Hackin9

InfoSec News

Google increased the reward for a code execution bug to $20,000. Microsoft remains against a bug bounty.

 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0467 Memory Corruption Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0474 Cross Site Scripting Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0473 Out of Bounds Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0477 Cross Site Scripting Vulnerability
 
Google is making a change to its search algorithm to penalize what the company's head of Web spam called "over-optimization" and instead favor websites with high-quality content and less refined search-engine optimization.
 
Google developed its Android smartphone software without using Sun's intellectual property and its use of Java in Android was "legally correct," Google's executive chairman, Eric Schmidt, testified in court Tuesday.
 
The launch of Google's cloud storage and synchronization service -- Google Drive -- means hundreds of millions of tech users will now be introduced to file sharing, collaboration and integrated document search.
 
Intel has agreed to buy specific high-performance-computing interconnect assets from server company Cray, the chip maker said on Tuesday.
 
Start your engines: Google's long-rumored Drive service is officially out and ready for a test, well, drive. The search giant's answer to services like Dropbox, Drive offers 5GB of free online storage space that also syncs with a local folder on the desktop of your Mac or PC. (An Android app is currently available, with an iOS app in the works.)
 
For more than a year Intel has talked about graduating from copper wires to fiber optics for Thunderbolt ports on Apple's Mac computers, and Sumitomo Electric Industries has become one of the first companies to deliver optical cables.
 
Google said Tuesday it was going direct to consumers again, selling the Galaxy Nexus smartphone on Google Play for $399. The unlocked smartphone will also run the Google Wallet mobile payment app.
 
The sponsors of a controversial cyberthreat information-sharing bill will offer new amendments to address privacy concerns, with changes focused on limiting how government agencies can use information shared by private companies, as the bill comes to a vote in the U.S. House of Representatives this week.
 
Despite concerns about competition from Android devices, Apple managed to exceed expectations for iPhone sales for its second fiscal quarter, reporting a healthy year-over-year jump in both revenue and profit.
 
 
Mozilla today released Firefox 12, patching 14 security bugs in the browser and moving it one step closer to matching rival Chrome in silent updating.
 
Context Information Security found that data stored by a cloud customer could be accessed by the next customer to spin up a VM on the same disk.

 
Google Chrome Prior to 18.0.1025.142 Multiple Security Vulnerabilities
 
Looking to address growing cybersecurity threats in the healthcare industry the Health Information Trust Alliance today said it has established a centralized Cybersecurity Incident Response and Coordination Center where organizations can report incidents and get help remediating electronic medical security problems.
 
So-called stretched clusters promise the utopia of disaster avoidance and disaster recovery through virtualization, but the technology is still new. Here's how to deal with the challenges.
 
How well do Facebook apps protect your privacy? Before you download something new and agree to share information, check out how Privacyscore rates it first.
 
Today Google launched Google Drive, a free-if-you-just-need-5GB-of-storage Dropbox-like service that lets you easily store and share files in the cloud.
 
Lenovo is expanding the recall of some ThinkCentre all-in-ones due to a component defect that can cause the PCs to overheat and catch fire, the U.S. Consumer Product Safety Commission said on Tuesday.
 
Few Oracle products in recent years have received as much hype as the Exadata database machine, with the vendor attempting to use it as a standard-bearer for a series of appliances that combine its software with storage, networking equipment and Sun servers.
 
A new, sneakier variant of the Flashback malware has been uncovered by the French security firm Intego.
 
OpenSSL CVE-2012-2131 Encoded ASN.1 Data Incomplete Fix Memory Corruption Vulnerability
 
PHP Ticket System Beta 1 'p' SQL Injection
 
 


Infosec: Safer internet depends on private sector
IT PRO
Neelie Kroes, vice president of the European Commission, said business must play its part in the development of a more secure online world. By Caroline Donnelly, 24 Apr 2012 at 17:38 The development of a safer, more secure internet will require greater ...

 
Google today launched its Google Drive cloud storage service, offering 5GB of free space -- an increase of 4GB over what it had been offering users of Google Docs.
 
A growing number of lawmakers are expressing concern over the controversial Cyber Intelligence Sharing and Protection Act bill that's scheduled for a vote later this week in the U.S. House of Representatives.
 
Tablets will become most users' primary computing device within the next four years after a period of explosive growth, a Forrester Research analyst believes.
 
One in five Mac computers is likely to carry Windows malware, but only one in 36 is likely to be infected with malware specifically designed for Mac OS X, according to a study performed by antivirus firm Sophos.
 

David Willetts: UK firms need to 'fess up to security boobs
Register
Speaking at the Info Sec conference this morning, Willetts, whose remit includes cyber security, urged companies to be very honest in reporting their cyber security problems and system breaches. He said: I want large companies to be very frank about ...

 


InfoSec: The UK Drops FUD Bombs On BYOD
TechWeekEurope UK
At least, that's the impression I was left with after an InfoSec 2012 briefing with BT and a number of its customers, including the Ministry of Defence and Norfolk County Council. Research from BT showed globally, 60 percent of businesses allow ...

 
Microsoft's top Windows executive today said that the company will ship an almost-complete version of Windows 8 the first week of June.
 
Yammer will announce a series of enhancements to its enterprise social-networking software on Tuesday, including updates in areas such as search, groups and mobile, as well as expanded integration with third-party products, such as the Microsoft Dynamics enterprise applications.
 
RE: McAfee Web Gateway URL Filtering Bypass
 
OpenSSL has posted an updated advisory today indicating the fix for CVE-2012-2110 released on 19APR2012 was not sufficient to correct the ASN1 BIO vulnerability issue for OpenSSL version 0.9.8.
Please note that this latest issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch, as released on the 19th, sufficient to correct CVE-2012-2110.
Please upgrade to 0.9.8w.

 
Samsung posted a list today detailing which Samsung phones and tablets sold by U.S. carriers will eventually receive an upgrade to Android 4.0, or Ice Cream Sandwich.
 
RuggedCom - Backdoor Accounts in my SCADA network? You don't say...
 
[ MDVSA-2012:064 ] openssl0.9.8
 
New IETF I-D: Security Implications of IPv6 on IPv4 networks
 
[security bulletin] HPSBUX02768 SSRT100664 rev.1 - CIFS Server (Samba), Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS)
 
Learn how to work smarter, not harder with InfoWorld's roundup of all the tips and trends programmers need to know.
 
Growth in mobile services largely due to smartphone sales pushed AT&T revenue up 1.8%, with a 5.2% increase in revenue for the first quarter of 2012 compared to the year-ago quarter, the company reported Tuesday.
 
Western Digital's My Book Thunderbolt Duo is about as big as WD's My Book Studio II, and the two drives have similar cases. The obvious difference is the activity indicator lights on the front of each drive. The other major difference is that the My Book Thunderbolt Duo, as the name indicates, has Thunderbolt connectors, two of them, to be exact.
 
A deceptive little beast of a puzzler, Triple Town lures you close and sinks its teeth in before demanding you feed it more of your hard-earned cash. This clever hybrid of match-three puzzles and settlement planning gameplay from Spry Fox is insidiously addictive, but poorly conceived micro-transactions soon suck all the joy out of the experience.
 
The volume of email spam that originated from India during the first three months of 2012 exceeded the volume coming from the U.S., making the Asian country the world's top spam source, security firm Sophos said on Monday.
 
Oracle MySQL CVE-2012-1690 Remote MySQL Server Vulnerability
 
Oracle MySQL CVE-2012-1688 Remote MySQL Server Vulnerability
 
Oracle MySQL CVE-2012-1703 Remote MySQL Server Vulnerability
 

You’d have to be a serious security curmudgeon to try to pick holes in the Microsoft SDL. The company’s security development lifecycle grew out of the Trustworthy Computing initiative, which turned 10 years old this year, and in many organizations, it sets the standard for secure development practices. At a minimum, it put secure development into the consciousness of many organizations and inspired a lot of companies to adopt bits and pieces, if not all, of the SDL.

No program is perfect, however.

Two security program managers working in the Microsoft Security Response Center (MSRC) shared a story during the SOURCE Boston Conference last week that’s worth sharing. It seems not too long ago, a security researcher reported a fairly serious vulnerability to Microsoft via its [email protected] email address. Turns out, however, that Microsoft’s spam filter kicked in and the vulnerability sat in limbo for months in a spam folder (sometimes it’s the simplest details that get ya.)

The researcher waited a responsible, er, respectable period of time, and eventually went public with details on the vulnerability, thinking Microsoft had ignored the researcher’s efforts. Once the details went full disclosure, Microsoft had to rush an out-of-band fix for the vulnerability; the two program managers refused to reveal the flaw last week.

“Don’t trust spam filtering,” said Jeremy Tinder, one of the managers. “This one was a crisis. Now we read them all (up to 500 a day). We have dedicated individuals to this triage stage of our security response.”

Tinder and his colleague David Seidman explained the MSRC’s role in the SDL at Microsoft and how vulnerabilities are handled once reported—and suggested these are minimal steps that organizations building their own software could follow. It’s a well-reported process that involves several stages:

· Triage: Microsoft determines whether reported vulnerabilities are security issues or, for example, a coding or configuration error.

· Reproduce the issue: Microsoft tries to reproduce the security bug with the information provided by the researcher who reported it.

· Analyze the root cause: Once the MSRC is able to reproduce the issue, it determines how much user interaction is required to trigger it, and whether it involves a configuration that is widely used by all customers.

· Planning: Schedule a fix and move forward after determining the scope of what needs to be fixed and any variants that could also trigger the vulnerability.

· Variant testing/investigation: This is a critical stage where all possible variants are tested before releasing a fix; the last thing the MSRC wants to do is release a fix and then have to re-release it.

· Implementation: The MSRC starts developing fixes immediately and tests in parallel, checking whether other fixes cause regressions.

· Verification: Functional and regression testing is done here to ensure the patch fixes all attack vectors, doesn't revert previous patches and doesn't break applications.

· Release: More than a click of a button, Tinder and Seidman said. It involves having the infrastructure in place to push automatic downloads of patches, or to give enterprises the ability to choose when and how to apply fixes.

Ultimately, the MSRC shoots for 60 to 90 days to turn around a patch, depending on testing and any issues that could arise and cause a regression forcing the MSRC to start over.

And oh yeah, check those spam folders.




 


UK biz pays heavy price for skimping on security - PwC
Register
By John Leyden. Infosec 2012: Hacking attacks against Blighty's top firms hit a record high according to figures for 2011. On average, each large organisation suffered 54 significant digital assaults in that 12-month period, ...
 
Digital agenda commissioner Neelie Kroes wants the E.U. to invest in security technologies, and also called for more transparency in the security product market during a speech at the Infosecurity Europe conference in London on Tuesday.
 
A Chinese official said on Tuesday that Apple does not have ownership of the iPad trademark in China, signaling that authorities could be favoring local company Proview in its battle with the U.S. tech giant over rights to the iconic brand name.
 
Dell will flesh out its new virtual networking strategy at Interop next month when it shows off a 40-Gigabit Ethernet switch for the PowerEdge M1000e blade system announced Tuesday.
 
One of India's largest IT services firms, Infosys, is warning investors that it is facing a government probe over its use of work visas, and it "cannot predict the final outcome."
 
The U.S. International Trade Commission has ruled that Microsoft infringed on patents of Motorola Mobility in its Xbox games console.
 
Russian-speaking hackers earned an estimated $4.5 billion globally using various online criminal tactics, Russian security analyst firm Group-IB said in a report published on Tuesday.
 
Security vendor Guardian Analytics launched on Tuesday a product for financial institutions that detects possible fraudulent online banking transactions executed with a mobile device.
 
Facebook announced on Monday that its total revenue rose 45% year over year in the first quarter of 2012, but its profit fell 12%.
 
HDS's new midrange Hitachi Unified Storage system, which is similar to EMC's VNX array and NetApp's Fabric Attached Storage, can serve up both file- and block-based data through a single management framework.
 
The University of Florida in Gainesville is on the verge of dismantling its computer science department through budget cuts and restructuring, a move that has shocked students.
 
SugarCRM is expected to discuss a significant upgrade to its open-source CRM software during the SugarCon event in San Francisco.
 
EMC has announced a new Data Domain Boost integration with Oracle Recovery Manager, offering data deduplication on database servers and for Oracle administrators to have direct control of Oracle backup and disaster recovery operations.
 
With the arrival of Intel's Ivy Bridge processors, the chip maker has just given its competition a new bar to shoot for.
 

Bit9 wants to bin 'broken' antivirus, install whitelisting tech
Register
By John Leyden. Infosec 2012: Bit9 is using the Infosec show as a launchpad for its move into Europe as part of its wider ambitions to displace traditional antivirus technologies from corporate desktops and data centres.

 

Brit upstart flogs cloudy SaaS to clipboard-waving bods
Register
By John Leyden. Infosec 2012: UK-based startup SureCloud is flogging a cloud-based auditing and compliance platform at mid-market businesses with high info-security standards. SureCloud's Unified Compliance Platform pulls ...

 

SSH Communications Security Unveils SSH User Key Management Solution at ...
RealWire (press release)
London, UK – April 24th, 2012: SSH Communications Security, known the world over as the inventors of the SSH protocol, unveiled today at Infosec 2012, London the first new extension of its SSH Information Integrity Platform, SSH User Key Management.

 

Penetration Testing Book For Hackers & Security Professionals Published Just ...
PR Web (press release)
HackerStorm.com has published a new ebook aimed at ethical hackers and security professionals to enable them to create better test plans, test scopes and to grill testing consultants at InfoSec Europe about their services. 'Firewall Hacking Secrets For ...

 

GlobalSign Demonstrates iOS Device Authentication Solution for the Enterprise
PR Web (press release)
The increased risks that come with mobile devices accessing corporate networks will be a hot topic here at InfoSec in London this week, and we believe GlobalSign's iOS Identity Certificates are a perfect fit for the "bring your own device" era.

 

Posted by InfoSec News on Apr 23

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

The 8th issue of the HITB Quarterly Magazine is now available for download!

http://magazine.hitb.org/

This edition is a little bit 'lighter' than previous issues as the editorial
team is busy working on an extra special release for our 10th year anniversary
conference in October, HITBSecConf2012 - Malaysia.

http://conference.hitb.org/hitbsecconf2012kul/

For the...
 

Posted by InfoSec News on Apr 23

http://www.guardian.co.uk/media/2012/apr/23/colin-myler-news-of-the-world-scrutiny

By Ed Pilkington and Dominic Rushe in New York
guardian.co.uk
23 April 2012

Colin Myler's editorship of the New York Daily News, one of the most
prominent newspapers in America, has come under renewed scrutiny
following allegations that he attempted to intimidate members of the UK
parliament investigating phone hacking at the News of the World at the...
 

Posted by InfoSec News on Apr 23

http://espn.go.com/espn/otl/story/_/id/7846290/new-orleans-saints-mickey-loomis-eavesdrop-opposing-coaches-home-games

By John Barr
ESPN
April 23, 2012

NEW ORLEANS -- The U.S. Attorney's Office in the Eastern District of
Louisiana was told Friday that New Orleans Saints general manager Mickey
Loomis had an electronic device in his Superdome suite that had been
secretly re-wired to enable him to eavesdrop on visiting coaching staffs
for...
 

Posted by InfoSec News on Apr 23

http://www.informationweek.com/news/security/attacks/232900691

By Mathew J. Schwartz
InformationWeek
April 23, 2012

Who are the groups voted most likely to lob cyber attacks at companies
over the next six months? That would be the hacktivist set, including
Anonymous, LulzSec Reborn, and their ilk.

So said 61% of 1,900 IT and information security personnel recently
surveyed by endpoint security firm Bit9. Interestingly, however, the
survey...
 

Posted by InfoSec News on Apr 23

http://www.darkreading.com/compliance/167901112/security/news/232900802/do-s-and-don-ts-of-compliance-policy-development.html

By Ericka Chickowski
Contributing Writer
Dark Reading
April 23, 2012

Compliance fatigue can afflict just about any enterprise today facing
the growing list of regulatory requirements placing pressuring on their
security practices. Sometimes it may seem that there is just not enough
money or time to keep up. But...
 

GlobalSCAPE(R) Showcases Latest Solutions at Infosecurity Europe
MarketWatch (press release)
"Infosec Europe is a wonderful opportunity for GlobalSCAPE to reach out to the IT community and demonstrate the security and efficiencies our solutions can bring any organisations of any size," says Melinde Henderson, GlobalSCAPE's director of channel ...

 