Hackin9

InfoSec News

Linux Kernel 'memcg' NULL Pointer Dereference Local Denial of Service Vulnerability
 
Apple's CEO Tim Cook met with Beijing's mayor on Monday, and called for increased cooperation with China's capital city along with market expansion, according to a report from Chinese state-run press.
 
taglib Memory Corruption and Infinite Loop Denial Of Service Vulnerabilities
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Linux Kernel '__split_huge_page()' Race Condition Local Denial of Service Vulnerability
 
Linux Kernel ASLR Security Bypass Weakness
 
Since Mozilla started its controversial new versioning scheme, Firefox 3.6 has still been maintained as a stable and supported version of Firefox. Today, Mozilla announced that Firefox 3.6.28, to be released over the next few weeks, will be the final version of Firefox 3.6. As of April 24th, no more security fixes will be published for Firefox 3.6.
Of course, the Firefox version number is at first glance just a number. One could consider the just released Firefox 11 more like a Firefox 4.11.0 (or 5.11.0). However, plugins and extensions have never quite caught up to the new versioning scheme.
A Firefox add-on XPI file is a zip file that, once unpacked, reveals a number of components, including an install.rdf file, which among other settings governing the install of the extension lists the range of Firefox version numbers for which the extension will work. Developers usually do not include future major versions, as changes to the extension API and to the Firefox feature set will make it necessary to adapt the extension. This will require extension developers to consistently maintain and update extensions as Firefox releases new major versions.
In some ways, this may be a good thing, as it will remove unmaintained extensions. In other ways, developers of valuable extensions may get discouraged by this practice. As a user, you could edit the install.rdf file and modify the range of supported versions. I have done this in a couple of cases myself, and had decent success. However, there is a good chance that this will fail in some cases.
http://blog.mozilla.com/futurereleases/2012/03/23/upcoming-firefox-support-changes/
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
PHP CVE-2012-0789 Remote Denial Of Service Vulnerability
 

Infosec World Conference & Expo 2012 Hosts Hitachi ID Systems
Exec Digital (press release)
CALGARY, March 26, 2012 /PRNewswire/ - The Infosec World Conference & Expo, managed by the MIS Training Institute, offers over 70 sessions addressing the most pertinent IT security challenges facing the industry today. Topics include audit security ...

 
RESTEasy JaxB XML Entity References Information Disclosure Vulnerability
 
RESTEasy XML Entity References Information Disclosure Vulnerability
 
 
HTC plans to shut down its HTCsense.com cloud backup services on April 30 in preparation for the launch of "new and improved services," it said on its website.
 
Linux Kernel KVM CVE-2012-0045 Local Denial of Service Vulnerability
 
Washington, D.C. -- Responding to President Obama's call for an 'all-of-the-above' strategy to help consumers reduce their energy costs, the Administration announced on March 22 that nine major utilities and electricity suppliers will ...
 
IBM CIO Jeanette Horan has plenty of IT projects and systems to worry about, but perhaps one of the most pressing and timely is Big Blue's ongoing BYOD (bring your own device) rollout, which is aimed at including all of the company's 440,000 employees over time.
 
A watchdog group issued a renewed call for Apple to address what this group considers poor working conditions for factory workers in China, criticizing the company for not assigning any of its US$98 billion cash pile to address the issues.
 
The first real test for Nokia in North America will come April 8, the day AT&T announces it will start selling the Lumia 900.
 
Imagine that criminals broke into headquarters and bugged your executive offices for insider information--and then made millions trading on that information. That's what can happen if you jump into a board communication system too quickly. It has already happened: they silently monitor your board of directors' communications until they hear insider information that they can use to strike it rich on the stock market.
 
Mozilla Firefox/Thunderbird/SeaMonkey 'shlwapi.dll' Use-After-Free Memory Corruption Vulnerability
 
UltraVNC VNCViewer 'ClientConnection.cpp' Remote Buffer Overflow Vulnerability
 
 
The public cloud doesn't work for everyone, says Pete Stevenson, CEO of Latisys, a cloud, managed hosting and colocation service provider that announced an expansion of its offerings and facilities today.
 
In its upcoming ProLiant Gen8 Smart Array, HP uses solid-state drives and a caching algorithm it calls Dynamic Workload Acceleration to address I/O throughput issues.
 
Microsoft will launch the "release candidate" of Windows 8 in late May or early June, according to a Saturday report by a Dutch blog.
 
Workers at AT Kearney connect with their friends on Facebook now and then when they're on the job, and that's just fine with executives there.
 
Katie Moussouris discusses coordinated vulnerability disclosure, the Microsoft Blue Hat Prize and developing an ISO vulnerability disclosure standard.

 
Vidyo is announcing a new program for service providers, enabling cloud-based video services it says could sell for $30 per month.
 
Many companies that rely on Office Live Small Business (OLSB) for their e-mail and website hosting are complaining that a required transition to Office 365 or to a third-party hosting provider is too complicated for them to carry out and that Microsoft could be doing more to help them out as OLSB's closure date fast approaches.
 
A do-not-track law focused on protecting Web users' privacy may not be necessary, with private groups working to implement recommendations from the U.S. Federal Trade Commission, the agency's chairman said.
 
Apple's royalty-free nano-SIM is an empty promise, because the company doesn't have any essential patents related to its nano-SIM proposal, a Nokia spokesman said on Monday.
 
Apple is shortchanging new iPad owners on battery power, an analyst said today.
 
The rapid adoption of 802.11n has become a significant milestone in the history of wireless LANs. The MIMO-based technologies used in most 802.11n systems provide enough throughput, reliability, and rate vs. range performance to effectively remove the last major barriers to the broad adoption of WLANs in the enterprise.
 
Many small businesses with larger server needs are turning to blade servers to pack big power into a small space. But what exactly is a blade server, and how do you know if it's right for your small business?
 
The Internet Society, a nonprofit that operates the .org registry and funds Internet standards development work, is celebrating its 20th anniversary with a gala event in Geneva next month.
 

Those of you clamoring for Internet service providers to get proactive about security and malicious activity on their networks got a win late last week from the Federal Communications Commission. The FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) got unanimous support of its U.S. Anti-Bot Code of Conduct for Internet Service Providers from most of the leading ISPs.

Known as the ABCs for ISPs, participation is voluntary for the providers who must take “meaningful action” in the education of users in botnet prevention, botnet removal, detection of botnet activity on an ISP network, notification of customers of suspected infections, providing information to customers on how to remediate botnet infections, collaborating with other ISPs around botnet activity, and sharing experiences around the FCC’s code of conduct.

AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, T-Mobile and Verizon agreed to the code of conduct. Their acknowledgement, or concession, of the problem is a nice public step forward here. There have been many arguments pro and con regarding ISPs and security, and countless debates as to whether an ISP should provide a clean pipe.

ISPs clearly are in the optimal position to see malicious traffic, but there’s a slippery slope in choking off what an ISP believes is malicious traffic—what’s the impact on legitimate traffic caught in the crossfire, on performance of services and on cost, for example? Some ISPs sell security services too, raising conflict of interest issues. And then there are the net neutrality folks who protest an ISP’s ability to restrict access to content or impact network performance by throttling traffic for some and ratcheting it up for others.

The code of conduct solves none of these riddles, but at least it moves the conversation forward without legislation. FCC Chairman Julius Genachowski has been vocal about an industry response to botnets. According to Arbor Networks’ Atlas service, for the 24-hour period starting last Wednesday, there were 951 attacks per subnet carried out over TCP Port 80 (http) and another 284 over TCP Port 445 (used for Microsoft Server Message Block service), accounting for 69% of attacks. Botnets are responsible for denial-of-service attacks, attacks on the DNS infrastructure, Internet routing attacks, spam campaigns and other malware attacks.

ISPs, to their credit, have been better about security. Comcast, for example, has fully implemented DNSSEC for its customers and it is part of the provider’s Constant Guard service. John Schanz, executive vice president of Comcast National Engineering and Technical Operations in Security and Privacy, wrote in a blog post: “The Code recognizes that the entire Internet ecosystem has important roles to play in addressing the botnet threat and ISPs depend on support from the other players like security companies and operating system vendors.” PayPal, Microsoft, Symantec and the Online Trust Alliance also took part in developing the code of conduct.

Nothing in the code of conduct, however, really suggests ISPs do much more today than what Comcast and others are already doing—namely monitor, notify and recommend remediation. ISPs still won’t take meaningful action about botnet removal without being forced to, and that’s a lot of lobbying down the road. Stay tuned.



 

Online banking faces growing threat of fraud: Q-CERT official
Peninsula On-line
INFOSEC Conference hosted by ictQatar that cyber threats in the country had notably gone up at the height of the Arab Games late last year, but mitigation measures have been taken to contain them. “Online banking is more prone to attacks but we coordinated ...

 
Sure, there are budget constraints and far fewer resources. But being an IT leader in a small shop has numerous benefits, not the least of which are agility and a greater ability to influence the business.
 
After 244 years, the Encyclopaedia Britannica will cease to publish its flagship encyclopedia and will concentrate instead on its digital offerings.
 
The National Geographic Society announced that it is moving its backup and archive of large unstructured multimedia files -- including video, photos and graphics -- to Nirvanix's Cloud Storage Network.
 
Our manager talks to colleagues and attends various breakout sessions and talks, where he might learn something new or (even better) get validation for his security program and priorities.
 
The battle over next-generation nano-SIM card technology intensified after Apple sent a letter to the director general of standards organization ETSI, saying its proposal will be royalty-free, according to a report.
 
The federal government last week issued a remarkable complaint against AT&T: In essence, the Department of Justice alleges that the telecom giant has bilked U.S. customers out of millions of dollars by willfully failing to prevent the rampant abuse of a system designed to help the hearing impaired.
 
Half the fun of iPhone photography is editing and altering your photos in various photo apps. And now that Apple has introduced its iPhoto app for the iPhone and iPad, bringing its desktop photo management and editing software to the touchscreen interface, users have a great, all-in-one photo-editing tool at their fingertips.
 

Telstra slips 4G Galaxy S II into its range
ZDNet Australia
 
 

ZDNet App Wrap: 26 March 2012
ZDNet Australia
 

Libs slam Huawei ban, Greens want explanation
ZDNet Australia
 
More and more IT shops are using technologies such as virtualization and replication to make disaster recovery just another service, sometimes using the same servers, network and storage that run order entry, email, application development or other services.
 
Security is a top concern for potential cloud users so the formation of the Cloud Security Alliance was welcome news when the organization emerged in 2009. And while many vendors have since joined CSA, precious few service providers have stepped up to take part in its Security, Trust and Assurance Registry.
 
 
New managers lack the language to understand and express the value of management itself.
 
Experts and IT leaders offer strategies for getting the most from the latest encryption and digital rights management technologies.
 
Meet David D. Clark, who has been involved in the development of the Internet since the 1970s. He talks here about the Internet, its potential and problems, and its future.
 
Next month's Firefox 12 will be the last version of Mozilla's browser to run on early editions of Windows XP and the 12-year-old Windows 2000.
 
In Brook Colangelo's first 40 days as CIO of the Executive Office of the President, the White House email system was down 23% of the time while he and his staff put in 80-hour weeks.
 
Microsoft is cutting the price of its own cloud-based service, Office 365, to improve its chances of success in the enterprise market and to stave off competition from Google Apps, analysts say.
 
Next month, Marvel Comics will release a new application to add content enhanced with augmented reality to some of its comic books.
 
Tablets are making huge inroads, but PCs aren't even close to being dead yet
 
Orion project adds JavaScript and HTML capabilities for Web app development
 
GnuTLS TLS Record Handling Heap Memory Corruption Vulnerability
 
GNU Libtasn1 ASN1 Length DER Decoding Memory Corruption Vulnerability
 
Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
 
Microsoft said on Monday it and several partners had disrupted several cybercrime rings that used a notorious piece of malicious software called Zeus to steal US$100 million over the last five years.
 
The U.S. broadband infrastructure is a monopolistic mess
 

Posted by InfoSec News on Mar 25

http://www.dailymail.co.uk/news/article-2118900/Computer-thief-goes-victims-house-apologise--invited-steal-SECOND-laptop.html

By Chris Parsons
Mail Online
22 March 2012

A shameless thief called at his victim's house to apologise for stealing
his computer - before making off with his replacement laptop.

Ivan Barker called at the house of wheelchair-bound Jacque Mathley to
say 'sorry' for stealing his laptop and cigarettes three...
 

Posted by InfoSec News on Mar 25

***LASER 2012 -- SUBMISSION DEADLINE EXTENDED TO APRIL 9, 2012*** 
Please make a note of this extension.  Details are below.

LASER 2012 -- Learning from Authoritative Security Experiment
Results

The goal of this workshop is to provide an outlet for
publication of unexpected research results in security -- to
encourage people to share not only what works, but also what
doesn't.  This doesn't...
 

Posted by InfoSec News on Mar 25

http://www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/

By Phil Muncaster
The Register
26th March 2012

Two local men have been arrested after an online referendum organised by
Hong Kong university to poll citizens on their choice of chief executive
was disabled in an apparent denial of service attack.

Broadcaster Radio Television Hong Kong (RTHK) reported that the men,
aged 17 and 28, were arrested at the weekend after the online poll...
 

Posted by InfoSec News on Mar 25

http://www.nextgov.com/nextgov/ng_20120323_1655.php

By Joseph Marks
Nextgov
03/23/2012

Agencies that deal with national security data and programs must do more
to secure their information technology supply chains, a government
watchdog said Friday.

Federal agencies aren't required to track "the extent to which their
telecommunications networks contain foreign-developed equipment,
software or services," the Government...
 

Posted by InfoSec News on Mar 25

http://www.usatoday.com/tech/news/story/2012-03-25/visa-data-center/53774904/1

By Jon Swartz
USA TODAY
March 25, 2012

SOMEWHERE ON THE EASTERN SEABOARD -- Prisons are easier to enter than
Visa's top-secret Operations Center East, its biggest, newest and most
advanced U.S. data center.

The 8-acre facility looks like any other industrial park in a sleepy
suburb. But the serene setting masks hundreds of cameras and a crack
team of former...
 