InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A top Apple security guru Thursday presented an in-depth view into the security architecture for iOS, the basis of iPhones and iPad tablets, underscoring the complex certificate-based encryption framework Apple has adopted.
Facebook boosted revenue by 32% in its first earnings report as a public company, bringing in $1.18 billion and slightly topping analyst expectations.
New Mac owners took their frustration with Apple onto Twitter today as they groused that they have not received redemption codes for the free copy of OS X Mountain Lion they were promised.
At Black Hat 2012, longtime Oracle thorn David Litchfield presents working exploits targeting Oracle database indexing vulnerabilities.

Facebook seemed to answer at least one burning question about its mobile business on Thursday -- it doesn't plan to build its own smartphone -- but it's still not entirely clear how it will capitalize on its rapidly expanding base of mobile users.
A Twitter outage on Thursday that lasted as long as two hours for some users was caused by separate data centers failing at nearly the same time, the company said in an apologetic blog post.
The stakes are high for both Apple and Samsung Electronics as they prepare to kick off their much-anticipated patent-infringement trial in front of a California jury on Monday.
Facebook boosted revenue by 32 percent in its first earnings report as a public company, bringing in US$1.18 billion and topping analysts' expectations slightly.
Mobile apps collect a myriad of data sources from contacts to location information and could also be accessing sensitive enterprise data.

We've covered the 404 Project https://isc.sans.edu/404project/ in a previous feature https://isc.sans.edu/diary/ISC+Feature+of+the+Week+The+404Project/12415 and announced reports in https://isc.sans.edu/diary/ISC+Feature+of+the+Week+404Project+Reports/12685.
Today we add an IPMask option for those who would like to obfuscate the IP for privacy or legal reasons. The parsing scripts have been tested to handle both the v1 format (without IP mask) and the v2 format (with mask), so backward compatibility is ensured.
A quick summary explanation with example ranges has been added at https://isc.sans.edu/404project/index.html#summary.
The full details are in the code block at https://isc.sans.edu/404project/index.html#instructions
Simply copy/paste the new code and fill in the variables as before, with the addition of $sIPMask: set it if you want to obfuscate the IP, or leave the default to pass the entire value unchanged. Possible masks include, but are not limited to:

0xffffffff = (Default)
0xffffff00 = (mask /24)
0xffff0000 = (mask /16)
0xff000000 = (mask /8)
0x00ffffff = (mask first octet)
0xff00ffff = (mask second octet)

Please send us a note if you encounter any problems. Post suggestions or comments in the section below, or send any questions or comments through the contact form at https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
Thursday's Apple tech talk marked its first public discussion about iOS security, but only covered what security researchers already know.

Consumers will spend $114 billion more in 2012 than they did in 2011 on digital products and that spending will grow at a faster rate than in the past, at around $130 billion a year, to reach $2.7 trillion by the end of 2016, according to Gartner.
Microsoft must aggressively price its Office 365 subscription plans, perhaps as low as $2 a month, to convince consumers that it's better to rent software than to buy it.
[ MDVSA-2012:116 ] dhcp
[ MDVSA-2012:115 ] dhcp
[ MDVSA-2012:114 ] apache-mod_auth_openid
The Obama administration "strongly supports" a new cybersecurity bill scheduled to be debated on the Senate floor soon, even though some of its provisions are watered down from earlier legislation, the White House Office of Management and Budget said.
Sprint Nextel, the third largest mobile carrier in the U.S., has reported a net loss of $1.4 billion for the second quarter of 2012, the 19th consecutive quarter of losses for the company.
After suffering an outage that lasted more than an hour and a half today, Twitter is back up and running.
After suffering the loss of some of its major hard drive manufacturing facilities in Thailand due to flooding, WD announced it's back in the black with record financial results for 2012.
Google Fiber broadband service in Kansas City will cost US$70 per month for 1Gbps Internet access and $120 per month for that service plus TV, the company said Thursday.

It seems the Federal Financial Institutions Examination Council could have done a little better with its cloud computing advisory. Earlier this month, the FFIEC issued a statement on outsourced cloud computing. The resource document outlines key cloud computing risks financial institutions should consider.

In the document, the FFIEC said it considers cloud computing to be another form of outsourcing with “the same basic risk characteristics and risk management requirements as traditional outsourcing.”

Right there, I think a lot of security experts would disagree. Cloud computing involves so many new elements, namely multi-tenancy, that present different risks than traditional outsourcing models. The FFIEC cloud computing statement covers multi-tenancy and other issues associated with cloud computing, such as potential complications with regulatory compliance due to data location, but at a high level without much detail. The document also covers familiar ground like vendor management and due diligence, stressing the importance of both in cloud computing arrangements.

Perhaps the FFIEC figured others, such as the National Institute of Standards and Technology (NIST), have already provided ample guidance on cloud computing risks. Late last year, NIST released its Guidelines on Security and Privacy in Public Cloud Computing (.pdf), which covers threats and risks associated with public cloud computing and provides organizations with recommendations.

Still, banks look to the FFIEC for guidance, and if any industry needs to be careful with moving data into the cloud, it’s banks. The FFIEC’s rather cursory treatment of the subject is puzzling indeed.

The day before the opening of the 2012 London Olympics that are expected to light up major social networks, Twitter has crashed.
[ MDVSA-2012:113 ] arpwatch
[SECURITY] [DSA 2516-1] isc-dhcp security update
Motorola does not infringe a Microsoft patent related to technology for monitoring events in mobile phones, the lower regional court of Munich ruled on Thursday, according to a court spokesman.
Apple was denied an injunction against Samsung's Galaxy Nexus and the adjusted Galaxy Tab 10.1N by the higher court of Munich, a court spokesman said.
Researcher Charlie Miller says Near Field Communication or NFC security issues open a huge attack surface on smartphones.

Making the move from Outlook (or another mail client) to Gmail can be jarring. It means giving up the folder system you've used for years, getting accustomed to an entirely new interface, and so on.
SkyDrive seemed destined to be another Microsoft also-ran product. Although introduced long before the current wave of cloud-based synchronization and storage services, SkyDrive had a number of frustrating limits, and comprised two separately named services (central and peer-to-peer file transfer) under one hood. Then Microsoft did something marvelous. The same week that Google released its long-expected Google Drive, Microsoft unveiled a thorough revamping of SkyDrive into an explicable and competitive service. (Microsoft lists the version that I reviewed as version 16.4.)
At first glance, the free Houzz Interior Design Ideas for iPhone and iPad looks like a home design-oriented variation of Pinterest, the hot social networking service that lets you collect, view, and share interesting items. But Houzz (pronounced How-zz) is a richer resource than that visual inspiration site du jour. While you can scroll through its hundreds of thousands of photos and products and add them to your own virtual lookbooks, otherwise known as Ideabooks, you can also peruse informational content, buy products, and find professional home-design services in your local area directly through the app.
[ MDVSA-2012:112 ] perl-DBD-Pg
tekno.Portal 0.1b - SQLi Vulnerability in "anket.php"
APPLE-SA-2012-07-25-2 Xcode 4.4
[security bulletin] HPSBUX02795 SSRT100878 rev.2 - HP-UX Running BIND, Remote Denial of Service (DoS)
Three widely deployed payment terminals have vulnerabilities that could allow attackers to steal credit card data and PIN numbers, according to a pair of security researchers from penetration testing firm MWR InfoSecurity in the U.K.
French telecom equipment company Alcatel-Lucent plans to cut 5,000 jobs after reporting a net loss of $308 million in the second quarter, it said on Thursday.
Chip makers LSI and STMicroelectronics did not infringe on patents claimed by Rambus, according to a ruling by the U.S. International Trade Commission on Wednesday.
Social games provider Zynga swung to a loss in the quarter ended June 30, and lowered its outlook for the year, leading its shares to fall by about 40% in after-hours trading on Wednesday.
At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones.
To celebrate the 15th anniversary of the Black Hat Conference here, a panel of experts got together to expound on what they see as the privacy and security mess of our times, and they had plenty to say about the U.S. government, cyberwar and Google.
ARM on Thursday formed a group with other U.K. companies to create a reference design on how smart devices with Internet access should be deployed in coming years.
In plain English, domain-specific languages let users define business rules and help ensure applications do what they're supposed to.
Apple will be the world's largest chip buyer this year because of the surge in demand for the company's products, enabling it to command lower prices and quicker delivery, IHS iSuppli said in research released on Wednesday.
As companies demand soft skills from their tech team, some IT pros are turning to executive coaches for guidance.
Security researcher Dan Kaminsky's annual "black ops" talk at Black Hat 2012 focused on improving secure software development with better code.
