Hackin9
Paying rewards to independent security researchers for finding software problems is a vastly better investment than hiring employees to do the same work, according to researchers from the University of California Berkeley.
 
For a cloud storage provider, Dropbox puts on quite a show. On Tuesday it held its inaugural developer conference in San Francisco, and there was plenty of colorful activity to see.
 
Apache CXF CVE-2013-2160 Multiple Remote Denial of Service Vulnerabilities
 
Students at Stanford University unveiled their latest solar-powered car on Tuesday, two weeks before it will be shipped to Australia to take part in the world's premier solar vehicle race.
 
Zoom X4/X5 ADSL Modem and Router -Unauthenticated Remote Root Command Execution
 
Ruby SSL Client Certificate Validation CVE-2013-4073 Security Bypass Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The next robotic rover NASA sends to explore Mars should have a different set of scientific tools to help it search for signs of past life and collect rocks and soil samples that future missions can send back to Earth.
 
AT&T is planning a July 16 announcement to divulge "what's next in wireless," which could be news regarding a rollout of faster LTE-Advanced network technology or other innovations.
 

A security researcher has published working exploit code that allows attackers to surreptitiously turn legitimate apps running on Google's Android mobile operating system into malicious trojans. Around the same time, Google said it released a patch that helps protect users from abuse.

As previously reported, the weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven't been modified by parties other than the trusted developer. Researchers at security startup Bluebox provided high-level details of the vulnerability last week, but omitted technical details most people would need to reproduce the attack. That didn't stop members of CyanogenMod, an alternative Android firmware version, from piecing together the available details into this bug report that identifies the conditions necessary for exploiting the vulnerability. It also incorporates a fix from Google into the CyanogenMod code.

Working from that description, Pau Oliva Fora, senior mobile security engineer at viaForensics, published proof-of-concept code that allows anyone with a moderate level of skill to modify an existing Android app without changing the cryptographic signature that's supposed to certify it hasn't been tampered with. The 32-line exploit demonstrates the ease in exploiting the vulnerability and the consequences the flaw might have for people who install and update apps from third-party sources.

 
A U.S. government board focused on privacy and civil rights should push Congress to rein in the U.S. National Security Agency's mass collection of telephone records and Internet communications, privacy advocates said Tuesday.
 
Of the six critical security bulletins Microsoft issued in its Patch Tuesday monthly release of software updates, three address a vulnerability in how Microsoft software renders fonts.
 
Microsoft today said it would give third-party app developers 180 days to clean up their security act -- and patch serious vulnerabilities -- or the company will yank their software from its online stores.
 

Special Training Offer from SANS vLive for IT Professionals Preparing for the ...
Wall Street Journal (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 
3D television programming may be out before it was ever in, according to industry analysts. In fact, the BBC just cancelled its 3D programming indefinitely.
 
Google on Monday expanded on its strategy to turn any connected device into an ersatz Chromebook by adding access to several services, including Google Wallet, and baked-in hardware, like Bluetooth, to super-apps that run in its Chrome browser.
 
Two astronauts are in the midst of a six-and-a-half-hour spacewalk to prep the International Space Station for the addition of a Russian module to its backbone later this year.
 

Overview of the July 2013 Microsoft patches and their status.

Each bulletin below lists: affected component, description, CVEs, KB (contra indications), known exploits, Microsoft rating(**), and ISC rating(*) for clients and servers.

MS13-052 - .NET & Silverlight
  Description: Multiple vulnerabilities allow privilege escalation and/or remote code execution.
  CVEs: CVE-2013-3129, CVE-2013-3131, CVE-2013-3132, CVE-2013-3133, CVE-2013-3134, CVE-2013-3171, CVE-2013-3178
  KB: 2861561
  Known exploits: Microsoft claims CVE-2013-3131 and CVE-2013-3134 have been publicly disclosed.
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients: Critical, servers: Important

MS13-053 - Kernel mode drivers (KMD)
  Description: Multiple vulnerabilities allow privilege escalation and/or remote code execution.
  CVEs: CVE-2013-1300, CVE-2013-1340, CVE-2013-1345, CVE-2013-3129, CVE-2013-3167, CVE-2013-3172, CVE-2013-3173, CVE-2013-3660
  KB: 2850851
  Known exploits: Microsoft claims CVE-2013-3172 and CVE-2013-3660 have been publicly disclosed. Moreover they claim to be aware of "targeted" attacks exploiting CVE-2013-3660.
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients: PATCH NOW, servers: Important

MS13-054 - GDI+
  Description: A TrueType font parsing issue in the GDI+ library allows remote code execution. This affects a wide selection of software, and extra care should be taken to make sure all instances are patched.
  CVEs: CVE-2013-3129
  KB: 2848295
  Known exploits: No publicly known exploits.
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients: Critical, servers: Important

MS13-055 - MSIE
  Description: A multitude of vulnerabilities are fixed in this month's IE cumulative patch; you want this one. All but one are memory corruption vulnerabilities.
  CVEs: CVE-2013-3115, CVE-2013-3143, CVE-2013-3144, CVE-2013-3145, CVE-2013-3146, CVE-2013-3147, CVE-2013-3148, CVE-2013-3149, CVE-2013-3150, CVE-2013-3151, CVE-2013-3152, CVE-2013-3153, CVE-2013-3161, CVE-2013-3162, CVE-2013-3163, CVE-2013-3164, CVE-2013-3166
  KB: 2846071
  Known exploits: No publicly known exploits.
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients: Critical, servers: Important

MS13-056 - DirectShow
  Description: An input validation problem in how DirectShow handles GIF files allows arbitrary code execution.
  CVEs: CVE-2013-3174
  KB: 2845187
  Known exploits: No publicly known exploits.
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients: Critical, servers: Important

MS13-057 - Media Player
  Description: An input validation problem in Windows Media Format (WMV, Windows Media Player; not to be confused with the infamous WMF format) allows arbitrary code execution.
  CVEs: CVE-2013-3127
  KB: 2847883
  Known exploits: No publicly known exploits.
  Microsoft rating(**): Severity: Critical, Exploitability: 2
  ISC rating(*): clients: Critical, servers: Important

MS13-058 - Windows Defender
  Description: An unquoted path vulnerability (see Mark Baggett's excellent diary on unquoted path issues for more on what this is) in Windows Defender allows privilege escalation to the LocalSystem account.
  CVEs: CVE-2013-3154
  KB: 2847927
  Known exploits: No publicly known exploits.
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients: Important, servers: Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all, because of the large number of ratings Microsoft assigns to some of the patches.

--
Swa Frantzen

 

Adobe released their July 2013 Black Tuesday bulletins:

APSB13-17 - Flash Player
  CVEs: CVE-2013-3344, CVE-2013-3345, CVE-2013-3347
  Adobe rating: Critical

APSB13-18 - Shockwave
  CVEs: CVE-2013-3348
  Adobe rating: Critical

APSB13-19 - ColdFusion
  CVEs: CVE-2013-3349, CVE-2013-3350
  Adobe rating: Critical (v10), Important (v9)

--
Swa Frantzen

 
After leaving his post as CEO of SAP's Business Objects division about three years ago, John Schwarz had a revelation.
 
Starting tomorrow, July 10th, in San Diego, the National Institute of Standards and Technology (NIST) will host the third, and perhaps most important, in a series of workshops aimed at developing a voluntary comprehensive cybersecurity framework that will apply across sixteen critical infrastructure sectors.
 
Reports of an imminent and broad Microsoft business reorganization keep mounting, including an anonymously sourced article from The Wall Street Journal's AllThingsD blog that says CEO Steve Ballmer will unveil the plan on Thursday.
 
RETIRED: Oracle Java Runtime Environment Multiple Unspecified Remote Code Execution Vulnerabilities
 
Re: re: Real player resource exhaustion Vulnerability
 
Samsung's three latest Wi-Fi-ready tablets in the Galaxy Tab 3 portfolio have started popping up at national retailers, continuing Samsung's commitment to offering a diverse product line in the fast-growing tablet market.
 
In a perfect example of miscommunication about a malware infection and impossible demands for assurances, a US government department set about destroying all of its hardware, only stopping when it ran out of budget.

Users from Germany and Hong Kong offered real-world experience in deploying data mapping apps at the Esri International User Conference in San Diego.
 
Sprint today announced that its first Windows Phone 8 smartphone, the HTC 8XT, goes on sale July 19 for $99.99 after rebate and with a two-year service agreement.
 
RealNetworks RealPlayer CVE-2013-3299 Denial of Service Vulnerability
 
SEC Consult SA-20130709-0 :: Denial of service vulnerability in Apache CXF
 
From attracting new customers with online marketing to recruiting employees, business owners, managers and video experts discuss how video can benefit your organizations.
 
An exploit is available for the Android signing hole, which allows an attacker to manipulate the contents of an APK file without disturbing the signature of the archive.

[HITB-Announce] REMINDER: #HITB2013KUL CFP Closes 25th July
 
Even some of the most talented IT professionals have found themselves the victim of a downsizing or reorganization. You can never feel too safe regardless of how stable the environment seems. If you find yourself in your worst-case scenario, these tips will help you work your way out of it.
 
The prospect of downloading data, sending text messages and making calls while travelling in Europe, without incurring huge 'roaming' charges came a step closer on Tuesday when politicians voted in favour of new legislation.
 
Massive open online courses, the result of advances in information-sharing technology, are also ideally suited to the teaching of IT skills.
 
Technical details and a proof-of-concept exploit have been published for a recently announced Android vulnerability that potentially affects millions of devices and allows attackers to turn legitimate apps into Trojan programs.
 
Linux Kernel CVE-2013-2206 NULL Pointer Dereference Denial of Service Vulnerability
 
MongoDB Remote Privilege Escalation Vulnerability
 
After two short trips since the Fourth of July, NASA's Mars rover Curiosity has begun a journey that could take as long as a year to reach the ultimate destination for its mission -- Mount Sharp.
 
Apple on Monday commemorated the fifth anniversary of its App Store launch by starting a free app giveaway that included some of its most popular and praised iOS games.
 

Microsoft set to deliver seven patches and address Windows zeroday
Dark Reading
A special July 4 weekend installment of the links has us thinking about infosec conferences, cross-site tracing (say what?) and a popular guy known as Edward Snowden.Microsoft on Tuesday plans to release seven patches as part of its monthly security ...

 
As the government cuts its own employment, federal agencies are trying to stimulate job creation by making vast amounts of government data freely available.
 
Why are manhole covers round? Why do you ask? Tech managers weigh in on the practice of using brainteasers to screen IT candidates and share their own favorite interview questions.
 
Google Android 'APK' code Remote Security Bypass Vulnerability
 

Posted by InfoSec News on Jul 09

http://www.stuff.co.nz/dominion-post/business/8894905/

By Tom Pullar-Strecker
Technology reporter
Stuff.co.nz
09/07/2013

Digital activist and journalist Quinn Norton says hacker group Anonymous
has survived dozens of arrests in the United States, but there are a "lot
of broken spirits" in the US following the crackdown on the Occupy Wall
Street movement.

Norton, famed for her lucid accounts of Anonymous, including one, Inside...
 

Posted by InfoSec News on Jul 09

http://www.pcpro.co.uk/news/security/382909/olympic-organisers-feared-opening-ceremony-hack-attack

By Shona Ghosh
PCPro.co.uk
8 Jul 2013

The organisers of the London Olympics feared hackers would target the
opening ceremony and knock out the lights.

Olympics security chief Oliver Hoare told the BBC he had been warned
hackers might try and attack the electricity infrastructure underpinning
the games, potentially blacking out the ceremony....
 

Posted by InfoSec News on Jul 09

http://www.washingtonpost.com/world/national-security/report-web-monitoring-devices-made-by-us-firm-blue-coat-detected-in-iran-sudan/2013/07/08/09877ad6-e7cf-11e2-a301-ea5a8116d211_story.html

By Ellen Nakashima
The Washington Post
July 8, 2013

American-made devices used for Internet monitoring have been detected on
government and commercial computer networks in Iran and Sudan, in apparent
violation of U.S. sanctions that ban the sale of...
 

Posted by InfoSec News on Jul 09

http://www.wired.com/threatlevel/2013/07/eas-holes/

By Kim Zetter
Threat Level
Wired.com
07.08.13

Several models of Emergency Alert System decoders, used to break into TV
and radio broadcasts to announce public safety warnings, have
vulnerabilities that would allow hackers to hijack them and deliver fake
messages to the public, according to an announcement by a security firm on
Monday.

The vulnerabilities included a private root SSH key...
 

Posted by InfoSec News on Jul 09

http://www.federalnewsradio.com/241/3382009/EDAs-overreaction-to-cyber-attack-highlights-every-agencys-challenge

By Jason Miller
Federal News Radio
7/8/2013

The Commerce Department's Economic Development Administration spent almost
half of its IT budget last year to remediate a cyber attack that barely
happened.

Commerce's inspector general found in a report released last week a string
of errors and miscommunications led to...
 
ERDAS ER Viewer 'rf_report_error()' Function Stack Buffer Overflow Vulnerability
 
A privacy group has filed legal action against the U.K. government for conducting mass surveillance on citizens across the U.K., including accessing data about people located in the U.K. that is collected and passed on by the U.S. National Security Agency.
 
Citrix has added native video and audio chat to its Podio enterprise social suite to complement the other communication and collaboration features in the product.
 

Seoul to train 5000 infosec pros
Register
The South Korean government is planning to train up 5,000 information security experts to address the growing threat from Pyongyang and a shortage of home-grown talent. The science and technology ministry said that the shortfall of information security ...
