InfoSec News

More than a dozen vendors created a working group to create a new SSD interconnect standard that would allow equipment manufacturers to use SAS, SATA or PCIe as a plug-in in their devices.
 
Today's topic for the CyberSecurity Awareness Month is the Role of the Employee. Almost everyone reading this today will create some form of stored data which is significant to them. That is the role of the user. And, basically, every employee with an IT system is a user of some form or other. Recently I had the opportunity to discuss a very similar topic with some friends at www.eitc.edu. The discussion centered on personal responsibility in regards to security. This was a very productive discussion that yielded many of the same questions and conclusions I will discuss today. The role of the employee is essentially the role of the user, which always leads to 3 questions:
What data have I produced?
How do I get this data back, so I may continue, when all else fails?
What data, other than my own, am I ultimately responsible for today?
Once you have addressed these questions for the data you have created, whether 2 presentations or 200 emails, you will find the long road ahead much easier. The third question is a bit more difficult, and is a topic for another day.
I would like to talk about the first 2 here a bit more. Of course discussions or comments are always welcome and encouraged. What data have I produced today? This question hopefully leads everyone to ask a number of questions about backup, restoration, and possibly even continuity of operations in regards to their jobs and data. One common question is: how do I keep going after a (insert disaster here, e.g. fire, flood, etc.)? If you are reading this then most likely we, in both our professional and personal lives, create some form of data each day. In the workplace this may be several proposals or presentations. In the home, it may have been a weekend of pictures downloaded to the home computer. So what happens when the workplace is flooded? Or, God forbid, a fire in the home? Is the data created on a computer any less priceless than the letters from 2 years ago? No. You would hopefully plan for and protect these electronic artifacts the same as you would the physical artifacts.

How do I get this data back, so I may continue, when all else fails? To completely answer this question, the answers to question number 1 have to be in hand. Essentially, once you have identified who is responsible for the backup and restoration, then ask the question: where is my data, so I can get it back when everything else fails? Sometimes this is a question we have to ask of ourselves about personal data we've created, in the form of contact lists, email archives, and personal data. In the data realm we are producers, providers, consumers, and sometimes all three. Anyone in the role of the first two needs to understand completely the role they play in today's CyberSecurity world.


tony d0t carothers at isc d0t sans d0t org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
On Day 27 of the 2010 version of Cyber Security Awareness Month we want your view on the use of social media in the office.



Unless you are in one of those few industries, or parts of government or the military, where the control of data is so strict that you can forbid Internet use, it is very likely that your company has had to deal with the conundrum of whether or not to allow access to social media sites. There is no doubt that from a corporate point of view there may be huge benefits, not the least of which is low-cost access to your customer base, both for customer feedback and for targeted advertising. But there are also huge risks, among them increased exposure to malware, leakage of intellectual property and confidential information, productivity issues, and exposure to objectionable content.



I am not going to get into the discussion of whether companies should or shouldn't allow access to social media. That should be an individual company risk versus reward decision. But if you do decide to go ahead, here is my list of the minimum you should have in place.

Internet Acceptable Use Policy - hopefully your company already has one. An Internet AUP defines the parameters of acceptable use for your company's Internet resources. Most companies have come down on the side of limiting work-based Internet use to usage directly related to job responsibilities, with limited personal use being acceptable. The two big things are that, if your jurisdiction permits it, you should indicate that the network can be monitored and that all data stored on company resources belongs to the company. A good sample Internet AUP is available at the SANS Internet Security Policy Templates page.
Social Networking Policy - more and more companies are publishing a social networking policy. In a nutshell it defines what people can and can't say online. This policy should indicate that employees can only speak on behalf of the company within their area of responsibility and that they must clearly identify who they are. It also should define what they can and can't talk about. Obviously intellectual property, trade secrets, sensitive corporate information, and customer and partner information should be off the table. Most importantly the policy should provide a reporting mechanism to be utilized if employees trip over inappropriate information about your company. Here is a good sample social media policy to help you get started.
Management training - no policy should be published without adequate training. In this case managers must be made aware of the policy and what is and isn't appropriate for their employees to be doing. What is the difference between limited personal use and abuse? Where do I report a potential problem?
Employee training - employees must also be trained on the social media policy. They need to know under what conditions they can speak on behalf of the company, and where the line is between limited personal use and abuse. Employees will also be your best source of reporting of inappropriate information being posted, so be sure to let them know how to report issues.
Apply Operations Security (OpSec) - OpSec is a military term which describes a process to determine if information which can be obtained by adversaries could be useful to them and minimizing the impact of that information. Applying this concept to InfoSec, I am referring to a process of monitoring the Internet with the goal of identifying corporate information which could be useful for competitive intelligence, or which could present your company in a negative light, and have it removed when possible. Google alerts are a good place to start in this area.



I've gone on long enough. It is your turn to provide us with guidance. What techniques have you employed to limit the impact of work-based social media on your company?



As usual your ideas and feedback are encouraged via the comment mechanism below.


Other Resources:
Another good resource when creating your Social Media policy is Ten things you should cover in your social networking policy
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle has updated its lawsuit against Google to allege that parts of its Android mobile phone software "directly copied" Oracle's Java code.
 
Less than 48 hours after receiving a report of a critical flaw in Firefox, Mozilla issued an emergency update on Wednesday that patched the problem.
 
Mozilla Firefox 3.5/3.6 Remote Heap Buffer Overflow Vulnerability
 
The music industry's success in getting a federal court to shut down LimeWire's peer-to-peer file-sharing network on Tuesday shows just how effectively secondary liability laws can be used to enforce copyright protections, say legal experts.
 
Nessus 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
 
With prosecutors seeking an 18-month prison sentence, Sarah Palin hacker David Kernell is asking the judge in his case for probation instead.
 
The 2010 MacBook Air models offer impressive improvements in both design and in performance when compared to previous MacBook Airs. But with just 2GB of RAM and the slowest Intel Core 2 Duo processors in the entire Mac lineup, we were interested in putting some of the build-to-order options to the test.
 
A New York company is developing technology so that 3D images can be seen on high-definition screens without the need for viewers to wear special glasses.
 
Online Grades Multiple Local File Include Vulnerabilities
 
MyCart 2.0 Multiple Remote Vulnerabilities
 
USBsploit 0.4b - added: Auto[run|play] USB infection & PDF
 
"Back with another one of those block rockin' beats"
 
CVE-2010-3700: Spring Security bypass of security constraints
 

Weak Infosec Places Historic Papers in Jeopardy
GovInfoSecurity.com
An audit, prompted by the loss of some historic documents, shows that the National Archives and Records Administration isn't effectively implementing ...
 
Google is now the second-largest carrier of Internet traffic, according to data released this week by Arbor Networks. But should corporate network managers care about this news?
 
Gibbs gets all environmental, continues e-bookishly, and concludes with a great NAS
 
Mozilla today announced that it will delay the release of Firefox 4 until 2011.
 
Verizon Wireless detailed its plans for LTE in West Virginia at an event that hailed the efforts of U.S. Sen. John "Jay" Rockefeller, a key player in carrier regulation in Washington.
 
Oracle Fusion Middleware CVE-2010-3581 BPEL Console Cross Site Scripting Vulnerability
 
Oracle Fusion Middleware CVE-2010-2413 BI Publisher HTTP Response Splitting Vulnerability
 
Symantec IM Manager Multiple SQL Injection Vulnerabilities
 
In my line of work, I'm constantly opening and saving files in myriad folders scattered across my hard drive. It seems like every time I face an Open or Save As dialog box, it means I have to spend considerable time navigating between folders.
 
A former director of sales at HannStar Display of Taiwan has agreed to plead guilty and serve jail time for participating in a global conspiracy to fix the prices of thin-film transistor liquid crystal display (TFT-LCD) panels, the U.S. Department of Justice announced.
 
Mozilla today said it wouldn't -- or couldn't -- pull a "kill switch" to disable the Firesheep add-on that lets anyone steal log-on and account access information to Facebook, Twitter and other major Web services.
 
Google has revamped the way it organizes and presents local search results, eliminating overlapping items, consolidating a variety of relevant information and packaging it within individual entries.
 
Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability
 
Polycom announced Wednesday that its room and desktop videoconferencing systems have been integrated with IBM Lotus Sametime to offer business customers a fuller range of unified communications tools.
 
T-Mobile announced that it will start selling Samsung's Galaxy Tab computer Nov. 10 for $400 with a two-year contract.
 
Reader Alec Decker would like some help tweaking the Finder's Column view. He writes:
 
DATAC RealWin Multiple Remote Buffer Overflow Vulnerabilities
 
Todd Miller Sudo Runas Group Local Privilege Escalation Vulnerability
 
Todd Miller Sudo 'sudoedit' Local Privilege Escalation Vulnerability
 
Todd Miller Sudo 'runas_default' Local Privilege Escalation Vulnerability
 
rPSA-2010-0073-1 lftp
 
[security bulletin] HPSBMI02582 SSRT100269 rev.1 - Palm webOS Camera Application, Unauthorized Write Access
 
Verizon Wireless is on schedule to start selling Apple Inc.'s iPad in 2,000 stores starting on Thursday.
 
SAP fired back Wednesday against a broadside Oracle CEO Larry Ellison leveled Tuesday at its former CEO Léo Apotheker, saying Ellison made a significant error in the heated missive.
 
The U.S. Federal Trade Commission has closed an investigation into Google Street View cars snooping into open Wi-Fi networks, with the agency declining to take action.
 
[DSECRG-09-029] Oracle BI Publisher Enterprise 10 - Response Splitting
 
Secunia PSI Insecure Library Loading Vulnerability
 
Multiple Browser Wild Card Certificate Spoofing Vulnerability
 
Mozilla Firefox SeaMonkey and Thunderbird CVE-2010-3174 Memory-Corruption Vulnerability
 
rPSA-2010-0075-1 sudo
 
rPSA-2010-0072-1 curl
 
Police took over the command-and-control servers responsible for sending orders to Bredolab, a notorious spam botnet known for spreading rogue antivirus programs.
 
IBM and other chip makers are looking beyond CMOS to figure out how redesign microprocessors so that they consume less energy when in use and leak less energy when in stand-by mode.
 
Over the last few weeks, criminals have been exploiting weak fraud detection systems used for debit cards with "flash" attacks, where hundreds of withdrawals are made over a very short period of time.
 
BlogBird Multiple HTML Injection Vulnerabilities
 
XSS vulnerability in Zomplog
 
SQL injection in BloofoxCMS registration plugin
 
A member of Google's antimalware team revealed how the search engine giant combs billions of webpages for hidden malware downloads.
 
Russia has reportedly launched its first-ever criminal case related to spam against a man accused of running one of the world's most prolific pharmaceutical spam operations, according to local news reports.
 
bloofoxCMS 'gender' Parameter SQL Injection Vulnerability
 
Zomplog Cross Site Scripting and HTML Injection Vulnerabilities
 
DBHcms Multiple SQL Injection Vulnerabilities
 

Social networking: The 'what not to do' guide for organisations
Infosecurity Magazine
Infosec professionals are left wondering whether social networking is leading the way, or in the way. Brian McKenna reports “You meet a lot of IT security ...
 
deV!L'z Clanportal Local File Include Vulnerability
 
Myspace has launched a new version of its site that includes a whole host of new entertainment-focused features in a bid to turn around dwindling visitor numbers, and at the same time make visitors stay longer.
 
The conventional wisdom is that enterprises aren't impressed by Apple's shiny iDevices, perceiving them as a consumer play. Is that a fair assessment? And if so, could it change in the foreseeable future?
 
Revenue and profit at enterprise software vendor SAP rose in the July to September quarter, the company said Wednesday.
 
Apache mod_jk2 Host Header Multiple Stack Based Buffer Overflow Vulnerabilities
 

Omniquad slams data breach “lies”
V3.co.uk
The firm's managing director, Daniel Sobstel, claims that since the news came to light, Webroot reseller Infosec Technologies has been contacting his ...
 
An all-out assault on privacy is taking place and some people are failing to see the problem, said Tracy Ann Kosa, a privacy impact assessment specialist with the government of Ontario.
 
While the federal government has set a five-year timeline for healthcare providers to implement electronic health records (EHRs), rural and inner-city community-based clinics and private physician practices can't afford the upfront costs. So populations served by those facilities won't benefit from increased use of evidence-based medicine used to treat chronic illnesses acute to those populations that are a contributing factor to high mortality and morbidity rates.
 
Oracle CEO Larry Ellison on Tuesday vowed to prove that new Hewlett-Packard CEO Leo Apotheker was in on a scheme to steal large amounts of Oracle software, when Apotheker was CEO of software maker SAP.
 
Students & Scholars Against Corporate Misbehavior has objected to the arrest earlier this month of about 319 workers of Foxconn International Holdings at a factory in Chennai, south India. The workers were striking for a wage increase among other demands.
 
Microsoft has quietly released Windows 7 Service Pack 1 release candidate, slated to be the first and last RC version to be released before the final version ships early next year.
 
Joomla! Projects 'com_projects' Component SQL Injection and Local File Include Vulnerabilities
 
Motorola announced management support for Android smartphones and iPhones in its latest software management tool, known as Mobility Services Platform 3 Control Edition.
 
CFOs hold major sway over IT projects in tough economic times. Here's what the finance people want tech managers to know before they ask for funding.
 
Microsoft's new productivity suite for the Mac doesn't match Office 2010 for Windows, but a new ribbon interface, Outlook client, and SharePoint integration help close the gap
 
InfoSec News: Iranian cyber army moves into botnets: http://www.csoonline.com/article/629117/iranian-cyber-army-moves-into-botnets
By Jeremy Kirk IDG News Service October 25, 2010
A group of malicious hackers who attacked Twitter and the Chinese search engine Baidu are also apparently running a for-rent botnet, according to new research. [...]
 
InfoSec News: Hackers plant Firefox 0day on Nobel Peace Prize website: http://www.theregister.co.uk/2010/10/26/firefox_0day_report/
By Dan Goodin in San Francisco The Register 26th October 2010
Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace [...]
 
InfoSec News: The Online Threat: http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh
By Seymour M. Hersh The New Yorker November 1, 2010
On April 1, 2001, an American EP-3E Aries II reconnaissance plane on an eavesdropping mission collided with a Chinese interceptor jet over the [...]
 
InfoSec News: Researchers hack toys, attack iPhones at ToorCon: http://news.cnet.com/8301-27080_3-20020547-245.html
By Elinor Mills InSecurity Complex CNet News October 24, 2010
SAN DIEGO -- From "weaponized" iPhone software to hacked toys and leaked cookies, researchers at the ToorCon security conference here this [...]
 
InfoSec News: How to protect against Firesheep attacks: http://www.computerworld.com/s/article/9193201/How_to_protect_against_Firesheep_attacks
By Gregg Keizer Computerworld October 26, 2010
Security experts today suggested ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs [...]
 
InfoSec News: Report: ‘Spear-Phishing’ Attacks Keep on Giving: http://www.wired.com/threatlevel/2010/10/spear-phishing/
By Kim Zetter Threat Level Wired.com October 26, 2010
The number of targeted phishing attacks against individuals has risen dramatically in the last five years from one or two a week in 2005 to [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, October 17, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, October 17, 2010
20 Incidents Added.
======================================================================== [...]
 

Posted by InfoSec News on Oct 27

http://www.wired.com/threatlevel/2010/10/spear-phishing/

By Kim Zetter
Threat Level
Wired.com
October 26, 2010

The number of targeted phishing attacks against individuals has risen
dramatically in the last five years from one or two a week in 2005 to
more than 70 a day this month, according to a new report from computer
security firm Symantec.

The industry most recently hardest hit by so-called spear-phishing
attacks is the retail...
 

Posted by InfoSec News on Oct 27

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, October 17, 2010

20 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Oct 27

http://www.csoonline.com/article/629117/iranian-cyber-army-moves-into-botnets

By Jeremy Kirk
IDG News Service
October 25, 2010

A group of malicious hackers who attacked Twitter and the Chinese search
engine Baidu are also apparently running a for-rent botnet, according to
new research.

The so-called Iranian Cyber Army also took credit last month for an
attack on TechCrunch's European website. In that incident, the group
installed a page...
 

Posted by InfoSec News on Oct 27

http://www.theregister.co.uk/2010/10/26/firefox_0day_report/

By Dan Goodin in San Francisco
The Register
26th October 2010

Malicious hackers have exploited an unpatched vulnerability in the
latest version of Firefox to attack people visiting the Nobel Peace
Prize website, a Norway-based security firm said on Tuesday.

Mozilla representatives confirmed a "critical vulnerability" in versions
3.5 and 3.6 of the open-source browser. It...
 

Posted by InfoSec News on Oct 27

http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh

By Seymour M. Hersh
The New Yorker
November 1, 2010

On April 1, 2001, an American EP-3E Aries II reconnaissance plane on an
eavesdropping mission collided with a Chinese interceptor jet over the
South China Sea, triggering the first international crisis of George W.
Bush's Administration. The Chinese jet crashed, and its pilot was
killed, but the pilot of the American...
 

Posted by InfoSec News on Oct 27

http://news.cnet.com/8301-27080_3-20020547-245.html

By Elinor Mills
InSecurity Complex
CNet News
October 24, 2010

SAN DIEGO -- From "weaponized" iPhone software to hacked toys and leaked
cookies, researchers at the ToorCon security conference here this
weekend showed how easy it can be to poke holes in software and hardware
with the right tools, know-how, and curiosity.

One researcher demonstrated how to take control of an iPhone...
 

Posted by InfoSec News on Oct 27

http://www.computerworld.com/s/article/9193201/How_to_protect_against_Firesheep_attacks

By Gregg Keizer
Computerworld
October 26, 2010

Security experts today suggested ways users can protect themselves
against Firesheep, the new Firefox browser add-on that lets amateurs
hijack users' access to Facebook, Twitter and other popular services via
Wi-Fi.

Firesheep adds a sidebar to Mozilla's Firefox browser that shows when
anyone on an open...
 


Internet Storm Center Infocon Status