Civil liberties advocates have asked the US Federal Trade Commission to take action against the nation's four major wireless carriers for selling millions of Android smartphones that never, or only rarely, receive updates to patch dangerous security vulnerabilities.

The request for investigation and complaint for injunctive relief was filed Tuesday by the American Civil Liberties Union against AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA. The vast majority of phones that the carriers sell run Google's Android operating system and rarely receive software updates, the 16-page document stated. It went on to allege that the practice violates provisions of the Federal Trade Commission Act barring deceptive and unfair business practices, since the carriers don't disclose that the failure to provide updates in a timely manner puts customers at greater risk of hacking attacks. Among other things, the filing seeks an order allowing customers to terminate contracts that cover a phone that's no longer eligible to receive updates.

"All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices," Christopher Soghoian, principal technologist and senior policy analyst for the ACLU, wrote in the document. "The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials."


Oracle MySQL CVE-2012-5614 Denial of Service Vulnerability
Apache APR-util 'apr_brigade_vprintf' Off By One Vulnerability
Yahoo wants to accelerate its development of mobile products geared toward delivery of personalized content, CEO Marissa Mayer said Tuesday, as the company works to stay relevant in a world where smartphones and tablets are becoming dominant.
Just a month away from retirement, Intel CEO Paul Otellini has reflected on his four decades with the company during his last quarterly earnings call with analysts and reporters.
Oracle Java SE CVE-2013-1491 Remote Code Execution Vulnerability
Oracle Java SE CVE-2013-0401 Remote Code Execution Vulnerability
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apache Mod_Mem_Cache Information Disclosure Vulnerability
Oracle Fusion Middleware CVE-2013-1529 Remote Security Vulnerability
Apache APR-util 'xml/apr_xml.c' Denial of Service Vulnerability


Venture Capital's Role in InfoSec
What's the role of venture capital in today's information security market? Alberto Yépez of Trident Capital describes start-up companies and the unique qualities that separate winners from losers. Yépez, managing director of Silicon Valley-based ...

Intel reported a drop in profits and revenue for the first quarter, as the biggest PC market slump in recent memory weighed on its business.
Google has beefed up the administration and management controls that IT staff have over their users' Chrome browsers.
Just a month before Paul Otellini steps down as CEO of Intel, the company does not yet have a replacement.

A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it a step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.

But according to an IRC conversation involving one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets on which to use the exploit.


Yahoo's profits rose more than 30% in the first quarter, due to a variety of factors including lowered operating costs, though sales at the company declined.
Many enterprise-level tech firms have sophisticated social media strategies. Unfortunately, all it takes is one employee with inflammatory social media skills, and the firm's brand takes a beating.
American Airlines restored access to its reservation system on Tuesday afternoon after a four-hour long outage that grounded its flights across the U.S.
Emerging enterprise antiphishing tools use testing, training to help users recognize bogus messages, addressing a long-standing defensive pain point.

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0795 Security Bypass Vulnerability

Several of our readers have written in to let us know about the latest Java Update. 

So why isn't this a normal one-liner with a pointer off to the readme?  Because Oracle has significantly changed how Java runs with this version.  Java now expects applets and Web Start applications to be code-signed, and will pop up brightly coloured dialogue boxes if your code is not signed.  They now alert on unsigned, signed-but-expired and self-signed certificates.

We'll even need to click "OK" when we try to download and execute signed and trusted Java.

This is a really positive move on their part - with as many problems as Java has, it'll be nice to stop blaming the developers of the language entirely for malicious code - Java doesn't give you malware, running malware gives you malware. 

(not that Java is perfect, mind you)


The graphics you can expect to see once you update are:

[Screenshots of the four dialogs: Valid Certificate, Self-Signed Certificate, Expired Certificate, Unsigned Application]

Full details on the new run policy can be found here ==> https://www.java.com/en/download/help/appsecuritydialogs.xml

And more information can be found here ==> http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html
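Since the new dialogs hinge on whether a JAR carries a usable signature, it helps to see how a signed JAR hangs together. The following is an added example, not code from this diary or from Oracle: it builds a small JAR in memory, optionally signs it in the jarsigner layout (manifest digests every entry, the .SF file digests the manifest and each manifest section, a PKCS#7 block in .RSA/.DSA/.EC signs the .SF), and then classifies a JAR as unsigned, signed or tampered. The PKCS#7 block and the certificate chain behind it (the unsigned / self-signed / expired judgement the dialogs make) need a CMS library and are deliberately left out; the block is a placeholder. The manifest layout is simplified (no 72-byte line wrapping), so it is self-consistent but not byte-for-byte what jarsigner emits, and the class content is constructed.

```python
# Added example: structure of a signed JAR and a digest-chain checker.
# Not the diary author's code. The .RSA block is a placeholder (assumption:
# CMS verification and the certificate chain are handled elsewhere).
import base64
import hashlib
import io
import zipfile

ALG = "SHA-256"
SIG_EXTS = (".RSA", ".DSA", ".EC")


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _section(name: str, digest: str) -> bytes:
    # One manifest/SF section: Name line, digest line, terminating blank line.
    return f"Name: {name}\r\n{ALG}-Digest: {digest}\r\n\r\n".encode()


def build_jar(entries: dict, signed: bool) -> bytes:
    """Build an in-memory JAR from {path: bytes}; optionally add .SF and .RSA."""
    manifest = b"Manifest-Version: 1.0\r\n\r\n"
    for path, data in entries.items():
        manifest += _section(path, _b64_sha256(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            sf = (f"Signature-Version: 1.0\r\n"
                  f"{ALG}-Digest-Manifest: {_b64_sha256(manifest)}\r\n\r\n").encode()
            for path, data in entries.items():
                # The .SF digests the manifest *section*, not the entry itself.
                sf += _section(path, _b64_sha256(_section(path, _b64_sha256(data))))
            zf.writestr("META-INF/SIGNER.SF", sf)
            zf.writestr("META-INF/SIGNER.RSA", b"<PKCS#7 placeholder, not verified>")
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def replace_entry(jar_bytes: bytes, path: str, data: bytes) -> bytes:
    """Rewrite the JAR with one entry swapped, as post-signing tampering would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, data if name == path else src.read(name))
    return buf.getvalue()


def _parse(data: bytes):
    """Split a manifest-style file into (main attrs, {Name: (attrs, raw bytes)})."""
    blocks = [b for b in data.split(b"\r\n\r\n") if b]
    attrs = lambda b: dict(line.split(": ", 1) for line in b.decode().split("\r\n"))
    sections = {}
    for block in blocks[1:]:
        a = attrs(block)
        sections[a["Name"]] = (a, block + b"\r\n\r\n")
    return attrs(blocks[0]), sections


def classify_jar(jar_bytes: bytes) -> str:
    """'unsigned' (no .SF plus signature block), 'tampered' (a digest fails), or 'signed'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        sfs = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if not sfs or not any(sfs[0][:-3] + ext in names for ext in SIG_EXTS):
            return "unsigned"
        manifest_raw = zf.read("META-INF/MANIFEST.MF")
        sf_main, sf_sections = _parse(zf.read(sfs[0]))
        if sf_main.get(f"{ALG}-Digest-Manifest") != _b64_sha256(manifest_raw):
            return "tampered"  # manifest edited after signing
        _, mf_sections = _parse(manifest_raw)
        for name, (sf_attrs, _) in sf_sections.items():
            if name not in mf_sections or name not in names:
                return "tampered"
            mf_attrs, mf_raw = mf_sections[name]
            if sf_attrs.get(f"{ALG}-Digest") != _b64_sha256(mf_raw):
                return "tampered"  # manifest section edited
            if mf_attrs.get(f"{ALG}-Digest") != _b64_sha256(zf.read(name)):
                return "tampered"  # entry (e.g. a .class) swapped after signing
    return "signed"


# Constructed sample content; a real JAR would hold compiled classes.
SAMPLE = {"com/example/Hello.class": b"\xca\xfe\xba\xbe" + b"Hello bytecode"}

if __name__ == "__main__":
    good = build_jar(SAMPLE, signed=True)
    print(classify_jar(build_jar(SAMPLE, signed=False)))  # unsigned
    print(classify_jar(good))  # signed
    print(classify_jar(replace_entry(good, "com/example/Hello.class", b"evil")))  # tampered
```

The point of the chain is that a .class swapped after signing fails at the manifest digest, while a manifest rewritten after signing fails at the .SF digest; neither check says anything about who signed, which is exactly the question the new dialogs put to the user.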


Rob VandenBrink

Chat Heads, the buzzy messaging feature released as part of Facebook's Home software for Android-based smartphones, is now coming to the iPhone and iPad.
Harvard's Clean Energy Project is conducting a study on millions of potential chemical structures and has identified next-generation organic solar cell material.
The U.S. Congress should limit the ability of patent holders that don't make products to file infringement complaints at the U.S. International Trade Commission because of a huge increase in cases there, representatives of some companies told lawmakers Tuesday.
American Airlines grounded all its flights across the U.S. on Tuesday after an unidentified computer problem hit its reservation system.
With federal and state investigators searching for clues about the person or organization behind the Boston Marathon bombing, social networks could hold a treasure trove of information.
FFmpeg Multiple Remote Code Execution Vulnerabilities
GNOME Online Accounts CVE-2013-1799 SSL Certificate Validation Security Bypass Vulnerability
FFmpeg 'ff_h264_decode_seq_parameter_set()' Function Denial of Service Vulnerability
SSH Communications Security will offer a free tool for auditing SSH key use within large organizations at next week's Infosecurity Europe conference.



Show Preview: InfoSec Europe 2013 and securing your financial future
Bobsguide (press release) (blog)
Infosecurity Europe, running 23-25 April at the London Earls Court Exhibition Centre, is expected to attract more than 10,000 infosec delegates, 350 exhibitors, and numerous bank chief information security officers (CISOs) such as Michael Paisley at ...

Samsung Galaxy S smartphone fans can soon stop panting for the next generation of the popular handset.
The U.S. Senate's comprehensive immigration bill would make major changes to the H-1B visa that are certain to upset some and possibly please others.
Oracle will release a new version of Java on Tuesday that will include 42 security fixes and will make changes to how Web-based Java content will be presented inside browsers.
Microsoft's top executive for mobile phones took shots at both iOS and Android today, calling Apple's operating system "boring" and claiming Google's is "a mess."
Nitro PDF 'bcgcbproresen.dll' DLL Loading Arbitrary Code Execution Vulnerability
Netflix plans to abandon Microsoft's Silverlight media player plug-in for Windows and OS X in-browser video streaming, and replace it with a trio of HTML5 extensions.
Qemu 'qemu-nbd' Tool Local Security Bypass Vulnerability
Merging the worlds of big data and cloud computing, Red Hat, Hortonworks and Hadoop integrator Mirantis are jointly building a software program, called Savanna, that will make it easier to deploy Apache Hadoop on an OpenStack cloud service.
Following the deadly bombings at the Boston Marathon on Monday, investigators mounted a massive effort to scrutinize digital photos and videos taken about the time of the blasts from citizen smartphones and area surveillance cameras.
Google won't do anything to thwart Facebook's recently launched Home software for Android devices if it becomes explosively popular, according to Google Executive Chairman Eric Schmidt.
Pirate Bay co-founder Gottfrid Svartholm Warg was charged with hacking the IBM mainframe of Logica, a Swedish IT firm that provided tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank, the Swedish public prosecutor said on Tuesday.

NPR's Web publishing system and several of the news agency's Twitter accounts were hacked yesterday by a group supportive of the Syrian government that calls itself the "Syrian Electronic Army."

"Late Monday evening, several stories on the NPR website were defaced with headlines and text that said 'Syrian Electronic Army Was Here,'" an NPR statement published in an NPR.org news story on the incident said. "Some of these stories were distributed to and appeared on NPR Member Station websites. We have made the necessary corrections to those stories on NPR.org and are continuing to work with our Member Stations. Similar statements were posted on several NPR Twitter accounts. Those Twitter accounts have been addressed. We are closely monitoring the situation."

Sophos's Naked Security blog published a summary of the hack, including a screenshot of a Google search showing some of the headlines edited by the Syrian Electronic Army:


An old trick is currently being used again: Unwitting users can be tricked into executing harmful commands by copy and pasting text that includes hidden elements
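The mechanism behind that trick, as an added example that is not part of the original item: the page styles part of a command so the eye never sees it (moved off-screen or given a zero font size; display:none text is usually not copied, which is why the trick uses positioning), yet a select-and-copy still takes it along, and a trailing newline makes a terminal run the whole line the instant it is pasted. The HTML page below is constructed, the hidden-style patterns are a heuristic rather than a spec, and the "selection model" is a simplification of what browsers actually put on the clipboard (a page can also rewrite the clipboard outright from a copy event handler). The audit function is the check a practitioner wants before pasting anything from a web page into a shell.

```python
# Added example: what the user sees versus what lands in the clipboard, and a
# clipboard audit. Not code from the original item; the page is constructed.
from html.parser import HTMLParser
import re
import unicodedata

# Heuristic (assumption): styles that keep text in the DOM but out of sight.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0|left\s*:\s*-\d{3,}px|text-indent\s*:\s*-\d{3,}px|opacity\s*:\s*0",
    re.I,
)


class SelectionModel(HTMLParser):
    """Collects visible text and the text a select-all-and-copy would yield."""

    def __init__(self):
        super().__init__()
        self.visible, self.clipboard = [], []
        self._hidden_depth = 0
        self._stack = []

    def handle_starttag(self, tag, attrs):
        hidden = bool(HIDDEN_STYLE.search(dict(attrs).get("style") or ""))
        self._stack.append(hidden)
        self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if self._stack:
            self._hidden_depth -= self._stack.pop()

    def handle_data(self, data):
        self.clipboard.append(data)          # copied regardless of styling
        if not self._hidden_depth:
            self.visible.append(data)        # rendered where the eye can see it


def copy_text(html: str):
    """Return (what the page shows, what the clipboard receives)."""
    p = SelectionModel()
    p.feed(html)
    return "".join(p.visible), "".join(p.clipboard)


# Zero-width and bidi-override code points that render as nothing.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u202d", "\u202e"}


def audit_clipboard(clip: str, shown: str) -> list:
    """Reasons not to paste `clip` into a shell, given the page displayed `shown`."""
    findings = []
    if clip != shown:
        findings.append("clipboard differs from displayed text")
    if "\n" in clip.rstrip("\n"):
        findings.append("embedded newline: more than one command")
    if clip.endswith("\n"):
        findings.append("trailing newline: runs immediately on paste")
    bad = sorted({c for c in clip
                  if c in INVISIBLE or (unicodedata.category(c) == "Cc" and c not in "\n\t")})
    if bad:
        findings.append("invisible/control characters: "
                        + ", ".join(f"U+{ord(c):04X}" for c in bad))
    return findings


# Constructed page: the reader sees one harmless command, the clipboard gets more.
PAGE = ('<pre>sudo apt-get update'
        '<span style="position:absolute; left:-9999px">; echo hijacked</span>'
        '\n</pre>')

if __name__ == "__main__":
    shown, clip = copy_text(PAGE)
    print(repr(shown))   # 'sudo apt-get update\n'
    print(repr(clip))    # 'sudo apt-get update; echo hijacked\n'
    for f in audit_clipboard(clip, shown):
        print("-", f)
```

Pasting into an editor first is the zero-cost defence; the audit above is what that habit does by hand, plus a check for zero-width and bidi-override characters that an editor may also hide.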

Apache Commons Compress and Apache Ant CVE-2012-2098 Denial Of Service Vulnerability

Yesterday, TheDomains reported there were 125 potentially fake domains registered just hours after the attack in Boston. By my current count, I see 234. Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this but there have been a few fake twitter accounts which are fairly quickly getting squashed. Oh, and one lawsuit-lawyer related site in connection to the event but that's a different kind of scum than we typically deal with here. But so far, most of the domains are parked (typically at GoDaddy, but don't read that as a swipe at them) or they don't resolve anywhere.

In short, I would have thought this would have picked up quicker than it had.

That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automagically to start looking for indicators and to see when (or if) they ever come out of "parked" status.
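A snapshot-and-diff monitor of the kind described, as an added example (not the diary author's script): each run resolves every watched domain, labels it unresolved, parked or live, and reports the ones that changed since the last run, with a move to "live" flagged for a closer look. Resolution is injected so the logic runs offline here against constructed answers; pass socket.gethostbyname_ex for a real check. The parking-address set is an assumption the operator fills in from their own observations (the RFC 5737 test addresses stand in for parking hosts), and the watched domain names are constructed.

```python
# Added example: status snapshots of suspicious domains and a diff between runs.
# Not the diary author's code; resolver answers and domain names are constructed.
import socket

# Assumption: addresses that a registrar's parking page resolves to, as observed
# by the operator. 203.0.113.10 (RFC 5737 test space) stands in for one here.
PARKING_IPS = {"203.0.113.10"}


def classify(domain, resolve=socket.gethostbyname_ex, parking_ips=PARKING_IPS):
    """Return (status, A records): 'unresolved', 'parked' (only parking hosts) or 'live'."""
    try:
        _, _, addrs = resolve(domain)
    except (socket.gaierror, OSError):
        return "unresolved", []
    if not addrs:
        return "unresolved", []
    if set(addrs) <= parking_ips:
        return "parked", addrs
    return "live", addrs


def snapshot(domains, resolve=socket.gethostbyname_ex):
    """One run over the watch list: {domain: (status, addrs)}."""
    return {d: classify(d, resolve) for d in domains}


def changes(previous, current):
    """Domains whose status moved between runs; a move to 'live' is an alert."""
    out = []
    for d, (status, addrs) in current.items():
        old = previous.get(d, ("new", []))[0]
        if old != status:
            out.append({"domain": d, "from": old, "to": status,
                        "a": addrs, "alert": status == "live"})
    return out


def fake_resolver(answers):
    """Offline stand-in for socket.gethostbyname_ex (constructed answers)."""
    def resolve(domain):
        if domain not in answers:
            raise socket.gaierror(f"{domain}: NXDOMAIN")
        return domain, [], answers[domain]
    return resolve


# Constructed watch list and two days of constructed answers (.example TLD).
WATCH = ["bostonmarathon-help.example", "marathonvictims-fund.example",
         "bostonrelief-donate.example"]
DAY1 = fake_resolver({"bostonmarathon-help.example": ["203.0.113.10"],
                      "marathonvictims-fund.example": ["203.0.113.10"]})
DAY2 = fake_resolver({"bostonmarathon-help.example": ["203.0.113.10"],
                      "marathonvictims-fund.example": ["198.51.100.7"],
                      "bostonrelief-donate.example": ["198.51.100.8"]})

if __name__ == "__main__":
    for c in changes(snapshot(WATCH, DAY1), snapshot(WATCH, DAY2)):
        print(("ALERT " if c["alert"] else "info  ") + f"{c['domain']}: {c['from']} -> {c['to']} {c['a']}")
```

Persist each snapshot (a JSON file per run is enough) and run it from cron; the interesting events are exactly the parked-to-live and unresolved-to-live transitions, which is when a domain stops being noise and starts hosting something worth pulling apart.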

As usual, the standard advice applies in events like these. If you want to donate (or have friends/family/colleagues who do) work through well-known and established charities to do so.

Feel free to send any suspicious sites/spam/twitter accounts/etc to us so we can keep doing analysis.

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

[security bulletin] HPSBUX02866 SSRT101139 rev.1 - HP-UX Running Apache, Remote Denial of Service (DoS), Execution of Arbitrary Code and other vulnerabilities
DDIVRT-2013-52 Dell EqualLogic PS6110X Directory Traversal
[ MDVSA-2013:143 ] poppler
Wireshark Dissector LWRES Multiple Buffer Overflow Vulnerabilities
Wireshark ERF File Remote Code Execution Vulnerability
Wireshark 0.9.0 through 1.2.4 Multiple Vulnerabilities
Wireshark 1.2.0 Multiple Vulnerabilities
LinuxSecurity.com: Applications using libcurl could be made to expose sensitive information over the network.
LinuxSecurity.com: Updated 389-ds-base packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low [More...]
LinuxSecurity.com: HAProxy could be made to crash or run programs if it received specially crafted network traffic.
Google's placement of its own flight-finding service in search results is resulting in lower click-through rates for companies that have not bought advertising, according to a study by Harvard University academics.
Red Hat has launched a community version of its still-in-development OpenStack distribution, and it also released a preview of the enterprise edition of this distribution for those who sign up for an early adopter program.
The creators of Android originally dreamed it would be used to create a world of "smart cameras" that connected to PCs, a founder said, but it was reworked for mobile handsets as the smartphone market began to explode.
The Google Glass wearable computer will have a high-resolution display equivalent of a 25-inch high-definition screen from eight feet away, and will capture 5-megapixels images and video at a resolution of 720p, according to technical specs disclosed on Monday.
Cybercriminals are increasingly targeting small businesses due to their less sophisticated defenses, according to a new report from Symantec.
Not having an API is becoming like not having a website, but the interface has got to be easy for outside developers to work with.
Web hosting company Linode has published details of an attack on its network that saw unknown attackers gain access to customer information such as hashed passwords and encrypted credit card data.

RETIRED: Google Chrome OS Prior to 26.0.1410.57 Multiple Security Vulnerabilities

Bradford Networks Addresses BYOD Security Threats at InfoSec World 2013
Marketwire (press release)
ORLANDO, FL--(Marketwired - Apr 15, 2013) - InfoSec World Expo and Conference, Booth #104 -- Bradford Networks™, the best choice to secure network access for BYOD, today announced its participation in the InfoSec World Expo and Conference. During ...

Linux Kernel Multiple Local Security Bypass Vulnerabilities