People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo and possibly an unlimited number of other Internet properties.

A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that IE and many other Windows apps rely on to process the TLS certificates that banks, e-mail providers, and other online services use to encrypt traffic and prove their authenticity. (Firefox, Thunderbird, and Chrome on Windows aren't at risk. More about that later in this post.)

Unknown scope

In an update posted Wednesday, Langley said the CCA confirmed that the bogus certificates were the result of a compromise of NIC's certificate issuance process. The CCA reportedly said only four certificates were compromised. In a sign the CCA's findings aren't reliable, or at least are only tentative, Langley went on to say Google researchers are aware of still more counterfeit credentials stemming from the NIC breach.
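The excerpt above stops short of explaining why Chrome was unaffected. The following is an added example, not code from Langley's post or from any browser: it builds a toy PKI (all names are constructed) in which a compromised sub-CA that chains to a trusted root issues a certificate for www.google.com. Ordinary path validation accepts that certificate, exactly as the Microsoft root store would accept the NIC-issued ones. A client that additionally pins the SPKI hash of the expected issuer, the technique Chrome applies to Google properties, rejects it while still accepting the legitimately issued certificate. It uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial number for the toy PKI below

// issue creates an ECDSA P-256 certificate for cn signed by parent; when parent is nil the
// certificate is self-signed (a root). CA certificates get the cert-signing key usage, leaves
// get the TLS server-auth EKU so that x509.Verify accepts them for a hostname check.
func issue(cn string, isCA bool, dnsNames []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin returns the HPKP-style pin for a certificate: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainPinned reports whether any certificate in a validated chain carries a pinned key.
func ChainPinned(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// Check runs ordinary path validation for host, then the pin check over every chain found.
// A root-store-only client stops at chainOK; a pinning client also requires pinOK.
func Check(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) (chainOK, pinOK bool) {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	if err != nil {
		return false, false
	}
	for _, ch := range chains {
		if ChainPinned(ch, pins) {
			return true, true
		}
	}
	return true, false
}

// Scenario builds the constructed PKI: one trusted root, the legitimate intermediate for the
// site, and a compromised intermediate that also chains to the root. Only the legitimate
// intermediate's key is pinned.
func Scenario() (rogueChainOK, roguePinned, legitChainOK, legitPinned bool) {
	root, rootKey := issue("Toy Root Store CA", true, nil, nil, nil)
	legitCA, legitKey := issue("Toy Google Intermediate CA", true, nil, root, rootKey)
	rogueCA, rogueKey := issue("Toy Compromised Sub-CA", true, nil, root, rootKey)
	host := "www.google.com"
	legitLeaf, _ := issue(host, false, []string{host}, legitCA, legitKey)
	rogueLeaf, _ := issue(host, false, []string{host}, rogueCA, rogueKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	pins := map[string]bool{SPKIPin(legitCA): true}

	rogueChainOK, roguePinned = Check(rogueLeaf, []*x509.Certificate{rogueCA}, roots, host, pins)
	legitChainOK, legitPinned = Check(legitLeaf, []*x509.Certificate{legitCA}, roots, host, pins)
	return
}

func main() {
	rc, rp, lc, lp := Scenario()
	fmt.Printf("rogue leaf:  chain valid=%v pinned=%v\n", rc, rp)
	fmt.Printf("legit leaf:  chain valid=%v pinned=%v\n", lc, lp)
}
```

The point to take from the run: the rogue leaf passes `Verify` with no error, because nothing in RFC 5280 path validation distinguishes a misissued certificate from a legitimate one once the issuer is trusted. Pinning works because the rogue chain never contains the pinned key. Pin the issuer or a backup key rather than the leaf key alone, or a routine certificate rotation will lock out your own clients.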


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google, Dropbox and a few other high-tech firms have come up with a new way to help defend themselves against patent trolls.
Upgrades from Windows XP PCs to newer computers during the second quarter perked up the PC market, which inched closer to positive quarterly shipment growth.
The Department of Homeland Security mistakenly released details on an experiment in which a 27-ton generator was destroyed via a cyberattack.
Instagram's cookies and unencrypted Web traffic give you up to anyone watching packets pass by.
Sean Gallagher

Most people know the privacy risk of Web cookies—the bits of data that Web browsers store and return to websites to help them keep track of your credentials, where you are in an application, and other information. Advertisers, social media services, and search engine providers use cookies to track users' travels on the Web to target them for advertising. And as we’ve reported, those cookies can be used by someone surveilling Web traffic to track you as well.

But when people use mobile applications, they’re also vulnerable to the same sort of cookie tracking. Many mobile apps are just Web applications wrapped in a package for an app store—they send cookies back to the same server to identify the user and provide location information and other data about a device to the application vendor, third parties, or anyone who happens to be watching network traffic. Taken together with other data, these cookies can be used to track individuals as they wander the world, posing a significant privacy risk.

There are other components of the Web content consumed by mobile apps that can be used in tracking. Some use REST interfaces that pass data as part of their requests back to servers, and that data is often sent in the clear. JavaScript elements within Web content can also access local device data and send it back as a data structure; this data is often sent unencrypted as well, and the process follows a common enough format for hackers or intelligence organizations to reverse engineer it.
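What someone "watching network traffic" can collect from such an app is easy to enumerate from a capture. The following is an added example, not code from the article: it parses a constructed dump of three plaintext HTTP requests (as a proxy or `tcpdump -A` on port 80 would show them; the hostnames and values are invented), flags every cookie sent in the clear, and flags query-string parameters whose names suggest device identifiers or location. The identifier hints are a heuristic list of the editor's choosing.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Finding records one piece of tracking data that left the device unencrypted.
type Finding struct {
	Host string
	Kind string // "cookie" or "query-param"
	Name string
}

// Constructed sample capture: three plaintext HTTP requests separated by blank lines.
const sampleCapture = `GET /api/v1/feed?device_id=ab12cd34&lat=37.42&lon=-122.08 HTTP/1.1
Host: api.example-photos.test
Cookie: sessionid=8f3a1c9e; ds_user_id=42
User-Agent: ExamplePhotos/6.0 (iPhone)

GET /img/logo.png HTTP/1.1
Host: cdn.example-photos.test
User-Agent: ExamplePhotos/6.0 (iPhone)

POST /track HTTP/1.1
Host: metrics.example-ads.test
Cookie: uid=deadbeef
Content-Type: application/x-www-form-urlencoded
`

// identifierHints are substrings that mark a query parameter as an identifier or a location.
var identifierHints = []string{"id", "uid", "device", "imei", "udid", "idfa", "mac", "lat", "lon", "lng"}

type request struct {
	host    string
	target  string // request-target from the request line, e.g. /path?query
	headers map[string]string
}

// parseRequests splits a capture into requests and keeps the request line and headers.
func parseRequests(capture string) []request {
	var reqs []request
	for _, block := range strings.Split(strings.TrimSpace(capture), "\n\n") {
		r := request{headers: map[string]string{}}
		sc := bufio.NewScanner(strings.NewReader(block))
		first := true
		for sc.Scan() {
			line := sc.Text()
			if first {
				if parts := strings.Fields(line); len(parts) >= 2 {
					r.target = parts[1]
				}
				first = false
				continue
			}
			if kv := strings.SplitN(line, ":", 2); len(kv) == 2 {
				r.headers[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
			}
		}
		r.host = r.headers["host"]
		reqs = append(reqs, r)
	}
	return reqs
}

func looksLikeIdentifier(name string) bool {
	n := strings.ToLower(name)
	for _, h := range identifierHints {
		if strings.Contains(n, h) {
			return true
		}
	}
	return false
}

// AuditCleartext returns every cookie and identifier-like query parameter sent in the clear,
// sorted so that the output is deterministic.
func AuditCleartext(capture string) []Finding {
	var out []Finding
	for _, r := range parseRequests(capture) {
		// Any cookie on port 80 is replayable by a passive observer, so flag them all.
		for _, kv := range strings.Split(r.headers["cookie"], ";") {
			if name := strings.TrimSpace(strings.SplitN(kv, "=", 2)[0]); name != "" {
				out = append(out, Finding{r.host, "cookie", name})
			}
		}
		if u, err := url.Parse(r.target); err == nil {
			for name := range u.Query() {
				if looksLikeIdentifier(name) {
					out = append(out, Finding{r.host, "query-param", name})
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		return a.Host+a.Kind+a.Name < b.Host+b.Kind+b.Name
	})
	return out
}

// CountByHost summarises how much tracking data each backend receives unencrypted.
func CountByHost(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Host]++
	}
	return counts
}

func main() {
	for _, f := range AuditCleartext(sampleCapture) {
		fmt.Printf("%-26s %-12s %s\n", f.Host, f.Kind, f.Name)
	}
}
```

Run against real captures, the same audit is a quick way to confirm whether an app's "web wrapper" sends its session cookie and device fields over TLS or over port 80; the fix on the app side is to refuse plaintext transport entirely rather than to rename the parameters.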


phpMyAdmin CVE-2013-5002 Cross Site Scripting Vulnerability
phpMyAdmin 'import.php' Cross Site Scripting Vulnerability
[SECURITY] [DSA 2975-1] phpmyadmin security update
Google executives are no longer saying whether Glass will be ready for release in 2014.
RootMetrics gives Verizon Wireless a big thumbs-up in its latest biannual ranking of wireless network performance in U.S. cities.
Adobe Flash Player and AIR CVE-2014-4671 Unspecified Security Vulnerability
Several analysts argue that Samsung's warning about Q3 profits is due to its strategy of competing on price.
Microsoft is continuing its dogfight with Salesforce.com in the customer relationship management software market with a new Dynamics CRM Online cloud service for U.S. government agencies.
What would you do with your time if you gave up Facebook for 99 days?
Apple's API for in-car mobile devices, better known as CarPlay, will outpace both the open API MirrorLink and GENIVI.

Microsoft has formally settled legal differences with No-IP, the dynamic domain name host that was kneecapped by a botnet takedown that recently knocked out service to millions of legitimate hostnames.

As we reported, Microsoft surrendered the 23 No-IP domains last week. A bare-bones statement e-mailed to journalists Wednesday morning said the agreement settled a controversial lawsuit Microsoft filed in late June that allowed the software maker to confiscate 23 No-IP domain names before the service provider had an opportunity to oppose the maneuver in court. The malware families targeted in the latest takedown infected more than 7.4 million machines in the past year alone, Microsoft said.

A federal judge approved Microsoft's confidential ex parte motion arguing that the software maker was entitled to seize control of the addresses because No-IP owner Vitalwerks Internet Solutions failed to follow industry practices designed to prevent malware operators from abusing the service. In the course of a few hours, millions of connections from law-abiding users were severed. The statement read in part:


Microsoft will revamp its Office 365 lineup for small and midsize businesses (SMBs), adding features, dropping prices and increasing the flexibility to mix and match them with Office 365 plans for enterprises and with stand-alone applications.
Developer interest in OS X Yosemite appears to be quadruple that of 2013's Mavericks.
BlackBerry is in full defensive mode these days. Rightly so. These are troubling times for the Canadian company.
PHP unserialize() Function Type Confusion Security Vulnerability
Cisco Security Advisory: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Weak Local Database Credentials in Infoblox Network Automation
OS Command Injection Infoblox Network Automation
Earlier this week, I had an in-depth conversation with the man who created Google's Glass at Work program, Eric Johnsen. Glass at Work is a program that certifies Glass-related third-party apps and services for use in the enterprise.
Gone, at least potentially, are the days of salespeople having to lug around a 4-pound projector to make presentations to potential customers.
Thousands of compromised computers are actively trying to break into point-of-sale (POS) systems using brute-force techniques to guess remote administration credentials.
Google Chrome CVE-2012-5150 Use-After-Free Remote Code Execution Vulnerability
Cisco SPA300 and SPA500 Series IP Phones Unspecified Cross Site Scripting Vulnerability
Notorious Russian leaker Wzor denied any link between the publication of internal Microsoft info and a former employee who stole trade secrets.
[ MDVSA-2014:132 ] libxfont
[ MDVSA-2014:131 ] file
[ MDVSA-2014:130 ] php
[ MDVSA-2014:129 ] ffmpeg
When it comes to budgeting for cloud software, it's important to have some solid data about the cost of deploying a "zero-feature" update, the likelihood of encountering latent bugs, and the level of effort required for simple developer overhead and housekeeping. While there's some good data and solid advice out there from the Standish Group, as I mentioned in a recent article, I haven't seen any data that's particularly modern or really focused on the harsh realities of cloud software development.
It's a bad moment. You dropped your expensive smartphone in the toilet. By the time you fish it out, it's really soaked. It won't turn on, and it seems quite dead.
U.S. National Security Agency whistleblower Edward Snowden has applied for extended asylum in Russia, according to news reports.
[SECURITY] [DSA 2974-1] php5 security update
CVE-2014-4331 OctavoCMS reflected XSS vulnerability
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Domain Manager
FreeBSD Security Advisory FreeBSD-SA-14:17.kmem
According to research conducted by labor market analytics and consulting firm Burning Glass, the future is looking bright, or brighter, for college students majoring in science, technology, engineering and math (STEM) -- especially if they are looking to go into healthcare, IT or engineering & advanced manufacturing. Indeed, according to Burning Glass's findings, STEM graduates have access to twice as many entry-level jobs as non-STEM graduates -- and the pay is better too, $66,123 compared to $52,299.
The folks at The Weather Channel have come up with another cool app, OutSider, that's designed for weather geeks who are also runners, walkers, hikers and/or cyclists.


Infosec Taylor Swift, Hipster Hacker among Twitter's twisted security comedians
Information security is no laughing matter — unless you're one of many infosec accounts on Twitter trying to be funny. I say "trying to" because some Twitter infosec comics are actually funny, and some are seriously not. They are loved and hated in ...

Google's Android Wear platform is an impressive first step toward making smartwatches people will actually want to buy. Here's an in-depth look at where the software shines -- and where it falls short.
The U.S. Senate Intelligence Committee approved Tuesday a cybersecurity bill that would pave the way for sharing of information between government and the private sector on security threats.
The most successful wearable devices will be ones that can work without a phone, and AT&T will have at least one of them by the end of this year, the man who manages the carrier's partnerships said.
The LG G Watch vs. Samsung Gear Live may look similar, but the first two Android Wear watches have some meaningful differences.

Posted by InfoSec News on Jul 09


By Carter Dougherty
July 8, 2014

Wall Street’s biggest trade group has proposed a government-industry cyber
war council to stave off terrorist attacks that could trigger financial
panic by temporarily wiping out account balances, according to an internal

The proposal by the Securities Industry and Financial...
With Congress refusing to move on immigration reform, President Barack Obama has options that could have broad impacts on immigration generally, and on the H-1B and green card visa systems in particular.
Microsoft has managed to reverse years of sometimes-sharp decline in Internet Explorer's user share and revive interest in the browser it bundles with Windows.

Posted by InfoSec News on Jul 09


By Thomas S. Popik and William R. Graham
The Hill
July 07, 2014

With a Senate vote on two nominees for commissioners of the Federal Energy
Regulatory Commission (FERC) pending, there is unprecedented attention on
this obscure regulator of interstate pipelines and electricity
transmission. In 2005, Congress granted FERC...

Posted by InfoSec News on Jul 09


By Terry Sheridan
Accounting Web
July 8, 2014

The Madoff Ponzi scheme, financial crisis of 2007-2009, ongoing mortgage
fraud and other scandals, and laws like Sarbanes-Oxley and Dodd-Frank that
were passed to counter the fraudsters, send a clear message: fraud
investigation is a can't-miss career track and valuable expansion to an
accounting or law practice or...

Posted by InfoSec News on Jul 09


By Nina Xiang

A sex tape is always intriguing.

In this case, my curiosity was aroused by a secretly-filmed alleged sex
tape of the former China head of British drug-maker GlaxoSmithKline (GSK)
and his girlfriend, which was sent to senior executives at GSK as a teaser
for whistler-blower documents.

So I talked with...

Posted by InfoSec News on Jul 09


By Doris Taylor
July 8, 2014

As the travel season heats up, Consumer Reports cautions that some popular
hotel and motel chains could be vulnerable to hackers because of weak
security systems.

The major credit-card companies require businesses to have standard data
protections if they want to accept credit and debit cards. It’s called...

Somewhat similar to the typo squatting story earlier, the recent proliferation of cloud service usage by enterprises has led to a new problem. For a project at a community college, we needed a couple of servers, and didn't want (or have the funds) to build them on-site. In view of the limited duration of the experiment, we decided to "rent" the boxes as IaaS (infrastructure as a service) devices from two "cloud" providers. So far, all went well. But when we brought the instances live, we discovered to our surprise that three (out of 24) public IP addresses that we were assigned still had "afterglow", meaning they were receiving productive traffic that was intended for the former owner/holder of these IPs. Two of the IPs received DNS queries, one was receiving email. Researching through the passive DNS logs, I confirmed that yes, the three IP addresses had indeed been used accordingly. One of the DNS servers had been active only for a week, obviously for nefarious purposes, because it had lots of random .ua and .pw domain names delegated to it. The other seems to have been the DNS+Email server of a midsize company that had been hosted with that IaaS provider for two years, and had been migrated elsewhere earlier that same week.

To make a long story short, for all services where the Internet has an extended memory and caching, make sure you hold on for a couple of weeks or months to the corresponding IP or domain name after you no longer need and use them, and let them "cool off". Otherwise, if the IP address is immediately reassigned, or the domain name immediately repurchased, someone else *will* end up with some of your web traffic, DNS requests, or even email.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Django 'reverse()' Function Arbitrary Code Execution Vulnerability
PHP '/ext/standard/info.c' Type Confusion Information Disclosure Vulnerability
PHP Fileinfo Component 'cdf_read_property_info()' Function Denial of Service Vulnerability
PHP Fileinfo Component CVE-2014-3478 Remote Denial of Service Vulnerability
Internet Storm Center Infocon Status