Hackin9
Dell EqualLogic CVE-2013-3304 Directory Traversal Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
mod_auth_mellon CVE-2014-8566 Information Disclosure Vulnerability
 
mod_auth_mellon CVE-2014-8567 Denial of Service Vulnerability
 
This chatty Samsung phone is spilling all the goods on its owner's travels—without even being asked.
Sean Gallagher

Every time you use Google or Apple mobile location services, you’re not just telling the services where you are. You’re also shouting many of the places you’ve been to anyone who happens to be listening around you—at least if you follow Google’s and Apple’s advice and turn on Wi-Fi for improved accuracy.

Wi-Fi is everywhere. And because of its ubiquity, Wi-Fi access points have become the navigational beacons of the 21st century, allowing location-based services on mobile devices to know exactly where you are. But thanks to the way Wi-Fi protocols work, mapping using Wi-Fi is a two-way street—just as your phone listens for information about networks around it to help you find your way, it is shouting out the name of every network it remembers you connecting to as long as it remains unconnected.

The problem with Wi-Fi “probe” requests is nothing new—Dan Goodin covered the vulnerability for Ars two years ago. The problem poses a significant security issue in some cases—particularly for AT&T customers, whose phones automatically join networks named “attwifi” when their probe requests are answered. That’s something we’ve demonstrated ourselves in a controlled test at Ars’ security skunkworks.


 

An unpatched vulnerability in Yosemite and some earlier versions of Apple's Mac OS X allows untrusted people to take full control of users' machines, a security researcher has warned.

Dubbed Rootpipe, the privilege escalation bug allows people to gain root access, a nearly unrestricted level of system privileges, without first entering the "sudo" password, according to a recent report published by Macworld. Sudo is a mechanism that's designed to prevent code execution, file deletions, and other sensitive operations from being carried out by unauthorized people who have physical access to a computer.

"Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password," Emil Kvarnhammar, a researcher at Swedish security firm Truesec, told Macworld. "It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it."


 

Israeli ex-spies want to help you defend your CAR from cybercrooks
Register
Security shortcomings in new cars could nurture a new branch of the infosec industry in much the same way that Windows' security failings gave rise to the antivirus industry 20 or so years ago, auto-security pioneers hope. Former members of Unit 8200 ...

 

Google puts down POODLE, now wants to eradicate breed
Register
Android's security bod used the tool for "some time" and released it after working with developers to help lift their app infosec game. "But we want the use of TLS/SSL to advance as quickly as possible," Brubaker said. He called for the community to ...

 

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center

 
LinuxSecurity.com: An updated mod_auth_mellon package that fixes two security issues is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security...
 
LinuxSecurity.com: Several security issues were fixed in Ruby.
 
LinuxSecurity.com: Updated shim packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security...
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
 
LinuxSecurity.com: New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.
 
LinuxSecurity.com: New mariadb packages are available for Slackware 14.1 and -current to fix security issues.
 
LinuxSecurity.com: Updated cups-filters packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security...
 

Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft's Windows Update mechanism.

Nathaniel McHugh ran open source software known as HashClash to modify two separate images—one of them depicting funk legend James Brown and the other R&B singer/songwriter Barry White—so that both generate precisely the same MD5 hash, e06723d4961a0a3f950e7786f3766338. The exercise—known in cryptographic circles as a hash collision—took just 10 hours and cost only 65 cents plus tax to complete using a GPU instance on Amazon Web Services. In 2007, cryptography expert and HashClash creator Marc Stevens estimated it would require about one day to complete an MD5 collision using a cluster of PlayStation 3 consoles.

The MD5 hash for this picture—e06723d4961a0a3f950e7786f3766338—is precisely the same for the one below. Such "collisions" are a fatal flaw for hashing algorithms and can lead to disastrous attacks.

The practical ability to create two separate inputs that generate the same hash is a fundamental flaw that makes MD5 unsuitable for most purposes. (The exception is password hashing. Single iteration MD5 hashing is horrible for passwords but for an entirely different reason that is outside the scope of this post.) The susceptibility to collisions can have disastrous consequences, potentially for huge swaths of the Internet.


 
 
Arbitrary File Upload in HelpDEZk
 
Two Reflected Cross-Site Scripting (XSS) Vulnerabilities in Forma Lms
 
WordPress Wordfence Firewall 5.1.2 Cross Site Scripting
 
Wordpress bulletproof-security <=.51 multiple vulnerabilities
 
CVE-2014-6616 Softing FG-100 Webui XSS
 
FreeBSD Security Advisory FreeBSD-SA-14:26.ftp
 
FreeBSD Security Advisory FreeBSD-SA-14:25.setlogin
 
CVE-2014-6617 Softing FG-100 Backdoor Account
 
KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read
 
Call for Papers - WorldCIST'15 - Best papers published in JCR/SCI journals
 
[SECURITY] [DSA 3064-1] php5 security update
 
[Appcheck-NG] Unpatched Vulnerabilities in Magento E-Commerce Platform
 

Posted by InfoSec News on Nov 05

http://www.nbcnews.com/news/investigations/ex-teen-hacker-tells-paris-hilton-hes-sorry-n239601

BY TOM WINTER, JEFF ROSSEN AND JOVANNA BILLINGTON
NBCNEWS.com
November 4, 2014

A former teen hacker who stole nude photos from Paris Hilton’s cellphone
and swiped a half million dollars from unsuspecting consumers tells NBC
News – and his most famous victim – that he’s sorry for what he did.

“Paris, I’m sorry I put your information...
 

Posted by InfoSec News on Nov 05

http://www.nextgov.com/defense/whats-brewin/2014/11/disa-compliance-cloud-security-standards/98120/

By Bob Brewin
Nextgov.com
November 4, 2014

The Defense Information Systems Agency currently offers its military
customers certified cloud computing services from three vendors and has
another seven under assessment for compliance with governmentwide security
standards, top agency officials told Nextgov.

FedRAMP reviews aim to speed the...
 

Posted by InfoSec News on Nov 05

http://gizmodo.com/report-a-flaw-in-visas-contactless-card-lets-anyone-ch-1653974432

By Kelsey Campbell-Dollaghan
Gizmodo.com
November 3, 2014

Contactless credit cards are a hit in the UK. But a British research team
has revealed a serious security flaw that allows anyone to charge up to
$999,999.99 in foreign currency to a nearby card, even while it's still in
a wallet or purse.

Contactless cards let you buy things without a pin, up...
 

Posted by InfoSec News on Nov 05

http://healthitsecurity.com/2014/11/04/cybersecurity-breaches-rise-healthcare/

By John Trobough
Health IT Security
November 4, 2014

The US healthcare industry has embraced its digital future — and that
future is dependent on the Internet. The passage and implementation of
recent legislation has mandated the adoption of connected healthcare
technology as a way to reduce costs, increase patient privacy, and improve
care collaboration and...
 

Posted by InfoSec News on Nov 05

http://news.techworld.com/security/3584204/popular-messaging-apps-fail-effs-security-review/

By Lucian Constantin
Techworld.com
04 November 2014

Some of the most widely used messaging apps in the world, including Google
Hangouts, Facebook chat, Yahoo Messenger and Snapchat, flunked a
best-practices security test by advocacy group the Electronic Frontier
Foundation (EFF).

The organization evaluated 39 messaging products based on seven...
 