Hackin9

ISC StormCast for Thursday, March 7th 2013 http://isc.sans.edu/podcastdetail.html?id=3169, (Thu, Mar 7th)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Apple Blocking Java Web plug-in, (Thu, Mar 7th)


Apple has released a security bulletin indicating they have updated the web plug-in blocking mechanism to disable versions of Java older than Java 6 update 41 and Java 7 update 15. Review the links below on how you might be affected.

[1] http://support.apple.com/kb/HT5677

[2] http://support.apple.com/kb/HT5660

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
 

Wireshark Security Updates, (Thu, Mar 7th)


Wireshark released updates for version 1.6.14 and 1.8.6 to fix several vulnerabilities (multiple CVEs have been fixed). See the Wireshark announcements for the complete list of fixes.

You can download the latest versions here.

[1] http://www.wireshark.org/lists/wireshark-announce/201303/msg00000.html

[2] http://www.wireshark.org/lists/wireshark-announce/201303/msg00001.html

[3] http://www.wireshark.org/download.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
 

Create a local file server with Kanex's meDrive

Kanex's meDrive is supposed to make it easy to set up a file server on your home network. It's a small device that you plug into your network router after you've attached your own USB storage device. But a few little quirks made using meDrive more trouble than it should've been.
 

Bill Clinton calls for healthcare price transparency, embracing IT to cut costs

Former President Bill Clinton on Wednesday called for transparency in healthcare pricing and addressing chronic disease epidemics such as obesity in order to drive down the cost of care for all. He also called for embracing IT and letting go of outmoded administrative systems.
 

Bugtraq: [ MDVSA-2013:018 ] openssl

[ MDVSA-2013:018 ] openssl
 

A wish list for Facebook's News Feed includes highlighted friends, improved mobile

Facebook is set to unveil an updated News Feed on Thursday and analysts have a wish list of changes that users might welcome.
 

Thanks, Oracle: New Java malware protection undone by old-school attack

by Dan Goodin

Researchers have found a shortcoming in key security protection recently introduced in the browser plugin for Oracle's Java software framework, a flaw that makes it easier for attackers to sneak malware onto end-user computers.

By default, the widely used plugin doesn't check the status of digital certificates used to sign Java apps hosted on websites, Ars Technica has confirmed. As a result, Java presents certificates as trustworthy even when they've been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light on Tuesday when a legitimate site was found hosting a malicious app. Java presented an accompanying certificate as a trusted credential belonging to Texas-based Clearesult Consulting Inc. even though the firm had issuer GoDaddy revoke the certificate in December.

"Java thinks the stolen certificate used is 100% valid and should be trusted," Jindrich Kubec, director of threat intelligence at antivirus provider Avast, wrote in an e-mail. Referring to certificate revocation lists and an alternate method for invalidating credentials known as the online certificate status protocol, he added: "With CRL/OCSP it would make it untrusted and probably present completely different dialogues or even won't allow running the applet at all—unfortunately, the situation is a bit complicated with testing this behaviour, so I can't tell for sure which of the above would be true."


 

Vuln: Oracle Java SE CVE-2013-0809 Remote Code Execution Vulnerability

Oracle Java SE CVE-2013-0809 Remote Code Execution Vulnerability
 

Bugtraq: Verax NMS Password Disclosure (CVE-2013-1631)

Verax NMS Password Disclosure (CVE-2013-1631)
 

Bugtraq: Verax NMS Hardcoded Private Key (CVE-2013-1352)

Verax NMS Hardcoded Private Key (CVE-2013-1352)
 

Bugtraq: Verax NMS Password Replay Attack (CVE-2013-1351)

Verax NMS Password Replay Attack (CVE-2013-1351)
 

IPv6 Focus Month: Guest Diary: Stephen Groat - Geolocation Using IPv6 Addresses, (Wed, Mar 6th)



Today we bring you a guest diary from Stephen Groat where he speaks about validating that IPv6 address tracking and monitoring are possible.

IPv6 designers developed a technique called stateless address autoconfiguration (SLAAC) to reduce the administrative burden of managing the immense IPv6 address space. Under the currently accepted definition of SLAAC implemented by most operating systems, a node's IPv6 address interface identifier (IID), or host portion, is deterministic across networks: for the last 64 bits, the node automatically configures an address on the basis of its network interface's media access control (MAC) address. Even operating systems that obscure addresses according to Request for Comments (RFC) 4941 contain a static IID used for neighbor solicitation. These static IIDs can identify a particular node, even as the node changes networks.



Using Virginia Tech's campuswide IPv6 production network, which supports more than 30,000 IPv6 nodes daily, we were able to validate that IPv6 address tracking and monitoring are possible. We tested an Android mobile device using MAC-based IIDs to form wireless IPv6 addresses.



[Figure 1]

The first part of our test involved tracking the mobile device as it moved around campus. Geotemporal tracking was possible because the campus network contains different subnets that cover different geographic areas. We programmed a script that continually sent echo requests to the different subnets on campus. When we received an echo reply, we stored its time and location. Figure 1 demonstrates the results of a successful tracking attempt.



The second part of our test involved traffic monitoring. Our goal was to demonstrate that we could isolate a node, regardless of subnet, and collect all of its associated network traffic. We placed a sensor at the network border to collect all IPv6 traffic leaving the network. Using a packet sniffer, we successfully filtered the traffic related to the node in question across different subnets.
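The two tests above both rest on one property: a MAC-derived IID stays constant while the /64 prefix changes. The following Python is an added example, not code from Stephen Groat's diary or from the Virginia Tech test. It derives the modified EUI-64 IID from a MAC the way RFC 4291 Appendix A specifies, builds the SLAAC address a host would take in each subnet, and then does the reverse: given a list of observed addresses, it recovers the IID-embedded MAC and groups sightings across subnets, which is the correlation the diary describes. It also includes the check a network defender wants, listing which of a host's addresses still expose a hardware-derived IID and so should be moved to RFC 4941 temporary addresses. The MAC, the prefixes and the sightings are constructed; the example covers only EUI-64 IIDs, not the static neighbor-solicitation IID the diary also mentions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC:
    insert ff:fe between the OUI and the device part, then flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted in the IID
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a MAC-based SLAAC host would configure in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits look like a modified EUI-64 IID, else None.
    A random (RFC 4941 temporary) IID will almost never carry the ff:fe marker."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


# Constructed test data: one device seen in three campus subnets, plus one
# temporary address (random IID) that should not be linkable to it.
MAC = "00:1a:2b:3c:4d:5e"  # constructed, not a real device
SIGHTINGS: List[Tuple[str, str, str]] = [  # (time, subnet label, observed source address)
    ("09:05", "library", str(slaac_address("2001:db8:10::/64", MAC))),
    ("10:40", "engineering", str(slaac_address("2001:db8:20::/64", MAC))),
    ("13:15", "dorm", str(slaac_address("2001:db8:30::/64", MAC))),
    ("13:20", "dorm", "2001:db8:30::8c2e:91a4:7f3d:1b06"),  # RFC 4941 style, constructed
]


def correlate(sightings) -> Dict[str, List[Tuple[str, str]]]:
    """Group sightings by recovered MAC across subnets (the diary's geotemporal
    trail). Addresses without a MAC-derived IID are not linkable and are skipped."""
    trail = defaultdict(list)
    for when, where, addr in sightings:
        mac = mac_from_address(addr)
        if mac is not None:
            trail[mac].append((when, where))
    return dict(trail)


def audit_stable_iids(addresses) -> List[str]:
    """Defender check: which addresses expose a hardware-derived IID and should
    be replaced by privacy (RFC 4941) addresses."""
    return [a for a in addresses if mac_from_address(a) is not None]


if __name__ == "__main__":
    for mac, trail in correlate(SIGHTINGS).items():
        print(mac, "->", trail)
    print("addresses exposing a MAC-derived IID:",
          audit_stable_iids([a for _, _, a in SIGHTINGS]))
```

Run stand-alone, the script prints one trail with three (time, subnet) entries for the constructed MAC and lists the three EUI-64 addresses; the temporary address stays unlinked, which is exactly why RFC 4941 privacy extensions defeat this correlation for the regular address (while, as the diary notes, a static IID used for neighbor solicitation can still remain).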



Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 

Facebook's new News Feed wish list includes mobile and highlighted friends

Facebook is set to unveil an updated News Feed on Thursday and analysts have a wish list of changes that users might welcome.
 

EU let Microsoft police itself on browser ballot promises

Europe's antitrust agency put Microsoft on the honor system, letting the company monitor its own compliance with a 2009 settlement that required it to offer other browsers to Windows users, the EU's top regulator admitted.
 

Bugtraq: [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples

[SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples
 

Bugtraq: Multiple XSS vulnerabilities in Events Manager WordPress plugin

Multiple XSS vulnerabilities in Events Manager WordPress plugin
 

Bugtraq: OS Command Injection in CosCms

OS Command Injection in CosCms
 

U.S. lawmakers introduce electronic surveillance reform bill

Three U.S. lawmakers have introduced a bill to provide more protection from government surveillance for people who store data in the cloud.
 

T-Mobile-MetroPCS merger passes key hurdle

T-Mobile USA is drawing closer to finishing its merger with MetroPCS Wireless as a deadline for action by the U.S. Department of Justice passed on Tuesday.
 

Vuln: WordPress Events Manager Plugin Multiple Cross Site Scripting Vulnerabilities

WordPress Events Manager Plugin Multiple Cross Site Scripting Vulnerabilities
 

Bugtraq: Verax NMS Authentication Bypass (CVE-2013-1350)

Verax NMS Authentication Bypass (CVE-2013-1350)
 

Bugtraq: Re: Kingcopes AthCon 2012 Slides & Notes --> Video online

Re: Kingcopes AthCon 2012 Slides & Notes --> Video online
 

Bugtraq: Varnish 2.1.5 DoS in fetch_straight() while parsing Content-Length header

Varnish 2.1.5 DoS in fetch_straight() while parsing Content-Length header
 

Bugtraq: Squid 3.2.5 httpMakeVaryMark() header value DoS, 2.7.Stable9 memory corruption.

Squid 3.2.5 httpMakeVaryMark() header value DoS, 2.7.Stable9 memory corruption.
 

Google+ launches updates to profile, local pages

Social network Google+ is launching some tweaks and updates to users' profile pages, as well as enabling local reviews.
 

Adaptec shows 12Gbps Serial Attached SCSI

The arrival of Serial Attached SCSI (SAS) at 12Gbps will be a boon for demanding applications such as databases, according to Adaptec by PMC, which is demonstrating the technology at Cebit.
 

Bugtraq: Varnish 2.1.5, 3.0.3 DoS in http_GetHdr() while parsing Vary header

Varnish 2.1.5, 3.0.3 DoS in http_GetHdr() while parsing Vary header
 

Bugtraq: SIP Witch 0.7.4 w/libosip2-4.0.0 DoS via NULL pointer dereference in libosip2

SIP Witch 0.7.4 w/libosip2-4.0.0 DoS via NULL pointer dereference in libosip2
 

Bugtraq: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc
 

Yahoo's Telecommuting Problem Is Management, Not Collaboration

Yahoo CEO Marissa Mayer's controversial decision to ban employees from working from home led some to question the value of social business tools. Two executives from social business providers say Yahoo's problem isn't about collaborating. It just needs to manage better.
 

ARM server maker offers cloud service to port x86 code

ARM processors are used mostly in smartphones, but Boston Limited is offering a service through which developers can port existing x86 applications to work on ARM servers, which can then be tested via a cloud service.
 

Bugtraq: [ MDVSA-2013:017 ] libxml2

[ MDVSA-2013:017 ] libxml2
 

Bugtraq: [SECURITY] [DSA 2639-1] php5 security update

[SECURITY] [DSA 2639-1] php5 security update
 

March 2013 OUCH! - Social Networking Safely http://www.securingthehuman.org/resources/newsletters/ouch/2013#march2013, (Wed, Mar 6th)


Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 

Bugtraq: Varnish 2.1.5 DoS in STV_alloc() while parsing Content-Length header

Varnish 2.1.5 DoS in STV_alloc() while parsing Content-Length header
 

Bugtraq: Varnish 2.1.5, 3.0.3 DoS in VRY_Create() while parsing Vary header

Varnish 2.1.5, 3.0.3 DoS in VRY_Create() while parsing Vary header
 

Microsoft pulls last lever, discounts Windows 8 to OEMs to spark sales

Microsoft has done something it's historically been loath to do: discount prices for the copies of Windows it sells to computer makers, online reports said today.
 

A giant, tethered tablet: Acer shows its Android Display

The Acer DA220HQL looks like a giant Android tablet, with its 1920 x 1080 pixel, 21.5-inch touch screen -- but you wouldn't want to carry it around.
 

Meet 60GHz Wi-Fi, the insanely fast future of wireless networking

Get ready for a ridiculous boost in wireless networking speed. Two camps are competing to deliver wireless components that are at least seven times faster than today's gigabit (IEEE 802.11ac) routers.
 

LinkedIn wins dismissal of lawsuit over massive password breach

Professional social networking service LinkedIn won the dismissal of a lawsuit seeking damages on behalf of premium users who had their log-in passwords exposed as a result of a security breach of the company's servers last year.
 

Samsung tops patent applicants in the EU

Samsung filed the most patent applications in Europe last year, according to figures released by the European Patent Office (EPO) on Wednesday.
 

How to blunt spear phishing attacks

According to Allen Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened a file that they weren't supposed to.
 

FreedomPop: Great idea that needs a better network

Shaw reviews the FreedomPop Photon.
 

OCZ aims to improve SQL Server performance with new acceleration card

OCZ Technology has started offering its ZD-XL SQL Accelerator to beta testers, a card that uses solid state drive (SSD) storage to improve the performance of SQL Server databases.
 

FoundationDB aims to consolidate NoSQL

In an effort to combine the best of two database technologies, startup FoundationDB has launched a new data store that it claims can offer the reliability of transactional databases and the scalability and speed of NoSQL.
 

Microsoft retreats from Office 2013 restrictive licensing

Microsoft today backpedaled from a sweeping change in its licensing for retail copies of Office 2013, saying that customers now have the right to move the software from one machine to another.
 

Ubuntu: 1756-1: Linux kernel vulnerabilities

LinuxSecurity.com: Several security issues were fixed in the kernel.
 

Ubuntu: 1755-1: OpenJDK 6 vulnerabilities

LinuxSecurity.com: OpenJDK could be made to crash or run programs as your login if it opened a specially crafted file.
 

Red Hat: 2013:0596-01: openstack-keystone: Moderate Advisory

LinuxSecurity.com: Updated openstack-keystone packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat OpenStack Folsom. [More...]
 

Red Hat: 2013:0595-01: openstack-packstack: Moderate Advisory

LinuxSecurity.com: An updated openstack-packstack package that fixes two security issues and several bugs is now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having moderate [More...]
 

Red Hat: 2013:0594-01: kernel: Low Advisory

LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
 

Mandriva: 2013:017: libxml2

LinuxSecurity.com: A vulnerability has been found and corrected in libxml2: A denial of service flaw was found in the way libxml2 performed string substitutions when entity values for entity references replacement was enabled. A remote attacker could provide a specially-crafted XML [More...]
 

Debian: 2639-1: php5: Multiple vulnerabilities

LinuxSecurity.com: Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]
 

Debian: 2638-1: openafs: buffer overflow

LinuxSecurity.com: Multiple buffer overflows were discovered in OpenAFS, the implementation of the distributed filesystem AFS, which might result in denial of service or the execution of arbitrary code. Further information is available at http://www.openafs.org/security. [More...]
 

Red Hat: 2013:0590-01: nss-pam-ldapd: Important Advisory

LinuxSecurity.com: Updated nss-pam-ldapd packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 

Red Hat: 2013:0589-01: git: Moderate Advisory

LinuxSecurity.com: Updated git packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 

Red Hat: 2013:0587-01: openssl: Moderate Advisory

LinuxSecurity.com: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 

Red Hat: 2013:0588-01: gnutls: Moderate Advisory

LinuxSecurity.com: Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 

Do NOT Tweet your #Vote: It could be Election Fraud!

by richi

Taking a picture of your ballot with your smartphone and posting it to social media may be illegal, depending on your state. It could even be a Class One felony...

 

Thinning the Dinosaur Herd: What's In Your Script Closet?

by RickCook

Scripts are the glue that tie together most IT organizations. The problem is, a lot of companies have far too much glue and it's gumming up the works. Scripts, written in dynamic languages or shell scripts, are generally an inefficient, resource heavy, and slow method of accomplishing tasks. You need to sort through your script closet and eliminate or replace the dinosaurs.

 

How Social Media Affects Corporate Operations

by LisaMorgan

Large companies are starting to adjust their operational strategies based on social network chatter. Take customer relationship management, for example. Rather than waiting for “enough” customer service representatives to report a problem that may spur management action, savvy businesses are using tweets and status updates to proactively minimize issues.

 

Relying on Public Cloud Alone is Not A Good Business Strategy: Analyst

by ToddWeiss

Instead, a hybrid approach, with a mix of public and private clouds, can better serve your company, says IT analyst Dan Maycock. A number of popular Web-based businesses learned that lesson in late October when a part of Amazon's public cloud went down.

 

OLPC Experiment Win? Or Just PR?

by richi

Nicholas Negroponte, the founder of the "failed" One Laptop Per Child foundation, is crowing about his latest experiment.

 

Who Really Sees Your Private Information Online? Should You Care?

by dreaknufken

From cookies to Google Streetview, Facebook photos to cellular providers, everyone these days is collecting your personal information. Here’s the primary ways that you're tracked online, and which methods should be cause for worry.

 

How Location-Based Technologies Could Change Your Business

by dreaknufken

Location-based technologies are cheaper and more accessible than ever. They enable your business to reach consumers in new ways. Whether you run a coffee shop or a dental office, chances are that your company can benefit from the revolution in location-based apps. 

 

Does your App use Broken SSL Encryption?

by richi

SSL is great, isn't it? SSL -- or TLS if you prefer -- lets us transact business, maintain our privacy, and do a whole host of things on the Web that we otherwise couldn't do. Worryingly though, German researchers have discovered that 8% of Android apps don't do SSL right...

 

Can A Gadget Save Your Life?

by Dponce80

One happy consumer trend is the growing number of devices that can help us improve our health. Some, like the six gadgets described here, can help save lives.

 

Re: The 30-year-long Reign of BIOS is Over: Why UEFI Will Rock Your IT

by name2

Fast Forward to 18:33 for the BUGS and Security Risks~!

 

Re: Can You Quit a New Job to Take a Better Offer?

by Jae

Job hopper is a rather derogatory word for this day and age. With the economy the way it is, people are going to accept the jobs that are given to them, even if it is way below their professional resume. When another job comes up with better pay and benefits it only makes sense to take that job. I'll be having to quit a job after a week for this very reason; I'm not looking for a quick buck, I'm looking to secure my finances for the future.

 

Re: The Top IT Certifications

by casey

Hi Steven,

 

I was wondering if this list is still accurate in the new year 2013. Any recommendations on some good combos of certs (e.g. CompTIA Security, LPIC-1, and RHCE)?

 

Re: Your GPU's “Fingerprint” Could Lead to New Security Methods

by nodnyl

NOTE:  I posted on your 2011 UEFI article, then saw it was over a year old.  Thinking you might not read that again, I'm posting it here, too.

 

The reason I'm writing this post is that I purchased a brand new h8-1420t with a 1TB HDD.  My intention was always to install a new SSD and put a second o/s on it - namely, W7/64.  The HDD is running w8 Pro/64.

 

I tried to use my usual procedures for accomplishing this, normally, simple task.  Secure Boot stopped me and I embarked upon a days search on how to get past it!  Just this morning, after carefully looking at the BIOS related startup menus, I decided that there must be some new control panels made for UEFI, and started looking for that.  I found your article.  You seem to be the expert I'm seeking!

 

How can I tell Secure Boot/UEFI that my new SSD is "part of the family"? The menus suggest there are keys or passwords - HP seems to own them. If they could destroy the computer, is there an interface where I can very simply tell Secure Boot that my SSD is OK and allow it to be used as a bootable disk? Then, I could have what I, the computer owner, want: W7 and W8 on two different disks, and dual-boot!!

A simple request, but we simple users are blind.

Thank you.

 

Re: How UEFI Will Change Your Computer Management

by nodnyl

The reason I'm writing this post is that I purchased a brand new h8-1420t with a 1TB HDD.  My intention was always to install a new SSD and put a second o/s on it - namely, W7/64.  The HDD is running w8 Pro/64.

 

I tried to use my usual procedures for accomplishing this, normally, simple task.  Secure Boot stopped me and I embarked upon a days search on how to get past it!  Just this morning, after carefully looking at the BIOS related startup menus, I decided that there must be some new control panels made for UEFI, and started looking for that.  I found your article.  You seem to be the expert I'm seeking!

 

How can I tell Secure Boot/UEFI that my new SSD is "part of the family"? The menus suggest there are keys or passwords - HP seems to own them. If they could destroy the computer, is there an interface where I can very simply tell Secure Boot that my SSD is OK and allow it to be used as a bootable disk? Then, I could have what I, the computer owner, want: W7 and W8 on two different disks, and dual-boot!!

A simple request, but we simple users are blind.

Thank you.

 

 

Re: How to Hire a Security Genius

by dain bramage

Hi, (please excuse the lag -- I've had serious tech issues lately, and just now decided to dump Evil OS in favor of one that actually works)

"Cryptocracy" is courtesy of late journalist Walter Bowart; I insert the banks, since they have been so closely interwoven from the word go, by the admission of folks who would know. As an aside: wouldn't it be fun to be able to get inside information on the markets -- or to be able to influence the markets, say, by staging coups, assassinations, corporate sabotage, etc? But no one in our Wall Street-founded CryptoBankocracy would ever use that power for personal gain, right? Riiiiiiiight!

You want evidence that the secret government is primarily organized to serve the ends of insiders rather than the American people? Gosh, where to start?

Allied High Commander & President Dwight D. Eisenhower (famous warning about "military-industrial complex" taking over)

Smedley Butler (Major General USMC - "War is a Racket")

Peter Dale Scott, Noam Chomsky - scholars documenting U.S. misdeeds around the globe

L. Fletcher Prouty (Colonel USAF, CIA, JCS staff; wikipedia notes "he retired from military service to become a banker")

Terry Reed (USAF, CIA contractor; participated in and meticulously documented CIA illegal gun/drug-running and Contra training during '80s)

Bo Gritz (Lt Col, Army Special Forces, also outed govt drug-running and other crimes)

Rodney Stich, Greg Palast (former federal investigators turned investigative reporters)

Many many others.

A saying in law is "falsus in uno, falsus in omnibus." Basically, if a witness lies in one point, he blows his credibility in all points. You can't trust a liar. If the U.S. government/secret government is shown to lie to us about its aims even just 10% of the time (which I believe to be a very low estimate), it loses its entitlement to our faith completely, since we never know which of its claims are true. In a court of law, you or I would also lose credibility for even a single lie -- not to mention, we would be prosecuted to the full extent of the law.

The entire [purported] premise of secrecy is that, in order to catch or avert a vast array of alleged amorphous conspiracies against the state, the state must out-conspire the alleged conspirators. If the agents of the state are themselves caught using the cover of secrecy to conspire against our well-being, where does that leave us? We cannot trust a thing they say. We don't know which of the alleged "threats" they constantly prattle about are bona fide, totally imaginary, or are predictable blowback from the actions of the cryptocracy itself. We should dismantle the whole "national security" apparatus and go back to the Constitution.

In the video I linked, the commenter's professed status (which seems to check out if you search his name) as ex-USAF/NSA linguist lends some credibility to his passion. Nowadays, you can find many bona fide cryptocracy alumni and scholars of U.S. foreign policy who will reinforce his statements -- not to mention academics as well.

 

Email Lessons From General Petraeus' Privates

by slfisher

Regardless of the moral issues surrounding married people sleeping around, people threatening perceived other lovers, and people stalking people they're supposed to protect, there's one thing most people will agree with: This isn't how government workers are supposed to be using email.

 

Keeping Your Business Secure in the Cloud: 10 Steps for Success

by ToddWeiss

The only way to keep your company's cloud operations secure is to watch over everything like a hawk. A new report from the Cloud Standards Customer Council can help your business keep all of your security concerns in check.

 

 

Making Change: The Future of Payments is Ease of Use

by LisaMorgan

The battle for digital wallet share is on. The proliferation of cards, e-wallets, apps, and other options has consumers’ and merchants’ heads spinning. While the trend is to digitize everything physical that now exists in wallets, not everyone agrees what the ideal solution is or how it should be implemented.

 

Re: Cleaning Out The Turkey Coop: What To Do After You Get Rid of an Incompetent Employee

by Earl

I am honestly not seeing how the author is an asshole. We had an employee who left a mess almost as described in the article. And when he was let go for committing a security breach, we spent over a year cleaning up the mess he had made. We're talking about:

 

1) Machines configured so badly we had to bring them down for an extended period just to fix them.

2) Tasks not done that were claimed to be done

3) Equipment purchased and then hidden away.

4) A total revamp of our security as he had violated security pretty badly.

 

He literally spent more time covering his tracks than doing actual work. And in the end it did change how we operate. There is more accountability now, so a fast talker like him cannot get away with what he got away with. So there was an upside.

 

EMail Voting Victim of Its Own Success

by slfisher

After Sandy, Gov. Chris Christie ordered, with just a few days' notice, that the state be prepared to accept voting via email. Unfortunately, it didn't work so well -- because it was too popular.

 

Donald Trump’s Twitter “seriously hacked,” tweets Lil Wayne lyrics

by Peter Bright

Exotically coiffured businessman and self-appointed Republican visionary Donald Trump is the owner of the latest high-profile Twitter account to be hacked. Trump joins the esteemed ranks of Burger King and Jeep, with both companies suffering compromised accounts in the last few days.

The Trump hack was less colorful and briefer than the Burger King takeover. A single tweet was sent quoting a song lyric from Lil Wayne's verse in the will.i.am ditty "Scream & Shout." Trump appeared to declare, "These hoes think they classy, well that's the class I'm skippen."

Unamused by the hack—and perhaps cognizant of the serious reputation damage being outed as a will.i.am listener could cause—Trump later tweeted, "My Twitter has been seriously hacked--- and we are looking for the perpetrators." He went on to warn such exploits could render Twitter "irrelevant."


 

Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped

by Jacqui Cheng

iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you're wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. iPhoneDevSDK is now, however, working with Facebook's security team in order to share information about what happened.

"We were alerted through the press, via an AllThingsD article, which cited Facebook. Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach," wrote iPhoneDevSDK admin iseff.

"What we've learned is that it appears a single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain user's computers," he went on. "We're still trying to determine the exploit's exact timeline and details, but it appears as though it was ended (by the hacker) on January 30, 2013."


 

“il0vetheWhopper” doesn’t cut it: Twitter calls for tougher passwords

by Dan Goodin

Amid the ongoing epidemic of hacks and account breaches at major companies and online services, Twitter officials are once again reminding users how to beef up the security of their passwords.

A blog post published Tuesday night by Twitter Director of Information Security Bob Lord came a day after the official Twitter account for Burger King was hacked by pranksters who used their unauthorized access to publish tweets falsely claiming the fast food chain had been sold to arch-rival McDonald's. Lord's post also followed a similar compromise of Jeep's Twitter account, resulting in the Chrysler division's logo being replaced with one belonging to competitor Cadillac. The account takeovers came almost three weeks after hackers pierced Twitter's defenses and stole cryptographically protected password data belonging to some 250,000 users.

Lord didn't say how the Burger King and Jeep accounts were taken over, although he did go on to cite some frequently repeated password advice. Chief among the recommendations: use a password that's a minimum of 10 characters and includes upper- and lower-case letters, numbers, and symbols. This advice is good, but as Ars demonstrated in August, many passcodes that meet these criteria remain easy pickings for crackers.


 

How Anonymous accidentally helped expose two Chinese hackers

by Nate Anderson

How did security firm Mandiant put names to two previously unknown Chinese hackers who, it says, steal American corporate secrets for the Chinese government? With a little inadvertent help from Anonymous.

Mandiant's 74-page report covers a particular hacking group referred to as "APT1" and contends that the group works for or under the direction of the Chinese government as part of the military's secretive "Unit 61398." The report ties a huge string of hacks over the last few years to Unit 61398 and goes on to show the building where the hacks might be hatched. The report is stuffed with detail uncommon in these types of stories, and even includes a translated Chinese document showing a local telecom company agreeing to Unit 61398's request for additional fiber optic connections in the name of state security.

The Mandiant researchers then tried to go one step further, putting at least a few real names to the coders involved. (BusinessWeek recently did something similar, with fascinating results.) Mandiant began with a malware coder who goes by the name "UglyGorilla"—a name which is left repeatedly in code tied to the APT1 group.


 

Facebook, Twitter, Apple hack sprung from iPhone developer forum

by Sean Gallagher

iPhone Dev SDK, the web forum that was at the center of the hack of Facebook and other companies in January.

The website used to infect engineers at Facebook with espionage malware has been identified as an iPhone developer forum by people close to the investigation into the hacking incident.

That page, at the iPhone developer website iphonedevsdk.com, was used to expose visitors to a previously undocumented vulnerability in Oracle's Java browser plugin. The "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site. Ars readers shouldn't visit the site because it may still be compromised.

iphonedevsdk.com is an example of a "watering hole" attack. These attacks compromise a site popular with a population of desired hacking victims, using security vulnerabilities to install code on the Web server hosting it, which injects attacks into the HTML sent to its visitors. In this case, the site, which hosts a Web forum for iPhone developers, netted the hackers access to the computers of software engineers and developers working on mobile application projects for a number of companies, including Facebook. The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers. The source requested anonymity because he was not authorized to provide the details to the press.


 

Unusually detailed report links Chinese military to hacks against US

by Dan Goodin

The emblem of the People's Liberation Army.

Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.

The 74-page study is only the latest report to lay a battery of computer intrusions at the feet of hackers linked to China's government or military apparatus. But until now, many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations. Given the anonymity that shrouds most network intrusions, critics have pointed out, the use of Chinese domain names, IP addresses, and localized language in computer espionage campaigns could almost as easily have been chosen by perpetrators from other countries who want to divert the attention of investigators.

The Mandiant report is largely a response to these critics. It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the "Comment Crew." IP addresses that have been used for years in espionage hacks map to the immediate surroundings of the building. The tower also happens to be the headquarters for the People's Liberation Army's Unit 61398, which was described in 2011 as the "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence" by the Virginia-based nongovernmental organization known as the Project 2049 Institute. Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.


 

Apple HQ also targeted by hackers, will release tool to protect customers

by Jacqui Cheng

Apple says a "small number" of computers on its Cupertino campus were attacked by hackers, according to Reuters. The hack appears to exploit the same Java vulnerability that recently compromised computers at Facebook. “There is no evidence that any data left Apple," the company reportedly said.

According to the Reuters exclusive, Apple is currently working with law enforcement to identify the hackers. (The company has since also confirmed to Macworld the same details.) The company also said it planned to release software on Tuesday that would help Mac users keep their own machines safe. But assuming the exploit is indeed the same one used at Facebook, the attackers may not be able to get to many Mac users in the first place. Following last year's Flashback malware scare, many Mac users disabled or uninstalled Java on their machines. Apple has also removed the Java plugin from all Mac-compatible Web browsers and blacklisted Java browser plugins on OS X twice this year already in order to prevent critical exploits.

The incident follows a recent series of attacks targeting The New York Times, The Wall Street Journal, and other publications. Various attacks in the past months have also hit Twitter and Facebook (Facebook told Ars last week how the hack unfolded). Among other things, the hack used a compromised, third-party website for mobile developers to exploit a previously unknown vulnerability in Java, causing anyone who visited with Java enabled to become infected.


 

Facebook computers compromised by zero-day Java exploit

by Sean Gallagher

Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware. In an exclusive interview with Ars Technica, company officials said that the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers. But other companies who were affected by the same hacking campaign may not have been so lucky.

Facebook's internal security team worked with a third party to "sinkhole" the attackers' command server, taking over the network traffic coming into it from systems infected by its malware. They discovered traffic coming from several other companies, according to Facebook Chief Security Officer Joe Sullivan. Facebook notified those companies of the attack, and it has turned the case over to federal law enforcement. An investigation is still ongoing. While some of the affected companies were aware of an ongoing attack, others were unaware of the problem before being notified by Facebook.

The attack was discovered when a suspicious domain was detected in Facebook's Domain Name Service request logs. According to Sullivan, the requests were tracked back to the laptop of an engineer working on mobile application development projects. Forensic analysis of the files on the laptop led to the discovery of a number of other compromised systems.


 

iOS 6.1 brings back bug that gives anyone access to your contacts, photos (Update)

by Chris Foresman

An old vulnerability in the iPhone's lock screen and Emergency Call feature appears to have resurfaced for a third time in iOS 6.1. With the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected.

A similar bug first appeared in iOS 2.0. That version of iOS added optional user-selectable actions for double-clicking the Home button, with the default to access a user's contact favorites. By clicking the Emergency Call button on an iPhone's lock screen and then double-clicking the Home button, the Phone app would show the list of your favorite contacts. From there, it was possible to access call logs, voicemails, and any contact; send SMS messages; send or read e-mails; and even launch Safari.

Apple fixed the flaw in iOS 2.1, but it popped up again in iOS 4.1. The sequence of actions was a little more complex, however. It required dialing a random number for an emergency call and then hitting the hardware lock button. Doing so would allow the standard Phone app UI to appear once again, giving a potential hacker access to call logs, voicemails, and contacts.


 

Evernote resets user passwords after being hit by “coordinated” hack

by Nathan Mattise

Evernote is requiring each of its 50 million users to reset their login credentials after the site's security team detected a security breach that exposed password data and other personal information.

In a security notice published Saturday, Evernote said the precautionary password reset came after an investigation found no evidence of any stored content being accessed, changed, or lost. The advisory also stated that payment information wasn't accessed. However, Evernote warned that user information—including usernames, cryptographically protected passwords, and e-mail addresses—was accessed. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption," the statement noted. "(In technical terms, they are hashed and salted.)"

Evernote's decision to cryptographically hash and salt this information is important in the wake of this digital break-in, because the technique makes the information slightly more time-consuming to crack. That can buy a security team time in the hours or days following the discovery of a breach. (For a more detailed explanation of the techniques, see Ars Security Editor Dan Goodin's feature "Why passwords have never been weaker—and crackers never been stronger.") Even with that protection in place, resetting all the passwords remains a necessary precaution.


 

Apple blacklists older versions of Flash plugin due to security risk

by Jacqui Cheng

Just as it did with some versions of Java, Apple has now blocked older versions of Adobe's Flash plugin to protect Mac users from security risks. In a new support document posted to its website on Friday, Apple explained that it has already updated its plugin blocking tool built into Safari—users don't need to lift a finger.

"To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player," the company wrote.

Earlier this year, Apple blacklisted the latest version of Java—twice—due to security vulnerabilities. But Flash comes with its own security risks: Adobe issued an emergency Flash update earlier this month due to similar vulnerabilities on OS X and Windows, with another emergency update issued again three days ago. Like the Java holes, the Flash vulnerabilities allow remote attackers to surreptitiously install malware on vulnerable machines.


 

Another Java zero-day exploit in the wild actively attacking targets

by Dan Goodin

Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation."

The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits that were later linked to a developer website that itself had been hacked and turned into a platform for exploiting zero-day vulnerabilities in Java. Microsoft has also said its computers were hacked in a manner consistent with the same attack. Oracle says Java runs on three billion devices, although only Java browser plugins have been targeted in the string of exploits.


 

“Download this gun”: 3D-printed semi-automatic fires over 600 rounds

by Cyrus Farivar

The white portion of this AR-15, known as the "lower," was manufactured using 3D printing.

Cody Wilson, like many Texan gunsmiths, is fast-talkin’ and fast-shootin’—but unlike his predecessors in the Lone Star State, he’s got 3D printing technology to help him with his craft.

Wilson’s nonprofit organization, Defense Distributed, released a video this week showing a gun firing off over 600 rounds—illustrating what is likely to be the first wave of semi-automatic and automatic weapons produced by the additive manufacturing process.

Last year, his group famously demonstrated that it could use a 3D-printed “lower” for an AR-15 semi-automatic rifle—but the gun failed after six rounds. Now, after some re-tooling, Defense Distributed has shown that it has fixed the design flaws and a gun using its lower can seemingly fire for quite a while. (The AR-15 is the civilian version of the military M16 rifle.)


 

Exploit lets websites bombard visitors’ PCs with gigabytes of data

by Dan Goodin

A Web developer has demonstrated a simple-to-execute exploit that allows websites to surreptitiously bombard visitors' storage devices with gigabytes of junk data.

As its name suggests, FillDisk.com loads an almost unlimited amount of data onto hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer, and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site.

FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives. The functionality can be useful when end users are filling out long forms; if the browser crashes before the form has been completed, the data that's already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can't abuse the feature by writing unlimited amounts of data.


 

Oakland mayor apologizes for promoting local lockpicking class

by Cyrus Farivar

The City of Oakland is both wonderful and problematic, as Ars editor Joe Mullin and I can attest, given that we're both denizens of this fine city. It has incredible natural beauty and vibrant culture, but also a notoriously mismanaged police department and a climbing crime rate.

It’s understandable, then, that some Oakland residents would be slightly annoyed at an upcoming workshop entitled “Introduction to Lockpicking,” which was mentioned in Mayor Jean Quan’s weekly newsletter (PDF) this week. The class is one of a larger "Workshop Weekend," to be held at Tech Liminal, an Oakland co-working space, and Sudoroom, a relatively new hackerspace in downtown Oakland. (Disclosure: I am a paying member at Sudoroom.)

According to the Oakland Tribune, some Oaklanders are miffed that the city would seem to endorse such a practice—the mayor has subsequently apologized.


 

Bizarre old-school spyware attacks governments, sports Mark of the Beast

by Dan Goodin

One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.


 

Adobe releases third security update this month for Flash Player

by Dan Goodin

Adobe has released an emergency security update for its widely used Flash media player to patch a vulnerability being actively exploited on the Internet. The company is advising Windows and Mac users to install it in the next 72 hours.

An advisory the software company issued on Tuesday said only that affected Flash flaws "are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." It identified the bugs as CVE-2013-0643 and CVE-2013-0648 as indexed in the common vulnerabilities and exposures database. The advisory added the exploits targeted the Firefox browser. A spokeswoman said no other attack details are available.

Adobe's advisory assigns a priority rating of 1 to Flash versions that run on Microsoft Windows or Mac OS X computers. The rating is reserved for "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The priority for Linux users carries a rating of 3, which is used to designate "vulnerabilities in a product that has historically not been a target for attackers."


 

Revealed: Stuxnet “beta’s” devious alternate attack on Iran nuke program

by Dan Goodin

Researchers have uncovered a never-before-seen version of Stuxnet. The discovery sheds new light on the evolution of the powerful cyberweapon that made history when it successfully sabotaged an Iranian uranium-enrichment facility in 2009.

Stuxnet 0.5 is the oldest known version of the computer worm and was in development no later than November of 2005, almost two years earlier than previously known, according to researchers from security firm Symantec. The earlier iteration, which was in the wild no later than November 2007, wielded an alternate attack strategy that disrupted Iran's nuclear program by surreptitiously closing valves in that country's Natanz uranium enrichment facility. Later versions scrapped that attack in favor of one that caused centrifuges to spin erratically. The timing and additional attack method are a testament to the technical sophistication and dedication of its developers, who reportedly developed Stuxnet under a covert operation sponsored by the US and Israeli governments. It was reportedly personally authorized by Presidents Bush and Obama.

Also significant, version 0.5 shows that its creators were some of the same developers who built Flame, the highly advanced espionage malware also known as Flamer that targeted sensitive Iranian computers. Although researchers from competing antivirus provider Kaspersky Lab previously discovered a small chunk of the Flame code in a later version of Stuxnet, the release unearthed by Symantec shows that the code sharing was once so broad that the two covert projects were inextricably linked.


 

Researchers find yet another way to get around iOS 6.1 passcode

by Jacqui Cheng

There's a second passcode lock vulnerability in iOS 6.1, according to Vulnerability Lab CEO Benjamin Kunz Mejri (hat tip to Kaspersky Lab's threatpost). Mejri had recently outlined the vulnerability in an e-mail to the Full Disclosure list, highlighting yet another way for attackers to get past the lock screen and access a user's contacts, voicemails, and more.

Yet another iOS 6.1 passcode bug.

As detailed by Mejri, this new bug appears to be slightly different from the one highlighted earlier this month. The two start out in a similar way—by following a set of steps that utilizes the Emergency Call function in addition to the lock/sleep button and the screenshot feature. When making an emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.

The difference between the first exploit and this one is how it can make the iPhone screen go black, allowing an attacker to plug the device into a computer via USB and access the user's data without having their PIN or passcode credentials.


 

Java’s latest security problems: New flaw identified, old one attacked

by Jon Brodkin

A flaw identified in the latest version of Java allows for a complete bypass of the Java security sandbox, a security firm reported today. Meanwhile, a security hole recently fixed by Oracle is being targeted by attackers, underscoring the importance of installing patches quickly.

The security firm Security Explorations said today that it sent a "Vulnerability Notice along with a Proof of Concept code" to Oracle, and that Oracle has confirmed receiving the notice. "The company informs that it will investigate based on the data provided and get back to us soon," Security Explorations said.

Security Explorations CEO Adam Gowdiak told Softpedia that it tested the flaw in the original release of Java 7, as well as in Java 7 Updates 11 and 15. Java 7 Update 15 is the latest version released last week. "When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox," Softpedia wrote.


 

Server hack prompts call for cPanel customers to take “immediate action”

by Dan Goodin

The providers of the cPanel website management application are warning some users to immediately change their systems' root or administrative passwords after discovering one of its servers has been hacked.

In an e-mail sent to customers who have filed a cPanel support request in the past six months, members of the company's security team said they recently discovered the compromise of a server used to process support requests.

"While we do not know if your machine is affected, you should change your root level password if you are not already using SSH keys," they wrote, according to a copy of the e-mail posted to a community forum. "If you are using an unprivileged account with 'sudo' or 'su' for root logins, we recommend you change the account password. Even if you are using SSH keys we still recommend rotating keys on a regular basis."


 

Microsoft joins Apple, Facebook, and Twitter; comes out as hack victim

by Peter Bright

Facebook, Twitter, Apple, and now Microsoft. Redmond has announced that it too has found compromised computers on its network.

A brief statement on its Security Response Center blog states that a small number of computers—with machines in the Mac Business Unit mentioned explicitly—were compromised using techniques "similar" to those documented by other victims, implying, but not outright stating, that the attack vector was a Java exploit placed on a popular iOS development site.

Microsoft says that no customer data was exposed, and it is continuing to investigate.


 

HTC “failed to employ reasonable security” on Android, says FTC

by Cyrus Farivar

On Friday, the Federal Trade Commission (FTC) announced that it had reached a settlement (PDF) with HTC over notable security holes on its millions of tablets and Android handsets. HTC has now agreed to provide a patch within 30 days and be subject to a security review for the next 20 years.

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,” the agency wrote in its complaint (PDF).

The agency also alleged that HTC’s user manuals “contained deceptive representations." The FTC said that the Tell HTC application, which lets users report errors to HTC, does not actually allow users to opt out of sharing their location, despite a displayed option to do so.


 

Oracle releases new Java patch to address this week’s McRat problem

by Nathan Mattise

Oracle has released an emergency Java patch addressing the latest in-the-wild exploit targeting the software. The company suggests users apply this update "as soon as possible" due to "the severity of these vulnerabilities." The full patch description and download is available through Oracle's Technology Network (you can also get the patch through the software's auto-update).

This particular vulnerability is being exploited to install a remote-access trojan dubbed McRat. The attacks targeted Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. Security Editor Dan Goodin reported on the issue just three days ago, as attacks were being triggered when people with a vulnerable Java version visited a booby-trapped website.

It almost goes without saying—Java security has left something to be desired lately. High profile companies such as Facebook, Apple, and Twitter all fell at the hands of Java recently. These businesses disclosed that their computers were compromised by exploits later linked to a developer website hacked into a platform for Java exploits. Here at Ars, you can peruse nine separate stories involving Java exploits within the last month alone.


 

Critics: Substandard crypto needlessly puts Evernote accounts at risk

by Dan Goodin

Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.

The scrutiny of Evernote's security comes two days after Evernote officials disclosed a breach that exposed names, e-mail addresses, and password data for the service's 50 million end users. Evernote blog posts published over the past few years show that the company protects passwords and sensitive user data with encryption algorithms and schemes that contain known weaknesses. That is prompting criticism that the company's security team isn't doing enough to protect its customers in the event that hackers are able to successfully compromise the servers or end-user phones.

The chief complaint involves Evernote's use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. Use of MD5 to store passwords has long been frowned on by security experts because the algorithm is an extremely fast and computationally inexpensive way to convert plaintext such as "password" into a unique string of characters such as "5f4dcc3b5aa765d61d8327deb882cf99." MD5 makes an attacker's job of cracking the hashes much easier by allowing billions of guesses per second, even on computers of relatively modest means.
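As an added illustration of the two points made in the Evernote items above (salting and hashing buys a security team time after a breach, and MD5 is too fast to serve that purpose), this Python script measures the single-core guess rate of plain MD5 against a salted, iterated PBKDF2-SHA256 store. It is example code, not Evernote's or Ars Technica's; the 100,000-iteration work factor and the `algorithm$iterations$salt$digest` storage format are assumptions of the example, and the only value taken from the article is the MD5 digest of "password".

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed sample values; the digest is the one quoted in the article.
SAMPLE_PASSWORD = "password"
SAMPLE_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"

# Assumption of this example: a work factor for the slow hash.
PBKDF2_ITERATIONS = 100_000


def md5_hash(password: str) -> str:
    """Unsalted, single-pass MD5: the scheme the article criticizes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored in a self-describing string (example format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the stored hash from its own parameters and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(hash_fn: Callable[[str], str], trials: int) -> float:
    """How many candidate passwords one core can hash per second with hash_fn."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"candidate{i}")
    return trials / (time.perf_counter() - start)


def slowdown_factor(md5_trials: int = 20_000, pbkdf2_trials: int = 10) -> float:
    """Ratio of MD5 guess rate to PBKDF2 guess rate: how much harder cracking gets."""
    fixed_salt = b"\x00" * 16  # constant salt only so the timed function takes one argument
    md5_rate = guesses_per_second(md5_hash, md5_trials)
    pbkdf2_rate = guesses_per_second(lambda p: pbkdf2_hash(p, fixed_salt), pbkdf2_trials)
    return md5_rate / pbkdf2_rate


if __name__ == "__main__":
    assert md5_hash(SAMPLE_PASSWORD) == SAMPLE_MD5
    stored = pbkdf2_hash(SAMPLE_PASSWORD)
    print("stored record:", stored)
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, stored))
    print("verify wrong password:  ", pbkdf2_verify("Password", stored))
    print(f"MD5 guess rate: {guesses_per_second(md5_hash, 20_000):,.0f}/s on one core")
    print(f"PBKDF2 is roughly {slowdown_factor():,.0f}x slower per guess")
```

The ratio printed at the end is the per-core cost an attacker must pay for every guess against the leaked database; on GPU hardware the MD5 side scales far further than shown here, which is the article's point.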


 

Vuln: Google Chrome Multiple Security Vulnerabilities

 

EU fines Microsoft $732M over browser ballot debacle

European Union antitrust officials today hit Microsoft with a $732 million fine for failing to live up to a 2009 settlement that requires it to offer Windows users a choice of alternate browsers.
 

Samsung's lock screen grants unauthorised insights

A home screen contains anything that a user wants to access quickly. If the home screen can be viewed even though the phone is locked, a potential intruder can quickly find out a number of personal details.


 

Vuln: Linux Kernel VFAT Filesystem Local Buffer Overflow Vulnerability

 

Asprox botnet proves to be a resilient foe

A botnet that has been in the eye of researchers for years continues to serve up malware, spam and fake antivirus software, according to research by Trend Micro.
 

Asus: Windows 8 acceptance still low, but touch-based notebooks performing well

Touch-based Windows 8 notebooks have been selling well for Taiwanese PC maker Asus, but overall Microsoft's new operating system has yet to find a major following, the company said.
 

Following hack, Evernote speeds move to two-factor authentication

Evernote is speeding up its plans to offer two-factor authentication to users following a recent data breach that exposed user names, email addresses and encrypted passwords.
 

Google's latest Android browser promises faster surfing

Faster Web browsing and lower data use might be on the cards for Android mobile phone users if they download a new version of the Chrome Web browser offered by Google.
 

U.S. military networks not prepared for cyber threats, report warns

The U.S. is dangerously unprepared to face a full-scale cyber conflict launched by a peer adversary, a report by the military's Defense Science Board (DSB) warns.
 

Physicians may be marginalized as mobile tech engages us in healthcare

Dr. Eric Topol, a cardiologist and professor of genomics, took aim at the medical community, calling for an end to paternalistic medicine and annual checkups and the beginning of consumer-centered healthcare, where patients own their own data, including their genomes, for drug treatment.
 

Six useful JavaScript libraries for maps, charts and other data visualizations

These JavaScript libraries can help format your data for analysis or a compelling online presentation.
 

U.S. lawmaker introduces bill to legalize cellphone unlocking

A U.S. senator has proposed a bill that would allow consumers to unlock cellphones for use on other networks, after the administration of President Barack Obama backed over 114,000 petitioners who asked the government to legalize the unlocking of smartphones.

D-Link fixes router vulnerabilities very quietly

Unless the latest firmware has been installed, the DIR-645 router can divulge the administrator password in plain text. The improved firmware has been available since autumn.

Samsung locks up Sharp as long-time screen provider

Japan's Sharp has secured a US$110 million lifeline investment from Samsung Electronics, and agreed to become a major supplier of screens for the South Korean company's growing electronics empire.
 

Vuln: JSON Denial of Service and Security Bypass Vulnerabilities


Vuln: rpi-update Insecure Temporary File Handling and Security Bypass Vulnerabilities


PHEARCON Call For Papers

Posted by InfoSec News on Mar 05

Forwarded from: AA <anarchy.ang31 (at) gmail.com>

::[ About ]::

http://www.phearcon.org

PHEARCON is a hacking conference based in Milwaukee, Wisconsin with the
goal of bringing hackers together under one roof to learn, hack, and
party!

::[ When / Where ]::
October 12th @ 10am
[-]location[-]
Bucketworks
706 S 5th St.
Milwaukee, WI. 53204

::[ Format ]::
One main track that will host 8 50-60 minute talks.
One turbo track that will host 8...
 

Surprise Visitors Are Unwelcome At The NSA's Unfinished Utah Spy Center (Especially When They Take Photos)

Posted by InfoSec News on Mar 05

http://www.forbes.com/sites/kashmirhill/2013/03/04/nsa-utah-data-center-visit/

By Kashmir Hill
Forbes Staff
Forbes.com
03/04/2013

Most people who visit Salt Lake City in the winter months are excited about
taking advantage of the area’s storied slopes. While skiing was on my itinerary
last week, I was more excited about an offbeat tourism opportunity in the area:
I wanted to check out the construction site for “the country’s biggest...
 

Gang arrested for hacking Dubai exchange companies' accounts

Posted by InfoSec News on Mar 05

http://gulfnews.com/news/gulf/uae/crime/gang-arrested-for-hacking-dubai-exchange-companies-accounts-1.1153543

By Bassma Al Jandaly
Senior Reporter
GulfNews.com
March 3, 2013

Dubai: The Dubai Police have arrested a cyber crime gang who were able to
transfer more than Dh7 million from exchange companies in Dubai, a senior
official from Dubai Police said.

Major General Khamis Matter Al Mazeina, acting chief of Dubai Police, said on
Sunday that...
 

Ex-Exel president found guilty of hacking former employers

Posted by InfoSec News on Mar 05

http://www.theregister.co.uk/2013/03/05/exel_president_guilty_hacking/

By Iain Thomson in San Francisco
The Register
5th March 2013

The former president of transportation logistics firm Exel has been found
guilty of hacking into the servers of his former employer to glean secrets for
his new business.

A federal jury found Michael Musacchio, 61, guilty of one felony count of
conspiracy to make unauthorized access to a protected computer...
 

BofA Confirms Third-Party Breach

Posted by InfoSec News on Mar 05

http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582

By Tracy Kitten
Bank Info Security
March 5, 2013

Hacktivists are taking credit for a data breach impacting Bank of America - an
incident the hackers claim allowed them to access employee and executive data
stored through a third party.

"The data was retrieved from an Israeli server in Tel Aviv," says the
hacktivist group Par:AnoIA, part of the Anonymous...