Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A driverless shuttle vehicle unveiled at CES can carry up to 10 people, learning any new route with a single trip and responding to rider stops when requested.
 
NASA researchers are working on a whole new kind of robot - one that is spherical, travels by rolling and could land on a planet by simply hitting the surface and bouncing.
 
Samsung introduced a 105-inch, curved-screen, Ultra High Definition TV at a pre-International CES news event, but the new product was upstaged when movie director Michael Bay walked offstage because of a problem with a teleprompter.
 

PrisonLocker Ransomware Emerges From Criminal Forums
Threatpost
Novice infosec/malware researcher and cybercrime analyst. C/C++ and currently polishing up my MASM.” PrisonLocker is written in C++. Malware Must Die suggests that the author may either be double dipping as a security researcher and a criminal, ...

 

Chinese Trader Relied On Inside Info, SEC Tells Jury
Law360 (subscription)
Law360, Chicago (January 06, 2014, 7:15 PM ET) -- A Chinese investment adviser reaped more than $8 million in illicit gains for himself and investors by trading on inside knowledge about the management-led buyout of pork processor Zhongpin Inc., the ...

 
LinuxSecurity.com: Multiple vulnerabilities have been found in Python, worst of which allows remote attackers to cause a Denial of Service condition.
 
LinuxSecurity.com: A vulnerability in Nagstamon could expose user credentials to a remote attacker.
 
LinuxSecurity.com: An error in Gajim causes invalid OpenSSL certificates to be accepted as valid.
 
LinuxSecurity.com: Updated ruby193-rubygem-actionpack packages that fix multiple security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Puppet could be made to overwrite files.
 
LinuxSecurity.com: A memory exhaustion vulnerability in ISC DHCP could lead to Denial of Service.
 
As car telematics systems become connected to the Internet, cars will become one more device on consumer mobile data plans. But connecting to the cloud also means vehicles will be aware of everything around them.
 
PC maker Asus is taking the Windows-Android hybrid concept to another level with a convertible laptop that can switch between the two OSes with the click of an on-screen button.
 
While Apple has called its Apple TV set-top box a "hobby," rival Roku has teamed up with two manufacturers to build its popular video streaming service directly into TVs. Columnist Ryan Faas weighs in on the consequences.
 

In Search Of A Warmer Security Blanket
Forbes
And the scariest of all of them is security. As Dave Piscitello, vice-president of security for ICANN, lamented in My 5 Wishes For Security In 2014, “Year-end security predictions are really hard for InfoSec practitioners, in no small part because so ...

 
AT&T will let media companies and other partners cover the cost of delivering some data over the carrier's mobile network, letting subscribers click on videos and other content without worrying about their monthly data caps.
 
When it comes to keeping its thousands of servers running smoothly, Facebook relies on the open source Chef configuration manager, modified slightly to handle the size of the social networking giant's huge infrastructure.
 

Security researchers have uncovered evidence of a new piece of malware that may be able to take gigabytes' worth of data hostage unless end users pay a ransom.

Discussions of the new malware, alternately dubbed PrisonLocker and PowerLocker, have been occurring on underground crime forums since November, according to a blog post published Friday by Malware Must Die, a group of researchers dedicated to fighting online crime. The malware appears to be inspired by CryptoLocker, the malicious software that wreaked havoc in October when it used uncrackable encryption to lock up victims' computer files until they paid hundreds of dollars for the decryption key.

PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single crime gang. What's more, PowerLocker might also offer several advanced features, including the ability to disable the task manager, registry editor, and other administration functions built into the Windows operating system. Screen shots and online discussions also indicate the newer malware may contain protections that prevent it from being reverse engineered when run on virtual machines.


 
AT&T, making sure that auto makers don't get all the credit for the smart cars of the future, called attention to AT&T's wireless network that will connect cars to powerful apps, content and data on distant servers.
 
Resolution fanatics hoping that 4K TVs will become cheaper got some welcome news from Sharp on Monday when it unveiled its Aquos 4K Ultra HD, with 60- and 70-inch versions priced at USD$4,999.99 and $5,999.99, respectively.
 
Revelations in 2013 about NSA surveillance and the power of big-data analytics suggest the age of privacy is over. But a new 'privacy death index' places us far from the tipping point.
 
Premier 100 IT Leader Juan Perez also answers questions on getting more funding for training and the pros and cons of being an IT specialist.
 
OEMs and Intel risk damaging both the Android and Windows ecosystems if they go through with plans to sell devices able to run software from both worlds, an analyst argued today.
 
Oracle has broadened the number of languages its social media analysis software supports, in a bid to appeal to enterprises with operations and customers across the world.
 
NASA has postponed tomorrow's scheduled launch of a commercial cargo mission to resupply the International Space Station for at least a day because of dangerously cold weather in Virginia.
 
Debian devscripts 'uscan' CVE-2013-6888 Remote Code Execution Vulnerability
 
WebYaST 'config/initializers/secret_token.rb' Local Privilege Escalation Vulnerability
 
Open-Xchange Security Advisory 2014-01-06
 

SANS Digital Forensics and Incident Response Training Event (DFIRCON)
SecurityInfoWatch
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...

 
The network security industry's legendary free thinker Bruce Schneier Monday said he's taken a job as CTO at Co3 Systems, but that this in no way will curtail his determination to speak and write candidly on important topics such as the National Security Agency's (NSA) practices.
 
Makers of cable boxes and video streaming devices will soon have the option of delivering 4K video with STMicroelectronics' new chips, which will decode the emerging HEVC video codec and support the HDMI 2.0 video delivery specification.
 
D-Link and Netgear have both announced so-called range extenders to improve the coverage of Wi-Fi networks based on the 802.11ac specification.
 
 
LinuxSecurity.com: Several vulnerabilities have been discovered in uscan, a tool to scan upstream sites for new releases of packages, which is part of the devscripts package. An attacker controlling a website from which uscan would attempt to download a source tarball could execute arbitrary code [More...]
 
LinuxSecurity.com: Jan Juergens discovered a buffer overflow in the parser for SMS messages in Asterisk. An additional change was backported, which is fully described in [More...]
 
LinuxSecurity.com: Multiple integer overflow vulnerabilities in Libgdiplus may allow remote attackers to execute arbitrary code.
 

World of Warcraft players have been hit with a malicious trojan that hijacks accounts even when they're protected by two-factor authentication, officials have warned.

The malware is infecting systems by posing as an installer of Curse, a legitimate add-on that helps players manage other World of Warcraft add-ons. On Friday, officials with WoW developer Blizzard warned that trojanized versions of Curse available on unofficial sites were posing as the authorized Curse client. Once installed on end-user computers, the imposter versions were being used to take over accounts. In some cases, users reported that their accounts were hijacked even after the passwords were changed and even when the accounts were protected by Authenticator, a two-factor authentication system that sends a temporary password to players' smartphones.

"We've been receiving reports regarding a dangerous trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," Blizzard officials wrote on Friday. "The trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."


 
Poppler 'JBIG2Stream::readSegments()' Method Denial of Service Vulnerability
 

SANS Institute Announces its First All-Digital Forensic and Incident Response ...
PR Newswire (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...

 
This is a guest diary submitted by Tomasz Miklas. Interested in providing a guest diary yourself? Please send a proposal (title/outline) using our contact form. Interested in becoming a handler and regular contributor? See our Handler Roadmap.
 
Some time ago I was asked to help with incident response for a small company. While the incident itself was not very exciting, the lessons learned were a bit more than a surprise. The victim was shocked at how spectacularly they had failed, even though they considered themselves to follow good security practices, or at least to be above the “low hanging fruit” category. This is a classic example of a false sense of security.
 
Key lessons learned:
  1. Running a hardened web server as a reverse proxy to protect the actual application is a great idea; however, if the application itself also listens on a publicly reachable TCP port, there is nothing to stop the attacker from going after the application directly, bypassing the proxy.
    (If possible, always bind applications to localhost only, or at least use the firewall to limit access to them. This is how the attacker got a foothold on the system: a known vulnerable web application, reached directly, bypassing the simple but effective virtual patching done by the reverse proxy.)
  2. Hard-coded passwords and password reuse - as it turned out, all of the IT systems and components used the same administrator password. The original password could be found in a publicly readable backup script on a compromised server located in the DMZ.
    (The backup process is one of the most sensitive elements of a system - should everything else fail, backups are all you have. Had privilege separation been implemented and properly used, the attacker wouldn’t have obtained the administrator’s password. Finally, there is no excuse for password reuse - password management applications are widely available and really easy to use.)
  3. Centralised logging can be very useful, especially when combined with some kind of log monitoring solution. Unfortunately it can also create extra work if, when reviewing logs from the incident, you notice that a large portion of the systems have their clocks off by minutes or hours.
    (Keeping all your system clocks in sync is really important. NTP clients do the job very well and are already built into most if not all network equipment and general purpose operating systems. Another thing to keep in mind is time zones - make sure all systems use the same time zone and, if possible, pick one that doesn’t observe Daylight Saving Time (DST), as DST has great potential to create additional issues or delays if the incident spans systems located in more than one country, especially if it happened around a DST change. Remember - simplicity is your friend.)

    Some interesting DST facts:
  • Different countries observe DST on different dates - for example, in the US, Mexico and most of Canada DST begins about two weeks earlier than in European countries.
  • China, which spans five time zones, uses only one time zone (GMT+8) and doesn’t observe DST.
  • In the Southern Hemisphere, where the seasons are the opposite of the Northern Hemisphere’s, so is DST - starting in late October and ending in late March.
  • Many countries don’t observe DST at all.
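The third lesson above (skewed clocks and mixed time zones) is where most of the correlation pain in an incident comes from. The script below is an added example, not part of the diary or any ISC tool: it takes a few constructed log lines in a hypothetical "host date time message" format, looks up each host's configured zone in a hypothetical inventory, undoes a measured clock skew for one host, and orders the events by true UTC time. It also shows how the same wall-clock reading maps to different UTC offsets in a DST-observing zone versus one that does not observe DST, which is the point of the DST facts listed above. Host names, zones, the skew value and the log lines are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample log lines in a hypothetical "<host> <local date> <local time> <message>"
# format. Each host stamps events with its own local clock and time zone, as in the diary.
SAMPLE_LOGS = """\
proxy01 2014-01-06 14:02:11 GET /app/login.php 200
app01 2014-01-06 14:05:48 login failed for user admin
app01 2014-01-06 14:05:51 login failed for user admin
backup01 2014-01-06 09:07:02 backup.sh started
dmz01 2014-01-06 15:03:13 new session from 203.0.113.7
"""

# Hypothetical inventory: the zone each host's clock is configured for.
HOST_ZONES = {
    "proxy01": "Europe/Warsaw",
    "app01": "Europe/Warsaw",
    "backup01": "America/New_York",
    "dmz01": "Europe/Warsaw",
}

# Hypothetical measured skew (host clock minus a trusted NTP reference): dmz01 runs an hour fast.
HOST_SKEW = {"dmz01": timedelta(minutes=60)}

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
STAMP_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Split one log line into (host, naive local datetime, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    host, stamp, msg = m.groups()
    return host, datetime.strptime(stamp, STAMP_FMT), msg


def to_utc(host, local_dt):
    """Attach the host's zone, convert to UTC, then subtract its known clock skew."""
    aware = local_dt.replace(tzinfo=ZoneInfo(HOST_ZONES[host]))
    return aware.astimezone(timezone.utc) - HOST_SKEW.get(host, timedelta(0))


def normalize(logs):
    """Return (host, utc_datetime, message) tuples sorted by true UTC time."""
    events = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        host, local_dt, msg = parse_line(line)
        events.append((host, to_utc(host, local_dt), msg))
    return sorted(events, key=lambda e: e[1])


def naive_order(logs):
    """Host order when sorting by raw local timestamps: the mistake the diary warns about."""
    events = [parse_line(l) for l in logs.splitlines() if l.strip()]
    return [host for host, _, _ in sorted(events, key=lambda e: e[1])]


def utc_offset_hours(zone_name, local_stamp):
    """UTC offset (in hours) that a zone applies at a given local wall-clock time."""
    local_dt = datetime.strptime(local_stamp, STAMP_FMT).replace(tzinfo=ZoneInfo(zone_name))
    return local_dt.utcoffset() / timedelta(hours=1)


if __name__ == "__main__":
    print("order by raw local clocks:", naive_order(SAMPLE_LOGS))
    print("order by corrected UTC time:")
    for host, utc_dt, msg in normalize(SAMPLE_LOGS):
        print(f"  {utc_dt.isoformat()} {host:9} {msg}")
    # DST shows up as a different offset for the same zone in January and July;
    # a zone without DST (Asia/Shanghai) keeps the same offset all year.
    for zone in ("Europe/Warsaw", "Asia/Shanghai"):
        for stamp in ("2014-01-06 12:00:00", "2014-07-06 12:00:00"):
            print(f"  {zone} at {stamp}: UTC{utc_offset_hours(zone, stamp):+.0f}")
```

Sorting by raw local time puts the backup job first and the DMZ session last; after zone conversion and skew correction the DMZ session actually falls a minute after the proxy request and before the failed logins, which is the kind of ordering error that sends an investigation down the wrong path. The example uses the standard library `zoneinfo` module, so it needs Python 3.9 or newer and a system tz database.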
 
-- 
Tomasz Miklas
Twitter: @tomaszmiklas
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Infosec Skills, BCS announce winners of Cyber Security Challenge
ComputerWeekly.com
Terry Neal, InfoSec Skills CEO, said: “As well as testing their current level of knowledge, these competitions showed candidates how broad these information security subjects really are. “We were delighted with the business savviness of our highest ...

 
SanDisk showed off a 64GB version of its Connect Wireless Flash Drive at the 2014 International CES show on Monday, an upgrade to a small drive announced last July that lets users send data such as photos and videos across platforms via Wi-Fi.
 
The arrival of Software Defined Networking (SDN), which is often talked about as a game changing technology, is pitting two industry kingpins and former allies against each other: Cisco and VMware.
 
Ubiquiti Networks UniFi Hostname Field HTML Injection Vulnerability
 
Tor Random Number Generation Weakness
 

Free cyberbullying webinar Jan 13. at 12 pm
PenBayPilot.com
This is ideal for parents, teachers, counselors, grandparents, Info-Sec specialists, police and anyone who needs to get up to speed quickly on the types of cyberbullying that may be affecting a child they care about. For more information: www.cyberslammed.

 
Freescale Semiconductor wants users to develop and test their own wearable devices with a mini-computer.
 
Google has teamed up with several auto manufacturers with the goal of bringing Android to cars by the end of this year.
 
Scammers are nothing if not innovative. It just goes to show that the best defense is an educated workforce.
 
[SECURITY] [DSA 2836-1] devscripts security update
 
[SECURITY] [DSA 2835-1] asterisk security update
 
IcoFX CVE-2013-4988 '.ico' File Remote Buffer Overflow Vulnerability
 
 
Yahoo said that malware spread by advertisements served by its European websites had not affected users in North America, Asia Pacific and Latin America as people in these locations were not served the advertisements.
 
Nvidia showed its new Tegra K1 graphics processor, which packs 192 GPU cores onto a single chip and promises to bring console-class graphics to smartphones and tablets.
 
Ever wanted to control your Crock-Pot with a phone?
 
Harman International introduced a new software kit for home and in-car entertainment systems that automatically discovers compressed music files and restores them to their original audio quality.
 
Ubuntu is moving into the rarified class of operating systems that cover x86/x64 clients and servers, ARM-based tablets/smartphones, and commodity cloud instances. Meaning that it's taking on everybody from Microsoft to Red Hat to Apple and Google.
 
Open source is free and widely available, but its benefits don't stop there. Enterprises are embracing it for its agility, a quality they value above all in these times of marketplace upheaval.
 
Lower average selling prices for millions of new smartphones and tablets will help keep the global market for technology in 2014 at 1% below the levels of last year, according to the Consumer Electronics Association.
 
Seagate said that its disk drive and data recovery service "Seagate Rescue" will now be offered through Staples stores. The company also unveiled 2TB and 4TB portable drives.
 
Microsoft support representatives have told Surface Pro 2 owners that a firmware update will be issued Jan. 14 to remedy multiple problems that cropped up after they installed a similar update a month ago.
 
libgdiplus for Mono File Processing Multiple Integer Overflow Vulnerabilities
 
Linux Kernel CVE-2013-6378 Local Denial of Service Vulnerability
 
 

Lok Sabha Polls 2014: Security experts concerned with election commission's ...
Daily Bhaskar
... intelligence agencies like NSA (National Security Agency) for global cyberspying, to provide electoral registration and facilitation services by providing them the whole database of registered voters in India," the Indian Infosec Consortium to ...

Google-Election Commission tie-up talks alarm cyber group
Business Standard
 
Internet Storm Center Infocon Status