InfoSec News

Cloud file-sharing service provider Druva and backup company TeamDrive announced upgrades to their respective mobile data services that include either a combined repository for all data regardless of the device or security through encryption.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The source code for ASP.Net Web API and Razor are being made available via an Apache 2.0 license
Version 1 of the programming environment is released, featuring binary distribution support and integration with Google's App Engine cloud platform
Dell has stopped selling smartphones in the U.S. as it tweaks its mobile strategy to focus more on emerging markets and higher-margin products.
F5 FirePass 'state' Parameter SQL Injection Vulnerability
For CIOs and IT professionals, the potential of the cloud is clear: transforming IT from cost center to business engine. It promises the agility and scalability that tech dreams are made of. By leveraging the cloud, you can complete typical IT tasks in hours rather than weeks or months, allowing you to dedicate staff to innovation, not just maintaining systems and infrastructure.
It's official: Red Hat is the first open-source software company to generate a billion dollars in annual revenue.
nginx 'ngx_cpystrn()' Information Disclosure Vulnerability
In the runup to the trial date for their dispute over whether Google's Android mobile OS infringes on Oracle's Java patents, Google and Oracle are negotiating over potential damages.
Much as large computing projects can make use of your free CPU cycles, Symform leverages your free hard drive space and that of others into a secure, encrypted online storage service. Quite clever actually, and even better--it's free (except, of course, for the electricity and storage space you contribute). You can be a leech and simply use the 10GB of free storage offered, but up to 100GB of online storage is available if you contribute. You can up that to 200GB by referring friends.
AOL decommissioned almost 10,000 servers and saved $5 million along the way to winning a contest that highlights the cost of running inefficient or underutilized IT equipment.
Box.com unveiled OneCloud today--a new service designed to unite the data from various mobile apps. Box OneCloud promises to make it easier to manage data on mobile devices and be productive from virtually anywhere. OneCloud resolves a fundamental limitation of the Apple iPad, and makes Box a must-have app.
Duqu, the malware that has been compared to 2010's notorious Stuxnet, is back, security researchers said today.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0463 Memory Corruption Vulnerability
States are having a hard time keeping up with the cloud, especially when it comes to taxing it.
Anonymous announced March 31 as the date of the attack, along with the method they intend to use -- disabling the Domain Name System (DNS) through DDoS attacks.
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
Adobe released a critical update today for Flash Player.

The basic gist is that on most platforms the vulnerabilities can cause a crash and potentially allow a remote attacker to take control of the affected system. Details allude to memory corruption as the cause, which this update patches.

Another highlight is that this update comes with an auto-update feature for the Flash Player. The link below seems to only cite this feature for Windows users. I've not had a chance to hit my OS X systems with this update, so I cannot confirm whether it reaches the Mac. Post a comment and tell us what you see of this new feature.

Get further details on this update here:

APSB12-07 http://www.adobe.com/support/security/bulletins/apsb12-07.html

Flash Auto-update Feature http://blogs.adobe.com/asset/2012/03/an-update-for-the-flash-player-updater.html

Adobe Security Bulletins http://www.adobe.com/support/security/index.html

Many thanks to our readers Michael, Toby, Fred, Rene' and Mike for keeping on top of things and sending in links to us.

Keep it coming!


ISC Handler on Duty
My editor will be glad to know that this week, in contrast to the last few Gearhead columns I will not be discussing AT&T, ADSL (+ or otherwise), or Motorola DSL modems.
Google is now offering customers of its Apps for Business communications and collaboration suite an optional service that automatically captures, archives and indexes their employees' e-mail messages and IM chat sessions.
SAP's SuccessFactors subsidiary is rolling out a version of its Jam social collaboration platform at no charge to all users, the company announced Wednesday.
Why this latest attempt to make software more secure might stand a chance.
Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability
An IBM report found a slight increase in browser-based vulnerabilities, but security features are driving attackers to target components rather than the browser itself.
Quest InTrust 10.4.x ReportTree and SimpleTree Classes ArDoc.dll ActiveX Control Remote File Creation / Overwrite Vulnerability
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
Cisco Security Advisory: Cisco IOS Software Reverse SSH Denial of Service Vulnerability
A group of malware experts from security companies Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, have worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners in September 2011.
Samsung Electronics has shipped 5 million units of its "smart notepad", the Galaxy Note, surpassing most expectations, according to analysts.
Registrars that fail to comply with copyright infringement contract terms given by the Internet Corporation for Assigned Names and Numbers will lose their accreditation.
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features
Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability
Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
Federal agencies will have tight IT budgets over the next 12 to 18 months, but there are opportunities for small IT vendors as many agencies divide up contracts into small chunks, IT and financial services representatives said.
Adobe yesterday released Flash Player 11.2, adding silent updating to speed patching of "zero-day" vulnerabilities in the Windows edition.
California's Judicial Council has put the brakes on a long-running, massive software project that was supposed to modernize the state's trial courts case-management systems, saying the software is viable but that there's simply no money to continue installing it.

Cloud computing breaches often are a topic that comes up in conversations at conferences. Organizations need to prepare for the complications that will come if their cloud provider is breached, legal experts warn. However, there’s little data on breaches involving cloud providers, at least that’s public.

The 2012 Verizon Data Breach Investigations Report (DBIR) (.pdf) tries to offer some insight on cloud computing breaches. The company – which expanded its cloud services by acquiring Terremark last year — notes there are many definitions for what constitutes cloud, making it difficult to figure out how cloud computing factors into data breaches. But in an interview, Christopher Porter, a principal with Verizon’s RISK team, told me the DBIR defines the cloud as something that’s externally located, externally managed and externally owned.

“In the past year, there were several breaches of externally hosted environments that weren’t managed by the victim,” he said. “We didn’t see any attacks against hypervisors. It’s really more about giving up control of your assets as opposed to any technology specific to the cloud.”

For cloud proponents, the DBIR’s observation was taken as proof that cloud computing services are secure. However, cloud computing risks involve more than the hypervisor. Giving up control of your assets – and not controlling the associated risks, as Verizon notes – is what makes organizations queasy about cloud services.

According to the Verizon DBIR, 26% of breaches involved externally hosted assets, while 80% involved internally hosted assets. Forty-six percent of breaches involved externally managed assets (compared to 51% internally managed assets). The report notes this is the third year the company has seen an increase in the proportion of externally hosted and managed assets involved in data breaches. Porter said the increase is mostly due to economic issues; more organizations are moving to the cloud for the cost savings.
When files are stored in the cloud, many companies need access to them on mobile devices. And once they're on those devices, users want to be able to edit the files and place them back into the cloud. That process has been difficult at times, experts say, but cloud collaboration vendor, Box, is making some moves to address it.
The CEO community is turning to CIOs to help accelerate revenue growth and deepen engagement with customers.
An exclusive survey finds that many CIOs say cloud services are a plus for business continuity and speedy deployment. But they still worry about security.
In a speedy show of consensus, the European Union's three law making institutions have agreed new rules that will cut mobile phone roaming charges for consumers.
[security bulletin] HPSBMU02756 SSRT100596 rev.1 - HP Performance Manager Running on HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)
[security bulletin] HPSBUX02755 SSRT100667 rev.1 - HP-UX WBEM, Remote Unauthorized Access to Diagnostic Data
[security bulletin] HPSBMU02744 SSRT100776 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information
[security bulletin] HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, Unauthorized Modification, Denial of Service (DoS)

New think tank: Centre for Strategic Cyberspace + Security Science (CSCSS)
CSO (blog)
A new infosec think tank has launched. Its CEO, Richard Zaluski, sent me the following LinkedIn message about it: It is with great pride and pleasure that I announce to you the formation of the Centre for Strategic Cyberspace + Security Science / CSCSS ...

The network-attached storage (NAS) box--an external storage device that attaches to your network router rather than directly to your PC--has become an essential tool for any home or small business that deals with shared data and media.
Nokia will not contribute its patents to the upcoming nano-SIM standard if an Apple proposal is selected, a proposal Nokia said Wednesday violates the rules of the ETSI standards organization.
Box, a provider of cloud-hosted enterprise collaboration and content management software, will announce a new service designed to consolidate in a single repository companies' mobile applications and the data they generate.
File-sharing and collaboration service Box announced a new menu of third-party iOS applications that work on its service and can be more easily accessed with a single mouse click.
Does governance, risk and compliance (GRC) really pay off? It's a valid question for any organization that's looking to formulate a corporate strategy and implement software for managing GRC.
[ MDVSA-2012:042 ] wireshark

Trusted IT Technologies are Failing
Bevan Lane, director of Infosec Consulting, says the dangerous new trend towards hacktivism - hacking into an organisation's site and data to make a point - shows there is little to stop a determined hacker from accessing whatever he wants to.
Nokia will bring the first of several Lumia smartphones to China starting in April, as the company moves to reclaim its share in a key market where Android handsets have begun to dominate.
Jive Software has developed a version of its enterprise social collaboration software designed for intranets, the latest product it creates for specific workplace scenarios.
Train passengers will soon be able to use their mobile phones on the city's subways.
The European Commission is to get tough on cybercrime it revealed on Wednesday, but won't target illegal file-sharing.

Amazon Kindle Touch 3G e-reader will start shipping across the globe with free 3G wireless access on April 27, Amazon said on Tuesday.
Today a feature-rich inkjet printer can be had for a price that seems astonishingly low -- until the ink runs out.
German security company Avira has released free antivirus software for Apple Macs, joining a host of security software providers offering protection for OS X.
Joomla! Unspecified Information Disclosure Vulnerabilities
Offshore outsourcing firms rely heavily on H-1B visas, and the chart here provides comprehensive data on the top H-1B users from 2009-2011 -- though it doesn't tell the whole story.
Columnist Kevin Fogarty says when users can buy sophisticated data services to support not only gadgets, but applications, too, that changes the role and goals of IT.
While vendors continue to work toward a single console, or "single pane of glass" tools, customers must choose from products that manage only parts of their environments or focus on specific problems such as the sprawl of unused virtual machines, security or backup.

Posted by InfoSec News on Mar 28


By J. Nicholas Hoover
March 27, 2012

China is stealing a "great deal" of military-related intellectual
property from the United States and was responsible for last year's
attacks against cybersecurity company RSA, U.S. Cyber Command commander
and National Security Agency director Gen. Keith Alexander told the
Senate Armed Services Committee on...

Posted by InfoSec News on Mar 28


By John Leyden
The Register
27th March 2012

A pair of historic Enigma machines used during the Spanish Civil War
have been donated to Britain.

The machines played a role in an untold chapter of British wartime
code-breaking history: the early 20th-century kit encoded messages that,
once intercepted, helped boffins crack German military encryption at
Bletchley Park in the...

Posted by InfoSec News on Mar 28


By Jaikumar Vijayan
March 27, 2012

An AWOL U.S. Army soldier based in Pittsburgh is accused of stealing
Microsoft co-founder Paul Allen's identity and using it to attempt to steal
money from Allen's Citibank account.

Court documents unsealed this week in U.S. District Court in
Pennsylvania alleged that Brandon Price, 30, of...

Posted by InfoSec News on Mar 28


By Sen. Ron Johnson (R-Wis.)
The Hill

Our nation’s computer systems are vulnerable to online attack. This is a
growing threat to our economy and our national security. American
businesses understand this threat — this is why last year they invested
more than $80 billion in the security of their computer networks.

I came to Washington as the CEO of a...

Posted by InfoSec News on Mar 28


By Emil Protalinski
Zero Day
March 27, 2012

Summary: Cybersecurity advisor Richard Clarke is warning the U.S. that
its major companies are being regularly infiltrated by Chinese hackers
employed by the Chinese government to steal R&D.

Richard Clarke, a former cybersecurity and cyberterrorism advisor for
the White House, was a U.S....
Apple will offer refunds to people who bought its latest iPad following a claim by Australia's competition regulator that it ran misleading advertisements over the device's 4G connectivity, according to reports.
GnuTLS 'gnutls_session_get_data()' Remote Buffer Overflow Vulnerability