InfoSec News


InfoSec: Regulatory Compliance Is Top Concern Of IS Professionals
CIO India
The information security organisation questioned 2400 members for a survey to be released at this week's InfoSec show in London. ISACA said the increase in regulations, data breaches and new technologies, such as cloud computing and the rise of ...

and more »
 

Wave to Host InfoSec Europe 2011 Workshop Featuring PricewaterhouseCoopers
Marketwire (press release)
LEE, MA--(Marketwire - Apr 19, 2011) - Wave Systems Corp. ( NASDAQ : WAVX) (www.wave.com) will attend InfoSecurity Europe 2011 this week, hosting a workshop that features customer PricewaterhouseCoopers (PwC). The two-hour event will give ...

 
Microsoft on Tuesday started rolling out software updates to users of the Windows Phone 7 phones including Samsung's Focus and LG's Quantum, following more than a month of delays.
 

Microsoft on Tuesday released its first security advisories for vulnerabilities its researchers found in third-party products: two in Google’s Chrome browser and one in Opera. Both have been fixed by the vendors.

The bug release was part of a broader announcement by Microsoft on its Coordinated Vulnerability Disclosure program, which it first announced last July. Under CVD, a security researcher reports security vulnerabilities to the affected vendor, a national CERT or other coordinator that will report the bug privately to the vendor; the researcher gives the vendor a chance to fix the problem or figure out a workaround before any party discloses it.

In addition to the security advisories, Microsoft on Tuesday also released a document that clarifies its approach to CVD as a vendor, vulnerability finder, and coordinator of vulnerabilities that affect multiple vendors, Matt Thomlison, general manager, Trustworthy Computing Security, wrote in a blog post.  The company also adopted an internal policy for vulnerability disclosure for employees to follow when finding security flaws in third-party products, he said.

The Microsoft Vulnerability Research program has privately notified third parties of vulnerabilities since it was established in 2008, he said. The advisories illustrate the company’s commitment to handling vulnerability disclosure in a coordinated way, Thomlison said.

“After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem,” he said.  “By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed.   We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.”

Marc Maifrett, CTO of eEye Digital Security, said in a prepared statement that while Microsoft should be commended for taking an active role in vulnerability research, it and other technology companies should address the larger problems that have led security researchers to stop working with vendors.

First, he said, vulnerability research isn’t easy, and researchers now have a way to be compensated for it by selling zero-day vulnerabilities to buyers of both good and bad intentions. Second, researchers are unsatisfied with the time it takes vendors to fix flaws that are reported to them.

“Microsoft, and other technology companies, still fail to set a time line of what the cut-off period is for a researcher to wait for Microsoft to create a patch, after which point a researcher should be able to publish their details to help the community without being vilified by Microsoft or other technology companies as being irresponsible, or uncoordinated as it is now,” Maifrett said.


The U.S. Department of Justice and FBI said they disabled a massive, international botnet that snatched user names, passwords and financial information used by criminals to steal money.

The Coreflood botnet is believed to have operated for nearly a decade and to have infected more than two million computers worldwide, they said.

In the action announced Wednesday, federal authorities seized five command-and-control servers and 29 domain names used by the botnet. The government also filed a civil complaint against 13 “John Doe” defendants, alleging wire fraud, bank fraud and illegal interception of electronic communications. In addition, the U.S. obtained a temporary restraining order that authorizes it to replace the C&C servers with substitute servers to prevent further infection of the compromised computers.

“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure,” Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services branch, said in a prepared statement.

“It appears the cybercriminals behind Coreflood were able to turn the botnet into a money-making machine. It is hard to estimate the actual loot, but the criminals likely made tens of millions of dollars, based on the estimates in the complaint filed by the Department of Justice,” Dave Marcus, McAfee Labs research and communications director, said in an email. “It is not outside of the realm of possibility that they netted more than US$100 million. The attackers were collecting personal information including bank account details over a period of time.”

While the U.S. action completely disables the existing Coreflood botnet, it doesn’t stop criminals from trying to build another botnet using a different version of the Coreflood malware, authorities warned.
Yahoo's revenue and profit slid significantly in the first quarter, but the company's performance was in line with Wall Street's expectations and company officials said the results reflect solid execution toward its financial goals.
 
The Oak Ridge National Laboratory has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.
 
Mojolicious Directory Traversal Vulnerability
 
Microsoft today released a pair of security advisories for Chrome, the browser built by rival Google -- part of an expansion of the vulnerability disclosure policy Microsoft launched last summer.
 
Smartphones and tablets will be the first devices to use ARM's upcoming Cortex-A15 processor, and will be available starting late 2012 or early 2013, an ARM executive said this week.
 
Intel reported growth in revenue and income for the first quarter of 2011, driven by the addition of new products and strength in the enterprise market.
 
IBM on Tuesday reported quarterly sales growth across all its major divisions and raised its earnings outlook for the full year, the latest sign that business spending in the IT sector continues to recover.
 
Debian and Ubuntu Postfix Insecure Temporary File Creation Vulnerability
 
My mom likes to download photos my wife and I post to Facebook. Doing so used to be simple: She'd right-click on the image she wanted and select Save Image As from the contextual menu. Recently, though, Facebook changed the way it displays photos; if you right-click on one of them (the full-size original, not their thumbnail), you no longer get that Save Image option. Fortunately, Facebook offers an easy alternative--the new Download link below the photo. But there's another solution: I wouldn't necessarily recommend it to my mother, but if you'd rather copy the photo or just view it full-size without needing to download it first, it can indeed be done.
 
The attorney who argued Microsoft's case before the Supreme Court Monday downplayed the impact on patent law if the jurists rule for the company.
 
Skype videoconferencing will soon be supported in the LifeSize Passport business-class videoconferencing system.
 
Twitter's reported $50 million bid for TweetDeck comes after months of negotiations between the provider of a popular Twitter client and UberMedia.
 
Seagate's deal to buy Samsung's HDD business leaves only three main players in the industry, which will spur development of next-generation technology as well as boost sales of solid state drive and hybrid drives.
 
RT Versions Prior to 3.6.11/3.8.10 Multiple Remote Vulnerabilities
 
[security bulletin] HPSBMA02659 SSRT100440 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access
 
HTB22938: Multiple XSS in Universal Post Manager wordpress plugin
 

Computerworld New Zealand

InfoSec: Regulatory compliance is top concern of IS professionals
CSO
The information security organisation questioned 2400 members for a survey to be released at this week's InfoSec show in London. ISACA said the increase in regulations, data breaches and new technologies, such as cloud computing and the rise of ...
InfoSec: Regulatory compliance is top concern of IS professionals - ComputerworldUK

all 15 news articles »
 
TimThumb Multiple Denial of Service and Cross-Site Scripting Vulnerabilities
 
HTB22931: XSS vulnerability in InTerra Blog Machine
 
HTB22941: CSRF (Cross-Site Request Forgery) in Dalbum
 
HTB22940: XSS in SocialGrid wordpress plugin
 
[Announcement] CHMag Call for Articles
 
HTB22935: Multiple XSS in WP-StarsRateBox wordpress plugin
 
HTB22932: Multiple XSS in webSPELL
 
HTB22934: SQL Injection in WP-StarsRateBox wordpress plugin
 
Attackers are choosing smaller targets with fewer protections in place. The value of account credentials and intellectual property on the black market is rising.
 
High-profile arrests of cybercriminals and improved information sharing among global law enforcement officials has cut into the number of sensitive data records lost in breaches.
 

InfoSec 2011: Energy firms pummelled by DDoS attacks
IT PRO
Critical infrastructure providers (CIPs) have admitted to being consistently pounded by Distributed Denial of Service (DDoS) attacks, a McAfee report has shown. The full report now shows the sheer scale of attacks, ...

and more »
 

Infosec 2011: The economics of security
ComputerWeekly.com
A keynote panel session at InfoSecurity Europe has attempted to tackle the thorny issue of budget cuts on IT security spending. Cliff Saran reports. Paul Simmonds (pictured), a board member, of the IT security group Jericho Forum, and former CISO of ...

 
Sony Ericsson faces shortages of three new flagship cell phones after Japan's earthquake and tsunami disrupted supplies of key components, it said Tuesday.
 
Google Map Maker is finally available for the U.S., after debuting in 183 countries since its launch in 2008.
 

InfoSec 2011: Can risk be measured in monetary terms?
Computing
A monetary value should always be allocated to risk if IT departments want an effective information security strategy, according to a security chief speaking at InfoSec in London earlier today. Michael Colao, head of information ...

 
Ericsson Tuesday signed an agreement to acquire Telenor Connexion's machine-to-machine platform, in an effort to get more technology and know-how in the growing sector.
 
Tyr Chen, a 29-year-old resident of Beijing, is doing what many of his friends won't: He's establishing a startup.
 

Infosec 2011: Canon highlights security risk of improperly configured printers
ComputerWeekly.com
Canon has launched the first in its series of 'hardening guides' advising on best practice security configuration for its imageRunner Advance series of multifunctional devices (MFDs) at Infosecurity Europe 2011 in London. The security hardening guide ...

 

Round-up: InfoSec 2011
IT PRO
This week sees the return of Europe's biggest security conference - InfoSec 2011 - at Earl's Court, London. IT PRO is there bringing you all the news from this particularly vibrant tech sector.

 
Every network adapter has what is called a Media Access Control (MAC) address that uniquely identifies it. Think of it as an ID. Manually going to every computer on the network and taking the time to run tools to find out every device's MAC address is extremely time-consuming. And even then, it may not work, because people may have connected tablets or smartphones to the network, and you may not know every person who has done that. There's an easy way to do it: get LizardSystems's Find MAC Address ($30 for business use, 30-day free trial; free for non-commercial use).
 

Infosec 2011: PCI DSS compliance has positive impact on data security, study finds
ComputerWeekly.com
The study found that in 2010, 99% of compliant organisations suffered no more than a single credit card related breach compared with 85% of non-compliant organisations, while 64% of compliant organisations had no breach at all compared with 38% of ...

and more »
 

InfoSec 2011: Laptop loss costing European firms billions
IT PRO
European companies are losing billions thanks to laptops going missing, an Intel and Ponemon Institute study reveals. By Tom Brewster, 19 Apr 2011 at 13:40 Lost laptops are costing Europe dearly, with thousands going missing over the last 12 months ...

and more »
 

Infosec 2011: Cisco announces new tools for securing the mobile enterprise
ComputerWeekly.com
Cisco has introduced new security products to its Borderless Networks portfolio to help IT departments manage mobile devices, changing workforce habits and the impact of video on the network. The new tools are designed to enable IT departments to ...

and more »
 
XML Security Library 'xslt.c' Arbitrary File Access Vulnerability
 
Cisco this week broadened the security and management capabilities of its enterprise products to help IT shops get a better grip on mobile devices, video and changing workforce habits.
 
When Google admitted last year that it had been targeted by sophisticated hackers, possibly from China, it introduced a new term into the high technology lexicon -- the advanced persistent threat. These attacks are sophisticated, targeted, and almost impossible to stop. But according to Verizon, they're also a lot less common than most people think.
 

InfoSec 2011: Can Government cope with IT consumerisation?
IT PRO
Lord Erroll looks at the challenges facing the Government when it comes to the consumerisation of IT. By Tom Brewster, 19 Apr 2011 at 11:36 There are numerous barriers the Government will have to overcome with the consumerisation of IT as ministers ...
Infosec 2011: Consumerisation of IT is a fact of security life, says Lord Erroll - ComputerWeekly.com

all 2 news articles »
 

ComputerWeekly.com (blog)

Infosec 2011: application (development) appetisers Part I
ComputerWeekly.com (blog)
For the average attendee, London's Infosecurity Europe (Infosec) event this week represents a chance to review the great and the good of the security industry's latest vendor offerings. ...

 
India’s Election Commission may give in to demands that its electronic voting machines should also have paper outputs of voting records.
 
Samsung Electronics will sell its hard-disk drive operations to Seagate Technology for $1.375 billion.
 
Toshiba won't be able to meet its full-year revenue and profit forecasts due to the impact of the March 11 earthquake and tsunami in Japan, the company said Tuesday.
 

Computerworld New Zealand

InfoSec: Regulatory compliance is top concern of IS professionals
ComputerworldUK
The information security organisation questioned 2400 members for a survey to be released at this week's InfoSec show in London. Wikileaks - fearless whistleblowers or irresponsible nuisances? Keep up to date with the latest developments. ...
InfoSec: Regulatory compliance is top concern of IS professionals - CSO

all 17 news articles »
 
It's a matter of opinion which company makes the better operating system or is likely to grow its smartphone market share. But numbers don't lie -- or exaggerate.
 
When it comes to IT, China likes to build big. Now, China is close to adding something else to its list of big tech things: the world's largest market for PCs.
 
Enterprise organizations are rushing to build iPhone, iPad, Android and BlackBerry applications to deepen their customer experiences and extend the ways their customers can purchase from them.
 
When manufacturing firm Cinram International migrated from Microsoft Exchange to Google Apps, the company saw 'a night-and-day difference,' according to Andrew Murrey, Cinram's vice president of IT Infrastructure.
 
Recently we have all been witnesses to two high-profile incidents where the attackers exploited SQL injection vulnerabilities: the now infamous HBGary Federal hack and the Barracuda Networks hack. What's even more worrying about these two incidents is that they happened to companies which are information security consultants/product developers.

SQL injection vulnerabilities have really been around for ages; the first reference I can remember was Rain Forest Puppy's article for Phrack 54, "NT Web Technology Vulnerabilities", which was published back in 1998 (yes, SQL injection is almost 13 years old!). However, as we can see from the examples that happened recently (and from many other cases; just take a look at the mass SQL injection attacks that are performed automatically by malware these days), SQL injection vulnerabilities are unfortunately here to stay.

During my penetration testing engagements I often see various frameworks being used to develop web applications. These frameworks are more and more advanced these days and can in many cases automatically protect the application against common attacks such as SQL injection or cross-site scripting.

While this is good, and frameworks definitely help make applications more secure (note that I didn't say secure), one thing that I always like to stress to developers is that they should still pay attention to all these vulnerabilities. If nothing else, you never know if your application will end up on a server that has a different or misconfigured version of the framework you used, which will suddenly make your application vulnerable!

Another thing to keep in mind is that web application firewalls aren't almighty. While they can do a good job, I've also seen too many misconfigured WAF products that were easy to bypass. Web technology is developing quickly, and if you don't keep up with it, it is quite possible that in 6 months a new attack/language/whatever will be introduced that will allow one to bypass your (old) WAF. Take Adobe Flash, for example: not only for client-side vulnerabilities but also for attacks such as Cross Site Flashing, which are more and more common.

So are the bad guys any better? Unfortunately, the answer is YES. Whenever I can get my hands on them, I always try to analyze the server-side scripts that the bad guys use; these are usually scripts running on their C&C servers that help them control infected machines, issue and schedule tasks and so on.

While previously we were seeing all kinds of bad code (both bad looking and full of vulnerabilities), today I can unfortunately say that the bad guys have much improved their game. Below you can see an excerpt of a server-side script used by some malware. It's in PHP (the most popular platform for bad guys) and, besides being nice and easy to read, notice how they used the addslashes() call on all variables to make sure that any occurrence of a single quote, double quote, backslash or NULL byte is properly escaped.

So, if the bad guys can do it, we should be better too, so please take a couple of minutes to educate your developers about the dangers of writing insecure code.
--

Bojan

INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
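The diary's point about addslashes() deserves one caveat a defender should carry away: quote escaping only protects a value that sits inside a quoted string literal. The script below is an added example, not code from the diary or from the malware it describes; it assumes PHP with the pdo_sqlite extension, builds a constructed two-row table in memory, and runs the same hostile value through addslashes() in a numeric context and through a bound parameter.

```php
<?php
// Added example, not code from the ISC diary or from the malware script.
// Assumes the pdo_sqlite extension; the table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed hostile input for a numeric parameter. It contains no quote,
// backslash or NUL byte, so addslashes() has nothing to escape.
$id = '1 OR 1=1';

// 1. Interpolated after addslashes(): the value is returned unchanged and
//    becomes part of the SQL text, so the WHERE clause matches every row.
$escaped = addslashes($id);
$rows = $db->query("SELECT name FROM users WHERE id = $escaped")
           ->fetchAll(PDO::FETCH_COLUMN);
printf("addslashes() in numeric context: %d row(s)\n", count($rows));

// 2. Same input, bound as a parameter: it is sent as a value and never
//    parsed as SQL. No row has an id equal to the text '1 OR 1=1'.
$stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([$id]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared statement:              %d row(s)\n", count($rows));

// 3. When the value must be an integer, validate it before it reaches the
//    query as well; filter_var() rejects this input outright instead of
//    relying on the database to treat it as a harmless string.
$valid = filter_var($id, FILTER_VALIDATE_INT);
printf("filter_var() accepts the input:  %s\n", $valid === false ? 'no' : 'yes');
```

The escaping in case 1 would behave the same way on MySQL, where addslashes() is usually aimed; the engine only matters for case 2, where the bound value stays data regardless of engine.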
 
InfoSec News: Experts agree: Wind turbine 'hacker' is a fake: http://www.computerworld.com/s/article/9215913/Experts_agree_Wind_turbine_hacker_is_a_fake
By Robert McMillan IDG News Service April 18, 2011
An anonymous hacker who claimed to have broken into monitoring systems at a New Mexico wind turbine facility made the whole thing up, security [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, April 10, 2011: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, April 10, 2011
15 Incidents Added.
======================================================================== [...]
 
InfoSec News: Leaked US cables finger Chinese army hackers for cyber-spying: http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/
By John Leyden The Register 18th April 2011
Leaked US diplomatic cables have provided some of the first hard evidence that the US is engaged in a heated cyberespionage battle with [...]
 

Infosec 2011: Security software among the most insecure applications, study ...
ComputerWeekly.com
Two-thirds of software industry applications fail to meet acceptable security quality upon initial submission, a study of 4800 applications has revealed. This improves to a rate of 58% unacceptable when applications from all industries are taken into ...

and more »
 
InfoSec News: Recon 2011 - Accepted Talks , Training, Call For Papers Reminder - July 8 to 10, 2011 - Montreal, Quebec: Forwarded from: hfortier (at) recon.cx
 
InfoSec News: Southwest Ambulance reports data breach: http://www.azcentral.com/business/articles/2011/04/18/20110418southwest-ambulance-reports-data-breach.html
by Ken Alltucker April 18, 2011 The Arizona Republic
A former Southwest Ambulance employee took 581 patient records that included the names, financial and medical information from those [...]
 
InfoSec News: European Space Agency hacked, sensitive data released publicly: http://thenextweb.com/eu/2011/04/18/european-space-agency-hacked-sensitive-data-released-publicly/
By Matt Brian The Next Web April 18, 2011
It is reported that yesterday the European Space Agency (ESA) website was compromised by a hacker, opening up sensitive project logs and [...]
 
InfoSec News: Police nab 2 suspects in Hyundai Capital hacking scandal: http://english.donga.com/srv/service.php3?bicode=040000&biid=2011041995298
The Dong-A Ilbo April 19, 2011
Police have caught two men suspected of being hired to hack personal information from Hyundai Capital Services, Korea’s major lending company and a financial unit of Hyundai Motor Group. [...]
 

Posted by InfoSec News on Apr 18

http://english.donga.com/srv/service.php3?bicode=040000&biid=2011041995298

The Dong-A Ilbo
April 19, 2011

Police have caught two men suspected of being hired to hack personal
information from Hyundai Capital Services, Korea’s major lending company
and a financial unit of Hyundai Motor Group.

Three other suspects are known to have fled overseas, including a
37-year-old Korean hacker living in the Philippines.

The Seoul Metropolitan...
 

Posted by InfoSec News on Apr 18

http://www.computerworld.com/s/article/9215913/Experts_agree_Wind_turbine_hacker_is_a_fake

By Robert McMillan
IDG News Service
April 18, 2011

An anonymous hacker who claimed to have broken into monitoring systems
at a New Mexico wind turbine facility made the whole thing up, security
experts said Monday.

The hacker, who called himself Bigr R, said he broke into NextEra Energy
Resources' Fort Sumner wind facility in revenge for an...
 

Posted by InfoSec News on Apr 18

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, April 10, 2011

15 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Apr 18

http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/

By John Leyden
The Register
18th April 2011

Leaked US diplomatic cables have provided some of the first hard
evidence that the US is engaged in a heated cyberespionage battle with
China, a conflict diplomats reckon is showing few signs of cooling off.

Diplomatic cables, obtained by WikiLeaks and released to the media by a
third party last week, trace a series of...
 

Posted by InfoSec News on Apr 18

Forwarded from: hfortier (at) recon.cx
 

Posted by InfoSec News on Apr 18

http://www.azcentral.com/business/articles/2011/04/18/20110418southwest-ambulance-reports-data-breach.html

by Ken Alltucker
April 18, 2011
The Arizona Republic

A former Southwest Ambulance employee took 581 patient records that
included the names, financial and medical information from those
customers.

Southwest Ambulance recovered the records and notified affected
customers about the breach of their private medical records.

The...
 

Posted by InfoSec News on Apr 18

http://thenextweb.com/eu/2011/04/18/european-space-agency-hacked-sensitive-data-released-publicly/

By Matt Brian
The Next Web
April 18, 2011

It is reported that yesterday the European Space Agency (ESA) website
was compromised by a hacker, opening up sensitive project logs and
exposing hundreds of email addresses and passwords associated with some
of Europe’s top science institutes.

The hacker, known by the alias TinKode, posted a full...
 

Wave to Host InfoSec Europe 2011 Workshop Featuring PricewaterhouseCoopers
Einnews Portugal
Wave Systems Corp. (NASDAQ: WAVX) (www.wave.com) will attend InfoSecurity Europe 2011 this week, hosting a workshop that features customer PricewaterhouseCoopers (PwC). The two-hour event will give conference-goers an opportunity to hear firsthand how ...

and more »
 