Hackin9
Oracle Database Server CVE-2013-3774 Remote Security Vulnerability
 
RETIRED: Oracle Database Server CVE-2013-3774 Remote Security Vulnerability
 
RETIRED: Oracle Database Server CVE-2013-3751 Remote Security Vulnerability
 
Apple's partnership with IBM to tackle the mobile enterprise could have lasting ramifications for both companies -- as well as for rivals Google, Microsoft and BlackBerry. It could also make life a lot easier for IT staff at large enterprises.
 
Microsoft Azure just became the next cloud connection for NetApp Private Storage, which can already link enterprise storage to Amazon Web Services.
 
The business-focused deal between Apple and IBM unveiled Tuesday is "brilliant," one analyst said, noting that Apple now gets into the enterprise through the front door rather than the back.
 
Intel has started shipping Xeon E5 chips based on the Haswell microarchitecture to server makers, and the chip will be in servers this quarter.
 
Oracle E-Business Suite CVE-2014-4248 Local Security Vulnerability
 
Oracle E-Business Suite CVE-2014-2482 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2014-4213 Remote Security Vulnerability
 

Infosec still a concern for state's Auditor-General
WA today
Information security remains an area of concern for Queensland's Auditor-General, with the number of “significant control weaknesses” identified ...
 
Google+ may attract some new -- and mysterious -- users after Google announced Tuesday it was abolishing its real-names policy for the profiles in the service.
 
Delays in Intel's production of the upcoming Broadwell chip won't push back its successor, Skylake, still expected next year.
 
Oracle Database Server CVE-2014-4236 Remote Security Vulnerability
 
Oracle Database Server CVE-2014-4237 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2014-4235 Remote Security Vulnerability
 
Oracle Hyperion Common Admin CVE-2014-4270 Remote Security Vulnerability
 
Oracle Hyperion BI+ CVE-2014-0436 Remote Security Vulnerability
 
Oracle Hyperion Analytic Provider Services CVE-2014-4246 Remote Security Vulnerability
 
Oracle Hyperion Enterprise Performance Management Architect Local Security Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

In addition to the Java vulnerabilities that I covered earlier, there is at least one more vulnerability that warrants attention: CVE-2013-3751, a problem in the XML parser of Oracle Database. Reading the description, I had a bit of a déjà-vu, also because of the CVE number from last year. And digging into past alerts, I found that, yes, this has indeed been patched before:

Looks like the Oracle 12 code was forked before the 11g patch went in, and nobody ported it over, so Oracle 12 remained exposed to the same bug until now. This speaks volumes about Oracle's software development life cycle and security processes... Dear Larry Ellison: how about writing a "Trustworthy Computing" memo for your staff, and then following through on it? I'm sure Bill Gates won't mind much if you simply copy his from 2002 and do a little search-and-replace.

For other untrustworthy computing features brought to you by this month's CPU patch bundle, see https://blogs.oracle.com/security/ and http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Bank of America illegally copied $300 million worth of Tibco's enterprise software for use in a massive IT project at its Merrill Lynch subsidiary, Tibco alleges in a lawsuit.
 
Software developers may find more employers using customized bonuses to attract and retain them as the job market for their skills stays competitive, according to a salary survey from IT job site Dice.
 
Yahoo reported falling sales and mixed results in its crucial advertising business on Tuesday, signaling further challenges ahead in CEO Marissa Mayer's efforts to turn around the aging company.
 
Apple and IBM today unveiled an "exclusive partnership" that melds IBM's big data and analytics capabilities with Apple's iPhone and iPad for business customers.
 
Intel's second-quarter earnings got a boost from a quicker-than-expected turnaround in the PC market, driven by the continuing upgrades from Windows XP, the chip maker said Tuesday.
 
Just a few of the "weaponized" capabilities from GCHQ's catalog of information warfare tools.

What appears to be an internal Wiki page detailing the cyber-weaponry used by the British spy agency GCHQ was published today by Glenn Greenwald of The Intercept. The page, taken from the documents obtained by former NSA contractor Edward Snowden, lists dozens of tools used by GCHQ to target individuals and their computing devices, spread disinformation posing as others, and “shape” opinion and information available online.

The page had been maintained by GCHQ’s Joint Threat Research Intelligence Group (JTRIG) Covert Internet Technical Development team, but it fell out of use by the time Snowden copied it. Greenwald and NBC previously reported on JTRIG’s “dirty tricks” tactics for psychological operations and information warfare, and the new documents provide a hint at how those tactics were executed. GCHQ’s capabilities included tools for manipulating social media, spoofing communications from individuals and groups, and warping the perception of content online through manipulation of polls and web pages’ traffic and search rankings.

Originally intended to inform other organizations within GCHQ (and possibly NSA) of new capabilities being developed by the group, the JTRIG CITD team noted on the page, “We don’t update this page anymore, it became somewhat of a Chinese menu for effects operations.” The page lists 33 “effects capability” tools, as well as a host of other capabilities for collecting information, tracking individuals, attacking computers, and extracting information from seized devices.


"You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications," writes Google security researcher Chris Evans. To help make that a reality, Google has put together a new team of researchers whose sole purpose is to find security flaws in software—any software—that's used on the Internet.

Google employees have found and reported security flaws in the past, but only as a part-time effort. The new "Project Zero" team will be dedicated to hunting for the kind of exploitable flaws that could be used to spy on human rights activists or conduct industrial espionage. Aiming to disrupt targeted attacks, the team will look at any software that's depended on by a large number of people.

Project Zero will report bugs it finds only to the software vendor, and it will give those vendors 60 to 90 days to issue patches before public disclosure. This time frame may be reduced for bugs that appear to be actively exploited.

 
Apple is making a big push for the corporate IT market through a partnership with IBM, which will develop iOS apps for its big data and analytics services and promote iPhones and iPads to its clients.
 

Welcome to the n-th iteration of "patch now" for Java on workstations. Oracle today published their quarterly patch bulletin, and Java SE is once again prominently featured. This Critical Patch Update (CPU) contains 20 new security fixes for Oracle Java SE. Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc., will soon follow.

Oracle/Java is probably by now one of the most successful charities in the world, it continues to do an outstanding job at enabling significant wealth transfer to support poor cyber criminals and their families. Except that the sources of the funds usually have no idea, and didn't agree to donate directly from their bank accounts ...

After the past three years of repeated gaping holes in Java, we hope that by now you have found a way to remove Java from your computers entirely, or to at least no longer run the Java plugin within the web browser.  Otherwise, it is back to the hamster wheel, to yet again re-test all your applications that still require Java, to check for the inevitable incompatibilities with this latest release, and then to expedite the roll-out. This is definitely a patch that you don't want to skip or delay.

The full Oracle patch bulletin is available here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA

The other Oracle patches (for database, etc.) released in today's CPU are still under analysis here at SANS ISC. I'll post about them later, if warranted.

Ralph Whitworth, who'd been chairman of Hewlett-Packard for just over a year, is resigning from his job for health reasons, HP said on Tuesday.
 
The U.S. House of Representatives has voted to permanently extend a ban on Internet access taxes that Congress has temporarily extended three times over the past 16 years.
 
Intel's answer to the popular $25 Raspberry Pi credit-card sized PC, the Galileo Gen2, is set to be available in August for around $60.
 
Many scientists believe we're not alone in the universe, and NASA researchers say discovering if that's true is within their reach.
 
Two weeks ago, venerable media company Condé Nast -- publisher of magazines like Vogue, The New Yorker and Wired -- decommissioned its Newark, Del. data center. The 67,200-square-foot facility had already been sold and the deal closed. The 105-year-old company had gone all-in with the cloud.
 
Microsoft's COO says his company and its army of OEMs will compete on price with Google's Chromebooks, a milestone in Microsoft's battle against the encroaching enemy.
 

Update: A few hours after this article was published, OpenBSD founder Theo de Raadt emailed Ars and wrote: "It is way overblown. This will never happen in real code." The vulnerability, cataloged as CVE-2014-2970, already has been patched, with modified code located here.

The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.

The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers. When done correctly, the pool of numbers supplied is so vast that the output will almost never be repeated in subsequent requests, and there should be no way for adversaries to accurately predict which numbers are more likely than others to be chosen. Generators that don't produce an extremely large pool of truly random numbers can undermine an otherwise robust encryption scheme. The Dual_EC_DRBG influenced by the National Security Agency and used by default in RSA's BSAFE toolkit, for instance, is reportedly so predictable that it can undermine the security of applications that rely on it.

The U.S. Federal Communications Commission's Web comments form crashed Tuesday morning in the hours before the agency's first deadline for submitting comments on its net neutrality proposal.
 
The National Institute of Standards and Technology needs to hire more cryptographers and improve its collaboration with the industry and academia, reducing its reliance on the U.S. National Security Agency for decisions around cryptographic standards.
 
PHP 'ext/spl/spl_dllist.c' Local Denial of Service Vulnerability
 
Node Browserify RCE vuln (<= 4.2.0)
 
[security bulletin] HPSBGN03068 rev.1 - HP OneView running OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, Disclosure of Information
 
Google has set up an internal task force that will work to expose the activities and techniques of malicious Internet wrongdoers, aiming to cut down on the number of targeted cyberattacks.
 
Google has reached a deal with Alcon to work together on smart contact lenses that can monitor diabetics' blood sugar levels.
 
CIOs with an eye on mobility have probably spent a small fortune creating a private enterprise app store. They've spent countless hours tending to an environment where business managers plant seeds for app ideas and developers bring those ideas to fruition. Often, the number of mobile enterprise apps sprouts like weeds.
 
Box has integrated its cloud storage and file share service with Microsoft's Office productivity apps suite, and will offer unlimited capacity to customers of its Business edition, as the company waits for the right time to go public.
 
 
Microsoft Windows On-Screen Keyboard CVE-2014-2781 Local Privilege Escalation Vulnerability
 
Microsoft DirectX DirectShow CVE-2014-2780 Local Privilege Escalation Vulnerability
 
PHP 'ext/spl/spl_array.c' Local Denial of Service Vulnerability
 
Ruxcon 2014 Final Call For Presentations
 
Cloud storage and file-sharing fever has hit Zimbra.
 
You may not be an AT&T or Verizon wireless customer, but part of your monthly cell phone bill likely winds up in their coffers. That's because the two mobile giants charge sky-high roaming rates when competitors' customers access the AT&T and Verizon networks as they travel out of range of their smaller networks.
 
"We're not really here to talk about the future too much, but I'm going to tell you that our biggest investment by far will be a next-generation virtual world. Something in the spirit of Second Life."
 
[security bulletin] HPSBHF02913 rev.1 - HP Intelligent Management Center (iMC) and HP Branch Intelligent Management System (BIMS), Remote Disclosure of Information
 
[security bulletin] HPSBST03039 rev.1 - HP StoreVirtual 4000 Storage and StoreVirtual VSA, Remote Disclosure of Information, Elevation of Privilege
 
A status update filed in Pennsylvania by the U.S. Department of Justice said that both the Gameover Zeus botnet and Cryptolocker 'remained neutralized.'
 
LinuxSecurity.com: Updated ror40-rubygem-activerecord packages that fix one security issue are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated ruby193-rubygem-activerecord packages that fix one security issue are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
Oracle is hoping to turn heads in the crowded data analysis market with Big Data SQL, a software tool that can run a single SQL query against Oracle's own database as well as Hadoop and NoSQL data stores.
 
Google's Nest subsidiary and heavy hitters including Samsung Electronics and Arm Holdings are launching the latest bid to make sensors, cameras, appliances and other devices in homes easily talk to each other.
 
Amazon Web Services is offering on its Marketplace annual subscriptions to over 90 software products, which could help customers cut software costs by over 40%, the Amazon.com unit said.
 
Motorola Solutions on Tuesday unveiled a speech technology upgrade targeting mobile device workers in warehouses and distribution centers.
 
The quantum computing technology developed by D-Wave gets ongoing scientific debate, but it's also getting money, $28 million last week, bringing its total funding to about $150 million.
 
Two years after losing high-profile government work to Amazon Web Services, IBM has revamped the way it structures enterprise cloud services contracts, thanks in part to its $2 billion acquisition of cloud services provider SoftLayer.
 
Microsoft's widely used software for brokering network access has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue has been long-known and defenses are in place.
 

Posted by InfoSec News on Jul 15

http://www.infosecnews.org/hacking-a-100k-tesla-model-s-for-fun-and-10k-profit/

By William Knowles
Senior Editor
InfoSec News
July 14, 2014

At the 2014 SyScan 360 Conference, being held July 16th and 17th 2014 at
the Beijing Marriott Hotel Northeast in Beijing China. Security
professionals and hackers paying $319 to attend the conference will have
the opportunity to win $10,000 if they can compromise the security of the
Tesla Model S....
 

Posted by InfoSec News on Jul 15

http://thehill.com/regulation/212134-fcc-mulls-emergency-alert-system-overhaul-for-broadcasters

By Tim Devaney
The Hill
07/14/14

The Federal Communications Commission (FCC) is looking to overhaul the
Emergency Alert System so the president can speak to the country at the
flip of a switch in the event of a nationwide emergency.

The national Emergency Alert System broadcasts television alert messages
to warn people about immediate dangers....
 

Posted by InfoSec News on Jul 15

http://variety.com/2014/tv/news/mr-robot-usa-sam-esmail-1201262044/

By Whitney Friedlander
News Editor
Variety
@loislane79
July 14, 2014

USA has given a pilot pickup to "Mr. Robot," a drama about an anti-social
computer programmer who finds he can only connect with other people by hacking
into their personal lives.

The Universal Cable Productions project from executive producers Sam Esmail
("Comet") and Anonymous...
 

Posted by InfoSec News on Jul 15

http://www.eweek.com/security/chinese-hacker-charged-with-stealing-u.s.-defense-contractor-secrets.html

By Sean Michael Kerner
eWEEK.com
2014-07-14

The FBI gets Canadian authorities to hold a Canadian-Chinese resident on
charges of stealing information from U.S. defense contractors, including
Boeing and Lockheed Martin.

Not all Chinese hackers are actually in China. Case in point is a newly
revealed case against Su Bin, who is alleged to...
 

Posted by InfoSec News on Jul 15

http://blogs.wsj.com/riskandcompliance/2014/07/11/survey-roundup-cybersecurity-complacency-threatens-ma-deals/

By BEN DIPIETRO
Wall Street Journal
July 11, 2014

Taking Risks for Granted: A global survey of 214 senior dealmakers by law
firm Freshfields Bruckhaus Deringer found a worrying level of complacency
toward the assessment of cyber risks during M&A deals. The survey found
90% of respondents said cyber breaches would result in a...
 

Posted by InfoSec News on Jul 15

Forwarded from: "Jackie Blanco" <jackie (at) sdiwc.info>

The International Conference on Information Security and Cyber Forensics
(InfoSec 2014)

October 8-10, 2014
Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia

http://goo.gl/y8LNrR

All registered papers will be included in SDIWC Digital Library.

The conference aims to enable researchers build connections between
different digital applications. The...
 

Posted by InfoSec News on Jul 15

http://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-keep-hackers-at-bay/

By David Shamah
The Times of Israel
July 14, 2014

There isn’t much Prime Minister Benjamin Netanyahu and Hamas have in
common — but one thing they do agree on is how to keep their websites safe
from hackers. Both rely on a web service called CloudFlare, which helps
customers avoid hacking and denial of service attacks.

CloudFlare enables users to mask their...
 