InfoSec News

Google plans to sell the TV set-top box business of its Motorola Mobility subsidiary to Arris Group, a broadband device vendor, for $2.35 billion.

Today, the White House published its new national strategy for information sharing and safeguarding. See http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf for the full PDF (15 pages).

The document touches a key point that has in the past often stymied cooperation and information sharing between the government and the private sector. In my experience, the government organizations were always very open to receive and soak up information shared with them by private enterprise, but were far less forthcoming with returning the favor. Very rarely did I ever receive intel from government contacts that wasn't either mostly public knowledge, or that I hadn't received already anyway from peers in the industry.

Almost ironically, it is a security problem and security trade-off decision in itself to determine how much realtime security intel can be shared, and with whom, to maximize the benefit without incurring undue additional risk by the intel leaking to the attackers' side. We are - as security professionals - supposed to be good at this kind of judgment call, but our ingrained paranoia often gets in our way. The result is that we tend to be over-cautious with sharing intel, which in turn hurts our peers and ourselves, and helps the bad guys.

As such, I was positively surprised to read in the new national strategy that collecting intel seems to slowly but steadily be supplanted by collecting intel and making timely use of it, which is definitely an improvement for everyone. But the Top Five priorities on the summary page (page 14) seem to me to rather reflect the approach of old again, where guidelines were developed and frameworks were established, but nothing really changed in the real world outside of the Beltway. Which was a bit of a letdown after reading the front portion of the document... but in general, I still find it quite refreshing that the trade-off between sharing and safeguarding is officially recognized, and that there is also a hint of self-reflection in the document that suggests to me that not all is lost :)

If you have any comments on the content of the White House paper, or on security intel information sharing in general, please let us know via our contact form, or use the comments field below.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Cerberus FTP Server Web Admin Multiple HTML-Injection Vulnerabilities
Dell SonicWALL SonicOS Cross-Site Request Forgery Vulnerability
Loadbalancer Enterprise R16 Multiple HTML Injection Vulnerabilities
A survey conducted by database security vendor GreenSQL found a high level of distrust in cloud services, despite the perception that transparency is increasing.

MIT researchers are using nanotechnology to help doctors detect cancer in their patients sooner, increasing their odds of beating the disease.
EMC Avamar: World writable cache files
Multiple XSS vulnerabilities in Cerberus FTP Server <= [CVE-2012-6339]
[ MDVSA-2012:181 ] python-django
It has been a big year for some tech luminaries, with several of them getting a nod from editors picking Time Magazine's Person of the Year.
Java 6 will be retired from security support in less than two months, and users and businesses should prepare now for its demise, experts said today.
Computers and mobile devices store, process and transfer highly valuable information. As a result, your organization most likely invests a great deal in protecting them. Protect the end point and you protect the information. Humans also store, process and transfer information -- people are in many ways nothing more than another operating system, the Human OS.
US-CERT has warned that a security hole exists in Adobe's Shockwave Player. The player uses a custom Flash runtime that is based on an obsolete, insecure version of Flash and represents a security threat.

Dell said the addition of Credant bolsters its data protection strategy by adding encryption capabilities for laptops and mobile devices.

Multiple vulnerabilities in Banana Dance
Firefly MediaServer Multiple Remote DoS Vulnerabilities
Multiple SQL Injection Vulnerabilities in Elite Bulletin Board
Researchers at MIT and other institutions have demonstrated a new type of magnetism, only the third kind ever found, and it may find its way into future communications, computing and data storage technologies.
Websites, mobile apps and online advertising networks targeting children will be required to follow new privacy regulations, including getting a parent's permission before collecting geolocation information and photographs from kids, under new rules announced Wednesday by the U.S. Federal Trade Commission.
Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability
Enterpriser16 LoadBalancer v7.1 - Multiple Web Vulnerabilities
SonicWall SonicOS WAF - POST Inject Vulnerability
Apache CXF Child Policies Security Bypass Vulnerability
Oracle Mojarra 'FacesContext' Information Disclosure Vulnerability
In a move to expand its portfolio of information governance software, IBM is acquiring e-discovery software vendor StoredIQ.
A nearby Sun-like star is host to a planet that may be capable of supporting life, according to an international group of astronomers.
Cloud-based security services provider Zscaler has released an implementation for Internet Explorer of the HTTPS Everywhere browser security extension.
The German police authority warns that criminals have replaced payment terminals with manipulated devices in Hamburg retail outlets. Apparently, the attackers swap out the devices for legitimate ones after some time has passed.

Samsung SmartPhones Local Privilege Escalation Vulnerability
LibTIFF 'DOTRANGE' Tags Handling Remote Buffer Overflow Vulnerability

Coming up with meaningful anti-phishing advice is hard, in part because even the most pragmatic tips cannot be practical in all situations. Scams where the attacker's data-collection form resides at Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the trusted google.com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform.

Using Google Docs for hosting phishing forms isn't new. F-Secure published several examples, GFI shared additional screenshots, and Sophos outlined some examples in May 2012.

To understand why such scams arent going away any time soon, consider the example that came to our attention this month. The malicious email arrived with the subject Message From I.T Service Helpdesk and alerted the user, Your mailbox is almost full.

Recipients who clicked the CLICK HERE link were directed to the following IT HELPDESK SERVICE page, which prompted for logon credentials that the attacker wanted to capture.

Although the landing page had a very basic look to it, it resided at the domain that most people trust: google.com. The attacker was likely using a compromised Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form in the manner shown above.

The use of the Google domain is what lends credence to the phishing scams that make use of Google Docs. The targeted individuals can no longer rely on the advice we often give: Examine the URL bar to confirm that you are at a trustworthy site. This problem is especially severe for individuals whose organizations use Google Apps for email, calendaring and file management needs. In such cases, administrative communications are expected to come through or reside at the google.com domain.

What anti-phishing advice could we offer to potential Google Docs phishing scam victims? There's the more general suggestion of being vigilant and looking out for anomalies, be they an unusual signature line in the email message or an unexpected look-and-feel of the web page. A more specific recommendation might be: Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer.

Is that practical advice? Not for all situations. This is what makes anti-phishing advice so challenging to provide.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.
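Because the URL bar cannot distinguish a legitimate Google Apps notice from a hosted phishing form, the practical place to catch the lure described above is the mail gateway, where the message text and its links can be examined together. The following is an added example, not code from the diary or from ISC: a heuristic that flags a message only when a credential-lure phrase (such as "Your mailbox is almost full") co-occurs with a link to a user-creatable form on a trusted Google host. The host list, the path fragments used to recognise form URLs, the lure phrases and both sample messages are assumptions constructed for the example; tune them to what your own gateway sees.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts on which anyone with an account can publish a data-entry form, so a
# link there says nothing about who built the form. Assumed list; the path
# fragments reflect how Google Docs/Drive form URLs have looked and may need
# updating for your environment.
FORM_HOSTS = {"docs.google.com", "drive.google.com", "spreadsheets.google.com"}
FORM_PATH_HINTS = ("viewform", "/forms/", "formkey=")

# Phrases typical of the "helpdesk / mailbox full" credential lure (assumed).
LURE_TERMS = ("mailbox", "almost full", "helpdesk", "help desk",
              "password", "verify your account")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def message_text(raw):
    """Return the Subject header plus the decoded body of every text/* part."""
    msg = message_from_string(raw)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def hosted_form_links(text):
    """URLs in text that point at a user-creatable form on a trusted host."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        target = parsed.path + "?" + parsed.query
        if parsed.hostname in FORM_HOSTS and any(h in target for h in FORM_PATH_HINTS):
            hits.append(url)
    return hits


def score_message(raw):
    """Flag a message when a lure phrase and a hosted-form link co-occur.

    Either signal on its own is normal traffic for a Google Apps shop (people
    share spreadsheets, helpdesks send mail); together they match the pattern
    the diary describes.
    """
    text = message_text(raw)
    lowered = text.lower()
    lures = [t for t in LURE_TERMS if t in lowered]
    forms = hosted_form_links(text)
    return {"flagged": bool(lures and forms), "lure_terms": lures, "form_links": forms}


# Constructed sample modelled on the diary's description; the form key is made up.
SAMPLE_PHISH = """\
From: helpdesk@example.com
Subject: Message From I.T Service Helpdesk
Content-Type: text/plain; charset=us-ascii

Your mailbox is almost full. CLICK HERE to upgrade:
https://docs.google.com/spreadsheet/viewform?formkey=dEXAMPLEkey
"""

# Constructed benign sample: a shared spreadsheet, not a form, must not trip the rule.
SAMPLE_BENIGN = """\
From: colleague@example.com
Subject: Q4 budget sheet
Content-Type: text/plain; charset=us-ascii

Numbers are in https://docs.google.com/spreadsheet/ccc?key=dEXAMPLEkey
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(score_message(raw))
```

Run it and the first message is flagged on three lure terms plus the viewform link, while the shared-spreadsheet message passes. The rule is deliberately narrow: it is meant as a quarantine-for-review signal beside the user advice in the diary, not as a substitute for it, and a determined attacker can of course rephrase the lure.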

Google isn't getting coal in its stocking this year, but Santa's helpers have decided to ditch the popular Google Maps for Microsoft's Bing service.
Global LTE smartphone shipments will triple next year, allowing the technology to take off on a grander scale and driving down device prices.
ownCloud Multiple Cross Site Scripting and Arbitrary File Upload Vulnerabilities
Citrix is many different things to many people. It's a cloud company, it's a virtualization player, it's a mobile technologies vendor and it's a collaboration products provider. But according to Mark Templeton, Citrix CEO since 2001, all of that blends together and fits with where enterprise IT shops are headed. Here, speaking with IDG Enterprise Chief Content Officer John Gallant, Templeton dishes on Citrix's overall strategy, its relationships with Cisco, Microsoft and Apple, its rivalry with VMware, and its controversial take on open source cloud computing.
The holidays are here and 2012 is on its way out, ending a huge year for Big Data. It's time to reflect on the most popular Big Data stories and tips of the year.
For the second day in a row, Microsoft on Tuesday pitched one of its products to customers abandoned by arch-rival Google.
I have to admit I was skeptical about Greenshot, a free, open-source screenshot tool that claims to be as full-featured as similar paid programs. But after using it, I'm a believer: Greenshot may not be perfect, but this free tool has me wondering why I'd ever pay for one like it again.
PhotoSnack is an entirely Web-based slideshow creator, no software downloads required. To get started, you simply sign in with your Facebook, Google, or Twitter account or your email address. Like Smilebox, Photosnack offers a free but limited version; it brands your slideshows with a watermark if you'd like to publish them. If you'd like to publish your slideshow without this mark, you have two choices: You can pay $14 per month for a VIP membership or you can buy points, which you purchase as needed to publish slideshows. Points range in price from $1.90 to $0.86 each, depending on how many you buy. You need six points to remove the watermark and get a code to embed your slideshow elsewhere; buying just six points will cost you $11.40.
PhotoPeach is a Web-based slideshow builder that makes it easy to get started. The service directs you to upload your photos, either from your computer or an online service. But where rival PhotoSnack supports a whole host of online services, PhotoPeach is limited to Facebook and Picasa. That limitation would be acceptable if PhotoPeach's connection with those services worked, but I had trouble accessing any photos from Facebook: PhotoPeach bounced me to that site to log in, but never let me access my photo albums. The connection with Picasa worked flawlessly, though.
An administrative law judge at the U.S. International Trade Commission has ruled that Apple did not violate a Motorola Mobility patent relating to a sensor controlled user interface for a portable communication device.
NEC's new high-end server contains swappable battery packs, intended to provide backup power without the need for an external uninterruptible power supply (UPS) in data centers.
Although there are not many infections, a simple botnet designed to send out SMS spam from Android phones whose owners have responded to spam offering free games could have dire consequences, for phone bills at least.

Yahoo's music service for China will close in January, after once being accused of supporting music piracy.
Trend Micro has updated its mobile security software to detect potential attacks on several Samsung Electronics devices that have a flaw that could allow a malicious application to access all of the phone's memory.
Penguin Group has become the latest book publisher to reach a settlement with the U.S. Department of Justice in a lawsuit that alleges that Apple and five publishers had conspired to raise e-book prices.
Microsoft's cloud wows with great price-performance, Windows toolchain integration, and plenty of open source options
Apple has continued to dominate the Japanese smartphone market in recent months, new data shows, and analysts say it is likely to stay strong through the new year.
Dell has made a deal to acquire data-protection vendor Credant Technologies and plans to add the company's technology to its enterprise IT security offerings.
To understand where the technology is going, it's helpful to understand where it's been. And a bit about how it works, too.
Near Field Communication will become widespread at some point, most observers agree, especially if Apple eventually puts NFC in an iPhone.
If Congress doesn't avert the fiscal impasse, automatic budget cuts could reduce federal IT spending by $66 billion in the fiscal year that began Oct. 1, according to an analysis by the industry group CompTIA.
The latest update to the Opera browser fixed several stability issues and a security hole that allowed attackers to execute code hidden in a specially prepared GIF file.

Linux Kernel CVE-2012-5517 NULL Pointer Dereference Local Denial of Service Vulnerability

Five Ways to Hire an InfoSec Consultant
SYS-CON Media (press release) (blog)
This is not a nice post. This is not a post about posing great interview questions or how to tell if someone can actually do the job. No, this is a post about how to watch out for people you want to hire to help your company. You know the ones – the ...


Posted by InfoSec News on Dec 18


By Dan Goodin
Ars Technica
Dec 18 2012

On the second-to-last Monday of 2010, Brian Byrd was playing video poker
on his Dell Inspiron laptop when someone knocked on the door of his home
in Casper, Wyoming. The visitor, who drove a truck from the local
Aaron's rent-to-own store that furnished the PC five months earlier,
said the...

Posted by InfoSec News on Dec 18


By Luke Gale
Dec 17, 2012

Health IT’s integration into clinical practice will continue growing and
it’s time for healthcare to commit to making a connected health
landscape safer, according to Tim Zoph, keynote speaker at the Privacy
and Security Forum hosted by the Health Information and Management
Systems Society...

Posted by InfoSec News on Dec 18


By Grant Gross
IDG News Service
December 18, 2012

Organizers played "Eye of the Tiger" and "We are the Champions" over the
loudspeakers as participants in the SANS Institute's NetWars Tournament
of Champions sat down at their laptops and prepared for action.

About 200 cybersecurity professionals, and about 30 high school...

Posted by InfoSec News on Dec 18


By Kelly Jackson Higgins
Dark Reading
Dec 18, 2012

It's no Stuxnet or Wiper, but the latest data-destroying malware
targeting specific computers in Iran still wreaks some serious damage.

Iran's CERT on Sunday first issued an alert about the relatively
rudimentary malware,...

Posted by InfoSec News on Dec 18


By Willard Foxton
Tech business
The Telegraph
December 18th, 2012

While our fumbling politicians and toothless regulators aren't having
much success at dealing with out-of-control, too-big-to-fail banks, it
seems that online cyber-jihadis are having some success in damaging

Last week, a group calling itself the "Izz ad-Din al-Qassam Cyber