InfoSec News


Wave to Host InfoSec Europe 2011 Workshop Featuring PricewaterhouseCoopers
Marketwire (press release)
LEE, MA--(Marketwire - April 19, 2011) - Wave Systems Corp. ( NASDAQ : WAVX) (www.wave.com) will attend InfoSecurity Europe 2011 this week, hosting a workshop that features customer PricewaterhouseCoopers (PwC). The two-hour event will give ...

Apple has sued Samsung for allegedly copying the iPad, iPod and iPhone with its Galaxy Tab and Galaxy handsets.
 
Twitter may be trying to pull the rug out from under a potential new direct competitor.
 
An anonymous hacker who claimed to have broken into monitoring systems at a New Mexico wind turbine facility made the whole thing up, security experts said Monday.
 
In a move that is unlikely to win it any new friends in the privacy community, Yahoo has announced that it will retain consumer search data for a substantially longer period of time than it does today.
 
Toshiba's web site promotes its Satellite L635 line of laptops as being "for kids," but what the company really seems to mean is that it's for parents who don't want their kids to engage in serious PC gaming. While moderately priced ($780 as of April 15, 2011) for a portable with a 13.3-inch widescreen LED-backlit display, built-in DVD recorder and integrated webcam, the Satellite L635-S3104 we tested turned in mediocre PC WorldBench and gaming scores, with only so-so video and pretty poor audio quality.
 
When it was founded in 1997, a Taiwanese firm with the drab, generic name High-Tech Computer did what almost everyone on the island does: It made its money doing contract manufacturing work for bigger-name brands.
 
TweetBackup does exactly what its name implies: backs up your Twitter posts (a.k.a. tweets). It's a free and easy service, and it has the potential to prove very handy.
 
Laptops with Intel's new Core i3, i5 and i7 processors have started shipping to consumers, and include features that bring longer battery life and new levels of graphics and application performance to PCs.
 
WordPress reported in the middle of last week that they suffered a compromise in which an attacker gained root access to some of their servers. They haven't released many specifics of what happened, but they indicate that usernames and passwords could have been compromised for those with accounts on the WordPress site itself (as distinct from people who simply run WordPress to power blogs on their own systems). This, once again, brings to the fore the need to use strong passwords for online sites and unique passwords for each site.
The bigger issue, however, is that with the multiplicity of online sites and social media, the number of accounts that individuals need to maintain is vast. I counted my own list of accounts and, just for the non-professional ones, I have 23 or so logins. Strong passwords help (particularly if they are over 12 characters), but then there is the problem of remembering them all. Combine that with the fact that most online sites use the e-mail address as the username, and there is a big problem.
What mitigates this is the deployment of decentralized authentication, and OpenID is a good example. At that point, a user can keep a strong password in one trusted place (and, even better, use two-factor authentication there). As far as I can tell, Wordpress.com doesn't allow OpenID to register a blog, but it can be set up if you maintain your own WordPress installation. The takeaway is: if you run an interactive online website, investigate using OpenID to register and authorize users. If you get breached, you no longer have a password that can be stolen to assume someone's online identity.
For users, where you can, use OpenID (or similar) schemes that let you maintain your online identity in one place. Facebook and Twitter have similar features, if you don't mind giving those companies the ability to data-mine which sites you interact with. Many sites still need you to create an account with a password before you can switch to OpenID. In that case, create the account, set up OpenID, then change the password to something strong and long and store it somewhere safe (on the off chance you need the actual password some day). A malicious individual could still proxy off an existing session and do bad things if they had already compromised your PC, but you would not have to worry about the mass compromises that have hit WordPress, Gawker and others recently.
--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Social networking websites are fast becoming a staple of corporate recruiting. Depending on which studies you read, anywhere from 39 to 65 percent of companies use social networking websites to identify and screen potential candidates for open positions.
 
You must view cloud computing as part of a complete IT strategy, argues Peder Ulander, CMO of Cloud.com. He shares five guidelines to use as you identify the right areas for cloud adoption your business.
 
U.S. Supreme Court justices questioned Monday whether they should side with Microsoft and weaken the legal standard needed to invalidate a patent, with some justices suggesting there are alternatives to changing established law.
 
Wireshark Versions Prior to 1.4.5/1.2.16 Multiple Remote Vulnerabilities
 
Microsoft VBScript And JScript Scripting Engines Remote Code Execution Vulnerability
 
ESA-2011-014: RSA, The Security Division of EMC, announces the release of Adaptive Authentication (On-Premise) Flash File Security Patch
 
Re: Does anyone know how to contact OpenSSH non-public?
 
EMC today announced a major upgrade to its Avamar deduplication backup software, which includes an integration with its Data Domain deduplication appliance, allowing admins to manage both products from a single UI.
 
Attorneys for Microsoft and a small Canadian company argued before the U.S. Supreme Court today, each hoping to gain an advantage in a long-running patent infringement lawsuit.
 
One of my biggest beefs with Safari on iOS is that when I tap the Safari icon on my Home screen, instead of being able to use Safari immediately, I often must wait for the browser to reload the last page I was viewing--usually hours, or even days, earlier. (This is less of an issue on the iPhone 4 and the iPad 2, as the additional memory in these models means Safari doesn't flush its page cache as often, but it still happens frequently.) Similarly, if I previously closed all Safari windows, the next time I open Safari, it pops up my bookmarks list instead of letting me immediately enter a URL.
 
ESA-2011-013: EMC NetWorker arbitrary code execution with elevated privileges vulnerability
 
LibTIFF Multiple Buffer Overflow Vulnerabilities
 
Linux Kernel 'sound/oss/midi_synth.c' Memory Corruption Vulnerability
 
Linux Kernel ROSE Protocol Multiple Memory Corruption Vulnerabilities
 
Linux Kernel 'sound/oss/opl3.c' Local Privilege Escalation Vulnerability
 
[USN-1113-1] Postfix vulnerabilities
 
An Iranian military commander accused the German electronics giant Siemens with helping U.S. and Israeli teams craft the Stuxnet worm that attacked his country's nuclear facilities.
 
This month's Premier 100 IT Leader also has advice on knowing what interviewers are looking for, and more.
 
In data center upgrade planning, backup power is often among the last considerations and the first budget item redlined. Many companies purchase an uninterruptible power system (UPS) only as they add equipment -- what we call a segmented approach. Before long, data center managers can find themselves with an inefficient power system that is difficult to maintain and daunting to improve, yet doing so can offer big returns.
 
Microsoft is expanding the beta testing program of its Office 365 cloud collaboration and communication suite, almost doubling the number of countries and languages it's available in, the company said on Monday.
 
ikiwiki 'htmlscrubber' Plugin Cross Site Scripting Vulnerability
 

eWEEK Europe UK

Security Conference Season Set To Break All Records
eWEEK Europe UK
While Infosec is expecting 12.500 delegates over three days, the one-day B-Sides has aimed at around 200 and was sold out in January. Infosec has keynote speakers from industry names like Symantec, Kaspersky, Websense and BT. ...

 
Thumpergdi asked the Windows forum for advice on desktop hardware updates.
 
Open-source security company Sourcefire has announced an entry-level Intrusion Prevention System.
 
SAP executive John Wookey, who was charged with developing a SaaS strategy for large enterprises, is leaving the vendor after about two-and-a-half years, the company said Monday.
 
A question-and-answer session on what topics will be hot at this year's SIPNOC conference.
 
Announcement: ClubHACK Magazine Issue 15-April 2011 released
 
python-feedparser Denial of Service and Security Bypass Vulnerabilities
 
python-feedparser 'feedparser/feedparser.py' Cross Site Scripting Vulnerability
 
Re: DC4420 - London DEFCON - April meet - Wednesday 20th April 2011
 
Does anyone know how to contact OpenSSH non-public?
 

Corero sets out Top Layer channel ambitions
MicroScope (blog)
Ahead of this week's Infosec show, buy-and-build security outfit Corero, the new owner of IPS and DDOS solutions vendor Top Layer, has been setting out its ambitions in the channel after signing distie VADition for the UK market. ...

 
WAN optimization has grown from a way to squeeze more out of corporate bandwidth to an enabler of data-center consolidation and now is helping move those data centers into the cloud.
 
The International Justice Mission's payoff for using WAN optimization is measured not in dollars but human lives.
 
Google brushed aside an anti-competition claim in South Korea on Monday, saying mobile OEMs can decide what to install on the Android phones they sell or make.
 
BigACE Multiple Arbitrary File Upload Vulnerabilities
 
Cloud computing might ultimately usher in an era where more IT assets and functions live off premise, but one of the things that jumped out of a recent survey about outsourcing is there is still a lot of customer churn when it comes to relying on IT service suppliers.
 
Now's your chance to try Microsoft's revamped, online versions of Exchange, SharePoint, and Lync for yourself, so don't miss it
 
13 open source development projects making waves in the enterprise
 
Skype has acknowledged a 'privacy vulnerability' in its Skype for Android App that lets criminals gain access to personal information from smartphones.
 
Networking makes a comeback at Interop to meet the demands of virtualization and cloud computing.
 
Interop Las Vegas will focus on virtualization, cloud computing, the impact of social technologies and smartphones on work, and much more.
 

UK businesses fear security risks surrounding cloud computing
RealWire (press release)
... that our customers can maximise the benefits of the cloud while minimising the risks.” To learn more about what Kaspersky Lab will be discussing at InfoSec, please visit http://www.kaspersky.co.uk/infosec2011 and stop by and see us at Stand C41.

 
Now that technology has pervaded almost every facet of the enterprise, the number of ways in which IT interacts with users has expanded significantly.
 
The federal government's Standard Occupational Classification system is outmoded and does a poor job of capturing the state of IT employment, says IT workforce analyst David Foote. He explains why this matters.
 
SITA, the IT group owned by the air transport industry, plans to launch a 'community cloud' for airlines and airports at regional data centers.
 
Hospitals and private physician practices can today begin submitting to the federal government data collected on electronic health records systems in order to receive tens of thousands or even millions of dollars in reimbursement funds.
 
U.S. State Department cables still being released by WikiLeaks show how people in various countries are attempting to fraudulently obtain H-1B visas.
 
Facebook is sharing some of the secrets that help make the custom-built servers and power systems in its Prineville, Ore., data center among the most efficient in the world.
 
As the market for cloud services grows, big enterprise IT vendors are moving swiftly to develop cloud offerings that can attract the attention of large enterprises that have so far been slow to embrace the technology.
 
A Gartner analyst worries that employees may face even more information overload if companies adopt 'activity streams' that combine status updates from a wide variety of corporate systems and social networks into a single feed.
 
Our manager's company has shockingly little oversight on the security of software code written for it by third parties.
 
The Obama Administration's release of the final version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) was greeted on Friday with caution by privacy advocates who see it as a well-intentioned effort that is still years away from fruition.
 
InfoSec News: Whitehats pierce giant hole in Microsoft security shield: http://www.theregister.co.uk/2011/04/18/windows_heap_exploit_shield_pierced/
By Dan Goodin in San Francisco The Register 18th April 2011
In late December, Microsoft researchers responding to publicly posted attack code that exploited a vulnerability in the FTP service of IIS [...]
 
InfoSec News: Cyber attack in Canberra: http://www.smh.com.au/technology/security/cyber-attack-in-canberra-20110415-1di3c.html
By Dylan Welch The Sydney Morning Herald April 16, 2011
SILENCE reigns in Canberra over the latest allegations of cyber espionage, with the government refusing to discuss claims foreign [...]
 
InfoSec News: White House draft bill would put DHS in charge of civilian computer networks: http://thehill.com/blogs/hillicon-valley/technology/156293-white-house-draft-bill-would-put-dhs-in-charge-of-civilian-networks
By Gautham Nagesh The Hill 04/15/11
The White House is circulating a piece of draft legislation that would give the Department of Homeland Security oversight over cybersecurity at civilian agencies, according to a report from FedNewsRadio.
The proposed legislation combines the comprehensive cybersecurity bill introduced last year by the Senate Homeland Security Committee with the administration's memo from July 2010 to expand DHS's responsibilities over non-military networks, according to the report.
Like the Homeland Security bill sponsored by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Thomas Carper (D-Del.), the bill would create a White House cybersecurity office that reports to the Secretary of DHS on day-to-day matters.
But the legislation also goes beyond the Homeland Security bill by giving DHS authority over .gov domains that is similar to the authority enjoyed by U.S. CyberCommand, the military's cybersecurity unit, over the .gov domain.
[...]
 
InfoSec News: SSA exposed SSNs, names, birth dates for 36, 000 people, IG says: http://fcw.com/articles/2011/04/14/ssa-privacy-breach-death-master-file.aspx
By Alice Lipowicz FCW.com April 14, 2011
The Social Security Administration publicly made available the names, dates of birth, Social Security numbers and other sensitive personal [...]
 
InfoSec News: Anonymous hacker claims he broke into wind turbine systems: http://www.computerworld.com/s/article/9215879/Anonymous_hacker_claims_he_broke_into_wind_turbine_systems
By Robert McMillan IDG News Service April 17, 2011
Claiming revenge for an "illegitimate firing," someone has posted screenshots and other data, apparently showing that he was able to break [...]
 
InfoSec News: 'Banks unaware of data outsourcing risks': http://www.koreatimes.co.kr/www/news/biz/2011/04/123_85363.html
By Kim Tong-hyung Korea Times 04-17-2011
Korea, a country fascinated with e-this and e-that, touts itself as the planet’s information technology (IT) capital. But the self-awarded title [...]
 
InfoSec News: EVT/WOTE '11 Submission Deadline is Wednesday, April 20: Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>
We're writing to remind you that the submission deadline for the 2011 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE '11) is quickly approaching. Please submit your work by [...]
 

Cassidian showcases unique cyber security and cryptography technology at ...
Bapco Journal
The defence and security expert will this week unveil a number of innovative technology solutions. Head of Cyber Security at Cassidian Andrew Beckett will be showcasing the technology and talking about the current challenges in the area of cyber ...

 
Microsoft might not be the first name you think of when considering enterprise cloud offerings. But then again, the company does handle 10 billion Hotmail and Windows Live messages a day and has a 15-year history of deploying and managing massive data centers.
 

Posted by InfoSec News on Apr 18

http://www.koreatimes.co.kr/www/news/biz/2011/04/123_85363.html

By Kim Tong-hyung
Korea Times
04-17-2011

Korea, a country fascinated with e-this and e-that, touts itself as the planet's information technology (IT) capital. But the self-awarded title is beginning to look ironic as the ineptitude of banks and other financial companies in cyber security has customers wondering whether their money will be safer in a shoebox.

The alarm over...
 

Posted by InfoSec News on Apr 18

http://www.smh.com.au/technology/security/cyber-attack-in-canberra-20110415-1di3c.html

By Dylan Welch
The Sydney Morning Herald
April 16, 2011

SILENCE reigns in Canberra over the latest allegations of cyber espionage, with the government refusing to discuss claims foreign hacker-spies have stolen sensitive correspondence between ministers and resource companies operating in China.

The claim relates to an acknowledged intrusion into the...
 

Posted by InfoSec News on Apr 18

http://thehill.com/blogs/hillicon-valley/technology/156293-white-house-draft-bill-would-put-dhs-in-charge-of-civilian-networks

By Gautham Nagesh
The Hill
04/15/11

The White House is circulating a piece of draft legislation that would give the Department of Homeland Security oversight over cybersecurity at civilian agencies, according to a report from FedNewsRadio.

The proposed legislation combines the comprehensive cybersecurity bill...
 

Posted by InfoSec News on Apr 18

http://fcw.com/articles/2011/04/14/ssa-privacy-breach-death-master-file.aspx

By Alice Lipowicz
FCW.com
April 14, 2011

The Social Security Administration publicly made available the names, dates of birth, Social Security numbers and other sensitive personal information on more than 36,000 people from May 2007 to April 2010 despite being warned about the privacy risks, according to a report from SSA's Office of the Inspector General....
 

Posted by InfoSec News on Apr 18

http://www.theregister.co.uk/2011/04/18/windows_heap_exploit_shield_pierced/

By Dan Goodin in San Francisco
The Register
18th April 2011

In late December, Microsoft researchers responding to publicly posted attack code that exploited a vulnerability in the FTP service of IIS told users it wasn't much of a threat because the worst it probably could do was crash the application.

Thanks at least in part to security mitigations added to...
 

Posted by InfoSec News on Apr 18

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

We're writing to remind you that the submission deadline for the 2011 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE '11) is quickly approaching. Please submit your work by Wednesday, April 20, 2011, at 11:59 p.m. PDT.

EVT/WOTE brings together researchers from a variety of disciplines, ranging from computer science and human-computer...
 

Posted by InfoSec News on Apr 18

http://www.computerworld.com/s/article/9215879/Anonymous_hacker_claims_he_broke_into_wind_turbine_systems

By Robert McMillan
IDG News Service
April 17, 2011

Claiming revenge for an "illegitimate firing," someone has posted screenshots and other data, apparently showing that he was able to break into a 200 megawatt wind turbine system owned by NextEra Energy Resources, a subsidiary of Florida Power & Light.

The data was posted to the...
 
tmux '-S' Option Incorrect SetGID Local Privilege Escalation Vulnerability
 
One day after a hacker posted screen shots and data to a hacking mailing list, saying he had broken into a New Mexico wind turbine facility, the company that runs the turbines says it has seen no evidence of a computer intrusion.
 
Gibbs has had it with users!
 
Fish Multiple Remote Buffer Overflow Vulnerabilities
 