VTE Remote Escape Sequences CVE-2012-2738 Denial of Service Vulnerability

Pwnie Express Next Stop: InfoSec World Orlando
San Francisco Chronicle (press release)
Pwnie Express participates in this year's InfoSec World in Orlando April 15 & 16th. Booth 220 will feature the Pwn Pad which created such a sensation at February's RSA Conference in San Francisco. Fully equipped with wireless tools such as Aircrack-ng, ...

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Don't set your Google Inactive Account Manager just yet, but there are billions of tons of solar matter hurtling toward the Earth at more than 600 miles (970 kilometers) per second. NASA estimates the plasma will hit our atmosphere late Friday night, U.S. Eastern Daylight Time.

Have a plan to steal millions from banks and their customers but can't write a line of code? Want to get rich quick off advertising click fraud but "quick" doesn't include time to learn how to do it? No problem. Everything you need to start a life of cybercrime is just a few clicks (and many more dollars) away.

Building successful malware is an expensive business. It involves putting together teams of developers, coordinating an army of fraudsters to convert ill-gotten gains to hard currency without pointing a digital arrow right back to you. So the biggest names in financial botnets—Zeus, Carberp, Citadel, and SpyEye, to name a few—have all at one point or another decided to shift gears from fraud rings to crimeware vendors, selling their wares to whoever can afford them.

In the process, these big botnet platforms have created a whole ecosystem of software and services in an underground market catering to criminals without the skills to build it themselves. As a result, the tools and techniques used by last year's big professional bank fraud operations, such as the "Operation High Roller" botnet that netted over $70 million last summer, are available off-the-shelf on the Internet. They even come with full technical support to help you get up and running.


Mind maps are fundamentally very simple. You can create one on the back of a napkin in mere seconds, so it follows that there should be an equally effortless way to do it online. And there is: MindMup, a free and lightweight service, lets you throw together simple mind maps without having to download anything, open an account, or do anything else. It's Web-based, too, so it works across Windows, Mac OS X, and Linux.
LinkedIn, the world's largest professional networking site, continues to beef up its content publishing platform with its agreement to acquire Pulse, which makes a mobile news aggregation, reader and content distribution application.
Twitter, in an effort to make its site more useful to an ever-increasing number of people, is rolling out its Trends topic discovery feature in 160 new locations.

Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years.

The companies infected by the malware primarily market so-called massively multiplayer online role-playing games. They're mostly located in South East Asia, but are also in the US, Germany, Japan, China, Russia, Brazil, Peru, and Belarus, according to a release published Thursday by researchers from antivirus provider Kaspersky Lab. The attackers work from computers with Chinese and Korean language configurations. They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists.

So far, there's no evidence that customers of the infected game companies were targeted, although in at least one case, malicious code was accidentally installed on gamers' computers by one of the infected victim companies. Kaspersky said there was another case of end users being infected by the malware, which is known as "Winnti." The company didn't rule out the possibility that players could be hit in the future, potentially as a result of collateral damage.


In what's quickly turning out to be a replay of events from last year, the White House today signaled that it would not support the recently reintroduced Cyber Intelligence Sharing and Protection Act (CISPA) in its present form.
With Windows XP security updates ending in 2014, organizations still running the venerable Microsoft OS should start making transition plans.

Security testing vendor Veracode has released a report showing that mobile apps aren't getting their cryptography right.

Products based on a USB specification that will double the data transfer rates between host devices and peripherals will reach the market in late 2014, the standards-setting organization said on Thursday.
A U.S. House of Representatives subcommittee has voted to approve a bill that would make it official U.S. policy to promote an Internet "free from government control," with promises that the Republican majority would work with critics of the bill's wording.
After its buyout of Texas Memory Systems, IBM is now the latest on the vendor bandwagon to push flash into the data centers, saying it will invest a whopping $1 billion into flash research.
The group will focus on immigration reform that includes both border security and a path to citizenship, along with higher school standards and support for teachers.
A T-Platforms supercomputer.

Six months ago, a company called T-Platforms triumphantly announced the "First Delivery of [a] Russian Supercomputer to [the] US."

The US government has since added T-Platforms to a list of entities that are "acting contrary to the national security or foreign policy interests of the United States" by having involvement with nuclear research. Specifically, T-Platforms' operations in Russia, Germany, and Taiwan were added to the Export Administration Regulations (EAR) Entity List by representatives of the US Departments of Commerce, State, Defense, and Energy. This will make it difficult for T-Platforms to do business with US companies, although it isn't an outright ban.

"The Entity List notifies the public about entities that have engaged in activities that could result in an increased risk of the diversion of exported, reexported, or transferred (in-country) items to weapons of mass destruction (WMD) programs," the Department of Commerce's Bureau of Industry and Security said in its notice that T-Platforms is now on the list. "Since its initial publication, grounds for inclusion on the Entity List have expanded to activities sanctioned by the State Department and activities contrary to U.S. National security or foreign policy interests, including terrorism and export control violations involving abuse of human rights."


Apache Subversion 'mod_dav_svn/lock.c' Remote Denial of Service Vulnerability
Subversion 'mod_dav_svn' CVE-2013-1845 Denial of Service Vulnerability
Apache Subversion 'mod_dav_svn' Remote Denial of Service Vulnerability
MacOSX 10.8.3 ftpd Remote Resource Exhaustion
[SECURITY] [DSA 2659-1] libapache-mod-security security update
Cisco Security Advisory: Cisco Prime Network Control Systems Database Default Credentials Vulnerability
Intel's Atom processors designed for netbooks could be on their last leg, with analysts saying that the chip maker could be tweaking its product road map as PC sales tumble and tablet adoption widens.
Microsoft's stock took a beating in trading today after a pair of research firms said PC shipments in the first quarter were down as much as 14% from the year before.

As if inexpensive attacks on mission-critical global positioning systems weren't enough, a researcher said he's developed an Android app that could redirect airplanes in mid-flight.

The frightening scenario was presented on Wednesday at the Hack in the Box security conference in Amsterdam. It's made possible by security weaknesses in the protocol used to send data to commercial planes and in flight-management software built by companies including Honeywell, Thales, and Rockwell Collins, Forbes reports. Vulnerable systems include the Aircraft Communications Addressing and Reporting System (ACARS), used for exchanging text messages between planes and ground stations over VHF radio or satellite links. It has "virtually no authentication features to prevent spoofed commands."

Using a custom-developed Android app dubbed PlaneSploit, researcher Hugo Teso of n.runs showed how a virtual plane in a laboratory could be redirected. Because there's no means to cryptographically authenticate communications sent over ACARS, pilots have no way to confirm whether messages they receive in the cockpit are valid. Malformed messages can then be used to trigger vulnerabilities, Teso told Forbes.


Oracle Java SE CVE-2012-1721 Remote Code Execution Vulnerability
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace Solution
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module Software
Brookstone's $300 Big Blue Media Tower is an unusual entrant into the world of speaker bars. It's powerful, it offers pretty good audio quality, and it includes Bluetooth connectivity, but the speaker's design seems odd. It's meant to serve as both a music speaker and an entertainment-center audio hub, but it uses a tower design that presents a placement predicament: You don't want to put the Tower smack-dab in front of your TV, but if you place it off to the side instead, won't you be listening to off-center audio?
A U.S. House of Representatives committee failed to make the changes necessary to allay fears about government surveillance in a controversial cyberthreat sharing bill that's moving toward a House vote, critics said.
Samsung today announced it is now mass-producing a 3-bit per cell, sub-20 nanometer class NAND flash chip that is the densest memory to date.
Some time ago I had a call with a company that ran data centers they claimed were "green." Their argument for their greenness was they purchased power with green credits, which meant they paid a premium for electricity to fund alternative energy programs. Along with that they had a car park full of solar cells.
Reports are circulating that Google is very close to shipping its promised "Explorer Edition" of Glass to developers and testers.
Mt. Gox, the largest exchange for buying and selling bitcoins, is temporarily shutting down after an uptick in activity on the site sparked by a massive drop in the digital currency's price.
Microsoft will launch a new line of Surface tablets later this year, including one or more smaller 7-in. devices, according to the Wall Street Journal.
The MT.Gox lookalike site that delivered malware to unwitting Bitcoiners.

In another example of the security mantra of "be careful what you click," at least one Bitcoin trader has been robbed in a forum "phishing" attack designed specifically to ride the hype around the digital currency. The attack attempts to use Java exploits or fake Adobe updates to install malware, and it's one of the first targeted attacks aimed at the burgeoning business of Bitcoin exchanges.

The bait for the attack was a post to a Bitcoin traders' forum announcing that MT.Gox was going to start handling exchanges of Litecoins, a Bitcoin alternative. The post advertised a live chat on the topic at a link provided to mtgox-chat.info. That site, which used stolen code and style to masquerade as the legitimate MT.Gox site, then prompted victims to update their Java plugin and offered a forged Adobe updater.

The scam was first reported on reddit earlier this week, when a redditor reported spotting the fake site and its attempt to drop malware. While the attack was originally described by one of its victims as a "Java zero-day" exploit, it actually uses either a Java exploit or a fake Adobe updater to deliver its malware payload. That payload is DarkComet, a fairly common "remote administration tool" and keylogger. The attackers not only stole credentials for the victim's MT.Gox account, but they took other passwords as well.


A vulnerability can cause the mod_security web application firewall to over-consume resources or expose local files. Version 2.7.3 of the software fixes the bug, but no advisory has been issued.

[ MDVSA-2013:141 ] libxslt
[security bulletin] HPSBUX02859 SSRT101144 rev.2 - HP-UX Running XNTP, Remote Denial of Service (DoS) and Execute Arbitrary Code
[ MDVSA-2013:139 ] x11-server
[ MDVSA-2013:138 ] x11-driver-video-qxl

Hackers could use vulnerable charging stations to prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid, a security researcher said during the Hack in the Box conference in Amsterdam on Thursday.
The European Commission confirmed on Thursday that it has formally received a package of concessions from Google aimed at ending a two-year antitrust investigation.
Samsung struck again Thursday, announcing two even bigger Galaxy Mega smartphones with 5.8-in. and 6.3-in. LCD HD screens.
Microsoft's SkyDrive service has gained a lot of traction over the past couple of years, given that it works well across numerous platforms (including Gmail and Xbox 360) and is easy to use. With Office 2013 and Office 365, Microsoft introduced a SkyDrive Pro service that is oriented toward businesses and enterprises.
LinuxSecurity.com: Updated weechat packages fix security vulnerability: A buffer overflow is causing a crash or freeze of WeeChat (0.36 to 0.39) when decoding IRC colors in strings. The packages have been patched to fix this problem (CVE-2012-5854). [More...]
LinuxSecurity.com: Updated vte packages fix security vulnerability: A denial of service flaw was found in the way VTE, a terminal emulator widget, processed certain escape sequences with large repeat counts. A remote attacker could provide a specially-crafted file, which once [More...]
LinuxSecurity.com: Updated viewvc packages fix security vulnerabilities: complete authz support for remote SVN views (CVE-2012-3356). log msg leak in SVN revision view with unreadable copy source [More...]
LinuxSecurity.com: Updated usbmuxd packages fix security vulnerability: It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices. An attacker with physical access could use this to crash usbmuxd [More...]
LinuxSecurity.com: Updated tor package fixes security vulnerabilities: Tor before, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this [More...]
LinuxSecurity.com: Updated taglib packages fix security vulnerabilities: taglib before 1.7.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted MP4 file (CVE-2012-2396). [More...]
LinuxSecurity.com: Updated stunnel packages fix security vulnerability: stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code [More...]
LinuxSecurity.com: Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially-crafted XML file provided by a [More...]
LinuxSecurity.com: Multiple vulnerabilities were identified and fixed in asterisk: The SIP channel driver in Asterisk Open Source 1.8.x before, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x [More...]
LinuxSecurity.com: This fixes a format string vulnerability in the LogVHdrMessageVerb function in os/log.c when handling input device names in X.Org X11 server (CVE-2012-2118). MBS1 is not vulnerable to arbitrary code execution via this [More...]
LinuxSecurity.com: Updated x11-driver-video-qxl package fixes security vulnerability: A flaw was found in the way the host's qemu-kvm qxl driver and the guest's X.Org qxl driver interacted when a SPICE connection terminated. A user able to initiate a SPICE connection to a guest [More...]
LinuxSecurity.com: This update provides WordPress 3.4.2, a maintenance and security release. [More...]
A new cookie policy and new Do Not Track options are in the most recent development versions of Mozilla's Firefox and appear to cement privacy as one of the major features of the browser in the future.

[ MDVSA-2013:121 ] qemu
[ MDVSA-2013:124 ] ruby
[ MDVSA-2013:122 ] quagga

Blancco to Showcase Innovative Data Erasure Solutions at InfoSec World
PR Newswire (press release)
Blancco, the global leader in data erasure and computer reuse solutions, will showcase its innovations and data privacy expertise at InfoSec World Conference and Expo 2013, MIS Training Institute's flagship event on issues surrounding security threats ...

Thousands of wireless IP cameras connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware, according to two researchers from security firm Qualys.
The online virtual currency Bitcoin has generated some serious buzz lately, with its value soaring past US$200 for the first time this week. Now a smaller player hopes to emerge as a rival by processing transactions faster and giving its users more payment options.
The language used for Apple iOS app development drops a notch in the Tiobe index.
Cybercriminals from Ukraine and Russia have stolen more than 8 billion roubles from corporate accounts using variants of the Carberp trojan. 20 suspects were arrested in connection with the hacks.

libytnef TNEF File Buffer Overflow Vulnerability
Multiple D-Link Products Command Injection and Multiple Information Disclosure Vulnerabilities

St. Louis Infosec Conference: “The next time you present your phone to pay for ...
PR Web (press release)
St. Louis Infosec Conference: “The next time you present your phone to pay for your coffee … you might just have gotten owned,” A Keynote by Elite Hacker Charlie Miller. IT Security Professional and member of Twitter's Product Security Team, Charlie ...

Facebook has launched a program that will target advertisements based on what users have actually purchased, but said that advertisers will not have direct access to information that identifies the user.
A court in Florida said that Apple and Motorola Mobility have no interest in quickly and efficiently resolving a patent infringement lawsuit, but are instead using their litigation around the world as 'a business strategy that appears to have no end.'
The lack of security in communication technologies used in the aviation industry makes it possible to remotely exploit vulnerabilities in critical on-board systems and attack aircraft in flight, according to research presented Wednesday at the Hack in the Box security conference in Amsterdam.
Microsoft is said to be planning a 7-in. version of its Surface tablet to help it compete with similar size devices from Apple and Google.
Microsoft is trying to stamp out concerns about its Surface Pro warranty policy in China just over a week after Apple apologized for its own customer service woes in the country.
Bitcoin's roller-coaster price swings on Wednesday were caused by an influx of new buyers and software that couldn't keep up, according to the largest exchange, Mt. Gox.
Microsoft's Windows 8 took another knock Wednesday as research firm IDC laid much of the blame for the first quarter's historically-horrible PC numbers at the feet of the beleaguered operating system.
Mobile app developers face a huge challenge in keeping up with the fast-changing landscape of data privacy law. They got some tips Wednesday at a conference devoted to the topic in San Francisco.
A patent that Samsung considers essential to the 3G standard was invalidated by the German Federal Patent Court, which ruled in favor of Apple.