InfoSec News

Yesterday, I wrote about all the great things Apple did to improve security in its new operating system. Today however, we got a new, and quite different, vulnerability. It turns out that the firmware in Apple's laptop batteries is secured with a default password. An attacker would be able to use this password to change the battery firmware or settings, permanently ruining the battery. So it's more of a denial of service attack. Persistent malware should be possible, but it is not clear how much access it would have to the system.
It is always amazing what devices have firmware which may be manipulated by an attacker. I remember a while back a firmware update for the DisplayPort to VGA adapter. If there is a firmware update, there is always a chance for a malicious firmware install. Recently, we talked about Thunderbolt, Intel's new interface standard that provides direct bus access similar to FireWire. Thunderbolt cables are far removed from the pairs of copper we are used to. Instead, each Thunderbolt cable has active circuits, and, you guessed it, firmware embedded in the connector.
A malicious Thunderbolt cable could potentially have direct access to system memory and disk.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle has been ordered to lower its multibillion-dollar claim for damages in its patent infringement lawsuit against Google and its Android operating system, court papers show.
Google has acquired Pittsburgh Pattern Recognition, known as PittPatt, a company that develops technology for recognizing faces in images and video, according to PittPatt's website.
Overall, most Mac users upgrading to the new Lion version of Mac OS X seem to be doing so with minimal problems. There's still ongoing debate about whether Lion, which introduces concepts and features from Apple's mobile iOS platform, really roars.
IcedTea6 and IcedTea-Web Information Disclosure and Security Bypass Vulnerabilities.
With the explosion of job-specific data center appliances, it is common today to find several appliances monitoring a single resource. A typical scenario, for example, is three appliances monitoring the same connection, with one monitoring flows, another doing performance analysis and a third providing intrusion detection functionality.
With an eye toward helping tomorrow's data-deluged organizations, IBM researchers have created a super-fast storage system capable of scanning in 10 billion files in 43 minutes.
The post-PC era is not yet upon us, executives from Intel and Advanced Micro Devices insisted this week in conference calls to discuss their earnings, where the impact of tablets on their businesses was the big question.
libvte9 'vte_sequence_handler_multiple()' Function Remote Denial of Service Vulnerability
Mozilla is scrambling to deal with Google's decision to drop the Google Toolbar for Firefox, according to notes on Mozilla's website.
Linux-HA OCF Resource Agents 'LD_LIBRARY_PATH' Multiple Local Privilege Escalation Vulnerabilities
Thousands of SAP partners who sell the Business All-in-One ERP suite and Business Objects analytics software can now also offer customers Sybase mobile technology and applications.
Kaspersky CTO wants Apple to open up its iPhone platform, but that could increase the risk of threats, say some security experts.

Data breaches are more prevalent and more costly than ever. Smarter technologies seem to breed smarter hackers, making it difficult for IT to keep up. But sometimes IT unwittingly helps the bad guys by improperly using core tools, such as remote support mechanisms.
Newly purchased security products aren't going to deploy themselves.
Adobe has backpedalled from a claim that its popular Flash Player did not work with OS X Lion's hardware acceleration, saying that a testing mistake led it to the wrong conclusion.
A raft of computer and software vendor financial results this week, including reports from IBM, Intel, Apple and Microsoft, revealed some record quarterly results and a healthy market for business technology, though clouds remain for segments of the consumer arena.
Oracle Sun CVE-2011-2294 Remote Solaris Vulnerability
Oracle Sun CVE-2011-2295 Local Solaris Vulnerability
Oracle Sun CVE-2011-2290 Local Solaris Vulnerability
Demand for Google+ business profiles has reached white-hot intensity, prompting Google+ leader Vic Gundotra to acknowledge the company has been caught off guard, but pledging a fix is being fast-tracked.
Oracle Sun CVE-2011-2259 Local Solaris Vulnerability
Aaron Swartz, founder of progressive action group Demand Progress, has been a bad boy, but how bad?
The U.K.'s largest airport, Heathrow, will install facial recognition scanners by September for international and domestic passengers to prevent illegal immigration in the country.
Verizon Communications on Friday reported revenue of $27.5 billion for the second quarter of 2011, up 2.8% from the second quarter of 2010, largely driven by mobile subscriber additions.
Linus Torvalds has designated the new release of the Linux operating system kernel posted Friday as version 3.0, even while maintaining that the release is only a routine update.
Toyota has developed a safety system that can automatically stop a car in the moments before a collision with a pedestrian.
PRADO 'TActiveFileUpload.php' Directory Traversal Vulnerability
Kaiser Permanente's 'CIO Challenge' pumps up IT morale while promoting healthier lifestyles.
After announcing smartphones with a dedicated Facebook button, HTC is trying the same formula in China. This time it will have a button connecting to one of the country's largest Twitter-like services.
Joomla! AlphaRegistration Component 'email' Parameter SQL Injection Vulnerability
Oracle may depose Google CEO Larry Page and two others in connection with its lawsuit accusing Google of patent infringement in its Android operating system, a magistrate in California ordered on Thursday.
A U.S. Department of Commerce official says the agency will convene groups to develop privacy codes of conduct.
Sun Microsystems offered to license its Java technology to Google for US$100 million, a Google attorney said Thursday, attempting to show that Oracle is out of touch as it seeks billions from Google for patent infringement.

Posted by InfoSec News on Jul 21

By Dan Goodin in San Francisco
The Register
21st July 2011

With Wednesday's release of Mac OS X Lion, Apple has definitively
leapfrogged its rivals by offering an operating system with
state-of-the-art security protections that make it more resistant to
malware exploits and other hack attacks, two researchers say.

Unlike the introduction of Snow Leopard in 2009, which...

Posted by InfoSec News on Jul 21

By Kelly Jackson Higgins
Dark Reading
July 21, 2011

More than 80 percent of organizations disable functions in their network
security products because they slow the network, according to a newly
released survey.

Crossbeam Systems surveyed 500 network security,...

Posted by InfoSec News on Jul 21

By Elizabeth Montalbano
July 21, 2011

Hacktivist group Anonymous was at it again Thursday, claiming it had
breached the servers of the North Atlantic Treaty Organization (NATO),
but that it likely would not reveal most of the 1 gigabyte of
information it said was stolen.

"Yes, #NATO was breached. And we have lots of restricted material," the

Posted by InfoSec News on Jul 21

By Jaikumar Vijayan
July 21, 2011

One of Sony's insurers has asked a New York court to absolve it of any
responsibility for defending or indemnifying Sony against claims arising
from the recent data breaches at the company.

In a lawsuit filed Wednesday, Zurich American Insurance Company argued
that Sony's...

Posted by InfoSec News on Jul 21

By Tony Bradley
July 20, 2011

There has been an epidemic of data breaches in recent months, prompting
action in the United States Congress to introduce new legislation to
protect consumer data. A recent survey, however, found that most
businesses are more concerned with their own brand integrity and
reputation than whatever...

Posted by InfoSec News on Jul 21

The Wall Street Journal
JULY 21, 2011

Recent hacking attacks on Sony Corp. and Lockheed Martin Corp. grabbed
headlines. What happened at City Newsstand Inc. last year did not.

Unbeknownst to owner Joe Angelastri, cyber thieves planted a software
program on the cash registers at his two Chicago-area magazine shops
that sent...

Posted by InfoSec News on Jul 21
July 18, 2011

An elite team of computer technicians assembled by the Obama
administration to protect Pentagon networks from cyberattack shockingly
includes a former Clinton official who "lost" thousands of archived
emails under subpoena and who more recently left the Department of
Homeland Security under an ethical cloud related to her qualifications,
WND has learned.

The administration...