InfoSec News

With a recent update, some Skype users may have inadvertently installed EasyBits GO, a gaming platform for Skype. In the past, this add-on was available for download via Skype's add-on manager. The recent update, however, installed EasyBits GO even if the user chose not to install it.
According to Skype [1], this additional install was a mistake that has since been corrected. EasyBits confirmed the problem in a press release [2].
An additional problem came up as users tried to uninstall the software. While it shows up in the Control Panel and appears to uninstall from there, the actual program folder and other components are not removed. According to the EasyBits FAQ [3], a special uninstaller is required to fully remove the software.
[1] http://blogs.skype.com/garage/2011/05/easybits_update_disabled_for_s.html

[2] http://www.easybitsmedia.com/NewsAndMedia

[3] http://www.easybitsmedia.com/FAQs

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Sandisk has updated its line of solid-state drives (SSDs) for tablet and portable computers with models that feature higher performance.
 
Unbound DNS Resolver Remote Denial of Service Vulnerability
 
Linux-PAM 'pam_xauth' Module Denial of Service and Security Bypass Vulnerabilities
 
ISC BIND 9 DNSSEC Validation Remote Denial of Service Vulnerability
 
For serious writers who care more about getting good ideas out of their heads and onto the page (and not-so-serious writers who just need to concentrate better), all Microsoft Word's fancy formatting features can be more hindrance than help. So, for that matter, are all the menus and distracting layout options. To keep your mind on your thoughts, I recommend distraction-free writing tools. Of course, once you capture your thoughts, you'll probably want to use Word to format them and save them in a format all your colleagues can actually use. Fortunately, there's Write Space, a killer little plug-in that adds an old-school distraction-free editing screen to Word 2007.
 
W-Agora Multiple Arbitrary File Upload Vulnerabilities
 
Novell ZENworks Configuration Management ZAM File Remote Code Execution Vulnerability
 
Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability
 
[ MDVSA-2011:103 ] gimp
 
[SECURITY] [DSA 2246-1] mahara security update
 
[SECURITY] [DSA 2245-1] chromium-browser security update
 
[ MDVSA-2011:102 ] rdesktop
 
Everyone seems to be moving into the cloud. With Web-based apps and online storage services that give us constant access to the most important data from all of our devices, we have more computing power at our disposal than ever before. Online productivity suites let you work with Office documents on your laptop or smartphone, and keep them perpetually available on the Web for easy access. Cloud streaming services make your entire music library available on any device you have handy, or let you tap into an unlimited supply of free tunes from a personalized online radio station. Web-based phone services allow you to call anyone in the world--with video--for next to nothing, and receive calls on any phone. You can even protect your PC with online antivirus apps.
 
One of the biggest criticisms routinely leveled against desktop security software is that it's bloated and inefficient, slowing down PC performance and nagging users about frequent updates. In response to those complaints, a new breed of security apps is emerging from the cloud.
 
If you subscribe to a triple-play broadband package through a major cable or phone company, chances are good that your phone service already runs through the cloud--that is, the Internet. But you can get even more flexible calling options--and cool extras such as video chat or automatic voicemail transcripts--from a pure cloud service provider such as Skype or Google.
 
Ernest Valdez, Jr. asked how he could wirelessly send a video signal from his computer to his HDTV.
 
CFP for ekoparty 2011 is now OPEN! [Buenos Aires, Argentina]
 
[SECURITY] [DSA 2243-1] unbound security update
 
Just about a month ago, RSA notified its customers about a major breach of its systems. One of the big questions was whether the breach leaked sufficient information to emulate RSA tokens.
RSA tokens are not random. They can't be, because the RSA authentication server has to know what number is displayed on the token at any given moment. Based on the release from Lockheed Martin suggesting that an RSA token was successfully emulated, one can only assume that the breach of RSA leaked sufficient data to predict the number displayed by a particular token. It may also have leaked which token was handed to which company (or even which user).
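To make that point concrete, here is an added example (not from the diary, and not RSA's algorithm): the public RFC 4226/6238 HOTP/TOTP construction, which shares the property that matters here, namely that token and server derive the displayed number from a shared seed, so whoever holds the seed can compute the same number. The seed is the RFC test-vector secret, and the 30-second step and 6-digit length are assumptions; SecurID itself uses a proprietary algorithm with its own parameters.

```python
"""Why a seed-derived token is predictable to anyone holding its seed.

Added example: RFC 4226/6238 HOTP/TOTP, NOT RSA's proprietary SecurID
algorithm. Seed, 30-second step and 6-digit length are assumptions for the
demonstration; the property shown (server and token compute the same number
from a shared secret) is what the diary is talking about.
"""
import hmac
import hashlib
import struct

# Constructed seed: the RFC 4226 test-vector secret, not any real token's seed.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30    # seconds per displayed code (assumption)
DIGITS = 6        # digits displayed (assumption)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(seed, unix_time // step, digits)


def server_verify(seed: bytes, unix_time: int, submitted: str, drift_steps: int = 1) -> bool:
    """What the authentication server does: recompute the code for the current
    time step (plus a small clock-drift window) and compare. It can only do so
    because it holds the very same seed the token holds."""
    now = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(seed, c), submitted)
               for c in range(now - drift_steps, now + drift_steps + 1))


def attacker_emulates(leaked_seed: bytes, unix_time: int) -> str:
    """An attacker holding the leaked seed needs nothing else to emulate the token."""
    return totp(leaked_seed, unix_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector timestamp
    print("token displays:   ", totp(DEMO_SEED, t))
    print("attacker computes:", attacker_emulates(DEMO_SEED, t))
    print("server accepts attacker's code:",
          server_verify(DEMO_SEED, t, attacker_emulates(DEMO_SEED, t)))
```

The attacker's function takes nothing but the seed and the clock; that is the whole reason a leaked seed database plus a mapping of serial numbers to customers is enough to emulate tokens, and why the PIN becomes the only factor left.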
However, not all is lost. There are simple steps that you can and should take to protect your RSA token users:
- Use a strong PIN or password. RSA tokens are just one factor of a two-factor authentication scheme; the user has to enter a PIN or a password in addition to the token code.
- Monitor for brute-forcing attempts. If the PIN is not trivial, an attacker will need a number of attempts to guess it. Monitor for brute-force attempts and lock accounts that are being attacked. To cope with the resulting denial-of-service attack, be ready to mass-unlock accounts and to block access by IP address or other parameters.
- Monitor your systems for accesses from odd IP addresses. Geolocation can help identify these outliers. Keep logs indicating who logged in from what IP address in the past.
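The three steps above, worked through as an added example over a constructed log (not the diary's code and not any vendor's log format): sliding-window lockout, collection of the source IPs to block, a check for a login that succeeds after the account should have been locked, new-IP and new-country outliers, and a mass-unlock for the lockout denial of service. The log lines, the per-user IP history, the thresholds and the IP-to-country table are all assumptions made for the demonstration; the country table stands in for a GeoIP database.

```python
"""Brute-force and odd-source detection over authentication logs.

Added example, not from the diary. Log format, sample lines, per-user IP
history and the IP-to-country table are constructed; a real RSA Authentication
Manager, RADIUS server or VPN concentrator logs in its own format, so
parse_log() is the part to adapt. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-06-01T10:00:01Z user=alice src=198.51.100.7 result=OK
2011-06-01T10:00:09Z user=bob src=203.0.113.5 result=FAIL
2011-06-01T10:00:11Z user=bob src=203.0.113.5 result=FAIL
2011-06-01T10:00:13Z user=bob src=203.0.113.5 result=FAIL
2011-06-01T10:00:15Z user=bob src=203.0.113.5 result=FAIL
2011-06-01T10:00:17Z user=bob src=203.0.113.5 result=FAIL
2011-06-01T10:00:19Z user=bob src=203.0.113.5 result=OK
2011-06-01T10:05:00Z user=carol src=192.0.2.44 result=FAIL
2011-06-01T10:30:00Z user=carol src=192.0.2.44 result=FAIL
2011-06-01T11:00:00Z user=alice src=198.51.100.9 result=OK
"""

# Constructed history: source IPs each user has successfully logged in from before.
KNOWN_SOURCES = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.20"}, "carol": {"192.0.2.44"}}
# Constructed stand-in for a GeoIP lookup (documentation prefixes, made-up countries).
GEO = {"198.51.100.7": "US", "198.51.100.9": "US", "198.51.100.20": "US",
       "192.0.2.44": "US", "203.0.113.5": "ZZ"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
FAIL_THRESHOLD = 5             # failures inside WINDOW before the account is locked (assumption)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumption)


def parse_log(text):
    """Parse the constructed log into (timestamp, user, src, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are skipped here; count them in production
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def detect_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Lock a user once `threshold` failures land inside a sliding `window`.
    Returns (locked, block_ips): when each user was locked, plus the source IPs
    behind the failures, so the IPs can be blocked instead of unlocking blindly."""
    recent = defaultdict(list)  # user -> (ts, src) failures still inside the window
    locked, block_ips = {}, set()
    for ts, user, src, result in events:
        if result != "FAIL":
            continue
        recent[user] = [f for f in recent[user] if ts - f[0] <= window] + [(ts, src)]
        if len(recent[user]) >= threshold and user not in locked:
            locked[user] = ts
            block_ips.update(s for _, s in recent[user])
    return locked, block_ips


def success_after_lock(events, locked):
    """A success while the account should have been locked means the lockout did
    not take effect, or the PIN was guessed on the last try: investigate."""
    return [(user, ts, src) for ts, user, src, result in events
            if result == "OK" and user in locked and ts >= locked[user]]


def detect_odd_sources(events, known=KNOWN_SOURCES, geo=GEO):
    """Flag successful logins from an IP the user has never used before, and
    separately those from a country the user has never logged in from."""
    known_countries = {u: {geo.get(ip, "??") for ip in ips} for u, ips in known.items()}
    new_ip, new_country = [], []
    for ts, user, src, result in events:
        if result == "OK" and src not in known.get(user, set()):
            new_ip.append((user, src))
            country = geo.get(src, "??")
            if country not in known_countries.get(user, set()):
                new_country.append((user, src, country))
    return new_ip, new_country


def mass_unlock(locked, users):
    """Escape hatch for the lockout denial of service: clear the locks for
    `users`, e.g. everyone locked by a source IP that is now blocked."""
    return {u: t for u, t in locked.items() if u not in users}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    locked, block_ips = detect_brute_force(ev)
    print("locked:", locked, "block:", sorted(block_ips))
    print("success after lock:", success_after_lock(ev, locked))
    print("new IP / new country:", detect_odd_sources(ev))
    print("after unlock:", mass_unlock(locked, {"bob"}))
```

Note what the sample shows: bob is locked on the fifth failure and his immediately following success is the event worth paging on, since it is exactly what a guessed PIN behind an emulated token looks like; carol's two failures 25 minutes apart never cross the threshold, so a naive total-failure count would over-alert; alice's login from a new IP in her usual country is logged but only bob's new-country login is an outlier.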
Also see:
http://isc.sans.org/diary.html?storyid=10609

http://isc.sans.org/diary.html?storyid=10618

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The president of ARM Holdings has sought to temper the expectations around ARM-based servers, saying those systems might not ship in volume before 2015.
 
ARM Holdings hopes to wrestle dominance of the mobile PC market from Intel and have ARM-based processors in more than half of all tablets, mini-notebooks and other mobile PCs sold in 2015, the company's president said Monday.
 
Nvidia has shown a prototype tablet computer running a four-core version of its Tegra processor and said products based on the new chip will go on sale starting in September.
 
In the latest round of an ongoing patent and trademark battle, Samsung on Friday asked a federal judge to make Apple provide the Korean electronics giant with samples of its next-generation iPhone and iPad.
 
Taiwan's Asustek Computer has previewed a smartphone-tablet PC combo device that seeks to bring together the strengths of both devices without completely duplicating the hardware.
 
ViewSonic unveiled a 10-inch tablet running both Android and Windows on Intel's newest Atom processor, Oak Trail, at the Computex trade show.
 
Google Chrome WebKit Glue Bad Cast Remote Code Execution Vulnerability
 
Google Chrome Prior to 11.0.696.57 Multiple Security Vulnerabilities
 
Google Chrome Prior to 10.0.648.204 Multiple Security Vulnerabilities
 
Mahara Versions Prior to 1.3.6 Multiple Remote Vulnerabilities
 