InfoSec News

Facebook has sued Faceporn.com, claiming the porn site essentially copied Facebook to build an X-rated social network.
 
Apple will stop bundling Adobe's Flash with Mac OS X, the company confirmed Friday.
 
Here's a provocative prediction for you: By 2012, there will be more non-IT than IT devices on the typical corporate network. This came from an IT professional I work with, who's seeing these trends already on his network.
 
Mozilla Firefox SeaMonkey Thunderbird Modal Calls Cross Domain Information Disclosure Vulnerability
 
Mozilla Firefox SeaMonkey and Thunderbird 'document.write' Memory Corruption Vulnerability
 
The Web is a great place to search for information--and a lousy place to actually read it. When you find long articles that you want to read, you have to click through to multiple pages, contend with ads and graphics that distract your attention, and deal with poor printing options. Firefox add-on iReader (free) may change that for you.
 
Steve Jobs was a busy man this week, making a rare appearance on Apple's quarterly earnings call where he availed himself of the opportunity to trash-talk the competition, which seems to be a hobby for him of late, and taking the stage at a company event focused on Mac hardware and software. In other news, Microsoft took to the cloud.
 
As the holiday shopping season nears, many companies are launching products that could be popular sellers. With its starting price down to US$999, Apple's lightweight MacBook Air laptop is high on my shopping list. Canon's new PowerShot SD4500 IS, a point-and-shoot digital camera that can shoot 1080p high-definition video, is another product I may buy, but only if its $349 price comes down. Other coveted products expected to be out soon include Dell's Venue Pro smartphone and Adam's Notion Ink tablet.
 
The W3C has updated its standard for representing mathematical notation on the Web
 
Justice Department report says FBI Sentinel computer system lacks features, is over budget.
 
Facebook Thursday announced that it will start encrypting User IDs before they are transmitted to third-party Web sites.
 
Under fire for months over its capture of people's Wi-Fi traffic data, Google has announced several steps aimed at preventing similar missteps in the future.
 
Mozilla Firefox SeaMonkey and Thunderbird 'nsBarProp' Use-After-Free Memory Corruption Vulnerability
 
The Criptored guys are building a new project called intypedia to provide free on-line training in several topics of information security. There will be videos in both Spanish and English. The first stage will contain introductory content, and upcoming ones will be targeted to people of all knowledge levels.
Upcoming lessons are:

History of Cryptography and its Early Stages in Europe
Secret-Key Cryptography
Public-Key Cryptography
Network and Internet Security

If you are new to security, it's a good place to start. More information at http://www.criptored.upm.es/intypedia/index.php?lang=en
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apple's lowest-priced MacBook Air costs the company $718 to manufacture, giving the company a heftier margin for the line than for its other notebooks, an analyst said.
 
Analysts say Apple's backing and declining prices of SSDs could convince consumers and CIOs that hard drives aren't always needed. Is the death of the hard drive near?
 
RoarAudio 'LD_LIBRARY_PATH' Local Privilege Escalation Vulnerability
 
OCS Inventory NG Agent 'Backend.pm' Perl Module Handling Code Execution Vulnerability
 
Removable media are nothing new. Computer storage started with removable media, and those of us old enough likely have fond memories of cassette tapes and floppy disks. What changed, primarily, is the ubiquity of such media and the stunning capacity of memory sticks, USB drives, iGadgets, etc.

In addition to a lot of Good Things, removable media come with two prominent risks:

(1) Given that such media are used as a carrier of data between computers, they are also a good carrier of communicable diseases, aka computer viruses.

(2) The small form factor of such media makes it very easy to misplace or lose the device, and all the data on it.

Both problems can be stopped, of course, by banning the use of removable media completely. Some firms and organizations are trying this, but since computers come with built-in ports of all sorts, DVD writers, Bluetooth and so on, it is very hard and costly to get this right. Also, it usually doesn't stop staff from exchanging data; they'll just find some other way, like uploading it to a file exchange site. Thus, while a complete ban of a certain technology is often the first reaction of Security in a corporate setting, it hardly ever works in the long run.

If we assume that the USB ports are accessible and usable, here are three things you can do to reduce the virus risk:

(a) Disable AutoRun
AutoRun is one of the dumbest inventions ever. Attaching a device or inserting a DVD should *never* lead to direct execution of a program without explicit user action. Viruses propagating via removable media became almost completely extinct when the boot floppy vanished, but came back in force once Microsoft put AutoRun into XP. Thankfully, it can be completely turned off, and should be. http://support.microsoft.com/kb/967715 shows how.

(b) Enable Anti-Virus
For anti-virus, auto-run is desired. It makes good sense to have antivirus do a quick and automatic scan of any newly attached or inserted removable media, as soon as the file system is mounted. Especially in a corporate setting, you might want to know if one of your staff brings in a keylogger on a memory stick, even when the malicious file is not actually started.

(c) Write Protect
If you are in a support or techie role that requires you to attach your memory stick to many different PCs, for example to run diagnostic programs or software updates, do everyone a favor and invest in a memory stick that can be write protected. A stick that has no internal memory and only acts as an SD card reader, for example, can do the job, as can other USB media that come with a write protect switch. This keeps the USB memory clean even when attached to an infected PC.
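As an added example for item (a), not part of the ISC diary, the following PowerShell script audits the NoDriveTypeAutoRun policy value that KB967715 uses to turn AutoRun off, decodes its bitmask so you can see which drive types would still AutoRun, and with -Fix applies the 0xFF value the KB recommends. It assumes the standard Explorer policy key paths under HKLM and HKCU and the documented default of 0x91 when the value is absent.

```powershell
# Added example (not from the ISC diary): audit the NoDriveTypeAutoRun policy value
# described in KB967715 and optionally apply the 0xFF "disable everywhere" setting.
param([switch]$Fix)

# Bitmask layout of NoDriveTypeAutoRun (bit position = DRIVE_* type constant).
# A set bit SUPPRESSES AutoRun for that drive type; 0xFF suppresses all of them.
$DriveBits = @(
    @{ Bit = 0x01; Name = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x02; Name = 'DRIVE_NO_ROOT_DIR' },
    @{ Bit = 0x04; Name = 'DRIVE_REMOVABLE (USB stick, floppy)' },
    @{ Bit = 0x08; Name = 'DRIVE_FIXED' },
    @{ Bit = 0x10; Name = 'DRIVE_REMOTE (network share)' },
    @{ Bit = 0x20; Name = 'DRIVE_CDROM' },
    @{ Bit = 0x40; Name = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Name = 'reserved / unspecified' }
)

# Policy locations (assumed standard paths); the machine-wide HKLM value takes precedence.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunMask([string]$Path) {
    # $null when the value is absent; Windows then falls back to its default (0x91).
    try { (Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction Stop).NoDriveTypeAutoRun }
    catch { $null }
}

foreach ($p in $Paths) {
    $mask = Get-AutoRunMask $p
    if ($null -eq $mask) {
        Write-Output "$p : NoDriveTypeAutoRun not set, default 0x91 assumed"
        $mask = 0x91
    } else {
        Write-Output ('{0} : NoDriveTypeAutoRun = 0x{1:X2}' -f $p, $mask)
    }
    foreach ($d in $DriveBits) {
        $state = if ($mask -band $d.Bit) { 'suppressed' } else { 'ENABLED' }
        Write-Output ('    {0,-36} AutoRun {1}' -f $d.Name, $state)
    }
}

if ($Fix) {
    # KB967715: 0xFF in the HKLM policy key disables AutoRun for every drive type.
    $hklm = $Paths[0]
    if (-not (Test-Path $hklm)) { New-Item -Path $hklm -Force | Out-Null }
    Set-ItemProperty -Path $hklm -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Write-Output "Set $hklm\NoDriveTypeAutoRun to 0xFF (AutoRun disabled for all drive types)"
}
```

Run it without parameters to report; run it with -Fix from an elevated prompt to apply the setting, and note that a hotfix from the KB may be needed on older XP/2003 systems before the value is fully honored.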

To address the problem of data loss, encryption is the only viable answer. Free software like TrueCrypt (truecrypt.org) comes with cross-platform support, is reasonably easy to use, and provides good protection if used with a decent password. In a corporate setting, chances are you already have a way to encrypt files or folders. Using one of these programs, make sure you gather the data to be copied in a folder that is *not* on the stick, encrypt it there, and only then copy the encrypted archive over to the USB media. Otherwise, you create temporary files that can be retrieved by a skilled attacker. In case the stick gets lost, the separate copy on the source system also gives you a perfect inventory of what was actually lost, which can be invaluable.

If you have additional tips on how to safely use removable media, let us know (http://isc.sans.edu/contact.html) or use the comment form below. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
libsmi 'smiGetNode()' Long OID Remote Buffer Overflow Vulnerability
 
[ MDVSA-2010:209 ] libsmi
 
[SECURITY] [DSA 2122-1] New glibc packages fix local privilege escalation
 
Apple, actually Steve Jobs, put on another big show this week. The well attended and very well covered show was vintage Apple. Remarkable showmanship with a reasonable amount of actual content.
 
Several Internet companies, including Facebook, Zynga, Amazon.com AOL and Comcast, have created a $250 fund that will be used to help guide social networking firms through their early days.
 
Dell will push Google's Android 2.2 OS to its Streak handheld devices in a matter of "weeks," a company executive said this week.
 
Verizon Communications reported revenue of $26.5 billion for the third quarter, down 2.9% from a year earlier, with the drop largely due to a loss of revenue from sold operations.
 
InterSystems Cache 'UtilConfigHome.csp' Remote Stack Buffer Overflow Vulnerability
 
Microsoft Internet Explorer Uninitialized Memory Word Document Remote Code Execution Vulnerability
 
Discuz! '2fly_gift.php' SQL Injection Vulnerability
 
RETIRED: 2FLY Gift Delivery System 'gameid' Parameter SQL Injection Vulnerability
 
The vulnerability could be exploited by an attacker to cause a crash and take control of a victim's system.
 
Google patched 11 vulnerabilities in Chrome on Thursday as it updated the browser to version 7.
 
When it comes to the supply chain, best practices gleaned from the likes of Apple and Cisco simply don't apply to all companies' problems. Here's some advice on how to think more critically about improving supply chain.
 
In an effort to spur cloud adoption, Microsoft is making an unusual move: participating in an open-source project.
 
Mobile operators speaking at the 4G World conference in Chicago are feeling the pressure to hasten rollouts of the faster networks across the United States.
 
[security bulletin] HPSBMA02593 SSRT100237 rev.1 - HP Virtual Connect Enterprise Manager (VCEM) for Windows, Remote Arbitrary File Download
 
Remember that disappointing HP tablet with Windows 7 from January that everyone thought was scrapped? Well, it's called the HP Slate and it's out now for a whopping $799. Before you get click-happy on HP's website, though, you might want to have a look at this: put alongside other tablets, the HP Slate could disappoint you, again.
 
In a bid to set itself apart from the smartphone competition, Lumigon, a small Danish manufacturer that has never launched a product, is aiming to ship this quarter an Android-based phone with amplification technology from Bang & Olufsen and an FM transmitter.
 
[USN-1008-1] libvirt vulnerabilities
 
[USN-1008-2] Virtinst update
 
Some have described Office 365 as a rebranding exercise. But that's not really it. Others would have you believe that it's "Office in the cloud." But that not quite right, either. So what is it, and why should you care?
 
The Electronic Privacy Information Center has given the Obama Administration mediocre grades in its second annual privacy report card released this week.
 
Sharp is scaling back its laptop PC operations and will focus resources on its recently announced Galapagos tablet PC and mobile terminals, the company said.
 
Sleipnir Binary Loading Arbitrary Code Execution Vulnerability
 
Microsoft is pushing a plan to prevent consumer computers from spreading malware. Senior Site Editor Eric B. Parizo says it's an idea that enterprise infosec pros should support.
 

Microsoft's Internet access control plan deserves a chance
SearchSecurity.com
Information security as an industry rarely has the opportunity to take such a large leap forward; enterprise infosec pros should support (or at least ...

Information Security Analyst
Silicon.com
... of IDS and SIEM systems, responding to support requests for INFOSEC issues and ensuring compliance with our clients' Information Security Policy. ...

CAG Vs. IG: Conflict Over Infosec
GovInfoSecurity.com
John Gilligan doesn't believe inspector general audits are worthless. If anything, some agencies' IGs do a better job than others in identifying problems ...
 
Photo enthusiast Sharon Machlis shares three great tools for sharing and showing digital images at their best.
 
Hewlett-Packard said its highly anticipated Slate 500 tablet--the company's first such device--is now available for purchase.
 
The increasing ubiquity of Apple's iPad is evident in airports and technology conferences, especially. The tablet's use is so widespread that an army of hands was raised when Salesforce.com CEO Marc Benioff asked at a Gartner conference how many people were using the tablet.
 
Relief agencies are working with data analysis and management tools from SAS Institute to better help victims of the devastating Pakistan floods.
 
Apple's decision to use SSD technology rather than a hard drive in the new MacBook Air -- and Steve Jobs' pronouncement that it represents the future of notebooks -- could hasten the replacement of traditional drives with NAND flash technology.
 
Microsoft plans to open a new online PC game store called Games for Windows Marketplace in the middle of November, it said Monday.
 
libvirt Multiple Local Security Bypass Vulnerabilities
 
InfoSec News: The Scariest Company In Tech: http://www.conceivablytech.com/3637/business/the-scariest-company-in-tech/
By Rob Enderle October 20, 2010
A rather controversial presentation came to light this week (it was done back in 2001) from an Oracle market intelligence executive. It suggests [...]
 
InfoSec News: Japan has national botnet warriors; why don't we?: http://arstechnica.com/tech-policy/news/2010/10/japan-has-a-national-botnet-fighter-wheres-ours.ars
By Matthew Lasar Ars Technica Oct 20, 2010
October is Cybersecurity Awareness Month here in the United States, which is a good thing, because we come down with more PC botnet [...]
 
InfoSec News: FBI Warns Of 'Corporate Account Takeover' Scams: http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=227900529
By Tim Wilson DarkReading Oct 21, 2010
Cybercriminals are targeting the financial accounts of small and midsize businesses (SMBs), fraudulently transferring money directly from their [...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2010-42: ========================================================================
The Secunia Weekly Advisory Summary 2010-10-14 - 2010-10-21
This week: 60 advisories [...]
 
InfoSec News: Mac users warned of growing virus threat: http://news.techworld.com/security/3245158/mac-users-warned-of-growing-virus-threat/
By John E Dunn Techworld 21 October 10
Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said [...]
 

Posted by InfoSec News on Oct 21

http://arstechnica.com/tech-policy/news/2010/10/japan-has-a-national-botnet-fighter-wheres-ours.ars

By Matthew Lasar
Ars Technica
Oct 20, 2010

October is Cybersecurity Awareness Month here in the United States, which is a good thing, because we come down with more PC botnet infections than any other country in the world. Microsoft reports 2.2 million US PCs hijacked for cybercrime or distributed denial of service (DDOS) attacks on websites...
 

Posted by InfoSec News on Oct 21

http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=227900529

By Tim Wilson
DarkReading
Oct 21, 2010

Cybercriminals are targeting the financial accounts of small and midsize businesses (SMBs), fraudulently transferring money directly from their accounts, the FBI warned yesterday.

In a fraud alert issued Wednesday, the FBI said "corporate account takeover" attacks use malware to steal passwords...
 

Posted by InfoSec News on Oct 21

========================================================================

The Secunia Weekly Advisory Summary
2010-10-14 - 2010-10-21

This week: 60 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 

Posted by InfoSec News on Oct 21

http://news.techworld.com/security/3245158/mac-users-warned-of-growing-virus-threat/

By John E Dunn
Techworld
21 October 10

Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said as it launched a new product that offers such protection.

Marketing spin to harvest the Apple economy or justified caution? Panda points to the numbers. There are now 5,000...
 

Posted by InfoSec News on Oct 21

http://www.conceivablytech.com/3637/business/the-scariest-company-in-tech/

By Rob Enderle
October 20, 2010

A rather controversial presentation came to light this week (it was done back in 2001) from an Oracle market intelligence executive. It suggests that Oracle has a CIA-like competitive intelligence unit that would be the envy of some countries and sleeper agents in most of Oracle’s competitors. While this last is troubling,...
 