InfoSec News

IT hiring in 2013 will focus on jobs involving cloud computing, mobile technology and business intelligence, said staffing professionals.
Vendor earnings, market research reports and the International CES in Las Vegas this week highlighted the hardware arena, which appears to be a tale of two sectors with very different fates: PCs and mobile devices.
The International CES is packed to the rafters with the latest in shiny, often expensive high-tech gadgets, so it's no surprise that theft is a problem for companies exhibiting at the show.


VanRoekel on Infosec and Sequestration
VanRoekel on Infosec and Sequestration. Federal CIO Says Smart Spending Should Keep Gov't IT Secure. By Eric Chabrow, January 14, 2013. "Cybersecurity is in everything we do in government so we can't say ...

Starting with Java 8, to be released in September, the development team behind the widely used programming language plans to release a new version of Java every two years -- and stick to that schedule.
Internet users should consider disabling Java in their browsers because of an exploit that can allow remote attackers to execute code on a vulnerable system, the U.S. Computer Emergency Readiness Team (US-CERT) recommended late Thursday.
Though U.S. officials blamed Iran for an ongoing stream of distributed denial of service attacks against major U.S. banks, security experts say there's not enough evidence yet to assign blame.
RETIRED: Adobe Acrobat and Reader APSB13-02 Multiple Security Vulnerabilities
Despite a major push by rival Lenovo, Hewlett-Packard has held onto its position as the top seller of PCs worldwide, according to IDC.
A long-running legal dispute between Marin County, California, Deloitte Consulting and SAP over a troubled software project has concluded in a legal settlement this week that will reportedly net the county far less money than it had sought.
Want to send a message directly to Facebook founder Mark Zuckerberg? It might cost you $100, if you don't want it to wind up in his spam folder.
Dell SecureWorks is bringing security vulnerability management services to its cloud customers, along with its Global Threat Intelligence Service.

Microsoft and a respected researcher disagreed this week about whether a bug in Windows RT is actually a security vulnerability that should be patched.
Kanex's $60 MySpot aims to let you easily create a secure Wi-Fi network in a hotel room or any other location where you have an ethernet port that provides automatically assigned IP addresses. This seems like a marvelous idea, but the MySpot doesn't quite live up to the promise on scrutiny.
PCs were upstaged by tablets, smartphones and TVs at this year's International CES show, with some companies maintaining a smaller presence or holding back product announcements for a later date.
Adobe Acrobat and Reader CVE-2013-0613 Remote Integer Overflow Vulnerability
Adobe Acrobat and Reader CVE-2013-0609 Remote Integer Overflow Vulnerability

Windows IT Pro

The Winners and Losers of 2012 in Infosec and Technology
Loser-Facebook: Leaving behind their disastrous IPO, Facebook continued to struggle with their privacy policies. And then, there's the various frauds making the rounds about how to protect your personal information. Those are urban legends, people.

In this edition: the offensive uses of plain text, proof of concepts for the lulz, 29C3 videos, payload-enabled cats, and Inception opens up Windows 8

Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
[security bulletin] HPSBMU02838 SSRT100789 rev.1 - HP Serviceguard on Linux, Remote Denial of Service (DoS)
[SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code
A built-in PDF viewer component based on JavaScript and HTML5 Web technologies has been added to the beta version of Firefox 19, Mozilla said Friday.
Oracle is preparing to release 86 patches for security vulnerabilities in a wide span of its products, including 18 for MySQL database flaws.
Apache CloudStack CVE-2012-5616 Local Information Disclosure Vulnerability
WeBid 'validate.php' Multiple SQL Injection Vulnerabilities

The Chrome team over at Google have been busy, and V24 of their Chrome browser has been released.

V24 brings new functionality (the introduction of MathML support and an update to the bundled Flash version) and, more importantly, a significant number of bug fixes:
Use-after-free in SVG layout
Same origin policy bypass with malformed URL
Use-after-free in DOM handling
Missing filename sanitization in hyphenation support
Integer overflow in audio IPC handling
Use-after-free when seeking video
Integer overflow in PDF JavaScript
Out-of-bounds read when seeking video
Out-of-bounds stack access in v8
Integer overflow in shared memory allocation
Missing Mac sandbox for worker processes
Use-after-free in PDF fields (bug IDs 162776 / 162156)
Out-of-bounds reads in PDF image handling
Bad cast in PDF root handling
Corruption of database metadata leading to incorrect file access
Missing NUL termination in IPC
Possible path traversal from extension process
Use-after-free with printing
Out-of-bounds read with printing
Out-of-bounds read with glyph handling
Browser crash with geolocation
Crash in v8 garbage collection
Crash in extension tab handling
Tighten permissions on shared memory segments

For more details, and the credits for the vulnerabilities, please see:

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Nokia's Xpress browser redirects all data traffic through the company's servers – even encrypted traffic. Nokia has confirmed that the data is decrypted in the process, but emphasised that it is secure regardless.

Revenue at Infosys grew in the fourth quarter, but profit fell as a result of a wage rise and investments in newer businesses.
Oracle Java Runtime Environment Unspecified Remote Code Execution Vulnerability

Well, hot on the heels of Microsoft Patch Tuesday comes, as we now know, Adobe Patch Tuesday.

Guy has already kindly alerted us to the ColdFusion vulnerability announced in apsa13-01, but we also need to highlight apsa13-02, which was also released on the 8th.

This covers a huge number of CVEs (27, if you need to know), most of which could lead to code execution via a variety of techniques, including use-after-free bugs and integer, heap and stack overflows.

However, as we know, other PDF readers are available, and Foxit is quite often what security-minded people have installed. Also announced this week, though, is an as-yet-unpatched vulnerability discovered by Andrea Micalizzi in Foxit Reader 5.x and the Foxit Reader 2.x plugin, for which exploit code is publicly available. This has reportedly been tested against the Foxit Reader version that is available for download as of today.

Big Data is clearly a disruptive technology, but using it successfully is as much art as it is science. The key is integrating Big Data with traditional BI to create a data ecosystem that allows you to generate new insights while executing on what you already know.
Ericsson has agreed to transfer 1,922 patents and 263 patent applications to Unwired Planet in return for a share in ongoing revenue from the patents.
Drupal Subuser Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
KnFTPd 'FEAT' Command Remote Denial Of Service Vulnerability
Simple Machines Forum 'scheduled' Parameter Cross Site Scripting Vulnerability
IrfanView Bitmap File Remote Heap Based Buffer Overflow Vulnerability
IPv6, the next version of the Internet Protocol, could make life easier and battery life longer for electronics-addicted consumers.
Wikimedia Foundation, the host of the Wikipedia online encyclopedia, is launching next week a global online travel guide called Wikivoyage.
Microsoft's Windows 8 OS failed to provide a spark to PC sales during last year's fourth quarter, with worldwide unit shipments falling by 6.4 percent compared to the same quarter in 2011, according to research by IDC released on Thursday.
Apple CEO Tim Cook expects China to become the company's largest market, surpassing the U.S.
Google on Thursday upgraded Chrome, improving the browser's start-up performance and patching two dozen security vulnerabilities.
There isn't a shortage of rare earth metals in the ground, but one country, China, has managed to dominate about 95% of the market. It not only mines the metals, but has built a supply chain to produce them.
Inspired by the release of ever larger and more detailed sets of municipal data, citizen-developers are writing apps to ease every aspect of city living, from preschools to parking meters.
A last-minute move by the U.S. Senate to renew a controversial wiretapping law, days before it was set to expire on Dec. 31, has dismayed privacy advocates, rights groups and lawmakers who have long opposed the measure.
There isn't a shortage rare earth metals in the ground. But one country, China, has managed to dominate about 95% of the market. It not only mines rare earths, but it has built a supply chain to produce them.
The latest Chrome stable release closes 25 security vulnerabilities, adds support for using MathML to represent mathematical notation on web sites, and has expanded support for datalists.

Foxit Reader, a PDF viewer application often used as an alternative to the more popular Adobe Reader, contains a critical vulnerability in its browser plug-in component that can be exploited by attackers to execute arbitrary code on computers.

Posted by InfoSec News on Jan 11


By Taylor Armerding
January 09, 2013

There are ways for healthcare organizations to protect the electronic
health records (EHR) of their patients. But a segregated network for EHR
is generally not one of them, says Martin Fisher, director of
information security for Atlanta-based Wellstar Health System.

Fisher disputes a recommendation for...

Posted by InfoSec News on Jan 11


The Telegraph
11 January 2013

Samin Tan’s email account was “specifically targeted in a sophisticated
and persistent attack” to retrieve sensitive documents, a seven-page
report by a private security company claims, according to a newspaper.

One member of Bumi’s board subsequently received some of the documents

Posted by InfoSec News on Jan 11


By Information Security Media Group
January 10, 2013

Global Payments Inc. says the data breach it revealed in April 2012 has
cost the company $93.9 million.

In a Jan. 8 quarterly report, the Atlanta-based payments processor says
expenses associated with the breach, estimated by Global to have
affected 1.5 million payment cards in North America, related mainly to...

Posted by InfoSec News on Jan 11


By Dan Goodin
Ars Technica
Jan 10 2013

Internet phones sold by Cisco Systems are vulnerable to stealthy hacks
that turn them into remote bugging devices that eavesdrop on private
calls and nearby conversations.

The networking giant warned of the vulnerability on Wednesday, almost
two weeks after a security expert demonstrated how...

Posted by InfoSec News on Jan 11


By Mathew J. Schwartz
January 10, 2013

If Iran is masterminding the online attacks against U.S. banks, where's
the hard evidence?

Numerous current and former U.S. officials have accused the Iranian
government of sponsoring the distributed denial-of-service (DDoS)
attacks, which began in September and recently...
RETIRED: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-01 through -20 Multiple Vulnerabilities
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0763 Use After Free Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0761 Use After Free Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0757 Security Bypass Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0771 Heap Buffer Overflow Vulnerability