InfoSec News

The document from Imperva makes strong claims: it says it reveals the way Anonymous has operated in the past, based on studying the group over a very short period of time.

A video has surfaced that mainstream media seems to be picking up on; it claims that the infamous hacking group LulzSec is making a return.

At the start of the year, South African police cracked down on a cyber gang that was in the process of stealing millions from hacked and phished bank accounts.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The location-based mobile services industry is already lucrative but has to do a better job easing consumers' fears about invasion of privacy, some executives said on Wednesday at the GPS-Wireless conference.
For years Sean Anthony, vice president of treasury and planning at sales and marketing outsourcer Acosta, has acted as a report gateway for business leaders seeking budget data. While the company has cube-based applications to house data, extracting reports has been a bit more complex. But now, with encouragement from CFO Greg Delaney, Anthony is evaluating new budgeting and planning technology that would remove him as the middleman.
Internal auditors are scrutinizing social media applications and cloud-based computing as they examine the costs and benefits of technology at companies, a new report says. And they consider these the two top business priorities requiring auditing skills.
Microsoft .NET Framework CVE-2011-3415 Form Authentication URI Open Redirection Vulnerability
For all of the buzz about cloud computing, there remains confusion about its real implications for an IT organization. CIO.com's Bernard Golden argues that to take full advantage of the cost savings and efficiency improvements of the cloud, CIOs have to rethink their approach to IT.
Boost Library Regular Expression Remote Denial of Service Vulnerabilities
Red Hat Enterprise Linux Sos Private Information Disclosure Vulnerability
Verizon Wireless' proposed purchase of unused mobile spectrum from four cable companies will reduce the incentive for the companies to compete against each other in the video and broadband markets, critics told U.S. lawmakers Wednesday.
Last August the Cloud Security Alliance (CSA) announced at the Black Hat security conference in Las Vegas a registry that it hoped would serve as a place for prospective cloud users to go to easily inspect and compare cloud vendors' security controls. But to date, only three companies have submitted their cloud security data, making the registry of limited use.

ictQATAR meet on security
Gulf Times
INFOSEC, a conference today. The conference will discuss the latest challenges and trends in information security and risks faced by the finance sector to help organisations in Qatar better manage cyber threats. fin.INFOSEC will feature speakers from ...

Linux Kernel 'iproute' Package Multiple Insecure Temporary File Creation Vulnerabilities
[SECURITY] [DSA 2437-1] icedove security update
Seeker Advisory: Insecure Redirect in .NET Form Authentication - Redirect From Login Mechanism (ReturnURL Parameter)
30 Days With the Cloud: Day 25
Moxie Software will release at the end of March an integrated suite that gives companies both enterprise social networking capabilities for internal employee collaboration and customer service software for handling customer queries.
While most of the talk around big data assumes such systems will be deployed in-house, Google is building a service that will allow for analyzing large amounts of data in the cloud.
libgdata SSL Certificate Validation Security Bypass Vulnerability
[ MDVSA-2012:033 ] libpng
CMSimple_XH 1.5.2 Cross-site Scripting vulnerability
Multiple vulnerabilities in Open Journal Systems (OJS)
Cyberoam Unified Threat Management: OS Command Execution


ISC's https://isc.sans.edu/presentations/ is an informative list of detailed presentations and papers written by ISC handlers or written about the ISC and DShield. Note that not all of them are hosted on this site.


Webcasts / Podcasts - https://isc.sans.edu/presentations/#casts

ISC Monthly Threat Updates webcasts on SANS' Webcast archive

Latest webcast PDF (now posted along with the webcast on the access page)
ISC Podcasts main page

Flyers / Cheat Sheets - https://isc.sans.edu/presentations/#sheets

IPv4 and IPv6 flyers

Reference Papers - https://isc.sans.edu/presentations/#reference

Link to SANS Reading Room

SANSFIRE Presentations - https://isc.sans.edu/presentations/#sansfire

SANSFIRE 2012 is coming up! http://www.sans.org/sansfire-2012/

Other Recent Presentations - https://isc.sans.edu/presentations/#recent
Older Presentations - https://isc.sans.edu/presentations/#older

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

An in-class project on advanced search techniques led to the discovery of a major data breach at the University of Tampa in Florida last week.
Mozilla is currently testing default encrypted Google searches for all Firefox users, with the intent to make all Google searches encrypted in the near future, the browser maker said on Wednesday.
The Chinese government, Google's last hurdle to acquiring Motorola Mobility, is slowing up the purchase process by expanding its investigation into the pending transaction.
The U.S. Federal Communications Commission has voted to move ahead with plans to open up 40MHz of wireless spectrum in the 2GHz band to mobile voice and broadband service.
T-Mobile USA has started selling the Samsung Galaxy S Blaze 4G smartphone in select stores, and will begin nationwide sales March 28, a spokeswoman said.
If your enterprise finds itself needing to transfer a lot of data in the cloud, beware: depending on where the data's being moved to, it can take a long time.
Given that stolen medical records can bring $50 apiece on the underground market, the frequency and magnitude of data breaches involving electronic health records is increasing. In an effort to help CIOs and CSOs build a better business case for enhancing security, a group of standards and security organizations have issued a new report on the financial impact of such data breaches.
EMC plans to buy Pivotal Labs, an application development consultancy that focuses on helping users create applications to run in big data environments.

When I arrived home from RSA Conference 2012 after attending a number of panel discussions about mobile device protection, mobile security threats and ways IT teams can build control and visibility into their employee smartphones, I left feeling that many of the session panelists overhyped the risks.

A few experts warned incessantly about weaponized applications; another panel had a security expert discussing the skyrocketing mobile malware statistics. It was rather off-putting that there was little discussion about how mobile device platforms are built differently than desktop OSes. In fact, a Microsoft network analyst attempted to compare the evolution of iOS and Android to the evolution of Windows, something I was told by several security experts is nearly impossible to do. Security capabilities, including sandboxing designed to isolate applications from critical processes, are built right into the mobile firmware.

I spoke to Kevin Mahaffey, CTO and founder of Lookout Security, which targets security-conscious consumers with a mobile application that provides antimalware protection, device locate, remote wipe and secure backup features. Mahaffey was very forthcoming, saying it's his belief that both Google Android and Apple iOS are the most secure OSes ever built.

His comment, which is no doubt debatable, made me seek out good sources of non-hyped potential risks posed by mobile devices to the enterprise. I may have stumbled upon the beginnings of a good list.

Several security experts active with the Open Web Application Security Project (OWASP) are developing a list of mobile risks. OWASP, known for its Top 10 Web Application Vulnerabilities list, has come up with the Top 10 Mobile Risks list. It was released in September and has been undergoing an open review period for public feedback. It's still a work in progress and will undergo an annual revision cycle.

List of Mobile Risks:

1. Insecure Data Storage
2. Weak Server-Side Controls
3. Insufficient Transport Layer Protection
4. Client-Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure

The experts who prepared the list, Jack Mannino of nVisium Security, Mike Zusman of Carve Systems and Zach Lanier of the Intrepidus Group, have been actively researching mobile security issues. They produced an OWASP Top 10 Mobile Risks presentation describing and supporting the threats posed by the issues on the list.

Attackers are going to target the data, so insecure data storage on both back-end systems that mobile applications tap into and cached data on the device itself is at risk. Properly implemented server-side controls are essential, according to the presentation. A lack of encryption of data in transit was cited, reminding me of my earlier post on the NSA's VPN tunneling requirement and its other mobile security recommendations. Properly executed authentication is a must, and many of the garden-variety vulnerabilities (XSS and SQL injection) for desktop software are repeatable for mobile applications. It wraps up with the call for developers to use properly implemented key management as well as tips to make a mobile application more difficult to reverse engineer.

I think the list gets to the heart of the issues without overhyping the threats. I hope it gains more visibility. I'd like to see it referred to more in public discussions about the potential weaknesses in mobile devices.

Hackers are using a recent report about cyberthreats to Tibetan activists as a lure in a new attack against pro-Tibet organizations that distributes Windows and Mac malware, researchers from security vendor AlienVault said.
PrivaWall Antivirus Office XML Format Evasion Security Bypass Vulnerability
The Google Chrome browser overtook Microsoft Internet Explorer, to become the number one browser for a single day last weekend, according to website analytics company StatCounter.
NEC said Wednesday it will add small earthquake sensors to the growing set of devices that work on its cloud-based network platform.
Japanese technology giant Fujitsu said it has developed a system that can determine when someone is being targeted by a phone scam.
Adobe Systems has introduced tools for advertising across social networking sites and different devices, and also analytics to keep track of it all, the company said on Wednesday.
Want to publish a book? You can either kill a bunch of trees, or get with the 2010s and publish it as an ebook.
Hewlett-Packard today announced the merger of its Imaging and Printing Group and its Personal Systems Group in what it called an effort to drive profitable growth for the entire company.
Cisco today announced a virtualized version of its Video Surveillance software for use on its Unified Computing System platform for enterprise- or government-operated video-camera deployments.
The number of IT jobs at large corporations is declining significantly, but within 10 years, this exodus may end as companies run out of jobs suitable for moving to low-cost countries, a new study says.
New to Microsoft Outlook 2010? Find your favorite commands from earlier versions of Outlook with these charts. Insider (registration required)
Whether you're upgrading from Outlook 2007 or an earlier version, we've got the goods on how to find your way around Microsoft Outlook 2010 and make the most of its new features.
Venmo, a venture-funded East Coast startup, Tuesday publicly launched a person-to-person payment app that emphasizes sharing payments on social networks.
Citrix XenServer vSwitch Controller Component Multiple Unspecified Vulnerabilities

Posted by InfoSec News on Mar 21


By Jason Koebler
US News and World Report
March 20, 2012

The computer systems of the agency in charge of America's nuclear
weapons stockpile are "under constant attack" and face millions of
hacking attempts daily, according to officials at the National Nuclear
Security Administration.

Thomas D'Agostino, head of the agency,...

Posted by InfoSec News on Mar 21


By Meridith Levinson
March 20, 2012

Would you bet money on the security of your company's systems? If your
answer is no, you're far from alone. Most IT professionals lack so much
confidence in the security of their organizations' networks that they
wouldn't bet a dime on it, according to the results...

Posted by InfoSec News on Mar 21


By Frank Kanyesigye
The New Times
18 March 2012

Following recent cyber-attacks that have been targeting East African
companies, several institutions in the country have put in place
security policies to counter them.

Speaking to Sunday Times, Innocent Muhizi, the Head of Information
Technology (IT) at Commercial Bank of Rwanda (BCR), said his institution
had set up security measures to prevent...

Posted by InfoSec News on Mar 21


By Shaun Waterman
The Washington Times
March 20, 2012

The Pentagon is still writing rules for combating cyberattacks, even
though U.S. Cyber Command has been operating for more than a year,
defense officials said Tuesday.

“The [Pentagon] is working on standing rules of engagement which will
give us the authority” to respond to attacks on vital...

Posted by InfoSec News on Mar 21


By Kelly Jackson Higgins
Dark Reading
March 20, 2012

Sometimes it's the little things -- a misconfigured network proxy or an
unused and forgotten port -- that can make the difference in whether an
organization suffers a major hack.

Organizations, especially those without the security...