InfoSec News

The check is in the mail for nearly a million LifeLock customers, after the provider of identity-theft protection services settled accusations of deceptive advertising.
 
Like most iPhone owners, I snap a lot of photos. I also capture a lot of screenshots. Unfortunately, the only way to copy those images to my PC is with a sync cable and all the usual Windows Explorer hoop-jumping.
 
A few months ago, I had an irritating symptom where, after selecting to put my Mac Pro to sleep, it would immediately reawaken. As detailed in a prior Bugs & Fixes article, I had to select the Sleep command a second time before the Mac would finally stay down.
 
The season of party after party is fast approaching. We recommend branding your events like a Madison Avenue mogul with Black Jack (free), a modern brush script by Canadian designer Ronna Penner. Black Jack's style harks back to an era when men were mad and advertising still reveled in hand lettering (among other things).
 
Samsung's RF710 desktop replacement notebook is a capable unit with a strong mix of components, but it ultimately seems to underperform relative to other systems in this class. On the other hand, it's a relatively attractive unit, all muted dark gray and silver, and it's relatively light at 7.5 pounds with power brick.
 
Google SketchUp 3DS File Remote Memory Corruption Vulnerability
 

The Mysterious $133 Million VA Infosec Contract
Nextgov
The Veterans Affairs Department has a world class Technology Acquisition Center in Eatontown, NJ, capable of running all ...

 
This week's news took a political slant, with a panel discussing how the new U.S. political landscape will affect IT legislation and security experts telling Congress that new threats require a more robust approach to security. This intersection of politics and technology wasn't limited to the U.S. Special interests tainted India's 2G spectrum auction, with licenses going to favored companies and resulting in the loss of billions of dollars. Finally, this week's Web 2.0 conference produced some noteworthy news, including Facebook's effort to retool Web messaging.
 
Apple Mac OS X ATSServer CFF 'CharStrings' Index Sign Mismatch Remote Code Execution Vulnerability
 
The Ares Trojan -- for sale via anonymous online money transfer -- is being propagated by its unidentified developer as customizable to each of its buyers.

Talk that China hijacked 15% of the Internet earlier this year is overblown, a researcher said today.
 
A June 2010 hacking incident that compromised a network at the Federal Reserve Bank of Cleveland happened on a test system and not the bank's production servers.
 
Cisco Systems is quietly developing a mobile application that profiles how users work and communicate, with the aim of helping them work better together.
 
An incident in April in which a large chunk of global Internet traffic was rerouted through servers in China was almost certainly not aimed at U.S. government or military networks, according to Renesys, an Internet network monitoring firm.
 
IBM said it has created a new distributed computing architecture that is twice as fast as existing clustered file systems and that provides management and advanced data-replication techniques.
 
Problems with its SAP system are forcing San Diego to delay a city budget audit for six months. It is the latest tale of woe for the troubled ERP project.
 
Apple will roll out a second-generation iPad next April, a year after the original's launch, a Wall Street analyst said today.
 
After an unsuccessful first outing, Microsoft's second-effort Kin phones are available from Verizon, this time with a different operating system, slightly different pricing options and without their most popular feature.
 
 
DATAC RealWin HMI Service Multiple Remote Buffer Overflow Vulnerabilities
 
RETIRED: Apple Mac OS X Apple Type Services 'CFF' Font Remote Code Execution Vulnerability
 
Dell has taken steps to improve support and services, but past episodes of poor customer support are coming back to hurt the company, an analyst said on Friday.
 
Apple's iPhone continues to dominate rival smartphones in customer satisfaction, ChangeWave Research said today.
 
WebKit Element Scrollbars Use-After-Free Remote Code Execution Vulnerability
 
X.Org X Server RENDER Extension 'mod()' Remote Memory Corruption Vulnerability
 
Adobe released the Reader X version today. This is the version of Reader with a built-in sandbox feature: there is now a degree of separation between the OS and potentially malicious PDF files. The same sandbox mechanism has already been implemented in Google Chrome and MS Office. Containing the harmful files lessens the damage should a successful attack happen. Given the number of 0-day attacks on this software, we recommend that readers on the Windows platform upgrade to this version of Reader soon to take advantage of the sandbox technology. While it does not prevent all exploitation, every little bit helps.
Adobe has written a series of blog entries explaining the sandbox mechanism. A good read if you are curious how it helps to protect against attacks. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Customers eyeing Microsoft's Lync 2010 unified communications server need to take a step back and evaluate what's really new and whether they need it right now, down the road or not at all, experts say.
 
Sen. Ron Wyden (D-Ore.) vowed to fight attempts to pass a controversial copyright protection bill that would allow the U.S. government to shut down Web sites suspected of hosting infringing materials.
 
Google released Street View imagery for 20 more German cities on Friday, saying it has improved the process used to blur the properties of those who object to the service.
 
Some Nokia N8 smartphones are turning themselves off or refusing to turn on after charging. Nokia has identified a manufacturing problem and has promised to replace the small number of affected phones, it said in a blog post on Thursday.
 
InfoWorld news quiz: Nov. 19, 2010: iTunes meets The Beatles, Facebook fails to move the needle
 
VUPEN Security Research - Apple Safari Selections Handling Use-after-free Vulnerability (VUPEN-SR-2010-246)
 
VUPEN Security Research - Apple Safari Scrollbar Handling Use-after-free Vulnerability (VUPEN-SR-2010-245)
 
[eVuln.com] Cookie Auth Bypass in Hot Links SQL
 
Symantec PGP Desktop OpenPGP Message Data Insertion Vulnerability
 
[ MDVSA-2010:239 ] php
 
Fostering security awareness is a controversial topic and a difficult challenge, but as Senior Site Editor Eric B. Parizo writes, the methods may not be as important as the passion to succeed.

Fujitsu Interstage Multiple Products IP Evasion Security Bypass Vulnerability
 
The Windows operating system turns 25 this week. Take a trip down memory lane as we showcase the most notable Windows versions released since 1985.
 
Arm Holdings will unveil new plans for processing cores that support 64-bit computing within the next few weeks, and has already shown samples at private viewings, sources close to the company said at an Arm technology conference in Taipei.
 
Three of the largest U.S. wireless carriers and the companies behind Android and BlackBerry smartphones gave Near-Field Communications for mobile payments a boost this week as they expect the technology to be widely adopted.
 
Arabian Youtube Script 'v' Parameter SQL Injection Vulnerability
 
ViArt SHOP Multiple Remote Security Vulnerabilities
 
Three California men have pleaded guilty to charges that they built a network of CAPTCHA-solving computers that flooded online ticket vendors and snatched up the very best seats for Bruce Springsteen concerts, Broadway productions and even TV tapings of Dancing with the Stars.
 
FreeNAS Remote Shell Command Execution Vulnerability
 
Penetration tests and vulnerability assessments are becoming more common across the whole industry as organizations find it necessary to prove a certain level of security for their infrastructure and applications. The need to exchange test result information is also increasing substantially. External parties, ranging from business partners and clients to regulators, may ask for proof that tests have been done and also for the results of the tests (aka a clean bill of health).



The sharing of pentest information can create a huge debate: just how much do you want to share? There are at least a couple of ways to get this done. The seemingly easiest way is to share the whole report, including the summary and the detailed findings. While this seems easy, the party sharing the report may be exposing too much information. Pentest reports can be like a treasure map for attacking an infrastructure and/or application. The detailed report usually includes ways to reproduce the attack, effectively documenting a potential attack path in a step-by-step manner. It is true that vulnerabilities should be fixed as soon as possible after the pentest is done. But consider this scenario: the day after the pentest is done, the regulators show up and ask for the most recent test result. If you are not above the law, you will be handing over the latest report, which is full of unfixed flaws.



Another way to share pentest results is to share only the executive summary portion. This portion of the test report usually gives a good overall view of what was done in the test and what sort of overall security posture the test subject is in. While this protects the party sharing the test result, it may not give the reviewer the right kind of information. Some executive summaries do not contain sufficient information, especially those written by less competent testers. Aside from that, one of the trends I am noticing is that the less experienced the receiver of the test result is, the more he or she wants to see the whole report; they just don't know how to determine the security posture based on the executive summary alone.



There is no current industry standard for this kind of communication; it seems that all the exchange and sharing currently done is on an ad-hoc basis. Some like it one way and others like it another way. I consider the current baseline for this kind of communication to be a well-written executive summary containing actual summary information about the test, the methodologies used, and a high-level view of the vulnerabilities that were found; that is sufficient for giving a decent view into overall security posture. This can obviously escalate into full report sharing if the quality of the executive summary just isn't there.



If you have any opinions or tips on how to communicate this kind of information, let us know. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
InfoSec News: Secunia Weekly Summary - Issue: 2010-46: ========================================================================
The Secunia Weekly Advisory Summary 2010-11-11 - 2010-11-18
This week: 64 advisories [...]
 
InfoSec News: South Korea attacks force DDoS bunker creation: http://www.zdnetasia.com/south-korea-attacks-force-ddos-bunker-creation-62204520.htm
By Darren Pauli ZDNet Australia November 19, 2010
South Korea has installed digital "bunkers" to prevent a repeat of the massive distributed-denial-of-service (DDoS) attacks that crippled parts [...]
 
InfoSec News: [HITB-Announce] HITB2011AMS -- Call For Papers now Open: Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>
The Call for Papers for the second annual HITBSecConf in Europe is now open! Taking place from the 17th - 20th of May at the NH Grand Krasnapolsky in Amsterdam, HITB2011AMS will be a quad-track conference [...]
 
InfoSec News: Unencrypted thumb drive causes breach at VA: http://fcw.com/articles/2010/11/18/data-breach-va-veterans.aspx
By Alice Lipowicz FCW.com Nov 18, 2010
Two recent privacy breaches at the Veterans Affairs Department involved employees who disregarded information security protocols they were trained to follow, said Roger Baker, assistant secretary for information and technology at VA.
One incident involved an employee who plugged a personal unencrypted thumb drive into his computer at work and used it to inappropriately store Social Security numbers and other personal data for 240 veterans. The thumb drive was then lost inside a VA facility, found by a VA security guard, taken home by the guard and finally returned to VA officials, who declared the events a security breach.
In the other incident, a VA employee printed out Social Security numbers and other personal information on 180 veterans and took the papers home, where he typed the information into a Microsoft Word file on his home computer. When he tried to send the file to his work account via e-mail, VA's system flagged the message, resulting in discovery of the breach.
[...]
 
InfoSec News: Auditor flags security flaws in N.S. gov't computers: http://www.ctv.ca/CTVNews/Canada/20101118/ns-auditor-sees-security-flaws-101118/
The Canadian Press Nov. 18, 2010
HALIFAX -- Security weaknesses in computer systems operated by Service Nova Scotia and Municipal Relations place a wide range of personal and [...]
 
InfoSec News: ACNS 2011 CfP: Forwarded from: claudio soriente <csoriente (at) fi.upm.es>
*** Apologies for multiple copies ***
C a l l F o r P a p e r s
9th International Conference on Applied Cryptography and Network Security (ACNS 2011)
June 7-10, 2011 Nerja, Malaga, Spain
http://www.isac.uma. [...]
 
InfoSec News: Malaysian charged with hacking Federal Reserve, others: http://www.computerworld.com/s/article/9197220/Malaysian_charged_with_hacking_Federal_Reserve_others
By Robert McMillan IDG News Service November 18, 2010
A Malaysian man has been charged with hacking into major U.S. corporations, including the U.S. [...]
 

Posted by InfoSec News on Nov 18

Forwarded from: claudio soriente <csoriente (at) fi.upm.es>

*** Apologies for multiple copies ***

C a l l F o r P a p e r s

9th International Conference on Applied Cryptography and Network Security
(ACNS 2011)

June 7-10, 2011
Nerja, Malaga, Spain

http://www.isac.uma.es/acns2011/

Original papers on all aspects of applied cryptography as well as
computer/network security and privacy are solicited. Topics of interest
include, but...
 

Posted by InfoSec News on Nov 18

http://www.computerworld.com/s/article/9197220/Malaysian_charged_with_hacking_Federal_Reserve_others

By Robert McMillan
IDG News Service
November 18, 2010

A Malaysian man has been charged with hacking into major U.S.
corporations, including the U.S. Federal Reserve Bank of Cleveland and
FedComp, a company that processes financial transactions for credit
unions.

Lin Mun Poo, 32, was arrested on Oct. 21, just hours after flying into
New...
 

Posted by InfoSec News on Nov 18

========================================================================

The Secunia Weekly Advisory Summary
2010-11-11 - 2010-11-18

This week: 64 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 

Posted by InfoSec News on Nov 18

http://www.zdnetasia.com/south-korea-attacks-force-ddos-bunker-creation-62204520.htm

By Darren Pauli
ZDNet Australia
November 19, 2010

South Korea has installed digital "bunkers" to prevent a repeat of the
massive distributed-denial-of-service (DDoS) attacks that crippled parts
of the country last year.

The nation was floored after huge streams of junk Internet data poured
across South Korea's networks last year, targeting the...
 

Posted by InfoSec News on Nov 18

http://fcw.com/articles/2010/11/18/data-breach-va-veterans.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2010

Two recent privacy breaches at the Veterans Affairs Department involved
employees who disregarded information security protocols they were
trained to follow, said Roger Baker, assistant secretary for information
and technology at VA.

One incident involved an employee who plugged a personal unencrypted
thumb drive into his computer at work...
 

Posted by InfoSec News on Nov 18

http://www.ctv.ca/CTVNews/Canada/20101118/ns-auditor-sees-security-flaws-101118/

The Canadian Press
Nov. 18, 2010

HALIFAX -- Security weaknesses in computer systems operated by Service
Nova Scotia and Municipal Relations place a wide range of personal and
business information at risk, the auditor general concluded in a report
released Wednesday.

Jacques Lapointe said he found problems in the way passwords are
controlled, computer accounts...
 

Posted by InfoSec News on Nov 18

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

The Call for Papers for the second annual HITBSecConf in Europe is now
open! Taking place from the 17th - 20th of May at the NH Grand
Krasnapolsky in Amsterdam, HITB2011AMS will be a quad-track conference
line up featuring keynote speaker Joe Sullivan (Chief Security Officer
of Facebook) and a special keynote panel discussion on 'The Economics of
Vulnerabilities'!

HITB2011AMS...
 