Hackin9

InfoSec News

Advanced Micro Devices has announced it will sell ARM-based server processors in 2014, ending its exclusive commitment to the x86 architecture and adding a new dimension to its decades-old battle with Intel.
 
Oracle Java SE CVE-2012-3143 Remote Java Runtime Environment Vulnerability
 
Internet payments company PayPal will cut 325 jobs as part of a companywide reorganization, its president said Monday.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
As it stood late this afternoon, Hosting.com's data center in Newark, Del., was within walking distance of the projected path of Hurricane Sandy's center once it makes landfall.
 
Microsoft has seen strong initial demand for its Windows 8 operating system, CEO Steve Ballmer said Monday.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3986 Multiple Security Bypass Vulnerabilities
 
Two of Apple's top executives are leaving the company: Scott Forstall, who has overseen the iOS platform that runs the iPhone and iPad, will leave Apple next year, and John Browett, senior vice president of retail, is leaving sooner, Apple said Monday.
 
PLIB 'ssgParser.cxx' Remote Stack Buffer Overflow Vulnerability
 
Yammer said it has simplified and expanded the ways in which its enterprise social networking (ESN) software can be integrated with third-party business applications.
 
Enterprises are beginning to leverage mobility to transform their business processes rather than simply providing always-on access to email and calendaring. Healthcare, financial services and retail are at the forefront of using mobile to transform their businesses, and Windows 8 may accelerate the process.
 
Windows Phone 8 smartphones, which officially launched Monday and will ship in November on three U.S. carriers, will support 46 of the top 50 most popular smartphone apps, along with a Data Sense app for more efficient data usage that will first be supported by Verizon Wireless.
 
U.S. Supreme Court justices on Monday questioned the legitimacy of a law allowing a secretive government surveillance program and the assertion by a government lawyer that some groups couldn't challenge the law in court because they don't know if they've been spied on.
 
Yahoo will ignore "Do Not Track" privacy requests sent by Microsoft's Internet Explorer 10 browser, calling its ally's unilateral decision "signal abuse" and pointing to a possible rift between the search partners.
 
Establishing clear rules of engagement and improving public/private sector security collaboration are among the priorities ahead, a former cybersecurity czar said.

 
The biannual Deloitte-NASCIO survey revealed what state CISOs believe are the top barriers in addressing cybersecurity.

 
Millions of Social Security numbers and thousands of credit and debit cards were exposed after an attacker penetrated a state agency server.

 
Seventeen Starbucks stores in the Boston area are taking part in a wireless charging pilot program that will allow customers to recharge their phones by placing them on the charging surfaces of tables.
 
Idea management can help your organization stay competitive. Here are 10 best practices for getting the most from it.
 
Windows Phone 8, Microsoft's new operating system for cellphones, was launched on Monday and with it the software company's hopes of reclaiming a portion of the fast-growing smartphone market.
 
Google on Monday announced a new 10-inch Nexus tablet and 4.7-inch Nexus smartphone with the latest Android 4.2 operating system, code-named Jelly Bean.
 
SafeNet Privilege 'PrivAgent.ocx' ActiveX Controls Multiple Buffer Overflow Vulnerabilities
 
Google on Monday announced a Nexus 4 smartphone, an updated Nexus 7 tablet with a fast cellular connection and a Nexus 10 tablet.
 
As Hurricane Sandy roars up the East Coast, residents, news organizations and government agencies are using social networks to get their messages out.
 
Fewer than half of U.S. consumers have heard of Windows 8, hinting that Microsoft faces a tough task convincing buyers that they need to jump on the bandwagon.
 
Intel on Monday announced its latest SSD 335 solid-state drive, which is being pitched as a hard-drive replacement for laptops.
 
Red Hat has announced that it has been awarded Common Criteria certification at EAL4+ for its Red Hat Enterprise Linux 6 distribution, including the KVM hypervisor.
 
Browser CRM Multiple SQL Injection and Cross Site Scripting Vulnerabilities
 
VLC Media Player 'get_chunk_header()' Function Memory Corruption Vulnerability
 
libfpx 'Free_All_Memory()' Function Double Free Remote Code Execution Vulnerability
 
Call for Papers: DIMVA 2013
 
PIAF H.M.S - SQL Injection
 
KmPlayer v3.0.0.1440 Local Crash PoC
 
To avoid being detected by automated threat analysis tools, a trojan attaches itself to the code for handling mouse events.
 
A Clear Standard
A Clear Desk Policy is becoming a more commonly adopted STANDARD in the workplace. The idea that a clean desk is a standard may seem a bit of a stretch. However, it is recognized in the access control domain by ISO [1], NIST [2], and ISC2 [3]. The name of the standard varies a bit and often includes Clear Screen in its title and requirements as well. A Clear Desk standard does not primarily target the actual cleanliness of the desk, but the frequently seen clutter of classified information left unattended out in the open.
I have worked in environments as an infosec professional, both with a Clear Desk policy in effect and without. The difference between the two is drastic. An ENFORCED Clear Desk Standard ultimately reduces risk and nicely facilitates efficiency and effectiveness in the workplace. An unenforced standard is equivalent to no standard and creates an endless list of findings for any ambitious auditor.
A highly effective execution of a defined Clear Desk Standard/Policy should include two main components.

Awareness
Audit

Awareness
Awareness is key. This can be very simple. Make sure your employees KNOW the policy/standard EXISTS and that it is ENFORCED. The awareness does not need to include an expensive training module. It can be delivered with mailbox flyers, emails, or simple cascaded conversations by management. Please check out the resource link that SANS provides. [4]
Audit
Once the awareness piece is in place, regularly auditing the workplace is critical. This too does NOT need to be expensive. It can consist of delegating a champion to schedule and execute a review of the workplace, a spreadsheet for tracking, and a pad of review slips to leave on each desk detailing the review.

Here's a simple review slip example that can be used.

Keep it simple. I created this example in MS Word in ten minutes.

When the audit slip is left behind, it keeps the employee/user aware that checks are in place and the policy is enforced. This need only happen quarterly to be extremely effective. The spreadsheet can be used to track results and assist in accomplishing the compliance goals of the policy. Publishing the quarterly numbers is also very effective.
Conclusion
The responsibility lies on the user to comply with any standard/policy. The responsibility lies on Management to enforce the standard/policy. A lack of policy or policy enforcement can increase risk, loss of reputation and loss of data. Here is a snapshot of an assessment from a corporate environment where no policy existed.

These monitor notes are a simple example of the endless problems identified within an environment with little policy and enforcement. A simple expectation of a clean desk can provide an immeasurable reduction in risk and a boost to the organization's image. The risk reduction is tangible and the positive image is intangible, but both translate into increased efficiency and effectiveness by the staff and ultimately every line of business.

[1] http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf

[2] Page H9 of the document in reference [1], Table H-2: Mapping ISO/IEC 27001 (Annex A) to NIST SP 800-53.

[3] https://www.isc2.org/cissp-domains/default.aspx

[4] http://www.sans.org/security-resources/policies/desk-top.php

-Kevin

--

ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Parts of New York City received mandatory evacuation notices from the governor's office as Hurricane Sandy moved toward shore Monday. Along with other businesses in the city's financial district, the New York Stock Exchange voluntarily shut down.
 
Version 11.04 of Canonical's Ubuntu Linux distribution, known as "Natty Narwhal", has reached its end of life, meaning that no new updates, including security updates and critical fixes, will be made available.
 
IrfanView TIFF Image File Remote Heap Based Buffer Overflow Vulnerability
 
[slackware-security] mozilla-firefox (SSA:2012-300-01)
 
[SECURITY] [DSA 2568-1] rtfm security update
 
[SECURITY] [DSA 2567-1] request-tracker3.8 security update
 
Exploit - EasyITSP by Lemens Telephone Systems 2.0.2
 
In a bid to help large businesses create and manage snapshots of application data across sprawling enterprise environments, CommVault is releasing the snapshot component of its Simpana suite as a standalone product.
 
A design flaw in a commonly used ladder logic runtime system, CoDeSys, exposes industrial control systems that use it to an unauthenticated network attack that could well be run with system privileges. The developers are working on a patch.

Dr Guy Bunker joins infosec firm Clearswift
SC Magazine UK
Clearswift has announced the appointment of former HP global security architect Dr Guy Bunker to its senior management team. Bunker, an expert and recognised figure in the infosec industry, has joined the Reading-based cyber security company as senior ...

 
Big data, analytics and mobile apps are enabling smaller political campaigns and advocacy groups to be more effective when it comes to winning over voters and raising money.
 
The U.S. Department of Energy's Oak Ridge National Laboratory on Monday completed the deployment of a 20-petaflop supercomputer called Titan, which the lab hopes will give the U.S. an edge over China and Japan in the race to build the world's fastest computers.
 
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-4194 Cross Site Scripting Vulnerability
 
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-4195 Cross Site Scripting Vulnerability
 
Hadoop and MapReduce have long been mainstays of the big data movement, but some companies now need new and faster ways to extract business value from massive -- and constantly growing -- datasets.
 
The apps available for Microsoft's new Windows operating systems are good enough to entice early buyers of tablets and other touch devices, analysts said.
 
Mozilla has released a security update for Firefox, Thunderbird and their ESR versions, and for SeaMonkey, after critical security flaws were found that exposed users to XSS attacks.

Posted by InfoSec News on Oct 29

http://www.reghardware.com/2012/10/25/dyson_claims_bosch_acquired_motor_designs_unlawfully/

By Caleb Cox
Reg Hardware
25th October 2012

British vacuum cleaner magnate Dyson has started High Court proceedings
against German industrial giant Bosch, claiming its rival swiped its
designs for a new generation of electric motor.

Mark Taylor, Dyson's R&D chief, said: “Bosch’s VP for engineering
employed a Dyson engineer and benefited...
 

Posted by InfoSec News on Oct 29

http://www.computerworld.com/s/article/9232956/Critical_flaw_found_in_software_used_by_many_industrial_control_systems

By Lucian Constantin
IDG News Service
October 26, 2012

CoDeSys, a piece of software running on industrial control systems (ICS)
from over 200 vendors contains a vulnerability that allows potential
attackers to execute sensitive commands on the vulnerable devices
without the need for authentication, according to a report from...
 

Posted by InfoSec News on Oct 29

http://www.nextgov.com/cybersecurity/2012/10/pentagon-cyber-threat-sharing-program-lost-participants/59028/

By Dawn Lim
Nextgov
October 25, 2012

A Pentagon effort designed to share information on computer threats with
defense contractors has lost members, InsideDefense reports.

Five of the initial 17 members have pulled out of the Defense Industrial
Base Enhanced Cybersecurity Services group, a component of the
department's...
 

Posted by InfoSec News on Oct 29

http://go.bloomberg.com/tech-blog/2012-10-29-experian-customers-unsafe-as-hackers-steal-credit-report-data/

By Jordan Robertson
Bloomberg
Oct. 29, 2012

When hackers broke into computers at Abilene Telco Federal Credit Union
last year, they gained access to sensitive financial information on
people from far beyond the bank’s home in west-central Texas.

The cyberthieves broke into an employee’s computer in September 2011 and
stole the...
 

Posted by InfoSec News on Oct 29

http://www.scotsman.com/news/international/euromillions-website-hit-by-hackers-1-2603437

By CLAIRE GARDNER
Scotsman.com
29 October 2012

THE FRENCH website of the Euromillions lottery has been hacked, with the
homepage replaced by a passage from the Koran condemning gambling.

The hackers, calling themselves “Moroccanghosts”, posted the message in
Arabic and French.

The Koranic verses call games of chance and alcohol “works of the...
 
IBM has hit a milestone in its quest to come up with a successor to silicon computer chips.
 
Drupal Arbitrary PHP Code Execution and Information Disclosure Vulnerabilities
 
Linux Kernel 'uname()' System Call Local Information Disclosure Vulnerability
 