Hackin9
Insurance provider WellPoint has agreed to pay a $1.7 million fine for exposing more than 600,000 personal records online due to weak database security, the U.S. Department of Health & Human Services (HHS) said Thursday.
 
SANS Has Added Online Training Event to Support Training Budgets without ...
PR Newswire (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...
 
Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
 
CVE-2012-6297 - Command Injection via CSRF on DD-WRT v24-sp2
 
Sprint and its new owner, SoftBank, hit the ground running on Thursday by announcing service plans that can include guaranteed talk, text and data for life.
 
Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
 
Windows 7/8 admin account installation password stored in the clear in LSA Secrets
 
Steve Ballmer's grand plan to reinvent Microsoft has garnered mixed reviews from industry analysts, ranging from enthusiastic endorsements to frowning skepticism.
 
Def Con Hacking Conference Invites Feds to Stay Away This Year
All Things Digital
But, given the tensions over the Snowden debacle, putting a bit of distance between the feds and the InfoSec community that shows up for Def Con might be a wise move. That said, there are those who disagree. Among them, OpenStack developer Matt Joyce ...
NSA director Keith Alexander to speak at hacker conference in Las Vegas (The Guardian)
DefCon to feds: You're not welcome this year (SC Magazine)
Hacker Conference Asks Federal Agents to Keep Out (TechNewsDaily)
 
Oracle has updated some of its middleware and developer products to make them better equipped for private cloud deployments, releasing major updates for the WebLogic application server and Oracle Coherence in-memory data cache.
 
Microsoft's reorganization is the biggest shot yet fired against the company's core partners, the computer makers who have made the software developer a technology giant, analysts said today.
 
Engineers at the University of Michigan are looking to use spacecraft the size of a loaf of bread to study interplanetary space faster and cheaper.
 
Microsoft helped the U.S. National Security Agency circumvent the company's own encryption in order to conduct surveillance on email accounts through Outlook.com, according to a report in the Guardian.
 
General Keith Alexander, the Director of the NSA and Commander of the DOD's US Cyber Command, has been announced as the keynote speaker at the upcoming Black Hat USA security conference at Caesar's Palace in Las Vegas. The announcement comes on the heels of a request by Jeff Moss, organizer of the DefCon hacker conference, that federal employees take a "time-out" from attending DefCon this year because of high tensions in the wake of revelations made by former NSA contractor Edward Snowden about the NSA's widespread surveillance programs.

Black Hat occurs the same week as DefCon, just a mile away. But while the two events are both focused on computer and network security (or the lack thereof), they have totally different audiences and personalities. Black Hat is produced by UBM Tech, the media company that owns trade publications such as InformationWeek and runs the Interop technology conference. DefCon, on the other hand, is a "hacker convention," not a security convention, and tends to welcome a more anarchic demographic.

And while Moss sees the glass as half-empty in the wake of the Snowden leaks, the Black Hat conference's management sees it as half full. "We are honored to have General Alexander join us this year at Black Hat in Las Vegas for the first time," Black Hat's general manager Trey Ford told The Guardian. "We couldn't have asked for a better time to welcome him. The security and intelligence communities have common interest in protecting international critical infrastructure and the Internet at large. We both have an acute interest in defining and defending privacy."

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Armed with the Nokia Lumia 1020's camera superiority in a crowded smartphone market dominated by Android and iOS, it appears that Nokia is helping Windows Phone instead of the other way around.
 
Re: Facebook Url Redirection Vuln.
 
Microsoft's sweeping company reorganization may have some insiders feeling jittery about the future, but it's doubtful that the vendor's Dynamics business applications division or its customers need to worry.
 
A second vulnerability that can be exploited to modify Android apps without breaking their digital signatures has been identified and publicly documented.
 
DEF CON, the world's biggest hacker conference, is asking federal agents not to attend this year. The organiser says his request is a result of the current discussions about the NSA's eavesdropping operations.
 
Low-cost Chromebooks are doing very well with retailers, in stores and online, and now make up a significant share of the low end market, said market research firm NPD Group.
 
NASA's Hubble Space Telescope has given scientists information about a blue planet 63 light years away that looks a lot like Earth. However, that might be where the similarities end.
 
NSA director Keith Alexander to speak at hacker conference in Las Vegas
The Guardian
Army General Keith Alexander, the director of the NSA and the leader of the US Cyber Command, is slated to give a keynote presentation at Black Hat, a convention that bills itself as bringing together "all facets of the infosec [information security ...
Def Con Hacking Conference Invites Feds to Stay Away This Year (All Things Digital)
Hacker Conference Asks Federal Agents to Keep Out (TechNewsDaily)
DefCon to feds: You're not welcome this year (SC Magazine)
 
Kurt DelBene, the former head of Microsoft's Office division, will retire, apparently one of the executive casualties of the company's reorganization announced today.
 
T-Mobile will begin its rollout of phones based on Mozilla's Firefox OS when it puts the Alcatel One Touch on sale in Poland next week.
 
Re: Facebook Url Redirection Vuln.
 
Re: [Full-disclosure] XSS and SQL Injection Vulnerabilities in MiniBB
 
Bit9 chief executive Patrick Morley talks mobile security, company partnerships with FireEye and Palo Alto Networks, and the evolving role of today's CISO.
 
As expected, Nokia today announced its Lumia 1020 smartphone with superior camera and video technologies, including a 41 megapixel optical sensor and 6x zoom.
 
Boosting its portfolio of solid state storage technologies, EMC is acquiring ScaleIO, a purveyor of storage management software, for an undisclosed amount of cash.
 
[ MDVSA-2013:194 ] kernel
 
Facebook Url Redirection Vuln.
 
[ MDVSA-2013:193 ] apache
 
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in the Linux kernel: net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference [More...]
 
LinuxSecurity.com: A vulnerability has been found and corrected in apache (ASF HTTPD): mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a [More...]
 
LinuxSecurity.com: Multiple vulnerabilities were discovered in the poppler PDF rendering library. CVE-2013-1788 [More...]
 
LinuxSecurity.com: New dbus packages are available for Slackware 14.0, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: An updated Adobe Flash Player package that fixes three security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.2 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: An attacker could trick Ruby into trusting a rogue server.
 
Hard-coded accounts on multiple network cameras
 
[SECURITY] [DSA 2719-1] poppler security update
 
Today's story isn't about protecting corporate crown jewels so much as protecting yourself.  Richard's story last month (When Hotel Alarms Sound - https://isc.sans.edu/diary/When+Hotel+Alarms+Sound/15998) got me thinking about personal physical security. In particular, the reader comment about not being able to hear fire alarms inside many datacenters struck a chord: most datacenters are not built with the protection of the folks working there in mind.  Even when the Health and Safety folks get involved, they'll check for cables across the floor (trip hazards), a first aid kit and clear exits, and that's about it.

If you're like me, you spend a LOT of time in datacenters.  From small datacenters to large ones, it seems like I'm in a different machine room every day.  Over the long haul (30 years and counting), that adds up to a lot of hours!  What I'm starting to notice is that some clients are putting up signs regarding noise levels and hearing protection, and some are even providing disposable earplugs.
A quick measurement shows that most larger datacenters are in the greater-than-100 dB range.  In fact, even my lab (I have one rack out of 5 in the room) is in that range.  This puts a good part of my work environment into the "red zone" for risk of hearing loss.

[Graph: risk of hearing loss by noise level (dB) and exposure time; the image did not survive extraction.]

While this graph is simplistic (it does not account for frequency, for instance), you should be concerned about hearing damage after even a short time in most datacenters (in the range of 100 dB).

What this means to me is that after 30 years, it's about time I started protecting what little of my hearing I've got left.  I've been carrying a set of "real" earplugs, the kind that has a real Noise Reduction Rating (25 dB in this case), in my laptop bag.  And like all the personal "critical infrastructure" I carry, I have a spare in the bag, and another in the trunk of my car.

What's really surprised me is that even in the rooms with the signage and dispensers, often I'm the only one wearing earplugs!  I am, however, seeing more folks wearing noise-cancelling headphones, which I understand help in much the same way (I am not a doctor, so I don't have an actual opinion on how effective these are, especially if you're playing Led Zeppelin or The Black Keys).

While we need an arsenal of technical gear to work, you'll need your ears both during and after work; for the little space it takes in the laptop bag, carrying hearing protection is a good investment.  This article isn't meant as a definitive reference; I'd encourage you to do your own research on hearing and other safety issues.

===============
Rob VandenBrink
Metafore
 
Hacker Conference Asks Federal Agents to Keep Out
TechNewsDaily
"Telling Feds they are not welcome at Defcon damages our collective infosec community. Will be harder for folks to justify to mgmt too," tweeted Florida security professional Tony Turner. "Strange that DefCon is concerned about trust issues w/ the feds ...
DefCon to feds: You're not welcome this year (SC Magazine)
 
It emerged Thursday that Europe's top antitrust watchdog carried out unannounced raids on Telefonica, Deutsche Telekom and Orange on Tuesday.
 
Microsoft CEO Steve Ballmer unveiled what he termed a "far-reaching realignment" of the company, designed to help Microsoft innovate faster and operate in a more coherent and holistic manner as it faces a variety of challenges from rivals big and small.
 
Microsoft CEO Steve Ballmer today unveiled a "far-reaching realignment" of the company designed to help Microsoft innovate faster and operate in a more coherent manner as it faces a variety of challenges from rivals.
 
If you haven't read Nassim Taleb's 'Antifragile,' it's time to break out your e-reader. Big software projects are constitutionally doomed because they're fragile. Agile may be the way to go, but what can you do to make sure your agile project doesn't become fragile?
 
Should your friends and acquaintances send you a contact file called "Priyanka" via WhatsApp, don't accept it; otherwise everyone in WhatsApp will become Priyanka.
 
The organizers of the Defcon hacking convention have publicly asked federal government workers not to attend the event this year due to tension in the hacker community over revelations of the U.S. government's electronic surveillance efforts.
 
Google Chrome CVE-2013-2877 Out of Bounds Denial of Service Vulnerability
 
strongSwan CVE-2013-2054 DNS TXT Record Buffer Overflow Vulnerability
 
IOActive Expands by Opening New Office in South Africa
PR Web (press release)
Tweet this: #IOActive expands its operations and opens new office in South Africa. http://bit.ly/1abIjBR #infosec. Supporting Quotes. Jennifer Steffens, chief executive officer for IOActive. “Our move into South Africa helps us to better service our ...
 
Google released Chrome 28, the first polished version of the browser to use the company's home-grown "Blink" rendering engine.
 
Japan's most famous mountain now has 4G coverage.
 
Some Avira users are unable to use their web browsers without first disabling Web Protection. A reinstall helps users, but doesn't solve all their problems.
 
RETIRED: Microsoft July 2013 Advance Notification Multiple Vulnerabilities
 
The number of electrical engineers in the workforce has declined over the last decade. It's not a steady decline, and it moves up and down, but the overall trend is not positive.
 
Matchbox computers -- small but powerful open-source devices -- are a good way to build your own system and/or carry it with you. We look at the phenomenon and offer a slideshow of examples.
 
Algis Info aiContactSafe Component for Joomla! 'url' Parameter Cross-Site Scripting Vulnerability
 
Microsoft Internet Explorer CVE-2013-3163 Memory Corruption Vulnerability
 
X.Org libXp CVE-2013-2062 Multiple Remote Code Execution Vulnerabilities
 
A project underway in Kenya is linking Bitcoin with M-Pesa, a popular mobile payments system, in an experiment designed to spur innovative payments in Africa.
 
LG Display said Thursday it has developed the world's thinnest full HD LCD display for smartphones, measuring just 2.2 millimeters thick.
 
Posted by InfoSec News on Jul 11

http://www.infosecnews.org/former-national-security-agency-booz-allen-contractor-edward-snowden-is-an-isc2-member/

By William Knowles
Senior Editor
InfoSec News
July 11, 2013

On July 4th, the New York Times reported NSA contractor Edward Snowden
trained and certified as a Certified Ethical Hacker by the EC-Council, a
certificate which has since been rescinded by the organization. After what
could be called stall tactics with myself, the...
 

Posted by InfoSec News on Jul 11

http://www.bostonglobe.com/business/2013/07/09/global-chase-cracked-corporate-espionage-case/8HC7wKBJezDkNFNSWB5dFO/story.html

By Erin Ailworth
Boston Globe Staff
July 10, 2013

On a Thursday evening three Junes ago, Dejan Karabasevic desperately
needed to contact his former wife. Karabasevic, a top engineer in American
Superconductor Corp.'s offices in Klagenfurt, Austria, had been summoned
to work, then confronted by police, who...
 

Posted by InfoSec News on Jul 11

https://www.computerworld.com/s/article/9240707/Alert_Study_finds_Internet_users_heed_browser_warnings

By Jeremy Kirk
IDG News Service
July 10, 2013

Security warnings displayed by Web browsers are far more effective at
deterring risky Internet behavior than was previously believed, according
to a new study.

The study looked at how users reacted to warnings displayed by Mozilla's
Firefox and Google's Chrome browsers, which warn of...
 

Posted by InfoSec News on Jul 11

http://arstechnica.com/security/2013/07/for-first-time-ever-feds-asked-to-sit-out-defcon-hacker-conference/

By Dan Goodin
Ars Technica
July 11, 2013

Since its founding in 1992, Defcon has been a venue where anarchists,
geeks, and employees of three-letter federal agencies became unlikely
comrades under a live-and-let-live credo that placed the love of computer
tinkering above almost everything else. No more. As tensions mount over
the broad...
 

Posted by InfoSec News on Jul 11

http://www.nextgov.com/cio-briefing/wired-workplace/2013/07/opm-creating-new-databank-cyber-skills/66332/

By Brittany Ballenstedt
NextGov.com
July 10, 2013

The Office of Personnel Management is calling on federal agencies to
submit data on their cybersecurity workforce to help build a new databank
for agencies in addressing current and future cyber skills needs.

In a memorandum issued Monday, OPM acting Director Elaine Kaplan pointed
to a...
 

Since its founding in 1992, DefCon has been a venue where anarchists, geeks, and employees of three-letter federal agencies became unlikely comrades under a live-and-let-live credo that placed the love of computer tinkering above almost everything else. No more. As tensions mount over the broad and indiscriminate spying of Americans and foreigners by the National Security Agency, DefCon organizers are asking feds to sit out this year's hacker conference.

"For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory," Jeff Moss, aka The Dark Tangent, wrote in a blog post published Wednesday night. "Our community operates in the spirit of openness, verified trust, and mutual respect."

He continued:

 
Yahoo wants the Foreign Intelligence Surveillance Court to order the public release of a secret order in a 2008 surveillance dispute, as it will demonstrate that the Internet company "objected strenuously" to government directives.
 
Poppler CVE-2013-1790 Memory Corruption Vulnerability
 

SANS Launches New Hands-On IT Security Training Program With NetWars
Dark Reading
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...