InfoSec News

For the iOSsphere, it’s like the iPhone 4S never happened. The fever of speculation around the Next Apple iPhone rises and ebbs like a great tide, ever restless.
This week we released a diary on the Oracle Critical Patch Update [3]. We would also like to emphasise that Oracle also released a Java SE Critical Patch Update that patches multiple vulnerabilities (it also includes non-security fixes); the complete list is available here [1][2].

[1] http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

[2] http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA

[3] http://isc.sans.edu/diary/Oracle+Critical+Patch+Update/11839
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple's iCloud is a nice tool for keeping contacts, calendar items, and other data in sync between my iPhone and iPad, but what about keeping everything synced up with my Windows PC? Apple has that covered as well with the iCloud Control Panel for Windows.
A weakness in XML Encryption can be exploited to decrypt sensitive information, researchers say.
Apple's talkative new virtual assistant is no parlor trick. It's a powerful tool that can transform how you live and work.

Ever wondered whether events like WikiLeaks pertain only to government agencies or large companies? Information is a precious commodity. Many institutions, regardless of their size, hold information of interest to many people, and those people are willing to pay large sums of money for it or even commit serious criminal acts to get it.

How can anybody get access to information in an unauthorized manner? There are attackers who at all times seek to exploit the vulnerabilities of information systems, but there are also users who, once they have been authorized to access a specific information asset, may have unrestricted access to the information and carry out actions such as copying and stealing it through removable storage media, e-mail, Dropbox, among others.

This means it is necessary to put in place controls that allow a user who has been authorized to access the information to manipulate it only in the ways allowed by the information asset classification. This is known as Data Loss Prevention (DLP). Under what criteria can we classify information? We can use the classic ones: confidentiality, integrity and availability, and we can also add other important ones such as traceability and non-repudiation. Traceability is the property of information that helps determine the operations performed on it at all times, and non-repudiation is the property that ensures a transaction was performed by the person whose user ID performed it and no other. Depending on the classification on each variable, the operations allowed on the information asset can be defined as read only, e-mail transmission, shared resource copy, among many others.

Data Loss Prevention Software allows monitoring of the following:

Data in motion: When you have a network security perimeter in place, just before traffic reaches the firewall you can put the DLP device to monitor incoming and outgoing traffic and then find out which users are violating information security rules by performing unauthorized transmission of information assets.
Data at rest: Information assets are stored on servers located inside datacenters. DLP software can be installed on servers to learn about sensitive information stored in unsecure locations such as open Windows shares and unencrypted storage devices.
Data in use: DLP software can be installed on endpoint devices to control the transmission of information assets through channels like instant messaging, desktop e-mail clients and web transmissions.

DLP implementations are very challenging because of information identification. If information is not correctly identified, false positives arise and can be very painful, as they can stop the information flow inside the whole company. That is why you should perform several accuracy tests with the information asset classification and solve any problems before deploying.
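As an added illustration (not part of this diary and not the code of any DLP product), the following Python sketch ties together three points made above: content-based identification of an information asset, a policy table that maps each classification to the operations it allows (read only, e-mail transmission, shared resource copy, removable media), and the false-positive problem. The card-number pattern, the Luhn check, the "CLASSIFICATION:" marker format, the policy table and the sample documents are all assumptions constructed for the example; a real deployment would use the organisation's own classification scheme and far richer fingerprinting. The example deliberately contrasts a naive digit-pattern detector with one that validates its candidates, because that is exactly where an untested identification rule stops legitimate traffic.

```python
import re

# Hypothetical candidate pattern: 13-19 digits, optionally separated by spaces or dashes.
# Used alone it also matches order numbers, timestamps and similar sequences (false positives).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical explicit classification marker placed in document headers.
MARKER = re.compile(r"CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL)", re.IGNORECASE)

# Hypothetical policy table: operations permitted for each classification level.
ALLOWED_OPERATIONS = {
    "public": {"read", "email", "share_copy", "removable_media"},
    "internal": {"read", "email", "share_copy"},
    "confidential": {"read"},
}

# Constructed sample documents; the numbers are test values, not real data.
SAMPLE_DOCS = {
    "cardholder_export.txt": "CLASSIFICATION: PUBLIC\nRefund for card 4111 1111 1111 1111 approved.",
    "order_report.txt": "CLASSIFICATION: INTERNAL\nOrder reference 1234 5678 9012 3456 shipped.",
    "press_release.txt": "CLASSIFICATION: PUBLIC\nWe are opening a new office next month.",
}


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_naive_candidates(text: str) -> int:
    """Number of hits the pattern-only detector would raise (no validation at all)."""
    return len(PAN_CANDIDATE.findall(text))


def find_pans(text: str) -> list:
    """Return digit strings that look like a card number AND pass Luhn.

    Candidates that fail the checksum are dropped, which removes most
    order-number style false positives that the bare pattern would flag.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str):
    """Content-based classification.

    Validated card numbers force 'confidential' even if the document carries a
    lower marker; otherwise the explicit marker is used; unmarked content is
    treated as 'internal' as a fail-safe default (assumption for this example).
    """
    pans = find_pans(text)
    if pans:
        return "confidential", pans
    m = MARKER.search(text)
    if m:
        return m.group(1).lower(), []
    return "internal", []


def evaluate(text: str, operation: str) -> dict:
    """Decide whether an operation on the content is permitted by the policy table."""
    label, evidence = classify(text)
    return {
        "classification": label,
        "operation": operation,
        "allowed": operation in ALLOWED_OPERATIONS[label],
        "evidence": evidence,
    }


if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        for op in ("email", "removable_media"):
            verdict = evaluate(body, op)
            print(f"{name:24} {op:16} -> {verdict['classification']:13} "
                  f"allowed={verdict['allowed']} naive_hits={count_naive_candidates(body)}")
```

Running it shows the order report being flagged by the naive pattern but passed by the validated detector, while the refund note is escalated to confidential regardless of its PUBLIC marker and blocked from e-mail and removable media. The accuracy tests the diary recommends are, in effect, running a corpus of known documents through `evaluate` and checking the verdicts before the policy is enforced.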

Please keep in mind that business needs come first and need to be satisfied. You cannot implement controls that make the company's operation slow and painful. Check the Control 15 implementation tips for more information.

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: http://twitter.com/manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
As new information about the Duqu continues to come out, some experts are starting to question whether the danger from the trojan has been exaggerated.
Google looks close to unleashing Google+ on the enterprise.
The evolution of social-networking capabilities in corporate systems, and technologies that dramatically boost productivity and reduce risk, are themes that dominate the "Top Ten Predictions 2012" from one IT research firm.
On Monday, we polled IT and business leaders about how they're using public and private clouds. The respondents to our pair of surveys who say they are well on the way to a completely virtual data center outnumber those who haven't started using the cloud at all.
Samsung confirmed Friday that another in its line of tablet computers, the Galaxy Tab 7.0 Plus, will sell for $399.99 starting Nov. 13.
All-you-can-eat data ran up against booming demand this week as Sprint Nextel became the last big U.S. carrier to end unlimited mobile broadband plans. But those unlimited plans may come back -- some day.