InfoSec News

Sprint Nextel may offer developers information about subscribers' location and browsing behavior -- with an opt-in agreement -- so they can make mobile Web-based applications more relevant and useful to those users.
 
Google's Dalvik virtual machine, which runs Java applications in Android phones, is under fire again, this time in a lawsuit filed by Gemalto.
 
There's a lot to like in Apple's latest version of the MacBook Air, such as the smaller size, longer battery life and faster flash storage. Still, I was disappointed that the new MacBook Air uses the aging Core 2 Duo processor. The new Air even takes what looks like a step backwards in processor speeds, going from the standard 1.83GHz and 2.13GHz Core 2 Duo processors in the previous models to a wince-inducing 1.4GHz Core 2 Duo in the standard 11-inch models ($999 with 64GB of flash storage, $1199 with 128GB of flash storage) and 1.86GHz Core 2 Duo processors in the standard 13-inch model ($1299 with 128GB of flash storage and $1599 with 256GB of flash storage).
 
The Search Engine Security add-on for Firefox aims to thwart online attacks that start with fake search engine results, and end with a malware infection. This free add-on can help defend against "poison" Web sites--but it may alter benign pages as well.
 
The use of smaller hard drives, solid-state drives, thin provisioning and deduplication will lead to significant cost savings for data centers over the next four years, IDC said today.
 
Being online is making Americans feel more connected -- but they're actually seeing friends less often in person.
 
Enterprises now in the midst of migrating to Windows 7 are unlikely to repeat that same work in just two years with Windows 8, an analyst said today.
 
RETIRED: Zoki Catalog 'search_text' parameter SQL Injection Vulnerability
 
Market researcher iSuppli is projecting markedly slower growth in the computer chip business next year as economic worries continue.
 
A new Firefox add-on dubbed Firesheep lets 'pretty much anyone' scan a Wi-Fi network and hijack others' access to Facebook, Twitter and a host of other services, a security researcher warned today.
 
As Ray Ozzie prepares to leave Microsoft, he's offering a new five-year plan for the company that eschews the current PC-centric world, just as he made his mark five years ago issuing a call to arms away from software products toward cloud computing.
 
If you use Linux on your company's desktop or server computers, you're already familiar with many of the security advantages the open source operating system offers over its Windows and Mac rivals. What many people don't realize, however, is that Linux can also be used to rescue a computer that has been crippled by malware.
 
Once you've determined that you're eligible to take the Project Management Institute's (PMI) exam toward PMP certification, your next step is to fill out and submit the application.
 
IBM is rolling out a major update to its Cognos BI platform that includes new features for collaboration, statistical analysis and mobile devices like the Apple iPad.
 
Oracle MySQL 'HANDLER' interface Denial Of Service Vulnerability
 
Oracle MySQL 'LOAD DATA INFILE' Denial Of Service Vulnerability
 
[USN-959-2] PAM vulnerability
 
PAM MOTD Module Local Privilege Escalation Vulnerability
 
PostgreSQL PL/Perl and PL/Tcl Local Privilege Escalation Vulnerability
 
As you've been going through this exercise (http://isc.sans.edu/diary.html?storyid=9664, http://isc.sans.edu/diary.html?storyid=9712, http://isc.sans.edu/diary.html?storyid=9778) you have certainly run into the issue of bad WHOIS contact information, and have likely had bad/no response from the abuse contacts. Hasn't that been frustrating?
Today we put the shoe on the other foot, and take steps to make sure that others don't suffer from our own WHOIS records and abuse-handling processes.
Look up your own net-block(s). Do you have an abuse contact defined? Are the email addresses AND the phone numbers appropriate? If someone sends an email to your abuse address will it be read by a human? If someone calls the phone number will they be able to reach a security/computer person?
Are you RFC 2142 (http://www.ietf.org/rfc/rfc2142.txt) compliant? Most aren't fully compliant (for example I don't think we use [email protected])
I just did a quick audit myself. Through mergers and acquisitions we have a handful of net-blocks. They don't all point to the same domains, but they all have abuse contact records and the owner block is correct. We also route all [email protected]* to the same work-flow. So, I would consider that a pass. On the other hand, the phone numbers all reach the main switchboard. Getting routed to the right security contact was challenging, so I would recommend that we update that number. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
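The self-audit the diary describes can be scripted. The following is an added example, not ISC's code: it parses WHOIS output in the two common key/value styles (ARIN's OrgAbuse* fields and RIPE/APNIC-style objects with abuse-mailbox), reports a net-block whose record has no abuse email or phone, flags an abuse phone that is really the main switchboard, and lists which RFC 2142 mailboxes a domain does not have. The records, the domains example.com/example.net and the phone numbers are constructed sample data, and which numbers count as "switchboard" is an assumption you supply from your own directory.

```python
"""Audit net-block WHOIS records for usable abuse contacts and RFC 2142 mailbox coverage.

Added example (not ISC code). All records below are constructed samples so the
script runs offline; in practice feed it the output of `whois <netblock>`.
"""
import re

# Mailbox names RFC 2142 reserves for abuse/security and operational contact.
RFC2142_MAILBOXES = ("abuse", "noc", "security", "postmaster", "hostmaster", "webmaster")

# Keys carrying the abuse contact in ARIN (OrgAbuse*) and RIPE/APNIC (role object) output.
ABUSE_EMAIL_KEYS = ("orgabuseemail", "abuse-mailbox", "e-mail")
ABUSE_PHONE_KEYS = ("orgabusephone", "phone")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def split_objects(text):
    """Split WHOIS text into objects: blank-line separated blocks of 'key: value' lines.

    Comment lines ('#' for ARIN, '%' for RIPE) end the current object like a blank line.
    Keys are lower-cased; repeated keys accumulate into a list.
    """
    objects, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("#", "%")):
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def normalize_phone(number):
    """Keep digits only so '+1-555-0100' and '+1 555 0100' compare equal."""
    return re.sub(r"\D", "", number)


def audit_netblock(whois_text, switchboard_numbers=()):
    """Return (passed, findings) for one net-block record.

    switchboard_numbers: phone numbers known to reach only a general switchboard
    (assumed input); an abuse contact pointing there is reported as a finding.
    """
    emails, phones = [], []
    for obj in split_objects(whois_text):
        # Only objects that actually carry an abuse contact are inspected, so a
        # RIPE admin-c/tech-c role object does not masquerade as the abuse contact.
        if not ("orgabuseemail" in obj or "abuse-mailbox" in obj):
            continue
        for key in ABUSE_EMAIL_KEYS:
            emails.extend(obj.get(key, []))
        for key in ABUSE_PHONE_KEYS:
            phones.extend(obj.get(key, []))

    findings = []
    if not emails:
        findings.append("no abuse email address in record")
    if not phones:
        findings.append("no abuse phone number in record")
    for email in emails:
        if not EMAIL_RE.match(email):
            findings.append(f"malformed abuse email {email!r}")
    switchboard = {normalize_phone(n) for n in switchboard_numbers}
    for phone in phones:
        if normalize_phone(phone) in switchboard:
            findings.append(f"abuse phone {phone} reaches the main switchboard, not a security contact")
    return (not findings, findings)


def rfc2142_gaps(domain, configured_mailboxes):
    """Return the RFC 2142 mailboxes at `domain` missing from `configured_mailboxes`."""
    configured = {m.lower() for m in configured_mailboxes}
    return [f"{name}@{domain}" for name in RFC2142_MAILBOXES
            if f"{name}@{domain}" not in configured]


# Constructed sample records (documentation address ranges, fictitious contacts).
ARIN_RECORD = """\
# ARIN-style output, constructed sample
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Corp
OrgAbuseHandle: EXAMP-ARIN
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@example.com
"""

RIPE_RECORD = """\
% RIPE-style output, constructed sample
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-c:        AR0000-RIPE

role:           Example Abuse Role
nic-hdl:        AR0000-RIPE
phone:          +44 20 5550 0100
abuse-mailbox:  abuse@example.net
"""

LEGACY_RECORD = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        LEGACY-NET
descr:          block acquired in a merger; contacts never updated
"""

if __name__ == "__main__":
    for name, record in (("ARIN", ARIN_RECORD), ("RIPE", RIPE_RECORD), ("LEGACY", LEGACY_RECORD)):
        print(name, audit_netblock(record, switchboard_numbers=["+44 20 5550 0100"]))
    print(rfc2142_gaps("example.com", ["abuse@example.com", "postmaster@example.com"]))
```

The phone check only catches numbers you already know are the switchboard; whether a human reads the abuse mailbox still has to be tested by sending a message to it, as the diary suggests.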
 
A panoply of emerging cloud services is offering IT executives alternatives to things like in-house ERP deployments and the need to hire consultants to solve data integration problems. But CIOs say they are moving slowly to avoid potential security and legal problems.
 
We asked, and you answered. As our thank-you, here are two of our signature research pieces for you to download and share among friends and colleagues.
 
Computerworld, working with sister publications CIO, CSO, InfoWorld, ITworld and Network World, is rolling out its Insider content program.
 
The most interesting cloud computing I saw this week was the announcement that the General Services Administration (GSA) has awarded 11 companies the opportunity to participate in the apps.gov portal, offering IaaS services.
 
IT folks frequently grumble about their lack of influence, but seem just as often to back away from the conversations that result in decisions and policy.
 
Oracle Java SE and Java for Business CVE-2010-3561 Remote CORBA Vulnerability
 
Oracle Java SE and Java for Business CVE-2010-3550 Remote Java Web Start Vulnerability
 
The next version of Canonical's Ubuntu will use Unity as its desktop shell, rather than the presently used Gnome.
 
Misclassifying a computer professional as an independent contractor, as opposed to an employee, can lead to severe IRS legal penalties and fees.
 
Adobe Acrobat and Reader CVE-2010-2890 Remote Memory Corruption Vulnerability
 
Adobe Acrobat and Reader for Mac CVE-2010-3624 Remote Code Execution Vulnerability
 
Adobe Acrobat and Reader 'ACE.dll' ICC Streams Remote Memory Corruption Vulnerability
 
Adobe Acrobat and Reader CVE-2010-3620 Remote Code Execution Vulnerability
 
Sprint announced that it will start selling Samsung's Galaxy Pad tablet for $400 with a two-year contract, and acknowledged it will be priced at $600 with no contract.
 
I hate to blame the victim, but people who inadvertently gave up personal data to Google's Street View cameras were really asking for trouble.
 
Warehouse workers using IBM Maximo can now approve workflow items from their handheld devices
 
Adobe Shockwave Player Director rcsL Chunk Remote Memory Corruption Vulnerability
 
Microsoft IIS Request Header Buffer Overflow Vulnerability
 
phpCAS Service Ticket Validation Session Hijacking Vulnerability
 
phpCAS Proxy Mode Multiple Security Vulnerabilities
 
A company that compiles profiles of Internet users for targeted advertising said it is no longer passing user identifiers used by Facebook and MySpace to advertising networks due to privacy concerns.
 
Former Oracle co-president Charles Phillips emerged as CEO of ERP software vendor Infor on Monday, about six weeks after he was replaced at Oracle by former Hewlett-Packard CEO Mark Hurd.
 
The price and availability for Dell's Venue Pro smartphone has leaked on Amazon's U.K. Web site ahead of its official launch.
 
Seagate and Iomega have announced new high-capacity portable drives; both support the USB SuperSpeed protocol.
 
Lee asked the Answer Line forum how to increase the number of Windows System Restore points.
 
Microsoft's Games for Windows brand undergoes its latest makeover on November 15, but it's already had several, none of which culminated in the successes of its console analogue. Games for Windows simply feels emasculated next to Xbox Live, and it's an even tougher comparison when you look at the other Windows gaming storefronts.
 
Aardvark Topsite XSS vulnerability
 
How Visual Studio Makes Your Applications Vulnerable to Binary Planting
 
Re: MULTIPLE REMOTE SQL INJECTION VULNERABILITIES---MIM:InfiniX v1.2.003--->
 
We assessed Cisco's FabricPath technology with tests in five areas: with 16 redundant paths; with 16 links per redundant path; with load-balancing of multicast traffic across redundant links; with removal or addition of one device in the switching fabric to determine convergence time; and with management by Cisco’s Data Center Network Manager (DCNM) platform.
 
Cisco has three words for network architects looking to grow their data centers: Faster. Flatter. Simpler.
 
With the introduction of InMarket, which will allow developers to upload their applications once and sell them across many online stores, Adobe Systems hopes to grab a share of revenue for applications downloaded to smartphones and tablets, the company said on Monday.
 
China Unicom is launching a new online app store as more mobile carriers and handset manufacturers look to cash in on China's app market.
 
Network World this week launches the beta release of a premium online program called Insider that will give you access to exclusive articles and new functions on NetworkWorld.com and sister sites in the IDG Enterprise family, including CIO.com, Computerworld.com, CSO.com, InfoWorld.com and ITworld.com.
 
InfoWorld's Windows expert teaches the key features -- fast -- for users and admins, and provides a free Windows 7 QuickStart PDF guide
 
An architectural approach for savvy enterprise adoption of public cloud computing
 
From Ruby to Erlang, once-niche programming languages are gaining converts in today's enterprise.
 
A dozen nitty gritty tools and technologies that cut energy costs, boost data center efficiency and promote green IT practices.
 
So I'm on MSN.com last week and among the headline links being touted as "Must See" is one asking the provocative question: "Is your computer possessed?"
 
IPv6 security myths
 
[ MDVSA-2010:212 ] glibc
 
[USN-1008-3] libvirt update
 
[USN-1009-1] GNU C Library vulnerabilities
 
Wi-Fi Direct officially became a concrete technology today with several new laptop components certified by the Wi-Fi Alliance.
 
A group of malicious hackers who attacked Twitter and the Chinese search engine Baidu are also apparently running a for-rent botnet, according to new research.
 
Adobe has released version 2.5 of its Air runtime environment, which will be used to develop applications for Research In Motion's (RIM) upcoming tablet PlayBook, Adobe and RIM said on Monday at the MAX conference in Los Angeles.
 
Google, Apple and other major vendors are moving to dismiss charges that each has infringed on patents held by a company owned by Microsoft co-founder Paul Allen.
 
phpMyAdmin Configuration File PHP Code Injection Vulnerability
 
There are a number of technology trends that IT execs must be ready for, but one that's expected to require action sooner than the rest will be the need to migrate off of Windows XP and Office 2003.
 
Indian outsourcers are reporting strong financial results as customers place orders that had been shelved by the recession.
 
Hackers using the Zeus malware are now asking victims to name their employers, which could lead to corporate espionage, a security researcher says.
 
Gartner estimates that outdated software like IE6 has created a 'global IT debt' of $500 billion. But IT shops are likely to walk away from that debt and keep running IE6-dependent Web tools and other old apps until they can be replaced with new software based on whatever hot new paradigm comes along.
 
An interview with Robin Beck, the vice president for information systems and computing at the University of Pennsylvania. Her challenges include the security issues involved with safeguarding data in a collaborative and mobile culture.
 
A new banking company in the U.K. -- focused on providing superior customer service -- relies on a totally outsourced IT infrastructure.
 
Companies seeking more collaboration should assess employees' information workflows -- perhaps using the skills of a corporate anthropologist -- before selecting technologies.
 
Body language could make all the difference at a job interview.
 
The rescue of 33 miners in Chile was an uplifting and memorable moment that Chile hopes will translate into more outsourcing business.
 
phpMyAdmin Multiple Cross Site Scripting Vulnerabilities
 
GNU glibc Dynamic Linker 'LD_AUDIT' Local Privilege Escalation Vulnerability
 
DBHcms 'editmenu' Parameter SQL Injection Vulnerability
 