InfoSec News

McAfee Unveils the First Situational and Risk-Aware SIEM
MarketWatch (press release)
LONDON, Apr 24, 2012 (BUSINESS WIRE) -- INFOSEC --McAfee today announced ground-breaking situational awareness and accuracy for Security Information and Event Management (SIEM). The introduction of McAfee Enterprise Security Manager (formerly ...

I spent last Tuesday (17APR2012) taking orientation training at the State Emergency Operations Center (SEOC), a facility operated by the Washington State Military Department, Emergency Management Division. WA SEOC is a fully realized, extremely robust EOC with full authority to fulfill disaster and emergency coordination at the state level. The training was designed to orient attendees to serving or assisting when the EOC is activated during emergencies and disasters.
I was, as I have been during past EOC training or drills I've attended, drawn to the immediate parallels between EOC activity and mature security incident response programs.

Anyone who participates in or serves in a security incident response/management role has likely had the grave displeasure of being part of incident response gone bad. You know the event; it's seared into your memory. No incident command, no structure, everyone running around with their hair on fire, endless FUD and speculation, broken communication streams, and more damage being done than good. I, for one, cannot and will not tolerate events unfolding in this manner, and am always thrilled when I see training and robust processes take over during major events.
EOCs are designed to do this right at a scale few of us can imagine or fathom.
It's one thing to lead your organization through a server compromise or a DDoS attack.
It's quite another to do so where the lives of citizens and millions of dollars of property are in the mix. Life and death decisions change your perspective.
All of which is a long way of getting to the point: there is much to be learned from the incident management structure used by EOCs and applied to information security incident response and management.
I'm a huge proponent of everything in its place, a place for everything during incidents. Everyone should know their role, what swim lane they should be in, and how to garner the assistance and support they may need.
In an EOC you'll note that seating is arranged in pods. These pods each pertain to an ESF or Emergency Support Function. Such functions include communications (ESF 2), logistics (ESF 7), public safety and security (ESF 13), external affairs (ESF 15), and defense support to civil authorities (ESF 20).

Washington State EOC

Not every ESF has a direct match to a role during an information security incident or major event - hopefully you won't need housing, public health, or search and rescue functions (we lost Bobby in the data center!) - but allow me to strengthen my claims to correlation.
The ESF 2 function includes protection, restoration, and sustainment of national cyber and information technology resources. Check, that sounds like an incident response analyst and/or manager.
ESF 7 includes logistics planning, management, and sustainment capability as well as resource support. Ever try to muddle through a major information security incident without your operations teams at the ready to perform systems and network functions?
ESF 13 includes security planning and technical resource assistance along with resource security. Roger that, I see a mitigations working group in the making here, yes?
ESF 15 provides protective action guidance as well as media and community relations. Indeed. Sounds like the all important information security advisory (patch now, avoid website x) or the pressing need for a good PR response when your high traffic website was defaced.
ESF 20 offers guidance to officials on the coordination of military resources in support of operations during response and recovery. Ack. Subject matter expertise, vulnerability assessment post-mitigation and remediation, after action reports (lessons learned), and defensive tactics oversight.
You get my point. Having a well defined, practiced (drill, drill, drill!) incident management system that springs into action like a well oiled machine is of extraordinary value during major information security incidents.
Following are some resources for you to consider.
Check out FEMA's National Incident Management System (NIMS). You can take NIMS training online via FEMA's Emergency Management Institute. I suggest starting with IS-100.b Introduction to Incident Command System, IS-200.b ICS for Single Resources and Initial Action Incidents, and IS-700.a National Incident Management System (NIMS) An Introduction. I've taken these, as well as four other ISP courses as part of requirements for the Military Emergency Management Specialist (MEMS) Basic level and continue to see content matches to my role in security incident management. Also familiarize yourself with the National Response Framework.
If you've noted similar relationships with emergency management practices and information security response and incident management, feel free to share with the readership via the comments form along with any questions you may have.

Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Readers continue to write in conveying updates from sources regarding the Nikjju mass SQL injection campaign. Like the Lilupophilupop campaign from December, ASP/ASP.net sites are targeted and scripts inserted.
Be wary of <script src=hxxp://nikjju.com/r.php></script> or <script src = hxxp://hgbyju.com/r.php></script> and the resulting fake/rogue AV campaigns they subject victims to.
Infected site count estimations vary wildly, but a quick search of the above strings will give you insight. Handler Mark H continues to track this one and indicates that the MO is similar to the Lilupophilupop campaign but that they're trying some interesting things this round. We'll report if anything groundbreaking surfaces.
As always, if you have logs to share, send them our way via the contact form, or leave a comment with any insight you want to share with readers.
Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
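As an added illustration (this is not code from the diary or from the ISC), here is a small Python scanner that checks page source for external <script src> tags whose host is one of the two domains named above. It accepts the defanged hxxp form used in reports as well as live http URLs, and the sample page below is constructed, not a real capture; the watchlist and function names are my own.

```python
import re
from urllib.parse import urlparse

# Hostnames named in the ISC diary above. Extend with whatever your own telemetry shows.
WATCHLIST = ("nikjju.com", "hgbyju.com")

# Matches <script ... src=VALUE ...> with quoted or unquoted VALUE and optional whitespace
# around '=', covering both the "src=" and "src = " spellings seen in this campaign.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def refang(url):
    """Turn the defanged hxxp:// or hxxps:// form used in reports back into a real scheme."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        return "http" + url[4:]
    return url


def host_matches(host, watchlist):
    """True if host is a watchlisted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_injected_scripts(html, watchlist=WATCHLIST):
    """Return [(hostname, raw_src)] for every external <script> whose host is watchlisted.

    Relative or inline scripts have no hostname and are skipped."""
    hits = []
    for raw_src in SCRIPT_SRC_RE.findall(html):
        parsed = urlparse(refang(raw_src))
        if parsed.hostname and host_matches(parsed.hostname, watchlist):
            hits.append((parsed.hostname.lower(), raw_src))
    return hits


# Constructed sample page (not a real capture): one legitimate include plus the two
# injected tags in the spellings reported to the ISC, kept defanged as in the diary.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<title>Products</title></head><body>
<p>Acme widgets</p><script src=hxxp://nikjju.com/r.php></script>
<div>footer</div><SCRIPT SRC = "hxxp://hgbyju.com/r.php"></SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for host, src in find_injected_scripts(SAMPLE_HTML):
        print(f"injected script from {host}: {src}")
```

Run it over saved page source or over a dump of the database columns the injection lands in; matching on the hostname rather than the full URL keeps the check working when the path or subdomain is varied.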
Andy Rubin, the head of Google's Android development team, took the witness stand for the first time Monday in Oracle's lawsuit accusing Google of patent and copyright infringement in its Android OS.
About 100 peripherals based on the Thunderbolt connector technology will become available by the end of the year, a big jump from a fraction of the devices available today, if Intel meets its target, a company executive said on Monday.
Re: phpMyBible 0.5.1 Mutiple XSS
FYI: We're now paying up to $20,000 for web vulns in our services
WebCalendar <= 1.2.4 Two Security Vulnerabilities
AST-2012-006: Remote Crash Vulnerability in SIP Channel Driver
Nissan Motor Co. and apparel maker Under Armor have disclosed recent data breaches involving the potential compromise of employee information.
Craigslist late last week posted an ad looking for a "hands-on" senior user interface engineer, along with a front-end and usability engineers.
Mobile and wired broadband providers should disclose detailed information about data caps, and the U.S. regulators should "vigilantly monitor" so-called usage-based pricing for abuses, digital rights group Public Knowledge said Monday.
Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.
Acer on Monday started shipping desktops that are among the first PCs available with Intel's third-generation Core processors, code-named Ivy Bridge.
Facebook on Monday continued its latest spending spree by agreeing to pay Microsoft about $550 million for some 650 former AOL patents and patent applications.
Omissions from the feature set of Windows RT are leaving analysts increasingly skeptical that enterprises will gravitate toward tablets running the new forked version of Windows. Is Windows RT on tablets DOA because it lacks needed enterprise features?
Iran's oil ministry today confirmed that it was the target of malware attacks over the weekend, adding to reports by state-run media that the country's oil industry was hit by hackers.
Intel on Monday announced its first third-generation Core processors code-named Ivy Bridge, which are faster and more power efficient than Core processors now used in laptops and desktops.
Attackers are already in the network, so if companies aren't monitoring activity, they're not doing enough, said Shawn Henry of CrowdStrike.

Wireshark Buffer Underflow and Denial of Service Vulnerabilities
Version 4.0 of the WebStorm IDE focuses on ECMAScript, which is the official standard underlying JavaScript
The comment period for National Institute of Standards and Technology (NIST) proposed changes to the Digital Signature Standard (FIPS 186-3) is open until May 25, 2012. Submit comments via fips_186-3_change_notice at nist dot gov, with "186-3 Change Notice" in the subject line.
The proposed changes include:

clarification on how to implement the digital signature algorithms approved in the standard: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adleman algorithm (RSA)
allowing the use of additional, approved random number generators, which are used to generate the cryptographic keys used for the generation and verification of digital signatures

NIST indicates that the standard provides a means of guaranteeing authenticity in the digital world by means of operations based on complex math that are all but impossible to forge but that updates to the standard are still necessary as technology changes.
Comment and feedback on your digital signature implementations are welcome via our comments form.

Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
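To make the signing and verification steps the standard clarifies concrete, here is an added Python walkthrough of textbook DSA as FIPS 186-3 lays it out: hash truncation to the leftmost N bits, a fresh per-message secret k, and the (r, s) check. It is not code from NIST or the ISC. The domain parameters are constructed toy values far below the approved (L, N) sizes, and the operating system CSPRNG (Python's secrets module) stands in for the approved random number generator the standard requires for the private key and for k.

```python
import hashlib
import secrets


def is_prime(n):
    """Deterministic trial division; only adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def toy_parameters(bits=24):
    """Constructed DSA domain parameters (p, q, g): q prime, p = 2q + 1 prime.

    FIPS 186-3 approves only (L, N) of (1024,160), (2048,224), (2048,256) and
    (3072,256); these ~25-bit values exist purely to keep the arithmetic readable."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # g = h^((p-1)/q) mod p with h = 2. Since 4 is a square mod p and != 1, its order is q.
    g = pow(2, (p - 1) // q, p)
    return p, q, g


def hash_to_z(message, q):
    """FIPS 186-3 section 4.6: z = leftmost min(N, outlen) bits of Hash(M), N = bits in q."""
    digest = hashlib.sha256(message).digest()
    h = int.from_bytes(digest, "big")
    outlen = 8 * len(digest)
    n = q.bit_length()
    return h >> (outlen - n) if n < outlen else h


def keygen(params):
    """Private x in [1, q-1] from the OS CSPRNG; public y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(params, x, message):
    """Return (r, s); retries when r or s comes out as 0, as the standard requires."""
    p, q, g = params
    z = hash_to_z(message, q)
    while True:
        # Fresh per-message secret k from the CSPRNG; never reused across messages.
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, message, signature):
    """FIPS 186-3 section 4.7: range-check r and s, then test v == r."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    z = hash_to_z(message, q)
    w = pow(s, -1, q)
    u1 = (z * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = toy_parameters()
    x, y = keygen(params)
    msg = b"constructed sample message"
    sig = sign(params, x, msg)
    print("valid:", verify(params, y, msg, sig))
    print("tampered:", verify(params, y, msg + b"!", sig))
```

The range check in verify and the retry loop in sign are the parts implementers most often drop; the truncation in hash_to_z is the rule that makes a 256-bit hash usable with a shorter q. Swapping the parameter generator for approved sizes and the CSPRNG for an approved DRBG is what separates this sketch from a conforming implementation.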
Mozilla will ship Firefox 12 on Tuesday with a key component of its years-long silent update project in place.
U.S. President Barack Obama has signed an executive order allowing the U.S. government to block the sale of any technology used to track or monitor dissidents in Syria and Iran by the governments there.
.NET Framework EncoderParameter integer overflow vulnerability
[HITB-Announce] HITB Magazine Issue 008 (now with print edition!)
XSS and Blind SQL Injection Vulnerabilities in ExponentCMS
[Spam] Chengdu Bureau of Commerce - SQL Injection Vulnerability

Raising Awareness Is The Best Cyber Defence
TechWeekEurope UK
The InfoSec show is being held for three days starting on Tuesday at London's Earls Court Exhibition Centre and Security B-Sides, a competing conference, at the Barbican, also in London. The shortage of security staff needs to be addressed by academia ...

How do they stack up against each other?
Dropbox, the Internet-hosted file-synchronization service, updated its desktop, mobile, and Web app software on Monday to allow any file or folder stored in a user's sync folder to be shared with other people via a Web-accessible link. The shared files and folders make use of Web-based previewing that allows images, videos, and documents to be viewed, heard, or paged-through without an external application, as well as simply downloaded.
EMC is in talks to buy flash array storage maker XtremIO for between $400 million and $450 million and is close to pulling the trigger on the deal, according to an Israeli publication.
Name: Peter Chantel
Microsoft has released a new version of a tool designed to let enterprise IT staffers automate and manage large-scale deployments of Microsoft OSes, desktop applications and server software.
The majority of IT and security professionals believe that Anonymous and hacktivists are among the groups that are most likely to attack their organizations during the next six months, according to the results of a survey sponsored by security vendor Bit9.
The suspense is over.
Condusiv today announced a new version of its disk defragmentation software, Diskeeper, which now includes TRIM commands to reclaim SSD space marked for deletion, as well as new monitoring tools and fast system boot-up features.
Re: McAfee Web Gateway URL Filtering Bypass
Re: Squid URL Filtering Bypass
[SECURITY] [DSA 2455-1] typo3-src security update
The Iomega Helium is a sleek, pocket-sized portable hard drive with a durable aluminum case. The Helium's compact design and matte silver appearance is the perfect aesthetic complement to the Mac, but it boasts only a USB 2.0 interface.
Oracle scored a victory in its battle with Google, as the US Patent and Trademark Office decided to uphold a Java patent it had previously rejected, according to a court filing.
Apple products using touch technology infringe on a patent owned by the Pennsylvanian company FlatWorld Interactives, the company alleged in court documents filed on Friday.
Smartr Contacts--a free app from Xobni--just might be the iPhone's ultimate address book.

Tabernus to Exhibit at April InfoSecurity Europe 2012
Industry Today (press release)
"We're excited to be a part of this year's InfoSec," said Joe Mount, Tabernus Vice President of Business Development. Infosecurity Europe brings the information security community together every year, demonstrating the latest product and service ...

ownCloud Password Reset Security Bypass Vulnerability

Chinese Internet firms will need to better screen their websites for unlicensed digital works or be held responsible for infringement.
Microsoft last Friday pulled an Office for Mac 2011 major update from its upgrade servers, acknowledging bugs that have corrupted the Outlook database on some machines.
Oracle GlassFish Server Multiple Cross Site Scripting and HTML Injection Vulnerabilities
Users want us to acknowledge the emotions that accompany their technology problems. Relax, though; you don't have to be Dr. Phil to do that. Insider (registration required)
Wayne Shurts, executive vice president and CIO at SuperValu, talks about how he's working to help the IT department at the grocery retailer better support the company's overall business. Insider (registration required)
Researchers at Northwestern University have developed a device they say can deliver messages from the brain directly to muscles -- skipping over the spinal cord -- and enable a paralyzed hand to move.
The boss needs a power supply for his PC's speakers. Unfortunately, there aren't any to spare...
IBM has reduced its number of internal applications by 70%, but it's not enough for CIO Jeanette Horan.
Facebook's foolish buyout of Instagram is a waste of a billion of its pre-IPO dollars, but it's not the all-time worst tech business deal.
As employees bypass IT and regularly subscribe to collaboration, analytic and other cloud services with the press of a button, some of the savviest CIOs are embracing and even encouraging shadow IT. Here's why.
Microsoft has kicked off what it calls a 'two-year countdown' to the death of Windows XP and its Office 2003 productivity suite.
Microsoft is gambling its reputation with its upcoming operating system.
Last week I posted to Buzzblog a list of the 50 best "bragging rights" claimed by users of Google+.

Posted by InfoSec News on Apr 23


By Katherine Long
Seattle Times higher education reporter
April 20, 2012

Somewhere in Texas right now, 30 hackers known as the Red Team are
attacking a computer network called Go Mommy, using every trick to try
to bring it to its knees.

Among the defenders: Eight computer-science students from the University
of Washington, working to repel the attack — quite possibly...

Posted by InfoSec News on Apr 23


By Darren Pauli
April 23, 2012

In a fortified, bulletproof facility in North Sydney, security engineers
who once skirted the limits of hacking laws now work to catch those
attacking NSW’s state critical infrastructure.

The engineers were talented hackers from Brazil, India, Russia and the
former Soviet states, some of whom breached...

Posted by InfoSec News on Apr 23


By Gregg Keizer
April 20, 2012

Contrary to reports by several security companies, the Flashback botnet
is not shrinking, the Russian antivirus firm that first reported the
massive infection three weeks ago claimed today.

Dr. Web, which earlier this month was the first to report the
largest-ever successful malware...

Posted by InfoSec News on Apr 23


By Dan Goodin
ars technica
April 22, 2012

It's still premature to say you need firewall or antivirus protection
for your television set, but a duo of recently diagnosed firmware
vulnerabilities in widely used TV models made by two leading
manufacturers suggests the notion isn't as far-fetched as many may...

Posted by InfoSec News on Apr 23


By Tracy Kitten
Bank Info Security
April 19, 2012

Lax security makes non-banking sites prime targets for skimming attacks,
like the ones that hit eight hospitals in Toronto.

Earlier this week, Toronto police announced that eight area hospitals
had been recent targets for ATM skimming attacks. Over the past six
months, authorities believe fraudsters targeted these...