InfoSec News

Twitter was blocked in Egypt on Tuesday as the country witnessed a large protest against the rule of President Hosni Mubarak.
 
If you're looking to buy a dedicated GPS navigation device, you'll quickly discover that every manufacturer offers an almost dizzying array of products--each with slightly different features. The challenge, then, is to determine which features are must-haves and which would just be nice to have.
 
Barack Obama focuses on innovation and education in his State of the Union address.
 
In a mature market such as that for personal navigation devices, it's difficult to come up with unique features that differentiate a new product from the competition. But Magellan has done just that with the Magellan RoadMate 3065 ($150, price as of December 22, 2010). The RoadMate 3065 is designed specifically for business travelers and commuters.
 
The U.S. Department of Justice and an organization representing police chiefs from around the country renewed calls on Tuesday for legislation mandating Internet Service Providers (ISP) to retain certain customer usage data for up to two years.
 
WebKit Text Editing Use After Free Memory Corruption Vulnerability
 
WebKit CSS Token Sequences Handling Denial of Service Vulnerability
 
Webkit History Feature Address Bar URI Spoofing Vulnerability
 
WebKit Large Text Area (CVE-2010-4198) Denial of Service Vulnerability
 
Google has scooped up SayNow, a company with a platform that enables social voice applications.
 
Oracle has nominated Brazilian user group SouJava to fill the vacancy left by the Apache Software Foundation on the Java SE/EE executive committee.
 
Intel and IBM will soon provide details of their latest high-end server processors, which may contain cutting-edge technologies that could ultimately be found in future PC and server chips.
 
Yahoo's revenue fell but profits grew in its fourth quarter, results which the company described as "encouraging" and as fueling a turnaround momentum.
 
WebKit Regular Expression Handling Remote Memory Corruption Vulnerability
 
Python 'rgbimg' Module 'rv' Array Buffer Overflow Vulnerability
 
Technology that would let consumers pay for goods with their iPhones and iPads would allow Apple to jump-start micro-payments and reduce the transaction fees it pays, an analyst said today.
 
The FCC sets LTE as the standard for a nationwide mobile broadband network for public safety agencies.
 
Surging revenue from storage, security and virtualization brought record financial results at EMC in the fourth quarter, the company reported.
 
In a negative prelude to its fourth-quarter earnings report due later on Tuesday, Yahoo confirmed it is cutting 1% of its global staff, or about 140 employees.
 
Wireshark 0.8.20 through 1.2.8 Multiple Vulnerabilities
 
Wireshark 0.10.8 to 1.0.14 and 1.2.0 to 1.2.9 Multiple Vulnerabilities
 
Verizon will retain its $30 monthly fee for unlimited data when the iPhone 4 launches in two weeks, the company confirmed today.
 
Some of the new Android tablets are priced near that of laptops. But developers are betting on Android to create a mass market for their apps. Will prices drop on the tablets people want?
 
GFI (formerly Sunbelt) Vipre Antivirus 2011 ($30 for one year, one PC, as of 12/18/2010) finishes tenth in our roundup of 2011 paid antivirus software. Vipre is the epitome of the expression "mixed bag." It detected known malware well, cleaned up after infections competently, and it's reasonably speedy. But its design is cluttered, and it struggled mightily at stopping brand new malware.
 
If you haven't bought a new version of your antivirus software in a couple of years, now may be a good time to do so. Malware is evolving faster than ever, and the latest generation of antivirus software is better equipped to handle this rapid pace of change. If your antivirus software is a few years old, it may not be able to defend against this onslaught effectively, even if you faithfully download new virus definitions. In recent years, the technology that powers antivirus software has changed dramatically: An antivirus package you purchased a few years ago may be able to stop known viruses and other known malware, but brand-new, as-yet unknown viruses can be more dangerous, and newer products do a much better job of stopping them.
 
The White House will be using Web 2.0 technology to reach out to Americans during and after the president's State of the Union address tonight.
 
Oracle Java SE and Java for Business CVE-2010-3555 Remote ActiveX Plug-in Vulnerability
 
Oracle Java SE and Java for Business CVE-2010-3559 HeadspaceSoundbank.nGetName Vulnerability
 
Oracle is hoping to make new inroads against Microsoft's SharePoint with WebCenter Suite 11g, which was announced Tuesday.
 
Verizon Wireless increased subscribers to 94.1 million in the fourth quarter, up from 93.2 million in the third quarter, a small increase that shows how saturated the U.S. wireless market has become even for the top wireless player.
 
Oracle Document Capture NCSECWLib ActiveX Control Remote Vulnerabilities
 
Cybercriminals are resorting to new sales tactics to remain viable in an increasingly competitive environment, according to a new report.

 

Updates to Free Computer Security guidance notes released by Certified Digital ...
PRLog.Org (press release)
Previously launched at InfoSec 2010; the latest version (four) makes it even easier for small and medium enterprises (SMEs) to implement progressive IT ...

 
[DSECRG-11-008] Open Edge RDBMS - Multiple architecture vulnerabilities (UNPATCHED)
 
A poll of some 2,200 developers found rapidly growing interest in developing applications for Android-based tablets.
 
 
[DSECRG-11-007] Oracle Document Capture ImportBodyText - read files
 
[DSECRG-11-006] Oracle Document Capture ActiveX - Insecure method, buffer overflow
 
[DSECRG-11-005] Oracle Document Capture empop3.dll - insecure method
 
[DSECRG-00153] Oracle Document Capture Actbar2.ocx - insecure method
 
Panda Antivirus Pro 2011 ($50 for one year, 3 PCs as of 12/18/2010) does a lot right: It proved to be effective at detecting, blocking, and disinfecting malware, but some speed issues bring its rank down to seventh in a tightly packed race.
 
MicroStrategy will announce a series of new BI products for Apple mobile devices, transactional data systems and on-demand deployments at its annual user conference on Tuesday in Las Vegas.
 
Replacing CEO Eric Schmidt with co-founder Larry Page may be an attempt to return to its fleet-footed youth.
 
Verizon's revenue is down slightly in the fourth quarter of 2010, with the drop due to a sell-off of telephone lines in rural states.
 
Trend Micro Titanium Antivirus Plus 2011 ($60 for 1 year, 3 PCs as of 12/15/2010) finished fifth in our roundup of 2011 antivirus products. It's simple--some may say too simple--and easy to use, and it did a reasonably good job at blocking malware.
 
Eset NOD32 Antivirus ($72 for 1 year, 3 PCs as of 12/22/2010) finishes ninth in our roundup of 2011 antivirus software. It does a reasonable job at blocking brand new attacks and it's fast, but it has trouble detecting known malware and cleaning up infections, which makes it tough to recommend.
 
Bugzilla Multiple Vulnerabilities
 
The popularity of Apple iPhone and Google Android mobile devices could put them at risk of falling in the crosshairs of cybercriminals.

 
One of the challenges faced in the IT industry is to break poorly conceived or mistaken preconceptions held by others. What happens when we're the ones holding on to outdated ideas or are just wrong, as technology has taken another huge leap forward and we're left standing clutching on to something that's now ineffective?
I have been reviewing some documentation I wrote three years ago and at a glance it appeared to be valid, using correct assumptions and only needing minor tweaks to bring it up to date.
John, an ISC reader, emailed in a great comment from a discussion about best practices he was involved in re-enforcing this. Smart people in that room brought out timeless best practice statements such as:

'Logs should be stored separate from the application to prevent out of control logs from filling up the system and causing other components to crash.'
All of which makes perfect sense from a best practice point of view, and I follow this principle for many of the systems I install and manage. Let's attempt to see if this best practice statement is still valid by asking some simple questions:

Why are we creating logs in the first place?
Who looks at them?
Do the right people have access to the logs?
Are they of any use?
Is there any need to archive them or can they be deleted after x amount of time?
Are we asking the right people about the logs in the first place?

It may come out that having 300 GB of logs, that are on their own fast RAID-ed disks and are backed up nightly, is a huge waste of time, money and resources, as no one ever looks at, uses or knows what to do with them. Having only a week's worth of logs, taking up 10MB of disk, used only for possible troubleshooting might be the best solution.
So going back to my documentation, I took a hard look at what I'd written. Almost immediately I found I'd fallen in to the generic best practice assumptions pit. They were good at the time, but not now, given the way the business, processes and technology had changed. Needless to say the quick document update stretched in to a number of hours of re-writes, only after talking to various people on a string of questions I need to address. Once the documents had been peer reviewed, signed off and finally uploaded, I added an entry in to my diary to take time to review and, if necessary, amend these documents six months from now.
Do you apply a review process to security policies, procedures, documents and best practices to ensure they still meet the measures and metrics that make them still relevant, meaningful and fit current business needs?
How can you ensure that you're not clinging to best practices or policies that are well past their sell by date?
Can you share any pearls of wisdom to help others avoid automatic adoptions of reasonable sounding, yet poorly thought out, best practices?

Chris Mohan --- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
PivotX 'module_image.php' Cross Site Scripting Vulnerability
 
Taiwan’s largest computer memory chipmaker on Tuesday forecast a jump in demand for its components in the second quarter, heralding all-but-certain DRAM price hikes.
 
Apple's Mac App Store is only the latest effort to make finding, downloading and installing software on your computer as easy as it is on your smartphone. Are branded app stores the wave of the future for all software distribution?
 
Apple iPad remains the top tablet targeted by app builders in survey
 
Germany is stopping short of legal action against Facebook after reaching a 14-point agreement on Monday over how the site handles data from non-Facebook users.
 
The Federal Financial Institutions Examination Council (FFIEC) could soon release new guidelines for banks to use when authenticating users to online banking transactions.
 
Hewlett-Packard said it will launch its latest cloud offering next month, a service designed for large organizations.
 
Microsoft's free and easy Web development tool for noncoders has some nice features, as well as irksome shortcomings
 
[email protected] 'url' Parameter Cross Site Scripting Vulnerability
 
Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption Vulnerability
 
PHPCMS 'index.php' SQL Injection Vulnerability
 

Barclay Simpson releases information security market report and salary survey ...
SourceWire (press release)
The report includes a detailed salary survey and covers economic trends together with the infosec environment to determine the prospects for those working ...

 
InfoSec News: Microsoft Windows guru turns to cybercrime (fiction): http://www.theregister.co.uk/2011/01/24/russovich_novel/
By Gavin Clarke in San Francisco The Register 24th January 2011
One of Microsoft's top Windows gurus and author of books and tools for securely coding Windows has embraced fiction with a debut tackling international cyber crime. [...]
 
InfoSec News: Hackers Get Access to New Jersey School Data System: http://www.pcworld.com/businesscenter/article/217601/hackers_get_access_to_new_jersey_school_data_system.html
By Robert McMillan IDG News Jan 24, 2011
Users of the 4chan online message board managed to get access to the online student information system used by a New Jersey school district [...]
 
InfoSec News: White House doesn't shine in cybersecurity grading: http://fcw.com/articles/2011/01/24/white-house-graded-on-cybersecurity.aspx
By Alyah Khan FCW.com Jan 24, 2011
The Obama administration has received less-than-stellar marks in a recent report card on its cybersecurity policies, earning grades in the B to D range. [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, January 16, 2011: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, January 16, 2011
0 Incidents Added.
======================================================================== [...]
 
InfoSec News: Is retaliation the answer to cyber attacks?: Forwarded from: security curmudgeon <jericho (at) attrition.org>
Oh jeez.. didn't this silly notion out ten years ago?
: http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html
: "We want to strike back. We want to exploit his network," said Oudot. [...]
 
InfoSec News: Active 'Darkness' DDoS Botnet's Tool Now Available For Free: http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/229100144/active-darkness-ddos-botnet-s-tool-now-available-for-free.html
By Kelly Jackson Higgins Darkreading Jan 24, 2011
A free version of a fast-growing and relatively efficient DDoS botnet [...]
 

Posted by InfoSec News on Jan 24

Forwarded from: security curmudgeon <jericho (at) attrition.org>

Oh jeez.. didn't this silly notion out ten years ago?

: http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html

: "We want to strike back. We want to exploit his network," said Oudot.
: You want statistics and logs related to the attacker, and it might be
: the idea of attacking ZeuS or SpyEye or even a state-sponsored
: attacker....
 

Posted by InfoSec News on Jan 24

http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/229100144/active-darkness-ddos-botnet-s-tool-now-available-for-free.html

By Kelly Jackson Higgins
Darkreading
Jan 24, 2011

A free version of a fast-growing and relatively efficient DDoS botnet
tool has been unleashed in the underground. The so-called Darkness
botnet is best known for doing more damage with less -- its creators
boasting that it can take down an...
 

Posted by InfoSec News on Jan 24

http://www.theregister.co.uk/2011/01/24/russovich_novel/

By Gavin Clarke in San Francisco
The Register
24th January 2011

One of Microsoft's top Windows gurus and author of books and tools for
securely coding Windows has embraced fiction with a debut tackling
international cyber crime.

Platform and Services Division technical fellow Mark Russinovich has
delivered a Die-Hard-4-style novel called Zero Day [1].

It tells the story of...
 

Posted by InfoSec News on Jan 24

http://www.pcworld.com/businesscenter/article/217601/hackers_get_access_to_new_jersey_school_data_system.html

By Robert McMillan
IDG News
Jan 24, 2011

Users of the 4chan online message board managed to get access to the
online student information system used by a New Jersey school district
after the school's administrative password was posted to 4chan last
week.

The problem started last Tuesday, according to the Plainfield Board of...
 

Posted by InfoSec News on Jan 24

http://fcw.com/articles/2011/01/24/white-house-graded-on-cybersecurity.aspx

By Alyah Khan
FCW.com
Jan 24, 2011

The Obama administration has received less-than-stellar marks in a
recent report card on its cybersecurity policies, earning grades in the
B to D range.

The National Security Cyberspace Institute examined the administration’s
record of cybersecurity accomplishments in a white paper published Jan.
18.

NSCI awarded grades for...
 

Posted by InfoSec News on Jan 24

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, January 16, 2011

0 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 
Hitachi announced its highest density enterprise-class 3.5-in drive, the Ultrastar 7K3000, which comes with SATA or SAS interfaces and can store up to 3TB of data.
 
Cisco announced that it has added a hosted backup service to its entry-level, desktop disk storage arrays, giving users the ability to automate data backups both locally and in the cloud.
 

