Hackin9

InfoSec News

A group of Chinese writers has filed a lawsuit against Apple, alleging that the company's App Store sells pirated versions of the authors' works.
 
The U.S.-China Economic and Security Review Commission (USCC) has asked for an investigation after hackers posted online a memo purportedly from India's military, which claimed that the country had intercepted emails of USCC officials with the help of Nokia, Research In Motion, and Apple.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Samsung Electronics announced a host of new gadgets at the International Consumer Electronics Show on Monday, including smart TVs with face recognition, plus voice and gesture control, and a super-thin ultrabook laptop with a DVD drive.
 
Lenovo got in on the ultrabook excitement before CES even officially opened, unveiling the IdeaPad Yoga as well as a cloud service and a new desktop PC with a touchscreen.
 
Nokia on Monday unveiled the Lumia 900, its first 4G LTE smartphone, which will run over the AT&T network.
 
Acer takes a page from Apple's playbook--well, more like a slide or two from its presentation deck--while Microsoft's hyperbole engines are still firing on all cylinders. And CES becomes the place to launch your products off a short pier. The remainders for Monday, January 9, 2012 have their ups and downs--but mostly downs.
 
See all the great content from our print magazine. You can browse through articles or search for specific stories and topics (free registration required).
 
From slender smartphones to coffee-table-sized touch screens, all the hot tech products from the Consumer Electronics Show in Las Vegas.
 
A new tablet from Vizio will come with Intel's upcoming Atom chip, code-named Medfield, and will run Google's Android operating system, a source with knowledge of the product plans said.
 
AT&T said it will unveil five Android smartphones and one tablet, the Pantech Element, on its 4G LTE network sometime early in the year.
 
Samsung and Verizon Wireless announced the Galaxy Tab 7.7 at CES to run on the carrier's 4G LTE network.
 
In the spirit of openness and with a willingness to have his cloud prognostication grades displayed in public, CIO.com's Bernard Golden scores--and comments on--his predictions for 2011.
 
Most interesting products announced at the Consumer Electronics Show in Las Vegas.
 
Sprint Nextel's first three devices for its coming LTE network will be the Samsung Galaxy Nexus and LG Viper smartphones and a Sierra Wireless hotspot that will use Sprint's 3G and WiMax networks as well as LTE, the carrier announced in advance of the Consumer Electronics Show.
 
A Facebook spokesperson said the malware is not propagating on the social network.

 
With a glut of 'ultrabook' announcements slated at this week's CES, Apple watchers have one question: How will the Cupertino, Calif. company respond?
 
Intel is taking on the burgeoning tablet market by working on hybrid ultrabooks that look and act like both laptops and tablets.
 
The increasing integration of networks to physical devices is bringing new companies, such as LiftMaster, to the Consumer Electronics Show.
 
HTC announced the Titan II smartphone at CES on Monday, making it the first Windows Phone on AT&T's fast 4G LTE network.
 
3M today is demonstrating a 46-inch coffee-table-like multi-touch display at the Consumer Electronics Conference.
 
Re: [SE-2011-01] Security vulnerabilities in a digital satellite TV platform
 
[SECURITY] [DSA 2384-1] cacti security update
 
DDIVRT-2011-37 HP JetDirect Device Page Directory Traversal (CVE-2011-4785)
 

If you have not yet patched vulnerability MS11-100, you might want to do it ASAP, because the DoS PoC exploit for this vulnerability was published two days ago.

More information about the vulnerability and patches at http://technet.microsoft.com/en-us/security/bulletin/ms11-100
Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org

 
At about 6.8 millimeters thick, Huawei Technologies' Android 4.0-based Ascend P1 S is the thinnest smartphone yet introduced, the company said on Monday.
 
LG Electronics today unveiled its latest smartphone, highlighting its ability to stream sports.
 
Intel today showed off a prototype of an ultrabook with a transparent touch screen. The device, unveiled at CES, can be used as either a notebook or tablet.
 
Demand for the iPhone 4S among U.S. consumers remains "incredibly strong," ChangeWave Research said today as it cited a late December survey of smartphone buying plans.
 
The PC is not likely to be challenged by the tablet or the smartphone, and many users of the Internet on these devices will turn to the PC for a better experience, Michael Dell said in Bangalore on Monday.
 
WordPress Adminimize Plugin 'page' Parameter Cross Site Scripting Vulnerability
 
Torque Munge Authentication Bypass Vulnerability
 

One of the major security concerns for a public utility is securing the SCADA systems for energy, gas and water supply. Manufacturers have responded slowly to this challenge, and we can see traffic assurance deployments from vendors like HP, with its TippingPoint IPS, and Fortinet. The difficulty with these solutions is that their cost is quite remarkable and some of them do not have enough functionality.

Fortunately, the Sourcefire guys began to include support for SCADA protocols within Snort from version 2.9.2, starting with the electrical substation protocols DNP3 and Modbus.
Check out one of my previous SCADA diaries for basic definitions. I ran some tests myself with this functionality and found the following checks very useful for increasing the number of valuable alerts within the SCADA network:

Check for broadcast messages: The DNP3 protocol talks to each device within the system and performs specific functions on it. Broadcast messages can be dangerous, especially if they carry a turn-off command to all the Remote Terminal Units (RTUs), each of which controls its own energy substation. You can check this with the following Snort rule:

alert tcp any 20000 -> any any (msg:"All RTU being contacted using DNP3";)



Check for write or delete operations not being sent by the master station: We definitely don't want someone else to write to or delete from the RTU on behalf of the official Human-Machine Interface (HMI). The following Snort rule can be used to check this behavior, assuming that the HMI IP address is 1.1.1.1:

alert tcp !1.1.1.1 any -> any any (msg:"Someone trying to write or delete to RTU";)



Check for save configuration commands not being sent by the master station: If someone writes to the RTU and then tries to save the configuration on behalf of the official HMI, they could already have control of the RTU devices and make sure we can no longer send commands to them. The following Snort rule can be used to check this behavior, assuming that the HMI IP address is 1.1.1.1:

alert tcp !1.1.1.1 any -> any any (msg:"Someone trying to save the configuration of a RTU device";)



Check for stop application commands not being sent by the master station: This is very dangerous if sent as a broadcast to all RTUs. The following Snort rule can be used to check this behavior, assuming that the HMI IP address is 1.1.1.1:

alert tcp !1.1.1.1 any -> any any (msg:"Someone trying to stop applications on an RTU device";)
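The four checks above depend on two DNP3 fields, the link-layer destination address and the application-layer function code, combined with the sender's IP address. The Python code below is an added example, not code from the diary or from Snort; it decodes those fields from a TCP payload and applies the same logic. The frames are constructed samples, CRC fields are not verified, and 1.1.1.1 is the HMI address the diary assumes.

```python
import struct

# Assumptions (not from the diary): payloads come from DNP3-over-TCP traffic
# (port 20000), each holds one link frame, and CRC fields are not verified.
HMI_IP = "1.1.1.1"                      # master station address assumed in the diary
BROADCAST = {0xFFFD, 0xFFFE, 0xFFFF}    # DNP3 broadcast destination addresses
WATCHED = {0x02: "write", 0x12: "stop_appl",
           0x13: "save_config", 0x1B: "delete_file"}

def check_frame(src_ip, payload):
    """Return alert strings for one TCP payload carrying a DNP3 link frame."""
    alerts = []
    if len(payload) < 13 or payload[:2] != b"\x05\x64":
        return alerts                   # no DNP3 start bytes or no application header
    _length, _ctrl, dst, _src = struct.unpack_from("<BBHH", payload, 2)
    transport, func = payload[10], payload[12]
    if not transport & 0x40:            # FIR clear: continuation segment, no app header
        return alerts
    name = WATCHED.get(func)
    if dst in BROADCAST:
        alerts.append("broadcast to all RTUs" + (f" ({name})" if name else ""))
    if name and src_ip != HMI_IP:
        alerts.append(f"{name} from non-master {src_ip}")
    return alerts

def build_frame(dst, src, func):
    """Constructed sample request: link header, dummy CRC, transport, app header."""
    user = bytes([0xC0, 0xC0, func])    # transport FIR|FIN, app control FIR|FIN, function
    header = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(user), 0xC4, dst, src)
    return header + b"\x00\x00" + user + b"\x00\x00"

if __name__ == "__main__":
    samples = [("1.1.1.1", build_frame(10, 1, 0x01)),       # read from the master
               ("10.0.0.5", build_frame(10, 1, 0x02)),      # write from another host
               ("1.1.1.1", build_frame(0xFFFF, 1, 0x12)),   # broadcast stop_appl
               ("10.0.0.5", build_frame(0xFFFF, 1, 0x13))]  # broadcast save_config
    for ip, data in samples:
        print(ip, check_frame(ip, data))
```
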



I have a couple of special wishlist items for the Sourcefire guys to include in the next versions: IEC 60870-5 and Bristol Standard Asynchronous Protocol (BSAP), used in water supply SCADA systems.
Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org
 
Sortable chart of the most interesting products announced at the Consumer Electronics Show in Las Vegas.
 
Lenovo unveiled at CES the IdeaTab S2 10, a 10-in. tablet that weighs just 1.1 pounds, and its latest S2 smartphone.
 
[security bulletin] HPSBPI02733 SSRT100646 rev.1 - Certain HP LaserJet Printers, Remote Unauthorized Access to Files
 
Lenovo and Acer are following Apple, Google and Microsoft into the cloud with services that make your music, videos, photos, and documents available instantly across all your devices.
 
Google last week patched Chrome 16 and improved the download warnings in the impending Chrome 17.
 
[ GLSA 201201-03 ] Chromium, V8: Multiple vulnerabilities
 
[SECURITY] [DSA 2382-1] ecryptfs-utils security update
 
[security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
 
[SECURITY] [DSA 2383-1] super security update
 
A top Israeli official said Saturday that cyber attacks are similar to terrorism and merit the same response, just a few days after tens of thousands of credit card numbers were released by a hacker going by the name "oxOmar."
 
Semiconductor company MediaTek has introduced a system-on-a-chip that will be used to power wireless routers based on the 802.11ac wireless networking standard, which promises gigabit speeds.
 
Zhc (Z Company Hacking Crew), THA (TheHackerArmy) and a bunch of other hackers have struck out at a bunch of websites that have some importance. In the website defacements, the background is a pink Anonymous logo on a black background (as seen above). The message that has been left all over these websites is fairly [...]


 
InfoWorld's Test Center unveils the 2012 Technology of the Year Awards
 
By all accounts the economy is stronger now than it was 12 months ago, but it is also clear that companies are still moving cautiously, and for the bulk of IT that means continuing to do more with what you have, which is at least better than doing more with less.
 
IBM, Hewlett-Packard and Microsoft led the list of companies that failed to patch vulnerabilities after being notified by the world's largest bug-bounty program, according to the TippingPoint Zero-Day Initiative.
 
Forget artificial intelligence; researchers at MIT say they've figured out how to mimic the way a real brain works.
 
Now that the company is finally making good server and desktop operating systems, we're moving to the cloud, smartphones and tablets.
 
A virtual desktop infrastructure will be the security key to reaching the CIO's goal of allowing personal devices on the corporate network.
 
The explosive growth in smartphone usage and the growing adoption of tablets means that a mobile communication strategy -- or the lack of one -- could make or break a candidate in this year's presidential election. (Insider, registration required.)
 
Meat suppliers can track a single pig all the way from live animal to pork chop, thanks to new technology from IBM that may limit or prevent disease outbreaks.
 
In a bid to save money or redirect funds to product development, Seagate and Western Digital are cutting hard drive warranties -- in some cases from five years to one.
 
Kaiser Permanente's 'CIO Challenge' pumps up IT morale while promoting healthier lifestyles.
 
After more than two years of work, the city of Los Angeles has abandoned its effort to migrate its police operations to Google's hosted email and office application platform because it says the service cannot meet FBI security requirements. Insider (registration required)
 
If you decide to pump up your resume with mastery of a scripting language, be sure you choose one that employers really want.
 
Super CVE-2011-2776 Remote Buffer Overflow Vulnerability
 
Gibbs reviews last year's predictions and sees that the end could be nigh ...
 
We've had gesture control with Microsoft Kinect. Now get ready for gaze control. Swedish firm Tobii is at the Consumer Electronics Show this week to promote the use of its eye tracking technology in PCs and tablets, though it could be a couple of years before it's ready for mainstream use.
 

Posted by InfoSec News on Jan 09

http://www.jpost.com/NationalNews/Article.aspx?id=252636

By JPOST.COM STAFF AND YAAKOV LAPPIN
jpost.com
01/08/2012

Hacker responds to reports that Amir Fedida uncovered his identity,
dismissing them as "another Israeli failure"; blogger claims hacker made
mistakes enabling him to trace him; file spread containing Trojan horse.

The hacker who published tens of thousands of Israeli credit card
numbers denied reports that an Israeli...
 

Posted by InfoSec News on Jan 09

Forwarded from: Edward Talbot <edward.talbot >

The Proceedings of the Workshop will be published in a major academic digital
library.

The Workshop URL is: http://www.cert.org/laser-workshop/

-=-

LASER 2012 -- Learning from Authoritative Security Experiment Results

The goal of this workshop is to provide an outlet for publication of unexpected
research results in security -- to encourage people to share not only what
works, but also...
 

Posted by InfoSec News on Jan 09

http://www.guardian.co.uk/technology/2012/jan/08/hackers-expose-defence-intelligence-officials

By Ed Pilkington in New York and Richard Norton-Taylor
guardian.co.uk
8 January 2012

Thousands of British email addresses and encrypted passwords, including
those of defence, intelligence and police officials as well as
politicians and Nato advisers, have been revealed on the internet
following a security breach by hackers.

Among the huge database...
 

Posted by InfoSec News on Jan 08

http://blogs.computerworld.com/19531/hacked_memo_leaked_apple_nokia_rim_supply_backdoors_for_govt_intercept

By Darlene Storm
Security Is Sexy
Computerworld.com
January 8, 2012

Previously a group of Indian hackers called The Lords of Dharmaraja had
posted documents that were pillaged during the hack of an Indian
military network. That Pastebin post was removed, but can be viewed via
Google cache.

More of the story continues to be unveiled...
 

Posted by InfoSec News on Jan 08

http://gcn.com/articles/2012/01/05/disa-okays-secure-andriod-mobile-system-for-dod.aspx

By Henry Kenyon
GCN.com
Jan 05, 2012

The Defense Information Systems Agency has certified a secure
Android-based mobile system for use by Defense Department agencies. The
system allows DOD personnel to sign, encrypt and decrypt e-mail, and
securely access data from a smart phone or tablet computer.

Developed by Good Technology for use on DOD-approved...
 
In what appears to be another new operation, Anonymous hackers have been targeting Insecure WoW, a World of Warcraft website, to expose its false advertising that it is "secure" under the McAfee flag, when in fact it is not secure at all.


 