InfoSec News

Microsoft began this week an early access program for developers to get the upcoming "Mango" release of Windows Phone.
Research In Motion's board of directors has agreed to form an independent committee to study aspects of the company's management structure, including clarifying the roles of RIM's controversial co-CEOs.
LightSquared plans to start building its terrestrial wireless network soon, despite a regulatory approval process that has sparked vehement opposition from GPS vendors and won't be over until at least the middle of August.
Systems integrator Dimension Data plans to enhance its cloud computing offerings by acquiring OpSource, a provider of hosted cloud services.
Remember those net neutrality rules the U.S. Federal Communications Commission passed back in December? The agency is taking steps toward finally implementing them, although the rules still won't go into effect for months.
Research in Motion questioned the authenticity of an open letter posted today that bashed RIM management, saying also that there is "excitement and optimism" within its ranks.
Facebook's Mark Zuckerberg is trying to build some excitement for an announcement the company is planning next week. The social networking site plans to 'launch something awesome,' he said.
The Federal Trade Commission has launched an investigation into Twitter, according to a report from the Business Insider website.
Sometimes you need to buy a boatload of laptops for your staff when they need mobile PCs. HP is hoping its low-cost ProBook 5330m business laptop lineup will fit the bill. Here we look at the $799 version, which strips out some features to hit that low price.
To grow their businesses, companies need a deeper focus, not a broader reach
Remember those net neutrality rules the U.S. Federal Communications Commission passed in December? The agency is taking steps toward finally implementing them, although the rules still won't go into effect for months.
AeroMail Cross Site Request Forgery, HTML Injection and Cross Site Scripting Vulnerabilities
Mozilla Firefox and Thunderbird CVE-2011-2376 Memory Corruption Vulnerability
Interest in Google's new social networking service has exceeded not only the company's expectations but its ability to keep up with demand. For now, it's not allowing new users to join.
Analysts say Hewlett-Packard has to do more to make the new TouchPad tablet a market winner.
Google this week added an anti-phishing feature to Gmail that automatically displays the sender's address for some messages.
In an open letter published on the BGR online news site, an unamed senior RIM manager heavily criticizes the company's co-CEO's for putting the company years behind Apple in the smartphone business.
Mozilla Firefox and Thunderbird CVE-2011-2374 Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey SVG Parsing Remote Code Execution Vulnerability
Mozilla Firefox and Thunderbird CVE-2011-2364 Memory Corruption Vulnerability
Samsung announced it is producing high-performance microSD cards with data transfer speeds that support the performance requirements of 4G smartphones.
Intel gained microprocessor revenue market share from Advanced Micro Devices during this year's first quarter despite the recent Sandy Bridge chipset woes, research firm IHS iSuppli said this week.
Amazon announced late on Wednesday that it is eliminating the cost for all inbound data transfer to Amazon Web Services, matching Microsoft's recent announcement of the same offer for its Azure service.
The company is using repeatable processes to roll out software updates more efficiently
HP OpenView Storage Data Protector Remote Code Execution Vulnerability
SAP Netweaver Insecure SAPTerm User Account Creation Security Bypass Vulnerability
All companies, not just financials, must comply with the Dodd-Frank Act; Gartner recommends having a compliance bureau monitor the implications.

Add to digg Add to StumbleUpon Add to Add to Google
Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit that buries itself on the hard drive's boot sector.
They can definitely make it easy for sensitive data to get into the wrong hands, but you can do some simple things to reduce (not eliminate) the risks.
Joomla Newsletter Subscriber Plugin Multiple Cross Site Scripting Vulnerabilities
New York Mayor Michael Bloomberg is demanding that systems integrator Science Applications International Corporation reimburse more than US$600 million it was paid in connection with the troubled CityTime software project, a long-running effort to overhaul the city's payroll system.
OpenSSH 'pam_thread()' Remote Buffer Overflow Vulnerability
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Computers lacking patches for long-known vulnerabilities potentially face more of a hacking risk than from zero-day exploits, or attacks targeting vulnerabilities that haven't been publicly disclosed, according to new research from Secunia.
CIOs say helping workers cope is key to recovery
Event log management tools have evolved into a proactive solution set called security information and event management (SIEM), which has enabled IT to better correlate data provided by security software and appliances across the network.
LightSquared filed a long-awaited report on possible GPS interference by its planned cellular network to the FCC on Thursday, along with a formal proposal to use a different block of frequencies to prevent those problems.
Gartner on Thursday upgraded its forecast for worldwide IT spending, saying it will grow 7.1 percent this year to US$3.7 trillion as companies migrate to the cloud and spend more on software and IT services.
RSAposted SP4 Patch 4 of their Authentication Manager product today. There are a few pages of fixes in the README, but the most significant is that Authentication Manager can now be installed on Windows Server 2008 (both 32 and 64bit).
This is significant, as until now Windows Server 2003 was the most recent Windows version supported - this has been a growing source of frustration for RSAshops.
Long story short, I've installed it in a production environment on Server 2008, it works exactly as you'd expect. Good on them for catching up !
ps - The native ADintegration (via LDAP) also works quite nicely - this is recent but not new in this release.

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Wireshark Lucent/Ascend File Parser Denial of Service Vulnerability
[security bulletin] HPSBMU02686 SSRT100541 rev.3 - HP OpenView Storage Data Protector, Remote Execution of Arbitrary Code
CORE-2011-0606: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability
CORE-2011-0514: Multiple vulnerabilities in HP Data Protector
Re: Resolved - NNT Change Tracker - Hard-Coded Encryption Key Originally posted as

Romanized Arabic - Does it go far enough to speed translation?
CSO (blog)
A reporter queried me this week on Basis Technology and their Rosette Chat Translator for Arabic (surprised the name has not attracted some other folks…). I had heard of them before but had not looked at ...

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
A popular Twitter-like service in China with 140 million users was hit by a worm earlier this week that resembles past attacks that infected Twitter and MySpace, according to a security analyst.
Chinese police have arrested 36 suspects for allegedly operating scams that netted $6.6 million from customers from customers of e-commerce platform and other sites.
Version 9.0 of EnterpriseDB's Oracle-compatible database is now available, with new support for Hewlett-Packard's HP-UX operating system, the company announced Thursday.
Can Google+, the new social network from Google, lure users away from Facebook, the world's largest social network? It won't be easy, say analysts.
The Internet-based E-Verify employment eligibility system can be an important enforcement tool in the fight against illegal immigration, but only if it can be made error-free and reliable, President Obama said on Wednesday.
IBM researchers have successfully stored multiple bits of data in the cells of phase-change memory chips. This will allow the creation of non-volatile memory with as much capacity as NAND flash but with vastly greater performance and longevity for enterprise-class applications.
Ruby on Rails Multiple Cross Site Scripting Filter Security Bypass Weaknesses
Terror group al-Qaida has been left without a trusted operational channel on the Internet for distributing its media and propaganda, according to a terrorism expert.

Posted by InfoSec News on Jun 30

By John Markoff
The New York Times
June 29, 2011

Robert Morris, a cryptographer who helped developed the Unix computer
operating system, which controls an increasing number of the world’s
computers and touches almost every aspect of modern life, died on Sunday
in Lebanon, N.H. He was 78.

The cause was complications of dementia, his wife, Anne Farlow Morris,

Known as an...

Posted by InfoSec News on Jun 30

By Robert McMillan
IDG News Service
June 29, 2011

Time may be running out for the members of LulzSec as police continue to
step up their inquiries into the hacking group.

On Monday, the U.S. Federal Bureau of investigation executed a search
warrant at a Hamilton, Ohio, residence -- a raid that local media has
linked to the ongoing investigation of...

Posted by InfoSec News on Jun 30

By Elinor Mills
InSecurity Complex
CNet News
June 29, 2011

Hackers have temporarily shut down Al Qaeda's online distribution of
videos and statements, NBC News reported today.

"Al-Qaeda's online communications have been temporarily crippled, and it
does not have a single trusted distribution channel available on the

Posted by InfoSec News on Jun 30

By Juan Martinez
Direct Marketing News
June 29, 2011

Marketing services firm Epsilon has added new security enhancements to
its email marketing platform in collaboration with Verizon Business,
Epsilon president and CEO Bryan Kennedy told Direct Marketing News on
June 28. The new features include enhanced protection for Epsilon's

Posted by InfoSec News on Jun 30

By Cliff Edwards, Olga Kharif and Michael Riley
June 27, 2011

The U.S. Department of Homeland Security ran a test this year to see how
hard it was for hackers to corrupt workers and gain access to computer
systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the
parking lots of...

NetClarity NACwall Next Generation NAC Appliances Now Dynamically Control All ...
NetClarity, Inc., the leading provider of Next Generation (NG) Network Access Control (NAC) technology in the marketplace today, on the heels of receiving the “Most Innovative New Security Product for 2011” award from InfoSec Products Guide, ...

Internet Storm Center Infocon Status