InfoSec News

Firefox versions 3.6.4 and 3.5.10 fixed nine flaws but Mozilla instead emphasized the addition of plug-in crash protection over the security fixes.
 
Fiberlink Communications thinks it can cut patch management costs for IT departments with a new cloud-based service.
 

HP upgrades ProLiant servers
ZDNet Asia
Paper highlights device #infosec problem. http://tinyurl.com/3232unl RT @alexcovic: Gotta love this - computer viruses can infect devices inplanted in human ...

and more »
 
The U.S. needs local education and training programs and better computer reuse programs to overcome a large broadband adoption gap, speakers at a broadband adoption forum said Tuesday.
 
Researchers in the U.K. are developing a lean-and-mean programming framework called Mirage that is designed specifically to support applications running on cloud infrastructure platforms such as Amazon Web Services and Google App Engine.
 
The research firm argues social networking isn't the responsibility of enterprise information security, but social media governance policies and monitoring practices are important.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Facebook - Social network service - Online Communities - Social Networking - Services
 
Trustwave has acquired Breach Security for an undisclosed sum, an acquisition that the company said would bring Breach Security's Web application firewall together with Trustwave's own enterprise security tools.
 
The research firm argues social networking isn't the responsibility of enterprise information security, but social media governance policies and monitoring practices are important.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Facebook - Social network service - Online Communities - Social Networking - Services
 
More than one in four Apple iPhones break or fail within two years, a company that provides after-sale warranties said today.
 
Apple announced that iPad sales have surpassed three million less than three months after the tablet computer launched
 
With its popular software increasingly targeted by hackers, Adobe has stepped up efforts to secure its applications.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Software development - Adobe Systems - Companies - Adobe - Consultants
 

Garnter: Companies shouldn't bother banning Facebook, social networking
SearchSecurity.com
Tuesday at Gartner's Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social ...

and more »
 
The Google Voice telephony management system is now open to all U.S. residents; invitations to sign up no longer needed.
 
Somewhere between the premium e-readers and the bare-bones, low-cost models lies the Kobo eReader. Kobo has its sights set on delivering a satisfying e-reading experience, without the cost premium of blue-chip competitors like Amazon and Sony. In this mission, Kobo only partly succeeds. At $150, the Kobo eReader is almost half the price of an Amazon Kindle 2, and one of the least-expensive E-Ink devices available (price as of June 7, 2010). However, in spite of its refreshing interface, its usability suffers from sluggish performance and stiff buttons.
 
LinkedIn's Groups pages just got a facelift. Here's a look at the new, more interactive options and what they can do for you.
 
WiMax service provider Clearwire has raised more than $290 million in a rights offering, part of a continuing effort to build up its war chest as it deploys a national 4G network.
 
As part of Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical. But Apple's iPad isn't slated to get the iOS 4 update until this fall.
 
The administation of President Barack Obama Tuesday announced plans to require that all government contractors check for illegal software, and to apply pressure to countries that don't shutter piracy Web sites.
 
Hewlett-Packard on Tuesday announced new blade and rack servers designed to deliver more performance while combining hardware and software capabilities to improve server reliability and lower energy costs.
 
Lenovo's IdeaPad Y460 laptop is probably the closest thing to a Transformer I'll ever have my hands on. As tested, the Core i5-520M processor, 4 gigs of RAM, and the 64-bit version of Windows 7 together provide plenty of power -- the vehicle form, so to speak, of the Y460. But flick a switch up front, and the Y460's ATI Mobility Radeon HD 5650 graphics card springs into action, turning the machine into a power-chugging powerhouse. It's a cool feeling to suddenly have tons more power when you need it, but is it worth its list price of $1199?
 
Trustwave said it would integrate Breach's Web application firewall into its pen testing and code review services. Vendor says it's committed to ModSecurity.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Security - Firewalls - Products - ModSecurity - Breach Security
 
Enterprise reinvention and enterprise risk management have been a challenge to implement in many large organizations. The key to unlocking the potential of both is to understand and overcome why the traditional implementation approach consistently struggles.
 
If you visited the Lenovo support site over the last few days, you may want to check out this link that Jim sent in. Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan
Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The PCI Security Standards Council will update the PCI Data Security Standard on a new three year cycle after the latest update is applied in October.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Conventional PCI - Security - Hardware - PCI Security Standards Council - PCI Data Security Standard
 
Does your laptop seem more like Clark Kent than Superman? Whether your notebook is a few years old or brand-new, hardware upgrades and software tweaks can add functions or enhance its capabilities. Here are 15 tricks to give your laptop superpowers.
 
Google is developing services to let consumers pay for access to news articles and songs through individual purchases and subscriptions, according to various news reports.
 
IBM today unveiled a new package of pre-integrated software applications, called the Financial Markets Industry Framework, configured for the financial services market
 
Security managers can keep blocking Facebook, refusing to support mobile devices and vetoing cloud-based services, but they aren't going away. And ignoring ways to make room for them in your security program is like burying your head in the sand, according to Tom Gillis, vice president and general manager of Cisco's security technology business unit, and author of the new book Securing the Borderless Network: Security for the Web 2.0 World.
 
An interview with Andrews International COO Ty Richmond about security at the FIFA World Cup soccer tournament.
 
When you're shopping for a new PC, don't meekly settle for the default processor recommended by the configurator. Picking the right CPU is a personal decision that you shouldn't enter into lightly. And with so many options to choose from, you need to know what you're getting into when you settle on a chip for your system. We've rounded up eight of the leading processors on the market and put them through a battery of rigorous tests to help you shop with confidence.
 
Where'sMyStuff? ($99) can quickly index and find files on multiple hard drives, and aims to reduce the need to manually type in search criteria. But it lacks features you'd expect in a paid desktop search program.
 
Worried about how to link IT networks with business partners without getting burned? Forrester analyst Usman Sindhu offers a 4-step strategy to ensure trust.
 
Botnets will be a major problem for at least the next two years and key cloud computing and virtualization security decisions could determine the outcome of future attacks.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Botnet - Cloud computing - Security - Gartner - Warfare and Conflict
 
People looking to buy new PCs or other gadgets will see prices continue to rise after a move by China's central bank to relax the exchange rate of its currency.
 
Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2, according to a new report.
 
Adobe Systems plans to release the final version of Flash Player 10.1 for smartphones on Tuesday, but very few people will be able to use it right away.
 
InfoSec News: Researcher Builds Mock Botnet Of 'Twilight'-Loving Android Users: http://blogs.forbes.com/firewall/2010/06/21/researcher-builds-mock-botnet-of-twilight-loving-android-users/
By Andy Greenberg The Firewall Forbes.com June 21, 2010
A word of caution to any Android users who downloaded an app over the past weekend promising pictures of the next Twilight film: Next time, your obsession with vampires might just turn your phone into a zombie.
In a talk at the hacker conference SummerCon last Friday, researcher Jon Oberheide gave a demonstration of just how easy it may be to infect large numbers of phones running Google's Android OS with hidden software that turns the devices into a zombie-like "botnet" under the control of a cybercriminal--particularly if that software associates itself with a phenomenon as popular and tween-entrancing as the upcoming Twilight Eclipse film.
Oberheide focused on what may be a serious security weakness in Android's App Market: that apps don't have to ask permission from a user to fetch new executable code. Even after an app has been approved for downloads in Google's market, Oberheide says, it can still metamorphose at will into a much less friendly program.
Oberheide, who works for security startup Scio Security, developed an application called "RootStrap" to demonstrate that trust problem for Android apps. After it's installed, Rootstrap periodically "phones home" to check for any new code that Oberheide wants to add to the program, including any hidden control program or "rootkit" that he wished to install--hence the program's name. "This is probably the most effective way to build a mobile botnet," Oberheide told SummerCon's audience of hackers and security researchers.
[...]
 
InfoSec News: Government devotes more brainpower and money to cybersecurity: http://www.washingtonpost.com/wp-dyn/content/article/2010/06/21/AR2010062104680.html
By Walter Pincus The Washington Post June 22, 2010
Cybersecurity, fast becoming Washington's growth industry of choice, appears to be in line for a multibillion-dollar injection of federal [...]
 
InfoSec News: Looking For Vulns In All The Right Places? Experts Say You Might Be Missing A Few: http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=225700674
By Keith Ferrell Contributing Writer DarkReading June 18, 2010
The biggest vulnerabilities in the enterprise might be items we see every day -- and just don't think about. [...]
 
InfoSec News: Stock Manipulation Botnet Surfaces: http://www.informationweek.com/blog/main/archives/2010/06/stock_manipulat.html
By George Hulme InformationWeek June 21, 2010
A Belgian federal investigation into an electronic bank account heist reveals a sophisticated attack designed to manipulate stock prices, a [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, June 13, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, June 13, 2010
4 Incidents Added.
======================================================================== [...]
 
InfoSec News: Darpa Taking Fire for Its Cyberwar Range: http://www.wired.com/dangerroom/2010/06/darpa-taking-fire-for-its-cyberwar-range/
By Noah Shachtman Danger Room Wired.com June 21, 2010
Two years ago, the White House and the Pentagon launched a massive, secretive $17 billion effort to shore up the nation's defenses, and [...]
 

Posted by InfoSec News on Jun 21

http://blogs.forbes.com/firewall/2010/06/21/researcher-builds-mock-botnet-of-twilight-loving-android-users/

By Andy Greenberg
The Firewall
Forbes.com
June 21, 2010

A word of caution to any Android users who downloaded an app over the
past weekend promising pictures of the next Twilight film: Next time,
your obsession with vampires might just turn your phone into a zombie.

In a talk at the hacker conference SummerCon last Friday, researcher...
 

Posted by InfoSec News on Jun 21

http://www.washingtonpost.com/wp-dyn/content/article/2010/06/21/AR2010062104680.html

By Walter Pincus
The Washington Post
June 22, 2010

Cybersecurity, fast becoming Washington's growth industry of choice,
appears to be in line for a multibillion-dollar injection of federal
research dollars, according to a senior intelligence official.

Delivering the keynote address at a recent cybersecurity summit
sponsored by Defense Daily, Dawn...
 

Posted by InfoSec News on Jun 21

http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=225700674

By Keith Ferrell
Contributing Writer
DarkReading
June 18, 2010

The biggest vulnerabilities in the enterprise might be items we see
every day -- and just don't think about.

Experts say that vulnerability assessments often overlook the everyday
dangers: Network-attached devices that aren't computers. Paper
documents. Passwords posted...
 

Posted by InfoSec News on Jun 21

http://www.informationweek.com/blog/main/archives/2010/06/stock_manipulat.html

By George Hulme
InformationWeek
June 21, 2010

A Belgian federal investigation into an electronic bank account heist
reveals a sophisticated attack designed to manipulate stock prices, a
Belgian newspaper reported over the weekend.

This news report in the Belgian newspaper De Tijd described a
highly-targeted botnet that was designed to infiltrate software trading...
 

Posted by InfoSec News on Jun 21

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, June 13, 2010

4 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open
Security Foundation asks for contributions of new incidents and new data for...
 

Posted by InfoSec News on Jun 21

http://www.wired.com/dangerroom/2010/06/darpa-taking-fire-for-its-cyberwar-range/

By Noah Shachtman
Danger Room
Wired.com
June 21, 2010

Two years ago, the White House and the Pentagon launched a massive,
secretive $17 billion effort to shore up the nation's defenses, and
assigned Darpa a crucial role: build a replica Internet - a "National
Cyber Range" - that could not only be used to test out information
attacks, but could...
 
One of the reasons that I love going to conferences is that it really makes me think. Being around some of the best minds in information security. talking to people, listening to thier views and re-evaluating my own opinions based on any new information is a big takeaway for me.



For those who were not at SANSFire this year and didn't otherwise follow the Handler's annual State of the Internet Panel, one of the questions asked of the panel was (and I'm paraphrasing because I can't remember the exact word for word question) Every year we hear a prediction that this will be the year that mobile malware becomes wide spread. Do you think that will happen this year?



I remember giving some answer along the lines of Well, we've already had a few examples and one of the other Handlers cited the malware infested apps that became available (breifly) from the iTunes Store. The panel concluded and we all went about our business but something was nagging me. Something just didn't feel right.



I started talking to a few friends discussing mobile security and then looked at my own devices.



How would I really know if there was malware on my smart phone?



Malware authors have become increasingly good at hiding the presence of malware on infected systems and I didn't have anti virus on my phone, a problem which has since been corrected. But given the problems with signature based AV protection, do I really have confidence that I'm protected?



How do we really know that mobile malware is not widespread right now?



Please take a moment and answer the poll that I've posted and if you have some creative ways you're protecting your mobile devices, send them in and I'll post them.
While 130 people is not a statistically large sample we do have some interesting preliminary results.
Of 130 people, only 15 are scanning for malware.
Of those 15, 3 (20%) have detected malware.
If you extrapolate that percentage out to the entire sample, 23 people who responded who do not scan would be infected with malware.
For now, I'm filing that under Things that make you go Hmmmmm.
Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Internet Storm Center Infocon Status