InfoSec News

A cloud development zone being constructed in the Chinese city of Chongqing has drawn scrutiny for an alleged plan to offer uncensored Internet access, but only for foreign businesses.
 
There's little disagreement about what a test report expected this week will say about LightSquared's proposed LTE network: It knocks out GPS on many devices. There's far less consensus about what causes the problem and what to do about it.
 
Symantec published a report today showing that attacks via social networks (Facebook, Twitter and YouTube) grew in popularity between April and June 2011 as a channel for distributing spam, malware and phishing. 57% of this traffic originated from the United States, with another 19% originating from various European countries.
Of course, Symantec reminds its readership that none of these social network sites are behind the attacks; the social networks employ a variety of techniques to protect users from such attacks and from fraudulent activity involving user accounts. [1]


[1] http://www.symantec.com/connect/blogs/social-network-attacks-surge
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Community SANS SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
After much speculation, Google is finally taking on Facebook with Google+. Check out our first-look review, then cast your vote.
 
HP OpenView Storage Data Protector CVE-2011-1865 Op Codes Remote Buffer Overflow Vulnerability
 
The Los Alamos National Lab has shut down two of its largest supercomputers, as wildfires continue to burn near this sprawling New Mexico facility.
 
ejabberd XML Parsing Denial of Service Vulnerability
 
Apple Mac OS X Quicktime 'Apple Lossless Audio Codec' Integer Overflow Vulnerability
 
Google+, the search giant's latest try at social networking, lets users limit who gets which message -- a strategy that could eventually challenge Facebook's "one list fits all" approach.
 
Dell on Wednesday said it was increasing focus on the midmarket as the company looks to offer new cloud computing, security and data management services to customers.
 
CA said on Wednesday it plans to acquire Interactive TKO, which offers a simulation platform designed to reduce the time it takes to develop and test complex applications, for US$330 million in cash.
 
Time may be running out for the members of LulzSec as police continue to step up their inquiries into the hacking group.
 
Apple QuickTime Movie and '.pict' Files Memory Corruption Vulnerability
 
 
Cisco officials want to drive home a point about the Cius tablet coming on July 31: It's aimed at business users, not consumers.
 
A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say.
 
When Mozilla launched its Firefox 5 browser recently, it also said it was dropping security support of the three-month-old Firefox 4. Enterprise IT has not been pleased, and unsupportive comments from Mozilla have not helped. Microsoft was quick to exploit the uproar. Do you think Mozilla has lost its way with the enterprise?
 
MySpace, which dominated the social-networking market in the mid-2000s before Facebook eclipsed it, has been sold by its parent company News Corp. to digital media company Specific Media, the companies announced on Wednesday.
 
Gibbs' quest to resurrect an old Windows 98 game ends in success with an emulator that isn't.
 
Microsoft signed two deals this week with companies that agreed to pay royalties for technology used in Android devices.
 
HP's lawsuit against Oracle over its decision to stop developing software for Intel's Itanium processors is a 'publicity stunt' meant to 'lay the blame on Oracle for the disruption that will occur when HP's Itanium-based server business inevitably comes to an end,' Oracle said in a court filing Wednesday.
 
Democratic members of a Senate committee promised Wednesday to push hard for new online privacy protections and for legislation that would require companies to put security monitoring tools on their networks.
 
NNT Change Tracker Enterprise Hard Coded Encryption Local Security Bypass Vulnerability
 

SSL or TLS is *the* security protocol for encrypting traffic, HTTP traffic in particular. We all know it, love it, and then ignore the various pop-ups that tell us, in ever so cryptic ways, that someone is playing a man-in-the-middle attack on us.
I don't want to go over the basics here, but rather talk about a few tricks and issues that I see left out now and then.
What about different certificate classes?
SSL plays two important roles: it encrypts traffic AND it verifies that you are connected to the correct server. Your browser knows that it is connected to the correct server because the server presents a certificate that includes its host name, among other information, and is signed by a trusted certificate authority.
Certificate authorities vary in how they validate the information in the certificate, and in what information is actually validated:
Domain: This is the simplest (and cheapest) type of certificate. All it verifies is control of the host name. Usually you can get one of these certificates in a few minutes, as long as your e-mail address is listed in the domain's whois record. For example, if you own the domain name bigbank.com, you can get a certificate for it, no matter whether you are affiliated with a company called BigBank or not.
Organization: This is the next class of certificate, sometimes called a Class 2 certificate. Here the certificate authority verifies that you are associated with the organization that owns the domain name. You typically need to fax in a copy of a photo ID, a business license or other paperwork. Now the name of the business is validated by the certificate as well.
EV (Extended Validation) certificates: This type of certificate is the most expensive to get and requires additional paperwork and validation. The goal is to validate more thoroughly the business name the certificate is issued to. As a reward, many browsers display the business name, not just the host name, as part of the URL bar. Banks frequently use this type of certificate. Keep in mind that the encryption is the same for all three classes; they differ only in which identity claim the CA vouches for.
I need a certificate that covers multiple host names
You have two options:
Wildcard certificates are issued for a domain and work for all host names directly under it (e.g. *.example.com covers www.example.com, but neither example.com itself nor a.b.example.com).
Multiple domain name certificates (using the Subject Alternative Name extension) can list various host names from different domains. For example, we use one for isc.sans.edu that also covers some of the old host names we used, like incidents.org and isc.sans.org.
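The following is an added example, not code from the diary or from any TLS library: it reimplements the host-name check a client performs against the names a certificate covers, including the wildcard rules from RFC 6125, so you can see exactly which names a wildcard or a multi-domain (SAN) certificate does and does not cover. The certificate name lists used below are constructed, not the real isc.sans.edu certificate.

```python
"""Host-name matching against certificate names (CN and subjectAltName),
with the RFC 6125 rules for wildcard names.  Reimplementation for
illustration; not code from any browser or TLS library."""


def _wildcard_matches(pattern, host):
    """Match host against a pattern whose leftmost label is exactly '*'.

    '*.example.com' covers 'www.example.com' but neither 'example.com'
    (one label short) nor 'a.b.example.com' (the wildcard spans a single
    label).  Partial wildcards such as 'w*.example.com' and wildcards in
    other labels ('www.*.com') are rejected outright.
    """
    plabels = pattern.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False                          # '*.com' would cover a whole TLD
    if any("*" in label for label in plabels[1:]):
        return False
    hlabels = host.split(".")
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def hostname_matches(host, common_name=None, san_dns_names=()):
    """Return True if the certificate's names cover host.

    If the certificate carries a subjectAltName extension with dNSName
    entries, only those are consulted and the subject CN is ignored; the CN
    is a fallback for legacy certificates without SAN.  Comparison is
    case-insensitive and ignores a trailing dot.
    """
    host = host.rstrip(".").lower()
    if not host or "*" in host:
        return False
    names = list(san_dns_names) if san_dns_names else [common_name or ""]
    for name in names:
        name = name.rstrip(".").lower()
        if not name:
            continue
        if "*" in name:
            if _wildcard_matches(name, host):
                return True
        elif name == host:
            return True
    return False


# Constructed stand-in for a multi-domain (SAN) certificate like the one the
# diary describes for isc.sans.edu; these are not the real certificate's names.
ISC_STYLE_SAN = ("isc.sans.edu", "isc.sans.org", "incidents.org", "www.incidents.org")

if __name__ == "__main__":
    print(hostname_matches("www.example.com", common_name="*.example.com"))      # True
    print(hostname_matches("example.com", common_name="*.example.com"))          # False
    print(hostname_matches("a.b.example.com", common_name="*.example.com"))      # False
    print(hostname_matches("isc.sans.org", "isc.sans.edu", ISC_STYLE_SAN))       # True
    print(hostname_matches("isc.sans.edu", "isc.sans.edu", ("incidents.org",)))  # False
```

The last call is the one that surprises people: once a certificate carries a SAN list, the CN is not consulted at all, so a SAN certificate must repeat the CN's host name in the list or that name is no longer covered.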
I am using NameVirtualHosting (1 IP = Multiple Hostnames)
Now this is a tricky issue. If you use SSL, the entire HTTP stream, including the Host header, is encrypted. In order to figure out which certificate (and key) to use, the server needs to know the host name the client wants, and that host name is inside the encrypted stream... a classic catch-22. As a result, you cannot use multiple SSL certificates on the same IP address unless each site listens on a different port. However, modern browsers have a solution referred to as SNI (Server Name Indication, see RFC 4366). With server name indication, the host name is sent in the clear as part of the client establishing the SSL connection (in the SSL Client Hello message). Now the server knows which host name you are trying to connect to and can pick the right certificate. Note that this also means the host name is visible to anyone watching the traffic, even though the URL path and the rest of the request are not.
Sadly, Windows XP does not support SNI: Internet Explorer on XP, whatever its version, never sends it, so those users are handed the server's default certificate and see a name-mismatch warning.
In order to support SNI, you also need a recent version of OpenSSL and Apache on the server (Apache 2.2.12 or later, built against OpenSSL 0.9.8f or later with TLS extension support). In cases where I could not update OpenSSL and Apache, I had good luck using nginx as a proxy in front (it supports SNI). Microsoft IIS did not support SNI the last time I checked.
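To make the "sent in the clear" point concrete, here is an added example (not code from the diary or from any TLS implementation) that builds a minimal TLS 1.2 Client Hello with and without the server_name extension and then pulls the host name back out of the raw bytes, which is exactly what a server, or an IDS sensor on the wire, can do before any key has been negotiated. The record and handshake framing follow RFC 5246 and the extension layout RFC 4366/6066; the cipher suite list is a constructed sample.

```python
"""Build a TLS ClientHello with (or without) the SNI extension and extract the
server_name from the raw bytes.  Illustration only; not code from any TLS
library or sensor."""
import os
import struct

TLS_HANDSHAKE = 0x16        # record content type
HS_CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000    # extension type for SNI
NAME_TYPE_HOST = 0x00       # the only defined ServerName name_type


def build_client_hello(server_name=None):
    """Return one TLS record holding a minimal TLS 1.2 ClientHello.

    If server_name is given, an SNI extension is appended; the name travels
    in the clear because no key has been negotiated yet.  The cipher suites
    are constructed sample values, enough to make the message well-formed.
    """
    body = b"\x03\x03"                           # client_version: TLS 1.2
    body += os.urandom(32)                       # ClientHello.random
    body += b"\x00"                              # session_id: empty
    suites = b"\xc0\x2f\x00\x9c\x00\x2f"         # three sample cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")       # host names are ASCII (A-labels)
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return header + handshake


def extract_sni(record):
    """Return the host name carried in a ClientHello's SNI extension, or None.

    None is what a server sees from an SNI-less client (Internet Explorer on
    Windows XP, for instance): it then has to fall back to a default
    certificate.  Malformed or non-ClientHello input also yields None.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HS_CLIENT_HELLO:
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                        # version + random
        off += 1 + p[off]                                   # session_id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
        off += 1 + p[off]                                   # compression_methods
        if off + 2 > len(p):
            return None                                     # no extensions at all
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            data = p[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == NAME_TYPE_HOST:
                    return data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("isc.sans.edu")))   # isc.sans.edu
    print(extract_sni(build_client_hello()))                 # None
```

Feed `extract_sni` the first record of a captured TCP stream on port 443 and you get the host name without touching any key material; that is the same reason an SNI-capable server can choose among several certificates on one IP address, and the same reason a passive observer learns which site you are visiting.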
HTTP Strict Transport Security
This is a new feature, added in Firefox 4 (Chrome already supported it), and other browsers are starting to pick it up as well. The feature tells a browser to only use HTTPS, never plain HTTP, to connect to a particular host. It protects against attacks that try to redirect the user to an HTTP version of the site, for example a man-in-the-middle proxy that rewrites https:// links to http:// before they reach the user. The server sends the policy as a response header of the form:

Strict-Transport-Security: max-age=<seconds>; includeSubDomains

The max-age value tells the browser for how many seconds it should remember this setting. The optional includeSubDomains parameter extends the policy to all subdomains of the host. Two caveats: the browser only honors the header when it arrives over an HTTPS connection whose certificate validated without error, so the very first (plain HTTP) visit to a site is still unprotected; and while the policy is active the browser will refuse to let the user click through certificate warnings for that host, so make sure your certificate setup is solid before you turn it on.
Couple Links related to SSL:
https://www.ssllabs.com/ - great site to check whether your SSL configuration is correct (make sure to check the "Do not show the results on the boards" checkbox if you don't want your site listed publicly)

http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/ - details about HSTS

http://www.ietf.org/rfc/rfc4366.txt - RFC for SNI


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Resolved - NNT Change Tracker - Hard-Coded Encryption Key (originally posted as http://seclists.org/fulldisclosure/2011/May/460)
 
In today's uncertain economic climate it takes courage to predict good news in any sector, but industry analysts such as Infonetics and Ovum are sticking to their predictions for strong growth in Carrier Ethernet services and equipment - a $20 billion market set to grow to between $40 billion to $50 billion by 2014. Impressive - but still just a ripple on the greater global economy.
 
Oracle is building out its array of hardware products with the acquisition of storage vendor Pillar Data Systems, the company announced Wednesday.
 
A majority of Lawson Software shareholders approved the company's sale to Infor and Golden Gate Capital during a meeting Wednesday, paving the way for the creation of the industry's third-largest ERP software vendor after SAP and Oracle.
 
Google's new social networking service is just a day old, but analysts are already wondering how long it will be before Google+ is refocused for the enterprise.
 
Google patched seven vulnerabilities in Chrome on Tuesday as it issued the second security update for its browser this month.
 
Oracle is building out its array of hardware products with the acquisition of storage vendor Pillar Data Systems.
 
RETIRED: Nodesforum '3rd_party_limits.php' Remote File Include Vulnerability
 
Gartner analysts say infosec teams can avoid tomorrow’s cloud computing security problems by anticipating future usage and becoming facilitators.

 
Security teams need to be involved in the contract process to ensure data security provisions are included.

 
Cloud giant makes it clear the onus is on customers when it comes to HIPAA, GLBA and other regulations.

 
Cisco announced that its Android-based Cius tablet, which should appeal to enterprise customers, will finally go on sale on July 31 for $750.
 
AST-2011-011: Possible enumeration of SIP users due to differing authentication responses
 
APPLE-SA-2011-06-28-2 Java for Mac OS X 10.5 Update 10
 
APPLE-SA-2011-06-28-1 Java for Mac OS X 10.6 Update 5
 
ESTsoft ALZip MIM File Processing Buffer Overflow Vulnerability
 
Winamp Essentials FLV File Heap Based Buffer Overflow Vulnerability
 
 
Version 3.5 of the Cloudera Enterprise edition has new modules for configuration and process monitoring
 
NetBeans, MySQL, and GlassFish are all likely to remain in Oracle's software portfolio as they have profit potential
 
Hewlett-Packard is opening two new centers in China, one focused on cloud computing, and the other on research, as the company ramps up to address this large market.
 
Pope Benedict XVI Tuesday announced a new Vatican website, via his first Twitter post, from an Apple iPad. But you won’t be able to follow him on Twitter and he probably won’t be following you.
 
IT hardware and software companies expect to see most of their revenue come from the U.S. market this year. That's a reversal from the past two years, when China and India led, according to KPMG's annual survey of the technology business climate.
 
A Pew Research Institute survey in May found that Americans favor less-expensive e-reader devices over tablets like Apple's iPad.
 
RSLinx OPC Automation ActiveX Control Stack Buffer Overflow Vulnerability
 

NetClarity NACwall Next Generation NAC Appliances Now Dynamically Control All ...
PR Web (press release)
NetClarity, Inc., the leading provider of Next Generation (NG) Network Access Control (NAC) technology in the marketplace today, on the heels of receiving the “Most Innovative New Security Product for 2011” award from InfoSec Products Guide, ...

 

Posted by InfoSec News on Jun 29

http://www.koreaherald.com/national/Detail.jsp?newsMLId=20110628000706

By Song Sang-ho
The Korea Herald
2011-06-28

The Army signed an accord with Korea University on Tuesday to establish
a department for nurturing cyber warfare specialists as South Korea
strives to bolster its capabilities to deal with North Korean cyber
attacks.

The ceremony to sign the agreement was attended by Army Chief of Staff
Gen. Kim Sang-ki and Korea University...
 

Posted by InfoSec News on Jun 29

http://risky.biz/sosasta

By Patrick Gray
Risky.biz
June 28, 2011

The entire user database of Groupon's Indian subsidiary Sosasta.com was
accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of
the site's 300,000 users. It was discovered by Australian security
consultant Daniel Grzelak as he searched for publicly accessible
databases containing e-mail...
 

Posted by InfoSec News on Jun 29

I'm posting this since many of you noticed that we've trimmed the size
of the security news over the last few years and stopped forwarding news
from sites that Righthaven represents, I can't afford to fight an
organization like Righthaven, but the EFF can, and I'd like to see
InfoSec News subscribers help the EFF Topple a Troll!

Thanks!

William Knowles
wk @ infosec news

-=-

Here's your chance to help EFF topple a...
 

Posted by InfoSec News on Jun 29

http://www.eweekeurope.co.uk/news/mod-creates-command-unit-to-counter-cyber-threats-32802

By Tom Jowitt
eWEEK Europe
June 28, 2011

Liam Fox has created a new joint force command at the MoD to oversee
cyber warfare and military intelligence

Reforms at the Ministry of Defence this week will also include the creation
of a new joint force command unit, that will integrate the MoD’s cyber
warfare and military intelligence units.

The reforms were...
 

Posted by InfoSec News on Jun 29

Forwarded from: Simon Taplin <simon (at) simontaplin.net>

http://www.businessweek.com/magazine/content/11_26/b4234072712001.htm

By Christopher S. Stewart
Businessweek
June 16, 2011

Alex Lanstein stared at the 65-inch computer monitor in the living room of his
Boston apartment. Streaming data lit up the screen, the actions of a cyberlord
giving orders to his botnet, a zombie army of hijacked computers controlled
from an unknown...
 

Posted by InfoSec News on Jun 29

Forwarded from: William Panos <bp (at) affordablehomesandcondos.com>

http://www.sun-sentinel.com/news/local/breakingnews/os-hackers-attack-orlando-20110628,0,5300394.story

By Mark Schlueb
Orlando Sentinel
June 28, 2011

The computer hacker group Anonymous — credited with crashing the
websites of Visa and MasterCard in support of Wikileaks — launched what
it called "Operation Orlando" on Tuesday, disabling a tourism website...
 

Posted by InfoSec News on Jun 29

http://www.ft.com/cms/s/0/010c3e80-a020-11e0-a115-00144feabdc0.html

By Chris Bryant in Frankfurt
Financial Times
June 26, 2011

Top managers at a German chemicals company are being asked to toss their
mobile phones into a biscuit tin before important meetings to stop spies
stealing trade secrets.

Evonik’s measures underscore the lengths to which companies are going to
protect intellectual property.

Mobile phones, even when switched off,...
 