InfoSec News

U.S. Senator Charles Grassley plans to drop a hold he placed on two FCC nominees because of a tussle with the agency over documents related to its treatment of would-be hybrid mobile operator LightSquared.
About 5.9 percent of AT&T shareholders have voted for a proposal calling on the company to commit to net neutrality principles on its wireless networks, but supporters of the measure called the vote a success.
The U.S. Federal Communications Commission has voted to require telephone carriers to provide their customers more billing information in an effort to crack down on mysterious, unauthorized charges on phone bills.
University of Florida computer science students remain fearful about their department's future, despite the school's decision this week to "set aside" an earlier plan to reorganize the department and cut its budget.
It's bargain day at Bugs & Fixes. This week's column offers three separate items for the price of one.
Your 802.11n wireless network and devices are about to become passé. Although the official 802.11ac specification won't be finalized until sometime in 2013, wireless equipment will soon appear on store shelves sporting the faster wireless protocol.
After launching a mobile app in February that can automatically upload photos and videos from Android phones, Dropbox unleashed an upgrade that expands the service to just about any device, including tablets, smartphones and Internet-enabled cameras.
The iPad is giving Apple entree to millions of customers who have never purchased one of the company's products before, a research firm said today.
Instructions on how to exploit an unpatched Oracle Database Server vulnerability in order to intercept the information exchanged between clients and databases were published by a security researcher who erroneously thought that the company had patched the flaw.
RETIRED: DirectAdmin 'CMD_DOMAIN' Cross-Site Scripting Vulnerability
[ MDVSA-2012:065 ] php
Walmart's cloud video service, Vudu, which allows DVD and Blu-ray disc owners to gain access to that content in the cloud, will reportedly expand to as many as 30 new countries.
The FTC has moved to hire a high-profile outside attorney to oversee its antitrust investigation into Google.

Earlier this week, Context Information Security revealed the astonishing findings of its investigation into a sampling of four cloud service providers (CSPs) — Amazon EC2, Gigenet, Rackspace and VPS.net. Context found unpatched systems, missing antivirus and back doors left open, leaving cloud customers vulnerable to attacks and breaches.


Perhaps the most dismaying finding from U.K.-based Context’s investigation was the discovery of remnant data left behind by previous cloud customers. As part of its research, Context created virtual machines (VMs) on the CSPs’ platforms, and was able to see data stored by previous tenants on Rackspace and VPS.net disks. (VPS was using the OnApp platform.) Context referred to this finding as the “dirty disk” problem.


At first it may seem Context’s report serves as notice to CSPs that they are falling short of basic security expectations. Yet, in many ways, the problems can be tied to customers’ own shortcomings. Too often, customers count on their CSP to lock down their applications and safeguard their data, even though most CSPs explicitly state these precautions are not included in their standard offerings. Unfortunately, this sometimes comes as an unpleasant surprise for customers.


The base service offered by many CSPs does not include antivirus, patching or data deletion services. To protect their data security, cloud computing customers need to treat VMs in the cloud as if they were on-site servers. Customers must adopt a “do-it-yourself” (DIY) mindset and apply their own security applications and procedures to their cloud implementation, or pay their CSP for more security services.

The four CSPs investigated by Context are likely representative of the data security problems to be found on all cloud platforms. Companies storing data in the cloud need to act quickly to find out how their CSP is protecting the confidentiality of their data, and do their part in protecting their data in the cloud.

VMSA-2012-0008 VMware ESX updates to ESX Service Console
C4B XPhone UC Web 4.1.890S R1 - Cross Site Vulnerability
Car Portal CMS v3.0 - Multiple Web Vulnerabilities

A new cybersecurity bill designed to foster threat intelligence information sharing between the public and private sectors cleared its first major legislative hurdle this week, gaining passage from the House of Representatives. If the bill makes it into law, it would clear security vendors of any legal ramifications in sharing their customer data with federal officials. That’s right: Symantec or any “certified” security vendor would be able to report your company’s infections directly to the feds.

If the Cyber Intelligence Sharing and Protection Act (CISPA), which is being opposed by the White House, privacy advocates and many Democrats, passes the Senate in a narrow vote, political observers say it is likely to be vetoed by the president. The bill is being supported by a variety of tech companies, including Symantec, Facebook, Oracle and Microsoft.

The bill enables attack and threat information sharing on a voluntary basis between the federal government and technology companies, manufacturers and other businesses. It’s a fascinating piece of legislation because under the voluntary program that the bill creates, it essentially gives security vendors the ability to share specific threat data collected from their customers with federal authorities - data that is not anonymous. The goal is to protect networks against attack, thereby giving the government some oversight into protecting critical infrastructure facilities that are owned by private-sector companies. The controversial bill is being compared to the Stop Online Piracy Act (SOPA) by privacy advocates who say that the legislation is too general and offers few safeguards protecting civil liberties.

CISPA amends the National Security Act and requires the director of national intelligence to establish procedures to allow intelligence community elements to share cyberthreat intelligence with private-sector entities and encourage information sharing - a common theme from the Feds at annual security conferences.

The bill would require procedures to ensure threat intelligence is shared only with “certified entities or a person with an appropriate security clearance.” It doesn’t delineate how an organization or individual becomes “certified.” But certification is needed, according to the legislation, to prevent unauthorized disclosure. Certification would be provided to “entities or officers or employees of such entities.”

Security companies, referred to as “cybersecurity providers,” are authorized under the proposed legislation to use cybersecurity systems to identify and obtain cyberthreat information from their customers and share that data with the federal government. The data would not be sanitized, giving the federal government unprecedented visibility into attacks and their specific targets. Many security providers already collect data on their customers and disseminate the data in threat intelligence reports, but the bill would give federal officials more visibility into attacks on specific private sector firms, such as utilities, chemical rendering companies, manufacturers and other organizations deemed essential to the protection of national security.

The bill is being supported by Symantec primarily because it takes out the company’s legal liability in sharing the data with the government. In a letter of support from Symantec, Cheri F. McGuire, vice president of global government affairs and cybersecurity policy, praised the goal of the bill (.pdf).

“In order for information sharing to be effective, information must be shared in a timely manner, with the right people or organizations, and with the understanding that so long as an entity shares information in good faith, it will not be faced with legal liability,” McGuire said. “This bi-partisan legislation exemplifies a solid understanding of the shortfalls in the current information-sharing environment, and provides common sense solutions to improve bi-directional, real time information sharing to mitigate cyberthreats.”

The Internet Security Alliance, an industry group that represents VeriSign, Raytheon and others, submitted a similar letter supporting the bill (.pdf).

Some protections were put into the bill. For example, it prevents security firms from being sued over threat data they share with the government. It says the threat data cannot be used by the federal government for a regulatory purpose. It also prohibits the federal government from searching the information for any other purpose than for the protection of U.S. national security.

It also directs the Inspector General of the Intelligence Community to submit an annual report on how the threat data is being used and if any changes are needed to protect privacy and civil liberties concerns.


Veracode Claims 'Information Security Product of the Year' for its Veracode ...
MarketWatch (press release)
LONDON, April 27, 2012 /PRNewswire via COMTEX/ -- Veracode, Inc., the leader in application security services, was awarded 'Information Security Product of the Year' at the SC Awards dinner held during InfoSec Europe. The company was also one of four ...

Mozilla will give Firefox 3.6 the coup de grace next month by automatically upgrading users of that 2010 browser to Firefox 12.
With Apple leading the revenue charge midweek and Amazon providing a kick to trading in tech shares Friday morning, bright spots appeared in what has otherwise been a mixed earnings season.
Japan's Casio has released an experimental app for the iPhone and iPad that encodes and sends data using colors.
The battle over the Cyber Intelligence Sharing and Protection Act is certain to heat up over the next few weeks, as the U.S. Senate begins debate on its versions of the controversial cybersecurity legislation.
[security bulletin] HPSBPV02754 SSRT100803 rev.2 - HP ProCurve 5400 zl Switch, Compact flash card contains trojan malware
[SECURITY] [DSA 2461-1] spip security update
Reverse engineering mobile apps helps pen testers find weaknesses and hidden malware, but the various mobile platforms and different versions make automation difficult, according to one expert.

Oracle Grid Engine 'qrsh' Remote Code Injection Vulnerability
[ MDVSA-2012:066 ] mozilla
A couple of weeks ago we learned about the handlers at https://isc.sans.edu/diary/ISC+Feature+of+the+Week+Get+to+know+the+Handlers/12985. Today's feature highlights our Handler Created Tools page at https://isc.sans.edu/tools/handler_created.html.

A link to the handler tool page is now on https://isc.sans.edu/handler_list.html for handlers with tools posted!
Each handler's section is separate and can be linked to directly by name using the anchor #[handlername].
The tools are currently categorized by ones that can be:

Downloaded and run/installed
Accessed online
Available on a mobile platform

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Elgamal, Marlinspike join dream team tackling SSL screw-ups
By John Leyden, Infosec 2012. A non-profit organisation has brought together a team of experts to tackle SSL governance and implementation issues and promote best practice. The Trustworthy Internet Movement (TIM) is convening ...

HP ProCurve 5400 zl Switches 'Compact Flash Card' Security Issue
PHP PDORow Object Remote Denial Of Service Vulnerability
The European Commission on Thursday asked six E.U. countries to explain their delay in enforcing the binding e-money Directive.
LG Electronics said on Friday that it will start selling the Optimus True HD LTE in Germany, Portugal and Sweden, helping the number of available LTE devices to slowly grow across Europe.
Huawei Technologies is aiming to bring touch-free smartphones and more inexpensive cloud storage to users, as the company boosts its research and development spending in order to bring "disruptive" technologies that will alter the market landscape.
Oracle Grid Engine 'sge_passwd.c' Local Buffer Overflow Vulnerability
Enhancements include first delivery of SDKs for Mac OS X, along with garbage collection and virtual machine boosts
AT&T and Verizon Wireless want Windows Phone smartphones to succeed in the U.S., partly to provide leverage against Apple's demands for subsidies required for selling the popular iPhone.
Samsung beat Nokia to the top position in the global handset market in the first quarter of 2012, research firms Strategy Analytics and IHS iSuppli said Friday.
IT engineers are studying what may be an easier way to fix a long-existing weakness in the Internet's routing system that has the potential to cause major service outages and allow hackers to spy on data.
Advanced Micro Devices is cutting costs and reducing the number of its data centers worldwide with the help of the cloud and hardware upgrades, an AMD executive said Thursday.

Posted by InfoSec News on Apr 27


By Brett Collson
Poker News Global
April 26 2012


TwoPlusTwo Forums Hacked

The TwoPlusTwo forums went offline on Thursday, and it had nothing to do
with the flow of traffic resulting from the Full Tilt Poker developments
this week. According to a statement posted on the website, TwoPlusTwo
was the victim of a security breach that...

Posted by InfoSec News on Apr 27


By Dan Goodin
ars technica
April 26, 2012

Less than 10 percent of the most popular websites offering Secure Socket
Layer protection are hardened against known attacks that could allow
hackers to decrypt or tamper with encrypted traffic, researchers said

The grim figure was generated by SSL Pulse, a website that monitors...

Posted by InfoSec News on Apr 27


By Kelly Jackson Higgins
Dark Reading
April 26, 2012

Iran isn't at the top of the list of cyberthreats to the U.S. today, but
the bad news is that the Iranian government has the intent and
motivation to become a major threat -- and appears to be shifting from
defense to offense, according to expert...

Posted by InfoSec News on Apr 27


By Aliya Sternstein

The Pentagon is draping its networks with technology that models in 3-D
weaknesses lurking inside, to show managers where threats are most
likely to enter, according to a contractor hired for the project.

The patented Passive Vulnerability Scanner is one of several new
surveillance systems that the Defense Information Systems Agency, the...

Posted by InfoSec News on Apr 27


By Tracy Kitten
Bank Info Security
April 26, 2012

Check fraud may seem like an antiquated scheme, but banking institutions
continue to struggle with how best to prevent it.

In fact, according to BankInfoSecurity's recent Faces of Fraud Survey,
check fraud is the second most common scheme institutions face, placing
just behind payment card fraud and ahead of phishing. And...