InfoSec News

Oracle Java SE CVE-2012-5085 Remote Java Runtime Environment Vulnerability
Mobile payments with Google Wallet are growing fast, but the road to wide acceptance of NFC in the U.S. will be slow, the head of Google's payments unit said Friday.
RETIRED: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2012-88/89 Multiple Vulnerabilities
Members of the Communications Workers of America and the International Brotherhood of Electrical Workers have voted to ratify four-year contracts with Verizon Communications after contentious negotiations dating back more than a year.
Joomla! Multiple Cross Site Scripting Vulnerabilities
The Windows division's share of Microsoft's revenue last quarter dropped to a four-year low as Windows 7 sales stalled before the launch of Windows 8, financial data released by Microsoft yesterday showed.
Groups of companies in the same industry could pool infrastructure resources to help each other mitigate the effects of cyberattacks and work together on security issues, a senior official in the U.S. Department of Homeland Security suggested on Friday.
Microsoft's upcoming Windows 8 will mark "the end" of the computer industry's dominant OS due to increasing competition and choice sparked by alternatives, Salesforce.com CEO Marc Benioff predicted Friday.
Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps
CMSQLITE v1.3.2 - Multiple Web Vulnerabiltiies
It's not clear if the Federal Trade Commission is throwing up its hands at the problem or just wants some new ideas about how to combat it, but the agency is offering $50,000 to anyone who can create what it calls an innovative way to block illegal commercial robocalls on landlines and mobile phones.
Create the key you need with a 3D printer in real life or with the help of a dedicated database, Adobe's Reader secures its sandbox, statistics on zero days, and jailbreaker mail fails.

The Rubicon has not been crossed, relations have been cordial. The public will nonetheless now be left guessing as to the nature of serious security vulnerabilities, which are to be kept under wraps for a little longer.

Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-3982 Memory Corruption Vulnerability
Piwigo 'username_or_email' Parameter Cross Site Scripting Vulnerability
Vivekenand Venugopal, VP & GM, Hitachi Data Systems, talks about the firm's storage strategy, its BlueArc acquisition, big data, and in the process, takes a dig at the competition.
Apparently, a US government investigation has not uncovered any evidence to indicate potential spying activities by Chinese hardware supplier Huawei. However, the US security experts have not given the all-clear.

Debian OpenSSL Package Random Number Generator Weakness
Back when I started DShield.org, one of the challenges was dealing with variations in log formats. 10+ years later, this problem hasn't really changed, even though there are some promising solutions (which aren't that different from those of 10+ years ago).
Firewall logs are a pretty simple example. The basic information captured is pretty similar across different firewalls: packet header data. Some log formats are more verbose than others, but the idea is the same and it is not too hard to come up with a standard to express these logs. For DShield, we used a lowest common denominator approach. It wasn't our goal to collect all the details offered by different firewalls. For an enterprise log management system, however, you may need to preserve this detail, and the simple tab delimited format we came up with for DShield wouldn't be extensible enough.
One of the logging standards that is gaining some steam is CEE, or Common Event Expression [1]. To be successful, a logging standard has to address a number of different problems:

Log format: This is the basic syntax used to express logs. This problem is actually the easier one to solve, and the current approach is to use XML to express the logs. XML isn't exactly efficient, but it is extensible and there is a rich set of libraries and database technologies to create and parse XML. I see it as the ugly default solution. A more compact binary format may be preferred, but would have a much higher cost to get started.
Taxonomy: This is the hard problem. The magic strings we assign different events. For firewall logs, this is pretty easy usually. But think about antivirus! You could log the MD5 hash of the sample that was detected as malicious. But this wouldn't be as meaningful as knowing what malware family this sample belongs to. But there is no agreement as to what constitutes a malware family or what to call different families. If you have to correlate logs from different vendors, you will need to translate the name each vendor assigns to a particular piece of malware.
Vendor Acceptance: There are a lot of great proposals in this space that solve the first two problems. But unless you want to implement it yourself, you need a vendor to support a particular solution. In order for a standard to catch on, there has to be customer demand first. Secondly, the solution has to be economical to implement. It helps if the standard is open and not associated with licensing fees. But first of all, the standard needs to be easy to implement.

So how does CEE solve these issues?
Log Format
CEE supports two different formats: XML and JSON. XML is the primary standard allowing for the most flexibility, but JSON, due to its simple structure, is easier to parse and sufficient in many applications. It is also not terribly hard to convert JSON to XML.
Taxonomy
CEE doesn't really solve this problem entirely, but it starts by defining common labels and data types (like src.ipv4 for the IPv4 address of a source). In part, CEE refers to other standards like CVE to come up with a vocabulary to use to identify events.
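To make the format and taxonomy points concrete, here is an added example (not code from the post, DShield or the CEE project) that reduces a constructed iptables log line to the packet-header fields a DShield-style collector keeps, keyed by CEE-style labels, and serialises the event as both JSON and XML. Only src.ipv4 comes from the post; the other dotted labels follow the same convention and are assumptions, and the "@cee:" cookie is the convention rsyslog's mmjsonparse uses for JSON embedded in syslog.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample line in netfilter/iptables syslog format (not a real capture).
SAMPLE_LINE = (
    "Oct 19 10:22:41 fw1 kernel: IN=eth0 OUT= MAC=... SRC=203.0.113.7 "
    "DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# iptables key -> CEE-style label. "src.ipv4" is named in the post; the rest
# are assumed labels following the same dotted naming convention.
FIELD_MAP = {"SRC": "src.ipv4", "DST": "dst.ipv4", "SPT": "src.port",
             "DPT": "dst.port", "PROTO": "proto", "IN": "in_iface"}
PORT_KEYS = ("SPT", "DPT")


def parse_iptables(line):
    """Keep only the header fields a lowest-common-denominator collector needs."""
    m = re.match(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$", line)
    if not m:
        raise ValueError("not an iptables log line")
    timestamp, host, body = m.groups()
    event = {"time": timestamp, "host": host}
    for key, value in re.findall(r"(\w+)=(\S*)", body):
        if key in FIELD_MAP and value:        # skip unmapped keys and empty OUT=
            event[FIELD_MAP[key]] = int(value) if key in PORT_KEYS else value
    return event


def to_cee_json(event):
    """Compact JSON with the '@cee:' cookie for embedding in a syslog message."""
    return "@cee:" + json.dumps(event, sort_keys=True, separators=(",", ":"))


def to_cee_xml(event):
    """The same event as XML: one <Field name="..."> element per label."""
    root = ET.Element("Event")
    for name, value in sorted(event.items()):
        ET.SubElement(root, "Field", name=name).text = str(value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ev = parse_iptables(SAMPLE_LINE)
    print(to_cee_json(ev))
    print(to_cee_xml(ev))
```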
Log Transport
I didn't list this problem above, but it is certainly important to consider how logs are transported. In the Unix world, various versions of syslog have become the de facto standard for log transport. But once you leave Unix based systems, syslog support is no longer a given. CEE addresses various issues like support for compression and protecting log integrity (which plain old syslog doesn't do well at all).
I do think CEE is certainly a standard to watch. Right now, the standard is labeled as beta. The tricky part will be vendor support. The CEE board does include representatives from a number of important vendors, but I don't see a lot (any?) log management vendors on the list. Of course, CEE would help the most if the devices generating logs supported it.
Learn more about log management during my class at CDI in Washington DC (Dec 15/16)

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
OpenSSH CBC Mode Information Disclosure Vulnerability
IBM Remote Supervisor Adapter II CVE-2012-2187 Security Bypass Vulnerability
The Department of Defense wants access to private computer systems in the name of cybersecurity. In addition to being a privacy nightmare, CIO.com columnist Rob Enderle says a centralized information sharing system will actually make the United States more susceptible to cyber attacks and suggests an alternate approach to cybersecurity.
Tata Consultancy Services on Friday reported strong revenue and profit growth in the third quarter, citing a pick-up in discretionary spending by customers.
Google's new $249 Samsung Chromebook finally gets the price right -- so what's the cloud-centric laptop actually like to use?
Ericsson has launched the world's first WebRTC-compatible browser for mobile devices, which will allow developers to integrate voice and video communications in their Web-based applications.
Microsoft has published several arbitrary code execution vulnerabilities in FFmpeg. The holes have been fixed in newer versions of the software and users are advised to upgrade.

Computer Associates ARCserve Backup Remote Code Execution and Denial of Service Vulnerabilities
Salesforce.com said it has significantly expanded the social analytics options available to customers who use its Marketing Cloud, in its latest move in a race with Oracle to offer businesses the best tools for mining the social Web.
Microsoft's free Virtual Machine Converter (MVMC) tool is now available for download. The tool is used to convert virtual machines that today run on VMware products into a format compatible with Microsoft's own virtualization environment, Hyper-V, the company said in a blog post on Thursday.
IBM WebSphere Application Server LPTA Tokens Security Bypass Vulnerability
Oracle Java SE CVE-2012-5081 Remote Java Runtime Environment Vulnerability
Chip company Advanced Micro Devices on Thursday said it would lay off 15% of its workforce as it tries to inch back to profitability at a time when the PC market is slumping.
Following a DDoS attack on the service yesterday, the web site for the GitHub collaboration service was taken down temporarily. On the same day, web portals belonging to UK bank HSBC were also targeted by attackers.

The Cloud Data Management Interface has been approved as a standard by the International Organization for Standardization, clearing the path for adoption among vendors and government agencies alike.
We drop-tested (and videoed) 7 laptop bags -- two backpacks, two messenger bags, two soft briefcases and a hard case -- to find out whether they can keep your equipment from harm.
Sony said its current round of job cuts will include workers in its struggling TV business and at its headquarters in Tokyo, and it will close a mobile phone and lens factory in central Japan.
In too many apps, researchers have managed to crack the software's encrypted network traffic and harvest information such as users' bank and credit card details.

Oracle Java SE CVE-2012-5075 Remote Java Runtime Environment Vulnerability
Intuit recently underwent a change management overhaul with respect to how it responded to service requests from its business stake holders. The result was requests that had taken eight weeks to fulfill dropped to one day.

Posted by InfoSec News on Oct 19


By Markus Jakobsson

Security is not just about strong encryption, good anti-virus software,
or techniques like two-factor authentication. It’s also about the
“fuzzy” things ... involving people. That’s where the security game is
often won or lost. Just ask Mat Honan.

We -- the users -- are supposed to be responsible, and...

Posted by InfoSec News on Oct 19


By Jordan Press
Postmedia News
October 18, 2012

OTTAWA -- A 28-year-old man faces computer crime charges for allegedly
hacking the Quebec government’s website in April while he was on
contract for both the RCMP and the House of Commons.

According to the RCMP, the hack originated from the House of Commons
network when someone...

Posted by InfoSec News on Oct 19


By Alexander Abad-Santos
The Atlantic Wire
Oct 18, 2012

Cue the conspiracy theories: an 18-month, Reuters says it got its hands
on "a White House-ordered review of security risks posed by suppliers to
U.S. telecommunications companies" that cleared Chinese telecom giant
Huawei of allegations of actively...

Posted by InfoSec News on Oct 19


By CBR Staff Writer
19 October 2012

Only 27% have heard about Stuxnet and 13% about Duqu

About 52% of IT specialists believe that enterprise networks will be
increasingly targeted by hack attacks, posing a serious challenge to IT
administrators, according to a survey conducted by B2B International in
July 2012.

One third of those...
The famed iPhone hacker "Comex," who engineered ways to hack Apple's mobile operating system, is no longer doing work for the company, according to Twitter postings.