Maintainers of the PostgreSQL open-source database have patched a vulnerability that allowed attackers to corrupt files and in some cases, execute malicious code on underlying servers.

The bug, categorized as CVE-2013-1899, opened users to "persistent denial-of-service" attacks, in which unauthenticated hackers could corrupt files in a way that caused the database server to crash and refuse to reboot. Affected servers could only be restarted by removing garbage text from the files or by restoring them from a backup. Versions 9.0, 9.1, and 9.2 are all vulnerable.

The bug also allowed limited users of a PostgreSQL database to escalate their privileges when it was configured in a way that assigned the same name to the user and the database. When those conditions are met "then this vulnerability may be used to temporarily set one configuration variable with the privileges of the superuser," PostgreSQL maintainers wrote. Such users who also had the ability to save files to the system could also execute malicious code, except in cases where the database is running on the SELinux operating system.

Read 1 remaining paragraphs | Comments

Facebook has posted a Q&A on its website about the privacy implications of its new Facebook Home software for Android phones, though it was unclear if it has addressed all the concerns raised.
LinuxSecurity.com: Multiple vulnerabilities has been found and corrected in wireshark: Infinite and large loops in ANSI MAP, BACapp, Bluetooth HCI, IEEE 802.3, LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti (http://www.wireshark.org/security/wnpa-sec-2012-08.html [More...]
LinuxSecurity.com: Multiple vulnerabilities has been found and corrected in sudo: A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the [More...]
LinuxSecurity.com: A vulnerability has been found and corrected in proftpd: ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands [More...]
LinuxSecurity.com: Multiple vulnerabilities has been found and corrected in openssl: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service (NULL [More...]
LinuxSecurity.com: A vulnerability has been found and corrected in openssh: The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial [More...]
LinuxSecurity.com: Google reported to Mozilla that TURKTRUST, a certificate authority in Mozillas root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not [More...]
LinuxSecurity.com: A vulnerability has been discovered and corrected in net-snmp: An array index error, leading to out-of heap-based buffer read flaw was found in the way net-snmp agent performed entries lookup in the extension table. When certain MIB subtree was handled by the extend [More...]
LinuxSecurity.com: Multiple vulnerabilities has been discovered and corrected in ncpfs: ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, [More...]
LinuxSecurity.com: A vulnerability has been discovered and corrected in libxslt: The XSL implementation in libxslt allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors (CVE-2012-2825). [More...]
LinuxSecurity.com: Updated libtiff packages fix security vulnerabilities: libtiff did not properly convert between signed and unsigned integer values, leading to a buffer overflow. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would [More...]
LinuxSecurity.com: Updated libssh packages fix security vulnerabilities: Multiple double free flaws, buffer overflow flaws, invalid free flaws, and improper overflow checks in libssh before 0.5.3 could enable a denial of service attack against libssh clients, or possibly [More...]
LinuxSecurity.com: A vulnerability has been discovered and corrected in libjpeg: A Heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create [More...]
NVIDIA Unix GPU Driver CVE-2013-0131 Local Privilege Escalation Vulnerability
Microsoft took off the gloves and took a big swing at Facebook today, calling the social network's new Home launcher an old idea.
The more information that leaks about Windows 8's expected summer upgrade, dubbed "Blue" by Microsoft, the more questions that pop up, analysts said today.
A handful of Samsung smartphones infringe an Apple patent on text selection, according to the initial determination of a U.S. International Trade Commission judge.
The Department of Homeland Security has a warning for organizations that post a lot of business and personal information on public web pages and social media sites: Don't do it.
NASA's Hubble Space Telescope has found the oldest, most distant supernova ever discovered, which experts say could help scientists better understand the evolution of the universe.
The government's H-1B visa caps have already been reached, meaning a lottery will be needed to distribute visas, federal officials said late today.
Though the tech IPO market has gone from a boil to a simmer, some companies in areas such as big data and cloud-related technology are plunging in.

Bitcoin wallet service Coinbase has publicly, and presumably accidentally, exposed information about its users' names, e-mail addresses, and details of their transactions on the Coinbase website. The exposed e-mail addresses have become the target of phishing attacks. Update: Coinbase says only certain Coinbase merchants had their email addresses exposed. See below for details.

Coinbase, a Y Combinator-backed startup, is a popular service for holding users' bitcoins. At the time of this writing, the leaked information was still showing up in Google searches of the Coinbase site:

The URLs of the pages label them "checkouts," and they appear to be transaction receipts. One was a 0.05 BTC ($6.85) transaction labeled as a donation. Another was a $980 transaction for "8 managed VPS hosts" from a company called cachedd. A third was a 229.99 BTC ($31,508) transaction for "AVALANCHE SPA POWDER."

Read 6 remaining paragraphs | Comments


As the value of bitcoins skyrockets, security researchers have discovered yet another piece of malware that harnesses the processing power of compromised PCs to mint the digital currency.

BTCs, as individual bitcoin units are known, have recently traded as high as $130, about four times their value from February. In Bitcoin vernacular, BTCs are "mined" by computers that solve cryptographic proof-of-work problems. For each correct block of data submitted, contributors are collectively rewarded with 50 25 bitcoins. Legitimate participants, who typically receive a percentage of the reward based on the number of blocks processed, often use powerful systems with multiple graphics processors to streamline the process.

But scammers spreading malware on Skype are taking a decidedly more nefarious approach. Their malicious code hijacks a computer's resources to mine BTC, according to a blog post published Thursday by a researcher from Kaspersky Lab. While the bitcoin-miner.exe malware harnesses only the CPU resources, which are much slower than GPUs in BTC mining, the attackers have the benefit of infecting many computers and then chaining them together to mint the digital currency. Unlike legitimate miners, the criminals don't have to pay the purchase price of the hardware or pay for the electricity to run them.

Read 4 remaining paragraphs | Comments

Cogent Real-Time Systems DataHub CVE-2013-0680 Remote Stack Buffer Overflow Vulnerability
Just as industry watchers have predicted, the race to the bottom for cloud computing prices continues.
An image of what could be the next-generation of the BlackBerry Curve running on BlackBerry 10 has appeared on the BlackBerryOS forums.
The Scribd document-sharing service has said that "Less than 1 per cent" of Scribd users must potentially worry about the safety of their email addresses and passwords – one per cent of at least 100 million registered users

[ MDVSA-2013:027-1 ] clamav
[ MDVSA-2013:019 ] bash
Microsoft plans to issue nine bulletins for its April 2013 Patch Tuesday release, including two "critical" fixes for Internet Explorer and Windows iterations.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Apache Subversion 'svn_fs_file_length()' Remote Denial of Service Vulnerability

The Academy - Miami Campus announces great success with its new InfoSec ...
PR Newswire (press release)
MIAMI, April 5, 2013 /PRNewswire-iReach/ -- The Academy – Miami Campus (itacademymiami.com) announced today the success of its new cyber security certificate program called InfoSec Warrior® program. The recent graduating class passed all ...

and more »

#FFSec, April 5: Five infosec pros who stand out
CSO (blog)
@marcusjcarey: Marcus Carey, hacker and self-described "former U.S. Navy spook," is a favorite of mine because he's not afraid to dive into the middle of the myriad infosec debates on Twitter and give you a piece of his mind. He did it to me this week ...

Security researchers from Kaspersky Lab have identified a spam message campaign on Skype that spreads a piece of malware with Bitcoin mining capabilities.
Facebook's big announcement was a big "so what?" and minimal innovation at its finest
Mozilla plans to introduce a common API to make online paymentsA easy and secureA on Firefox OS devices.
Facebook unveiled a Facebook-focused home screen dubbed Facebook Home for Android phones. The launcher is designed to work with the apps you already have on your phone, along with Facebook's new line of apps. Do you want Facebook Home as your smartphone's home screen?

'Hidden' Law Could Hamper Gov't Infosec
BankInfoSecurity.com (blog)
A mysterious lawmaker shielded by congressional rules covertly added language into a new law that could make the purchase of IT security wares very difficult for the departments of Commerce and Justice, NASA and the National Science Foundation.

The PostgreSQL developers released updates for all major branches of the popular open-source database system on Thursday in order to address several vulnerabilities, including a high-risk one that could allow attackers to crash the server, modify configuration variables as superuser or execute arbitrary code if certain conditions are met.
A Japanese research institute says it can tell what people are dreaming about by analyzing their brain waves.
Cloud computing company Rackspace has sued two companies it describes as 'patent trolls' for breach of contract, and asked a federal court for a declaratory judgment that it did not infringe three patents owned by one of the companies, Parallel Iron.
With its patch day spring clean, Microsoft plans to fix security holes in Windows, Internet Explorer, Office, its server software, and Windows Defender

PostgreSQL CVE-2013-1901 Security Bypass Vulnerability
PostgreSQL CVE-2013-1899 Denial of Service Vulnerability
PostgreSQL 'contrib/pgcrypto' Functions Information Disclosure Weakness
Microsoft today reminded customers running Office for Mac 2008 that support for the suite ends next Tuesday.
Less than a year after calling mobile one of its biggest risks, Facebook has made another big move to attack the mobile market with Facebook Home for Android devices.
The success of the Bitcoin currency is being overshadowed by hacking. Mt. Gox is struggling with DDoS attacks, and Instawallet is down for the count


Posted by InfoSec News on Apr 05

Forwarded from: Paul Kelly <p.kelly (at) worldcis.org>

Apologies for cross-postings.

Please send it to interested colleagues and students. Thanks!


World Congress on Internet Security (WorldCIS-2013)
Technically Co-Sponsored by IEEE Tokyo Section
August 5-7, 2013
Venue: Tokyo University of Information Sciences, Japan

Posted by InfoSec News on Apr 05


By Patrick Ouellette
Health IT Security
April 4, 2013

The University of Florida (UF) medical clinic announced yesterday that a
former medical clinic employee, Arthur Thomas, had breached the data of
nearly 15,000 patients as part of an identity theft ring.

Thomas was arrested Tuesday, according to The Gainesville Sun, and stole
patient data...

Posted by InfoSec News on Apr 05


By Ellen Messmer
Network World
April 03, 2013

A report from the Inspector General of the U.S Department of Defense that's
critical of the way the Army has handled mobile-device security has been
inexplicably yanked from the IG DoD public website but can still be found in
the Google caching system.

The IG DoD report No. DODIG-2013-060, entitled...

Posted by InfoSec News on Apr 05


By Bruce Brody
Bank Info Security
April 4, 2013

A recent article concerning how to reform the Federal Information
Security Management Act without enacting new legislation caught my

In my take on that article [see 6 Ways to Reform FISMA without New Law],
two former Office of Management and Budget officials contend that agency
inspectors general...

Posted by InfoSec News on Apr 05


By Dan Goodin
Ars Technica
Apr 4 2013

Plans to populate the Internet with dozens of new top-level domains in
the next year could give criminals an easy way to bypass encryption
protections safeguarding corporate e-mail servers and company intranets,
officials from PayPal and a group of certificate authorities are


Posted by InfoSec News on Apr 05


By Zain Shauk
April 4, 2013

Exxon Mobil Corp. is targeting employee habits in its effort to improve
computer security, which has become “extraordinarily important” to
preventing disasters and safety risks, CEO Rex Tillerson said.

In an exclusive interview with FuelFix, Tillerson said the company is
educating its employees on safe computer behavior, just as...

Posted by InfoSec News on Apr 05


The Times of Israel
April 5, 2013

Under the threat of what hackers swore would be “the largest Internet battle
in the history of mankind,” Israel has been preparing for the past week for
what many expect to be a massive attempt to swamp Israel’s Internet — bringing
websites to a crawl, or even bringing them down.

he attack is set for...
ownCloud 'addressbookprovider.php' Script SQL Injection Vulnerability
Internet Storm Center Infocon Status