InfoSec News

Massachusetts’ Advanced Cyber Security Center (ACSC) was launched Tuesday to develop future cybersecurity technologies and strategies to protect the nation’s IT infrastructure.

 
Adobe on Wednesday patched six vulnerabilities in Flash Player, including one it admitted is already being exploited by attackers.
 
Law enforcement officials should be required to obtain a warrant based on probable cause before using GPS or other electronic location tracking to follow individuals, a bi-partisan group said in a report released today.
 
Salesforce.com has acquired help desk service provider Assistly for approximately US$50 million, the two companies announced Wednesday.
 
Adobe Flash Player CVE-2011-2444 Cross Site Scripting Vulnerability
 
Several U.S. senators accused Google of giving search preferences to its own suite of services over competitors, but Executive Chairman Eric Schmidt denied that his company is manipulating search results during a hearing Wednesday.
 
As reports swirled Wednesday of Hewlett-Packard CEO Leo Apotheker's imminent ouster from the company after less than a year on the job, some observers suggested that if such a thing indeed comes to pass, it won't be that much of a surprise.
 
Satellite-4G carrier LightSquared said Wednesday that gear to prevent interference between its network and precision GPS gear will cost $50 to $300 per device and it is in talks with the U.S. government about covering the cost of upgrading or replacing all federally-owned devices.
 
Lawmakers at a hearing Wednesday said they see a lot of potential in cloud deployment, but are unsure what they should do to encourage its growth.
 
Maryland Governor Martin O'Malley addressed several hundred educators, IT experts, and others at the National Institute of Standards and Technology (NIST) yesterday as part of a workshop hosted by the National Initiative for Cybersecurity ...
 
DigiNotar, the Dutch company that was hacked earlier this summer by certificate thieves, has gone bust and shut down, its U.S.-based owner said.
 
Twitter has acquired Julpan, a startup founded last year that analyzes the way people share information on the social web with the goal of delivering fresh and relevant content to users.
 
Oracle is hoping to capture the fancy of smaller companies enamored with its Exadata data-processing machine, announcing Wednesday the availability of a new database appliance configured for SMBs' needs and budgets.
 
Certificate authority DigiNotar filed for bankruptcy protection following a breach of its digital certificate systems and the issuance of fraudulent SSL certificates.

 
Amid emerging attack methods and the rollout of a new generation of BIOS, NIST offers guidelines to help enterprises reduce the risk of BIOS attacks.

 
AT&T said it will sell the Samsung Galaxy S II, a 4G smartphone, for $199.99 starting Oct. 2.
 
Hewlett-Packard may be on the verge of replacing the CEO it hired just a year ago to build its software and cloud computing businesses, as well as take on Apple with a WebOS-powered tablet.
 
Even though Google said its Google Wallet app was available Monday, it won't be installed over-the-air to all Nexus S 4G customers until Friday night.
 
Trolltech Qt UTF-8 Sequences Input Validation Vulnerability
 
Linux Kernel Ethernet Bonding Remote Denial of Service Vulnerability
 
Trusteer Rapport and anti-keylogging
 
IPv6 security presentation at Hack.lu 2011
 
Reader Robert has an older Emachines desktop that recently developed a problem:
 
Apple will launch the next iPhone on Oct. 4, a technology blog said today, citing what it called "sources close to the situation."
 
Imation announced it has worked out a deal to buy the assets of IronKey's secure data storage hardware business.
 
Linux Kernel Netfilter 'ipt_CLUSTERIP.c' Buffer Overflow Vulnerability
 
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
HP's board of directors is reportedly looking to replace CEO Leo Apotheker, with former eBay CEO and current HP director Meg Whitman said to be a finalist for the job.
 
LightSquared said it has an affordable solution to interference between its 4G network and GPS systems and will have working units available for tests planned by the U.S. government in the coming months.
 
A pitch to accelerate Firefox's rapid-release schedule even more -- cutting a week to ship a new version every five weeks -- has been rejected by Mozilla.
 
The Dutch minister who had said that U.S. cloud providers might be kept from doing business in the Netherlands because of aspects of the Patriot Act now says the matter is a "conflict of legislation" that the nations have to deal with. Meanwhile, U.S. cloud providers can do business in the Netherlands.
 
New IDS detects something horrifying.
 
Users of the Kindle e-reader and Amazon's e-reading app for other devices can now borrow e-books from more than 11,000 U.S. libraries.
 
EMC announced new software capability in its Hadoop Data Computing Appliance that allows users to mix and match unstructured and structured data analytics platforms.
 
NGS00099 Patch Notification: Vulnerable SUID script in (nomachine) NX Server for Linux
 
Multiple vulnerabilities in Help Desk Software
 
CIOs and data center managers are hesitant to place important data and applications in the public cloud. As a result, turnkey, ready to go, cloud solutions have become very popular. Here are the three essential elements that should constitute any turnkey private and/or hybrid cloud solution.
 
Spain's National Competition Commission is investigating whether Microsoft has unjustifiably prevented or limited resale of software licenses, in breach of Spanish and European Union competition laws, the Commission announced Tuesday.
 
Huawei's 7-inch tablet will be launched in the U.S. during this year's fourth quarter, according to a company spokeswoman.
 
Oracle Corp. has issued an out-of-band security alert for its Fusion Middleware and Application Server products that addresses an Apache Web server flaw.

 
In addition to bank fraud, the Russian cybercriminal also stole credentials from users of Facebook, Yahoo, Google, eBay, Amazon, Twitter, PayPal and Skype.

 

IANS Launches Southeast Information Security Forum in Atlanta
MarketWatch (press release)
Best practices, benchmarking studies, trend analyses and practical insights are provided by professionals who actually implement infosec initiatives, not just write about the subject," said Dave Shackleford, Senior Vice President of Research and Chief ...

 
Flash Player 11 and AIR 3 are announced just as Microsoft chooses HTML5 over plug-ins like Flash in Metro version of IE10
 
Oracle next week will announce a new Sparc processor and a high-end server, as it continues to try to make the best of its acquisition of Sun Microsystems from last year.
 
Neither Fusion nor Parallels offer major improvements for Windows users, but they add welcome support for Mac OS X Lion virtual machines
 
Some typists can't make do with the iPad 2's on-screen keypad. Here are 5 wireless keyboards that could make for faster, more accurate typing.
 
Lest we forget that Microsoft still insists Linux violates 235 of its patents, Microsoft issued a reminder today. It announced a patent licensing deal with Casio Computer Co. Ltd. that "among other things, will provide Casio's customers with patent coverage for their use of Linux in certain Casio devices," Microsoft says.
 
i-Gallery 'd' Parameter Cross Site Scripting Vulnerability
 
It is that time of the year again, Cyber Security Awareness Month. Over the last few years we have participated in the October Cyber Security Awareness month (just search the archive for cyber security awareness month). During the month, in addition to our normal diaries, we take a specific topic or theme and publish a diary on the topic.
This year the theme is the 20 Critical Security Controls. I know what you are thinking, 20 controls 31 days. A number of the controls will easily take a few days to cover. For those of you that are unfamiliar with the 20 critical security controls:

These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.

(http://www.sans.org/critical-security-controls/)
There are 20 controls; 15 of these can be automated, the last 5 cannot. Each will address a set of risks and the diaries will explore how you may be able to implement the control.
This year the controls were updated and include the Australian Defence Signals Directorate's 35 mitigating controls.
The controls are as follows:

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring, and Analysis of Security Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based on the Need to Know
Critical Control 10: Continuous Vulnerability Assessment and Remediation
Critical Control 11: Account Monitoring and Control
Critical Control 12: Malware Defenses
Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Loss Prevention



Critical Control 16: Secure Network Engineering
Critical Control 17: Penetration Tests and Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

As always we value your contributions, so start putting your thinking caps on and think of how you can implement some or even all of the controls in your organisation. If you have a specific tip, hint, or suggestion, feel free to pass it along. It will help if you use the contact form and specify the control. That way we can make sure we include your suggestions where we can.
There are of course things that you can do yourself in your organisation for cyber security awareness month. If you haven't run an awareness campaign for a while, maybe this October.
One of our readers (Nick) will be running a campaign within his organisation. He has developed some awesome posters, linked to a competition to improve awareness within his organisation. Maybe you have other ideas to help raise awareness in your organisation, let us know and maybe schedule some of these during October?
Mark - Shearwater



(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Posted by InfoSec News on Sep 20

http://www.theregister.co.uk/2011/09/20/google_android_vulnerability_patching/

By Dan Goodin in San Francisco
The Register
20th September 2011

It's been more than a month since researchers reported two serious
security vulnerabilities in Android, but so far there's no indication
when they will be purged from the Google-spawned operating system that's
the world's most popular smartphone platform.

The first flaw allows...
 

Posted by InfoSec News on Sep 20

http://www.informationweek.com/news/security/attacks/231601692

By John Foley
InformationWeek
September 19, 2011

When Pacific Northwest National Laboratory detected a cyber attack --
actually two of them -- against its tech infrastructure in July, the lab
acted quickly to root out the exploits and secure its network. PNNL then
did something few other cyber attack victims have been willing to do. It
decided to talk openly about what happened....
 

Posted by InfoSec News on Sep 20

http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html

By Kelly Jackson Higgins
Dark Reading
Sept 20, 2011

Say goodbye to certificate authority DigiNotar: The beleaguered Dutch CA
has filed for bankruptcy in the wake of the recent massive breach at the
firm, its parent company VASCO Security said today, and has exited the
CA business altogether. While the demise of...
 

Posted by InfoSec News on Sep 20

http://www.theindiasite.com/india-hacked-part-iii-building-shadow-armies/

By Ulrik McKnight
The India Site
Sept 21, 2011

India’s Shadow Army -- More A Shadow Than An Army?

Shaken up by massive data losses, the Indian government has begun to
take action. As NTRO Officer on Special Duty Pukhraj Singh told The
India Site in an exclusive interview: "Recent developments include the
public release of a cybersecurity policy by the Ministry...
 

Posted by InfoSec News on Sep 20

http://www.washingtonpost.com/blogs/checkpoint-washington/post/after-stuxnet-waiting-on-pandoras-box/2011/09/20/gIQAOkw0hK_blog.html

By Jason Ukman
Checkpoint Washington
The Washington Post
09/20/2011

The mysterious computer worm known as Stuxnet has gained more than a
little notoriety since it was discovered in the summer of 2010. It
wreaked havoc on Iran’s nuclear program. It stirred suspicions that it
had been unleashed by the Israelis,...
 
Internet Storm Center Infocon Status