InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Former Sun boss Scott McNealy sided with Oracle on Thursday in its dispute with Google over Android, testifying in court that companies needed a license to use Sun's Java programming interfaces.
Oracle's April Critical Patch Update listed a vulnerability in the TNS Listener service as one of the patched vulnerabilities. Sadly, it turns out that current versions of Oracle are not patched. Instead, the vulnerability will apparently only be fixed in future versions of the Oracle database. According to a statement from Oracle quoted by the discoverer of the vulnerability, the fix could have had stability issues for current versions of Oracle. [1]
The vulnerability was responsibly reported to Oracle back in 2008. Upon release of the April CPU, Joxean Koret, who originally found the vulnerability, came forward with additional details, including a proof-of-concept exploit, fully expecting that a patch was now available.
So in short: we have an unpatched remote code execution vulnerability in all current versions of Oracle, with proof-of-concept exploit code public.
Joxean's details published after the CPU release also include some useful workarounds [2]. Please refer to the post for details.



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

The U.S. House of Representatives has passed a cyberthreat information-sharing bill that critics say will give U.S. government agencies access to the private communications of millions of Internet users.
Britain's Information Commissioner's Office has discovered that more than one in every 10 secondhand hard drives contains recoverable personal information of the original owner.
The U.S. Federal Trade Commission has hired an outside litigator to lead its antitrust investigation of Google, a possible sign that the FTC is preparing to file a lawsuit against the search and advertising giant.
FBI tracks down Higinio Ochoa using geo-tagged photos
Google plans to move ahead with its self-driving car technology and hopes to get a hand from the folks in Detroit.
Twitter released updated iPhone and Android apps Thursday that make it easier for users to search and find new information.
U.S. Rep. Zoe Lofgren isn't giving up on a bill to give green cards to advanced degree graduates in technical fields, but she has been unable to find any Republican backing for it.
Since late last year, Google has been using an industrial-strength testing system to identify, analyze and fix security holes in its Chrome browser, helping it significantly cut down on the number of vulnerabilities that slip through to the most recent version of the product in production.
When Apple CEO Tim Cook dissed the whole idea of hybrid mobile computers, he may have been showing unease about the rise of laptop/tablet hybrids.
Gigabit-speed wireless LAN equipment that uses the emerging IEEE 802.11ac standard is about to hit the market, with Netgear saying it will start shipping a consumer 802.11ac router in May for a starting list price of $199.99.
Android device activations have skyrocketed lately, and now average around 850,000 a day. That's quite a leap from the first quarter of 2010, when Android activations were averaging a mere 65,000 per day. Android is currently the most popular mobile operating system in the world: research firm Gartner reported late last year that Android devices accounted for more than half of all smartphones sold worldwide in the third quarter of 2011.
Microsoft yesterday re-released Office for Mac 2011 Service Pack 2 (SP2) after fixing a bug that wormed into the original update.
DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal
DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal
Apple's dominance over Android in the corporate tablet market grew in the first quarter, according to a survey from mobile device management and wireless email vendor Good Technology.
Ive won by a large margin with almost fifty per cent of the vote (46.6%). In second place was Sir Tim Berners-Lee (inventor of the world wide web) with 18.8 per cent of the vote.
The other day I detailed how I recovered my Office 2011 apps after installing Microsoft's ill-conceived Office 2011 SP2 update. A few days later, Microsoft pulled the update. Now Microsoft has released an update to that update in the form of the Microsoft Office for Mac 2011 14.2.1 update.
A new book reveals a fresh insight into Steve Jobs' mind, and how his obsession with simplicity drove Apple to success. Anecdotes from 'Insanely Simple' include Jobs' Willy Wonka competition idea, and his dislike for the iPod's silhouette ad campaign.
Intel researchers hope the cloud will provide a new model to deliver accurate information about the quality of air and weather within meters of where a user is standing, which could ultimately help improve the quality of life.
For all the apprehension they may bring, public clouds demand a position in the enterprise IT strategy. CIO.com columnist Bernard Golden explains how CIOs and business leaders can make their peace with the public cloud, and how it's not incompatible with the much-revered private cloud.
Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL attack, according to a report by the Trustworthy Internet Movement (TIM), a nonprofit organization that tries to solve Internet security, privacy and reliability problems.
The long-suppressed Conficker botnet is still actively infecting millions of new machines, giving Windows enterprise users a two-and-a-half-year headache.
[security bulletin] HPSBPI02728 SSRT100692 rev.6 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
PHP Volunteer Management 'id' 1.0.2 Multiple Vulnerabilities
Re: The history of a -probably- 13 years old Oracle bug: TNS Poison
Oracle TNS Poison vulnerability is actually a 0day with no patch available


Infosec: Workplace Facebook bans are a waste of time
By Caroline Donnelly, 26 Apr 2012 at 18:02. Web security vendor Barracuda Networks claims banning staff from using social networking sites still exposes firms to risks. IT departments that try to ban employees from accessing social networking sites for ...
Babelverse, a service designed to enable users to directly contact a human translator anytime, anywhere, opened a public beta of their service in Amsterdam on Thursday.
RETIRED: vtiger CRM 'module_name' Parameter Local File Include Vulnerability

Information Week [1] is running a piece on FDA checks of medical hardware. After some review, a NIST [2] paper quickly jumped into my head and memories of past experiences washed forward. After emailing our handlers alias, it seems that a few of us have some direct experience in this matter.
To plug the Critical Controls [3]: just about all of them apply, but to highlight two:
CC3: Secure Configuration for Hardware and Software [4]
CC5: Malware Defense [5]
To patch the Windows Embedded critical life-saving device, or not to patch?
Horror story: a report of a fetal monitor crashing, along with event correlation tracking a malware-infected device on the same subnet. It turned out that the fetal monitor had been infected with malware; fortunately it was not in use.
Another interesting confidence builder: your IV pump is infected, but don't worry, it can't infect any of the *other* patient equipment ...
There are some clear root causes to the above scenarios, and something that is accelerating this is network convergence along with Bring Your Own Device programs. As most things are transported over Ethernet [6], networks quickly converge as a cost-saving measure. It becomes more of a challenge to perform proper network segmentation and traffic separation when you converge N services plus X unmanaged devices.
Something we are observing more often is Physical Infrastructure Security systems (e.g. Building Management, wireless door lock systems, camera infrastructure, etc.) being converged onto Ethernet networks that also host data services to users.
We have seen networks that converge voice (VoIP), video, data and iSCSI [7], and I can tell you that, let alone providing quality of service, it can become a high-management-overhead process to perform network segmentation. The issue arises when cost savings cause decision makers to accept the risk of converged networks, sometimes without fully understanding said risks.
Now, some things we can do in the short term:
- Make complaints to your local or state authority (here in the U.S. that's the FDA [8]). Although this diary is U.S.-centric, it is fairly safe to go down the Slippery Slope [9] and say that a parity of this issue exists in most modern medical institutions.
- Understand what is on your network, apply the Critical Controls, and segment critical infrastructure to mitigate and reduce risk.
- Introduce segmentation controls like Private VLANs [10], firewalls for traffic separation, and access control lists [11] to restrict device communication.

As the cost savings of Ethernet drive network convergence, we have to take low-level measures to reduce risk. Remember, a VLAN is not secure traffic separation but only a logical traffic separation measure! It's like saying NAT [12] is a security protocol...

Richard Porter
--- ISC Handler On Duty
Keeping the watch from 35,000 Feet, with In-Flight Wifi on US Flight 1507

[1] http://www.informationweek.com/news/healthcare/security-privacy/232900818
[2] http://csrc.nist.gov/news_events/cps-workshop/cps-workshop_abstract-1_gupta.pdf
[3] http://www.sans.org/critical-security-controls/
[4] http://www.sans.org/cag/control/3.php
[5] http://www.sans.org/cag/control/5.php
[6] http://www.ieee802.org/3/
[7] http://tools.ietf.org/html/rfc3720
[8] http://www.fda.gov/
[9] http://en.wikipedia.org/wiki/List_of_fallacies
[10] http://en.wikipedia.org/wiki/Private_VLAN
[11] http://en.wikipedia.org/wiki/Access_control_list

Scott Carl, CIO of Parsons, an engineering and construction company with more than 11,500 employees, knew he needed the right tools to help new employees integrate into the company and facilitate collaboration among existing staff--particularly recent college grads. "As we hire them, we have to help them form a personal relationship with whomever has the answers for them," he says.
The 800-pound gorilla has landed and is leveraging its existing relationship with hundreds of millions of users to port them to their cloud storage and file sharing service Google Drive. Can smaller cloud storage players survive this assault?
Reports indicate that the first BlackBerry 10 smartphone will be announced by mid-August and will be launched in October, somewhat earlier than expected.


InfoSec 2012: One in 10 second-hand hard drives contain personal data
By Sophie Curtis April 26, 2012 — Techworld — The Information Commissioner's Office has published a report revealing that one in ten second-hand hard drives sold online contains residual personal data, with some containing scanned bank statements, ...
Graham: ICO will blow £3m on IT services (The Register)
Infosecurity Europe 2012: The ICO on better regulation and better infosec (Infosecurity Magazine)
ICO to spend 20% of budget on IT (The Guardian)

InfoSec 2012: IBM launches new threat analytics engine
By Sophie Curtis April 26, 2012 — Techworld — IBM is growing its Security Systems unit with the launch of a new threat analytics appliance, which the company claims can identify suspicious behaviour in the network to protect organisations against ...
Infosec: IBM debuts anomaly detection system (IT PRO)
IBM at InfoSec: security megatrends for application development (ComputerWeekly.com blog)
IBM Announces New Threat Analytics to Help Organizations Better Identify ... (MarketWatch press release)

InfoSec 2012: New online dashboard to monitor SSL quality
By Sophie Curtis April 26, 2012 — Techworld — The Trustworthy Internet Movement, a non-profit initiative formed in February to help address ongoing security issues on the internet, has unveiled its first project - an online dashboard called SSL Pulse ...


Infosec and B-Sides: Security biz exhibitions face off in London
By John Leyden. Infosec and B-Sides both came to London this week to display the contrasting faces of the information security industry (before the cry of "Open bar!" was heard, natch).

Amazon Web Services said it has made it possible to create private clouds using CloudFormation, which automatically creates stacks of resources described using templates.
ZestCash, an online lending service for lower-income borrowers, has begun using a new big data-driven decision-making method that it claims will allow it to lend to 25% more people and improve repayment rates by 20%.
The top item on my son's Christmas list last December was Skylanders: Spyro's Adventure for the Nintendo Wii. For the uninitiated, Skylanders uses plastic toys that activate characters in the video game. The game and toys are very much aimed at kids and are very popular--according to a recent report, Activision has made about $200 million from the Skylanders franchise, which launched in October 2011. And yes, my wallet has made a significant contribution to that sales figure.
Ubuntu Server 12.04 LTS will feature the Essex release of the OpenStack cloud fabric layer

The new AWS Marketplace, launched by Amazon last week, is an interesting development on the cloud security front. The Amazon cloud services marketplace allows customers to choose from a menu of various software products and SaaS services, and launch the applications in their EC2 environments with one click.

Security applications are among the options, including a virtual appliance from Check Point Software Technologies, SaaS endpoint protection from McAfee, and SaaS network IDS and vulnerability assessment from Alert Logic. Customers are charged for what they use on an hourly or monthly basis, and the charges appear on the same bill as their other AWS services.

“We wanted to shrink the time between finding what you want and getting it up and running,” Werner Vogels, CTO at Amazon.com, wrote in a blog post.

By making it easy for organizations to add security to their cloud environments, AWS has made a promising move. Integrating security can be complicated, but the AWS Marketplace appears to eliminate any heavy lifting. It could leave organizations with fewer excuses to not implement cloud security.

But not all is hunky dory with the AWS Marketplace, according to a blog post by Joe Brockmeier at ReadWriteCloud. While the AWS Marketplace makes it simpler to consume single-server apps, it “still leaves a lot of configuration to the end users,” he wrote. For example, he said, deploying Sharepoint with Amazon Virtual Private Cloud involves an architecture that’s “much less simple than a single EC2 image,” which means the marketplace doesn’t offer anything right now for those with needs beyond a single EC2 image.

Still, it will be interesting to see what other security services are offered via the marketplace and whether other cloud providers follow Amazon’s lead in easing the path to cloud security.

The hacker who stole Facebook source code has gone public with a deeper explanation of how he penetrated the most popular social network in the world.
Nissan said it found malicious software on its network that stole employee user IDs and hashed passwords, but said no personal information or e-mails appeared to have been compromised.
Apple, Google, Microsoft and all major smartphone vendors were slapped with a lawsuit Wednesday by Potter Voice Technologies, an obscure Colorado company that claims they are infringing its patent on natural-language voice control of a computer.
The low-end, under-$200 tablet market is on the brink of a transformation -- and that means you'll soon be able to get a lot more value for a lot less money.
Samsung Electronics has introduced the 1.4GHz Exynos 4 Quad processor, which will power the next Galaxy smartphone, the company said on Thursday.
Online photo service Shutterfly has emerged as the only bidder for the customer accounts and images of Kodak Gallery online photo services business, the companies said Wednesday.
Google is asking Australia's High Court to hear an appeal over whether it misled consumers by allowing advertisers to purchase AdWords containing competitors' names and products.
The Web's 800-pound gorilla has landed in the cloud. Google is leveraging its existing relationships with hundreds of millions of users as it drums up business for its new cloud storage and file-sharing service, Google Drive. Can smaller cloud storage players survive this assault?

Graham: ICO will blow £3m on IT services
By Brid-Aine Parnell, Infosec 2012. The UK's Information Commissioner's Office is looking to spend around £3m on its IT, with an invitation for tenders expected at the end of next month. Information commissioner Christopher ...
ICO to spend 20% of budget on IT (The Guardian)


Mobile Malware Is At A Similar Level To PC Malware, States Symantec
Symantec has stated to ITProPortal, at the 'Infosec' internet security event in London, that mobile malware is at a level close to its computer variant, putting it on par with the types of exploits and vulnerabilities that the PC is exposed to, ...

Posted by InfoSec News on Apr 25

Slightly edited for the younger or more sensitive viewers...

- WK

---------- Forwarded message ----------
From: Sentimental A**hole <sentimental-a**hole (at) dotorg.org>
To: Those Wacky Hackers <dc-stuff (at) dc-stuff.org>
Subject: CFP - Skytalks

I *F**KING* *HATE* how Gmail won't let me put in pre-formatted monospace
text into an email. One of the downsides, I guess. Thank the gods for
direct injection.

It wouldn't be...

Posted by InfoSec News on Apr 25


By Kim Zetter
Threat Level
April 25, 2012

A Canadian company that makes equipment and software for critical
industrial control systems planted a backdoor login account in its
flagship operating system, according to a security researcher,
potentially allowing attackers to access the devices online.

The backdoor, which cannot be disabled, is found in all versions of the...

Posted by InfoSec News on Apr 25


By Sophie Curtis
25 April 2012

The Information Commissioner’s Office has published a report revealing
that one in ten second-hand hard drives sold online contains residual
personal data, with some containing scanned bank statements, passports,
information on previous driving offences, and medical details.

The report...

Posted by InfoSec News on Apr 25


By Nick Selby
April 25, 2012

If you work for a large corporation, you hear lots of talk about
corporate responsibility, and that's great. But I can't help but point
out that, whether it is intentional, there is a massive and growing
hypocrisy in the corporate world when it comes to prosecuting crime.

When I worked at a large...

Posted by InfoSec News on Apr 25


By David Kushner
May 2012

The hacker's eyes widened as the image filled his screen. There, without
her makeup, stood Scarlett Johansson, her famous face unmistakable in
the foreground, her naked backside reflected in the bathroom mirror
behind her, a cell phone poised in her hand snapping the shot. Holy
sh*t, he thought. This was a...