Hackin9
Cisco Systems' point man on the Internet of Things (IoT) has resigned just as industries start to explore how millions of sensors and devices can be connected over networks.
 
More than four weeks after the disclosure of the so-called Heartbleed bug found in a widely used cryptography package, slightly more or slightly less than half the systems affected by the catastrophic flaw remain vulnerable, according to two recently released estimates.

A scan performed last month by Errata Security CEO Rob Graham found 615,268 servers that indicated they were vulnerable to attacks that could steal passwords, other types of login credentials, and even the extremely sensitive private encryption keys that allow attackers to impersonate websites or monitor encrypted traffic. On Thursday, the number stood at 318,239. Graham said his scans counted only servers running vulnerable versions of the OpenSSL crypto library that enabled the "Heartbeat" feature where the critical flaw resides.

A separate scan using slightly different metrics arrived at an estimate that slightly less than half of the servers believed to be vulnerable in the days immediately following the Heartbleed disclosure remain susceptible. Using a tool the researcher yngve called TLS Prober, he found that 5.36 percent of all servers were vulnerable to Heartbleed as of April 11, four days after Heartbleed came to light. In a blog post published Wednesday, he said 2.33 percent of servers remained vulnerable. It's important to remember the results don't include the number of Heartbleed-vulnerable servers providing services such as virtual private networks or e-mail.


 
Apple is in talks to buy headphones maker Beats Electronics for US$3.2 billion, in what would be its largest-ever acquisition, according to reports Thursday.
 
Cisco TelePresence TC and TE Software Multiple Security Vulnerabilities
 
Apple iOS 'MobileMail.app' Local Information Disclosure Vulnerability
 
After almost two decades of trailing the market leader, Microsoft's Web server software is coming close to rivaling the dominance of the Apache Web server, according to the latest Netcraft survey of Internet infrastructure.
 
The U.S. Federal Communications Commission should delay its scheduled May 15 vote on a new net neutrality proposal because of public outcry that the rules aren't strong enough, a commissioner said.
 
An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian Hospital and Columbia University Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services.
 
For gamers and desktop users looking to shift to the new DDR4 memory as quickly as possible, the wait will end in the third quarter this year.
 
Microsoft will issue eight security updates to customers next week that will include fixes for Internet Explorer, Windows, Office and SharePoint.
 
Microsoft Internet Explorer CVE-2014-1763 Use-After-Free Remote Code Execution Vulnerability
 
After encountering problems last year selling its newest smartphones, BlackBerry has shifted to a stronger focus on the enterprise, especially through distribution of its BlackBerry Enterprise Service 10 mobility management client software.
 
J.D. Power and Associates has given its top ranking in tablet satisfaction to Apple, six months after it gave the honor to Samsung and broke Apple's winning streak.
 
One day after the U.S. House of Representatives voted unanimously to end the National Security Agency's bulk collection of U.S. phone records, a second committee has approved the same bill.
 
 

Steganography is the ancient practice of stashing secret text, images, or messages inside a different text, image, or message. It dates back to as early as the fifth century BC, when Spartan King Demaratus removed the wax from a writing tablet and wrote a message hidden on the wood underneath warning of an imminent invasion by Xerxes. Steganography was a common technique used by German spies in both World Wars. More recently, it has been used to conceal highly advanced espionage malware inside image files and stash secret al-Qaeda documents inside pornographic images.

Now steganography is going mainstream with a service that embeds hidden messages inside more or less ordinary Twitter messages. Users need only type the text they want others to see in one field and the hidden message in a separate field. The service, created by New Zealand-based developer Matthew Holloway, then spits out a tweetable message that fuses the two together in a way that's not noticeable to the human eye. Take the following tweet:


 
Python Imaging Library Multiple Insecure Temporary File Creation Vulnerabilities
 
ModSecurity 'modsecurity.c' Security Bypass Vulnerability
 
Chip maker Marvell Technology has been ordered to pay Carnegie Mellon University $1.54 billion for infringing on two hard drive chip patents the school applied for in 1997.
 
Japanese operator NTT DoCoMo has joined forces with six vendors to conduct experimental trials of emerging 5G technologies, hoping to lay the groundwork for mobile networks that offer data transmissions at more than 10Gbps.
 
Oracle and Comcast are locked in a legal tussle related to Oracle's intellectual-property lawsuit against Solaris OS support providers Terix and Maintech.
 
Cobbler 'Kickstart' Value Local File Include Vulnerability
 
OpenSSL 'so_ssl3_write()' Function NULL Pointer Dereference Denial of Service Vulnerability
 
[SECURITY] [DSA 2925-1] rxvt-unicode security update
 

Smaller cities look to compete in a growing InfoSec job market
CSO
Perhaps their story offers some foreshadowing, at least as far as the future of InfoSec in Indiana is concerned. "Attracting high-tech companies and employees to Indy is critical to our city's future," said Indianapolis Mayor Greg Ballard in a statement.

 
Long-time Apple columnist Ryan Faas got his hands on a Lumia 520 running Windows 8.1 and liked what he found.
 
Directory Traversal Vulnerability in VMTurbo Operations Manager 4.5 or earlier
 
Digital workspace delivery technologies can give users more individualized tools that will make them more efficient in their particular tasks. (Insider; registration required)
 
Users looking for IdeaPad laptops with 4K screens, some of the earliest laptops of their kind, are going to have to wait longer because they just shipped -- only, without 4K displays.
 
[ MDVSA-2014:081 ] apache-mod_security
 
[ MDVSA-2014:080 ] openssl
 
Fish-shell '/tmp/fishd.socket.user' Local Privilege Escalation Vulnerability
 
[ MDVSA-2014:083 ] mediawiki
 
[ MDVSA-2014:082 ] python-imaging
 
Small business digital marketing pros share their top picks regarding the best ways for businesses with big plans but small budgets to market their products or services.
 
Rocked recently by reports that it has delayed its IPO, Box has rebounded with a major customer win, snapping up General Electric, which plans to roll out the cloud storage and file sharing service to its 300,000 employees worldwide.
 
SAP BusinessObjects Unspecified Cross Site Scripting Vulnerability
 
vBulletin Multiple Cross Site Scripting Vulnerabilities
 
SAP Solution Manager Background Processing Security Bypass Vulnerability
 
SAP NetWeaver Portal WD Information Disclosure Vulnerability
 
 
If you love hearing yourself talk, Adobe wants to put your voice center stage with a new video app.
 
We spoke with industry experts to get the advice that will help you craft better answers to what are some of the most common, and difficult, interview questions.
 
Samsung has appointed a new head of its design team less than a month after the Galaxy S5 went on sale, a change that hints the company has finally taken years of negative feedback to heart.
 
djbdns Long Messages Denial of Service Vulnerability
 
Japan is putting its strict firearms-control laws up against the latest in digital manufacturing with the arrest of a man who allegedly made 3D-printed guns.
 
[RT-SA-2014-003] Metadata Information Disclosure in OrbiTeam BSCW
 
SEC Consult SA-20140508-0 :: Multiple critical vulnerabilities in AVG Remote Administration
 
Cisco Adaptive Security Appliance CVE-2014-2181 Information Disclosure Vulnerability
 
EMC may be in the market for security and data analytics acquisitions as it builds out what it calls a federation of businesses among VMware, RSA Security, Pivotal and the company's traditional storage operations.
 
Asus may launch its first wearable device in this year's third quarter in line with its growing reliance on devices like smartphones and tablets to drive sales.
 
The U.S. Securities and Exchange Commission issued a lengthy warning to investors about risks it sees in bitcoin and virtual currencies.
 
Google has snapped up startup Stackdriver that offers a service for developers to monitor apps and services on the cloud.
 
News, email and photo-sharing are some of the most popular services on the Web. Marissa Mayer knows that, and they're some of the reasons she thinks you should try Yahoo.
 
More than 100 online companies, including Google, Amazon and Facebook, have signed a letter to the U.S. Federal Communications Commission warning of "grave consequences" if it fails to protect the openness of the Internet.
 
Hewlett-Packard hopes its focus on private clouds -- and its investment of muscle and money in the technology -- can convince enterprise IT executives that it can provide a secure way to enter the fray.
 
Yahoo's News Digest application is now available on Android, with an international and a Canadian edition also added.
 

Posted by InfoSec News on May 08

http://www.rawstory.com/rs/2014/05/07/report-texas-police-arrest-man-linked-to-target-data-breach/

By Reuters
May 7, 2014

SAN FRANCISCO (Reuters) – Texas police have arrested a man named Guo Xing
Chen they say is linked to the devastating data breach at No. 3 U.S.
retail chain Target Corp last year, USA Today cited a state criminal
complaint as saying on Wednesday.

“It is also believed Chen is involved in a large-scale credit breach...
 
Wireshark CVE-2013-4083 Denial of Service Vulnerability
 

Posted by InfoSec News on May 08

http://www.theregister.co.uk/2014/05/07/4chan_bounty/

By Darren Pauli
The Register
7 May 2014

Internet armpit 4chan now has a bug bounty – although with just $20 in
"self-serve ad spend" on the website or an annual membership up for grabs,
it's not particularly bountiful.

The bounty programme was launched after the image-board website and a
drawing website, both founded by Chris "moot" Poole, were compromised by...
 

Posted by InfoSec News on May 08

http://www.darkreading.com/threat-intelligence/why-threat-intelligence-is-like-teenage-sex/a/d-id/1235049

By Nick Selby
Commentary
Dark Reading
5/7/2014

Whatever the official theme of the 2014 RSA Conference was, any one
attendee will tell you the unofficial theme -- the message on every banner
in the place, it seemed -- was “Threat Intelligence.” But threat
intelligence, as it was put to me by Eric Olson of Cyveillance, is a lot
like...
 

Posted by InfoSec News on May 08

http://www.computerworld.com/s/article/9248166/Malware_infections_tripled_in_late_2013_Microsoft_finds

By Jeremy Kirk
IDG News Service
May 7, 2014

A three-fold increase in Microsoft Windows computers infected with
malicious software in late 2013 came from an application that was for some
time classified as harmless by security companies.

The finding comes as part of Microsoft's latest biannual Security
Intelligence Report (SIR),...
 

Posted by InfoSec News on May 08

http://www.itpro.co.uk/data-leakage/22202/orange-confirms-details-of-13-million-customers-were-stolen

By Caroline Donnelly
ITPro.co.uk
8 May, 2014

Orange has warned people to be on their guard against phishing attacks
after the personal details of 1.3 million of its customers were stolen by
the hackers.

The French telecommunications group has confirmed the breach resulted in
the victims’ names, telephone numbers, birth dates and email...
 
Cisco Broadband Access Center Telco Wireless Software Cross Site Scripting Vulnerability
 
Cisco Broadband Access Center Telco Wireless Cross Site Request Forgery Vulnerability
 