When I started my shift I was thinking of writing about how it's important to log out of things like Facebook, Gmail, etc. whenever you're not using them. Then my Twitter feed lit up with links to this announcement: http://blog.twitter.com/2013/02/keeping-our-users-secure.html

There are a lot of distractions in the post: references to the New York Times and Wall Street Journal announcements of a compromise, and a warning about updating the Java in your browser. While the NYT/WSJ hack is newsworthy and updating your browser's Java (or uninstalling it) is a really good idea(tm), neither is related to the Twitter incident. The important bit that you need to look at is this: "investigation has thus far indicated that the attackers may have had access to limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users." That's a system penetration, and while they continue their investigation (which is going to take a long time), they are containing the incident by invalidating session tokens and issuing password resets.

It's good that they share the scope of what was exposed and point out that it was session tokens and encrypted/salted passwords. It's good news that they even use the term salt.

If you have received a password reset message, then you should probably do the following: log out of every one of your mobile apps that interacts with Twitter. From within the web interface of Twitter, click on the Settings/gear icon and click on Settings. Click on Apps and it will show you which apps are authenticated, and you can revoke access. See any there you don't recognize? I was a bit surprised to see a TweetDeck still active from 10-FEB-2012 that had permissions to read, write and direct messages. Then log out of Twitter and follow their instructions to reset your password. Try not to do this from a shared system or on a public or hotel wifi if you can avoid it.

In general, log out of things. Log out of LinkedIn, Foursquare, Facebook and Twitter when you're not using them. Staying authenticated to Gmail or Yahoo Mail is why your webmail account starts sending out pharmaceutical spam when you happen upon someone's hacked WordPress site: as long as your session is still valid, a malicious page you load can make requests to the webmail site on your behalf.
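The containment steps the diary describes (invalidate every live session token for an affected account, force a password reset, and keep passwords only as salted hashes) are easy to get wrong in a home-grown session layer. The following is an added example, written for this page and not code from Twitter or the ISC, of a minimal server-side session store that does those things. The store keeps only a SHA-256 fingerprint of each session token, so a copy of the session table by itself cannot be replayed as a live session; the PBKDF2 work factor, the token length and the `contain_account_compromise` helper are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: work factor chosen for this demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means identical
    passwords hash differently and precomputed tables are useless."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class SessionStore:
    """In-memory session table keyed by a hash of the token, not the token."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self._sessions: Dict[str, Dict] = {}  # fingerprint -> {"user", "expires"}
        self._ttl = ttl_seconds

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._fingerprint(token)] = {"user": user, "expires": now + self._ttl}
        return token  # the raw token goes only to the client (cookie/app)

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._fingerprint(token))
        if entry is None or entry["expires"] <= now:
            return None
        return entry["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(self._fingerprint(token), None)

    def revoke_all_for(self, user: str) -> int:
        """Drop every session of one user (web, phone, third-party app alike)."""
        doomed: List[str] = [k for k, v in self._sessions.items() if v["user"] == user]
        for key in doomed:
            del self._sessions[key]
        return len(doomed)


def contain_account_compromise(store: SessionStore, users: Dict[str, Dict],
                               affected: List[str]) -> Dict[str, int]:
    """Hypothetical containment routine: for each affected account, revoke all
    live sessions and flag the account so the next login demands a reset."""
    summary = {}
    for name in affected:
        summary[name] = store.revoke_all_for(name)
        users[name]["must_reset"] = True
    return summary


def demo() -> Dict[str, object]:
    # Constructed sample data: one user with two live sessions.
    salt, digest = hash_password("correct horse")
    users = {"alice": {"salt": salt, "digest": digest, "must_reset": False}}
    store = SessionStore()
    web_token = store.create("alice")
    phone_token = store.create("alice")
    summary = contain_account_compromise(store, users, ["alice"])
    return {
        "revoked": summary["alice"],
        "web_still_valid": store.validate(web_token) is not None,
        "phone_still_valid": store.validate(phone_token) is not None,
        "must_reset": users["alice"]["must_reset"],
        "password_ok": verify_password("correct horse", salt, digest),
        "wrong_password_ok": verify_password("wrong", salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```

Storing only the fingerprint of the token is the detail worth copying: the dump an attacker walks away with then contains nothing that can be presented back to the site, and revocation is still a simple delete by key.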
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle Java Runtime Environment Multiple Security Vulnerabilities
Twitter's servers have been breached by "extremely sophisticated" hackers who may have made off with user names and passwords for about 250,000 users, the company said Friday.
All those pet cat profiles add up: Facebook has reported that roughly 76 million of the 1.06 billion user accounts on its social network are bogus in some way or other.
Drupal email2image Module Access Bypass Vulnerability
Over the last couple of years a huge buzz has been building around the consumerization of IT, workers using their own PCs, smartphones, tablets and phablets at work, a movement that also goes by the name Bring Your Own Device (BYOD).
Despite some caution about the fortunes of BlackBerry, Facebook and Apple, solid financial results from tech vendors coupled with positive reports about the economy are boosting confidence in IT, with share prices of computer, consumer electronics and Internet companies rising this week.
Google has created a €60 million (US$81 million) fund designed to settle disputes with French publishers over lost revenues, providing an alternative to a proposed "link tax" that would have charged the company for posting French news content in its search results.
Unused intranets. Siloed departmental portals. Excessive email use.

First off, a huge thank you to readers Ken and Paul for pointing out that Oracle has released Java 7u13. As the CPU (Critical Patch Update) bulletin points out, the release was originally scheduled for 19 Feb, but was moved up due to the active exploitation of one of the critical vulnerabilities in the wild. Their Risk Matrix lists 50 CVEs, 49 of which are remotely exploitable without authentication. As Rob discussed in his diary 2 weeks ago, now is a great opportunity to determine if you really need Java installed (if not, remove it) and, if you do, take additional steps to protect the systems that do still require it. I haven't seen jusched pull this one down on my personal laptop yet, but if you have Java installed you might want to do this one manually right away. On a side note, we've had reports of folks who installed Java 7u11 and had it silently (and unexpectedly) remove Java 6 from the system, thus breaking some legacy applications, so that is something else you might want to be on the lookout for if you do apply this update.

Update: (2013-02-01 22:00 UTC) Thanks to another Ken for pointing out that 26 of the CVEs have a CVSS base score of 10.0 and to Neil for pointing out that 6u39 is out, too.
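If you are checking a fleet rather than one laptop, the manual "do this one right away" step turns into a version audit. The block below is an added example for this page, not an ISC or Oracle tool: it parses the output of `java -version` (which the JVM prints to stderr, in the `1.7.0_11` style used at the time) and compares the update number against the fixed releases the diary names, 7u13 and 6u39. The `MINIMUM_UPDATE` table, the status strings and the sample outputs are assumptions constructed for the demo.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Fixed releases named in the diary, keyed by major version: 7u13 and 6u39.
MINIMUM_UPDATE: Dict[int, int] = {7: 13, 6: 39}

# Matches e.g. 'java version "1.7.0_11"'; the "_NN" update suffix is optional
# because GA builds such as "1.7.0" carry no update number.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, e.g. "1.7.0_11" -> (7, 11)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) is not None else 0
    return int(m.group(1)), update


def assess(output: str) -> str:
    """Classify one host's `java -version` output against MINIMUM_UPDATE."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "no-java-or-unrecognised"
    major, update = parsed
    minimum = MINIMUM_UPDATE.get(major)
    if minimum is None:
        return f"unsupported-major-{major}"  # no fixed release listed for this line
    return "patched" if update >= minimum else "needs-update"


def check_local_java(timeout: float = 10.0) -> str:
    """Run `java -version` on this machine and assess the result.
    stderr and stdout are both read because the JVM prints the banner to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "no-java-or-unrecognised"
    return assess(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from real hosts).
SAMPLES: Dict[str, str] = {
    "old-7": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "fixed-7": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)\n',
    "fixed-6": 'java version "1.6.0_39"\nJava(TM) SE Runtime Environment (build 1.6.0_39-b04)\n',
    "old-6": 'java version "1.6.0_37"\n',
    "ga-7": 'java version "1.7.0"\n',
    "none": "bash: java: command not found\n",
}


def assess_samples() -> Dict[str, str]:
    return {name: assess(banner) for name, banner in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in assess_samples().items():
        print(f"{name:8s} {status}")
    print("this host:", check_local_java())
```

Running the parser over collected banners rather than calling `check_local_java()` on each box is the practical shape: have whatever inventory or login script you already run capture `java -version 2>&1` once, then assess the text centrally.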




Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu
When the Baltimore Ravens and the San Francisco 49ers meet up in New Orleans, social networks are expected to light up with users talking about great passes, touchdowns and, of course, those Super Bowl commercials.
Hewlett-Packard plans to use its recently announced SDN controller to distribute its TippingPoint intrusion prevention system across networks, overcoming the scale limitations of dedicated appliances.
Visitors to what used to be Buy.com will see a few changes on the front page this week -- including a pronunciation guide for its new name.
Corosync HMAC Denial of Service Vulnerability
GNU Coreutils 'sort' Text Utility Buffer Overflow Vulnerability
GNU Coreutils 'join' Text Utility Buffer Overflow Vulnerability


Adding more performance management muscle to its line of analysis software and services, IBM is acquiring the software assets of Star Analytics.
President Barack Obama is expected to issue a cybersecurity executive order in the days after his Feb. 12 State of the Union address.
Apple topped Samsung as the leading cellphone vendor in the U.S. in the last three months of the year to become the number-one U.S. vendor by volume for the first time, according to data published on Friday by Strategy Analysis.
Windows 8 fell further behind the pace of Windows Vista's uptake last month, a metric company said today, even as usage share of the new operating system continued to slowly climb.
QEMU KVM QXL Denial of Service Vulnerability
The maker of the Path social networking app will pay a US$800,000 civil penalty to settle U.S. Federal Trade Commission charges that it illegally collected personal information from children without parental consent, the agency said Friday.
Imation's IronKey division has introduced a new USB drive from which you can boot up an encryption-secured Windows 8 PC on any computer.
You just read about another online database hack, and now 4 million users' names and passwords are floating around the Internet--and you have a sinking feeling that one of them might be yours. And then there are the security breaches you don't hear about, the ones that leave nasty surprises in your inbox or on your credit card statement.
In this edition of Lost+Found: A demonic SSH daemon, Woot.com sends out a bag of crap in the nicest possible way, the Bill Shocker malware, iOS 6.1 jailbreak, and The Onion decides to be proactive

Apple has, yet again, blocked the currently available version of the Java plugin for browsers on Mac OS X, apparently reacting to the news of a proof-of-concept attack which bypasses Oracle's latest defences

The fourth defendant connected with the DDoS attacks that were carried out during "Operation Payback" has been sentenced in London. However, he won't have to serve a custodial sentence

Mobile app developers should provide real-time disclosures to users on the personal information they collect and get permission to collect sensitive information, the U.S. Federal Trade Commission has recommended.
SAP's burgeoning portfolio of cloud-based applications has prompted it to make some changes to its PartnerEdge channel program.
A court has rejected Oracle's appeal of a judge's ruling in the lawsuit Hewlett-Packard brought over Oracle's decision to stop porting its software to HP's Itanium server platform.
As more companies adopt a bring-your-own-device (BYOD) approach to mobile, many are getting caught by hidden costs. But virtualization titan VMware has bucked that trend. VMware CIO Mark Egan explains how his company accomplished its feat.
Symantec has published a statement saying its software is not to blame for the hacking of the New York Times by Chinese hackers. Meanwhile, several other media organisations have said that they have been targeted for years

Intellectual property company I/P Engine has sued Microsoft for infringing two search patents it acquired from Lycos.
The U.S. International Trade Commission plans to investigate the smartphones of Samsung, Nokia and Chinese vendors Huawei and ZTE for patent infringement, after wireless technology provider InterDigital filed a complaint.
The European Commission has received a proposal from Google to settle an antitrust investigation into the company's search engine practices, a Commission spokesman said on Friday. At the same time, an industry organization said it has filed another antitrust complaint against Google with the Commission.
Apple managed to outsell Samsung Electronics by almost one million units to become the number one mobile phone vendor in the U.S. for the first time ever during the fourth quarter, according to Strategy Analytics.
A U.S. appeals court has denied Apple a rehearing on the rejection of an injunction on the Samsung Electronics Galaxy Nexus phone.
MariaDB developers address the remainder of the security flaws that were revealed in December in MySQL and the MySQL database clones

DataLife Engine 'catlist' Parameter PHP Code Injection Vulnerability

#FFSec, Feb. 1: Five infosec pros who stand out
CSO (blog)
@WeldPond: Chris Wysopal has had a long and eventful career in infosec as former L0pht researcher, L0phtCrack and Netcat for Windows developer, and as Veracode CTO & co-founder. He put together a team of some of the smartest people in the industry ...

The European Commission has received Google's proposal to settle an antitrust investigation into the search engine's practices, a Commission spokesman said on Friday. But one industry organization said it has filed another antitrust complaint against Google with the Commission.

Posted by InfoSec News on Feb 01

"Y2K was Survived...Mayan Apocalypse was Survived...And we are ready
for Doomsday of Armageddon 2020...
All new HACKIM-2013 is ready to help dust your Armour...and when you
are through...you would say it - Yeah!!!Come to Papa..."

"YOU...yes YOU...Think you survived The Mayan Apocalypse????
YOU...yes YOU...Relieved for next 6 years till the Armageddon strikes????
YOU...yes YOU...dancing out of the bath tub dream with...

Posted by InfoSec News on Feb 01


By John E Dunn
31 January 2013

Symantec has offered a carefully-worded but defiant response to the news that
one of its customers, the New York Times, was attacked by Chinese hackers with
barely any intervention from its software.

Earlier today, the newspaper revealed that hackers probably connected to the

Posted by InfoSec News on Feb 01


By Robert Lemos
Contributing Writer
Dark Reading
Jan 31, 2013

Data-center operator Rackspace takes the physical security of its facilities

In a post on the topic earlier this month, the company, which declined to be
interviewed for this article, outlined some of the standard...

Posted by InfoSec News on Feb 01


By Jeremy Kirk
IDG News Service
January 31, 2013

The Wall Street Journal said Thursday it had been targeted by hackers trying to
monitor the newspaper's coverage of China, less than a day after a similar
revelation from its competitor The New York Times.

The Journal, which is owned by News Corp., said it finished an overhaul of its...

Posted by InfoSec News on Feb 01


By John Leyden
The Register
31st January 2013

An application developer reports that the latest Java 7 update "silently"
deletes Java 6, breaking applications in the process.

Java 7 update 11 was released two weeks ago to deal with an unpatched
vulnerability which had gone mainstream with its incorporation into cybercrook
toolkits such as the Blackhole Exploit Kit in the...
Linux Kernel '/dev/ptmx' File Local Information Disclosure Vulnerability
Oracle MySQL Server CVE-2012-1705 Remote Security Vulnerability
Oracle MySQL Server CVE-2013-0383 Remote Security Vulnerability
Oracle MySQL Server CVE-2013-0375 Remote Security Vulnerability
QEMU KVM QXL Local Denial of Service Vulnerability
Drupal Core Multiple Access Bypass and Cross Site Scripting Vulnerabilities