InfoSec News


Infosec: Government urges companies to reveal cyberattacks
By Anh Nguyen David Willetts, minister of state for universities and science, has called for businesses to disclose their experiences of successful and unsuccessful cyberattacks. He believes that this will help to raise companies' awareness about ...
David Willetts: UK firms need to 'fess up to security boobsRegister

all 11 news articles »
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Just a quick update to Johannes's story on the 27th about the Oracle TNS listener vulnerability (http://isc.sans.edu/diary.html?storyid=13069)

We received two updates from our readers on this today:

Reader anothergeek posted a comment to Johannes's story, noting that a patch was released today - find details here == http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

Shortly after, reader R.P. pointed us to a page that had proof of concept (with a video no less) ==}


So get that maintenance window scheduled folks! Those patches don't do you any good in your Downloads folder!

From the perspective of someone who does audits and assessments, it's a sad thing to note that in many organizations it's tough to schedule maintenance on a large Oracle server. So many applications get piled on these that database and operating system patches can be a real challenge to book, because an interruption in service can affect dozens or hundreds of applications.

Sadly this means that database patches are often quarterly or annual events. Or fairy tale events (as in never-never).


Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft is sticking to its plan to shut down its Office Live Small Business (OLSB) suite of cloud-based services on Monday, even though it seems many customers are either unaware of the deadline or are having difficulties migrating.
The jury began its deliberations Monday in the copyright phase of Oracle's lawsuit against Google over Android.
Conventional wisdom says the CIO should report to the CEO. But not everyone agrees that's so important.
U.S. lawmakers should reopen an investigation into the snooping on Wi-Fi networks by Google's Street View cars because of information in a U.S. Federal Communications Commission report that suggests several people at Google knew of the spying, a privacy group said Monday.
One day while observing a lady next to me on her iPad, I noticed how this person was literally condensing an exercise that would normally require a happy shopper all day to complete within a period of 30 minutes at most. This person had within a blur of swipes and prods completed the purchase of at least eight items of clothing and accessories all from different well-known brands and all delivered to the doorstep within the week.
Smartphone-maker LG Electronics has backed off producing Windows Phone devices for now and will instead focus on Android phones, according to a report.
By using Tibbr, this Hong Kong-based logistics company is able to share short messages to resolve exceptions, reschedule deliveries and keep customers happier. Insider (registration required)
How Yale New Haven Health's CIO tackled integrating three IT systems into one while keeping customer care front and center
Columnist Adam Hartung says CIOs are in danger of becoming irrelevant if they focus on old technologies and practices. He advises that you forget what worked in the past and focus on technologies that will delight employees and customers in the future. Insider (registration required)
IBM took steps on Monday to help enterprises go mobile, introducing a set of software and services called Mobile Foundation.
Reader Gregg Andrews has an iOS device here and files there and wonders how to bring the two together. He writes:
Microsoft's partnership with Barnes & Noble could lead to development of a Windows-based tablet or e-reader, not just a Nook e-reader application for Windows 8, some analysts said.
AT&T spent nearly $7.1 million on lobbying Congress and President Barack Obama's administration in the first quarter of 2012, making it the leading corporate spender on lobbying, with Google, Comcast and Verizon Communications also making the top five.
McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject() Security Bypass Remote Code Execution Vulnerability
NGS00118 Technical Advisory: Symantec pcAnywhere Remote Code Execution as SYSTEM
NGS00117 Technical Advisory: Symantec pcAnywhere insecure file permissions local privilege escalation

SYS-CON Media (press release)

A Fistful of Fears: Our Top Five Security Issues
SYS-CON Media (press release)
By Adrian Bridgwater If you work in information technology and you passed through the city of London over the last week it would have been hard not to notice the InfoSec IT security conference being held at the Earl's Court exhibition center.

Facebook co-founder and CEO Mark Zuckerberg is taking to the network news Tuesday to announce a new tool that is supposed to have the power to save lives.
NGS00141 Technical Advisory: Websense Triton 7.6 stored XSS in report management UI
NGS00140 Technical Advisory: Websense Triton 7.6 - unauthenticated remote command execution as SYSTEM
NGS00138 Technical Advisory: Websense Triton 7.6 - authentication bypass in report management UI
NGS00137 Technical Advisory: Websense Triton 7.6 - reflected XSS in report management UI
Windows users appear half as interested in trying out the new Windows 8 as they did three years ago when they jumped at the chance to test drive Windows 7, data shows.
The customer always comes first. Except when it comes to HCL, the $6 billion Indian outsourcing -- make that co-sourcing -- giant led by CEO Vineet Nayar, who literally wrote the book on a philosophy known as 'employees first, customer second.' In this latest installment of our CEO Interview Series, Nayar spoke with IDG Enterprise Chief Content Officer John Gallant about how that philosophy is fueling HCL's rapid growth and why more CIOs ought to consider adopting it.
Wordpress WPsc-MijnPress plugin Cross-Site Scripting Vulnerabilities
OWASP 2012 Online Competition with Hacking-Lab
[SECURITY] [DSA 2462-1] imagemagick security update
C4B XPhone UC Web 4.1.890S R1 - Cross Site Vulnerability
Name: Joe Freda
Most apps take aim at some small slice of your life and help improve it. MotionX Sleep is more like the rock band The Kinks--it wants to be with you all day, and all of the night.
Microsoft will invest $300 million in a new Barnes & Noble subsidiary, which will include the digital Nook and College businesses of Barnes & Noble, the companies said in joint statement on Monday.
Nokia PC Suite Video Manager '.mp4' File Denial Of Service Vulnerability
As things stand now, all bets are off if you lose your smartphone.
Facebook purchased in the last five months eight of ten patents it has cited in a counterclaim to a patent infringement lawsuit filed by Yahoo, and several were purchased after Yahoo filed the suit, the Internet portal claimed in a filing on Friday before a federal court.
Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.
With Microsoft Open Technologies release, websites and mobile apps can use Metro style
Amazon Web Services offer new challenges and flexibility for database admins -- here's how to avoid the pitfalls and tune for performance
To take full advantage of virtualization's high-level benefits, companies must view the technology's capabilities across the entire IT organization. Here's some expert advice on creating a virtualization strategy that looks at the big picture. Insider (registration required)
PHP 'getimagesize()' Remote Denial Of Service Vulnerability
The NFL may have big stadiums, big players and big games, but when it comes to its IT operation, Nancy Galietti, the NFL's vice president of IT, does not use the word big.
The U.S. House of Representatives last week passed the controversial Cyber Intelligence Sharing and Protection Act (CISPA) despite opposition from privacy advocates, lawmakers and the White House, which threatened to veto the bill if it lands on the president's desk in its current form.
Croogo CMS Multiple HTML Injection Vulnerabilities

Posted by InfoSec News on Apr 30


By John Edwards
Defense Systems
April 26, 2012

The cloud promises to help the military achieve data storage
efficiencies leading to cost benefits, but it first needs to figure out
which types of information can safely reside in the cloud and which are
best left in a conventional data storage environment.

Doug Gardner, technical director of the Program Executive...

Posted by InfoSec News on Apr 30


The Secunia Weekly Advisory Summary
2012-04-22 - 2012-04-29

This week: 236 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Apr 30


By Lucian Constantin
IDG News Service
April 27, 2012

Instructions on how to exploit an unpatched Oracle Database Server
vulnerability in order to intercept the information exchanged between
clients and databases were published by a security researcher who
erroneously thought that the company had patched the...

Posted by InfoSec News on Apr 30


By Darren Pauli
April 30, 2012

International sting hits 36 underground sites.

More than 15,000 Australian credit cards worth an estimated $3.75
million in total were salvaged from underground hacker forums in a
global police sting.

The cards were held across 36 carding websites that used automated
vending carts to sell the...

Posted by InfoSec News on Apr 30


By Robert McMillan
Wired Enterprise
April 27, 2012

When Panos Ipeirotis checked his Amazon Web Services bill last week, he
started to sweat. It was $1,177.76 -- much more than he’d ever been
charged before -- and it was going up another $50 to $100 with each
passing hour. He had no idea why.

After a some investigation, he found the problem. He had accidentally...
WebCalendar Local File Include and PHP code Injection Vulnerabilities
Internet Storm Center Infocon Status