InfoSec News

Lenovo has stopped selling netbooks through its website and hasn't decided if it will start selling them again there in the future, the company said on Friday.
Movable Type Multiple Remote Vulnerabilities
AntiSec hacked a government-based InfraGard site early this morning. InfraGard is a private non-profit organization serving as a public-private partnership between U.S. businesses and the FBI. The organization describes itself as “an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members.” [1] InfraGard states [...]

Dropbear SSH server use-after-free vulnerability
PHP Gift Registry 1.5.5 SQL Injection
[Onapsis Security Advisory 2012-08] Oracle JD Edwards Security Kernel Information Disclosure
[Onapsis Security Advisory 2012-07] Oracle JD Edwards SawKernel SET_INI Configuration Modification
[Onapsis Security Advisory 2012-06] Oracle JD Edwards JDENET Large Packets Denial of Service
[Onapsis Security Advisory 2012-05] Oracle JD Edwards JDENET Multiple Information Disclosure
A new study suggests many organizations are concerned about managing big data, but most don't have a clear understanding of what big data means. Log management solutions can help organizations make sense of some of the data they're generating, but many resort to syslogs, spreadsheets or nothing at all.
A bad global economy, poor market conditions and confusing management moves combined to create a perfect storm that slammed into Hewlett-Packard and staggered the PC maker in its first fiscal 2012 quarter.
When it comes to connecting networks or other systems together, it is best to have many, but not too many, connections, mathematicians have found.
Microsoft will probably trim the number of Windows 8 editions it will sell later this year, but won't mimic Apple's online-only approach to OS upgrades, a retail sales analyst said today.
Time-lapse photography allows you to watch objects and scenes change over time. Lapse It Pro for Android lets you use your phone's built-in camera to create your very own time-lapsed scenes.
[Onapsis Security Advisory 2012-04] Oracle JD Edwards SawKernel GET_INI Information Disclosure
[Onapsis Security Advisory 2012-03] Oracle JD Edwards SawKernel Arbitrary File Read
[Onapsis Security Advisory 2012-02] Oracle JD Edwards Security Kernel Remote Password Disclosure
[Onapsis Security Advisory 2012-01] Oracle JD Edwards JDENET Arbitrary File Write
Oracle Java SE CVE-2012-0499 Remote Java Runtime Environment Vulnerability

Crime: Brute Force Is Latest Modus Operandi
Credit Union Times
Costs of upgrades are the only barrier to implementation, but there are also costs of delay, said Jack Koziol, a director of InfoSec Institute in Elmwood Park, Ill. “Every breach has its own costs, and they go beyond the money lost.
Oracle moved quickly on Friday to lay out its plans for the HCM (human capital management) software market, a couple days after rival SAP did the same thing.
President Obama's move Thursday to establish a so-called Privacy Bill of Rights for the Internet can be seen as the consolidation of decadelong efforts by disparate groups to improve privacy protections via countless browser add-ons, settings and privacy policies. But while it's possible to guard privacy on the desktop, the rapidly growing mobile space is still the Wild West, with an almost endless landscape of privacy pitfalls that challenge even the most vigilant consumer.
Email is still an important means of communication in business. In recent years, an increasing number of businesses are outsourcing their email to web-based services like Google Apps for Business. In a tight economic time, the money saved by moving to the cloud can be hard to ignore. There are trade-offs though. Today, for instance, iCloud email users in Germany found that push-email features were disabled due to a patent lawsuit by Motorola. Here are five things to keep in mind when considering outsourcing your businesses email.
Attorneys General from 36 states are concerned over the potential implications of Google's new privacy policy, especially for users of Android-powered smartphones.
Hospitals are embracing 'Bring-Your-Own-Device' initiatives, but with varying levels of access to business applications, according to a survey of the networking priorities of more than 130 healthcare IT pros.
Proview Electronics has brought its legal battle against Apple to the U.S., accusing the company of using deceptive practices to acquire the iPad trademark.
CJWSoft ASPGuest GuestBook 'edit.asp' - SQL Injection Vulnerability
[security bulletin] HPSBUX02737 SSRT100747 rev.2 - HP-UX Running OpenSSL, Remote Denial of Service (DoS)
[ MDVSA-2012:022 ] mozilla
[SECURITY] [DSA 2416-1] notmuch security update
A Mac Trojan named Flashback, released last year masquerading as a Flash Player installer, appears to be back in a new variant. The new variant of the Flashback Java Trojan, known as Flashback.G, is circulating in the wild and runs on OS X 10.6 (Snow Leopard). According to Intego, if your system has been compromised, Safari and Skype may be prone to frequent crashes, and you may find a Java applet in ~/Library/Caches.
It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question.[1]
[1] http://blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/

[2] http://www.macrumors.com/2012/02/24/flashback-trojan-returns-with-a-multi-pronged-infection-strategy/

[3] http://isc.sans.org/diary/Apple+Improving+OS+X+Anti-Malware+Feature/10951
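The diary names one host-based indicator, a Java applet dropped under ~/Library/Caches, without giving file names. The following is an added triage check (not from the ISC diary or Intego's write-up) that lists files under a cache directory which look like Java payloads. The file-name patterns and the magic-byte checks (zip "PK" for jar files, CA FE BA BE for class files) are assumptions I chose for the check, not published Flashback.G indicators; the default directory is ~/Library/Caches.

```shell
#!/bin/sh
# Added example: list Java applet artifacts under a cache directory.
# Matching rules (assumptions, not Intego's IOCs):
#   - file name ends in .jar or .class, or
#   - first bytes are zip magic "PK" (jar = zip) or class magic CA FE BA BE.

# find_java_artifacts [DIR]
# Prints the path of every regular file under DIR (default ~/Library/Caches)
# that looks like a Java applet payload.
find_java_artifacts() {
    dir="${1:-$HOME/Library/Caches}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.jar|*.class) echo "$f"; continue ;;
        esac
        # Read the first four bytes as hex, e.g. "504b0304" or "cafebabe".
        magic=$(od -An -N4 -tx1 "$f" 2>/dev/null | tr -d ' \n')
        case "$magic" in
            504b*|cafebabe) echo "$f" ;;
        esac
    done
}

# count_java_artifacts [DIR]
# Prints the number of matching files, for a quick yes/no triage answer.
count_java_artifacts() {
    find_java_artifacts "$1" | wc -l | tr -d ' '
}
```

A non-zero count is a reason to look closer, not proof of infection: legitimate applets are cached in the same place, so review each hit (signing, origin, timestamp against the crash reports mentioned above) before treating it as Flashback.G.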
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Todd Miller Sudo 'Sudo_Debug()' Path Resolution Local Privilege Escalation Vulnerability
IBM Lotus Symphony Image Object Integer Overflow Vulnerability
Security advisory for Bugzilla 4.2 and 4.0.5
YVS Image Gallery Sql injection
NGS00120 Patch Notification: BlackBerry PlayBook Samba Remote Code Execution
[SECURITY] [DSA 2417-1] libxml2 security update

Part of the Cost of Doing Business
Crain's Cleveland Business (blog)
You probably also already know this and therefore have a full-time Infosec staff that is in charge of making sure, first of all, that your company is compliant with any government or industry regulations that apply to your business, and second, ...

Google's plan to share user data across its online services will have little effect on users of the company's enterprise, government and education application suites, the company said.
As the White House pushed a privacy bill of rights and readied online privacy legislation for Congress, Google decided on Thursday to get behind 'Do Not Track' technology. Here's where things stand.
Facebook users are becoming decidedly unfriendly, according to a Pew Internet & American Life Project study released Friday.
CA Technologies has launched a disaster-recovery software-as-a-service offering that combines on-site data protection with a cloud-based service, using Microsoft Azure's infrastructure.
ZDI-12-039 : Oracle Java Web Start java-vm-args Command Argument Injection Remote Code Execution
ZDI-12-038 : Oracle Java JavaFX Arbitrary Argument Remote Code Execution Vulnerability
ZDI-12-037 : Oracle Java Web Start JNLP Double Quote Remote Code Execution Vulnerability
UTC Fire & Security GE-MC100-NTP/GPS-ZB Default Credentials Authentication Bypass Vulnerability

Sci-Tech Today

Two lessons enterprises can learn from pcAnywhere
At the same time, an unidentified researcher conducted an independent analysis of the leaked source code, detailing his (or her) findings about the development process behind pcAnywhere in an article submitted to InfoSec Institute.
Symantec's pcAnywhere Woes May Be Worse Than We Thought (PC Magazine)
Disappointing earnings reports this week from Hewlett-Packard and Dell were offset by more encouraging results from software makers, confirming forecasts for general trends in IT spending this year.
TPTI-12-01 : Oracle Java True Type Font IDEF Opcode Parsing Remote Code Execution Vulnerability
ZDI-12-033 : ABB WebWare RobNetScanHost.exe Remote Code Execution Vulnerability
ZDI-12-032 : Oracle Java Runtime Environment readMabCurveData Integer Overflow Remote Code Execution Vulnerability
Mobile Mp3 Search Engine HTTP Response Splitting

Even fully patched pcAnywhere installations vulnerable, says researcher
A detailed analysis of the leaked source code by an anonymous researcher and published on the InfoSec Institute has challenged earlier assertions from Symantec that the stolen code was "old code" and "not in use." The analysis referred to the ...

In shop class, they tell you to measure twice and saw once. IT isn't so different. BMC's cloud workshop offers an object lesson in why it pays off to bring the vendor, IT and the end user together before a new project is designed and deployed. A little communication can save time and money -- and maybe even your job.
Nokia shipped 900,000 Windows Phones during the fourth quarter, which was enough to become the world's No. 1 Microsoft smartphone vendor, market research company Strategy Analytics said on Friday.
Dell said Friday it has purchased backup software vendor AppAssure, in the first of an expected run of acquisitions following Dell's appointment of former CA CEO John Swainson as head of a new software division.
Apple has acquired apps search company Chomp for an undisclosed price, it said Friday.
Oracle JDEdwards CVE-2011-2325 Password Disclosure Security Vulnerability
IT departments and the duties of their staffers haven't changed much in recent years. But the rise of mobile, the bring-your-own-device trend and a new generation of workers is about to change all that. Ryan Faas explains.
Oracle JD Edwards EnterpriseOne Tools CVE-2011-2317 Arbitrary File Upload Vulnerability
Nvidia has partnered with modem chip makers GCT Semiconductor and Renesas Mobile to make it easier to build LTE (Long-Term Evolution) smartphones and tablets using its quad-core Tegra 3 processor, the company said on Thursday.
Wi-Fi hotspots and small cellular radios could make life easier for both consumers and mobile operators, and powerful backers are lining up this week to show how they can maximize that potential.
Oracle Java SE CVE-2012-0500 Java Runtime Environment Remote Code Execution Vulnerability
Oracle JDEdwards CVE-2011-2326 Information Disclosure Vulnerability

... 22:10 Nielsen Hldg NV at Morgan Stanley Tech Conf 27 Feb 22:10 Parametric Tech Corp. at Morgan Stanley Tech Conf 27 Feb 22:10 Scripps Networks Interactive at Morgan Stanley Tech Conf 27 Feb 23:00 Akamai Tech at AGC West Coast Info Sec & Growth Conf ...


Posted by InfoSec News on Feb 24


By Jeremy Kirk
Feb 23, 2012

Pastebin, a website favored by hackers to publicly post sensitive stolen
data, has been battling an ongoing distributed denial-of-service (DDoS)
attack aimed at disabling the site, according to its administrators.

The latest attack started on Wednesday, according to a...

Posted by InfoSec News on Feb 24


By Kelsey Sheehy
U.S. News & World Report
February 21, 2012

Convenience and credibility are what sold Henry Bromley III on James
Madison University's M.B.A. program.

The Virginia-based mechanical engineer, husband, and father needed a
reputable business school close to home...

Posted by InfoSec News on Feb 24


By Joe Rosato Jr.
NBC Bay Area
Feb 22, 2012

Inside a cavernous white room amid the ramshackle piers of San
Francisco’s Southern waterfront, a group of men in white industrial
suits scrape away at what looks like a long Styrofoam canoe.

Men in matching black jackets emblazoned with the Oracle logo nervously
scan the group of media invited into...

Posted by InfoSec News on Feb 24


By Kelly Jackson Higgins
Dark Reading
Feb 23, 2012

Certificate authorities (CAs) are still reeling from the wave of hacks
against them over the past year. And it turns out most of their
customers are struggling to keep on top of their SSL certificates
despite the increased...

Posted by InfoSec News on Feb 24


BBC News
22 February 2012

The government must take more seriously the threat of a nuclear weapon being
exploded in space by a rogue state, MPs have warned.

The Defence Select Committee said the resulting radiation pulse could disrupt
power and water supplies, UK defence and satellite navigation systems.

Its chairman, Tory MP James Arbuthnot, said an attack was "quite likely".


Posted by InfoSec News on Feb 24


The Secunia Weekly Advisory Summary
2012-02-16 - 2012-02-23

This week: 85 advisories

Table of Contents:

1.....................................................Word From Secunia...
Orbit Downloader 'Download Failed' Remote Buffer Overflow Vulnerability
Oracle JDEdwards EnterpriseOne Tools CVE-2011-2324 Denial Of Service Vulnerability
Trend Micro Control Manager 'CmdProcessor.exe' Remote Code Execution Vulnerability
Oracle JDEdwards CVE-2011-3514 Remote Security Bypass Vulnerability
@s3erverexe has been busy the last few days leaking minor data from exploited and hacked servers and sites related to many different Anonymous operations.

Oracle JDEdwards CVE-2011-3509 Remote File Disclosure Vulnerability
Oracle JDEdwards EnterpriseOne Tools CVE-2011-2321 Information Disclosure Vulnerability
Oracle JDEdwards EnterpriseOne Tools CVE-2011-3524 Information Disclosure Vulnerability