Researchers have released technical details and attack code for 30 security issues affecting Oracle's Java Cloud Service. Some of the issues make it possible for attackers to read or modify users' sensitive data or to execute malicious code, the researchers warned.

Poland-based Security Explorations typically withholds such public airings until after any vulnerabilities have been fixed to prevent them from being exploited maliciously. The researchers broke from that tradition this week after Oracle representatives failed to resolve issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text use passwords stored in some systems.

"The company openly admits it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future," Adam Gowdiak, CEO of Security Explorations said. The security research firm is the same one that has discovered a host of extremely severe vulnerabilities in Oracle's Java software framework, some of which have been exploited in the wild to surreptitiously install malware on end user computers.

Read 1 remaining paragraphs | Comments

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

First Info Sec highlights cutting edge next-gen secure mobility solutions at ...
Zawya (registration)
First Information Security (First Info Sec), a company dedicated to offering a comprehensive range of security products and services that are in compliance with the latest international industry standard requirements, is highlighting its latest range ...

ownCloud Multiple Arbitrary PHP Code Execution Vulnerabilities
A six-astronaut crew has begun a four-month "mission" in remote area of Hawaii to investigate how they would interact and survive long-duration space exploration, such as a trip to Mars.
Canonical is shutting down its Ubuntu One cloud-storage service rather than continue to go up against competitors such as Dropbox, Google Drive and EMC Syncplicity.
Cortana, Microsoft's new digital assistant for Windows Phone 8.1, gets her name from a fictional character in the popular Halo video game series.
Instead of relegating desktops to a lower priority while pursuing the mobile device market, Microsoft will integrate its PC dominance into its current core strategy to become a devices and services company, opening keynotes at the company's 2014 Build developer conference suggest.

The past few days have revealed new data that suggests the recent upsurge in malware targeting routers—as Ars has chronicled here, here, and here—is not only continuing, but it's spreading to digital video recorders (DVRs).

Exhibit A came Monday from researchers at security training institute Sans, which unearthed a Bitcoin-mining trojan that has infected DVRs. The researchers found the infection while researching the source of an automated script they observed scanning the Internet for data storage devices made by Synology. The researchers eventually found that the bot ran on a DVR with an ARM processor but didn't know much else. They later determined it was part of a Bitcoin miner that took control of DVRs used to record video from security cameras, most likely by exploiting an exposed telnet port and a default root password of "12345." Samples of the malware are here. The password to access the binaries is "infected."

On Tuesday, Sans researchers uncovered evidence that the binaries can also infect routers, even when they're configured to provide network address translation (NAT), which can help lock down the security of devices on a network.

Read 6 remaining paragraphs | Comments

Microsoft will give away licenses to Windows Phone and Windows to device makers building smartphones or tablets with screens smaller than 9-in. measured diagonally.
A case before the U.S. Supreme Court earlier this week could have a huge impact on business-method and software patents, with some experts concerned that the court could put significant limits on what can be patented.

SnoopWall Unveiling Next Generation Privacy Solution for Android Devices at ...
Virtual-Strategy Magazine (press release)
The InfoSec World Expo brings together the latest advances in technology and the most innovative solutions businesses need to secure their information assets. Specialized workshops and discussion platforms are aimed to provide the professionals and ...

Nokia announced three new Lumia smartphones on Wednesday that will run the just-announced Windows Phone 8.1 OS, including a Lumia 630 with a dual 3G SIM variant that will cost just $169.
CompTIA, a 32-year-old tech industry group best known for its IT certifications, is broadening access to it resources by making them free.
A U.S. National Telecommunications and Information Administration plan to end its formal relationship with the Internet Corporation for Assigned Names and Numbers could open the door to Internet censorship by China, Russia or Iran, some U.S. lawmakers said.
Amazon announced its $99 Fire TV set-top box that plugs into an HDTV's HDMI port and includes voice activated searches.
Microsoft unveiled Windows Phone 8.1 on Wednesday, and confirmed reports that the new OS includes Microsoft's first voice-activated digital assistant, called Cortana.
Microsoft today said that it will ship a Windows 8.1 refresh, a set of new features designed to make the struggling OS easier to use for customers with a mouse and keyboard, on April 8.
Former Apple CEO Steve Jobs declared 2011 the year of "holy war against Google" in an email to Apple executives ahead of an annual management retreat in late 2010.
A push by the high-tech industry to support a stand-alone H-1B increase is drawing the ire of U.S. Dick Durbin (D-Ill.).
Security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle's Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.
A presentation at the Intel Developer's Forum this week showed images of the upcoming USB Type-C plug that is smaller than today's USB 3.0 connectors and is symmetrical in design.
Getting new products to market on time is critical, especially for a business that is seasonal. In order to improve new product development and delivery Trek Bicycle implemented a project management tool that is keeping teams better connected, collaborating and creative.
The Document Foundation is looking for developers who want to help make documents locked in old, outdated and inaccessible file formats readable again.
Gnew CMS CVE-2013-5640 Multiple SQL Injection Vulnerabilities
WordPress XCloner Plugin Cross-Site Request Forgery Vulnerability
WebKit Use-After-Free Remote Code Execution Vulnerability
Microsoft will webcast the opening keynote address from its Build developers conference today starting at 8:30 a.m. PT (11:30 a.m. ET).
Dell's new rugged laptop has a 11.6-in. screen with a twist -- the screen can rotate 180 degrees to turn the device into a tablet.
Linux Kernel 'drivers/net/wireless/ath/ath9k/xmit.c' Denial of Service Vulnerability
libpng CVE-2014-0333 Infinite Loop Denial of Service Vulnerability
RubyGems rack-ssl 'lib/rack/ssl.rb' Cross Site Scripting Vulnerability
WebKit CVE-2013-6625 Use After Free Remote Code Execution Vulnerability

Miss Teen USA Promoting Privacy at InfoSec World 2014
PR Web (press release)
As SnoopWall strongly shares my mission to educate the public about online privacy, I'm happy to support and join them at the InfoSec World conference to call attention to this growing issue.” “SnoopWall is honored to have the support of Miss Teen USA ...

and more »
Squid CVE-2014-0128 Remote Denial of Service Vulnerability
WebKit Multiple Unspecified Memory Corruption Vulnerabilities
WebKit CVE-2013-2926 Use After Free Remote Code Execution Vulnerability
[MATTA-2013-004] CVE-2014-1409; MobileIron authentication bypass vulnerability
Сross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin
SEC Consult SA-20140402-0 :: Multiple vulnerabilities in Rhythm File Manager
iShare Your Moving Library 1.0 iOS - Multiple Vulnerabilities
APPLE-SA-2014-04-01-1 Safari 6.1.3 and Safari 7.0.3
[IMF 2014] Call for Participation
Google has asked the U.S. Supreme Court to review a decision by an appeals court that its collection of data from unencrypted Wi-Fi networks is not exempt under federal wiretap laws.
Apple on Tuesday patched the security vulnerability in Safari that was successfully exploited at last month's Pwn2Own hacking contest, where a team cracked the browser to win $65,000.
HTC is working to bring a sense of luxury to its smartphones -- and with its new HTC One (M8), it's closer than ever to delivering the ultimate high-end device.
Online tracking is on the rise, but efforts to create a practical Do Not Track policy have slowed to a crawl. Meanwhile, users and browser companies are taking matters into their own hands.
Bitcoin wallet service Coinbase has denied it suffered a security breach, but acknowledged that a list of some of its users has been circulating on the Web.
Apple is said to be in talks with Renesas Electronics to buy its majority-owned joint venture that designs chips for smartphone displays.
For wearables to really take off, they will have to cannibalize the smartphone, just as mobile devices have cannibalized the PC.
Cisco Web Security Appliance HTTP Header Injection Vulnerability
Shaarli 'index.php' Multiple Cross Site Scripting Vulnerabilities
Bigtable-inspired open source projects take different routes to the highly scalable, highly flexible, distributed, wide column data store
A new report from the Intergovernmental Panel on Climate Change summarizes the growing consequences of global warming -- rising sea levels and threats to health, food supplies, water resources and species.
Apple marketing chief Phil Schiller took a California courtroom on a trip back to 2007 on Tuesday afternoon, recalling how Apple 'bet the company' on development of the iPhone

-Kevin -- ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status