InfoSec News

The security firm Sophos released a tool on Monday that it claimed will block any attacks trying to exploit the critical unpatched vulnerability in Windows' shortcut files.
 
The release by Wikileaks of more than 90,000 documents about sensitive military operations in Afghanistan may just be the start of problems for the U.S. government.
 
Apple lost its bid today to criminalize "jailbreaking," the practice of hacking an iPhone to install unauthorized apps on the smartphone, according to a decision by the U.S. Copyright Office and the Library of Congress.
 
Google on Monday unveiled a new version of Google Apps designed to meet the rigorous security needs of U.S. government agencies.
 
AT&T is patching software in its network to fix a bug that kept iPhone 4 users from getting the full upstream speed on their handsets.
 
Interest in the SaaS (software as a service) delivery model is growing to the point that by 2012, almost 85% of new vendors will be focused on SaaS services, according to new research from analyst firm IDC.
 
Citigroup has urged customers conducting mobile banking from their iPhones to immediately upgrade because a security flaw in the older app secreted account information on the smartphone.
 
The recent discovery of malware designed to penetrate industrial control systems has renewed concerns about the security of power plants and manufacturing facilities.
 
Sprint Nextel today said that its NextMail voice messaging service is now available on all of the devices the carrier sells.
 
If there's a bigger computing hassle than sharing photos from your camera, I haven't found it.
 
I'm not really answering a reader's question today. But the trick I'm about to reveal is important to all Firefox users who like to get their hands dirty fiddling with settings. In fact, it's important to the tip I'm posting on Wednesday (which is why I decided to post it first).
 
The European Commission announced on Monday that it will begin formal investigations into allegations that IBM has abused its dominant market position in mainframe computers.
 
SophosLabs has just released a free tool that provides detection against the Windows shortcut exploit that we published last week in two earlier diaries. Sophos has indicated it works alongside any antivirus software and runs on Windows XP, Vista and 7, but not on Windows 2000. When Windows tries to display the icon for a shortcut, the tool intercepts the request in order to validate it, and hands control back to the user only if the shortcut is not found to be malicious.
SophosLabs has made a video available that explains the exploit and how the tool works, and the tool is available for download from Sophos.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
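The Sophos tool works at runtime by intercepting icon rendering. A complementary offline check, added here as an example and not part of this diary or of Sophos's tool, is to triage .lnk files statically: validate the MS-SHLLINK ShellLinkHeader, walk the LinkTargetIDList, and report any item ID that embeds a path to a loadable module. The heuristic (flagging .dll and .cpl suffixes, since the exploit fires when the shell renders a shortcut's icon) and the suffix list are this example's own assumptions, and the shortcuts it builds are constructed test fixtures (the 10.0.0.5 host is made up), not real exploit files. A hit is a signal for analyst review rather than a verdict, because legitimate Control Panel shortcuts can also reference .cpl modules.

```python
import struct

# MS-SHLLINK ShellLinkHeader layout (fixed 76-byte header)
SHLLINK_HEADER_SIZE = 0x4C
SHLLINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}, little-endian
HAS_LINK_TARGET_IDLIST = 0x00000001  # LinkFlags bit: a LinkTargetIDList follows the header

# Assumption of this example: a shortcut whose target ID list names a loadable module deserves a second look.
SUSPICIOUS_SUFFIXES = (".dll", ".cpl")


def parse_header(data):
    """Validate the ShellLinkHeader and return its LinkFlags."""
    if len(data) < SHLLINK_HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != SHLLINK_HEADER_SIZE or clsid != SHLLINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    return flags


def iter_item_ids(data, offset):
    """Yield the body of each ItemID in the LinkTargetIDList at offset, stopping at the TerminalID."""
    (idlist_size,) = struct.unpack_from("<H", data, offset)
    pos = offset + 2
    end = pos + idlist_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        yield data[pos + 2 : pos + item_size]
        pos += item_size


def utf16_strings(blob, min_len=4):
    """Carve printable UTF-16LE runs from an ItemID body; tries both byte alignments since items are not padded."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def scan_lnk(data):
    """Return module paths found in the shortcut's target ID list (empty list means nothing to flag)."""
    flags = parse_header(data)
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    hits = []
    for body in iter_item_ids(data, SHLLINK_HEADER_SIZE):
        for s in utf16_strings(body):
            if s.lower().endswith(SUSPICIOUS_SUFFIXES):
                hits.append(s)
    return hits


def build_lnk(item_strings, flags=HAS_LINK_TARGET_IDLIST):
    """Constructed test fixture: a minimal .lnk whose IDList carries one ItemID per string (no real target resolution)."""
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        SHLLINK_HEADER_SIZE, SHLLINK_CLSID, flags,
        0,           # FileAttributes
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0,           # FileSize
        0,           # IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    items = b""
    for s in item_strings:
        body = s.encode("utf-16-le") + b"\x00\x00"
        items += struct.pack("<H", len(body) + 2) + body
    idlist = items + b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    benign = build_lnk(["C:\\Users\\alice\\report.docx"])
    hostile = build_lnk(["\\\\10.0.0.5\\share\\payload.dll"])  # constructed UNC path, not a real host
    print("benign:", scan_lnk(benign))    # []
    print("hostile:", scan_lnk(hostile))  # ['\\\\10.0.0.5\\share\\payload.dll']
```

To use it against real files, read each .lnk from a removable drive or mail attachment store in binary mode and pass the bytes to scan_lnk; malformed files raise ValueError rather than being silently skipped, which is deliberate, since a shortcut that does not parse is itself worth a look.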
 
After setting up a special Wi-Fi hot zone in Times Square in May, AT&T has now taken a similar step in busy downtown Charlotte, N.C.
 
Roper Industries said Monday it plans to buy on-demand SCM software vendor iTradeNetwork from private equity firm Accel-KKR for $525 million. The transaction is expected to close later this week.
 
Opinion: Apple security is perceived to be very good, but as the popularity of Apple technologies increases, so too do the dangers for Apple users and for the companies charged with securing Apple products.

 
Buy less equipment, use less power: That's a proposition network managers can get behind, and it's what Cisco promises with the new power management features in its Catalyst 3750-X stackable access switch.
 
Employee use of personal smartphones and web-based technologies should be embraced by enterprises to reduce costs and boost productivity, according to two new reports.

 
New research from NCP Engineering points out that companies are complacent about VPN security configurations, and poorly managed VPNs are often at the heart of large data breaches.

 
Apple's iPhone 4 antenna woes have provided creative entrepreneurs an opportunity to make some money marketing related wares.
 
Tim Bray, co-inventor of XML and now with Google, hails languages such as Erlang, Clojure as developers deal with multicore chips
 
The list of features missing in Windows Phone 7 has dominated forums and early reviews of reference smartphones now in the hands of 1,000 developers.
 
Responding to the CEO's call to improve internal communication, Alcatel-Lucent has installed a variety of Web 2.0 tools that are now used by some 19,000 employees.
 
The final so-called meaningful-use rules that must be followed to receive federal reimbursement funds for implementing electronic health records systems give more leeway to organizations than a set of e-health guidelines that had been proposed by the U.S. Department of Health and Human Services earlier this year.
 
Gartner says CIOs should develop a list of IT projects that could be postponed or canceled -- if there's a second recession in the next 12 to 18 months.
 
Several CIOs identify what books they'll be reading on vacation, and why.
 
Our security manager is willing to outsource some things, but others are simply out of the question.
 
MIT researchers have developed a way to speed up Internet routers by 100 times or more, as a way to cope with increasingly bandwidth-hungry applications.
 
The Bluetooth SIG has approved the Bluetooth 4.0 wireless networking standard to exchange short bursts of data using little energy.
 
When you, as CIO, are asked to be Solomon, it's important not to counter emotion with more emotion.
 
Some people are concerned that the NSA's 'Perfect Citizen' program could threaten our privacy. But Frank Hayes says the real issue is why the agency would have to pay special attention to the networks that run critical infrastructure in the first place.
 
InfoSec News: CfP: WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010) - Deadline Extended!
Forwarded from: George Yee <gmyee (at) sce.carleton.ca>
DEADLINES EXTENDED!!
CALL FOR PAPERS (For HTML version, please visit http://CPSRT.cloudcom.org/)
INTERNATIONAL WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010)
In conjunction with 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2010), November 30 - December 3, 2010, Indiana University, USA, http://2010.cloudcom.org/
IMPORTANT DATES - EXTENDED!
Submission deadline: 20 August 2010
Author notification: 15 September 2010
Camera-ready manuscript: 1 October 2010
Author registration: 1 October 2010
Workshop date: 30 November 2010
WORKSHOP CHAIRS
Latifur Khan, University of Texas at Dallas, USA, email: lkhan at utdallas.edu
Siani Pearson, Hewlett-Packard Laboratories, Bristol, UK, e-mail: Siani.Pearson at hp.com
George Yee, Carleton University, Canada, e-mail: gmyee at sce.carleton.ca
WORKSHOP STEERING COMMITTEE (in progress)
Martin Gilje Jaatun, Department of Software Engineering, Safety and Security, SINTEF, Trondheim, Norway
Chunming Rong, Center of IP-based Services Innovation (CIPSI), University of Stavanger, Stavanger, Norway
Bhavani Thuraisingham, Cyber Security Research Center, University of Texas at Dallas, U.S.A.
Athanasios Vasilakos, Department of Computer and Telecommunications Engineering, University of Western Macedonia, Greece
WORKSHOP PROGRAM COMMITTEE
Carlisle Adams, University of Ottawa, Canada
Andrew Charleswoth, University of Bristol, UK
Giles Hogben, ENISA, Greece
Paul Hopkins, University of Warwick, UK
Latifur Khan, University of Texas at Dallas, USA
Steve Marsh, Communications Research Centre Canada, Canada
Christopher Millard, University of London, UK
Andrew Patrick, Office of the Privacy Commissioner of Canada, Canada
Siani Pearson, HP Labs, UK
Simon Shiu, HP Labs, UK
Sharad Singhal, HP Labs, USA
Ronggong Song, National Research Council Canada, Canada
Anthony Sulistio, Hochschule Furtwangen University, Germany
George Yee, Carleton University, Canada
WORKSHOP OBJECTIVE
Cloud computing has emerged to address an explosive growth of web-connected devices, and handle massive amounts of data. It is defined and characterized by massive scalability and new Internet-driven economics. Yet, privacy, security, and trust for cloud computing applications are lacking in many instances and risks need to be better understood. Privacy in cloud computing may appear straightforward, since one may conclude that as long as personal information is protected, it shouldn't matter whether the processing is in a cloud or not. However, there may be hidden obstacles such as conflicting privacy laws between the location of processing and the location of data origin. Cloud computing can exacerbate the problem of reconciling these locations if needed, since the geographic location of processing can be extremely difficult to find out, due to cloud computing's dynamic nature. Another issue is user-centric control, which can be a legal requirement and also something consumers want. However, in cloud computing, the consumers' data is processed in the cloud, on machines they don't own or control, and there is a threat of theft, misuse or unauthorized resale. Thus, it may even be necessary in some cases to provide adequate trust for consumers to switch to cloud services. In the case of security, some cloud computing applications simply lack adequate security protection such as fine-grained access control and user authentication (e.g. Hadoop). Since enterprises are attracted to cloud computing due to potential savings in IT outlay and management, it is necessary to understand the business risks involved. If cloud computing is to be successful, it is essential that it is trusted by its users. Therefore, we also need studies on cloud-related trust topics, such as what are the components of such trust and how can trust be achieved, for security as well as for privacy.
MISSION
This year, the CPSRT workshop will bring together a diverse group of academics and industry practitioners in an integrated state-of-the-art analysis of privacy, security, risk, and trust in the cloud. The workshop will address cloud issues specifically related to access control, trust, policy management, secure distributed storage and privacy-aware map-reduce frameworks.
TOPICS OF INTEREST
The workshop includes but is not limited to the following topics that refer to computing in the cloud:
* Access control and key management
* Security and privacy policy management
* Identity management
* Remote data integrity protection
* Secure computation outsourcing
* Secure data management within and across data centers
* Secure distributed data storage
* Secure resource allocation and indexing
* Intrusion detection/prevention
* Denial-of-Service (DoS) attacks and defense
* Web service security, privacy, and trust
* User requirements for privacy
* Legal requirements for privacy
* Privacy enhancing technologies
* Privacy aware map-reduce framework
* Risk or threat identification and analysis
* Risk or threat management
* Trust enhancing technologies
* Trust management
These topics give rise to a number of interesting research questions to be discussed at the workshop, such as the following:
* How can consumers retain control over their data when it is stored and processed in the cloud?
* How can users' trust in cloud computing be enhanced? How can reputation management be used in a practical way?
* How can transborder data flow regulations be enforced within the cloud?
* How can solutions be tailored to a specific context? For example, how can privacy and security requirements be gathered and matched to service provisioning in an automated or semi-automated way, and on an ongoing basis?
* How can adequate assurance be given about the way in which cloud providers process and protect data?
* How can audit mechanisms be provided for the cloud?
Software demonstrations are welcome. We encourage submissions of greenhouse work, which present early stages of cutting-edge research and development.
SUBMISSION
The submission format must conform to the following: 10 pages maximum including figures, tables and references (see http://CPSRT.cloudcom.org/). Authors should submit the manuscript in PDF format. The official language of the meeting is English. Please submit your paper to the CPSRT 2010 Workshop submission server (https://www.easychair.org/account/signin.cgi?conf=cpsrt2010) via an EasyChair account.
DISSEMINATION
Peer-reviewed papers that are accepted for presentation at the workshop will be published in the CloudCom 2010 IEEE proceedings, and will be available in IEEExplore (EI indexing). The workshop organisers plan to invite the authors of selected high quality papers to revise and lengthen their papers for a special issue of a related journal or an edited book.
For further details, please visit the workshop Web site: http://CPSRT.cloudcom.org/
 
InfoSec News: Police called over pizza hack
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10661073
By Joseph Barratt
nzherald.co.nz
July 25, 2010

The personal details of several Kiwi celebrities have been released by hackers as proof they have cracked Hell Pizza's customer database.

Private information including passwords, email and home addresses, phone numbers - plus pizza orders - have fallen into the hands of the anonymous cyber hackers.

Hell have called in...
 
InfoSec News: Wikileaks releases massive set of Afghan war files
http://news.cnet.com/8301-1009_3-20011594-83.html
By Declan McCullagh and Steven Musil
Security
CNET News
July 25, 2010

Wikileaks, the document-leaking organization that has previously released internal U.S. military videos, on Sunday disclosed over 75,000 confidential files related to the war in Afghanistan.

The group gave the documents in advance to the New York Times, Germany's Der Spiegel, and the U.K.'s Guardian newspaper, which...
 
InfoSec News: Microsoft: No plans to pay for security vulnerabilities
http://www.zdnet.com/blog/security/microsoft-no-plans-to-pay-for-security-vulnerabilities/6935
By Ryan Naraine
Zero Day
ZDNet
July 23, 2010

Mozilla and Google may be increasing the bounties to security researchers who find security holes in their software products but don't expect Microsoft to join the pay-for-flaws party.

According to Threatpost's Dennis Fisher, a Microsoft security official dismissed any suggestion that the company would...
 
InfoSec News: Iran was prime target of SCADA worm
http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm
By Robert McMillan
IDG News Service
July 23, 2010

Computers in Iran have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious...
 
InfoSec News: Hackers With Enigmatic Motives Vex Companies
http://www.nytimes.com/2010/07/26/technology/26security.html
By Nick Bilton
The New York Times
July 25, 2010

The world of hackers can be roughly divided into three groups. "Black hats" break into corporate computer systems for fun and profit, taking credit card numbers and e-mail addresses to sell and trade with other hackers, while the "white hats" help companies stop their disruptive counterparts.

But it is the third...
 
InfoSec News: Linux Advisory Watch: July 23rd, 2010
LinuxSecurity.com Linux Advisory Watch, July 23rd, 2010, Volume 11, Number 30
Editorial Team: Dave Wreski <dwreski () linuxsecurity com>, Benjamin D. Thomas <bthomas () linuxsecurity...
 
InfoSec News: Why no one wants DHS to play cyber mall cop
http://fcw.com/articles/2010/07/26/comment-mike-spinney-dhs-trusted-identities.aspx
By Mike Spinney
FCW.com
July 22, 2010

COMMENTARY - Mike Spinney is a senior privacy analyst at the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy.

The Homeland Security Department recently announced an initiative aimed at creating a more secure system of online identification. According to...
 
Looking for a relatively simple and inexpensive way to improve end user productivity? Desktop search tools can help end users swiftly locate critical nuggets of data, freeing up time for more important tasks.
 
Still, Copernic strikes a good balance of usability, features and performance.
 
DtSearch combines impressive searching power with an easy-to-manage interface. The software handles more than a terabyte of text in a single index – and can simultaneously search an unlimited number of indexes.
 
Exalead is built around an intuitive, browser-based interface that's modeled after the company's Web search portal. This convenient design lets you search your desktop and external Web sites from one place.
 
Google, like Exalead, builds its desktop search experience around a browser. In the case of Google, however, it has an advantage because Desktop generally matches Google's Web search experience.
 
Designed for individual power users, ISYS Personal Edition lives up to its name. The $99 application (for a 12-month license) has the most complex interface and operation of the products tested.
 
Mark Gibbs loves the Android operating system and isn't ashamed to say so.
 
If you're coming from Windows XP land, you know the frustration of trying to find files on your hard disk – it's slow and cumbersome. In fact, much of the software covered in our main reviews was created to solve this problem.
 
X1 Technologies' X1 was first released in 2002 as a free download. Additionally, Yahoo licensed the technology and it's still available as the no-charge Yahoo Desktop Search.
 
The "bring your own" craze started with instant messaging but certainly didn't end there. Today employees are bringing the rest of their social network tools to work, their own smartphones, their own computers, and now, with the advent of Google Voice, their own phone number and voice mail.
 
