Hackin9

InfoSec News

Samsung Electronics said Friday that it is aiming to launch mobile phones with flexible displays next year, with tablets and other portable devices to have these displays soon after.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Amazon says vulnerabilities were fixed and no customers were affected.

 
Incident responders may not always keep the business continuity planning (BCP) or management (BCM) team on their speed dial, but I can tell you it's worthwhile to do so in consideration of Critical Control 19: Data Recovery Capability.
Successful data recovery is as much a part of reliability as it is security, so embrace the process as paramount to successful response. Whether it is a significant outage from operational data loss (the SQL server ate that data) or that moment that leaves us all shuddering and queasy (attackers have tweaked our data and it is no longer reliable), you have to know you can recover.
This control does mention testing restorations from backups twice, once in the measurements section and once in the procedures and tools section, but I humbly submit that every possible measurement and procedure should be tested quarterly at a minimum. I mean real data to real systems in real scenarios that mimic your production environment. Clearly, testing the process directly in production may be difficult, but a staging (or dev/test) environment is ideal for this testing.
Unfortunately for whoever holds that role, you need someone expert in the restoration/recovery process on call as part of your incident response planning.
Here's a scenario to chew on. Imagine responding to a reported incident where critical system configurations have gone missing (operational snafu, not malicious). The next day, you respond to another incident where a particular configuration has put an environment at risk and the extent of exposure needs to be identified. As a result, you ask for the offline configuration only to learn that it went missing in the incident from the day before, and that restoration was not immediately possible due to another unrelated systemic shortcoming. Aargh!
How to avoid this? Short answer: test, drill, validate. Regularly. More than regularly on critical systems.
Another ugly problem that comes out of incident response but is directly affected by or is subject to data recovery practices is the "when did we get pwned?" scenario. This is where backup design is so important.
As the control mentions, you have to factor for operating system, application software, and data recovery. Yet each of these three is influenced by full, differential, and incremental methodology, depending on need, scheduling, and planning as well as the-)
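An added illustration of the backup-design point above (example code, not from the diary or SANS): given a constructed rotation of full, differential and incremental backups, it works out which artifacts must be applied, in order, to restore the newest state captured before a suspected compromise time, and it reports when retention is too short to reach a clean point at all. The schedule, labels and kind names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Backup:
    """One artifact in the rotation. Kinds assumed here: full, differential, incremental."""
    label: str
    kind: str
    taken_at: datetime


def restore_chain(backups: List[Backup], compromised_at: datetime) -> List[Backup]:
    """Artifacts needed, in apply order, to rebuild the newest state captured strictly
    before compromised_at. An empty list means no full backup old enough survives,
    i.e. retention is shorter than the attacker's dwell time and no clean restore exists."""
    usable = sorted((b for b in backups if b.taken_at < compromised_at),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return []
    base = fulls[-1]                      # newest full taken before the compromise
    after_base = [b for b in usable if b.taken_at > base.taken_at]
    chain = [base]
    # A differential holds every change since the last full, so only the newest one
    # matters and it supersedes any incrementals taken before it.
    cutoff = base.taken_at
    diffs = [b for b in after_base if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
        cutoff = diffs[-1].taken_at
    # Each incremental holds changes since the previous artifact, so every one
    # after the cutoff is required, oldest first.
    chain.extend(b for b in after_base
                 if b.kind == "incremental" and b.taken_at > cutoff)
    return chain


def chain_labels(backups: List[Backup], compromised_at: datetime) -> List[str]:
    """Convenience wrapper returning just the artifact labels."""
    return [b.label for b in restore_chain(backups, compromised_at)]


# Constructed sample rotation: weekly full on Sunday, daily incrementals,
# one differential mid-week. Dates are invented for the example.
SAMPLE_ROTATION = [
    Backup("full-1016", "full", datetime(2011, 10, 16, 2)),
    Backup("inc-1017", "incremental", datetime(2011, 10, 17, 2)),
    Backup("inc-1018", "incremental", datetime(2011, 10, 18, 2)),
    Backup("inc-1019", "incremental", datetime(2011, 10, 19, 2)),
    Backup("diff-1020", "differential", datetime(2011, 10, 20, 2)),
    Backup("inc-1021", "incremental", datetime(2011, 10, 21, 2)),
    Backup("full-1023", "full", datetime(2011, 10, 23, 2)),
    Backup("inc-1024", "incremental", datetime(2011, 10, 24, 2)),
    Backup("inc-1025", "incremental", datetime(2011, 10, 25, 2)),
]


if __name__ == "__main__":
    for when in (datetime(2011, 10, 21, 10), datetime(2011, 10, 24, 5), datetime(2011, 10, 10)):
        chain = chain_labels(SAMPLE_ROTATION, when)
        print(f"compromise at {when}: {' -> '.join(chain) if chain else 'NO CLEAN RESTORE POINT'}")
```

The third case is the one to drill for: if the earliest surviving full is newer than the intrusion, every restorable state is already tainted.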

Been through this? Succeeded? Failed? Let us know via the comment form.

Russ McRee - russ at holisticinfosec dot org - http://holisticinfosec.blogspot.com - Twitter: @holisticinfosec

 
Apple QuickTime Prior To 7.7.1 Pict File Handling Integer Overflow Vulnerability
 
In opting not to get rid of its PC division, HP -- and new CEO Meg Whitman -- offered some insight about what type of company they think HP should be.
 
Cisco has announced a hardware encryption module for its ISR G2 router that allows point-to-point encryption of IP traffic based on what's called "Suite B," the set of encryption algorithms designated by the National Security Agency for Department of Defense communications.
 
Will the world end? Will the Internet grind to a screeching halt? Will your computer systems disintegrate into a pile of bits and bytes? In short, no. At least not yet. But you may want to consider a few things.
 
A couple of updates were released recently that are worth calling to your attention.

Quicktime - APPLE-SA-2011-10-26-1 QuickTime 7.7.1


This patch addresses several critical issues affecting QuickTime running on Windows.

http://www.apple.com/quicktime/download/

More information is available at the Apple Security Updates web site: http://support.apple.com/kb/HT1222

Chrome 15.0.874.102 to the Stable Channel for Windows, Mac, Linux, and Chrome Frame


This patch addresses a number of issues including XSS, Origin Policy violations, cookie theft and more. Chrome users should look at the details here: http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html

Java 6 Update 30 prerelease


A prerelease version of Java 6 Update 30 is now available to Java developers. This is a prerelease and not recommended for production systems. Java developers can check it out here: http://jdk6.java.net/6uNea.html
Thanks to Dave and Jim for bringing these to my attention.
Mark Baggett - @markbaggett
 
Google+ usage has increased in October compared with last month, but the social networking site couldn't sustain a dramatic one-week surge that took place after it became publicly available on Sept. 20, according to Experian Hitwise.
 
RETIRED: Apple QuickTime Prior To 7.7.1 Multiple Arbitrary Code Execution Vulnerabilities
 
Apple QuickTime CVE-2011-3221 Movie File Remote Code Execution Vulnerability
 
Apple QuickTime Prior To 7.7.1 TKHD Atoms Handling Remote Code Execution Vulnerability
 
In less than a decade, that smartphone you're holding could have 32 times the memory, 20 times the bandwidth and a microprocessor core no bigger than a red blood cell, the CTO of chip design company ARM said on Thursday.
 
Looking for inspiration? Want to learn a few new ways to elevate your security game? Can you spare five minutes to think strategically and long-term instead of just putting out another fire? Insider (registration required)
 
In 1995, Steve Jobs was on the cusp of middle age -- 40 years old -- when he sat down for this exclusive video interview with the Computerworld Honors program. Insider (free registration requested)
 
Intel on Thursday released the third generation of its solid-state drive monitoring and management firmware SSD Toolbox 3.0, which offers many of the same tools as previous versions but with a simpler interface.
 
Advanced Micro Devices on Thursday reported revenue and profit growth for the third fiscal quarter of 2011, despite issues with the manufacturing of processors.
 
When cloud computing service provider Nimbula hires employees for its South Africa development office, company turns to social networking, not recruiters, to find workers.
 
Hewlett-Packard Co. said late today that it has decided to keep its PC division.
 
Google announced that its new social networking site is now integrated with Google Apps, its cloud-based office suite.
 
The Coalition to Save Our GPS challenged LightSquared's forecasts that the FCC will be able to resolve the controversy over the company's planned cellular network by the end of this year, using a conference call with reporters on Thursday to slam the startup's business plan and technical claims.
 
By now you're likely familiar with near-field communications (NFC) technology and its ability to help process mobile payments. But NFC's boosters think it's capable of more, oh, so much more.
 
It's time for enterprise IT to wake up and smell the coffee, an analyst said today, and help workers who have spent their own money on Mac laptops to access corporate resources.
 
LSI Corporation today announced that it has signed an agreement to acquire SandForce, a leading provider of flash storage processors for enterprise and client PCIe-based flash cards and solid-state drives.
 
The U.S. Federal Communications Commission has voted to overhaul a decades-old system of telephone subsidies in rural areas, with the funding refocused on broadband deployment.
 
ARM has introduced its first 64-bit microprocessor architecture, ARMv8, which should enable wider use of ARM chips in servers and other enterprise equipment and turn up the competitive heat on Intel.
 
Apple Mac OS X QuickTime Player CVE-2011-3228 Multiple Memory Corruption Vulnerabilities
 
Apple Mac OS X FLIC Files CVE-2011-3223 Buffer Overflow Vulnerability
 
Despite striking similarities in the Duqu kernel driver, the ultimate payloads of Duqu and Stuxnet are significantly different and unrelated, according to a report from Dell SecureWorks researchers.

 
phpScheduleIt 'reserve.php' Remote Code Execution Vulnerability
 
Apple Mac OS X FlashPix Files CVE-2011-3222 Buffer Overflow Vulnerability
 
McAfee buys NitroSecurity for its ePolicy Orchestrator while Big Blue has created a security division for its Q1 Labs acquisition.

 
Even the most mature organizations are using multiple risk-management frameworks and various processes to make risk-based decisions.

 
Many firms rely on antivirus and antimalware technologies to address social networking risks, according to a survey by the Ponemon Institute.

 
Many businesses struggle to maintain PCI DSS compliance, suggesting meeting the standard is a goal rather than an ongoing initiative, according to a new report from Verizon Business.

 
Visitors to MySQL.com were treated to the BlackHole exploit kit, which quietly served malware to Windows users.

 
The third iteration of the widely acclaimed Building Security in Maturity Model documents software security initiatives at 42 enterprises.

 
Attackers used SQL injection against Sony's website to gain access to its internal server and steal sensitive data.

 
Asynchronous JavaScript Technology, XML, Flash and HTML 5 enable a rich Web experience, but also give attackers an alarming number of ways to penetrate corporate networks.

 
Researchers in Germany have demonstrated weaknesses in the W3C XML encryption standard used to secure websites and other Web applications.

 
Deep Defender examines memory processes, enabling enterprises to block or deny actions to provide rootkit protection. Analysts say there may not be great demand for the protection.

 
Symantec researchers said an early analysis of Duqu has found that it could be a precursor to a future Stuxnet-like attack.

 
A Microsoft analysis found malware targeting zero-day flaws making up only 0.12% of all exploit activity in the first half of 2011, but firms that lack zero-day defenses could be the next target.

 
Web inventor Tim Berners-Lee told RSA Europe attendees the future of IT security must include greater simplicity for users.

 
RSA revealed a "nation state" was behind the SecurID attack in March. Twitter and Facebook are still banned at RSA.

 
Microsoft has issued eight security bulletins, two rated "critical," for its October 2011 Patch Tuesday. It also released the 11th volume of its Security Intelligence Report.

 
Trend Micro Inc. has uncovered a new Android malware variant that uses a blog site with encrypted content as its command-and-control server and disguises itself as an e-book reader app.

 
Microsoft's eight security bulletins address flaws in Internet Explorer, Windows, Forefront UAG and the .NET Framework. Two bulletins are rated "critical."

 
Using private cloud at separate data centers has allowed the Department of Homeland Security to strike a balance between security and cost savings.

 

Soghoian: "Without Computer Security, Sources' Secrets Aren't Safe With ...
Boing Boing
Christopher Soghoian's NYT op-ed on one important lesson from Wikileaks: infosec for journalists and their sources. "Sadly, operational computer security is still not taught in most journalism schools, ...
 
Facebook and several of its high-tech partners are rethinking how companies can handle big data with low-cost computing centers.
 
One of Computerworld's Premier 100 IT Leaders also answers questions about mentors and what he's looking for in new hires.
 
Suspected Chinese hackers interfered with two U.S. satellites on four separate occasions in 2007 and 2008, according to a Bloomberg Businessweek story that cites an upcoming report by a congressional commission.
 
After years of playing catch-up to VMware the upcoming version of Hyper-V is wowing the Microsoft faithful with unique new features -- and gaining the attention of VMware users, too, one consultant says.
 
Microsoft yesterday dismissed a lawsuit against a Czech firm it had accused of hosting command-and-control servers for a botnet it stamped out last month.
 
SAP announced a version of Business One, its ERP suite for small companies, as it revs up the marketing strategy behind its Business ByDesign on-demand suite.
 
Google, which had until now sought coupons and special offers directly from merchants for its Offers service, will now also aggregate and market offerings from other online daily deal providers.
 
X.Org X11 File Read Permission Information Disclosure Vulnerability
 
A security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications.
 
The details of more than 400,000 user accounts have leaked onto the Internet in Sweden, following a series of attacks that have affected about 60 websites.
 
U.S. CIO Steven VanRoekel hopes cloud computing, Web services and a new IT culture of sharing can reap huge savings and prop up Uncle Sam.
 
Facebook has begun building a data center in Lulea, Sweden, where it will benefit from cheap electricity and year-round free air cooling, the company announced Thursday.
 
Google's work to integrate its Google+ social networking site broadly with its other services could raise red flags for users who want to closely guard their privacy.
 
Dropbox for Teams starts at $795 annually for five users and offers 1TB of storage. It also comes with phone customer support and gives IT shops control to add or remove users.
 
Linux Kernel GHASH Local Denial of Service Vulnerability
 

Two U.S. government satellites came under attack four times in 2007 and 2008, according to a Bloomberg report.

Technologies designed to disrupt satellite communications are becoming more sophisticated and a dangerous threat to national security, according to a congressional commission that reviews U.S.-China relations.

In fact, two U.S. government satellites were attacked four times in 2007 and 2008 through a ground station in Norway, according to a Bloomberg report, which cites information from a draft report expected to be issued next month by the U.S.-China Economic Review Commission.

According to Bloomberg, a Landsat-7 earth observation satellite system experienced 12 or more minutes of interference in October 2007 and July 2008. Hackers also interfered with a Terra AM-1 earth observation satellite twice, for two minutes in June 2008 and nine minutes in October that year, the draft says, citing a closed-door U.S. Air Force briefing.

Chinese officials have denied any role in computer attacks.

A 2009 report highlighted the rapid development of new cyber weapons (.pdf) and the growing need for cybersecurity to protect critical infrastructure. It found that Chinese researchers are working on a variety of radio frequency weapons that could potentially disrupt satellite communications. The goal is to develop sophisticated jamming systems and anti-satellite (ASAT) weapons to disrupt reconnaissance operations.

“In 2007, China successfully tested a direct ascent ASAT weapon that used a kinetic kill vehicle to destroy an aging Chinese weather satellite and in 2006, the US military accused the Chinese of using a laser dazzling weapon that temporarily blinded a reconnaissance satellite.”

SearchSecurity recently interviewed Tony Sager, chief operating officer of the Information Assurance Directorate at the NSA on cyberwarfare. Sager said nation-states are still understanding the complicated rules of engagement in cyberspace. Cyberwarfare is a reality and organizations should prepare for disruptions, he said. But Sager added that any catastrophic cyberattack would be disruptive worldwide including the systems used by the adversary, making the chances of a digital Pearl Harbor very slim.

“We’re all using this resource that we call the Internet and we all have a vested interest in keeping it alive,” Sager told SearchSecurity.com earlier this month. “There are a lot of norms of behavior that have not been established yet. ... It took many, many years to establish things like what constitutes acceptable behavior between nations around physical borders and those are simple compared to cyberspace.”



 

What would Teddy Roosevelt do about infosec?
CSO (blog)
--He would have written more infosec books than Andrew Hay, Anton Chuvakin and Ben Rothke put together. He was crazy like that. --He would have frequented the security conferences and would have given keynotes whether he was on the agenda or not. ...

 
If a speedy processor is the brain of a gaming PC, the graphics card is the heart and soul. A powerful graphics card can mean the difference between a sensory feast and an interactive slideshow. Although upgrading your graphics board is one of the simplest ways to produce noticeable improvements in your PC’s gaming performance, it’s also one of the most confusing: Throwing extra money at the problem isn’t always the best solution, and you have lots of products to choose from. Don’t fret, however: We’re here to help.
 

Some time ago I was brought in to help an organization create their Incident Response Team. Working together we defined an incident response procedure, assigned the various roles and responsibilities, worked with executive management to ensure the appropriate supporting policies and controls were in place, and 'let her rip'. A few people in the management team had initially commented that they didn't see a need for all of the formality, as the organization had never experienced even a minor breach in security.

The first few months went by and everything seemed to be working fine. The head of the Incident Response Team wrote up a summary of all the incidents for the last thirty days and distributed it to all employees at the end of each month. Most of the incidents were pretty innocuous: a virus infection here or there, a targeted web attack that was thwarted by mod_proxy, or other malicious but minor deviations from the norm. Then, in the third month, someone reported that a corporate laptop had been lost by an employee. I'm told that after that report was distributed to all employees, the email account designated for reporting incidents got two separate emails asking if they should be reporting lost or stolen company assets. They were told yes. The following month 5 laptops were reported lost or stolen. The next month 6 laptops were reported lost or stolen. Over the first year of the incident response team's existence, 2.5 laptops were reported lost or stolen every month. Prior to having an incident response team, the organization had never had a laptop lost or stolen.

So was the creation of an IRT (Incident Response Team) responsible for the theft of all those laptops? Of course not! If you don't measure risk you can't manage it. If you don't have a formal process for capturing and responding to incidents, you will not know they are occurring. No matter your size, you should have internal incident response capabilities.
As they say, a failure to plan is a plan for failure. Here are some tips for ensuring the success of your organization's incident response capabilities.

1. Write down your incident handling procedures. If it is written down, then it is easier to explain to the business why you are doing what you are doing in the heat of battle. If you don't have a written procedure, you can use the NIST guideline as a framework: http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

2. Document the roles and responsibilities of people on your incident response team. This will often include representatives from Legal, Human Resources, Public Relations, Compliance, your Executive Sponsor, and the usual suspects in the networking and information technology engineering groups, along with your security team.

3. Management support is critical to the success of most business initiatives. It is especially important when dealing with the potentially politically explosive issues that are often associated with security incidents. Maintaining excellent and frequent communications with your executive management is critical to the success of your team.

4. Establish requirements for all personnel to report suspicious incidents to the incident response team.

5. Generate a regular report that summarizes the incidents that have occurred and how you handled them. Distribute the report to all employees in the organization.

6. Require all incident responders to report in within a predefined amount of time once an incident has been declared. Periodically test the team to make sure everyone can be reached in a timely manner. Once you have your team together, conduct training exercises with various scenarios that test the team's ability to access and identify evidence on various systems throughout the networks they are responsible for protecting.

If you would like more information here are some helpful resources:

http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/

http://isc.sans.edu/diary.html?storyid=5354

http://www.sans.org/critical-security-controls/



Mark Baggett - Handler on Duty

Twitter @markbaggett
 
Dell will sell a new Latitude tablet for businesses with Microsoft's Windows 7 operating system, while it prepares to bring the OS's successor, Windows 8, to tablets.
 
Sony said Thursday it will acquire Ericsson's 50 percent share in their Sony Ericsson mobile phone joint venture, turning the company into a subsidiary in January 2012.
 
OpenLogic is launching a platform-as-a-service offering that aims to give users the flexibility that many developers like about infrastructure-as-a-service without the work.
 
Czech-based free domain provider dotFree Group has settled the lawsuit brought against it by Microsoft in the Kelihos takedown case by suspending all abusive hosts registered through its service and promising better collaboration in the future.
 
Samsung's new Stratosphere Android smartphone comes with a slide-out keyboard and 5GHz Wi-Fi, but it could get lost amid its slicker competition.
 
Taiwan Semiconductor Manufacturing Co. Thursday reported that profit fell by 35.2% in the third quarter, citing a decline in demand due to economic conditions.
 
Cisco Systems' Home Networking Business Unit will keep both its Linksys brand and its place in the parent company as Cisco pares down its business, but the unit is also sharpening its focus.
 
Research In Motion faces a possible class action lawsuit over recent outages in its BlackBerry services earlier this month, and a trademark infringement complaint for its use of the BBX name for its upcoming platform for its tablets and smartphones.
 

Posted by InfoSec News on Oct 26

http://www.crn.com.au/News/278107,sourcefire-burnt-again-by-rogue-ex-employee.aspx

By Allie Coyne
CRN Australia
Oct 27, 2011

Asia Pacific-based partners of security vendor SourceFire have once
again been sent abusive emails in an attack the company attributes to a
“disgruntled ex-employee”.

The latest expletive-laden email is the second to be sent to the
company’s APAC channel partners - both purporting to be a memo written
by...
 

Posted by InfoSec News on Oct 26

http://www.bloomberg.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html

By Tony Capaccio and Jeff Bliss
Bloomberg
Oct 26, 2011

Computer hackers, possibly from the Chinese military, interfered with
two U.S. government satellites four times in 2007 and 2008 through a
ground station in Norway, according to a congressional commission.

The intrusions on the satellites, used for earth climate and terrain...
 

Posted by InfoSec News on Oct 26

http://www.csoonline.com/article/692550/social-engineering-my-career-as-a-professional-bank-robber-

By Joan Goodchild
Senior Editor
CSO
October 26, 2011

Jim Stickley got his first computer at age 12, and he was chatting with
other computer "nerds" on bulletin board sites by the time he was 16. A
wannabe hacker, Stickley said his first foray into playing the system
was with free codes -- codes that would exclude his phone and...
 

Posted by InfoSec News on Oct 26

http://news.ninemsn.com.au/entertainment/8365694/man-suing-rnb-singer-for-lost-laptop-reward

By ninemsn staff
Oct 26 2011

An American singer who offered a $1 million reward for his stolen laptop
is now being sued by the man who found it -- after the singer failed to
pay up.

Hip hop producer and singer Ryan Leslie had his MacBook stolen when he
was touring around Germany last year, so he posted a music video on
YouTube to advertise the...
 

Posted by InfoSec News on Oct 26

http://www.computerworld.com/s/article/9221234/Duqu_Stuxnet_link_unclear

By Jaikumar Vijayan
Computerworld
October 26, 2011

A report by Dell SecureWorks on Wednesday debunked the idea that the
newly discovered Duqu Trojan is related to last year's Stuxnet worm or
was created by the same authors.

According to SecureWorks, there are some similarities in code and
function between Duqu and Stuxnet, but there's little conclusive proof...
 

Posted by InfoSec News on Oct 26

http://www.infoworld.com/t/security/new-dos-tool-thc-another-overhyped-threat-177167

By Woody Leonhard
InfoWorld
October 26, 2011

If you have a site that uses SSL encryption, right now might be a good
time to find out if the site supports automatic SSL Renegotiation.

But the sky isn't falling, despite what you may have read. Yes, a German
hacker group known as THC (The Hacker's Choice) has just released
THC-SSL-DoS, which can...
 