InfoSec News

VietNamNet Bridge

More warnings given by Internet community about Chinese Baidu
Research conducted by members of the Vietnamese hackers' community (HVA) in cooperation with CMC InfoSec has found that some services and software provided by Baidu in the Vietnamese market have illegally interfered with the ...


Well it could have been worse. Yahoo on Friday said it has fixed the vulnerability that allowed hackers to expose approximately 450,000 email addresses and passwords belonging to the Yahoo Contributor Network. That’s a huge number but still small potatoes compared to the half billion visitors Yahoo claims each month.

The online giant said in a blog post Friday that the compromised data was an older file containing email addresses and passwords provided by writers who joined Associated Content prior to May 2010, when Yahoo acquired it and renamed it the Yahoo Contributor Network. “This compromised file was a standalone file that was not used to grant access to Yahoo systems and services,” Yahoo said.

In addition to fixing the vulnerability that led to the breach, the company said it deployed additional security measures for affected Yahoo users, boosted its underlying security controls and is notifying affected users. “In addition, we will continue to take significant measures to protect our users and their data,” Yahoo said.

Yahoo’s blog post touted its response to the breach as “swift” but the company had already taken a lot of punches since the reports of the breach were published Thursday. Some security pros berated Yahoo for lack of security while others expressed mock surprise that the struggling company still had so many members. For sure, the breach – the latest in a series of password breaches – is yet another reminder of the need for users to be more careful about the passwords they create and for companies to take proper steps to secure those passwords.


Japan's FujiFilm is suing Google's Motorola Mobility subsidiary over four patents associated with digital camera and photo technology in cellphones.
Yahoo today said it has fixed the flaw that allowed hackers to steal more than 450,000 passwords from one of its many services.
In a rare admission of error, Apple said Friday that it's back in EPEAT, the environmental standards group for electronics products that it withdrew from earlier this week.
We're a bit slow on the uptake given SANSFIRE, but as you are likely well aware, a SQL injection vulnerability was leveraged to gain access to the Yahoo Voice service, which was utilized by attackers to acquire, then post, login credentials for more than 453,000 user accounts that they said they retrieved in plaintext.
You can download and review the account list for accounts that may impact you or your organizations here:

Password analysis of the account list proved what we've all come to expect. The top five passwords in the stolen batch were 123456, password, welcome, ninja and abc123, said David Harley, senior research fellow at security firm ESET.
Ninja = great skill set, bad password. :-)

Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
While hardware and components makers face economic hurdles, the picture for software is getting brighter, according to earnings reports from major vendors and mid-year market research polls.
Those who pre-ordered Google Nexus 7 tablets directly from the Google Play Store in late June are getting testy about reports that some retailers are already selling the Android 4.1 (Jelly Bean) tablets this week.
Google has started shipping units of the highly anticipated Nexus 7 tablet, but multiple retailers said the tablet has sold out and that they are struggling to fill orders.
Apple's Retina MacBook Pro is now shipping faster to online customers, according to the company's e-stores for the U.S., Brazil, Canada, China, France, Germany, Japan and several other countries.
Once a high-flying web property, Digg was sold Thursday for a paltry $500,000. The sale to Betaworks, maker of an iOS news aggregator app and an URL clipper, Bit.ly, was a fraction of the $45 million lavished on the venture by Silicon Valley money lenders since its founding in 2004. Why did Digg fall on hard times? Here are seven reasons.
Acer is offering a free upgrade to Windows 8 on some ultrabook models, saying it will refund the upgrade fee being charged by Microsoft on certain Windows 7 PC models purchased by buyers.
Microsoft will introduce Office 2013, the likely official label for the next version of the company's money-making suite, on Monday, according to a report from USA Today.
In a market where few vendors make dedicated Mac keyboards, much less good ones, Logitech has released its second premium Mac keyboard of the past year. Announced back in May, the company's $80 Wireless Solar Keyboard K760 (officially called the Wireless Solar Keyboard K760 for Mac, iPad, iPhone, but which I'll just refer to as the K760) is based on last fall's Wireless Solar Keyboard K750 for Mac (Macworld rated 4 out of 5 mice), but offers a more-compact design, much-requested Bluetooth support, and the capability to pair with three devices.
[security bulletin] HPSBMU02796 SSRT100594 rev.2 - HP Operations Agent for AIX, HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code
Editor's note: The following review is part of Macworld's GemFest 2012 series. Every weekday from mid June through mid August, the Macworld staff will use the Mac Gems blog to briefly cover a favorite free or low-cost program. Visit the Mac Gems homepage for a list of past Mac Gems.
[Ask the iTunes Guy is a regular column in which we answer your questions on everything iTunes related. If there's something you'd like to know, send an email to the iTunes Guy for consideration.]
Adobe Prelude CS6, a new application in Adobe Creative Suite's multimedia-oriented Production Premium bundle, is designed to streamline the process of reviewing, logging, ingesting, and adding metadata to tapeless media (video footage derived directly from a card, camera, or hard drive). It transfers, transcodes, and verifies the media upon ingest and can copy those files to various locations simultaneously. It allows you to export the logged and organized clips directly into the Premiere Pro CS6 (Macworld rated 4 out of 5 mice) and Final Cut Pro 7 (Macworld rated 4 out of 5 mice) video editing applications. (Final Cut Pro X will import XML files
[ MDVSA-2012:106 ] libexif
It's been a busy week for me having presented OWASP Top 10 Tools and Tactics at SANSFIRE in Washington, DC Tuesday evening 10 July, followed by Evil Through The Lens of Web Logs at the Microsoft Security Response Alliance Summit in Redmond (the other Washington) Thursday morning 12 July.
I had an excellent time in both cases and met some great people.
The OWASP Top 10 Tools and Tactics talk was for attendees who've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, and have utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To do so, application security practitioners and developers need an appropriate tool kit. As such, this presentation explored tooling, tactics, analysis, and mitigation for each of the Top 10 and is a useful companion for attendees of Kevin (never accept his FB friend request) Johnson's Security 542: Web App Penetration Testing and Ethical Hacking.
We had a full house and a lot of fun.

The MSRA presentation was a summary of activity related to the SANS Reading Room paper of the same title, and was presented to attendees from the Global Infrastructure Alliance for Internet Safety (GIAIS) working group (shout out to the REN-ISAC crew).
Web logs can be analyzed with specific attention to Internet Background Radiation (IBR). Two bands of the IBR spectrum include scanning and misconfiguration where details about attacker and victim patterns are readily available. Via web application specific examples this discussion analyzed attacks exhibiting traits, trends, and tendencies from the attacker and victim perspectives. This presentation built on findings to cover parsing and analysis techniques, as well as investigative tactics. Tooling and real examples were included to allow attendees to learn methods that can be utilized against their own logs for detective measures useful in mitigating attacks.
The MSRA copy of the presentation is not published online but you can grab the same presentation from RSA here or watch a short video version of it here.
This work includes major contributions from ISC Handlers Mark Hofman and Rob Danford.

Let me know if you have any questions, and thanks to all who attended.

Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
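The web log talk above describes splitting Internet Background Radiation into scanning and misconfiguration bands and then parsing logs to surface attacker patterns. The following is an added example, not code from the diary, the SANS paper or the RSA slides: it parses a handful of constructed Apache combined-format log lines and applies two simple heuristics of my own choosing to label each source, one for scanning (a source that probes many distinct paths and mostly draws 404s) and one for proxy misconfiguration probes (absolute-URI or CONNECT requests sent to an origin server). The thresholds, the sample addresses and the heuristics themselves are assumptions for illustration, not figures from the presentation.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/NCSA combined log format (RFC 5737
# documentation addresses); not taken from any real log or from the talk.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2012:10:01:02 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2012:10:01:03 -0700] "GET /pma/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2012:10:01:04 -0700] "GET /myadmin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2012:10:01:05 -0700] "GET /admin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2012:10:01:06 -0700] "GET /index.php HTTP/1.1" 200 1832 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Jul/2012:10:02:00 -0700] "GET http://example.net/ HTTP/1.1" 200 1832 "-" "curl/7.21"
203.0.113.9 - - [12/Jul/2012:10:02:01 -0700] "CONNECT mail.example.net:25 HTTP/1.1" 405 0 "-" "curl/7.21"
192.0.2.44 - - [12/Jul/2012:10:03:00 -0700] "GET / HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2012:10:03:01 -0700] "GET /about.html HTTP/1.1" 200 990 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line of a log blob, silently skipping lines that do not match the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_misconfiguration_probe(rec):
    """Heuristic (assumption): an absolute-URI GET or a CONNECT aimed at an origin
    server is a client looking for an open proxy, i.e. the misconfiguration band."""
    target = rec["target"].lower()
    return rec["method"] == "CONNECT" or target.startswith(("http://", "https://"))


def classify_sources(records, min_paths=4, min_404_ratio=0.6):
    """Label each source IP as 'scanning', 'misconfiguration' or 'benign'.

    Scanning heuristic (assumption): at least `min_paths` distinct targets and a
    404 ratio of at least `min_404_ratio`, the signature of path enumeration.
    """
    stats = defaultdict(lambda: {"total": 0, "notfound": 0, "paths": set(), "proxy": 0})
    for r in records:
        s = stats[r["ip"]]
        s["total"] += 1
        s["paths"].add(r["target"])
        if r["status"] == 404:
            s["notfound"] += 1
        if is_misconfiguration_probe(r):
            s["proxy"] += 1

    labels = {}
    for ip, s in stats.items():
        ratio = s["notfound"] / s["total"]
        if s["proxy"]:
            labels[ip] = "misconfiguration"
        elif len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            labels[ip] = "scanning"
        else:
            labels[ip] = "benign"
    return labels


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, label in sorted(classify_sources(records).items()):
        print(f"{ip:<15} {label}")
```

Run against a real access log, the two heuristics are a starting point rather than a verdict: a crawler following stale links will also draw many 404s, so the scanning threshold should be tuned against a known-good baseline before it drives any blocking, while absolute-URI and CONNECT requests to a server that is not a proxy are a low-noise indicator on their own.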
[ MDVSA-2012:107 ] exif
[SECURITY] [DSA 2510-1] extplorer security update
Apple sold fewer Macs in the U.S. during the second quarter than it did in the same period a year earlier, its first decline in three years.
Although Texas is refusing to set up health insurance exchanges required by the Affordable Care Act, other states realize it's time to choose a customized exchange before a 2014 federal deadline.
China has started blocking SlideShare, a document sharing service recently acquired by LinkedIn, making the site inaccessible to users in the country.
Android Forums, an online forum for Android users, was the target of a hacker attack which could have led to user information including passwords getting compromised, its operator Phandroid.com said on Thursday.
HP's new Envy Sleekbook 6-1010us offers an alternative to higher-priced ultrabooks: It's not as fast, but it's got a fine display and great audio.
Even with all the online storage now available, sharing files -- especially large ones -- can still be a problem. We look at 10 online services that aim to make it simpler.
VMSA-2012-0012 is an advisory specific to a VMware ESXi update that addresses several security issues.
This includes an ESXi update to the third-party component libxml2, which addresses multiple security issues.
All the details are available here: http://www.vmware.com/security/advisories/VMSA-2012-0012.html
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.