InfoSec News


US Data Erasure Software Leader Now Certified by European Security Group
The Open Press (press release)
Certification is awarded when software has met all of the criteria for secure erasure of magnetic media in accordance with HMG Infosec standards. After independent testing carried out by QinetiQ, a British global defence technology company under ...

 

Smartphone apps for tax time
ZDNet Australia
 
To maintain its prominence, Java must evolve to meet the needs of cloud computing, the author of the popular Spring Framework for Java said on Tuesday.
 
The coast is not yet clear for LightSquared's hybrid satellite-LTE network despite the company's announcement on Monday that it has found a solution to interference with GPS.
 
WordPress is currently investigating a series of [...] suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory. [1]
If you have a WordPress.org, bbPress.org and BuddyPress.org account, you will be required to choose a new password. You can change your password here.
[1] http://wordpress.org/news/2011/06/passwords-reset/
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Barnes & Noble on Tuesday said it sold three times as many digital books through its website compared to physical books during the fourth fiscal quarter.
 
Google has released an experimental extension for its Chrome browser that developers can use to scan their Web applications and flag code that could make them vulnerable to malware attacks.
 
A former co-owner of an Illinois networking firm is sentenced to a year in prison for an E-Rate bribery conspiracy.
 
IT workers who want to be a CIO need to think outside the box -- like pushing for staff to spend 10% of their time working on something other than operational tasks, according to advice at a recent CIO conference.
 
Research out of the Georgia Institute of Technology can detect when bot masters reserve domains to set up command-and-control networks.
 
Top IT executives speaking at the Computerworld Honors awards ceremony Monday talked of a post-PC era in which specific devices become mostly irrelevant.
 
Mozilla Firefox/Thunderbird/SeaMonkey 'Array.reduceRight()' Remote Code Execution Vulnerability
 
Linux Kernel 'drivers/net/niu.c' Local Denial of Service Vulnerability
 
Although enterprises are in the midst of migrating more machines to Microsoft's Windows 7, the aged Windows XP still accounts for nearly 6-in-10 PCs in corporations, according to a recent report by research firm Forrester.
 
IBM's Netezza division is rolling out a new analytic appliance that can analyze up to 10 petabytes of data "in a matter of minutes," the company is expected to announce Wednesday during the Enzee Universe conference in Boston.
 
A major challenge to the principles of free software was mounted in a German district court on Tuesday.
 
If-CMS 'newlang' Parameter Local File Include Vulnerability
 
Mozilla Firefox Firebug Extension 'chrome:' Cross Domain Scripting Vulnerability
 
Linux Kernel 'agp_allocate_memory/agp_create_user_memory' Local Privilege Escalation Vulnerabilities
 
TWSL2011-006: IBM Web Application Firewall Bypass
 
ZDI-11-225: Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability
 
New service aims to help businesses measure their security programs against Verizon’s Data Breach Investigations Report and the VERIS classification and reporting data.

 
BlackBerry-maker Research In Motion has started to hand out pink slips to employees in Waterloo, Ontario, where the Canadian company's headquarters are located.
 
Online storage service Dropbox made an embarrassing error Monday, turning off password authentication for millions of users.
 
A U.S. senator calls for new cybersecurity regulations for banks.
 
pam_ssh Incorrect 'SetGID()' Local Privilege Escalation Vulnerability
 
The New York Stock Exchange's European stock markets were floored for two hours this morning, after a significant system problem hit trading for a second day.
 
Mozilla released Firefox 3.6.18 for Windows, Mac and Linux, fixing several security and stability issues [1]. Mozilla also released Thunderbird 3.1.11, fixing vulnerabilities reported in version 3.1.10 [2].
Mozilla released Firefox 5.0 for Windows, Mac and Linux; it is the first web browser to support Do Not Track on multiple platforms [3]. This version includes more than 1,000 improvements and performance enhancements. It is available for download here.
[1] http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.18

[2] http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html#thunderbird3.1.11

[3] http://blog.mozilla.com/blog/2011/06/21/mozilla-delivers-new-version-of-firefox-first-web-browser-to-support-do-not-track-on-multiple-platforms/


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Mozilla today delivered the final version of Firefox 5, the first edition under the new faster-release regime it kicked off earlier this year.
 
ZDI-11-224: Mozilla Firefox SVGPointList.appendItem Remote Code Execution Vulnerability
 
ZDI-11-223: Mozilla Firefox SVGPathSegList.replaceItem Remote Code Execution Vulnerability
 
Our manager's growing IT department has a lot of new managers, and they want to oversee the actual implementation of security projects. But very little implementation is actually taking place.
 
Hewlett-Packard's research organization in Bangalore has developed an application that will help consumers create personalized channels of online video content on their Windows computers.
 
U.K. police arrested a 19-year-old on Monday for allegedly attacking a police website earlier in the day, in what is the first arrest connected with the rogue hacking group Lulz Security.
 

Continuous Monitoring According to FISMA - Steven Polk, ITILv3® MCTS
CSO (blog)
One analogy that will describe the movement toward awareness is to think of system managers as Air Traffic Controllers in action. Currently, Continuous Monitoring is employed by systems owners like the big ...

 
No. 4 wireless carrier T-Mobile has just joined its larger rivals in offering a mobile hotspot to its users. These handy devices tap into your cellular service, broadcasting a Wi-Fi signal that lets you connect up to five laptops, tablets or other devices to the Internet, effectively creating a personal high-speed wireless network wherever you go.
 
Most people in the IT industry are sure that enterprise cloud computing usage will double in the next two years. But they also feel that IT professionals will not be displaced from their enterprise jobs because of the cloud.
 
Businesses must start preparing to serve the emerging tech-savvy Customer 2.0 class that's graduating from college looking to spend money with companies that understand their social networking world.
 
iSCSI Enterprise Target Multiple Implementations iSNS Message Stack Buffer Overflow Vulnerability
 
Re: Perfect PDF products distributed with vulnerable MSVC++ libraries
 
[slackware-security] fetchmail (SSA:2011-171-01)
 
All companies, not just financials, must comply with the Dodd-Frank Act; Gartner recommends having a compliance bureau monitor the implications.

 

Breach is part of a string of high profile attacks targeting gaming networks and other websites. Experts say enterprises should assess their basic security defenses.

Sega Corp. has warned its customers of a major breach of its systems which had exposed the personal information of users of its Sega Pass gaming network.

The gaming giant took its network offline June 16 when it detected a breach of its systems. In an email to users, the company said the exposed data included names, email addresses, and dates of birth of about one million users of its gaming platform.

“We have identified that a subset of SEGA Pass members' email addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text,” the company said in a statement posted to its website. “If you use the same login information for other websites and/or services as you do for SEGA Pass, you should change that information immediately.”

A company spokesperson told Reuters that the breach affected 1.3 million users. Sega has not explained how its network was breached.

The breach is one in a string of high profile data breaches that have plagued a number of enterprises. The successful attacks have highlighted many basic security lapses. Web application vulnerabilities continue to plague even the most popular websites. For example, a Citigroup breach reportedly involved a fairly common business logic vulnerability, which enabled the attacker to alter the URL to access other accounts. That breach affected more than 200,000 customers. SQL injection and cross-site scripting errors continue to be problematic, experts say. In addition, organizations are failing to analyze the location of sensitive data to put appropriate security layers in place.

Sony has been bolstering its systems after a spate of data breaches to its various networks resulting in exposure of sensitive information on as many as 100 million users. The breach affected millions of users of its PlayStation Network. Sony took its gaming network down for nearly a month after detecting the attack. The scope of the breach was later expanded to other websites that are part of its Online Entertainment division. Sony discovered a cache of outdated credit card data stored on a server, which was exposed during the breach.

A hacker group called LulzSec, which communicates its attacks via Twitter, has been targeting the websites of enterprises and government agencies. The hacktivist group did not claim responsibility in the Sega or Sony attacks. The group claims to have breached the websites of the FBI, CIA and PBS, among others.




 

US Data Erasure Software Leader Now Certified by European Security Group
Your-Story.org (press release)
Certification is awarded when software has met all of the criteria for secure erasure of magnetic media in accordance with HMG Infosec standards. After independent testing carried out by QinetiQ, a British global defence technology company under ...

 
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
I posted a piece entitled Log files - are you reviewing yours? the external attack portion.



The meat of the external attack portion in the report covers a third party, using common security tools, running very aggressive and obviously hostile external scans against the targeted departments. The heavy scanning uncovered a number of exploitable known vulnerabilities. One of the most damning statements is that no-one noticed one web application system actually started to slow down from millions of username and password brute force attacks. If the security team missed this, that's one thing, but the operations team missing the system being hit is another. Operations teams tend to pick up on wrongness pretty quickly, either from help desk calls or their own performance alerts. I wonder if someone did notice, would they have told the security team? If you've ever tested your own systems, any obvious noisy, repetitive attacks should stand out and scream for attention against normal log entries. This, to me, highlights the total misuse of monitoring and reporting on logs that could so easily provide warning of an attack and the attacker.



I'm impressed that this type of report is in the public domain and the blunt approach it has taken to highlight the key findings*. This open approach is a marked change to the old misdirection of These aren't the droids, er, - massive problems we're pretending don't exist, which anyone with Nessus 0.99.10 could find - you're looking for, so we'll just ignore it.



It is easy, and important, to take a number of positive actions and lessons learnt from the report, rather than treat this as another stick to be beaten with. Show this report, and any of the numerous breaches, to management and use resources such as http://datalossdb.org/ to factor in the financial cost of a breach to your company. This may sway those that control your time and the purse strings to make time for simple, effective security steps, such as testing and log review, and even a bit of training**.



Here are a couple of points I've gotten from reading this report:



Technical

Know what normal traffic and logs look like for your environment
Test your own systems with freely available and widely used scanning and vulnerability assessment tools to see what shows up in the log files ***With PERMISSION only***
Test username and password brute force attack tools against your publicly facing systems and see what shows up in the log files ***With PERMISSION only***
Find a simple, automated process to review log files for the alerts or events generated in these scans
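An added example of the kind of automated log review the Technical points call for (example code written for this page, not from the ISC diary or the audit report): it parses combined-format web access log lines and flags source addresses that produce a burst of failed logins or a burst of 404s inside a sliding window, the noisy, repetitive patterns the diary says should stand out. The sample log lines, the /login path and the thresholds are constructed assumptions to be tuned to what normal looks like in your environment.

```python
"""Review web access logs for noisy brute-force and scanning sources.
Example code, not from the ISC diary; sample lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse_line(line):
    """Return one parsed event, or None for lines that are not in combined format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def burst_sources(events, predicate, threshold, window):
    """Map source IP -> peak number of matching events seen inside any one `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if predicate(ev):
            by_ip[ev["ip"]].append(ev["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # oldest event still inside the window that ends at times[end]
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits

def review(lines, login_path="/login", threshold=4, window=timedelta(minutes=5)):
    """Flag brute force (repeated 401s on the login form) and probing (404 bursts)."""
    events = [ev for ev in map(parse_line, lines) if ev]
    failed_login = lambda e: e["method"] == "POST" and e["path"] == login_path and e["status"] == 401
    probing = lambda e: e["status"] == 404
    return {
        "brute_force": burst_sources(events, failed_login, threshold, window),
        "scanning": burst_sources(events, probing, threshold, window),
    }

# Constructed sample (RFC 5737 documentation addresses): one real user with a single typo,
# one password-guessing source, one source walking paths that do not exist.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Jun/2011:10:00:00 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jun/2011:10:00:05 +0000] "POST /login HTTP/1.1" 401 310 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jun/2011:10:00:20 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jun/2011:10:01:00 +0000] "POST /login HTTP/1.1" 401 310 "-" "-"
203.0.113.5 - - [21/Jun/2011:10:01:01 +0000] "POST /login HTTP/1.1" 401 310 "-" "-"
203.0.113.5 - - [21/Jun/2011:10:01:02 +0000] "POST /login HTTP/1.1" 401 310 "-" "-"
203.0.113.5 - - [21/Jun/2011:10:01:03 +0000] "POST /login HTTP/1.1" 401 310 "-" "-"
192.0.2.9 - - [21/Jun/2011:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 200 "-" "-"
192.0.2.9 - - [21/Jun/2011:10:02:01 +0000] "GET /backup/ HTTP/1.1" 404 200 "-" "-"
192.0.2.9 - - [21/Jun/2011:10:02:02 +0000] "GET /test/ HTTP/1.1" 404 200 "-" "-"
192.0.2.9 - - [21/Jun/2011:10:02:03 +0000] "GET /old/ HTTP/1.1" 404 200 "-" "-"
203.0.113.5 - - [21/Jun/2011:10:30:00 +0000] "POST /login HTTP/1.1" 401 310 "-" "-"
"""

def review_sample():
    """Run the review over the constructed sample; the 10:30 attempt falls outside the window."""
    return review(SAMPLE_LOG.splitlines())
```

The single failed login from 198.51.100.7 stays below the threshold, which is the point of counting per source inside a window rather than alerting on every 401.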

People

Let people in your company know who to call if they see a possible security incident
Make sure you have an incident response plan first, then one that works, and finally one that is understood, endorsed and signed off by management
Show other IT staff what attacks look like and how they can affect system performance

As a final note, if you get an audit result like this on your systems, use it to highlight business risks and produce a plan on how to effectively and realistically address the points and issues raised. IT security is part of the business, there to support and protect it, so fixing things is a group effort involving the business, not just the poor, misunderstood IT security sap in the corner. To the folks in those fifteen agencies trying to get their systems and processes secured: keep at it, work through what's been reported, and next year's audit will be a very different picture.
As always, if you have any suggestions, insights or tips please feel free to comment.





[1] http://isc.sans.org/diary.html?storyid=11068

[2] http://www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf

[2a] Strategies to Mitigate Targeted Cyber Intrusions pdf mentioned in the report http://www.cert.gov.au/www/cert/RWPAttach.nsf/VAP/(3A6790B96C927794AF1031D9395C5C20)~intrusion_mitigations+pdf+for+CERT+website.PDF/$file/intrusion_mitigations+pdf+for+CERT+website.PDF



* Despite the warm and fuzzy thanks that are recorded in the agencies' responses, I suspect there may have been a number of closed door meetings with enraged management waving the report and equally annoyed security teams waving their own reports saying we told you this already.



** http://www.sans.org/security-training/courses.php - learn something new for every, and any, security professional :)


Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

4 R&D Initiatives Focus on Infosec
GovInfoSecurity.com
Northrop Grumman Cybersecurity Research Consortium's Robert Brammer says IT security researchers should think like Wayne Gretzky, the National Hockey League hall of famer: Skate to where the puck will be. "Most people, when they think about computer ...

 

Ten Commandments of Cyber Counterintelligence - Adapted from James M. Olson
CSO (blog)
Be Offensive: Cyber CI that is passive and defensive will fail. We cannot hunker down in a defensive mode and wait for things to happen. We are spending far too much money on signature-based solutions, ...

 

Mr. Firdosh Balsara joins MIEL e-Security as the President, Education Services ...
India PRwire (press release)
A few years ago, MIEL started off with a vision to be one of the biggest, pure-play, 360 degree companies in the Infosec domain, with strong value systems, unique business model, high quality deliverables, blue-chip clientele and internal processes. ...

 
Online storage service Dropbox accidentally turned off password authentication for its 25 million users for four hours Monday, although "much less than 1 percent" of those accounts were accessed during the period, the company said.
 
NNT Change Tracker and Remote Angel Insecure File Permissions Vulnerability
 
An Atlanta hospital switches to Microsoft Exchange in the cloud to update an email service that had become a headache for the medical staff and the IT team.
 
HP today announced it has qualified its P2000 entry-level storage array with VMware's API for Array Integration, which enables simpler virtual server configuration.
 
No. 4 wireless carrier T-Mobile has joined its larger rivals in offering a mobile hotspot to its users. How does the device -- and network -- stack up?
 

Security Events To Watch: 44Con London Security Conference
ComputerworldUK (blog)
I've long thought that the UK needed a real security conference; for years we've had the booth-bunny fest that is Infosec where you get to see anti-virus pitchmen working the crowd like the guy at my Saturday market vegetable stall; ...

 
Nokia unveiled Tuesday its new N9 smartphone that runs the MeeGo operating system, and is being marketed as a "pure touch screen" device without buttons.
 

Posted by InfoSec News on Jun 21

http://gcn.com/articles/2011/06/20/anatomy-of-hack-from-china.aspx

By John Breeden II
GCN.com
June 20, 2011

I was happy to see last week that the National Security Agency is
joining the battle against Internet hackers by offering its own set of
scanning tools to private companies.

It’s good to see the government taking this threat seriously, because if
defense companies have their security breached, it's pretty much like our
nation is...
 

Posted by InfoSec News on Jun 21

http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2651&zoneid=318

By Robert K. Ackerman
SIGNAL Online Exclusive
June 20, 2011

New technology capabilities are driving agency goals.

Integrating the network and defending it against cyberattacks are among
the top priorities in the new Defense Information Systems Agency (DISA)
2011-2012 Campaign Plan. The plan, released this morning, focuses on
requirements...
 

Posted by InfoSec News on Jun 21

http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/

By Declan McCullagh
Privacy, Inc.
CNet News
June 20, 2011

Web-based storage firm Dropbox confirmed this afternoon that a
programmer's error caused a temporary security breach that allowed any
password to be used to access any user account.

The San Francisco-based start-up attributed the security breach to a
"code update" that...
 

Posted by InfoSec News on Jun 21

http://www.theinquirer.net/inquirer/news/2080140/lulzsec-teams-anonymous-target-governments-banks

By Dean Wilson
The Inquirer
June 20 2011

NINJA PIRATE HACKER GROUP Lulzsec has joined forces with the hacktivist
group Anonymous in a global operation targeted at governments and banks.

The duo launched Operation Anti-Security today, declaring "unremitting
war" on the "freedom-snatching moderators" of the internet. They vowed...
 

Posted by InfoSec News on Jun 21

http://www.newscientist.com/article/mg21028175.900-spies-can-send-messages-hidden-in-a-google-search.html

By Paul Marks
New Scientist
17 June 2011

THE peculiar list of search options that Google suggests as you type in
a query could be hijacked to let people communicate secretly.

So says Wojciech Mazurczyk at the Warsaw University of Technology in
Poland, who specialises in steganography - the art of hiding messages in
plain sight....
 

Posted by InfoSec News on Jun 21

http://risky.biz/distributeit

By Patrick Gray
risky.biz
June 21, 2011

It looks like Melbourne-based hosting company and ICANN-accredited
domain name registrar Distribute.IT is fighting for its very survival.

The company has posted this depressing notice on what's left of its
Web-site.

It might seem crazy, but Distribute.IT is facing nothing short of an
existential crisis because, absurdly, it didn't take offline backups. As
the...
 

Posted by InfoSec News on Jun 21

http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

By Dan Goodin in San Francisco
The Register
21st June 2011

Yet another web authentication authority has been attacked by hackers
intent on minting counterfeit certificates that would allow them to
spoof the authenticated pages of high-profile sites.

Israel-based StartCom, which operates StartSSL, suffered a security
breach that occurred last Wednesday, the company said in a...
 
An attack on web authentication authority StartSSL has led to it suspending its services and halting issuance of any further certificates.



From the landing page of StartSSL's web site [1], they offer this information:



Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended.

Our services will remain offline until further notice.

Subscribers and holders of valid certificates are not affected in any form.

Visitors to web sites and other parties relying on valid certificates are not affected.

We apologize for the temporary inconvenience and thank you for your understanding



The Register web site has more information on the story [2].



[1] https://www.startssl.com/

[2] http://www.theregister.co.uk/2011/06/21/startssl_security_breach/
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 