Internet Security Alliance Updates 6-15-09
From The Internet Security Alliance
In Today’s News…
June 12, The Register – (International) Chrome update completes busy browser patch week. Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser. The more severe of the two flaws is a “high risk” memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second flaw involves a less severe information disclosure risk in the Drag and Drop functionality built into WebKit. The update completes a busy week on the browser security front, with a significant cumulative update for Internet Explorer on June 9 and a Firefox update on June 11. In addition, Apple released a beta version of its Safari 4 browser. Outside the browser security arena, Adobe released the first of its scheduled patch updates on June 9, and FreeBSD dropped an update designed to defend against a stack-based buffer overflow that poses a potential code injection risk. It is becoming more difficult for hard-pressed system administrators to keep track of updates, especially when many arrive without any indication that a fix is in development. Some security patching experts, such as the director of security operations at nCircle, advocate the creation of a general industry patching day to make the patching process easier to plan and manage.
Source: http://www.theregister.co.uk/2009/06/12/google_chrome_update/
June 11, VNUNet.com – (International) Symantec warns of wireless keyboard security threat. Security firm Symantec has uncovered a new form of attack aimed at users of wireless keyboards. The warning follows the release of Keykeriki, an open-source “sniffer” project that allows users to remotely decode wireless transmissions. Symantec said that this effectively creates a new type of key-logger that could be used by cybercriminals to steal sensitive data such as user names, passwords and bank details. The project was created by a site called remote-exploit.org. “This open-source hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only),” the site notes. Symantec warned that, although the creator’s intentions appear honorable, making the software code and hardware schematics open to everyone means that criminals could use the software to eavesdrop on wireless keyboard inputs. The criminals would not have to install anything on the host system, but would simply have to be in range of the keyboard’s wireless signal. Symantec said that future wireless keyboards should introduce encrypted communication between the device and the receiver, and warned those working on office or public computers to resort to wired keyboards for the time being.
Source: http://www.enterprise-security-today.com/story.xhtml?story_id=67095
June 11, InformationWeek – (International) Microsoft to launch Morro antivirus ‘soon.’ Microsoft on June 11 confirmed plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune-up programs, found in OneCare. A spokesman for the company told news agency Reuters that Microsoft will launch the free product, code-named Morro, “soon” but did not provide further details. Microsoft has said previously that Morro will be suitable for use on low-cost, low-powered netbooks that are growing in popularity in emerging markets and in some segments of the North American computer market. Microsoft also is planning to launch versions of Windows 7 that are netbook-compatible. The definition of malware covers a range of computer threats, including viruses, spyware, rootkits, and Trojans. Hackers, many of them connected to organized crime, often use such tools to extract sensitive data like bank account numbers and passwords from users’ PCs. Microsoft announced in November that it will launch Morro this month, at which time it will discontinue the $49.95-per-year OneCare service. As of June 11, Microsoft was still selling OneCare subscriptions. Morro will be compatible with Windows XP, Windows Vista, and the forthcoming Windows 7 operating systems, the company has said. While users and analysts may welcome Microsoft’s offer of free antivirus software, competitors such as Symantec and McAfee and government competition watchdogs may not. Microsoft could draw antitrust complaints if it integrates Morro so tightly into Windows that it makes security software from third parties difficult to install or use.
Source: http://www.informationweek.com/news/security/antivirus/showArticle.jhtml?articleID=217800827
June 11, New York Times – (International) More scamming and spamming on Twitter. Twitter is seeing a surge in activity from the scamming and spamming classes. A spate of phishing attacks has been followed by myriad other efforts to soak Twitter’s enthusiastic and rapidly growing user base. Recently, attackers have tapped into popular topics and latched onto popular people to get in front of big Twitter audiences. Their goal: to persuade people to click and visit their Web sites and then hand over personal information, be sold a bill of goods or become infected with a malicious program. The first strategy capitalizes on Twitter users’ penchant for searching for random commentary on news subjects. Lately, attackers have been using hundreds of dummy accounts to tweet messages about popular subjects. Links in the messages pointed to malicious video sites pretending to show porn. Visitors who clicked to download a program supposedly needed to watch the videos actually installed a fake security application called Privacy Center, which tried to hit them up for money for a full version of the bogus product. Pop culture buzz and shocking breaking news are not the only lures, though. Users should beware any topic that hits Twitter’s list of “Trending Topics.” The hashtag #smx, used to call out news about a search-marketing conference, reached the list recently and was summarily added to blasts of spam tweets. In a blog post, an irritated conference host said: “We knew this would happen, but it is annoying and becoming a growing problem. Question is, will Twitter do anything about it, beginning with removing its ‘Trends’ feature?”
Source: http://gadgetwise.blogs.nytimes.com/2009/06/11/more-scamming-and-spamming-on-twitter/
Should you or your colleagues be looking at more specific information?
- ISAlliance subscribers to Phishing received the following and more today - June 10, Washington Post – (National) Spear-phishing gang resurfaces, nets big catch
- ISAlliance subscribers to Defense Industrial Base Security Issues received the following and more today - June 11, WMUR 9 New Hampshire – (National) Shea-Porter files bill to punish negligent defense contractors
- ISAlliance subscribers to Financial Sector (Banking & Insurance) Security Issues received the following and more today - June 12, Bloomberg – (International) Italian police ask SEC to authenticate seized U.S. Treasuries
- ISAlliance subscribers to Pandemic and Public Health Alerts received the following and more today - June 12, Agence France-Presse – (International) Swine flu vaccine ready for tests
- ISAlliance subscribers to Transportation and Border Security Issues received the following and more today - June 10, Federal Computer Week – (Virginia) IG: Dulles IT security needs more work
- ISAlliance subscribers to Insider Threats received the following and more today - June 9, Frederick News Post – (Maryland) Insider threat is biolab’s biggest security issue
- ISAlliance subscribers to Federal and State Government; Emergency Services Security Issues received the following and more today - June 11, Government Computer News – (Minnesota) Minneapolis/St. Paul, federal DOT test next-generation 911 systems
This Week at the ISAlliance…
Monday, June 15: Cross Sector Cyber Security Working Group (CSCSWG) meeting at 1. Managing cyber risk is an issue that cuts across all of the nation’s critical infrastructures and key resources, and a cross-sector perspective will ensure effective coordination to address cyber security in a collaborative manner with all of the sectors. To meet this need, the Department of Homeland Security’s Assistant Secretary for Cyber Security and Communications, Greg Garcia, proposed to establish the CSCSWG under the auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC). The CSCSWG serves as a forum to bring government and the private sector together to address common cyber security challenges and opportunities across the CI/KR sectors.
Monday, June 15: IT Sector Coordinating Council Executive Committee Conference Call at 5. The Information Technology Sector Coordinating Council was established on January 27, 2006 for the purposes of bringing together companies, associations, and other key IT sector participants on a regular basis to coordinate strategic activities and communicate broad sector member views associated with infrastructure protection, response and recovery that are broadly relevant to the IT Sector. The IT sector envisions a secure, resilient, and protected global information infrastructure that can rapidly restore services if affected by an emergency or crisis, ensuring the continued and efficient function of information technologies, infrastructures and services for people, governments, and businesses worldwide. The Executive Committee manages the affairs of the IT-SCC in the same way that a board of directors would manage the affairs of a “for profit” company.
Tuesday, June 16: CyLab and National Science Foundation Instinctive Computing 2009 Workshop. Instinctive computing is a computational simulation of biological and cognitive instincts. Instincts profoundly influence how we see, feel, appear, think, and act. If we want a computer to be genuinely secure, intelligent and to interact naturally with us, we must give computers the ability to recognize, understand, and even to have primitive instincts. In this workshop, we will explore transformational developments in this area, including the building blocks for instinctive computing systems and potential applications such as security, privacy, human-computer interaction, next generation networks, and product design.
Tuesday, June 16: IT Sector Coordinating Council (IT-SCC) Plans Working Group meeting at 2. This group is responsible for the development of sector policy with respect to its partnership with the Department of Homeland Security, including support for the continued development and refinement of the Sector Specific Plan and other documents associated with the National Infrastructure Partnership Plan and critical infrastructure protection. The Plans and Reports working group consists of chairs from each of the IT-SCC committees, and will focus the planning and reports coming from each of the committees. This includes annual updates and activities such as the Sector Annual Report, Sector Specific Plan update, Tier 1 - Tier 2, and SHIRA, among others.
Tuesday, June 16: The Department of Homeland Security (DHS) Office of Cybersecurity and Communications (CS&C) National Cyber Security Division (NCSD), the Department of Defense (DoD) and National Institute for Standards and Technology (NIST) Information Technology Laboratory will host the Software Assurance Forum and Working Group Sessions. The SwA Forum and Working Groups bring together members of government, industry, and academia with vested interests in software assurance to discuss and promote integrity, security, and reliability in software. Progress updates on relevant programs and initiatives will be presented. If you are implementing practical solutions to problems related to examining alternatives to mitigate security risks attributable to software, then you should attend the Software Assurance Forum to better understand what others are doing and extend your network of collaborators. The key objective of the Software Assurance Forum is to shift the security paradigm from patch management to software assurance. This shift is designed to encourage software developers and consumers to raise overall software quality and security from the start, rather than relying on applying patches to systems after vulnerabilities are discovered. Recognizing that software security is fundamentally a software engineering issue that must be addressed in a systematic way throughout the software development life cycle, the SwA Forum encourages all software developers, from the public sector and private industry, to raise the standard on software quality and security. Moreover, the roles of consumers, as users of software, need to be better clarified to drive requirements for software assurance. Together, government, industry, and academia will raise expectations for product assurance with requisite levels of integrity and security, by promoting security methodologies and tools as a normal part of business.
Wednesday, June 17: Software Assurance Forum and Working Group Sessions (continued; see the June 16 entry for the full description).
Thursday, June 18: Software Assurance Forum and Working Group Sessions (continued; see the June 16 entry for the full description).
Friday, June 19: Communications Sector Coordinating Council Executive Committee meeting at 2. The broad purpose of a Sector Coordinating Council is to foster and facilitate the coordination of sector-wide activities and initiatives designed to improve physical and cyber security of the critical infrastructures and related information flow within the sector, cross-sector and with DHS. Through the CSCC, private-sector owners, operators and suppliers can efficiently engage DHS and other federal agencies, collaborating to identify, prioritize, and coordinate policy issues related to the protection of critical infrastructure and key resources; facilitate sharing of information related to physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices; facilitate policy issues related to response and recovery activities and communication following an incident or event. The Executive Committee manages the affairs of the CSCC in the same way that a board of directors would manage the affairs of a “for profit” company.
Adapting the SAFETY Act to Cyber Security - ISAlliance Member Assistance Program: Following the 9/11 catastrophe, Congress passed a new law, the SAFETY Act, which provided market incentives for technologies to fight terrorism, most of which dealt with physical attacks. The SAFETY Act office approached ISA for assistance in getting cyber technologies designated or certified as SAFETY Act compliant. Designation brings with it various market advantages, including liability protection and marketing benefits. ISA is arranging for individual members to receive attention for their technologies with the SAFETY Act office. Please contact bfoer@isalliance.org to discuss ISAlliance assistance and review which of your technologies are eligible under this program.
ISAlliance/NIST/DHS VOIP SECURITY PROGRAM - CALL TO PARTICIPATE
As you may be aware, ISAlliance is leading a project to develop an industry-led, cost-effective SCAP solution for VoIP and Unified Communications with the goal of providing a secure playing field for corporations as they deploy VoIP and related technologies. We are currently seeking workgroup participants with expertise in VoIP systems, VoIP security standards, cybersecurity or SCAP. Volunteers may participate in one or both of the following workgroups:
Applicability – Meets by phone conference every other Tuesday from 1 to 2 PM Eastern. This workgroup is focusing on documenting the SCAP goals for a VoIP solution, identifying SCAP gaps and determining how SCAP may or may not be applied to a non-desktop environment. The group will also review the SCAP components and standards and determine gaps and shortfalls of the SCAP components for applicability to a VoIP solution. This work will result in a whitepaper that captures the analysis and its results and makes recommendations regarding SCAP applicability to a VoIP solution.
Skills Sought for Participation: Expertise in VoIP systems, cybersecurity or SCAP.
Baseline Standards – Meets by phone conference every other Thursday from 1 to 2 PM Eastern. This workgroup is focused on cataloging all relevant industry security, configuration and compliance standards and best practices for possible inclusion and enumeration by SCAP components. These will be reviewed and analyzed to identify potential gaps and shortcomings. Analysis of how updates to standards and best practices will be implemented using SCAP components and standards, including identification of potential shortcomings of SCAP as applicable to VoIP, will be performed. The results of this analysis will be presented in a whitepaper. Shortcomings in the standards and/or the SCAP components will be documented and referred back to the appropriate responsible party.
Skills Sought for Participation: Expertise in VoIP systems, cybersecurity or SCAP.
ISAlliance Members Invited to Participate in Nortel Voice Security Technology Blog. The voice security technology blog is meant to allow readers to keep informed about news and events around the world of voice and multimedia security from a technical perspective. It is a forum where the industry’s best and brightest minds can cooperatively discuss and debate the hottest issues and topics facing secure voice, multimedia and unified communications. This blog will be of interest to those who are actively involved in providing security solutions, services or products, specifically those related to voice and multimedia communications.
ISAlliance Web Portal Information
ISAlliance US-CERT Portal: https://portal.us-cert.gov/member/index.cfm
ISAlliance/CyLab Portal: www.cylab.cmu.edu/
Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.
The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators, and in so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.