Hackin9

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
As part of its cloud computing forum and workshop series, the National Institute of Standards and Technology (NIST) is hosting two meetings in March at its Gaithersburg, Md., campus, 'The Intersection of Cloud and Mobility' from March ...
 
The U.S. Federal Communications Commission should move forward with a plan to open up new 5GHz spectrum to Wi-Fi as consumer demand for wireless bandwidth skyrockets, a member of the commission said.
 
Ruby on Rails CVE-2013-6416 Cross Site Scripting Vulnerability
 
As corporate stockpiles of data continue to grow, mostly unmanaged, to massive levels, it's increasingly likely that many major organizations will face a crisis very soon.
 
Two major studies released this week of the nation's largest wireless networks put Verizon on top in nearly every technical network measurement, with AT&T close behind and Sprint and T-Mobile trailing.
 
With robots becoming increasingly powerful, intelligent and autonomous, a scientist at Rensselaer Polytechnic Institute says it's important to make sure they know the difference between good and evil.
 
U.S. retailers are digging in their heels over their need for PIN authentication for Europay MasterCard Visa (EMV) smartcard use here.
 
Thinking there could be life on one of Jupiter's moons, NASA scientists are working on a plan to send robots to try and find out.
 
 
Google Android WebView Remote Security Bypass Vulnerability
 
FFmpeg Multiple Security Vulnerabilities
 
With smartphones and tablets increasingly at risk from malware, researchers from North Carolina State University have devised a new and potentially better way to detect it on Android devices.
 
Samsung hopes its new Milk streaming service is the next big thing in music.
 
The first Cebit trade show in the post-Snowden era will focus on security, showing off locally developed bug-proof phones and messaging systems, as well as the ability to protect mobile devices using smartcards.
 
A screenshot from a video promoting a tool for creating DIY remote access trojans for Android devices.

The scourge of the remote access trojan (RAT)—those predatory apps that use a device's camera and microphone to surreptitiously spy on victims—has formally entered the Android arena. Not only have researchers found a covert RAT briefly available for download in the official Google Play store, they have also detected a full-featured toolkit for sale in underground forums that could make it easy for other peeping Toms to do the same thing.

The specific RAT in Google Play was disguised as a legitimate app called Parental Control, according to Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones. He doesn't know exactly how long it was available on Google servers, but he believes it wasn't long. It was downloaded 10 to 50 times.

The Parental Control trojan was built using Dendroid, a newly discovered software development tool that sells for about $300. Dendroid provides an impressive suite of features, including all the tools to build the command and control infrastructure to control RATted phones and receive audio and video captured from their mics and cameras. Dendroid also allows attackers to intercept, block, or send SMS text messages on compromised phones; download stored pictures and browser histories; and open a dialogue box that asks for passwords. It includes "binder" functions that allow the malicious code to be attached, or bound, into otherwise useful or innocuous apps.

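The capabilities listed for Dendroid-built apps (SMS interception and sending, microphone and camera capture, picture and browser-history theft, network exfiltration) each require specific Android permissions and manifest entries, which gives a triage analyst a cheap first-pass check. The following is an added example, not code from the article or from Lookout: a heuristic that reads a decoded AndroidManifest.xml (real APKs carry binary XML, so this assumes output from a decoder such as apktool) and flags the permission combination a RAT of this kind would need. The permission-to-capability mapping, the two sample manifests and the flagging rule are assumptions constructed for illustration, not a signature for Dendroid.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: map each capability the article attributes to Dendroid to the
# permission(s) an app must declare to exercise it. This is a heuristic.
CAPABILITY_PERMISSIONS = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "video_capture": {"android.permission.CAMERA"},
    "exfil_network": {"android.permission.INTERNET"},
    "browser_history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "stored_pictures": {"android.permission.READ_EXTERNAL_STORAGE"},
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(manifest_xml: str) -> dict:
    """Return declared capabilities, SMS_RECEIVED receivers and a flag verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {attr(p, "name") for p in root.iter("uses-permission")}
    capabilities = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & declared}

    # A receiver on SMS_RECEIVED with a high android:priority sees an incoming
    # text before the default messaging app does; before Android 4.4 it could
    # also abort the broadcast, which is how "blocking" SMS worked.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                priority = int(attr(flt, "priority") or 0)
                sms_receivers.append((attr(receiver, "name"), priority))

    # Assumed flagging rule: spying capability + a network path out + SMS access.
    spying = {"audio_capture", "video_capture"} & capabilities
    flagged = bool(spying) and "exfil_network" in capabilities and (
        "sms_intercept" in capabilities or bool(sms_receivers)
    )
    return {
        "capabilities": sorted(capabilities),
        "sms_receivers": sms_receivers,
        "flagged": flagged,
    }


# Constructed sample: a manifest shaped like the capabilities described above.
RAT_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.monitor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Monitor">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a flashlight app that needs CAMERA only for the LED.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("rat-like", RAT_LIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, analyze_manifest(xml))
```

A manifest match like this is a reason to pull the APK into a sandbox, not a verdict: legitimate SMS and messaging apps declare the same receiver, and a bound ("binder") payload inherits whatever permissions the host app already requested, so the combination, not any single permission, is what matters.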

 
The National Institute of Standards and Technology (NIST) has published two draft documents for public comment that describe processes that federal employees and contractors could use to provide smart card-like authentication for access ...
 
RETIRED: Apache Struts CVE-2014-0094 Classloader Manipulation Security Bypass Vulnerability
 
[HTTPCS] ClanSphere 'where' Cross Site Scripting Vulnerability
 
Apache Struts ClassLoader Manipulation CVE-2014-0094 Security Bypass Vulnerability
 
Samsung's new Galaxy Note Pro 12.2-in. Android tablet has a great display and a lot of useful features. Matt Hamblen tried it out as a laptop replacement and reports back.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: ImageMagick could be made to crash or run programs if it opened a specially crafted image file.
 
Japanese authorities are trying to unravel what happened at Mt. Gox, the popular Bitcoin exchange that collapsed last week, and recent revelations are only serving to thicken the plot, not clarify it.
 
Confidence in the underlying strength of the tech sector as a whole appears to be solid despite some dispiriting news on the hardware front.
 
SEC Consult SA-20140307-0 :: Unauthenticated access & manipulation of settings in Huawei E5331 MiFi mobile hotspot
 
[security bulletin] HPSBUX02963 SSRT101297 rev.1 - HP-UX m4(1), Local Unauthorized Access
 

PHP 5.4.26 and 5.5.10 are available with several security fixes: http://www.php.net/downloads.php

--

Tom Webb

 
The U.S. National Security Agency has turned the European Union into a tapping 'bazaar' in order to spy on as many EU citizens as possible, says NSA leaker Edward Snowden.
 
You can shoot some great videos with your Android smartphone, but can you edit them? We review five apps that represent the best video editing options available on the platform today.
 
The U.S. Federal Aviation Administration's policy regarding the commercial use of drones, based on a 2007 policy statement, 'cannot be considered as establishing a rule or enforceable regulation,' an administrative law judge ruled Thursday.
 

Posted by InfoSec News on Mar 07

http://www.csoonline.com/article/749367/criminals-on-tor-is-the-price-of-global-liberty

By Antone Gonsalves
CSO Online
March 06, 2014

Research pointing to rising criminality on Tor shows the cost of having a
network that provides anonymity to whistleblowers, journalists, political
dissidents and others trying to avoid government surveillance.

Experts agreed on Thursday that nothing could be done to prevent
cybercriminals from using Tor...
 

Posted by InfoSec News on Mar 07

http://www.zdnet.com/visa-cfo-quite-a-bit-of-investment-needed-to-install-chip-technology-7000027067/

By Larry Dignan
Between the Lines
ZDNet News
March 6, 2014

Visa's chief financial officer said that securing retail point-of-sale
infrastructure will take a hefty investment, chips on credit cards are
critical and better encryption may be the fastest way to secure
transactions.

Byron Pollitt, CFO of Visa, said at the Morgan Stanley...
 

Posted by InfoSec News on Mar 07

http://arstechnica.com/security/2014/03/new-attack-on-https-crypto-might-know-if-youre-pregnant-or-have-cancer/

By Dan Goodin
Ars Technica
March 6 2014

As the most widely used technology to prevent eavesdropping on the
Internet, HTTPS encryption has seen its share of attacks, most of which
work by exploiting weaknesses that allow snoops to decode
cryptographically scrambled traffic. Now there's a novel technique that
can pluck out...
 

Posted by InfoSec News on Mar 07

http://news.techworld.com/security/3505545/greatest-security-story-never-told-how-microsofts-sdl-saved-windows/

By John E Dunn
Techworld
06 March 2014

Microsoft has launched a new website to "tell the untold story" of
something it believes changed the history of Windows security and indeed
Microsoft itself -- the Software Development Lifecycle or plain 'SDL' for
short.

For those who have never heard of the SDL, or...
 

Posted by InfoSec News on Mar 07

http://www.koreaherald.com/view.php?ud=20140306001442

By Choi He-suk
Heraldcorp.com
2014-03-06

The Incheon Metropolitan Police Agency on Thursday arrested two hackers
and a telemarketing firm CEO in connection with the theft of 12 million KT
Corp. customers' personal information.

KT is the country's second largest telecom services provider with some 16
million consumers subscribing to its mobile, fixed-line telephone and
internet...
 
Netgear's better, faster rack-mount NAS and iSCSI SAN makes the case for enterprise workloads with read and write caching and unlimited snapshots
 
The market for external disk storage systems has recovered from a slump, with factory revenues up 2.4% to $6.9 billion in the fourth quarter of 2013, according to an IDC study.
 
The CIA's decision to use Amazon's cloud is part of a broader IT shake-up to make the spy business more efficient.
 
ImageMagick PSD Image File Processing 'DecodePSDPixels()' Function Buffer Overflow Vulnerability