InfoSec News

ISAW Shredding Event
BU Today
InfoSec personnel will be on hand to accept custody of your documents and watch over them until they are destroyed: • Tuesday, 10/02 – 9-noon – CRC - Granby St Lot • Thursday, 10/04 – 9-noon, – CRC - in the Parking Lot of Agganis Arena We look forward ...


CMC Infosec launches antivirus
Viet Nam News
HA NOI (VNS)— CMC Infosec Company on Wednesday released its latest anti-virus software, CMC Mobile Security 2013, which can also help users find lost smart phones with the Google Maps application. The software for the Android operating system will ...

Embattled satellite carrier LightSquared proposed that the government let it share spectrum with federal uses such as weather balloons so it can get enough spectrum to launch its proposed national LTE mobile network.
Yesterday Adobe came out in a bog post stating an inappropriate use of an Adobe code signing certificate for Windows.
Apparently they discovered a compromised build server with access to Adobe code signing infrastructure. (Which is corporate speak for one of our servers was hacked.) They immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created.
This apparently only effects the Windows platform and three Adobe AIR applications for both Windows and Macintosh. I found a list of the applications involved, and how to update them on this page: http://helpx.adobe.com/x-productkb/global/certificate-updates.html. This update revocation will not occur until the 4th of October. (Next Thursday).
The interesting section (to me at least) of this post is the middle section:

We have identified a compromised build server that required access to the code signing service as part of the build process.Although the details of the machines configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process.We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies.The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service.

Our forensic investigation is ongoing. To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities.We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.

The build server used a dedicated account to access source code required for the build. This account had access to only one product. The build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobes ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR. We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account. There is no evidence to date that any source code was stolen.

Naturally people are writing in to us asking what this impacts (see the first link above) and what happened, (the second link above). But there is one thing we are sure of, we don't know the extent of the damage, and hope there was nothing more compromised than what Adobe has found in their investigation. I know Brad Arkin and trust him, so I don't have any reason to doubt him and his team (who are very good, and work very hard by the way, I don't want anyone to get the wrong impression), but you never know, I guess, is my point.

Since I work for an IDS vendor, (Sourcefire, in the interest of full disclosure), our customers were very interested in the rules we released yesterday to cover this. So this is definitely on people's minds.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple CEO Tim Cook's apology earlier today was unnecessary, Wall Street analyst Brian White said today. Even so, he called it 'the right decision' to protect Apple's brand.
With Intel unveiling a tablet processor this week, analysts say the chip maker may be on track to becoming less dependent on the struggling PC market.
With each year, Oracle becomes a bigger company and in turn, so does its annual OpenWorld conference, which kicks off Sunday in San Francisco.
The U.S. Federal Communications Commission took the first step toward groundbreaking auctions of television spectrum to mobile carriers faced with skyrocketing bandwidth demands from their customers.
Facebook Gifts, the new social gifting service launched by Facebook on Thursday, might encourage users to expose information like their home addresses, birth date, clothing or shoe size that could pose security and privacy risks, according to security experts.
Asustek Transformer Pad TF300TL has quad-core processor and LTE support along with a 10.1-inch screen, the company said Friday.
In the face of an Apple demand for a sales ban on its Android products, Samsung told a Dutch court on Friday that in fact it has already changed the products so they no longer infringe. But the South Korean company's failure to provide evidence of the change exasperated the judges.
Pirate Bay founder Gottfrid Svartholm Warg will remain in detention for at least two more weeks while Swedish prosecutors investigate his alleged involvement in the hacking of IT company Logica, a Swedish court ruled Friday.
When Apple switched to Intel processors, Windows switchers as well as Mac users who needed to run the occasional Windows app rejoiced.
A newly leaked video shows off two coming BlackBerry 10 smartphones from RIM, while also describing an elaborate marketing campaign designed to help launch the devices in the first quarter of 2013.
Smartphones from nearly every manufacturer are exposed to an Android control code vulnerability which can kill a phone's SIM card. The causes of the problem have now been identified

[ MDVSA-2012:155 ] xinetd
[ MDVSA-2012:154 ] apache
Mozilla Firefox/Thunderbird Web Console CVE-2012-3980 Remote Code Execution Vulnerability
Apple CEO Tim Cook today apologized to users for the substandard Apple Maps app in iOS 6, and steered them toward alternatives including Microsoft's Bing app and Google's online Maps.
BYOD is a trend few will be able to escape, nor should they try. But it's no easy task.
Crashing iPhones, dumping network traffic from iOS devices, ZeroAccess botnet distribution, visualising malware and its variants, silently installing malicious Firefox extensions, and Gamma suggests someone is trying to torpedo its trojan business

openCryptoki Multiple Insecure File Creation Vulnerabilities
Xinetd CVE-2012-0862 Security Bypass Vulnerability
On its semi-annual patch day, Cisco has released nine updates that exclusively fix denial-of-service holes - at least according to Cisco's own assessment, which has been known to be inaccurate in the past

Apple CEO Tim Cook is "extremely sorry" to customers for inaccuracies in its new mapping software included in iOS 6, and has pointed users to competing services in an open letter to customers released Friday.
FastJar 'extract_jar()' Archive Extraction Directory Traversal Vulnerability
Adobe is investigating an incident that involved malicious programs with valid digital signatures from Adobe. It appears that the company's internal digital code-signing infrastructure was breached

With the recession hit in 2008, Congress put the idea of a "skills shortage" and a need for more H-1B visas in a closet. This didn't mean that interest in raising the H-1B cap went away for good.
Version 2.10 of the JVM language will gain improvements in classes and asynchronous programming
A year after a flooding disaster in Thailand took out a large portion of hard disk drive production, the industry has fully recovered with shipments to the computer market expected to hit a record level this year.
Computerworld wants to know: What type of tech gear do you most want to give or receive as a holiday present this year? Let us know by taking our quick poll. We'll focus on the most popular product types in our 2012 holiday gift guide.
IT company Telvent has told its customers that project data relating to its SCADA software has been stolen. The software is used to control critical infrastructures such as power grids and pipelines


InfoSec Skills Joins "National Skills Academy for IT" Training Partner Network
PR.com (press release)
InfoSec Skills announces its approval as a Training Partner for the "National Skills Academy for IT" Training Partner Network, putting this relative newbie in the industry alongside the big guns of IBM, Reed Learning, the Open University and Global ...

and more »
Two privacy watchdogs filed a joint letter with the Federal Trade Commission on Thursday alleging Facebook may already be skirting an agreement to be more clear over how it handles user data.
Google said it had no choice but to block a political video in Brazil, after it lost a court appeal.
Internet Storm Center Infocon Status