InfoSec News

Mozilla Firefox/Thunderbird/SeaMonkey XUL Document Use-After-Free Vulnerability
Citigroup suffered about $2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges.
Twitter is introducing ads into the live stream of messages, according to the Financial Times. The addition of "promoted tweets" -- a euphemism for advertising -- within the live Twitter stream is bound to frustrate many users, at the same time as it attracts businesses looking to reach some of the company's 300 million users.
Google said on Friday that it plans to shut down two services that proved unpopular: Google Health and Google PowerMeter.
'glibc' Library 'locale/programs/locale.c' Local Privilege Escalation Vulnerability
In this video, Gartner Vice President Neil MacDonald discusses the SecurID attack at RSA, APT realities and the growing enterprise social engineering threat.


House Creates GOP-Only Cybersec Task Force
... after Republicans regained control of the House, Boehner tapped Thornberry to coordinate ways to more efficiently address cybersecurity legislation in a Congress where nearly every committee has some sway (see Texan Emerges as House Infosec Leader. ...

Crawlability vBSEO 'vbseo.php' Local File Include Vulnerability
Intel hopes to make it easier for developers to make money by pushing a subscription model to sell applications through its tablet and netbook application store, a company executive said this week.
RETIRED: Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities
Mozilla Firefox/Thunderbird/SeaMonkey Cookie Cross Domain Information Disclosure Vulnerability
The city of Orlando, Fla. has deployed 600 Chromebooks to employees as part of a pilot project and the early verdict is that they're low maintenance devices.
HP reportedly plans to launch a 7-in. tablet in August, just a month after its 9.7-in. TouchPad arrives.
Google acknowledged today that the Federal Trade Commission has launched an investigation into its business practices. Analysts say the potentially long and costly battle could benefit Microsoft.
Mozilla is planning to retire Firefox 3.6 from support, but won't put the 18-month-old browser out to pasture until August at the earliest.

Hacking group faces its own hackers - and hubris
"LulzSec seems to be imploding a bit with the pressure put on them by their own interpersonal issues as well as the likes of th3j35t3r (The Jester) and the Web Ninja's on their backs as well," wrote Scot Terban on Infosec Island, a website for IT and ...

The PCI Council Friday released a list of mobile payment app types that are eligible to meet its security standard; analysts critical of incomplete list.
Apple on Thursday released the final feature update for Snow Leopard as it prepared users' Macs for the upcoming Lion upgrade set to ship next month.
In this video, Gartner’s Neil MacDonald discusses patch management, IE9 security, his Windows 8 security wish list and protecting Apple computers.


Insider Threats and Cyber Vigilantes (blog)
Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says cyber-vigilantes like LulzSec and Anonymous, now simply known as Anon, are changing the way Infosec approaches insider threats, or at least they should. ...

We're three months into the Major League Baseball season and the Philadelphia Phillies have the best record in baseball. The Houston Astros have the worst. Even an average fan knows the home team's league standing. And any fan who owns a team-branded article of clothing can report the home run tally of the team's slugger and the ERA of the pitching staff.
It's been all hackers all the time this week with news of new cyber attacks as well as cyber arrests dominating the blogosphere. Never before have the anonymous (as well as the Anonymous) been so famous. But that's not all -- we still had plenty of Apple iPhone rumors to kick around. Nokia enjoyed some smartphone buzz after photos of its upcoming Windows handset were leaked onto the Web (accidentally, we think). And we learned that jackasses can't drive and pretty people can get hacked, too. Have you been keeping up with all things tech? Prove it by acing our quiz. Each correct answer is worth 10 points. And no trying to hack the quiz to get at the answers. We know who you are.
Opera Web Browser Frameset Constructs Memory Corruption Vulnerability
I wrote a diary a while back about process maturity called Countdown to Tuesday, using people's patching processes as an example. I want to use this diary as a catalyst to understand how people tell their boss, or indeed their CxO level managers, how well, or badly, they are doing with security response.
Incident Response is a classic example of where your ability to respond needs to be measured, and your success or failure at doing the response presented to the powers that be.
Given that we have some key steps during our incident lifecycle, we can look at gathering data, performing analysis and then producing reports based on that data. The SANS incident response lifecycle is based on PICERL, short for Preparation, Identification, Containment, Eradication, Recovery and Lessons learned.
So when your incident response process is triggered, we have clearly entered the identification phase. But how do you keep track of when you enter Containment, or Eradication, or indeed Recovery?
If you could measure between when an incident happened and when it was identified, you have a metric which shows how good your security monitoring is. If you come up with the metric of how quickly you go from Identification to Containment, you can then show how well your team is working. If you can work out your mean time to achieve something, then you can identify and focus in on steps in your process where it went wrong, or didn't operate effectively. You can trend, and produce further statistics showing the cost of the incident if your business has an average cost for being unable to do business.
But we're getting ahead of ourselves here. How do you record this information? Drop me a note via the contact form, and I'll add it to my next diary on how you could do it using free tools, some scripts, and allow you to produce statistics you'll want to present.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
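The phase timing metrics the diary describes, as an added example that is not part of the ISC post or its follow-up: it parses a constructed export of per-incident PICERL milestone timestamps (the CSV layout and column names are assumptions), computes the hours spent in each phase, the mean per phase, the slowest phase, and an outage cost from an assumed average hourly cost of not doing business.

```python
"""Per-phase incident timing metrics over constructed incident records."""
import csv
from datetime import datetime
from io import StringIO
from statistics import mean

# PICERL milestones that get a timestamp per incident. Preparation and
# Lessons learned are not timed: one precedes the incident, the other has no end.
MILESTONES = ["occurred", "identified", "contained", "eradicated", "recovered"]

# Constructed sample ticket export (assumed column layout), not real incident data.
SAMPLE_CSV = """\
id,occurred,identified,contained,eradicated,recovered
INC-1,2011-06-20T08:00,2011-06-20T14:00,2011-06-20T16:00,2011-06-21T10:00,2011-06-21T12:00
INC-2,2011-06-22T09:00,2011-06-22T11:00,2011-06-22T15:00,2011-06-22T21:00,2011-06-23T09:00
INC-3,2011-06-24T00:00,2011-06-24T10:00,2011-06-24T13:00,2011-06-24T19:00,2011-06-24T23:00
"""

def parse_incidents(text):
    """Parse the export into {id: {milestone: datetime}}; reject out-of-order stamps."""
    incidents = {}
    for row in csv.DictReader(StringIO(text)):
        stamps = {m: datetime.fromisoformat(row[m]) for m in MILESTONES}
        ordered = [stamps[m] for m in MILESTONES]
        if ordered != sorted(ordered):
            raise ValueError(f"{row['id']}: milestones are not in PICERL order")
        incidents[row["id"]] = stamps
    return incidents

def phase_hours(stamps):
    """Hours between consecutive milestones; 'occurred->identified' is detection lag."""
    return {f"{a}->{b}": (stamps[b] - stamps[a]).total_seconds() / 3600
            for a, b in zip(MILESTONES, MILESTONES[1:])}

def mean_phase_hours(incidents):
    """Mean time per phase across all incidents: the MTTx figures to report upward."""
    per_inc = [phase_hours(s) for s in incidents.values()]
    return {k: mean(p[k] for p in per_inc) for k in per_inc[0]}

def slowest_phase(incidents):
    """Phase with the largest mean duration, i.e. where process work pays off first."""
    means = mean_phase_hours(incidents)
    return max(means, key=means.get)

def outage_cost(incidents, hourly_cost):
    """Cost estimate: hours from occurrence to recovery times the hourly outage cost."""
    down = sum((s["recovered"] - s["occurred"]).total_seconds() / 3600
               for s in incidents.values())
    return down * hourly_cost
```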
ST-Ericsson this week said it would cut up to 500 jobs as part of a cost-savings plan.
For all its great apps, the iPad has quite a ways to go before it'll be ready to replace a desktop PC. But that doesn't mean you can't leave your laptop at the office and travel light. Given a sufficiently stable Internet connection, your iPad can control your PC from anywhere.
Upgrading your CPU can be a frustrating experience, even though the physical acts of removing an old processor and installing the new one are pretty easy. The more difficult questions to answer are these: When is the right time for me to upgrade a CPU? What processor will give me the best bang for the buck?
gdk-pixbuf 'gdk_pixbuf__gif_image_load()' Remote Denial of Service Vulnerability
A U.S. House of Representatives committee has stepped into the fray over startup LightSquared's planned mobile data network, and passed a bill that would block the Federal Communications Commission from spending any money granting the carrier a waiver it is seeking.
Addressing the IT furor over Mozilla's plan to pull support for Firefox 4, Microsoft issued an open letter affirming its commitment to support the current Internet Explorer edition through 2020.
Lulz Security, the hacker group that earlier attacked websites of the Central Intelligence Agency and Sony, has information it says was hacked from the computers of an Arizona law enforcement agency.
The HP TouchPad arrives July 1. Can it, unlike earlier iPad rivals, finally take a bite of Apple's success in the tablet market? Columnist Ryan Faas thinks it just might.
Cameron and Tyler Winklevoss were back in court on Thursday, a day after their lawyers had submitted to a court in California that they would not appeal to the U.S. Supreme Court their US$65 million settlement with Facebook and its CEO Mark Zuckerberg.