InfoSec News

Several companies are developing new database technologies to solve what they see as the shortcomings of traditional, relational database management systems in a cloud environment.
A 26-year-old man who last year helped hackers publish personal information belonging to about 120,000 iPad users pleaded guilty to fraud and hacking charges in a New Jersey court Thursday.
We are pleased to announce a new reader comment system.

Tabcorp bets on infosec revamp
CRN Australia
Tabcorp is midway through a three-year security overhaul to tighten compliance and access management. The security team at the gaming giant is a small one: five members, plus outsourcers, ...

New legislation in the U.S. Congress would ban the export of hazardous e-waste products.
Craig Mundie, Microsoft's chief research and strategy officer, demonstrated some applications on Thursday that apply current technologies to problems facing the health care industry.
The U.S. House of Representatives has voted to approve a bill that would overhaul the U.S. patent system and allow for a new review of patents after they are approved by the U.S. Patent and Trademark Office.
Toshiba's Satellite E305-S1900X all-purpose laptop (available only at Best Buy) is a cut above average in styling, performance, and features. But you'd have to be an ardent fan of the latest, greatest technology to spend $1089 on a system with a 14-inch display. If you are, you'll find such advanced features as a 500GB hybrid hard drive with integrated 4GB solid-state drive, Blu-ray, USB 3.0, Intel Wireless display (WiDi), and WiMax.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2011-2377 Remote Memory Corruption Vulnerability
Mozilla Firefox and Thunderbird CVE-2011-2365 Memory Corruption Vulnerability
After delays, Cisco's Cius tablet will start shipping in volume next month, and the device will be one of the first available running Intel's latest Atom chip code-named Moorestown.
An old friend weighs in on the topics of users and usability.
Eric B. Parizo discusses the top themes from the 2011 Gartner Security & Risk Management Summit, including the rediscovery of enterprise risk management.

Oracle's net income for the fourth quarter ended May 31 rose 36 percent to $3.2 billion over the same period last year, the company reported Thursday. Total revenue for the quarter grew 13 percent to $10.8 billion.
Red Hat's MRG includes support for 10G Ethernet and additional diagnostic and scheduling tools
Apple has released Mac OS X 10.6.8 and security update 2011-004. These updates address 39 CVE entries. The updates cover many components of the core operating system and many popular applications so you should probably plan to update ASAP. The bulletin went out on Apple's security-announce mailing list, but the security update web page doesn't have the details yet, they should be there shortly.

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu

SANS FOR558 Network Forensics coming to central OH in Sep. (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Top five themes from Gartner Security Summit 2011
It's a topic that seemed to leave more than a few infosec pros scratching their heads (if you're one of them, be sure to check out Marcia Savage's great feature, IT consumerization drives new security thinking, from the June 2011 edition of Information ...

American Express and Foursquare have launched a mobile payment plan that offers users discounts at selected national retailers.
Are you ready for a natural disaster, denial of service or security breach? If one happened right now, would you have a plan ready to respond to it? What the recent highly publicized security breaches demonstrated was that some companies were ready and some were woefully unprepared. Part of that has to do with technology and security controls, but most of it is about planning and process, not tools. So what does it take to be ready for an attack?
Defining and managing sales territories is one of the key responsibilities of sales management. But territories in CRM systems can be one of the hardest parts of the implementation.
Some corporate IT managers are unhappy with Mozilla's decision to push out new editions of Firefox every six weeks with its new rapid-release program.
In this video, learn how to get the most out of Web application security scanners, and the four key elements for a successful implementation.

The Gartner IT1 research director discusses tokenization vs. encryption, PCI tokenization to reduce audit scope and lagging tokenization standards.

Reader Kirk Edgar Aplin asks a common question that, like an ill-favored cousin, I need to revisit from time to time. He writes:
When the FBI looked to step up its efforts to hunt down alleged fugitive mobster James "Whitey" Bulger, agents turned to social media.
Yahoo CEO Carol Bartz was backed by the company's chairman at the start of the company's annual shareholder meeting on Thursday, but got ripped by an investor who called for her resignation.
BlazeDS and GraniteDS AMF/AMFX Remote Code Execution Vulnerability
Wyoming has rolled out Google Apps for some 10,000 state workers, the first state-wide implementation of the cloud platform in the U.S.
J.K. Rowling on Thursday announced the creation of a website where users can buy electronic versions of her Harry Potter books and can network with one another and the author.
Federal authorities have declared victory over the Coreflood botnet and shut down the replacement server that the FBI used to issue commands to infected PCs.
Enterprises are adept at securing and managing computing endpoints such as desktop and laptop computers, but most do not have the same controls and processes in place for what is likely the fastest-growing computing platform: smartphones and other smart mobile devices.
Glasses-free 3D smartphones are about to invade the U.S. Sprint will start selling the HTC Evo 3D on Friday, and AT&T has confirmed that sales of the LG Thrill 4G will begin sometime later this summer.
The U.S. FTC is preparing to service Google with subpoenas related to an antitrust investigation, according to a report in the Wall Street Journal.
These four strategies will help project managers maintain control of project budgets and prevent massive cost overruns.
Oracle's lawsuit against Google over alleged Java patent violations in the Android OS is facing a potential setback after a ruling by the U.S. Patent & Trademark Office.
Ukraine's security service said Thursday it had disrupted a cybercrime ring that cost the banking industry more than $72 million using Conficker, a fast-spreading worm unleashed in 2008.
The ability of your data center fabric to support millions of servers with low cost and power may not be due to advances from your major switch vendor, or to standards they may embrace.
A downloadable application discovery resource for Hewlett-Packard's upcoming TouchPad tablet will help grow the webOS developer community, the company said Thursday.
The first Windows Phone from Nokia is code-named Sea Ray, comes with an 8-megapixel camera and uses the Mango version of Microsoft's OS, according to a video sent to Hungarian Web site

Social Networking, Counterintelligence, and Cyber Counterintelligence
CSO (blog)
As an adjunct professor at Utica College, I come across many research papers while teaching Cyber Intelligence, Cyber Counterintelligence and Principles of Cybercrime ...


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Banking giant UBS is to cut 500 jobs from its global IT workforce of 8,700.

Move to acquire Infrared Security will add static code analysis to WhiteHat’s dynamic vulnerability testing platform.

WhiteHat Security has acquired static code analysis technology from Infrared Security in a move to add the functionality to its Sentinel code analysis application, which until now has focused solely on dynamic vulnerability testing.

The move brings in a cadre of well-known secure software development experts, including Jerry Hoff, Jim Manico and Eric Sheridan, all active members of the Open Web Application Security Project (OWASP). WhiteHat said the team will guide the integration of their existing SaaS-based code testing tool into the WhiteHat Sentinel product line. They will also guide research and product development.

Web application security has gained more attention from enterprises as website vulnerabilities and weaknesses in online payment, ecommerce and other Web-based applications have become a favorite target of attackers.

Jeremiah Grossman, founder and CTO of WhiteHat, said the move was in response to WhiteHat's customer demands. WhiteHat customers want something effective at uncovering vulnerabilities earlier in the software development life cycle, Grossman wrote in the company blog:

Several security vendors have built SCA products to address this need, but nothing has really worked. Nothing has been even remotely accurate or managed to meet the need of enterprise scale. We know this because Sentinel measures these outcomes after our customers have purchased these products and they've shared their experiences with us.

Grossman said the goal of the integration is to make static analysis “fast, accurate, and scalable.”

A lot has been written about the differences and effectiveness of static versus dynamic code analysis, and the approach of most application security firms is to provide the tools to customers and let them integrate what they can into their processes. Static analysis happens early in the SDL and can find a boatload of vulnerabilities.

WhiteHat competes with Campbell, Calif.-based Cenzic Inc., which offers a Web application testing suite as SaaS. The integration of static code analysis technology also positions it against Burlington, Mass.-based Veracode Inc., which combines dynamic and static code analysis for application security audits. Klocwork Inc. also offers an automated source code analysis suite, and Fortify Software Inc., now part of Hewlett-Packard, offers both static and dynamic analysis tools.

Our writer takes a trip down memory lane with Basic and explains his more recent foray with Python, all in an attempt to figure out home financing.

Sterlite's firewall implementation: Standardizing perimeter security
Sterlite's infosec policy, framed by Ernst & Young in 2007, while robust, wilted under the challenge of implementation due to its dependence on local control. The firewall implementation was further spurred by the need for central control/logging and ...

The Winklevoss twins have decided to drop their legal battle with Facebook and its founder and CEO Mark Zuckerberg, and accept an earlier $65 million settlement.
Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability
There was a time when anyone could try programming, thanks to the ubiquity of Basic. But Basic's a nonstarter these days, so what will entice a new generation?
GNOME NetworkManager 'auth_admin' Security Bypass Vulnerability

QLD cops get new 000 support
ZDNet Australia
The U.S. Federal Bureau of Investigation has taken aim at two Latvian gangs that allegedly made tens of millions of dollars by sneaking fake virus warnings onto victims' computers and then charging them to clean up the mess.

Posted by InfoSec News on Jun 23

By Luke Hopewell
June 23rd, 2011

The Netregistry Group has stepped in to acquire Distribute.IT after a
recent hacking attack on the latter that saw thousands of customer
emails and websites lost forever.

Distribute.IT fell victim to a hacking attack last week so violent that
customer data, emails and websites hosted on four of its servers were
deemed by...

Posted by InfoSec News on Jun 23

By John E Dunn
22 June 11

An angry employee who hacked his boss’s PowerPoint presentation so that
it showed a pornographic image has been given a two-year suspended
prison sentence and 100 hours of community service by a Judge in the US.

The embarrassing event happened in September 2009 as the Baltimore
Substance Abuse Systems (BSAS) CEO,...

Posted by InfoSec News on Jun 22

CBC News
Jun 21, 2011

Staples Business Depot has breached Canadian privacy law by not fully
wiping customer data off laptops and storage devices returned by
customers before reselling them, Canada's privacy commissioner has

Banking information, tax records, social insurance numbers, health card
and passport numbers, as...

Posted by InfoSec News on Jun 22

By Thomas Shaw
Law Technology News
June 22, 2011

Organizations need assurances about controls used by third-party data
custodians, such as cloud service providers (CSPs). Two methods are
typically used: 1) certification against a standardized set of controls,
such as ISO 27001 certification using ISO 27002 controls, and 2) audit
opinions about existing controls,...

Posted by InfoSec News on Jun 22

By Robert McMillan
IDG News Service
June 22, 2011

Websites belonging to the Brazilian government and energy giant
Petrobras were knocked offline Wednesday in a series of cyberattacks.

The LulzSec hacking group credited its "Brazilian arm," for the attacks,
which are the latest in a series of anti-government cyberassaults...

Posted by InfoSec News on Jun 22

The Kansas City Star
June 22, 2011

A Kansas City man pleaded guilty in federal court Wednesday to his role
in an elaborate scheme to hack computers at the University of Central
Missouri in Warrensburg.

Daniel J. Fowler, 21, admitted that he and another man conspired for a
year beginning in March 2009 to plunder the UCM computer network by...

Posted by InfoSec News on Jun 22

By Jim McElhatton
The Washington Times
June 21, 2011

Federal authorities responsible for granting security clearances to
government employees and contractors are spending hundreds of thousands
of dollars investigating the investigators.

Government inspectors say they have undertaken a broader campaign in
recent years to root out fraud in background checks...