InfoSec News

Lenovo positions its ThinkPad Edge series as being slightly more stylish than the company's other lines while retaining the usability features that have long made ThinkPads popular with corporate users--and that's a pretty fair assessment. What the PR people don't mention is that performance may not be great--but for general business use, the ThinkPad Edge E420 we tested would certainly be adequate, and its price will appeal to small businesses and others in search of an affordable all-purpose portable with a 14.1-inch display.
 
Proving naysayers incorrect once again, Microsoft posted a banner fiscal 2011 year in revenue, as sales of Microsoft Office, server software and Xbox continued to drive growth, even as sales of Windows leveled off, according to the company.
 
In a defiant statement addressed largely at FBI director Steve Chabinsky, members of the Anonymous and LulzSec hacktivist groups vowed to continue with their hacking campaigns and dared law enforcement to try and stop them.
 
Advanced Micro Devices' revenue for the second fiscal quarter of 2011 sank as the search for a new CEO continues, the company said on Thursday.
 
Apple said today that customers had downloaded more than one million copies of Mac OS X Lion from the Mac App Store in the upgrade's first day of availability.
 
Research In Motion may be getting close to releasing the Android app player it promised for the PlayBook, judging from an old version of the player found on the BlackBerry.com website.
 
 
logrotate Debian Linux 'var/log/postgresql' Symlink Local Privilege Escalation Vulnerability
 

Right to privacy puts eyes on infosec
CRN Australia
The Gillard Government, spurred by recent data breaches, will shortly issue a discussion paper seeking public opinion on introducing a right to privacy that will require increased attention to information security.
 
The MSI FX620DX has a few nice features that help it stand out in a bleak, budget-y all-purpose world. Sure, it's no gaming superstar, but the 720p webcam and two USB 3.0 ports are sure to woo some shoppers on a budget.
 
As NASA's 30-year space shuttle program draws to a close, engineers at the space agency are focusing on building advanced robots that will delve deeper into space.
 
RETIRED: Apple Safari Prior to 5.1 and 5.0.6 Multiple Security Vulnerabilities
 
Oracle Outside In '.cdr' File Remote Code Execution Vulnerability
 
One of Sony's insurers has asked a New York court to absolve it of any responsibility for defending or indemnifying Sony against claims arising from recent data breaches at the company.
 
Oracle has purchased Ksplice, maker of technology that allows Linux administrators to apply important security updates without having to reboot the system, Oracle announced Thursday. Terms were not disclosed.
 
Apple is contributing more than half the total $4.5 billion price tag for Nortel patents, with partners including Microsoft and Sony combined kicking in the rest.
 
Oracle Secure Backup 'validate_login' Command Injection Remote Code Execution Vulnerability
 
Oracle Java SE and Java for Business CVE-2011-0815 Remote Java Runtime Environment Vulnerability
 
Security experts are leery of Google's decision to warn millions of users whose PCs it believes are infected with fake security software and other malware.
 
Data-integration vendor Informatica and a customer are embroiled in a legal dispute over $6.3 million in license fees that Informatica says it is owed due to noncompliance.
 
Oracle Java SE and Java for Business CVE-2011-0866 Remote Java Runtime Environment Vulnerability
 

Buying IT security products? Learn to recognize vendor hype
SearchSecurity.com
Not all infosec vendors are charlatans and snake oil salesmen. But how do you spot those who are? Here are some common scenarios and practical tips. Vendors love to tout how their new technology is the greatest thing since sliced bread. ...

 
Google Apps will become a more secure and easier-to-manage collaboration and communication suite now that Google has started integrating e-mail security features into it from its Postini suite.
 
Worldwide semiconductor revenue will grow at a slower rate next year, hurt by an uncertain economy in developed and emerging markets, research firm IDC said on Thursday.
 
T-Mobile is hoping to make it easier for businesses to use Android phones by reselling secure e-mail services from Good Technology.
 
The new malware alert feature is in response to unusual search traffic detected in the search engine giant’s servers.

A new report notes a significant rise in the number of attacks against Adobe and Java vulnerabilities in the last six months.

RETIRED: Oracle July 2011 Critical Patch Update Multiple Vulnerabilities
 
Foxit Reader Insecure Library Loading
 
ZDI-11-238: Oracle Secure Backup validate_login Command Injection Remote Code Execution Vulnerability
 
Alcatel-Lucent this week confirmed it is "exploring strategic options" for its Enterprise business, a non-core asset that's been reported to be shopped around for a possible sale.
 

Nata's Corner: Google+ Privacy Settings
Experts Exchange (blog)
Speaking of which, Infosec Island has the ABZs of Cybersecurity, but they're missing terms for the letters D, H, L, O, P, Q, R, U, V and X. I'm open to suggestion, and I'll see if I can get someone to send out a coffee mug or something for the best terms that ...

 
As NASA's space shuttle Atlantis touched down for the final time early today, the 30-year space shuttle program came to a bittersweet end.
 
Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure
 
Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability
 
Once you are over the online install experience, the upside-down mouse gestures and all the other bling that comes with OS X Lion, it is time to look at what has changed from a security point of view. Apple doesn't exactly advertise security features, but Lion brings some significant security improvements.
An important caveat: Lion is only a day old, so most of these features have not yet been exercised by a large user population, and the notes below are first impressions rather than test results.
Address Space Layout Randomization (ASLR)
ASLR makes exploiting memory-corruption vulnerabilities significantly harder, because the attacker can no longer predict where code and data will be mapped; by itself it does not remove any vulnerability. Leopard and Snow Leopard randomized only the load addresses of libraries; the stack and the heap were not randomized. Lion extends randomization to the heap, the stack and, for executables built position-independent, the main image.
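Whether a given application actually benefits from Lion's executable randomization is recorded in its Mach-O header: the MH_PIE flag marks a main executable as position independent, and the same flags word carries MH_ALLOW_STACK_EXECUTION and MH_NO_HEAP_EXECUTION. The following script is an added example, not part of this diary or of any Apple tool; it parses thin and fat (universal) Mach-O headers with the constants from mach-o/loader.h and mach-o/fat.h and reports those three flags per architecture. The sample headers at the bottom are constructed in memory rather than taken from real binaries; point check_file() at a binary on disk to inspect it.

```python
"""Inspect Mach-O headers for the flags behind Lion's ASLR and NX mitigations.

Added example, not from the ISC diary. Constants come from <mach-o/loader.h>
and <mach-o/fat.h>; the sample headers below are constructed, not real files.
"""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header, native / byte-swapped
FAT_MAGIC = 0xCAFEBABE                             # universal binary, always big-endian

MH_ALLOW_STACK_EXECUTION = 0x00020000  # stack pages are executable (undesirable)
MH_PIE = 0x00200000                    # main image may be loaded at a randomized base
MH_NO_HEAP_EXECUTION = 0x01000000      # heap is non-executable even on i386

CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 18: "ppc", 0x01000012: "ppc64"}


def parse_mach_header(data, offset=0):
    """Parse one thin Mach-O header at `offset`, detecting its byte order from the magic."""
    magic, = struct.unpack_from(">I", data, offset)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"          # stored big-endian (PowerPC slices)
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"          # stored little-endian (i386 / x86_64 slices)
    else:
        raise ValueError("no Mach-O header at offset %d (magic %#x)" % (offset, magic))
    # struct mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    # (mach_header_64 adds a trailing reserved word, which we do not need)
    _, cputype, _, filetype, ncmds, _, flags = struct.unpack_from(endian + "7I", data, offset)
    return {
        "arch": CPU_NAMES.get(cputype, hex(cputype)),
        "is64": magic in (MH_MAGIC_64, MH_CIGAM_64),
        "filetype": filetype,
        "ncmds": ncmds,
        "flags": flags,
    }


def parse_images(data):
    """Return a header dict for every architecture slice in a thin or fat Mach-O file."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_mach_header(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    images = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _, _, off, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        images.append(parse_mach_header(data, off))
    return images


def mitigation_report(header):
    """Translate mh_flags into the three questions a reviewer asks of a Lion binary."""
    flags = header["flags"]
    return {
        "arch": header["arch"],
        "pie": bool(flags & MH_PIE),
        "executable_stack": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "non_executable_heap": bool(flags & MH_NO_HEAP_EXECUTION),
    }


def check_file(path):
    """Report on every architecture slice of the binary at `path`."""
    with open(path, "rb") as fh:
        return [mitigation_report(h) for h in parse_images(fh.read())]


# --- constructed sample data (not real binaries) ------------------------------
MH_EXECUTE = 2
MH_NOUNDEFS, MH_DYLDLINK, MH_TWOLEVEL = 0x1, 0x4, 0x80
BASE_FLAGS = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL


def _thin_header(is64, cputype, flags):
    """Build a little-endian mach_header / mach_header_64 with the given flags."""
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    fields = [magic, cputype, 3, MH_EXECUTE, 0, 0, flags] + ([0] if is64 else [])
    return struct.pack("<8I" if is64 else "<7I", *fields)


def _fat_binary(slices):
    """Wrap (cputype, header_bytes) pairs in a fat header, each slice page-aligned."""
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for i, (cputype, hdr) in enumerate(slices):
        out += struct.pack(">5I", cputype, 3, 4096 * (i + 1), len(hdr), 12)
    for i, (_, hdr) in enumerate(slices):
        out.extend(b"\0" * (4096 * (i + 1) - len(out)))
        out += hdr
    return bytes(out)


# An x86_64 executable built with -pie, as Xcode does for a 10.7 deployment target ...
SAMPLE_X86_64_PIE = _thin_header(True, 0x01000007, BASE_FLAGS | MH_PIE)
# ... and a universal binary whose i386 slice is not PIE while its x86_64 slice is.
SAMPLE_FAT = _fat_binary([(7, _thin_header(False, 7, BASE_FLAGS)),
                          (0x01000007, SAMPLE_X86_64_PIE)])

if __name__ == "__main__":
    for rep in [mitigation_report(h) for h in parse_images(SAMPLE_FAT)]:
        print(rep)
```

On a Lion system, `check_file("/Applications/Safari.app/Contents/MacOS/Safari")` (path assumed) lists one report per slice; a slice without "pie" still gets randomized libraries, heap and stack, but its own code and data land at a fixed address, which is exactly what an attacker needs for a return-to-text gadget.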
Automatic Security Updates
In Snow Leopard, as in most other operating systems, the user was told about updates but had to approve and install them manually. In Lion, this happens behind the scenes. We will have to see how well this works, since automatic or unmanaged updates may of course break incompatible applications.
Sandboxing
Sandboxing is supposed to limit how individual applications can affect each other and the underlying system. For Safari in particular it will be interesting to see how well this works and whether it prevents exploitation of some vulnerabilities. Safari itself is split into separate processes, and JavaScript and plug-ins run in their own sandbox.
Encrypted Backups
Time machine backups can now be encrypted.
AirDrop
AirDrop sounds a bit dangerous, and we will have to revisit this protocol. It essentially sets up an ad-hoc peer-to-peer network to exchange files. However, according to Apple the file transfer is TLS encrypted and authenticated using the user's Apple ID (which has always been available as a client certificate). It also appears to set up appropriate firewall rules. It looks like the important issues were considered, but this is very much a topic that needs further testing.
FileVault 2
The original FileVault feature in Snow Leopard only encrypted the user's home directory. It was rather clunky and didn't interoperate well with Time Machine. FileVault 2 implements full disk encryption. A number of additional features are implemented as well. For example, one can instantly wipe the disk by deleting the key. A user who is afraid of losing the key can have it escrowed with Apple. Initial performance tests have been pretty good.
Update: After experimenting with FileVault 2, I found that it can only be used if the installer was able to create a recovery partition, which it didn't do in my case. Also, FileVault 2 encrypts the partition, not the entire disk as other products (e.g. PGP) do.
Privacy
Lion refines the privacy preferences, in particular limiting applications' access to location information.
Apple ID for authentication
Not sure about AirDrop, but other authentication features leverage your Apple ID. When you sign up for an Apple ID, Apple creates a client certificate for you, which you can now use to authenticate for File Sharing, iChat and Screen Sharing. The certificate has existed in the past and was used in iChat, but now it is used by other features of the OS.
Complete feature list: http://www.apple.com/macosx/whats-new/features.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Worried that Web sites are snooping on you as you surf? Concerned that when you're at a public Hot Spot, such as at a café, a hacker can intercept everything you send and receive--including passwords and other personal information? Then you should give CyberGhost VPN Free a try. It creates a virtual private network (VPN) connection when you're on the Internet, so that you can be safe when you go online.
 
AT&T adds 5.6 million smartphones and a record number of other data devices to its mobile network during the second quarter.
 
The hacking collective Anonymous released a document on Thursday marked "restricted" and said to be from NATO.
 
Apple on Wednesday offered details about its free Lion upgrade offer, saying the deal also applies to Macs bought from authorized resellers after the new operating system's debut.
 
iDefense Security Advisory 07.20.11: Multiple Vendor WebKit frameset style Heap Corruption Vulnerability
 
Securstar - DriveCrypt - Local Kernel Denial of Service/Memory Disclosure/Privilege Escalation
 
[SECURITY] [DSA 2281-1] opie security update
 
iDefense Security Advisory 07.20.11: Multiple Vendor WebKit SVG animVal Memory Corruption Vulnerability
 
iDefense Security Advisory 07.20.11: Apple Safari innerText Use-After-Free Vulnerability
 
Cisco Security Advisory: Cisco SA 500 Series Security Appliances Web Management Interface Vulnerabilities
 
Cisco Security Advisory: Cisco ASR 9000 Series Routers Line Card IP Version 4 Denial of Service Vulnerability
 
Google has disabled a feature that could allow people to remove websites from its search index following a problematic discovery by an astute observer.
 
Nokia had a net loss in the second quarter following a dramatic decline in smartphone sales, it reported Thursday.
 
Outsourcing declined worldwide by 18% to $16.4 billion in the second quarter because of weak demand in the Americas and an overall drop in the number of large contracts awarded, sourcing data and advisory firm TPI said on Wednesday.
 
Apple Mac OS X ICU (CVE-2011-0206) Buffer Overflow Vulnerability
 
The software works very well, but its biggest problem is its cost. Only the largest enterprises will be able to use it.
 
Cassandra, CouchDB, MongoDB, Redis, Riak, Neo4J, and FlockDB reinvent the data store
 
Curious about what iOS features Apple has wrapped into its new desktop OS? Get up close with our visual tour.
 
Apple has finally unleashed OS X 10.7 'Lion,' the revamped operating system for the company's desktops and laptops. Columnist Michael deAgonia offers a hands-on look at Lion's new features and offers advice on whether you should upgrade.
 
While Congress debates the debt ceiling and the federal budget, the White House is accelerating its plans to close data centers as a means to trim billions of dollars from its IT budget.
 
Almost a month after Google announced its new social network, the Google+ iPhone app is finally available in the iTunes App Store. Those who downloaded the app Tuesday when it first went live complained of a litany of bugs. Google has since released an update, fixing many of the errors.
 
Acer said Thursday it plans to acquire iGware, a cloud technology company in the U.S., for $320 million, as part of a plan to allow users to more easily share content across the PC maker's products.
 
Apple Mac OS X ColorSync (CVE-2011-0200) Integer Overflow Vulnerability
 
Apple Mac OS X CoreFoundation (CVE-2011-0201) Buffer Overflow Vulnerability
 
Apple Mac OS X CoreGraphics (CVE-2011-0202) Integer Overflow Vulnerability
 
 

 