InfoSec News

There's a lot to love about the Acer Aspire TimelineX 1830T. At about $700, it's extremely affordable for an ultraportable, offers great workaday performance, has excellent high-def video playback, and runs for over 6 hours on its battery. However, the 1830T also suffers some ergonomic quirks that could irritate in the long run.
 
You wouldn't let your kids walk the streets of Amsterdam's Red Light District, but giving them unrestricted access to the Web is practically the same thing. The problem is, how do you block out all that inappropriate Web content?
 
The 5-inch Dell Streak tablet won't go on sale by the end of July after all, a spokesman said late Tuesday.
 
Intel on Tuesday announced it had developed a prototype interconnect that uses light to speed up data transmission inside computers at the speed of 50 gigabits per second.
 
The U.S. Patent and Trademark Office issued a final confirmation of a patent awarded to i4i that is at the heart of a dispute with Microsoft and that once threatened the sale of Word software.
 
The Google Online Security Blog posted a brief article on their opinion on the full vs. responsible disclosure debate, likely in the wake of the controversy over one of their researchers publishing a security vulnerability. The debate on publishing security vulnerabilities has been and remains a hot one. Almost all vendors support responsible disclosure (a term that I absolutely detest), where a researcher discloses the bug only to the software vendor, who then (hopefully) patches the bug. Full disclosure is publishing the vulnerability publicly once it is discovered (or in some cases, once a PR firm has been hired to manage the hype).
There are pros and cons to both approaches. Responsible disclosure really only works when there is responsible software development. However, if the good guys have the vulnerability, the bad guys have it and at least 12 more. With the exception of the few vendors which buy vulnerabilities, responsible disclosure does not allow the security community to develop counter-measures to protect against the threat while a patch is being developed. For instance, it took about a week for software to be developed to detect the LNK vulnerability, and there are still problems with it. On the other hand, full disclosure hands the details to the bad guys in public so they can immediately exploit the vulnerability. It does, however, get vendors and researchers to move quickly.
What are your thoughts on how disclosure should be handled?
--
John Bambenek
bambenek at gmail /dot/ com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
AT&T continues to back the Windows Phone 7 (WP7) platform wholeheartedly and says it will be the 'premier' carrier for phones running the OS when they become available.
 
Special report: Electronic espionage from China and others could be stealing your vital product and business information right now
 
The new Motorola Droid X is already hard to get, apparently due to shortages of components like its display.
 

A Closer Look at WikiLeaks' Past, Future (NewsHour)
... operational security (OPSEC), and information security (INFOSEC) threat to the US Army," a recently leaked document revealed on WikiLeaks. ...
 
Apple is being sued over claims that its iPad easily overheats, then suddenly switches itself off.
 
As Google stumbles again in its Gmail deal with the City of Los Angeles, analysts say it's botching a giant cloud marketing opportunity. Will it make the same mistakes Netscape did in its bid to woo customers away from Microsoft?
 
Apple today refreshed its iMac line for the first time since October 2009 by adopting Intel's Core i3, i5 and i7 processors across the board and abandoning NVidia's integrated graphics chipset for ATI-branded graphics processors.
 
Want to mingle with tech recruiters? Get to know hiring managers in the companies you might be interested in joining? IT job site Dice.com has launched a networking site that connects IT job hunters and tech recruiters on a more personal level than traditional resume-submitting transactions allow.
 
The Dell Streak five-inch tablet computer could be available online in the U.S. as early as Wednesday, according to reports.
 
 
Jolicloud, which is being promoted as the cloud-based Linux distro for non-Linux users, has promise -- but it still needs work.
 

Security BSides Announces 2010 Speaker Line-Up (Dark Reading)
These events are all about expanding the spectrum of infosec discussions and encouraging participants to give voice, creation and refinement to the 'next ...
PandaLabs Researchers to Present at Security BSides Las Vegas (PR Newswire, press release)
 

Search begins for future IT security pros (V3.co.uk)
The competitions form part of the Cyber Security Challenge UK, a government-backed initiative announced at InfoSec in April designed to plug the growing ...
Cyber Security Challenge Launched To Address UK Skills Shortage (eWEEK Europe UK)
 
How researchers report vulnerabilities -- and how companies react to those reports -- may be one of the briskest topics at this week's Black Hat security conference.
 
Twitter is having trouble again with a digital certificate that secures communications to its Web site, which has been causing trouble for third-party applications that integrate with it, but the problem may have been fixed.
 
SAP reported a 15% year-on-year rise in earnings for the second quarter, on revenue up 12%. It forecast that underlying revenue growth in its core business of software and software-related services will accelerate following completion of its acquisition of Sybase.
 
Apple refreshed its iMac and Mac Pro notebook lines Tuesday, as well as introducing a new 27-inch LED Cinema Display.
 
Of all the software on your PC, the Web browser may be the most important tool you use each day--but you may not give it much thought. The difference between a merely good browser and a great one, however, can be vast. The best browsers are those that stay out of your way: When you're in the right browser, you feel as though you're alone with your favorite site. The browser loads pages quickly, without crashing, and it can deftly handle any Web page you visit without prompting you to do anything extra.
 
Yahoo is building a centralized software infrastructure across all its media products, to make development and global updates more efficient, an executive said on Saturday.
 
Black Hat organizers are looking to avoid pressure from outside groups to cancel important presentations by withholding details of selected talks at future events.
 
Hewlett-Packard thinks it can build data centers faster and more cheaply by using standard, pre-built components that are assembled on site in a "Lego-like" fashion.
 
Be forewarned: Nothing about enterprise-level network access control is particularly easy, from the multiple levels of protocols involved to figuring out whether to use appliances or switches. Find out whose gear plays together with the least amount of trouble, and learn about the different NAC architectures so you can get going.
 
Trying to predict the big news at this week's Black Hat and Defcon conferences is tricky, if not impossible. Hackers tend to hold off on disclosing the really big talks because they don't want jittery lawyers to shut them down. And even when you think you know what's going on, sometimes you don't.
 
Ask.com hopes to tap the knowledge of its end users to provide better answers for people who ask questions at its website, the company will announce Tuesday.
 
Lenovo announced some new entry-level servers on Tuesday, continuing its effort to become a bigger player in the server market.
 
Two premiere security conferences -- Black Hat and DefCon -- run back-to-back in Las Vegas this week, each with their own distinct flavor. But even these events don't meet the needs of all computer security pros, setting the stage for a widening set of satellite events.
 
In the 13 years since its inception, Black Hat has emerged as one of the premier conferences in the security industry. On the eve of the annual conference in Vegas, Black Hat founder Jeff Moss talks about the show and how it has evolved.
 

Why Banks are Losing the Desktop Security War (BankInfoSecurity.com)
Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as ...

 
InfoSec News: One Breach = $1 Million To $53 Million In Damages Per Year, Report Says: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226200272
By Kelly Jackson Higgins DarkReading July 26, 2010
Organizations are getting hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks [...]
 
InfoSec News: Black Hat too commercial for you?: http://www.networkworld.com/news/2010/072610-security-conferences.html
By Tim Greene Network World July 26, 2010
Two premiere security conferences -- Black Hat and DefCon -- run back-to-back in Las Vegas this week, each with their own distinct flavor. [...]
 
InfoSec News: Black Hat: Mobile Flaws Get Attention: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226100127
By Thomas Claburn InformationWeek July 22, 2010
At the Black Hat USA 2010 conference, July 24 - 29 in Las Vegas, mobile security won't just be over the air, it'll be in the air. [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, July 18, 2010:
========================================================================
Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, July 18, 2010
45 Incidents Added.
========================================================================
[...]
 
InfoSec News: 39 IOS unveils advanced cyber schoolhouse addition: http://www.afspc.af.mil/news/story.asp?id=123214901
By Capt. Carrie L. Kessler 39th Information Operations Squadron 7/26/2010
HURLBURT FIELD, Fla. -- Members of the Air Force's sole information operations and cyber formal training unit celebrated a milestone July [...]
 
InfoSec News: Call for Chapter Proposals: Forwarded from: George Yee <gmyee (at) sce.carleton.ca>
Apologies for cross-posting.
Dear Colleague,
Greetings! I would like to invite you to submit a chapter proposal to a new book I am editing, entitled "Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards", assuming this topic lies within your work area. The due date for the proposal is August 15, 2010. For more details, please see the Call for Chapter Proposals at:
http://www.igi-global.com/AuthorsEditors/AuthorEditorResources/CallForBookChapters/CallForChapterDetails.aspx?CallForContentId=1039694b-2c68-4e3a-8a47-39c81d938c00
Here are some excerpts from the above site:
Introduction
The recent rapid growth of the Internet, together with increases in computerization, has been accompanied by soaring deployments of client-related business applications. Since business ultimately depends on the consumption of people, this has led to more and more consumer personal information in the possession of business organizations. This in turn has led to concerns over potential violations of consumer privacy. In response, various governmental jurisdictions have enacted privacy legislation to protect the privacy of consumers. However, legislation alone is not enough. Protective foolproof measures must be in place to guard against potential invasions of privacy. For example, business communication and collaboration include content sharing and email. How can these be safeguarded against the leakage of consumer personal information? As another example, internal business systems comprise workflows that handle and process client personal information. What measures are needed to avoid inadvertently and illegally revealing this information? What standards can be followed to reduce this risk?
Objective of the Book
This book will aim to deliver a coherent collection of chapters that provide significant new insights from five areas of investigation, as follows: 1) the current legal framework concerning the protection of consumer privacy in business organizations, 2) the nature and identification of consumer private information, 3) the measures and standards that can be applied and integrated within business organizations to protect consumer privacy, 4) the integration of business structures and workflows with privacy protection measures, and 5) the impacts of applying and integrating privacy protection measures on business operational and financial performance. Although theoretical and conceptual studies are equally welcome, the likely practical implications of your research should be emphasized in all contributions.
Recommended topics include, but are not limited to, the following:
- Legal and compliance aspects of privacy protection in business organizations
- Privacy related business standards
- The nature of consumer private information in business organizations
- Approaches, methods, and tools for discovering or delimiting private information
- Requirements for privacy protection measures in business organizations
- Privacy protection measures / privacy enhancing technologies applicable to business
- Software engineering approaches for privacy protection in business organizations (e.g. design of privacy sensitive software)
- Approaches, methods, and tools to assist in complying with privacy laws and regulations
- Gauging the effectiveness of privacy protection measures
- Approaches, methods, and tools that can be used to support the introduction of privacy protection measures
- Facilitators and inhibitors of the adoption of privacy protection measures
- The nature of business structures or workflows that can integrate with privacy protection measures
- Protecting consumer privacy in the age of business cloud computing
- Business advantages / disadvantages from the adoption of privacy protection measures
- Customer responses to the introduction of privacy protection measures
- Case studies of privacy protection initiatives on business performance
- The impact of privacy protection measures on organizational structure and behaviour
Submission Procedure
Researchers and practitioners are invited to submit on or before August 15, 2010 (let me know if you need more time), a 2-3 page chapter proposal (outline) clearly explaining the mission and concerns of his or her proposed chapter. Please email submissions (Word document) to: gmyee (at) sce.carleton.ca. Authors of accepted proposals will be notified by September 1, 2010 about the status of their proposals and sent chapter guidelines. Full chapters are expected by November 30, 2010. All submitted chapters will be reviewed between authors on a double-blind review basis.
Thank you for your consideration, and I look forward to receiving your proposal.
Sincerely, George
 
InfoSec News: MoD loses a staggering 340 laptop computers in TWO YEARS...and most of them were not encrypted: http://www.dailymail.co.uk/news/article-1296773/MoD-loses-staggering-340-laptop-computers-TWO-YEARS--encrypted.html
By Daily Mail Reporter 22nd July 2010
The Ministry of Defence has lost or had stolen 340 laptops worth more than £600,000 in the last two years, figures reveal today. [...]
 
Google has secured a deal to provide search results and related advertising to Yahoo Japan, Japan's most popular Web site, the two companies said Tuesday.
 

Posted by InfoSec News on Jul 27

http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226200272

By Kelly Jackson Higgins
DarkReading
July 26, 2010

Organizations are getting hit by at least one successful attack per
week, and the annualized cost to their bottom lines from the attacks
ranged from $1 million to $53 million per year, according to a newly
published benchmark study of 45 U.S. organizations hit by data breaches.

The...
 

Posted by InfoSec News on Jul 27

http://www.networkworld.com/news/2010/072610-security-conferences.html

By Tim Greene
Network World
July 26, 2010

Two premiere security conferences -- Black Hat and DefCon -- run
back-to-back in Las Vegas this week, each with their own distinct
flavor. But even these events don't meet the needs of all computer
security pros, setting the stage for a widening set of satellite events.

Some of these alternatives are corporate sponsored and some...
 

Posted by InfoSec News on Jul 27

http://www.afspc.af.mil/news/story.asp?id=123214901

By Capt. Carrie L. Kessler
39th Information Operations Squadron
7/26/2010

HURLBURT FIELD, Fla. -- Members of the Air Force's sole information
operations and cyber formal training unit celebrated a milestone July
20, with a ribbon-cutting ceremony to mark the completion of the
long-awaited 4,500 sq. ft. facility addition.

"We're at an all time high of graduating more than 480...
 

Posted by InfoSec News on Jul 27

Forwarded from: George Yee <gmyee (at) sce.carleton.ca>

Apologies for cross-posting.

Dear Colleague,

Greetings! I would like to invite you to submit a chapter proposal to a
new book I am editing, entitled "Privacy Protection Measures and
Technologies in Business Organizations: Aspects and Standards", assuming
this topic lies within your work area. The due date for the proposal is
August 15, 2010. For more details, please...
 

Posted by InfoSec News on Jul 27

http://www.dailymail.co.uk/news/article-1296773/MoD-loses-staggering-340-laptop-computers-TWO-YEARS--encrypted.html

By Daily Mail Reporter
22nd July 2010

The Ministry of Defence has lost or had stolen 340 laptops worth more
than £600,000 in the last two years, figures reveal today.

A total of 593 CDs, DVDs and floppy disks, 215 USB memory sticks, 96
removable hard disk drives and 13 mobile phones have also disappeared
from the department...
 

Posted by InfoSec News on Jul 27

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226100127

By Thomas Claburn
InformationWeek
July 22, 2010

At the Black Hat USA 2010 conference, July 24 - 29 in Las Vegas, mobile
security won't just be over the air, it'll be in the air. Nowadays, said
conference founder Jeff Moss, "it's all mobile all the time. It's like
when they introduced Windows 7 or Windows XP -- it's all new. Everybody
is...
 

Posted by InfoSec News on Jul 27

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, July 18, 2010

45 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Hackers Don Black Hats in Vegas (PC World)
... together thought leaders from all facets of the infosec world--from the corporate and government sectors to academic and even underground researchers. ...
 
