Hackin9
After more than a decade of research, Intel's new connector that uses light as a speedy way to shuffle data between computers is finally ready to replace slower copper cables.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apple Safari CVE-2013-5227 Multiple Cross Origin Information Disclosure Vulnerabilities
 
WebKit CVE-2013-5198 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2013-5225 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2014-1269 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2014-1270 Unspecified Memory Corruption Vulnerability
 
Government-funded broadband projects have led to higher speeds and lower prices for U.S. small businesses, despite opposition from some in Congress, according to an auditor's report.
 
Intel is putting its energy into the development of smart grid standards and monitoring systems in Germany, with company executives announcing a number of initiatives at the Cebit trade show Monday.
 
Smart Crib Ltd.

Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords—even the most common and weak ones such as "123456," "password," and "letmein."

The S-CRIB Scrambler adds a layer of protection on top of the methods many websites use now to prevent mass account compromises when a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge's Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation known as a hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it's not included in the password tables stored on servers, the key can remain secret even in the event of a major security breach.

The new method comes amid twin epidemics: website security breaches that spill password databases, and a large percentage of end users who use "princess," "123abc," and other easily guessed passcodes to safeguard their accounts. Like a similar approach unveiled last year that uses a hardware security module to encrypt hashed passwords, it's designed to make it much harder for attackers to guess the plaintext corresponding to the hashes in a leaked database. Even if a hacker gains access to hashes protecting "123456" or other extremely weak passwords, there is no way to crack them.
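The storage scheme the article describes, as an added example rather than S-CRIB's own code: the conventional salted hash beside a hash-then-HMAC record whose key never leaves the "dongle" function. The 10-character key is a constructed stand-in, SHA-256 stands in for the site's hash, and `offline_guess` models what someone holding only the leaked records can compute.

```python
import hashlib
import hmac
import os

# Constructed 10-character secret standing in for the dongle's key. In the
# real design it lives only on the device; here it is module-level so the
# script runs stand-alone, and dongle_hmac() is the only function that reads it.
DONGLE_KEY = b"k7Qz2pL9xR"


def dongle_hmac(data, key=DONGLE_KEY):
    """Stand-in for the dongle: HMAC-SHA256 over the server-side hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def inner_hash(salt, password):
    """The server-side one-way hash (SHA-256 stands in for the site's KDF)."""
    return hashlib.sha256(salt + password.encode()).digest()


def store_plain(password, salt=None):
    """Conventional record: salt + hash(salt || password). Everything needed
    to test a guess is in the record itself."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "value": inner_hash(salt, password)}


def store_scrambled(password, salt=None):
    """S-CRIB style record: salt + HMAC_key(hash(salt || password)). The key
    that produced 'value' is not in the database."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "value": dongle_hmac(inner_hash(salt, password))}


def verify_scrambled(password, record):
    """Login check on the server: recompute the tag via the dongle."""
    tag = dongle_hmac(inner_hash(record["salt"], password))
    return hmac.compare_digest(tag, record["value"])


def offline_guess(record, wordlist):
    """What a holder of only the leaked record can do: recompute the public
    hash for each candidate and compare it with the stored value. Finds weak
    passwords in a plain record; can never match a scrambled record, because
    the stored value is an HMAC the guesser cannot reproduce."""
    for cand in wordlist:
        if hmac.compare_digest(inner_hash(record["salt"], cand), record["value"]):
            return cand
    return None
```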


 
APPLE-SA-2014-03-10-2 Apple TV 6.1
 
[ MDVSA-2014:050 ] wireshark
 
Getting a jump on competing hypervisors, the open source Xen is preparing for the day when ARM processors will run virtual machines.
 
Google is nearly ready to come out with an Android operating system for wearable computers.
 
In 1993, a few years after immigrating to the U.S., Arkadiy Dobkin, an electrical engineer trained in Minsk, Belarus, started a company that aimed to tap the IT engineering talent developed in the former Soviet Union.
 
After about a week-and-a-half, Google finished unclogging a backlog of legitimate messages its Postini spam filter trapped by mistake at the end of February.
 
[security bulletin] HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability
 
[SECURITY] [DSA 2872-1] udisks security update
 
APPLE-SA-2014-03-10-1 iOS 7.1
 
Android Vulnerability: Install App Without User Explicit Consent
 

Here is detailed information on today's Apple releases; both iOS and Apple TV were updated.

APPLE-SA-2014-03-10-1 iOS 7.1

iOS 7.1 is now available and addresses the following:

Backup
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted backup can alter the filesystem
Description:  A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs

Certificate Trust Policy
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Root certificates have been updated
Description:  Several certificates were added to or removed from the
list of system roots.

Configuration Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Profile expiration dates were not honored
Description:  Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267

CoreCapture
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application can cause an unexpected system
termination
Description:  A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella

Crash Reporting
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to change permissions on arbitrary
files
Description:  CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs

dyld
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Code signing requirements may be bypassed
Description:  Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs

FaceTime
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description:  FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description:  An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOKit HID Event
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may monitor user actions in other
apps
Description:  An interface in the IOKit framework allowed malicious apps
to monitor user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye

iTunes Store
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description:  An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description:  An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs

Office Viewer
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description:  A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

Photos Backend
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Deleted images may still appear in the Photos app underneath
transparent images
Description:  Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington

Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A configuration profile may be hidden from the user
Description:  A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

Settings - Accounts
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description:  A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284

Springboard
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description:  An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99

SpringBoard Lock Screen
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to cause the lock screen to
become unresponsive
Description:  A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net

TelephonyUI Framework
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A webpage could trigger a FaceTime audio call without user
interaction
Description:  Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross

USB Host
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description:  A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group

Video Driver
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description:  A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
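A restore routine with the checks the Backup (CVE-2013-5133) and Crash Reporting (CVE-2014-1272) entries above describe, as an added example and not Apple's code: symlink entries are refused, symlinked parent directories are detected, and the file is opened with O_NOFOLLOW and chmod'ed through the descriptor so neither the write nor the permission change can be redirected. The entry format and the `demo()` scenario are constructed.

```python
import os
import tempfile


def _component_is_symlink(root, rel):
    """True if any directory component of rel (below root) is a symlink."""
    cur = root
    for part in rel.split("/")[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False


def restore_entry(root, entry):
    """Restore one backup entry below root; return a status string.
    entry is a constructed dict: {"type": "file"|"symlink", "path": ..., ...}."""
    rel = entry["path"]
    if rel.startswith("/") or ".." in rel.split("/"):
        return "rejected: path escapes root"
    if entry["type"] == "symlink":
        # Pre-fix behaviour restored these, so later writes in the same
        # restore landed wherever the link pointed.
        return "rejected: symlink entry"
    if _component_is_symlink(root, rel):
        return "rejected: symlinked parent"
    target = os.path.join(root, rel)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # O_NOFOLLOW makes the open fail (ELOOP) if the final component is a
    # symlink; fchmod on the descriptor avoids a second path lookup.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(target, flags, 0o600)
    except OSError as e:
        return "rejected: %s" % e.strerror
    try:
        os.write(fd, entry["data"])
        os.fchmod(fd, entry.get("mode", 0o600))
    finally:
        os.close(fd)
    return "restored"


def demo():
    """Constructed scenario in a temp dir: an honest file, a symlink entry,
    a file under a pre-planted directory symlink, a file whose final
    component is a pre-planted symlink, and a traversal. Returns
    {path: status} plus whether the outside directory stayed untouched."""
    outside = tempfile.mkdtemp()
    root = tempfile.mkdtemp()
    os.symlink(outside, os.path.join(root, "planted"))              # dir link
    os.symlink(os.path.join(outside, "x"), os.path.join(root, "lnk"))  # file link
    entries = [
        {"type": "file", "path": "notes/a.txt", "data": b"hello", "mode": 0o644},
        {"type": "symlink", "path": "lib", "target": "/"},
        {"type": "file", "path": "planted/evil.txt", "data": b"x"},
        {"type": "file", "path": "lnk", "data": b"x"},
        {"type": "file", "path": "../escape.txt", "data": b"x"},
    ]
    result = {e["path"]: restore_entry(root, e) for e in entries}
    result["_outside_untouched"] = os.listdir(outside) == []
    return result


if __name__ == "__main__":
    for path, status in demo().items():
        print(path, "->", status)
```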

 

Microsoft Sysinternals has updated Process Explorer v16.02, Process Monitor v3.1, PsExec v2.1 and Sigcheck v2.03:

Process Explorer v16.02: This minor update adds a refresh button to the thread's stack dialog and ensures that the VirusTotal terms of agreement dialog box remains above the main Process Explorer window.

Process Monitor v3.1: This release adds the registry create file disposition (create vs. open) and a new switch, /saveapplyfilter, which has Process Monitor apply the current filter to the output file as it saves it.

PSExec v2.1: This update to PsExec, a command-line utility that enables you to execute programs on remote systems without preinstalling an agent, encrypts all communication between local and remote systems, including the transmission of command information such as the user name and password under which the remote program executes.

Sigcheck v2.03: This version corrects a bug that caused the output of the -u switch to include signed files, and fixes several other minor bugs.

http://blogs.technet.com/b/sysinternals/archive/2014/03/07/updates-process-explorer-v16-02-process-monitor-v3-1-psexec-v2-1-sigcheck-v2-03.aspx

 

 

 
Oracle is planning to make significant investments in its ERP software for higher education institutions, with an eye on keeping the installed base happy and fending off challenges from the likes of Workday.
 
Deutsche Telekom's T-Systems has, together with luggage maker Rimowa, developed a line of suitcases with GPS, Wi-Fi and GSM to help users keep track of them.
 
Apple today shipped iOS 7.1, the first major update since its newest mobile operating system launched in September 2013.
 
Encryption technologies can be a powerful tool against government surveillance, but the most effective techniques are still largely out of reach to the average Internet user, Edward Snowden said Monday.
 
February was a good month for IT hiring after months of sluggish demand. Reports from three research firms each reported an increase in hiring in the sector.
 
A portable music player that promises better sound fidelity than MP3s is set to launch on Kickstarter with backing from veteran rocker Neil Young.
 
Atlassian JIRA Issue Collector Plugin Arbitrary File Creation Vulnerability
 
Atlassian JIRA Importers Plugin Arbitrary File Creation Vulnerability
 
Recently released security updates for the popular Joomla content management system (CMS) address a SQL injection vulnerability that poses a high risk and can be exploited to extract information from the databases of Joomla-based sites.
 
WordPress Search Everything Plugin 'index.php' SQL Injection Vulnerability
 
[SECURITY] [DSA 2871-1] wireshark security update
 
[ MDVSA-2014:049 ] subversion
 
[ MDVSA-2014:048 ] gnutls
 
[SECURITY] [DSA 2870-1] libyaml-libyaml-perl security update
 
WordPress Thank You Counter Button Plugin Multiple Cross Site Scripting Vulnerabilities
 
Trying to protect your expanding virtual machine (VM) empire will require a security product that can enforce policies, prevent VMs from being terminated or infected, and deliver the virtual equivalents of firewalls, IPS and anti-virus solutions.
 
imapsync CVE-2013-4279 Information Disclosure Vulnerability
 
PHP Fileinfo Component Out of Bounds Memory Corruption Vulnerability
 
FreeRADIUS 'rlm_pap' Module Denial of Service Vulnerability
 
PHP 'ext/gd/gd.c' Heap Based Buffer Overflow Vulnerability
 
PHP CVE-2013-7327 Heap Overflow Vulnerability
 
PHP CVE-2013-7328 Memory Corruption Vulnerability
 
Samsung Electronics removed three standard-essential patents claims from its dispute with Apple in a California federal court.
 
Mozilla last week announced it was abandoning in-house development of the single sign-on "Persona," a failed alternative to website passwords, and would hand the project to volunteers.
 
Apple has improved its security in recent years, but is it enough?
 
Sony and Panasonic have developed a next-generation optical disc for enterprise storage with an initial capacity of 300GB.
 
The secret Foreign Intelligence Surveillance Court has ruled against a U.S. government request that it be allowed to hold telephone metadata beyond the current five-year limit as it may be required as evidence in civil lawsuits that question the data collection.
 
PostgreSQL 'make check' Local Privilege Escalation Vulnerability
 
E-Store (1.0 & 2.0) <= SQL Injection Vulnerability
 
Hackers attacked the personal blog of Mt. Gox CEO Mark Karpeles on Sunday and posted what they claim is a ledger showing a balance of some 950,000 bitcoins based on records they obtained from the defunct exchange for the virtual currency.
 
Problem arose after a consultant made a configuration change, opening up control ports to the Internet, with no authentication required.
 
Every day, contemporary executives confront a series of inflection points, where received wisdom is no longer adequate.
 
With little or no competition, Comcast will have little reason to increase speed or lower the cost of broadband, or any impetus to preserve Net neutrality.
 
Corporate culture may matter even more to your project's success than ROI does. Here's how to work with it rather than against it.
 
To get your projects done, you'll need to motivate your people to perform, no matter where their loyalties lie.
 
Two surveys show that starting salaries for recent college graduates with computer science degrees have slipped, but pay might not be the most important factor for IT professionals when it comes to choosing jobs.
 

Posted by InfoSec News on Mar 10

http://www.infosecnews.org/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/

By Scot Terban
Special to InfoSec News
March 10, 2014

Threat Intelligence:

Threat intelligence is the new hotness in the field of information
security and there are many players who want your money to give you their
interpretation of it. Crowdstrike, Mandiant, and a host of others all
offer what they call threat intelligence but what is...
 

Posted by InfoSec News on Mar 10

http://www.healthcareitnews.com/news/bad-news-169k-after-new-hipaa-breach

By Erin McCann
Associate Editor
Healthcare IT News
March 7, 2014

Some 168,500 people are getting HIPAA breach notification letters after
unencrypted computers were stolen from the Los Angeles County public
health and health services departments, city officials announced Thursday.

According to a public notice, third-party billing vendor Sutherland
Healthcare Solutions...
 

Posted by InfoSec News on Mar 10

http://blogs.csoonline.com/security-industry/3050/cansecwest-talk-infrastructure-attacks-canceled-after-being-classified

By Steve Ragan
Salted Hash
CSO Online
March 09, 2014

Eric Filiol, head of the Operational Cryptography and Computer Virology
lab hosted by ESIEA in Laval, France, was scheduled to give a talk on
Friday at the CanSecWest conference in Vancouver, British Columbia.

However, that talk has been canceled after reviewers in the...
 

Posted by InfoSec News on Mar 10

http://www.computerworld.com/s/article/9246837/Perspective_Microsoft_risks_security_reputation_ruin_by_retiring_XP

By Gregg Keizer
Computerworld
March 9, 2014

A decade ago, Microsoft kicked off SDL, or Security Development Lifecycle,
a now-widely-adopted process designed to bake security into software, and
began building what has become an unmatched reputation in how a vendor
writes more secure code, keeps customers informed about security...
 

Posted by InfoSec News on Mar 10

http://news.techworld.com/security/3505809/mt-gox-ceos-blog-goes-blank-after-alleged-hack/

By Jeremy Kirk
Techworld
10 March 2014

Hackers attacked the personal blog of Mt. Gox CEO Mark Karpeles on Sunday
and posted what they claim is a ledger showing a balance of some 950,000
bitcoins based on records they obtained from the defunct exchange for the
virtual currency.

They said the sum contradicts Mt. Gox's claim in a Japanese bankruptcy...
 