Hackin9

The cause isn't yet clear, but more than 36 hours after Microsoft disrupted dynamic DNS hosting for millions of No-IP.com users, service reportedly remained down for many, and the main website was also unavailable.

No-IP users continue to post tweets saying service is still down. No-IP representatives on Tuesday evening reported coming under a denial-of-service attack but went on to suggest it had no relation to continuing problems with domain name resolution, which Microsoft took over a day earlier under a highly controversial court order issued in a botnet takedown action.

"Please note the DDOS attack was only directed at our website, not to our DNS infrastructure," No-IP representatives wrote in a Twitter message posted around 5 pm California time. In a separate tweet about an hour earlier, they said Microsoft's claims that service was restored Tuesday morning were not true. The No-IP website was unavailable at the time this article was being prepared, and a spokeswoman didn't respond to an e-mail requesting comment. The spokeswoman has reportedly indicated Microsoft's attempts to restore service to legitimate users have been ineffective.


 
 
Microsoft admitted Tuesday it made a technical error after it commandeered part of an Internet service's network in order to shut down a botnet, but the Nevada-based Internet service says its services are still down.
 
VidCon was like a crash course in modern day pop culture. On the quad outside the main hall an army of screaming teenagers rushed from one YouTube star to the next. Some of the stars and their respective mobs were large enough to require security escorts.
 
The Electronic Frontier Foundation, a prominent digital privacy rights group, has filed a lawsuit against the U.S. National Security Agency to get it to specify the extent to which it might exploit software security flaws.
 
Tinder co-founder Justin Mateen was suspended from his work after texts surfaced as part of a complaint filed in Los Angeles Superior Court.

Tinder, the iOS App Store's fastest-growing dating app, set itself apart from the online dating competition in early 2013 by combining the personality-algorithm matching of OKCupid with GPS functionality, allowing users to comb through eligible, interested singles faster than ever before.

Yesterday, the app gained a different sort of attention after former Tinder executive Whitney Wolfe filed a wide-ranging sexual harassment claim against the company. The complaint, filed in Los Angeles Superior Court, included copies of enough scathing text exchanges sent to Wolfe by co-founder/CMO Justin Mateen to prompt the company to announce Mateen's temporary suspension "pending an ongoing internal investigation."

In addition to allegations of frequent, public, and sexist name-calling, the 19-page complaint alleged that Mateen "told Ms. Wolfe that he was taking away her 'co-founder' title because having a young female co-founder 'makes the company seem like a joke' and 'devalues' the company." Additionally, the complaint alleges a complete failure by both Tinder CEO Sean Rad and parent company Match.com CEO Sam Yagan to react to accusations of corporate impropriety; in the case of the latter, Yagan was alleged to have reacted to her complaints by saying, "I can still sleep at night."


 
Forget carrying a smartphone in your pocket. In about 10 years, we're likely to have digitally connected cars, smart homes, and refrigerators and dishwashers that can think for themselves.
 
Oracle is selling $10 billion in bonds, in a move that could signal the vendor is planning to ramp up its already steady pace of acquisitions.
 
Almost 90 percent of U.S. CIOs and about 70 percent of U.S. hiring managers plan to hire IT professionals in the second half of 2014, according to separate research reports from Robert Half Technology and Dice.com, respectively. That adds up to great news for the IT industry and for tech pros looking to land a new job, but hiring companies must adapt to upward pressure on salaries and stem high turnover rates.
 
The FBI and CIA can query the content of U.S. residents' electronic communications that the National Security Agency inadvertently collects when targeting foreign terrorism suspects, an intelligence official said.
 
LinuxSecurity.com: Multiple vulnerabilities were found in OpenLDAP, allowing for Denial of Service or a man-in-the-middle attack.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Openfire, the worst of which could lead to a Denial of Service condition.
 

Last December, Microsoft promised to expand its use of encryption for its cloud services to protect them from criminals and hackers (and, though the company didn't say so, spying governments). Today, it announced that it has reached a number of milestones in this ongoing effort.

Both inbound and outbound mail on the Outlook.com service will use TLS encryption when sending and receiving from servers that also support TLS. The company says that it has worked with a number of other mail providers, including Deutsche Telekom, Yandex, and Mail.Ru, to ensure that mail sent to and from these popular providers is encrypted in transit.

Outlook.com and OneDrive have also been updated to use perfect forward secrecy (PFS). With PFS, the keys used for each connection are randomly generated on a per-session basis. This is important because it protects against bulk data collection. Without PFS, if a law enforcement agency or hacker can demand or steal the long-term key used to secure connections, they can use that key to decrypt all historic, recorded sessions. PFS prevents this; compromising one session's key only enables decryption of that session.


 
phpPgAdmin 'function.php' Cross Site Scripting Vulnerability
 
Ericsson says it has succeeded in sending data at 5 gigabits per second over a wireless testbed for future "5G" mobile networks.
 
In a recent research survey, ESG asked security professionals to identify the most important type of data for use in malware detection and analysis (note: I am an employee of ESG). The responses were as follows:
 
T-Mobile USA made hundreds of millions of dollars by charging customers for purported "premium" SMS subscriptions that, in many cases, they never ordered, the U.S. Federal Trade Commission says.
 
With the uproar continuing over Facebook's manipulation of users' News Feeds to conduct an experiment on emotions, there are several things people need to understand.
 

Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned.

"If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable."

The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it's the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, "any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated." The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just-released 2.6.7, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses.
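The pattern Cid describes, shown as an added illustration rather than MailPoet's own code: a hypothetical plugin (all `hypo_` names are made up) that performs a file upload from an `admin_init` callback. The flawed handler treats the hook as proof of an admin session; the hardened handler checks authentication, capability and a nonce explicitly and lets WordPress validate the file.

```php
<?php
/*
 * Hypothetical plugin code (not MailPoet's). As the article notes,
 * admin_init also fires for unauthenticated requests to
 * /wp-admin/admin-post.php, so the hook is a timing signal, not an
 * authorization check.
 */

// FLAWED: the hook alone is taken as proof of an administrator session.
function hypo_flawed_upload_handler() {
    if ( ! isset( $_FILES['hypo_theme_zip'] ) ) {
        return;
    }
    // No capability check, no nonce, unsanitized client-supplied file name.
    $target = WP_CONTENT_DIR . '/uploads/' . $_FILES['hypo_theme_zip']['name'];
    move_uploaded_file( $_FILES['hypo_theme_zip']['tmp_name'], $target );
}
// add_action( 'admin_init', 'hypo_flawed_upload_handler' );

// HARDENED: authorize explicitly; infer nothing from which hook fired.
function hypo_safe_upload_handler() {
    if ( ! isset( $_FILES['hypo_theme_zip'] ) ) {
        return;
    }
    // 1. Caller must be logged in and hold the capability the action needs.
    if ( ! is_user_logged_in() || ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Request must carry a valid nonce for this action (CSRF defence).
    check_admin_referer( 'hypo_upload_theme', 'hypo_nonce' );
    // 3. Let WordPress validate the type and choose a safe destination.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['hypo_theme_zip'],
        array(
            'test_form' => false,
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    // $result['file'] is a sanitized path inside the uploads directory.
}
add_action( 'admin_init', 'hypo_safe_upload_handler' );
```

Better still, hook the action-specific `admin_post_{action}` hook instead of `admin_init`: admin-post.php runs it only for authenticated users and routes anonymous requests to `admin_post_nopriv_{action}`, so unauthenticated callers never reach the handler at all.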


 
Can you name a single activity that consumes more IT staff time and presents more potential exposure to enterprise security risks than maintaining desktop and laptop computers across the enterprise? Despite the widespread use of remote desktop management tools, administrators must periodically descend upon offices and cubicles to upgrade or troubleshoot PCs.
 
Conservatively, 53 of the Fortune 100 companies using renewable energy for power have found remarkable savings, a study finds.
 
Netty 'WebSocket08FrameDecoder' Class Denial of Service Vulnerability
 
Openfire XMPP Server XMPP-Layer Compression Denial of Service Vulnerability
 
Ignite Realtime Smack API Multiple Information Disclosure Vulnerabilities
 
Ignite Realtime Smack API 'ParseRoster' Security Bypass Vulnerability
 
As digital technology transforms 21st century life, questions about privacy rights abound. The U.S. Supreme Court ruled on one such question in late June: if you are arrested, can the police search your cell phone without first obtaining a ...
 
My last post noted that the IT industry appears to suffer from cloud computing ennui, as the number of Google searches for the term over the past two years has dropped significantly. I also said that other evidence indicates that many IT users appear to have put cloud computing in the "done and dusted" category despite not really understanding it very well.
 
Amazon Web Service has launched a type of instance to reduce costs for hosted remote desktops and small databases that don't consistently use high levels of CPU power, but every now and then need better performance.
 
Microsoft has added encryption safeguards to the Outlook.com webmail service and to the OneDrive cloud storage service, in part to better protect these consumer products from government snoops.
 
FFmpeg LZO 'LZ4_decompress_generic()' Function Memory Corruption Vulnerability
 

SolarWinds' Chris LaPoint: InfoSec, Systems, Network Roles to Evolve in Gov't IT
ExecutiveGov
Based on the results of SolarWinds' latest public sector IT survey, Chris LaPoint, the company's vice president of product management, believes training on emerging technologies for government IT professionals is crucial in order to adapt to evolving ...

 
Microsoft has backtracked on a plan to stop sending email-based notifications about security bulletins starting this month.
 
There's been a lot of talk about all the great benefits companies reap from mobilizing their workforce, especially those in sales and services who work mostly out in the field.
 
Apple began its annual back-to-school promotion in the U.S., once again reprising a gift card deal for customers who buy eligible hardware.
 
It's not me, AT&T. It's you.
 
Despite Yahoo CEO Marissa Mayer's decision to ban telecommuting last year, working in places other than a traditional office headquarters is becoming more popular. Not only has this been a benefit for workers who want more flexibility in when and where they work, including at home, it has also been a boon for coworking spaces, which support both the self-employed and more traditionally employed.
 
SEC Consult SA-20140701-0 :: Stored cross-site scripting vulnerabilities in EMC Documentum eRoom
 
Kerio Control <= 8.3.1 Boolean-based blind SQL Injection
 

Microsoft obtained a court order allowing it to take over various domains owned by free dynamic DNS provider "No-IP" [1]. According to a statement from Microsoft, this was done to disrupt several botnets [2]. However, No-IP is crying foul, stating that Microsoft never contacted them to have the malicious domains blocked. Further, Microsoft is apparently not able to properly filter and support all queries for these seized domains, causing widespread disruption among legitimate No-IP customers. According to the court order, Microsoft is able to take over DNS for the affected domains, but because the legitimate domains far outnumber the malicious domains, Microsoft is only allowed to block requests for malicious domains.

Microsoft apparently overestimated the abilities of its Azure cloud service to deal with these requests.

In the past, various networks blocked dynamic IP providers, and dynamic IP services have been abused by criminals for about as long as they have existed. However, No-IP had an abuse handling system in place and took down malicious domains in the past. The real question is whether No-IP's abuse handling worked "as advertised" or whether No-IP ignored takedown requests. I have yet to find the details on that in the lawsuit (it is pretty long...) and I am not sure what measure Microsoft used to prove that No-IP was negligent.

For example, a similar justification may be used to filter services like Amazon's (or Microsoft's?) cloud services, which are often used to serve malware [4][5]. It should make users relying on these services think twice about the business continuity implications of legal actions against other customers of the same cloud service. There is also no clearly established SLA for abuse handling, or for what level of criminal activity constitutes abuse.

[1] http://www.noticeoflawsuit.com
[2] http://blogs.technet.com/b/microsoft_blog/archive/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption.aspx
[3] http://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/?utm_source=email&utm_medium=notice&utm_campaign=takedown
[4] http://blog.malwarebytes.org/fraud-scam/2014/04/cyber-criminals-interested-in-microsoft-azure-too/
[5] http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/16/amazon-is-a-hornets-nest-of-malware/

---
Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The company mischaracterizes what net neutrality is all about. (Insider; registration required)
 
The Dell user conference was held in a beach hotel against a calm ocean with no threat of storms. For a company that wants to be known as the strong, silent type, the location may have been perfect.
 
Scientists from at least 11 robotics teams have less than a year to prepare to compete in the DARPA robotics challenge finals.
 
Apple on Monday updated both OS X and iOS, patching 19 security vulnerabilities in the former and 44 in the latter.
 
The Galaxy S5 mini will still have the fingerprint scanner, heart-rate monitor and waterproofing of its bigger brother, but its quad-core processor will run slower and its screen will, of course, be smaller.
 
Hewlett-Packard has reached agreement in three shareholder lawsuits arising from its over $10 billion acquisition of Autonomy.
 
Dozens of China-based suppliers to Samsung Electronics violated various labor regulations last year, including failing to pay overtime wages and provide proper safety equipment for workers, according to recent audits.
 
Early adopters share their lessons learned on ramping up, scaling back and avoiding disasters in the cloud. Insider (registration required)
 
Samsung's new 850 Pro SSD series has up to 1TB of capacity and is designed for workstations and high-end PCs.
 
Twitter said Monday it has agreed to acquire TapCommerce a mobile advertising company focused on re-engaging people who have downloaded advertisers' apps.
 

Posted by InfoSec News on Jul 01

http://www.forbes.com/sites/lorensteffy/2014/06/30/what-if-oil-companies-apply-the-same-tactics-for-cybersecurity-to-safety/

By Loren Steffy
Forbes.com
6/30/2014

The American Petroleum Institute is working with several large U.S. oil
companies to assemble a team of cybersecurity specialists that would help
identify and prevent malicious software attacks against the computers that
control the country’s energy infrastructure. Led by an...
 

Posted by InfoSec News on Jul 01

http://www.nextgov.com/cybersecurity/2014/06/downside-not-exhausting-6-billion-cyber-contract/87577/

By Aliya Sternstein
Nextgov.com
June 30, 2014

Agencies are partially taking advantage of a huge bulk-price
governmentwide deal to help automate network vulnerability-tracking and
fix problems in real-time, according to federal officials.

If departments underutilize the arguably complex acquisition program, the
upshot could be saving money on...
 

Posted by InfoSec News on Jul 01

http://deadspin.com/leaked-10-months-of-the-houston-astros-internal-trade-1597951970

By Barry Petchesky
Deadspin.com
6/30/2014

Two years ago, the Houston Astros constructed "Ground Control"—a
built-from-scratch online database for the private use of the Astros front
office. It is by all accounts a marvel, an easy-to-use interface giving
executives instant access to player statistics, video, and communications
with other front...
 
kdelibs CVE-2014-3494 SSL Certificate Validation Security Bypass Vulnerability
 
kdelibs CVE-2013-2074 Local Password Disclosure Vulnerability
 