InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple asked a U.S. court to block sales of eight Samsung Electronics products on Monday, following the iPhone maker's victory in a patent lawsuit against Samsung on Friday.
The Republican and Democratic parties in the U.S. should take a stand for Internet "freedom" during their upcoming national conventions, a group of Internet activists urged Monday.
Wiki Web Help Multiple HTML Injection Vulnerabilities
VMware announced today that vSphere 5.1 includes backup capability complete with deduplication powered by EMC's Avamar software.
Twitter has filed an appeal of a New York judge's June decision requiring the company to turn over detailed information about a user tied to the Occupy Wall Street protest movement.
This is what we know so far about the vulnerability: there is an exploit in the wild; it works on the latest Firefox and Chrome; it targets Java 1.7 update 6; there is currently no patch available; and the exploit has been integrated into the Metasploit framework.
What this means: the potential hit rate for drive-by attacks is currently elevated. Since this is a Java vulnerability, it may also affect more than just Windows platforms (multi-platform attacks are currently unconfirmed, but follow from the multi-platform compatibility of Java itself). Update: Metasploit claims to work on Mac OS X via Safari. So consider it purely a Java issue and ignore the OS and the browser when deciding whether you're exposed.
The next scheduled patch cycle from Oracle isn't for another two months (October).
What you can do: this places normal end users in a pretty bad position, relying mostly upon disabling or restricting Java and hoping that AV catches the payload that gets installed. None of these are really good options. A third-party-developed patch is said to exist, but it's not intended for end users. My current recommendations are to disable Java if you can (see Brian Krebs's handy guide here: http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/ ), or use something like NoScript to help control where you accept and execute Java from. Update: Downgrading to 1.6 might be an option for you as well; make sure you're using the latest update. Credit or blame Steven depending on how that works out for you. (JK Steven.)
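As an added example (not part of the ISC diary), here is a small POSIX sh helper that turns the advice above into a quick local check: it classifies the first line of `java -version` output. The banner format, the category names and the thresholds are assumptions of this example; it treats every Java 7 build up to and including update 6 as exposed (no fix exists as of the diary), flags any later Java 7 update as something to check against Oracle's advisory, and treats Java 6 as outside this exploit's target while still reminding you to run the latest 1.6 update.

```shell
#!/bin/sh
# Added example, not from the ISC diary: classify a JRE from its `java -version` banner.
# Assumed banner format (Sun/Oracle style):  java version "1.7.0_06"

# classify_java 'java version "1.7.0_06"'
#   -> prints one of: exposed | check-advisory | java6-use-latest-update | unknown
classify_java() {
    banner=$1
    # Pull the quoted version string (e.g. 1.7.0_06); empty if this is not a Java banner
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*"\([0-9][0-9._]*\)".*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Major is the second dotted field (1.7 -> 7); update is the number after the underscore
    major=$(printf '%s\n' "$ver" | cut -d. -f2)
    update=$(printf '%s\n' "$ver" | sed -n 's/.*_\([0-9][0-9]*\)$/\1/p')
    # "06" -> "6": strip leading zeros so the numeric test below never sees an octal-looking value
    update=$(printf '%s\n' "${update:-0}" | sed 's/^0*\([0-9]\)/\1/')
    case $major in
        7)
            # The in-the-wild exploit targets Java 7 and no patch exists as of this diary,
            # so every build up to and including update 6 is exposed. Later updates are
            # not covered by the diary: check Oracle's advisory before trusting them.
            if [ "$update" -le 6 ]; then echo exposed; else echo check-advisory; fi
            ;;
        6)
            # Not the target of this exploit (the diary's downgrade option); keep it current anyway.
            echo java6-use-latest-update
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Wrapper for the local machine: `java -version` prints its banner on stderr.
# If java is not installed the shell's "not found" message is captured and classified as unknown.
check_local_java() {
    classify_java "$(java -version 2>&1 | head -n 1)"
}

check_local_java
```

Run it on each workstation (or feed it banners collected by your management tooling) and treat anything that prints `exposed` as a machine where the browser plugin should be disabled until Oracle ships a fix. Note that this checks the JRE on the PATH, not necessarily the one each browser has registered as a plugin; the Krebs guide linked above covers the per-browser side.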
Suggested reading on the topic:


Thanks to Kevin and Ed for directing us to this.
A zero-day vulnerability in Java 7 can be exploited through any browser running on any operating system -- from Windows and Linux to OS X -- that has Java installed, security experts said today.
The jury's decision Friday in the landmark Samsung-Apple patent battle doesn't relate to the core of the Android mobile operating system, Google said in a brief statement Monday.
Advanced Micro Devices is looking to speed up the delivery of virtual desktops through servers with its latest FirePro S9000 and S7000 graphics cards, which the company started shipping on Monday.
Among those attending the Republican National Convention in Tampa this week is Perse Faily, the CEO of start-up EMN8. When the convention is over, she will head over to the Democratic National Convention with the same message.
Sprint extended BYOD Management to its professional services portfolio, giving businesses a way to manage security and costs for workers who use consumer smartphones and tablets for work.
Samsung's big patent fight loss to Apple could have far-reaching consequences for smartphone makers, especially those that have adopted many of the gesture-based elements users now expect, says Richard Hoffman.
iPhone owners are selling their old models at an historic pace because the rumored iPhone 5 will sport a new form factor, electronics trade-in companies said today.
Paliz CMS Full Path Disclosure Vulnerability
CommPort 1.01 <= SQL Injection Vulnerability
Wordpress fckeditor Arbitrary File Upload Vulnerability
Exploit Title: Mihalism Multi Host v 5.0
After recently experiencing a data leak, Dropbox has started testing two-factor authentication for its service. Users can now install an experimental version of the client and test the new security system.

Chamilo Multiple Vulnerabilities
Scale Computing upgraded its scale-out storage cluster to include a server and hypervisor component that delivers what it calls virtualized infrastructure-as-an-appliance.
Attackers are exploiting a new and unpatched vulnerability that affects the latest version of Java -- Java 7 Update 6 -- in order to infect computers with malware, according to researchers from security vendor FireEye.
Following in the footsteps of Google and other services, Dropbox this weekend enabled two-factor authentication to bring enhanced security to its users.
ERP software vendor Deltek is being purchased by private equity firm Thoma Bravo in a $1.1 billion deal, the companies announced Monday. The acquisition is expected to close in the fourth quarter.
[slackware-security] dhcp (SSA:2012-237-01)
Samsung intends to fight Friday's landmark jury award of $1 billion to Apple over smartphone and tablet patent violations -- possibly for years.
The real embarrassment starts when taking a look at who disclosed the five critical security holes that the company hasn't fixed after more than six months.

Following Intel and contract chip maker Taiwan Semiconductor Manufacturing Co., Samsung Electronics will invest $976 million in Dutch chip manufacturing equipment maker ASML to further development of next-generation lithography technology that should enable faster and more power-efficient chips.
IBM plans to boost its enterprise social line of software by acquiring Kenexa, a maker of cloud-based human resources applications, the companies said on Monday.
Cloud service providers are already starting to feel downward price pressures as basic capacity and services are quickly becoming commodities. As price wars heat up, the excess capacity that providers need for peak traffic can become a drag on profits, but it also represents new opportunities.
E-mail security vendors are trying to lure Postini customers now that Google has announced plans to shut down the unit and migrate its customers to Google Apps.
An unpatched hole in Java allows specially crafted web pages to infect visitors' computers. The H's associates at heise Security were able to recreate the problem and advise users to disable the browser plugin.

Oracle Java Runtime Environment Remote Code Execution Vulnerability
ZABBIX 'node_process_command()' Remote Command Execution Vulnerability
Any.do is a free productivity app for iPhone that delivers in just about every way. It's great to look at, easy to use, and effective at helping users get stuff done.
A couple of years back at our annual RSA top threat panels, one of the possible exploits I suggested was the use of social network information for more automated targeted e-mail. At that time, most spear phishing was done by first manually collecting information about the victim, then creating an e-mail based on that information. In short: the exploit didn't scale and was expensive. Most of what a halfway skilled attacker can do by hand can be done cheaper and faster by a decent Python/Perl script.
Since then, we have seen a number of mass mail campaigns using automated harvesting of social network information. For example, some of the early campaigns searched LinkedIn for specific job titles.
This latest one abuses information published on Facebook. The spam appears to come from a Facebook friend of yours. As a sample:
From: Some Friend <[email protected]>
Subject: FOR FIRSTNAME
To: [email protected]
The e-mails carry what appear to be valid Yahoo DKIM signatures, so they are likely sent from compromised or throwaway Yahoo accounts. FIRSTNAME is the recipient's first name, and Some Friend is the friend's name. Depending on your e-mail client, you may not see the e-mail address used in the From header, only the display name.
To double-check your Facebook (or other social network) privacy settings, make sure you log out, then search for yourself on the social network and verify that the information you get back is in line with your privacy expectations.
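As an added example (not part of the diary), the following Python triages the pattern described above: a From display name that matches someone in the recipient's address book, paired with a sending address that person has never used, and a DKIM signature whose d= domain tells you which mail provider actually sent it. The two sample messages, the addresses and the address book are constructed for this example; the DKIM signature bytes are placeholders because the code reads the signer's domain rather than verifying the signature.

```python
"""Added example, not from the ISC diary: flag friend-impersonation spam by comparing the
From display name against the address book and reading the DKIM signer domain for context.
All sample data below is constructed for illustration."""
import email
from email.utils import parseaddr

# Constructed sample: friend's display name, throw-away Yahoo address, genuine Yahoo DKIM header.
# bh= and b= are placeholders; this example does not verify the signature.
SPOOFED = """\
From: Some Friend <throwaway8812@yahoo.com>
To: alice@example.org
Subject: FOR Alice
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 h=From:To:Subject; bh=placeholder; b=placeholder

Alice, you have to see this.
"""

# Constructed sample of a message that really came from the friend's usual account.
LEGIT = """\
From: Some Friend <some.friend@example.net>
To: alice@example.org
Subject: lunch?
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=mail;
 h=From:To:Subject; bh=placeholder; b=placeholder

Still on for Thursday?
"""

# The recipient's address book: display name -> addresses this person is known to use.
CONTACTS = {"Some Friend": {"some.friend@example.net"}}


def dkim_signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header: the domain that vouched for the mail."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Folded header lines keep their newlines in compat32 mode; flatten before tag parsing.
        flat = sig.replace("\r", "").replace("\n", "")
        tags = {}
        for part in flat.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def triage(raw, contacts):
    """Return the facts a mail filter or analyst needs for this pattern.

    A DKIM signature that verifies proves only which domain sent the message, not that the
    named friend did; the decisive check is display name versus the addresses known for it."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    signers = dkim_signing_domains(msg)
    known = {a.lower() for a in contacts.get(name, set())}
    return {
        "display_name": name,
        "address": addr,
        "known_contact_name": bool(known),
        "address_known_for_name": addr in known,
        "dkim_signers": signers,
        # True when the signer is the From domain: mail genuinely left that provider's servers.
        "dkim_matches_from_domain": bool(signers) and all(d == from_domain for d in signers),
        # The campaign's signature: a name you trust on an address you have never seen.
        "suspicious": bool(known) and addr not in known,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw, CONTACTS))
```

The point of carrying `dkim_signers` alongside the name check is the one the diary makes: a valid yahoo.com signature on these messages is not a sign of legitimacy, it is evidence that the sender is a real (compromised or throwaway) Yahoo account, which tells you where to report it rather than whether to trust it.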

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
E-mail security vendors are trying to lure Postini customers now that Google has announced plans to shut down the unit and migrate its customers to Google Apps.
Survey finds business units are funding mobile app projects and BYOD dominates among business partners, not just employees.

More hats in the (ISC)2 ring
CSO (blog)
The race for a seat on the (ISC)2 Board of Directors is getting interesting, with several highly-respected infosec professionals vying for a spot on the ballot. Many have criticized (ISC)2, which administers testing for the CISSP security certification ...

This week, consumer electronics vendors are once again congregating in Berlin for the IFA trade show, where products based on Microsoft's upcoming Windows 8 and RT are expected to set the trend.
Name: Jon Brilliant
Researchers hack the brain, iPhones hack computers, malware with an embarrassing bug, Microsoft discovers a proper virus, a script uncovers password hints, and knives with expiring certificates.

Samsung Electronics asked a Californian court on Sunday to lift a preliminary ban on sales of its Galaxy Tab 10.1 tablet in the U.S., after a jury found that Samsung does not infringe on an Apple design patent. Samsung also said it wants Apple to pay damages for lost sales.
Apple and Facebook this month each filed plans to expand data center operations in Prineville, Ore., a small community that's on its way to becoming one of the top data center locations in the U.S.
Their endless questioning can be painful at times, but a loyal skeptic can help keep your project on track.
JPL programmers and engineers keep the Mars rover's software up to date from 156 million miles away.
With just two months to go before the retail launch of Windows 8, Microsoft has yet to price the new OS.
Hacking has evolved from a one-person crime of opportunity to an open market of sophisticated malware backed by crime syndicates and money launderers.
Symantec today said it has more tightly integrated its flagship NetBackup software with VMware, allowing much of the storage functions to be managed through the vCenter Console.
Futuring is not what you do when you are finished with the imagined real work of operations.
Most jobs available today in the U.S. are posted to social networking sites; and the 'eHarmony of jobs.'
With Outlook Anywhere, users can download their mail to untrusted PCs and leave sensitive documents behind.
Google's plan to cut 20% of the workforce at Motorola Mobility has reignited internal fears that the Internet giant acquired the mobile device maker primarily for its 17,000 patents.