InfoSec News

As a number of readers have reported, Microsoft released a few non-security updates on Tuesday via Windows Update/Automatic Updates. Most of our readers will recognize that the 4th Tuesday of the month is when Microsoft usually releases non-security updates. From the results on a couple of computers here in my office, the updates involve the .NET Framework versions 3.x and 2.x. As with all updates, please remember to test the update in your respective environment prior to wholesale deployment. More information on the .NET Framework update is available at KB982524.

Scott Fendley ISC Handler (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Payment processors are touting tokens to protect payment data, but a lack of standards can result in vendor lock-in. An encryption and token expert says more work is needed.


 
Senators and witnesses at a Senate Judiciary Committee hearing roundly praised a new plan to fight intellectual property violations from the White House's first intellectual property enforcement coordinator.
 
Verizon introduced the newest Droid smartphone, the second from Motorola, but some Android fans may be disappointed to learn that it won't ship with the latest operating system or the newest Flash Player.
 
Red Hat releases Cloud Foundation, a package of software and services for running hybrid clouds
 
Qualcomm has started sampling its FSM9xxx family of chipsets for femtocells, the company said.
 
Twenty percent of applications on Android Market let third parties access private or sensitive information, according to a report from security vendor SMobile Systems.
 
Facebook's head engineer, at the Usenix conference, offers advice on managing continual exponential systems growth
 
CRM projects can have some very tricky technical elements, particularly when it comes to integrating with other customer-facing and internal systems. They can also be quite labor intensive when it comes to normalizing, deduping, cleansing, and converting data. But in many CRM projects, those issues aren't the biggest contributors to schedule slips. Look closely: the larger the CRM project, the more likely that the delays are coming from outside of IT. No, it's not time to beat up your vendors. It's time to engage more closely with your users and project sponsors.
 
More than 55 million smartphones shipped globally in the first quarter, with iPhone shipments rising slightly from the previous quarter, from 8.7 million to 8.8 million, according to ABI Research.
 
More people use their Apple devices in the workplace, and more IT shops allow it. Naturally, security concerns abound. Here are a few.
 
On Wednesday, .org became the first generic top-level domain to offer its customers improved security using DNSSEC (Domain Name System Security Extensions).
 
Verizon Business on Wednesday introduced two new communications and collaboration services aimed at easing the process of adopting the technology.
 
Infor will be relying on Microsoft technology for the next generation of its line of ERP (enterprise resource planning) products, in the wake of a deal the companies announced Wednesday.
 
SanDisk on Wednesday announced a Secure Digital card that can store data for 100 years, but can be written on only once.
 
When it was released in 1984, the tagline for Macintosh was, "The computer for the rest of us." With fairly limited (but unique) capabilities and a relatively high price, it wasn't quite clear who "the rest of us" really were. Given the Mac's natural affinity for graphics and the fact that unlike other computers of that era, Macintosh did not ship with a programming language, the core audience that gravitated to the platform were artists and other creative types.
 
Trustwave said it would integrate Breach's Web application firewall into its pen-testing and code-review services. The vendor says it's committed to ModSecurity.


 
The PCI Security Standards Council will update the PCI Data Security Standard on a new three-year cycle after the latest update is applied in October.


 
On Monday, Apple released iOS 4 to the masses. Among numerous security fixes, one other feature that caught my interest was the availability of IPv6. The iPhone was one of a few holdouts in the mobile phone world that did not yet support IPv6. In some ways, the iPhone and similar devices are just why people feel we may need IPv6. Features like VoIP calling (e.g. Apple's new Facetime protocol) can work with NAT, but may possibly work better if the device has a globally routable IP address, which may not be available in IPv4.
Screenshots of iOS 4 beta versions showed a new configuration setting for IPv6, allowing users to turn IPv6 support on and off. The final version, as delivered to customers on Monday, no longer has this switch. Instead, IPv6 support is always turned on. In order to be functional, it does need to be connected to an IPv6-capable network.
In my tests, I connected the iPhone's WiFi network to my home network, which supports IPv6 and uses a router that advertises itself via IPv6 router advertisements. The iPhone did pick up an IPv6 address. The IPv6 address selected by the iPhone was derived from the MAC address (EUI-64). I personally would have preferred a privacy enhanced address.
iOS 4 does not appear to support any tunneling protocols. It will only use IPv6 in a dual stack configuration. I am going to update this diary as I get to experiment more with it.
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
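To make the diary's EUI-64 observation concrete, here is an added example (not code from the ISC diary or from Apple) that builds the modified EUI-64 interface identifier from a MAC address the way SLAAC does, combines it with a router-advertised /64 prefix, and checks whether a given IPv6 address embeds a MAC, which is the tracking concern behind the author's preference for a privacy address (RFC 4941). The MAC and prefix values are constructed samples.

```python
# Added example: modified EUI-64 interface identifiers (RFC 4291, Appendix A)
# and a check for MAC-derived addresses. Sample MAC/prefix are constructed.
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 identifier from a 48-bit MAC:
    split the MAC, insert 0xFFFE in the middle and flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit is inverted in modified EUI-64
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (as advertised by a router) with the EUI-64 IID,
    i.e. the SLAAC address a device like the iPhone in the diary would form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None when the
    interface identifier lacks the 0xFFFE marker (e.g. an RFC 4941 privacy
    address). Heuristic: a random IID matches the marker 1 time in 65536.
    Useful when auditing which of your hosts expose their hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:1b:63:aa:bb:cc"  # constructed sample MAC
    addr = eui64_address("2001:db8:1:2::/64", mac)
    print(addr, "->", embedded_mac(addr))
    print(embedded_mac("2001:db8:1:2:1c6f:9a2e:4b3d:8f01"))  # privacy-style IID
```

Run it against the addresses your own hosts pick up to see which ones are EUI-64 derived and therefore stable across networks.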
 
Quest extends its Toad line of database developer tools for non-relational databases
 
Oracle's new version of Oracle Application Express embraces Web 2.0
 
SAS Institute is joining the newly hot area of in-memory processing, developing a series of high-performance analytics systems tuned for specialized tasks.
 
HP executives touted the company's 'converged infrastructure' plan at a tech conference this week, but some users say they fear it could lead to the much-feared vendor lock-in.
 
Even procrastinators can -- with difficulty -- get an iPhone on opening day tomorrow. Here are some tips.
 
HTML5 will spawn richer, more sophisticated Websites while also easing development. Here are nine ways the impact of HTML5 will be felt
 
Advanced Micro Devices on Wednesday announced a new family of microprocessors for cloud computing servers, including one chip priced at $99.
 
An IBM-sponsored study shows that Wall Street is ready to invest again in new technologies
 

Posted by InfoSec News on Jun 22

http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/

By Dan Goodin in San Francisco
The Register
22nd June 2010

A recently published e-book penned by the self-proclaimed "world's No. 1
hacker" is rocking the security community with back-and-forth
allegations of plagiarism, racism, and even threats against a security
podcaster and his family.

How to Become the World's No. 1 Hacker [1] is purportedly written by
Gregory D....
 

Posted by InfoSec News on Jun 22

http://www.ocregister.com/news/mijangos-254531-victims-affidavit.html

By Larry Welborn
The Orange County Register
June 22, 2010

SANTA ANA - A Santa Ana man was arrested Tuesday after authorities say
he hacked into dozens of computers and demanded sexually explicit videos
from female victims in exchange for keeping their personal information
private.

Luis Mijangos, 31, was arrested without incident at his home by special
agents with the...
 

Posted by InfoSec News on Jun 22

http://www.warwickonline.com/view/full_story_news/8013298/article-Woman-charged-with--hacking--Warwick-company-s-computer?instance=home_news_right

Warwick Beacon
June 22, 2010

A Richmond woman has been charged with hacking the computer of BayWatch
RI Marine Towing in Warwick.

Rhode Island State Police arrested Kimberly Tefft, 42, of 512 Kingstown
Road, last week, charging her with intentional accessing and damaging a
computer, a felony and...
 

Posted by InfoSec News on Jun 22

http://www.computerworld.com/s/article/9178405/Trustwave_buys_application_firewall_maker

By Stephen Lawson
IDG News Service
June 22, 2010

Trustwave has acquired Breach Security for an undisclosed sum, an
acquisition that the company said would bring Breach Security's Web
application firewall together with Trustwave's own enterprise security
tools.

Trustwave will continue to sell and support Breach Security's Web
application firewall, which...
 
InfoSec News: Better cybersecurity depends on better information management: http://gcn.com/articles/2010/06/22/information-management-better-cybersecurity.aspx
By William Jackson GCN.com June 22, 2010
It might sound like heresy, but information sharing is overrated, said Tony Sager of the National Security Agency.
IT security officials already are overloaded with information, Sager said. As chief of the vulnerability analysis and operations group in NSA's Information Assurance Directorate, which runs Red Team penetration tests, Sager has generated his share of security information over the past 33 years. But that data often contributes little to improving the security of government IT systems, he said Tuesday at the Symantec Government Symposium on IT security in Washington.
"Dumping our inboxes at each other is not going to cut it," Sager said. "Being at the right meeting is not going to do it. The key to success in IT security is information management." E-mail exchanges and meeting attendance don't scale, he noted; an agency official can't increase them indefinitely as the demand rises.
Information management means getting the right information into the hands of those who need it. That requires not data dumps, but standards for tools that can analyze data and make it available irrespective of its source; standards such as the Security Content Automation Protocol, jointly developed by the NSA, the National Institute of Standards and Technology and the private sector.
[...]
 
In other news, Opera Software released version 10.54 of its web browser on June 21st. One of the vulnerabilities corrected in this release is the font handling flaw discussed in the advisory at http://www.opera.com/support/kb/view/954/. In addition, Opera corrected several other critical vulnerabilities which will be disclosed in the future. If you prefer the Opera web browser to the other mainstream alternatives, it is recommended that you apply the update in the near future. More information is available in the release notes.
Thanks to Frank who noted the update a short while ago.
Scott Fendley --ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Earlier today, Mozilla released the newest version of Firefox.
Firefox 3.6.4 corrects 7 vulnerabilities, ranging from critical issues such as denial of service and arbitrary code execution bugs to a few lower-severity issues. The full list of vulnerabilities corrected is located in the release notes. In addition, this release of Firefox provides much better handling of plugin crashes. Should a plugin crash or freeze while viewing a website, Firefox now allows the plugin to crash without taking down the entire browser. This is a very useful feature for those of us who keep many, many tabs or windows open during the course of the day and get very irritated when we open that one website with some odd Flash or QuickTime media that causes the plugin to abnormally end. YAY!
Firefox 3.5.10 was also released and corrects 9 vulnerabilities, of which 6 are rated as critical. The 3.5.x tree of Firefox will continue to receive security updates for 2 more months, so it is time to prepare to jump to 3.6.x very soon. More details on the security issues are listed in the release notes.
Thanks to all of our readers who were on top of these releases tonight and alerted us of them.
Scott Fendley --ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The Tech Herald: Report: InfoSec community launches campaign against security firm
Ligatt Security faces an InfoSec community driven campaign against them. Given that Gregory Evans has taken a considerable amount of heat from the InfoSec ...
The Register: 'World's No. 1 hacker' tome rocks security world
 
Firefox versions 3.6.4 and 3.5.10 fixed nine flaws but Mozilla instead emphasized the addition of plug-in crash protection over the security fixes.
 
Fiberlink Communications thinks it can cut patch management costs for IT departments with a new cloud-based service.
 