Hackin9

Sydney Morning Herald

Mobile virus writers pay to Google Play
Sydney Morning Herald
ANALYSIS. Millions of users at risk from "vulnerable" apps ... Android. Banking customers are the target of a new Android malware package seeking to infiltrate the Google Play store. An explosion in malicious software (malware) targeting Android smartphone users is being fueled in part by a budding ...
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
This year's South by Southwest Interactive will play host to tech trends in areas as diverse as gaming, artificial intelligence, 3D printing and social networking, but whether the next Twitter will emerge at the conference is harder to say.
 
Oracle Auto Service Request Insecure Temporary File Creation Vulnerability
 

 
Some school administrators are testing a bold idea to integrate the multitude of systems that are used to store student data, giving teachers a single view of how students are performing and allowing them to better deliver the right learning materials.
 

 
Ruby REXML Parser Denial of Service Vulnerability
 
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc
 
Microsoft's anti-Google "Scroogled" campaign is a battle for hearts and minds as much as for search and email market share, and Microsoft claims the effort is making a difference.
 
It may not be 'feasible' to complete a gigantic SAP software project meant to unify California's many public employee payroll systems, according to a report issued this week by the office of the state Legislative Analyst.
 
After multiple years of double-digit drops, prices for DRAM could stabilize as demand exceeds supply and the number of memory makers dwindles, a research analyst for IC Insights said this week.
 
The growing use of handheld devices and social media among students is creating a technology tipping point for schools that could completely break down the barriers between teaching platforms within five to 10 years, Bill Gates said Thursday.
 
Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6
 
Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6
 
[security bulletin] HPSBGN02854 SSRT100881 rev.1 - HP Intelligent Management Center (iMC), iMC TACACS+ Authentication Manager (TAM), and iMC User Access Manager (UAM), Cross Site Scripting (XSS), Remote Code Execution, Remote Disclosure of Information
 
A survey of physicians in eight countries found that U.S. doctors in particular do not believe patients should have full access to their electronic health records.
 
It's easy to be overwhelmed by Twitter, especially when you're trying to use the micro-blogging service for business purposes. Who should I follow? How do I get more people to follow me? When should I tweet? Where do I start? These are just a few of the questions that Twitter users often have--and they are among the ones that SocialBro tries to answer. This comprehensive Twitter management tool offers plenty of features to help you make the most of Twitter, but it, too, can be overwhelming--and its free edition is limited.
 
Django Denial of Service Vulnerability And Information Disclosure Vulnerabilities
 
Microsoft today announced it will deliver seven security updates next week, four of them rated "critical," to patch Internet Explorer, Windows, Office, SharePoint Server and the Silverlight media software.
 
Facebook unveiled an updated look for its News Feed on Thursday, showing more visual content and ways to organize different feeds of users' interests.
 
Android is where the latest malware and threats are appearing: F-Secure found that only Android and Symbian showed any new activity in the last quarter of 2012, with 96 of 100 new threat families written for Android.


 
[ MDVSA-2013:019 ] gnutls
 
[security bulletin] HPSBPI02851 SSRT101078 rev.1 - Certain HP LaserJet Pro Printers, Unauthorized Access to Data
 
Facebook unveiled an updated look for its News Feed on Thursday, showing more visual content and ways to organize different feeds of users' interests.
 
[slackware-security] sudo (SSA:2013-065-01)
 
[security bulletin] HPSBMU02849 SSRT101124 rev.1 - HP ServiceCenter, Remote Denial of Service (DoS)
 
DDIVRT-2013-51 DALIM Dialog Server 'logfile' Local File Inclusion
 

I've been trying for a few months now to get my lab running IPv6 natively, with mixed success. What's standing in my way, you ask? A couple of things, which in turn have further implications:



Barrier #1: IPv6 isn't free

First of all, if you want IPv6 addresses that will route on the internet, they're not free. For instance, if you're within arin.net's jurisdiction, the fee schedule is here: https://www.arin.net/fees/fee_schedule.html. The fees are annual; none of these are one-time prices.



Note that experimental addresses are still relatively cheap ($500 per allocation), but they expire in 12 months. Since I won't be folding my lab up anytime soon, I think I'll need to cave and buy a subnet. Note that the smallest allocation is a /48, which leaves a whopping 80 bits of address space to carve up (2^80 addresses, far more than the entire 32-bit IPv4 space, or 65,536 /64 subnets if you assign them the conventional way). So for $1250, I (or any company that needs space) can make my routeable address problem go away.



The implications of this are quite different, though. Currently, in the IPv4 world, most organizations assign RFC1918 addresses (private addresses) to their inside network, and then NAT those IPs out to a much smaller address space, which they've purchased from their registrar or that has been provided by their ISP. So migrating to a new ISP involves some firewall and router work and, since you've only got a small public address block to deal with, you either move it to the new ISP or get a new block from the new ISP and change all your DNS entries (and VPN tunnels) to the new subnet.



In the IPv6 world, we'll see folks in two camps. Those who have purchased a routable block and used those addresses on their inside network will be in one camp. They're very mobile and will be able to change ISPs very readily. However, they'll also need a much deeper network skillset, as they'll likely need to run an external routing protocol, peering with their ISP using BGP to advertise their subnet (note that this could also be done statically). The smaller organizations who have been given IPv6 space by their ISP, however, will be in a different situation, and faced with two problems. Once they implement IPv6 using ISP address space, changing ISPs will involve renumbering their entire inside address space, changing the IPv6 address of every server, workstation, printer and access point. Not only is this a large, disruptive project in the best of situations, these small companies generally are not well-equipped to understand or deliver on such a project. So once they have implemented IPv6, they are essentially chained to their ISP, or need to bring in outside help to migrate.
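To make the renumbering problem concrete, here is an added example (not part of the diary, and not anyone's production tooling) that walks a hypothetical inventory and works out which addresses are tied to the ISP's prefix and what they become under a purchased block. It uses the documentation prefixes 2001:db8:1::/48 and 2001:db8:ffff::/48 as stand-ins for the ISP-assigned and purchased /48s, and the host names and addresses are constructed. The point it makes in code is the one the paragraph makes in prose: link-local, ULA and RFC1918 addresses survive an ISP change untouched, while every global address carved from the ISP's prefix has to be rewritten, and the rewrite keeps the subnet and interface identifier bits below the /48.

```python
import ipaddress
from typing import Dict

# Documentation prefixes stand in for real allocations (assumption for this example).
ISP_PREFIX = ipaddress.ip_network("2001:db8:1::/48")     # space handed out by the ISP
OWN_PREFIX = ipaddress.ip_network("2001:db8:ffff::/48")  # block bought from the registry

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed inventory: hypothetical hosts, not from the diary.
INVENTORY: Dict[str, str] = {
    "fw-outside":  "2001:db8:1::1",
    "web01":       "2001:db8:1:10::80",
    "printer-2f":  "2001:db8:1:20:5054:ff:fe12:3456",
    "ap-lobby":    "fe80::1a2b:3cff:fe4d:5e6f",  # link-local: never depends on the ISP
    "mgmt-switch": "fd00:1234::1",                # ULA: not tied to the ISP either
    "legacy-nas":  "10.1.2.3",                    # RFC1918 behind NAT: ISP change is invisible
}


def classify(addr: str) -> str:
    """Bucket an address by whether an ISP change could force it to be renumbered."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4-private" if ip.is_private else "ipv4-public"
    if ip in LINK_LOCAL:
        return "ipv6-link-local"
    if ip in ULA:
        return "ipv6-ula"
    if ip in GLOBAL_UNICAST:
        return "ipv6-global"
    return "ipv6-other"


def renumber(addr: str, old: ipaddress.IPv6Network, new: ipaddress.IPv6Network) -> str:
    """Move an address from prefix `old` to prefix `new`, keeping every bit below the prefix
    (subnet ID and interface ID) exactly as it was. Addresses outside `old` are returned unchanged."""
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must be the same length")
    ip = ipaddress.IPv6Address(addr)
    if ip not in old:
        return addr
    host_mask = (1 << (128 - old.prefixlen)) - 1
    return str(ipaddress.IPv6Address(int(new.network_address) | (int(ip) & host_mask)))


def renumbering_plan(inventory: Dict[str, str],
                     old: ipaddress.IPv6Network,
                     new: ipaddress.IPv6Network) -> Dict[str, Dict[str, str]]:
    """For each host, decide whether it must be renumbered and what its new address is."""
    plan: Dict[str, Dict[str, str]] = {}
    for host, addr in inventory.items():
        kind = classify(addr)
        if kind == "ipv6-global" and ipaddress.IPv6Address(addr) in old:
            plan[host] = {"kind": kind, "old": addr, "new": renumber(addr, old, new),
                          "action": "renumber"}
        else:
            plan[host] = {"kind": kind, "old": addr, "new": addr, "action": "keep"}
    return plan


if __name__ == "__main__":
    for host, entry in renumbering_plan(INVENTORY, ISP_PREFIX, OWN_PREFIX).items():
        print(f"{host:12} {entry['kind']:16} {entry['action']:9} {entry['old']} -> {entry['new']}")
```

Run against a real inventory export, the "renumber" rows are the project scope the paragraph warns about: every one of them is a host, DNS record, firewall rule or VPN peer that has to change on the cut-over day. Numbering the inside network from ULA space (with the global addresses only on the edge) is the usual way to shrink that list, at the cost of NAT66 or a separate global address on each host.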

Barrier #2: Check your Network Hardware and OS

For the most part, newer network hardware such as routers, switches and firewalls (say, anything sold in the last 5 years or so) is IPv6 capable. However, the OS running on that hardware isn't necessarily ready, or it may have known problems. Plus, it's not uncommon at all to find older network gear in the rack that is *not* IPv6 ready (how many Cisco PIX units are still in service, for instance? PIXes will do IPv6, but only from the CLI in the last PIX OS releases, with no ASDM support). Be sure you check your gear and the OS running on it before committing to a final budget on your IPv6 project!

Barrier #3: IPv6 still isn't everywhere (yet)

I live and work mostly in Canada, so my lab is also north of the 49th. Even now, 2 years after the IPv4 address space was fully allocated (https://www.arin.net/announcements/2011/20110203.html) and 10 years after our ISPs and WAN providers all knew what was coming, many, if not most, providers are just starting down the path. We've gone from "not at this time" to "we'll be there in 6-8 months" with almost every WAN provider, telecom and ISP in Canada for the last 3-4 years. Even my current lab ISP, who has extensive blog postings on why you should migrate, will not have IPv6 for my area until May/June (of this year, I hope!). This is frustrating to me, because any gear that supports MPLS or a full internet BGP table has been IPv6 capable for several years now; this is purely a problem of assigning technical folks to do the work at the ISPs and WAN providers.

So if you want native, routed IPv6, in many cases you're looking at using a tunnel broker such as Hurricane Electric to give you transport. What this means to me is that all of my IPv6 traffic now needs to traverse a third party that is not my ISP. Given that I'm generally running one or more security assessments or penetration tests, or otherwise messing with my datastream, giving more folks than necessary access to my packets does not fill me with joy, especially since I don't have any kind of contractual agreement with a free tunnel broker. Given how easy ettercap, sslstrip and other MITM tools are to run, or even how much information you can glean from simple netflow/sflow, I'd as soon limit that sort of exposure. If your internet traffic might carry confidential data, especially using SSL for encryption, I'd suggest that you might not be thrilled with a tunnelling solution either.
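The practical check that follows from the tunnel-broker concern is to look at your own outbound capture and see whether IPv6 is leaving natively or inside IPv4. Hurricane Electric's tunnels are 6in4 (IPv6 carried directly in IPv4 with IP protocol 41), so the tunnel endpoint is visible as the outer IPv4 destination of every protocol-41 packet; it also goes one step beyond the diary by flagging Teredo (IPv6 in UDP port 3544), which a Windows host may bring up on its own. This is an added example, not code from the diary or from any tunnel broker: it builds a few constructed packets (documentation addresses 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32, IP checksums left at zero) and parses them with a minimal hand-written header parser, which is enough to tell native traffic from tunnelled traffic and to list the third-party endpoints your packets are traversing.

```python
import struct
import ipaddress
from typing import Dict, List

PROTO_6IN4 = 41    # IPv6 encapsulated directly in IPv4 (RFC 4213); what a 6in4 tunnel broker carries
PROTO_UDP = 17
PROTO_TCP = 6
TEREDO_PORT = 3544  # Teredo (RFC 4380): IPv6 inside UDP to/from this port


def _ipv4_header(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header. Header checksum is left at zero in these constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _ipv6_header(next_header: int, src: str, dst: str, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str, payload: bytes) -> bytes:
    inner = _ipv6_header(58, inner_src, inner_dst, len(payload)) + payload  # 58 = ICMPv6
    return _ipv4_header(PROTO_6IN4, outer_src, outer_dst, len(inner)) + inner


def build_native_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    return _ipv4_header(PROTO_TCP, src, dst, len(payload)) + payload


def classify_packet(frame: bytes) -> Dict[str, object]:
    """Classify one raw IPv4 packet as 6in4, Teredo or other, extracting tunnel endpoints."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return {"kind": "malformed"}
    proto = frame[9]
    outer_src = str(ipaddress.IPv4Address(frame[12:16]))
    outer_dst = str(ipaddress.IPv4Address(frame[16:20]))
    body = frame[ihl:]
    if proto == PROTO_6IN4 and len(body) >= 40 and body[0] >> 4 == 6:
        return {"kind": "6in4", "outer_src": outer_src, "outer_dst": outer_dst,
                "inner_src": str(ipaddress.IPv6Address(body[8:24])),
                "inner_dst": str(ipaddress.IPv6Address(body[24:40])),
                "next_header": body[6]}
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if TEREDO_PORT in (sport, dport):
            return {"kind": "teredo", "outer_src": outer_src, "outer_dst": outer_dst}
    return {"kind": "other", "outer_src": outer_src, "outer_dst": outer_dst, "proto": proto}


def tunnel_endpoints(packets: List[bytes]) -> Dict[str, int]:
    """Count 6in4 packets per outer IPv4 destination. Each key is a third party that sees
    your IPv6 traffic in the clear (apart from whatever the inner payload encrypts)."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        info = classify_packet(pkt)
        if info["kind"] == "6in4":
            dst = str(info["outer_dst"])
            counts[dst] = counts.get(dst, 0) + 1
    return counts


# Constructed capture: a lab host (192.0.2.10) sending two IPv6 pings through a tunnel
# endpoint at 198.51.100.1, one native IPv4 TCP packet, and one Teredo-looking UDP packet.
ECHO_REQUEST = bytes([0x80, 0, 0, 0, 0, 1, 0, 1])  # ICMPv6 echo request, checksum zeroed
SAMPLE_CAPTURE = [
    build_6in4("192.0.2.10", "198.51.100.1", "2001:db8:1::10", "2001:db8:2::1", ECHO_REQUEST),
    build_6in4("192.0.2.10", "198.51.100.1", "2001:db8:1::10", "2001:db8:3::53", ECHO_REQUEST),
    build_native_ipv4("192.0.2.10", "203.0.113.80", b"\x00" * 20),
    _ipv4_header(PROTO_UDP, "192.0.2.10", "203.0.113.9", 8) + struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0),
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(classify_packet(pkt))
    print("tunnel endpoints:", tunnel_endpoints(SAMPLE_CAPTURE))
```

Feed this the raw IP payloads from a pcap of your uplink and an empty result means your IPv6 is native; a non-empty one lists exactly who is in the path. On a real capture you would also want to verify the IPv4 header checksum and handle options (the parser honours the IHL field, so option-bearing headers are sliced correctly, but nothing is validated).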



So, while I'm getting the purchase of my address space all worked out this month, I'm still firmly rooted in the IPv4 world until later this summer, no matter how much I'd like to have a foot in each version.

If you've completed your IPv6 project, or if you are still planning one out, we'd love to hear about any roadblocks or problems you've identified or overcome. Please use our comment form!



===============

Rob VandenBrink

Metafore
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
SAP is expanding its array of software products for the insurance industry with the acquisition of Camilion. Terms were not disclosed.
 
Kaspersky Lab's Internet Security 2013 product contains a bug that can be exploited remotely, especially on local networks, to completely freeze the OS on computers running the software.
 
A U.K. court has invalidated three Samsung patents that cover 3G technology in two rulings in cases between Samsung and Apple, according to court filings published on Thursday.
 

Browser security took a drubbing during the first day of an annual hacker contest, with the latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbing to exploits that allowed attackers to hijack the underlying computer.

The Pwn2Own contest, which is sponsored by HP's Tipping Point division, paid $100,000 for the successful exploitation of IE 10 running on a Surface Pro tablet powered by Windows 8. The attack was impressive because it was able to bypass a variety of anti-exploit technologies Microsoft has added to its flagship operating system and browser over the past decade. To succeed, researchers from France-based Vupen Security had to combine multiple attacks, a technique that is growing increasingly common.

"We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," the firm announced by Twitter on Wednesday.


 
IT administrators now have more control over the usage of Chrome OS devices in their organizations, with new settings covering areas like Web browsing, cookie acceptance and plug-in management.
 
Asustek has announced it will soon begin U.S. shipments of an all-in-one PC that can be an Android 4.1 tablet, or a fully functional desktop running Windows 8 when attached to a docking station.
 
The FCC remains focused on rapidly expanding spectrum for licensed and unlicensed use, and encouraging both research and products that will let it be used more efficiently, according to the commission's boss.
 
 
When you're talking to a n00b -- say, your CEO or VP of sales and marketing (or maybe even your CIO) -- it can be hard to get them to understand just how big and complex the Internet is. Sure, they hear about the billions of people on the 'Net and all of the companies making money through e-commerce of one kind or another (which hopefully includes yours), but what they will often have a problem grasping is the sheer scale of the Internet and how it's grown. What they need is a visual aid.
 
Samsung on Thursday confirmed reports by German media that it will stop selling its Windows RT tablet, the Ativ Tab, in Germany.
 
Oracle first announced its Social Relationship Management product family several months ago at OpenWorld, but has now taken steps to actually integrate the components of the product set, which it gained through a number of acquisitions over the past year.
 
The Payment Card Industry Security Standards Council has just issued guidance that anyone processing credit cards in the cloud will want to review.
 
LinuxSecurity.com: New sudo packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated java-1.7.0-oracle packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated Grid component packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.3 for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in openssl: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service (NULL [More...]
 
Taiwan's Foxconn Technology Group said it was still negotiating a deal for greater cooperation with Sharp, despite the Japanese display maker securing a $110 million investment to supply LCD panels to rival Samsung Electronics.
 
U.S. Attorney General Eric Holder defended the role of the prosecution in the case of the late Internet activist and innovator Aaron Swartz, stating that "there was never an intention for him to go to jail for longer than a three, four, potentially five-month range."
 
The author of a successful White House petition calling on government officials to legalize the unlocking of mobile phones has turned his attention to broader reform of the Digital Millennium Copyright Act.
 
On the first day of the Pwn2Own hacking contest, Chrome, Firefox and Internet Explorer 10 on Windows 8 were all successfully exploited. Java was also owned using several zero-day exploits.


 
Wireshark DTLS Dissector CVE-2013-2488 Denial of Service Vulnerability
 
Research teams Wednesday cracked Microsoft's Internet Explorer 10 (IE10), Google's Chrome and Mozilla's Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.
 
We looked at three desktop scanners from Brother, Fujitsu and Panasonic to see how well they help scan, store and send your documents
 
General Motors is hiring 1,000 IT staff for a center in a suburb of Phoenix as part of its strategy to move more high-value IT work in-house.
 
Demand for information security experts in the United States is outstripping the available supply by a widening margin, according to a pair of recently released reports.
 
gksu-polkit CVE-2012-5617 Local Privilege Escalation Vulnerability
 
Java web security has depended on a certificate signing process to grant applets and applications higher privileges, but deficiencies in the default settings mean that Java users are vulnerable to social engineering that delivers malware.


 

Posted by InfoSec News on Mar 06

Forwarded from: cfp2013 (at) recon.cx

[There may be some formatting issues from forwarding this to the list. - WK]

 

Posted by InfoSec News on Mar 06

http://www.aviationweek.com/Article.aspx?id=/article-xml/asd_03_06_2013_p03-01-555784.xml

By Frank Morring, Jr.
Aerospace Daily & Defense Report
March 06, 2013

Rep. Frank Wolf (R-Va.), chairman of the House Appropriations subcommittee that
funds NASA, has demanded that the U.S. space agency revoke a reported
invitation to Chinese officials for an Earth-observation coordination
conference at Langley Research Center next week.

In a March...
 

Posted by InfoSec News on Mar 06

http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240150216/time-bomb-attack-out-of-china-defused.html

By Kelly Jackson Higgins
Dark Reading
Mar 06, 2013

Mandiant's in-depth report published last month on a prolific cyberespionage
team tied to the Chinese military was, in turn, used as a lure in other
targeted attacks -- by what appears to be different Chinese hacker groups.

The attacks, spotted by...
 

Posted by InfoSec News on Mar 06

http://www.nextgov.com/cloud-computing/2013/03/gsa-will-stop-recruiting-cloud-security-testers-until-fall/61697/

By Aliya Sternstein
Nextgov
March 6, 2013

The government's new program for certifying the safety of browser-based
software will not be able to recruit additional testers until the fall, federal
officials told Nextgov.

Currently, there are 16 government-approved independent testing firms assessing
the security of dozens of...
 

Posted by InfoSec News on Mar 06

http://www.theregister.co.uk/2013/03/06/palm_vein_reader_banking_trial/

By John Leyden
The Register
6th March 2013

Italian banking group UniCredit has developed a commercial biometric payment
system based on Fujitsu PalmSecure palm vein reader technology.

UniCredit selected palm vein reader technology instead of more widely touted
biometric technologies, such as fingerprint readers and retina scanners, to
underpin a prototype mobile payment...
 