Information Security News
Hundreds of thousands of websites could be endangered by publicly available attack code exploiting a critical vulnerability in the Plesk control panel. According to security researchers, the vulnerability gives attackers control of the server Plesk runs on.
The code-execution vulnerability affects default installations of Plesk versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 running on the Linux and FreeBSD operating systems, a configuration used by more than 360,000 websites. Plesk running on Windows and other Unix variants hasn't been tested to see whether those configurations are vulnerable as well. The exploit code was released Wednesday on the Full-Disclosure mailing list by "kingcope," a pseudonymous security researcher who has frequented the forum for years and has a proven track record of developing reliable exploits.
"This vulnerability has a high severity rating," kingcope wrote in an e-mail to Ars. "An attacker can use this exploit to get a command line shell remotely with the privileges of the configured Apache user."
--- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
San Francisco Chronicle
Would Bradley Manning Be Better Off In a Civilian Court?
... reports found on the SIPRNet; what kind of websites the enemy was known to frequent; what kind of non-disclosure agreements members of the unit were aware of signing, even if there was no actual information security (“infosec”) to speak of at the base.
Army Intelligence Report on WikiLeaks 'Threat' Being Used to Argue Bradley ...
Richard Porter --- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Dan Goodin
Mac users running the latest version of Apple's OS X are now fully protected against an attack that allows hackers to hijack some encrypted browsing sessions. Apple OS X users also received new defenses against malware attacks that exploit Oracle's frequently abused Java browser plugin.
In all, an OS X update released Tuesday fixes more than 30 security bugs in addition to a host of minor usability issues. On the same day, Apple also updated its Safari browser to plug more than two dozen security holes, some of which could allow attackers to remotely execute malicious code.
The most notable fix was an update to the open-source OpenSSL cryptography library to prevent attacks that allowed hackers to hijack browser sessions even when they were protected by HTTPS encryption. Banks, e-commerce merchants, and other sites use this encryption to prevent snooping on sensitive transactions and to prove the authenticity of their webpages. The "CRIME" attacks—short for Compression Ratio Info-leak Made Easy—are able to decrypt encrypted communications when they incorporate one of two data-compression schemes designed to reduce network bandwidth. The OpenSSL fix works by disabling compression when using the Transport Layer Security (TLS) protocol.
LCQ6: Promote use of ICT among SMEs
7thSpace Interactive (press release)
The Government has been disseminating up-to-date reference materials and news on information security via various channels, including the "InfoSec" portal, talks, seminars and publicity leaflets/pamphlets, to help SMEs understand various security risks ...
Is Security Professional Development Too Expensive?
"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It ...