ISDPodcast Episode 243 for October 26, 2010. Tonight’s podcast is hosted by Rick Hayes, and Karthik Rangarajan.
Announcements:
MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Use the Discount Code: isdpod15 for a 15% discount.
SANS Cyber Defense Initiative 2010
Washington, DC,
Marriott Wardman Park
Dec 10-17, 2010
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx
BSidesDelaware:
When: Saturday November 6, 2010
Where: Wilmington University, New Castle Campus
320 N. DuPont Highway, New Castle, DE 19720
Cost: Free – RSVP is REQUIRED for entry!
Eventbrite: http://bsidesde-Wiki.eventbrite.com
Schedule – CFP is open
Stories of Interest:
News: http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6
Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.
Mozilla has diagnosed the issue and is currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.
In the meantime, users can protect themselves by doing either of the following:
* Disabling JavaScript in Firefox
* Using the NoScript Add-on
News: http://www.tekgoblin.com/2010/10/26/look-like-its-the-end-of-the-line-for-limewire
A federal judge has issued an injunction against LimeWire for copyright infringement and unfair competition. The music industry had brought the claim against the Lime Group, which owns LimeWire, back in May. LimeWire has issued an official statement on their blog today with more details. The biggest change is that they have to disable the following functionality, as well as distribution of the client, immediately.
“the searching, downloading, uploading, file trading and/or file distribution functionality, and/or all functionality”
LimeWire has also stated that they will try to work with the music industry to allow them to stay open for business:
“While this is not our ideal path, we hope to work with the music industry in moving forward,” said a Lime Wire spokesperson in a statement. “We look forward to embracing necessary changes and collaborating with the entire music industry in the future.”
News: http://www.myfoxatlanta.com/dpps/news/study-facebook-voyeurism-part-of-workplace-dpgonc-20101021-gc_10224416
Facebook users tend to lurk instead of play when they log on to the social networking site while at their jobs, according to a report released Thursday by computer security firm Palo Alto Networks. While many workers link to Facebook on company computers, 88 percent of the online traffic consists of people watching what friends are up to in the online community, the report found. Use of social games popular at Facebook, such as “FarmVille,” accounted for only five percent of the traffic, while a meager 1.4 percent was devoted to posting updates or comments at the social network.
“The risks that voyeurism represent include a potential loss of productivity and the possibility of malware introduction by clicking on a link within someone’s ‘wall,’ ” Palo Alto Networks said in the report. “The small amount of [Facebook posts] should not minimize the risks in terms of what users are saying about work-related subjects such as current projects, travel plans and company status.”
News: https://www209.americanexpress.com/merchant/singlevoice/pdfs/en_US/DSOP_Merchant_US.pdf
American Express quietly pushed a new change to their Merchant Reporting requirements over the weekend. What was previously a requirement for the EU only is now a global requirement regardless of location. Level 2 American Express merchants (as defined by processing between 50,000 and 2.5 million transactions per year) must now submit an annual SAQ and quarterly network scans performed by an ASV. Those are now mandatory requirements globally.
Level 3 American Express merchants (less than 50,000 transactions per year) are not totally in the clear, as they must still comply with the Data Security Operating Policy (DSOP), which requires compliance with PCI DSS; for them, however, an annual SAQ and quarterly scans are strongly recommended rather than mandatory. The change here was to call out a global requirement instead of what was previously EU only. Merchants that fall into this category should ensure that they do not fall under any other payment brand’s levels (such as a MasterCard or Visa Level 3) rather than relying on one single payment brand’s reporting criteria.
News: http://www.newsfactor.com/news/FaceTime-Flaw-Imperils-Mac-Users/story.xhtml?story_id=112006HIYVWG&full_skip=1
A feature first made popular on the iPhone 4, Apple’s FaceTime, is running into problems on new Macs. News reports suggest a dangerous security flaw could cause headaches for consumers.
Apple on Wednesday announced the public beta of FaceTime for Mac. The application lets Mac users video-call iPhone 4 and iPod touch users as well as other Macs. FaceTime for Mac automatically uses the consumer’s address-book contacts and works through the built-in camera and microphone on Mac notebooks, iMacs and Apple LED Cinema Displays. But few may want to use it after Thursday’s revelations.
“While many users are happy about having FaceTime on their Mac, we are a little anxious about some security glitches present in the current beta of the software. With a few clicks, others can make use of the user’s Apple ID and reset the password with ease,” said MacNotes, an online magazine in Germany.
“Once you’ve logged into FaceTime, you can have a look at all the account settings of the used Apple ID,” MacNotes said. “Username, ID, place and birth date are shown as well as the security question and the answer to it — in plain text, without another password request. To reset the password to an Apple ID, all you need (is) the exact birth date and the answer to the security question — we tried that out for you, and it worked fine.”
News: http://twitter.com/#!/AndroidDev/status/28701488389
Google reached a significant milestone for its Android mobile operating system: 100,000 applications are available in the Android Market.
The company announced the news in a post to its Android Developer Twitter account, nearly two years to the day since the Android Market formally opened for business. An unofficial estimate of Android applications by AndroLib had pegged the number at 50,000 in April, but it’s not clear how accurate that was, as AndroLib currently predicts that 150,000 applications are available in the market.
Google is still well behind Apple when it comes to mobile applications, of course, with iPhone, iPod Touch, and iPad owners having access to over 280,000 iOS-based applications at last count. Still, the milestone is worth noting as Android continues to cement its role as the Apple alternative for developers and consumers.