Hackin9

InfoSec News


SANS heads to Dubai with Gulf 2012 event
Security Park
SANS Gulf Region 2012, one of the region's largest infosec training events will be held at the Hilton Dubai Jumeirah from October 13th to 25th with a roster of courses covering virtualisation, cloud security, hacker techniques and Incident Handling ...

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The U.S. Federal Communications Commission is scheduled to vote on a proposal that would allow AT&T to offer mobile broadband service on 20MHz of spectrum it purchased in August along with spectrum holding company NextWave Wireless.
 
LibTIFF Out-Of-Order Tag Type Mismatch Remote Denial of Service Vulnerability
 
LTE wireless data speeds are impressing iPhone 5 and Android phone customers all across the U.S., and some of the speeds are truly mind-blowing.
 
When Yahoo's new CEO, Marissa Mayer, addressed company employees Tuesday, she reportedly talked about making Yahoo part of people's everyday lives.
 
LTE wireless data speeds are impressing new iPhone 5 and Android phone customers all across the U.S., and some of the speeds are mind-blowing.
 
Microsoft is taking a "big gamble" with its new Windows 8, one that will see the operating system peak at just 20% to 25% of corporate PCs, Gartner analysts said today.
 
When Yahoo's new CEO Marissa Mayer talked to company employees Tuesday, she reportedly talked about making Yahoo part of people's everyday lives.
 
A longtime user of Infor's ERP (enterprise resource planning) software says in a federal lawsuit that Infor is unjustly demanding a substantial sum of money after discovering that third-party companies have been accessing the software.
 
Telvent, a Canadian energy firm whose systems are used to control more than half of all oil and gas pipelines in North America and Latin America, confirmed a security breach involving some of its customers' project files.
 
Facebook and Dropbox announced a partnership through which current Dropbox users automatically get a file-sharing icon on their home page.
 
IBM has launched a new set of incentives and aids to help its service partners make better use of the company's cloud services and products.
 
Research In Motion's stock price jumped more than 6% Wednesday after CEO Thorsten Heins addressed developers and said, among other things, that BlackBerry subscriptions had climbed to 80 million, up from 78 million in the second quarter.
 
LinkedIn names the top workplace trends and items headed for obsolescence--and also lists what's becoming mainstream. Here's a look at those items, plus three tips for ensuring you don't go the way of the fax machine.
 
Tibco plans to ship in November an upgrade to its Tibbr enterprise social networking suite that will open up the product's social activity to enterprise and commercial developers via an API.
 
After nine months of deliberations and some changes on Google's side, the Norwegian Data Protection Authority lifted a ban on the use of Google Apps by municipalities.
 

Express shipping tops the list of malicious phishing terms
Infosecurity Magazine
More than one in four infosec professionals said that top executives or other privileged users in their enterprises have been compromised by spear phishing attacks within the last 12 months, according to a survey by PhishMe. Half of organizations were ...

 
Google yesterday patched 24 vulnerabilities in Chrome, and paid out $29,500 in bounties to nine researchers, more than half of that to one of the company's most prolific bug finders.
 
Two-thirds of healthcare organizations in the U.S. say they need more qualified IT staffers, according to a survey by the College of Healthcare Information Management Executives.
 
Google has added its first underwater panoramic images to Google Maps.
 
Zend Framework Multiple Cross Site Scripting Vulnerabilities
 
Asterisk Voice Mail Denial Of Service Vulnerability
 
An app ensures that smartphones can't be wiped without their owners' permission. Whether or when Samsung will respond to the problem remains unclear.
 
A Java sandbox flaw could allow malicious code to run on any system running Java 5, 6, or 7. Users are advised to disable the Java browser plugin.

 
389 Directory Server Access Bypass Vulnerability
 
Cisco said it acquired ThinkSmart Technologies of Cork, Ireland, a software company that delivers location data analysis based on Wi-Fi networks.
 
A Danish graduate student said he was searching for research material on an IEEE FTP server last week when he stumbled upon the usernames and passwords of about 100,000 members of the professional association.
 
Tablet functions seem to be heading in two directions: There are those primarily designed for consumption of books, movies and other content, and those intended for content creation as well as consumption.
 
I had the pleasure of sharing the stage at the Cloud Leadership Forum with John Howie. Howie is the newly minted chief operating officer for the Cloud Security Alliance. He came to the CSA after a tenure at "a large cloud provider"--very large indeed--and was able to address both my questions and those from the audience in excellent, useful detail.
 
Transmission Multiple HTML Injection Vulnerabilities
 
PPTP is a common standard for encrypted Internet connections, but CloudCracker promises it can crack any PPTP connection within a day for $200. We tried it out with a real session.
 
A number of readers alerted us to news reports stating that new full sandbox escape vulnerabilities had been reported to Oracle. At this point, no details are available as to the nature of these vulnerabilities, and there is no evidence that any of them are being exploited. However, it is widely known that Oracle is working on a substantial backlog of such vulnerabilities. It is still recommended to use Java with caution. Some best practices:

- Uninstall Java if you don't need it.

- If you do need Java, make sure it doesn't start automatically in your web browser.

- Keep Java up to date.

- Reduce the number of Java variants you have installed to the minimum you need.
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
As we're adopting cloud computing, we're more aware of the security concerns it raises than we were of the issues created by other large-scale technologies we adopted in the past. This is a wonderful thing! But security nirvana has not yet been achieved. While there's still plenty of room for cloud providers to improve, many aspects of cloud security must be the responsibility of the consumer.
 
Several years ago, the National Security Administration wasted millions on a circuit-switched approach to mobile security strategy. With help from the Department of Defense, the NSA is doing things differently now. Enterprise CIOs can learn a few things from the effort, too.
 
Infor has certified some of its products for Red Hat's Linux and JBoss middleware and added support for the MySQL and MariaDB databases, as part of a new push into open-source software, the companies announced Wednesday.
 
Tizen 2.0, the open-source smartphone operating system, is now available as an alpha release with an accompanying SDK, the Tizen project announced on Tuesday.
 
With Chrome 22, Google paid out nearly $30,000 to researchers for discovering and reporting the various critical and high-severity vulnerabilities it has now fixed. There are also some enhancements and a new Pointer Lock API for game developers.
 
The latest hole to be found in Java's sandbox could be exploited on Java 5, 6 and 7, according to its discoverer. Oracle already has the details of the problem.
 
VMware Workstation is richer in features and polish than ever, but VirtualBox is still both capable and free.
 
Wells Fargo's website experienced intermittent outages on Tuesday, while the hacker group claiming responsibility threatened to hit U.S. Bancorp and PNC Financial Services Group over the next two days.
 
A federal judge dismissed a lawsuit challenging the payout in the separation agreement between Hewlett-Packard and its former CEO Mark Hurd in 2010.
 
A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.
 
The Java ME Embedded 3.2 client runtime broadens Java to cover microcontrollers.
 
Rental companies used a service to log keystrokes, take pictures and trick users into entering personal information without notifying the user.
 
A modified version of the database management tool that contained a backdoor was temporarily hosted on an official download server.
 
Alain Avakian, the Rent.com CTO, points to Siri when he talks about his own interest in virtual chat technology and its potential to augment customer service at his business.
 
Barnes & Noble announced two new tablets, the 7-in. Nook HD, starting at $199, and the 9-in. Nook HD+, starting at $269.
 

Posted by InfoSec News on Sep 26

http://www.worldcrunch.com/tech-science/espionage-in-academia-how-to-stop-spies-and-thieves-from-swiping-top-research/copyright-university-spying-cnrs-technology/c4s9644/

By David Larousserie
LE MONDE/Worldcrunch
26 September 2012

PARIS - Pirates, spies, moles, thieves: those who want to steal the
scientific treasures of French research laboratories had better be
careful.

With a new measure to protect the "nation’s scientific and...
 

Posted by InfoSec News on Sep 26

http://news.cnet.com/8301-1009_3-57520112-83/researcher-says-100000-passwords-exposed-on-ieee-site/

By Elinor Mills
Security & Privacy
CNET News
September 25, 2012

A computer scientist says he discovered that a server of the IEEE
(Institute of Electrical and Electronics Engineers) had about 100,000
usernames and passwords stored in plaintext and publicly accessible.

Radu Dragusin, a computer scientist who works at FindZebra and is a...
 

Posted by InfoSec News on Sep 26

http://arstechnica.com/security/2012/09/rent-to-own-pcs-surreptitiously-captured-users-most-intimate-moments/

By Dan Goodin
Ars Technica
Sept 25, 2012

Seven rent-to-own companies and a software developer have settled
federal charges that they used spyware to monitor the locations,
passwords, and other intimate details of more than 420,000 customers who
leased computers.

The software, known as PC Rental Agent, was developed by...
 

Posted by InfoSec News on Sep 26

http://www.nextgov.com/defense/2012/09/disa-charged-securing-all-two-federal-networks/58354/

By Bob Brewin
Nextgov
Sept 25, 2012

The Defense Information Systems Agency has been tapped to tighten up
network security of all branches of the federal government except the
State Department and the FBI, which have their own systems. The move is
in response to the unauthorized release of hundreds of thousands of
pages of Pentagon and State...
 

Posted by InfoSec News on Sep 26

http://www.csdecisions.com/2012/09/25/learning-from-wyndhams-data-breach/

By Erin Rigik
Associate Editor
csdecisions.com
Sep 25, 2012

In today’s high tech world, no one is immune to a breach.

This June, The Federal Trade Commission (FTC) sued hotel dynasty Wyndham
Worldwide Corp., after the company suffered multiple security breaches.
Allegedly, customer credit card numbers and personal information were
stolen from the company three times...
 
Romanian researcher Radu Drăgușin says that he was able to copy 100GB of unencrypted log files, including 100,000 sets of usernames and passwords, from a server belonging to the IEEE.
 
Barnes & Noble introduced Wednesday two Nook tablets with 7-inch and 9-inch high-resolution displays, targeting entire families with the devices.
 
phpMyAdmin 'server_sync.php' Backdoor Vulnerability
 