InfoSec News

Passed to the Internet Storm Center from Jim.
Linksys wireless access point(WAP610N) hasan unauthenticated root console issue
Taken from the actual advisory
*** SUMMARY ***



Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.



Unauthenticated remote textual administration console has been found that allow an attacker to run system command as root user.



Full details can be found here: http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
This issue was also posted to the Full Disclosure mailing list http://seclists.org/fulldisclosure/2011/Feb/228

Chris Mohan --- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Hewlett-Packard launched a slick-looking tablet computer on Wednesday based on a new release of its webOS, but the question many are now asking is, has HP done enough to steal some business from Apple's trailblazing iPad?
 
AT&T introduced a mobile calling plan Wednesday that allows unlimited free voice calls to any wireless network in the U.S.
 
Over the years, I have heard some of the leading thinkers in the intelligence and military fields talk about history, as they often do. They turn and gaze back on the fields in which wars were won and lost, and discuss what caused those victories or defeats.
 
The FCC looks for ways to speed up broadband deployment in the U.S.
 
Mobile Active Defense (MAD) Partners promises to make your life dealing with mobile devices easier
 
HP joined the tablet fray in a big way on Wednesday, and launched two new phones -- all tapping HP's updated webOS. Here's a look at them.
 
Cisco beat analyst estimates with its second-quarter earnings, posting revenue of $10.4 billion.
 
A considerable number of Facebook and Google users worry about privacy and malware when using the social networking site and search engine, according to a survey from Gallup Poll and USA Today.
 
As large enterprises search for solutions to get the most out of their outsourcing vendors, many are turning to operational frameworks like ITIL (Information Technology Infrastructure Library) to improve the effectiveness of IT service delivery.
 
Search engine Bing, and even Yahoo, are providing users with more-accurate searches than their rival Google, according to a report out this week.
 
Company takes another step in polishing an image that has been hurt by a lawsuit questioning the contents of its beef products.
 
IBM unwrapped a variety of mobile security initiatives to help corporate customers better protect and manage the mass of intelligent devices coming to their networks.
 
Oracle release a security bulletin yesterday relating to the binary floating point issue when converting2.2250738585072012e-308 to a binary floating-point number. (http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html)
The problem affects both JRE and JDK 6 update 23 and earlier. 4.0 Update 27 and earlier, as well as, yes people still use it, SDK JRE 1.4.2_29.
Applications utilising these versions will be vulnerable to denial of service attacks. Servlet managers such as tomcat and others are likely affected as these often run older versions of java.
No patch available just yet.
- Mark -
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Just to add to the list of patches released: (thanks Frank, Ric, Jack):

APSB11-01Security update available for Shockwave Player
APSB11-02Security update available for Adobe Flash Player
APSB11-03Security updates available for Adobe Reader and Acrobat
APSB11-04Security update: Hotfix available for ColdFusion



Make sure you update these products as well please.
Mark

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A lot of excitement surrounded the Motorola Atrix at the Consumer Electronics show in January. It appeared to be not just another phone, but the cornerstone of a new concept that might deliver the mobility of a smartphone and the superior usability of a laptop in a single product.
 
Picking up where the Palm Pixi left off, the HP Veer is smaller than your average high-end smartphone. But not everybody wants, or needs, a monolithic 4.3-inch phone so it is nice to see HP come up with some alternative form factors.
 
Hewlett-Packard introduced two new webOS phones, the HP Veer and the HP Pre 3. The Veer, targeted more at the everyday consumer, will be available this spring. The Pre 3, designed for professional and entertainment use, will be available this summer.
 
Microsoft today said it will release Windows 7 SP1 to the general public on Feb. 22 via the Windows Update Service.
 
The CRU DataPort ToughTech Duo from WiebeTech puts data redundancy capabilities into a surprisingly sturdy and convenient box. Priced at $669 for 1TB across two 500GB 5400-rpm drives (as of 2/8/2011), the ToughTech Duo uses 2.5-inch portable hard drives and eSATA and FireWire 800 connections to provide speedy data backup.
 
SourceBans Version 1.4.7 XSS
 
TPTI-11-05: Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution Vulnerability
 
TPTI-11-04: Adobe Shockwave GIF Logical Screen Descriptor Parsing Remote Code Execution Vulnerability
 
TPTI-11-03: Adobe Shockwave Font Xtra String Decoding Remote Code Execution Vulnerability
 
With the job market becoming increasingly competitive, security professionals need to find ways to distinguish themselves beyond certifications and technical skills.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
Advanced Micro Devices announced a flurry of moves, including the departure of two senior executives, which analysts said was part of an internal cleanup effort as the company searches for a new CEO.
 
The various cloud markets and services will start making more sense to business buyers in 2011, according to a new Forrester report, with the midmarket embracing public clouds and enterprises sticking with virtualization as a prelude to private clouds. Here are three significant ways cloud adoption will shift this year.
 
Microsoft has released an optional update for Windows XP and Vista that promises to prevent AutoRun-based attacks like those used by the Conficker and Stuxnet worms.
 
HP rolled out its debut entrant into the red-hot tablet market, the TouchPad, as well as two new smartphones -- all running a new version of the webOS acquired last year with Palm.
 
Cost-saving technologies remain a priority for IT in 2011 and virtual desktop infrastructure (VDI), with its ability to streamline operations, is one of the technologies at the top of the list.
 
RE: Microsoft Terminal Services vulnerable to MITM-attacks.
 
Re: Microsoft Terminal Services vulnerable to MITM-attacks.
 
Adobe Flash Player CVE-2011-0559 Remote Memory Corruption Vulnerability
 
PHP GD Extension 'imagepstext()' Function Stack Buffer Overflow Vulnerability
 
PHP Zend Engine (CVE-2010-4697) Use-after-free Heap Corruption Vulnerability
 
The late Douglas Adams stated, "Writing is easy. You only need to stare at a piece of blank paper until your forehead bleeds." Ravenshead Software's WriteItNow ($60, free demo) aims to make the bleeding process easier and to help authors through every stage of the process, from "What shall I name my lead character?" to "Where should I send this for publication?" The numerous specialized features for authors helps answer the question, "Why use WriteItNow, and not a general outlining/text tool like TreePad Plus?"
 
Satya Nadella will succeed Bob Muglia to head Microsoft's Server and Tools Business.
 
Adobe Flash Player CVE-2011-0558 Remote Integer Overflow Vulnerability
 
ZDI-11-079: Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability
 
ZDI-11-078: Adobe Shockwave Player FFFFFF88 Record Count Element Remote Code Execution Vulnerability
 
Linux Kernel CIFS 'CIFSSMBWrite()' Remote Denial of Service Vulnerability
 
Adobe addressed more than a dozen vulnerabilities in Flash Player and more than two dozen holes in Adobe Reader and Acrobat.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
One of the risks of deploying Internet-scale infrastructure and applications is that, until they are put to the test, you can't have 100% confidence that they will scale as expected. Applications and infrastructure that perform well - and correctly - at nominal scale may begin to act wonky as load increases.
 
The government's all-encompassing digital federal records keeping system is costing a lot more - perhaps as high as 41% more -- than originally planned and could top $1.4 billion if estimates from the Government Accountability Office are correct.
 
Adobe issued patches for 42 vulnerabilities, many rated critical, in its popular Reader and Flash products.
 
Oracle Java Floating-Point Value Denial of Service Vulnerability
 
RETIRED:Coppermine Photo Gallery 'picmgmt.inc.php' Multiple Remote Command Execution Vulnerabilities
 
ZDI-11-073: Adobe Reader ICC Parsing Remote Code Execution Vulnerability
 
ZDI-11-072: Adobe Reader BMP ColorData Remote Code Execution Vulnerability
 
[ MDVSA-2011:024 ] krb5
 
[HITB-Announce] HITB Magazine Issue 005 Released
 
ZDI-11-068: Adobe Acrobat Reader U3D Texture bmp RLE Decompression Remote Code Execution Vulnerability
 
ZDI-11-067: Adobe Acrobat Reader U3D Texture rgba RLE Decompression Remote Code Execution Vulnerability
 
Nokia CEO Stephen Elop compared the company's situation to standing on a burning oil platform in the North Sea. Nokia must decide how it is going to change its behavior, or perish in the flames as its platform burns, Elop wrote in a memo to employees.
 
The PCI Security Standards Council has announced that the nomination period for election to the 2011-2013 PCI SSC Board of Advisors is now open.
 
Cross-document messaging, WebSockets, and other HTML5 APIs bolster website and browser interactivity to create a faster, richer Web
 
Nokia CEO Stephen Elop has compared the company's current situation to standing on a burning oil platform in the North Sea. Nokia must decide how it is going to change its behavior, or perish in the flames as its platform burns, Elop wrote in a memo to employees.
 
Oracle has issued an emergency patch for a Java vulnerability that can cause systems to hang and that can be exploited by remote attackers without authentication.
 
Android became the second most popular smartphone OS in 2010 amid reports that market leader Nokia may abandon its flagship Symbian operating system.
 
WordPress Prior to 3.0.5 Multiple Security Vulnerabilities
 
An increasing number of foreign students seeking doctorates at U.S. universities likely explains President Obama's push to keep them in the country after graduating.
 
Taiwan's top computer makers such as Acer and Asustek expect dips in first-quarter shipments as they stop early sales of units containing potentially flawed chipsets recalled by Intel.
 
Adobe Flash Player CVE-2011-0578 Remote Memory Corruption Vulnerability
 
Adobe Shockwave Player APSB11-01 Multiple Remote Vulnerabilities
 

Posted by InfoSec News on Feb 08

http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/229206169/tracking-the-botnet-s-dns-trail.html

By Kelly Jackson Higgins
Darkreading
Feb 08, 2011

A researcher is looking at mapping trends in Domain Name System (DNS)
queries to better pinpoint stealthy botnet activity and ultimately the
botnet's command and control (C&C) infrastructure.

Zhi-Li Zhang, a professor at the University of Minnesota, is looking at...
 

Posted by InfoSec News on Feb 08

http://www.eweek.com/c/a/Security/Nasdaq-Hackers-After-Sensitive-Inside-Information-Not-Trading-System-490573/

By Fahmida Y. Rashid
eWEEK.com
2011-02-08

The attackers who “repeatedly” breached Nasdaq OMX systems over the past
year were most likely stealing insider information to use for financial
trades, according to a security expert.

Nasdaq OMX confirmed Feb. 5 that its systems had been breached by
hackers and malware had been found...
 

Posted by InfoSec News on Feb 08

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

On behalf of the 2nd USENIX Workshop on Health Security and Privacy
(HealthSec '11) program committee, we invite you to submit innovative
papers covering all aspects of healthcare information security and
privacy.

The focus of HealthSec '11 is the exploration of security and privacy
issues that arise from the exploding quantity of digital personal health
information, in both...
 

Posted by InfoSec News on Feb 08

http://www.ynetnews.com/articles/0,7340,L-4025751,00.html

By Boaz Fyler
YNews News
02.08.11

IDF Spokesman Avi Benayahu said Tuesday that the army is currently in
the process of enlisting "new media fighters".

Benayahu told a panel on the subject of "the digital medium as strategic
weapon" that the army was searching for "little hackers who were born
and raised online".

"We screen them with special care...
 
Adobe Acrobat and Reader CVE-2011-0590 3D File Parsing Remote Code Execution Vulnerability
 


Internet Storm Center Infocon Status