Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A report by Dell SecureWorks debunks the idea that the newly discovered Duqu Trojan is related to last year's Stuxnet worm or was created by the same authors.
 
ZDI-11-302 : Adobe Reader U3D TIFF Resource Buffer Overflow Remote Code Execution Vulnerability
 
ZDI-11-301 : Adobe Reader U3D PICT 0Eh Encoding Remote Code Execution Vulnerability
 
The third iteration of the widely acclaimed Building Security in Maturity Model documents software security initiatives at 42 enterprises.

Attackers used SQL injection against Sony's website to gain access to its internal server and steal sensitive data.

A new bill introduced in the U.S. House of Representatives would allow law enforcement officials to shut down websites that enable or facilitate copyright infringement, leading some digital rights groups to suggest that YouTube, Twitter and online news sites could be targeted.
 
Symantec researchers said an early analysis of Duqu has found that it could be a precursor to a future Stuxnet-like attack.

A Microsoft analysis found malware targeting zero-day flaws making up only 0.12% of all exploit activity in the first half of 2011, but firms that lack zero-day defenses could be the next target.

Web inventor Tim Berners-Lee told RSA Europe attendees the future of IT security must include greater simplicity for users.

RSA revealed a "nation state" was behind the SecurID attack in March. Twitter and Facebook are still banned at RSA.

Microsoft has issued eight security bulletins, two rated "critical," for its October 2011 Patch Tuesday. It also released the 11th volume of its Security Intelligence Report.

Trend Micro Inc. has uncovered a new Android malware variant that uses a blog site with encrypted content as its command-and-control server and disguises itself as an e-book reader app.

Microsoft's eight security bulletins address flaws in Internet Explorer, Windows, Forefront UAG and the .NET Framework. Two bulletins are rated "critical."

Using private cloud at separate data centers has allowed the Department of Homeland Security to strike a balance between security and cost savings.

McAfee buys NitroSecurity for its ePolicy Orchestrator while Big Blue has created a security division for its Q1 Labs acquisition.

Even the most mature organizations are using multiple risk-management frameworks and various processes to make risk-based decisions.

Many firms rely on antivirus and antimalware technologies to address social networking risks, according to a survey by the Ponemon Institute.

Many businesses struggle to maintain PCI DSS compliance, suggesting meeting the standard is a goal rather than an ongoing initiative, according to a new report from Verizon Business.

Asynchronous JavaScript Technology, XML, Flash and HTML 5 enable a rich Web experience, but also give attackers an alarming number of ways to penetrate corporate networks.

Researchers in Germany have demonstrated weaknesses in the W3C XML encryption standard used to secure websites and other Web applications.

Deep Defender examines memory processes, enabling enterprises to block or deny actions to provide rootkit protection. Analysts say there may not be great demand for the protection.

Two civil liberties groups have filed lawsuits asking the U.S. Department of Justice to detail its collection of electronic data and other information under the 10-year-old counterterrorism law, the USA Patriot Act.
 
The intellectual property lawsuit between Oracle and Google over the Android mobile OS won't go to trial until next year, according to a ruling made Wednesday in U.S. District Court for the Northern District of California by the judge overseeing the case.
 
The Apple iPhone is attracting more new subscribers than expected to Sprint Nextel, and it will probably ease rather than worsen congestion on the carrier's 3G network, Sprint executives said as they announced third-quarter results on Wednesday.
 
Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability
 
Adobe Acrobat and Reader CVE-2011-2436 Remote Heap Buffer Overflow Vulnerability
 
ZDI-11-300 : Adobe Reader U3D PICT 10h Encoding Remote Code Execution Vulnerability
 
ZDI-11-299 : Adobe Reader PICT Parsing Remote Code Execution Vulnerability
 
ZDI-11-298 : Adobe Reader U3D IFF RGBA Parsing Remote Code Execution Vulnerability
 
ZDI-11-297 : Adobe Reader U3D PCX Parsing Remote Code Execution Vulnerability
 
The traditional retirement age for CEOs at IBM has been 60, or close to it.
 
Just weeks before Mozilla's lucrative contract with Google comes up for renewal, the open-source developer launched a customized version of Firefox that uses rival Microsoft's Bing search engine.
 
Citrix says it's driven down costs to the point that next year it will be cheaper to deploy virtual desktops than traditional desktops.
 
For the second time in six weeks, Target's website crashed Tuesday, and that is scary news for any major retailer heading into the holiday shopping season.
 
Jim Stickley got his first computer at age 12, and he was chatting with other computer "nerds" on bulletin board sites by the time he was 16. A wannabe hacker, Stickley said his first foray into playing the system was with free codes -- codes that would exclude his phone and computer time from racking up charges that would incur the wrath of his parents.
 
Adobe Acrobat and Reader CVE-2011-2433 Remote Heap Buffer Overflow Vulnerability
 
Adobe Acrobat and Reader CVE-2011-2435 Remote Buffer Overflow Vulnerability
 
Nokia's new Windows Phone 7.5-based Lumia smartphones won't cause many problems for Android-based devices and the iPhone in the U.S., analysts predicted.
 
Adobe Acrobat and Reader U3D Tiff Remote Buffer Overflow Vulnerability
 
Adobe Acrobat and Reader CVE-2011-2434 Remote Heap Buffer Overflow Vulnerability
 
Adobe Acrobat and Reader CVE-2011-2438 Multiple Remote Stack Buffer Overflow Vulnerabilities
 
Adobe Acrobat and Reader CVE-2011-2437 Remote Heap Buffer Overflow Vulnerability
 
Cisco Security Advisory: Cisco Unified Communications Manager Directory Traversal Vulnerability
 
Path disclosure in SPIP
 
[ GLSA 201110-23 ] Apache mod_authnz_external: SQL injection
 
IBM doesn't like drama -- and it proved that with its appointment Tuesday of Virginia Rometty as its new CEO.
 
U.S. government requests for Google user data jumped nearly 30% in the first half of this year compared to the prior six months, the search vendor said this week.
 
Retired: Microsoft Outlook Web Access Session Replay Security Bypass Vulnerability
 
IBM WebSphere ILOG Rule Team Server 'project' Parameter Cross Site Scripting Vulnerability
 
Freshmen in a Chicago-area school district now have a reason to be excited about coming to school: Free iPads.
 
Apple today kicked off in-store pickup of orders placed at its online store, letting customers retrieve their goods at a trio of stores in San Francisco.
 

Blancco Announces Key Certifications of Data Erasure Products from Mexican and ...
Sacramento Bee
In addition, the UK government's Defence Infosec Product Cooperation Group (DIPCOG) has approved a new version of Blancco software for use by its Ministry of Defence (MoD). "These certifications represent Blancco's global emphasis on serving the ...

Microsoft on Tuesday delivered its last service pack for Office 2007.
 
I was interested in this week's ZDNet piece, Cloud computing's real creative destruction may be the IT workforce. The piece discusses a presentation at last week's Gartner Symposium that posited cloud computing will be a net destructor of IT jobs.
 
German researchers say they found flaws in Amazon Web Services that they believe exist in many cloud architectures and enable attackers to gain administrative rights and to gain access to all user data.
 
A new breed of services called virtual assistants let you outsource just about any task overseas, as long as the work can be done with a computer and a telephone.
 
Online orders for the $299.99 Droid Razr start Thursday, and Verizon Wireless promised that devices ordered online will ship no later than Nov. 10.
 
For years, we have been taught (warned?) that establishing an SSL session consumes far more CPU than the session does afterwards, once established. We've also been warned that there is a theoretical vulnerability in SSL renegotiation in many web server implementations. Combined, they make for a nice "it'd be bad if someone wrote such a tool" story in many security classes.
These two situations are evident in the specifications for SSL offload and load balancer devices, which are typically rated in sessions established per second rather than by total session count or data throughput. It's also very much in our face when doing vulnerability assessments, when web server after web server comes back with a finding named something like "SSL Renegotiation saturation" (or similar). We've been told, over and over, that there is a theoretical problem here, waiting for an exploit to happen.
Since there hasn't been much in the way of exploits in this area, efforts towards resolving the SSL renegotiation problem haven't been on anyone's front burner. That's all changed now: THC (The Hackers Choice) has released another tool, THC-SSL-DOS, which targets the SSL renegotiation problem. With very limited bandwidth, a single host can DoS almost any vulnerable web server. Even offload devices such as load balancers are vulnerable (though more attacking hosts are required). In their release notes, THC makes the excellent point that the SSL renegotiation feature has never been widely used, and arguably should simply be disabled on almost all web servers.
Unfortunately, SSL renegotiation is enabled by default on many servers, and we all know what happens with defaults: systems get installed with default settings, then NEVER get changed.
Just to emphasise the point, THIS IS NOT A NEW SECURITY EXPOSURE; it's simply a handy proof-of-concept tool to demonstrate a problem that's been hanging around for quite some time, hopefully with the goal (and with luck, the result) of getting this setting changed on vulnerable systems.
Take a peek at this new tool. Hopefully it will serve as a catalyst, proving that this is one setting that should be changed post-install. It'd be nice if the developers of affected web server applications would take this as a cue to modify their installation scripts to change the default value of this setting as well.
http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/
http://www.thc.org/thc-ssl-dos/
===============
Rob VandenBrink

Metafore
 
A week after promising the PlayBook OS 2.0 to developers in October, RIM cites quality issues and says it will drop a key feature.
 
Consultants have been a mainstay of IT departments forever. But in the cloud the commercial language is filled with a new set of euphemisms you need to understand. Here are some to look out for.
 
Researchers from the Horst Goertz Institute of the Ruhr-University Bochum in Germany have demonstrated an account hijacking attack against Amazon Web Services that they believe affects other cloud computing products as well.
 
The Samsung Exhibit II 4G smartphone is slated to go on sale Thursday for $29.99 after rebate and a two-year agreement with T-Mobile USA.
 
Nokia on Wednesday unveiled its first two smartphones running the Windows Phone operating system.
 

Do infosec tweeps talk too much?
CSO (blog)
by CSO, Salted Hash – IT security news analysis, over easy! A friend in the security industry took issue with my suggestion that it's good for people who don't see eye to eye to keep talking. It's better to do, he says. But can we really do our jobs ...

 
Attachmate's Suse division has announced plans to offer software based on the OpenStack platform for enterprises to build private clouds.
 
Microsoft's mobile OS reboot turns out to be a small update that lacks enterprise security and rich apps but is a cleaner alternative to Google's Android for smartphones
 
The technology is still in its infancy, and there are technical, legal, safety and privacy issues to be worked out -- but we're entering the era of cars that connect to the Internet, to each other and to the public infrastructure.
 
Computers at Japan's diplomatic offices abroad and its House of Representatives were infected by viruses during cyberattacks over the last several months, the country's top spokesman said.
 
IBM's announcement Tuesday that company veteran Virginia Rometty will take over on Jan. 1 as president and CEO from Sam Palmisano is the latest in high-profile changes at the top in key technology companies, including Apple, Yahoo, and Hewlett-Packard.
 
Cisco Systems is taking several steps to extend its TelePresence videoconferencing technology beyond enterprise meeting rooms, introducing two endpoints and a free client application for ad hoc participants to download.
 
Thomas J. Trappler advises you to vet cloud providers to make sure they have adequate physical security safeguards. Insider (registration required)
 
Nokia unveiled on Wednesday four new phones intended for developing markets as well as the company's first two smartphones running the Windows Phone operating system.
 
Citrix Wednesday is set to unveil a prototype sub-$100 system-on-a-chip with a so-called 'zero client' at its Synergy conference in Barcelona.
 
Chinese authorities have started to detain Internet users for allegedly spreading online rumors, in its latest measure to control the country's social media sites.
 
SAP reported Wednesday a 14% increase in revenue in the third quarter ending Sept. 30, and said its business pipeline continues to remain very strong and companies continue to invest in IT. The business software vendor did not, however, revise its outlook for the full year 2011, citing the ongoing uncertain macroeconomic environment.
 

Posted by InfoSec News on Oct 26

Forwarded from: security curmudgeon <jericho (at) attrition.org>

*SNORE*

U.S. government officials calling for a second Internet is getting really
old, and likely goes back 10 years or more. Such a call is a non-starter
though; if they know what the Internet is, they have to know you can't
just re-create it and keep it 'private' (something the Internet is not).
If they want a secure official network, copy the DOD model of...
 

Posted by InfoSec News on Oct 26

http://news.techworld.com/security/3313227/trojan-hack-lands-cycle-star-floyd-landis-with-suspended-sentence/

By John E Dunn
Techworld
25 October 2011

Disgraced former Tour de France cyclist Floyd Landis should be given an
18-month suspended prison sentence for his part in an alleged plot to
hack the French national anti-doping laboratory (LNDD) using Trojans, a
prosecutor has said.

The planting of computer Trojans for the purposes of data...
 

Posted by InfoSec News on Oct 26

http://www.iansresearch.com/ians-events/10th-annual-midwest-information-security-forum

The 10th Annual Midwest Information Security Forum is coming up on
November 7-8, in Chicago, IL.

The IANS Midwest Forum covers the latest in information security trends
and enables IT risk management professionals to get down to business.
Best practices, benchmarking studies, trend analyses and practical
insights are provided by professionals who actually...
 

Posted by InfoSec News on Oct 26

http://www.theregister.co.uk/2011/10/25/rsa_attak_list_leaked/

By Richard Chirgwin
The Register
25th October 2011

When RSA’s network security was breached earlier this year, the result
wasn’t only the replacement of its SecurID tokens all over the world.

At the time, specialists believed that similar techniques could have
been deployed against other victims who mostly didn’t go public. Only a
handful of stories confirmed the use of...
 

Posted by InfoSec News on Oct 26

http://www.networkworld.com/news/2011/102511-zions-security-252371.html

By Ellen Messmer
Network World
October 25, 2011

Zions Bancorporation has set up a massive repository for proactively
analyzing a combination of real-time security and business data in order
to identify phishing attacks, prevent fraud and ward off stealthy hacker
incursions known as advanced persistent threats.

"This system allows you to start leveraging disparate...
 

Posted by InfoSec News on Oct 26

http://www.informationweek.com/news/security/attacks/231901580

By Mathew J. Schwartz
InformationWeek
October 25, 2011

Remember the Nasdaq breach? It's worse than previously thought.

Last week, two experts with knowledge of Nasdaq OMX Group's internal
investigation said that while attackers hadn't directly attacked trading
servers, they had installed malware on sensitive systems, which enabled
them to spy on dozens of company...
 