InfoSec News

The music streaming application Grooveshark is available again for Android devices 16 months after it was removed by Google from its application market.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Drupal Faster Permissions Module Access Security Bypass Vulnerability
Hardly a day goes by without a story about the UK banking community messing up in some way or other. Some of the highest profile stories of the year have been around banks side-stepping regulation and fixing the markets for their own benefit.
Attacks targeting an unpatched vulnerability in the latest versions of Java 7 have become widespread after an exploit for the new flaw was integrated into the popular Blackhole attack toolkit, according to security researchers from antivirus vendor Kaspersky Lab.
Drupal CDN Module Information Disclosure Vulnerability
Drupal OG Vocabulary Module Security Bypass Vulnerability
Drupal Link Checker Security Bypass Vulnerability

Saudi Gazette

SANS CyberCon 2012
Saudi Gazette
There are few local Information Security (Info Sec) education opportunities for IT professionals in Saudi Arabia. That's why the upcoming virtual event from the SANS Institute is so important. SANS CyberCon 2012 will take place October 8 through ...

Advanced Micro Devices on Tuesday said it had hired former Intel researcher John Gustafson as the chief architect for graphics products, continuing an executive shuffle among chip companies.
Mozilla today launched Firefox 15, boasting that users will see "drastic improvements in performance" because of new code that stops add-ons from leaking memory.
Security researchers have proposed several methods for users to protect their computers from ongoing attacks that target a new and yet-to-be-patched vulnerability in all versions of Java Runtime Environment 7.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Advanced Micro Devices is taking steps to bridge the gap between x86 and ARM processors, and hopes to build a foundation from which programs will operate on mobile devices like tablets independent of architecture, the company's chief technology officer, Mark Papermaster, said in an interview.
Smartphones are selling faster than previously predicted by IHS iSuppli and will make up more than half of global cell phone shipments next year.
ESA-2012-034: EMC Cloud Tiering Appliance (CTA) Authentication Bypass Vulnerability
[security bulletin] HPSBUX02805 SSRT100919 rev.3 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Christie's will auction off an Apple 1 computer from the firm's first batch, and predicted the machine will sell for as much as $126,000 when it hits the block in October.
As you are planning to roll out IPv6, one of the questions that keeps coming up is how to assign addresses. Sure, you may do so manually one system at a time, but that is not exactly the preferred method. IPv6 provides two different protocols to assign addresses:
Router Advertisements (RA)
The router may advertise itself, and the network it is supporting, via Router Advertisements. In this case, the router will typically advertise the first 64 bits of the address, and the host will make up the last 64. Router advertisements that advertise more then 64 bits are ignored. Router Advertisements are widely supported by client devices. The problem with this method is that you will see very little accountability as to who is using what IP address at what time. Unlike DHCP, there is no lease and the router will not log who used what address when.
DHCPv6 is a complete rewrite of the DHCP protocol, but provides many of the same features you are used to from DHCPv4. Your DHCPv6 server will hand out leases, you can assign static IP addresses, and you will obtain logs with details who obtained what IP address, just like in IPv4 (of course, just like in IPv4, a malicious user could just pick up an address without using the DHCP server).
RA and DHCPv6 interactions
It gets tricky if you have both, router advertisements and DHCP. This is actually normal when it comes to IPv6. Router advertisements include two flags, which will indicate the presence of a DHCP server:
- managed flag: used to indicate that there is a DHCP server handing out addresses.

- other flag: used to indicate that there is a DHCP server handing out other information (like DNS server addresses) but not addresses. The address is still provided by the router advertisement.
I ran some preliminary tests to see how different operating systems resolve the conflicts that may occur if both router advertisements and DHCP is present. I used a Cent OS server as router and DHCP server, and as client, I used Cent OS 6.3 (Linux), OS 10.8 Mountain Lion (OS X), Windows 7 and Windows 8 (latest pre-release from technet).

Other and Managed flag cleared, but the DHCP server is still running and the systems had a DHCP address prior to the last reboot

Windows 8 and OS X will still use the DHCPserver.

Linux and Window 7 will only use the RA provided address
Managed flag set, DHCP server running

all operating systems tested will use RA and DHCP provided addresses
Managed and Other flag set, but the DHCP server is not running

all operating systems tested will just use the RA provided addresses
Managed and Other flag set (and DHCP Server running

This test was a bit tricky. In a first round, all operating systems ignored the RA, and only used the DHCP address. In a second round, they accepted all.

Advertising recursive name servers via RA
A relatively recent extension to router advertisements allows the inclusion of the recursive name servers IP address (RDNSS). This option was originally introduced by RFC 5106, and later revised by RFC 6106 [1]. Linux and OS X appears to accept it, but Windows doesn't. (7 or 8).
According to my tests, neither operating system appears to support DHCPv6. You have to use router advertisements to configure IPv6. However, both operating systems make it hard to review the IPv6 configuration, and I am still working on more systematic tests. According to some sources, iOS appears to support DHCPv6, but I wasn't able to verify this so far in my tests [2].

(thanks to feedback from readers, I did edit some parts of the diary removing confusing statements about RA and stateless auto configuration as well as cleaning up the language around RFC 5106).
(want to learn more about IPv6? Or just want to go to Vegas? Seehttp://www.sans.org/network-security-2012/description.php?tid=5086)

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
PMSoftware Simple Web Server Remote Buffer Overflow Vulnerability
WordPress Cloudsafe365 Plugin 'file' Parameter Remote File Disclosure Vulnerability
[ MDVSA-2012:144 ] tetex
[SE-2012-01] information regarding recently discovered Java 7 attack
Lexmark International has exited the inkjet printer business and is laying off 1,700 people as part of a restructuring plan to improve profitability.
Most U.S. residents want the ability to place video calls to people using a different service provider, even though consumer video-calling services are now locked behind proprietary walls, according to a survey released Tuesday by Cisco Systems.
Kindle-exclusive books have been purchased, downloaded or borrowed more than 100 million times, Amazon announced Tuesday.
With the release of the Backup Plus Portable Drive for Mac, Seagate has reinvented its line of portable hard drives, incorporating a number of desirable features into its new design.
CVE-2012-2665 Manifest-processing errors in Apache OpenOffice 3.4.0
CA20111208-01: Security Notice for CA SiteMinder [updated]
The vCloud Networking and Security package, featuring vShield Edge and vShield App, is designed to make virtualization security easier to implement.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
The Java zero-day flaw affects users of Mozilla, Internet Explorer and Safari.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

ID Don't Mean a Thing Unless Its Got that Integration Thing
Dark Reading (blog)
By now, we should know that there are no silver bullets in Infosec. But yet, even today enterprise write RFIs and RFPs that hone in on support for a specific standard and yet gloss over the importance of integration. Identity has made tremendous ...

CPG Dragonfly CMS Multiple Multiple Cross Site Scripting Vulnerabilities
Samsung said Tuesday it will "take all necessary measures" to keep its products on sale in the U.S.
Samsung is expected to show off its Intel-based Series 5 Hybrid PC tablet running Windows prior to the start of the IFA trade show in Berlin this week.
Sometimes, you play games to build something, like being the architect of your own simulated city. Sometimes, though, it's more fun to wreck stuff, like being the architect of your own sandcastle's destruction. In Plague Inc. by Ndemic Creations, you get to have the appeal of strategic creation and the subversive glee of wanton destruction as you craft a pandemic to destroy all of humanity.
Windows 8 may be the most disruptive operating system upgrade in 17 years, but the learning curve isn't as steep as some have claimed, enterprise support company PC Helps said today.
OpenJPEG Heap Based Buffer Overflow Vulnerability
LG Electronics has launched an LTE smartphone with a quad-core processor, the Optimus G, which it hopes will set it apart from the competition as the smartphone market starts to ramp up for the holiday season.
WordPress chenpress Plugin Arbitrary File Upload Vulnerability
Multiple Conceptronic Products 'login.js' Information Disclosure Vulnerability
Troubled Japanese LCD and TV panel maker Sharp said Tuesday it will cut 2,000 jobs domestically, or about 6% of its local workforce, as part of ongoing restructuring efforts.
Sony will close its once-proud optical PC drive subsidiary by early next year, as part of its efforts to refocus on the connected world of smartphones, tablets and netbooks, a spokesman said Tuesday.
Yahoo said Tuesday that Kathy Savitt, former founder and CEO of social commerce company Lockerz, is joining the ailing Internet company as chief marketing officer, responsible for all worldwide marketing and branding.
Digital marketing firm Blue Calypso has filed a lawsuit against local deals company LivingSocial for patent infringement, less than a month after suing its competitor Groupon in a court in Texas.
Apple's top hardware engineer, Bob Mansfield, is not leaving the company after all and will stay to work on future products, Apple announced Monday.
The U.S. Federal Aviation Administration is taking a new look at the use of portable electronics on airplanes, seeking public comments starting this week and forming a government-industry group to study when smartphones, tablets and other devices can be used safely.
From choosing a mobile app platform to deciding if your back-end cloud is up to the task, here are some factors to consider.
With the aid of key fob token YubiKey Neo, supported smartphone apps can be protected with a one-time password. To unlock items such as password safe app LastPass, the token is simply brushed across the back of the phone

Computer Associates SiteMinder 'login.fcc' Cross Site Scripting Vulnerability
IBM's latest mainframe, the zEnterprise zEC12, is big on data analytics and hybrid clouds.

Posted by InfoSec News on Aug 28

Forwarded from: security curmudgeon <jericho (at) attrition.org>

If you are, you should be aware that ISC2 board elections are coming up.
Last year, Wim Remes decided to run a petition to get his name added to
the ballot, and ultimately joined the board. He did so seeking to help
change ISC2 for the better, to begin to tackle the many criticisms
leveled against the organization, and their CISSP certification.

This year, four more...

Posted by InfoSec News on Aug 28


By: Brian Prince

Approximately 30,000 workstations were hit in a cyber-attack this month,
but the company says it has cleaned the systems and restored them to

Saudi Aramco, the national oil company of Saudi Arabia, has cleaned its
workstations and resumed operations after a malware attack struck the...

Posted by InfoSec News on Aug 28


By Kashmir Hill

If you’ve been following the coverage of Prince Harry’s recent trip to
Las Vegas, you’re likely very, very tired of hearing jokes about the
“crown jewels.” The day after one reporter (ironically) recounted the
British prince remarking to a security guard that he...

Posted by InfoSec News on Aug 28


By Mathew J. Schwartz
August 27, 2012

Dropbox is making two-factor authentication available to some users as
part of a beta test that's meant to shake down the new service.

The feature's debut--for self-selected early adopters--involves
installing and running an "experimental build" version of...

Posted by InfoSec News on Aug 28


By Dave Neal
The Inquirer
Aug 24, 2012

UK RETAILERS are losing hundreds of millions to cyber criminals every
year, warns the British Retail Consortium (BRC).

The BRC reckons that such crime is the biggest threat facing the retail
sector, so is even worse than bored shop assistants, and is an evolving
market that sees criminals adopting...
Internet Storm Center Infocon Status