Hackin9

Posted by InfoSec News on May 16

http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

By Dan Goodin
Ars Technica
May 15 2013

For more than two years, the Linux operating system has contained a
high-severity vulnerability that gives untrusted users with restricted
accounts nearly unfettered "root" access over machines, including
servers running in shared Web hosting facilities and other sensitive
environments....
 

Posted by InfoSec News on May 16

http://www.bankinfosecurity.com/detangling-45-million-cyberheist-a-5759

By Tracy Kitten
Bank Info Security
May 15, 2013

In the aftermath of the recent news about an international $45 million
cyberheist and ATM cash-out scheme, experts say pinpointing the source
of such a massive breach can prove to be extremely difficult. That's
because so many different entities are now involved in the global
payments chain.

"There are so many...
 

Posted by InfoSec News on May 16

http://www.darkreading.com/attacks-breaches/new-algorithm-lets-scada-devices-detect/240154875

By Kelly Jackson Higgins
Dark Reading
May 14, 2013

Researchers have built a prototype that lets SCADA devices police one
another in order to catch and cut off a fellow power plant or factory
floor device that has been compromised.

The so-called secure distributed control methodology outfits SCADA
systems, such as robots or PLCs, with embedded...
 

Posted by InfoSec News on May 16

http://english.donga.com/srv/service.php3?bicode=020000&biid=2013051579958

The Dong-A Ilbo
MAY 15, 2013

"The country will directly foster the most elite white hackers (hackers
with well-intentioned purpose)."

So said Yoo Jun-sang, head of Korea Information Technology Research
Institute, at an interview with the Dong-A Ilbo Tuesday. At the
institute's education center in southern Seoul, he said, "Korea is an IT...
 

Posted by InfoSec News on May 16

http://fcw.com/articles/2013/05/15/cybersecurity-evangelism.aspx

By Amber Corrin
FCW.com
May 15, 2013

Say you're a beef inspector. Or a firefighter. Or a doctor treating
critically ill patients. Do you think much about cybersecurity? Is it
integrated into your daily work routine? The answer probably is no --
but federal officials are hoping to change that.

Cybersecurity already ranks as a top priority at agencies such as the
Defense...
 
A day after breaking an almost year-long silence on a medical condition that had affected the way he speaks, Google co-founder Larry Page said Wednesday that people should be more open about their medical histories.
 
The seizure of funds of the largest bitcoin exchange, Mt. Gox, was triggered by an alleged failure of the company to comply with U.S. financial regulations, according to a federal court document.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

http://computer-forensics.sans.org/blog/2013/05/15/sans-eu-dfir-summit-in-prague-call-for-speakers-now-open/

The 4th annual Forensics and Incident Response Summit EU will take place on October 6-13 in Prague, one of the most historical European cities, in the context of the SANS Forensics Prague conference, the biggest Incident Response and Digital Forensics event in Europe to date.

The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event, from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.

Call for Speakers - Now Open

The 4th annual Forensics and Incident Response Summit Call for Speakers is now open.

If you are interested in presenting or participating on a panel we are looking for user-presented case studies with communicable lessons. The Forensics Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the Forensic conference website and all printed materials
  • Visibility via the Forensic post-conference presentation email link for many months following the conference
  • Full conference badge to attend all Summit sessions
  • Private speaker lunch

Submission Guidelines

  • Title
  • Author Name(s)
  • Author Title
  • Company
  • Speaker Contact Information: Address, phone number, email address
  • Biography
  • Your biography should be approximately 160 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
  • Abstract
  • The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational.
  • The presentation should be relevant to: Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.

Speaking Options:

  • Presentation: 45 minutes
  • Question & Answer: 10-15 minutes

Submit your proposal to [email protected] by June 15, 2013 with the subject "SANS DFIR Summit EU CFP 2013."

Thank you for your interest in presenting

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 
Google has shown off new features that can reduce data consumption and improve Web performance on Android-powered mobile devices, drawing partly from capabilities already supported in the Chrome desktop OS.
 
Several users of devices running Google's Android operating system have filed an amended version of an earlier lawsuit accusing the company of illegally collecting, and allowing others to collect, extensive amounts of mobile user data without proper notice or consent.
 

Hackers compromised accounts belonging to maintainers of the open-source ZPanel after a team member supporting the Web hosting control panel called a critic a "fucken little know it all." The ZPanel site went completely down after the incident and remained down at time of writing.

ZPanel support member Nigel Caldwell made the comment in the site's official forums and it was directed at a user named joepie91. Shortly beforehand, the Netherlands-based software developer—whose real name is Sven Slootweg—claimed that websites using ZPanel in combination with certain modules were vulnerable to exploits that allowed attackers to remotely execute malicious code. Slootweg directed his statement at Caldwell, aka PS2Guy, after the support member left a comment saying ZPanel "is more secure than panels that you pay good money for." Caldwell also said users have "got more chance of someone hacking your Operating System than the control panel that sits on it."

In his response, Slootweg claimed there was an "arbitrary code execution and root escalation vulnerability in the current version of ZPanel." To support this, Slootweg provided an example line of code he said could be inserted into a main ZPanel template to trigger the vulnerability. Last month, Slootweg disclosed a ZPanel vulnerability here. Two weeks ago, he stepped up his criticism after claiming the vulnerability had gone unfixed. "I find it shameful that I even have to post here to point this out, to prevent someone from putting themselves at risk," Slootweg wrote in Wednesday's post on the ZPanel forum. "This should be the responsibility of the ZPanel team."


 
A bug that was already fixed in the development branch of the kernel back in April was not identified as being security relevant and can therefore still be exploited on many systems
    


 
Though the Spamhaus DDoS attack showed the potential devastation of increasing bandwidth, DDoS attack trends show DDoS type to be just as important.

 
Data-center and wireless sales led growth at Cisco Systems in its fiscal third quarter, as it saw customers spending more in the U.S. and developing countries but reported continuing weakness in Southern Europe.
 
Google CEO Larry Page made a surprise appearance Wednesday at the Google I/O conference, where he overcame problems with his throat to take questions from developers in the audience for almost an hour.
 
Mozilla Firefox/Thunderbird CVE-2013-1674 Remote Code Execution Vulnerability
 
The software giant's May 2013 Patch Tuesday update permanently fixes the IE8 zero-day flaw found in the Dept. of Labor website attack.

 
NASA's Kepler space telescope, launched in 2009 to search for Earth-like planets, is now spinning uncontrollably in space.
 
Selling SaaS (software as a service) applications aimed at specific lines of business is one way that SAP has tried to stake a claim in the world of cloud computing and during the Sapphire conference it unveiled a broad series of updates to the portfolio.
 
VideoJS Cross Site Scripting and Denial of Service Vulnerabilities
 
RETIRED: WordPress Related Posts by Zemanta Plugin Cross Site Request Forgery Vulnerability
 
WordPress Related Posts by Zemanta Plugin Cross Site Request Forgery Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1679 Use After Free Memory Corruption Vulnerability
 
Google CEO Larry Page took the stage today to wrap up a nearly four-hour long keynote that kicked off the Google I/O developers conference in San Francisco.
 
CMSLogik Arbitrary File Upload and Multiple HTML Injection Vulnerabilities
 
Openswan CVE-2013-2053 DNS TXT Record Buffer Overflow Vulnerability
 
WHMCS Group Pay Plugin 'hash' Parameter SQL Injection Vulnerability
 
Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability
 
Multiple Vulnerabilities in Exponent CMS
 
Frank X. Shaw, Microsoft's head of corporate communications, defended his company's Windows information disclosure strategy, denying that Microsoft has adopted Apple's "cone of silence" approach to imparting news.
 
Gmail's newest features include ways to search for old emails, quickly add meetings to your calendar, send large files and more. Here's a look at five of Google's latest email features to help you make the most of the popular Web-based service.
 
Google is adding 41 new features to its Google+ social network on Wednesday, including a richer interface that works better on mobile devices and some major enhancements to photo sharing.
 
Internet traffic in and out of war-torn Syria has been restored after a disruption of nearly eight and a half hours, according to Internet traffic charts.
 
Just by saying "Okay Google," people will soon be able to search using voice commands on their Chrome-powered desktop and laptop computers, Google said Wednesday.
 
Oracle Java SE CVE-2013-2432 Remote Java Runtime Environment Vulnerability
 
A special edition, stock Android version of the Samsung Galaxy S4 smartphone will go on sale June 26 on the Google Play store for $649, Google announced at its annual Google I/O conference.
 
Dell drastically cut the online price of its Windows RT tablet, reducing the price by $200 to $299.99 for Dell XPS 10.
 
Epson America is bringing hands-free interaction with YouTube to its smart glasses, which could set the stage for improved usability of applications like augmented reality.
 

For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.

The severity of the bug, which resides in the Linux kernel's "perf," or performance counters subsystem, didn't become clear until Tuesday, when attack code exploiting the vulnerability became publicly available (note: some content on this site is not considered appropriate in many work environments). The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option.
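The article gives two conditions for exposure: a kernel release between 2.6.37 and 3.8.8 inclusive, and a build with CONFIG_PERF_EVENTS set. The following triage script is an added example written for this digest, not code from Ars Technica or the kernel project; it encodes those two conditions so an administrator can check a fleet's `uname -r` output and kernel config files. The function names, the sample release strings and the sample config fragments are all constructed for illustration. Note that distribution kernels routinely backport fixes without changing the upstream version number, so a version-range match is a prompt to check the vendor's advisory, not proof of exposure.

```python
"""Triage helper: does a kernel release and config match the perf_events
affected range stated in the article? (Added example; constructed inputs.)"""
import gzip
import os
import re
from typing import Optional, Tuple

# Affected range quoted from the article: 2.6.37 through 3.8.8 inclusive,
# and only when the kernel was built with CONFIG_PERF_EVENTS.
AFFECTED_MIN = (2, 6, 37)
AFFECTED_MAX = (3, 8, 8)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_PERF_RE = re.compile(r"^CONFIG_PERF_EVENTS=y\s*$", re.MULTILINE)


def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Turn a `uname -r` string such as '3.2.0-4-amd64' into (3, 2, 0).

    Distro suffixes (-4-amd64, .el6.x86_64, ...) are ignored. A string that
    does not start with MAJOR.MINOR returns None rather than guessing.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def version_in_affected_range(release: str) -> bool:
    """Inclusive comparison against the article's 2.6.37 .. 3.8.8 range."""
    v = parse_release(release)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def perf_events_enabled(config_text: str) -> bool:
    """True if the kernel config text contains CONFIG_PERF_EVENTS=y.
    A '# CONFIG_PERF_EVENTS is not set' line does not match."""
    return _PERF_RE.search(config_text) is not None


def triage(release: str, config_text: str) -> dict:
    """Combine both conditions; 'potentially_affected' is the AND of them."""
    in_range = version_in_affected_range(release)
    perf = perf_events_enabled(config_text)
    return {
        "release": release,
        "version_in_range": in_range,
        "perf_events": perf,
        "potentially_affected": in_range and perf,
    }


def load_live_config(release: str) -> str:
    """Best-effort read of the running kernel's config (hypothetical helper).
    Tries /proc/config.gz first, then /boot/config-<release>; returns '' if
    neither exists, which makes perf_events_enabled() return False."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as fh:
            return fh.read()
    path = f"/boot/config-{release}"
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return ""


if __name__ == "__main__":
    # Constructed sample inventory: (release, config fragment).
    samples = [
        ("3.2.0-4-amd64", "CONFIG_PERF_EVENTS=y\n"),            # in range, perf on
        ("3.2.0-4-amd64", "# CONFIG_PERF_EVENTS is not set\n"), # in range, perf off
        ("2.6.32-358.el6.x86_64", "CONFIG_PERF_EVENTS=y\n"),   # below range
        ("3.8.9", "CONFIG_PERF_EVENTS=y\n"),                   # just above range
    ]
    for rel, cfg in samples:
        print(triage(rel, cfg))
    # For the local machine, uncomment:
    # rel = os.uname().release
    # print(triage(rel, load_live_config(rel)))
```

The comparison is done on integer tuples rather than strings so that 2.6.37 sorts after 2.6.9 and 3.8.8 after 3.8.10 is handled correctly; a release string that cannot be parsed is reported as not in range rather than silently treated as safe or unsafe, so operators should review those entries by hand.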

"Because there's a public exploit already available, an attacker would simply need to download and run this exploit on a target machine," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly."


 
Google's Android OS has more than 900 million users, the company said Wednesday as its I/O event began in San Francisco.
 
The magazine's anonymous drop site is based on DeadDrop, developed by the late Aaron Swartz. Anonymity is in part ensured by only accepting connections via the Tor project's network
    


 
[ MDVSA-2013:165 ] firefox
 
[security bulletin] HPSBUX02859 SSRT101144 rev.3 - HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code
 
[SECURITY] [DSA 2668-1] linux-2.6 security update
 
In early May President Obama signed an executive order that makes "Open and Machine Readable the New Default for Government Information".
 
Security researchers from Russian cybercrime investigations firm Group-IB have uncovered a cyberfraud operation that uses specialized financial malware to target the customers of several major Australian banks.
 
SAP's software is known for its role running many of the world's largest companies, but not necessarily for its user-friendliness. As part of an ongoing effort to change this perception, SAP unveiled Fiori, a set of 25 lightweight "consumer-friendly" applications that can run on desktops, tablets and mobile devices, on Wednesday at the Sapphire conference in Orlando.
 
Internet traffic to and from Syria, a country engulfed by civil war, again came to a halt on Wednesday, according to Internet monitoring company Renesys.
 
 
In a global mobile environment, organizations are looking for ERP systems that do more than integrate with a legacy system. But with so many solutions available, how do you choose the software that's right for your enterprise? IT executives and ERP experts offer 11 tips to get a return on your software investment.
 
Cisco WebEx Social CVE-2013-1244 Cross Site Scripting Vulnerability
 
Mozilla Firefox SeaMonkey and Thunderbird CVE-2012-1942 Local Privilege Escalation Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1670 Cross Site Scripting Vulnerability
 
Pirate Bay co-founder Peter Sunde is planning to run for the European Parliament in 2014.
 
The tried-and-true enterprise service bus--long the foundation of now-dated service oriented architecture deployments--is back in style thanks to the increasing need to integrate disparate applications. The secret to ESB's future success, some say, is a close tie to API management tools.
 
PC shipments in Western Europe declined by 20.5% during the first quarter: The only vendors to see shipments grow were Lenovo and Apple, which returned to the top five.
 
Through a deal with Verizon, VMware is going to offer the ability for employees to download an app that allows their companies to run a standardized corporate version of Android OS on their phones alongside their personal version.
 
LinuxSecurity.com: Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
 
LinuxSecurity.com: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if it opened a malicious website.
 
LinuxSecurity.com: Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
 
LinuxSecurity.com: Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated mesa packages fix security vulnerability: It was discovered that Mesa incorrectly handled certain arrays. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2012-5129). [More...]
 
LinuxSecurity.com: Multiple security issues were identified and fixed in Mozilla Firefox: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under [More...]
 
Mozilla Firefox and Thunderbird CVE-2013-1678 Memory Corruption Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1681 Use After Free Memory Corruption Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-0801 Memory Corruption Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1680 Use After Free Memory Corruption Vulnerability
 
Critical holes are also closed in Mozilla's Firefox ESR, Thunderbird and Thunderbird ESR, along with fixes for high severity issues; one of the high severity issues is a local privilege escalation through Mozilla's Maintenance Service
    


 
With an increase in security updates and a need to schedule non-security changes predictably, Oracle has decided to rework how Java updates get a version number
    


 
Adobe Acrobat and Reader APSB13-15 Multiple Security Vulnerabilities
 
Adobe Flash Player and AIR APSB13-14 Multiple Memory Corruption Vulnerabilities
 
The Senate Judiciary Committee rejected the idea on Tuesday of requiring all H-1B employers to make a "good faith" effort in hiring U.S. workers before taking on an H-1B worker.
 
Customers are pushing the limits of the software -- asking it to manage and do many more things than it was originally created to do -- and vendors are happy to oblige.
 
Application management, security and a bunch of other features are now baked into MDM. Check out our mondo chart showing the features and functions you get with 10 different enterprise mobile device management products.
 
Mozilla on Tuesday released Firefox 21, adding more social media connections, tweaking the Do Not Track privacy setting and rolling out a new tool that long term, aims to create a self-healing browser.
 
New social media privacy laws that have been enacted in several states around the country, or are in the works, present something of a mixed bag for businesses.
 
The company has fixed a critical hole in Internet Explorer that is already being exploited by attackers, and patched vulnerabilities in all versions of Windows, in Office, in Windows Essentials, and in other components
    


 
Adobe's May Patch Tuesday brings a flurry of security updates that close various critical security holes. Administrators who manage ColdFusion servers should act immediately; the remaining updates should also be installed as soon as possible
    


 
Oracle Java SE CVE-2013-1563 Remote Java Runtime Environment Vulnerability
 
Microsoft Publisher CVE-2013-1319 Remote Code Execution Vulnerability
 
Microsoft Publisher CVE-2013-1318 Remote Code Execution Vulnerability
 
Microsoft Publisher CVE-2013-1323 Remote Code Execution Vulnerability
 
Microsoft .NET Framework CVE-2013-1337 Authentication Bypass Vulnerability
 
Microsoft .NET Framework XML Digital Signature CVE-2013-1336 Security Bypass Vulnerability
 
Microsoft Lync CVE-2013-1302 Remote Code Execution Vulnerability
 
Concerned about Amazon.com's low pricing of e-books, publishers had taken measures as early as 2009 such as "windowing," a practice of delaying e-book releases to benefit sales of hardcover editions, Apple said in a filing in an e-book price-fixing lawsuit.
 
Hewlett-Packard has given the "Android treatment" to its latest laptop-tablet hybrid, which is called SlateBook X2 and has a detachable 10-inch screen that can independently function as a tablet.
 

Posted by InfoSec News on May 15

http://www.tucsonweekly.com/TheRange/archives/2013/05/14/amys-baking-company-chooses-we-were-hacked-as-their-damage-control-response

By David Mendez
Tucson Weekly
May 14, 2013

So, the folks at Amy's Baking Company have chosen to go the honorable
route following the social media meltdown [1] that took place yesterday
on the company's Twitter, Facebook and Yelp accounts: they've blamed it
all on hackers [2].

Sorry, did I say...
 

Posted by InfoSec News on May 15

http://www.darkreading.com/government-vertical/us-cyber-command-head-general-alexander/240154788

May 14, 2013

[NOTE: Black Hat and Dark Reading are both part of UBM Tech. As the key July
27th-August 1st information security event in Las Vegas approaches, we'll be
sharing information about the show directly from its creators here on Dark
Reading.]

Major information security event Black Hat has announced that General Keith
Alexander --...
 

Posted by InfoSec News on May 15

http://www.wired.com/threatlevel/2013/05/saudi-telecom-sought-spy-help/

By Kim Zetter
Threat Level
Wired.com
05.14.13

A prominent computer security researcher says he recently rejected a
request by a Saudi telecommunications company to help it spy on mobile
customers using social networking accounts such as Twitter.

The security researcher, who goes by the name Moxie Marlinspike and who
recently left Twitter where he worked on that...
 

Posted by InfoSec News on May 15

http://www.wlfi.com/dpp/news/local/stolen-laptop-could-contain-important-patient-information

By Kelly Roberts
WLFI.com
14 May 2013

LAFAYETTE, Ind. (WLFI) - In a letter to patients from Indiana University
Health Arnett it was announced that an employee’s laptop computer was
stolen from the employee’s car. The theft occurred on April 9.

Hospital officials said the laptop was password-protected but not
encrypted. It was stolen in White...
 

Posted by InfoSec News on May 15

http://www.theregister.co.uk/2013/05/14/nab_warning_infosec_regulation/

By Richard Chirgwin
The Register
14th May 2013

More prescriptive regulation of the security posture in industry sectors
like banking could have the paradoxical impact of reducing security,
according to Andrew Dell, head of IT security services at the National
Australia Bank.

“We have to become much more agile and proactive – how we look at, how
we react to...
 