Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
OWC today announced a desktop drive that comes with up to 10TB of capacity, one USB 3.0 port and two Thunderbolt ports that offer 10Gbps throughput.
 
SAP's recently announced plans to overhaul its support services have user groups giving the thumbs up, although it may be some time before many customers feel a big difference.
 
After flirting with the idea for more than a year, Advanced Micro Devices has finally provided concrete details for bringing Android to its chips as the company looks to support more operating systems beyond Windows.
 
Two sets of emails obtained by Al Jazeera America under a Freedom of Information Act request suggest that Google's cooperation with the National Security Agency may have been less coerced than the company has let on.
 

Bitdefender
Researchers have uncovered Android-based malware that disables infected handsets until end users make a hefty cash payment to settle trumped-up criminal charges involving the viewing of illegal pornography.

To stoke maximum fear, Android-Trojan.Koler.A uses geolocation functions to tailor the warnings to whatever country a victim happens to reside in. The screenshot to the right invoking the FBI, for instance, is the notice that's displayed on infected phones connecting from a US-based IP address. People in Romania and other countries will see slightly different warnings. The malware prevents users from accessing the home screen of their phones, making it impossible to use most other apps installed on the phone. The normal phone functions in some cases can be restored only when the user pays a "fine" of about $300, using untraceable payment mechanisms such as Paysafecard or uKash.

The discovery of Koler.A comes 18 months after researchers from Symantec found that so-called ransomware extorts an estimated $5 million a year from users of traditional PCs. Ransomware refers to malware that disables computers and demands that cash payments be made to purported law-enforcement agencies before the machines are restored. More recently, ransomware scammers upped their game by building strong cryptography into malware, known as Cryptolocker, that holds entire hard drives hostage until end users pay a Bitcoin ransom of $300.


 
Aurich Lawson / Thinkstock

David Helkowski stood waiting outside a restaurant in Towson, Maryland, fresh from a visit to the unemployment office. Recently let go from his computer consulting job after engaging in some “freelance hacking” of a client’s network, Helkowski was still insistent on one point: his hack, designed to draw attention to security flaws, had been a noble act.

The FBI had a slightly different take on what happened, raiding Helkowski’s home and seizing his gear. Helkowski described the event on reddit in a thread he titled, “IamA Hacker who was Raided by the FBI and Secret Service AMAA!” Recently Ars sat down with him, hoping to get a better understanding of how this whitehat entered a world of gray. Helkowski was willing to tell practically everything—even in the middle of an ongoing investigation.

Until recently, Helkowski worked for The Canton Group, a Baltimore-based computer consulting firm serving, among other clients, the University of Maryland. Helkowski’s job title at The Canton Group was “team lead of open source solutions,” but he began to shift his concerns toward security after identifying problems on a University of Maryland server.


 
cups-filters CVE-2014-2707 Arbitrary Command Execution Vulnerability
 
Fish-shell CVE-2014-2914 Remote Code Execution Vulnerability
 
Fish-shell Multiple Insecure Temporary File Creation Vulnerabilities
 
Apple awarded new retail chief Angela Ahrendts stock grants that, if fully vested, would be worth as much as $78.5 million at Monday's closing price, according to SEC filings.
 
Google is developing a tool to help teachers manage classroom tasks, a move that should have education app vendors trembling as if they'd been sent to the principal's office.
 
Major Internet service providers in the United States are essentially holding their connections for ransom while letting customers suffer, according to a company that acts as a middleman for Internet traffic.
 
Citrix Systems wants to manage desktops and mobile devices with the latest version of XenMobile, and is also working on making it easier for XenApp users to upgrade.
 
Cognizant had more than 7,100 H-1B visa requests approved in the first half of the federal fiscal year.
 
CVE-2014-0930 - Kernel Memory Leak And Denial Of Service Condition in IBM AIX
 
CVE-2014-2882 - Lack of SSL Certificate Validation in Citrix Netscaler
 
CVE-2014-2881 - Poor Quality Implementation of Diffie-Hellman Key Exchange in Citrix Netscaler
 
[security bulletin] HPSBMU03037 rev.1 - HP Multimedia Service Environment (MSE), (HP Network Interactive Voice Response (NIVR)), Remote Disclosure of Information
 
Workday is expanding its competitive assault against Oracle and SAP with the general availability of Workday Recruiting, an application for finding the most qualified internal and external job candidates.
 
Tax return uncovered due to vulnerability affecting shared links to documents.

Dropbox has disabled access to previously created shared links to certain kinds of documents after the discovery that some users' sensitive files—including tax returns and bank records—were exposed through Google AdWords campaigns.

The flaw, which is reportedly also present on Box, impacts shared files that contain hyperlinks. "Dropbox users can share links to any file or folder in their Dropbox," the company noted yesterday while confirming the vulnerability:

Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • At that point, the referrer header discloses the original shared link to the third-party website.
  • Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.

Dropbox said it's not aware of this vulnerability being exploited.
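The leak in the scenario above is ordinary browser behaviour: when a link inside the shared document is followed, the full URL of the page holding it, access token included, goes out in the Referer header. The Python below is an added example, not code from Dropbox or Box, and models what the Referer carries under the standard Referrer-Policy values (a later W3C mechanism the article does not mention) so a service hosting shared links can check which policy keeps the share path on its own origin; the URLs are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values, not real service URLs: a shared link whose path
# carries the access token, and an unrelated site linked from inside the file.
SHARED_LINK = "https://files.example.com/s/9f3kq2/tax-return-2013.pdf#page=2"
THIRD_PARTY = "https://www.third-party.example/article"
POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "unsafe-url")


def _strip_for_referer(url):
    """Drop the fragment and any userinfo; browsers never send those."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer sent when a link on page_url to target_url is followed under
    the given policy (None = header omitted). Assumption: this follows the
    Referrer Policy spec's semantics, not any single browser's quirks."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme != "https"
    full = _strip_for_referer(page_url)
    origin = _strip_for_referer(f"{page.scheme}://{page.netloc}/")
    rules = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,  # 2014 default
        "origin": origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "same-origin": full if same_origin else None,
        "strict-origin": None if downgrade else origin,
        "strict-origin-when-cross-origin":
            None if downgrade else (full if same_origin else origin),
        "unsafe-url": full,
    }
    return rules[policy]


def leaks_share_path(page_url, target_url, policy):
    """True when the Referer would hand the shared-link path to the target."""
    ref = referer_for(page_url, target_url, policy)
    return ref is not None and urlsplit(page_url).path in ref


def non_leaking_policies(page_url, target_url):
    """Policies under which a click from the shared document keeps its path."""
    return [p for p in POLICIES if not leaks_share_path(page_url, target_url, p)]
```

With the default policy of the time, an https-to-https click from the shared document sends the full share URL to the third party; only the origin-only and no-referrer variants keep the path at home.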


 
ZipItFast PRO '.zip' File Heap Buffer Overflow Vulnerability
 
CVE-2014-2845 - Cyberduck (Windows): Failure validating some certificates (using FTP-SSL) with untrusted root certificate authority
 
The National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and technical expertise to create a model, standards-based system that companies in the financial services sector could use to integrate ...
 
Dell is making updates to its Android-based, thumb-size PC called Wyse Cloud Connect -- widely known as Project Ophelia -- as the company moves to make the stick computer suitable for consumers.
 
LG, Motorola and Huawei will all launch new smartphones in the next three weeks as they try to chip away at Apple and Samsung Electronics, a task that doesn't seem as insurmountable as it did a year ago.
 
LinuxSecurity.com: The system could be made to crash or run programs as an administrator.
 
LinuxSecurity.com: OpenStack Neutron would allow unintended access to other tenant networks.
 
LinuxSecurity.com: OpenStack Glance could be made to run programs as the glance user if it processed a specially crafted request.
 

10 tips to attract women to infosec jobs
CSO
“It fosters women of all backgrounds, in all functional organizations – not just infosec or IT – helping them move forward in terms of management at BAE,” said Jo Cangianelli, vice president of business development for BAE Systems' intelligence and ...

 
Salesforce.com is releasing Social Studio, a new product that combines features from its Radian6 social-media-monitoring technology with the content publishing capabilities of its Buddy Media software for marketers.
 
Dropbox has disabled old shared document links in a bid to prevent its users' files from being accessed by unintended recipients.
 
Fish-shell Insecure Temporary File Creation Vulnerability
 

As we all know, web standards are only leaving "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so.

Autocomplete=Off

This weekend we just had yet another post about people picking bad passwords. The only real way around this problem is a password manager. For a long time, browsers have included features that let you save passwords. Historically these features were not well liked, as they tended to protect the stored passwords inadequately. But with the number of leaked passwords going up and up, and browser makers feeling more confident about their built-in password safe features, some browsers have started to ignore this setting. For example, recent versions of Chrome and Safari will offer to save your password whether or not the "autocomplete=off" attribute is set.

BTW: You may still need to keep your autocomplete=off attribute in your forms to pass the PCI audit. After all, in this case you are not defending against hackers but against auditors, and the attribute still works great to fend off auditor questions.

In the end, this means it is up to the user to decide to enable or disable this feature, and what password safe to use. Personally I don't think you can do without a password safe. But some people still think they can remember > 100 random passwords/passphrases. (I am having a hard time with one or two).

Cookie2 Headers

"Nobody" ever really used the Cookie2 header. It was supposed to address privacy concerns people had with regular cookies. Cookies set via the Cookie2 header are essentially session cookies: they cannot be set "cross domain" and they expire as soon as you close the browser. But that was back in the day when people still considered privacy as something attainable. RFC 6265 officially obsoleted Cookie2 back in 2011. I guess nobody noticed (me neither) because nobody uses it.

URL Bars

Another "good old days" feature of many browsers was the URL bar. They are slowly disappearing. The simple reason is that most users (no... you are not "most users", as you are reading this post) have no idea what a URL is or how to decipher it. It all started with mobile browsers, which pushed the URL off the screen as soon as possible to save the few megapixels it would take to render the URL bar. I think it was Internet Explorer 8 where I first noticed that the URL bar got squished into a corner in order to provide more space for the search bar. Google is now trying to make this change more official by only showing the hostname, not the full URL, in recent beta releases of Chrome. The idea here is that the hostname is what matters and the other parts of the URL are usually just used by phishers to confuse the user as to the actual location of the page.

Anything I missed? Not looking for brand new features like HTTP/2.0 but for old features that no longer work in new browsers and are somewhat security related. I may add a couple more items to this post or as a comment as I remember them.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 
Lenovo is bringing a unique design to Chromebooks with the N20p Chromebook, which has a touchscreen that can rotate roughly 300 degrees to a "stand mode."
 
Hackers claiming to have found a critical flaw in a widely used open-source remote login software, OpenSSH, are likely bluffing, according to a developer affiliated with the project.
 
Whether you've lost your car or lost your Internet connection, Google Now is getting a little more helpful.
 
Marketers will want to use tools like Snapchat's Here feature to bend consumers to their will. IT has to inject rationality into the resulting discussions.
 
You've heard the term and probably read stories about smart homes where the toaster talks to the smoke detector. But what makes it all connect? These frequently asked questions help explain it all.
 
With low-cost Chromebooks catching fire in many education settings, Lenovo has expanded its Chromebook line to consumers with two new models.
 
Microsoft co-founder Bill Gates would back any move by CEO Satya Nadella to spin off the Xbox video game console business.
 
Ubuntu 'Unity' Package Local Security Bypass Vulnerability
 
XBuffy CVE-2014-0469 Stack Based Buffer Overflow Vulnerability
 

Posted by InfoSec News on May 06

http://online.wsj.com/news/articles/SB10001424052702303417104579544551961937712.html

By Andrew Grossman
The Wall Street Journal
May 5, 2014

WASHINGTON -- A Navy systems administrator assigned to the nuclear reactor
department of an aircraft carrier was also the leader of an antigovernment
hacking group, prosecutors alleged Monday.

Prosecutors say 27-year-old Nicholas Knight, an alleged hacker since age
16, led Team Digi7al, a group that...
 

Posted by InfoSec News on May 06

http://www.defenseone.com/technology/2014/05/were-saved-experts-show-how-fix-us-cybersecurity/83734/

By Patrick Tucker
Defense One
May 4, 2014

The date is April 4, 2015. A major cyberattack hits two generators in
Florida, knocking out power in the cities of Coral Springs and St.
Augustine, leading to multiple deaths and millions of dollars lost. One
month later, Congress has to get a bill to the president to fix the
vulnerability. But...
 

Posted by InfoSec News on May 06

http://www.computerworld.com/s/article/9248129/Canada_woes_breach_seen_as_cause_for_Target_CEO_s_exit

By Jaikumar Vijayan
Computerworld
May 5, 2014

Target CEO Gregg Steinhafel's resignation Monday as president, CEO and
chairman of the Board of the company likely isn't a sign that boards of
directors are now holding chief executives accountable for massive data
breaches.

While some observers quickly linked Steinhafel's exit...
 

Posted by InfoSec News on May 06

http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/

By Dan Goodin
Ars Technica
May 5, 2014

Commercial antivirus pioneer Symantec has finally admitted publicly what
critics have been saying for years: the growing inability of the scanning
software to detect the majority of malware attacks makes it "dead" and
"doomed to failure," according to a published report.

Over...
 

Posted by InfoSec News on May 06

Forwarded from: cfp () ruxcon org au

Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Call For Presentations for
Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and
12th of October at the CQ Function Centre, Melbourne, Australia.

.[x]. About Ruxcon .[x].

Ruxcon brings together the individual talents of the best...
 

Posted by InfoSec News on May 06

http://abclocal.go.com/wls/story?section=news/iteam&id=9526738

[Jason isn't related to me, and fair warning, I know this story is bad, but it's
one of those news articles I had to share on how not to report on a technology
story. -- WK]

By Jason Knowles
WLS.com
@KnowlesABC7
May 04, 2014

April 29, 2014 (WLS) -- The ABC7 I-Team is learning more about "heartbleed" and
how you can be a victim without even knowing it.

The...
 