Hackin9
CIOs at midmarket and large companies in Europe and the U.S. will spend 4.5 percent more on IT products and services this year than in 2013 as they focus their budget priorities on cloud computing, ERP and analytics software.
 

Users of Tweetdeck, and possibly other Twitter apps, take note: old settings can come back to trip you up. Digital media strategist Kate Gardiner learned this lesson first hand on Tuesday, when she inadvertently caused at least a dozen separate news-oriented Twitter accounts to tweet "f gwenifill" in unison.

The errant tweets quickly triggered suspicions of another hack involving the hijacking of a high-profile Twitter account, only in this case at least 12 accounts would have been taken over and used to poke fun at PBS News Hour anchor Gwen Ifill.

The cause turned out not to be a hack, but rather the mismanagement of the Tweetdeck application Gardiner had used for years to send tweets for a variety of different media outlets. In the course of clearing out the old credentials, she said, she accidentally sent out a tweet. Because her Tweetdeck was still associated with the Twitter accounts of her old employers or clients, it ended up broadcasting the "f gwenifill" tweet to all of them.


 
RETIRED: Oracle FLEXCUBE Private Banking CVE-2013-4316 Remote Security Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle Java SE CVE-2014-0423 Remote Security Vulnerability
 
Websense Email Security CVE-2012-4605 Information Disclosure Vulnerability
 
 
Recommendations by a presidential panel to overhaul a U.S. National Security Agency phone records collection program could impede efforts to track terrorism suspects, some senators suggested Tuesday.
 
The market for cloud security tools is expected to grow significantly in the coming year. Here are 10 cloud security startups that could help boost cloud adoption in 2014 and beyond.
 
The U.S. Federal Communications Commission and its allies have several options, with most of them difficult, after a U.S. appeals court struck down most of the agency's 2010 net neutrality rules.
 
Microsoft's "Patch Tuesday" set of monthly software patches is so minimal for January that at least one security firm is suggesting that IT shops first tend to recently issued patches for more severe vulnerabilities found in Oracle Java, Adobe Flash and Adobe Reader.
 

Today we also got Oracle's quarterly "Critical Patch Update". As announced, we got a gross, or 144, different patches from Oracle. But remember that these patches affect 47 different products (if I counted right).

The product we are overall most worried about is Java. With this CPU, 34 security vulnerabilities are fixed in Java SE. So again: Patch or disable (fast).

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 
As part of its initiative to ensure that the Internet continues to spawn growth and innovation, the Department of Commerce will hold a symposium on 'Cybersecurity and Innovation in the Information Economy' on July 27, 2010, at the Ronald ...
 
Cybersecurity training is spreading from high-tech and government offices into high schools, libraries and workplaces near you. Called the National Initiative for Cybersecurity Education (NICE) and coordinated by the National Institute of ...
 
Ethel Marden, National Bureau of Standards (now the National Institute of Standards and Technology) computer programmer, operates the Standards Electronic Automatic Computer (SEAC) during the 1950s. Credit: NIST ...
 
 
The National Institute of Standards and Technology (NIST) has been designated by Federal Chief Information Officer Vivek Kundra to accelerate the federal government's secure adoption of cloud computing by leading efforts to develop ...
 
The National Institute of Standards and Technology (NIST) has published the final version of a special publication that can help organizations to more effectively integrate information security risk planning into their mission-critical ...
 
What NIST-led innovation is estimated to have saved U.S. industry $6.1 billion over the past 20 years? Well, probably several, but, perhaps surprisingly, a new economics study* points to the development of 'role-based access control,' a ...
 
If you found this article through a search engine, you can thank an automated text retrieval system. For 20 years, the Text REtrieval Conference (TREC) sponsored by the National Institute of Standards and Technology (NIST) has been one ...
 
Information technology experts, insurers, policy makers and representatives of healthcare organizations will convene on April 5-6, 2011, in Bethesda, Md., to survey current approaches to preserving electronic health records (EHRs) and ...
 
The National Institute of Standards and Technology (NIST) and the Federal Information Systems Security Educators' Association (FISSEA) are co-hosting FISSEA's 24th annual conference March 15-17, 2011, at NIST's Gaithersburg, Md. ...
 
The National Institute of Standards and Technology (NIST) has issued two new draft documents on cloud computing for public comment, including the first set of guidelines for managing security and privacy issues in cloud computing. The ...
 
The National Institute of Standards and Technology (NIST) has issued the final version of its recommendations for securely configuring and using full computing virtualization technologies. The security recommendations are contained ...
 
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) is pleased to announce that Jeremy Grant is joining the NIST team as a senior executive advisor. Mr. Grant has been selected to manage the ...
 
At a January 7, 2011 forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt announced plans to create a National Program ...
 
At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt today announced plans to create a National Program Office ...
 
Palo Alto, Calif. -- As part of a meeting today with local industry and academic leaders in Silicon Valley, at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt will ...
 
On Dec. 9, 2010, the National Institute of Standards and Technology (NIST) announced the selection of five finalists in its ongoing competition to select a new cryptographic hash algorithm standard, one of the fundamental security tools ...
 
As the day draws nearer for the world to run out of the unique addresses that allow us to use the Internet (now predicted to happen by the end of 2012), researchers at the National Institute of Standards and Technology (NIST) have issued a ...
 
Two new draft publications from the National Institute of Standards and Technology (NIST) provide the groundwork for a three-tiered risk-management approach that encompasses computer security risk planning from the highest levels of ...
 
Two new publications from the National Institute of Standards and Technology (NIST) are intended to help developers of software and computer systems for doctors' offices, clinics, and hospitals improve the ease of use of electronic ...
 
The National Institute of Standards and Technology (NIST) has joined in a new public-private partnership to spur cybersecurity innovation in the financial services sector. Through a memorandum of understanding signed on Dec. 6, 2010, ...
 
This simulation depicts flow in a rheometer, as its rotating vane's blade begins to stir a suspension of particles. Colors represent the quadrant where the particles are initially positioned. Such simulations can be used to link ...
 
Researchers at the National Institute of Standards and Technology (NIST) have released an updated version of a computer system testing tool that can cut costs by more efficiently finding flaws. A tutorial on using the tool accompanies ...
 
A new publication from the National Institute of Standards and Technology (NIST) provides technical guidance to government agencies and other organizations interested in mitigating risks with WiMAX (Worldwide Interoperability for ...
 
The National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) are seeking partners in the telecommunications industry to help create a demonstration broadband ...
 
On November 4 and 5, 2010, the National Institute of Standards and Technology (NIST) will host the Cloud Computing Forum and Workshop II to give government and industry stakeholders opportunity to comment on the next steps in developing ...
 
 
The Sixth Annual IT Security Automation Conference, co-hosted by the National Institute of Standards and Technology (NIST), focuses on applying and integrating emerging cyber security automation technologies and software assurance into a ...
 
In efforts to help the nation's health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures ...
 
Nothing beats the feeling of starting up a new computer -- be it a laptop, desktop or a major, custom-designed computing system. A new system is a blank slate with no worry of botnets, viruses or any other cybersecurity ...
 
The Commerce Department has published a Notice of Inquiry (NOI) on 'Cybersecurity, Innovation, and Internet Policy.' The department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on ...
 
A comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy that is being conducted by The Department of Commerce's Internet Policy Task Force is the subject of ...
 
The National Institute of Standards and Technology (NIST) has issued draft recommendations for securely configuring and using full virtualization technologies, which, by means of software, duplicate a computer's operating system and ...
 
On July 15, 2010, two Department of Commerce Agencies, the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA), announced the completion of a major initiative to ...
 
A computer security invention patented* a decade ago at the National Institute of Standards and Technology (NIST) is now poised to help safeguard patient privacy in hospitals. Photo courtesy GWImages/Shutterstock. The invention, an algorithm ...
 
After a public comment period, the National Institute of Standards and Technology (NIST) has published an updated set of guidelines for developing security assessment plans and associated security control assessment procedures that are ...
 
Washington, D.C. -- The U.S. departments of Commerce and Homeland Security (DHS) today discussed with other federal agencies and private-sector leaders in the information technology industry the need to create a voluntary industry code of ...
 
Maryland Governor Martin O'Malley addressed several hundred educators, IT experts, and others at the National Institute of Standards and Technology (NIST) yesterday as part of a workshop hosted by the National Initiative for ...
 
Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to ...
 
The National Institute of Standards and Technology (NIST) has published two new documents on cloud computing: the first edition of a cloud computing standards roadmap and a cloud computing reference architecture and taxonomy. Together, ...
 
Bringing order and security to the patchwork quilt of computing environments in a large organization can be a daunting task. Software tools and technical specifications that allow security information to be shared between information ...
 
The Seventh Annual IT Security Automation Conference, co-hosted by the National Institute of Standards and Technology (NIST), will focus on the breadth and depth of principles and technologies designed to support computer security ...
 
The National Institute of Standards and Technology (NIST) will host a workshop on cryptography for new technologies from Nov. 7-8, 2011, at the agency's Gaithersburg, Md., campus. As the Internet evolves, it is becoming possible for ...
 
The National Institute of Standards and Technology (NIST) today* issued for public comment a draft strategic plan for the National Initiative for Cybersecurity Education (NICE) program. The plan, 'Building a Digital Nation,' outlines ...
 
With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens' personally identifiable information is a growing ...
 
Researchers at the National Institute of Standards and Technology (NIST) have released for public comment updated specifications for the Security Content Automation Protocol (SCAP), which helps organizations find and manage ...
 
The National Institute of Standards and Technology (NIST) has issued the final version of its Guide to Industrial Control Systems (ICS) Security (SP 800-82),* intended to help pipeline operators, power producers, manufacturers, air ...
 
Most industry executives, military planners, research managers or venture capitalists charged with assessing the potential of an R&D project probably are familiar with the wry twist on Arthur C. Clarke's third law*: 'Any ...
 
The Department of Commerce's Internet Policy Task Force is requesting comments on a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, ...
 
A new White House policy document released today* highlights strategic roles that the National Institute of Standards and Technology (NIST) plays in accelerating the modernization of the nation's electric infrastructure, bolstering ...
 
Robotic automation, microrobotics and robotic perception and recognition all advanced a few steps closer to their future applications in manufacturing, health care and other areas during the week of May 9-13, 2011. A photomicrograph ...
 
The National Institute of Standards and Technology (NIST) is hosting a workshop on usability of electronic health records (EHR) on June 7, 2011, at NIST's campus in Gaithersburg, Md. 'A Community-Building Workshop: Measuring, ...
 
The cloud computing research team at the National Institute of Standards and Technology (NIST) is requesting public comments on a draft of its most complete guide to cloud computing to date. NIST Cloud Computing Synopsis and ...
 
A new publication from the National Institute of Standards and Technology (NIST) provides guidelines to secure the earliest stages of the computer boot process. Commonly known as the Basic Input/Output System (BIOS), this fundamental ...
 
On April 15, the Obama Administration formally launched its National Strategy for Trusted Identities in Cyberspace (NSTIC), a plan to work with the private sector to develop a private market for secure identity credentials for the ...
 
The governing board of the Smart Grid Interoperability Panel (SGIP) has voted in favor of a new standard and a set of guidelines important for making the long-planned smart electricity grid a reality. The two documents address the need ...
 
Ron Ross, a National Institute of Standards and Technology (NIST) Fellow, has been named to InformationWeek Government's CIO 50, which identifies 2010's top information technology decision-makers in government. Ross is project lead of the ...
 
It's increasingly difficult to keep up with all the vulnerabilities present in today's highly complex operating systems and applications. Attackers constantly search for and exploit these vulnerabilities to commit identity fraud, ...
 
The National Institute of Standards and Technology (NIST) is co-hosting a conference to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security ...
 
The National Institute of Standards and Technology (NIST) will host the Cloud Computing Forum and Workshop III on April 7-8, 2011, at its Gaithersburg, Md., campus. Featured speakers include U.S. Chief Information Officer Vivek Kundra, ...
 
The National Institute of Standards and Technology's (NIST) Donna Dodson has received the 2011 Federal 100 Award. Presented by Federal Computer Week, the award honors the top professionals in the federal information technology community. A ...
 
Before you can build that improved turbojet engine, before you can create that longer-lasting battery, you have to ensure all the newfangled materials in it will behave the way you want, even under conditions as harsh as the upper ...
 
Computer scientists at the National Institute of Standards and Technology (NIST) are requesting comments from interested parties on their biennial update of the catalog of security controls for the federal government. The security ...
 
The International Biometric Performance Conference 2012, to be held March 5-9 at the National Institute of Standards and Technology (NIST), will bring together evaluators, users and technology providers to discuss recent advances in the ...
 
The National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office will host the 2012 NIST/NSTIC IDtrust Workshop, Technologies and Standards Enabling the Identity Ecosystem, on March 13 and 14, 2012, in ...
 
The National Institute of Standards and Technology (NIST) needs American innovators and entrepreneurs to help solve technological problems and develop NIST technologies into marketable products. The NIST Small Business Innovation ...
 
The National Institute of Standards and Technology (NIST) is conducting the 21st annual Text Retrieval Conference (TREC), the premier experimental effort in the field, to encourage research in information retrieval and related ...
 
A new draft computer security publication from the National Institute of Standards and Technology (NIST) provides guidance for vendors and security professionals as they work to protect personal computers as they start up. The first ...
 
A newly revised publication from the National Institute of Standards and Technology (NIST) expands the options for government agencies that need to verify the identity of users of their Web-based services. Electronic Authentication ...
 
The National Institute of Standards and Technology (NIST) published a revised biometric standard in November, 2011, that vastly expands the type and amount of information that forensic scientists can share across their international ...
 
Computer scientists at the National Institute of Standards and Technology (NIST) have dramatically enlarged a database designed to improve applications that help programmers find weaknesses in software. This database, the SAMATE ...
 
A new tool, developed by the National Institute of Standards and Technology (NIST) and offered for free, can help public and private organizations, large and small, to understand and implement the requirements of the Health Insurance ...
 
Charles H. Romine, new director of the NIST Information Technology Laboratory. Credit: NIST. Charles (Chuck) H. Romine became director of the Information Technology Laboratory (ITL) of the National Institute of ...
 
The National Initiative on Cybersecurity Education (NICE) has published for public comment a draft document that classifies the typical duties and skill requirements of cybersecurity workers. The document is meant to define professional ...
 
The National Institute of Standards and Technology (NIST) has released for public comment a draft 'roadmap' that is designed to foster federal agencies' adoption of cloud computing, support the private sector, improve the information ...
 
The National Institute of Standards and Technology (NIST) has agreed to work with the Department of Education and a new organization, the National Cybersecurity Education Council (NCEC), to develop a strategic public-private partnership ...
 
The U.S. Commerce Department's National Institute of Standards and Technology (NIST) has released for public comment a draft 'roadmap' that is designed to foster federal agencies' adoption of cloud computing, support the private ...
 
If quantum computers are ever to be realized, they likely will be made of different types of parts that will need to share information with one another, just like the memory and logic circuits in today's computers do. However, ...
 
The National Institute of Standards and Technology (NIST) has issued for public review and comment two draft guides to securing wireless communication networks. NIST is requesting comments on the two publications, one on Bluetooth ...
 
After years in the works and 15 drafts, the National Institute of Standards and Technology's (NIST) working definition of cloud computing, the 16th and final definition has been published as The NIST Definition of Cloud Computing ...
 
Government Computer News magazine has honored the Digital Library of Mathematical Functions (DLMF), which the National Institute of Standards and Technology (NIST) released last year, with one of its 10 annual awards for information ...
 
A new computer security publication* from the National Institute of Standards and Technology (NIST) will help organizations understand their security posture against threats and vulnerabilities and determine how effectively their ...
 
The National Institute of Standards and Technology (NIST) will unveil the public draft of its U.S. Government Cloud Computing Technology Roadmap at the Cloud Computing Forum & Workshop IV that it will host Nov. 2-4, in Gaithersburg, ...
 
The National Institute of Standards and Technology (NIST) awarded today a $1 million cooperative agreement to the University of Maryland at College Park (UMD). Researchers at UMD's Institute for Systems Research will help NIST as it ...
 
The National Institute of Standards and Technology (NIST) will host the 25th annual conference of the Federal Information Systems Security Educators Association (FISSEA) March 27-29, 2012, at its Gaithersburg, Md., headquarters. FISSEA is ...
 
Video recordings of the Nov. 2-4, 2011 Cloud Computing Forum & Workshop IV hosted by the National Institute of Standards and Technology (NIST) are now available for on-line viewing. The three-day November meeting featured, among other ...
 
Proposers Conference Set for Feb. 15

WASHINGTON -- The National Institute of Standards and Technology (NIST) today announced a competition to award a total of approximately $10 million for pilot projects to accelerate progress toward ...
 
Three new draft reports published by the National Institute of Standards and Technology (NIST) are designed to help both public and private organizations improve the security of their information management systems by developing ...
 
The National Institute of Standards and Technology (NIST) has finalized its first set of guidelines for managing security and privacy issues in cloud computing.* Guidelines on Security and Privacy in Public Cloud Computing (NIST Special ...
 
 
The National Institute of Standards and Technology (NIST) has released in final form a guide to enhanced security for wireless local area networks (WLAN). A WLAN is a group of wireless networking devices within a limited geographic area, ...
 
 
An updated roadmap for the Smart Grid is now available from the National Institute of Standards and Technology (NIST), which recently finished reviewing and incorporating public comments into the NIST Framework and Roadmap for Smart Grid ...
 
A major revision of a Federal Information Security Management Act (FISMA) publication released today by the National Institute of Standards and Technology (NIST) adds guidance for combating new information security threats and ...
 
The National Institute of Standards and Technology (NIST) has published for public comment a draft update to a guide for organizations managing their responses to computer security incidents such as hacking attacks. The authors cast a ...
 
State of Maryland and Montgomery County Join Partnership

The National Institute of Standards and Technology (NIST) today announced a new partnership to establish the National Cybersecurity Center of Excellence, a public-private ...
 
The National Institute of Standards and Technology (NIST) released its recommendations for a new, privately led steering group to tackle the complex policy and technical issues necessary to create an online environment where individuals ...
 
Securing computers against unlawful and malicious attacks is always important, but it's especially vital when the computers in question control major physical systems: manufacturing plants, transportation systems, power grids. ...
 
Washington, D.C. -- Responding to President Obama's call for an 'all-of-the-above' strategy to help consumers reduce their energy costs, the Administration announced on March 22 that nine major utilities and electricity suppliers will ...
 
An important aspect of any product is how easily someone can use it for its intended purpose, also known as usability. Electronic health records (EHR) that are usable have the potential to improve patient care, which is why the National ...
 
On March 9, the National Institute of Standards and Technology (NIST) announced that it is soliciting proposals to establish a steering group in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and to provide ...
 
Botnet activity is on the rise around the globe, and to help understand this problem the National Institute of Standards and Technology (NIST) is hosting a free, day-long workshop May 30, 2012, at its Gaithersburg, Md., campus. Technical ...
 
On Tuesday, May 22, 2012, the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC) will host Creating Usable Electronic Health Records: A User-Centered Design Best Practices ...
 
The National Institute of Standards and Technology (NIST) has extended until May 25, 2012, the comment period for the second draft of a publication intended to help federal departments and agencies better manage supply chain risks for ...
 
Researchers at the National Institute of Standards and Technology (NIST) have developed and published a new protocol for communicating with biometric sensors over wired and wireless networks, using some of the same technologies that ...
 
The National Institute of Standards and Technology (NIST) is hosting Cloud Computing Forum & Workshop V on June 5-7, 2012, at the Department of Commerce's Herbert C. Hoover Building in Washington, D.C. Cloud computing is a model for ...
 
 
Identifying people by acquiring pictures of their eyes is becoming easier, according to a new report* from the National Institute of Standards and Technology (NIST). NIST researchers evaluated the performance of iris recognition software ...
 
The National Institute of Standards and Technology (NIST) is co-hosting the fifth annual Safeguarding Health Information: Building Assurance through HIPAA Security conference on June 6 and 7, 2012, at the Ronald Reagan Building and ...
 
The National Institute of Standards and Technology (NIST) has announced proposed changes to a standard that specifies how to implement digital signatures, which can be used to ensure the integrity of electronic documents, such as wills ...
 
A new guide from the National Institute of Standards and Technology (NIST) describes a 'scoring system' that computer security managers can use to assess the severity of security risks arising from software features that, while ...
 
Next-generation 'smart' electrical meters for residential and commercial buildings will have computerized operating systems just as laptops or mobile devices do. On July 10, 2012, the National Institute of Standards and Technology (NIST) ...
 
The National Institute of Standards and Technology (NIST) has released the second-round draft version of its updated security standard for identity credentials in the Personal Identity Verification cards (PIV cards) that all federal ...
 
The National Institute of Standards and Technology (NIST) has released a guide to help improve the design of electronic health records for pediatric patients so that the design focus is on the users: the doctors, nurses and other ...
 
The National Institute of Standards and Technology (NIST) has released a proposed update to its guidelines for securing mobile devices, such as smart phones and tablets, that are used by the federal government. NIST is asking for public ...
 
A powerful color-based imaging technique is making the jump from remote sensing to the operating room, and a team of scientists* at the National Institute of Standards and Technology (NIST) have taken steps to ensure it performs as well ...
 
The National Institute of Standards and Technology (NIST) has issued the final version of the Guide to Bluetooth Security (NIST Special Publication 800-121 Rev. 1). The publication is a revision of the original guide, which was released ...
 
The National Institute of Standards and Technology (NIST) is hosting a workshop on the use of 'big data', a term referring to massive amounts of stored and streaming digital information, at its Gaithersburg, Md., campus's Green ...
 
For a clear view of cloud computing, the National Institute of Standards and Technology (NIST) has issued a new publication that explains cloud systems in plain language. The final version of Cloud Computing Synopsis and Recommendations ...
 
The National Cybersecurity Center of Excellence (NCCoE) will host a kickoff workshop on Tuesday, June 26, 2012. The workshop's goal is to introduce the center, which will bring together experts from industry, government and academia to ...
 
The National Institute of Standards and Technology (NIST) has published draft guidelines that outline the baseline security technologies mobile devices should include to protect the information they handle. Smart phones, tablets and ...
 
A new software test suite developed at the National Institute of Standards and Technology (NIST) allows local and federal agencies and other users of NIST's revised biometric standard to gain higher confidence that the correct ...
 
The National Institute of Standards and Technology (NIST) has published for public comment a revised draft of its guidance for managing computer patches to improve overall system security for large organizations. The previous version, ...
 
The National Institute of Standards and Technology (NIST) today announced the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security. Credit: K. ...
 
The National Institute of Standards and Technology (NIST) is offering a strong finale to National Cybersecurity Awareness month with its third annual National Initiative for Cybersecurity Education (NICE) Workshop, Oct. 30 through ...
 
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) today announced more than $9 million in grant awards to support the National Strategy for Trusted Identities in Cyberspace (NSTIC). Five U.S. ...
 
Online registration is now open for [email protected] 2012, a three-day symposium on cutting-edge forensic science research being performed at NIST. The symposium will run from Wednesday, November 28 - Friday, November 30, 2012, at the ...
 
The National Institute of Standards and Technology (NIST) has released a final version of its risk assessment guidelines that can provide senior leaders and executives with the information they need to understand and make decisions about ...
 
The National Institute of Standards and Technology (NIST) will host a workshop at its Gaithersburg, Md., headquarters October 15 and 16, 2012, to discuss ways NIST can focus its work to help federal departments and agencies manage the ...
 
The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems for server computers. BIOS (Basic Input/Output System) is the first major software that runs when a computer ...
 
The National Institute of Standards and Technology (NIST) will co-sponsor the 2012 Biometric Consortium Conference (BCC 2012), September 18-21, 2012, at the Tampa Convention Center in Tampa, Fla. The annual conference, produced in ...
 
Tests performed at the National Institute of Standards and Technology (NIST) show that a new method for splitting photon beams could overcome a fundamental physical hurdle in transmitting electronic data. These results* could lead to ...
 
The National Institute of Standards and Technology (NIST) has published the final version of its guide for managing computer security incidents. Based on best practices from government, academic and business organizations, this updated ...
 
The Identity Ecosystem Steering Group Kickoff Meeting to support the National Strategy for Trusted Identities in Cyberspace (NSTIC) will be held Aug. 15 and 16, 2012, in Chicago, Ill. In April 2011, President Obama signed the strategy, ...
 
Detecting and stopping malicious attacks on computer networks is a central focus of computer security these days. The National Institute of Standards and Technology (NIST) is asking for comments on two updated guides on malicious ...
 
The National Cybersecurity Center of Excellence (NCCoE) is inviting comments on a Partial Draft Request for Proposals (RFP) for a contractor to operate a Federally Funded Research and Development Center (FFRDC) to support the mission of ...
 
AirLink Raven X EV-DO Replay Security Bypass Vulnerability
 
AirLink Raven X EV-DO CVE-2013-2819 Information Disclosure Vulnerability
 

 Adobe released two bulletins today:

1 - Reader/Acrobat

This bulletin fixes three vulnerabilities. Adobe rates this one "Priority 1" meaning that these vulnerabilities are already exploited in targeted attacks and administrators should patch ASAP.

After the patch is applied, you should be running Acrobat/Reader 11.0.06 or 10.1.9.

2 - Flash Player and Air

The Flash Player patch fixes two vulnerabilities. The Flash Player problem is rated "Priority 1" for Windows and OS X. The Air vulnerability is rated "3" for all operating systems. For Linux, either patch is rated "3".

Patching Flash is a bit more complex in that it is included with some browsers, in which case you will need to update the browser. For example, Internet Explorer 11 and Chrome include Flash.

 

http://helpx.adobe.com/security/products/flash-player/apsb14-01.html
http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Defence mulls surveillance malware export restrictions
iT News
The addition of security technology to the WA dual-use lists leaves open the possibility that penetration testing tools relied on by infosec professionals could be restricted. But London officials close to the WA changes told Privacy International ...

 
A settlement with a so-called "patent troll" requiring it to repay all money received from organizations in New York should serve as a warning to other companies engaged in similar practices, the state's attorney general said.
 
Google's decision to pay $3.2 billion for Nest Labs, a mostly unknown maker of smart smoke alarms and thermostats, could be the start of a radical shift in the tech industry.
 
The really important question right now isn't what to do about Edward Snowden; it's how much surveillance is tolerable in a free society.
 
OpenJPEG CVE-2013-6053 Multiple Out of Bounds Memory Corruption Vulnerabilities
 

Overview of the January 2014 Microsoft patches and their status.

 

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
| --- | --- | --- | --- | --- | --- | --- |
| MS14-001 Remote Code Execution Vulnerability in Microsoft Word and Office Web Apps (Replaces MS13-072, MS13-084, MS13-086, MS13-100) | Word and SharePoint / Office Web Apps components related to Word docs. CVE-2014-0258, CVE-2014-0259, CVE-2014-0260 | KB 2916605 | No. | Severity: Important. Exploitability: 1 | Critical | Critical |
| MS14-002 Privilege Escalation Vulnerabilities in Windows Kernel (Replaces MS10-099) | NDPROXY driver. CVE-2013-5065 | KB 2914368 | Publicly disclosed and used in targeted attacks. | Severity: Important. Exploitability: 1 | Important | Important |
| MS14-003 Elevation of Privilege Vulnerability in Windows Kernel Mode Drivers (Replaces MS13-101) | win32k.sys Kernel Mode Driver. CVE-2014-0262 | KB 2913602 | No. | Severity: Important. Exploitability: 1 | Important | Important |
| MS14-004 Denial of Service Vulnerability in Microsoft Dynamics AX (Replaces none) | Microsoft Dynamics AX. CVE-2014-0261 | KB 2880826 | No. | Severity: Important. Exploitability: 1 | N/A | Important |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
Scammers have devised new ways to trick users into revealing personal information, hand over control of computers and pay for unnecessary software and tech support services, security experts warn.
 
Microsoft will likely talk up its next iteration of Windows, which some have already dubbed "Windows 9," at the BUILD developers conference in 11 weeks.
 
Don't worry, Yoshi. That's just the fabric of reality reprogramming itself before our eyes.

In the world of personal computing, hacks that exploit memory errors to allow for the execution of arbitrary (and often malicious) code are far from surprising anymore. What's more surprising is that such "arbitrary code" bugs are also present on the relatively locked-down computers inside of video game consoles.

This was demonstrated quite dramatically last week at Awesome Games Done Quick (AGDQ), an annual marathon fundraiser that this year raised over $1 million for the Prevent Cancer Foundation. The event focuses on live speedruns of classic games by human players and included a blindfolded Mike Tyson's Punch-Out!! run that ranks among the most impressive live video game playing performances I have ever seen. The most remarkable moment of the weeklong marathon, though, came when a robotic player took "total control" of an unmodified Super Mario World cartridge, reprogramming it on the fly to run simple versions of Pong and Snake simply by sending a precise set of inputs through the standard controller ports on the system.

The two-and-a-half minute video of this incredible exploit is pretty tough to follow if you're not intimately familiar with the state of emulator-assisted speedruns. At first, it looks like the game must have been hacked in some way to allow for things like multiple on-screen Yoshis, item boxes that spawn multiple 1-ups, and the ability for Mario to carry items while riding on Yoshi. In actuality, these seeming impossibilities are just glitches that have been discovered over the years through painstaking emulated playthroughs by the community at TASVideos (short for tool-assisted speedrun videos).

Read 8 remaining paragraphs | Comments

 
LinuxSecurity.com: New samba packages are available for Slackware 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New libXfont packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New php packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Two buffer overflow vulnerabilities were reported in Graphviz, a rich collection of graph drawing tools. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]
 
LinuxSecurity.com: Bind could be made to crash if it received specially crafted network traffic.
 
[slackware-security] samba (SSA:2014-013-04)
 
[slackware-security] php (SSA:2014-013-03)
 
[slackware-security] libXfont (SSA:2014-013-01)
 
[CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
 
A U.S. appeals court has struck down the U.S. Federal Communications Commission's net neutrality rules.
 
For enterprises that don't want employees to roam using cellular networks, Telefonica has launched Universal Wi-Fi, which offers coverage in 110 countries.
 
[security bulletin] HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS)
 
[SECURITY] [DSA 2843-1] graphviz security update
 
The coffee chain was smart enough to push mobile by not initially pushing mobile. It's an approach that can work for your business too, internally and externally.
 
Take some time in the early days of 2014 to improve the computer setup in your home office or small business. These security, networking, storage and productivity tips will help you work faster once you get back to business as usual.
 
The outrage is more about media hype, hypocrisy and grandstanding than firm principles.
 
Spamming and scanning botnets - is there something I can do to block them from my site?
 
This question keeps popping up on forums and all places popular with those beleaguered souls despondent over the random spamming and overfilled logs from scanning. Although this isn't a Magic ball question, the answer does come out as: maybe, maybe not.
 
The reason behind the ambiguity is logical, to a degree; it's easier to hinder, frustrate and reduce the effectiveness of automated botnet processes, like posting and scanning, than to stop them dead. 
 
Why? Glad you asked.
 
Botnets tend to be made up of a number of systems located in random locations globally. You'll get some that are region-specific, but the majority we at the Internet Storm Center (ISC) see are global in distribution. So unless you can pick out only the six IP addresses you completely trust as good*, you're accessible to every system on the planet that has an internet link. 
 
First and foremost you need to look at your logs and find those non-human attacks or blog spamming posts. We keep saying here at the ISC that you need to understand your logs. If you don't understand what you're seeing, research it or write in to us. It doesn't take too long to be able to work out a real human interaction against an automated non-human one. Have a look at one of our recent posts [1] to see the types of patterns automated processes leave behind in logs. 
 
Let's say you are now at one with your log files, so what next? From a random reader's submission of the bots they logged I did a little Excel shuffling, then some IP geo-locationing followed by more Excel-ing, finally breaking the IP addresses down to which country they came from. The results were interesting, as Spain has the highest set of bad IPs (13%), followed by: Argentina (9%), Italy (8%), Colombia (5%), United States (5%), United Kingdom (4%), Mexico (4%), Romania (4%) and Germany (4%).
 
So what can we divine from these random statistics? First we can acknowledge this botnet has a significant portion of its bots in Europe; second, the next biggest group is in South America, leaving the United States well out of the picture. Yeah, so what, I hear you yell. Now go back and look at the locations your human visitors came from. With a simple bit of review, you'll be able to work out that you never see visitors from, say, South America and New Zealand IP address ranges. 
 
Now you can make the determination to blacklist (deny) net blocks in those countries from ever being able to access your web site or blog. On the flip side you could block everything and whitelist (allow) certain countries. Or go crazy and play whack-a-mole by adding every single bad IP address to a block list. It's up to you.
 
The point of this piece is: look at your logs, understand your visitors, work out who actually needs to get to your site and block out the rest if the now constant automated scans annoy you.
 
Remember DShield loves logs [2] and Handlers love weird logs and packets, so start off your New Year by looking at your logs and sending in anything wild, crazy or that just seems plain odd to us at the Storm Center [3]. You'll learn something new and might help someone who's been puzzling over the same questions you're looking at now.
 
[1] https://isc.sans.edu/diary/Massive+PHP+RFI+scans/17387
[2] https://isc.sans.edu/howto.html 
[3] https://isc.sans.edu/contact.html#contact-form 
 
* This kind of breaks the Internet model and takes us back to the good ol' days of having a hosts file to resolve stuff on the 'Net.
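The log triage the diary walks through (find the non-human hits, geolocate their source IPs, tally by country, compare against where real visitors come from, then decide what to deny) as an added worked example; this is not the handler's code. The log lines, the bot heuristics and the network-to-country table are constructed for the example, the table standing in for a real GeoIP database.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log lines (documentation address ranges, not real traffic).
LOG_LINES = """\
203.0.113.10 - - [13/Jan/2014:10:01:02 +0000] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 404 312 "-" "libwww-perl/5.8"
203.0.113.11 - - [13/Jan/2014:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 298 "-" "Mozilla/4.0"
192.0.2.20 - - [13/Jan/2014:10:02:15 +0000] "GET /blog/2014/logs HTTP/1.1" 200 8123 "http://example.invalid/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.20 - - [13/Jan/2014:10:03:44 +0000] "POST /comment HTTP/1.1" 200 511 "-" "Mozilla/4.0"
192.0.2.130 - - [13/Jan/2014:10:04:01 +0000] "GET /about HTTP/1.1" 200 2210 "http://example.invalid/blog" "Mozilla/5.0 (Macintosh)"
198.51.100.30 - - [13/Jan/2014:10:05:09 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 301 "-" "python-requests/2.0"
"""

# Constructed stand-in for a GeoIP database: (network, ISO country code).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/28"), "ES"),
    (ipaddress.ip_network("203.0.113.16/28"), "AR"),
    (ipaddress.ip_network("198.51.100.0/24"), "IT"),
    (ipaddress.ip_network("192.0.2.0/25"), "US"),
    (ipaddress.ip_network("192.0.2.128/25"), "GB"),
]
SCRIPT_UAS = ("libwww-perl", "python-requests", "curl/", "wget/")
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin/", "/xmlrpc.php")  # apps this site does not run

def parse_line(line):
    """Fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return dict(m.groupdict(), status=int(m["status"])) if m else None

def is_automated(rec):
    """Heuristics for the non-human patterns the diary talks about."""
    path, ua = rec["path"].lower(), rec["ua"].lower()
    return ("=http://" in path or "=https://" in path                  # RFI-style remote include attempt
            or (rec["status"] == 404 and path.startswith(PROBE_PATHS))  # probing for absent apps
            or any(tag in ua for tag in SCRIPT_UAS)                     # scripting-library user agent
            or (rec["method"] == "POST" and rec["ref"] == "-"))         # form post with no Referer

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), "??")

def tally(lines):
    """Split source IPs into bot/human, then count distinct bot IPs per country."""
    bot_ips, human_ips = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec:
            (bot_ips if is_automated(rec) else human_ips).add(rec["ip"])
    return Counter(map(country_of, bot_ips)), {country_of(ip) for ip in human_ips}

def bot_share(bot_by_country):
    """Percentage of distinct bot IPs per country (the diary's 'Spain 13%' style figure)."""
    total = sum(bot_by_country.values())
    return {cc: round(100 * n / total) for cc, n in bot_by_country.items()}

def propose_deny_list(lines):
    """Countries that only ever send automated traffic are the candidates for a deny list."""
    bots, humans = tally(lines)
    return sorted(cc for cc in bots if cc not in humans and cc != "??")
```

On the sample data Spain accounts for half of the bot IPs and no human visitor comes from Spain, Argentina or Italy, so those three are the proposed country blocks while the US and UK stay open.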
 

Chris Mohan --- Internet Storm Center Handler on Duty

 
Target said Monday it is investing $5 million in a multi-year campaign to educate the public on the dangers of scams, after the company disclosed that up to 110 million people may have been affected by a data breach at the retailer's U.S. stores.
 
More Android apps may soon have built-in support for Bitcoin payments thanks to a new partnership between Coinbase and BitMonet.
 
What's the downside to successfully stealing 40 million credit card numbers from Target? Trying to sell the data.
 
The explanation that New Jersey closed access lanes on the heavily traveled George Washington Bridge for a 'traffic study' is a head scratcher for traffic engineers.
 
Sony's new Android phone, the Xperia Z1S, combines a distinctive design and premium build with stellar stamina and an underwater-capable camera.
 

Posted by InfoSec News on Jan 14

http://arstechnica.com/science/2014/01/new-cyber-attack-model-helps-predict-timing-of-the-next-stuxnet/

By Akshat Rathi
Ars Technica
Jan 13 2014

Of the many tricks used by the world’s greatest military strategists, one
usually works well—taking the enemy by surprise. It is an approach that
goes back to the horse that brought down Troy. But surprise can only be
achieved if you get the timing right. Timing which, researchers at the...
 

Posted by InfoSec News on Jan 14

http://news.techworld.com/security/3496940/target-hackers-have-more-data-than-they-can-sell/

By Jeremy Kirk
Techworld
14 January 2014

What's the downside to successfully stealing 40 million credit card
numbers from Target? Trying to sell the data.

There's a thriving economy among cybercriminals, some of whom specialize
in stealing credit card numbers to others who figure out a way to profit.
But it's also constrained by...
 

Posted by InfoSec News on Jan 14

http://www.channelregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss/

By Gavin Clarke
The Channel
14th January 2014

FOIs reveal bureaucrats losing switchover race by widest margin

Exclusive - Thousands of PCs at Britain’s biggest public sector bodies
will miss Microsoft’s April deadline to abandon Windows XP before open
season for hackers begins.

HMRC and the NHS in England and Scotland will still be running thousands
of...
 

Posted by InfoSec News on Jan 14

http://www.telegraph.co.uk/motoring/news/10569052/Hackers-could-compromise-car-safety.html

By Roger Stansfield
The Telegraph
14 Jan 2014

Internet security is becoming as much of an issue in cars as in the home
or office as a result of the increasing number of models offering
connectivity services.

This problem was highlighted at the Consumer Electronics Show in Las Vegas
last week, when audio manufacturer Harman warned that cyber attackers...
 

Posted by InfoSec News on Jan 14

http://www.janes.com/article/32169/hacking-group-s-threat-to-winter-olympics-in-russia-highlights-risk-of-cyber-attacks-on-sponsor

IHS Jane's Intelligence Weekly
08 January 2014

Key Points

* A group calling itself the Caucasus Anonymous issued a threat on 30
December to undertake a "cyber war" against the Winter Olympics.
* The group is unlikely to be able to threaten actual Games operations
because of the high levels of...
 

Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness ...
Register
The initiative has earned the support of UK infosec firms such as Sophos, which is providing security expertise and content for the Cyberstreetwise site. James Lyne, global head of security research at Sophos, explained that Cyber Streetwise is ...

 