InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Two U.S. lawmakers have called on the U.S. Department of Justice to reopen its investigation into Google's snooping on Wi-Fi networks in 2010 after recent questions about the company's level of cooperation with federal inquiries.
A pair of security researchers have proposed an extension to the Transport Layer Security (TLS) protocol that would allow browsers to detect and block fraudulently issued SSL certificates.
Quad-core processors have not yet been combined with 4G LTE in smartphones, but that could change soon.
Facebook introduced its own mobile photo app, Camera, on Thursday, bringing richer photo-sharing features to the platform even before the company closes its deal to acquire the popular photo-sharing app Instagram.
About 4.5 million Catholic school students will get access to Microsoft's Office 365 cloud e-mail and collaboration suite as part of a 3-year deal the software vendor struck with the Catholic International Education Office (OIEC).
[SECURITY] [DSA 2480-1] request-tracker3.8 security update
[ MDVSA-2012:081 ] firefox
[SECURITY] [DSA 2479-1] libxml2 security update
[SECURITY] [DSA 2478-1] sudo security update
As promised in the Data/Reports Feature Diary, this week we will cover the Country Report page at https://isc.sans.edu/countryreport.html in detail. The Worldmap graphic on this page is used in numerous spots around the site and links back here in most cases.
Worldmap - https://isc.sans.edu/countryreport.html#worldmap

Summary graph color coded with legend by port
Grouped and graphed by percentage (%)

Country Statistics - https://isc.sans.edu/countryreport.html#statistics

Link to the Country Report page, which lists countries individually and offers other features worthy of their own feature article.
To view summary data for a specific country, select a country name from the drop-down and click Submit.
Summary table of country name, country flag, additional information and data submitted through our sensors

How to read this table / FAQs - https://isc.sans.edu/countryreport.html#faq

Detailed explanation of the Statistics table above and where certain information is pulled from.

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
A federal judge in Kentucky this week upheld a lower court's decision to throw out crucial evidence in a drug case because the evidence was gathered with the help of a GPS tracking device installed without a warrant.
[ MDVSA-2012:080 ] wireshark
IPv6 security: New IETF I-Ds, slideware and videos for recent presentations, trainings, etc...
The efforts of President Barack Obama's administration to streamline and improve the government's IT systems aren't proceeding as quickly as officials have suggested, a federal auditor said Thursday.
Reports earlier this week that Microsoft CEO Steve Ballmer predicted unprecedented sales of Windows 8 were wrong on multiple counts, Microsoft and independent analysts agreed.
European privacy regulators want better answers from Google about its privacy policy and the way it informs its users about changes to it.
With the new version of Linux Mint, the developers behind the open source Linux distribution have put all energies behind Gnome, offering two versions of the desktop interface.
With Axis, Yahoo is trying to change the search game, while also trying to change its image as a troubled company.
Although Microsoft and Yahoo are search partners, Microsoft's Internet Explorer 9 (IE9) may complain that Yahoo's new Axis search add-on is slowing down the browser.
Facebook on Thursday launched Camera, a new standalone iPhone app for browsing your friends' photos and sharing new ones of your own. Were Instagram owned by anyone else, it might be sweating bullets right now.
Request Tracker Multiple Security Vulnerabilities
Yahoo was forced to release a new version of its Axis extension for Google Chrome after the original one contained a private key that allowed anyone to digitally sign extensions in Yahoo's name.
More than 95 percent of over 600 SAP systems tested by security firm Onapsis were vulnerable to espionage, sabotage and fraud, mainly because patches had not been applied, according to a researcher.
During the upcoming retrial of Oracle's corporate-theft lawsuit against SAP, the companies plan to call a star-studded array of tech executives as witnesses including CEO Larry Ellison, former Oracle co-president and current Infor CEO Charles Phillips and SAP co-CEO Bill McDermott, according to court documents.

CISOs adding risk management to their expanding portfolio
Infosecurity Magazine
... risk officer) instead of the CIO Chief information security officers (CISOs) are increasingly adding risk management to their ever expanding portfolio of responsibilities, according to a new report by infosec social networking site Wisegate.

Mozilla Firefox/Thunderbird/SeaMonkey 'cairo-dwrite' CVE-2012-0472 Memory Corruption Vulnerability
Google-owned Motorola Mobility has infringed a Microsoft patent related to SMS messaging, according to a ruling in the Munich regional court, which also dismissed a second case related to a localization patent.
JBL's $600 OnBeat Xtreme is a Bluetooth-enabled, dock-cradle speaker system for the iPod, iPhone, and iPad. Now, one of the first things we like to do when we review a speaker system is describe how the thing looks. In this case, though, I'm going to just direct you to the photos associated with this review--the OnBeat Xtreme looks like its own thing, and it's nearly impossible to describe in words. My best attempt: It looks like it's from the future, it's a mix of black materials with shiny chrome, and its various pieces form a sort of oblong X.
xArrow Multiple Remote Denial of Service Vulnerabilities
ESA-2012-020: EMC AutoStart Multiple Buffer Overflow Vulnerabilities
The first U.S. commercial spacecraft to head for the International Space Station made its first fly-by of the orbiter this morning and now is undergoing a series of pre-rendezvous tests.
Name: Amichai Shulman
In my time at Macworld, I've reviewed and tested numerous iOS apps. I've also reported on the challenges that iOS developers face. But it was only recently that I built my first iOS app, along with developer (and frequent Macworld contributor) Marco Tabini. The experience left me with insights into the iOS development process that I probably would never have otherwise discovered, and a better understanding of what the developers of many of our favorite apps go through on a regular basis.
Box will start letting customers test a new set of IT administration controls for its cloud-hosted enterprise collaboration and content management software on Thursday.
Security researchers unveiled eight vulnerabilities in Google services during the Hack in the Box conference in Amsterdam on Thursday -- but they claim to have discovered more than 100 such bugs over the past few months.
ZTE has successfully completed a hand-over test between two different versions of LTE, allowing operators to more effectively use their spectrum in a way that is seamless to the end user, the company said on Thursday.
Android and iPhone smartphones together made up 82% of all such devices shipped to retailers in the first quarter of 2012, IDC said Thursday.

For years, the mantra of the security industry has been to get enterprises to look internally for weaknesses and activity that can raise a red flag to a malware-infected machine or an employee with malicious intentions. But how do you know how secure your partners and clients are?

It’s not difficult to see the security risks posed by a contractor taking care of payroll, a managed services provider, or the string of businesses that make up the supply chain. A breach at any of those businesses could have a serious impact on your company’s security, yet an enterprise CISO or IT director has little control over the security of partner networks. Managing business partner security risk has largely been left to writing protections into service-level agreements. From a technology perspective, if partners are given access to company resources, enterprises can review the logs for suspicious behavior.

Derek Gabbard and his team at Lookingglass Cyber Solutions aim to change all that. The company’s technology, which is being used by a variety of government and financial organizations, can map out the networks of partners and clients and apply a layer of threat intelligence data to determine if there are any potential compromises. The technology provides companies with third-party risk management capabilities.

Called ScoutVision, the technology can get information about a company’s business partner networks once the partner’s IP address range is fed into it. It bases its threat analysis on security vendor intelligence feeds licensed by Lookingglass, honeypots and other proprietary threat intelligence data. Lookingglass monitors communication in cybercriminal networks. It ties intelligence on botnets and malware attacks to trace a threat back to a network that has been penetrated.

The company boasts that nearly 40 distinct sources of threat intelligence data are used in the analysis, including dark IP space and passive DNS data collected globally. The service can report all the threat intelligence it holds about an entire network and describe, for example, whether the network has 20 to 30 bad hosts, Gabbard said. If any Microsoft IP addresses have been communicating directly with a darknet, for instance, the company can characterize that communication to determine the nature of the threat.

Gabbard, who served as General Dynamics Advanced Information System’s program director for the United States Computer Emergency Readiness Team (US-CERT), told me that up until now companies have been focusing internally with little regard to the security of their partner systems.

I can’t find a company that is taking Lookingglass’ approach. SIEM systems such as HP Arcsight, and network appliances like RSA Netwitness or Solera Networks, don’t provide external network visibility in the same context, Gabbard said. The technology could eventually be integrated with a network appliance, he said. As CEO of Lookingglass, Gabbard is looking to extend ScoutVision to a broader set of customers.

So what does a company do with the threat data provided by Lookingglass?

Gabbard said he believes the information gleaned by the service can be actionable. The first commercial customers consisted of pilot projects conducted in 2010. So far the service has resulted in mainly reporting and phone calls to third parties. Some early adopters create reports and inform their partners of the potential security issues. Depending on their relationship, they’ll say “hey, your network’s messed up,” he said. “Clean it up or we’ll have to restrict access.”

The firm is gaining interest. In January, the fledgling company received $5 million in funding from Alsop Louie Partners, a firm that includes Gilman Louie, the founder and former CEO of In-Q-Tel – the investment arm of the Central Intelligence Agency. It will be interesting to watch if other security vendors attempt to take a similar approach with existing security appliances. The potential exists to apply the technology to companies with an extensive supply chain.


Ethical hackers hired by an organization to assess its vulnerabilities must always be careful to not “cross the line” and get themselves into trouble with the law. With all the computer security laws in the U.S., it can be a challenge for ethical hackers to ensure they are obeying all the laws.

But according to David Snead, an attorney in Washington D.C. who frequently represents IT security providers and consultants, it is possible to focus on just a handful of laws to avoid lawsuits and stay out of jail.

During a session at the Source Conference in Boston last month, Snead listed the overwhelming number of laws related to IT security in the U.S. But ethical hackers can focus on just three laws that are most likely to lead to litigation, according to Snead:

• Computer Fraud and Abuse Act (CFAA), which makes it illegal to access a computer or network without proper authorization.
• Wiretap Act, which can be applied to packet sniffing.
• Stored Communications Act (SCA), which can be applied to any email that was meant to be confidential.

Similarly, each state has different laws, and few organizations have the time or resources to ensure they are compliant in all 50 states. Snead recommended that ethical hackers and security consultants assist their client organizations by ensuring they are compliant in just three states, at least initially. The three states should be:

• The organization’s own headquarters state;
• The state where most of the organization’s employees work;
• The state where most of the organization’s customers live or work.

In some cases, these three scenarios may point to just one or two states, making the consultant’s job that much easier.

In my view, Snead was bold to make these recommendations. Many lawyers, when asked which IT security laws their clients should obey, would probably say, “All of them.” But Snead’s advice comes from a real-world perspective, and it’s this kind of realistic advice that’s greatly appreciated by security practitioners — especially the many independent penetration testers out there — who are often grappling with their budgets.

Still, security pros must understand the risks of following this advice. As Snead explained, triaging the laws this way will avert most legal problems. But the pen tester’s client organization could still get tripped up by a lesser-known law if a creative prosecutor convinces the court it applies to the organization’s security practices.

OpenOffice Multiple Heap Based Buffer Overflow Vulnerabilities

It’s anyone’s guess how the FedRAMP cloud security initiative will pan out, but the pieces are coming together. Last week, the U.S. General Services Administration released an initial list of approved third-party assessment organizations (3PAOs).

Launched by the Obama administration in December, the Federal Risk and Authorization Management Program (FedRAMP) aims to set a standard approach for assessing the security of cloud services. The goal is to cut the cost and time spent on agency cloud assessments and authorizations.

3PAOs will assess cloud service providers’ security controls to validate they meet FedRAMP requirements. Their assessments will be reviewed by the FedRAMP Joint Authorization Board, which can grant provisional authorizations that federal agencies can use.

Here’s the list of accredited 3PAOs: COACT, Department of Transportation Enterprise Service Center, Dynamics Research Corp., J.D. Biggs and Associates, Knowledge Consulting Group, Logyx, Lunarline, SRA International and Veris Group.

If you’re wondering how these companies became 3PAOs, they had to submit an application demonstrating technical competence in assessing security of cloud-based systems, according to the GSA. They also had to meet ISO/IEC 17020:1998 requirements for companies performing assessments.

When I wrote about FedRAMP earlier this year, the program drew praise, criticism and cautious optimism. Will it get bogged down in bureaucracy? Will it become simply another paper-pushing compliance exercise? Will it help advance cloud security standards for the private sector? Hard to say how long it will take until we know those answers, but at least FedRAMP appears to be on schedule. With the release of the 3PAOs, the program moves closer to its target of becoming operational next month.

I’m planning to speak with one of the 3PAOs tomorrow; hopefully I’ll have some additional information from that interview about the 3PAO process and FedRAMP in general. If I do, I’ll post it on SearchCloudSecurity.com.

Sony said Thursday it will pull out of its over three-year LCD TV panel joint venture with Sharp, which had been part of its ongoing attempts to reform its foundering TV business.
Yahoo beefed up its search offerings on Wednesday when it launched Axis, an HTML5-based browser app that delivers search results as page previews rather than as links.
There's a growing body of research on phantom cellphone vibrations and the other problems associated with technology obsession, and leading the way is Larry Rosen, the author of iDisorder. In this Q&A, Rosen talked about how addicted we've become and what we can do about it.
The National Center for Supercomputing Applications has chosen a massive tape library and disk array system to support Blue Waters, one of the world's largest supercomputers.
Google is now allowed under U.S. export control rules to offer downloads in Syria of its mapping software Google Earth, photo sharing software Picasa, and its Chrome browser, it said Wednesday.
The U.S. government has sided with monopoly rather than competition in bringing a case of e-book price-fixing against Apple, the company said in a filing on Tuesday before a federal court.
Hewlett-Packard plans to cut 9,000 people by Oct. 31, and 27,000 overall by the end of 2014, as part of a multi-year turnaround plan.
Symantec Endpoint Protection Manager Remote Denial of Service Vulnerability
appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability