InfoSec News

Adobe Systems announced Flash Player 11 and Adobe Air 3 software Wednesday to help developers build more sophisticated applications with dozens of new features across smartphones and tablets as well as desktop computers.
Chris Mohan

--- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
An out of cycle Flash Player update is expected on September 21, 2011. Abode reports exploitation in the wild in targeted attacks.
See more:


Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
iScripts MultiCart 'refund_request.php' SQL Injection Vulnerability
LaCie today announced its first external hard drive that's compatible with the new, high-speed Thunderbolt interconnect that's being used on Apple's next generation computers.
HP has started laying off workers associated with last year's billion-dollar acquisition of Palm, as it closes down the mobile device business.
Red Hat Xen Hypervisor Implementation Local Guest Denial Of Service Vulnerability
Linux Kernel Generic Receive Offload (GRO) CVE-2011-2723 Denial of Service Vulnerability
Businesses aren't rushing to create paperless offices; in fact, some are relying on paper documents more than ever, according to a new study by CompTIA.
For the eighth year running, Apple again beat rival computer makers that sell Windows PCs in an annual customer satisfaction survey, a researcher said today.
Verizon Wireless will begin selling the new HTC Rhyme smartphone for $199.99 starting Sept. 29.
Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to ...
A Chinese government official today denied any involvement in the attack that compromised scores of servers belonging to Mitsubishi Heavy Industries, Japan's largest defense contractor.
Verizon Wireless named 21 more cities that will get its faster LTE service starting Oct. 20.
Despite the increasing use of smartphones at work, more than one-third of companies still don't provide any support for personal phones or still outright prohibit their use at the office.
Trapped between budget constraints and security fears, government agencies are increasingly opting for private clouds.

Add to digg Add to StumbleUpon Add to Add to Google
Advisory: Dolphin Browser HD Cross-Application Scripting
Advisory: Opera Mobile Cache Poisoning XAS

Startup Co3 Systems leapt out of stealth mode last week with a software-as-a-service offering that helps organizations automate their response after a data breach. The company, launched by security veterans John Bruce (Symantec, Counterpane, Authentica) and Ted Julian (Arbor Networks, @stake), says its SaaS offering eliminates manual processes and significantly reduces incident response time post-data breach.

“No one is focused on post-incident scenarios,” chief marketing officer Julian said in explaining the company’s positioning.

The tool helps organizations map incident response internally and simplifies communication with the media, customers, regulators and others required by law to be notified in the event of a breach. It can also run through possible attack scenarios and simulations and estimate losses and notification costs bad on pre-loaded templates of different regulatory mandates.

Julian said the service can provide an organization with a response play in fewer than 20 minutes. In addition to helping organizations conduct dry runs of an incident response plan, the tool helps define the scope of a breach and identify data that could be impacted. Security and incident response teams can also get an at-a-glance and up-to-date look at regulatory requirements, deadlines and penalties in the event of a breach, as well as a visual workflow of incident response tasks and the ability to track responsibilities for different members of an IR team.

Co3 is offering a three-month trial of its service, priced at $450 a month. Customers then have different price levels based on the number of annual incidents expected.

Add to digg Add to StumbleUpon Add to Add to Google
A top NSA cybersecurity official says the growing cybersecurity threat landscape requires that good guys think like attackers.

Add to digg Add to StumbleUpon Add to Add to Google
One expert says before implementing secure software development benchmarks, take stock of the security of existing applications.

Add to digg Add to StumbleUpon Add to Add to Google
Companies without a mobile device security policy risk not only losing data, but also running afoul of the law.

Add to digg Add to StumbleUpon Add to Add to Google
"Don't screw up. When you do good, no one pays attention, but if you screw up, the weight of the world will be dropped on your shoulders."
Frustrated by "the whale" on Twitter that pops up on your screen when you're trying to access the site but it can't respond because it's overwhelmed by traffic? Relief may soon be in sight.
OpenTTD Multiple Buffer Overflow Vulnerabilities and Denial of Service Vulnerability

Chris Hoff, Leads UNITED Security Summit Award Winners
Newsday (subscription)
The UNITED Security Summit Awards winners for 2011 are as follows: The Innovation Award: recognizing the organization, individual or project that has demonstrated exemplary innovation in addressing infosec challenges. This winner of this year's ...
Chris Hoff, Leads UNITED Security Summit Award WinnersEON: Enhanced Online News (press release)

all 6 news articles »
Several of the souped-up Samsung tablets Microsoft handed out to 5,000 developers at last week's BUILD Windows conference are for sale on eBay at prices as high as $3,500.
Windows Server 8 looks promising enough that Cisco it is queuing up two new products designed to extend its network controls to Hyper-V virtual environments when Microsoft releases Windows Server 8 sometime next year.
In November 2009 the European Parliament approved a directive on Internet privacy that, among other things, required user opt-in before websites could install cookies on the user's computer.
I've got a lot of music in my collection, and some of it in box sets of varying sizes. From a 37-disc set of Schubert's lieder, to an 80-disc set of all of Glenn Gould's recordings, to a 98-disc set of Shakespeare's plays, to a 172-disc set of Bach's complete works. With all these box sets, my shelves are full. Recently, another one arrived: a 73-CD set of the Grateful Dead's Europe '72 tour; all 22 concerts recorded during the tour.
I've often wished I could draw. My drawing abilities stopped evolving in kindergarten, so my drawings of people remain the stick figure variety. That's why I like the fact that I can capture portraits with my digital camera--no drawing skills are required. And for those occasions when I want something that looks like a drawing, I can easily take a full-color portrait and turn it into something that looks like a pencil sketch with just a few clicks.
Recent attacks could reverberate and undercut the public's faith that the Internet is a trustworthy medium for doing business.
Developer Martin Odersky discusses origin and plans for Scala, a statically typed language that can be used to build Android apps
Everyone has their own I-just-bought-a-new-PC ritual. Some folks start by loading their pristine PC down with all their utilities and apps. Others immediately jump into the new games their old machine couldn't handle. A few others install Linux.
Healthcare organizations should make better use of the 'significant risk of harm' exemption in the federal law.
Gerd Tentler Simple Forum 'sfText' Parameter Cross Site Scripting Vulnerability
NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF - SOS-11-011
MetaServer RT Multiple Remote Denial of Service Vulnerabilities
Startup CrowdFlower is taking the crowdsourcing concept to large businesses with a systematic cloud-supported service designed to be cheaper than hiring people to do massive e-commerce evaluations, fact-checks and related work.
Enterprises can gain significant long-term benefits by applying predictive analytics to their operational and historical data, analysts and IT managers said at Computerworld's BI & Analytics Perspectives conference.
In the latest installment of this seemingly never-ending saga, a Dutch court in Haarlem (NL) declared DigiNotar bankrupt.
Read more: [Dutch]

The CA business is all about selling trust. After all a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked. On the contrary: it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust explicitly or implicitly though the choice of some of our vendors.

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Gerry GuestBook 'gbText' Parameter Cross Site Scripting Vulnerability
NETGEAR Wireless Cable Modem Gateway Cross Site Request Forgery and Security Bypass Vulnerabilities
As regulatory requirements push healthcare organizations to roll out new technology, CIOs, CTOs and other managers see more value in some certifications than others. But they're also looking for "hybrid IT employees" who can translate technology into business value.
From over-the-air power to neural computer control, each of these technologies has the ability to fundamentally alter the digital landscape.
In an experiment that began in January, servers, networking gear and storage systems have been running in a simple shed without failure. Takeaway: IT equipment may be a lot tougher than you think.

Posted by InfoSec News on Sep 19

By Lucian Constantin
The Inquirer
Sept 19, 2011

MITSUBISHI HEAVY INDUSTRIES has admitted that unknown hackers have
managed to infect tens of its computers with information stealing
malware in possible cyber espionage attempts.

The Daily Yomiuri newspaper reports that eight different strains of
malware were found on around 80 computers located at...

Posted by InfoSec News on Sep 19

By Dan Goodin in San Francisco
The Register
19th September 2011

Researchers have discovered a serious weakness in virtually all websites
protected by the secure sockets layer protocol that allows attackers to
silently decrypt data that's passing between a webserver and an end-user

The vulnerability resides in versions 1.0 and earlier of TLS, or
transport layer...

Posted by InfoSec News on Sep 19

Travel News
September 19, 2011

Producers of local New Zealand comedy Wanna-Ben have reportedly
confirmed they are speaking with police in relation to a security breach
at the airport.

On Saturday a man entered the airport dressed in a white shirt with
epaulets on his shoulders and a dark cap with a silver...

Posted by InfoSec News on Sep 19

By Lauren Gibbons Paul
September 18, 2011

For a security industry leader, Tim Williams is a pretty modest guy. As
the former head of ASIS International and now as global security
director for the $42.5 billion construction equipment manufacturer
Caterpillar, Williams has won his share of recognition, which he doesn't
take lightly.

But Williams...

Posted by InfoSec News on Sep 19

By Tom Avril
Inquirer Staff Writer
Sept. 19, 2011

When a team of University of Pennsylvania computer scientists set out to
test the security of the encrypted two-way radios widely used by federal
agents, they were in for an unnerving surprise:

For a small but significant part of the time, the radio traffic was not
even encrypted.

All they had to do was turn on a store-bought...
Internet Storm Center Infocon Status