InfoSec News

Just over a month after Hewlett-Packard said it would sell or spin-off its PC business, new CEO Meg Whitman on Thursday said the company will decide on a proposal to spin-off the PC unit by the end of the year.
 
Should the (ISC)2 look to grow the pool of CISSPs to meet demand, or boost CISSP value for those who already have it? Eric B. Parizo looks at both sides.

 

(ISC)2 at a crossroads: CISSP value vs. security industry growth
SearchSecurity.com
Most would agree that, over the years, the (ISC)2's work and the CISSP certification in particular have helped not only to raise the profile of the infosec community, but also to provide an easily recognizable benchmark: The certification can help CISSPs ...

 
The U.S. Federal Bureau of Investigation has arrested a Phoenix student, claiming that he is one of the LulzSec hackers responsible for a database attack on Sony Pictures computers that claimed more than 1 million victims.
 
At Facebook's f8 conference Thursday, CEO Mark Zuckerberg revealed some of the details of the Facebook Music Service, which is tied to its new Timeline feature. Essentially, it will allow you to populate your Facebook timeline with a constantly updating list of the music you're listening to from services such as Spotify, Rhapsody, MOG, Rdio, Slacker, iHeartRadio and others.
 
I stumbled across this nonsense while setting up a new toy, er, product here in the Gibbs Universal Industries Secret Underground Bunker.
 
Newly appointed Hewlett-Packard executive chairman Ray Lane vigorously defended the company's decision to oust CEO Leo Apotheker and replace him with board member and former eBay head Meg Whitman.
 
HP has put the rumors to rest by replacing CEO Léo Apotheker with Meg Whitman, but the big questions swirling around the company are anything but resolved.
 
Multiple Cisco Products CVE-2011-2738 Remote Code Execution Vulnerability
 
Oracle's new Database Appliance product, unveiled on Wednesday, should appeal to small and mid-size businesses that run both transactional and analytic applications, analysts said.
 
Ubuntu Linux 'apt-key' Program Security Bypass Vulnerability
 
With rising adoption of more powerful smartphones, mobile carriers are increasingly being held responsible for protecting sensitive data.

 
In September 2007, in a remote laboratory in Idaho, researchers working on a project dubbed "Aurora" demonstrated the ability of a cyber hacker to destroy physical equipment -- in this case a generator used to create electricity for the power grid. The Aurora research brought the question of physical safety and the ability for a nation to defend itself from attack in the cyber world to the forefront. For the next three years, this difficult discussion would largely remain just a discussion, contemplated, if passionately, in corners of Washington and at wonk-ish meetings across the U.S.
 
Security practitioners defend the value of SIEM after eIQnetworks declares the technology dead.
 
HP CEO Leo Apotheker was ousted from his position on Thursday and replaced by HP director and former eBay CEO Meg Whitman.
 
The U.S. Federal Trade Commission has asked a court to shut down websites that falsely suggested they were federal consumer assistance agencies or affiliated with government agencies focused on mortgage or debt relief, the agency said Thursday.
 
In an effort by organizers to spark the interest of lawmakers, a closed-door U.S. Capitol forum on the future of federal research was given a provocative title: 'Deconstructing the iPad: How Federally Supported Research Leads to Game-Changing Innovation.'
 
Mozilla has proposed a significantly slower Firefox release pace for enterprises, the result of a corporate backlash earlier this year against an accelerated scheme that ships a new edition of the browser every six weeks.
 
The U.S. Federal Communications Commission on Thursday took the first step toward updating the nation's 911 emergency dialing system to receive text messages, pictures and videos, in addition to voice calls.
 
Facebook has done an extreme makeover of its user profiles, redesigning the interface so that it's easy to surface not only recent updates but also years-old information, the company announced at its F8 developer conference on Thursday.
 
The U.S. edition of Yahoo News has been linked with Facebook to make it possible for users of the two sites to share with their Facebook friends the articles they have read on the Yahoo site.
 
More workers use iPhone and Android smartphones combined than BlackBerry smartphones, according to a survey of 1,681 U.S.-based workers released by Forrester Research.
 
Adobe Flash Player CVE-2011-2429 Security Control Bypass Information Disclosure Vulnerability
 
Adobe Flash Player CVE-2011-2426 AVM Stack Overflow Vulnerability
 
Adobe Flash Player CVE-2011-2428 Logic Error Remote Code Execution Vulnerability
 
The developers behind OpenStack have updated their open source cloud software package with a new graphical user interface and a unified authentication management system, the project's organizers announced Thursday.
 
The scoop: Icon HD + The Nerd, by Jawbone, about $140.
 
Hewlett-Packard CEO Leo Apotheker will likely be removed from his position on Thursday and replaced by HP director and former eBay CEO Meg Whitman, according to a Wall Street Journal report.
 
NTP 'ntpd' Autokey Stack Buffer Overflow Vulnerability
 
Oracle is buying GoAhead Software, which makes products designed to help network equipment providers improve service delivery. Terms of the deal, which is expected to be completed before year's end, were not disclosed.
 
Adobe said it is tracking reports that at least one of the coding errors is being actively targeted by attackers.

 
eSignal Multiple Buffer Overflow Vulnerabilities
 
Apple created the modern tablet market, and its iPad has become the undisputed king of tablet computers. The iPad promises to hold that dominance for years to come, research firm Gartner said Thursday.
 
There's been a lively discussion on vulnerabilities in TLS v1.0 this week, based on an article posted earlier in the week (http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/, http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/, http://isc.sans.edu/diary.html?storyid=11611), which may (or may not, stay tuned) be based on a paper written back in 2006 (http://eprint.iacr.org/2006/136.pdf). Both the paper and the article outline an attack that can decrypt some part of a TLS 1.0 datastream (the article on the attack discusses cookies; we'll need to wait to see what it actually does). In any case, we've been seeing a fair amount of advice in the press recommending upgrading servers to TLS 1.2. I happened to make such a recommendation on a mailing list, with the caveat "if it makes sense in your infrastructure", and was quickly corrected by Terry, an ISC reader. Terry correctly pointed out that upgrading your server is all well and good, but that's only half of the equation ...


Yes, many (most?) browsers are not yet TLS 1.2 capable. I did a quick check, and while TLS 1.2 has been around for 3 years (http://www.ietf.org/rfc/rfc5246.txt), he was absolutely right.

The TLS support for browsers right now is:

IE9 - TLS 1.0, 1.1, 1.2 all supported via Schannel

IE8 - TLS 1.0 supported by default; 1.1 and 1.2 can be configured

Opera 10.x - TLS 1.0, 1.1, 1.2

Mozilla/Firefox - TLS 1.0 only (vote here to get this fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=480514)

Chrome - TLS 1.0 only (though an update is rumoured)

Safari - TLS 1.0

Cell phones - various support levels (WebKit has had TLS 1.2 since Nov 2010, but for individual phone browser implementations your mileage may vary)

I don't count older versions of any of these browsers, since people really should have auto-update on. If they don't, they've probably got bigger problems (http://isc.sans.edu/diary.html?storyid=11527).



TLS support for servers is similarly spotty (thanks Swa for this list):

IIS (recent versions) - again, all TLS versions supported

Apache with OpenSSL - TLS 1.0 only

Apache with GnuTLS - TLS 1.2 is supported (note however that GnuTLS does not have the full feature set that OpenSSL does, nor does it have the body of testing, peer review and overall acceptance that OpenSSL has behind it).

So, if you plan to upgrade to 1.2 and force clients to 1.2, your clients better be running Opera and IE9 ONLY. The game plan most folks will follow is to plan for an upgrade if their server supports 1.2 (which means IIS right now) and run both 1.0 and 1.2 in parallel. What this means for us as a community is that if there is in fact a TLS 1.0 exploit, we'll likely start seeing it in conjunction with TLS downgrade attacks - sounds familiar, eh?

The other thing that leaps out at me in this mess is cellphones. Any "how popular is my browser" site out there will show the jockeying for market share between the various browsers over the years, and will also show the exponential growth of cellphone browser traffic on the web. Not only are they becoming the most popular browsers out there, they will likely become the majority of browser traffic as well. Updates for cellphone browsers do not come from the browser author; they come from the phone manufacturer, and are generally distributed to end-users of the device by the carrier. So the update of any given component (like the browser) can see significant delay (like months, or never) before real people see it on their device. This update logjam has been an ongoing issue; maybe a crisis in crypto will force some improvements in this area!
===============

Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Two days of face-to-face mediation talks between Oracle CEO Larry Ellison and Google CEO Larry Page over the companies' Android mobile OS lawsuit have yet to result in a settlement, but the door is open for negotiations to continue, according to a document filed late Wednesday in U.S. District Court for the Northern District of California.
 
Teradata is adding an appliance option for its Aster analytic database, giving it another potential weapon against rivals such as Oracle's Exadata, EMC's Greenplum and SAP's HANA.
 
Apache 'mod_deflate' Remote Denial Of Service Vulnerability
 
Andy's PHP Knowledgebase 'saa.php' Arbitrary File Upload Vulnerability
 
IT is turning to the modern NoSQL and 'NewSQL' approaches over traditional relational databases
 
Preston Gralla spends several days working with Windows 8 on a PC, and reports on his experiences.
 
A U.S. district court judge has scheduled a trial to begin on Feb. 13 in the U.S. Department of Justice's lawsuit opposing AT&T's proposed acquisition of rival mobile carrier T-Mobile USA.
 
Massanutten Regional Library, based in Harrisonburg, Va., began offering the clientele in its mostly rural library network the option of borrowing e-books for the first time on Tuesday.
 
Cogent DataHub Buffer Overflow Vulnerability and Integer Overflow Vulnerability
 

Posted by InfoSec News on Sep 21

http://www.csoonline.com/article/690167/social-engineering-attacks-costly-for-business

By Joan Goodchild
Senior Editor
CSO
September 21, 2011

Social engineering attacks are widespread, frequent and cost
organizations thousands of dollars annually according to new research
from security firm Check Point Software Technologies.

A survey of 850 IT and security professionals located in the U.S.,
Canada, U.K., Germany, Australia and New Zealand...
 

Posted by InfoSec News on Sep 21

http://www.informationweek.com/news/government/security/231601885

By Elizabeth Montalbano
InformationWeek
September 21, 2011

The federal organization for creating technology standards has released
new guidance to help agencies assess risk within their IT systems as
part of an overall strategy to instill more prevention in federal
cybersecurity.

The National Institute for Standards and Technology (NIST) is currently
seeking comments through...
 

Posted by InfoSec News on Sep 21

http://www.theregister.co.uk/2011/09/22/japan_military_hack_follow_up/

By Dan Goodin in San Francisco
The Register
22nd September 2011

Software used to breach the security of a Japanese maker of sensitive
weapons systems contained simplified Chinese characters, making it
difficult for those who don't speak the language to carry out the hack,
Japan's biggest daily newspaper reported.

A computer screen used by attackers to remotely...
 

Posted by InfoSec News on Sep 21

http://seattletimes.nwsource.com/html/localnews/2016278295_wardriving22m.html

By Mike Carter
Seattle Times staff reporter
September 21, 2011

It took nearly three years, but Seattle police detectives say they've
unraveled a theft ring that operated both in cyberspace and through
old-fashioned burglaries with a technological twist — breaking into a
company with the sole purpose of installing malicious software to enable
future thefts....
 

Posted by InfoSec News on Sep 21

http://www.networkworld.com/news/2011/091911-clarke-cybersecurity-251014.html

By Ellen Messmer
Network World
September 19, 2011

Former White House cybersecurity adviser Richard Clarke, author of the
book "Cyber War," served 19 years in the Pentagon, intelligence
community and State Department. At the firm he founded, Good Harbor
Consulting, he advises clients on security risk management; is an on-air
consultant for ABC News; and...
 