Restlet Framework Object Deserialization Remote Code Execution Vulnerability
Apache Camel CVE-2013-4330 Information Disclosure Vulnerability
Eric Schmidt, Google's executive chairman, put a question to a large audience at Gartner's Symposium ITxpo here on Monday. 'Raise [your] hand if you're sure the Chinese are not inside your corporate network.' Only five hands were raised.
Premier 100 IT Leader Robert Krestakos also answers questions on certifications and acting on suspicions.
Cisco Nexus 7000 Series Switches NX-OS CVE-2012-4090 Remote Information Disclosure Vulnerability
Oracle Sun Products Suite CVE-2012-3128 Local SPARC T-Series Servers Vulnerability
Gartner expects major changes in technology, especially in areas like 3D printing, machine learning and voice recognition -- powerful trends that will reduce the need for workers and bring on social unrest.
How many eyes see a tweet about television? Nielsen wants to find out, and let marketers know so they can make more informed advertising decisions on Twitter.
As marketing departments become more reliant on technology, a strong relationship with the CMO will be necessary for the survival of CIOs. In fact, don't be surprised to see CEOs siding with marketing when there's a conflict.
Enterasys Networks joined with PCM to unveil a cloud-based Wi-Fi service that offers daily management, access point hardware, software and network setup for one monthly fee.
Red Hat JBoss Application Server Multiple Servlets Remote Code Execution Vulnerabilities
[ MDVSA-2013:246 ] openjpa
An image taken from documents former NSA contractor Edward Snowden provided to The Guardian newspaper.

One of the more intriguing revelations in the most recent leak of NSA documents is the prospect the spy agency is using browser cookies from the Google-owned DoubleClick ad network, Yahoo, or Hotmail to decloak users of the Tor anonymity service.

One slide from a June 2012 presentation titled "Tor Stinks" carried the heading "Analytics: Cookie Leakage" followed by the words "DoubleclickID seen on Tor and nonTor IPs." The somewhat cryptic slide led to rampant speculation on Twitter and elsewhere that the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), are able to bypass Tor protections by somehow manipulating the cookies Google uses to track people who have viewed DoubleClick ads. Principal volunteers with the Tor Project believe such a scenario is "plausible" but only in limited cases. Before explaining why, it helps to discuss how such an attack might work.

As documented elsewhere in the "Tor Stinks" presentation, the spy agencies sometimes use secret servers that are located on the Internet backbone to redirect some targets to another set of secret servers that impersonate the websites the targets intended to visit. Given their privileged location, the secret backbone nodes dubbed Quantum are able to respond to the requests faster than the intended server, allowing them to win a "race condition." Government spies can't track cookies within the Tor network because traffic is encrypted during its circuitous route through three different relays. But if the spies can watch the Internet backbone, they may be able to grab or manipulate cookies once the data exits Tor and heads toward its final destination.

Apple Motion Integer Overflow Vulnerability

AnubisNetworks to attend the Infosec Week and JoinSec events
AnubisNetworks will be present at the Infosec Week event in Lisbon (taking place from 7 to 11 October) and at JoinSec in London (17 and 18 October). With the aim of debating and analysing the main national and international trends in ...

Microsoft paid more than $28,000 in rewards to researchers for its first bug bounty program, a one-month special it ran during the summer for the preview version of Internet Explorer 11.
At its big IT conference here this week, Gartner analysts put what everyone knows into a milkshake, gave it a good shake, and then used its conclusions to scare its audience of IT professionals and vendors.
U.S. President Barack Obama should add actual technologists to a group reviewing the nation's surveillance technologies, IT-related groups have said.
Toshiba's new Portege Z30 ultrabook can be fixed or upgraded in-house, which the company hopes will set the new offering apart from competition.
Hosting provider LeaseWeb became the latest high-profile company to have its domain name taken over by attackers, highlighting that DNS (Domain Name System) hijacking is a significant threat, even to technically adept businesses.
The Department of Health and Human Services recently confirmed that a lack of training is a common cause of HIPAA compliance difficulties. But is that really such a surprise? Given the poor state of awareness training in many organizations, it's no wonder that HIPAA violations are actually on the rise. The fact is, to achieve formal, "letter of the law" compliance, just about any form of training will do to "check the box." But as we continue to see, bad training is, in the final analysis, practically equivalent to--or worse than--no training at all, and hence the disappointing results reported by HHS and by others who wonder why their compliance training fails.
As Twitter gears up for an initial public offering, its executives should study Facebook's path to an IPO to learn what not to do.
BlackBerry has reportedly asked Cisco, Google, SAP, Intel, LG and Samsung separately to consider buying all or parts of its embattled company.
LG Electronics' Display unit will start mass-producing the world's first flexible OLED panel for smartphones, and the technology will also be used in automotive displays, tablets and wearable devices.
Xpdf Multiple Remote Code Execution Vulnerabilities
Vanilla Forums CVE-2013-3528 Multiple PHP Code Injection Vulnerabilities

CSOs face ongoing paradoxical challenges, according to report
IDG News Service
Equally unhelpful is the fact that a very small percentage of InfoSec professionals even have the certification for secure software development. The scarcity of people with the skill set for app security "is also a problem," explained Julie Peeler ...

If you're one of those folks who read a lot of InfoSec news, you've no doubt heard a lot of mention of the effectiveness of a Cyber Kill Chain approach to security. If you managed to miss the hubbub, you may be wondering if that's the latest sci-fi movie starring the usual muscle-bound action hero. In this article we'll talk about what a Cyber Kill Chain approach is, and whether it might be a good fit for your organization.
LinuxSecurity.com: A buffer overflow vulnerability in Aircrack-ng could result in execution of arbitrary code or Denial of Service.
LinuxSecurity.com: A vulnerability in GEGL might allow a remote attacker to execute arbitrary code.
LinuxSecurity.com: Multiple vulnerabilities have been found in nginx, the worst of which may allow execution of arbitrary code.
LinuxSecurity.com: Multiple vulnerabilities have been found in Poppler, some of which may allow execution of arbitrary code.
LinuxSecurity.com: A vulnerability in isync could allow remote attackers to perform man-in-the-middle attacks.
LinuxSecurity.com: A heap-based buffer overflow vulnerability was found in icedtea-web, a web browser plugin for running applets written in the Java programming language. If a user were tricked into opening a malicious website, an attacker could cause the plugin to crash or possibly execute arbitrary [More...]
Xen CVE-2013-1442 Information Disclosure Vulnerability

Portugal susceptible to cyber attacks - study
Telecompaper (subscription)
Portugal is susceptible to cyber attacks and has no adequate legislation, according to a study by Dognaedis, a spin-off of the University of Coimbra. It detailed the findings at InfoSec Week, an event organized by ShadowSec during the European ...

Vendor tests and very early 802.11ac customers provide a reality check on 'gigabit Wi-Fi' but also confirm much of its promise.
Microsoft last week warned potential customers that its second round of Surface tablets were nearing sell-out status.
Our manager hadn't realized how the government affected his daily life until he couldn't get to government websites that hold information he needs.
Toshiba's first cloud offering will come with a twist -- users will be able to customize the remote hardware being used to host the virtual desktop and storage service.
Samsung Electronics is working on a new 13-megapixel camera module with optical image stabilization, an area where Samsung has fallen behind its competitors.
Anturis and CloudPassage Halo are complementary products that approach infrastructure monitoring from different directions. Anturis is a cloud-based portal that monitors connectivity, systems, MySQL databases and websites. CloudPassage Halo monitors operating system instances and the comparatively sticky compliance state of those instances.
Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals.
For us, avoiding being blamed for anything is an all-too-common compulsion.
Researchers at Stanford have demonstrated the first functional computer built using only carbon nanotube transistors, according to an article in the scientific journal Nature.
Smaller vendors would seem to be at a competitive disadvantage in the $9 billion Unix server market, which is in seemingly permanent decline. But one of those smaller vendors, Fujitsu, vows to stay in the market for the long haul.
After keeping its IT employees in the dark for weeks, Northeast Utilities last week confirmed that it plans to cut half of its tech jobs and turn over some IT operations to a pair of India-based IT service providers.
Microsoft is pursuing an operating system ideal: a unified code base that can run devices ranging from smartphones to servers.
The younger you are, the harder it is for you to imagine what life would be like without the Web. And in 20 more years, very few of us will be able to live without it.
In a sign of the growing enterprise interest in new technologies for big data applications, NoSQL database vendor MongoDB has raised $150 million in a fresh round of funding from several major firms including Salesforce.com, Intel Capital and Sequoia Capital.
BlackBerry's likely buyer, Fairfax Financial Holdings, faces a tough road after the close of the $4.7 billion deal, with many analysts saying its only option is to break up the company.
Many Oracle OpenWorld attendees felt short-changed when Larry Ellison skipped his conference closing keynote to watch an America's Cup yacht race.
As Twitter looks to convince investors its IPO is a good bet, analysts are studying the biggest challenges facing the company, like finding a path to profitability while fending off rivals like Facebook and Google.
RubyGems CVE-2012-2125 URI Redirection Vulnerability
Oracle MySQL and MariaDB CVE-2012-5627 Insecure Salt Generation Security Bypass Weakness
[KIS-2013-09] Vanilla Forums <= (class.utilitycontroller.php) PHP Object Injection Vulnerability
[SECURITY] [DSA 2768-1] icedtea-web security update

Posted by InfoSec News on Oct 07


By Mathew J. Schwartz
Information Week
October 04, 2013

Is the FBI allowed to entrap suspected computer criminals? That question
is at the heart of a request for leniency by Jeremy Hammond, who's due to
be sentenced on November 15 for hacking private intelligence contractor
Stratfor, among other business and government sites.


Posted by InfoSec News on Oct 07


By Tim Wilson
Dark Reading
October 04, 2013

NEW YORK, N.Y. -- Interop New York 2013 -- Here at one of the networking
industry's best-known trade shows, you can get help with cloud networking,
mobile device deployment, virtual private networks, email security, and
much more. But finding a provider that can help you manage your
enterprise's risk,...

Posted by InfoSec News on Oct 07


By Patrick Ouellette
Health IT Security
October 3, 2013

BOSTON -- No healthcare privacy and security discussion would be complete
without the mention of cloud computing, and last week's HIMSS Privacy and
Security Forum didn't disappoint. The "Managing Security Risks of Health
Data in the Cloud" keynote featured Lee Kim, JD, Director of...

Posted by InfoSec News on Oct 07


By Ellen Nakashima
The Washington Post
October 6, 2013

During suspected Iranian cyberattacks on the Web sites of commercial
banks last year, Gen. Keith B. Alexander, who simultaneously heads the
country's largest electronic spy agency and the military's Cyber Command,...

Posted by InfoSec News on Oct 07


Star Tribune
October 6, 2013

The 9-year-old boy who stowed away on a Delta flight from Minneapolis to
Las Vegas on Thursday passed through three security checkpoints at the
airport without a boarding pass or identification, officials and an
airline expert said Sunday.

"I've worked at the airport for 13 years, and we have more than 33 million
people go through...

How to establish trust in the cloud
Help Net Security
A troubling example was recently brought to light by WNC Infosec (Western North Carolina InfoSec Community), which found that the Dropbox file sharing service opens certain files after they are uploaded. While it may be fine for individuals to trust ...