
InfoSec News

Representatives from both Apple and Google will testify at a Congressional hearing next month on consumer privacy and smartphones, two U.S. senators confirmed on Thursday.
 
Research In Motion warned that its first-quarter smartphone shipments are likely to be lower than expected, cutting its earnings forecast for the quarter.
 
Verizon still hasn't disclosed the cause of the network outage that plagued LTE users this week, but at least one effect is clear: embarrassment.
 
The weak first-quarter growth in gross domestic product announced by the government Wednesday was blamed, in part, on a decline in public sector spending. But some tech vendors selling to the federal government, including Hewlett-Packard, may not be hurt by this.
 
Xbox and enterprise software saved Microsoft from sluggish PC sales in its third fiscal quarter.
 
Motorola Mobility shipped 250,000 Xoom tablets in the first month the device was available, the company said on Thursday as part of its first-quarter earnings report.
 
Every time another survey about CIO tenure shows up, we're reminded yet again that a long corporate life at one company is rarely in the cards for IT leaders. Today's CIO lasts an average of 4.1 years on the job, according to management consultancy Janco Associates.
 
Yahoo mulls spinning out Hadoop with its own company, report says.
 
A customer service representative with the New York Yankees accidentally e-mailed out personal details on close to 18,000 season ticket holders, the baseball team said Thursday.
 

The web site www.dslreports.com has sent out an email notification that around 9,000 accounts have been compromised.
The site has a write up of the incident here: http://www.dslreports.com/forum/r25793356-site-user-password-intrusion-info

Thank you to ISC reader Alan for passing this on.

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 


ICANN hires Defcon founder as security chief
CNET
Paul Vixie, chairman and chief scientist at the Internet Systems Consortium, said Moss has been in the infosec community "since the dawn of time and not only knows where the weak spots are, but also how they got that way" and what to do about them. ...
Jeff Moss Appointed ICANN Chief Security Officer
PR Web (press release)
 
When the PC brought computing to the desktop three decades ago, it began a revolution that's led to a quantum leap in the speed and productivity in the offices of businesses and institutions. Today, smart object technology promises to bring a similar shift in efficiency and intelligence to physical infrastructure, logistics chains and customer relationships.
 
The hacker who has received widespread grassroots support after being sued by Sony for posting code that can jailbreak Sony PlayStation consoles blamed the company's recent data breach on executive-level arrogance.
 
Yahoo's email service was struggling Thursday, and users around the globe complained that they hadn't had access for most of the day.
 
A lawsuit alleges that a trial version of a 3D CAD software package tracked users, allowing the company to demand payment months later.
 
If your corporate network starts to get a bit sluggish Friday, you might have to blame Prince William and Kate Middleton.
 
Some U.S. companies may unwittingly be helping to provide millions of dollars in illicit financing to businesses in China.
 
BlackBerry PlayBook tablet sales have far exceeded expectations at retailer Best Buy, the company said after more than a full week of sales.
 
 
Researchers from universities in California and Pakistan have developed an algorithm that uses disk fragmentation to hide data on a clustered file system, keeping it from being detected by law enforcement officials, who typically search for encrypted data.
 
If you look at most of Sony's VAIO laptop lines, it's easy to be impressed with the company's design chops. For instance, who wouldn't like the S-series, with its very thin, elegant design?
 
The out-of-band update can detect botnet infections and continue to cripple the notorious Coreflood botnet.

 
One of the six men lifting off Friday on NASA's space shuttle Endeavour is a computer programmer who built software for spacecraft before becoming an astronaut.
 
Apple's new white iPhone 4 has sold out in some Asian markets, analysts and sites reported today.
 
Microsoft today issued a fix for a problem in its Outlook 2007 email client caused by an update that shipped two weeks ago.
 
According to a leaked roadmap, Intel plans five new SSDs by year's end, including a new chipset that will allow it to produce a hybrid drive.
 
With Mother's Day fast approaching and graduations and summer vacation on the horizon in a few weeks, Microsoft has given the Shopping section of its Bing search engine a makeover, including the ability to link it to Facebook accounts.
 
The Attachmate Group this week finalized its $2.2 billion buyout of network industry pioneer Novell. IDG Enterprise's Chief Content Officer John Gallant spoke with Attachmate Chairman and CEO Jeff Hawn shortly after the Novell deal was sealed to get his thoughts on what the acquisition means for Attachmate and its new and old customers.
 
Sony is facing a lawsuit in federal court alleging it was negligent in allowing its PlayStation Network to be breached.
 
Sprint added 1.1 million new wireless subscribers last quarter but the company still lost $439 million over the same period.
 
[Onapsis Security Advisory 2011-011] Oracle JD Edwards JDENET Buffer Overflow
 
Linux Kernel FUSE 'iov_length()' Local Privilege-Escalation Vulnerability
 
VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
 
[Onapsis Security Advisory 2011-013] Oracle JD Edwards JDENET USRBROADCAST Denial of Service
 
[Onapsis Security Advisory 2011-012] Oracle JD Edwards JDENET Firewall Bypass
 
The patch resolves several security issues (CVE-2011-1786, CVE-2010-1324, CVE-2010-1323, CVE-2010-4020, CVE-2010-4021, and CVE-2011-1785) affecting OpenLDAP and KRB5.
The full list of issues fixed with patch ESXi410-201104401-SG is available in the VMware knowledge base [1], and the patch can be downloaded from the VMware patch portal [2].
[1] http://kb.vmware.com/kb/1035108
[2] http://www.vmware.com/patch/download/


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apple's explanation about how and why iPhones track users' locations was too late, too little, a crisis communications expert said today.
 
If you are a smart enterprise customer, you hate carrier "acceptable use policies" (AUPs). They have virtuous roots (avoiding liability for customer communications under the Digital Millennium Copyright Act) but have morphed into lengthy, (allegedly) non-negotiable, overly broad and one-sided "agreements" that make the customer responsible for all kinds of things for which it isn't really responsible and shield the carrier from responsibility for things for which it should be responsible.
 
Researchers have discovered a flaw in the system used by Nikon professional digital cameras to ensure images have not been tampered with.
 
Linux Kernel Unix Socket Backlog Local Denial of Service Vulnerability
 
SAP saw revenue rise by 21% in the quarter ended March 31, with double-digit growth in all regions driven by increased software business from partners and the channel.
 
Verizon Wireless said its 4G LTE network was back 'up and running' Thursday, following a nationwide outage that began late Tuesday.
 
HTB22960: XSS in Daily Maui Photo Widget wordpress plugin
 
Symantec Antivirus Corporate Ed. Alert Management Service Remote Privilege Escalation Vulnerability
 
hashdays 2011 - Call for Papers (#days CFP)
 
HTB22958: XSS in phpGraphy
 
HTB22959: CSRF (Cross-Site Request Forgery) in phpGraphy
 
Most people expect that running a small business means heading to the bank, hat in hand, asking for a five- or six-figure loan just so they can get through the month. Thanks to modern technology and the Web, however, that's no longer the case. Savvy business owners know that numerous cheap and free tools work just as well as their expensive, brand-name counterparts. Here's where to look for business bargains.
 
Mobile hotspots like Novatel’s popular MiFi 2200 have been greeted warmly by tech users and have sold well. They simplify things by providing our various devices with Internet connectivity under one data service bill. And they’re small and superportable.
 
Five months after releasing the original 7-inch Samsung Galaxy Tab, the company has finally shipped a Wi-Fi-only version, as it promised to do way back when the Tab debuted in September 2010. This Tab offers no surprises: We've seen the hardware before. What's different here is that it lacks the wireless connectivity available on the tablets from AT&T, Sprint, T-Mobile, U.S. Cellular, and Verizon. And since it has no carrier involvement, there's no need to mess around with contracts: Instead, the Galaxy Tab Wi-Fi is priced at $350 (as of April 27, 2011), with no additional costs.
 
[USN-1125-1] PCSC-Lite vulnerability
 
In the wake of the RSA SecurID breach, a vendor survey finds a reduced level of confidence in the security provided by tokens.

 
The design of applications that facilitate the digital health experience is often far removed from the needs of users who deliver care
 
BMC has purchased Coradiant, maker of software for improving end-user experience and tracking Web application performance.
 

McAfee Labs have issued an alert that McAfee VirusScan DAT file 6329 is returning a false positive for spsgui.exe. This is impacting SAP telephone connectivity functionality.

McAfee have a workaround for the issue documented in KB71739: https://kc.mcafee.com/corporate/index?page=contentid=KB71739

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The launch of Apple's iPhone 4 in a white casing generated a long line of Chinese customers Thursday outside an Apple store in Beijing.
 
Demand for tablets helped Taiwan Semiconductor Manufacturing Co. boost first quarter revenues by 14.3%.
 
Acer, the world's second largest PC maker, is counting on tablets to boost overall sales.
 
Sony will restart Blu-ray disc production in late May.
 
A new interconnect technology being developed by Intel could be ready for use by 2015.
 
Verizon Wireless has determined the cause of an outage that crippled its LTE mobile data network starting late Tuesday.
 
Android has shot past BlackBerry to become the third most popular smartphone operating system in the world, behind Symbian and the iPhone, according to StatCounter. In the U.S., however, Android is now No. 1, according to recent reports by comScore and Nielsen. These reports found Android trending upward for pretty much every demographic group studied.
 
Sony's apparent difficulty in figuring out the extent of the damage from the recent intrusion into its PlayStation Network, while frustrating for those affected by it, is not too surprising given the bag of tricks that hackers employ to hide their tracks.
 
Last week, President Barack Obama described federal IT as "horrible," and on Wednesday, Jeff Zients, the federal chief performance officer, explained why this is the case.
 
Some IT shops have formal enterprise deployment strategies that address everything from security to app delivery and support.
 
After nine months of waiting, the white iPhone 4 is finally available to buy in the UK.
 
Chinese search company Baidu reported strong revenue and profit growth.
 
InfoSec News: Cyberespionage: US finds FBI agents in elite unit lack necessary skills: Forwarded from: Justin Lundy <jbl (at) tegataiphoenix.com>
http://www.csmonitor.com/USA/2011/0427/Cyberespionage-US-finds-FBI-agents-in-elite-unit-lack-necessary-skills
By Mark Clayton Staff writer The Christian Science Monitor April 27, 2011
Many of the Federal Bureau of Investigation's field agents assigned to an elite cyber investigative unit lack the skills needed to investigate cases of cyberespionage and other computerized attacks on the US, the Justice Department inspector general reported Wednesday.
That's a problem because the US is under constant and increasing cyberattack with 5,499 known intrusions into US government computer systems in 2008 alone -- a 40 percent jump from 2007, the inspector general's office found.
Investigating these kinds of cyberespionage attacks falls largely on the FBI as the lead agency for the National Cyber Investigative Joint Task force, which also includes representatives from 18 different intelligence agencies and is assigned to investigate the most difficult national security intrusions -- those by a foreign power for intelligence gathering or terrorist purposes.
But in interviews with 36 field agents in 10 of the FBI's 56 field offices nationwide, 13 agents, or more than a third, "reported that they lacked the networking and counterintelligence expertise to investigate national security [computer] intrusion cases." Five of the agents told investigators "they did not think they were able or qualified" to investigate such cases, the report said. The inspector general report does not indicate whether the 36 field agents who were interviewed are a representative sampling of the FBI’s cyber unit.
[...]
 
InfoSec News: Experts dissect hacker attacks during cybersecurity forum at Hagerstown Community College: http://www.herald-mail.com/news/local/hm-cyber-experts-dissect-hacker-attacks-during-cybersecurity-forum-at-hagerstown-community-college-20110427,0,2996601.story
By ANDREW SCHOTZ herald-mail.com April 27, 2011
Experts Wednesday detailed simple and complex ways to protect computers [...]
 
InfoSec News: Are we talking "cyber war" like the Bush admin talked WMDs?: http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like-the-bush-admin-talked-wmds.ars
By Matthew Lasar Ars Technica April 27, 2011
Turn any corner in the complex metropolis that is Internet policy and you'll hear about the "cybersecurity" crisis in two nanoseconds. [...]
 
InfoSec News: Oracle hedging its vulnerability reports?: http://www.computerworld.com/s/article/9216213/Oracle_hedging_its_vulnerability_reports_
By Joab Jackson IDG News Service April 27, 2011
Oracle may be subtly misleading customers about the severity of some of the vulnerabilities found in its database software, according to [...]
 
InfoSec News: PlayStation credit card data was encrypted: http://www.zdnet.com.au/playstation-credit-card-data-was-encrypted-339314012.htm
By Darren Pauli ZDNet.com.au April 28th, 2011
Sony has confirmed that the credit card details possibly stolen in a breach of its PlayStation Network (PSN) were encrypted. [...]
 
InfoSec News: Phone-hacking laws are 'very uneven and unclear': http://www.guardian.co.uk/media/2011/apr/26/phone-hacking-laws-christopher-graham
By James Robinson guardian.co.uk 26 April 2011
The information commissioner has told a powerful group of MPs that legislation outlawing phone hacking is "very uneven" and "very unclear" [...]
 
InfoSec News: [ACM CCS'11] Reminder: Deadline Approaching (May 6, 2011): Forwarded from: ACM CCS 2011 <acmccs2011 (at) gmail.com>
Apologies for multiple copies of this announcement. The annual ACM Computer and Communications Security Conference is a leading international forum for information security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of computer and communications security. Papers should have relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the practical significance of the results. All topic areas related to computer and communications security are of interest and in scope. Accepted papers will be published by ACM Press in the conference proceedings. Outstanding papers will be invited for possible publication in a special issue of the ACM Transactions on Information and System Security.
Paper Submission Process
Submissions must be made by the deadline of May 6, 2011, through the website:
http://www.easychair.org/conferences/?conf=ccs2011
The review process will be carried out in two phases and authors will have an opportunity to comment on the first-phase reviews. Authors will be notified of the first-phase reviews on Monday, June 20, 2011 and can send back their comments by Thursday, June 23, 2011.
Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal, conference or workshop. Simultaneous submission of the same work is not allowed.
Authors of accepted papers must guarantee that their papers will be presented at the conference.
Paper Format
Submissions must be at most 10 pages in double-column ACM format (note: pages must be numbered) excluding the bibliography and well-marked appendices, and at most 12 pages overall. Submissions must NOT be anonymized. Only PDF or Postscript files will be accepted. Submissions not meeting these guidelines risk rejection without consideration of their merits.
Tutorial Submissions
Proposals for long (3-hour) and short (1.5-hour) tutorials on research topics of current and emerging interest should be submitted electronically to the tutorials chair by May 24, 2011. The guidelines for tutorial proposals can be found on the website.
Important Dates
- Paper submission due: Friday, May 6, 2011 (23:59 UTC - 11)
- First round reviews communicated to authors: Monday, June 20, 2011
- Author comments due on: Thursday, June 23, 2011 (23:59 UTC - 11)
- Acceptance notification: Friday, July 15, 2011
- Final papers due: Thursday, August 11, 2011
GENERAL CHAIR:
Yan Chen (Northwestern University, USA)
PROGRAM CHAIRS:
George Danezis (Microsoft Research, UK)
Vitaly Shmatikov (University of Texas at Austin, USA)
PROGRAM COMMITTEE:
Michael Backes (Saarland University and MPI-SWS, Germany); Bruno Blanchet (INRIA, Ecole Normale Superieure, and CNRS, France); Dan Boneh (Stanford University, USA); Nikita Borisov (University of Illinois at Urbana-Champaign, USA); Herbert Bos (VU, Netherlands); Srdjan Capkun (ETHZ, Switzerland); Avik Chaudhuri (Adobe Advanced Technology Labs, USA); Shuo Chen (Microsoft Research, USA); Manuel Costa (Microsoft Research, UK); Anupam Datta (CMU, USA); Stephanie Delaune (CNRS and ENS-Cachan, France); Roger Dingledine (The Tor Project, USA); Orr Dunkelman (University of Haifa and Weizmann Institute, Israel); Ulfar Erlingsson (Google, USA); Nick Feamster (Georgia Tech, USA); Bryan Ford (Yale University, USA); Cedric Fournet (Microsoft Research, UK); Paul Francis (MPI-SWS, Germany); Michael Freedman (Princeton University, USA); Guofei Gu (Texas A&M University, USA); Nicholas Hopper (University of Minnesota, USA); Collin Jackson (CMU Silicon Valley, USA); Markus Jakobsson (Paypal, USA); Jaeyeon Jung (Intel Labs Seattle, USA); Apu Kapadia (Indiana University Bloomington, USA); Jonathan Katz (University of Maryland, USA); Stefan Katzenbeisser (TU Darmstadt, Germany); Arvind Krishnamurthy (University of Washington, USA); Christopher Kruegel (University of California, Santa Barbara, USA); Ralf Kuesters (University of Trier, Germany); Ninghui Li (Purdue University, USA); Benjamin Livshits (Microsoft Research, USA); Heiko Mantel (TU Darmstadt, Germany); John Mitchell (Stanford University, USA); Fabian Monrose (University of North Carolina at Chapel Hill, USA); Steven Murdoch (University of Cambridge, UK); David Naccache (Ecole Normale Superieure, France); Arvind Narayanan (Stanford University, USA); Kenny Paterson (Royal Holloway, University of London, UK); Niels Provos (Google, USA); Mike Reiter (University of North Carolina at Chapel Hill, USA); Thomas Ristenpart (University of Wisconsin, USA); Hovav Shacham (University of California, San Diego, USA); Adam Smith (Pennsylvania State University, USA); Anil Somayaji (Carleton University, Canada); Francois-Xavier Standaert (UCL, Belgium); Eran Tromer (Tel Aviv University, Israel); Leendert Van Doorn (AMD, USA); Paul Van Oorschot (Carleton University, Canada); Bogdan Warinschi (University of Bristol, UK); Brent Waters (University of Texas at Austin, USA); Robert Watson (University of Cambridge, United Kingdom); Xiaowei Yang (Duke University, USA); Haifeng Yu (National University of Singapore, Singapore)
 
SAP's first quarter revenue is up 21 percent, but profit growth was slower at 4 percent.
 

Posted by InfoSec News on Apr 28

http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like-the-bush-admin-talked-wmds.ars

By Matthew Lasar
Ars Technica
April 27, 2011

Turn any corner in the complex metropolis that is Internet policy and
you'll hear about the "cybersecurity" crisis in two nanoseconds. As a
consequence, the public is treated to a regular diet of draconian fare
coming from Sixty Minutes and Fresh Air about the "growing...
 

Posted by InfoSec News on Apr 28

http://www.computerworld.com/s/article/9216213/Oracle_hedging_its_vulnerability_reports_

By Joab Jackson
IDG News Service
April 27, 2011

Oracle may be subtly misleading customers about the severity of some of
the vulnerabilities found in its database software, according to
researchers from database security software provider Application
Security (AppSec).

"Oracle likes to downplay the risk of its vulnerabilities," said Alex...
 

Posted by InfoSec News on Apr 28

http://www.zdnet.com.au/playstation-credit-card-data-was-encrypted-339314012.htm

By Darren Pauli
ZDNet.com.au
April 28th, 2011

Sony has confirmed that the credit card details possibly stolen in a
breach of its PlayStation Network (PSN) were encrypted.

Customer names, addresses, email addresses, birthdays, PlayStation
Network and Qriocity passwords and user names, as well as online user
handles, were obtained illegally by an...
 

Posted by InfoSec News on Apr 28

http://www.guardian.co.uk/media/2011/apr/26/phone-hacking-laws-christopher-graham

By James Robinson
guardian.co.uk
26 April 2011

The information commissioner has told a powerful group of MPs that
legislation outlawing phone hacking is "very uneven" and "very unclear"
and the law should be clarified.

Christopher Graham told the home affairs select committee that existing
legislation outlawing the practice "was drawn...
 

Posted by InfoSec News on Apr 28

Forwarded from: ACM CCS 2011 <acmccs2011 (at) gmail.com>

Apologies for multiple copies of this announcement.

------------------------------------------------------
18th ACM Conference on Computer and Communications Security (ACM CCS 2011)
CALL FOR PAPERS
OCTOBER 17 - 21, 2011
SWISSOTEL Chicago, Chicago, IL, USA
http://sigsac.org/ccs/CCS2011

The annual ACM Computer and Communications Security Conference is a
leading international forum...
 

Posted by InfoSec News on Apr 28

Forwarded from: Justin Lundy <jbl (at) tegataiphoenix.com>

http://www.csmonitor.com/USA/2011/0427/Cyberespionage-US-finds-FBI-agents-in-elite-unit-lack-necessary-skills

By Mark Clayton
Staff writer
The Christian Science Monitor
April 27, 2011

Many of the Federal Bureau of Investigation's field agents assigned to
an elite cyber investigative unit lack the skills needed to investigate
cases of cyberespionage and other computerized...
 

Posted by InfoSec News on Apr 28

http://www.herald-mail.com/news/local/hm-cyber-experts-dissect-hacker-attacks-during-cybersecurity-forum-at-hagerstown-community-college-20110427,0,2996601.story

By ANDREW SCHOTZ
herald-mail.com
April 27, 2011

Experts Wednesday detailed simple and complex ways to protect computers
during a cybersecurity forum held at Hagerstown Community College.

One basic defense against computer hackers is making passwords difficult
to guess. Don't go...
 