Hackin9
[Onapsis Security Advisories] Multiple Hard-coded Usernames in SAP Components
 
[Onapsis Security Advisory 2014-020] SAP SLD Information Tampering
 
[slackware-security] libtasn1 (SSA:2014-156-02)
 
SEC Consult SA-20140606-0 :: Multiple critical vulnerabilities in WebTitan
 
[slackware-security] sendmail (SSA:2014-156-04)
 
[slackware-security] openssl (SSA:2014-156-03)
 

Dark Reading Radio: Breaking the Glass Ceiling in InfoSec
Dark Reading
Dark Reading Radio: Breaking the Glass Ceiling in InfoSec. Join the discussion about the challenges and rewards of being a woman in IT security from the vantage point of three accomplished security professionals. "Lean in," says Facebook COO Sheryl ...

 
As software vendors tend to do during their big annual user conferences, SAP made a lot of promises to customers this week at Sapphire. The overarching theme was a desire to make SAP's software simpler and its customers' lives easier.
 
A novel form of database that focuses on connections between entities, called a graph database, is finding a home in the health care industry.
 
As the science of robotics quickly advances, researchers say the lines between robots and humans are beginning to blur.
 
Google has unseated rival Microsoft as the leading browser maker in the U.S. for the first time, Adobe said this week, citing data from its analytics platform.
 
Vodafone has granted governments direct access to its networks in several countries, allowing them to listen to all conversations on those networks, the company said Friday.
 
At this year's WWDC, Apple showcased a variety of new technologies under the Continuity umbrella that take device communication to a more sophisticated level. Users are the winners, says columnist Michael deAgonia.
 
A debate in the U.S. about whether the National Security Agency should end its bulk collection of U.S. telephone and business records has come down to an argument over the meaning of the word "bulk."
 
Free snacks and on-site video games may help companies attract skilled IT workers, but speeding up the hiring cycle is also important. Drawn-out employee searches frustrate IT managers and prompt good candidates to accept jobs elsewhere.
 

Security researchers have documented another first in the annals of Android malware: a trojan that encrypts photos, videos, and documents stored on a device and demands a ransom for them to be restored.

The crudeness of Android/Simplocker, as the malicious app has been dubbed, suggests it's still in the proof-of-concept phase, Robert Lipovsky, a malware researcher for antivirus provider Eset, said in a recent blog post. The malware also addresses users in Russian and demands that payments be made in Ukrainian hryvnias, an indication that it targets only people in Eastern Europe. Still, the trojan—with its combination of social engineering, strong encryption, and robust Internet architecture—could be a harbinger of more serious and widespread threats to come. After all, the first Android trojans to make hefty SMS charges also debuted in the same region.

Once installed on a device, the app delivers the following message:

 
Mumble CVE-2014-0044 Denial of Service Vulnerability
 
Mumble CVE-2014-3756 Denial of Service Vulnerability
 
Mumble CVE-2014-0045 Heap Based Buffer Overflow Vulnerability
 
There's a huge demand for software development talent, both for core technologies like Java and .Net as well as in emerging tech areas like the Internet of Things and wearable tech.
 
Half of Angela Ahrendts' first allotment of stock grants vanished this week when Apple withheld them for tax purposes.
 
EMC Documentum Content Server CVE-2014-2507 Shell Command Injection Vulnerability
 
EMC Documentum Content Server Remote Privilege Escalation Vulnerability
 

Microsoft is expecting to release 2 critical and 5 important bulletins on Tuesday [1]. 

There are no patches scheduled for Windows XP even though CVE-2014-1770 does affect Internet Explorer 8, which is the last version of IE to run on Windows XP.

Preliminary Patch Table: (the bulletin numbers and anything else may change in the final release)

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|----------|-------------------------|----------------|----------------------|-----------------------|-----------------------|
| MS14-030 Cumulative Internet Explorer Update | Internet Explorer (CVE-2014-1770) | TBD | Vuln. known, but according to MSFT not yet exploited. | Severity: Critical, Exploitability: ? | Critical | Critical |
| MS14-031 Microsoft Office and Lync Remote Code Execution Vulnerability | Windows, Office, Lync (Client) | TBD | . | Severity: Critical, Exploitability: ? | Critical | Important |
| MS14-032 Microsoft Office Remote Code Execution Vulnerability | Microsoft Office | TBD | . | Severity: Important, Exploitability: ? | Critical | Important |
| MS14-033 Information Disclosure Vulnerability in Windows | Microsoft Windows | TBD | . | Severity: Important, Exploitability: ? | Important | Important |
| MS14-034 Information Disclosure Vulnerability in Lync Server | Lync Server | TBD | . | Severity: Important, Exploitability: ? | N/A | Important |
| MS14-035 Denial of Service Vulnerability in Windows | Microsoft Windows | TBD | . | Severity: Important, Exploitability: ? | Important | Important |
| MS14-036 Tampering Vulnerability in Windows | Microsoft Windows | TBD | . | Severity: Important, Exploitability: ? | Important | Important |

 

[1] https://technet.microsoft.com/library/security/ms14-jun

 

---
Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
An Australian company has made a big deal this week of taking umbrage at Apple's use of the name HealthKit. That's because the company is named HealthKit.
 
 
LinuxSecurity.com: A buffer overflow in Echoping might allow remote attackers to cause a Denial of Service condition.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Mumble, the worst of which could lead to arbitrary code execution.
 
LinuxSecurity.com: New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New sendmail packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New libtasn1 packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
libfep Local Privilege Escalation Vulnerability
 
Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]
 
[SECURITY] [DSA 2952-1] kfreebsd-9 security update
 
Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
 
Linux Kernel CVE-2014-3153 Local Privilege Escalation Vulnerability
 
Re: Bug in bash <= 4.3 [security feature bypassed]
 
[SECURITY] [DSA 2951-1] mupdf security update
 
A new study from the Everest Group reports that most global in-house offshore centers deliver more savings than offshore outsourcing.
 
Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found.
 
The U.S. Army warned Thursday that databases holding information on 16,000 South Korean civilian employees of the U.S. military and applicants for base jobs may have been compromised.
 
Apple's new retail chief, Angela Ahrendts, cashed in half of her first allotment of stock grants earlier this week, pocketing nearly $5.3 million just a month after starting to work at the Cupertino, Calif. company.
 
Safari on OS X Yosemite will mask most of a URL in its top-of-window address bar, following in the footsteps of Safari on iOS, and beating Google's Chrome, which is experimenting with the same design, to the desktop.
 
PC convertibles are not new, but Toshiba is releasing one that can change into seven different forms, thanks to its attachable keyboard and a 360-degree hinge.
 
FreeBSD CVE-2014-1453 Remote Denial of Service Vulnerability
 
Apple's just announced approach to home automation involves Homekit, an iOS 8 framework and network protocol for controlling devices in the home. But will it play nicely with others?
 
NASA is working to make science fiction a reality as it chose 12 advanced technologies to study, including a deep space submarine and the tech to capture a passing asteroid.
 

Posted by InfoSec News on Jun 06

http://www.nextgov.com/cybersecurity/2014/06/flaw-lets-hackers-control-electronic-highway-billboards/85849/

By Aliya Sternstein
Nextgov.com
June 5, 2014

The Homeland Security Department is cautioning transportation operators
about a security hole in some electronic freeway billboards that could let
hackers display bogus warnings to drivers.

"The vulnerability is a hard-coded password that could allow unauthorized
access to the highway...
 

Posted by InfoSec News on Jun 06

http://www.infosecnews.org/chester-nez-last-of-the-world-war-ii-navajo-code-talkers-passes-away-quietly-at-93/

By William Knowles
Senior Editor
InfoSec News
June 5, 2014

Chester Nez, the last original Navajo Code Talker, has passed away quietly
in his sleep at his Albuquerque home.

Nez served with the United States Marines in the Pacific and helped defeat
the Japanese by creating a code, using the Navajo language, and secret
words that was...
 

Posted by InfoSec News on Jun 06

http://www.itbusiness.ca/news/canadian-security-professionals-unsure-about-defenses-ponemon-study-finds/49183

By Candice So
itbusiness.ca
June 5, 2014

A little over half of Canada’s IT security professionals aren’t very
confident about their ability to defend against attacks – and 77 per cent
of them aren’t getting the support they need from the C-suite to protect
confidential data.

That’s according to a new survey from the...
 

Posted by InfoSec News on Jun 06

http://www.nationaljournal.com/congress/there-s-a-security-gap-at-the-capitol-and-it-s-as-troublesome-as-the-one-at-navy-yard-20140605

By Matt Vasilogambros
National Journal
June 5, 2014

On Sept. 23, as on most days, Aaron Alexis arrived at work at the
Washington Navy Yard. He drove up to the front gates, displaying his
parking pass and credentials. Sitting next to him was a backpack
containing a shotgun and shells. The bag was never...
 

Posted by InfoSec News on Jun 06

http://news.techworld.com/security/3523699/us-army-warns-of-database-breaches-in-south-korea/

By Jeremy Kirk
Techworld.com
06 June 2014

The U.S. Army warned Thursday that databases holding information on 16,000
South Korean civilian employees of the U.S. military and applicants for
base jobs may have been compromised.

The military became aware on May 28 that the Korean National Recruitment
System may have been breached, according to a...
 

Posted by InfoSec News on Jun 06

http://www.businessweek.com/articles/2014-06-05/infiltrate-conference-draws-hackers-spies-to-miami-beach

By Michael Riley
Business Week
June 05, 2014

Thomas Lim, the founder of a boutique company that sells cybermunitions
and hacking tools to governments and corporations around the world, has
mischievous taste in T-shirts. The one he’s got on, as he sits in the Art
Deco-style bar of Miami Beach’s famed Fontainebleau Hotel, says he’s a...
 

Posted by InfoSec News on Jun 06

Forwarded from: Conference Mailer <noreply (at) crypto.cs.sunysb.edu>

2014 ACM Cloud Computing Security Workshop (CCSW) at CCS

November 7, 2014, The Scottsdale Plaza Resort, Scottsdale, Arizona, USA.
http://digitalpiglet.org/nsac/ccsw14/

Platinum Sponsor: Microsoft Research

--------

Dear Colleagues,

ACM CCSW is back! The previous workshops were a tremendous success, with
over 100+ people in the audience, multiple sponsors (NSF,...
 

Posted by InfoSec News on Jun 06

http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/

By Dan Goodin
Ars Technica
June 5, 2014

A researcher has uncovered another severe vulnerability in the OpenSSL
cryptographic library. It allows attackers to decrypt and modify Web,
e-mail, and virtual private network traffic protected by the transport
layer security (TLS) protocol, the Internet's most widely used method for...
 