InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google CEO Larry Page tried to put a positive spin on his company's poor third-quarter financial results, which were released prematurely Thursday and triggered a panicked stock sell-off before trading was abruptly halted.
Google today reported a drop in profit and revenue for the third quarter, an unexpected slip that highlighted its struggle to make money on a growing mobile market.
Chip company Advanced Micro Devices on Thursday said it would lay off 15 percent of its workforce as it tries to inch back to profitability at a time when the PC market is slumping.
Many vendors have security hardening guides - step-by-step guides to increasing the security posture of one product or another. We alluded to the Cisco guides earlier this month (Day 11), Microsoft also makes a decent set of hardening guides for Windows server and workstation products, as do most Linux distros - you'll find that most vendors have documents of this type.
VMware's vSphere hardening guide is one I use frequently. It's seen several iterations over the years - the versions considered current are all stored at: http://www.vmware.com/support/support-resources/hardening-guides.html

The initial guide for ESX 3.x (back in the day) was mostly CLI based, with commands executed within the Linux shell on the individual ESX hosts. Things have changed quite a bit since then (and no, that wasn't a reference to the amount of grey in my hair!). The current version (5.0) covers the entire vSphere environment: it discusses settings for the ESXi hosts, the virtual machine guests, the virtual network (and the physical network), the vCenter management platform and vCenter Update Manager.
From both an auditor's and a system administrator's perspective, there are a number of oh-so-cool factors to this standard that make it a great example of vendor security documentation:
There is a clear description of why you might make any specific configuration change. The security exposure is clearly explained for each setting discussed, along with the severity.

Not every setting is a recommended setting. They are very clear that some security changes are recommended in all cases; others might only be recommended for DMZ deployments or other exceptional circumstances. For each setting, they discuss in what situation that change would be deemed necessary.

Some security changes will break functionality that you might be expecting: for instance, a setting might disable something in vCenter, or it might break vCLI (the remote command-line API) functions. If a setting affects functionality, it is clearly spelled out.

There are several ways to get the job done. For each benchmark setting, several methods for effecting that change are discussed. Often there'll be a setting to tweak within vCenter, but whenever possible they'll also discuss how to accomplish the same task from a remote command line, either from PowerShell (using the PowerCLI API) or from a remote Windows or Linux command line (using the vCLI command set). For instance, for something as simple as setting NTP (Network Time Protocol), they cover off:

How to set NTP services up for the ESXi host in the vSphere Client application
What config file is updated (/etc/ntp.conf)
From the vCLI (vSphere Command-Line Interface), how to audit this setting using vicfg-ntp. Note that all the vCLI commands are run from a remote host (Linux or Windows), so this is a great audit tool!
How to update this setting using the vCLI, again using vicfg-ntp
How to list the NTP settings from all hosts in an environment using PowerCLI, VMware's PowerShell API. Again, this is run remotely from a Windows host with PowerShell and the VMware PowerCLI installed.
How to update all hosts in an environment using PowerCLI
And finally, an external link for more information

Audit is not neglected in this document. Not only do they tell you how to make each change, they show you how to audit that change, to get the current value of the affected settings. Again, whenever possible, they discuss how to do the audit steps from as many toolsets as possible. You'll find that if you are an auditor looking at 10 servers, or a consultant working with a different client each week, the CLI approaches have a lot of appeal. Not only are they much quicker, but they are less prone to error, and you don't have to rekey anything.

So, if you are an auditor, or a consultant who sees many clients, or a System Administrator who just wants to keep tabs on their environment, from this guide you can easily and simply create your own audit scripts. With these scripts in hand you are able to get accurate, repeatable security assessments (based on a published standard) of a vSphere environment.
This means that you are delivering exactly the same security assessment for each client's environment. However, while the assessment is the same each time, the recommendations will not be - remember that there is a severity value for each assessed value, and also a discussion of in which situation each setting is recommended - the recommendations will vary quite a bit from one client to the next. Even if you are an auditor within a single organization, you'll find that results will vary from one audit to the next. Remember that this is an evolving standard - recommended settings change from one version of the guide to the next. You'll also find that when you combine security assessments with risk assessments (this is almost always desired), the risk equation will change depending on how the impacts are phrased, what has happened in the organization recently, or who is involved in the discussion.
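The NTP item above, and the "roll your own audit script" idea, in working PowerCLI. This is an added example, not code from the vSphere Hardening Guide or from this diary: it walks every ESXi host in a vCenter, compares the configured NTP servers and the ntpd service state against an expected baseline, reports per host, and only remediates when you opt in. The vCenter name and the expected NTP servers are placeholders you would replace for your environment.

```powershell
# Added example (not from the VMware hardening guide or the ISC diary).
# Audit NTP on every ESXi host managed by a vCenter, using VMware PowerCLI.
# Assumptions: PowerCLI is installed, the account can read host config, and
# the vCenter name and NTP server list below are placeholders for your site.

$vCenter     = 'vcenter.example.com'                         # assumption
$ExpectedNtp = @('ntp1.example.com', 'ntp2.example.com')     # assumption
$Remediate   = $false   # audit only by default; $true also fixes drift

Connect-VIServer -Server $vCenter | Out-Null

$report = foreach ($vmhost in (Get-VMHost | Sort-Object Name)) {
    # Current NTP servers and the ntpd service object for this host
    $ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpd       = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }

    # Servers that should be there but aren't, and servers that shouldn't be there
    $missing = @($ExpectedNtp | Where-Object { $ntpServers -notcontains $_ })
    $extra   = @($ntpServers  | Where-Object { $ExpectedNtp -notcontains $_ })

    # Compliant = exact server list, ntpd running, and set to start with the host
    $compliant = ($missing.Count -eq 0) -and ($extra.Count -eq 0) -and
                 $ntpd.Running -and ($ntpd.Policy -eq 'on')

    if (-not $compliant -and $Remediate) {
        foreach ($s in $extra)   { Remove-VMHostNtpServer -VMHost $vmhost -NtpServer $s -Confirm:$false }
        foreach ($s in $missing) { Add-VMHostNtpServer    -VMHost $vmhost -NtpServer $s | Out-Null }
        Set-VMHostService     -HostService $ntpd -Policy 'on' | Out-Null
        Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null
    }

    # One row per host; the same object feeds the screen and the CSV
    [pscustomobject]@{
        Host        = $vmhost.Name
        NtpServers  = ($ntpServers -join ',')
        NtpdRunning = $ntpd.Running
        NtpdPolicy  = $ntpd.Policy
        Missing     = ($missing -join ',')
        Extra       = ($extra -join ',')
        Compliant   = $compliant
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\ntp-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it with $Remediate left at $false first and keep the CSV: that is the repeatable, evidence-producing assessment the diary is talking about, and the Compliant column is what you compare from one audit to the next. The equivalent per-host check from a vCLI box is vicfg-ntp with the list option against each ESXi host, which is handy when you have no vCenter access, but the PowerCLI loop is the one that scales to dozens of hosts without rekeying anything.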

Security is unique in the fact that while the questions will be consistent over time and between organizations, the answers will change. You'll see them vary over time, across versions of a product, in different deployment situations and between organizations. I think this benchmark is a good example of a standard that is well equipped to handle this shifting landscape.

(You'll find the vSphere Hardening Guide covered cover-to-cover in SANS SEC579.)
If you have any stories about this article, or about this or other vendor security guides, please share - use our comment form.

Rob VandenBrink

Metafore
ModSecurity POST Parameters Security Bypass Vulnerability
HP has agreed to transfer 3,000 of its employees to the General Motors payroll, as the automaker moves IT operations in-house, the two companies announced Thursday.
Hewlett-Packard and Dell have published compatibility lists of printers and multifunction devices for the upcoming Windows 8 and RT tablet OSes, with a large number of models listed as being incompatible with Windows RT.
Anyone even loosely following SAP lately should know that the company's goal is to reorient its entire product family around the HANA in-memory database, which first became generally available last year. According to SAP, HANA provides a level of performance improvement that can be nothing short of dazzling.
Sometimes agents of change have to turn up the volume. And sometimes not.
Microsoft will open the floodgates for Windows RT tablets at a release event Oct. 26 in New York City. The Surface tablet from Microsoft will be available on launch, with more tablets from Asus, Dell, Samsung, Lenovo and Acer coming in the following weeks.
Come Oct. 26, when Microsoft is set to stage a release party in New York City, consumers may have to choose between a tablet with Windows 8 or Windows RT. The operating systems look and feel the same, but devices will differ on performance, price, battery life, usage and application support.
Facing a sluggish PC market and deferring revenue from sales of its upcoming Windows 8 OS, Microsoft reported US$4.47 billion in net income for its first fiscal quarter of 2013, a 22 percent decline from the same period a year earlier.
Verizon Wireless' Share Everything plan, introduced in June, has helped boost the average Verizon wireless phone bill by 6.5% to $145 a month.
OpenStack Swift 'loads()' Arbitrary Code Execution Vulnerability
Apple yesterday started scrubbing most Macs of older Java browser plug-ins, a move that will force users to download the software from Oracle.
Some say the Android malware problem is out of hand, and it appears Google is taking additional steps to block attacks in its Google Play store.

Multiple Vulnerabilities in Campaign Enterprise <= 11.0.538
CA20121018-01: Security Notice for CA ARCserve Backup
Google surprised Wall Street today by prematurely releasing a lackluster earnings report hours ahead of schedule. The company's stock dove more than 9% before trading was suspended.
Dell on Thursday will outline the next phase of its strategy to move up the IT value chain and sell higher-value systems that combine hardware and software for building out data center infrastructure.
Oracle Java SE CVE-2012-5073 Remote Java Runtime Environment Vulnerability
You're a security officer in your corporation and you've been informed your company is moving a datacenter from California to Chicago, Illinois. The applications generate over 50 million in revenue yearly. What advice do you follow and where do you start?
A series of initiatives are under way at SAP with the goal of bringing its business applications much closer to the ease of use and eye-catching visuals provided by consumer applications, particularly ones made amid the boom in mobile computing.
The recently launched Adobe Reader and Adobe Acrobat XI come with new security features and an improved sandbox that will make the products harder to attack and exploit.
Google today announced a new low-priced clamshell-style Samsung Chromebook computer for $249 that runs the Chrome OS.
Public Wi-Fi usage has gone up significantly in the past year, and many people are using insecure hotspots to access work information.

Spammers have spoofed shortened URLs designed to validate redirects to several states including California, Iowa, Indiana and Vermont.

Oracle Java SE CVE-2012-5072 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-3216 Remote Java Runtime Environment Vulnerability

Using its country-specific content-blocking tool for the first time, Twitter has shut down access to a neo-Nazi group's account in Germany.
HP's DL380p Gen8 dances through virtualization workloads and server administration with compelling mix of speed and ease
Verizon Communications reported 3.9% growth in revenue for the third quarter and 21.2% growth in net income, driven by gains in mobile revenue and customer additions for its Fios broadband and television services.
Sprint Nextel has increased its ownership in Clearwire and now has a 50.8% stake, according to a U.S. Securities and Exchange Commission filing.
Canonical upgrades Ubuntu Linux, and the client-side version features the controversial search capability
Internet Explorer 9 XSS Filter Bypass
It's two OSs in one, and a bridge between two worlds.
Oracle Java SE CVE-2012-5079 Remote Security Bypass Vulnerability
Nintendo said on Thursday the company was investigating how underage interns were employed at a Foxconn factory in China, which assembles products for the Japanese gaming company.
Canonical has released both the server and desktop editions of Ubuntu 12.10, which offers a glimpse of how this Linux distribution will evolve in the next few years.
Acer on Thursday announced a low-cost tablet starting at $230 with a 7-inch screen and Google's Android 4.1 OS, code-named Jelly Bean.
Nokia continues to struggle as its third-quarter smartphone unit sales dropped by 63 percent compared to last year, while some warn that expectations for the arrival of its first phones based on Windows Phone 8 should not be too high.
The Metasploit developers have published an information disclosure vulnerability in Novell ZENworks Asset Management that allows remote attackers to read information stored in the application

At the 45th ICANN meeting in Toronto, government representatives announced plans to develop recommendations concerning the disadvantages of domain name blocking

Oracle Java SE CVE-2012-5086 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-5084 Remote Java Runtime Environment Vulnerability

'Four horsemen' posse: This here security town needs a new sheriff
The "Four Horsemen of the Impending Infosec Apocalypse" - prospective candidates for the (ISC)2 election who were not included on the official slate - have put themselves forward for election. Only one of the four - Dave Lewis (@gattaca) - made the cut.

Staffing shortages are holding back companies ready to dive into big data. Here are three ways they're coping with the talent gap. Insider (registration required)
AOL offered a limited preview Thursday of a new cloud-based email service that sorts content automatically to help combat "inbox fatigue" and doesn't force users to get a new address.
The actress shown in a controversial anti-Islam video has filed before a federal court in the U.S. for a temporary restraining order (TRO) on Google to pull down the YouTube video.
Amazon.com launched a free online tool that will help schools and businesses centrally control and distribute content on Kindle devices to their students and staff.
DreamWorks Studios is busy producing eight to 10 films at any given time, and each film produces 120,000 frames of film and uses 200TB of storage. In recent years, 150 engineers have been working on creating software that can take advantage of 25,000 CPUs in a parallel fashion.
Apple has become more responsive to patching its Java when Oracle patches Java, and in the latest update has taken the step of removing its Java applet plugin; Applet users will need to install Oracle's Java for Mac OS X

Oracle Java SE CVE-2012-5087 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-5076 Remote Java Runtime Environment Vulnerability
Microsoft confirmed that owners of Windows RT hardware, including the company's own Surface RT, must acquire a commercial license for Office 2013 to use those devices' bundled Office apps at and for work.

Posted by InfoSec News on Oct 18


By Jeremy Kirk
IDG News Service
October 17, 2012

From Google Maps, the U.S. National Security Agency's parking lot has a
larger footprint than the building itself. And for the high secrecy
surrounding what goes on inside, there is plenty of information flowing
just outside.

In a demonstration on Wednesday at the Breakpoint security...

Posted by InfoSec News on Oct 18


By Peter Pierce
The Age
October 13, 2012

By Andrew Croome
Allen & Unwin, $27.99

YET another Vogel award winner for the best unpublished first novel has
kicked on: after Document Z (2009), his fictionalised account of the
Petrov affair of 1951, Andrew Croome has followed up with a taut,
exciting and complex thriller, Midnight Empire....

Posted by InfoSec News on Oct 18


October 18, 2012

NATO considers Russia one of the key potential cyber-aggressors for the
North Atlantic alliance, the Kommersant business daily reported, citing
its sources in NATO's headquarters.

NATO plans to hold its Cyber Coalition 2012 war game on November 13-16.
In line with the exercise’s scenario, NATO members Hungary and Estonia
come under large-scale cyber attacks...

Posted by InfoSec News on Oct 18


By David Talbot
Technology Review
October 17, 2012

Computerized hospital equipment is increasingly vulnerable to malware
infections, according to participants in a recent government panel.
These infections can clog patient-monitoring equipment and other
software systems, at times rendering the devices temporarily inoperable.

While no injuries have...
Oracle Java SE CVE-2012-5079 Remote Java Runtime Environment Vulnerability