Hackin9

InfoSec News

A swab test conducted in six U.S. cities of 10 items commonly found in public places showed high levels of a type of germ that causes the common cold and the flu.
 
In the first integration between the Google+ social networking site and the Blogger blog publishing platform, users will be able to replace their Blogger profiles with their Google+ profiles, the company announced on Monday.
 
With hackers increasingly setting their sights on small businesses, the U.S. Federal Communications Commission said Monday it will provide an online tool to help those businesses develop a cybersecurity strategy.
 
The U.S. Federal Trade Commission members voted unanimously to approve an agreement that settles a privacy-violation complaint the agency leveled against Google over the company's Buzz microblogging and social networking service.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
We are now down to the last 5 controls, which are also labeled Additional Controls. They are labeled additional not because they are less important, but because they are processes that are harder to measure and automate. Controls 1-15 focused on issues that may be automated.
Control #16 illustrates the automation problem pretty well. Secure Network Engineering is a process that relies on qualified humans designing and maintaining a network with security in mind.
Many issues we discussed before are easier if the network is designed securely. For example, the last control, data leakage prevention, works best if egress points in your network are clearly defined and regulated. A good network design will also make it easier to block access to devices if they are found to be infected with malware, and it will make it harder for malware to spread internally.
Another problem that has come up before: How do you apply secure network engineering to an existing network? I have run into this many times before. A network is supposed to be re-designed on the fly without interrupting current operations. Usually I have to say that this is just not possible without immense costs, and in some cases, it may be simpler and cheaper to build a new network from scratch.
There are some possibilities to automatically monitor at least part of this process. For example, if we receive an alert about a new server or a change to the network configuration, we may be able to automatically compare this to a change control system to ensure that the change was properly approved and went through a process reviewing our network design. In short: Make sure your actual network matches the network design, and don't allow the actual network to deviate from the secure design.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Verizon Wireless has begun pushing out updates of Android 2.3, also called Gingerbread, for both the Droid Pro and Droid 2 Global by Motorola.
 
Shopify lets you create your own store with a minimum of fuss and hassle, and with lots of customizable options.
 
Oracle Database 'CTXSYS.DRVDISP' Buffer Overflow Vulnerability
 
TC-SA-2011-01: Multiple vulnerabilities in OmniTouch Instant Communication Suite
 
[SECURITY] [DSA 2326-1] pam security update
 
[SECURITY] [DSA 2325-1] kfreebsd-8 security update
 
[ GLSA 201110-20 ] Clam AntiVirus: Multiple vulnerabilities
 
[ MDVSA-2011:160 ] krb5
 
Google CEO Larry Page may be making good on his promise to begin integrating Google+ throughout all of Google's services.
 
Microsoft's official YouTube channel was hijacked on Saturday and all videos hosted on it were temporarily removed. The hacker replaced them with others claiming that Microsoft is holding a contest.
 
Android Market app developers are a busy group, with the average publisher placing more than six apps in the online store compared to four published by the average iOS developer in the Apple App Store.
 
[CVE-2011-2569] Cisco Nexus OS (NX-OS) - Command "injection" / sanitization issues.
 
[ GLSA 201110-16 ] Cyrus IMAP Server: Multiple vulnerabilities
 
[ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code
 
ClamAV 'find_stream_bounds()' PDF File Processing Denial Of Service Vulnerability
 
[ GLSA 201110-17 ] Avahi: Denial of Service
 
Nokia is expected to launch its first phones based on Microsoft's Windows Phone OS on Wednesday at Nokia World in London.
 
The pursuit of Yahoo seems to be heating up as a report Monday added Google to a list of interested suitors that is already said to include Microsoft.
 
The biography of Apple co-founder and former CEO Steve Jobs debuted today at the top of both Amazon's and Barnes & Noble's bestseller lists.
 
Steve Jobs was a brilliant-but-belligerent eccentric who transformed seven different industries, his biographer said in an interview that aired Sunday night on 60 Minutes.
 
Linus Torvalds has released the next version of the Linux kernel, and with it come virtualization enhancements and support for the emerging OpenRISC processor architecture.
 
Apple today quietly refreshed its workhorse MacBook Pro line of laptops, boosting the speed of the machines' processors and in some cases the size of their hard disk drives.
 
The Samsung Transform Ultra, a slider smartphone with a touchscreen and a qwerty keyboard, will go on sale Nov. 13 for $79.99 after rebate with a two-year Sprint contract.
 
Whistleblower Web site Wikileaks today announced that it was temporarily suspending operations due to financial constraints.
 
Consider the following scenario: A prospective customer walks into your store to buy an air conditioner. He evaluates several models and then buys one -- but not from you. It turns out your competitor located two miles away is offering the same model at a 20 percent discount. How did he know this? He scanned the product's bar code using the RedLaser app on his iPhone, which displayed several local retailers with lower prices than yours. If he had been willing to wait three days for shipping, he could have purchased the exact same model while standing in your store from an online retailer at a 30% discount.
 
D-Bus Configuration Insecure Temporary File Creation Vulnerability
 
Oracle is buying RightNow Technologies for about US$1.5 billion in order to boost its recently announced Public Cloud with customer-service software, the companies announced Monday. The deal is expected to close late this year or in early 2012.
 
Malicious or inappropriate sites, sure, but when it comes to the rest of the Web, denying employee access is an exercise in futility.
 
Even if your company website is secured with the latest software patches and has been tested by ethical hackers, it doesn't mean the scammers will stay away.
 
After announcing the technology at its OpenWorld conference last month, Oracle has launched its much anticipated NoSQL database.
 
Chinese e-commerce giant Alibaba Group is readying the next update of its mobile operating system as a company subsidiary launched a new fund to support app development for the OS.
 

Adelaide office hit by flash SMS hack
iT News
Two days after the first message was received in August last year, Jenkin contacted security companies. He sent extensive server logs to Trend ...

 
There is basic agreement on the nirvana vision for the next-generation data center, but the tricky part is getting there from here.
 
Cray was awarded a $97 million contract to build a supercomputer that could potentially deliver up to 20 petaflops of peak performance, or 20 quadrillion floating operations per second, to the Oak Ridge National Laboratory.
 
In an experiment that began in January, decommissioned Trinity Health servers, networking gear and storage systems have been running outdoors in a simple shed without failure. Takeaway: IT equipment appears to be a lot tougher than conventional wisdom says.
 
Computerworld's top Green-IT organizations for 2011 have woven energy-saving initiatives into the very fabric of their IT strategies
 
Taunting tweets, provocative pics, iPad-spam chats -- stupid slip-ups lead to high-profile hacker arrests
 
The path to better projects may be for software developers to become better people. An organizational psychologist contends that the source of project dysfunction is generally a project manager.
 
KPMG has made the use of green technologies a key component of its efforts to optimize its investments in IT, including a data center transformation that is expected to save about 15% in energy costs.
 
One big fear is that the volume of information that must be known is growing far faster than organizations' capacity to know.
 
The Federal Communications Commission has warned 20 online retailers to stop selling illegal devices that jam cell phone, GPS and Wi-Fi signals.
 
Samsung Electronics and Micron Technology have jointly launched a consortium to support and develop a new low-power memory called Hybrid Memory Cube, which could challenge DDR3 memory in high-performance computers in a few years.
 
President Obama has issued an executive order that aims to reform rules for the sharing and securing of data by federal agencies.
 
According to a media report out of San Antonio, the man recently accused of planning to assassinate a Saudi diplomat in Washington, D.C., was not the sharpest tool in the box. However, if neighbor accounts are to be taken at face value, the same could be said of the FBI agents tasked with foiling his alleged plot.
 
Equinix has launched an online marketplace for its data center customers, to make it easier for them to buy and sell network, managed hosting and other services among themselves.
 

Posted by InfoSec News on Oct 24

http://www.sunstar.com.ph/manila/local-news/2011/10/24/korean-hacker-awaiting-deportation-186795

Manila Local News
October 24, 2011

A KOREAN who hacked into a communication company's database and
downloaded data of its 40,000 customers is currently awaiting
deportation to Seoul, the Bureau of Immigration said.

Shin Un-sun, 37, was apprehended last October 5 in a popular
shopping center in San Juan City by the Philippine National...
 

Posted by InfoSec News on Oct 24

http://articles.baltimoresun.com/2011-10-22/news/bs-md-cybersecurity-challenge-20111022_1_teen-hackers-computer-servers-college-students

By Candus Thomson
The Baltimore Sun
October 22, 2011

Like skilled cat burglars, teams of college-age hackers slithered past
defenses to probe the soft underbelly of a sophisticated computer
system.

Their mission: to steal secrets and leave an electronic calling card.

As they tapped away on laptops and...
 

Posted by InfoSec News on Oct 24

http://news.cnet.com/8301-1009_3-20124208-83/police-data-leaked-as-cop-confab-kicks-off/

By Edward Moyer
CNet News
Security
October 22, 2011

According to a report in VentureBeat, Anonymous posted a notice on
Pastebin late Friday claiming it had leaked more than 600MB of
information gained by hacking into Web sites associated with the
International Chiefs of Police (IACP), the Boston Police Patrolmens'
Association, and law enforcement...
 

Posted by InfoSec News on Oct 24

http://www.csoonline.com/article/692274/forget-new-threats-it-s-the-old-school-attacks-that-keep-getting-you

By Taylor Armerding
CSO
October 21, 2011

Everybody in IT knows it is a dangerous world out there, filled with an
endless variety of cyber attacks aimed at compromising and taking
advantage of security flaws.

But there is still a persistent lack of awareness of specific threats
and how best to confront them, according to Rob Havelt,...
 

Posted by InfoSec News on Oct 24

http://www.computerworld.com/s/article/9221122/Widely_used_encryption_standard_is_insecure_say_experts

By Lucian Constantin
IDG News Service
October 22, 2011

A weakness in XML Encryption can be exploited to decrypt sensitive
information, researchers say.

XML Encryption is used for securing communications between Web services
by many companies, including IBM, Microsoft and Red Hat. Researchers
Juraj Somorovsky and Tibor Jager from the Ruhr...
 