InfoSec News

Cooperation between Sprint Nextel and Clearwire on LTE should help to bring two versions of that technology together, leading to increased device choices and roaming opportunities for subscribers in developed markets.
In the end it was a search that let Google down.
Facebook plans to shut down the Beluga mobile messaging application it acquired earlier this year, after launching a similar, native service called Facebook Messenger that's based in part on the Beluga technology.
[PT-2011-29] Arbitrary file reading and arbitrary code execution in Router Manager for D-Link DIR-300
Oracle Solaris CVE-2011-2311 ZFS Component Local Vulnerability
Oracle Solaris CVE-2011-2312 'ZFS' Sub Component Local Vulnerability
Oracle Sun Products Suite CVE-2011-3536 Local Vulnerability
[SECURITY] [DSA 2323-1] radvd security update
[SECURITY] [DSA 2331-1] tor security update
[PT-2011-30] Disclosure of sensitive information in D-Link DIR-300 Router
Customers who buy two BlackBerry PlayBooks will get a third one free, in what one analyst says is an effort by Research In Motion to boost flagging sales.
Google TV, the company's platform for Internet-connected televisions, got an upgrade to simplify its user interface, improve its search engine, optimize YouTube access and open it for Android app developers.
According to a published report, Brocade is again making it known that it has placed itself on the selling block, hoping to drum up interest in suitors with enough money to cover its more than $2 billion market cap.
Hewlett-Packard's decision to reject the plan to spin-off or sell its PC division came after an intensive, six-week study by a team of 100 people at the company.
Spinning off its PC unit would have been too costly for Hewlett-Packard, and that was one of the reasons why the company backed off from the plan it announced in August, an HP executive said Friday.
Researchers in Germany have demonstrated weaknesses in the W3C XML encryption standard used to secure websites and other Web applications.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
RETIRED: Linux Kernel kexec-tools Multiple Information Disclosure Vulnerabilities
Linux Kernel CVE-2011-3589 kexec-tools 'mkdumprd' Utility Information Disclosure Vulnerability
Empathy 'nickname' Field Cross Site Scripting Vulnerability
[PT-2011-20] Authorization bypass vulnerability in OneOrZero AIMS
Re: jara 1.6 sql injection vulnerability
VMSA-2011-0013 VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
[security bulletin] HPSBUX02715 SSRT100623 rev.2 - HP-UX Containers (SRP), Local Unauthorized Access and Increased Privileges
Cisco Nexus OS 'section' and 'less' Local Command Injection Vulnerabilities
ZDI-11-314 : Apple Quicktime PnPixPat PatType 3 Parsing Remote Code Execution Vulnerability
ZDI-11-313 : Apple QuickTime FLC RLE Packet Count Decompression Remote Code Execution Vulnerability
ZDI-11-312 : Apple QuickTime Atom Hierarachy Argument Size Mismatch Remote Code Execution Vulnerability
ZDI-11-311 : Apple Quicktime Empty URL Data Handler Remote Code Execution Vulnerability
Apple's position in the catbird seat for global smartphone shipments has been short-lived. Just a scant three months ago, the maker of the iPhone knocked Nokia out of the top spot. Now Samsung and its lineup of Android smartphones are top dog.
APPLE-SA-2011-10-26-1 QuickTime 7.7.1
[ GLSA 201110-26 ] libxml2: Multiple vulnerabilities
When you have a skeleton crew but a long list of things that need to get done, it just makes sense to do them yourself.
With Windows Phone Mango showing up in new smartphones and rolling out to old ones, it's time to look ahead to the next big update to Microsoft's mobile operating system, code-named Apollo.
Europe’s Council of Ministers has said that all European Union countries must make the 800 MHz band available for wireless broadband services by January 1, 2013 as part of an ambitious deal agreed on Friday.
The frequency of attacks that distribute fake antivirus software, a long-time pillar of the underground economy, has decreased considerably in recent months.
eFront <= 3.6.10 (build 11944) Multiple Security Vulnerabilities
ZDI-11-309 : Novell iPrint Client nipplib.dll GetDriverSettings Remote Code Execution Vulnerability
ZDI-11-308 : Cisco WebEx Player ATAS32.DLL linesProcessed Remote Code Execution Vulnerability
There's two parts to this control - one focuses on users, the other on security and IT staff.
Keeping your users abreast of current threats and how to steer clear of these dangers is definitely important. But in today's compliance-driven corporate world, the average staff member already has to sit through many trainings and e-learnings on topics ranging from corporate records management to HR policies to anti bid-rigging rules, etc. Hence, the first hurdle that every security training has to overcome is to actually get the initial attention of the audience.
If you had the choice between attending a Security Awareness Training, and a presentation called How to keep your kids safe on the Net .. which one would you join? The latter can impart just about the same lessons as the former, but hardly anyone in the audience will catch on to the fact that you are teaching them to be careful on the Net just as much as you empower them to watch their kids.
In other words, as in all marketing endeavors, packaging is everything. Once you have the users' initial attention, the easiest way to keep them interested is by using real life examples from your own company or institution. Even if the audience happens to be already aware of a certain attack or threat, and would otherwise be bored, they will always be interested in what REALLY happened, close to home.
You might find out that users come with three levels of security clue:
1. Those who just don't know better

2. Those who do know better, but take shortcuts, don't care, or have an it won't happen to me attitude

3. Those who do know better, and stick to being careful
For Group #1, train them, patiently and repeatedly

For Group #2, make a gory example out of one or two trespassers. The others will catch on. If you can't get away with gory examples pour encourager les autres, then patiently treat Group#2 like Group#1.

For Group #3, thank them for every risk that they spot and report, and empower them to act as coaches for Group #1 staff in their team
SANS Control #20 http://www.sans.org/critical-security-controls/control.php?id=20 and the SANS Securing the Human project (http://www.securingthehuman.org) are two good starting points for further information.
Now, for training of security and IT staff. For most readers of this ISC diary, this will mean yourself, and maybe also people that you manage in your team. With training budgets for 2012 currently getting drawn up in many companies, and the economic situation making it unlikely that the budget will be a brimming bucket of money, now is a good time to honestly assess where the gaps are and how to most effectively fill them.
Ask yourself:

- Do I have the know-how to oversee the implementation of some or all of the 20 critical controls? Where are my gaps?

- Would I have the know-how to actually implement, hands-on, some or all of the 20 critical controls? Where are my gaps?
If you are a manager of a security team, I'd recommend you do the above assessment for each of your staff members. Not everyone can be an expert in everything. But, sadly, the recent years of paperwork compliance (SOX, the old FISMA, etc) have bred a large caste of security staff whose main and only competency seems to be to track open issues. In the past couple months though, senior executives have definitely started to catch on to the surprising delta between what the security compliance report suggests, and what the reality is.
SANS training is doing a great job teaching people (and even managers :) hands-on security skills of value. But this isn't a SANS training commercial. Just an encouragement with emphasis to all security specialists out there to make sure that you keep your skills up to snuff. And to all managers of security specialists, that you make sure to have the right people for the job on the team.
Because one thing's for certain: The job ain't gonna get any easier anytime soon.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A key House committee this week approved a Republican-sponsored high-skill immigration bill intended to help advanced degree holders in India and China get green cards to work in the U.S.
The U.S. Federal Communications Commission's vote Thursday to shift long-time telephone subsidies to broadband deployment generated praise in the telecom industry, but other groups questioned the move.
Third-quarter earnings reports from major tech vendors continued to pour in this week, confirming upbeat trends for enterprise software and emerging markets but mixed results for hardware and components.
[SECURITY] [DSA 2329-1] torque security update
Look out Amazon. OpenStack is shaping up to be a game changer in the cloud world. Today, Atlanta-based Internap Network Services announced the launch of the first public cloud built on OpenStack.
The traditional retirement age for CEOs at IBM has been 60, or close to it. Should CEOs be forced to step aside when they get to 60?
Facebook downplayed an alleged vulnerability in its social-networking site that could allow a hacker to send a potentially malicious file to anyone on Facebook.
Microsoft is now expanding the distribution of its Windows Phone 7.5 update to all eligible users, but some owners of phones including Samsung's Omnia 7 will have to wait a bit longer.
The administrative keys to your kingdom are easier to get than you might know. Here's how to protect yourself. Insider (registration required)
SBLIM-SFCB Multiple Buffer Overflow Vulnerabilities
Samsung beat Apple to the top position in the smartphone market in the third quarter taking a 23.8 percent share of the global market to Apple's 14.6 percent, according to data released Friday by research firm Strategy Analytics.

Posted by InfoSec News on Oct 27


By Tomer Zarchin

Anat Kamm, who was convicted in February of collecting, holding and
passing on classified information without authorization, is to be
sentenced by the Tel Aviv District Court on Sunday.

The conviction was obtained under a plea bargain that reduced the
charges. Originally, Kamm had been charged...

Posted by InfoSec News on Oct 27


By Dan Goodin in San Francisco
The Register
27th October 2011

In a hack fitting of a James Bond movie, a security researcher has
devised an attack that hijacks nearby insulin pumps so he can
surreptitiously deliver fatal doses to diabetic patients who rely on

The attack on wireless insulin pumps, made by medical devices giant
Medtronic, was demonstrated Tuesday at...

Posted by InfoSec News on Oct 27


By Space Rogue
October 27, 2011

First some historical background, this is at least the third time I have
seen a similar story over the last 15 years. “OMG ‘hackers’ can control
a satellite”, the previous two times it turned out to be false. The
first time I was one of the first people call the story suspect.

It is hard to find links that still work from 1999 but Reuters actually
had to...

Posted by InfoSec News on Oct 27


By Anh Nguyen
October 27, 2011

UBS has admitted that certain internal controls were not in place at the
time that rogue trader Kweku Adoboli allegedly ran up a $2 billion (1.3
billion) loss on the bank's derivatives desk.

This follows a memo that interim chief executive Sergio Ermotti sent to
employees earlier this month saying that the...

Posted by InfoSec News on Oct 27


By Ed O'Keefe
Federal Eye
The Washington Post

Homeland Security Secretary Janet Napolitano spends a considerable
amount of time dealing with cybersecurity threats, including potential
attacks on the nation’s infrastructure. But don’t ask her to detail the
nation’s biggest...

Posted by InfoSec News on Oct 27


The Opinion Pages
The New York Times
October 26, 2011

Washington -- BRAVE journalists have defied court orders and have even
been jailed rather than compromise their ethical duty to protect
sources. But as governments increasingly record their citizens’ every
communication - even wiretapping...

Posted by InfoSec News on Oct 27


The Secunia Weekly Advisory Summary
2011-10-20 - 2011-10-27

This week: 81 advisories

Table of Contents:

1.....................................................Word From Secunia...
Internet Storm Center Infocon Status