InfoSec News

After coming under loud and unrelenting fire from angry users, Instagram announced late Tuesday afternoon that the company is going to try to clarify changes it's making to its Terms of Use policy.
Instagram vowed on Tuesday to revise new proposed terms of service following a strong backlash from users worried that it would use their photos in advertisements without their permission.
Oracle on Tuesday reported that net income jumped 18 percent to US$2.6 billion while revenue rose 3 percent to $9.1 billion for the second quarter, but the company's hardware revenue continued to show weakness.
Christopher Chaney, a Florida man who admitted to illegally accessing email accounts belonging to more than four dozen celebrities, was sentenced to 10 years in federal prison on Monday.
An attacker can exploit weaknesses in files intended to extend the functionality of Shockwave Player. No practical solution is available, US-CERT said.

Google, working in partnership with the Israel Antiquities Authority, posted about 5,000 images of the ancient Dead Sea Scrolls online Tuesday.
Among the raft of recent and upcoming Microsoft upgrades, Windows 8 towers in importance but its chances for success remain cloudy among enterprise customers.
Organizers played "Eye of the Tiger" and "We are the Champions" over the loudspeakers as participants in the SANS Institute's NetWars Tournament of Champions sat down at their laptops and prepared for action.
A former executive at Taiwanese LCD marker AU Optronics has been convicted of participating in a worldwide conspiracy to fix the prices of LCD panels, the U.S. Department of Justice said.
Eyeing greater use of the open source Postgres database in the cloud, hosting provider Open Hosting has launched a service that allows users to run an automated cluster of PostGres databases on the company's own servers.
K. P. Unnikrishnan, APAC marketing director, Brocade, talks about the importance of SDN in the company's strategy and how they're emphasizing on training and certification for better service delivery.
In an exclusive interaction, Stephanie Boo, regional director, South Asia Pacific, FireEye, articulates the huge business opportunity for channel partners across APT market.
Apple today released an update for iOS that fixes an unspecified Wi-Fi bug in the iPhone 5 and iPad Mini.
Instagram has alerted its users to a change in its Terms of Use policy, and users are in an uproar about it.
Juniper Networks had a challenging 2012 as new product cycles were slow to take hold and global economic conditions took a toll on sales. The company also undertook a restructuring that saw 500 positions cut and the departure of four executive vice presidents. As the Sunnyvale, Calif.-based company looks to re-energize its business, particularly with an eye towards enterprises and data centers, CEO Kevin Johnson shared his lessons learned in leading Juniper since 2008, as well as what's ahead for the company in a discussion with IDG Enterprise Chief Content Officer John Gallant and Network World Managing Editor Jim Duffy. In this installment of the IDG Enterprise CEO Interview Series, Johnson also shared his thoughts on the hot topic of software-defined networks (SDN), Juniper's role in enabling cloud and competing against the industry's 800-pound gorilla, Cisco.
Cisco this week announced its intent to acquire BroadHop, a developer of network management servers and software for carriers.
Hewlett-Packard has updated its service virtualization software, giving developers a broader palette upon which to test their programs.
Wrapping up the Large Hadron Collider's first three years of work, CERN scientists are nearly positive they've found the elusive Higgs boson, also known as the "God particle."
Samsung is set to become the biggest cell phone maker in the world this year eclipsing Nokia, which has held the title for 14 straight years.
Microsoft yesterday pitched its Outlook.com email service to users of Gmail dismayed by Google's decision to abandon a popular enterprise synchronization service next month for new customers.
Samsung dropped all claims pending in European courts in which it asserted patents that are essential for mobile communication devices to prevent the sales of Apple products in Europe.
A credit card payment processing service aided a crime ring by processing payments made by scareware victims. The man who provided the service has now been sentenced to a four-year jail term and was fined $650,000.


It is a well established fact that insiders and employees can be the largest threat to an organization's information security. Management and organizational change and decisions can exacerbate these insider risks and, when poorly managed, introduce new and unanticipated threats as well. Organizational change can take many forms, such as mergers, relocations, or the closing of facilities.

During these changes risk profiles increase, and the technical staff who are responsible for managing these risks are often not as focused as they would be during more normal times. This is a situation that management has to recognize and plan for before contemplating change to the organization. Management is not well known for listening to technical staff on these topics.

Movement of a portion of a company, when poorly planned and organized, can lead to loss of key staff, further poor planning, loss of institutional knowledge, and ultimately loss of revenue through loss of customer confidence or damaged customer relations.

The primary elements to organizational redesign are:

- Time line

- Key roles

- Project plan and milestones

Having a realistic time line is the best place to start. Knowing what facilities are required, where they are required, and making sure they are in place when needed will smooth out any change. While not directly related to information security, planning for office moves which involve construction has to include time lines for getting permits and for construction delays. Mitigation plans for facilities that are not ready are part of the up-front planning as well. When people are relocating, this can cause delays as well as a different attention level from staff as they make their own living preparations.

People will show up expecting to do their jobs the way they did prior to a move. Presumably people are either living in a new place or new to the company. In either case certain processes will take longer due to the newness of the location or office space, or the integration of new employees.

Identifying key staff roles in advance is critical. This is a task best performed at lower levels; high-level managers and owners don't have the visibility into which roles are really critical. Ensuring that continuity of key roles is preserved, with each role filled either by someone relocating or by a new staff member who has time to onboard and learn the organization before major change takes place, reduces the risk from significant changes, particularly when that change is within the new staff member's department.

This entire process should really start by examining the steps and milestones that need to take place and ensuring the amount of time needed for each step is clearly understood prior to embarking on the change path. The old adage that too much change at one time is poor engineering applies to many companies across the board.

To mitigate risks, procedures and documentation need to be maintained at all times rather than written in the midst of change. This includes knowing who the key architects for information systems are, and ensuring that those roles are spread across multiple individuals. Planning for change needs to include staff members at all levels to make it successful. Additionally, involving staff may even increase the number of staff members who make the transition, as an added benefit.

Here is one research link: https://www.google.com/search?q=company+attrition+due+to+office+relocationoq=company+attrition+due+to+office+relocation

This is included as a starting point for further reading rather than as an endorsement of any of these articles or companies specifically.

To illustrate this point: I was recently involved in a team which at full strength had 6 engineers and a technical manager. Through normal attrition and a facility relocation, the team was down in strength to 2 members with time in service and 1 new member. The team was required to maintain a full work load which at full strength required careful management. At this understrength level the team was expected to keep the full work load and relocate a primary datacenter (which had no alternate). The move was expected to take two days and be fully operational on the third. They pulled it off, working for three days straight with many challenges and making compromises in structure and probably security to get it done. Will they remember all the compromises they made and close them in a reasonable time? Will they be motivated to resolve any issues? As a business owner or manager, are you willing to bet your business on that?

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A group of operators including AT&T, Boingo Wireless, BT and China Mobile have joined forces to work on a common framework for Wi-Fi roaming to make it easier for users to access hotspots while travelling abroad.
Freeciv Multiple Remote Denial Of Service Vulnerabilities
Europe's top digital commissioner has called for an "Airbus for Chips" to boost the bloc's microelectronics sector.
Salesforce.com has tied its Sales Cloud CRM application into its Work.com employee performance management software, in a combination the company says can make average salespeople better and good ones great.
A US hacker who breached computers and email accounts belonging to a range of celebrities has received a ten-year jail sentence. Among other things, his hacking netted private photos of actress Scarlett Johansson, which he then posted online.


With the holidays coming up, you might think it's time to stop thinking about security, malware and generally anything to do with work. Unfortunately, in the area of security, the holidays are not the time to let your guard down. It's always fun to see the uptick in malware over significant holidays, because the malware authors plan for the time windows when their targets (that's you and yours) and the AV vendors are at reduced staff levels.

So, what should Corporate IT folks be thinking about?

Before your users go home for the holidays, ensure that everyone has their antivirus set up to auto-update over the web. In some corporate setups, AV clients update only from a corporate server. If your user community is all offsite over the holidays, they won't get their updates when they need them the most. Which means that some of your users will come back in January infected, and (likely) with their AV turned off by the malware they've picked up.

Similarly on the OS side: if your users are using WSUS or some other central update service, you likely want them to either update over the internet, or force them to VPN in to get updates. There's nothing like a zero-day loose on your corporate network to make for an exciting January!

If you are on the security team, keep track of your system logs. In particular, keep track of backup logs and IPS logs. Even little stuff missed over the holidays does nothing but get worse over the two weeks we have off!

Think about spam. We're all expecting a flood of e-cards in our mailboxes from friends, family, customers, vendors, and other people we do business with. Mixed in with these, expect to find some malware, and maybe even some new, ingenious malware. It's a good idea to send a note to your users to let them know to look out for spam that might get past the filters. Remind them that if a website or an email attachment tells them that they might be infected, they should close that window, or maybe even instruct them to reboot to kill it (you'd be surprised how many folks will press OK to close a window).

Think about new devices. Off-brand picture frames have come with malware in the past, but you could just as easily see malware on cameras or those keychain picture frames. Really, anything with a USB port might be infected, even stuff you might not think about like USB-powered remote control helicopters and cars. Yes, some of your users will plug these into their corporate laptops to charge, even if there's a charger in the box.

Your users will absolutely come back to work with new tablets, mp3 players and phones, all of which must have a network connection. If you don't already have a plan (and a written policy) for dealing with these, you may have an uphill battle ahead of you (or maybe it's a battle you have already lost).

Whatever it is, if you're in IT, expect an evil present or two from your users in January.

What should you be thinking about if you're at home, and you're NOT in IT?

Well, all the same stuff. Be sure that all the computers at your house are updated and have up-to-date AV protection. Think about e-cards and other holiday spam and malware when you open mail. Think about USB and network-attached devices after they get unwrapped and everyone wants to start plugging cables in.

And think about your extended family who might be calling you after everything got really slow on our computer after Christmas, right after we uploaded our pictures to that new picture frame.

Because we all know that even if we're not in the IT department at work, we're certainly an IT department of one after we get home!

Have a good, safe holiday, everyone!


Rob VandenBrink

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Europe's top data privacy agency has launched a formal investigation into Microsoft's privacy policy.
Sharp is readying a 6-inch digital notepad with 60 hours of battery life under continuous use.
A recent Java 7 update allows users to completely prevent Java applications from running inside browsers or to restrict how Web-based Java content is handled by the Java Runtime Environment client.
Samsung's Galaxy Grand smartphone has a 5-in. screen -- but the big display seems aimed at those with smaller budgets, according to an analyst.
The most recent Patch Tuesday came with a little extra in one of the patches: disappearing fonts for users of CorelDraw, QuarkXPress and PowerPoint.

Apple may be eying a site in upstate New York for a manufacturing plant that would allow it to wean itself from relying on Samsung for the A-series chips that power Apple's iOS devices.
We look at 7 online videoconferencing services that help colleagues and friends keep in touch, share screens and collaborate on presentations.
In a new twist, spammers have built a botnet that sends SMS spam through infected Android phones, shifting the potentially pricey cost of sending spam to victims.
Google on Monday said that iOS users had downloaded more than 10 million copies of its revamped Maps app in the first two days of availability.
Harald Range, head prosecutor for the German Federal Court of Justice, does not currently believe there's a sufficient legal basis for listening in on online telephone services using trojans. Meanwhile, Skype has clarified its position on interception.

A court in California has denied Samsung Electronics a retrial in a patent dispute with Apple, and also refused Apple a ban on the sale of some Samsung products.

Health body urges docs to boost infosec controls
SC Magazine Australia
The Royal Australian College of General Practitioners (RACGP) has urged general practices (GPs) to shape up their information security after a series of practices and surgeries were victim to ransomware scams. The warnings follow an attack on a Gold ...
