick-pockets, drunken hooligans, criminals or even terrorists.
Facebook is rethinking its process for storing data to cope with the 7 petabytes of new photos uploaded to the social network every month.
Distributed denial-of-service (DDoS) attacks with an average bandwidth of over 20Gbps have become commonplace this year, according to researchers from DDoS mitigation vendor Prolexic.
ARM's efforts to jump from smartphones and tablets to servers received a vote of confidence from chip company Calxeda, which announced it has ramped up efforts to push 64-bit ARM processors into servers by 2014.
The console provides developers with stats about how well their apps are doing in the Play online store.
RETIRED: P1 Modem Default Password Security Bypass Vulnerability
Russian security firm Kaspersky Lab is developing a secure operating system for industrial control systems, its chairman and CEO Eugene Kaspersky said.
Nissan will soon sell cars that drive like a video game, with sensors and software that assist or even take over for drivers in emergencies.
Take a look at the technology of mobile touch screen displays -- resistive vs. capacitive, single-touch vs. multitouch and how companies are working to reduce weight while improving quality.
HTC said it will launch a new smartphone with a full-HD 5-inch screen in the Japanese market from December.
Google's CEO Larry Page spoke for the first time in public in months, addressing the company's annual Zeitgeist conference in Paradise Valley, Arizona on Tuesday, a spokesman confirmed.
Several topics raised in Tuesday night's presidential debate caused such a stir on Twitter that the site was briefly overwhelmed.
With Intel reporting a year-over-year drop in revenue and profit for its third quarter, industry analysts say the company isn't in trouble but it needs to ward it off -- and now.
Oracle's Critical Patch Update fixes nearly 140 vulnerabilities in many of its products. Despite closing 30 holes, however, Java remains vulnerable.

Security Shortage? Look Internal.
SYS-CON Media (press release) (blog)
Stop looking for the best InfoSec people you can find. Start training good internal employees in InfoSec. You all know this is the correct approach. No matter how good you are at Information Security, familiarity with the network or systems, or ...


Posted by InfoSec News on Oct 17


By Jeremy Kirk
IDG News Service
17 October, 2012

Pacemakers from several manufacturers can be commanded to deliver a
deadly, 830-volt shock from someone on a laptop up to 50 feet away, the
result of poor software programming by medical device companies.

The new research comes from Barnaby Jack of security vendor IOActive,
known for his analysis of other...

Posted by InfoSec News on Oct 17


By Ericka Chickowski
Contributing Writer
Dark Reading
Oct 17, 2012

Systems administrators on all IT fronts will have their hands busy
patching Oracle vulnerabilities across the software giant's portfolio
with the release this week of the company's quarterly Critical Patch
Update. Security...

Posted by InfoSec News on Oct 17


By Mathew J. Schwartz
October 15, 2012

Who's behind the continuing series of attacks against the websites of
numerous U.S. banks? A flurry of news reports Friday pointed the finger
squarely at Iran.

"They have been going after everyone--financial services, Wall Street,"
a senior defense official, speaking...

Posted by InfoSec News on Oct 17


By Justin Kmitch
Daily Herald

Hackers who recently compromised the security of Naperville’s website,
email and other online services not only put the city into an
informational black hole but also a financial black hole.

City council members on Tuesday approved spending as much as $673,000 to
acquire network security hardware and software, computer servers, and...

Posted by InfoSec News on Oct 17


By Simon Sharwood, APAC Editor
The Register
16th October 2012

Analyst group Gartner has detailed how it prepares its
sometimes-controversial magic quadrants, revealing that a two-hour demo
is sometimes part of the research process.

Gartner already offers a detailed explanation of how it compiles its
Magic Quadrants here.

But in an exchange with...
Japan's Sharp said it will soon launch a 7-inch tablet with its new IGZO displays, a week ahead of an Apple press event that is widely expected to reveal a mini tablet also linked to the new power-saving technology.
From Google Maps, the U.S. National Security Agency's parking lot has a larger footprint than the building itself. And for the high secrecy surrounding what goes on inside, there is plenty of information flowing just outside.