Hackin9

Why InfoSec Pay Shows Lackluster Gains
BankInfoSecurity.com (blog)
Conventional wisdom dictates that the high demand for IT security practitioners would cause salaries to rise, perhaps significantly - a simple example of supply and demand. But the recovery from the Great Recession - which lasted from December 2007 to ...

 

Applying Engineering Values to InfoSec
BankInfoSecurity.com
The National Institute of Standards and Technology is developing new cybersecurity standards based on the same principles engineers use to build bridges and jetliners. At the University of Minnesota College of Science and Engineering's Technology ...

 
Google is ramping up its efforts to get its wearable computer onto as many heads as possible by opening up Glass for general sale.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle has asked an appeals court to reinstate a $1.3 billion jury award against SAP for what an Oracle lawyer on Tuesday called "the most massive and brazen copyright infringement in history."
 
Overall STARTTLS Results

Server-to-server e-mail encryption using the STARTTLS protocol has reached an important tipping point that hardens the majority of messages Facebook sends its users against wholesale snooping by well-financed adversaries, according to figures the site released Tuesday.

The social network said 58 percent of the notification e-mails it sends users are successfully encrypted using STARTTLS. Even more impressive, 76 percent of unique Mail Exchange hostnames are set up to support the protection, although only about half of them use valid digital certificates to cryptographically validate connections. STARTTLS ensures that plaintext e-mails are encrypted before being transferred from the sending server to the receiving server. Amid revelations of an expansive surveillance program by the National Security Agency and other state-sponsored groups, the extension is seen as a way of thwarting such programs or at least making them more costly to carry out. But like most network-based technologies, its value is proportional to the square of the number of servers that use it, meaning it provides benefit only when widely used.

"It's clear to us that STARTTLS has achieved critical mass and there is immediate value in deploying it," Facebook officials wrote in a blog post. "We encourage anyone who has not already deployed STARTTLS to at least deploy it for opportunistic encryption. As more systems support e-mail encryption, the value increases for everyone."
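The two figures Facebook distinguishes, MX hosts that offer STARTTLS at all and those whose certificates actually validate, can be measured with a short probe. This is an added example, not code from the article or from Facebook; it assumes only Python's standard smtplib and ssl modules and a hostname supplied on the command line.

```python
import smtplib
import socket
import ssl
import sys
from collections import Counter


def ehlo_advertises_starttls(ehlo_message: bytes) -> bool:
    """True if an EHLO reply lists the STARTTLS extension (RFC 3207).
    smtplib returns the reply body as bytes, one extension per line;
    the first line is the server's greeting, not an extension."""
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    return any(line.split()[0].upper() == "STARTTLS"
               for line in lines[1:] if line.split())


def _upgrade(host: str, port: int, context: ssl.SSLContext, timeout: float) -> str:
    """Connect, EHLO, then STARTTLS under the given context (network call).
    Returns 'ok', 'no-starttls', 'tls-failed' or 'unreachable'."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250 or not ehlo_advertises_starttls(msg):
                return "no-starttls"
            smtp.starttls(context=context)  # raises on a failed handshake
            return "ok"
    except (ssl.SSLError, smtplib.SMTPException):  # SSLError before OSError
        return "tls-failed"
    except (socket.timeout, OSError):
        return "unreachable"


def classify_mx(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """'verified' if chain and hostname validate; 'opportunistic' if the
    server encrypts but only with verification switched off."""
    strict = ssl.create_default_context()  # verifies chain and hostname
    result = _upgrade(host, port, strict, timeout)
    if result != "tls-failed":
        return result
    lax = ssl.create_default_context()  # same settings, verification off
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    return "opportunistic" if _upgrade(host, port, lax, timeout) == "ok" else "tls-failed"


def summarize(results: dict) -> dict:
    """Turn per-host classifications into the two ratios the article quotes:
    share of hosts offering STARTTLS, and share of those with a valid cert."""
    counts = Counter(results.values())
    total = len(results)
    encrypting = counts["verified"] + counts["opportunistic"]
    return {
        "starttls_fraction": encrypting / total if total else 0.0,
        "valid_cert_fraction": counts["verified"] / encrypting if encrypting else 0.0,
    }


if __name__ == "__main__":
    # Usage: python starttls_probe.py mx1.example.test [mx2.example.test ...]
    probed = {mx: classify_mx(mx) for mx in sys.argv[1:]}
    for mx, verdict in probed.items():
        print(f"{mx}: {verdict}")
    print(summarize(probed))
```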


 
Google is being tight-lipped about when the 64-bit version of Android will be released, but Linux development group Linaro has built a version of the open-source operating system so mobile apps can be written and tested by manufacturers and developers rushing to catch up with Apple.
 
SanDisk today announced its SanDisk X300s SSD line-up, which uses TCG Opal 2.0 and Microsoft Encrypted Hard Drive hardware-based encryption, coupled with a new SSD administration dashboard.
 
A flood of Internet users and net neutrality advocates called on the U.S. Federal Communications Commission to enact strong net neutrality rules, with many participants in an agency-sponsored Twitter chat advocating utility-style regulations for broadband providers.
 
Three former IBM employees laid off last year have filed a lawsuit in federal court alleging they were victims of age discrimination. IBM denies the charge.
 
For the latest round of Microsoft's monthly collection of software patches, the company has fixed critical issues in Internet Explorer (IE) and Windows that have already been used by malicious attackers to compromise systems.
 
Microsoft is struggling to explain its requirement for Windows 8.1 customers to update to the latest version of the OS in order to receive bug and security patches.
 
Samsung plans to launch a Google Glass competitor called Gear Glass in September, timed with the IFA technology show in Berlin, according to a report in Business Korea.
 
SAP is trimming an unspecified number of workers as part of an effort to restructure its overall skill set.
 
U.S. Sen. Al Franken questioned Samsung on the privacy protections the company has in place for the fingerprint scanning technology on its recently released Galaxy S5 smartphone.
 
The $1,500 price of Google Glass is about 10 times more than the cost to build the wearable computer, but analysts say the device is more than the sum of its parts.
 
India's antitrust agency has initiated an inquiry into Google's termination of an AdWords account with a remote technology support business, after allegations that it was done to promote the Internet giant's own services in the area.
 
The CEOs of 28 U.S. broadband providers and trade groups, including the four largest ISPs, have warned the U.S. Federal Communications Commission against reregulating broadband as a utility in an effort to protect net neutrality, saying reclassification of broadband would scare away investors.
 
It's Patch Tuesday for Microsoft, but Windows XP users aren't getting any of the security updates. Get used to it, the company says.
 

Last year, Ars documented how Skype encryption posed little challenge to Microsoft abuse filters that scanned instant messages for potentially abusive Web links. Within hours of newly created, never-before-visited URLs being transmitted over the service, the scanners were able to pluck them out of a cryptographically protected stream and test if they were malicious. Now comes word that the National Security Agency is also able to work around Skype crypto—so much so that analysts have deemed the Microsoft-owned service "vital" to a key surveillance regimen known as PRISM.

"PRISM has a new collection capability: Skype stored communications," a previously confidential NSA memo from 2013 declared. "Skype stored communications will contain unique data which is not collected via normal real-time surveillance collection." The data includes buddy lists, credit card information, call records, user account data, and "other material" that is of value to the NSA's special source operations.

The memo, which was leaked by former NSA contractor Edward Snowden and released Tuesday by Glenn Greenwald to coincide with the publication of his book No Place to Hide, said the FBI's Electronic Communications Surveillance Unit had approved "over 30 selectors to be sent to Skype for collection."


 
EMC Documentum Foundation Services Unauthorized Access Vulnerability
 
[security bulletin] HPSBMU03022 rev.2 - HP Systems Insight Manager (SIM) Bundled Software running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU02998 rev.4 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)
 
Multiple Stored XSS in FOG Image deployment system - FD
 
FD - Cobbler Arbitrary File Read CVE-2014-3225
 

On Tuesday, Doge Vault, one of the most popular online repositories for the cryptocurrency Dogecoin, formally acknowledged that it had been hacked two days earlier.

“On the 11th of May, the Doge Vault online wallet service was compromised by attackers, resulting in a service disruption and tampering with wallet funds,” the site wrote. “As soon as the administrator of Doge Vault was alerted, the service was halted. The attackers had already accessed and destroyed all data on the hosted virtual machines.”

While Doge Vault hasn’t officially said how much was lost, a newly created Dogecoin wallet shows that 121,550,030 dogecoins have been transferred into it over the last 24 hours. At present exchange rates, that’s worth about $56,000.


 

We are now up to 3 bulletins from Adobe.

TL;DR ? Current versions in one simple table (I hope I got that right):

Current Adobe Software Versions

Product                                   Windows       OS X          Linux
Adobe Reader XI                           11.0.07       11.0.07       -
Adobe Reader X                            10.1.10       10.1.10       -
Adobe Flash Player 13                     13.0.0.214    13.0.0.214    11.2.202.359
Adobe Flash Player (Google Chrome)        13.0.0.214    13.0.0.214    13.0.0.214
Adobe Flash Player (MSFT Internet Expl)   13.0.0.214    -             -
Adobe Air SDK                             13.0.0.111
Adobe Illustrator Subscription            16.2.2        16.2.2
Adobe Illustrator Non-Subscription        16.0.5        16.0.5

APSB14-14: covering Flash Player [1]. It fixes 6 different vulnerabilities, one of which was found earlier this year during the pwn2own contest (CVE-2014-0510).

These vulnerabilities affect Windows, Linux and OS X. Adobe assigned them "Priority 1" indicating that they may have been used in targeted exploits. This makes this a "Patch Now!" vulnerability for us.

CVE-2014-0510: pwn2own vulnerability. remote code execution with sandbox bypass.
CVE-2014-0516: Same origin bypass
CVE-2014-0517: Security feature bypass
CVE-2014-0518: Security feature bypass
CVE-2014-0519: Security feature bypass
CVE-2014-0520: Security feature bypass

APSB14-15: For Adobe Acrobat and Reader [2]

CVE-2014-0511: pwn2own vulnerability. remote code execution with sandbox bypass
CVE-2014-0512: pwn2own vulnerability. remote code execution with sandbox bypass
CVE-2014-0521: information disclosure in Javascript API
CVE-2014-0522: code execution (memory corruption)
CVE-2014-0523: code execution (memory corruption)
CVE-2014-0524: code execution (memory corruption)
CVE-2014-0525: code execution (use after free?)
CVE-2014-0526: code execution (memory corruption)
CVE-2014-0527: code execution (use after free)
CVE-2014-0528: code execution (double free)
CVE-2014-0529: code execution (buffer overflow)

Like the Flash bulletin, this one is rated "Priority 1".

APSB14-11: Hotfix for Adobe Illustrator [3]

CVE-2014-0513: code execution (Stack Overflow)

This bulletin is only rated "Priority 3".
 

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
[2] http://helpx.adobe.com/security/products/reader/apsb14-15.html
[3] http://helpx.adobe.com/security/products/illustrator/apsb14-11.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
Adobe Acrobat and Reader CVE-2014-0526 Unspecified Memory Corruption Vulnerability
 
Adobe Acrobat and Reader CVE-2014-0524 Unspecified Memory Corruption Vulnerability
 
Adobe Reader CVE-2014-0512 Unspecified Security Bypass Vulnerability
 
Adobe Reader CVE-2014-0511 Heap Based Buffer Overflow Vulnerability
 

Is Infosec Getting More Stressful?
eSecurity Planet
As the security landscape changes, infosec pros find it tough to keep up, said Bill Gardner, an assistant professor who teaches Digital Forensics and Information Assurance at Marshall University and is also president and principal security consultant ...

 
The National Science Foundation is investing $15 million to create a more robust, agile and secure Internet.
 
 
Some Firefox users, cranky over the browser's user interface changes, have scrambled to find ways to make the latest version look more like older editions.
 
AT&T is in advanced talks to acquire DirecTV for about $50 billion, according to published reports.
 

Overview of the May 2014 Microsoft patches and their status.

IMPORTANT: Don't miss MS14-029. This bulletin fixes ANOTHER vulnerability in MSIE that has already been used in targeted exploits! 

Columns of the original table: # / Affected / Contra Indications / KB / Known Exploits / Microsoft rating(**) / ISC rating(*) for clients and servers.

MS14-021 (released May 1st) - Security Update for Internet Explorer
  Affected: Microsoft Windows, Internet Explorer
  CVE: CVE-2014-1776
  Contra indications: -
  KB: 2965111
  Known exploits: Yes!
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients PATCH NOW, servers Critical

MS14-022 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
  Affected: Microsoft Server Software, Productivity Software
  CVE: CVE-2014-0251, CVE-2014-1754, CVE-2014-1813
  Contra indications: -
  KB: 2952166
  Known exploits: -
  Microsoft rating(**): Severity: Critical, Exploitability: 1,3
  ISC rating(*): clients Important, servers Critical

MS14-023 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  Affected: Microsoft Office
  CVE: CVE-2014-1756, CVE-2014-1808
  Contra indications: -
  KB: 2961037
  Known exploits: -
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Critical, servers Important

MS14-024 - Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (ASLR Bypass)
  Affected: Microsoft Office
  CVE: CVE-2014-1809
  Contra indications: -
  KB: 2961033
  Known exploits: Yes
  Microsoft rating(**): Severity: Important, Exploitability: NA
  ISC rating(*): clients Important, servers Important

MS14-025 - Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege
  Affected: Group Policy Preferences
  CVE: CVE-2014-1820
  Contra indications: -
  KB: 2962486
  Known exploits: -
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

MS14-026 - Vulnerability in .NET Framework Could Allow Elevation of Privilege
  Affected: Microsoft Windows, Microsoft .NET Framework
  CVE: CVE-2014-1806
  Contra indications: -
  KB: 2958732
  Known exploits: -
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

MS14-027 - Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege
  Affected: Microsoft Windows
  CVE: CVE-2014-1807
  Contra indications: -
  KB: 2962488
  Known exploits: Yes
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

MS14-028 - Vulnerability in iSCSI Could Allow Denial of Service
  Affected: iSCSI
  CVE: CVE-2014-0225, CVE-2014-0226
  Contra indications: -
  KB: 2962485
  Known exploits: -
  Microsoft rating(**): Severity: Important, Exploitability: 3
  ISC rating(*): clients Important, servers Important

MS14-029 - Security Update for Internet Explorer
  Affected: Microsoft Windows, Internet Explorer
  CVE: CVE-2014-0310, CVE-2014-1815
  Contra indications: -
  KB: 2962482
  Known exploits: Yes
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients PATCH NOW!, servers Critical

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: [...] practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat [...]

       

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
NetSuite is overhauling its cloud ERP software's user interface, hoping to keep pace at a time when consumer-like experiences are increasingly becoming the norm in enterprise applications.
 
Salesforce.com has made another step toward unifying its family of application development technologies with Salesforce1 Heroku Connect, which synchronizes data between its Force.com platform and Heroku.
 
Four years have passed since augmented reality apps for smartphones started appearing in app stores for consumer use, but the trend has been slow to catch on.
 
 
IBM Security Access Manager for Web CVE-2014-0963 Remote Denial of Service Vulnerability
 

Data breach detection and remediation share spotlight at InfoSec
AppsTech
Most of the vendors interviewed at InfoSec were more than willing to talk about their latest strategies for the proactive protection of business systems and networks, the data they hold, and the applications they use. But at the same time many seemed ...

 
Three founders of Lawson Software have agreed to pay about $5.8 million to settle insider trading charges in connection with Infor's 2011 acquisition of the company.
 
Motorola Mobility's Moto E doesn't cost much, but it works well and doesn't look cheap.
 
LinuxSecurity.com: Security Report Summary
 
A new initiative by computer security experts at the National Institute of Standards and Technology (NIST) seeks to bring widely recognized systems and software engineering principles to bear on the problem of information system ...
 
Google and other search engine providers can be ordered to delete links to outdated information about a person published on the Internet, the Court of Justice of the European Union ruled Tuesday.
 
The White House's big report on big-data privacy has several shortcomings.
 
The hacker group dedicated to supporting Syria's dictator wasted an attack vector on trying to embarrass the writer. Will the SEA's handlers in the Syrian intelligence services approve of such immaturity?
 
Motorola Mobility hopes its $129 smartphone, the Moto E, will attract consumers that might otherwise have bought a feature phone.
 
 
[security bulletin] HPSBPI03031 rev.2 - HP Officejet Pro X Printers, Certain Officejet Pro Printers, Remote Disclosure of Information
 
ESA-2014-005: EMC Documentum Foundation Services (DFS) Content Access Vulnerability
 
Bitcoin payment processor BitPay raises $30 million to fund its international expansion.
 
The U.S. Federal Communications Commission and the CTIA, a lobbying group for the wireless industry, discussed a major initiative last year that could have significantly cracked down on trading in stolen phones, but the plan appears to have gone nowhere.
 
In an Internet of Things world, smart buildings with Web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.
 
Allegations that the NSA installed surveillance tools in U.S.-made network equipment, if true, could mean enterprises have more to worry about than just government spying.
 
Microsoft on Monday said that customers had downloaded about 27 million copies of the Office for iPad apps in six weeks, a "promising" figure that one analyst said still lacks important contextual details.
 
Facebook's messaging application doesn't support encryption, but an open-source chat program, Cryptocat, has made it possible to chat with friends there over an encrypted connection.
 
With new specs increasing USB's throughput to 10Gbps, its power up to 100 watts and its cable to a reversible design, Thunderbolt's future could be dim.
 

Posted by InfoSec News on May 13

http://www.theregister.co.uk/2014/05/12/ge_patches_gap_in_capabilities_with_infosec_buy/

By Richard Chirgwin
The Register
12 May 2014

Years after the infosec world noticed the chronic insecurity of SCADA kit,
industrial giant GE has decided it needs to improve its in-house
capabilities by announcing that it's to acquire Wurldtech.

Founded in 2006, Wurldtech's product portfolio, sold under the Achilles
brand, includes a test suite...
 

Posted by InfoSec News on May 13

http://www.tradearabia.com/news/IT_257994.html

Trade Arabia
13 May 2014

Iranian hackers have become increasingly aggressive and sophisticated,
moving from disrupting and defacing US websites to engaging in cyber
espionage, security experts say.

According to Silicon Valley-based cybersecurity company FireEye, a group
called the Ajax Security Team has become the first Iranian hacking group
known to use custom-built malicious software to...
 
RETIRED: Linux Kernel 'n_tty.c' Memory Corruption Vulnerability
 

Posted by InfoSec News on May 13

http://www.csoonline.com/article/2153713/security-leadership/how-to-optimize-your-security-budget.html

By George V. Hulme
CSO Online
May 12, 2014

The good news is that security budgets are rising broadly. The bad news?
So are successful attacks. Perhaps that’s why security budgets averaging
$4.3 million this year represent a gain of 51% over the previous year –
and that figure is nearly double the $2.2 million spent in 2010 – all...
 

Posted by InfoSec News on May 13

http://krebsonsecurity.com/2014/05/teen-arrested-for-30-swattings-bomb-threats/

By Brian Krebs
Krebs on Security
May 12, 2014

A 16-year-old male from Ottawa, Canada has been arrested for allegedly
making at least 30 fraudulent calls to emergency services across North
America over the past few months. The false alarms — two of which targeted
this reporter — involved calling in phony bomb threats and multiple
attempts at “swatting”...
 

Posted by InfoSec News on May 13

http://www.independent.co.uk/news/uk/crime/cybercrime-boss-offers-a-ferrari-for-hacker-who-dreams-up-the-biggest-scam-9349931.html

By Paul Peachey
Crime Correspondent
The Independent
11 May 2014

The leader of a global cybercrime syndicate offered his associates a
Ferrari for the hacker who came up with the best scam, according to a
senior European security source.

The gift – made on a professionally produced video hidden in a dark recess...
 

Posted by InfoSec News on May 13

http://www.bankinfosecurity.com/ffiec-cyber-assessments-what-to-expect-a-6831

By Tracy Kitten
Bank Info Security
May 12, 2014

The Federal Financial Institutions Examination Council's new cybersecurity
assessments for community banking institutions will be incorporated into
the usual IT examination process, regulators say. Industry associations
and analysts say banking leaders should be preparing for more stringent
oversight of...
 

Posted by InfoSec News on May 13

http://english.vietnamnet.vn/fms/science-it/102081/vietnam-china-cyberwar-breaking-out-.html

vietnamnet.vn
12/05/2014

Securitydaily on May 9 quoted techz.vn as reporting that tens of websites
of Chinese organizations and enterprises had been attacked by hackers from
Vietnam. The main attack mode was DDoS (distributed denial of service).

Some websites of individuals and organizations with the domain name “.tw”
(Taiwan) have also been...
 

Posted by InfoSec News on May 13

http://www.defenseone.com/technology/2014/05/what-most-secure-email-universe-would-look/84247/

By Patrick Tucker
Defense One
May 12, 2014

Say you wanted to send an email more secure than any message that had ever
been transmitted in human history, a message with absolutely no chance of
being intercepted. How would you do it?

You may have encrypted your message according to the highest standards,
but encryption doesn’t guarantee secrecy....
 