InfoSec News

Tom Bicer wrote in to tell us about an interesting development among the SSL certificate providers. Comodo issued a press release announcing that it had found vulnerabilities related to Verisign's certificates and had advised Verisign of them. The vulnerability at least led to potential security issues at one of Verisign's customers (a bank), and it was discovered using publicly available information. Comodo was clearly careful in the wording of the press release: no details of the vulnerability were released. Comodo also stated that it followed the CCSS Forum (Common Computing Security Standards Forum) guidelines in releasing the vulnerability information.
While it seems that Comodo is doing everything right, it still raises the question: should you test your competitor's products? And how do you handle the announcement so it doesn't look like you are leveraging your competitor's security weakness for marketing? There are no good answers to those questions; it all depends on the situation, and it is a very fine line. It is hard to balance the finder's bragging rights against waiting for the vendor to announce the actual vulnerability, and in some cases the vendor never releases it at all. Bottom line: the finder of a vulnerability should be given credit. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Virtualization, cloud computing and SaaS all carry their own security challenges.
 
Mac OS X and Linux may be safer today, but that can change. And no operating system is completely secure.
 
In the federal agency's first case against a social networking service, Twitter agreed to periodic third-party reviews of its security program over the next decade.

 
First look: Apple's new iPhone is faster, slimmer, slicker, better -- except for potential reception problems
 
If you're a LAN administrator in charge of, or a consultant diagnosing, an ad hoc collection of hardware and software, it can be difficult to get a handle on everything that might be running. Enter Lansweeper (various pricing; 30-day free trial with advanced features), a program that lets you audit every computer on your network so you know exactly what's out there and what users are running on it. Personally, I was hoping that Lansweeper would work with workgroups; however, in my hands-on test it found no computers on my existing workgroup, and I had to create a test domain. This may have been a quirk of my system, as I was able to create one later.
 
The iPhone 4 went on sale on Thursday morning, with Japanese customers who waited in long lines among the first to purchase the latest smartphone from Apple.
 
A French business school plans to trade Google Apps, used by around half its staff and students, for Microsoft's rival [email protected] service.
 
Some users say the new Apple iPhone 4's high-resolution display is marred with yellowish spots and bands.
 
Intel researchers have published the results of a performance comparison between their latest quad-core Core i7 processor and a two-year-old Nvidia graphics card, and found that the Intel processor can't match the graphics chip's parallel processing performance.
 
The Droid X smartphone was unveiled Wednesday, and its backers declared that it has enterprise potential.
 
Microsoft fired another salvo as its battle against Google for search turf heated up this week.
 
Social-networking giant Twitter has agreed to settle a complaint from the U.S. Federal Trade Commission alleging that the company deceived users and put their privacy at risk by failing to take appropriate security safeguards.
 
More than 400 people lined up this morning at one Apple Store in Massachusetts to get a new iPhone 4, and promptly started using FaceTime video chat as soon as they got the new smartphones.
 

Vodafone foreshadows Nexus One launch
ZDNet Australia
CNET retracts article: http://bit.ly/cmeHMH RT @opexxx: RT @InfoSec: Malware Watch: Adobe zero day attack, malicious FIFA-themed spam ...

 
 
Many of the software giant's highly touted security features cost extra to get, require additional Microsoft products to run and lag behind third-party vendors.

 
Payment processors are touting tokens to protect payment data, but a lack of standards can result in vendor lock-in. An encryption and token expert says more work is needed.

 
InfoSec News: US cyber-combat Top Gun training details emerge: http://www.theregister.co.uk/2010/06/23/us_cyberwar_training/
By Lewis Page The Register 23rd June 2010
Details are emerging of the training programme that will produce the US military's new elite corps of cyberwarfare operatives.
According to a Department of Defense statement, the undergraduate cyber training course for career field 17DX "cyber operations officers" in the US Air Force was launched last week at Keesler Air Force Base in Mississippi. The course lasts six months.
"We didn't have the pipeline in place to train the new skills needed to operate in the cyberspace domain," says Lieutenant Colonel Scott Solomon of the 333rd Training Squadron. "It's the one domain for which we didn't have an initial skills course.
"For years, we've done fundamental training in telecommunications, radar, radio, long-haul infrastructure, microwave and air traffic control systems, but now most of these things are connected at the Internet protocol level via the Internet," he added. "Our new cyberspace operators are going to be trained to operate looking through the lens at that IP level."
[...]
 
InfoSec News: Another domain adopts added DNS security: http://gcn.com/articles/2010/06/23/org-dnssec-deployment-062310.aspx
By William Jackson GCN.com June 23, 2010
The Public Interest Registry, which operates the .org generic top-level domain, announced today that it has completed deployment of Domain Name [...]
 
InfoSec News: Internet whizzes recruited to IDF intelligence unit: http://www.ynetnews.com/articles/0,7340,L-3909528,00.html
By Yossi Yehoshua Ynetnews 06.23.10
In each round of recruitments, the IDF aims to single out the most talented future fighters for its elite commando units, cadets' course, field units, and intelligence units. [...]
 
InfoSec News: VeriSign refutes security vulnerability claim: http://www.tgdaily.com/security-features/50315-verisign-refutes-security-vulnerability-claim
By Aharon Etengoff TG Daily 22nd Jun 2010
VeriSign has denied claims of an alleged security vulnerability recently identified by Comodo.
According to Comodo CEO Melih Abdulhayoglu, the vulnerability could theoretically allow hackers to access VeriSign customer accounts - including a major financial institution - without proper authentication.
"The vulnerability involves a simple search for a specific keyword, which then leads to a VeriSign account public access page. So, access to these accounts is only a pass phrase away. Think about it: malicious hackers from Russia or China can simply brute force their way past the password. Remember, security is only as good as its weakest link," Abdulhayoglu told TG Daily.
"Unfortunately, VeriSign has not accepted our analysis of the vulnerability. They are not seeing the problem and have told us that (second tier) challenge phrases are surrounded by stringent security and are monitored. But this is certainly not an acceptable policy, and that is the crux of the problem."
[...]
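The weakness Comodo describes is a single secret that an attacker can guess at online without limit. The following is an added example, not code from VeriSign, Comodo or the article: it puts an unthrottled challenge-phrase check beside one that counts, logs and cuts off failed guesses, and runs the same dictionary attack against both. The phrase list, the account phrase and the lockout threshold are constructed for the demonstration and say nothing about how VeriSign's page actually behaved.

```python
import hmac
from typing import Iterable, List, Optional

# Constructed sample: a small list standing in for the weak, guessable
# challenge phrases people pick. The account's real phrase is one of them.
CANDIDATE_PHRASES = ["password", "welcome1", "letmein", "summer2010", "qwerty", "goldfish"]


class UnthrottledChallenge:
    """A single pass phrase is the whole gate, and nothing limits guesses."""

    def __init__(self, phrase: str):
        self._phrase = phrase.encode()
        self.attempts = 0

    def check(self, guess: str) -> bool:
        self.attempts += 1
        # constant-time compare avoids a timing side channel, but does nothing
        # against an attacker who can simply try every phrase
        return hmac.compare_digest(guess.encode(), self._phrase)


class ThrottledChallenge:
    """Same gate, but failures are counted, logged and cut off after max_failures.
    A hard lockout is the simplest throttle; it also lets an attacker lock the
    legitimate owner out, so real services pair it with alerting on the log,
    back-off timers and a second factor (assumptions of this example)."""

    def __init__(self, phrase: str, max_failures: int = 5):
        self._phrase = phrase.encode()
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.events: List[str] = []   # what a monitoring team would see

    def check(self, guess: str) -> bool:
        if self.locked:
            self.events.append("rejected while locked")
            return False
        if hmac.compare_digest(guess.encode(), self._phrase):
            self.events.append("success")
            return True
        self.failures += 1
        self.events.append(f"failure {self.failures}")
        if self.failures >= self.max_failures:
            self.locked = True
            self.events.append("account locked")
        return False


def dictionary_attack(gate, candidates: Iterable[str]) -> Optional[str]:
    """Online guessing as the quote describes: try each candidate phrase in turn
    and return the one the gate accepts, or None if the attack is stopped."""
    for guess in candidates:
        if gate.check(guess):
            return guess
    return None


if __name__ == "__main__":
    weak = UnthrottledChallenge("summer2010")
    print("unthrottled:", dictionary_attack(weak, CANDIDATE_PHRASES), "after", weak.attempts, "tries")
    hard = ThrottledChallenge("summer2010", max_failures=3)
    print("throttled:  ", dictionary_attack(hard, CANDIDATE_PHRASES), hard.events)
```

Against the unthrottled gate the fourth guess wins; against the throttled one the account is locked after three failures and the correct phrase is rejected when it finally comes up, with a log trail that the "monitored" claim in the article would have to be able to point at. Monitoring alone does not stop the guessing; only the limit does, and the limit is only a stopgap for a gate that should not rest on one phrase.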
 
InfoSec News: Secrets of Doing Business With the Intelligence Community: http://www.afcea.org/signal/signalscape/index.php/2010/06/secret-of-doing-business-with-the-intelligence-community/
By Maryann Lawlor AFCEA Signal Scape 6/23/10
It's sometimes difficult to figure out what's the bigger secret - intelligence or the acquisition processes of the organizations that [...]
 
InfoSec News: Bulgarian Hackers Tangled in Tax Evasion Scams: http://www.novinite.com/view_news.php?id=117423
Novinite.com June 23, 2010
Computer hackers in Bulgaria help retailers hide their revenues and deprive the State budget of millions in Value Added Tax (VAT), the Bulgarian daily Standard writes.
The police and the National Revenue Agency (NRA) are probing computer whizzes who were able to break the code of cash registers and manipulate their memory. For a monthly fee from merchants, the hackers can delete a number of transactions or reduce the value of each sale by 10% to 20%.
The scam is difficult to prove: when revenue agents and police make a surprise visit, they find the cash register functioning, and a check of its memory would not show days or hours without registered sales.
The scam is common in big cities, the police say, because stores there have larger turnover. To deal with the crime, the revenue agents also use innovative methods, such as making purchases from the same store over the course of several days and keeping their receipts. The probe is done a month later, and the receipts are compared against the register's memory. If a purchase has been deleted, the NRA begins a full audit of the retailer.
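The agents' method is a reconciliation of an independent record (the receipts they kept) against the record under the suspect's control (the register memory). The following is an added example, not code from the NRA or the article, that carries that comparison out over constructed data: a handful of test-purchase receipts and a register dump in which one sale has been deleted and another cut by 15%. Using the receipt number as the join key, and treating a reduced amount as an audit trigger alongside a deleted one, are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Sale:
    receipt_no: int
    when: datetime
    amount: float        # constructed values, in the register's currency


# Constructed: receipts the agents kept from test purchases made on several days.
AGENT_RECEIPTS = [
    Sale(1041, datetime(2010, 6, 1, 10, 15), 24.90),
    Sale(1188, datetime(2010, 6, 3, 17, 42), 63.00),
    Sale(1302, datetime(2010, 6, 5, 12, 5), 11.50),
    Sale(1455, datetime(2010, 6, 8, 9, 30), 48.00),
]

# Constructed: what the register's memory holds a month later. Receipt 1188 has
# been deleted outright, receipt 1455 has been cut by 15%, and 1456 is an
# unrelated sale left untouched.
REGISTER_MEMORY = [
    Sale(1041, datetime(2010, 6, 1, 10, 15), 24.90),
    Sale(1302, datetime(2010, 6, 5, 12, 5), 11.50),
    Sale(1455, datetime(2010, 6, 8, 9, 30), 40.80),
    Sale(1456, datetime(2010, 6, 8, 9, 34), 7.20),
]

Finding = Tuple[str, Optional[float]]   # ("ok" | "deleted" | "reduced", percent cut)


def reconcile(receipts: Iterable[Sale], memory: Iterable[Sale],
              tolerance: float = 0.005) -> Dict[int, Finding]:
    """Compare each kept receipt against the register memory by receipt number.
    No matching entry means the sale was deleted; a stored amount below the
    printed amount means it was reduced. `tolerance` absorbs rounding."""
    stored = {s.receipt_no: s for s in memory}
    findings: Dict[int, Finding] = {}
    for r in receipts:
        entry = stored.get(r.receipt_no)
        if entry is None:
            findings[r.receipt_no] = ("deleted", None)
        elif entry.amount + tolerance < r.amount:
            cut = round(100.0 * (r.amount - entry.amount) / r.amount, 1)
            findings[r.receipt_no] = ("reduced", cut)
        else:
            findings[r.receipt_no] = ("ok", None)
    return findings


def needs_full_audit(findings: Dict[int, Finding]) -> bool:
    """The article's trigger is a deleted purchase; treating a reduced amount the
    same way is this example's assumption, since both hide VAT."""
    return any(kind in ("deleted", "reduced") for kind, _ in findings.values())


if __name__ == "__main__":
    result = reconcile(AGENT_RECEIPTS, REGISTER_MEMORY)
    for no, (kind, cut) in sorted(result.items()):
        print(no, kind, "" if cut is None else f"{cut}% below receipt")
    print("full audit:", needs_full_audit(result))
```

The check only finds tampering on the sales the agents happened to buy, which is why they spread purchases over several days. A register whose memory was hash-chained or signed per transaction would expose deletions directly, without test purchases, but that is a design the article does not describe.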
 

 

Posted by InfoSec News on Jun 23

http://gcn.com/articles/2010/06/23/org-dnssec-deployment-062310.aspx

By William Jackson
GCN.com
June 23, 2010

The Public Interest Registry, which operates the .org generic top-level
domain, announced today that it has completed deployment of Domain Name
System Security Extensions, which provide an additional level of
security to the DNS. The full deployment tops off a two-year deployment
and testing period of DNSSEC in 18 live .friends and...
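What "completing deployment" of DNSSEC buys the .org zone and its children is a chain of trust: a signed DS record in the parent that commits to the hash of the child's DNSKEY, so a resolver can tell a genuine key from a substituted one. The following is an added example, not code from the Public Interest Registry or the article, showing how that DS/DNSKEY link is computed and checked as RFC 4034 specifies. The zone name and key bytes are constructed (the key material is arbitrary bytes, not a real RSA key), and the example covers only the DS linkage, not RRSIG signature verification.

```python
import hashlib
import hmac
import struct

# Constructed sample: DNSKEY RDATA for a key-signing key of a made-up zone.
# Flags 257 (SEP/KSK), protocol 3, algorithm 8 (RSASHA256). The key material
# is arbitrary bytes, NOT a real public key; it only exercises the hashing.
ZONE = "Example.ORG."          # mixed case on purpose: DS hashing canonicalises it
KEY_MATERIAL = b"\x00\x01\x02\x03"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B, the form used
    for every algorithm except 1). It is a 16-bit checksum that helps a
    validator pick the right key; it is not an integrity check."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash function


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """What the parent zone publishes for the child: (key tag, algorithm, digest type, digest hex)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type).hex()


def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """Validator side: does this DNSKEY served by the child zone hash to the DS
    the parent published? Tag and algorithm must agree first, then the digest
    is compared in constant time."""
    tag, algorithm, digest_type, digest_hex = ds
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type).hex(), digest_hex)


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, KEY_MATERIAL)
    ds = make_ds(ZONE, ksk)
    print("DS published by parent:", ds)
    print("genuine key matches:   ", ds_matches(ZONE, ksk, ds))
    # A substituted key crafted to keep the same key tag still fails:
    # the tag is a hint, the digest is the check.
    forged = dnskey_rdata(257, 3, 8, b"\x00\x03\x02\x01")
    print("forged key, same tag:  ", key_tag(forged) == key_tag(ksk), ds_matches(ZONE, forged, ds))
```

In a real validation the DS record itself must be covered by an RRSIG made with the parent's keys, and the parent's keys by its own parent's DS, up to the root trust anchor; a matching DS only links one rung of that ladder.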
 

Posted by InfoSec News on Jun 23

http://www.ynetnews.com/articles/0,7340,L-3909528,00.html

By Yossi Yehoshua
Ynetnews
06.23.10

In each round of recruitments, the IDF aims to single out the most
talented future fighters for its elite commando units, cadets' course,
field units, and intelligence units. Now, the military is also seeking
out youth who excel on the internet. The goal: to form a commando unit
to protect Israel's virtual borders and beat back enemy infiltration...
 

 

Posted by InfoSec News on Jun 23

http://www.afcea.org/signal/signalscape/index.php/2010/06/secret-of-doing-business-with-the-intelligence-community/

By Maryann Lawlor
AFCEA Signal Scape
6/23/10

It's sometimes difficult to figure out what's the bigger secret -
intelligence or the acquisition processes of the organizations that
gather it. CIA, NSA, DIA plus 13 more agencies are collectively known as
the intelligence community (IC), but that's where most of the similarity...
 

 
