Hackin9
The developer of the most widely used test for ranking the performance of supercomputers has said his metric is out of date and proposed a new test that will be introduced starting in November.
 
Security warnings displayed by Web browsers are far more effective at deterring risky Internet behavior than was previously believed, according to a new study.
 
SoftBank completed its US$21.6 billion acquisition of Sprint Nextel on Wednesday, capping a months-long effort that was complicated by two bidding wars and some national-security objections but is expected to produce a stronger rival to the dominant U.S. mobile operators.
 
Weakness in the global economy, component shortages, sluggish demand for Windows 8 and the popularity of tablets all contributed to another double-digit percentage decline for the global PC market in the second quarter.
 
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
 
If you felt a twinge of angst after reading Ars' May feature that showed how password crackers ransack even long passwords such as "qeadzcwrsfxv1331", you weren't alone. The upshot was clear: if long passwords containing numbers, symbols, and upper- and lower-case letters are this easy to break, what are users to do?

Ars has largely answered that question already: use a password manager to randomly generate and store long, complex passcodes that are unique for each site you care about. Our how-to provides a thorough primer that should be required reading for anyone who uses the Internet. That said, password security is a highly nuanced undertaking with plenty of room for competing strategies and contradictory imperatives. Is it safe, for instance, to store your encrypted password file in the cloud or to allow your browser to remember frequently used log-in credentials? And what's the best way to manage passwords across a variety of computer operating systems and different smartphone platforms?

I recently checked in with five security experts to learn about their approach to choosing and storing crack-resistant passwords. They include renowned cryptographer Bruce Schneier, who is a "security futurologist" at BT and recently joined the Electronic Frontier Foundation's board of directors; Adriel T. Desautels, CEO of Netragard, a firm that gets paid to hack large companies and then tell them how it was done; Jeremiah Grossman, founder and CTO of WhiteHat Security; Jeffrey Goldberg, "defender against the dark arts" at AgileBits, a company that develops the popular 1Password password manager; and Jeremi Gosney, a password security expert at Stricture Consulting.

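The advice above, made concrete as an added example (written for this page; it is not Ars' code nor any password manager's): a generator that draws each character from the OS CSPRNG, the entropy arithmetic behind "long, complex, unique per site", and a comparison of the nominal strength of a pattern password such as "qeadzcwrsfxv1331" against what a cracker actually has to search. The guess rate and the size of the keyboard-walk pattern space used in the demo are assumptions for illustration, not measurements.

```python
import math
import secrets
import string

# Character classes a password manager lets you mix; the default uses all of them (94 symbols).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG via `secrets`.

    random.choice() is the wrong tool here: the Mersenne Twister behind `random`
    becomes predictable once an attacker observes a few of its outputs.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def site_passwords(sites, length: int = 20) -> dict:
    """One independent random secret per site, the way a manager's vault stores them.

    Reuse is the failure mode this prevents: a breach of one site yields nothing
    that logs in anywhere else.
    """
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Nominal strength of the Ars example: 16 characters over lowercase + digits (36 symbols).
    nominal = entropy_bits(16, 36)
    # A cracker does not search that space. It tries keyboard walks with a digit suffix
    # as a pattern; 2**40 candidate patterns is an ASSUMED figure for illustration only.
    pattern_bits = 40.0
    generated = entropy_bits(20, len(DEFAULT_ALPHABET))
    rate = 1e11  # ASSUMED guesses/second against a fast unsalted hash on a GPU rig
    for label, bits in [("pattern, nominal", nominal),
                        ("pattern, as attacked", pattern_bits),
                        ("20 random chars", generated)]:
        print(f"{label:22s} {bits:6.1f} bits  ~{expected_crack_seconds(bits, rate):.3g} s")
    print(site_passwords(["example.com", "mail.example"]))
```

The point the numbers make: the generated 20-character password sits near 131 bits, so the crack rate is irrelevant, while the pattern password's 82 nominal bits shrink to whatever the cracker's pattern space is, which is why length and character classes alone say nothing about a password a human chose.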


 
[Foreground Security 2013-001]: Joomla AICONTACTSAFE 2.0.19 Extension Cross-Site Scripting (XSS) vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Go to a technology event or corporate meeting these days and you're bound to hear from a guest speaker. It's often someone like a retired politician telling war stories, or a new-age management guru delivering a thinly veiled pitch for their latest book.
 
The U.S. Federal Communications Commission has wasted hundreds of millions of dollars on telephone subsidies, with some rich areas of the country receiving up to US$23,000 per line per year from the agency's Universal Service Fund, according to a new study.
 
People might start seeing a lot more Instagram content across the Web -- the photo- and video-sharing app has just announced the introduction of Web embeds.
 
A U.S. judge's ruling Wednesday that Apple violated antitrust laws in its dealings with book publishers may limit the ways in which the company strikes deals in other industries going forward.
 
Dell iDRAC6 IPMI Connections Denial of Service Vulnerability
 

Based on a note on the website of SIDN [1], an SQL injection vulnerability was used to compromise the site and place malicious files in the document root. SIDN is the registrar for the .NL country level domain (Netherlands). As a result of the breach, updates to the zone file are suspended. There is no word as to any effects on the zone files, or if the attackers were able to manipulate them.

 

[1] https://www.sidn.nl/en/news/news/article/preventieve-maatregelen-genomen-2/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

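To make the failure mode behind the SIDN note concrete, an added example (not SIDN's code and not the ISC's; the "news" table and its rows are constructed for this page): a lookup that splices a request parameter into the statement text, beside the same lookup with type validation and parameter binding. Python with the standard-library sqlite3 module stands in for whatever the real site ran; on engines that can write files from SQL, the same kind of control over the statement is what lets an attacker drop files into the document root.

```python
import sqlite3

# Constructed sample data: a tiny "news" table standing in for a CMS article lookup.
SAMPLE_ROWS = [
    (1, "Zone file update schedule", 1),
    (2, "Draft: internal maintenance notes", 0),  # unpublished; must never be exposed
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, article_id: str) -> list:
    """Untrusted input becomes part of the statement text: the caller controls the SQL."""
    sql = f"SELECT id, title FROM news WHERE published = 1 AND id = {article_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, article_id: str) -> list:
    """Validate the type first, then bind the value; it can never be parsed as SQL."""
    try:
        id_int = int(article_id)
    except ValueError:
        # Reject and log; do not try to "sanitize" the string into something usable.
        raise ValueError(f"rejected non-numeric article id: {article_id!r}") from None
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ?"
    return conn.execute(sql, (id_int,)).fetchall()


def demo(payload: str = "1 OR 1=1") -> dict:
    """Run an honest request and an injected one through both lookups."""
    conn = make_db()
    result = {
        "honest_vulnerable": lookup_vulnerable(conn, "1"),
        "honest_hardened": lookup_hardened(conn, "1"),
        # AND binds tighter than OR, so the WHERE clause becomes
        # (published = 1 AND id = 1) OR 1=1 and every row, drafts included, comes back.
        "attack_vulnerable": lookup_vulnerable(conn, payload),
    }
    try:
        result["attack_hardened"] = lookup_hardened(conn, payload)
        result["attack_rejected"] = False
    except ValueError:
        result["attack_hardened"] = []
        result["attack_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

The hardened version does two separate things, and both matter: `int()` enforces the type the schema expects, and the `?` placeholder hands the value to the driver out of band, so even a value that passes validation is never concatenated into the statement.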
 
T-Mobile on Wednesday launched an unusual phone upgrade program that allows customers to get a new phone when they want, up to twice a year, that starts six months after enrolling in a program that costs $10 a month.
 
At MobileBeat 2013, Samsung unveiled a prototype for a new smartphone with healthcare monitoring that features two fold-out panels that can change colors based on the mode the phone is in.
 
Microsoft today doubled the support lifespan of Windows Phone 8 from 18 to 36 months and promised to release an enterprise-oriented "feature pack" for the mobile operating system in the first half of 2014.
 
There is a great dichotomy in Security Awareness. Just about all of the CSOs we talk to believe that one of their top priorities is to improve their organization's security culture -- in other words, the behavior of their users. Similarly, we see article after article and study after study talking about how humans are the primary attack vector for advanced attacks. Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases, such as protecting and attacking "Layer 8" have emerged.
 
Intelligent Platform Management Interface Null Length Credential Authentication Bypass Vulnerability
 

SANS Launches a New Hands-On IT Security Training Program with NetWars
The Herald | HeraldOnline.com
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 

Some readers have reported in (Thanks!) that their inline Websense appliances are spiking to 100% after an update. The Websense team is aware and quickly working on a fix we are told. If you are seeing this behavior please let us know!

 

Richard Porter 

@packetalien

richard at pedantictheory dot com

 
Google is incorporating several new features into its Maps app on Android-powered devices -- which are also coming soon to iOS -- to make it easier to search and navigate using the service.
 
The rumored reorganization of Microsoft, which could be unveiled as soon as tomorrow, will go unnoticed by customers in the near-term, analysts said.
 
A snake has been moving through the pipes and systems of a nuclear power plant near Vienna, Austria.
 
A popup box displayed on computers infected by Shadowlock.

If your PC's CD tray opens and you hear the iconic, five-note tune from the movie Close Encounters of the Third Kind, it's probably not a visit from aliens. Chances are it's a newly discovered piece of malware with some highly unusual characteristics.

Trojan.Shadowlock belongs to a category of malicious software known as ransomware, which typically locks down data and resources until the victim pays a hefty fee. But in this case, according to Symantec researchers, the malware demands the user of the disabled computer complete an online survey.

Shadowlock isn't as nasty as other ransomware samples that threaten criminal prosecutions based on trumped up charges and then extort fees that can be in the hundreds of dollars. That's because this latest threat, which was created with Microsoft's .Net developer tool, can be easily bypassed. Still, it contains several dormant functions that could be invoked in future versions. The ability to kill Chrome, Internet Explorer, and other browsers is one capability. Eating up disk space and disabling the Windows firewall is another.



 
VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe
 

SANS Launches a New Hands-On IT Security Training Program with NetWars
PR Newswire (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 
Google and many of its services suffered an outage this morning, causing a ripple of frustration and confusion to show up on Twitter.
 
RETIRED: Imperva SecureSphere Operations Manager Multiple Security Vulnerabilities
 

Information Security Expert to Host Seminar on Counter Surveillance Tactics
The Herald | HeraldOnline.com
Max Dalziel, Founder and CEO of Concise Courses USA, said, "Concise Courses looks for infosec classes that provide viewers with actionable solutions, and Gary's free 'Counterveillance' class is no exception. This is a must attend event for anyone who ...

 
Samsung Electronics has requested a new trial for a patent related to a US$1 billion infringement ruling against it in a case brought by rival Apple, due to a re-examination of the patent at the U.S. Patent and Trademark Office.
 
Apple violated antitrust laws when it colluded with publishers to set prices of e-books, a U.S. district court judge has ruled.
 
Now users can check if their Android device is vulnerable to the signing flaw, which has been called a "master key" to the mobile operating system by the authors of the scanner, who also reported the flaw to Google.
 
VLC Media Player CVE-2013-3245 Remote Integer Overflow Vulnerability
 


 
A U.S. district court judge has found Apple guilty of e-book price fixing after three weeks of court proceedings that ended June 20.
 
 
Google's Chrome 28 browser is the first to use the new Blink engine, which is designed to offer faster page loading. Also new is a notification feature that even informs users when Chrome isn't running.


 
A dispute that has culminated in blog posts and messages on Reddit is raging between Secunia and VLC. The developers and the security firm have had differing views on an advisory since December 2012.


 
[slackware-security] dbus (SSA:2013-191-01)
 
Flexible PKard Reader and elegant Tactivo bring smart card authentication to your favorite mobile device
 
The majority of today's clinical trials use paper surveys or single-purpose handheld devices to gather patient data. Web forms improve this process, but the smartphone could be a leap forward for the 'BYOD clinical trial'--if a notably risk-averse industry is willing to embrace the change.
 
 
RETIRED: Google Chrome Prior to 28.0.1500.71 Multiple Security Vulnerabilities
 
Peter Sunde, the co-founder of BitTorrent search engine The Pirate Bay, is working on developing a secure mobile messaging app and service that's intended to be safe from government surveillance and be user friendly at the same time.
 
The availability of so many new generic top-level domains has both thrilled and terrified brand owners.
 

How will the mobile vortex reshape your business? Meet GigaOM in Atlanta July ...
GigaOM
The meetings confirmed the view that Atlanta enterprises and startups are at the forefront of innovation in mobile, infosec (information security) and health tech, among others. Intrigued by what he saw, Paul committed to having GigaOM host and ...

 
Enterprises are gaining the ability to turn existing storage platforms over to flash even as solid-state media remains mostly a tool for caching and for applications with special requirements.
 
Adobe releases updates and two hotfixes to close various security holes in its products. All operating systems are affected.


 
Nintendo has won a court case in Tokyo against sellers of illegal game emulators for its DS handheld console, part of its ongoing legal campaign to stamp out the products under toughened Japanese laws.
 
Game maker Konami said one of its online portals has been hit by a mass of illicit login attempts, with attackers gaining access to over 35,000 accounts, just days after Nintendo revealed a similar attack on one of its sites.
 
A working Apple-1 computer fetched $387,750 on Tuesday at auction, well off the record price of $671,400 paid in May for another of the rare personal computers.
 
Re: Cisco/Linksys E1200 N300 Reflected XSS
 
Re: Project Pier Web Vulnerabilities
 
Adobe Flash Player CVE-2013-3347 Integer Overflow Vulnerability
 
Adobe Flash Player CVE-2013-3345 Unspecified Memory Corruption Vulnerability
 
RETIRED: Adobe Flash Player APSB13-17 Multiple Remote Code Execution Vulnerabilities
 
Adobe Flash Player CVE-2013-3344 Unspecified Heap Buffer Overflow Vulnerability
 

Special Training Offer from SANS vLive for IT Professionals Preparing for the ...
Sacramento Bee
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 
Seagate, Samsung and OCZ have launched new consumer-class SSDs. We benchmarked all three to find which one has the best performance.
 
The U.S. Department of Commerce's Economic Development Administration destroyed about $170,000 worth of IT equipment including computers, printers, keyboards and computer mice last year on the mistaken belief that the systems were irreparably compromised by malware.
 
The U.S. may be the global center of the IT universe, but India will exceed the U.S. in the number of software developers by 2017, a new report notes.
 

Posted by InfoSec News on Jul 10

http://healthitsecurity.com/2013/07/08/larry-ponemon-on-securing-regulated-data-in-healthcare-qa/

By Patrick Ouellette
Health IT Security
July 8, 2013

Though mobile applications that share files through the cloud such as Box and
DropBox can be appealing to consumers, the Ponemon Institute has found that
these types of applications can be unsafe in a clinical environment. Ponemon
released its “The Risk of Regulated Data on Mobile Devices...
 

Posted by InfoSec News on Jul 10

http://arstechnica.com/security/2013/07/google-patches-critical-android-threat-as-working-exploit-is-unleashed/

By Dan Goodin
Ars Technica
July 9, 2013

A security researcher has published working exploit code that allows
attackers to surreptitiously turn legitimate apps running on Google's
Android mobile operating system into malicious trojans. Around the same
time, Google said it released a patch that helps protect users from abuse....
 

Posted by InfoSec News on Jul 10

https://www.computerworld.com/s/article/9240675/Study_Bug_bounty_programs_provide_strong_value_for_vendors

By Jeremy Kirk
IDG News Service
July 9, 2013

Paying rewards to independent security researchers for finding software
problems is a vastly better investment than hiring employees to do the
same work, according to researchers from the University of California
Berkeley.

Their study looked at vulnerability reward programs (VRPs) run by...
 

Posted by InfoSec News on Jul 10

http://www.brecorder.com/top-news/108-pakistan-top-news/126905-mushahid-outlays-7-point-plan-to-ensure-countrys-cyber-security.html

By Imaduddin
Business Recorder
09 July 2013

ISLAMABAD: The participants of a seminar on Monday agreed on a seven-point
action plan to ensure country's cyber security and to defend it against
emerging cyber threats.

Speaking on the occasion Pakistan Muslim League-Quaid (PML-Q)
Secretary-General Mushahid...
 

Posted by InfoSec News on Jul 10

http://www.cbc.ca/news/canada/saskatoon/story/2013/07/08/saskatoon-government-computer-hacking-130708.html

By Dan Zakreski
CBC News
July 9, 2013

Saskatchewan government officials said they beat back millions of
cyberattacks against the provincial computer system last year.

The province has 15,000 computers in its network. The information stored
in the system ranges from health and financial data to sensitive reports.

The province is...
 
Until recently, the emergency alert systems that enable the US president to broadcast via TV and radio stations in cases of emergency contained a hair-raising security hole.


 
Microsoft releases seven patch packages to close a total of 34 holes in Windows, Internet Explorer, Office and other products. Among them is a patch to fix the privilege escalation hole in the Windows kernel that has been known about for over a month.


 
Linux Kernel CVE-2013-3231 Local Information Disclosure Vulnerability
 
Linux Kernel CVE-2013-3235 Local Information Disclosure Vulnerability
 
(CVE-2013-1059) Linux Kernel libceph Null Pointer Dereference Vulnerability
 
[security bulletin] HPSBST02896 rev.1 - HP StoreVirtual Storage, Remote Unauthorized Access
 
A lawsuit filed by Apple over Amazon.com's use of the term "Appstore" has ended after Apple decided to withdraw the case.
 
With a new set of hardware and software releases, EMC is promising to simplify its customers' storage infrastructure by combining different types of operation into a single EMC system.
 
Apple has asked the U.S. International Trade Commission to stay a ban on certain iPhone and iPad models pending an appeal.
 
SWFUpload Multiple Content Spoofing and Cross Site Scripting Vulnerabilities
 

Special Training Offer from SANS vLive for IT Professionals Preparing for the ...
Wall Street Journal
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 