Hackin9

Richard Porter --- ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Security researchers have blown the whistle on a computer-espionage campaign that over the past eight years has successfully compromised more than 350 high-profile targets in 40 countries.

"NetTraveler," named after a string included in an early version of the malware, has targeted a number of industries and organizations, according to a blog post published Tuesday by researchers from antivirus provider Kaspersky Lab. Targets include oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies, military contractors and Tibetan/Uyghur activists. Most recently, the group behind NetTraveler has focused most of its efforts on obtaining data concerning space exploration, nanotechnology, energy production, nuclear power, lasers, medicine, and communications.

"Based on collected intelligence, we estimate the group size to about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language," the researchers wrote. "NetTraveler is designed to steal sensitive data as well as log keystrokes, and retrieve file system listings and various Office or PDF documents."


 

Apple released the next update for OS X, 10.8.4. Eventually, we should learn more about the security content of the update, but at this point, the security page has not been updated yet [1]. 

However, Apple did distribute a list of patched vulnerabilities via e-mail (thanks Dave for sharing). The update fixes a total of 33 vulnerabilities. Here are some of the highlights:

OS 10.8.4 Update Overview

| CVE # | Component | Affected Versions | Impact |
|---|---|---|---|
| 2013-0982 | CFNetwork | 10.8 - 10.8.3 | data leakage (authentication cookies) |
| 2013-0983 | CoreAnimation | 10.8 - 10.8.3 | code execution |
| 2013-1024 | CoreMedia | 10.7 - 10.7.5 (Server), 10.8 - 10.8.3 | code execution |
| 2013-5519 | CUPS | 10.8 - 10.8.3 | privilege escalation |
| 2013-0984 | Directory Service | 10.6.8 | remote code execution as system |
| 2013-0985 | Disk Management | 10.8 - 10.8.3 | data leakage (disable FileVault) |
| 2012-4829 | OpenSSL | 10.6.8, 10.7 - 10.7.5, 10.8 - 10.8.3 | data leakage ("CRIME" attack) |
| multiple | OpenSSL | 10.6.8, 10.7 - 10.7.5, 10.8 - 10.8.3 | DoS, data leakage |
| 2013-0987 | QuickTime QTIF files | 10.6.8, 10.7 - 10.7.5, 10.8 - 10.8.3 | code execution |
| 2013-0988 | QuickTime FPX files | 10.6.8, 10.7 - 10.7.5, 10.8 - 10.8.3 | code execution |
| 2013-0989 | QuickTime MP3 files | 10.8 - 10.8.3 | code execution |
| multiple | Ruby on Rails | 10.6.8 | code execution (EXPLOITED) |
| 2013-0990 | SMB | 10.7 - 10.7.5, 10.8 - 10.8.3 | authenticated user may write files outside of the shared directory |

Other changes:

Gatekeeper will check downloaded JNLP applications and may require a valid developer ID certificate.

In addition, this update includes Safari 6.0.5 with various improvements / security fixes not listed here. 

Safari 6.0.5 patches a total of 23 arbitrary code execution vulnerabilities, two cross-site scripting issues and one problem with the XSS Auditor that may cause form submissions to be altered.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Novopay Report: Costs Blew Out As Talent2 'Overwhelmed'
Scoop.co.nz (press release)
IT firm Talent2 and the Ministry of Education were “unprepared and overwhelmed” by escalating problems with the Novopay payroll system for teachers. The Ministerial Inquiry into the Novopay Project paints a picture of departmental failures across the ...

 
 
Apple infringed a Samsung Electronics patent, the U.S. International Trade Commission said in a final judgment released Tuesday that bans import into the U.S. of certain AT&T iPhone and iPad models.
 
An ongoing cyberespionage campaign compromised over 350 high-profile victims from more than 40 countries over the past eight years, including political activists, research centers, governmental institutions, embassies, military contractors and private companies from various industries.
 
libimobiledevice 'userpref.c' Insecure Temporary File Creation Vulnerability
 
libsrtp 'srtp_protect()' Function Buffer Overflow Vulnerability
 
Long considered old-school tools with no place in shiny corporate social collaboration suites, to-do software is making a comeback with a new air of cool about it and renewed appreciation from enterprise IT.
 
Dell has introduced a converged computing, storage and networking system for small and remote offices, the PowerEdge VRTX, saying it will let customers deploy a system with virtualization in hours.
 
Former CIO Charles Beard describes how his IT team modernized the $11 billion company's infrastructure and made the business more agile
 
Distributed denial-of-service (DDoS) attacks that could be related have in the past few days slammed the DNS servers of at least three providers of domain name management and DNS hosting services.
 
LinuxSecurity.com: The Python client library for Keystone did not properly verify expired PKI tokens.
 
LinuxSecurity.com: Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble, the Jabber/XMPP connection manager for the Telepathy framework, does not respect the tls-required flag on legacy Jabber servers. A network intermediary could use this vulnerability to bypass [More...]
 
LinuxSecurity.com: Updated qemu-kvm packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated mesa packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated mesa packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LibRaw CVE-2013-2126 Multiple Memory Corruption Vulnerabilities
 
Dell and Oracle will integrate hardware and software for customers through a strategic partnership, the companies announced on Tuesday.
 
Google today patched 12 vulnerabilities in Chrome, including one of the few labeled critical that it has fixed in the five-year history of its browser.
 
Trees probably aren't the first thing you think of when someone mentions New York City, but the city has a lot of them. Pruning and maintaining them is a public safety issue, and determining how to prioritize that maintenance is no easy feat. With the help of a nonprofit organization called DataKind, the city's Parks department is leveraging big data analytics for the job.
 
Early Monday, a developer announced the release of the first porn app for Google Glass only to learn that Google had banned porn apps for its computerized eyeglasses.
 
Development platform vendor Verivo Software wants to provide the back end for mobile enterprise apps to make it easier for corporate programmers to add features such as off-line access and authentication.
 
Vinton Cerf, one of the computer scientists who turned on the Internet in 1983, is concerned that much of the data created since then, and for years still to come, will be lost to time.
 
ARM Holdings has done well under CEO Warren East and there was no obvious reason for him to step aside. But by July 1, the new CEO, fellow ARM veteran Simon Segars, will be the new chief executive.
 
[SECURITY] [DSA 2702-1] telepathy-gabble security update
 
Novell ZENworks Configuration Management CVE-2013-1095 Cross-Site Scripting Vulnerability
 
CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS Vulnerability With Possible Arbitrary Code Execution
 
CVE-2013-3724 Monkey HTTPD 1.1.1 - Denial of Service Vulnerability
 
Microsoft will ship Internet Explorer 11 with Windows 8.1 later this year, but isn't saying whether the browser would also be available to Windows 7 users
 
How your website is laid out, what colors, fonts and images you use (or don't use) can mean the difference between success (low bounce and exit rates, high conversion) and failure (high abandonment, low sales).
 
Salesforce.com's pending US$2.5 billion purchase of marketing software vendor ExactTarget will help it develop a new $1 billion annual revenue stream and set the company on a clear strategic course for the foreseeable future, according to Salesforce.com CEO Marc Benioff.
 
Smartphone owners who also have a tablet spend three times as much on apps as those who only own smartphones, according to a survey by research and consulting firm Analysys Mason.
 
The next release of the Microsoft Team Foundation Server (TFS), an application for managing software development, has been designed to bring agile development practices to larger, multi-team projects.
 
Continuing coverage of Apple's WWDC 2013
 
More smartphones will ship worldwide in 2013 than other so-called mobile 'feature' phones as the average price of smartphones drops, IDC said Tuesday.
 
Cloud budgets are rising as IT confronts security and ROI challenges, according to the 2013 Cloud Computing Survey from IDG Enterprise (free download). (Insider: Registration required)
 
BYOD is only the beginning of a shift away from traditional corporate bureaucracy, as companies begin to realize they have a deep creative asset -- their employee base -- just waiting to be tapped.
 
From a YouTube video showing KoreLogic's GPU-powered password cracker being dropped into a tank of mineral oil.

Going where few password crackers have gone before, a team of security consultants has deployed a cracking-optimized computer that's completely submerged in mineral oil. Members say the setup offers significant cost savings compared with the same machine that uses air to stay cool.

The rig contains two AMD Radeon 6990 graphics cards, long considered a workhorse for password crackers. While the parallel processing in just one of these $800 cards can make as many as 9 billion password guesses each second (see PC3 in the graph at the bottom of this page), the performance comes at a price. GPUs run extremely hot, particularly when combined with other graphics cards, which drives up the cost of keeping them cool enough to run without burning out. The dedicated fans normally used to keep them cool also generate plenty of noise.

Employees of security consultancy KoreLogic recently deployed the password cracker at Midas Green Tech, an Austin, Texas-based data center that specializes in so-called immersion-cooled server hosting. Compared with the air-cooled systems KoreLogic otherwise uses to test the strength of clients' password policies, hosting it costs less than $60 per month, versus about $100 for an air-cooled system, said Rick Redman, one of the KoreLogic penetration testers who deployed the new machine.


 
A vulnerability in all versions of Windows can be exploited by ordinary users to obtain system privileges. The vulnerability was discovered by Google's Tavis Ormandy, who posted his discovery online without first informing Microsoft.

Criminals are manipulating video and music files so that Windows Media Player, in an attempt to clarify their licensing, is tricked into visiting infected web sites. VirusTotal is now able to detect this.

 
TYPO3 CVE-2013-1843 Open Redirection Vulnerability
 

Army Intelligence Report on WikiLeaks 'Threat' Being Used to Argue Bradley ...
Firedoglake
Wikileaks.org, a publicly accessible Internet Web site, represents a potential force protection, counterintelligence, operational security (OPSEC), and information security (INFOSEC) threat to the US Army. The intentional or unintentional leaking and ...
 
Google wants more developers to use its App Engine cloud service, and has launched Mobile Backend Starter to make it easier.
 
Samsung TVs will be able to play movies streamed directly from PCs running Intel's latest processors by the end of this year.
 
Informatica has given its virtual data machine technology a proper name and is planning to create versions of it that can run on anything from high-end servers in private data centers to small devices and sensors.
 
Agile promises many things, but the reality in the field is often very far from the expectations. Is it agile we need--or an agile way of thinking?
 
A low-power Thunderbolt interconnect for smartphones and tablets is in the works, but the wired technology may not thrive if consumers prefer products using the wireless WiGig specification for data transfers.
 
The Chinese State Intellectual Property Office (SIPO) on Tuesday signed an agreement to start using the same patent classification system as adopted by the E.U. and U.S. patent authorities in January, the European Patent Office (EPO) announced.
 
Compuware has updated its application performance management (APM) software to give administrators more insight into what might be slowing application performance, thanks to the inclusion of new metrics showing the operational health of the host infrastructure.
 
Gartner today drastically lowered its forecast for the monetary payments that near field communication technology will provide in coming years, noting the struggles of Google Wallet and Isis mobile wallet services.
 
The U.S. Congress should allow new challenges to patents on processes that are enabled by computers, and lawmakers should make it more difficult for patent-holding firms to gain import injunctions at the U.S. International Trade Commission, the White House has recommended.
 
IBM has signed an agreement to acquire SoftLayer Technologies, as it looks to accelerate the build-out of its public cloud infrastructure. The company is also forming a services division to back up the push.
 
MongoDB CVE-2013-2132 NULL Pointer Dereference Remote Denial of Service Vulnerability
 
Intel wants to match PC battery life with that of tablets through its new dual-core fourth-generation Core processors code-named Haswell.
 
The Green Grid, the 21st Century Achievement Award winner for sustainability, continues to develop and promote the tools that organizations need to design and maintain more efficient data centers.
 
Lenovo is in preliminary negotiations to start a joint venture with an unspecified party, the company said on Tuesday, setting off speculation that the company could be looking to bolster its expanding smartphone business.
 
Nvidia's CEO showed an updated version of the company's Shield portable gaming device at the Computex trade show Tuesday, and said it will start shipping the device later this month to customers who pre-ordered it.
 
Intel on Tuesday showed the first smartphone based on its next Atom smartphone chip code-named Merrifield, which will provide better performance and battery life than current Atom chips.
 
Nvidia is usually trumpeting the graphics performance of its Tegra 4 chip, but at the Computex trade show on Tuesday CEO Jen-Hsun Huang showed how its newest processor can be used to create a precise, affordable stylus for tablets.
 
Dell has announced new PCs with Intel's fourth-generation Core processors code-named Haswell, including a thinner and lighter XPS 12 laptop-tablet hybrid, which will offer up to 9.5 hours of battery life.
 
Feedly, the free RSS service that has been the safe harbor for millions of Internet refugees fleeing the soon-to-be-defunct Google Reader, announced Monday that several popular RSS apps will access its API free of charge.
 
The trusty old laptop is being kicked to the curb, with PC makers trying to spice up their offerings by pushing a variety of hybrids, tablets and smaller-screen devices at the Computex trade show in Taipei this week.
 
Among several BYOD strategies Starz has tried over the past five years, dual persona smartphones -- offering employees a business and personal interface -- took off like a lead balloon.
 
OpenSSL CVE-2013-0166 Remote Denial of Service Vulnerability
 
Intel is jumping into cloud gaming with the new Xeon E3-1200v3 chips, which are the company's first server processors based on the Haswell microarchitecture.
 
U.S. President Barack Obama is expected to announce Tuesday measures directed against patent-holding companies, often referred to as patent trolls, according to a newspaper report.
 
Dell has announced new PCs with Intel's latest fourth-generation Core processors code-named Haswell, including a thinner and lighter XPS 12 laptop-tablet hybrid, which will offer up to 9.5 hours of battery life.
 

Posted by InfoSec News on Jun 04

http://www.army.mil/article/103799/Army_releases_new_leaders__handbook_on_cybersecurity/

By Army CIO/G-6
June 3, 2013

WASHINGTON (June 3, 2013) -- The Army published a new handbook this
month to provide leaders of all levels with the information and tools
needed to address today's cybersecurity challenges, and to ensure
organizations adopt the necessary practices to protect their information
and the Army network.

"We must change...
 

Posted by InfoSec News on Jun 04

http://gcn.com/articles/2013/06/03/dhs-data-breach-employee-info.aspx

By William Jackson
GCN.com
Jun 03, 2013

The Homeland Security Department has notified some employees that
personally identifiable information used for security clearances and
stored in a third-party database could have been exposed to unauthorized
users.

The notifications came after DHS was alerted to a vulnerability in the
vendor software by a “law enforcement...
 

Posted by InfoSec News on Jun 04

http://news.cnet.com/8301-13579_3-57587482-37/iphones-can-apparently-be-hacked-with-malicious-charger/

By Dara Kerr
CNET News
June 3, 2013

Most people have heard of malicious software as a way to hack into an
iPhone, but what about a malicious charger?

Three researchers with the Georgia Institute of Technology, say they
have come up with a proof-of-concept malicious iPhone charger that lets
them hack into the mobile device running the...
 

Posted by InfoSec News on Jun 04

http://www.informationweek.com/security/application-security/oracle-promises-enterprise-java-security/240155912

By Mathew J. Schwartz
InformationWeek.com
June 03, 2013

Java security memo to enterprise IT managers: Better distributed client
control capabilities, locked down Java servers and certificate-based
controls are coming.

Those three upcoming Java security changes were outlined in "Maintaining
the security-worthiness of Java is...
 

Posted by InfoSec News on Jun 04

http://www.mcclatchydc.com/2013/06/03/192895/us-publishes-details-of-missile.html

By Sheera Frenkel
McClatchy Foreign Staff
June 3, 2013

TEL AVIV, Israel -- Israel’s military fumed Monday over the discovery
that the U.S. government had revealed details of a top-secret Israeli
military installation in published bid requests.

The Obama administration had promised to build Israel a state-of-the-art
facility to house a new ballistic-missile...
 
Mesa Out of Bounds CVE-2013-1872 Memory Corruption Vulnerability