InfoSec News

Dropbox spokesman says investigation is ongoing after attackers gained access to an employee account leaking user email addresses.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
libjpeg-turbo Heap-Based Buffer Overflow Vulnerability
SpecView Web Server Directory Traversal Vulnerability
Apple will ask a federal court to sanction Samsung Electronics for releasing documents that were not allowed as evidence in the companies' dueling patent-infringement suits.
A California court on Wednesday ordered Oracle to continue porting its software to the Intel Itanium chips used by Hewlett-Packard in a number of its servers.
It's urgent for the U.S. Senate to pass a cybersecurity bill now stalled because of opposition from several lawmakers, officials from the U.S. White House said Wednesday.
Researchers from IBM's X-Force Advanced Research Team demonstrated how an attacker could escape a Flash sandbox implementation at Black Hat.

A new defensive technique that can be used in Intel-based processors could thwart memory-based return oriented programming attacks.

Its new partnership with Lenovo takes EMC even further into the data center. With plans now to begin selling storage and servers in the Chinese market, could that partnership stress EMC's existing relationships?
Sielco Sistemi Winlog Pro Multiple Security Vulnerabilities
Police in Oakland, California, have spent about US$1.8 million in recent years on software and other crime-fighting technologies that they either never used or drastically underutilized, according to a report released Wednesday by city auditor Courtney Ruby.
The U.S. government will try to persuade other nations to abandon proposals to regulate the Internet at an upcoming United Nations treaty-writing conference by showing them the success of open markets, the U.S. ambassador to the conference said.
[SECURITY] [DSA 2519-1] isc-dhcp security update
Microsoft today announced that it's wrapped up Windows 8 and declared that the operating system has met the 'release to manufacturing' (RTM) milestone.
ISIS, a consortium of three wireless carriers, is reportedly set to launch its mobile payment pilot test on Aug. 20 in Austin and Salt Lake City.
Twitter is looking to take the country's temperature when it comes to the presidential election in November with its new Twitter Political Index.
Mozilla Firefox, SeaMonkey, and Thunderbird Multiple Remote Memory Corruption Vulnerabilities
[ MDVSA-2012:111 ] krb5
The Nexus 7 with 16GB of storage reappeared 'in stock' on the Google Play store after it was unavailable there and in many retail stores in the U.S. for about a week.
Microsoft announced on Wednesday that it has completed the development and testing of Windows 8, a major upgrade of its OS for desktops, laptops and tablets and one of the most important product releases in the company's history.
Following a four-month beta period, Rackspace has started offering its hosted servers and databases using the open source OpenStack suite of cloud software.
The Uptime Institute, a well-known and -respected organization that focuses on data center best practices and economics, recently released its 2012 Data Center Survey (registration required).
Last night, various time servers wrongly announced that a leap second would be applied; it is as yet unclear whether this was caused by a simple bug or whether it could have been a DoS attack that targeted Linux systems.

After saying their products were unaffected by the recently disclosed Oracle file converter holes, Avira has now released updates for Avira AntiVir for Exchange to fix that very vulnerability.

Secunia Research: Citrix Access Gateway Plug-in for Windows nsepacom ActiveX Control Buffer Overflow
Secunia Research: Citrix Access Gateway Plug-in for Windows nsepacom ActiveX Control Integer Overflow
Kaspersky PM - Software Filter Vulnerability
ME Mobile Application Manager v10 - SQL Vulnerabilities
The latest release of Google's Chrome browser can render webpages with the resolution of Apple's Retina display, the company said on Tuesday, making good on a commitment it made several weeks ago.
More than 1 million people registered with the new Outlook.com email service on opening day, Microsoft said.
A hurricane app from the American Red Cross offers location-based NOAA weather alerts and lets users send a one-touch 'I'm safe' message via social networks to family and friends in an emergency.
ME Application Manager 10 - Multiple Web Vulnerabilities
Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities
Barracuda Appliances - Validation Filter Bypass Vulnerability
[SECURITY] [DSA 2518-1] krb5 security update
Advanced Micro Devices has lured Jim Keller from his role as platform architect at Apple to head its processor group as the struggling company tries to reshape its chip strategy and stem a loss in processor market share.
Microsoft feels that it has the upper hand in its patent battle with Google-owned Motorola Mobility and wants to put an end to the fight, but only as long as a broad agreement is signed, the company said in a blog post on Tuesday.
Specific vulnerabilities in two routers and bad organisational security practices have led two researchers to question the security qualifications of the Chinese manufacturer.

Google yesterday released Chrome 21, the latest version of its browser. In addition to the usual set of bug fixes (including some critical security patches), Chrome now joins Opera in supporting the getUserMedia API.
getUserMedia is part of the larger HTML 5 ecosystem. HTML 5 is more than a set of new HTML tags; the term is frequently used for a larger set of emerging standards for various browser APIs. getUserMedia will allow JavaScript to access microphones and cameras, something that has not been possible so far without special plugins; usually Flash was used to capture images.
The getUserMedia API itself is part of WebRTC (Real Time Communication), which will allow direct communication between browsers. With WebRTC and getUserMedia, it will be possible to implement a video calling application using just HTML/JavaScript, without any plugins or other software.
From a security point of view, the critical problem is to protect the user from accidentally turning on the microphone and camera, or from a web application turning them on without the user's permission. Google Chrome shows a warning message asking the user for permission. Flash uses its own warning for this purpose and has been subject to clickjacking exploits that could trick a user into granting permission to use the camera/microphone.
This API has not been finalized yet. Expect changes, and bugs. Firefox will support it in version 16 (current . There is no word about support in Safari, but it is likely to follow. If you want to experiment with it, see http://www.html5rocks.com/en/tutorials/getusermedia/intro/ for details and a demo.
Probably the best list of supported features by browser can be found at http://html5test.com
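The permission flow the diary describes, as an added example that is not code from the diary, from Chrome or from the WebRTC specification: a small JavaScript wrapper that requests camera/microphone access defensively. It assumes the current promise-based navigator.mediaDevices.getUserMedia() (in 2012 the call was vendor-prefixed and callback-based), and it takes the navigator object as a hypothetical parameter `nav` so the same logic can be exercised against a constructed stub (`makeFakeNavigator`, also constructed here) outside a browser. The points it makes: request only the devices the feature actually needs, treat a denied prompt as a normal outcome rather than something to retry, and stop every track when done so the browser's camera/microphone indicator goes off.

```javascript
// Added example (not from the ISC diary). Assumes navigator.mediaDevices.getUserMedia();
// `nav` is a hypothetical parameter standing in for window.navigator so the flow
// can be demonstrated with a constructed stub.

// Map the DOMException names a browser raises to the outcomes an app must handle.
const CAPTURE_FAILURES = {
  NotAllowedError: 'permission-denied',       // user clicked Deny on the browser's prompt
  PermissionDeniedError: 'permission-denied', // older Chrome spelling of the same
  NotFoundError: 'no-device',                 // no camera/microphone present
  NotReadableError: 'device-busy',            // hardware already held by another app
  SecurityError: 'insecure-context',          // non-HTTPS origin or sandboxed frame
  OverconstrainedError: 'unsatisfiable-constraints',
};

function classifyCaptureError(err) {
  const name = err && typeof err.name === 'string' ? err.name : '';
  // hasOwnProperty guard so names like "toString" do not hit Object.prototype
  return Object.prototype.hasOwnProperty.call(CAPTURE_FAILURES, name)
    ? CAPTURE_FAILURES[name]
    : 'unknown';
}

// Feature detection: older browsers expose nothing, or only a prefixed form.
function supportsCapture(nav) {
  return Boolean(nav && nav.mediaDevices && typeof nav.mediaDevices.getUserMedia === 'function');
}

// Ask only for what the feature needs: a wider request means a wider prompt the
// user has to judge, and a larger exposure if the page is ever compromised.
function buildConstraints({ video = false, audio = false } = {}) {
  if (!video && !audio) {
    throw new TypeError('at least one of video/audio must be requested');
  }
  return { video, audio };
}

async function requestCapture(nav, options) {
  const constraints = buildConstraints(options);
  if (!supportsCapture(nav)) {
    return { ok: false, reason: 'unsupported', stream: null };
  }
  try {
    // The browser, not the page, draws the permission prompt; the page only sees the result.
    const stream = await nav.mediaDevices.getUserMedia(constraints);
    return { ok: true, reason: null, stream };
  } catch (err) {
    // Report denial to the caller; do not loop on it, repeated prompts train users to click Allow.
    return { ok: false, reason: classifyCaptureError(err), stream: null };
  }
}

// Stop every track when the feature is finished so the hardware indicator turns off.
function releaseCapture(stream) {
  let stopped = 0;
  for (const track of stream.getTracks()) {
    track.stop();
    stopped += 1;
  }
  return stopped;
}

// Constructed stand-in for a browser navigator, used only to demonstrate the flow.
function makeFakeNavigator(behaviour) {
  const makeTrack = (kind) => ({ kind, stopped: false, stop() { this.stopped = true; } });
  return {
    mediaDevices: {
      getUserMedia(constraints) {
        if (behaviour === 'allow') {
          const tracks = [];
          if (constraints.video) tracks.push(makeTrack('video'));
          if (constraints.audio) tracks.push(makeTrack('audio'));
          return Promise.resolve({ getTracks: () => tracks });
        }
        const err = new Error('getUserMedia failed');
        err.name = behaviour === 'deny' ? 'NotAllowedError' : 'NotFoundError';
        return Promise.reject(err);
      },
    },
  };
}
```

In a real page, call `requestCapture(window.navigator, { video: true })` from a click handler rather than on page load, so the prompt is tied to something the user just did, and keep the returned stream so `releaseCapture` can be called when the call ends.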

Camera Permission Dialog in Opera

Camera Permission Dialog in Chrome


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Dr. Web Enterprise Security Suite 'username' Field HTML Injection Vulnerability
Lenovo and EMC will team up to develop and sell server and storage technology, with an eye to the Chinese market, the companies said.
Google has acquired Wildfire Interactive, a social media marketing company, aiming to creating new opportunities for its clients to engage with people across all social services, it said Tuesday.
Japanese electronics heavyweights Fujitsu and NEC, together with the country's largest mobile operator NTT DoCoMo, said Wednesday they will form a new joint venture to build and sell wireless chips for smartphones.
Prices are dropping on tablets running Android 4.1 OS, with Indian company Karbonn Mobiles announcing a tablet priced at around $125 and using Google's latest OS, code-named Jelly Bean.
An industry group launched Tuesday will guide a massive upgrade of the U.S. payment card system to a new platform designed to prevent card fraud.
The launch of Google's Nexus Q media streaming device has been postponed, and those who preordered will get the device free, the company said.
A file with customer data was stolen from the Dropbox account of one of the cloud storage service provider's employees. The data was subsequently used by unknown parties to send out spam.

Joomla RSGallery2 Component HTML Injection and SQL Injection Vulnerabilities
From implementing single sign-on to including social media in the lineup, shops are doing what they need to make the cloud work for them.
Shipments of Windows laptops and desktops have hit new lows as tablet shipments continued to rise during the second quarter of this year, Canalys Research said in a study released on Tuesday.
Microsoft rebooted Hotmail as Outlook.com, serving notice that the former is headed toward retirement and that the latter is the new face of the company's 15-year-old online email effort.
In the major stable update to Chrome, web applications can now directly access the local system's built-in camera and microphone. Support for Apple's new Retina display MacBook Pro has been added, and a number of security holes have been closed.

According to a report from Bloomberg, Chinese hackers tried to spy on numerous top politicians including the President of the European Union Council, Herman Van Rompuy. However, the hackers were being tracked by US security experts.


Posted by InfoSec News on Aug 01


By Jon Brodkin
Ars Technica
July 31, 2012

A couple of weeks ago Dropbox hired some "outside experts" to
investigate why a bunch of users were getting spam at e-mail addresses
used only for Dropbox storage accounts. The results of the investigation
are in, and it turns out a Dropbox employee’s account was hacked,

Posted by InfoSec News on Aug 01

Forwarded from: William Knowles <wk (at) c4i.org>


By Eric Katz
July 31, 2012

Analysts increasingly are turning to social media forums such as Facebook and
Twitter to gather valuable information that can be used to help predict social,
cultural and political shifts, and events before they might otherwise be...

Posted by InfoSec News on Aug 01


By Gregg Keizer
July 31, 2012

Microsoft last week warned IT administrators that critical
vulnerabilities in code licensed from Oracle could give attackers access
to Exchange Server 2007 and Exchange Server 2010 systems.

Oracle patched the vulnerabilities in its "Oracle Outside In" code
libraries as part of a...

Posted by InfoSec News on Aug 01


By Parmy Olson
Forbes Staff

Guest post by Conrad Constantine and Dominique Karg

Fretful members of U.S. Senate are preparing to debate the Cybersecurity
Act of 2012, potentially making it easier for corporations to share data
about their users with the authorities. But who are they scared of? In
the current lexicon of the cyber security...

Posted by InfoSec News on Aug 01


By Rachel Hirshfeld

The website of Public Diplomacy and Diaspora Affairs Minister Yuli
Edelstein (Likud) was hacked today by a group dubbed “the hacker group
of Gaza.”

MK Edelstein, who has come under fire from Arab extremists as the result
of his steadfast and unwavering work on behalf of the State of Israel,
responded by calling the hacking...
WebPagetest Multiple Input Validation Vulnerabilities
MIT Kerberos 5 Uninitialized Pointer Dereference Remote Multiple Denial of Service Vulnerabilities
Microsoft Internet Explorer CVE-2012-1876 Col Element Remote Code Execution Vulnerability