Posted by InfoSec News on May 09


By Jonathan Grass
May 08, 2013

TENNESSEE VALLEY, Alabama -- MAPCO is alerting customers to a security
breach in which third-party hackers may have obtained credit and debit
card information.

In a security alert on its website, the company states hackers used
malware to access payment processing systems in MAPCO Express stores in
several states, including...

Posted by InfoSec News on May 09


By Senol Yilmaz
May 8, 2013

OVER THE PAST few decades, Singapore’s economy has moved up from a mere
producer of material goods to a creative inventor of ideas. This success
stands on two main pillars: Firstly, heavy investment has been made in
education as well as research and development. Secondly, the...

Posted by InfoSec News on May 09


By Shaun Waterman
The Washington Times
May 8, 2013

A conspiracy-obsessed hacker who recently targeted George W. Bush and
Colin Powell has stolen and posted online the opening pages of an
unfinished novel by "Sex and the City" author Candace Bushnell.

"Guccifer," the hacker who has posted about the alleged centuries-old

Posted by InfoSec News on May 09


By Kyle Murphy, PhD
May 8, 2013

A theft of tens of thousands of dollars in the form of computer equipment
from a city office in Chicago may have exposed personally identifiable
information (PII) or protected health information (PHI) to unauthorized
access or abuse.

According to a Chicago Tribune report, the theft took place at...

Posted by InfoSec News on May 09


By Kevin Poulsen
Threat Level

They know when to fold ‘em. Las Vegas prosecutors targeting two men who
took advantage of a software bug to win a small fortune at video poker
have dropped all hacking charges from the case, cashing out an 18-month
legal battle over the applicability of the 1986 Computer Fraud and Abuse

“The United States of...

Norway's Crown Prince Haakon and Princess Mette-Marit tried touchless gesturing systems and other technologies developed by Norwegian startups at a tech incubator in Palo Alto on Wednesday afternoon.

Microsoft has released a temporary update that fixes the critical vulnerability in Internet Explorer 8 that was recently exploited to target federal government workers involved in nuclear weapons research and in the aerospace, defense, and security industries. Adobe Systems, meanwhile, warned of a critical vulnerability in its ColdFusion server platform.

The first solution is a Fix it designed to protect Windows XP users and other Microsoft customers who are unable to upgrade to a later version of the browser. It's intended to be a stop-gap measure until the release of a comprehensive update, which Microsoft engineers are actively testing now.

The Fix it addresses a code-execution vulnerability that attackers exploited to surreptitiously install malware on the computers of government workers. The exploits—which don't work against IE versions 6, 7, 9, and 10—were triggered when people visited pages on the US Department of Labor website that had been compromised. The specific webpages, which dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy, redirected visitors to a series of intermediary addresses that ultimately exploited the vulnerability. At least nine other sites were similarly booby-trapped. Compromised computers were infected by the notorious backdoor trojan known as "Poison Ivy."


Intruders used to creep in through ventilation ducts. Now they break in using the software that controls the ventilation.
Microsoft has released a temporary fix for a zero-day vulnerability in Internet Explorer 8, which was used by hackers in a prominent attack against the U.S. Department of Labor's website.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
X1 has released the biggest upgrade of its desktop search tool in four years, adding the ability to query SharePoint sites and tap webmail accounts.
As part of the Open Compute Project (OCP), Facebook's network engineering team is leading a project to develop an open source networking switch.
[security bulletin] HPSBUX02876 SSRT101148 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)
[2.0 Update] Cisco Security Advisory: Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability
San Francisco killed its cellphone radiation warning law on Tuesday by agreeing to settle a lawsuit by the mobile industry group CTIA.
A standards organization has created a boot environment for tablets and PCs that could potentially run a 64-bit version of Windows RT.
Software defined networking (SDN) is generating a lot of buzz these days, but the technology will ultimately make itself useful in the enterprise largely because it will save enterprises time in deploying new applications, predicted Martin Casado, chief architect of networking at VMware.
Google is rolling out a new IT administration console for its Apps email and collaboration cloud suite and for other enterprise products such as Maps Coordinate and Chrome OS devices.

A new website published by chipmaker Intel asks readers "How Strong is Your Password?" and provides a form for estimating the strength of specific passcodes. It's too bad the question isn't "How Strong is your Password-grading site," because the answer, unfortunately, is "not very."

The most glaring problem with the site is its failure to use standard HTTPS Web encryption. Based on the secure sockets layer and transport layer security protocols, HTTPS ensures that a Website being accessed is authentic and operated by a legitimate entity, as opposed to a knock-off page created by someone who is able to control the end user's Internet connection. It also encrypts traffic sent between the end user and site to prevent anyone else from eavesdropping. It wouldn't take much effort for someone to create a convincing replica of the McAfee-powered site and substitute it for the real one on a network in a coffee shop, at a conference, or in another setting. At that point anything a visitor typed could be sent to the attacker. Authoritarian regimes have also been known to inject code into legitimate sites to log account credentials.

To be sure, there are caveats. The site instructs users: "PLEASE DO NOT ENTER YOUR REAL PASSWORD," but I'd bet some percentage of users will ignore this request. Even then, the attack wouldn't reveal the user name corresponding to the password, or even the service or site they belong to. Still, the attack could be used in campaigns aimed at a specific individual or group to gain important insights about the passwords the targets use. More importantly, I'd expect a site with a goal of educating the masses about password security would tell users they should never enter a password on a plain HTTP connection. And I certainly expect Intel and its McAfee subsidiary to offer HTTPS on their own sites. The lack of encryption and authentication is surprising. I'd strongly discourage readers from entering any passwords they trust or use to secure important accounts.


Nvidia will stay on board with making Tegra ARM-based processors for Windows RT tablets despite sluggish early sales of the devices, making the same commitment that Qualcomm has made, an Nvidia executive said.
The U.S. military's reliance on foreign-made products, including telecommunications equipment and semiconductors, is putting the nation's security at risk by exposing agencies to faulty parts and to the possibility that producing nations will stop selling vital items, according to a new report from the Alliance for American Manufacturing.
Google Maps is reportedly getting an overhaul that may be shown off at the annual Google I/O conference next week.
gpsd AIS driver Remote Denial of Service Vulnerability
WordPress Gallery Plugin 'filename_1' Parameter Remote Arbitrary File Access Vulnerability
As part of its ongoing restructuring, EMC today announced its latest round of layoffs, which are expected to include 1,004 positions.
Fusion-io President and CEO David Flynn has resigned and will be replaced by Shane Robison, the former CTO of Hewlett-Packard.
Microsoft yesterday took a swipe at long-time partner Adobe for the latter's wholesale shift to rent-not-buy software subscriptions, and along the way seemed to promise it would sell Office as old-school perpetual licenses for the next 10 years.
The anti-virus experts at ESET have found Linux/Cdorked.A on more kinds of servers. The malware redirects web site visitors to dangerous pages that try to exploit security holes to infect the system with malicious code.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software
Cross-Site Request Forgery (CSRF) in UMI.CMS
Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability
Joomla! DJ-Classifieds Extension 'se_regs' Parameter SQL Injection Vulnerability

You may have noticed that earlier today, I removed the flash player that we use to play audio files on our site. The trigger for this was a report that the particular flash player we use (an open source player usually used with Wordpress) is susceptible to cross site scripting [1][2]. Instead of upgrading to the newer (patched) version, we instead decided to remove the player.

The other part of this is that pretty much all current browsers do have reasonable support for HTML 5 audio tags. We do offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which covers all major browsers. We also offer links to the direct files in case someone would like to play the files "offline" and we do offer via RSS feeds various MP3/Podcast players. 

So in short, the flash player wasn't worth maintaining. 

On the other hand, we will try to embrace some of the HTML5 features more as we move the site forward. The data will still be available in pretty much any browser (yup. ... lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still have a couple of flash movies on the site, but we are working on moving them either to YouTube, or using our own (again HTML5 based) solution.

Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us! 

Example exploit string to test your own player: player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} //    (remove spaces, but keep the // at the end)

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[2] http://wordpress.org/extend/plugins/audio-player/
[3] http://rafayhackingarticles.net twitter @rafaybaloch

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
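As an added example that is not part of the diary above, the following log scan flags requests to the audio player's player.swf whose playerID parameter is anything other than a plain identifier, which is the shape of the test string given in the diary. The log lines and the /audio-player/ path are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not real traffic). The second
# line carries a playerID shaped like the XSS test string from the diary, the
# fourth a double-encoded variant; the paths are assumptions for this example.
SAMPLE_LOG = r"""
203.0.113.5 - - [08/May/2013:14:02:11 +0000] "GET /audio-player/player.swf?playerID=audioplayer1 HTTP/1.1" 200 18273 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2013:14:03:40 +0000] "GET /audio-player/player.swf?playerID=\\%22))}catch(e){alert('Your%20cookies%20are%20mine%20now')}// HTTP/1.1" 200 18273 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2013:14:05:02 +0000] "GET /podcast/daily.mp3 HTTP/1.1" 200 5120000 "-" "Mozilla/5.0"
203.0.113.8 - - [08/May/2013:14:06:30 +0000] "GET /audio-player/player.swf?playerID=%2522%29%29%7D HTTP/1.1" 404 512 "-" "curl/7.29"
""".strip()

# Request line inside the combined-format quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate playerID is a short identifier; anything else can reach the
# player's script context and deserves a look.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
SAFE_CHAR = re.compile(r"[A-Za-z0-9_-]")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads are seen as sent."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_player_requests(log_lines):
    """Return (client_ip, decoded playerID, offending characters) for every
    request to player.swf whose playerID is not a plain identifier."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("player.swf"):
            continue
        # keep_blank_values so an empty playerID still shows up in the output
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("playerID", []):
            value = fully_decode(raw)
            if SAFE_ID.fullmatch(value):
                continue
            bad = "".join(sorted({c for c in value if not SAFE_CHAR.fullmatch(c)}))
            findings.append((line.split()[0], value, bad))
    return findings


if __name__ == "__main__":
    for ip, value, bad in suspicious_player_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip}: playerID={value!r} (unexpected characters: {bad})")
```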
The remarkable success that Chinese state-sponsored groups have had in infiltrating U.S. government, military and corporate networks in recent years should not be mistaken as a sign that China is gaining technical superiority over the U.S. in cyberspace, security experts say.
Intel will advance Moore's Law for the foreseeable future, but keeping up with it is becoming more challenging as chip geometries shrink, according to a company executive.
Two U.S. senators will push Congress or President Barack Obama's administration to pursue trade and immigration sanctions against China and other countries that allegedly support cyberattacks on U.S. government agencies and businesses, the lawmakers said Wednesday.
Google has pushed out an update to Glass, its upcoming futuristic, computerized eyeglasses.
Big data may seem to promise big insights to users, but more isn't always better, cautions statistician Nate Silver.
Syria suffered another Internet and mobile communications outage that lasted for about 20 hours. Service was restored earlier today.
Microsoft's head of Windows development on Tuesday came close to promising that the iconic Start button would return to the Windows 8 desktop, but never made a guarantee.
[ MDVSA-2013:162 ] glibc
[ MDVSA-2013:163 ] glibc
A lawsuit against Google's customer service practices in Germany is looming after the company declined to sign a document promising German consumer organizations to start answering customer emails individually.
With so many social media options, how do you pick the best one(s)? IT executives and social media experts share their top six tips for selecting the social media platforms that will provide the greatest return on your investment of time and resources.
JR Raphael compares the image quality from two popular smartphone cameras.
NetSuite is beefing up its cloud-based ERP software's order-processing features by acquiring OrderMotion, a move that could strengthen its appeal to customers in retailing. Terms of the deal, announced Wednesday, were not disclosed.
Having two or more monitors makes it easier for an employee to multitask, but many companies deem multi-monitor workstations too expensive or too difficult to set up. This guide will walk you through common issues, considerations and tips related to deploying multiple monitors.
Google has added a new notification to its Cloud Storage service, allowing applications to automatically take action when new content is uploaded by users.
LinuxSecurity.com: Several security issues were fixed in OpenJDK 6.
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in glibc: Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of [More...]
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in glibc: Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string [More...]
LinuxSecurity.com: Mesa could be made to crash or run programs if it processed specially crafted data.
LinuxSecurity.com: libxml2 could be made to crash or run programs if it opened a specially crafted file.
Taiwan and Hong Kong may be only the beginning of Xiaomi's expansion outside China. The popular Chinese vendor of low-priced handsets is aiming at getting into five more markets next year.
Nokia has posted a video comparing the camera on the Lumia 928 with the Galaxy S III and the iPhone 5, as it gets ready to launch the phone.
The development team behind the popular Nginx open-source Web server software released security updates on Tuesday to address a highly critical vulnerability that could be exploited by remote attackers to execute arbitrary code on susceptible servers.
Gabriela Nunez, Linda Green, Chin-Sun Kim and Ashlee Stiller – these are the alleged names of children whose pictures a new variant of the BKA trojan claims to have found on a computer.

HP 3PAR StoreServe 7400 combines high scalability, high performance, and a big bag of tricks for easing storage management.
The intent of the comprehensive immigration bill's H-1B database is to improve the odds that a U.S. worker will be hired over a foreign one. But its effectiveness may depend on fuzzy terms such as "good faith" hiring, and enforcement. This is where the real legislative battle may be fought.
Schneider Electric Magelis XBT HMI Controller CVE-2013-2762 Remote Security Bypass Vulnerability
Oracle Java SE CVE-2013-2429 Remote Java Runtime Environment Vulnerability
Microsoft has extended a search revenue guarantee agreement with Yahoo for one more year, amid reports that the Internet company is trying to break its 10-year agreement with Microsoft.
A stealthy malicious software program is taking hold in some of the most popular Web servers, and researchers still don't know why.
A bill proposed in the U.S. Senate aims to block imports of products containing U.S. technology stolen online, a move that appears primarily directed at China.

Posted by InfoSec News on May 08


By Dan Goodin
Ars Technica
May 7 2013

Security researchers have uncovered an ongoing and widespread attack
that causes sites running three of the Internet's most popular Web
servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known,
has been observed infecting at...

Posted by InfoSec News on May 08


By Leo Mirani
May 7, 2013

America’s Department of Defense yesterday released its annual report on
China’s military capabilities (pdf). The report includes “electronic
warfare” and “information dominance” as part of a larger campaign it
says is an “essential element, if not a fundamental prerequisite” of

Posted by InfoSec News on May 08


By Brittany Ballenstedt
May 7, 2013

Salaries for federal information security workers are beginning to lag
behind those received by their private sector counterparts, an issue
that could impact agencies that already are facing challenges in
recruiting, hiring and retaining in-demand cyber talent, according to...