Hackin9

InfoSec News

Bring-your-own-device (BYOD) makes securing cloud services complex, say experts. Enterprises should set mobile guidelines consistent with cloud policies.

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Federal initiatives to make more spectrum available for mobile services are likely to take off running after President Barack Obama's re-election on Tuesday, a member of a presidential technology commission said.
 

Here's a novel (to me) phishing approach. Cal, one of our readers, was staying at a hotel in Arizona on business, and he got a call to his room from the - alleged - front desk. They were saying that their computer had gone down, and that they needed to re-verify his billing information.



Cute, isn't it?

Being a security geek, Cal didn't fall for it, said that he was currently talking on his mobile phone with his wife, and asked whether he could call back. Not surprisingly, the front desk seemed a tad reluctant to provide a number. Stalemate. That's when the phish caller came up with a very customer-service-oriented approach: "We really regret this trouble, and we will gladly offer you 40% off your room rate for the inconvenience."

But no dice: Not even the prospect of a rebate was sufficient to convince Cal to hand out his personal data and credit card information to an unknown caller. He hung up, walked down to the front desk, and upon asking, the lady at the front desk put her head down and said "You too? They've been calling 201, 203, 204, 210, and now you?"

Given the right circumstances and timing, I'd say quite a few hotel guests would fall for this. Make sure you are not one of them!


 
Stringent iPhone 5 production specifications established by Apple and supply issues with new components like the Lightning port and larger screen could be responsible for Foxconn's delays of the handset, analysts said on Wednesday.
 
IcedTea-Web CVE-2012-4540 Heap Based Buffer Overflow Vulnerability
 
Mac owners still running 2009's OS X 10.6 are not about to give up on the operating system, making arguments strikingly similar to those trotted out by diehard Windows XP users.
 
Oracle is finding itself caught up in another Java-related patent lawsuit, but this time it's the one getting sued.
 
Tuesday's election leaves President Barack Obama in the White House and maintains the balance of power in Congress. In many longstanding technology debates, policy experts see little movement forward, although lawmakers may look for compromises on a handful of issues.
 
Oracle WebCenter Forms Recognition 'CroScPlt.dll' ActiveX Control Insecure Method Vulnerability
 
Plone and Zope Multiple Remote Security Vulnerabilities
 
As presidential election day unfolded on Tuesday, people spent time posting photos of long lines at polling places, tweeting about casting a vote and commenting on a viral video of a malfunctioning voting machine.
 
Oracle WebCenter Forms Recognition 'Sssplt30.ocx' ActiveX Control Remote Code Execution Vulnerability
 
PrestaShop 'message' Field HTML Injection Vulnerability
 
Security pros need to share anonymous attack information or face dire consequences, said Dave Cullinane, CEO of Security Starfish and chairman of the Cloud Security Alliance.

 

Cisco has released a patch that addresses a TACACS+ Authentication Bypass vulnerability. Exploitation is likely very easy. If you are using Cisco ACS for authentication, you should probably take note of this announcement.

The following Cisco Secure ACS versions are affected by this vulnerability:

Cisco Secure ACS Version    Affected
5.0                         Yes
5.1                         Yes
5.2                         Yes
5.3                         Yes
5.4                         No

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121107-acs

Thanks to the ISC reader who asked not to be mentioned by name who brought this to my attention. And thanks to Scott for keeping me straight on the versions.

Join me in San Antonio Texas November 27th for SANS504 Hacker Techniques, Exploits and Incident Response! Register Today!!

Follow me on Twitter @MarkBaggett

Mark Baggett
 
AT&T will invest $14 billion over the next three years for wireless and wired capital improvements, including an expansion of 4G LTE service to 300 million people by the end of 2014.
 
They say no one can hear you scream in space, but if you so much as whisper on the Web, you can be tracked by a dozen different organizations and recorded for posterity. Simply visiting a website can allow its operators to figure out your general physical location, identify details about your device information, and install advertising cookies that can track your movements around the web. (Don't believe me? Check this out.)
 
Google's Nexus 4 offers outstanding hardware and an optimal Android experience, but it may require you to make a few compromises. Here's an in-depth look at the new flagship phone.
 
Google yesterday made good on a promise from earlier this year and shipped Chrome 23 with the "Do Not Track" privacy feature.
 
MasterCard is testing new ways to make online transactions more secure with its PayPass application and a mobile phone, including using QR codes to secure the transactions.
 
The global software market grew 4.7% in the first half of this year to $167 billion, with CRM, virtualization and collaboration coming in as the fastest-growing segments, according to figures from market research firm IDC.
 
Companies that specialize in data recovery are still getting many calls for help from businesses and institutions whose equipment was damaged by the effects of Hurricane Sandy.
 
In a move to speed online transaction processing (OLTP), Microsoft is adding in-memory capabilities into its SQL Server relational database management system.
 
Samsung's recent licensing of 64-bit processor designs from ARM suggests that the chip maker may expand from smartphones and tablets into the server market, analysts said this week.
 
The number of new IT and business process outsourcing contracts worldwide dropped year-on-year in the third quarter, with contract values also decreasing, a research firm said.
 
Google's Nexus 4 Android smartphone officially goes on sale in Australia next week. How does it compare to the Apple iPhone 5?
 
When a malicious web page reconfigures a router or sets up forwarding in a webmail frontend, the culprit is usually a cross-site request forgery. OWASP's CSRFTester hunts down this kind of vulnerability.


 
Apparently, Skype passed on the personal data of a young Dutch user to a private security company without a court order. The user is believed to have been involved in DDoS attacks that were part of Operation Payback.


 
Cross-Site Request Forgery (CSRF) in CMS Made Simple
 
SQL injection in AJAX post Search WordPress plugin
 
Windows Phone SDK 8.0 gives developers extensive features, snappier code, lots of help, and the option to code in JavaScript and HTML
 

I'm getting really good feedback on our bug hunt. I've had a couple of people report interesting vulnerabilities to ISC or me directly that they have discovered using the technique outlined on the ISC Diary here (https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464). The vulnerability reported can be used by malware instead of creating registry entries to survive a reboot. In cases where the program runs as a service, they can be used for privilege escalation.

As you are checking your programs, be sure to occasionally check for instances of CALC.EXE running invisibly in the background. Those are sometimes the more interesting processes to look at. :)

Thanks to everyone reporting vulnerabilities. Be sure to post a comment on the bug hunt diary and read the comments from other people finding the bugs.

Join me in San Antonio Texas November 27th for SANS504 Hacker Techniques, Exploits and Incident Response! Register Today!!

Follow me on Twitter @MarkBaggett

Mark Baggett
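The unquoted service paths that bug hunt looks for can be enumerated locally before anyone has to watch for a stray CALC.EXE. The PowerShell audit below is an added example, not code from the ISC diary or its linked technique; it assumes it reads the standard Services registry hive and uses ObjectName as the service's logon account.

```powershell
# Added audit example; not code from the ISC diary or its linked technique.
# Enumerates services whose ImagePath is unquoted and contains spaces, and
# lists the shorter paths Windows would try before the intended executable.
# Run from an elevated PowerShell prompt for complete registry coverage.
function Get-UnquotedServicePath {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }
        # Resolve %SystemRoot%-style variables so the check sees the real path.
        $expanded = [Environment]::ExpandEnvironmentVariables($props.ImagePath).Trim()
        # A leading quote means the path is already delimited: nothing to report.
        if ($expanded.StartsWith('"')) { continue }
        # Drop any arguments: the executable ends at the first .exe or .sys token.
        $m = [regex]::Match($expanded, '^(.*?\.(exe|sys))(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $expanded }
        # Spaces only in the arguments are harmless; spaces in the path are not.
        if ($exe -notmatch ' ') { continue }
        # Every space yields a shorter candidate that is tried first, e.g.
        # "C:\Program.exe" for "C:\Program Files\Vendor App\svc.exe".
        $candidates = @()
        $idx = $exe.IndexOf(' ')
        while ($idx -ge 0) {
            $candidates += ($exe.Substring(0, $idx) + '.exe')
            $idx = $exe.IndexOf(' ', $idx + 1)
        }
        [PSCustomObject]@{
            Service    = $key.PSChildName
            # ObjectName holds the logon account; LocalSystem turns a
            # persistence bug into a privilege escalation.
            RunsAs     = $props.ObjectName
            ImagePath  = $props.ImagePath
            Candidates = ($candidates -join '; ')
        }
    }
}

# Report, then review the ACL on each candidate's parent directory (for
# example with icacls) to see whether a non-admin user could create the file.
Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

Remediation is to quote the ImagePath value so the full path is passed as one token; only entries whose candidate directories are writable by unprivileged users are actual findings.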
 
Adobe on Tuesday announced that it will pair future security updates for its popular Flash Player with Microsoft's Patch Tuesday schedule.
 
In addition to fixing several high-severity security vulnerabilities, version 23 of Google's Chrome web browser promises to improve battery life for some users and includes support for the Do Not Track (DNT) header.


 
U.S. President Barack Obama won re-election Tuesday night, topping 270 electoral votes to defeat Republican challenger Mitt Romney just after 11 p.m. ET.
 
Amazon.com, a latecomer to Japanese e-reader market, is slashing its Kindle prices in the country before it has shipped a single device.
 
Apple dropped out of the top five list in China's smartphone market for the third quarter, as local handset vendors saw their shipments surge from the sales of low-priced smartphone models, according to research firm Canalys.
 
AT&T has agreed to pay $700,000 and refund certain customers said to have been overcharged on smartphone plans, after the Federal Communications Commission found that some customers were moved to more expensive monthly plans without their consent.
 
TI announced its first single-stage wireless power receiver with integrated battery charger and a new "free-position" transmitter integrated circuit, which expands the charge area by four times.
 
Several security holes discovered by Google's Security Team have been closed in the latest update to Flash Player. A high priority on the Windows update suggests that exploits may well be in the wild.


 
Adobe Flash Player And AIR APSB12-24 Multiple Security Vulnerabilities
 
IBM WebSphere Application Server for z/OS Multiple Security Vulnerabilities
 
IBM WebSphere Application Server Administrative Access Security Bypass Vulnerability
 

Posted by InfoSec News on Nov 06

http://arstechnica.com/security/2012/11/crypto-keys-stolen-from-virtual-machine/

By Dan Goodin
Ars Technica
Nov 6 2012

Piercing a key defense found in cloud environments such as Amazon's EC2
service, scientists have devised a virtual machine that can extract
private cryptographic keys stored on a separate virtual machine when it
resides on the same piece of hardware.

The technique, unveiled in a research paper published by computer...
 

Posted by InfoSec News on Nov 06

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

The Call for Papers for the fourth annual HITBSecConf in Europe is now
open! Taking place on the 8th till 11th of April at the Okura Hotel,
Amsterdam, #HITB2013AMS will be a triple track conference (with HITB
Labs) and features keynotes by Eddie Schwartz, Chief Information
Security Officer at RSA and Bob Lord, Chief Security Officer at Twitter.

As always, talks that are more...
 

Posted by InfoSec News on Nov 06

http://www.telegraph.co.uk/news/uknews/law-and-order/9659365/Cyber-help-squad-set-up-by-GCHQ.html

By Tom Whitehead
Security Editor
The Daily Telegraph
07 Nov 2012

Four private companies that specialise in tackling and preventing cyber
attacks will form a new “Cyber Incident Response” programme that will
provide expert help to victims.

It has been developed because of the growing cyber threat and comes two
weeks after The Daily Telegraph...
 

Posted by InfoSec News on Nov 06

http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/240049917/scada-security-in-a-post-stuxnet-world.html

By Kelly Jackson Higgins
Dark Reading
Nov 06, 2012

New data points illustrate just what a turning point Stuxnet truly was
in SCADA security: Twenty times more software flaws have been discovered
in industrial-control systems (ICS)/SCADA systems since the 2010
discovery of Stuxnet, and the vendor whose PLC...
 

Posted by InfoSec News on Nov 06

http://www.csoonline.com/article/720881/volunteering-falls-short-on-threat-information-sharing

By Taylor Armerding
CSO
November 06, 2012

Critical infrastructure security apparently has its own version of Don't
Ask, Don't Tell, despite calls in the public and private sector for
better information sharing.

And this one goes both ways. The private sector is not telling the
government about its vulnerabilities, and government is also...
 
 