Thursday, August 26, 2010

Dept of State CISO to Speak at NoVA ISSA Chapter Meeting

If you happen to be near northern Virginia on 16 Sept 2010, you can catch the US Department of State's CISO, John Streufert, speaking at the Northern Virginia ISSA chapter meeting. John Streufert is interesting because he and his team were among the first to break ranks with the FISMA paperwork cycle and build what they call a "continuous monitoring" security metrics program instead.

I look forward to this presentation.


References:
http://www.issa-nova.org/default.aspx



email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Back to School Special on Fake AV

Emails were found circulating yesterday masquerading as school parking permit receipts. Below is an example:

Parking Permit and/or Benefit Card Order Receipt - 396521 Parking Permit and/or Benefit Card Receipt for Date:Wed, 25 Aug 2010 16:43:59 +0200
Grossmont-Cuyamaca Community College District

Your Credit Card has been charged $40.00.
"GROSSMONT-CUYA PARKING" will appear on your credit card statement.

A summary of the contents of your order are shown below.
Please note that each item will be mailed individually.

------------------------------------------------------------------------
Order # Description Amount
------------------------------------------------------------------------
0GU843621 Student Fall Permit - # 081821 40.00
------------------------------------------------------------------------
TOTAL: 40.00

Please find attached invoice

Being timed so close to the start of the new school year in the US, a few people fell for this and tried to open the HTML file attachment that accompanied the email. In this example, the attachment contained obfuscated JavaScript that pointed to
http://enjoyyourhaircut (dot) com/5 (dot) html. That page redirected to http://conspalopi (dot) cz (dot) cc/scanner10/?afid=24, which in turn tried to sell you a copy of "My Windows Online Scanner".

According to this article, this was part of a much larger spam campaign.
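As an added example (not code from the original post), here is the kind of static check I run over an attachment like this before anyone opens it: it peels the two obfuscation layers these lures typically use, String.fromCharCode(...) and unescape("%xx"), without ever executing the JavaScript, then lists the URLs the page would send a victim to in defanged form. The attachment body below is constructed to resemble the one described above; the only real indicator in it is the first-hop URL named in the post.

```python
"""Static URL extraction from a spam HTML attachment (added example)."""
import re
from urllib.parse import unquote

# Constructed sample standing in for the parking-permit attachment. The
# redirect target is the first hop named in the post; nothing here is run.
SAMPLE_ATTACHMENT = r"""<html><body><h3>Please wait, loading your invoice...</h3>
<script type="text/javascript">
var u = unescape("%68%74%74%70%3A%2F%2F%65%6E%6A%6F%79%79%6F%75%72%68%61%69%72%63%75%74%2E%63%6F%6D%2F%35%2E%68%74%6D%6C");
eval(String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,116,105,111,110) + "=u;");
</script></body></html>"""

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
URL = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def _decode_fromcharcode(m: re.Match) -> str:
    """Turn String.fromCharCode(119,105,...) into the quoted literal it builds."""
    codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
    return '"' + "".join(chr(c) for c in codes) + '"'


def deobfuscate(text: str, max_rounds: int = 5) -> str:
    """Peel fromCharCode() and unescape() layers until nothing changes.
    The round limit keeps a pathological sample from looping forever."""
    for _ in range(max_rounds):
        new = FROMCHARCODE.sub(_decode_fromcharcode, text)
        new = UNESCAPE.sub(lambda m: '"' + unquote(m.group(2)) + '"', new)
        if new == text:
            break
        text = new
    return text


def defang(url: str) -> str:
    """Render a URL so it will not auto-link or be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(html: str) -> list[str]:
    """Unique URLs visible after decoding, in the order they appear."""
    decoded = deobfuscate(html)
    seen, out = set(), []
    for u in URL.findall(decoded):
        u = u.rstrip('";\')')  # trailing JS punctuation is not part of the URL
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def indicators(html: str) -> dict:
    """Summary a responder can paste into a ticket: defanged URLs plus two
    crude behavioural flags (redirect construct present, eval() used)."""
    decoded = deobfuscate(html)
    return {
        "urls": [defang(u) for u in extract_urls(html)],
        "redirects": bool(re.search(
            r"window\.location|location\.href|http-equiv=.refresh", decoded, re.I)),
        "uses_eval": "eval(" in html,
    }


if __name__ == "__main__":
    for key, value in indicators(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

This only recovers the first hop. The second hop (the scanner10 page) is served by the remote site, so following it means fetching it from an isolated analysis box, never from a user workstation. Real samples often nest additional layers (eval of a decoded string that itself contains more fromCharCode calls); the round loop above handles the nested case as long as each layer is one of these two constructs.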



Tuesday, August 24, 2010

Adobe Shockwave Player 11.5.8.612 Released

Adobe addresses 20 security issues in this update. The 20 relevant CVEs are listed in the link below.

Adobe Shockwave Player is a relatively easy upgrade to deploy; just make sure every old copy of the player actually gets removed, so that follow-up vulnerability scans and your software asset inventory data are clean and show only the patched version. A host that reports both the new build and a leftover old one is still vulnerable.
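To make the "only patched versions left" check concrete, here is an added example (not from the original post) that reconciles an installed-software inventory export against the fixed versions. The inventory lines are constructed; the patched version numbers are the ones from the Adobe bulletins on this page (Shockwave 11.5.8.612, and Flash Player 10.1.82.76 / 9.0.280 from the post further down, which is the interesting case because a build is only patched relative to its own branch). Two things it gets right that a quick grep does not: versions are compared numerically (as strings, "9.0.280" sorts after "10.1.82.76"), and a host with a patched build sitting next to an old one is still flagged.

```python
"""Flag unpatched Adobe player builds in an inventory export (added example)."""
import csv
import io
from collections import defaultdict

# Fixed versions, one per supported branch. A build is patched only if a fixed
# version exists on ITS OWN major branch and the build is >= that version.
FIXED = {
    "Adobe Shockwave Player": ["11.5.8.612"],
    "Adobe Flash Player": ["10.1.82.76", "9.0.280"],
}

# Constructed export in the shape most inventory agents can produce.
INVENTORY_CSV = """host,product,version
ws01,Adobe Shockwave Player,11.5.8.612
ws01,Adobe Shockwave Player,11.5.7.609
ws02,Adobe Shockwave Player,11.5.8.612
ws02,Adobe Flash Player,10.1.82.76
ws03,Adobe Flash Player,9.0.280
ws04,Adobe Flash Player,10.0.45.2
ws05,Adobe Flash Player,9.0.262
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric tuple so that 9.0.280 < 10.1.82.76; a plain string compare
    would rank the 9.x build as newer."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(product: str, version: str) -> bool:
    """True only if the build is at or above the fix on the same branch.
    Unknown products or branches are treated as unpatched, not ignored."""
    installed = parse_version(version)
    for fixed in FIXED.get(product, []):
        fixed_v = parse_version(fixed)
        if installed[0] == fixed_v[0]:
            return installed >= fixed_v
    return False


def find_leftovers(csv_text: str) -> dict[str, list[str]]:
    """Map host -> unpatched 'product version' entries. ws01 shows the
    side-by-side case: the new build is present, the old one was never removed."""
    leftovers = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_patched(row["product"], row["version"]):
            leftovers[row["host"]].append(f'{row["product"]} {row["version"]}')
    return dict(leftovers)


if __name__ == "__main__":
    for host, entries in sorted(find_leftovers(INVENTORY_CSV).items()):
        print(host, "->", "; ".join(entries))
```

Feed it the real export from whatever inventory or patch tool you use and diff the result against the vulnerability scanner's findings; the two should agree, and any host the scanner calls clean while this flags it usually means the scanner only checked the newest registry entry.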

References:
http://www.adobe.com/support/security/bulletins/apsb10-20.html



Friday, August 20, 2010

Google Chrome 5.0.375.127 Released

Google Chrome 5.0.375.127 has been released for Windows, Mac, and Linux. The update includes fixes for nine vulnerabilities, six of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/2010/08/stable-channel-update_19.html
http://sites.google.com/a/chromium.org/dev/Home/chromium-security



Thursday, August 19, 2010

Writing a Social Media Policy

There are lots of ways to produce a viable social media policy document. This article lays out one simple template; the links in the references section show other methods and ideas for accomplishing the same thing.

EXAMPLE
Policy
A broad general statement goes here: if you do not allow social media at all, say so; otherwise, state that you permit its use within certain guidelines. Specifically mention that people covered by this policy must protect themselves and the organization's shareholders, brand, reputation, and assets. State the consequences of failing to comply with the policy.


Procedures
Briefly describe what social media is here: blogs, message boards, wikis, Facebook, and so on.

Restate your organization's view on social media use here.

IMPORTANT - If you have any regulatory requirements or guidelines that impact your employees' use of social media, SPELL THOSE OUT HERE. Check with Legal, HR, and all relevant IT and business management to identify what applies to you. For example, in some industries the use of social media can be considered advertising if products or services are mentioned.


List out your DOs and DON'Ts:
Example DOs
1. Remind people of other related company policies here.
2. Remind people that they are solely responsible for any legal liability arising from or related to what they post online. Remind official company spokespersons of their special requirements when speaking online.
3. If commenting on some aspect of the organization, identify yourself as an employee and include a disclaimer.



Example DON'Ts
1. Do not disclose confidential or proprietary information.
2. Do not disparage other people (customers, coworkers, etc.) or any other company (suppliers, business partners, etc.).
3. Do not use the organization's logos or trademarks without permission.


Any closing legalese and a reminder that the policy has teeth can go here.



Some other good advice can be found in the links below:

References:
[Online policy creation tool]: http://socialmedia.policytool.net/
http://www.inc.com/guides/2010/05/writing-a-social-media-policy.html
http://socialmediagovernance.com/policies.php
http://mashable.com/2009/04/27/social-media-policy/





Adobe Reader 9.3.4 and 8.2.4 Released for Windows and Apple Mac

Included in these releases is a fix for the security issue reported last month by Charlie Miller at the Black Hat USA 2010 conference.

The GDI object leak problem described here is still present in this latest release of Adobe Reader.

References:
http://www.adobe.com/support/security/bulletins/apsb10-17.html



Saturday, August 14, 2010

Have You Scanned Your Network for Any Vulnerable VxWorks Devices Yet?

VxWorks is an embedded operating system found on a wide variety of devices, including some commonly found on enterprise networks such as network storage devices, printers, external RAID controllers, and various control devices. You should scan your networks using something like the new VxWorks scanning modules in Metasploit to be sure you have no vulnerable devices. Note that the exposed WDB debug agent these modules look for listens on UDP port 17185, so a TCP-only port scan will not find it. The links below will help you get started.


References:
Description of current issues with VxWorks:
http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

US-CERT advisory
http://www.kb.cert.org/vuls/id/362332

Wikipedia link describing VxWorks - includes list of some known VxWorks-based devices
https://secure.wikimedia.org/wikipedia/en/wiki/VxWorks



Thursday, August 12, 2010

Apple Quicktime Player 7.6.7 Released

Apple has released version 7.6.7 of their Quicktime Player for Windows. This version contains a security fix as described in the first link below.

References:
Security content: http://support.apple.com/kb/HT4290
Download location: http://support.apple.com/kb/HT1222



Wednesday, August 11, 2010

Apple iOS 4.0.2 Released for iPhone and iPod Touch. 3.2.2 for iPad

Apple has released iOS version 4.0.2 for the iPhone and iPod Touch. Version 3.2.2 was released for the iPad. These releases fix the two vulnerabilities exploited by jailbreakme.com.


References:
http://support.apple.com/kb/HT4291
iOS 4.0.2 for iPhone 4
iOS 4.0.2 for iPhone 3GS
iOS 3.2.2 for iPad




Tuesday, August 10, 2010

Adobe ColdFusion Security Update Released

Adobe has released a security update for ColdFusion. The issue affects ColdFusion versions 9.0.1, 9.0, 8.0.1 and 8.0. The update patches for each version are available at the second link below.

References:
http://www.adobe.com/support/security/bulletins/apsb10-18.html
http://kb2.adobe.com/cps/857/cpsid_85766.html



Adobe Flash Media Server 3.5.4 and 3.0.6 Released

Adobe has released versions 3.5.4 and 3.0.6 of their Flash Media Server software. These new versions contain security-related updates according to the release notes.

References:
http://www.adobe.com/support/security/bulletins/apsb10-19.html


Adobe Flash Player 10.1.82.76 and 9.0.280 Released

Adobe has released versions 10.1.82.76 and 9.0.280 of their Flash player product. These new versions contain security-related updates according to the release notes.

References:
http://www.adobe.com/support/security/bulletins/apsb10-16.html



Friday, August 6, 2010

New Foxit Reader Version 4.1.1.0805 Released - Contains Security Fixes

According to the release notes, version 4.1.1.0805 of Foxit Reader fixes the PDF parsing bug behind the recent iPhone/iPad jailbreak, which can also be used to remotely exploit a victim machine running the reader.

References:
http://www.foxitsoftware.com/announcements/2010861227.html
Download location: http://www.foxitsoftware.com/pdf/reader/addons.php



Security Fix Released for Citrix ICA Client

Citrix has released a fix for a remotely exploitable vulnerability in ICA Client versions 12.0.0.6410 and 11.2.0.31560 and in all versions of the Online Plug-in for Windows earlier than 12.0.3. Citrix recommends upgrading affected client installations to the latest version, which is currently 12.0.3.


References:
http://seclists.org/fulldisclosure/2010/Aug/50
http://citrix.com/English/ss/downloads/details.asp?downlaodld=2301299&productId=186



Thursday, August 5, 2010

New Adobe Reader Version due out Week of 16 - 20 August 2010

Adobe has announced that a security update will be released in the form of a new Adobe Reader version sometime in the week of 16 - 20 August 2010.

References:
http://www.adobe.com/support/security/bulletins/apsb10-17.html



New NBISE Infosec Certs

I am surprised to see supportive comments from SANS' Alan Paller in the threatpost.com link below, given that SANS might lose a profitable revenue stream from its own GIAC certification program if NBISE is successful in its goal "to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups". From the second and third links below, I see Alan Paller listed as a board member for NBISE.

Are these proposed new NBISE certs intended to replace those from GIAC? Is this a signal from Dr. Paller that we shouldn't obtain new or renew old SANS/GIAC certs going forward?


References:
http://threatpost.com/en_us/blogs/new-certification-group-aims-set-high-bar-it-security-pros-080510
https://prodnet.www.neca.org/publicationsdocs/wwpdf/71210natboard.pdf
http://nbise.org/leadership.php/

