InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Exclusive: Emails show South Carolina's Security Scramble
"I am not an INFOSEC expert. My expertise is taking a mission, assembling the right team, developing objectives, collecting data on the objectives, and arriving at options and recommendations," said Maley. "I will be assembling a team of subject matter ...

GoodSync is single-minded: It's intended to provide automatic synchronization and backup across folders and remote volumes. That narrow focus has two repercussions. First, the utility offers exhaustive, rich, and deep support for an array of services and options. Second, the learning curve for using the program to its best advantage is challenging. This program isn't for beginners, but other users will love it once they learn to use it--that is, if they learn to use it.
A man who exposed a major privacy weakness that divulged email addresses of iPad users on AT&T's network plans to appeal his conviction on two felony charges.


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
SINAPSI eSolar Light Photovoltaic System Monitor Multiple Security Vulnerabilities
Facebook started encrypting the connections of its North American users by default last week as part of a plan to roll out always-on HTTPS (Hypertext Transfer Protocol Secure) to its entire global user base.
IT organizations continue to struggle with the details when it comes to enabling BYOD for applications beyond email, and a new study finds that while employees are eager to access corporate resources from their mobile devices, they have little tolerance for controls IT wants to impose.
The chairman of the U.S. Senate Judiciary Committee has not reversed course on email privacy and has not proposed to give U.S. agencies access to email and other electronic communications without search warrants, despite a news report to the contrary, an aide to Sen. Patrick Leahy said Tuesday.


InfoSec Institute Review - Named Top 20 IT Training Company for 2012
PR Web (press release)
InfoSec Institute was chosen for the Top 20 IT Training companies the second year in a row in 2012 for demonstrating market leadership and by delivering tremendous customer value year after year. Congratulations to the InfoSec Institute team! Quote end ...

With Intel CEO Paul Otellini looking to retire next May, the company's board of directors is already on the hunt for his successor. The betting is that an insider will get the job.

Aussie infosec pros to talk SIEM
SC Magazine Australia
Australian information security professionals have gathered in Melbourne to attend the SC Magazine SIEM roundtable event. The open-format and vendor-neutral roundtable, sponsored by IBM, will see delegates from respected organisations ask experts ...


InfoSec Institute Review - Named Top 20 IT Training Company for 2012
DigitalJournal.com (press release)
For the second year in a row, InfoSec Institute has been honored with the Top 20 IT Training company of 2012 designation from Training Industry, Inc. Training Industry, Inc. continuously monitors the IT training marketplace looking for the best ...

Hewlett-Packard's bombshell revelation that it would take a $8.8 billion non-cash writedown after allegedly discovering major accounting fraud related to its Autonomy business unit has rocked the tech world.
A majority of the city council in Freiburg, Germany, has voted in favor of ditching the open source suite OpenOffice to return to Microsoft Office after severe problems and complaints from employees.
Apple will again offer discounts this week on 'Black Friday,' the mega shopping day after the Thanksgiving holiday in the U.S.
HTC's new Droid DNA has some standout hardware elements, but the Android smartphone suffers from significant drawbacks that make it difficult to recommend.
China will take the wraps off its latest 8-core Godson processor early next year to show its chip-making ability compared to Intel, Advanced Micro Devices and ARM.

A few people have written in within the past 18 hours about their NTP server/clients getting set to the year 2000. The cause of this behavior is that an NTP server at the US Naval Observatory (pretty much the authoritative time source in the US) was rebooted and somehow reverted to the year 2000. This, then, propagated out for a limited time and downstream time sources also got this value. It's a transient problem and should already be rectified. Not much really to report except an error at the top of the food chain causing problems to the layers below. If you have a problem, just fix the year or resync your NTP server.

Just goes to show how reliant on NTP we are: it is all but a fire-and-forget service once configured, until bad things happen.


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
NASA scientists may have made a big discovery on Mars. But other than offering that tantalizing tidbit to NPR, they're not saying anything more until they have more information.
Deceptive environments, phony data in the enterprise can fool attackers and increase the cost of hacking, says noted cybersecurity expert Paul Kurtz.

Sharing practical threat data can reduce the "dwell time" of an attacker and better detect and contain problems, said Tom Heiser, president of RSA.

In the first U.S. implementation of smartphone ticketing for train passengers, Boston commuters can purchase and display tickets using the mTicket application for iOS and Android smartphones.
Last week Gen. David Petraeus, the director of the Central Intelligence Agency, resigned in response to what has turned out to be a much bigger scandal than it first appeared.
Version 12.11 of the Opera web browser closes two security holes, one of which is rated as high severity by the company as it could have allowed a remote attacker to execute malicious code on a victim's computer

"Trusted Computing" and "Secure Boot" technologies must be under the control of the user and only delegated with their informed consent, says a white paper that outlines the requirements for increased IT security

Wordpress Facebook Survey v1 - SQL Injection Vulnerability
OSSIM 4.0.2 open-source SIEM solution does not verify .deb signatures
FW: =| Security Advisory - TP-LINK TL-WR841N XSS (Cross Site Scripting) |=
Re: [SE-2012-01] Security vulnerabilities in Java SE (details released)
SonicWALL CDP 5040 v6.x - Multiple Web Vulnerabilities
Hewlett-Packard is planning to "aggressively" seek recompense for alleged accounting fraud related to the acquisition of its Autonomy unit, which resulted in the vendor taking a non-cash impairment charge of US$8.8 billion.
Microsoft's decision to put two user interfaces inside Windows 8 was a strategic mistake that fails novice and experienced computer users alike on both tablets and traditional PCs, a usability expert said Monday.
Hewlett-Packard is taking an $8.8 billion charge as a result of what it called serious accounting improprieties that occurred at U.K. software company Autonomy before it acquired the firm in 2011.
Facebook has started securing all data traffic on the social networking site by enabling HTTPS by default for users in North America. The change is expected to roll out to the rest of the world soon

Apple QuickTime CVE-2012-3755 Buffer Overflow Vulnerability
Geoloqi, a scrappy software development startup in Portland, Oregon, claims to be re-inventing the way companies build location-aware applications. Here's the story behind the company and geolocation technology.
Enterprises can now run Windows Server 2012 on the Amazon Web Services cloud, and take advantage of improved management features and new versions of IIS and the .Net framework.
Hewlett Packard released its fourth-quarter financial results ahead of schedule Tuesday morning, including a charge for $8.8 billion related to its acquisition of U.K. software firm Autonomy. HP says the bulk of the charge, for impairment of goodwill and intangible assets, is "linked to serious accounting improprieties, disclosure failures and outright misrepresentations at Autonomy Corporation plc that occurred prior to HP's acquisition of Autonomy."
WeeChat 'hook_process()' Function Remote Shell Command Injection Vulnerability
Pakistani hackers, Anonymous, Hamas – Israel's web sites are in their sights. The internet is now just another theatre in the Middle East conflict, though attacks have been ongoing since before the latest flare-up

The LTE high speed wireless data standard is not just quick, it's also quickly knocked out. According to a report from Virginia Tech, all that's required to do so is to disrupt the control signal, which can be achieved with hardware costing just a few hundred dollars

Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability
Microsoft Internet Explorer CFormElement Use-After-Free Remote Code Execution Vulnerability
Microsoft Windows Briefcase CVE-2012-1527 Integer Underflow Remote Code Execution Vulnerability
The U.S. International Trade Commission has decided to review an earlier decision that Apple did not infringe four patents of Samsung Electronics in its mobile devices including the iPhone and iPad.
U.S. efforts to develop the next-generation high performance computing platform are lagging, which could give China an opening to develop an exascale system first.
After spending some time with Apple's new 13-in MacBook Pro with a Retina display, columnist Michael deAgonia is ready to dump his 15-in. laptop for good.
Japan's Sharp, struggling with deep losses and searching for a financial savior, has cut short an early retirement program after being flooded with volunteers.
Industry observers aren't optimistic, despite chatter about the possibility in OpenJDK circles
Western Digital today released a 4TB version of its highest performance desktop drive, the WD Black, a 3.5-inch, 7200rpm drive with 64MB of cache and SATA 6Gbps interface.
How well can you see into the cloud? For many IT professionals, the view into the cloud isn't very clear, but new techniques and tools make visibility across multiple cloud systems clearer.

Posted by InfoSec News on Nov 20


The New York Times
November 20, 2012

Scientists at Toshiba and Cambridge University have perfected a
technique that offers a less expensive way to ensure the security of the
high-speed fiber optic cables that are the backbone of the modern

The research, which will be published Tuesday in the science...

Posted by InfoSec News on Nov 20


By Robert Lemos
Contributing Writer
Dark Reading Nov 19, 2012

Jayson Street has few problems walking into businesses and getting
access to sensitive company data.

A vice president of information security for a bank by day, Street
moonlights as a penetration tester at Stratagem 1 Solutions, a job at
which he...

Posted by InfoSec News on Nov 20


By Lucian Constantin
IDG News Service
Nov 19, 2012

Hackers have compromised two servers used by the FreeBSD Project to
build third-party software packages. Anyone who has installed such
packages since September 19 should completely reinstall their machines,
the project's security team warned.

Intrusions on two machines within the FreeBSD.org...

Posted by InfoSec News on Nov 20


By David Shamah
The Times of Israel
November 19, 2012

Ever since the beginning of Operation Pillar of Defense, hackers have
been working overtime to strike a blow against the Israeli government’s
computer systems, Finance Minister Yuval Steinitz said Sunday. No fewer
than 44 million attacks have been recorded since the operation began
five days ago...

Posted by InfoSec News on Nov 20


By Tracy Kitten
Bank Info Security
November 19, 2012

Battered by Superstorm Sandy, North Jersey Community Bank maintained
operations and customer communications during the storm. CEO Frank
Sorrentino discusses the key elements of business continuity.

For North Jersey Community Bank, an $882 million community institution
based in Englewood Cliffs, N.J., a strong...
"I think I either hacked the Wii U Miiverse or I am stupid." The Wii U was released in North America on 18 November; shortly after, the Miiverse was hacked into – by accident

A denial-of-service vulnerability has been discovered in ColdFusion 10 on Windows and Adobe has released a hotfix update to remedy the issue
