When BNSF Railway decided to move its Microsoft email and collaboration systems from its own premises to a public cloud, it considered suites from various vendors, but ultimately picked Office 365.

Security Policy Orchestration brings InfoSec under larger tent
Network World (blog)
For a long time many pundits have spoken about a time when security does not exist in a separate silo but is instead integrated into the larger IT mission. Combining this with development processes represents a holy grail for some in security as well ...

Twitter's first day of trading as a public company sits in sharp contrast to Facebook's troubled and disappointing IPO a year and a half ago.
Juniper Junos J-Web Privilege Escalation Vulnerability
Opsview 'service_selection' Parameter SQL Injection Vulnerability
SaltStack Salt CVE-2013-4438 Multiple Remote Code Execution Vulnerabilities
The buzz is all about 'Big Data' and how best to use it to generate actionable intelligence. To do this, companies will need to hire loads of highly trained, highly paid data scientists -- or will they?
The Internet Archive, a massive, publicly accessible online repository of everything on the World Wide Web, suffered major fire damage to one of its San Francisco facilities Wednesday night.
Microsoft today released Internet Explorer 11 (IE11) for Windows 7, and announced it would soon start pushing it to customers as an automatic update.
Three astronauts arrived at the International Space Station early today, bringing with them the Olympic torch that will light the Olympic flame in Sochi, Russia, for the 2014 Winter Games.
AT&T supplies information on international calls that travel over its network, including ones that start or end in the U.S., under a voluntary contract with the U.S. Central Intelligence Agency, The New York Times reported Thursday.
A smart person once said, 'As long as you're asking the wrong questions, it doesn't matter what answers you come up with.' When it comes to making the business case for CRM, the CFO is likely to ask too many of the wrong questions.
LinuxSecurity.com: Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having [More...]
One of the e-mails that delivers a Word document booby-trapped to silently install the Citadel trojan.

The critical Microsoft Windows and Office vulnerability that came to light two days ago is being more widely exploited than previously reported, making it more urgent that end users install a temporary fix right away.

Early research into the zero-day exploit detected only highly targeted attacks on individuals or companies that were mostly located in the Middle East and South Asia. More often than not, the word "targeted" is used to describe espionage campaigns aimed at a particular company or industry. Now, researchers at two security firms have uncovered evidence that the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync—is also being targeted in wider-ranging hacking campaigns being carried out by multiple gangs, including one made up of financially motivated criminals.

The more recently discovered attacks are being carried out by the same India-based group behind Operation Hangover, a malware campaign first detected earlier this year, researchers from security firm FireEye wrote in a recent blog post. The researchers went on to say that the same attacks—which exploit weaknesses in the way Microsoft code processes TIFF images—are being waged by yet another group, alternately dubbed Arx and Ark, to deliver the Citadel trojan. Citadel is a highly malicious piece of malware that's mostly used by criminals to access and liquidate online bank accounts.



IBM Tivoli Federated Identity Manager/Business Gateway Open Redirection Vulnerability
Twitter is now a publicly traded company, opening at a price of $45.10 a share, 73% higher than its initial IPO price.
A new bug bounty program sponsored by Microsoft and Facebook will reward security researchers for finding and reporting vulnerabilities in widely used software that have the potential to affect a large number of Internet users.

Ladar Levison founded secure e-mail service Lavabit in 2004. His company garnered international attention when it was revealed to be the preferred provider for Edward Snowden, a former NSA contractor and whistleblower now living in exile in Russia. In July 2013, the American government ordered Lavabit to hand over the SSL keys to the entire website, which would have allowed them to read every single user's e-mail—not just Snowden's. Levison complied with the order by printing the keys on paper in a tiny font, which gave him enough time to shut down the service. He is actively fighting the government in court, and he recently joined forces with another related company, Silent Circle, to create the forthcoming Dark Mail Alliance.

Lavabit was designed to protect the privacy of e-mail by allowing users to encrypt messages stored on the Lavabit servers. Once encrypted, an e-mail could only be decrypted with a user’s password. The system was made to protect messages on Lavabit’s servers from prying eyes. Quite simply, the goal was to remove Lavabit from the surveillance equation.

In response to the recently announced Dark Mail Alliance, famed security researcher Moxie Marlinspike penned an op-ed in which he makes a number of interesting points. His arguments are well-reasoned and his contributions to the community are worthy of note, so I feel compelled to respond to his critique of Lavabit’s design.



More than a month after it went live, a couple of large questions remain about the U.S. Department of Health and Human Services' botched launch of HealthCare.gov.

Researchers have uncovered software available on the Internet designed to overload the struggling Healthcare.gov website with more traffic than it can handle.

"ObamaCare is an affront to the Constitutional rights of the people," a screenshot from the tool, which was acquired by researchers at Arbor Networks, declares. "We HAVE the right to CIVIL disobedience!"

In a blog post published Thursday, Arbor researcher Marc Eisenbarth said there's no evidence Healthcare.gov has withstood any significant denial-of-service attacks since going live last month. He also said the limited request rate, the lack of significant distribution, and other features of the tool's underlying code made it unlikely that it could play a significant role in taking down the site. The tool is designed to put a strain on the site by repeatedly alternating requests to the https://www.healthcare.gov and https://www.healthcare.gov/contact-us addresses. If enough requests are made over a short period of time, it can overload some of the "layer 7" applications that the site relies on to make timely responses.



Imperva SecureSphere Web Application Firewall Search Field SQL Injection Vulnerability
The unpatched vulnerability in Windows that Microsoft acknowledged on Tuesday has been used by a known Indian hacker group responsible for earlier "Operation Hangover" attacks, security company Symantec said.
A recent survey shows that 90% of drivers would consider using an autonomous car if it would cut their insurance rates. Are you one of them?
LinuxSecurity.com: A vulnerability has been found in Vixie cron, allowing local attackers to conduct symlink attacks.
LinuxSecurity.com: Two vulnerabilities in Quassel may result in Denial of Service or SQL injection.
LinuxSecurity.com: Light Display Manager could be made to expose sensitive information locally.
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
RETIRED: Tiki Wiki CMS Groupware CVE-2013-4714 Unspecified Cross Site Scripting Vulnerability
Tiki Wiki CMS Groupware Unspecified SQL Injection and Cross Site Scripting Vulnerabilities
CFP BugCON 2014 - Mexico City
Cisco Security Advisory: Cisco WAAS Mobile Remote Code Execution Vulnerability
Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
Cisco Security Advisory: Cisco TelePresence VX Clinical Assistant Administrative Password Reset Vulnerability
Apple received kudos yesterday for inserting a 'warrant canary' in its first transparency report on government information requests.
Though not every experiment has yielded pay dirt, many organizations giving kiosks a go report minimal IT investment and improvement in customer satisfaction or employee self-service.
A unique effort to crowdsource a security audit of the popular TrueCrypt open source encryption software appears to be going viral three weeks after it was launched by two U.S.-based researchers in response to concerns that the National Security Agency may have tampered with it.
Office Web Apps, the browser-based, pared-down version of the Microsoft suite, now lets people co-edit documents in real time, a capability its main rival Google Docs has had for more than two years.
Chinese PC maker Lenovo posted a 36% year-over-year growth in its net profit in the third quarter, with demand for the company's smartphones and tablets continuing to outpace shipments for its PC products.
Twitter has set its IPO price at $26 per share, a dollar above the top end of the price range it predicted earlier this week.
Some new details have emerged about Jelly, the mysterious startup from Twitter co-founder Biz Stone: The company's app is "very close" to launching, and will be available for free on iOS and Android-based devices, Stone recently said.
YouTube is overhauling comments on videos to highlight the ones that actually mean something to viewers, the site said Wednesday.
The ongoing revelations of governmental electronic spying point to a problem larger than National Security Agency malfeasance, or even of security weaknesses. Rather, the controversy arising from Edward Snowden's leaked documents suggests we face unresolved issues around data ownership, argued security expert Bruce Schneier.
Workers at four Dell suppliers in China are allegedly enduring long overtime hours and facing exposure to toxic fumes, according to new reports from watchdog groups.
Several state healthcare exchanges established as part of the Affordable Care Act (ACA) appear buggy and easy to attack, a security researcher warned this week.
On the morning of Oct. 1 in Washington, temperatures in the low 80s were expected, the Republican-engineered federal shutdown was in its first day, and a Healthcare.gov "War Room" team gathered for a meeting. They kept notes.
Karma, the startup that offers pay-as-you-go mobile data through a portable Wi-Fi hotspot, will catch up with the 4G world next year by moving to LTE.
LightDM 'create_guest_session()' Function CVE-2013-4459 Security Bypass Vulnerability
Drupal Quiz Module Multiple Access Bypass Vulnerabilities
Google Android Signature Verification Security Bypass Vulnerability

Posted by InfoSec News on Nov 07


By Liam Tung
ZDNet News
November 6, 2013

Android smartphone makers are not only slow to release security patches to
end users, they're also stuffing their phones with buggy software in
the name of differentiation.

Vendor efforts to customise Android phones are unnecessarily introducing a
host of potential security...

Posted by InfoSec News on Nov 07


November 07, 2013

Two Russian nationals have been added to the FBI cyber criminals most
wanted list. One is wanted for hacking US based firms and stealing
confidential data including employee identities, while the other one for
infecting PCs in more than 100 countries.

The FBI is offering a reward of up to $100,000 for Alexsey Belan who is
wanted for allegedly compromising the cyber...

Posted by InfoSec News on Nov 07


[This is the USO I can usually be found at when not working away on InfoSec
News, Great to see a neat news story about the center! - WK]

By Associated Press
November 6, 2013

CHICAGO -- It didn’t matter that the 13 Marines on their way home from

Posted by InfoSec News on Nov 07


By Tony Romm

The Department of Homeland Security has struggled to respond to
cybersecurity threats and disseminate information about them because of
lingering technical, funding and staffing woes, according to the agency’s
inspector general.

As hackers increasingly take aim at U.S. banks and other top targets, DHS
still lacks some tools...

Posted by InfoSec News on Nov 07


By Dan Goodin
Ars Technica
Nov 6 2013

Microsoft and Facebook are sponsoring a new program that pays big cash
rewards to whitehat hackers who uncover security bugs threatening the
stability of the Internet at large.

The Internet Bug Bounty program, which in some cases will pay $5,000 or
more per vulnerability, is sponsored by Microsoft and...