InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
We had a one linerabout the Firefox 9 update already. But Iwanted to take a couple more lines to highlight some of the flaws fixed in Firefox 9, which I think belong in the we told you so category. By we I am not referring to the ISC, but to the large number of articles talking about HTML 5 security.
One problem that was pointed out by various people is the fact that the addition of the video and audio tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues. Some of the Firefox 9 fixes illustrate this problem:
MFSA 2011-58: Crash scaling video to extreme sizes (effects OGG formated videos)
MFSA 2011-56: nsSVGValue out-of-bounds access
These two vulnerabilities are rated as critical by Mozilla.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Mobile startup LightSquared wants the FCC to declare that it has the right to use spectrum next to the GPS band and that navigation device makers do not.
Acer is reportedly planning to introduce a 15-inch Ultrabook to expand its current line of ultrathin laptops.
Free Mp3 Player '.mp3' File Remote Buffer Overflow Vulnerability
Zope 'cmd' Parameter Remote Command Execution Vulnerability

IG: VA Biased in Awarding Infosec Contract
The Department of Veterans Affairs may have been biased when it awarded last year a high-bid, $133 million IT security services contract to the incumbent provider, the consultancy Booz Allen Hamilton, the VA inspector general said in a just-issued ...

and more »
Spear phishing attacks from attackers in China were likely the key in the U.S. Chamber of Commerce breach, experts say.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
lighttpd 'http_auth.c' Remote Denial of Service Vulnerability
Zope 2.12.20/2.13.6 and Prior Unspecified Security Vulnerability
After years of stagnant or lackluster growth, Extreme Networks tapped Oscar Rodriguez to bring new life to the switch maker in 2010. He scrutinized global operations, streamlined the product line and brought a new focus that he says will really come through this spring with a new wave of switches.
The clock is ticking. Google has extended its revenue agreement with Mozilla for another three years. Last year, 98 percent of Mozilla’s funds were from Google, and without it, development of Firefox would be severely hampered.
Microsoft today announced that next month's Consumer Electronics Show (CES) will its last as an exhibitor.
Verizon says subscribers should expect its LTE services to come back online soon after a nationwide outage knocked them offline Wednesday morning.
Chinese hackers broke into computers at the U.S. Chamber of Commerce and had access to everything on the organization's systems, including information on about 3 million of its members.
Amazon on Wednesday issued a software update for its Kindle Fire tablet that it said addresses some of the most vocal complaints about the device, including a sluggish response to touch and a lack of parental controls.
Moodle Multiple Security Vulnerabilities
t1lib Type 1 Font Parsing Remote Code Execution Vulnerability
CPAN PAR::Packer Module Insecure Temporary Directory Creation Vulnerability
RETIRED: Perl PAR and PAR-Packer Modules Insecure Temporary File Creation Vulnerability
Multiple vulnerabilities in epesi BIM
Multiple vulnerabilities in OBM
The Samsung Galaxy Nexus smartphone is going to get a software update that will adjust the device's signal strength indicator, Verizon Wireless confirmed on Wednesday, less than a week after the new Android 4.0 phone began shipping.
Mozilla Firefox and SeaMonkey 'about:blank' Window Chrome Privilege Escalation Vulnerability
[SECURITY] [DSA 2368-1] lighttpd security update
post-XSS landscape
TWSL2011-018: Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface

Money controversy could make B-Sides into something better
CSO (blog)
B-Sides was the result of a deep hunger infosec pros were feeling for something different. Naturally people would storm the gates trying to get in. But I couldn't help but wonder if it was time to scrap Bsides and start a Csides or something. ...

Mozilla on Tuesday shipped Firefox 9, claiming that the new browser processes JavaScript up to 36% faster than its predecessor.
Facebook plans to change how it retains data and revamp some privacy controls following the release Wednesday of a critical audit from Ireland's data protection authority.
Chinese hackers broke into computers at the U.S. Chamber of Commerce and had access to everything on its systems including information on about 3 million of its members, according to a report in today's Wall Street Journal.
Verizon Wireless customers have taken to the carrier's support forums and social media sites such as Twitter to complain about what appears to be a nationwide 3G/4G wireless data outage.
The next version of Nokia's Symbian OS will be called Nokia Belle, the company said ina blog post on Wednesday.
IBM today said it has signed IT service agreements with five African banks that are upgrading core systems or expanding products.
Imation today announced it has acquired deduplication technology from Nine Technology.
Jira Mobile Connect for iOS and Android platforms will send error reports to app makers via the Jira issue-tracking tool
The holidays are upon us and that means fixing all the trouble ridden IT equipment belonging to all those we visit. Family IT security consultancy is a full time occupation, as those of us that will be providing ad-hoc technical support to friends, family and random neighbours during the holiday break will find out or know already.

well, at least in a digital sense. Anyone who looks at logs or watches packet captures can see the sharp elbow of a bunch of crafted packets, a wickedly aimed knee of drive by downloads or the full on head butt of a port scan on all 65353 - UDP and TCP!

The average person, like those near and dear to you, isnt going to be aware of this non-stop, unrelenting pitched battle our connected, online devices face from being part of a global network. Sure they have been told about firewalls, anti-virus and this newfangled thing called patching, which is a bit like being encasing the in body armour to ward off the blows, but why not opt for something a simple, clean, environmental-friendly and cost saving method approach?

I submit this holiday break we suggest something radical to offer an unparalleled level of protection from online attacks to our less technically aware family, friends and even the crazy neighbour across the road that like using WEP.
Tell them to:

Switch off your router at night.

Then turn off your computer.

Only turn them back on when you need to use them.

I realise this may be an insane statement to make to the multitude out there reading this, those need no sleep and capture every bit that enters or leaves their systems but does the rest of humanitys really need to be a target while they sleep or are out at the shops? Flipping the off switch or having a timer killing the power on the IT gadgets before going to bed is going to provide the normal person a base of eight hours of being off the internet, and that equates to eight hours of not being pinged, poked, prodded, and outright attacked. Best fights are the ones we avoid [1].

We still need tell people to not click on links, to keep everything patched, check credit card statements and up to date any anti-malware software but sometimes applying common sense and offering the simple option is the best option. Turning off the computer and then the home router is something everyone can do, is easy to introduce to the bed time routine and is a great security principle of reducing the attack surface without any technical ability required [2].

Remember: This is only aimed at home users. If you decide to turn off your corporate router serving a couple of thousand staff when you go to bed, well, I guess thats one way reducing the companys attack surface. This will probably lead to increasing your free time by a sudden ejection from your day job.

[1] Mr. Han, Karate kid 2010 Mr Miyagis Wax on... wax off. Wax on... wax off. just didnt cut it here.
[2] The off switch. It's like a free security gift to all and it's already built in. No extra charge or upgrades required!
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
As the tools used to create printable objects get easier, the technology could find acceptance outside the traditional niches.
3D printers are a lot less expensive than they were, but it still pays to shop around. Here's a comparison of the most popular models.
A U.S. government office has removed China's largest search engine Baidu from its latest list of the world's "notorious markets", which identifies major offenders for supporting or selling pirated and counterfeit goods.
The rapid adoption of the newest mobile devices -- especially the Apple iPhone and iPad and the Google Android-based equivalents -- will be a huge disruptive force in enterprise security next year. Not only will there be pressure to decide how to protect and manage these devices, which are growing as malware targets, the complexity of this task is magnified many times over because companies are allowing employees to use their own personal smartphones and tablets for business purposes -- what's sometime called "bring your own device" (BYOD).
Microsoft Windows Kernel Invalid Trap-Frame CVE-2011-2018 Local Privilege Escalation Vulnerability
Microsoft Excel CVE-2011-3403 Remote Code Execution Vulnerability

Posted by InfoSec News on Dec 21


By George V. Hulme
December 20, 2011

Like most big organizations with complex infrastructures, the Nuclear
Regulatory Commission (NRC ) is having trouble consistently maintaining
its vulnerability and risk management programs.

That was the key takeaway of a recently published report that detailed
the findings of an independent...

Posted by InfoSec News on Dec 21


By Choi He-suk

Armed forces reinforce cyber security, monitoring of movement

South Korean military’s information operations condition or INFOCON
level was raised to four following the announcement of Kim Jong-il’s
death, the Ministry of National Defense revealed Tuesday.

In a report to the National Assembly’s defense committee, the...

Posted by InfoSec News on Dec 21


By Iain Thomson
The Register
20th December 2011

The final report into the 2008 Qantas flight QF72, which unexpectedly
dived twice during a routine flight, has blamed a combination of
software and hardware errors for the incident.

On 7 October 2008, the Australian-owned A330-303 aircraft was cruising
at 37,000 feet when the autopilot disengaged and the aircraft rose,...

Posted by InfoSec News on Dec 21


By Kim Zetter
Threat Level
December 20, 2011

Accused WikiLeaker Bradley Manning sat in the same room with the man who
undid his life on Tuesday, when former hacker Adrian Lamo took the stand
on the fifth day of Manning’s pretrial hearing.

Lamo, who turned Bradley Manning into the FBI and Army for allegedly
leaking hundreds of thousands of sensitive government...

Posted by InfoSec News on Dec 21


By Mathew J. Schwartz
December 20, 2011

The FBI is set to receive more cyber special agents.

According to the draft of the Departments of Commerce and Justice, and
Science, and Related Agencies Appropriations Bill for 2012, released
earlier this month, the bureau will see increased funding for a number
of types of investigations, including computer intrusions...
Microsoft Windows Media Player And Media Center '.dvr-ms' Files Remote Code Execution Vulnerability
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft Windows OLE Property CVE-2011-3400 Remote Code Execution Vulnerability
Internet Storm Center Infocon Status