Computer scientists have devised a technique that could one day allow advertisers or law enforcement organizations to surreptitiously fingerprint smartphones.

The attack, recently unveiled by a team of researchers from Stanford University, could be attractive because it works against virtually any smartphone equipped with an "accelerometer." That's the sensor that detects how a person is tilting the phone and switches the display between landscape and vertical orientation accordingly. No special apps or permissions are required beyond a standard browser running with default settings. The technique leaves no browser cookies or other files on the device disk, making it hard for end users to detect using any security or privacy software available today.

The technique works when a smartphone visits a website that hosts JavaScript code that queries the accelerometer for its orientation. This proof-of-concept site requires the phone to be held face up on a flat surface and, a few moments later, to be tapped and then turned face down. While the z coordinates measured by the sensor should in theory read -1 and 1 respectively, most smartphones inevitably report minuscule variations: 0.71217 and 0.99324, for example, on a test device, rounded down for purposes of anonymity. The precise coordinates, according to the site, were unique among 5,000 records.



Cisco Unified Computing System CVE-2012-4105 Local Denial of Service Vulnerability
Cisco Unified Computing System CVE-2012-4106 Local Privilege Escalation Vulnerability
The current mess in Washington has tech lobbyists trying to figure out what happens after the shutdown and default issues are resolved. The predictions of several lobbyists, all speaking on background, follow.

I came across this page because I have a Samsung Wave phone that keeps calling the police when it is locked and the protective cover is down, and I will be taking it back to Currys for a second time and will demand my money back this time.

You could write what I know about mobile phones on the back of a postage stamp, but I am an expert on PC security and I can tell you that you are being watched more than ever. Samsung make great TVs, but the smart TV I got from them sends the MAC address of the TV using HTTP messages to Korea and Samsung.com, and then the TV connects to everyone from Google to YouTube, all within a second of turning the TV on.

Samsung knows it's you using the IP address since they have the MAC address registered to you, and Google plus everyone else knows that you are using a Samsung TV from the user-agent in the HTTP requests, so it becomes a fair bet that Samsung is completing the triangle and is being paid to confirm it's you on that IP address to fee-paying customers like Google/Microsoft, who all share data.

No point locking the door if someone outside is giving away copies of your front door key

SSL/HTTPS is often not used to protect you but to hide the spyware scripts used by the likes of Google, and in any case it seems that most ISPs are now using a MITM SSL certificate to decrypt all your data.

Smartphones and smart TVs are not so smart after all, so don't throw those old phones away that cannot be hacked, and just think: some come without a stupid one-touch SOS button that might get you into a lot of trouble and gives the police an excuse to kick in anyone's door and say that it was the phone that did it.

The sales pattern of the iPhone 5S and iPhone 5C closely resembles the mix in 2012 of the then-new iPhone 5 and the year-old iPhone 4S, an analyst said today, acknowledging that overeager investors will interpret the data to claim that the former or the latter -- or both -- are failures.
Scientists in Germany and The Netherlands have determined that using tungsten and silicon nitride as a storage medium, they can store data that will last from a million to a billion years.
Managed security service providers get paid by enterprise customers to stop malware or other kinds of cyberattacks, but if they fail, they face what's often a multi-million-dollar liability.
D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.
Bilboplanet 'index.php' Multiple Cross-Site Scripting Vulnerabilities
BilboPlanet 'auth.php' SQL Injection Vulnerability
osCommerce 'products_id' Parameter HTML Injection Vulnerability
The Brazilian Federal Data Processing Service, known as Serpro, will build a secure email system for Brazil's federal government following media reports that foreign intelligence agencies intercepted electronic communications in the country.
LinuxSecurity.com: Multiple security issues in systemd have been discovered by Sebastian Krahmer and Florian Weimer: Insecure interaction with DBUS could lead to the bypass of Policykit restrictions and privilege escalation or denial of service through an integer overflow in journald and missing [More...]
LinuxSecurity.com: Multiple vulnerabilities have been fixed in the Drupal content management framework, resulting in information disclosure, insufficient validation, cross-site scripting and cross-site request forgery. [More...]

Re: iPad factory blast; 60+ Chinese workers hurt (video)

by スント 時計 アウトレット

I'm curious to find out what blog system you happen to be utilizing? I'm experiencing some small security issues with my latest site and I would like to find something more secure. Do you have any solutions? スント 時計 アウトレット
LinuxSecurity.com: Aki Helin of OUSPG discovered many out-of-bounds read issues in libxml2, the GNOME project's XML parser library, which can lead to denial of service issues when handling XML documents that end abruptly. [More...]
LinuxSecurity.com: Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service [More...]

In the HBO hit series The Wire, disposable cell phones were the bane of detectives' lives. Drug dealers obtained these prepaid "burners" in mass quantities with cash at multiple stores hundreds of miles away from where they were used. After a week or two of use, a crook would destroy one cheap handset and fetch a new one. The Baltimore Police detectives' inability to tap the phones stymied their investigation into one of the city's most ruthless crime families—until they found a way to track the devices.

The National Security Agency may have made a similar breakthrough. Cato Institute researcher and Ars alum Julian Sanchez recently pulled a few sentences from a 2009 declaration by NSA Director Keith Alexander. They describe an unnamed tool that routinely accessed the vast database of call records assembled by the NSA. Sanchez argues that the purpose may be to identify burner phones used by NSA targets. The tool, according to Alexander's declaration:

was automatically invoked to support certain types of analytical research. Specifically, to help analysts identify a phone number of interest. If an analyst conducted research supported by [REDACTED] the analyst would receive a generic notification that NSA’s signals intelligence (“SIGINT”) databases contained one or more references to the telephone identifier in which the analyst was interested; a count of how many times the identifier was present in SIGINT databases; the dates of the first and last call events associated with the identifier; a count of how many other unique telephone identifiers had direct contact with the identifier that was the subject of the analyst’s research; the total number of calls made to or from the telephone identifier that was the subject of the analyst’s research; the ratio of the count of total calls to the count of unique contacts; and the amount of time it took to process the analyst’s query. [REDACTED] did not return to the analyst the actual telephone identifier(s) that were in contact with the telephone identifier that was the subject of the analyst’s research and the analyst did not receive a listing of the individual NSA databases that were queried by [REDACTED].

Sanchez writes:



Cisco Unified Computing System CVE-2012-4108 Local Command Injection Vulnerability
Enterprises will standardize on Windows 7 and Office 2010 and will ignore Microsoft's newer operating system and suite for years, research firm Gartner predicted.
The U.S. government's healthcare portal is under emergency care, afflicted by ailments that have sickened many government IT health systems worldwide.
Network Security Services Uninitialized Data Read Security Vulnerability
Imagination Technologies will deliver its first Warrior CPU core to device makers by the end of the year, beginning a campaign to make the MIPS architecture a more potent rival to ARM and x86.
Microsoft's next Windows Phone update opens the door for 1080p screens and more powerful processors from Qualcomm.
What should IT be paying attention to above all else? How about our organizations' potential for human effectiveness?
PolarSSL RSA Private Key Recovery Security Bypass Vulnerability
Linux Kernel CVE-2013-4387 Memory Corruption Vulnerability

Pondering interesting infosec transactions
SC Magazine Australia
ProofPoint - who are serial acquirers in the cyber-security industry - acquired Sendmail for about $23 Million in cash, paying a revenue multiple of something like 10, and a profit multiple of n/a since by the sounds of the announcement, Sendmail as a ...

HTC's newest phone, the 5.9-inch HTC One Max, includes a fingerprint scanner -- although unlike the one in Apple's latest iPhone, it's located on the back of the device.
QEMU CVE-2013-4344 Remote Buffer Overflow Vulnerability
Xen CVE-2013-4361 Information Disclosure Vulnerability
Facebook has agreed to acquire mobile data compression startup Onavo and plans to use its technology in an effort to make Internet access more affordable, Facebook said .
A backdoor found in firmware used in several D-Link routers could allow an attacker to change a device's settings, a serious security problem that could be used for surveillance.
The administrator for ".my" domain names in Malaysia plans to strengthen the security of partners that resell its services following an attack that affected Google on Friday.
Microsoft on Friday shipped a toolkit to block Internet Explorer 11 from automatically installing on Windows 7 PCs, a signal that the new browser will release in the next few weeks.
Most Linux enthusiasts prefer to install the OS into existing systems. However, if you don't have the time or inclination to deal with the tinkering involved, you can try a preloaded Linux PC or laptop.
International Components for Unicode Use After Free Remote Code Execution Vulnerability
[SECURITY] [DSA 2779-1] libxml2 security update
Apache 'mod_fcgid' Module CVE-2013-4365 Heap Buffer Overflow Vulnerability
CFP: Passwords^13 Bergen (Norway), December 2-3 2013
[CISTI'2014]: Call for Workshops
Wordpress Cart66 Plugin Multiple Vulnerabilities
[SECURITY] [DSA 2778-1] libapache2-mod-fcgid security update

Posted by InfoSec News on Oct 14


THV 11 News
Oct 13, 2013

LITTLE ROCK, AR - Christopher R. Thyer, United States Attorney for the
Eastern District of Arkansas; and James Hendricks, Acting Special Agent in
Charge of the Little Rock Field Office of the Federal Bureau of
Investigation (FBI); announced today that Jason Woodring, age 37, of
Jacksonville, Arkansas, was arrested on...

Posted by InfoSec News on Oct 14


The Call for Papers for the 4th BayThreat security conference is open!

BayThreat is a 2 day event in the Bay Area, CA, December 6th & 7th. The
BayThreat team is taking the theme for BayThreat 4 back to the classics:
"Building & Breaking Security." Two tracks, each tackling opposite sides of the
security fence.

Most importantly, however, all of the talks must be ACTIONABLE. Speakers must...

Posted by InfoSec News on Oct 14


By Peter Apps and Brenda Goh
Oct 13, 2013

For the governments and corporations facing increasing computer attacks,
the biggest challenge is finding the right cyber warriors to fight back.

Hostile computer activity from spies, saboteurs, competitors and criminals
has spawned a growing industry of corporate defenders who can attract the
best talent...

Posted by InfoSec News on Oct 14


By Smita Mainkar
14 Oct, 2013

RAIPUR: He hacked some of the most secured internet networks existing on
world wide web and got rewarded by his targets. Monendra Sahu, a young
mining engineer from National Institute of Technology (NIT-Raipur) has the
distinction of hacking websites of Microsoft,...

Posted by InfoSec News on Oct 14


By Cromwell Schubarth
Senior Technology Reporter
Silicon Valley Business Journal
Oct 10, 2013

Cybersecurity is hot, with FireEye's recent doubling in stock price after
going public and this week's $255 million acquisition of fingerprint tech
company Validity Sensors the most recent examples.

But these are hardly isolated examples, according to...
Cisco Unified Communications Manager CVE-2013-5528 Directory Traversal Vulnerability
Internet Storm Center Infocon Status