InfoSec News

The Trophy ($150 with new 2-year contract) is the first Windows Phone 7 device on Verizon, and it does a pretty good job at showing off what the platform is all about. The Trophy is great for handling multimedia, but the phone feels dated next to other current generation smartphones.
 
VMware has acquired Socialcast, its third acquisition this year of technology for enterprise collaboration, the company said on Tuesday.
 
Twitter, which has made generating ad revenue one of its priorities, has acquired AdGrok, a company whose software is designed to simplify the creation and management of campaigns using Google's AdWords search advertising service.
 
One of the not-much-talked-about new features in Snow Leopard (OS X 10.6) was a built-in antivirus tool. However, up to now, the tool only looked for a small number of old malware samples, hardly ever found in the wild. This changed with today's OS X security update (2011-003). This latest update includes the ability to automatically download new signatures, just like other anti-malware software. In addition, signatures got added for the recent set of fake AV tools spreading for the Mac (Mac Defender).
XProtectUpdater, the new component downloading these updates, is configured using System Preferences according to some reports. But so far, I have not been able to find the configuration in either of the systems I installed the update on. (I will keep looking and maybe will update this later.)
Update: Found it. The item is called "Automatically update safe downloads list". It can be found in the General tab of the Security settings. I guess this is the least malicious-sounding name Apple could come up with. It is enabled by default.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
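Once signatures can update on their own, the practical question is whether they actually have. The script below is an added example, not part of the diary above and not Apple's tooling. It assumes the signature metadata lives at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist with an integer Version key and an RFC 1123 LastModification string; both the path and the key names are assumptions. When the file is absent (a pre-2011-003 Mac, or any other OS) it falls back to a constructed sample so it runs anywhere.

```python
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Union

# Assumed location of the XProtect signature metadata on Snow Leopard after
# Security Update 2011-003; an assumption, not something the diary states.
XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/Contents/"
                 "Resources/XProtect.meta.plist")

# Constructed sample of that file (illustrative values, not copied from a
# real system). Only used when the real file is not present.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Tue, 31 May 2011 20:43:05 GMT</string>
    <key>Version</key>
    <integer>2</integer>
</dict>
</plist>
"""


def parse_meta(data: bytes) -> dict:
    """Pull the signature version and the last-modification time (an aware
    UTC datetime) out of XProtect.meta.plist contents."""
    meta = plistlib.loads(data)
    return {
        "version": int(meta["Version"]),
        "last_modification": parsedate_to_datetime(meta["LastModification"]),
    }


def check_meta(data: bytes, now: Optional[Union[datetime, str]] = None,
               max_age_days: int = 14) -> dict:
    """Decide whether the signatures are fresh enough. `now` may be an aware
    datetime or an RFC 1123 string; it defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parsedate_to_datetime(now)
    meta = parse_meta(data)
    age = (now - meta["last_modification"]).days
    return {"installed": True, "version": meta["version"],
            "age_days": age, "stale": age > max_age_days}


def check_xprotect(path: str = XPROTECT_META, max_age_days: int = 14) -> dict:
    """Read the metadata from disk; report not-installed when the file is
    absent (pre-2011-003 systems, or a non-Mac)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return {"installed": False, "version": None, "age_days": None, "stale": True}
    return check_meta(data, max_age_days=max_age_days)


if __name__ == "__main__":
    status = check_xprotect()
    if not status["installed"]:
        print("no XProtect metadata found; evaluating the constructed sample instead")
        status = check_meta(SAMPLE_META, now="Tue, 07 Jun 2011 00:00:00 GMT")
    print(status)
```

On a Mac the same two values can be read with `defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta`; the point of wrapping it in a check is the staleness threshold, which is what a fleet inventory script would alert on if the updater is switched off or blocked at the proxy.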
 
Apple today released an update for Snow Leopard that warns users that they've downloaded fake Mac security software and claims to scrub machines already infected with the so-called 'scareware.'
 
Apple's Worldwide Developers Conference will kick off next Monday, June 6. As always, there is plenty of speculation about the announcements to be made at the 10am PST Jobs & Co. keynote. You can expect to hear about the next major revision of iOS, which, if Apple hopes to keep an edge on Android's growing market share, should come with a host of drastic improvements. Here is my Top 5 wish list for iOS 5 announcements at WWDC.
 
The U.S. military is prepared to use physical attacks in response to cyberattacks, the U.S. Department of Defense said Tuesday.
 
It's an ultraportable, it's a netbook, it's an ultraportable, it's a netbook... Judging by its size, screen real estate, and features, Asus's 3.3-pound Eee PC 1215B is an ultraportable. However, it's priced at only $450 and sold as part of Asus's netbook line. Alas, the performance of its AMD Fusion E-350 CPU just muddies the waters further; while significantly above average for a netbook, it falls well below the norm for ultraportable laptops.
 
The World Health Organization has determined that radiation from cell phones can possibly increase brain cancer risk – a change in thinking for an organization that previously has denied any such link.
 
Microsoft has become the first member of a crowdsourcing service designed to challenge and invalidate specious software patents used in lawsuits brought by so-called patent trolls.
 
As part of a reseller agreement, NetApp will offer SnapProtect branded software, a packaging of CommVault's Simpana snapshot copies, replication and tape management software.
 
Autonomy KeyView PRZ File Viewer Buffer Overflow Vulnerability
 
[SECURITY] [DSA 2247-1] rails security update
 
Apple today released new versions of its iWork apps for the iPhone and iPod Touch, adding support for the productivity programs to its smaller devices.
 
Apache Archiva Multiple Cross Site Scripting and HTML Injection Vulnerabilities
 
GIMP BMP Image Parsing Integer Overflow Vulnerability
 
When news of the major RSA breach broke about two months ago I complained that the company was not being all that upfront in telling customers what the breach might mean to them. Now we hear that the break-in at giant defense contractor Lockheed Martin may be an example of the fallout of the RSA breach.
 
Oracle has fired back against a New Jersey university's claim it is responsible for a problematic ERP (enterprise resource planning) software project, saying school officials have embarked on a "scorched earth" litigation campaign in order to cover up their own shortcomings.
 
Apple CEO Steve Jobs will take the stage at the company's developer conference next week to introduce iCloud -- Apple's new cloud service -- and the next version of its mobile operating system, iOS 5.
 
For the first time, companies around the world are planning to spend as much on new software projects as they do maintaining existing systems, according to a new report from Forrester Research.
 
Intel is adding a pair of new features to chips used in notebooks and netbooks, one of which will allow the devices to turn on within five to six seconds after being put in hibernation mode.
 
AT&T announced that it will start selling an Android-based Pantech smartphone for under $69.99 a month with a two-year voice contract and monthly data plan.
 

Sony has spent $171 million cleaning up its massive data breach. One security firm outlines mistakes.
Spring 2011 has not been good for executives at Sony. Security vendor Lumension Security put together a graphic depicting the timeline of the massive Sony breach. The firm also outlined what it calls missteps that likely cost the firm further embarrassment and money.

Sony’s PlayStation Network was taken down April 20 while a forensics team investigated the scope of the Sony breach. By May 2 the breach affected an estimated 100 million people and spread to its Online Entertainment division.

The firm has implemented additional security measures, but on May 18, the firm discovered a vulnerability in its password reset application causing another short outage.

Sony’s high-profile data breach is one of a slew of breaches that marked the beginning of 2011. Each one casts light on security weaknesses - configuration issues, vulnerabilities and social engineering threats - that combine to give a roadmap to cybercriminals attempting to gain access to systems.

Last month, Mandiant Corp. CSO Richard Bejtlich told my colleague Eric Parizo that it’s time for new innovative approaches to defend against attacks. Bejtlich advocates counter-threat operations for larger organizations that can afford it. Those organizations can go on the offensive to “actively hunt for intruders in their enterprise.”

Others are calling for a renewal of the basics:

  • Review your security policies. Are they effectively communicated to employees? How are they enforced? Experts say improving communication goes a long way to reducing data leakage. Employees are introducing devices onto the network, but many may not know what their company's security policies are or whether they're even enforced. Some employees who deal with sensitive data often assume that an underlying technology is keeping them safe.
  • Conduct a data audit (easier said than done) to find out where your most sensitive data resides on your systems. Experts say companies often deploy security technologies without even knowing where their data resides. This practice would have saved Sony further embarrassment. It found an exposed server containing credit card data that dated back to 2007.
  • Ensure your security technologies are properly configured. Often Web application firewalls or other security devices are put in place to serve a compliance mandate, but far too often they’re set with so few policies that they have little impact on threat mitigation. Organizations that take the time to tune security devices to weed out nefarious activity or alert on a suspected anomaly can avoid a protracted breach and may even detect an attack in progress, as RSA did on its systems.
  • Conduct a vulnerability assessment of Web facing applications and systems. As we’ve seen from the recent Verizon Data Breach Investigations Report, cybercriminals will almost always choose the low-hanging fruit for a point of entry. A thorough assessment of Web applications and the underlying infrastructure they’re connected to will make it more difficult for an attacker to penetrate a network.
  • Prepare for a breach. It’s going to happen, experts say, so plan ahead for the inevitable. Companies with a contingency plan in place and a centralized incident response team led by a strong leader often suffer less pain. Again, it’s easier said than done, but there are some key steps to take for incident response planning.

Taking these steps won’t stop a determined attacker, but they may stall a cybercriminal long enough for alert systems to flag an anomaly and a response team to isolate and ultimately reduce the extent of a data breach before it spirals out of control.
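The data audit item above is the one step on that list that can be partly automated, and Sony's forgotten 2007 server is exactly the kind of thing it finds. The following is an added example, not from Sony, Lumension or the article: it sweeps constructed sample files (an old order export, an application log, a support note; none of it real data) for card numbers, keeps only candidates that pass the Luhn check so that order and transaction ids do not pollute the report, and masks every hit so the audit output is not itself a fresh copy of cardholder data.

```python
import re
from typing import Dict, List

# Constructed sample files standing in for what a data audit sweeps: an old
# order export, an application log and a support note. None of this is real
# data; the card numbers are the public brand test numbers.
SAMPLE_FILES: Dict[str, str] = {
    "exports/orders_2007.csv": (
        "order_id,customer,card,amount\n"
        "1234567812345678,A. Customer,4111111111111111,49.99\n"
        "1234567812345679,B. Customer,5500 0000 0000 0004,19.99\n"
        "1234567812345681,C. Customer,3782-822463-10005,9.99\n"
    ),
    "logs/app.log": (
        "2011-05-02 10:14:03 INFO checkout ok txn=98765432109876543210\n"
        "2011-05-02 10:14:09 WARN retry card=4111111111111112 reason=declined\n"
    ),
    "notes/support.txt": "Customer called from +1 212 555 0123 about ticket 20110502.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so the 20-digit transaction id is skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 from
    any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the audit report does not become
    a new store of cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid card numbers found in a piece of text."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file that contains card numbers to its masked findings;
    files with no hits are left out of the report."""
    report = {}
    for name, text in files.items():
        hits = find_pans(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} card number(s) {hits}")
```

In the sample the three 16-digit order ids and the declined-card log line all fail Luhn and drop out, and the 20-digit transaction id never becomes a candidate, so only the export file is reported. Against a real filesystem the same `find_pans` runs over each file's contents; the regex and Luhn filter are cheap enough to run across a fileshare, and the masked output can be handed to the people who own the data without creating another copy of it.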



 
Nokia has "increased confidence" that the first of its smartphones with Windows Phone will ship in the fourth quarter, the company said on Tuesday.
 
The Ribbon interface that Microsoft introduced with Office 2007--and refined in Office 2010--makes it easier to get at all of Office's features. But there's one small, annoying problem with it: When you want to go from one tab to another, you're forced to click that second tab, rather than merely moving your mouse over it. Office add-in Ribbon Helper for Office ($15) solves the problem.
 
IBM Tivoli Management Framework 'opts' Argument Stack Buffer Overflow Vulnerability
 
Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"
 
Paranoia 2011: Call for papers
 
[CVE-2011-1026] Apache Archiva Multiple CSRF vulnerabilities
 
[CVE-2011-1077] Apache Archiva Multiple XSS vulnerabilities
 
CDW study finds that cloud users aren’t implementing security capabilities or verifying cloud provider security.

 
Security companies look to overcome performance bottlenecks with retooled technology for virtual security.

 
Here in Australia we're in the middle of National Cyber Security Awareness Week [1], which is an Australian Government initiative to help spread the word about the security issues faced every day by those using technology. It's a shame I've only just found out about this now, as I would have been letting as many people know as possible that this was on and herding them to sit in on or be part of the events. The IT security community needs to get everyone, including itself, to good quality, relevant talks, presentations and debates on what's happening in and around IT security.
I'm a firm believer that the more informed people are about the problems and risks facing us when using technology, the better off we'll all be. Of course the information has to be in a clear, concise and non-jargon-polluted manner to be digestible to non-technical folk, to make it relevant and actionable. Having someone other than you communicate what IT security is all about and why it's important can help push others to believing you're not some crazy person making this stuff up, because, to most, some of the cyber attacks that take place today can seem to be the stuff of sci-fi movie plots.
If you don't believe user awareness is a key defence measure, then you might be one of those charming sales folk attempting to sell me the next Big Thing to protect my company from EVERYTHING bad*. If you haven't already read Kevin Liston's recent Diary entry, Managing CVE-0 [2], take a moment and go read it. Attackers will continue to innovate on getting us humans to unknowingly bypass the technological safeguards the defenders have put in place, as this blog piece from Sophos labs shows [3].
Find good quality events to send your management, co-workers, friends and family to, so they learn from someone else why it's important to understand at least the basics of IT security principles. From vendor events to talks at retirement homes or schools, match the ability level of the talk to the attendee. Spare a thought for having like-minded people in the audience as those attending, in order to put them in their comfort zone, so don't send your grandmother off to a meeting filled with CEOs. If you can't find an event to send them to, offer them easy-to-understand tips on keeping safe. The SANS Tip of the Day site [4] is a marvellous place to harvest tips from.
Nothing written here is earth shattering or ground breaking, but I feel a bit miffed when I miss an opportunity to get others to see for themselves why IT security has to be understood and practised by everyone, especially if it's a free event. If events like National Cyber Security Awareness Week are coming up in your area, use whatever medium, be it social media or bits of coloured paper stuck on the wall, to let everyone, including your fellow IT security professionals, know it's happening ahead of time. I know I won't be the only grateful one if you do.

[1] http://www.staysmartonline.gov.au/awareness_week

[2] http://isc.sans.edu/diary.html?storyid=10933

[3] http://nakedsecurity.sophos.com/2011/05/30/fake-firefox-warnings-lead-to-scareware/

[4] http://www.sans.org/tip_of_the_day.php

*Well, apart from all the stuff it doesn't protect you from. You do get a soft toy, badge and pen that breaks after 20 uses included in the price. Support and maintenance is extra. Yes, we told you up front. Well, it was in the fine print. On the back of the page we didn't send you the first eight times you asked. Perhaps cyber mutant chickens ate the fax with those details then. Oh, and our product doesn't protect against those cyber mutant chickens either. That's just silly. Our Executive deluxe add-on widget does that. It's an additional cost. When do you want to sign the contract?

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intel's proposal of a new class of laptop, the Ultrabook, isn't an admission that it is losing the battle to put its microprocessors in tablets, according to a company executive.
 
Xen 'get_free_port()' Denial of Service Vulnerability
 
Zhang Boyang FTP Server Remote Denial of Service Vulnerability
 

Kishore Deshpande Joins MIEL e-Security As The Vice President
EFYTimes (press release)
A few years ago, MIEL started off with a vision to be one of the biggest, pure-play, 360-degree companies in the infosec domain, with strong value systems, a unique business model, high-quality deliverables, blue-chip clientele and internal processes. ...

 
Moves by Seagate and Western Digital to acquire hard-drive companies are being investigated by European regulators because of "competition concerns," the European Commission said.
 
Is there such a thing as too much security?
 
Search engine optimization methods fall into white-hat, gray-hat and black-hat categories. Those who turn to the dark side, even unknowingly, do so at their peril.
 
MSI is showing off new X-Slim laptops at Computex that are less than an inch thick, contain the latest Intel and AMD processors, and offer more than eight hours of battery life. It is also showing new tablets running Windows or Android at the Taipei trade show.
 
Posted by InfoSec News on May 31

InfoSec News: Moderator's note: We're changing hosts!
May 31, 2011
Just a quick note, we're changing hosts from Steadfast Networks to Tegatai Phoenix.
You've probably noticed we've been running an ad for Tegatai since October, but if you never bothered to look...
Tegatai Phoenix delivers proactive information security, datacenter, and cloud computing solutions for enterprises, corporations and governments. Tegatai Phoenix's IT infrastructure and security solutions are the...

InfoSec News: Lockheed Martin investigates possible link between cyber attack and RSA data breach
http://www.computerweekly.com/Articles/2011/05/31/246816/Lockheed-Martin-investigates-possible-link-between-cyber-attack-and-RSA-data.htm
By Warwick Ashford, ComputerWeekly.com, 31 May 2011
US-based global defence firm Lockheed Martin says it has beefed up security around remote access to its IT network after a "significant and tenacious attack" on 21 May, which could be linked to an earlier breach at security firm RSA.
Lockheed...

InfoSec News: Honda security breach exposes 283,000 customers
http://www.theregister.co.uk/2011/05/27/honda_data_breach/
By Dan Goodin in San Francisco, The Register, 27th May 2011
Honda's Canadian division has suffered a data breach that exposed the personal information of 283,000 customers, according to its website and published media reports.
The purloined data includes the names, addresses and vehicle identification numbers of customers who made purchases in 2009. The company is warning...

InfoSec News: Survey: Breaches Cost Some Healthcare Organizations $100K Per Day
http://www.darkreading.com/database-security/167901020/security/news/229700106/survey-breaches-cost-some-healthcare-organizations-100k-per-day.html
By Kelly Jackson Higgins, Dark Reading, May 27, 2011
Most healthcare organizations have made compliance with security and privacy regulations a priority, but that hasn't slowed the data-breach bleed, a new survey finds.
Some 56 percent of IT administrators in healthcare organizations say they...

InfoSec News: 35 Million Google Profiles Captured In Database
http://www.informationweek.com/news/security/privacy/229700122
By Mathew J. Schwartz, InformationWeek, May 27, 2011
Caveat poster: A security researcher has assembled a single database containing 35 million people's Google Profiles information, including Twitter feeds, real names, and email addresses, among other data points.
Google bills Profiles as a way to "decide what the world sees when it searches for you."
But...

InfoSec News: [Dataloss Weekly Summary] Week of Sunday, May 22, 2011
Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, May 22, 2011
24 Incidents Added.
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open Security Foundation asks for contributions of new incidents and new data for...

InfoSec News: CALL FOR POSTERS - 4th Summer School on Network and Information Security (NIS'11)
Forwarded from: Ioannis Askoxylakis <asko (at) ics.forth.gr>
OUR SINCERE APOLOGIES IF YOU RECEIVE MULTIPLE COPIES OF THIS ANNOUNCEMENT
CALL FOR POSTERS
4th Summer School on Network and...

InfoSec News: Lockheed Martin Bets Big on Quantum Computing
http://www.pcworld.com/article/228921/lockheed_martin_bets_big_on_quantum_computing.html
By Keir Thomas, PCWorld, May 28, 2011
Defense contractor Lockheed Martin Corp. is betting big on the promise of quantum computing.
The company recently shelled out big money to Canadian firm D-Wave for the world's first commercial quantum computer.
D-Wave says quantum computers can be used to solve hard problems that ordinarily take too long even...
 
 
Research in Motion's PlayBook tablet is primarily intended to connect with a BlackBerry handheld device via Bluetooth in order to present an enhanced display of the BlackBerry's e-mail, contacts list, calendar and other items.
 
Intel announced plans for a new class of thin and light laptops at the Computex trade show on Tuesday, its latest move to improve its competitiveness in the mobile computing market.
 
Sony plans to restore all its PlayStation Network services by this weekend in all regions except Japan, South Korea, and Hong Kong, the company said Tuesday.
 
With 4G smartphones hitting the market in a big way, we decided to test a couple of devices to get an overall sense of how 4G compares with 3G, how specific devices perform and how the underlying networks differ.
 