Monday, November 9, 2009

Monday 11/09/09

Advisory ID: cisco-sa-20091109-tls
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
Revision 1.0
For Public Release 2009 November 9 1600 UTC (GMT)

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.
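The flaw behind this advisory is the TLS/SSL renegotiation weakness, and the protocol-level fix that followed it (RFC 5746, published after this advisory) adds a `renegotiation_info` extension and, for older clients, a signalling cipher suite value (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) so that each side can tell whether the peer has been updated. The parser below is an added example, not code from Cisco or from the advisory: it reads a single TLS handshake record carrying a ClientHello or ServerHello and reports whether those indicators are present. A peer that sends neither predates the fix and is a candidate for the interim mitigation of the time, which was to disable renegotiation entirely. The sample records are constructed inline, and the parser assumes one unfragmented Hello per record (an assumption made to keep the example short).

```python
import struct

# Values from RFC 5746, the fix for the renegotiation flaw in the advisory above.
RENEGOTIATION_INFO = 0xFF01   # extension type "renegotiation_info"
RENEGOTIATION_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite

HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2


def _parse_extensions(data):
    """Return {extension_type: extension_data} for a TLS extensions block."""
    exts = {}
    off = 0
    while off + 4 <= len(data):
        etype, elen = struct.unpack(">HH", data[off:off + 4])
        off += 4
        exts[etype] = data[off:off + elen]
        off += elen
    return exts


def renegotiation_indicators(record):
    """Inspect one TLS record carrying a ClientHello or ServerHello.

    Returns a dict with the handshake type and whether the RFC 5746
    renegotiation_info extension (and, for a ClientHello, the SCSV) is present.
    Assumes the whole Hello sits in this one record (no fragmentation).
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    off = 2 + 32                      # protocol version + random
    sid_len = body[off]
    off += 1 + sid_len                # session_id
    result = {"renegotiation_info": False, "scsv": False}

    if hs_type == CLIENT_HELLO:
        result["handshake"] = "ClientHello"
        cs_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        suites = [struct.unpack(">H", body[i:i + 2])[0]
                  for i in range(off, off + cs_len, 2)]
        off += cs_len
        result["scsv"] = RENEGOTIATION_SCSV in suites
        cm_len = body[off]
        off += 1 + cm_len             # compression_methods
    elif hs_type == SERVER_HELLO:
        result["handshake"] = "ServerHello"
        off += 2 + 1                  # cipher_suite + compression_method
    else:
        raise ValueError("only ClientHello/ServerHello are handled")

    if off + 2 <= len(body):          # the extensions block is optional
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        exts = _parse_extensions(body[off + 2:off + 2 + ext_len])
        result["renegotiation_info"] = RENEGOTIATION_INFO in exts
    return result


# --- constructed sample records (not captured traffic) ---------------------

def _wrap(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(hs)) + hs


def make_server_hello(secure_renegotiation):
    """TLS 1.0 ServerHello selecting TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if secure_renegotiation:
        # renegotiation_info with an empty renegotiated_connection (initial handshake)
        ext = struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack(">H", len(ext)) + ext
    return _wrap(SERVER_HELLO, body)


def make_client_hello(with_scsv, with_extension):
    """TLS 1.0 ClientHello offering two real suites plus, optionally, the SCSV."""
    suites = [0x002F, 0x0035] + ([RENEGOTIATION_SCSV] if with_scsv else [])
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"               # one compression method: null
    if with_extension:
        ext = struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack(">H", len(ext)) + ext
    return _wrap(CLIENT_HELLO, body)


if __name__ == "__main__":
    for label, rec in [("patched server", make_server_hello(True)),
                       ("unpatched server", make_server_hello(False)),
                       ("client with SCSV", make_client_hello(True, False)),
                       ("old client", make_client_hello(False, False))]:
        print(label, renegotiation_indicators(rec))
```

Seeing the extension in a ServerHello only tells you the peer implements the fixed signalling; it does not by itself prove that an unpatched client cannot still renegotiate with that server, so on devices covered by this advisory the vendor fix or disabling renegotiation remains the control to verify.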

----------

Worm 'Rick Rolls' iPhones
First iPhone Worm Spreads Rick Astley Wallpaper
The first worm written for Apple's iPhone has been unleashed and is infecting phones in Australia.

----------

Gumblar Malware's Home Domain Active Again
ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages.

----------

Yahoo Now on China's Porn Offense List
A Chinese government watchdog has ordered Yahoo China to clean pornographic content from a photo-sharing site it hosted, a reminder of the regulatory challenges often faced by foreign Internet companies in China.

----------

CDC Tracking H1N1 in Near Real Time
The Centers for Disease Control have settled on a private, nationwide database with the electronic medical records of 14 million people run by General Electric in order to track potential outbreaks of the H1N1 virus.

----------

Study: Security Certs are IT's Hottest
The survey of more than 1,500 IT workers found that 37 percent intend to pursue a security certification over the next five years. Another 18 percent of IT workers said they will seek ethical hacking certifications during the same time period, while 13 percent identified forensics as their next certification target. The results are included in the CompTIA study 'IT Training and Certification: Insights and Opportunities.'

----------

Bardin: What DLP Companies Don't Tell You
What you are not told during the sales pitch is the Pandora's Box you are not only about to open but completely unhinge. What you really need to understand is how deep the business wants you to go.

----------

Data breach notifications one step closer to law... again
by Jacqui Cheng, Law & Disorder
It's frustrating to be a consumer these days, especially knowing that your personal information could be exposed anytime there's a major data breach. Two new Senate bills aim to improve notification to customers when their information is exposed to thieves and, despite their shortfalls, experts are still holding out hope.

----------

The ACTA Internet provisions: DMCA goes worldwide
by Nate Anderson, Law & Disorder
New details about the Internet section of the Anti-Counterfeiting Trade Agreement (ACTA) have leaked, and critics are already claiming that they mandate "three strikes" policies and will put an end to Flickr and YouTube. The reality is less sensational but just as important: ACTA is really about taking the DMCA global.

----------

Worker Lost Her Job Over Error by FBI's NCIC Database

In July 2009, a woman lost a $58,000-a-year accounting job with Corporate Mailing Services of Arbutus after a background check reported a non-existent criminal record. Her employer had won a contract with the Social Security Administration (SSA) that required the company to submit all employees to a criminal background check. The FBI's National Crime Information Center (NCIC) database erroneously reported that the employee had a criminal record. Within two weeks the SSA reported back to her employer acknowledging the mistake and stating that the accountant could in fact work on the project. The company has not reinstated the dismissed worker. There are long-running issues regarding the accuracy of the NCIC database: in 2003 the DOJ exempted the FBI, which manages the NCIC, from the Federal Privacy Act's data-accuracy obligations. The administration is moving forward with a plan to require all federal government contractors to submit to E-Verify checks conducted by the Department of Homeland Security to determine whether they can be employed, and there are questions about the accuracy of that system and the potential for inaccurate reporting. Accuracy requirements for information held in databases are critical to the protection of privacy rights.

Fired due to error in background check, Carroll woman still jobless, Scott Calvert, Baltimore Sun, October 28, 2009

----------

Microsoft to release six updates next Patch Tuesday
Microsoft has announced that it will release four updates for Windows and two updates for Office on the next Patch Tuesday, the 10th of November.

----------

Microsoft to deliver six patches covering 15 flaws
Dan Kaplan November 05, 2009
November's security update from Microsoft comes with six patches for 15 vulnerabilities -- nearly 20 fewer than last month.

----------

Former Employees Face Five-Year Sentence After Allegedly Hacking Company Database
Nov 05,2009
System access was still possible for almost two years using old passwords, indictment says

----------

New Security Certification On The Horizon For Cloud Services
Nov 04,2009
Cloud security cert would go beyond existing SAS 70, ISO 27001 standards

There's no official security certification for cloud security service providers today: some use the SAS 70 or the ISO 27001 standards as their security certifications, neither of which is sufficient for providing potential cloud customers with assurances that the provider has deployed the proper security or that their data is sufficiently locked down, experts say.

"There needs to be a certification that is specifically for cloud providers," says Jim Reavis, co-founder and executive director of the Cloud Security Alliance. The Cloud Security Alliance is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include.

"This is going to be a shared thing," he says, noting that the certification is likely to be managed by multiple bodies. He says to expect a statement of direction for a cloud security certification around the first quarter of 2010.

----------

Malware breaks Win 7 UAC defenses
Dancho Danchev: A recently conducted test by malware researchers reveals that eight out of ten malware samples used in the test, successfully bypassed Windows 7's default UAC (user access control) settings.

----------

Lawsuit claims iPhone games stole phone numbers
Browse the App Store for developer Storm8's many popular iPhone games, and you'll encounter the...

----------

AP IMPACT: Framed for child porn — by a PC virus AP – Mon Nov 9, 12:10 am ET
Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

----------
