InfoSec News

Firefox 3.6.6 with crash protection is now available, and according to Mozilla it "provides uninterrupted browsing for Windows and Linux users when there is a crash in the Adobe Flash, Apple Quicktime or Microsoft Silverlight plugins. If a plugin crashes or freezes, it will not affect the rest of Firefox. You will be able to reload the page to restart the plugin and try again."
 
Adobe has released the update it promised earlier this month for Reader and Acrobat (the Flash Player 10.0.45.2 code execution issue).

It addresses the following vulnerabilities, including the recently announced CVE-2010-1297:

CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297, CVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, CVE-2010-2212



The new version is 9.3.3 and the Security Bulletin is here:

http://www.adobe.com/support/security/bulletins/apsb10-15.html
More details can be found at:

http://blogs.adobe.com/adobereader/2010/06/adobe_reader_and_acrobat_933_a.html
Don Smith (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
If you didn't realize how pervasive video technology research is at Cisco Systems, consider these product previews offered up by Marthin De Beer, senior vice president of emerging technologies.
 
The JonDoFox utility creates a customized Firefox profile that automatically uses the separately installed JonDo program, as well as a number of privacy and security-themed Firefox addons, to allow for anonymous, protected surfing. It's a nicely configured setup that takes very little effort to set up--but using the JonDo option does mean dealing with a major slowdown.
 
The exterior of the Gateway NV59C09 is a subtly rippling silver with black edging and an understated "Gateway" logo on the top. The LED-backlit 15.6-inch screen set to a 16-by-9 aspect ratio scores, too: It's small enough for easy portability, yet roomy enough to let you dig into work or games. At 15 inches wide, 9.96 inches front to back, 1.22 to 1.34 inches thick, and 5.5 pounds (6.3 pounds including the charger), the NV59C09 isn't too big or too heavy. Nevertheless I didn't come away believing that this all-purpose laptop was worth the asking price of $799.
 
Lenovo's new L-Series ThinkPads--of which the L412 is one--are attractively priced, business-oriented laptops with a green twist: They're made with up to 30 percent post-consumer waste and shipped in almost 100 percent recycled packaging. The professional-looking L412 has a decent screen and speakers, and its low starting price makes it an ideal choice for the eco-conscious businessperson.
 
Hackers have broken into the payment processing system of Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii.
 
Hearsay in recent days that Google is working hard on a project to better compete against Facebook has captured the attention of industry observers, who wonder what shape this initiative might take and what is its likelihood of success.
 
The long wait for Verizon users to get their hands on the Apple iPhone could be over early next year, according to a Bloomberg report.
 
Java founder offers mixed outlook for Oracle's handling of the technology
 
Root Wireless is still working on a commercial offering that will help enterprises choose and monitor cellular service providers, but it plans to release a new consumer client designed for the "wow factor" in a few weeks.
 
The U.S. Federal Communications Commission must move quickly to set limits on the rates that large telecom carriers charge businesses and competitors for middle-mile access because AT&T is planning significant rate increases in July, a group of competitors, consumer groups and business customers said.
 
In an effort to maintain its Chinese business, Google is no longer redirecting search requests from China to its Hong Kong site.
 
McAfee fully integrates its acquisition of MX Logic, rolling out a cloud-based antimalware Web filtering service aimed primarily at small and mid-sized businesses.

 
So out of the blue today, I click a link embedded in an e-mail, and Outlook gives me this error:
 
PC maker Dell has been accused of selling thousands of desktop PCs despite knowing the machines contained faulty components, according to recently unsealed court documents first reported about on Tuesday by The New York Times.
 
Cisco Systems today unveiled the Cius, a 7-in. touch-screen tablet computer that runs the Android operating system and is sure to be compared to the Apple iPad.
 
Much has been made of Microsoft's decision to retire this aging OS. Why Bill Brenner thinks we should be happy about its impending death.
 
HannStar Display, a Taiwanese maker of liquid crystal displays (LCDs), has agreed to plead guilty and pay a $30 million fine for participating in a global conspiracy to fix prices of the displays, the U.S. Department of Justice said.
 
Cisco Systems on Tuesday announced the Cisco Network Building Mediator Manager 6300, a platform to manage all the systems in an enterprise that consume energy, across all the organization's facilities.
 
Cisco Systems took another step into the consumer market today by announcing a Home Energy Controller device that homeowners could buy from local utilities to help with energy conservation.
 
Taking a page from Mozilla's security playbook, Google plans to block outdated plug-ins from launching in its Chrome browser.
 

Pamela Fusco, VP, Industry Solutions, Solutionary to Speak at KC's Event on ...
PR-USA.net (press release)
Pamela is certified and accredited as a CISSP, CISM, CHS Level III, National Security Agency INFOSEC Assessment Methodology Auditor (AIM Auditor), ...
 
With the way the RogueAV teams are using SEO to poison search results, one of the isc.sans.org readers, Andy, submitted this idea in response to this article by Bojan:

http://isc.sans.edu/diary.html?storyid=9085



If search engines were to ignore everything that is not visible on a page they crawl, then a lot of this malware would lose its stealth.

Drop all hidden, non-formatted, and even white text on a white background.

It would improve search results.



Google may already be doing something like this, as it is not getting hit as hard as some other search engines in the FakeAV SEO poisoning attacks.

Thanks Andy. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
As promised, AT&T today started selling the iPhone 4 to walk-in customers, but many stores quickly ran dry.
 
Seagate today unveiled its highest capacity external hard disk drive for desktops, a 3.5-inch-wide 3TB model that can connect using USB 2.0, USB 3.0 or FireWire 800.
 
Versata Software lodged a complaint against SAP with the European Commission on Tuesday, claiming that the vendor illegally blocked it from selling its pricing software to SAP customers.
 
Hewlett Packard has brought Avaya into its alliance partners program in a move that will help it compete against Cisco by offering more choices to customers interested in unified communications and contact centers.
 
Cloudera has unveiled a new set of Hadoop management tools, called Cloudera Enterprise, that the company will offer for an annual subscription fee. It also updated its open-source distribution package of Hadoop.
 
With a feature dubbed "Noise Blackout Extreme," the Jabra Extreme clearly takes noise cancellation seriously. Priced at $80 (as of June 28, 2010), the Extreme plants the company's latest audio technology in a lightweight shell to create an excellent-sounding unit that's ready for the noise of the big city--or of a busy household.
 
People who are determined to lie and steal will do so. And if that's the case, Monday's Supreme Court ruling on the Sarbanes-Oxley law's oversight board doesn't touch the real question, says one CIO: does a law that today boils down to inexperienced auditors armed with checklists have any value any more?
 
On Monday, a number of Russian nationals got arrested for espionage against the US [1]. With all the talk and attention paid to cyber spies, spear phishing, APT and new high tech satellites and drones, it is almost refreshing to see that good old fashioned human spies are still used and apparently found valuable. Skynet hasn't taken over quite yet. However, the story has a few neat cyber security lessons.
Lesson 1: Encrypt your WiFi
The spies evidently used WiFi networks to communicate. However, instead of all of them connecting to a particular access point, they established ad-hoc networks. This idea is interesting in so far as it does make remote surveillance of the connection a bit harder: the FBI had to have a listening post close by in order to intercept the connection. It appears the FBI used to be parked close to coffee shops and such frequented by the spies in order to observe them meeting with their embassy contacts. The FBI was able to intercept the communication, and apparently used MAC addresses to track the participants. It is not clear if any kind of encryption was used for the WiFi connection, but ad-hoc networking would only allow for WEP unless encrypted chat software is used.
As a sub-lesson one may take away that, as a spy, you should change your MAC address to avoid tracking. But it is not clear if this would have made a difference.
One neat side effect of this meeting method: The participants of the meeting never had to acknowledge each other visibly.
Lesson 2: Keep your password secure
The FBI had been following these spies for a while. A few years back, the FBI secretly searched the homes of some of the spies, copying various hard disks in the process. Small problem: the hard disk was encrypted. Luckily, an observant FBI agent noted a piece of paper during the search with a long number/letter combination. It turned out to be the password. This was critical, as it allowed the agents not only to decrypt the hard disk, but, after decrypting it, to find steganography software and other encryption tools, as well as lists of web sites used to exchange steganographic messages.
Lesson 3: Obscurity != Security
The spies to some extent used steganography to exchange messages. These messages were encoded into an image and then uploaded to various web sites. As explained above, the FBI was able to obtain a list of these sites and the software used to encode them. However, at least according to some reports, the messages were not encrypted. Typically, if you want to do steganography right, you first encrypt the message and then encode it in an image, in particular if you use standard software to perform your steganography. (Update: some reports mention that the messages had been encrypted before encoding them into the images.)
Lesson 4: Perfect forward secrecy
Perfect forward secrecy is an important cryptographic concept. You never want to use an old password to encrypt the new password. If you do, once an attacker has figured out one password, they will be able to decrypt all future passwords. It appears that the spies frequently made arrangements about future meetings and communication protocols over insecure channels (like the ad-hoc WiFi). In some ways this may also be considered as relying on obscurity again.
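The cascade Lesson 4 describes, as an added demonstration that is not from the diary: a toy cipher (SHA-256 keystream XOR, only for illustration) and two transcript models, one where each message carries the next key under the current one and one where every meeting key is agreed independently, plus an attacker who captured all ciphertexts but learned only the first key.

```python
"""Lesson 4 illustrated: a key sent under the previous key has no forward secrecy.
Added demo, not from the diary. The cipher is a toy (SHA-256 keystream XOR, fine
for the illustration, never for real use); the two transcript functions model the
"old password encrypts the new password" habit versus keys agreed independently."""
import hashlib
import secrets

def toy_encrypt(key: bytes, msg: bytes) -> bytes:
    """XOR msg with SHA-256(key || block counter); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(msg), 32):
        keystream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(msg[i:i + 32], keystream))
    return bytes(out)

toy_decrypt = toy_encrypt

def chained_transcript(first_key: bytes, meetings: int) -> list:
    """What the diary warns against: each message carries the key for the next one."""
    transcript, key = [], first_key
    for n in range(meetings):
        next_key = secrets.token_bytes(16)
        plaintext = b"meeting %d ok; next key=" % n + next_key.hex().encode()
        transcript.append(toy_encrypt(key, plaintext))
        key = next_key
    return transcript

def independent_transcript(keys: list) -> list:
    """Forward-secret variant: every meeting key is agreed separately and never
    sent under an old key; the keys list stands in for that out-of-band exchange."""
    return [toy_encrypt(k, b"meeting %d ok" % n) for n, k in enumerate(keys)]

def attacker_reads(known_key: bytes, transcript: list) -> list:
    """Attacker captured every ciphertext but learned only one key (say, from a
    note found during a search, as in Lesson 2). Returns what they can read."""
    readable, key = [], known_key
    for ciphertext in transcript:
        plaintext = toy_decrypt(key, ciphertext)
        if not plaintext.startswith(b"meeting"):
            break  # wrong key gives garbage, and there is nothing to chain on
        readable.append(plaintext)
        if b"next key=" in plaintext:  # the chained scheme hands over the next key
            key = bytes.fromhex(plaintext.split(b"next key=")[1].decode())
    return readable
```

With the chained scheme one compromised key reads the whole transcript; with independent keys the same compromise reads exactly one message.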
[1] http://newyork.fbi.gov/dojpressrel/pressrel10/nyfo062810a.htm

various other news reports like:
http://www.cnn.com/2010/POLITICS/06/28/russian.spying.arrests/index.html?hpt=T1

http://www.guardian.co.uk/world/2010/jun/29/russian-spies-uk-irish-passports

http://www.dailymail.co.uk/news/worldnews/article-1290475/U-S-charges-Russian-spies-FBI-swoop-Cold-War-style-espionage-plot.html

http://www.nytimes.com/2010/06/30/world/europe/30spy.html?hp

http://www.theregister.co.uk/2010/06/29/spy_ring_tech/

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In my SANSFire presentation I described how and why to automate parts of the security testing process. The slides are posted here (handlers.dshield.org/adebeaupre/deBeaupre-SANSFire2010v011.pdf). Part of the process involves taking tool outputs, parsing them, and then importing the results to a database. In the example I am giving here we are taking nmap XML output, parsing it using a Perl script and the Nmap::Parser (code.google.com/p/nmap-parser/) module, and then importing it to a MySQL database. The script I'm using is based on work by Paul Haas found here (www.redspin.com/blog/2009/10/27/nmap-database-output-xml-to-sql/). The table schema he uses is one of the better ones I have seen for nmap data storage. One of the major things the script lacks is the ability to parse nmap NSE output, still a work in progress. In any case the script is found here (handlers.dshield.org/adebeaupre/nmap_xml2mysql-v011.pl). The structure of the script is straightforward:

Main - reads command line arguments and calls the other functions

Usage - prints out a usage message if no command line arguments are provided

CreateTables - creates the database tables

Nmap_info - reads in the XML file and populates the tables

Db_output - outputs a success message
Unfortunately it needs some more work, but does the trick. I am more than open to suggestions, or better ways of doing things. Part II will be a script to import v2 .nessus files into a MySQL database, also in perl. Let us know if you use this script, something like it, or some other technique to manage security test data. Contact us or use the comment fields below.
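The same pipeline (create tables, read the nmap XML, populate the tables) as an added example in Python rather than the diary's Perl script, assuming only the standard library and using an in-memory SQLite database as a stand-in for MySQL; the tables are a simplified layout of my own, not Paul Haas's schema, and NSE script output is stored as well, which the diary says its script cannot do yet.

```python
"""Load nmap XML (-oX) output into a relational database.
Added example, not the diary's Perl script: Python stdlib only, with an in-memory
SQLite database standing in for MySQL. The tables are a simplified layout of my own
(not Paul Haas's schema); NSE <script> results are stored too, which the diary's
script does not do yet."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed nmap -oX sample, not a real scan (192.0.2.0/24 is documentation space).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.0.2.0/28">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
        <script id="ssh-hostkey" output="1024 aa:bb:cc:dd (DSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15"/>
        <script id="http-title" output="Example Domain"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>"""

SCHEMA = """
CREATE TABLE hosts   (ip TEXT PRIMARY KEY, hostname TEXT, status TEXT);
CREATE TABLE ports   (ip TEXT, port INTEGER, proto TEXT, state TEXT, service TEXT,
                      product TEXT, version TEXT, PRIMARY KEY (ip, port, proto));
CREATE TABLE scripts (ip TEXT, port INTEGER, proto TEXT, script_id TEXT, output TEXT);
"""

def attr(elem, name):
    """Attribute of an optional element, or None when the element is absent."""
    return None if elem is None else elem.get(name)

def nmap_info(conn, xml_text):
    """Walk <host>/<port>/<script> elements into the tables; return row counts."""
    counts = {"hosts": 0, "ports": 0, "scripts": 0}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = attr(host.find("address[@addrtype='ipv4']"), "addr")
        if ip is None:
            continue  # this simplified loader only handles IPv4 hosts
        conn.execute("INSERT INTO hosts VALUES (?,?,?)", (ip,
                     attr(host.find("hostnames/hostname"), "name"), attr(host.find("status"), "state")))
        counts["hosts"] += 1
        for port in host.iter("port"):
            proto, portid, svc = port.get("protocol"), int(port.get("portid")), port.find("service")
            conn.execute("INSERT INTO ports VALUES (?,?,?,?,?,?,?)",
                         (ip, portid, proto, attr(port.find("state"), "state"),
                          attr(svc, "name"), attr(svc, "product"), attr(svc, "version")))
            counts["ports"] += 1
            for script in port.findall("script"):  # NSE results attached to this port
                conn.execute("INSERT INTO scripts VALUES (?,?,?,?,?)",
                             (ip, portid, proto, script.get("id"), script.get("output")))
                counts["scripts"] += 1
    conn.commit()
    return counts

def open_services(conn):
    """Open ports with their service banners, the query you'd run for version tracking."""
    return conn.execute("SELECT ip, port, proto, service, product, version FROM ports "
                        "WHERE state = 'open' ORDER BY ip, port").fetchall()

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)  # the diary's CreateTables step
    return conn, nmap_info(conn, SAMPLE_XML)
```

Pointing `nmap_info` at a real `-oX` file and swapping the sqlite3 connection for a MySQL one is the only change needed to use it against a live database.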
Cheers,

Adrien de Beaupré

EWA-Canada.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A critical, out-of-cycle patch is set to repair a serious Flash vulnerability that is being actively targeted by attackers.
 
Sybase announced on Tuesday SQL Anywhere 12, the latest edition of its mobile database and one of the "crown jewels" SAP will acquire with its pending purchase of the company.
 
Hitachi Data Systems is preparing to offer cloud storage that even cloud-averse enterprises might accept: It resides in the customer's own data center.
 
Alcatel-Lucent has acquired ProgrammableWeb, which hosts an online directory of over 2,000 open web APIs that developers can use to build 'mashups' of Web services.
 
Nexus One owners have begun to receive version 2.2 of the Android software, code-named Froyo, as an over-the-air update to their phones, Google said in a blog post on Monday.
 
Micron Technology reported its best net profit in years on Monday as sales of DRAM and NAND flash memory chips soared.
 
Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature enabled, according to researchers at Core Security Technologies.
 

Making sense of compliance and governance
SC Magazine UK
“We've already put a new series of infosec guidelines out there. Hopefully, the auditors and regulators will be working to those.” But he does predict that ...
 
Monday's Supreme Court decision on a lawsuit challenging the Sarbanes-Oxley Act financial regulations is unlikely to cause IT managers to change current strategies for complying with the law.
 
InfoSec News: Alleged Russian agents used high-tech tricks: http://news.cnet.com/8301-13578_3-20009101-38.html
By Declan McCullagh Politics and Law CNet News June 28, 2010
A clandestine network of Russian spies in the United States used private Wi-Fi networks, flash memory sticks, and text messages concealed in [...]
 
InfoSec News: Brazilian banker's crypto baffles FBI: http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
By John Leyden The Register 28th June 2010
Cryptographic locks guarding the secret files of a Brazilian banker suspected of financial crimes have defeated law enforcement officials. [...]
 
InfoSec News: FBI Investigating Possible DSHS Hacker: http://www.texastribune.org/texas-state-agencies/department-of-state-health-services/fbi-investigating-possible-dshs-hacker/
By Emily Ramshaw The Texas Tribune June 28, 2010
The FBI is investigating whether a hacker broke into the state's confidential cancer registry, possibly holding personal information and medical records hostage.
Health and Human Services Commissioner Tom Suehs says state health officials notified his office in early May that a hacker was holding the Texas Cancer Registry hostage and demanding a ransom. Suehs says preliminary investigation results from the FBI indicate the threat may be a hoax, and officials with the Department of State Health Services, which oversees the cancer registry, say they don't believe the names, dates of birth, Social Security numbers and personal medical information contained in it were stolen. But if the FBI determines private records were revealed, Suehs says, health officials will quickly notify the people listed in the registry.
"This is an incident that makes everybody's antennas go a little bit higher, and I'm using it as an opportunity to elevate our awareness of our responsibility to protect information," Suehs says. "Nothing is 100-percent secure. But I think [most of] our systems, our processes, worked. And that's the positive thing."
The security scare comes at a sensitive time for the state's health agencies, which are making plans for an electronic superhighway to exchange Texas medical records -- and expect an influx of federal dollars to help do it. Privacy advocates are already nervous about whether the state has the technology safeguards to keep these records out of hackers' hands.
[...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, June 20, 2010:
Open Security Foundation - DataLossDB Weekly Summary, Week of Sunday, June 20, 2010. 19 Incidents Added. [...]
 
InfoSec News: Misconfigured Cisco gear could lead to Wi-Fi breach: http://www.networkworld.com/news/2010/062810-misconfigured-cisco-gear-could-lead.html
By Robert McMillan IDG News Service June 28, 2010
Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature [...]
 
InfoSec News: Challenges from all sides beset CISOs: http://fcw.com/articles/2010/06/28/ciso-panel.aspx
By Henry Kenyon FCW.com June 28, 2010
Government agencies rely on their chief information security officers to stay on top of evolving threats to their information technology systems. But CISOs must balance a variety of needs and requirements to keep their organization's networks safe. A panel of government CISOs discussed these issues at a recent meeting sponsored by the Armed Forces Communications Electronics Association's Bethesda, Md., chapter.
Moderated by Jerry Davis, NASA's deputy chief information officer for IT security, the panel examined how CISOs balance their existing mission needs with new and pending rules, managing new technology trends such as real-time data monitoring, and working with the vendor community.
Davis noted that the federal government was going through a period of change as it renewed emphasis on cybersecurity, citing the nearly 40 cyberspace related bills currently under consideration in Congress. Davis added that the role of the CISO continues to evolve, as they increasingly assume greater responsibility and authority in their organizations.
When asked how they balanced their responsibilities with meeting established priorities and complying with new regulations, the panelists offered a range of answers. Patrick Howard, the Nuclear Regulatory Commission's CISO, said that while he keeps up with his current responsibilities, he also is watching new legislation; he specifically cited a proposed law that would allow CISOs to withhold bonuses to executives and managers who did not meet federal compliance standards.
[...]
 
InfoSec News: White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity: http://www.darkreading.com/securityservices/security/government/showArticle.jhtml?articleID=225701705
By Kelly Jackson Higgins DarkReading June 28, 2010
The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password [...]
 
Google has stopped automatically redirecting some search traffic from China to its Hong Kong search engine in a bid to placate angry Chinese officials, the company said Tuesday.
 
Cisco Systems and MobileAccess today announced a system designed to improve in-building cellular signals that uses copper cable integrated into corporate LANs and works alongside Cisco Wi-Fi networks.
 

Posted by InfoSec News on Jun 28

http://news.cnet.com/8301-13578_3-20009101-38.html

By Declan McCullagh
Politics and Law
CNet News
June 28, 2010

A clandestine network of Russian spies in the United States used private
Wi-Fi networks, flash memory sticks, and text messages concealed in
graphical images to exchange information, federal prosecutors said
Monday.

The Justice Department has filed criminal charges against 11 people who
allegedly were covert agents of the Russian...
 

Posted by InfoSec News on Jun 28

http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

By John Leyden
The Register
28th June 2010

Cryptographic locks guarding the secret files of a Brazilian banker
suspected of financial crimes have defeated law enforcement officials.

Brazilian police seized five hard drives when they raided the Rio
apartment of banker Daniel Dantas as part of Operation Satyagraha in
July 2008. But subsequent efforts to decrypt files held...
 

Posted by InfoSec News on Jun 28

http://www.texastribune.org/texas-state-agencies/department-of-state-health-services/fbi-investigating-possible-dshs-hacker/

By Emily Ramshaw
The Texas Tribune
June 28, 2010

The FBI is investigating whether a hacker broke into the state's
confidential cancer registry, possibly holding personal information and
medical records hostage.

Health and Human Services Commissioner Tom Suehs says state health
officials notified his office in early...
 

Posted by InfoSec News on Jun 28

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, June 20, 2010

19 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open
Security Foundation asks for contributions of new incidents and new data for...
 

Posted by InfoSec News on Jun 28

http://www.networkworld.com/news/2010/062810-misconfigured-cisco-gear-could-lead.html

By Robert McMillan
IDG News Service
June 28, 2010

Users of a popular Cisco Systems wireless access point may be setting
themselves up for trouble if they leave a WPA wireless migration feature
enabled, according to researchers at Core Security Technologies.

The issue has to do with Cisco's Aironet 1200 Series Access Point, which
is used to power centrally...
 

Posted by InfoSec News on Jun 28

http://fcw.com/articles/2010/06/28/ciso-panel.aspx

By Henry Kenyon
FCW.com
June 28, 2010

Government agencies rely on their chief information security officers to
stay on top of evolving threats to their information technology systems.
But CISOs must balance a variety of needs and requirements to keep their
organization's networks safe. A panel of government CISOs discussed
these issues at a recent meeting sponsored by the Armed Forces...
 

Posted by InfoSec News on Jun 28

http://www.darkreading.com/securityservices/security/government/showArticle.jhtml?articleID=225701705

By Kelly Jackson Higgins
DarkReading
June 28, 2010

The White House has outlined a national strategy for trusted digital
identities that could ultimately eliminate the username-and-password
model and lay the groundwork for a nationwide federated identity
infrastructure.

Howard Schmidt, cybersecurity coordinator and special assistant to the...
 