Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The latest Ponemon study on data breaches found that the cost per lost record in an average breach incident increased modestly, from $130 to $136.
 
Many enterprise storage systems include two or more types of hard disk drives, with data automatically moved between those two tiers of storage. The same concept has now been applied to two types of SSDs.
 

Hundreds of thousands of websites could be endangered by publicly available attack code exploiting a critical vulnerability in the Plesk control panel. According to security researchers, this particular vulnerability gives hackers control of the server it runs on.

The code-execution vulnerability affects default versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems, a configuration used by more than 360,000 websites. Plesk running on Windows and other types of Unix hasn't been tested to see if those configurations are vulnerable as well. The exploit code was released Wednesday on the Full-Disclosure mailing list by "kingcope," a pseudonymous security researcher who has frequented the forum for years. He has a proven track record for developing reliable exploits.

"This vulnerability has a high severity rating," kingcope wrote in an e-mail to Ars. "An attacker can use this exploit to get a command line shell remotely with the privileges of the configured Apache user."


 
Today BIND9 received an update fixing a "recursive resolver with a RUNTIME_CHECK error in resolver.c" [1]. Affected versions are BIND 9.6-ESV-R9, 9.8.5, and 9.9.3. The rated CVSS on this one is 7.8 [1,2].
 
To quote isc.org:
 
"At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process."
 
It is time to review those BIND9 servers and start the process of patching.
 
[1] https://kb.isc.org/article/AA-00967
[2] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Richard Porter

--- ISC Handler on Duty

 
McAfee has announced an agreement to acquire next-gen firewall maker Stonesoft for $389 million.
 
The Chinese government's alleged cyber-espionage arm remains active after a quiet period, using the same tactics revealed in Mandiant's APT1 report.
 
The US Department of Defense (DoD) has approved BlackBerry and Samsung mobile devices for use on its networks
 
A survey released by WhiteHat Security finds that website vulnerabilities have decreased steadily in recent years, though problems persist.
 
McAfee introduces two new identity and access management (IAM) products.
 
The yet-unnamed certification will seek to validate skills of cloud security pros, but it's unclear how it may complement or overlap with existing certs.
 
Security researcher HD Moore says 114,000 serial devices exposed to the Internet are highly hackable.
 
Verizon's annual breach report highlights a spate of new security research reports. However, overall conclusions from these are hard to come by.
 
The attack seeks to compromise a Twitter webpage via a man-in-the-browser attack. Trusteer warns it could be a harbinger of broader future attacks.
 
The 2013 Verizon data breach report details how authentication attacks affect organizations of all sizes, blaming single-factor passwords.
 
Verizon's 2013 breach report shows most breaches are caused by a select few attack types, and the majority of breaches aren't detected for months.
 
IBM QRadar Security Information and Event Manager Remote Command Injection Vulnerability
 
Compliance practitioners say new mandates like the HIPAA Omnibus Rule and Obamacare are making enterprise compliance management even harder.
 
A report by iViZ Security Inc. found that overall vulnerabilities in security products in 2012 rose sharply.
 
A US supermarket chain has implemented an endpoint security system to secure legacy applications and to save additional development
 
New features for detecting and analyzing malware in Sourcefire's FireAMP and FirePOWER products supplement flagging signature-based antimalware.
 
Though the Spamhaus DDoS attack showed the potential devastation of increasing bandwidth, DDoS attack trends show DDoS type to be just as important.
 
The software giant's May 2013 Patch Tuesday update permanently fixes the IE8 zero-day flaw found in the Dept. of Labor website attack.
 
US federal authorities have charged eight hackers in connection with a $45m debit card fraud scheme
 
The IE8 zero-day attack planted in the U.S. Labor Department's website highlights how few organizations can ward off never-before-seen attacks.
 
Microsoft released a temporary fix to mitigate attacks using the most recent Internet Explorer 8 zero day vulnerability.
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Immersive Endpoint Devices
 

Would Bradley Manning Be Better Off In a Civilian Court?
The Nation
... reports found on the SIPRNet; what kind of websites the enemy was known to frequent; what kind of non-disclosure agreements members of the unit were aware of signing, even if there was no actual information security ("infosec") to speak of at the base.
Army Intelligence Report on WikiLeaks 'Threat' Being Used to Argue Bradley ...
Firedoglake
 

Richard Porter --- ISC Handler on Duty

 
College graduates receiving their diplomas this year were teenagers when the first iPhone debuted and Facebook allowed anyone to create a profile. As this tech-saturated generation enters the IT workforce their familiarity with technology -- especially consumer products -- can lead to communication and work style clashes with more seasoned employees who may not share a passion for digital life.
 
NASA's Mars rover Curiosity is approaching its biggest turning point since landing on the Red Planet last August.
 
Don't like the song playing on the stereo? Just wave it goodbye, literally.
 
As the time for a shareholder vote draws near, the Dell special committee weighing competing bids for the company said Wednesday that a plan from investor Carl Icahn and Southeastern Asset Management comes up short by billions of dollars.
 
Microsoft today confirmed what many analysts suspected, that it has cut prices of Windows 8 and Windows RT licenses to hardware partners building smaller-sized tablets as a way to drop device prices and juice sales.
 
A majority of Americans -- about 56% -- now own a smartphone, according to Pew Research Center's latest survey.
 
The pending launch of Windows Server 2012 release 2 focuses on offering a number of advanced capabilities in storage and networking, which used to require the purchase of additional software, or even a full-fledged storage system.
 
The Digital Advertising Alliance, a coalition of online advertising networks and companies, will soon release guidelines for the use of targeted advertising on mobile devices, although it's been difficult to come up with standards in the diverse mobile marketplace, members of the DAA said.
 

Mac users running the latest version of Apple's OS X are now fully protected against an attack that allows hackers to hijack some encrypted browsing sessions. Apple OS X users also received new defenses against malware attacks that exploit Oracle's frequently abused Java browser plugin.

In all, an OS X update released Tuesday fixes more than 30 security bugs in addition to a host of minor usability issues. On the same day, Apple also updated its Safari browser to plug more than two dozen security holes, some of which could allow attackers to remotely execute malicious code.

The most notable fix included an update to the open-source OpenSSL cryptography library to prevent attacks that allowed hackers to hijack browser sessions even when they were protected by the HTTPS encryption. Banks, e-commerce merchants, and other sites use this encryption to prevent snooping on sensitive transactions and to prove the authenticity of their webpages. The "CRIME" attacks—short for Compression Ratio Info-leak Made Easy—are able to decrypt encrypted communications when they incorporate one of two data-compression schemes designed to reduce network bandwidth. The OpenSSL fix works by disabling compression when using the transport layer security (TLS) protocol.
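Why disabling compression removes the CRIME exposure, as an added example (not from the article, Apple or OpenSSL): with constructed sample values, the DEFLATE-compressed length of a record changes depending on whether attacker-influenced text repeats the secret cookie, while the uncompressed length does not; the last two functions check the mitigation on a Python `ssl` context.

```python
import ssl
import zlib

# Constructed sample values; not taken from the article or from real traffic.
SECRET_HEADER = b"Cookie: session=a7f3k9z2"
RIGHT_GUESS = b"session=a7f3k9z2"   # repeats the secret exactly
WRONG_GUESS = b"session=q1w2e3r4"   # same length, does not repeat it


def record_len(secret: bytes, guess: bytes, compressed: bool) -> int:
    """On-the-wire length of a record carrying a secret header next to
    attacker-influenced text (here the request path).

    With TLS-level compression (modelled by DEFLATE, the scheme CRIME
    targets) the length shrinks when `guess` repeats bytes of the secret,
    so the length alone tells a right guess from a wrong one. Without
    compression the length depends only on the sizes of the parts.
    """
    body = b"GET /" + guess + b" HTTP/1.1\r\n" + secret + b"\r\n"
    return len(zlib.compress(body, 9)) if compressed else len(body)


def compression_leaks(secret: bytes, right: bytes, wrong: bytes) -> bool:
    """True when compressed lengths distinguish equal-sized right and wrong
    guesses, i.e. compression still exposes the secret's content."""
    return record_len(secret, right, True) != record_len(secret, wrong, True)


def context_disables_compression(ctx: ssl.SSLContext) -> bool:
    """Check that the context refuses to negotiate TLS compression, the
    same mitigation the OpenSSL update applied."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def hardened_context() -> ssl.SSLContext:
    """Client context with compression explicitly disabled (recent Python
    versions set this by default; setting it makes the intent explicit)."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    for label, g in (("right guess", RIGHT_GUESS), ("wrong guess", WRONG_GUESS)):
        print(f"{label}: compressed={record_len(SECRET_HEADER, g, True)} "
              f"plain={record_len(SECRET_HEADER, g, False)}")
    print("leak with compression:", compression_leaks(SECRET_HEADER, RIGHT_GUESS, WRONG_GUESS))
    print("compression disabled:", context_disables_compression(hardened_context()))
```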


 
Researchers at the National Institute of Standards and Technology (NIST) have reported* the first observation of the 'spin Hall effect' in a Bose-Einstein condensate (BEC), a cloud of ultracold atoms acting as a single quantum object. As ...
 
Merging the Windows Phone OS with the Windows and Windows RT OSs could give Microsoft a boost in attracting more developers and, ultimately, improving its market share for smartphones and tablets.
 
A Wisconsin man ordered last month by a magistrate to decrypt several of his storage drives to let investigators inspect them for evidence of child porn this week won a last minute reprieve from a federal judge.
 
The number of malware samples that use P-to-P (peer-to-peer) communications has increased fivefold during the past 12 months, according to researchers from security firm Damballa.
 
Gallery Multiple Cross Site Scripting Vulnerabilities
 
[CORE-2013-0103] Mac OSX Server DirectoryService buffer overflow
 
Texas Instruments and Qualcomm are working on products that will power small mobile base stations, also known as small cells, and help improve indoor coverage and speeds for enterprises.
 
Fairphone has received enough orders to start production on what it says is a smartphone that will be built according to ethical standards, designed and produced with minimal harm to people and the planet.
 
After years of Windows OS exclusivity, Advanced Micro Devices is opening the door to design chips to run Google's Android and Chrome OS in PCs and tablets.
 
SAP is buying privately held Hybris in a bid to build out an e-commerce software offering that connects with customers across multiple "channels, devices and touch points."
 
The next version of Microsoft's relational database management system (RDMS) promises to bring immense performance gains to online transactional processing systems.
 
Nick Parker has one of the more interesting jobs in the PC business right now. As corporate vice president for Microsoft's OEM division, he manages the company's relationships with PC manufacturers, including sales and licensing of Windows.
 
Another highly critical flaw has been found in the Apache Struts web framework and users are strongly advised to update to the latest version to block the threat of remote code execution
 
Apple QuickTime CVE-2013-0987 Memory Corruption Vulnerability
 
[security bulletin] HPSBMU02883 SSRT101227 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code
 
Developer tool company AppGyver loves the PhoneGap platform, but is convinced there is room for productivity and performance improvements and is working on products to achieve both.
 
At US$99, the mini PC developed by thin-client expert Young Song is meant to be affordable. In fact, the price is so low, most consumers won't hesitate to buy one, he said Wednesday.
 
The WebRTC standard aims to make peer-to-peer communication over the Web as easy as picking up a phone. Here's what developers need to know about WebRTC, including how to set it up and what limitations the protocol currently faces.
 
IT departments are quickly becoming consultancies in companies increasingly driven by consumer technology, and the control they once had over tech use is quickly dissipating.
 
cgit 'url' Parameter Directory Traversal Vulnerability
 
MiniUPnP CVE-2013-0230 Stack-Based Buffer Overflow Vulnerabilities
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
A firmware fix for Schneider Electric's Quantum Ethernet Module has finally been released for hard-coded passwords found in the device in 2011. The new firmware removes the vulnerable telnet and debug services
 
Over fifty vulnerabilities were closed in Apple's latest operating system and security update, with nearly 20 of these fixes being for Ruby on Rails and OpenSSL
 
VxWorks Debugging Service Security-Bypass Vulnerability
 

LCQ6: Promote use of ICT among SMEs
7thSpace Interactive (press release)
The Government has been disseminating up-to-date reference materials and news on information security via various channels, including the "InfoSec" portal, talks, seminars and publicity leaflets/pamphlets, to help SMEs understand various security risks ...

 
IT upheaval is inevitable -- like it or not.
 
Google is pushing out a software update for Glass that improves the capabilities of one of the most popular features - the camera.
 
Intel expects tablets containing its upcoming Atom processor code-named Bay Trail will cost under $200, a company executive said Wednesday.
 
Fujitsu will this month launch a super-thin Ultrabook, built on Intel's latest Haswell processors, with an 11-hour battery life and a screen with nearly three times HD resolution.
 
Apple on Tuesday updated OS X Mountain Lion, likely for one of the last times, with a combination of compatibility and reliability bug fixes as well as vulnerability patches.
 
Plenty of eyes may be focused on Google Glass as the device attracts attention in the field of 'augmented reality' but a crop of other players developing their own glasses-like products are also hoping to stand out as the industry matures.
 
Being a visionary within a corporation leads to playing with a lot of consumer toys, and that's exactly the point. Play, have fun and discover what does or doesn't work in your company.
 
Samsung is adding another Galaxy S4 smartphone to its portfolio. The Active model is dust- and water-resistant, and has a special camera mode for underwater pictures and video.
 
Microsoft is bringing its Outlook email program to Windows 8 RT in a bid to expand the availability of Windows tablets based on low-power ARM processors.
 
Google has released a security update for Chrome 27, which fixes one critical and nine high severity bugs, and has paid out nearly $10,000 to bug hunters for their finds
 
WebKit CVE-2013-1000 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2013-1002 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2013-1003 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2013-0995 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2013-0994 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2013-0996 Unspecified Memory Corruption Vulnerability
 
Advanced Micro Devices has announced a new strategy that could lead to games that run in the future across PCs and games consoles like the Xbox and PlayStation.
 
Amazon.com has set up a website with its brand in India, but will not be selling on the site.
 

Is Security Professional Development Too Expensive?
Dark Reading
"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It ...
