Hackin9

GOP Report Stresses Gov't InfoSec Flaws
BankInfoSecurity.com
Days before the Obama administration will release a framework aimed at securing the nation's critical infrastructure, Senate Republicans issued a report detailing vulnerabilities in federal IT, suggesting the White House get its own house in order ...

 
A majority of companies that achieve annual compliance with the Payment Card Industry Data Security Standard fail to then maintain that status, leaving them vulnerable to breaches.
 
LinkedIn is shutting down Intro, its recently launched mobile service for connecting people over email, that raised security concerns.
 
IBM is working on electronics for the U.S. military that will self-destruct on command to ensure that powerful devices holding critical data stay out of the hands of the enemy.
 
Microwave networking equipment maker Aviat Networks was forced to delay filing its second-quarter earnings report due to "unexpected difficulties" with a newly installed ERP system.
 
Bitcoin's value declined sharply Friday, just as Mt. Gox, an online exchange for buying and selling the digital currency, announced that it was temporarily suspending withdrawals.
 
Microsoft today implored its technically astute customers to help friends and family who are still running Windows XP get rid of the soon-to-be-retired operating system.
 
Google is opening the door wider to the enterprise, launching a videoconferencing tool designed to make it easier and cheaper to have face-to-face meetings with far-flung co-workers.
 
Xen libvchan Xenstore Ring Indexes Local Privilege Escalation Vulnerability
 
If you're in tech, it pays to be in big data. Nine of the top 10 highest paying IT salaries are for languages, databases and skills related to big data.
 
 
LinuxSecurity.com: Yves Younan and Ryan Pentney discovered that libgadu, a library for accessing the Gadu-Gadu instant messaging service, contained an integer overflow leading to a buffer overflow. Attackers that impersonate the server could crash clients and potentially execute ...
 

A bugged phone conversation in which two senior US officials traded offensive remarks about the European Union has ignited a diplomatic free-for-all and raised questions about the ability of the US to protect its sensitive communications from the spy apparatuses of Russia and other countries.

US Assistant Secretary of State for European Affairs Victoria Nuland and Geoffrey Pyatt, the US ambassador to Ukraine, clearly thought they were speaking on a secure line when discussing the political unrest in Ukraine and how the US government should help resolve the crisis. At one point during the January 25 call, Nuland colorfully rejected recent overtures from European Union leaders by telling her colleague: "Fuck the EU."

The four-minute call was posted to YouTube on Thursday. The voice quality is strikingly clear, suggesting the recording was made by a well-positioned source. Among the first people to tweet the link was an aide to Russian Deputy Prime Minister Dmitry Rogozin. US State Department officials quickly seized on the tweet as proof that the Russian government was involved in the eavesdropping, calling the episode a "new low in Russian tradecraft." The Russian government has denied any involvement.

An example of one of the "inkblot" images used by the GOTCHA system.

Luis von Ahn and colleagues developed CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) in 2000 to help fight computer-generated spam. The test requires users to type in letters from a distorted image to prove that they're human. The system worked well for years, but as with many things on the Internet, there is always someone looking to break it.

Attackers have found ways around CAPTCHAs. One example is a relay attack: the user is shown a CAPTCHA on what appears to be a harmless website, and the text they type is forwarded to solve a challenge on a different site that the attacker wants to get into. So it's up to the computer scientists to figure out how to beat the attackers again.

That's exactly what a team of researchers at Carnegie Mellon University set out to do. (The team consisted of PhD student Jeremiah Blocki, professor Manuel Blum, and associate professor Anupam Datta.) The system they developed is called GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart); it uses a user-provided password to seed the generation of several multi-colored inkblot images, with the blotches placed randomly.
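An added illustration of the one mechanism the article describes, generating the inkblots from the user's password: this is example code written for this page, not the GOTCHA paper's code or the images the CMU team used. The password is stretched into a seed with a slow KDF and that seed drives an ordinary PRNG, so the same password always reproduces the same images and nothing needs to be stored server-side but a per-user salt. The image size, ellipse count, palette, PBKDF2 cost and the mirrored-ellipse construction are all assumptions made for the example.

```python
import hashlib
import random

# Constructed parameters for this example; they are not GOTCHA's real values.
IMAGE_SIZE = 200          # width and height of each square inkblot, in pixels
ELLIPSES_PER_HALF = 12    # random ellipses on the left half, each mirrored to the right
PALETTE = ["#c0392b", "#2980b9", "#27ae60", "#8e44ad", "#f39c12", "#16a085"]
KDF_ITERATIONS = 100_000  # assumed PBKDF2 cost; slows down each offline password guess


def derive_seed(password: str, salt: bytes) -> int:
    """Turn the password into a PRNG seed through a slow KDF.

    Only the password (plus a per-user salt) determines the seed, so the
    server never has to store the images: it regenerates them on demand
    from whatever password the user types at login.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return int.from_bytes(digest, "big")


def make_inkblot(rng: random.Random) -> list:
    """One inkblot: random coloured ellipses on the left half, mirrored to the right.

    Each ellipse is (cx, cy, rx, ry, colour). Mirroring about the vertical centre
    line gives the symmetric, folded-paper look; positions, sizes and colours all
    come from the password-seeded generator, so they are unpredictable to anyone
    who does not know the password.
    """
    ellipses = []
    for _ in range(ELLIPSES_PER_HALF):
        cx = rng.randint(0, IMAGE_SIZE // 2)
        cy = rng.randint(0, IMAGE_SIZE)
        rx = rng.randint(8, 40)
        ry = rng.randint(8, 40)
        colour = rng.choice(PALETTE)
        ellipses.append((cx, cy, rx, ry, colour))
        ellipses.append((IMAGE_SIZE - cx, cy, rx, ry, colour))  # mirror image
    return ellipses


def generate_inkblots(password: str, salt: bytes, count: int = 5) -> list:
    """Regenerate the user's `count` inkblots from the password alone."""
    rng = random.Random(derive_seed(password, salt))
    return [make_inkblot(rng) for _ in range(count)]


def to_svg(ellipses: list) -> str:
    """Render one inkblot as an SVG document so it can be opened in a browser."""
    body = "".join(
        f'<ellipse cx="{cx}" cy="{cy}" rx="{rx}" ry="{ry}" fill="{colour}" fill-opacity="0.8"/>'
        for cx, cy, rx, ry, colour in ellipses
    )
    return (
        f'<svg xmlns="http://www.w3.org/2000/svg" width="{IMAGE_SIZE}" height="{IMAGE_SIZE}">'
        f'<rect width="100%" height="100%" fill="white"/>{body}</svg>'
    )


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"   # in practice, random and stored per account
    blots = generate_inkblots("correct horse battery staple", salt)
    for i, blot in enumerate(blots):
        with open(f"inkblot_{i}.svg", "w", encoding="utf-8") as fh:
            fh.write(to_svg(blot))
    print(f"wrote {len(blots)} inkblots")
```

Running the block writes five SVG files; running it again with the same password and salt writes byte-identical files, while any other password produces unrelated blots. Because the seed goes through PBKDF2, each candidate password an attacker wants to render costs a full KDF evaluation before a single image exists to look at.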


EE rolls out Brightbox fix... but it WON'T stop packet sniffers, DNS meddlers ...
Register
EE rolls out Brightbox fix... but it WON'T stop packet sniffers, DNS meddlers – infosec bod. '2 out of 3' major holes in router plugged: researcher. By John Leyden, 7th February 2014.

 
Mozilla yesterday launched a beta version of its touch-enabled Firefox browser for Windows 8 and 8.1, fulfilling a promise to put the application on the road to a final release next month.
 
In February, the hills around Tokyo come alive with cypress pollen, and that means one thing: hay fever.
 
Zabbix User Spoofing Vulnerability
 
 
New Microsoft CEO Satya Nadella certainly has his work cut out for him, but his job pales in comparison to the mess Steve Ballmer inherited in 2000. Nadella should succeed -- and if he does, he owes a lot to his oft-maligned predecessor.
 

Also in the news, ISO standard 30111 was published recently (on Jan 21), a standard for vulnerability handling processes. The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft.

The standard covers all the basics, including vulnerability verification steps and the vulnerability handling process, and, of particular interest, it delineates where vendors should and should not be in the process.

The companion document, ISO 29147 (published in 2013), covers vulnerability disclosure. This one is extremely valuable both to security researchers and to any company with a software product. It includes guidance on building a framework to address vulnerabilities, including a five-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communicating with customers after the fix is released.

As with all ISO standards, unfortunately these are not free, but both are well worth it if the standards apply to your organization. If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have.
ISO 30111 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231
ISO 29147 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft Thursday said it will issue five security updates next week, two tagged as "critical," to close holes in Windows and the company's Exchange-based Forefront Protection 2010 security software.
 
Sometimes even a tablet is too much trouble to tote. These Android smartphone e-reader apps will make it easy to enjoy your favorite book wherever you go.
 
IBM is exploring the sale of its semiconductor unit shortly after agreeing to sell its low-end server business to Lenovo Group, according to newspaper reports.
 
Oracle CEO Larry Ellison relied on a time-tested bromide to sell a conference crowd on the vendor's array of HCM applications on Thursday.
 
The open source Docker container technology is taking on the server virtualization market, offering what some see as a faster alternative to running full virtual machines over hypervisors.
 
Politicians and law enforcement officials in California will introduce a bill on Friday that requires all smartphones and tablet PCs sold in the state be equipped with a digital "kill-switch" that would make the devices useless if stolen.
 
LinkedIn is acquiring Bright, a startup that has developed a search technology for better matching job hunters with employers that could help to drive more users to LinkedIn's site.
 
The massive Target breach led to revelations that many companies use Internet-connected heating, ventilation, and air conditioning (HVAC) systems without adequate security, giving hackers a potential gateway to key corporate systems.
 
Twitter Wednesday reported that fourth quarter sales more than doubled over the past year, but the company nevertheless spooked investors by acknowledging a slowdown in new user growth and in user engagement.
 
A contractor for Target said Thursday it was also a victim of a cyberattack, supporting the retailer's claim that hackers gained entry to its network via a third party.
 
Microsoft made a surprising, intriguing and dramatic announcement on Tuesday: No, it wasn't Satya Nadella's appointment as CEO to replace Steve Ballmer. It was the news that Bill Gates would step down as chairman and take on a new tech advisory role in which he'll substantially increase his involvement with the company he co-founded in 1975.
 
Linux Kernel CVE-2013-6431 NULL Pointer Dereference Local Denial of Service Vulnerability
 

Posted by InfoSec News on Feb 07

http://www.nextgov.com/cybersecurity/2014/02/75-percent-pentagon-contractors-adjusted-security-after-snowden-leaks/78302/

By Aliya Sternstein
Nextgov.com
February 5, 2014

Leaks of national secrets by former federal contractor Edward Snowden
drove 75 percent of U.S. defense company executives to adjust information
security procedures, mostly by increasing employee training and going on
high alert for deviant behavior, according to a new...
 

Posted by InfoSec News on Feb 07

http://www.eetimes.com/author.asp?section_id=8&doc_id=1320907

By Carolyn Mathas
EE Times
2/6/2014

I just noticed the results of a report commissioned by the Institution of
Engineering and Technology (IET) called "Using Open Source Intelligence to
Improve ICS & SCADA Security." The report suggests that information that
engineers place on social media, in blogs, and in papers is sufficient to
mount cyberattacks. In this...
 

Posted by InfoSec News on Feb 07

http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html

By Robert Graham
Errata Security
February 06, 2014

Yesterday (Feb 5 2014) NBC News ran a story claiming that if you bring
your mobile phone or laptop to the Sochi Olympics, it'll immediately be
hacked the moment you turn it on. The story was fabricated. The technical
details relate to going to the Olympics in cyberspace (visiting websites),
not going there in...
 

Posted by InfoSec News on Feb 07

http://www.timesofisrael.com/hack-this-start-up-claims-it-can-stop-all-viruses-permanently/

By David Shamah
The Times of Israel
February 6, 2014

An Israeli start-up claims it may be able to put an end to the viruses,
malware, and trojan horses that cost the world economy hundreds of
billions of dollars a year. Not only does Cyactive say it can stop viruses
that are already “in the wild,” currently causing damage, but according to
CEO...
 

Posted by InfoSec News on Feb 07

http://www.informationweek.com/healthcare/security-and-privacy/texas-hospital-discloses-huge-breach-/d/d-id/1113724

By David F Carr
InformationWeek.com
2/5/2014

St. Joseph Health System has confirmed a security breach affecting the
records of up to 405,000 past and current patients, as well as employees
and employees' beneficiaries.

St. Joseph says it believed the attack occurred between Dec. 16 and 18,
when one of its computer servers...
 
[SECURITY] [DSA 2852-1] libgadu security update
 
Information on recently-fixed Oracle VM VirtualBox vulnerabilities
 
Internet Storm Center Infocon Status