InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
BlackBerry Mobile Fusion, announced Tuesday, isn't just Research In Motion's first entry in the race to manage enterprises' whole mobile environments. It's also positioned to ultimately succeed the BlackBerry Enterprise Server.
The U.S. Federal Communications Commission has allowed AT&T to withdraw its application to buy the mobile licenses owned by T-Mobile USA, as AT&T had requested, but the agency has also released a staff report that disputes many of the benefits the two mobile carriers claimed the merger would produce.
MediaWiki Multiple Information Disclosure Vulnerabilities
Linux Kernel 'tpm_read()' Information Disclosure Vulnerability
Like previous Facebook worms, the new malware uses stolen credentials to log into accounts and spam contacts.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Millions of HP LaserJet printers contain a security weakness that could allow attackers to take control of the systems, steal data from them and issue commands that could cause them to overheat, according to two researchers from Columbia University.
A speedy successor to PCI data transfer protocols used in PCs and interconnects like Intel's Thunderbolt is being designed with tablets in mind, a standards-setting organization said on Tuesday.
Nokia Siemens Networks plans to sell its WiMax infrastructure business to NewNet Communication Technologies for an undisclosed sum.
While standing around the water cooler in the IT department, perhaps you debate with a coworker about whether LinkedIn is better than Facebook. Or you argue with an end user about whether they can use their own device on the corporate network or can only use what is provided by the company. Insider (free registration required)
President Obama has called for all federal agencies to update their decades-old methods of records management, in large part by moving to electronic records management systems.
If your business isn't leveraging cloud technology as part of its daily operations yet, there's a good chance that it will be within next few years. According to Cisco, the global Internet traffic generated by the use of cloud computing services will increase 12-fold by 2015.
A would-be Epicor customer is taking the ERP (enterprise resource planning) vendor to court over a "big mess" of a software project that it says ended up battering its bottom line instead of improving operations.
jQuery Real Person Plugin CAPTCHA Security Bypass Vulnerability
Hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said.
The developers of an iPhone tethering app pulled from the App Store earlier today accused Apple of using bait-and-switch tactics.
Android again was the dominant mobile operating system among U.S. mobile subscribers in the third quarter, while Apple was still the largest smartphone maker, Nielsen reports.
Virtual Vertex Muster Web Interface Directory Traversal Vulnerability
apt Verify-Host Configuration Signature Verification Vulnerability
Vulnerabilities in 3S CoDeSys 3.4 SP4 Patch 2
Avid Media Composer 'AvidPhoneticIndexer.exe' Remote Stack Buffer Overflow Vulnerability
AT&T could be negotiating to sell off as much as 40% of T-Mobile USA assets in an effort to garner Department of Justice approval of its imperiled $39 billion acquisition of the Deutsche Telekom unit.
Facebook executives reportedly are looking to take the company public this coming spring with an eye on valuing the social network at more than $100 billion.
Hewlett-Packard announced an enterprise-class deduplication appliance and a new Window's powered NAS array.
Facebook has agreed to settle U.S. Federal Trade Commission charges that it deceived consumers "on numerous occasions" by telling them they could keep their personal information private, then repeatedly sharing that information, the agency said Tuesday.
No company wants to be the subject of the next headline about a cybersecurity attack or critical data loss. Losing business data or customer information takes a toll on your business' reputation and its pocketbook. While it is impossible to entirely avoid an attack, there are steps you can take to mitigate the effects.
Disoriented at Minneapolis' Mall of America? Confused at Tokyo's Narita airport? Can't find the bathrooms at your local Ikea store? The Google Maps application for Android phones and tablets may offer some help.
Apple has removed a tethering app for the iPhone that let users share the smartphone's cellular connection to the Internet with a Mac or Windows notebook.
Office 365, Microsoft's cloud collaboration and communication suite for organizations, is selling eight times faster than its predecessor, the Business Productivity Online Suite (BPOS) and has been particularly successful among small businesses, which make up over 90 percent of its customer base, the company announced on Tuesday.
Interest in tablets with Microsoft's Windows 8 is plummeting, Forrester Research said in a study released Tuesday.
Facebook's community forum was flooded during the Thanksgiving weekend with spam messages that advertised live streaming links for various sporting events.
Re: Re: wordpress Lanoba Social Plugin Xss Vulnerabilities
Oxide M0N0X1D3 HTTP Server Directory Traversal Vulnerability
Security-Assessment.com Release: Hacking Hollywood Slides, Advisories and Exploits
MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter
An MSNBCblog has published the recent findings of a study from Columbia University saying millions of HPprinters are vulnerable to a devastating hack attack.
In essence, the vulnerability is that the LaserJet (InkJet not vulnerable) printers made before 2009 (according to HP) do not check digital signatures before installing a firmware update. Thus, a specially crafted version of firmware could be remotely installed by creating a crafted printjob including the new firmware version. The researchers demonstrated overheating a fuser to simulate what kind of physical destruction could incur (it charred the paper but was shut off by a safety before a fire started). Long story short, for an embedded system (or any system for that matter) if you can rewrite the Operating System you can control the device and make it do all sorts of unintended things.
This isn't the first time HPLaserJet printers have had vulnerabilities, though this is the first time (that I recall at least) of using the firmware to do it. I think the severity of this vector is somewhat less than portrayed but worth noting, particularly for organizations that operate highly secure environments.
Best practices are likely sufficient to prevent against this attack, namely, you should never have printers (or any other embedded device for that matter) exposed to the Internet. In theory, you could create malware that infects a PC to then infect a printer but I would suspect such effort would only be used in rare circumstances. Additionally beyond firewalling the device, network traffic to and from the device could be monitored for traffic other than printjobs which should give indication of a problem. For instance, any printer initiating an outbound TCP/IPconnection is a sign that something is awry.
The study is a helpful reminded that even devices we don't think of as computers can be hacked and do things we don't intend and compromise our security.
Do you monitor printers or other embedded devices in your environment for compromise or otherwise protect them? Take the poll and feel free to comment below.

John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I'm sure you've had this happen: You're buying a TV, a refrigerator, or a digital camera, and the salesperson tries to pressure you—or maybe even scare you—into paying for an extended warranty. In some cases, the expense may be justified, but in others, you're simply paying for something you'll never need.
The functionalities of a computer program and the programming language cannot be protected by copyright according to the European Court of Justice’s senior advisor.
WikiLeaks has postponed the launch of its new secure submission system due to recent security compromises that seriously affected the credibility of the SSL infrastructure.
To choose the cloud service provider that best matches your company's risk tolerance, you should first develop a checklist of security mandates and required features. Experts explain how. Insider (registration required)
Lenovo unveiled three new tablets and a smartphone for the Chinese market on Tuesday and said it will launch a smart TV product in the first quarter of next year.
Hewlett-Packard is quickly putting to use its recent acquisitions of Autonomy and Vertica, integrating the software from these companies into a single software package, called the HP Next Generation Information Platform.
Facebook may take away the disputed page on Facebook from both Merck in Germany and Merck in the U.S., if the two companies do not come to an agreement, a person familiar with the situation said Monday.
Ruckus Wireless took another shot at optimizing Wi-Fi capacity on Monday, introducing a technology called ChannelFly that is designed to place network clients on the best possible channel based on the actual capacity of that channel.
Japanese component maker Rohm said it has developed an experimental chip that can send and receive signals at terahertz-range frequencies, which can carry data at speeds of up to 30Gbps and penetrate clothing and paper.
Citrix CIO Paul Martine is the poster child for everything that Citrix markets to other CIOs.
Seagate today released the third generation of its hybrid drive, doubling the amount of NAND memory to 8GB and increasing total capacity to 750GB.
By this time next year, we all might be interacting with our computers by means of touch, voice and in-air gestures.
Microsoft said it will license the protocols for many of its enterprise systems to a company that will develop compatible applications for non-Microsoft mobile operating systems, including Google's Android and Apple's iOS.
Research In Motion is taking on mobile device management for Android and Apple iOS devices as well as its own products, introducing the BlackBerry Mobile Fusion product on Tuesday.

Posted by InfoSec News on Nov 28


By Lucian Constantin
IDG News Service
November 24, 2011

A week-long DDoS attack that launched a flood of traffic at an Asian
e-commerce company in early November was the biggest such incident so
far this year, according to Prolexic, a company that defends websites
against such attacks.

The distributed denial-of-service attack...

Posted by InfoSec News on Nov 28


By Steven Musil
CNet News
November 27, 2011

The FBI and Philippine law enforcement officials arrested four people in
the Philippines this week who were allegedly paid by terrorists to hack
into AT&T's system, but the company said its system was not breached.

The four, who were arrested Wednesday in Manila, were paid by the same

Posted by InfoSec News on Nov 28


By Brett Winterford
Nov 28, 2011

AusCERT chief warns of need for new approach.

One of Australia's most respected security professionals has warned that
the Federal Government project to give citizens access to an electronic
health record will lead to rampant fraud and privacy abuses.

Graham Ingram, general manager of infosec emergency...

Posted by InfoSec News on Nov 28


The Secunia Weekly Advisory Summary
2011-11-17 - 2011-11-24

This week: 69 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Nov 28


26 Nov 2011

The article by Edward Jay Epstein, published in the New York Review of
Books, raised the question of whether a Blackberry phone belonging to
Dominique Strauss-Kahn might have been being tapped by his political
opponents at the time he was arrested in May on charges of sexually...

Posted by InfoSec News on Nov 28


By Dan Goodin in San Francisco
The Register
28th November 2011

A company that provided free cellphone encryption to dissidents in Egypt
abruptly suspended its services on Monday so that Twitter could
integrate some of its privacy enabling technology into the microblogging

Twitter's acquisition of San Francisco-based Whisper Systems came on
Monday, the same day...

Posted by InfoSec News on Nov 28


By John E Dunn
25 November 2011

USB sticks remain a big security weakness for UK organisations with many
employees using drives without permission and not bothering to report
their loss, a Ponemon Institute study has found.

The study polled 451 IT staff in the UK from a global total of 2,942 on
behalf of Kingston Technology,...

Posted by InfoSec News on Nov 28


By Fahmida Y. Rashid

Criminals and scammers are targeting online shoppers looking for deals
with too-good-to-be-true offers for Cyber Monday.

Holiday shoppers planning to search for that perfect gift are gearing up
for online deals on Monday after Thanksgiving. Security experts warned
that scammers are also ramping up their...
Internet Storm Center Infocon Status