InfoSec News

When you're trying to answer a phone call, fumbling around while you're putting on a headset can be all too easy. The Jawbone Era aims to fix that: The Era ($130 as of March 1, 2011) has a standout feature called ShakeShake, which lets you shake the Bluetooth headset twice to pick up a call when the unit isn't in your ear. This function worked great for me, as I like to keep my headset and phone on my desk; when a call comes in, I can see who's calling and can then double-shake the Era before placing it in my ear, so I don't lose the call.
 
I had high expectations for the Plantronics Voyager Pro UC. For starters, the $200 (as of March 1, 2011) Bluetooth headset promised to deliver a full-on communications package that would allow users to connect it to a PC for software installations and updates--the headset can integrate with Skype, for example. And its sensor technology can detect when the Voyager Pro UC is in the user's ear, so you can make it answer calls automatically.
 
"Black and boring" is one way to describe the Jabra Easygo Bluetooth headset. But its $40 (as of March 1, 2011) price tag is attractive considering what you get: average to above-average call quality, extra earbud covers, and a choice of wearing style (you can go with or without the earhook).
 
The personal information of 13,000 individuals who had filed compensation claims with BP after last year's disastrous oil spill may have been potentially compromised after a laptop containing the data was lost by a BP employee.
 
The Motorola Oasis ($80 as of March 1, 2011) Bluetooth headset looks a bit like a folded-up miniature-golf putter. Its shape is unusual--the Oasis's hook is squarish by design--and its boom microphone folds inward, so ferrying it around is easy. Also unusual is the placement of the Call button: It's located on the boom, whereas on all other headsets I've tested the chief button sits somewhere around the ear's curve or adjacent to the ear. The novel position of the Call button took getting used to.
 
Thanks to its friendly design and consistent audio quality, the Plantronics K100 is one of the best Bluetooth car speakerphones we've used, in spite of our few complaints. The K100 ($80 as of March 8, 2011) is easy to use, and produces generally clear and effective audio.
 
When I'm driving and I need to rely on a Bluetooth speakerphone to handle calls, I like controls that are superlarge and a cinch to access by feel alone. You (and a gazillion other drivers) too, right?
 
If you live in a state where it's legal to mount technology devices, such as a GPS unit, on your windshield, here's an innovative Bluetooth car accessory to ponder. The Parrot Minikit Smart ($130 as of March 1, 2011) takes on a number of roles: The cradlelike design lets you attach your phone (horizontally) to the Minikit, which acts as a charging holder and serves as a GPS unit and Bluetooth speakerphone.
 
The earbud accessories for the lightweight Motorola Finiti ($130 as of March 1, 2011) Bluetooth headset are the most peculiar I've seen in years--somehow I found this unusual design more noteworthy than the headset's excellent noise cancellation. To don the Finiti in hook mode, you wear an earbud cover that looks a lot like a soda can's pull tab (in gel form). If you'd rather ditch the hook, you switch to the earbud cover shaped like a tadpole, instead.
 
The BlueAnt S4 ($100 as of March 8, 2011) Bluetooth car speakerphone is sleek and slender--far more slick-looking than its predecessor, the BlueAnt Supertooth 3. As with the Supertooth 3, you affix the S4 to your visor, thanks to the convenience of magnetic pull: You slide a metal clip onto the visor, and then the S4 clamps onto the clip by way of the magnetic blobs underneath the unit. The clip can stay permanently on the visor; you pop the S4 on and off the clip with minimal effort.
 
A company charged with fraud by Verizon and the Texas attorney general is fighting back, asking an Arizona court on Monday not to impose an injunction that would shut down its business.
 
The Heritage Provider Network wants to do for healthcare what technology in the film "Minority Report" did for police work.
 
"Thank you for ordering from Cell Phone Inc" is what the email says ... what it doesn't say is "have a nice day cleaning your infected PC". Reader Scott had just taken his mobile phone to a store for repair but, being a savvy security specialist, he was still suspicious when he got the following email shortly thereafter:

Thank you for ordering from Cell Phone Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is Cell Phone Inc. You will need this in all correspondence.
This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card. Your card will be charged for the amount of 629.99 USD and Cell Phone Inc. will appear next to the charge on your statement.
Your purchase information appears below in the file.
Cell Phone Inc.

Turns out, of course, that this email had nothing to do with Scott's phone; it is just the latest malware spam run. The email comes with a PDF attachment that, at current count, tries to exploit collab.getIcon (CVE-2009-0927), media.newPlayer (CVE-2009-4324), collab.collectEmailInfo (CVE-2007-5659) and util.printf (CVE-2008-2992): all rather old Adobe Reader/Acrobat JavaScript API vulnerabilities, but apparently still good enough for the bad guys to warrant a new spam run.
The PDF's guts are obfuscated JavaScript, as usual, and the sample is currently detected by only 2 of 43 engines on VirusTotal. Note that all four of these bugs are reached through Reader's JavaScript engine, so a Reader with JavaScript disabled (Edit > Preferences > JavaScript) does not run the exploit code at all.
Keep your users from clicking, and keep up with those pesky almost-weekly Adobe updates!
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
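The diary names the four Acrobat API calls but not how to find them in a sample. The script below is an added example, not ISC's code or the actual dropper: it builds a constructed one-page PDF whose OpenAction runs a Flate-compressed JavaScript stream (with the two cheap obfuscations seen in such mail, hex-escaped PDF names and split string literals), then performs the static triage a responder would do before opening the file anywhere: decode name escapes, inflate streams, normalise the JavaScript and look for the listed API names. The object casing (Collab, util, media) is the real Acrobat API; the sample JavaScript and the PDF layout are my construction, and the parser is deliberately minimal (no nested dictionaries, no object streams, no eval-based unpacking), so it catches only the trivially obfuscated cases.

```python
import re
import zlib
from typing import Iterator, Optional

# Acrobat JavaScript API calls named in the diary (matched case-insensitively).
SUSPECT_APIS = ("Collab.getIcon", "media.newPlayer",
                "Collab.collectEmailInfo", "util.printf")

# A dictionary immediately followed by a stream body (flat dictionaries only).
STREAM_RE = re.compile(rb"(<<(?:(?!>>).)*>>)\s*stream\r?\n", re.S)

# Constructed sample JavaScript: split strings and a \xHH escape hide two of
# the four API names from a naive grep.
MALICIOUS_JS = (b'var f = "Col" + "lab.getIc" + "on";\n'
                b'var p = "\\x6dedia.newPlayer";\n'
                b'Collab.collectEmailInfo({ msg: "A" });\n'
                b'util.printf("%45000f", 1);\n')


def build_pdf(js_source: Optional[bytes]) -> bytes:
    """Constructed sample, not a real dropper: a one-page PDF whose OpenAction
    runs a Flate-compressed JavaScript stream; the action name is hex-escaped."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R"
            + (b" /OpenAction 4 0 R" if js_source is not None else b"") + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>"]
    if js_source is not None:
        body = zlib.compress(js_source)
        objs.append(b"<< /S /J#61vaScript /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
                    + body + b"\nendstream")
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def decode_name(raw: bytes) -> bytes:
    """Undo PDF name escapes: /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_js(blob: bytes) -> bytes:
    """Undo two cheap obfuscations: "Col" + "lab" splitting and \\xHH escapes."""
    text = re.sub(rb'(["\'])\s*\+\s*\1', b"", blob)
    return re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text)


def extract_streams(pdf: bytes) -> Iterator[bytes]:
    """Yield every stream body, inflating FlateDecode streams.
    A direct /Length is honoured; an indirect one falls back to 'endstream'."""
    for m in STREAM_RE.finditer(pdf):
        dictionary = decode_name(m.group(1))
        start = m.end()
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        if length:
            data = pdf[start:start + int(length.group(1))]
        else:
            data = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt stream: keep the raw bytes and still scan them
        yield data


def triage(pdf: bytes) -> dict:
    """Static indicators: embedded JavaScript, an automatic action, and any of
    the suspect API names inside the (decoded) document or its streams."""
    names = decode_name(pdf)
    result = {
        "javascript": (b"/JavaScript" in names
                       or re.search(rb"/JS(?![A-Za-z])", names) is not None),
        "auto_action": (b"/OpenAction" in names
                        or re.search(rb"/AA(?![A-Za-z])", names) is not None),
    }
    hits = set()
    for blob in [names, *extract_streams(pdf)]:
        text = normalize_js(blob).lower()
        hits.update(api for api in SUSPECT_APIS if api.lower().encode() in text)
    result["apis"] = sorted(hits)
    result["verdict"] = "suspicious" if result["javascript"] and hits else "no indicators"
    return result


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pdf(MALICIOUS_JS)
    print(triage(sample))
```

Run it with a file argument to triage a suspect attachment offline, or with none to see the constructed sample flagged as suspicious with all four API names recovered; the same sample built without JavaScript reports no indicators. Any real-world hit on these names in a mailed PDF is grounds for quarantine regardless of what the AV engines say.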
 
Toshiba's Mini NB505-508GN has two things that separate it from the netbook pack, albeit only slightly: a somewhat better-than-average keyboard and longer-than-average battery life. Okay, make that three things--it's also better-looking than most of its competition with its smooth styling and lime-green lid. Otherwise, the unit is the epitome of the cookie-cutter netbook.
 
Lawson Software customers still don't know the fate of the company following Infor's roughly $1.8 billion acquisition offer earlier this month, with just days to go before Lawson's annual CUE conference in Boston.
 
After becoming something of a second-class player in the online world, eBay is looking to get back into the game with its purchase of GSI Commerce.
 
Massachusetts Attorney General Martha Coakley announced a $110,000 settlement against the owner of several Boston area bars for failing to secure its patrons' personal information.

 

Humans Most Critical Piece of Cybersecurity
BankInfoSecurity.com (blog)
... associate national intelligence director whom BoA named earlier this month as a senior vice president and CISO, about the impact the shortage of IT security pros is having on governments and businesses (see Is Infosec Worker Need Underestimated? ...

 
Google is testing a music service that would take on the popular Apple iTunes offering, according to online reports.
 
Apple Mac OS X 'i386_set_ldt()' Privilege Escalation Vulnerability
 
Last August, we ran a story about the dangers of abandoned email and chat accounts. Since then, we've been getting a steady trickle of requests from readers for advice on how to get a provider to delete an unused profile or address completely.
Reading the fine print of legalese is never fun, so it's no surprise that many users apparently read the privacy policy of a free web site for the first time when they want to cancel their account. More often than not, they then find out that ... there is simply no way to back out. Or rather, that the legalese gives the provider ample rights to delete an account at any time, without warning, but gives the user no way to request such an action.
Today's question on the topic came from reader Mike, who is trying to have his old and unused ICQ.com account properly closed and deleted. Not so easy, it turns out: the support forum on ICQ is full of users posting "please close my account" requests, but they don't seem to be getting an answer or any action. If you know an approach that works for ICQ, please comment below, or let us know via our contact page.
 

Kopelman-Backed Monetate Monetizes $5M - cbl
Citybizlist (press release)
Earlier he co-founded ePrivacy Group and InfoSec Labs. Bookspan co-founded, and was President and CEO of MarketSpan, Inc., now part of LexisNexis. Earlier he co-founded DreamIt Ventures, LP, a pre-seed venture fund launching new technology companies. ...

 
The quick sell-out of Apple's WWDC prompted several people to scalp tickets on eBay and Craigslist, with some priced as high as $4,599, nearly triple the sticker price of $1,599.
 
Deduplication vendor Permabit announced a product aimed at lower-end NAS systems based on Linux servers and the iSCSI protocol.
 
Avahi 'avahi-core/socket.c' Zero Size Packet Denial Of Service Vulnerability
 
More than a dozen errors at McAfee.com and its software download site could lead to cross-site scripting or other attacks, according to a group of hackers that discovered the flaws.

 
Six NASA servers exposed to the Internet had critical vulnerabilities that could have endangered Space Shuttle, International Space Station and Hubble Telescope missions -- flaws that would have been found by a security oversight program the agency hasn't yet implemented, according to NASA's inspector general.
 
Microsoft Office brings support for Visual Basic for Applications (VBA) macros back to the Mac. But if you haven't used VBA before, you might be wondering what you can actually use it for and how difficult it is to use. I've got a sample project that will provide some answers to both questions.
 
The Multicore Association is establishing specifications for a programming model that will reduce the complexity involved in writing software for multicore chips used in smartphones, tablets and other embedded systems.
 
Using IT as a percentage of sales as a stand-alone metric offers little insight.
 
A three-year-old startup called Overtis launched a browser plugin on Tuesday aimed at letting companies control what data employees can access through Web applications such as Salesforce.com and Google Apps.
 
The Briar Group has agreed to settle claims that it failed to adequately protect credit card data of its customers.
 
A week after it launched Firefox 4 for the desktop, Mozilla today shipped the final version of Firefox 4 for Android.
 
In the good old days that weren't so good, we suffered from DLL hell: the need to find and certify libraries that we didn't write but did depend on. Cloud computing presents an analogous challenge with services we want to use but don't really control. You might not see it in the short run, but if you plan to have cloud applications operational over years, this can present a very real issue.
 
Cisco Systems announced its intent to acquire privately held newScale, a provider of software that delivers a self-service portal for IT organizations to select and deploy cloud services within their businesses.
 
An open government group protests proposed cuts to a federal government transparency program.
 
Amazon's new Cloud Drive online storage service allows customers to store music in the cloud and, in the U.S., stream it to an Android app or through a Web browser.
 
Asterisk TCP/TLS Server NULL Pointer Dereference Denial Of Service Vulnerability
 
Asterisk Manager Interface Remote Denial of Service Vulnerability
 
Doctrine Project Database Abstraction Layer Library 'modifyLimitQuery()' SQL Injection Vulnerability
 
GNOME Display Manager Race Condition Local Privilege Escalation Vulnerability
 
The owner of a headhunting business was sentenced to prison last week after pleading guilty to visa fraud.
 
Nokia has filed a new round of complaints against Apple with the U.S. International Trade Commission (ITC) and with a Delaware court, the Finnish phone maker said on Tuesday.
 
Oracle's announcement last week that it will stop developing software for Intel's Itanium processor has database startup EnterpriseDB looking to capitalize.
 
"WESPA PHP Newsletter v3.0" Remote Admin Password Change With install path
 
"Simple PHP Newsletter" Remote Admin Password Change With install path
 
HTB22905: Path disclosure in Wordpress
 
HTB22904: Path disclosure in bbPress
 
IDC made a bold prediction Tuesday, forecasting that Windows Phone will surge ahead to become the No. 2 smartphone operating system by 2015 behind Android in the top spot.
 

5 Things To Know Today: March 29
Patch.com
Call for Mohr info; Sec. of State Mollis At JHS; Trip to Turning Stone Resort for seniors; play and learn at the Providence Children's Museum; and today in history: dah-dah-DAAAH! dah-DAH-dahhh! By Joseph Hutnak | Email the author | 6:00am Call Ahead: ...

 
A few manufacturing issues must still be overcome before devices with screens that flex, bend or roll up make it into consumers' hands.
 
Fast, thin, bright and energy efficient, organic light-emitting diode displays are making their way into the smartphone mainstream. OLED-based TVs may be next, with bendable or rollable OLED displays on the far horizon.
 

Posted by InfoSec News on Mar 28

http://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQL_injection_attack

By Jeremy Kirk
IDG News Service
March 28, 2011

Oracle's MySQL.com customer Web site was compromised over the weekend by
a pair of hackers who publicly posted usernames, and in some cases
passwords, of the site's users.

Taking credit for the hack were "TinKode" and "Ne0h," who wrote that the
hack resulted from a SQL...
 

Posted by InfoSec News on Mar 28

http://www.theregister.co.uk/2011/03/28/china_hacks_oz_parliament_net/

By Richard Chirgwin
The Register
28th March 2011

In a security breach that presumably now has Chinese spies trawling
through the kind of letters MPs do their best to deflect or ignore, the
Australian Parliament House network has been invaded.

The network is not rated as suitable for “sensitive” communications.
According to News Limited, Australian government...
 

Posted by InfoSec News on Mar 28

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, March 20, 2011

20 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Mar 28

http://www.redherring.com/Home/26525

By RedHerring
28 March 2011

McAfee, the computer securities company, has lit the universal bat
signal high in the sky with a dire warning: Hackers are out to steal
company's secrets, and have never had a better opportunity, thanks to a
proliferation of mobile technology that's led to a de-centralization of
the workplace and the transition to the cloud.

The company released its findings in the...
 

Posted by InfoSec News on Mar 28

http://news.cnet.com/8301-27080_3-20048135-245.html

By Elinor Mills
InSecurity Complex
CNet News
March 28, 2011

Researchers disclosed on a public security e-mail list today three
vulnerabilities in the Web site of security firm McAfee, whose site has
been found to have bugs several times before.

The YGN Ethical Hacker Group told the Full Disclosure list that it had
reported the problems to McAfee on February 10 and two days later the...
 