InfoSec News


White Hat News

Black Hat 2010 – Day Two Roundup
The Tech Herald
One of the places they plan to scout are the InfoSec gatherings, both large and small. However, the tone of the conversation seemed to point to the fact ...
Hackers Don Black Hats in Vegas - PC World
 
The U.S. needs to consider working with other leading nations to develop rules of engagement in cyberspace, retired general and former director of the CIA Michael Hayden said during a keynote address at the Black Hat conference here on Thursday.
 
Google Goggles (free) is an ambitious Augmented Reality (AR) app that uses your Android smartphone camera as input, then tries to match the captured image with relevant search results. When you see something interesting, such as a restaurant or a landmark, and decide you want to know more about it, you can whip out your Android phone and snap a picture. Google Googles then goes to work to serve up information about the restaurant or landmark--often, however, with very mixed results. But when it is used properly, Goggles can be quite useful.
 
In August, 2010, Network World's Microsoft Subnet is giving away 15 copies of the book Using Microsoft Excel 2010. Here is an excerpt that introduced the Excel Web App.
 

Black Hat: Sixty percent of information security professionals believe they're ...
Infosecurity Magazine (US)
In a session entitled 'How to manage your infosec career' at the Black Hat conference in Las Vegas, 29th July 2010, Lee Kushner, president of LJKushner ...

 
McAfee on Thursday signed a deal to acquire tenCube, a provider of a mobile security service that allows users to remotely control their phones in the event they are lost or stolen.

 
Few companies have the research depth to build something like Kinect, Microsoft's forthcoming Xbox add-on that allows a user to control a game through body movements -- in fact, Microsoft itself initially thought it would be impossible, its top research executive said Thursday.
 
Microsoft will ship a beta of Internet Explorer 9 (IE9) in September, a company executive said today.
 
SAP is sprucing up its NetWeaver portal with an upcoming add-on, Enterprise Workspaces, which will provide an iGoogle-like way for users to work with content.
 
Another student this week sued the suburban Philadelphia school district embroiled in allegations of spying on high schoolers using their school-issued laptops.
 
The storage capacity of Blu-ray discs is doubling, with companies including Sharp, TDK and Verbatim preparing to launch new discs that can store up to 100GB of data.
 
An analysis of 120 security assessments at power plants, oil and chemical refineries and other critical systems revealed tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.

 
NetJets is betting that its business customers want Wi-Fi access in the air and has selected Aircell technology to outfit more than 250 of its private planes.
 

TopNews United Kingdom (blog)

Cyber Security Challenge Launched To Address UK Skills Shortage
eWEEK Europe UK
The challenge was first mooted at the Infosec Security Show in April and is modelled on the US Cyber Challenge, but for UK citizens. It will set tasks, ...
Search begins for future IT security pros - V3.co.uk
 
A J.D. Power and Associates report lists T-Mobile USA the top customer services provider among the largest wireless carriers in the U.S.
 
Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010.
 
Technology, like fashion, evolves constantly, but one thing that is always in fashion is saving money.
 
Microsoft is shifting its strategy away from pitching itself as a company that can offer companies a choice of software or hosted services, toward pushing the cloud, an executive said on Thursday at the software giant's annual financial analyst meeting.
 
Google likes to boast that more than 2 million businesses run Google Apps, but IT pros harbor concerns about security in the cloud.
 
IBM on Thursday said it had agreed to acquire data compression technology company Storwize for an undisclosed sum.
 
If you thought you could get advanced features like remote media mounting, remote power reset, and ultraquick screen refreshes in only the big KVM boxes, think again. The $385 Lantronix SpiderDuo stuffs these features, advanced authentication (LDAP, RADIUS, Active Directory), and a pass-through port for local console access all into a portable package that can support as many as eight remote users without a dedicated KVM server. We carry it around the data center for a quick and easy way to set up new boxes.
 

Democracy Now

WikiLeaks Founder Julian Assange: "Transparent Government Tends to Produce ...
Democracy Now
... quote, "'WikiLeaks.org represents a potential force protection, counterintelligence, OPSEC and INFOSEC threat to the US Army'" -- or, in plain English, ...
 
Fellow handler Kevin points us to new developments on this case, announced here ==www.fbi.gov/pressrel/pressrel10/mariposa072810.htm
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Lieberman, Collins, Carper cybersecurity bill would do nothing but slow down real progress and undercut Howard Schmidt's authority, former State of Pennsylvania CISO Robert Maley warns.
 
Potential buyers of Dell's new Streak smartphone are posting multiple angry notes on Dell message boards after the company disclosed this week that the device will no longer be available in the U.S. this month.
 
Amazon has launched two new Kindle e-readers priced at $139 and $189, with the cheaper version a Wi-Fi-only e-reader and $10 less than the Wi-Fi-only Nook.
 
On Monday, Apple updated its entire line of iMac and Mac Pro systems. And while the new Mac Pro models won't be available until sometime in August, the new iMacs are in the Macworld Lab right now!
 
The third-generation Kindle offers smaller size, less wasted real estate around the edges, new button design, new color -- in other words, it's a winner.
 
Amazon.com's new Kindle e-book reader in August could further stoke a price battle between major players in the e-reader market.
 
Oracle said Thursday that rival hardware vendors Dell and Hewlett-Packard intend to certify and resell its Solaris and Enterprise Linux operating systems as well as Oracle VM on their x86 servers.
 
Hackers appear to be increasingly counting on configuration problems and programming errors rather than software vulnerabilities in order to steal information from computer systems, according to a new study from Verizon.
 
New versions of Snort (Beta and Production) are both out. Release notes are here == http://www.snort.org/news/2010/07/28/snort-2-8-6-1-and-snort-2-9-beta-released/



New features that I'm finding interesting in 2.9 (Beta):

A Data Acquisition API (DAQ) is introduced in this version
A byte extract option that bears some investigation - this allows extracted values from one rule to be used in subsequent rule options
Some welcome updates for IPv6
Support for Intel's QuickAssist for use in pattern matching. This is by far the most interesting feature in the bunch (to me at least) - support for hardware based acceleration (on boxes that have this feature). QuickAssist uses FSB attached FPGAs for this, so builds on previous FPGA work. Attaching the FPGAs to the server FSB overcomes previous limitations in FPGA I/O rates (talk about the sledgehammer approach!); this likely raises the maximum throughput for Snort considerably!

More info on QuickAssist, and Snort's integration with it, can be found here == http://www.intel.com/technology/platforms/quickassist/

and here ==http://download.intel.com/embedded/applications/networksecurity/324029.pdf

If anyone has used the new QuickAssist feature and has formal or informal benchmarks, please feel free to comment!
=============== Rob VandenBrink, Metafore =============== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Paul wrote in to tell us about the new version of NoScript just out ==http://noscript.net/
The main new feature is protection against Craig Heffner's DNS rebinding attack that's getting some press, which will be presented at Black Hat this week ==http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Heffner
The protection is pretty simple - look up the public IP of the workstation, and place it in the LOCAL pseudo list. It uses a public site https://secure.informaction.com/ipecho for this - I can't comment at this time if this is a safe site to use for this or not.
If anyone has more info on this please feel free to comment.
=============== Rob VandenBrink Metafore =============== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
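The check the diary describes (treat the workstation's own public address like the rest of the LOCAL pseudo-list, and refuse to let a hostname that resolves into that list be reached as if it were a remote site) is small enough to show in full. The block below is an added illustration, not NoScript's code: the hostname-to-address table is constructed, the public IP is the documentation address 203.0.113.7 instead of anything fetched from ipecho, and the set of networks in `local_pseudo_list` is my assumption of what "LOCAL" covers.

```python
import ipaddress

# Constructed DNS answers standing in for real resolver results.
# evil.example.net returns a second answer inside the LAN, which is the
# shape a rebinding attempt takes; self.example.org points at the
# workstation's own public address.
FAKE_DNS = {
    "cdn.example.com": ["198.51.100.10"],
    "evil.example.net": ["198.51.100.20", "192.168.1.1"],
    "self.example.org": ["203.0.113.7"],
    "loop.example.org": ["127.0.0.1"],
}

# Assumed public IP of the workstation (documentation range, constructed).
WORKSTATION_PUBLIC_IP = "203.0.113.7"


def local_pseudo_list(public_ip):
    """Networks treated as 'local' (assumed list: RFC 1918, loopback,
    link-local, ULA) plus the workstation's public IP as a /32 or /128,
    mirroring the diary's 'put the public IP in the LOCAL pseudo list'."""
    nets = [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
        ipaddress.ip_network("127.0.0.0/8"),
        ipaddress.ip_network("169.254.0.0/16"),
        ipaddress.ip_network("::1/128"),
        ipaddress.ip_network("fc00::/7"),
        ipaddress.ip_network("fe80::/10"),
    ]
    # ip_network() on a bare address yields a single-host network.
    nets.append(ipaddress.ip_network(public_ip))
    return nets


def is_local(ip, nets):
    """True if the address falls in any local network; ipaddress returns
    False for a mismatched IP version, so mixed v4/v6 lists are safe."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_host(hostname, public_ip=WORKSTATION_PUBLIC_IP, resolver=FAKE_DNS):
    """Return ('block', offending_ip) if any answer for hostname lands in
    the LOCAL pseudo-list, else ('allow', None). Every answer is checked,
    not just the first, because rebinding relies on a later answer."""
    nets = local_pseudo_list(public_ip)
    for ip in resolver.get(hostname, []):
        if is_local(ip, nets):
            return ("block", ip)
    return ("allow", None)


if __name__ == "__main__":
    for host in FAKE_DNS:
        verdict, ip = check_host(host)
        print(f"{host}: {verdict}" + (f" (resolves to {ip})" if ip else ""))
```

The point worth noticing is the last comment in `check_host`: a rebinding defence that only inspects the first resolver answer, or only the answer seen at page load, misses the case the diary is about, where the hostname is re-resolved to an internal address after the page is already trusted.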
 
The Microsoft Vulnerability Research program said Wednesday that third party developers have patched less than half the bugs it reported to them over the past 12 months.
 
Videos can be used and reused for any number of purposes, so it's vital to allow end users to find exactly what they're looking for. Here are some pointers.
 
Researchers at the Black Hat conference this week said that China is becoming a hotspot for hacking activities at least partly due to easy access to malware tools.
 
Enterprise data explosion threatens to overwhelm storage systems, particularly the backup tier. Here's how data deduplication can help
 
Nintendo will announce details of a new product on Sept. 29, it said Thursday. The tight-lipped company wouldn't provide any more details, but with its 3DS handheld due to be launched in the coming months the chances are high it will be detailing launch and price details for the highly-anticipated product.
 
Barnaby Jack hit the jackpot at Black Hat on Wednesday. Twice.
 
NBC's new TV show Outsourced, about one of the most politically-sensitive business practices today, is taking a humorous look at cultural differences. It premiers on Sept. 23. The show's co-executive producer, Alexandra Beattie, answered some questions about the show via e-mail.
 
NBC's Outsourced is set to delve into offshoring. Computerworld talks to real-life outsourcers and people who have worked as managers in India for their take on the show.
 
LG Electronics plans to launch its first tablet device in the fourth quarter, running Google's Android mobile software, it said Thursday.
 
InfoSec News: Researcher Exposes Massive Automated Check Counterfeiting Operation Out of Russia: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226300183
By Kelly Jackson Higgins DarkReading July 28, 2010
BLACK HAT USA -- Las Vegas -- A researcher has blown wide open a sophisticated online check-counterfeiting operation out of Russia that [...]
 
InfoSec News: Security researcher demonstrates ATM hacking: http://news.cnet.com/8301-1009_3-20012019-83.html
By Declan McCullagh CNet News Security July 28, 2010
LAS VEGAS -- Hacking into an ATM isn't impossible, a security researcher showed Wednesday. With the right software, it's actually pretty easy.
Barnaby Jack, director of security testing at Seattle-based IOActive, hauled two ATMs onto the Black Hat conference stage and demonstrated to a rapt audience the fond daydream of teenage hackers everywhere: pressing a button and having an automated teller machine spew out its cash until a pile of paper lay on the ground.
"I hope to change the way people look at devices that from the outside are seemingly impenetrable," said Jack, a New Zealand native who lives in the San Jose area. One vulnerability he demonstrated even allows a hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to disgorge its entire supply of cash.
Jack said he bought the pair of standalone ATMs--one manufactured by Tranax Technologies and the other by Triton--over the Internet and then spent years poring over the code. The vulnerabilities and programming errors he unearthed during that process, Jack said, let him gain complete access to those machines and learn techniques that can be used to open the built-in safes of many others made by the same companies.
[...]
 
InfoSec News: DHS official fields hard questions at Black Hat: http://www.computerworld.com/s/article/9179789/DHS_official_fields_hard_questions_at_Black_Hat
By Robert McMillan IDG News Service July 28, 2010
The U.S. Department of Homeland Security sent its highest-ranking official ever to speak at the Black Hat conference this week, and its [...]
 
InfoSec News: Android wallpaper app that steals your data was downloaded by millions: http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/
By Dean Takahashi Mobile Beat July 28, 2010
A questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, has been downloaded millions of times, according to data unearthed by mobile security firm Lookout.
That means that apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin MaHaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas today.
“Even good apps can be modified to turn bad after a lot of people download it,” MaHaffey said. “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”
The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.
[...]
 
InfoSec News: BlackBerry agrees to address India's security concerns: MHA: http://timesofindia.indiatimes.com/business/india-business/BlackBerry-agrees-to-address-Indias-security-concerns-MHA/articleshow/6232306.cms
The Times of India July 29, 2010
NEW DELHI: The government today said the makers of BlackBerry - Research in Motion (RIM) - has given an assurance to it on soon addressing its security concerns and hoped that the Canadian service provider and security agencies would be on the "same page".
"BlackBerry has assured the Ministry of Home Affairs that the issue of monitoring of the BlackBerry will be sorted out soon...I am sure we will soon be on the same page and our concerns will be addressed," Special Security (Internal Security) in the MHA Utthan Kumar Bansal told reporters on the sidelines of a function here.
Government has already warned the popular smartphone company that if it does not allow it to monitor emails and SMSes to address security concerns, it will have to close down operations in the country, spelling trouble for over a million BlackBerry users in India.
The government has said the RIM will have to address its security-related issues by allowing monitoring facility in India.
[...]
 
Chip giant Taiwan Semiconductor Manufacturing Co. (TSMC) reported its best quarterly net profit and sales ever in the second quarter, and predicted the third quarter will be even better.
 

Posted by InfoSec News on Jul 29

http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226300183

By Kelly Jackson Higgins
DarkReading
July 28, 2010

BLACK HAT USA -- Las Vegas -- A researcher has blown wide open a
sophisticated online check-counterfeiting operation out of Russia that
used a combination of a VPN'ed botnet, Zeus, and Gozi Trojans, SQL
injection attacks, and money mules to print around $9 million worth of
counterfeited U.S....
 

Posted by InfoSec News on Jul 29

http://news.cnet.com/8301-1009_3-20012019-83.html

By Declan McCullagh
CNet News
Security
July 28, 2010

LAS VEGAS -- Hacking into an ATM isn't impossible, a security researcher
showed Wednesday. With the right software, it's actually pretty easy.

Barnaby Jack, director of security testing at Seattle-based IOActive,
hauled two ATMs onto the Black Hat conference stage and demonstrated to
a rapt audience the fond daydream of teenage hackers...
 

Posted by InfoSec News on Jul 29

http://www.computerworld.com/s/article/9179789/DHS_official_fields_hard_questions_at_Black_Hat

By Robert McMillan
IDG News Service
July 28, 2010

The U.S. Department of Homeland Security sent its highest-ranking
official ever to speak at the Black Hat conference this week, and its
Deputy Secretary Jane Holl Lute ended up fielding a few tough questions
from skeptical computer security professionals in attendance.

During a question-and-answer...
 

Posted by InfoSec News on Jul 29

http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/

By Dean Takahashi
Mobile Beat
July 28, 2010

A questionable Android mobile wallpaper app that collects your personal
data and sends it to a mysterious site in China, has been downloaded
millions of times, according to data unearthed by mobile security firm
Lookout.

That means that apps that seem good but are really stealing your...
 

Posted by InfoSec News on Jul 29

http://timesofindia.indiatimes.com/business/india-business/BlackBerry-agrees-to-address-Indias-security-concerns-MHA/articleshow/6232306.cms

The Times of India
July 29, 2010

NEW DELHI: The government today said the makers of BlackBerry - Research
in Motion (RIM) - has given an assurance to it on soon addressing its
security concerns and hoped that the Canadian service provider and
security agencies would be on the "same page"....
 
Sony returned to profitability in the second quarter, helped by strong sales of key products, prompting it to raise its profit outlook for the full year on Thursday.
 

Information security in 2020
Infosecurity Magazine
Information security history, he continues, has shown us that the infosec evolution has always been symmetric, and there is no reason to think that symmetry ...

 
This year's data breach report continues this valuable narrative. This year's report is based on a larger case sample than in previous years, thanks to a partnership with the United States Secret Service, who contributed information on a few hundred of their cases this year. Many of the findings echo those of previous years (excerpts below).


Who is behind Data Breaches?

70% resulted from external agents

48% caused by insiders

11% implicated business partners

27% involved multiple parties



How do breaches occur?

48% involved privilege misuse

40% resulted from hacking

38% utilized malware

28% involved social tactics

15% comprised physical attacks



What commonalities exist? (this was the interesting section for me)

98% of all data breached came from servers

85% of attacks were not considered highly difficult

61% were discovered by a third party

86% of victims had evidence of the breach in their log files

96% of breaches were avoidable through simple or intermediate controls

79% of victims subject to PCI DSS had not achieved compliance



Come on! Not only don't folks seem to be implementing some basic protections, but when they're told that they've been compromised (in their log files), no-one is listening! I guess this isn't much different than in previous years, but it'd be nice to see a positive trend here.



I'm not sure that I believe the low numbers for government data breaches (4%). I guess the report can only summarize data from cases that are seen by the incident handlers.
Find the full report here ==http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Take a few minutes to read it over coffee this morning - I found it a good read, and just about the right length for that first cup!
=============== Rob VandenBrink, Metafore ===================== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
