Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Mozilla Firefox/Thunderbird CVE-2014-1575 Multiple Memory Corruption Vulnerabilities
 

Newcastle (UK) University researchers claim to have found an exploit for the contactless payment feature of Visa cards. One of the fraud prevention features of these cards is that only small amounts can be charged in touch mode, without requiring a PIN. But the researchers say that simply changing the currency seems to evade these precautions completely, and they built a fake POS terminal into a smart phone that apparently can swipe money from unsuspecting victims just by getting close enough to their wallet.

According to the press release, VISAs response was that they believe that the results of this research could not be replicated outside a lab environment. Unfortunately, there aint too many cases in security engineering history where such a claim held for more than a day or three. If this attack turns out to be true and usable in real life, Visas design will go down into the annals of engineering screwups on par with NASAs Mars Climate Orbiter, where the trajectory was computed in inches and feet, while the thruster logic expected metric information.

Needless to say that the latter episode didnt end all that well.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

A couple of weeks ago, I already covered the situation where a cloud IP address gets re-assigned, and the new owner still sees some of your traffic. Recently, one of our clients had the opposite problem: They had changed their Internet provider, and had held on to the old address range for a decent decay time. They even confirmed with a week-long packet capture that there was no afterglow on the link, and then dismantled the setup.

Until last week, when they got an annoyed rant into their [email protected] mailbox, accusing them of hosting an active spam operation. The guy on duty in the NOC didnt notice the IP address at first (it was still familiar to him), and he triggered their incident response team, who then rather quickly confirmed: Duh, this aint us!

A full 18 months after the old ISP contract expired, it turns out that their entire contact information was still listed in the WHOIS record for that old netblock. After this experience, we ran a quick check on ~20 IP ranges that we knew whose owner had changed in the past two years, and it looks like this problem is kinda common: Four of them were indeed still showing old owner and contact information in whois records.

So, if you change IPs, dont just keep the afterglow in mind, also remember to chase your former ISP until all traces of your contact information are removed from the public records associated with that network.

If you have @!#%%%! stories to share about stale whois information, feel free to use the comments below, or our contacts form.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

ComputerWeekly.com

Infosec heading to tipping point, says NTT Com Security
ComputerWeekly.com
Information security is heading to a tipping point that will force a shift in focus to understand threats and their potential impact on business, says NTT Com Security. “Security has got to evolve from putting constraints on people to enabling them to ...

 

A two-stage attack could allow spies to sneak secrets out of the most sensitive buildings, even when the targeted computer system is not connected to any network, researchers from Ben-Gurion University of the Negev in Israel stated in an academic paper describing the refinement of an existing attack.

The technique, called AirHopper, assumes that an attacker has already compromised the targeted system and desires to occasionally sneak out sensitive or classified data. Known as exfiltration, such occasional communication is difficult to maintain, because government technologists frequently separate the most sensitive systems from the public Internet for security. Known as an air gap, such a defensive measure makes it much more difficult for attackers to compromise systems or communicate with infected systems.

Yet, by using a program to create a radio signal using a computer’s video card—a technique known for more than a decade—and a smartphone capable of receiving FM signals, an attacker could collect data from air-gapped devices, a group of four researchers wrote in a paper presented last week at the IEEE 9th International Conference on Malicious and Unwanted Software (MALCON).

Read 5 remaining paragraphs | Comments

 

LockPath Receives 2014 GRC Value Award for Third Party Management
Marketwired (press release)
OVERLAND PARK, KS--(Marketwired - November 03, 2014) - LockPath, a leader in innovative governance, risk, compliance (GRC) and information security (InfoSec) solutions, has been honored with a 2014 GRC Value Award in the Third Party Management ...

 

Representing a potential privacy snare for some users, Mac OS X Yosemite uploads documents opened in TextEdit, Preview, and Keynote to iCloud servers by default, even if the files are later closed without ever having been saved.

The behavior, as noted in an article from Slate, is documented in a Knowledge Base article from December. But it nonetheless came as a surprise to researcher Jeffrey Paul, who said he was alarmed to recently discover a cache of in-progress files he intended to serve as "temporary Post-It notes" that had been silently uploaded to his iCloud account even though he never intended or wished them to be.

"Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers," Paul wrote in a recent blog post.

Read 4 remaining paragraphs | Comments

 

How I Became A CISO: Quinn Shamblin, Boston University
Dark Reading
"Infosec is the first career I really latched onto that uses all those old things that were drivers for me as a kid," says Shamblin, now the executive director and information security officer at Boston University (which does not use C- titles like ...

 
Twitter's mobile ad service is giving advertisers access to a unique tracking number that carriers hide in cell phone network traffic—and users can't turn off.
Shawn Campbell/CC BY 2.0

This article originally appeared on ProPublica on October 31, 2014.

Wired and Forbes reported earlier this week that the two largest cell phone carriers in the United States, Verizon and AT&T, are adding the tracking number to their subscribers' Internet activity, even when users opt out. The data can be used by any site—even those with no relationship to the telecoms—to build a dossier about a person's behavior on mobile devices, including which apps they use, what sites they visit, and how long. MoPub, acquired by Twitter in 2013, bills itself as the "world's largest mobile ad exchange." It uses Verizon's tag to track and target cellphone users for ads, according to instructions for software developers posted on its website.

Twitter declined to comment. AT&T said that its actions are part of a test. Verizon says it doesn't sell information about the demographics of people who have opted out.

Read 21 remaining paragraphs | Comments

 
Shim CVE-2014-3675 Remote Denial of Service Vulnerability
 
Shim CVE-2014-3677 Memory Corruption Vulnerability
 
Shim CVE-2014-3676 Heap Based Buffer Overflow Vulnerability
 

If you think the two-factor authentication offered by Google and other cloud services will keep your account out of the hands of an attacker, think again. One developer found out this weekend the hard way; Google’s account protection scheme can be bypassed by going after something most people would consider an even harder target—the user’s cell phone account.

As Wired’s Mat Honan found out two years ago, customer service representatives are the weakest link in cloud security. And mobile phone carrier customer service representatives are just as susceptible to social engineering attacks, apparently. That’s what Grant Blakeman, an independent software developer and designer, learned when he woke up to find his Google account’s password had been changed and his Instagram account—desirable because of its two-letter name (@gb)—had been hijacked despite the use of two-factor authentication on his Google account.

Blakeman contacted his cell provider after an online conversation with Honan about what happened. He found that someone enabled call-forwarding on his cell account without his knowledge. That call-forwarding setup allowed the attacker to get an authentication code from Google to take over his Gmail address, which was in turn tied to his Instagram account.

Read 3 remaining paragraphs | Comments

 
OpenStack Glance Image Registry and Delivery Service Denial of Service Vulnerability
 
LinuxSecurity.com: Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated openstack-neutron packages that fix one security issue, several bugs, and add multiple enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated python-keystoneclient packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Updated openstack-neutron packages that fix one security issue, several bugs, and add multiple enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Updated openstack-nova packages that fix two security issues, multiple bugs, and add enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated openstack-nova packages that fix two security issues, multiple bugs, and add enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Updated python-keystoneclient packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
binutils 'srec.c' Stack Based Buffer Overflow Vulnerability
 
[SECURITY] [DSA 3062-1] wget security update
 
Quassel 'cipher.cpp' Out-of-Bounds Read Vulnerability
 
[SECURITY] [DSA 3063-1] quassel security update
 
"Aircrack-ng 1.2 Beta 3" multiple vulnerabilities
 
PARSADEV CMS Cross-Site Scripting Vulnerability
 
[SECURITY] [DSA 3061-1] icedove security update
 
MantisBT Incomplete Fix Multiple SQL Injection Vulnerabilities
 
Mozilla Firefox CVE-2014-1583 Same Origin Policy Security Bypass Vulnerability
 
Internet Storm Center Infocon Status