(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Twitter reported its first earnings as a public company on Wednesday, revealing that sales more than doubled from a year ago, though it still hasn't managed to turn a profit.
Pidgin 'gg_http_watch_fd()' Function Buffer Overflow Vulnerability
Pidgin 'process_chunked_data()' Function Heap Buffer Overflow Vulnerability
NASA's Mars rover Curiosity is set to take a dangerous journey this week.
Satya Nadella, Microsoft's new CEO, took the unexpected step Tuesday of addressing customers and partners in a 16-minute interview, where he did not stray from the messaging Microsoft has used for 20 months.
Recent data breaches at Target and Neiman Marcus were sophisticated attacks not detected by robust cybersecurity measures, executives with the two companies told U.S. lawmakers.
Humorists struck a minor gold mine yesterday when Microsoft anointed Satya Nadella, a veteran company insider, as its new CEO, proving that funny can be found in the most unlikely places.
Starbucks was able to generate a staggering $1 billion in revenue from smartphone transactions used at sales terminals in its stores in 2013 largely due to the fanatical loyalty of its customers, according to a recent estimate.

The hackers who broke into Target's corporate network and made off with payment card data for 40 million of its customers gained entry using authentication credentials stolen from a heating, ventilation, and air-conditioning (HVAC) subcontractor that has done work for a variety of other large retailers, according to a report published Wednesday by KrebsOnSecurity.

Reporter Brian Krebs writes:

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

Wednesday's post reports several newly available details, including a timeline of the attack. The attackers, Krebs says, spent about 13 days uploading their card-stealing malware to a small number of point-of-sale terminals within Target stores to make sure it worked as designed. They then pushed the malicious software to a majority of Target's cash registers and actively collected card records captured from live customer transactions.



British intelligence agency Government Communications Headquarters has reportedly infiltrated hacktivist groups and used denial-of-service and other techniques to disrupt their online activities.
A new exploit that prompted Adobe to release an emergency patch for Flash Player was used in targeted attacks that distributed malware designed to steal log-in credentials for email and other online services, according to Kaspersky researchers.
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2014-1487 Information Disclosure Vulnerability
Mozilla Firefox/SeaMonkey CVE-2014-1485 Cross Site Scripting Vulnerability
Mozilla Network Security Services CVE-2014-1490 Use After Free Memory Corruption Vulnerability
Rounding out its set of software for connecting enterprise applications, Red Hat has released additional software for its JBoss Fuse enterprise service bus that provides the basis for building service-oriented architectures.
Twitter is opening up access to company executives today during the firm's first earnings calls as a public company.
A Newport Beach, Calif., high school expelled 11 students after uncovering a plot in which a private tutor allegedly directed them to change their grades on teachers' PCs by breaking into them using credential-stealing hardware keyloggers.
This e-mail, purportedly sent by a security incident handler for eBay, was posted by members of a pro-Syrian hacker group. It has since been removed from Twitter.

Pro-Syrian hackers have produced evidence that they intercepted the sensitive communications of eBay security personnel as the employees responded to a recent hack of the company's UK websites. The incident underscores the lack of success some of the world's most powerful tech companies have withstanding everyday attacks.

An image posted over the weekend shows an e-mail purportedly sent by Paul Whitted, whose LinkedIn profile lists him as a senior manager at eBay overseeing "incident management and resolution of major site issues." The February 1 message addresses other eBay employees and raises the possibility that one or more of their computers—or at least one of their e-mail accounts—was compromised as they were discussing a hack last Saturday on eBay and PayPal websites.

It reads:




GOP Report Stresses Gov't InfoSec Flaws
Days before the Obama administration will release a framework aimed at securing the nation's critical infrastructure, Senate Republicans issued a report detailing vulnerabilities in federal IT, suggesting the White House get its own house in order ...

Security Advisory: NETGEAR Router D6300B Firmware: V1.0.0.14_1.0.14
The headquarters of British intelligence agency GCHQ—where a covert war against Anonymous was directed from in 2011.

NBC News has published new documents from the National Security Agency trove provided by former NSA contractor Edward Snowden. The latest revelation is that British intelligence agency GCHQ conducted a covert campaign against Anonymous in September of 2011, crippling one operation by the hacktivist group and unmasking several of its members. The slides indicate that the GCHQ infiltrated the Internet relay chat (IRC) for Operation Payback, a collective “op” by hackers affiliated with Anonymous that targeted PayPal, MasterCard, and Visa after they stopped electronic donations to WikiLeaks.

The irony of the efforts is that the GCHQ operative used almost precisely the same sort of techniques and methods that hackers who have often aligned themselves with Anonymous employ. The GCHQ employed a covert informant to conduct the campaign, and the informant used social engineering, denial-of-service attacks, and malware against the targets.

It’s not clear if there’s a connection between the GCHQ’s “CHIS” (covert human intelligence source) and the FBI’s turning of Hector “Sabu” Monsegur in June of 2011. But the timing of the GCHQ's operation against the Anonymous IRC corresponds to the time frame during which Sabu became a government informant.



socat PROXY-CONNECT Address Stack Buffer Overflow Vulnerability
Since reports surfaced late last week that Satya Nadella would be the third CEO in Microsoft's history, the tech world has been abuzz with speculation about the future of one of the industry's major forces.
Westmont College in Santa Barbara, Calif., was the first school in the country to deploy an all-802.11n network when, four years ago, it rolled out 290 Meraki access points to bring nearly complete coverage to dorms, classrooms and campus buildings.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1479 Security Bypass Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1482 Remote Code Execution Vulnerability
Mozilla Firefox/SeaMonkey/Thunderbird Use-After-Free Remote Code Execution Vulnerability
German patent licensing firm IPCom has accused Apple of infringing a patent on 3G technology and wants $2.1 billion in damages, the Mannheim Regional Court said Wednesday.

Our reader Rodney sent us a link to a story that apparently aired on NBC Nightly News last night:

"I was wondering if someone could do a piece on the report that was on NBC's Nightly News last night (see link below) regarding connecting personal devices like smart phones and laptops to the Internet while in Sochi for the Olympics. The first video leaves out some details that the second video reveals. The first video aired on NBC, the second did not. It seems as if the first video was sensationalism. The second video revealed that the journalist had willingly clicked on links to download the malware. The first video made it look like they only had to connect to become infected. I know that it can happen, but they made it sound like it will definitely happen."

The first video [1] shows how a brand new computer is infected while connected to a hotel network in Russia. "If they fire up their phone at baggage claim, it is too late," the announcer states to introduce the story. The reporter then says that his Android phone was hacked almost immediately, "before we even finished our coffee". The report goes on to state that the two computers at the hotel were hacked as well, "very quickly".

A second video ("Open Hunting Season for Hackers", at the same URL as the first video) clarifies things a bit. The journalist clicked on a link. However, the link does appear to have been somewhat targeted, as it addressed him as a journalist and promised leads for a story. We don't know if there were additional warning signs.

There was also a brief twitter exchange about this story with Kyle Wilhoit, the security expert in the story:

(Embedded images: the initial tweet about the NBC Nightly News segment, and Kyle Wilhoit's response.)

So in short, the infection was not "uninitiated".

How dangerous is it to travel?

The report states that there is no expectation of privacy. I think this is a good assumption to go with no matter where and how you use the Internet. Many privacy rules are just that: rules. To actually have privacy, you may need to go a step further and put technical controls in place. We covered travel security before, but here are some of the main points:

- Patch before you go, not while on the road.
- Use a VPN whenever possible.
- Use anti-malware / personal firewalls.
- Don't leave your computer unattended.
- Encrypt your disks.
- Power down your system if you have to leave it in your room, and set up a BIOS/firmware password.
- Use hotel safes / lock-down cables if you don't have another choice (yes, they can be broken into easily, but it is even easier to take a system that is not in the safe).
- If you have a choice, a wired connection is a tiny bit more secure than WiFi.

(also see the April 2011 edition of Ouch http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf )

Will you get hacked "automatically as you have a coffee"? Who knows. But if it happens, it may as well happen while you have the coffee at home. The risk isn't so much about the location, as a recent breach of PoS systems in hotels from Chicago to Merrillville shows [2]. One of the great things about the internet is that distance doesn't really matter that much. Russian hackers can get to you while you (and they?) are in their PJs, no matter where.

In the end, I am not sure if "TV magic" is the right way to educate users about the risks.

[1] http://www.nbcnews.com/watch/nightly-news/hacked-within-minutes-sochi-visitors-face-internet-minefield-137647171983

[2] http://www.dailyfinance.com/2014/02/04/credit-card-data-breaches-target-big-hotels/

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Worldwide IT spending will grow by 4.6% this year, as enterprises look to upgrade storage, servers and networking equipment, according to market researcher IDC.
Networking experts are running out of superlatives to describe the coming tidal wave of mobile data traffic.
Two items on BI customer wish lists have long been ease of use and a lower burden on IT. A startup called ThoughtSpot, which came out of stealth mode on Wednesday, says its new BI appliance can tackle both.
The U.S. Congress needs to help restore global trust in the nation's technology vendors by reining in surveillance programs at the National Security Agency, an industry representative told lawmakers Tuesday.
Microsoft's new CEO, Satya Nadella, was born in Hyderabad, India, one of that nation's largest IT centers, and graduated from Manipal University in India before heading to the U.S. to earn advanced degrees in business and computer science.
Attention, IT: As marketing goes all-digital, your CMO needs more from you than back-office support. Are you ready to be a marketing partner?
Google is broadening its bug bounty program for security researchers to encompass all Chrome apps and extensions made by the company. It's also upping payments for its Patch Rewards Program, focused on improvements for open-source code.
The choice of Satya Nadella as CEO suggests that the consumer-market party is over for the company, as it turns its attention to the unglamorous world of infrastructure.
Microsoft's new CEO, Satya Nadella, had better hit the ground running with a plan for his first three months on the job, corporate strategy and branding experts said today.
Google has agreed to give comparable display to specialized search services that rival its own, in order to settle a European Union antitrust case, the European Commission said Wednesday.
Researchers at IBM and the University of California are questioning whether a closely watched experimental computer used by Google actually relies on quantum mechanics as its manufacturer, D-Wave, claims.
The U.S. Department of Health and Human Services launched a security probe of Healthcare.gov after a U.S. intelligence unit last week warned that portions of the Affordable Care Act website were built by software developers linked to the Belarus government.
Adobe Flash Player CVE-2014-0497 Remote Code Execution Vulnerability

Posted by InfoSec News on Feb 05


By Ashley Feinberg
February 4, 2014

Today, a report from the Homeland Security and Governmental Affairs Minority Committee offered an overview of the fed's current state of cybersecurity. And how is the government with which we entrust our most sensitive and private information looking? In short: bad. Very, very bad.

It's no secret that the...