Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications.
 
Australia's High Court cleared Google on Wednesday of violating fair trade law by allowing companies to purchase keywords containing their competitors' names, handing a defeat to the country's fair trade regulator.
 
A mathematician at the University of Central Missouri has discovered what is now the largest known prime number -- one with more than 17 million digits.
 
A secret review of American policies governing the use of cyberweapons has concluded that President Barack Obama has the broad power to order pre-emptive strikes on any country preparing to launch a major digital attack against the U.S.
 
The first U.S. House hearing on immigration this year put a lot of focus on high-skilled foreign workers, while lawmakers' support for comprehensive reform appeared tempered.
 
Free from the bright lights of Wall Street, Dell's decision to go private is likely to lead to the company downplaying if not entirely eliminating consumer products in favor of building out its enterprise product portfolio, analysts said.
 
 
Electric utility National Grid is still trying to resolve problems with its recently implemented SAP payroll system that cropped up after Hurricane Sandy, the major storm that caused widespread damage on the U.S. East Coast and the Caribbean in late October.
 
Microsoft's $2 billion loan to Dell, one of its largest computer-making partners, will have an impact on how other OEMs view their Windows ecosystem collaborator, analysts said today.
 
Countries pushing for international regulation of the Internet through the U.N. International Telecommunication Union will not quit after a partial victory at an ITU meeting in December, some Internet government experts told U.S. lawmakers.
 
Microsoft's $2 billion loan to Dell is a sign that the software maker wants to influence hardware designs in a post-PC world while protecting itself from the growing influence of Linux-based operating systems in mobile devices and servers, according to analysts.
 
Cisco Unity Express CVE-2013-1120 Cross Site Request Forgery Vulnerability
 
Cisco Unity Express CVE-2013-1114 Cross Site Scripting Vulnerability
 
Oracle MySQL Server CVE-2013-0385 Local Security Vulnerability
 
[MajorSecurity-SA-2013-014] Sony Playstation Vita Browser - firmware 2.05 - Adressbar spoofing
 
[security bulletin] HPSBST02846 SSRT100798 rev.1 - HP LeftHand Virtual SAN Appliance hydra, Remote Execution of Arbitrary Code
 
[ MDVSA-2013:007 ] mysql
 
Re: [SE-2012-01] Details of issues fixed by Feb 2013 Java SE CPU
 
A faulty antivirus update issued by Kaspersky Lab on Monday left many of its home and business customers unable to access any websites on their computers.
 
Dell's buyout deal should give the company renewed business flexibility and stealth but now buyers need to know if Dell will be in the PC market for the long haul.
 
Betting that it can help agile development teams finally rid themselves of messy hand-written sticky notes, Hewlett-Packard is launching a new hosted service focused on providing easily accessible application life-cycle management (ALM) capabilities from the cloud.
 
Oracle MySQL Server CVE-2013-0368 Remote Security Vulnerability
 
With Windows 8, Microsoft is betting that users want to touch the screen in place of using a mouse or touchpad. Apple has famously declared the opposite. What do you think?
 
 
"Lucky 13" is the name given to an attack on the protocol used to encrypt web connections. It exploits timing effects during decryption of TLS messages. The danger posed by the attack remains low at present, but, warn the researchers, this could change.


 

OpenSSL has issued an advisory regarding updates released to address the following issues:

SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y.

TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686)
Affected users should upgrade to OpenSSL 1.0.1d.

OCSP invalid key DoS issue (CVE-2013-0166)
Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y.

The SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169) is particularly interesting as described in Lucky Thirteen: Breaking the TLS and DTLS Record Protocols.



From their writeup (AlFardan and Paterson):

It's called Lucky 13 because the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) which, in part, makes the attacks possible. In the context of the attacks, 13 is lucky from the attacker's perspective. At a high level, these attacks can be seen as an advanced form of the padding oracle attack. These new attacks against TLS and DTLS allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used. The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations.

Read Nadhem J. AlFardan and Kenneth G. Paterson's full paper here.



The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2 as well as implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to previous padding oracle attacks. Variant attacks may also apply to non-compliant implementations.
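To make the "13 bytes of header" and the padding-oracle angle concrete, here is an added illustration (not code from the diary, the paper or OpenSSL) of the TLS CBC record layout on the receiving side: the MAC input with its 13-byte prefix, a leaky padding-then-MAC check in which bad padding short-circuits the MAC work, and a hardened check in the spirit of the countermeasure that always does the MAC work and returns one combined verdict. Key, cipher-suite parameters and sample fragment are constructed; CBC encryption itself is left out, and Python cannot guarantee constant time, so the hardened function shows the principle rather than a production implementation.

```python
import hmac, hashlib, struct

MAC_LEN = 20            # HMAC-SHA1 tag length (e.g. TLS_RSA_WITH_AES_128_CBC_SHA)
BLOCK = 16              # AES block size
MAC_KEY = b"\x42" * 20  # constructed sample key, not a real one

def mac_input(seq_num, content_type, version, fragment):
    # The 13 "lucky" bytes: 8-byte sequence number plus the 5-byte record header
    # (type, version, fragment length), followed by the fragment itself.
    return struct.pack("!QBHH", seq_num, content_type, version, len(fragment)) + fragment

def compute_mac(seq_num, content_type, version, fragment):
    return hmac.new(MAC_KEY, mac_input(seq_num, content_type, version, fragment),
                    hashlib.sha1).digest()

def build_plaintext(seq_num, content_type, version, fragment):
    # Sender side of MAC-then-encrypt: fragment || MAC || padding, where padding is
    # pad_len+1 bytes each equal to pad_len. The CBC encryption step is omitted.
    body = fragment + compute_mac(seq_num, content_type, version, fragment)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def padding_ok(decrypted, pad_len):
    return (pad_len + 1 <= len(decrypted) - MAC_LEN and
            decrypted[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))

def verify_tag(seq_num, content_type, version, decrypted, pad_len):
    split = len(decrypted) - (pad_len + 1) - MAC_LEN
    tag = compute_mac(seq_num, content_type, version, decrypted[:split])
    return hmac.compare_digest(decrypted[split:split + MAC_LEN], tag)

def check_naive(seq_num, content_type, version, decrypted):
    # Leaky receiver: bad padding is rejected before any MAC work, so it is rejected
    # faster than a bad MAC. That timing difference is the oracle the diary describes.
    pad_len = decrypted[-1]
    if not padding_ok(decrypted, pad_len):
        return False
    return verify_tag(seq_num, content_type, version, decrypted, pad_len)

def check_hardened(seq_num, content_type, version, decrypted):
    # Countermeasure in outline: always compute the MAC (on bad padding, over the longest
    # possible fragment) so hash work does not depend on the padding byte; one verdict.
    pad_len = decrypted[-1]
    pad_ok = padding_ok(decrypted, pad_len)
    if not pad_ok:
        pad_len = 0  # treat as zero-length padding and keep going
    mac_ok = verify_tag(seq_num, content_type, version, decrypted, pad_len)
    return pad_ok and mac_ok
```

Real fixes (OpenSSL 1.0.1d and later) go further and equalise the number of hash compression-function calls, which this sketch only approximates.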

Fresh bits available via the OpenSSL project page.

Russ McRee|@holisticinfosec

 
Facebook makes it easy to connect with people online, but some of its users say they got burned out on the site or grew tired of their friends' "drama," a new survey shows.
 
Analysts peg the Indian healthcare industry to reach $155 billion in terms of revenue by 2017. But are hospitals really using their money effectively? Narayana Hrudayalaya (NH) most certainly has been. The NH Group of Hospitals has been delivering on its promises of providing high quality, highly affordable healthcare services.
 
It has now been just about a year since the Obama administration put forth its online privacy blueprint. In spite of a title on the announcement that insisted "We Can't Wait," not much has happened since the blueprint was published. Meanwhile, things are heating up on the online privacy front in Europe, and the contrast between the United States and European viewpoints is and is not stark.
 
If you have a hard time getting employees to attend corporate training, maybe you need to add a little fun. To motivate workers to attend training courses, Deloitte put its course catalog online and added gamification. Badges? Turns out you do need stinkin' badges.
 
Oracle Java SE CVE-2013-1478 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-1476 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0427 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-1479 Remote Java Runtime Environment Vulnerability
 
Microsoft will open five new retail stores by summer, including one it's transmuting from a "pop-up" outlet created last year to drive holiday sales.
 
Michael Dell has teamed up with investment firm Silver Lake to buy computer maker Dell, the company he founded as a 19-year-old in 1984, in a deal valued at about $24.4 billion.
 
Those who heed well-intentioned recommendations and use a separate password for every service either require a photographic memory or the right techniques to keep the multitude of passwords under control.


 
Oracle E-Business Suite CVE-2013-0390 Remote Security Vulnerability
 
APPLE-SA-2013-02-04-1 OS X Server v2.2.1
 
In a much anticipated move, Michael Dell and investment firm Silver Lake will acquire the company he founded by paying shareholders $13.65 per share in cash. The deal is valued at about $24.4 billion.
 
Oracle Java SE CVE-2013-0434 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0435 Remote Java Runtime Environment Vulnerability
 
Former Atari Interactive CEO Frederic Chesnais has decided to take a 25.23% stake in the company in a bid to save it from bankruptcy, Atari announced on Tuesday.
 
Employees come and employees go, but access rights tend to live on long after their departures.
 
Users of Amazon Web Services' Relational Database Service (RDS) can now keep track of their databases with new notifications via email and SMS.
 
Oracle Java SE CVE-2013-0428 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0441 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0442 Remote Java Runtime Environment Vulnerability
 
With MySQL 5.6, released Tuesday, Oracle has updated the open-source database to make it more competitive with NoSQL data stores such as MariaDB or Cassandra.
 
When Google began reporting that the NetSeer advertising network's domain was a source of malware, NetSeer found the source of the alert on its own web site and managed to be removed from Google's Safe Browsing list within four hours.


 
Oracle Java SE CVE-2012-1532 Remote Java Runtime Environment Vulnerability
 
UK Information Commissioner Christopher Graham has relaxed the rules on cookie use set out by his own office in May 2011. Rather than requiring explicit user consent, implied acceptance will now be considered sufficient.


 
Oracle Java SE CVE-2013-1480 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-1475 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-1473 Java Runtime Environment Remote Security Vulnerability
 
Oracle Java SE CVE-2013-0448 Remote Java Runtime Environment Vulnerability
 
Tech employment posted a large increase last month, despite a generally soft employment gain overall, according to two separate reports.
 
Is a touch display on a laptop user-friendly or an annoying productivity-killer? Computerworld editors hash it out.
 
Oracle Java SE CVE-2013-0438 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0445 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0432 Java Runtime Environment Remote Security Vulnerability
 
Oracle Java SE CVE-2013-1489 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0423 Java Runtime Environment Remote Security Vulnerability
 
Oracle Java SE CVE-2013-0409 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0351 Java Runtime Environment Remote Security Vulnerability
 
Microsoft is collaborating with the Kenyan government and a local Internet service provider to provide broadband access using TV white spaces and solar-powered base stations, as part of a long-term strategy to spread mobile telephony and Internet connectivity in Africa.
 
IBM's Watson supercomputer outperformed humans in the televised game show "Jeopardy." Now the company is moving some of its underlying technologies from the supercomputer into new entry-level servers.
 
RETIRED: Oracle Java Runtime Environment Multiple Security Vulnerabilities
 
Samsung Kies Air Denial of Service and Security Bypass Vulnerabilities
 
U.S. lawmakers pledged to rewrite an antihacking law as hundreds of people gathered in Washington, D.C., to mourn the death of Internet activist and innovator Aaron Swartz.
 