InfoSec News


Peer Pressure Drives Many To Acquire Security Certifications
Dark Reading
Mike Murray, also with InfoSec Leaders and co-founder of MAD Security, says as a manager, he has never hired or promoted someone based on a certification: "I can't remember a time I've ever done that or known anyone who did that," he says. ...

 
After forming in 2009 and stalling a couple of times since, the Open Cloud Initiative formally launched on Tuesday in an effort to encourage the adoption of open cloud principles.
 
Intel has appointed company executive Andy Bryant to be vice chairman of the company's board, and he will likely take over as chairman next May, the chip maker said on Tuesday.
 
Verizon Wireless has teamed up with cellular booster company Wilson Electronics to propose federal standards for boosters, which sometimes help to overcome weak signals but can also interfere with mobile operators' networks.
 

Application session management (or rather the lack thereof) is still one of the most frequently exploited vulnerabilities in web apps. OWASP contributor and fellow SANS ISC Handler Raul Siles has now put together a nice OWASP cheat sheet on things to consider when designing or reviewing web application session handling. One of my favorite sentences in there is
The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or PII). The meaning and business or application logic associated to the session ID must be stored on the server side,
because not doing so is one of my favorite application mistakes when I conduct a penetration test. Time and again I find session IDs that are actually more than just random identifiers. All it takes in such cases is two distinct, valid users ... and looking at their session tokens readily reveals the non-random portions like account numbers, which can then be manipulated and attacked.
In his write-up, Raul also links to a couple other OWASP cheat sheets that are equally worth reading, like one on cross site scripting (XSS) prevention. Enjoy!
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
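As an added illustration of the point above (example code written for this digest, not from the ISC diary, the OWASP cheat sheet, or any product), the Python below puts the mistake and the fix side by side: a session ID that merely base64-encodes an account number and a timestamp, versus an opaque random identifier whose meaning lives in a server-side table. It also includes a small review helper of the kind one would run during a design review or pentest write-up: given two users' tokens, it reports whether either decodes to readable structured text and whether the two share most of their positions. All function names and the account numbers and timestamps are constructed for the example.

```python
import base64
import binascii
import secrets

# --- The mistake: the session ID carries application data (constructed, do not use) ---
def weak_session_id(account_number, issued_at):
    # Base64 only obscures the fields; nothing here is random or server-bound.
    return base64.b64encode(f"acct={account_number};ts={issued_at}".encode()).decode()

# --- The fix: an opaque identifier; business meaning is stored server-side only ---
_SESSIONS = {}  # in-memory stand-in for a real server-side session store

def new_session(account_number):
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe base64
    _SESSIONS[sid] = {"account": account_number}
    return sid

def account_for(sid):
    # The client never learns or supplies the account; the server looks it up.
    entry = _SESSIONS.get(sid)
    return None if entry is None else entry["account"]

# --- Review helper: does a token decode to something a human can read? ---
def decoded_text(token):
    """Return the token's plaintext if it is base64 or hex of printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)  # repair stripped base64 padding
    decoders = (
        lambda: base64.b64decode(padded, validate=True),
        lambda: bytes.fromhex(token),
    )
    for decode in decoders:
        try:
            text = decode().decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable():
            return text
    return None

def review_tokens(tok_a, tok_b):
    """Findings a reviewer would write up after comparing two users' session tokens."""
    findings = []
    for tok in (tok_a, tok_b):
        text = decoded_text(tok)
        if text and any(sep in text for sep in "=;:|,"):
            findings.append(f"token decodes to structured text: {text!r}")
    common = sum(1 for x, y in zip(tok_a, tok_b) if x == y)
    if common / max(len(tok_a), len(tok_b)) > 0.5:
        findings.append(f"tokens agree in {common} positions; fixed or derived fields likely")
    return findings

if __name__ == "__main__":
    weak_a = weak_session_id(10023451, 1311600000)
    weak_b = weak_session_id(10023452, 1311600007)
    for line in review_tokens(weak_a, weak_b):
        print("FINDING:", line)
    good_a, good_b = new_session(10023451), new_session(10023452)
    print("opaque tokens, findings:", review_tokens(good_a, good_b))
    print("server-side lookup:", account_for(good_a))
```

Two tokens from the weak scheme differ in only a couple of characters and decode straight back to `acct=...;ts=...`, which is exactly what the diary describes; two opaque tokens share nothing and reveal nothing, so the only way to learn the account is the server-side lookup.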
 
Like Clint Eastwood in The Good, The Bad, and The Ugly, Apple is looking unbeatable in the wild tablet market. Will the iPad be the last man standing after the smoke clears?
 
SAP's second-quarter revenues grew 14%, driven by strong software sales in all regions, the company reported.
 
Google is adjusting the real-name policy of its Google+ social service to appease angry users -- many kicked off without notice. But Google will still not allow pseudonyms. Is Google+ being too pedantic about using real names?
 
phpMyAdmin Prior to 3.3.10.3 and 3.4.3.2 Multiple Remote Vulnerabilities
 
A survey of 1,000 people between the ages of 18 and 65 in the U.K. showed that many Britons are as emotionally connected to the Internet and their mobile devices as smokers are to their cigarettes.
 
InterDigital said it has filed complaints with the U.S. International Trade Commission and in federal court against Nokia, Huawei and ZTE, charging the companies with patent infringement.
 
The U.S. government can help grow the nation's cloud computing market by assisting private companies in the development of cloud security standards and by encouraging cloud providers to allow data portability among them, a new tech industry report recommended.
 
Video streaming made up 39% of all mobile data traffic worldwide in the first half of this year, and YouTube accounted for a majority of that video traffic, according to a survey by traffic management vendor Allot Communications.
 
Mango, the latest version of the Windows Phone mobile operating system, was released to manufacturers Tuesday.
 
Researcher Tarjei Mandt uncovered dozens of hidden vulnerabilities deep inside Microsoft Windows.

 
Mozilla's plan to create a mobile operating system will probably face patent challenges, one expert said, while another called it 'too little, too late.'
 
[Tool] DoS for OpenSLP (and others)
 
Two U.S. senators pledged to open up the nation's borders to highly skilled immigrants, with lawmakers arguing that the U.S. is turning away some of the world's smartest people.
 
Google has heard the public outcry about its name restrictions and the way it terminated many Google+ user accounts, and it's working fast to fix the problem.
 
Researcher In-Stat projects some 48 billion mobile application downloads by 2015 as the explosive growth continues.
 
Consumers just don't trust electronic health records to securely store their personal information, according to a survey by Harris Interactive.
 
Automated attack tools are targeting directory traversal bugs, cross-site scripting errors, SQL injection flaws and remote file inclusion vulnerabilities.

 
Re: CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials
 
Hacking IPv6 Networks (slides)
 
Two Verizon Wireless 4G LTE Samsung Galaxy Tab 10.1 tablet models go on sale this Thursday at prices of $529.99 and $629.99.
 
ManageEngine ServiceDesk Plus Security Bypass Vulnerability
 
[PT-2011-05] Cross-Site Scripting in Koha Library Software
 
A Mac security firm today criticized Microsoft for warning Mac users of new malware, saying that the threat simply wasn't worth mentioning.
 
Precision (products.php?cat_id) Remote SQL injection Vulnerability
 
[PT-2011-25] SQL injection vulnerabilities in Support Incident Tracker
 
[PT-2011-08] Multiple vulnerabilities in Dlink DPH 150SE/E/F1
 
Lava (news_item.php?id) (album.php?id) (basket.php?baction) Remote SQL injection Vulnerability
 

Federal Agency Recognizes Information Security as a Separate, Distinct Career ...
Infosecurity Magazine (US) (blog)
In a recent article, "Infosec Joblessness Remains Steady, at 0%", Govinfosecurity.com editor, Eric Chabrow, discussed the startling fact that employment in the information security analyst career field had increased by 16% in the last quarter. ...

 
Using OpenStack cloud software, Dell has created a package of hardware, software and services that organizations can use to deploy Infrastructure-as-a-Service operations.
 
U.S. outsourcer Cognizant Technology Solutions said Tuesday it has agreed to acquire the Indian services operations of CoreLogic to increase its services capabilities for the mortgage industry.
 
Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people's online bank accounts, according to new research from security vendor Trusteer.
 
Funnel Web (pages.php?page) Remote SQL injection Vulnerability
 
Funnel Web (selected_product.php?t) Remote SQL injection Vulnerability
 
Funnel Web (directory.php?cid) Remote SQL injection Vulnerability
 
Funnel Web (items.php?&cat_id) Remote SQL injection Vulnerability
 
Privacy researchers Alessandro Acquisti and Ralph Gross have converged facial recognition technology with publicly available personal information on social networks to identify individuals.
 
Zones Web Solution (index.php?manufacturers_id) Remote SQL injection Vulnerability
 
CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution
 
PHP-Barcode 0.3pl1 Remote Code Execution
 
[SECURITY] [DSA 2285-1] mapserver security update
 
SystemTap Multiple Local Privilege Escalation Vulnerabilities
 
Developers are taking a strong liking to the distributed system, though Subversion and others remain in the game
 
Saudi Arabia appears to have blocked the website of human rights organization Amnesty International.
 
A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies may face in getting insurance providers to cover expenses arising from cybersecurity incidents.
 
Reaction was mixed to the 2,000 layoffs announced by BlackBerry maker Research In Motion, as several analysts said RIM continues to face problems from aggressive smartphone and tablet competitors like Apple and Google.
 
By 2014, states must deploy public health insurance exchanges, giving millions of Americans purchasing power that could change the landscape for health insurers. Private retailers are already eying their own online exchanges -- possibly as in-store kiosks.
 
XMMS Skins Integer Overflow And Underflow Vulnerabilities
 
PHP-Barcode 'code' Parameter Remote Command Injection Vulnerability
 

Posted by InfoSec News on Jul 25

http://www.computerworld.com/s/article/9218636/Director_of_US_CERT_quits_abruptly

By Jaikumar Vijayan
Computerworld
July 25, 2011

Randy Vickers, the director of the U.S. Computer Emergency Response Team
(US-CERT), has resigned from his position without any official
explanation for the abrupt move.

Vickers' resignation last Friday was communicated via email to members
of the Department of Homeland Security's (DHS) Office of...
 

Posted by InfoSec News on Jul 25

http://www.bloomberg.com/news/2011-07-25/cyberwar-hysteria-aids-consultants-hurts-u-s-susan-crawford.html

By Susan Crawford
Bloomberg
July 24, 2011

On Feb. 3, President Barack Obama and the entire West Wing lost access
to e-mail for more than seven hours. A tree-trimmer had accidentally cut
the lines running out of the White House data center. White House
Communications Director Dan Pfeiffer sent a bulletin via Twitter -- the
only way he...
 

Posted by InfoSec News on Jul 25

http://www.informationweek.com/news/government/mobile/231002423

By Eric Zeman
InformationWeek
July 22, 2011

Score one for Research In Motion. While its PlayBook tablet may not have
scored a home run with consumers (or developers), it just got a big
thumbs up from the National Institute of Standards and Technology
(NIST), which granted it FIPS certification. No other tablet, despite
its success in the market, can lay claim to this title. The...
 

Posted by InfoSec News on Jul 25

http://www.darkreading.com/security/news/231002602/war-texting-attack-hacks-car-alarm-system.html

By Kelly Jackson Higgins
Dark Reading
July 25, 2011

It took researcher Don Bailey a mere two hours to successfully hack into
a popular car alarm system and start the car remotely by sending it a
message.

Bailey, a security consultant with iSec Partners, next week at Black Hat
USA in Las Vegas plans to show a video of the car alarm attack he and...
 

Posted by InfoSec News on Jul 25

http://www.telegraph.co.uk/technology/internet/8660683/Hackers-post-documents-from-Italian-cybercrime-unit.html

The Telegraph
25 July 2011

The hackers posted a trove of apparently confidential documents online
and claimed much more was to come from systems at CNAIPIC - il Centro
Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture
Critiche.

So far less than 100 megabytes of data have been published but the
hackers claim...
 