InfoSec News

For those of you who would like to contribute to the future of Firefox while it is not quite ready for final release, Firefox 4 Beta 12 is considered stable and safe to use for daily browsing. There are still some known issues, and Mozilla warns that if you are an add-on user some of your add-ons may not work yet, but with the Add-on Compatibility Reporter you can help the add-on developers as well.
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected). (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In a sign that hackers, like everyone else, are taking an interest in everything Apple, researchers at Sophos say they've spotted a new Trojan horse program written for the Mac.
 
It's been a few years coming, but it looks like China may finally be getting a handle on its spam problem.
 
Users will have to send their Motorola Xoom tablets away for a week in order to upgrade them to 4G, Verizon Wireless said this week.
 
Linux Kernel 'x25_parse_facilities()' Remote Denial of Service Vulnerability
 

At Bat: Lineup of Infosec Subcommittees' New Leaders
GovInfoSecurity.com (blog)
Also set to show off its infosec sway is the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, chaired by Daniel Lungren, R-Calif., with New York Democrat Yvette Clarke, its former chair, ...

 
Apple is offering security experts a copy of the developer preview of Mac OS X 10.7, aka Lion, and asking them for feedback.
 
T-Mobile USA suffered a net loss of 23,000 customers in the fourth quarter but gained 1 million smartphone users, which helped to increase the data revenue that the carrier pulled in from an average subscriber.
 
Linux Kernel 'drivers/scsi/gdth.c' IOCTL Local Privilege Escalation Vulnerability
 
[USN-1071-1] Linux kernel vulnerabilities
 
Re: Linksys Cisco Wag120N CSRF Vulnerability
 
Microsoft isn't exactly suffering, but it needs deals like this to maintain high growth.
 
Consumer Reports today said that its lab tests show the Verizon iPhone 4 suffers from a "death grip" problem similar to last summer's revelations about AT&T's model.
 
Astronauts aboard the shuttle Discovery are using the vehicle's robotic arm today to inspect for damage to its exterior during Thursday's launch into orbit.
 
Remember when Apple wanted us to "think different"? That was a pose, 'cause now they don’t …
 
Repeating what has been a familiar pattern for the past six months, tech earnings and market forecasts this week show that while enterprise IT sales, especially for software, are booming, consumer demand for PCs is flagging.
 
The RSA conference and Disneyland both demonstrate ways that it can be done.
 
Oracle Java SE and Java for Business CVE-2010-4473 Remote Java Runtime Environment Vulnerability
 
Linksys Cisco Wag120N CSRF Vulnerability
 
DoS Condition with Altigen VoIP Phone Systems
 
[BMSA-2011-01] Insecure secure cookie in web.go
 
prestashop vuln: sql injection submitted to [email protected]
 
Apple on Thursday gave us another sneak peek at what's in store for the next major release of Mac OS X, dubbed Lion, due out this summer. Between the iOS-inspired features we saw in the first Lion preview in October and the new features the company revealed today, it's clearer than ever that Apple isn't merely getting Back to the Mac. With Lion, Apple is getting back to basics, making significant changes and adding new features that are all focused on making the Mac easier to use and more accessible to both new and longtime users.
 
Etiquette by users of mobile devices keeps getting worse as use of the technology proliferates, a survey has found.
 
Oracle Java SE and Java for Business CVE-2010-4470 Remote Java Runtime Environment Vulnerability
 
Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability
 
Oracle Java SE and Java for Business CVE-2010-4450 Remote Java Runtime Environment Vulnerability
 
A Swiss court is considering a request from the country's data protection commissioner that Google should manually blur people's faces in its Street View imagery application rather than use automated technology.
 
After a few years in development, Intel formally unveiled its next-generation data transfer interconnect. The new Thunderbolt standard represents a shift in the underlying technology--and a potential shift in how we can do things down the road.
 
Nokia bypassed Google's Android and selected Windows Phone 7 as its primary smartphone operating system after Microsoft made a $1 billion-plus offer to partner with the Finnish company.
 
Walter Poole, complaining about recent writing habits, asked if it's possible to automate capitalization in Microsoft Word.
 
IT must industrialize infrastructure and operations -- and IT workers must be taught to abandon their love affair with complexity, says Forrester's Glenn O'Donnell. Consider these 10 pieces of advice on how to do it right.
 
Apple's Thursday release of a developer preview of Mac OS X Lion included a number of new features, but few were more surprising than the company's plans for OS Server. On Apple's Lion preview page, the company says:
 
CA Host-Based Intrusion Prevention System 'XMLSecDB' ActiveX Control Code Execution Vulnerability
 
Feb. 25, 2011: Apple iPad 2 to come next week, Motorola also courts the gadget geek
 
Google has made a significant change to its search engine that will push further down in its rankings websites that pilfer content from other places on the Internet or do not offer high-quality information, the company said in a blog post on Thursday.
 
Former CEO says 'Google today would be running on Solaris' if Sun had not mishandled its OS
 

The password is dead, long live ID
Infosecurity Magazine
GrIDsure, a vendor that bases its marketing around the concept of evolution of ID security, is frustrated by the 'state' of the infosec industry. “It's the only sector I can think of where 20 year old technology is still dominating the market”, ...

 
The Pwn2Own hacking competition returns next month with a record number of contestants looking to break Web browsers and smartphones.
 
We look at four video editing applications that offer high-level features combined with ease of use, along with video previews.
 
With the launch of CloudFormation, Amazon Web Services is hoping to make it easier for enterprises to put together stacks of applications and resources for its cloud computing service.
 
The social networking site LinkedIn has been blocked in China, a move that analysts say is tied to Chinese government efforts to suppress mention of a "Jasmine Revolution" on the Internet.
 
The U.S. agency that tracks complaints of criminal activity on the Internet reported Thursday that fewer people complained about Internet fraud in 2010 than in the previous year.
 
The company has invited developers to test out the upcoming Java upgrade, but some are balking at "draconian" licensing terms
 
phpMyAdmin Bookmark Security Bypass Vulnerability
 
Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.
 
Pidgin 'Libpurple' Cipher API Information Disclosure Vulnerability
 
 
InfoSec News: SLCERT - Army join to fight cyber war: http://print.dailymirror.lk/news/news/36661.html
By Lakna Paranamanna Daily Mirror 25 February 2011
The national centre for cyber security, Sri Lanka Computer Emergency Response Team (SLCERT) said that they are currently collaboratively working with the military forces to identify possible factors which could wage a cyber war against Sri Lanka.
SLCERT Senior Information Security Engineer Rohana Palliyaguru said that they are working together with the military forces on determining potentially harmful forces that are operating in cyberspace that have the possibility of waging a cyber-war against the country so that a mechanism could be formulated to prepare Sri Lanka against such attacks.
Mr. Palliyaguru, who also spoke of the rising issue of cyber crimes in Sri Lanka, said that most cyber crimes occur as a result of the lack of awareness and knowledge on the part of the victims. “There are certain necessary precautionary actions which cyberspace users should follow in order to protect themselves from cyber crimes. However, we realized that most of the crimes had occurred as a result of the lack of awareness of such protective measures,” he said.
 
InfoSec News: Secunia Weekly Summary - Issue: 2011-08: ========================================================================
The Secunia Weekly Advisory Summary 2011-02-17 - 2011-02-24
This week: 74 advisories [...]
 
 
PayPal has lifted a temporary restriction placed on the account of Courage to Resist, a group raising funds to support the legal defense of U.S. Army Pfc. Bradley Manning, who was arrested for allegedly downloading classified information and providing it to the WikiLeaks whistle-blowing website.
 

Posted by InfoSec News on Feb 24

http://www.orlandosentinel.com/news/crime/os-arrest-virus-whac-a-mole-20110224,0,6618031.story

By Gary Taylor
Orlando Sentinel
February 24, 2011

Whac-A-Mole seems like it could be endless fun.

Moles pop out of five holes in the arcade game and a soft mallet is used
to force them back into the holes to score points.

Children and adults alike could whack the moles for hours at a time.

Or at least they could until a worker programmed a virus...
 

Posted by InfoSec News on Feb 24

http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/229219381/security-firm-strikes-back-at-cenzic-patent-lawsuit-threat.html

By Kelly Jackson Higgins
Darkreading
Feb 24, 2011

Cenzic is back on the legal warpath with another patent infringement
lawsuit filed against a security company over Cenzic's patented "fault
injection methods" technology. But this time the target of the lawsuit
is...
 

Posted by InfoSec News on Feb 24

http://news.techworld.com/security/3262523/encrypted-usb-stick-glitch-led-to-council-data-loss/

By John E Dunn
Techworld
24 February 11

A council that used encrypted memory sticks has been handed a reprimand
from the Information Commissioner’s Office (ICO) after an employee’s
struggle to use the technology resulted in data being lost on an
unsecured replacement drive.

According to a release put out by the ICO, Cambridgeshire County...
 

Posted by InfoSec News on Feb 24

http://www.dailymail.co.uk/news/article-1359952/Burglar-posted-picture-stolen-laptop-owners-Facebook-pleads-guilty.html

By Daily Mail Reporter
24th February 2011

He didn't exactly stand much chance of getting away with it.

And yesterday the man described as 'the most stupid criminal ever', who
stole a laptop then posted a leering photo of himself on its owner's
Facebook page, pleaded guilty to burglary in Washington D.C.

Last December,...
 

Posted by InfoSec News on Feb 24

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

The Call for Papers for the 6th USENIX Workshop on Hot Topics in
Security is now available. Please submit all work by 11:59 p.m. EST
on May 5, 2011.

HotSec is renewing its focus by placing singular emphasis on new
security ideas and problems. Works reflecting incremental ideas or well
understood problems will not be accepted. Cross-discipline papers
identifying new security...
 


Posted by InfoSec News on Feb 24

========================================================================

The Secunia Weekly Advisory Summary
2011-02-17 - 2011-02-24

This week: 74 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 
Today Apple released a new set of MacBook Pros, sporting the first implementation of Thunderbolt, a new interconnect technology based on what Intel has so far called Light Peak. It promises 10 Gbit/s full-duplex connectivity to everything from storage to video devices. The technology is similar to FireWire (aka i.Link, IEEE 1394) in some ways. As with FireWire, multiple devices may be daisy-chained. However, if a DisplayPort display is used as part of the chain, the display has to be the last device in the chain.
One speculation put forward in an article in The Register [1] is that devices connected via Thunderbolt are not authenticated and, as with FireWire, have full bus access. This speculation is supported by the material published so far by Intel and Apple. As with FireWire, the bus would give an attached device direct access to RAM and possibly disks. As a result, a malicious device may be able to read RAM and disks without any authentication.
These attacks have been shown to work for FireWire, and have been used, for example, in memory forensics to extract memory content from live systems. However, with the larger variety of devices expected for Thunderbolt, it may be more of a threat. In particular, consider the scenario put forward in the article: connecting a laptop to a projector at a conference via DisplayPort. There is no telling whether, inside the projector, a second device sits in line waiting to extract memory from the attached laptop.
As mentioned in the title: At this point, I don't think anybody has had a chance to experiment with this yet, and I am not aware of any display link projectors. Actually almost all of the time at conferences I find good old VGA (not DVI or HDMI). But this may of course change in the future.
[1] http://www.theregister.co.uk/2011/02/24/thunderbolt_mac_threat/
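The diary describes the risk but, in 2011, offered no way to check a host for it. The following is an added example (not part of the ISC diary, and not code from Intel, Apple or The Register) that audits the two controls later Linux kernels provide against exactly this attack: the per-domain Thunderbolt security level exposed in sysfs (a level of "none" tunnels PCIe for any device the moment it is plugged in; "user", "secure", "dponly" and "usbonly" require explicit authorization or refuse PCIe tunnelling outright) and the presence of IOMMU groups, which confine DMA even from a device that has been authorized. It assumes the kernel's sysfs layout (`/sys/bus/thunderbolt/devices/domainN/security`, `<device>/authorized` and `<device>/device_name`, `/sys/kernel/iommu_groups`); the directory roots are parameters so the function can be exercised against the constructed tree built by `--demo` on a machine without Thunderbolt.

```shell
#!/bin/sh
# Added example: audit Thunderbolt DMA exposure on a Linux host.
# Assumes the kernel sysfs interface: domainN/security, <dev>/authorized,
# <dev>/device_name under /sys/bus/thunderbolt/devices, and
# /sys/kernel/iommu_groups. Returns 0 when both controls are in place,
# 1 when any domain hands out bus access unauthenticated or no IOMMU
# groups exist.
tb_audit() {
    tb_root="$1"        # normally /sys/bus/thunderbolt/devices
    iommu_root="$2"     # normally /sys/kernel/iommu_groups
    rc=0

    # 1. Per-domain security level. "none" reproduces the FireWire
    #    situation the diary warns about: any attached device gets PCIe.
    for dom in "$tb_root"/domain*; do
        [ -d "$dom" ] || continue
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        case "$level" in
            user|secure|dponly|usbonly)
                echo "$(basename "$dom"): security=$level" ;;
            *)
                echo "$(basename "$dom"): security=$level  <-- any plugged device gets PCIe/DMA access"
                rc=1 ;;
        esac
    done

    # 2. Per-device authorization state (informational): 0 = no PCIe
    #    tunnel, 1 = authorized, 2 = authorized with a stored key.
    for dev in "$tb_root"/*-*; do
        [ -f "$dev/authorized" ] || continue
        name=$(cat "$dev/device_name" 2>/dev/null || echo "?")
        auth=$(cat "$dev/authorized")
        case "$auth" in
            0) state="not authorized (no PCIe tunnel)" ;;
            1) state="authorized" ;;
            2) state="authorized with key" ;;
            *) state="unknown ($auth)" ;;
        esac
        echo "  $(basename "$dev"): $name: $state"
    done

    # 3. IOMMU: an authorized device is still a DMA master; without an
    #    IOMMU it can read all of RAM, not just its own buffers.
    if [ -d "$iommu_root" ] && [ -n "$(ls -A "$iommu_root" 2>/dev/null)" ]; then
        echo "iommu: enabled ($(ls "$iommu_root" | wc -l | tr -d ' ') groups)"
    else
        echo "iommu: no groups found  <-- DMA is not confined"
        rc=1
    fi
    return $rc
}

# Constructed sysfs tree (sample data, not captured from a real host) so the
# audit can be demonstrated anywhere: run with --demo.
if [ "${1-}" = "--demo" ]; then
    T=$(mktemp -d)
    mkdir -p "$T/tb/domain0" "$T/tb/0-0" "$T/tb/0-1" "$T/iommu"
    echo none > "$T/tb/domain0/security"
    echo 1 > "$T/tb/0-0/authorized"; echo "Host router" > "$T/tb/0-0/device_name"
    echo 1 > "$T/tb/0-1/authorized"; echo "Conference projector" > "$T/tb/0-1/device_name"
    echo "== before hardening =="; tb_audit "$T/tb" "$T/iommu" || echo "result: EXPOSED"
    echo user > "$T/tb/domain0/security"; mkdir -p "$T/iommu/0"
    echo "== after hardening =="; tb_audit "$T/tb" "$T/iommu" && echo "result: OK"
    rm -rf "$T"
fi
```

On a real host call `tb_audit /sys/bus/thunderbolt/devices /sys/kernel/iommu_groups`. A security level of "none" is set by firmware, not by the kernel, so the fix is in the platform's firmware setup; an empty `iommu_groups` usually means the IOMMU is disabled in firmware or not enabled on the kernel command line.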
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute
