InfoSec News

A long-running lawsuit against Australia's second-largest ISP has ended in a defeat for the entertainment industry, which sought to hold the ISP liable for copyright infringement on its network.
Resale of Verizon Wireless's 700 MHz licenses could sway regulators to sign off on carrier's proposed partnership with cable companies, but plenty of groups are crying foul.
Oracle Database Server OCIPasswordChange API CVE-2012-0510 Security Bypass Vulnerability
Oracle Database Server OCIPasswordChange API Security Bypass Vulnerability
In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit last week ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it.
Oracle Enterprise Manager CVE-2012-0512 SQL Injection Vulnerability
Oracle Enterprise Manager CVE-2012-0525 SQL Injection Vulnerability
Oracle Database Server CVE-2012-0528 Remote Session Fixation Vulnerability
Luminary Dan Geer says IT infrastructure risk can be reduced by boosting Internet resiliency and by planning backup processes should the Net go down.

In a session at the SOURCE Boston conference, a PCI assessor and a CISO explain that there are ways to arrive at a report on compliance they can both appreciate.

Microsoft revenue grew across most of its businesses in the third quarter, with the exception of its entertainment division, but profit fell slightly, the company said on Thursday.
When you think about your company's websites -- whether internal or customer-facing -- you most likely picture the sites rendered on a computer screen, the environment Web development teams typically target. But there are more than 4 billion mobile phones in use worldwide, more than the total number of TVs and PCs combined, and that doesn't even include tablets. The reality today is your websites are being visited by people using hundreds of kinds of devices, the vast majority of which are mobile.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple is offering Mac users a free upgrade to OS X 10.6, better known as Snow Leopard, in an attempt to prep them for the June switch from MobileMe to the newer iCloud online sync and backup service.
Reports circulated Thursday that Facebook's initial public offering could arrive on May 17.
OpenSSL Encoded ASN.1 Data Integer Truncation Memory Corruption Vulnerability

Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability that exposes applications that use certain features of OpenSSL to a heap overflow.

Since OpenSSL is used extensively, there is much speculation and discussion about who is vulnerable. Here are some highlights and links of the reading I've done today.

UPGRADE to the latest version as soon as you can.[1]
The SSL/TLS code of OpenSSL is *not* affected.[1]

Which means OpenSSH is NOT vulnerable.
Read a good detailed explanation of the vulnerability by Tavis Ormandy.[2]

Tavis is credited with discovering the vulnerability.
If Apache is using PEM for certificates and not parsing untrusted data, then your risks are lower.[1]

[1] http://www.openssl.org/news/secadv_20120419.txt

[2] http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html

Feel free to post a comment to discuss anything not spoken for in this diary.



ISC Handler on Duty
The explosive success of the social networking service Pinterest wouldn't have been possible without the easy scalability of the Amazon cloud services, an executive for Pinterest said.
EMC today reported another quarter of double-digit revenue in Q1, with revenues hitting $5.1 billion. VMware was, once again, a leader in product sales with 25% year-over-year revenue growth.
The cool new Internet ideas of yesteryear often create the headaches of today, and some startups at the Demo conference are starting to try to solve those problems.
New York state's attorney general has filed a lawsuit against Sprint Nextel, alleging that the mobile provider has deliberately under-collected US$100 million worth of state and local sales taxes on mobile phone service.
Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
[ MDVSA-2012:060 ] openssl
Vulnerabilities in Samsung TV (remote controller protocol)
[CVE-2012-2273] Comodo Internet Security <5.10 BSOD (Win7 x64)
Oracle GlassFish Enterprise Server 'REST interface' Cross Site Request Forgery Vulnerability
Re: Squid URL Filtering Bypass
VUPEN Security Research - Adobe Flash Player NetStream Remote Code Execution Vulnerability (APSB12-07 / CVE-2012-0773)
Ruxcon 2012 Call For Papers
[SECURITY] [DSA 2453-2] gajim regression
A Microsoft developer evangelist has corrected his earlier comments that all Windows Phone 7 phones, including Nokia's new Lumia 900, will be upgraded to the next major version of the operating system, Windows Phone 8, dubbed Apollo.
Omissions from the feature set of Windows RT are leaving analysts increasingly skeptical that enterprises will gravitate toward tablets running the new forked version of Windows.
Verizon Communications posted revenue and net income gains for the first quarter of 2012, with mobile and broadband customer additions driving the numbers.
Use your contract to keep from being surprised when it's time to renew. (Insider; registration required)
Wireshark 'call_dissector()' NULL Pointer Dereference Denial Of Service Vulnerability
Wireshark 'ERF' data Denial Of Service Vulnerability
Wireshark MP2T Dissector Denial of Service Vulnerability
The history of a -probably- 13 years old Oracle bug: TNS Poison
ESA-2012-018: EMC Data Protection Advisor Multiple Vulnerabilities
Re: Squid URL Filtering Bypass
Re: Squid URL Filtering Bypass
1gynRat258 asked the Hard Drives, NAS Drives, Storage forum if one should scan a flash drive or an external hard drive for malware--such as a virus or Trojan.
The Technology Academy Finland has shortlisted Linus Torvalds for its 2012 Millennium Technology Prize, worth over $1.3 million.
It's easy to see why Evernote has legions of fans. It's like a digital brain for all your ideas, a way to capture and organize the volumes of information that might otherwise slip through your fingers.
Drupal Autosave Module Cross Site Request Forgery Vulnerability

Many IT managers in the U.K. are in a quandary right now as they decide how, and how far, to comply with the impending European “cookie law.” IT managers in the U.S. will soon face the same dilemma.

Beginning May 26, the U.K. Information Commissioner’s Office (ICO) will enforce the privacy and electronic communications regulations (PECR), requiring website operators to explicitly ask permission from visitors before placing a cookie in a visitor’s browser. As you can imagine, many organizations are unhappy about this. They believe asking permission for cookies will cause their customers to flee to other websites, and they worry about abandoning some established programs (such as Google Analytics), which require the use of cookies to function properly. As a result, many IT managers feel stuck between compliance (with the possible loss of customers and information) and non-compliance (with possible penalties from the ICO).

The dilemma doesn’t stop with the U.K. Other countries in the European Union will likely implement the PECR soon, so organizations operating anywhere in Europe will need to develop a cookie compliance strategy. It’s not an easy task, though, when a lot of the details remain unclear. For example, it is not yet known how the ICO will find out about errant websites, or whether the ICO will respond to non-compliance with fines or just warnings, at least at first.

U.S. organizations are equally baffled by the cookie law. Must a U.S.-based organization comply if it serves customers in the U.K. or anywhere in the European Union? Does it matter where the website is hosted? To answer these questions, we’ve recently published two articles offering advice for U.S. organizations contemplating the cookie law. But even our two expert contributors do not agree on the best course of action. One expert advises U.S. organizations to begin taking proactive steps toward compliance, while the other suggests U.S. organizations hold off for now.

As the enforcement date draws near, SearchSecurity.co.UK will continue to bring you updated news and advice from a variety of expert perspectives so you can decide on the best strategy for your organization.

UniOPC IP*Works! SSL Remote Code Execution Vulnerability
A bootable Mac OS X thumb drive comes in handy when you need to troubleshoot OS issues for yourself, your family, or your friends. It's also extremely useful for keeping your basic setup consistent across multiple computers, if you find yourself switching hardware regularly; and I've had fun in the past setting up a bootable USB keychain loaded with all the apps and files I need to turn any Mac-compatible computer into a viable media center quickly and easily.
The European Parliament approved a controversial data transfer agreement with the U.S. that has legislators sharply divided.
I recently reviewed the Mac OS X version of Byword, and developer Metaclassy has since released an iOS counterpart. With the same basic concept (providing a simple, minimal text and Markdown editor), the iOS version of Byword offers some unique features.
Spotify, the premium streaming music service, will soon release a redesigned Android app, but if you can't wait for it to hit Google Play, Spotify is offering a preview version you can install right now. The new Spotify for Android preview features full support for Android 4.0 Ice Cream Sandwich, high-resolution images, new slide-out navigation, and improved social features. Spotify's mobile apps are available to users with a $10 monthly premium subscription.
Amazon Web Services on Thursday announced a new online marketplace that allows customers to buy software and services from a variety of vendors at hourly rates through its cloud infrastructure platform.
Workday is rolling out version 16 of its cloud-based ERP (enterprise resource planning) software to customers this week, an update that includes upgrades to the financials component that could help it steal away deals with large enterprises from the likes of Oracle and SAP.
Malware writers have created fake Instagram websites to distribute Android Trojan horses, according to security researchers from antivirus firms Sophos and Trend Micro.
Not all Android apps are created equal, and most are far from perfect.
Google has warned 20,000 websites that they might have been hacked and injected with JavaScript redirect malware.
Nokia reported a sales drop and a loss during the first quarter, as it struggles to sell cheap phones as well as Symbian-based smartphones, and Windows Phone sales remain small.

Multiple security threats create InfoSec opportunities
MicroScope (blog)
The growth in the number of security threats should provide the channel with plenty to talk about at next week's InfoSecurity show. Since the last event, advanced persistent threats, often backed by foreign governments, have continued to rise ...

There is a shortage of Qualcomm Snapdragon S4 processors for tablets and smartphones due to a lack of manufacturing capacity available to make those chips, Qualcomm said on Thursday.
Samsung Electronics alleged in a counterclaim to an Apple patent infringement lawsuit in a federal court in California that the maker of the iPhone and iPad has infringed eight of its patents.
Google is introducing tools that measure the percentage of an online advertisement that is viewed and for what duration, to help advertisers measure the effectiveness of their campaigns beyond impressions and clicks.
A Russian national has been charged in the U.S. with allegedly hacking into brokerage accounts and executing fraudulent trades, which several brokerage houses claim caused $1 million in losses.
MIT and several other schools -- along with start-up Udacity -- have joined the open-education movement, which makes it easier for college students to access tech-related courses online. And it could revolutionize higher education.
With Google reportedly looking to launch its GDrive service soon, would-be customers of cloud storage providers should consider several important questions about any service and their needs.
Gajim CVE-2012-2093 Insecure Temporary File Creation Vulnerability
Microsoft Windows 'AFD.sys' Driver Local Privilege Escalation Vulnerability