(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A group claiming responsibility for a string of cyberattacks against several major U.S. banks over the past four months today said that it has suspended its campaign in response to YouTube's apparent removal of a controversial anti-Muslim video.

Rob VandenBrink
More CISOs may be taking on data privacy management. Fortunately, old, outdated privacy laws may lend them a helping hand.

libupnp Multiple Buffer Overflow Vulnerabilities
Software defined networking (SDN) offers significant opportunities and challenges for enterprise IT professionals. SDN has the potential to make networks more flexible, reduce the time to provision the network, improve quality of service, reduce operational costs, and make networks more secure.
Many large companies are embracing internal social networks, but for the most part, they're not getting much good from them, according to analyst firm Gartner.
Yahoo CEO Marissa Mayer says the company plans on a big comeback in the Internet search business, which means directly taking on industry giant Google.
As more and more smartphone and tablet users shop via their mobile devices, being able to accept mobile payments is becoming a more important element of ecommerce. But does it make sense for your business? Mobile payment service providers Square, PayAnywhere, PayPal and Bank of America discuss fees, security and which types of business would benefit the most.
The U.S. Department of Justice and the Department of Homeland Security have asked for more time to consider Softbank's proposed takeover of Sprint Nextel, a move that may signal a rough road ahead for the US$20 billion deal.
Foursquare has launched a new mobile app aimed at making it easier for the 1 million business owners using the service to connect and share news with customers.
Sun Solaris sendfile(3EXT) and sendfilev(3EXT) Local Denial Of Service Vulnerability

This was a quote from a recent conference call hosted by Oracle (details on the call are here: http://www.scmagazine.com/oracle-speaks-promises-to-get-java-fixed-up/article/277898/ ). In that call, Oracle's full quoted statement is: "The plan for Java security is really simple, it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other."

This sounds very positive, right? With Java 6 rolling into unsupported status soon, and real problems (and no emphatic fix in sight) in Java 7, this sounds like good news for folks who need Java day-to-day, in support of real business functions.

Ummm - not so much for me. (Personal opinion follows.) They make it sound like this might be something they can do in a couple of weeks, and fix with a service pack or a version update. When Microsoft was in a similar situation, they shut down development completely and re-tooled their methodology. I think Oracle is in a similar situation right now, but aren't coming clean like Microsoft did back in the day (2002 - it doesn't seem that long ago to me ...)

While the current round of vulnerabilities in Java can certainly be resolved in the current framework, I think that if they don't retool their Development, Test and QA methodologies to place a higher emphasis on Security in the final product, we'll be having this same discussion again and again.

Putting a change freeze in for new features would be another excellent thing to do. Given recent events, freezing dev for an audit and security effort is likely a really good idea. I get the impression that in the race for new features, there's a significant technical debt on the security side that is coming home to roost.

I think that Oracle, and a few others while we're discussing it, need to take a close look at what Microsoft did those few short years ago, and make some big changes on how things get written and rolled out.

Again, just my opinion. Feel free to set me straight (or even agree with me) in our comment form.


Rob VandenBrink

New legislation introduced by a bipartisan group of 10 U.S. senators would nearly double the number of H-1B visas that companies can get each year to hire foreign high-skill workers, including technology employees.
As expected, Microsoft today updated Office for Mac 2011 to work with the new Office 365 Home Premium software-by-subscription plan the company debuted Tuesday.
Infor is being sued by a Puerto Rican tax authority on grounds that its failure to maintain software used by the organization racked up US$9 million in costs.
Oracle Sun Products Suite CVE-2012-3123 Remote Solaris Vulnerability
The US plans a substantial expansion for its cyber security force, increasing the headcount from 900 to 4,900 in the next few years

LibTIFF 'tif_lzw.c' Remote Buffer Underflow Vulnerability
Oracle Solaris CVE-2012-0098 Local Solaris Vulnerability
Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in order to address a critical remote code execution vulnerability.
Sun Solaris NFS Version 4 Kernel Module Local Denial Of Service Vulnerability
JNLPAppletLauncher Arbitrary File Creation Vulnerability
Apple today doubled the maximum storage space of its fourth-generation iPad to 128GB, and announced it would start selling the new tablet next week.
It's been a long time since anyone got excited about the Flickr app for iPhone. Its longevity, its association with a tired, clunky website, its inherent weaknesses and limitations, and the rise of powerful competitors heavily depressed its initial "wow" factor. It did not help that the free iOS program languished for years under Yahoo's neglect.
Re: Wordpress Valums Uploader - File Upload Vulnerability
Office 365 Home Premium, Microsoft's new subscription-based version of Office 2013, lets you use your applications anywhere. But does it really cost less than the client version?
Ruby on Rails 'convert_json_to_yaml()' Method Security Vulnerability
libvirt 'virNetMessageFree()' Function Use After Free Code Execution Vulnerability
Adobe Reader XI versions are vulnerable to a heap overflow
XSS in Elgg 1.8.12, 1.7.16 (core module "Twitter widget")
APPLE-SA-2013-01-28-2 Apple TV 5.2
Hitachi today announced the industry's highest-capacity 10,000rpm enterprise-class hard drive, the Ultrastar C10K1200.
The universe of Windows Media Center Extenders--a class of networking hardware that enables you to connect the PC in your den to the TV in your living room--rapidly shrunk to just one device after Microsoft rendered its Xbox gaming console capable of the trick. Now Ceton is trying to carve out a niche in this space with its Echo--a component barely larger than a Roku box.
ESA-2013-010: EMC AlphaStor Buffer Overflow Vulnerability
Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities
Unauthenticated remote access to D-Link DCS cameras
Kohana Framework v2.3.3 - Directory Traversal Vulnerability
Chatting online is easier than ever; chatting securely, not so much. The chat clients built into Facebook and Gmail emphasize ubiquity and ease of use over encryption. Cryptocat is one chat client that says you can have both security and convenience, and made quite a splash upon arrival.
AppSense has released MobileNow, a cloud-based service that combines device and application administration features, as it hopes to take a bite out of the growing mobile management market.
Users of Rails 2.3.x and 3.0.x need to upgrade as soon as possible as the Rails developers have fixed an "extremely critical" flaw that affects those versions of the Ruby-based web framework

At the CanSecWest conference, Google is sponsoring the Pwn2Own challenge as well as putting up $3.14159 million for hackers who find exploits in Chrome OS for its own Pwnium competition.

[SE-2012-01] An issue with new Java SE 7 security features
Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard, security researchers from Rapid7 said Tuesday in a research paper.
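To make that exposure checkable, here is an added example in Python; it is not code from the Rapid7 paper or from this page. It builds the SSDP M-SEARCH datagram that UPnP discovery uses, parses the HTTP-style replies defensively, and flags responders whose SERVER banner carries the "Portable SDK for UPnP devices" string that the libupnp stack advertises. The sample reply embedded below is constructed (the version number in it is deliberately fake), and mapping a banner version to a specific flaw is left to the reader. A reply to a unicast probe aimed at your own public address is the condition the paper describes: SSDP answering on the Internet-facing side.

```python
"""SSDP/UPnP discovery probe and reply parser (added example, not from the original page)."""
import socket
import sys
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = "239.255.255.250"   # UPnP multicast group
SSDP_PORT = 1900
LIBUPNP_BANNER = "Portable SDK for UPnP devices"   # SERVER token used by libupnp


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Return an M-SEARCH datagram in the UPnP Device Architecture format."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into {HEADER-NAME: value}.

    Returns None for anything that is not a 200 reply (NOTIFY chatter, junk).
    Lines without a colon are skipped and values are capped so a malformed
    device reply cannot blow up the scanner.
    """
    text = datagram.decode("latin-1")          # never raises; bytes map 1:1
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().upper()] = value.strip()[:512]
    return headers


def is_libupnp(headers: Dict[str, str]) -> bool:
    """True if the SERVER banner identifies the libupnp stack."""
    return LIBUPNP_BANNER in headers.get("SERVER", "")


def summarize(headers: Dict[str, str], src: str) -> str:
    """One-line record: responder, SERVER banner, LOCATION of the description XML."""
    return (f"{src} server={headers.get('SERVER', '?')!r} "
            f"location={headers.get('LOCATION', '?')!r}")


def probe(target: str = SSDP_ADDR, timeout: float = 3.0) -> List[Tuple[str, Dict[str, str]]]:
    """Send one M-SEARCH (multicast by default, unicast if `target` is a host) and
    collect every 200 reply that arrives within `timeout` seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.settimeout(timeout)
    results: List[Tuple[str, Dict[str, str]]] = []
    try:
        sock.sendto(build_msearch(), (target, SSDP_PORT))
        while True:
            try:
                data, (src, _port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                results.append((src, headers))
    finally:
        sock.close()
    return results


# Constructed sample reply for offline use; the version string is deliberately fake.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/3.0, UPnP/1.0, Portable SDK for UPnP devices/0.0.0\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # Usage: python ssdp_probe.py            (multicast on the local segment)
    #        python ssdp_probe.py 198.51.100.7   (unicast to one address)
    dest = sys.argv[1] if len(sys.argv) > 1 else SSDP_ADDR
    for src, hdrs in probe(dest):
        print(summarize(hdrs, src) + (" [libupnp]" if is_libupnp(hdrs) else ""))
```

Devices typically answer once per service they expose, so expect several lines per host; the LOCATION URL points at the device description XML, which is the next thing to pull when inventorying what is exposed.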
With Office 365 Home Premium, Microsoft brings excellent cloud features and pay-as-you-go pricing to the world's best office suite
If you adopt just one security tool this year, make it KeePass. This free and open-source password manager is available for Windows, with unofficial ports for iOS, Android, Linux, and Mac OS X. A secure, lengthy, completely random password goes a long way towards improving your security--and having a separate password for each and every website and service you use is the single most important thing you can do to keep secure.
Microsoft will begin selling worldwide on Tuesday the new consumer version of the Office suite, making it available both via a subscription model and perpetual licenses.
IT spending growth in the Asia-Pacific region is expected to slow as countries including China and India grapple with emerging economic issues as a result of the world economic crisis, according to research firm Forrester.
U.S. phone unlocking services face the biggest legal risk from mobile operators keen to enforce a change in copyright law that now makes it illegal to modify a mobile device to work on another network, according to the Electronic Frontier Foundation.
The new iOS version 6.1 fixes around 20 security vulnerabilities, most of them in the underlying WebKit browser engine, which could have permitted code injection

WordPress Multiple Security Vulnerabilities
WordPress Plupload Plugin 'id' Parameter Cross Site Scripting Vulnerability
RETIRED: Apple iPhone/iPad/iPod touch Prior to iOS 6.1 Multiple Vulnerabilities
Microsoft will launch Office 2013 and new Office 365 subscription plans today, a move that also starts the countdown clock ticking for the expiration of free previews the company distributed last year.
Actian, formerly Ingres, is to acquire Pervasive Software, a vendor of cloud-based and on-premises software for data management and analysis. The deal is targeted at the growing big data market.
Google has published detailed maps of North Korea, based on information entered by users via its online Map Maker tool.
VMware said it will cut 900 jobs in a move to focus more on high potential businesses, as profits remained strong but growth slowed.
The company has less to "communicate" and a lot more to fix after researcher claims he has completely bypassed the latest defences to drive-by Java exploitation

The Pentagon is planning to expand its cyber security force nearly five fold over the next several years in a bid to bolster its defensive and offensive computer capabilities.
Motorola Solutions believes workplaces will find value in rugged handheld mobile computers that cost several times more than consumer-focused smartphones, but lasts much longer.
Elgg 'params[twitter_username]' Parameter HTML Injection Vulnerability

Posted by InfoSec News on Jan 28


By Liau Yun Qing
January 29, 2013

Online crimes such as fraud and personal information theft have cost China 289
billion yuan (US$46.4 billion) in 2012, but the lack of legal support makes it
tough for local authorities to reduce the losses.

Citing a study by the People's Public Security University of China on Internet
crimes in the country, Global...

Posted by InfoSec News on Jan 28


By Iain Thomson in San Francisco
The Register
29th January 2013

Google has announced the target for its third Pwnium hacking contest, to be
held at this year's CanSecWest security conference, with $3.14159m in prize
money for the researchers who can successfully crack its Chrome OS operating

And yes, that figure is derived from the first six digits of π.


Posted by InfoSec News on Jan 28


[Son of Stuxnet? -- WK]

January 27, 2013

Israel’s Home Front Defense Minister Avi Dichter on Sunday welcomed a report
that Iran’s Fordo nuclear facility had been rocked by a huge explosion.

The report was published Friday on the website wnd.com, under the sensational
headline: “Sabotage! Key Iranian nuclear...
ZoneMinder Remote Multiple Arbitrary Command Execution Vulnerabilities