Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The U.S. Federal Communications Commission has approved ATT's $1.2 billion acquisition of competitor Leap Wireless, which sells prepaid mobile service under the Cricket brand.
 
LinuxSecurity.com: The mutt mail client could be made to crash or run programs as yourlogin if it opened a specially crafted email.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated udisks packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated 389-ds-base packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: A vulnerability in QXmlSimpleReader class can be used to cause a Denial of Service condition.
 
LinuxSecurity.com: A vulnerability in file could result in Denial of Service.
 
LinuxSecurity.com: Updated freeradius package fixes security vulnerability: SSHA processing in freeradius before 2.2.3 runs into a stack-based buffer overflow in the freeradius rlm_pap module if the password source uses an unusually long hashed password (CVE-2014-2015). [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in Sudo.
 
LinuxSecurity.com: Updated mediawiki packages fix multiple vulnerabilities: MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS (CVE-2013-6451). [More...]
 
LinuxSecurity.com: Updated apache-commons-fileupload packages fix security vulnerability: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition [More...]
 
LinuxSecurity.com: Updated owncloud packages fix security vulnerabilities and bugs: Owncloud versions 5.0.15 and 6.0.2 fix several unspecified security vulnerabilities, as well as many other bugs. [More...]
 
NoSQL database vendor Basho has restaffed its executive ranks, following a recent exodus of its CEO, chief technology officer and chief architect.
 
Supercomputing speed is typically boosted by adding more processors, but two new systems funded by the National Science Foundation due to go live next January will take an unconventional approach to speed up calculations and data analysis.
 
Oracle is continuing to simplify the look and feel of its Fusion Applications, including with a new skin inspired by Apple iOS 7, as the vendor ramps up marketing efforts around its application portfolio.
 
An article that accused the National Security Agency of impersonating Facebook to spy on U.S. citizens has triggered a denial from the NSA and a reprimand for the U.S. president from CEO Mark Zuckerberg.
 

For the past seven years, an annual hacker competition that pays big cash prizes has driven home the point that no Internet-connected software, regardless of who made it, is immune to exploits that surreptitiously install malware on the underlying computer. The first day of this year's Pwn2Own 2014 and the companion contest that ran concurrently stuck with much the same theme, with successful hacks of the Internet Explorer, Firefox, and Safari browsers and Adobe's Flash and Reader applications.

Contestants from Vupen, the France-based firm that sells fully weaponized exploits to governments it deems non-repressive, fetched $400,000 during day one of the two-day event. The haul came from exploits that allowed team members to gain full control over IE, Firefox, Flash, and Reader. Vupen's Firefox attack was one of three hacks that successfully compromised the Mozilla browser, with researchers Mariusz Mlynski and Juri Aedla also taking it down, feats that won them $50,000 each. At the Pwn4Fun contest held at the same CanSecWest security conference, researchers from Google toppled Apple's Safari browser, and their counterparts from HP commandeered IE.

During day two, Chrome was on tap to be tested. If it is successfully felled, it wouldn't be the first time. Meanwhile, George "GeoHot" Hotz, the hacker who famously bypassed the copyright restrictions of the Sony PlayStation 3, reportedly became the fourth contestant to defeat Firefox during day two. Update: Vupen has reportedly pwned Chrome as well.

Read 3 remaining paragraphs | Comments

 
Net-SNMP SNMPD Multiple Object Request Handling Denial of Service Vulnerability
 
DotNetNuke Open-Redirection and HTML Injection Vulnerabilities
 
Just because your website can be viewed on a mobile device doesn't make it mobile-friendly. To find out how to ensure your mobile customers have a positive experience, follow these suggestions from mobile experts and Web design and development pros.
 
Microsoft's announcement today of a less expensive Office 365 subscription for consumers was the strongest hint yet that the company will soon offer an edition for Apple's iPad, an analyst said.
 
XnView JXR File Handling Heap Buffer Overflow Vulnerability
 
As the world still reels over reports of U.S. government surveillance of privately owned smartphones, a spyware industry is growing that's focused on helping employers monitor the ways smartphones and tablets are used by their workers. Parents are also interested in the service to track their children's smartphone use.
 
Congress needs to overhaul the take-down notice provision in the Digital Millennium Copyright Act to make it easier for copyright holders to police infringing uploads of their intellectual property, some advocates told lawmakers.
 
An assortment of video ads will soon start appearing in Facebook users' feeds as the company grasps at a larger slice of the lucrative TV advertising market.
 
MantisBT 'mc_issue_attachment_get' SOAP API SQL Injection Vulnerability
 
Microsoft is unbundling chunks of Office, including a rumored free OneNote client for the Mac, as part of a strategy to reach customers who can't stomach the idea of paying for the full-fledged suite, or who have opted for free or inexpensive alternatives, an analyst said today.
 
The leading minds in sports convened in Boston last week at the annual MIT Sloan Sports Analytics Conference to share ideas about how big data will be a game-changer for fans, players, coaches, officials and front-office personnel.
 
Google announced Thursday that it is dramatically cutting its prices for its cloud storage service by as much as 80%.
 
Samsung

On Wednesday, developers of an alternative version of Google's Android mobile operating system published a startling claim: Samsung's S3, Note 2, and seven other models of Galaxy smartphones contained a backdoor that provides remote access to virtually all data stored on the devices. The code that allows access, which controls the phones' baseband or modem processors, made it possible to remotely read, write, or even modify users' files.

"Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone's data, even in the case where the modem is isolated and cannot access the storage directly," Paul Kocialkowski, one of the Free Software Foundation (FSF) developers who reported the finding, wrote in a separate post. "This is yet another example of what unacceptable behavior proprietary software permits!" Going on to plug the Android replacement known as Replicant, he continued: "Our free replacement for that non-free program does not implement this backdoor. If the modem asks to read or write files, Replicant does not cooperate with it."

To get a second opinion, Ars turned to Dan Rosenberg, a senior security researcher at Azimuth Security, who specializes in the reverse engineering of Unix and embedded devices. While he expanded the list of affected phones to include Samsung's more recent S4 and Note 3 models, he largely dispelled the claims that the software provided a backdoor that could be used to compromise users' privacy or security. What follows is an e-mail interview conducted early Thursday.

Read 15 remaining paragraphs | Comments

 
[security bulletin] HPSBMU02967 rev.1 - HP Unified Functional Testing Running on Windows, Remote Execution of Arbitrary Code
 
[ MDVSA-2014:057 ] mediawiki
 
[ MDVSA-2014:056 ] apache-commons-fileupload
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe Systems released a new security update for Shockwave Player in order to fix a critical vulnerability that could allow attackers to remotely take control of affected systems.
 
Security Manager George Grachis discusses the current cyber threat landscape and why Human Sensors, our users, are our most underutilized resource that can make all the difference
 
With the right collaboration tools and an open-minded management team, the phrase 'productive meeting' doesn't have to be an oxymoron.
 
The developers of Replicant, a mobile OS based on Android, claim to have found a backdoor vulnerability in a software component shipped with some Samsung Galaxy devices that potentially provides remote access to users' private files through the device modem.
 
Kentico CMS Username Enumeration Weakness
 
Re: Medium severity flaw in BlackBerry QNX Neutrino RTOS
 
[ MDVSA-2014:055 ] owncloud
 
[ MDVSA-2014:054 ] otrs
 
[ MDVSA-2014:053 ] libssh
 
A Tip of the Hat to Newsweek's Davis K. Johnson for an update on the FCC's ambitious pledge that high-speed Internet would be available to 100 million U.S. homes by 2020.
 
European Union politicians have vowed to end the "nightmare" of non-compatible phone chargers.
 
Google is testing some changes to the way it displays search results, including a tweak to how it presents paid links that could throw off unsuspecting users.
 
OTRS Help Desk CVE-2014-1695 HTML Injection Vulnerability
 
Researchers cracked Microsoft's Internet Explorer 11, Mozilla's Firefox and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.
 
Sen. Dianne Feinstein's (D-Calif.) claim that the CIA violated provisions of the Computer Fraud and Abuse Act when it accessed computers used by members of the Senate Intelligence Committee, could be hard to substantiate, according to a leading legal expert.
 
We've rounded up a bunch of experts' tips about how to retain your privacy when messaging and using apps, and while on social media.
 
The U.S. Foreign Intelligence Surveillance Court has temporarily reversed its earlier order that call records collected by the National Security Agency should be destroyed after the current five-year limit.
 

A SANS ISC reader sent us the following Apache log snippet earlier today

108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206
196.196.x.x - [11/Mar/2014:07:43:19 +0100] "GET /index.shtml/RS=^ADAY1N1JxWPFnnOEW3FpVC1g.n4rec- HTTP/1.0" 302 206
88.80.x.x   - [11/Mar/2014:15:02:01 +0100] "GET /index.shtml/RS=^ADAw5eOsxy0br6iGm1BZPRs2wtnyAE- HTTP/1.1" 302 206

index.shtml exists on the reader's server, but the RS= / RK= stuff is bogus. The RS= looks like it could be a regular expression for a pattern match of sorts, since it is starting with an anchor "^", but that's guessing. We don't really know. Googling for the pattern shows that this sort of thing has been around for a while, but I didn't find any definite explanation about which software or toolkit these requests are attempting to exploit, if any. If you have information on what this is, please share in the comments below, or via our contact form.


 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
lighttpd CVE-2014-2324 Multiple Directory Traversal Vulnerabilities
 
lighttpd 'mod_mysql_vhost.c' SQL Injection Vulnerability
 

Posted by InfoSec News on Mar 13

http://www.infosecnews.org/for-ec-council-mums-the-word/

By William Knowles
Senior Editor
InfoSec News
March 12, 2013

We have been following the compromise, Web defacement, and subsequent
silence of EC-Council for a couple of weeks now. On February 22nd the
Albuquerque, NM based EC-Council Web site was broken into and defaced
three separate times. If you hold a certification from EC-Council your
confidential information is rumored to have...
 

Posted by InfoSec News on Mar 13

http://www.nextgov.com/health/2014/03/75-percent-hospitals-and-clinics-are-worried-about-healthcaregov-hacks/80344/

By Aliya Sternstein
Nextgov
March 12, 2014

A major concern about Obamacare is that the online swap of patient
information between providers and the federal government's data hub will
jeopardize consumers' privacy and security, according to a new study by
the Ponemon Institute.

As far as cyber threats that affect...
 

Posted by InfoSec News on Mar 13

http://news.cnet.com/8301-1001_3-57620262-92/google-fixes-7-chrome-security-holes-just-before-cansecwest/

By Seth Rosenblatt
CNET News
March 12, 2014

Google has fixed seven security flaws in Chrome, just a day before the
annual, real-time hacking competitions Pwnium and Pwn2Own.

The new security update for Chrome on Windows, Mac, and Linux patched four
flaws labeled as High, below the more important level of Critical; three
flaws in its...
 

Posted by InfoSec News on Mar 13

http://www.ft.com/cms/s/0/f5c87808-a883-11e3-b50f-00144feab7de.html

By Hannah Kuchler in San Francisco
FT.com
March 12, 2014

Cyber security start-ups have become the latest fascination for Silicon
Valley investors, who have flooded the sector with venture capital
investment as they seek to back the latest technology to combat criminals
online.

Early-stage funding for the sector soared by almost 60 per cent last year
to $244m worldwide,...
 

Posted by InfoSec News on Mar 13

http://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/

By Sean Gallagher
Ars Technica
March 12, 2014

Since 2010, the National Security Agency has kept a push-button hacking
system called Turbine that allows the agency to scale up the number of
networks it has access to from hundreds to potentially millions. The news
comes from new Edward Snowden documents published by Ryan...
 
Internet Storm Center Infocon Status