Information Security News
Users of Tweetdeck, and possibly other Twitter apps, take note: old settings can come back to trip you up. Digital media strategist Kate Gardiner learned this lesson first hand on Tuesday, when she inadvertently caused at least a dozen separate news-oriented Twitter accounts to tweet "f gwenifill" in unison.
The errant tweets quickly triggered suspicions of another hack involving the hijacking of a high-profile Twitter account, only in this case at least 12 accounts would have been taken over and used to poke fun at PBS News Hour anchor Gwen Ifill.
The cause turned out not to be a hack, but rather the mismanagement of the Tweetdeck application Gardiner had used for years to send tweets for a variety of different media outlets. In the course of clearing out the old credentials, she said, she accidentally sent out a tweet. Because her Tweetdeck was still associated with the Twitter accounts of her old employers or clients, it ended up broadcasting the "f gwenifill" tweet to all of them.
Today we also got Oracle's quarterly "Critical Patch Update". As announced, we got a gross, or 144, different patches from Oracle. But remember that these patches affect 47 different products (if I counted right).
The product we are overall most worried about is Java. With this CPU, 34 security vulnerabilities are fixed in Java SE. So again: Patch or disable (fast).
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Adobe released two bulletins today:
1 - Reader/Acrobat
This bulletin fixes three vulnerabilities. Adobe rates this one "Priority 1" meaning that these vulnerabilities are already exploited in targeted attacks and administrators should patch ASAP.
After the patch is applied, you should be running Acrobat/Reader 11.0.06 or 10.1.9.
2 - Flash Player and Air
The Flash Player patch fixes two vulnerabilities. The Flash Player problem is rated "Priority 1" for Windows and OS X. The AIR vulnerability is rated "3" for all operating systems. For Linux, either patch is rated "3".
Patching Flash is a bit more complex in that it is bundled with some browsers, in which case you will need to update the browser itself. For example, Internet Explorer 11 and Chrome include Flash.
http://helpx.adobe.com/security/products/flash-player/apsb14-01.html
http://helpx.adobe.com/security/products/flash-player/apsb14-02.html
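The Reader/Acrobat bulletin above gives two different "patched" versions, one per release branch (11.0.06 for 11.x, 10.1.9 for 10.x), so a naive "is the version at least 11.0.06" check would wrongly flag every patched 10.x install. The following is an added example, not code from the ISC diary or from Adobe, that audits a constructed inventory of installed versions branch by branch; the hostnames, the status labels and the `PATCHED_READER` table are assumptions made for the example, with the version numbers taken from the bulletin text.

```python
# Added example (not from the ISC diary): check whether an installed
# Acrobat/Reader version is at or above the patched level for its branch.
# Patched versions come from the bulletin above: 11.0.06 for the 11.x
# branch and 10.1.9 for the 10.x branch. Because they are branch-specific,
# the comparison must be done within the branch, not against a single
# global minimum.

from typing import Dict, Tuple

# Minimum patched version per major branch (from the bulletin text above).
PATCHED_READER: Dict[int, str] = {
    11: "11.0.06",
    10: "10.1.9",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.06' into (11, 0, 6); non-numeric input raises ValueError."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def reader_status(installed: str, patched: Dict[int, str] = PATCHED_READER) -> str:
    """
    Classify an installed Acrobat/Reader version (labels are assumptions):
      'patched'     - at or above the fixed version for its branch
      'vulnerable'  - same branch, but below the fixed version
      'unsupported' - a branch the bulletin does not cover (e.g. 9.x)
    """
    version = parse_version(installed)
    major = version[0]
    if major not in patched:
        return "unsupported"
    # Tuple comparison is element-wise, so (10, 1, 9) >= (10, 1, 9) is True
    # and (11, 0, 5) < (11, 0, 6). The zero-padded '06' is normalised by int().
    return "patched" if version >= parse_version(patched[major]) else "vulnerable"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for an inventory of installed versions."""
    return {host: reader_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ws-01": "11.0.06",
        "ws-02": "11.0.05",
        "ws-03": "10.1.9",
        "ws-04": "10.1.8",
        "ws-05": "9.5.5",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

The branch lookup is the point: an inventory tool that sorts versions as plain strings or compares everything against the newest branch will report 10.1.9 as out of date and may miss 9.x hosts entirely, since the bulletin names no fixed version for that branch.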
Defence mulls surveillance malware export restrictions (iT News): The addition of security technology to the WA dual-use lists leaves open the possibility that penetration testing tools relied on by infosec professionals could be restricted. But London officials close to the WA changes told Privacy International ...
Overview of the January 2014 Microsoft patches and their status.
# | Vulnerability | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers
---|---|---|---|---|---|---|---
MS14-001 | Remote Code Execution Vulnerability in Microsoft Word and Office Web Apps (Replaces MS13-072, MS13-084, MS13-086, MS13-100) | Word and SharePoint / Office Web Apps components related to Word docs. CVE-2014-0258, CVE-2014-0259, CVE-2014-0260 | KB 2916605 | No. | Severity: Important, Exploitability: 1 | Critical | Critical
MS14-002 | Privilege Escalation Vulnerabilities in Windows Kernel (Replaces MS10-099) | NDPROXY driver. CVE-2013-5065 | KB 2914368 | Publicly disclosed and used in targeted attacks. | Severity: Important, Exploitability: 1 | Important | Important
MS14-003 | Elevation of Privilege Vulnerability in Windows Kernel Mode Drivers (Replaces MS13-101) | win32k.sys kernel mode driver. CVE-2014-0262 | KB 2913602 | No. | Severity: Important, Exploitability: 1 | Important | Important
MS14-004 | Denial of Service Vulnerability in Microsoft Dynamics AX | Microsoft Dynamics AX. CVE-2014-0261 | KB 2880826 | No. | Severity: Important, Exploitability: 1 | N/A | Important
(**): The exploitability rating we show is the worst of them all, because Microsoft assigns too many separate ratings to some of the patches to list individually.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
In the world of personal computing, hacks that exploit memory errors to allow for the execution of arbitrary (and often malicious) code are far from surprising anymore. What's more surprising is that such "arbitrary code" bugs are also present on the relatively locked-down computers inside of video game consoles.
This was demonstrated quite dramatically last week at Awesome Games Done Quick (AGDQ), an annual marathon fundraiser that this year raised over $1 million for the Prevent Cancer foundation. The event focuses on live speedruns of classic games by human players and included a blindfolded Mike Tyson's Punch-Out!! run that ranks among the most impressive live video game playing performances I have ever seen. The most remarkable moment of the weeklong marathon, though, came when a robotic player took "total control" of an unmodified Super Mario World cartridge, reprogramming it on the fly to run simple versions of Pong and Snake simply by sending a precise set of inputs through the standard controller ports on the system.
The two-and-a-half minute video of this incredible exploit is pretty tough to follow if you're not intimately familiar with the state of emulator-assisted speedruns. At first, it looks like the game must have been hacked in some way to allow for things like multiple on-screen Yoshis, item boxes that spawn multiple 1-ups, and the ability for Mario to carry items while riding on Yoshi. In actuality, these seeming impossibilities are just glitches that have been discovered over the years through painstaking emulated playthroughs by the community at TASVideos (short for tool-assisted speedrun videos).
Chris Mohan --- Internet Storm Center Handler on Duty
Posted by InfoSec News on Jan 14:
http://arstechnica.com/science/2014/01/new-cyber-attack-model-helps-predict-timing-of-the-next-stuxnet/
http://news.techworld.com/security/3496940/target-hackers-have-more-data-than-they-can-sell/
http://www.channelregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss/
http://www.telegraph.co.uk/motoring/news/10569052/Hackers-could-compromise-car-safety.html
http://www.janes.com/article/32169/hacking-group-s-threat-to-winter-olympics-in-russia-highlights-risk-of-cyber-attacks-on-sponsor
Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness ... (Register): The initiative has earned the support of UK infosec firms such as Sophos, which is providing security expertise and content for the Cyberstreetwise site. James Lyne, global head of security research at Sophos, explained that Cyber Streetwise is ...