InfoSec News

Well Fargo urged its customers on Thursday to visit bank branches or use telephone banking due to continuing problems with its website.
Facing user protests, Instagram has reverted the advertising section of its new privacy policy and terms of service to the original version in effect since the company launched its service.
Research In Motion will let its customers pick and choose individual BlackBerry services such as security and mobile device management after it introduces the long-awaited BlackBerry 10 platform next month.
The IT security skills required by some firms have become a lot more specific. The demand for security generalists is waning.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Research In Motion reported falling unit sales and revenue in its third fiscal quarter as it geared up for the introduction of its BlackBerry 10 OS next month.
Windows 7 may be the better choice as a PC operating system on new systems than the just-released Windows 8, Consumer Reports magazine said this week.
An Internet safety education campaign will point out scams and other online dangers with an initial target audience of children and seniors.
Oracle surprised many tech industry observers by announcing Thursday it would pay US$871 million for marketing automation software vendor Eloqua. The move seemed a bit unlikely given the amount of sales and marketing software Oracle already had.
Violence in video games and other aspects of pop culture in the U.S. will be among the areas examined as part of an investigation aimed at reducing gun violence in the country.
VMware has issued a patch for its VMware View product that fixes a security vulnerability that could allow an unauthorized user to access system files.

Earlier in the week weve mentioned that people should be on the lookout for fake charities trying to exploit the Sandy Hook tragedy. About 150 or so domains have been registered that are suspect and about a dozen I can safely say are fraudulent. Some basic steps we already know about how to deal with this:

Only deal with charities that are already known to you (i.e. the Red Cross) or that you have a personal relationship (your church or church-related organization, local civic group, etc).

Don affirmatively go to website to donate directly.

Always be sure to check for real contact information, if you dont see anything, dont donate.

That said, lets say you find a website and you want to verify whether it is suspect or not. There are several things you can do. Advance warning, this is US-centric mostly because I dont know charity laws in other countries, if someone would like to clue me in how to do similar in other countries, feel free to contact me directly.

Check the domain registration using WHOIS. One online WHOIS tool is here. If it is a private registration, it is suspect and move along.

Check with the IRS whether the organization is, in fact, tax exempt. Their lookup tool is here. If the website doesnt have an organization name, its suspect. If they are talking to you, try to get their tax ID (or FEIN) number. Ask for a copy of their IRS Form 990 (which they are required to disclose). Many states also require charities to register themselves and you can search those filings online as well.

Check with Guidestarwhich is sort of a Consumer Reports / Better Business Bureau for charities.

A couple of quick case studies. First, lets use an example where you have information about the charity in question. I havent found anything this detailed for Sandy Hook, but here is one that came up a little while ago during an unrelated matter.

I got this email forwarded to me recently which you can read at tinyurl.com -slash- vets4change. The organization purports to help veterans, and one of their newsletters quite helpfully it lists the address, Tax ID number and California business number. Plugging in either Veterans for Change or the Tax ID number at the IRS Websiteshows nothing. Plugging in the CA corporation ID number (3340400)at the website of the State of California Attorney Generalresults in some interesting records. Apparently, they tried to get registration information from the person running the charity and they simply ignored the State and were fined.

In this case, you have someone who is purporting some things which are obviously not true, so wed label this one suspect and move on. Perhaps filing a complaint or two with the appropriate authorities.

Now lets try one of the various domains registered after Sandy Hook. One such domain is hopefornewtown-dot-com. There is no identifying information on the website except a gmail email address. WHOIS shows the domain has a private registration and the PayPal donate button lists the name as Hope for Newtown. The time it takes to get tax exemption from the IRS is many months so there is no way its registered, but just in case, the IRS doesnt show such a registration either. File this one under suspect and move on.

If you see any such organizations, you can report to your local state attorney general (which in general is the one who regulates charities, though this may vary), IC3.gov, and you can feel free to send suspicious emails and websites to us using the contact form.


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Security and compliance pros taking TechTarget's 2012 IT Salary Survey aren't complacent, indicating openness to new jobs, eagerness for a promotion.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Drupal Core Access Bypass and Arbitrary PHP Code Execution Vulnerabilities
Steven Sinofsky, the former Microsoft executive ousted as the head of its Windows group five weeks ago, yesterday said he would teach at the Harvard Business School this spring.
The holidays are nearly here and 2012 is on the way out. It's time to reflect on some of the most popular security stories and tips of the year as we prepare for 2013.
The U.S. Federal Communications Commission is advising smartphone users on how to protect their mobile devices and data from mobile security threats.
Another of the patents Apple relied on in a $1 billion infringement lawsuit against Samsung Electronics has been called into question by the U.S. Patent and Trademark office (USPTO). The move, if not successfully opposed by Apple, may help Samsung in its appeal against the judgment.
Your resume is your most powerful tool when trying to market yourself to IT employers. Are you doing everything you can to effectively communicate your message to them?
AMD appears to have found a "minor security vulnerability" in the auto-update notification feature of Catalyst Control Center

Re: Re: Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability
Re: Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability
For a short and very enjoyable history lesson, watch this Youtube video.
European regulatory authority is to charge Samsung over abuse of patents
Oracle has agreed to acquire Eloqua for about US$871 million in a bid to build out a set of marketing automation software.
Mozilla Firefox CVE-2012-4206 Arbitrary Code Execution Vulnerability
Samsung said Wednesday it is working on an update for a software flaw that could allow attackers to siphon personal data from a phone.
Oracle's second-quarter earnings announcement beat expectations in some respects, but also raised a number of interesting and in some cases, unanswered questions. Here's a look.
In the wake of his Belize neighbor's unsolved murder, John McAfee's lurch through the news damaged the reputation of his namesake, the security company McAfee Inc., a brand expert said Thursday.
Adobe plans in February to close a dangerous hole in its Shockwave application that causes the application to be downgraded when a user launches older multimedia content, allowing hackers to target years-old vulnerabilities.
Smart gun technology, which can discern between authorized and unauthorized users, has been around for more than a dozen years. Though it has lacked political support in the past, interest may again be building.
Google has launched a free iPad app to allow its paying business customers to edit Microsoft Office documents.
If you are making a list of tech predictions for next year, as this story does, it may be a good idea to put the solar maximum on this list. The next one is expected in 2013, says NASA.

Posted by InfoSec News on Dec 20


By Mat Honan
Threat Level

It feels a little bit like hacker Groundhog Day. After hijacking a
Westboro Baptist Church leader’s Twitter account on Monday, Wired has
confirmed that the 15-year-old hacker known as Cosmo the God took over
another account belonging to one of the of the same church members on

Posted by InfoSec News on Dec 20


By David Shamah
The Times of Israel
December 20, 2012

An Israeli company is responsible for nearly three quarters of the
wireless software updates for cell phones around the world. Red Bend,
which has developed a secure firmware over-the-air (FOTA) system, allows
users to get automatic operating system and firmware updates on their
cellphones. It’s used by...

Posted by InfoSec News on Dec 20


By Dan Goodin
The Register
Dec 19 2012

US Justice Department officials plan to bring criminal charges against
hackers, governments, and companies involved in nation-sponsored
computer intrusions on US companies, according to a published report.

"I'll give you a prediction," John Carlin, the principal deputy

Posted by InfoSec News on Dec 20

Forwarded from: <noreply (at) crypto.cs.sunysb.edu>

Stony Brook University (Multiple Tenure-Track Positions)

Stony Brook Computer Science invites exceptionally qualified applicants
for multiple tenure-track faculty positions for Fall 2013. Candidates
in the following areas are particularly encouraged to apply:
Cyber-security, Distributed Networking and Systems, Interactive Systems
(e.g., HCI, Virtual Reality), Smart Environments...

Posted by InfoSec News on Dec 20


By Antone Gonsalves
December 19, 2012

Oracle's latest update of the Java Development Kit fails to go far
enough in fixing the security-troubled platform, bringing only marginal
improvements instead, experts say.

Among the improvements in Java SE Development Kit 7, Update 10 (JDK
7u10) is the ability to use the control panel to prevent Java...
Zend Framework 'Zend_Feed' Component Information Disclosure Vulnerabilities
Internet Storm Center Infocon Status