
InfoSec News

One of the two men accused of hacking AT&T's website to grab personal information about thousands of iPad users has been released on bail.
 
The Twitter account used to promote Microsoft's Bing search engine went slightly bonkers Monday afternoon, posting a deluge of pre-Oscar party photos.
 
A good part of the fight against malware relies on the good guys sharing samples and intel. For some reason though, many anti-virus (AV) companies seem to make it exceedingly hard to extract usable samples from their tools and quarantines. They insist on a quarantine in proprietary format, and more often than not, the only option given in the GUI is Send to Vendor or Delete.
Send to vendor? Well duh, how about sending to _more than one_ vendor? How about letting me extract the sample in an industry standard format, so that I can share it with the other AV vendors whose products I'm using to protect my corporation or university?
Exasperated by a recent run-in with the quarantine mechanism of a particularly stubborn yellow product, I googled some, and found out that there's actually an IEEE Working Group looking into standardizing an open Malware Exchange format. Good news. Though even better news would be if the format chosen were simply an existing forensic file format, maybe with added encoding or encryption to turn the sample inert.
But, no matter which format gets selected eventually, I sure hope that (a) this happens soon and (b) that the AV vendors actually adopt the idea and make extracting and sharing samples and intel easier than they do today. Because most of their products today ... to me look a whole lot like the vendors don't care [beep] about their clients' security and efficient malware defense. Not anywhere as much as they care about their own revenue.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
All of Motorola's high-end smartphones will soon be able to work with a docking station that provides them with a large screen and keyboard when needed, the company's CEO said Monday.
 
Verizon is preparing to offer its customers unified communications services that can include presence information, instant messaging, videoconferencing and fixed-mobile call handoffs through a Cisco Systems-based cloud infrastructure.
 
Samba 'FD_SET' Memory Corruption Vulnerability
 
Intel has completed its US$7.68 billion acquisition of security vendor McAfee, the chip maker announced on Monday.
 
Law enforcement has a problem, and you may be part of it.
 
Open democracy, open borders and open standards were the themes to which speakers returned again and again at the opening ceremony for the Cebit trade show in Hannover, Germany, on Monday night.
 
Linux Kernel Video Output Status Local Denial of Service Vulnerability
 
AT&T customers in four U.S. cities will soon be able to receive mobile coupon alerts and other marketing information from nearby stores, based on cellular location technology.
 
Apple's new MacBook Pro shows some quality-of-build problems that shouldn't be seen in a notebook that costs $1,800, a teardown expert said.
 
The business-oriented HP Mini 1103 netbook is good-looking and solidly designed, and it has great battery life. Two years ago it would've earned high praise. Today it reminds us how inadequate Atom-based netbooks are for all but the most basic computing tasks. If the basics are all you need to cover, however, at $299 (as of February 28, 2011) this machine is a good deal with nice ergonomics.
 
Home FTP Server Directory Traversal Vulnerability
 
RETIRED: Home FTP Server 1.12 Directory Traversal Vulnerability
 

CIOs to Guvs: Pay More Attention to Infosec
GovInfoSecurity.com
According to GovInfoSecurity.com's State of Government Information Security survey released in February (see Gov't Infosec Pros Question Fed's Security Resolve), a majority of state and local IT security organizations struggle to recruit and retain ...

 
Google employees may be getting new tablets, Motorola's CEO said Monday.
 
The central command post for the International Space Station's robotics work failed Monday in the middle of the first spacewalk for the shuttle Discovery's final space mission.
 
Chinese hackers have modified the free Steamy Windows Android app, allowing them to hijack a smartphone to install other apps and silently send text messages.
 
Pablo Software Solutions Quick 'n Easy FTP Server User Command Denial of Service Vulnerability
 
[USN-1077-1] FUSE vulnerabilities
 
[USN-1076-1] ClamAV vulnerability
 
[USN-1075-1] Samba vulnerability
 
[ MDVSA-2011:038 ] samba
 
ClamAV 'vba_read_project_strings()' Double Free Memory Corruption Vulnerability
 
On March 6, AT&T will begin selling the new Kindle 3G e-reader at its retail stores for $189. It will be the first time the carrier has sold a dedicated e-reader device.
 
About 150,000 of Google's Gmail users woke up Sunday morning to missing e-mails, contacts and chat histories. Will you trust such "cloud" services any less?
 
Tens of thousands of Google's Gmail users woke up Sunday morning to missing e-mails, contacts and chat histories.
 
Software AG added a complex-event processing tool to its software portfolio and said it will release cloud-enabled versions of webMethods and its Aris business process modeling tool in the third quarter.
 
Many have questioned more than once the value of COAC, especially about its membership's self-interests. But now there is serious question about its role in the security of this nation's borders and ports. COAC's obvious weaknesses are two: first, its latest charter; and second, the self-interest of COAC's non-government membership that places protecting and promoting company and industry values over the greater security of U.S. trade infrastructure essential to our nation's economic base. It has value to the Department of Homeland Security that needs to claim it understands both trade and security for the political agenda of the Administration.
 
Intel today announced its next line of new solid-state drives. The new Intel SSD 510 features fast SATA 6Gbit/sec performance to take full advantage of Intel's transition to higher speed SATA bus interfaces on the recently introduced 2nd Generation Intel Core processor-based platforms.
 
Hoping to do for personal computers what Microsoft has done for gaming, Asus will soon offer a motion sensing device that looks and works like the Xbox Kinect.
 
Linux Kernel SCTP HMAC Handling Memory Corruption Vulnerability
 
FreeBSD crontab information leakage
 
Re: prestashop vuln: sql injection submitted to [email protected]
 
Linux Kernel 'irda_bind()' Null Pointer Dereference Vulnerability
 

The great IT risk measurement debate, part 1
CSO
Doug Hubbard: Infosec is a very interesting subset of risk assessment and risk management in general. It falls in a category of disciplines that have developed risk management in isolation from what we now know about experimental psychology ...

 
About 150,000 of Google's Gmail users woke up Sunday morning to missing e-mails, contacts and chat histories.
 
Wlpncp asked the Desktops forum for advice on setting up a new Windows 7 PC.
 
[security bulletin] HPSBPI02635 SSRT100391 rev.1 - HP Web Jetadmin Running on Windows, Local Unauthorized Access to Managed Resources
 
CONFidence 2011- CfP only 6 days left, we are still waiting for your submission
 
Imageview v6.0 Remote [and] Local Directory Traversal Vulnerability
 
Nokia and Microsoft joining forces to better compete with Apple and Google's Android OS will be good for the smartphone market, Vodafone Germany's CEO Jan Geldmacher said in an interview at the Cebit trade show in Hanover.
 
Bernd Wagner, the managing director of Fujitsu's German subsidiary, has jumped to Software AG to become its chairman.
 
[USN-1074-1] Linux kernel vulnerabilities
 
[USN-1073-1] Linux kernel vulnerabilities
 
[SECURITY] [DSA 2174-1] avahi security update
 
[SECURITY] [DSA 2173-1] pam-pgsql security update
 
Wireshark Visual C++ Analyzer Buffer Overflow Vulnerability
 
GIMP Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities
 
PHP Exif Extension 'exif_read_data()' Function Remote Denial of Service Vulnerability
 
Early adopters of DLP deployments say slow, incremental rollouts help reduce the burden on IT staff and the potential for chaos among business units.

 
With the new update of its Project and Portfolio Management software, Hewlett-Packard is broadening the potential scope of the software to manage all organizational projects, not just IT projects.
 
Ruby "#to_s" Security Bypass Vulnerability
 
Ruby 'FileUtils.remove_entry_secure()' Method Race Condition Vulnerability
 
InfoSec News: Familiar faces, new names step up at Pwn2Own hacking contest: http://www.computerworld.com/s/article/9211402/Familiar_faces_new_names_step_up_at_Pwn2Own_hacking_contest
By Gregg Keizer Computerworld February 25, 2011
The Pwn2Own hacking contest next month will feature its largest-ever crew of contestants, including past winners, a French security firm [...]
 
InfoSec News: Chinese tech giant invites investigation of spying claims: http://www.telegraph.co.uk/technology/news/8347357/Chinese-tech-giant-invites-investigation-of-spying-claims.html
By Christopher Williams Technology Correspondent The Telegraph 25 Feb 2011
In an extraordinary open letter, Huawei's deputy chairman Ken Hu [...]
 
InfoSec News: NSA Winds Down Secure Virtualization Platform Development: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229219339
By J. Nicholas Hoover InformationWeek February 24, 2011
After several years in the making and two releases, the National Security Agency is winding down new development of its secure client [...]
 
InfoSec News: Grandmaster Flash Offers Reward For Stolen Laptop: http://www.hiphopdx.com/index/news/id.14218/title.grandmaster-flash-offers-reward-for-stolen-laptop
By Jake Paine Hip Hop DX February 26, 2011
Last week, one of Hip Hop's pioneers was victim of a theft at New York's 40/40 Club. He's offering a cash reward in hopes of getting it back. [...]
 
InfoSec News: Iran to take pre-emptive action against cyber terrorism: general: http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1262106
2/26/2011
TEHRAN, Feb. 26 (MNA) – Deputy chairman of Iran’s Joint Chiefs of Staff has said that Iran will take pre-emptive cyber action against the centers which launch cyber attacks against the Iranian facilities. [...]
 
Organizers of Pwn2Own on Sunday defended the hacking contest's rules after a three-time winner criticized the challenge for encouraging researchers to "weaponize" exploits.
 
SeaMicro announced a low-power server that includes 256 of Intel's latest Atom N570 dual-core processors.
 
Clickatell today announced a Short Message Service (SMS) for small businesses that costs only $25 a month for 1,000 messages, a drastic reduction in price compared to its earlier version.
 
Following a recent report that data on most SSDs is very difficult to completely erase, researchers and analysts say there are really only two methods to ensure sensitive data is secure once you're finished using your SSD.
 
Cloud-based monitoring software tracks your productivity and measures how you compare to other employees.
 
Citrix Systems has invested in Primadesk, a company developing a free, Web-based application to help users keep track of content stored in different cloud-based services, the company said Monday.
 

Posted by InfoSec News on Feb 28

http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1262106

2/26/2011

TEHRAN, Feb. 26 (MNA) – Deputy chairman of Iran’s Joint Chiefs of Staff
has said that Iran will take pre-emptive cyber action against the
centers which launch cyber attacks against the Iranian facilities.

“A research center has been established in Imam Hussein University to
conduct research on this subject,” Brigadier General Mohammad Hejazi
told the Mehr News...
 

Posted by InfoSec News on Feb 28

http://www.telegraph.co.uk/technology/news/8347357/Chinese-tech-giant-invites-investigation-of-spying-claims.html

By Christopher Williams
Technology Correspondent
The Telegraph
25 Feb 2011

In an extraordinary open letter, Huawei's deputy chairman Ken Hu
attacked "falsehoods" and "unfounded" concerns that scuppered the
acquisition of 3Leaf, a cloud computing technology firm based in
California.

"We sincerely hope...
 

Posted by InfoSec News on Feb 28

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229219339

By J. Nicholas Hoover
InformationWeek
February 24, 2011

After several years in the making and two releases, the National
Security Agency is winding down new development of its secure client
virtualization framework, the High Assurance Platform (HAP).

At HAP's inception, NSA wanted an integrated, networked framework of
virtualization and security...
 

Posted by InfoSec News on Feb 28

http://www.computerworld.com/s/article/9211402/Familiar_faces_new_names_step_up_at_Pwn2Own_hacking_contest

By Gregg Keizer
Computerworld
February 25, 2011

The Pwn2Own hacking contest next month will feature its largest-ever
crew of contestants, including past winners, a French security firm
armed with a bagful of bugs and an iPhone jailbreak expert who has been
sued by Sony.

"The major difference this year is the sheer number of...
 

Posted by InfoSec News on Feb 28

http://www.hiphopdx.com/index/news/id.14218/title.grandmaster-flash-offers-reward-for-stolen-laptop

By Jake Paine
Hip Hop DX
February 26, 2011

Last week, one of Hip Hop's pioneers was victim of a theft at New York's
40/40 Club. He's offering a cash reward in hopes of getting it back.

Legendary Bronx, New York deejay Grandmaster Flash is offering a reward
for a stolen laptop. Widely considered one of Hip Hop's forefathers, the
member of...
 
libpam-pgsql IP Address Buffer Overflow Vulnerability
 
Elecard MPEG Player '.m3u' File Remote Stack Buffer Overflow Vulnerability
 

System glitch stops trading on ASX
ZDNet Australia
#mac #infosec RT @darrenpauli: Macs will blow up and terror will reign. There's a new trojan out http://bit.ly/dK3uoU the author could use a spell checker. ...

 

