InfoSec News

Posted by InfoSec News on Oct 19

http://www.computerworld.com/s/article/9191921/Hacker_hits_Kaspersky_website

By Robert McMillan
IDG News Service
October 19, 2010

Scammers who try to trick victims into downloading fake antivirus
software can strike almost anywhere. On Sunday they hit the website of
Kaspersky Lab, a well-known antivirus vendor.

Someone took advantage of a bug in a Web program used by the
Kasperskyusa.com website and reprogrammed it to try and trick visitors...
 

Posted by InfoSec News on Oct 19

http://bobarno.com/thiefhunters/2010/08/hotel-room-security-check/

By Bambi Vincent
Aug 18 2010

Bob and I sleep more nights in hotels than in our own home and, to date,
we have never been ripped off in a hotel room. True, we use a certain
amount of care, but our laptops are usually left out and sometimes
valuables are more hidden than locked. We stay in hotels ranked from six
stars to no stars, depending on our sponsors and our intentions....
 

Posted by InfoSec News on Oct 19

http://english.chosun.com/site/data/html_dir/2010/10/20/2010102000897.html

Oct. 20, 2010

Evidence points to North Korean hackers attempting to gather information
about water supply and drainage systems, pathways of toxic materials,
and traffic control near the venue of the G20 Summit in Seoul, according
to the Cyber Terror Response Center of the National Police Agency.

"We detected suspicious moves surrounding the G20 Summit recently...
 

Posted by InfoSec News on Oct 19

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=227900305

By Tim Wilson
DarkReading
Oct 19, 2010

Incidence of theft of information and electronic data at global
companies has overtaken physical theft for the first time, according to
a study released yesterday.

According to the latest edition of the Kroll Annual Global Fraud Report,
the amount lost by businesses to fraud rose from $1.4 million to $1.7
million per $1...
 

Posted by InfoSec News on Oct 19

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227900157

By J. Nicholas Hoover
InformationWeek
October 18, 2010

When the federal government flips the switch to replace the government's
arduous paper-based cybersecurity compliance process with a web-based
one next month, agencies will be ready for the move, federal officials
said Friday, despite a survey released this month that showed misgivings
about...
 

Posted by InfoSec News on Oct 19

http://www.controlenguk.com/article.aspx?ArticleID=37383

Control Engineering UK
19 October 2010

There are reports that a new, more powerful, Stuxnet virus could be
unleashed very soon as code is posted on the internet for anyone to
copy. Manufacturing, infrastructure and engineering industries are,
therefore, being urged to take even tighter preventative measures to
protect themselves and not to delay doing this.

David Robinson, UK and...
 

Posted by InfoSec News on Oct 19

http://www.defense.gov/news/newsarticle.aspx?id=6131

By Cheryl Pellerin
American Forces Press Service
Oct. 18, 2010

With the creation of the U.S. Cyber Command in May and last week’s
cybersecurity agreement between the departments of Defense and Homeland
Security, DOD is ready to add cyberspace to sea, land, air and space as
the latest domain of warfare, Deputy Defense Secretary William J. Lynn
III said.

“Information technology...
 
When Steve Jobs talks, people listen. Of course, that's no guarantee they'll like what he says, especially when it's their business he's ragging on. The Apple CEO took advantage of his rare appearance on the company's quarterly financial results conference call to blast a number of competitors, including BlackBerry-maker Research In Motion and Google.
 
Will Office 365 help Microsoft translate its desktop productivity dominance into the cloud against Google Apps and other rivals?
 
Mozilla on Tuesday patched 12 vulnerabilities in Firefox, including a second patch for a "binary planting" problem in Windows that researchers publicized last year.
 
SAP customers will soon have more options and tools for deploying the company's software on private clouds, according to an announcement made Tuesday at the Tech Ed conference in Las Vegas.
 
Sprint Nextel Tuesday unveiled a Dell notebook and laptop computers that support WiMax 4G wireless networks.
 
Sprint Nextel executives acknowledged Tuesday that spotty coverage amid its initial WiMax deployments did lead to the loss of some customers.
 
Yahoo's revenue grew slightly in the third quarter, even though the online advertising market has rebounded this year, as the Internet pioneer's ability to turn its fortunes around remains in question.
 
Intel today announced plans to spend up to $8 billion to build a new chip manufacturing plant and upgrade four more as it prepares to produce next-generation processors.
 
CIO Australia editor, Georgina Swan, talks to the SAS co-founder and CEO about how CIOs can use analytics in business.
 
Microsoft made its long-awaited move to package the hosted version of Office with the hosted versions of Lync, SharePoint and Exchange with the unveiling on Tuesday of Office 365.
 
Metasploit Pro brings enhanced remote access and collaboration capabilities to the popular exploit framework.
 
Adobe's chief security executive said that there will be a bull's-eye on Reader X when the new version ships next month.
 
Project management remains one of the hottest career options for IT professionals. CIOs report quarter after quarter that project management skills are among the most sought after IT skills for their organizations.
 
Microsoft chief software architect Ray Ozzie's plan to retire, announced yesterday in a memo by CEO Steve Ballmer, marks the end of a five year tenure during which Ozzie helped steer the company to a cloud computing model and helped develop Windows Azure.
 
Nearly a third of the world's population will be online by the end of the year, according to a United Nations report.
 
Canada's privacy commissioner recommended that Google implement new policies to ensure that another "careless error" doesn't lead to a privacy breach like the one caused by the company's Street View vehicles.
 
In 2011, VMware will launch a development environment that aims to ease deployment of applications to the cloud
 
Western Digital today announced it is shipping the world's highest capacity SATA drive, a 2.5 and 3TB model for use as internal drives in desktops and external disk storage systems.
 
Hewlett-Packard on Tuesday announced the next-generation Palm OS, calling webOS 2.0 the "most significant upgrade" since the mobile platform was introduced in 2009.
 
The co-chairmen of the U.S. House Bi-Partisan Privacy Caucus are seeking information on the latest report of Facebook privacy problems from CEO Mark Zuckerberg.
 
Last time, we took the reporting up a level (http://isc.sans.edu/diary.html?storyid=9712); this time we need to take it up a notch. We've been using scripts and email to limit the impact of abuse reporting on your time, and you've seen the results: it's not having much of an effect on the number of attacks hitting your perimeter. This is not unexpected, since the normal abuse-reporting process hasn't cleaned these systems up already. It's time to roll up our sleeves and pick up the phone.
I know it is scary to pick up the phone and talk to human beings -- I don't like it myself. If we were people-people, most of us wouldn't be into computers.
I'd like to split you up into two groups: people who are reporting attacks on your perimeter, and people who are carrying traffic from infected machines (in other words, the ISPs.)
If you're responding to attacks I'd like you to identify the attacker that's closest to you. Most of the IPs hitting my perimeter are China and the US, so in my case, I'd pick a US source. Look for IPs that have businesses or organizations identified in the contact information instead of large ISPs (we you're trying to build community here. Be helpful, because they really need it.
For the ISPs, I understand the common-carrier issue, but that shouldn't keep you from informing your customer that they have a pretty significant security issue. I'm not asking that you roll out a full-blown user-notification process. With the volumes that I'm seeing this is definitely a one-off process. You're probably sitting in a pretty good position to not only contact the affected user, but also know their IT staff contacts already. Give them a friendly call and help them out. You might even get more business out of it.
Keep up the effort. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Tablet computers are bound to be big sellers, and the two largest U.S. wireless carriers are getting ready to embrace that trend with retail sales of the already popular iPad and the yet-to-be released Galaxy Tab later this fall.
 
Apple CEO Steve Jobs took shots at Google and rebutted claims by some analysts and developers that Android is a better bet for smartphones and tablet computers.
 
 
Botnets are a pivotal part of the global cybercrime problem and must be fought with collective defense actions, according to Microsoft's latest Security Intelligence Report.
 
My company hired a new employee recently and as part of my responsibilities, I ran a basic background check for our new hire. If you've never seen a professional background check, you will most likely be shocked by the level of detail that can be gleaned from public records.
 
In order to help sourcing professionals define their role in the social adoption process, Forrester has identified five problem areas that marketing and other business professionals commonly overlook. We've then considered how sourcing can play an enabling role in addressing these problems.
 
Nokia Siemens Networks and Qualcomm have tested a new standardized feature that will improve smartphone performance while decreasing network congestion, the two companies said Tuesday.
 
Today we have a few diaries on VPN and Remote Access Tools. We invite your comments on any or all of these diaries.

=============== Rob VandenBrink Metafore =============== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
It seems lately to me that in IT we no longer seem to have downtime, even in traditional 9-to-5 companies. Laptops, smartphones, iPads and every other gadget out there are all internet connected, and more and more people seem to be online every waking moment. And if they're online, chances are they're VPN'd in to keep tabs on things at work while they're surfing social sites, playing flash games or whatever. This is especially true now that VPN access is so easy; in fact it's now included in a number of smart phones and tablets.

Which brings us to the poor folks in IT. Since everyone is online 24-7, and we're seeing business sales offices or business partners from 12 timezones over with VPN connections in, this brings up a whole raft of problems:

When exactly can we do system maintenance? I'm tired of waking up at oh-dark-early, only to find 6 users logged in that you need to track down before you can start an upgrade. You can't seem to pick any time as a maintenance window without causing someone a problem.

Who gets access to what? All too often people have skipped over the data classification and server zoning steps. Without those done, just exactly what is that business partner allowed to have when they're VPN'd in?

The prevalence of cheap laptops, tablets, phones and electronic doo-dads, all with internet access and VPN access (especially now that we have SSL VPNs) seriously starts to blur the line as to what the corporate desktop is. Worse yet, it blurs the line over who has bought and paid for that corporate desktop. No matter what our policies say, we have way too many personally owned devices out there that have VPN access to corporate resources, but don't have corporate security tools, logging or, well, anything else. But you can bet they've got malware on them from the kids in the family! (or the grown-up kids). And just exactly how do you enforce a VPN policy and deny access to someone who wants to work after hours for free? It's a real challenge to make that point to a senior manager.

We'd really like to hear about any challenges you have faced on the topic of VPN access, and how you have solved them. Even if in your view you lost the battle on one issue or another, please share; someone else may have a different approach that might help you out. As always our comment form stands ready to field any and all comments, questions and answers!

=============== Rob VandenBrink Metafore (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 


With all the changes in remote access via VPN, other Remote Access technologies tend to get lost a little bit. Things like reverse SSL proxy access to terminal servers for instance. We still see lots of these out there, and they have a lot of technical advantages. For instance, depending on the architecture, often the station that is providing the screen and keyboard to the end user never has access to the internal network at all - this gets around a lot of the issues people have about non-corporate computers accessing corporate networks.



We're also seeing more and more functions that used to be delivered by remote access VPN, but are now offered up on the public internet for all and sundry as web applications, protected only by a userid and password. The fact that these apps are quite often not tested for secure coding as they are built is often completely overlooked. What is also overlooked is that the userids to these sites can usually be harvested from the company website or linkedin, and the passwords can often be harvested from the company website or from any of the standard (language specific) wordlists. Mind you, after taking SEC542, I'm starting to think that passwords are over-rated - in many cases on these applications you can simply bypass authentication completely !
=============== Rob VandenBrink Metafore =============== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
There's been a shift in VPN architectures over the last few years: we're seeing new solutions being built that use SSL encryption rather than the traditional IPSEC for a VPN protocol.

The traditional VPN architecture involves a VPN concentrator (often located on the firewall, but in some cases it's a dedicated box), which uses IPSEC protocols to authenticate, authorize and then encrypt all traffic between the end user and the corporate systems. What this normally means in practice is that ISAKMP/IKE (udp/500 and/or udp/4500) is used for authentication and authorization, and ESP (IP protocol 50) is used to encrypt the traffic. In most cases, NAT Traversal (NAT-T for short) is implemented, so that ESP is encapsulated within udp/4500 to better deal with home firewalls (or hotel firewalls, coffee shop firewalls etc.) that cannot pass a port-less protocol like ESP through NAT. IPSEC VPN tunnels generally need VPN client software installed, and often a file-based VPN profile to connect up.



SSL seems to be where everyone wants to go. The initial session establishment, authentication and authorization is done via the browser, and the VPN session itself is then done by downloading a VPN client in the browser (often Java based), and running that. This has a few major attractions: all the firewall issues go away, since almost every firewall known is configured to pass SSL (tcp/443). SSL is also well understood and is regarded as a secure protocol; in fact it is often configured to use more or less the same ciphers as the IPSEC VPN solutions (AES256 these days).



Finally, most SSL VPN solutions don't require a client to be installed in advance. Any home PC, kiosk or whatever can connect up to the VPN, do some business, then disconnect.
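The port and protocol facts above (IKE on udp/500, NAT-T on udp/4500, ESP as IP protocol 50, SSL VPN on tcp/443) are what you would key on when sorting perimeter logs into IPSEC versus SSL remote-access sessions. The script below is an added example, not code from the diary or from any VPN vendor. The log lines and the field layout (proto, src[:port] -> dst[:port]) are constructed for the example, and the gateway address is an assumption. Besides classifying each client, it flags the failure mode the NAT-T paragraph describes: a client that completes IKE but whose ESP never arrives because a home or hotel firewall dropped it.

```python
"""Classify remote-access VPN traffic at a perimeter by protocol and port.

Added example; the log lines and field layout are constructed, and the
gateway address is an assumption (RFC 5737 documentation range).
"""
import re
from collections import defaultdict

VPN_GATEWAY = "203.0.113.10"  # assumed VPN concentrator address

# Constructed sample: proto src[:sport] -> dst[:dport]
LOG = """\
udp 198.51.100.7:60001 -> 203.0.113.10:500
udp 198.51.100.7:60001 -> 203.0.113.10:4500
udp 192.0.2.44:50023 -> 203.0.113.10:500
esp 192.0.2.44 -> 203.0.113.10
tcp 192.0.2.99:51234 -> 203.0.113.10:443
udp 192.0.2.123:33000 -> 203.0.113.10:500
tcp 192.0.2.150:40000 -> 203.0.113.10:80
"""

LINE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def classify(proto, dport):
    """Map one flow to a VPN component, or None if it is not VPN traffic."""
    if proto == "udp" and dport == 500:
        return "ike"        # ISAKMP/IKE negotiation
    if proto == "udp" and dport == 4500:
        return "nat-t"      # IKE and UDP-encapsulated ESP behind NAT
    if proto == "esp":
        return "esp"        # native ESP, IP protocol 50, no ports
    if proto == "tcp" and dport == 443:
        return "ssl-vpn"    # browser-based / SSL VPN session
    return None


def summarize(log, gateway=VPN_GATEWAY):
    """Return {client_ip: {"type": "ipsec"|"ssl", "components": set, "note": str}}."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m or m["dst"] != gateway:
            continue
        dport = int(m["dport"]) if m["dport"] else None
        kind = classify(m["proto"], dport)
        if kind:
            seen[m["src"]].add(kind)

    result = {}
    for src, comps in seen.items():
        vtype = "ssl" if "ssl-vpn" in comps else "ipsec"
        note = ""
        # IKE negotiated but no data channel at all: classic symptom of a
        # NAT device dropping raw ESP while NAT-T is not in use.
        if vtype == "ipsec" and "ike" in comps and not comps & {"esp", "nat-t"}:
            note = "ike-only: no ESP or NAT-T seen, check NAT traversal"
        result[src] = {"type": vtype, "components": comps, "note": note}
    return result


if __name__ == "__main__":
    for ip, info in summarize(LOG).items():
        print(ip, info["type"], sorted(info["components"]), info["note"])
```

Running it against the constructed log reports two healthy IPSEC clients (one using NAT-T, one native ESP), one SSL VPN client, one IKE-only client worth a look, and ignores the tcp/80 flow.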

I bet you can see where I'm going on this, and it's all about policy. Many corporations have a "you can only connect with our hardware" policy. Using home PCs, kiosks or whatever allows whatever malware is on those units to access your inside network (or whatever your VPN authorization allows them to access, that is.)
Persistence is strike 2 against SSL VPNs. Most SSL VPNs have a zero footprint option, that is supposed to delete all traces of the client after the session. But periodically, every vendor has trouble with this. We see problems where cached credentials or cached hashes allowing access are not properly deleted on exit; they're left waiting on disk for a determined researcher (or their malware) to find.


A third strike is the fact that SSL, and SSL weaknesses, are well understood. There are loads of SSL Man in the Middle tools out there. Coupled with improper implementation, this can be a big problem. Don't forget that certificates serve two functions: encryption and trust. If you use a self-signed certificate, you've just defeated the trust side of things. If users see an "I don't trust this certificate" error every time they connect because the VPN Gateway was configured with a self-signed cert, they'll see that exact same error if they've been compromised by a MITM attack. Not only that, but you've trained your user base to press OK on certificate errors, so now they're all at risk every time they see such an error on a banking or online retail site.
Is it three strikes and you're out for SSL VPNs? Don't believe that for a second. Every vendor is pushing us in this direction, and all the new client improvements seem to be coming for the SSL versions only; IPSEC seems doomed to be the legacy protocol for remote access VPNs.



Do you use IPSEC or SSL VPNs in your environment? Are you transitioning to SSL, or are you staying with IPSEC for the short term (or long term)? Please, share your experience using our comment form.


=============== Rob VandenBrink Metafore =============== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In remote access VPN solutions, one of the long standing discussions is around split tunnelling. When a remote access VPN solution is built, there are two methods of routing traffic. A dedicated tunnel is, in English, when you are VPN'd in, all of your traffic goes through the VPN. A split tunnel, also in normal speak, is when you VPN in, your corporate traffic goes through the VPN tunnel, and your internet traffic goes the way it would go without any VPN at all.




Both approaches have pros and cons, with IT pros lining up on either side.
If you split tunnel, then your internet traffic does not go to head office and then back out again. This should result in a faster internet session, especially if you are a few timezones over from the VPN gateway. The problem with this is that this direct internet access bypasses all the corporate controls on internet security. Users are able to browse to any site, with no corporate firewall or IPS between them and the internet. In the worst case, your remote user might be directly attached to the internet with no firewall at all.
If you have a dedicated tunnel, you very likely have a proxy server on the inside network as well. This is because many firewalls will not take inbound VPN traffic and turn it around to send it back to the internet. In many cases, having a dedicated tunnel may mean that your users are forced to use a proxy for their browser. This means that they do not have internet access for their browser at all until they establish a VPN tunnel. This may seem great to a security expert, but if your user is at a hotel, trying to use the hotel's web portal to get internet access in preparation for getting internet access, that poor user is in a catch-22. They won't get internet access for the browser until the VPN tunnel is established, but they need a general purpose browser session in order to authenticate to the hotel's system before they have enough internet access to start a VPN session. To get around this, you'll inevitably have to give some users "at home" and "at work" desktop icons, which point to scripts that turn the proxy settings on and off. Microsoft Group Policy has some nifty features in this area, where if you are at work (i.e. on a corporate subnet), you can have one set of workstation firewall rules and proxy settings, and if you are away (on any other network), you can have a different set of firewall and proxy settings.
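To make the trade-off concrete, here is a small model of the client-side decisions the two paragraphs above describe: a longest-prefix-match route table for split versus dedicated (full) tunnelling, and a proxy setting that is either static or location-aware in the way the Group Policy note suggests. It is an added example, not code from the diary or from any VPN product. The corporate prefixes, the "at work" subnet, the interface names and the addresses in the calls are assumptions chosen for illustration. It shows the split-tunnel bypass (internet traffic leaves uninspected), the full-tunnel path (everything rides the tunnel), and the hotel catch-22 (a statically forced proxy makes the captive portal unreachable until the tunnel is up, while a location-aware profile does not).

```python
"""Egress and proxy decisions for a remote-access client under split vs full tunnelling.

Added example; prefixes, subnets and interface names are assumptions.
"""
import ipaddress

net = ipaddress.ip_network
CORP_PREFIXES = [net("10.0.0.0/8"), net("172.16.0.0/12")]  # assumed internal ranges
CORP_LAN = net("10.20.0.0/16")                              # assumed "at work" subnet
DEFAULT = net("0.0.0.0/0")


def route_table(policy, vpn_up):
    """Client routes as (prefix, interface). Corporate prefixes always ride the tunnel."""
    if not vpn_up:
        return [(DEFAULT, "eth0")]
    corp = [(p, "tun0") for p in CORP_PREFIXES]
    if policy == "split":
        return corp + [(DEFAULT, "eth0")]   # internet goes direct, uninspected
    if policy == "full":
        return corp + [(DEFAULT, "tun0")]   # everything goes to head office
    raise ValueError(f"unknown policy {policy!r}")


def egress(dst, policy, vpn_up):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in route_table(policy, vpn_up) if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def proxy_enforced(policy, local_ip, vpn_up, location_aware):
    """Is the browser pinned to the internal proxy in this situation?"""
    if ipaddress.ip_address(local_ip) in CORP_LAN:
        return True                        # at work: always via the proxy
    if policy != "full":
        return False                       # split tunnel: browser goes direct
    # Full tunnel: a static setting pins the proxy unconditionally (the hotel
    # catch-22); a location-aware setting pins it only once the tunnel is up.
    return vpn_up if location_aware else True


def reach(dst, policy, local_ip, vpn_up, location_aware=True):
    """Return (interface, inspected); interface is None when the flow cannot be made."""
    on_corp_lan = ipaddress.ip_address(local_ip) in CORP_LAN
    if proxy_enforced(policy, local_ip, vpn_up, location_aware) and not (vpn_up or on_corp_lan):
        return None, False                 # proxy lives inside; no path to it yet
    iface = egress(dst, policy, vpn_up)
    inspected = iface == "tun0" or on_corp_lan
    return iface, inspected


if __name__ == "__main__":
    # Remote user at a hotel (192.168.100.0/24, assumed) browsing the internet
    print("split, internet :", reach("198.51.100.80", "split", "192.168.100.23", True))
    print("full,  internet :", reach("198.51.100.80", "full", "192.168.100.23", True))
    # Hotel captive portal before the tunnel exists, static vs location-aware proxy
    print("portal, static  :", reach("192.168.100.1", "full", "192.168.100.23", False, False))
    print("portal, aware   :", reach("192.168.100.1", "full", "192.168.100.23", False, True))
```

The `inspected` flag is the security-relevant output: under a split tunnel it is false for every non-corporate destination, which is exactly the "no corporate firewall or IPS between them and the internet" case.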


As in all things, the final approach that is taken is a trade-off between security requirements and usability for the users (aka the business requirement). What I've laid out above is by no means the whole story; I've seen other problems and solutions, and I'm sure you have as well. We'd be very interested in the approaches you've taken, challenges you've seen, and what your final solution ended up being. Please use our comment form to share.
=============== Rob VandenBrink Metafore (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Two-thirds of workers surveyed said they would take a 10% lower salary at their next job in return for being able to telecommute and use their personal wireless gear to do their jobs.
 
ZTE, one of China's largest network and phone suppliers, is making a bigger push in the tablet PC market by releasing five to six new devices next year.
 
Advanced Micro Devices plans to announce its second-generation of DirectX 11 graphics cards this week, and also to show off its latest hybrid Fusion chip as the company tries to jump ahead of rivals Intel and Nvidia.
 
Continuing to ride a wave of enterprise server virtualization, VMware on Monday reported a 46% increase in revenue for the third quarter, or $714 million, up from $456 million in the same quarter a year earlier.
 
Facebook contended that reports that the private data of users had been revealed to third party firms have been 'exaggerated.'
 
In this excerpt from the book Glitch: The Hidden impact of Faulty Software, you'll find ways to maximize IT governance resources -- and the top 10 ways to squander them.
 
These oddly useful alternative browsers offer such advantages as 3-D searching, social networking, easy scriptability, and powerful page manipulation
 
The Suffolk Superior Court in Massachusetts will soon decide if software vendor Netezza Inc should be allowed to continue selling a product used by the CIA in its Predator Drone program that another vendor claims is based on misappropriated technology.
 
There are a number of IT trends users will see in coming years, but one that's expected to rise to the top will be the need to migrate off Windows XP and Office 2003 as the end of support nears.
 
The latest tests of consumer antivirus software released on Tuesday show the products are declining in performance as the number of malicious software programs increases, a trend that does not bode well for consumers.
 
InfoSec News: Gov promises 'transformative' cyber security programme: http://www.theregister.co.uk/2010/10/18/national_security_strategy_information_free/
By Lewis Page The Register 18th October 2010
The Coalition government sought today to suggest that the savings package for the national-security sector is all part of a joined-up plan [...]
 
InfoSec News: DOD, DHS working on one-two punch for cybersecurity: http://fcw.com/articles/2010/10/18/dod-dhs-cooperate-on-cyber-defense.aspx
By Henry Kenyon FCW.com Oct 18, 2010
The Defense and Homeland Security departments have launched an initiative to share analysts and coordinate their cyber operations. In a [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, October 10, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, October 10, 2010
19 Incidents Added.
======================================================================== [...]
 
InfoSec News: 'Unprecedented wave' of Java exploits hits users, says Microsoft: http://www.computerworld.com/s/article/9191640/_Unprecedented_wave_of_Java_exploits_hits_users_says_Microsoft
By Gregg Keizer Computerworld October 18, 2010
Microsoft said Monday that an "unprecedented wave" of attacks are exploiting vulnerabilities in Oracle's Java software. [...]
 