Information Security News
Maintainers of the PostgreSQL open-source database have patched a vulnerability that allowed attackers to corrupt files and in some cases, execute malicious code on underlying servers.
The bug, categorized as CVE-2013-1899, opened users to "persistent denial-of-service" attacks, in which unauthenticated hackers could corrupt files in a way that caused the database server to crash and refuse to reboot. Affected servers could only be restarted by removing garbage text from the files or by restoring them from a backup. Versions 9.0, 9.1, and 9.2 are all vulnerable.
The bug also allowed limited users of a PostgreSQL database to escalate their privileges when the database was configured so that a user and a database shared the same name. When those conditions are met "then this vulnerability may be used to temporarily set one configuration variable with the privileges of the superuser," PostgreSQL maintainers wrote. Such users who also had the ability to save files to the system could also execute malicious code, except in cases where the database is running under SELinux.
by Timothy B. Lee
Bitcoin wallet service Coinbase has publicly, and presumably accidentally, exposed information about its users' names, e-mail addresses, and details of their transactions on the Coinbase website. The exposed e-mail addresses have become the target of phishing attacks. Update: Coinbase says only certain Coinbase merchants had their email addresses exposed. See below for details.
Coinbase, a Y Combinator-backed startup, is a popular service for holding users' bitcoins. At the time of this writing, the leaked information was still showing up in Google searches of the Coinbase site:
The URLs of the pages label them "checkouts," and they appear to be transaction receipts. One was a 0.05 BTC ($6.85) transaction labeled as a donation. Another was a $980 transaction for "8 managed VPS hosts" from a company called cachedd. A third was a 229.99 BTC ($31,508) transaction for "AVALANCHE SPA POWDER."
by Dan Goodin
As the value of bitcoins skyrockets, security researchers have discovered yet another piece of malware that harnesses the processing power of compromised PCs to mint the digital currency.
BTCs, as individual bitcoin units are known, have recently traded as high as $130, about four times their value from February. In Bitcoin vernacular, BTCs are "mined" by computers that solve cryptographic proof-of-work problems. For each correct block of data submitted, contributors are collectively rewarded with 25 bitcoins (originally stated here as 50 and later corrected). Legitimate participants, who typically receive a percentage of the reward based on the number of blocks processed, often use powerful systems with multiple graphics processors to streamline the process.
But scammers spreading malware on Skype are taking a decidedly more nefarious approach. Their malicious code hijacks a computer's resources to mine BTC, according to a blog post published Thursday by a researcher from Kaspersky Lab. While the bitcoin-miner.exe malware harnesses only the CPU resources, which are much slower than GPUs in BTC mining, the attackers have the benefit of infecting many computers and then chaining them together to mint the digital currency. Unlike legitimate miners, the criminals don't have to pay the purchase price of the hardware or pay for the electricity to run them.
The Academy - Miami Campus announces great success with its new InfoSec ...
PR Newswire (press release)
MIAMI, April 5, 2013 /PRNewswire-iReach/ -- The Academy – Miami Campus (itacademymiami.com) announced today the success of its new cyber security certificate program called InfoSec Warrior® program. The recent graduating class passed all ...
#FFSec, April 5: Five infosec pros who stand out
@marcusjcarey: Marcus Carey, hacker and self-described "former U.S. Navy spook," is a favorite of mine because he's not afraid to dive into the middle of the myriad infosec debates on Twitter and give you a piece of his mind. He did it to me this week ...
'Hidden' Law Could Hamper Gov't Infosec
A mysterious lawmaker shielded by congressional rules covertly added language into a new law that could make the purchase of IT security wares very difficult for the departments of Commerce and Justice, NASA and the National Science Foundation.
Posted by InfoSec News on Apr 05: Forwarded from: Paul Kelly <p.kelly (at) worldcis.org>
Posted by InfoSec News on Apr 05: http://healthitsecurity.com/2013/04/04/university-of-florida-reports-patient-identity-theft-ring/
Posted by InfoSec News on Apr 05: https://www.networkworld.com/news/2013/040313-army-cybersecurity-268371.html
Posted by InfoSec News on Apr 05: http://www.bankinfosecurity.com/blogs/questioning-fisma-reform-without-new-law-p-1445
Posted by InfoSec News on Apr 05: http://arstechnica.com/security/2013/04/possible-security-disasters-loom-with-rollout-of-new-top-level-domains/
Posted by InfoSec News on Apr 05: http://fuelfix.com/blog/2013/04/04/exxon-mobil-ceo-zeroes-in-on-risk/
Posted by InfoSec News on Apr 05: http://www.timesofisrael.com/on-eve-of-attack-israel-preparing-for-the-cyber-worst/