[SECURITY] [DSA 2819-1] End-of-life announcement for iceape
XSS and Full Path Disclosure in MijoSearch Joomla Extension

A Department of Energy network breach earlier this year that allowed hackers to download sensitive personal information on 104,000 people was the result of a decade-old patchwork of systems, some of which hadn't installed critical security updates in years, according to a federal watchdog.

July's successful hack on the department's Employee Data Repository database was at least the third one to occur since 2011, DOE Inspector General Gregory H. Friedman wrote in a recently published review of the breach. The hack resulted in the exfiltration of more than 104,000 individuals' personally identifiable information (PII), including their social security numbers, bank account data, dates and places of birth, user names, and answers to security questions. The department expects to incur costs of $3.7 million setting up credit monitoring and in lost productivity. That figure doesn't include the costs of fixing the vulnerable systems.

The inspector general review recited a litany of failures that allowed hackers to penetrate system defenses. Chief among them is the fact that none of the 354 database tables containing social security numbers were encrypted. Using strong cryptography to protect such "at rest" PII has long been considered a best practice in government and corporate data security. The department's management information system (MIS) that allowed access to the DOEInfo databases also failed to require common security enhancements, such as two-factor authentication or a department-issued virtual private network.



[security bulletin] HPSBHF02953 rev.1 - HP B-series SAN Network Advisor, Remote Code Execution
[SECURITY] [DSA 2818-1] mysql-5.5 security update
Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities
The number of personal cloud users increases every year and is not about to slow down. Back in 2012, Gartner predicted that by 2014 personal computing would have largely shifted from offline PC work to the cloud. And it's happening.
Bio Basespace SDK 0.1.7 Ruby Gem exposes API Key via command line
LiveZilla Multiple Stored XSS in webbased operator client
LiveZilla Insecure password storage
Advisory 01/2013: PHP openssl_x509_parse() Memory Corruption Vulnerability
Call for Papers -YSTS 8 - Information Security Conference, Brazil
User Identity Spoofing in Bitrix Site Manager
Microsoft Internet Explorer CVE-2013-5048 Memory Corruption Vulnerability
Cisco WAAS Mobile CVE-2013-5554 Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-5047 Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-5049 Memory Corruption Vulnerability
Microsoft's Surface tablets were in short supply Monday, with most models out of stock on the company's online store.
In a potential blow to government surveillance efforts, a federal judge today ruled that the NSA's practice of collecting phone metadata records on millions of Americans may be unconstitutional.
The cost of installing solar power has fallen 60% since 2011, 16% in this past year alone, according to GTM Research.
Apache Subversion CVE-2013-1884 Remote Denial of Service Vulnerability

Social Security numbers, addresses of 18800 state workers in missing thumb drive
The Denver Channel
Should you need any further information, please contact the Office of Information Security at infosec@state.co.us."

BI (business intelligence) and analytics will remain a top investment priority for CIOs, but by 2015 BI vendors will make ad-hoc data discovery, rather than report generation, the prime focus of their product development efforts, according to a new Gartner report.
Verizon Wireless Monday continued to maintain that it has the "largest and most reliable 4G LTE network" in the U.S. despite the recent admission by some company executives of some dents in the armor.
NASA engineers are still trying to figure out how to fix a cooling system problem on the International Space Station. The space agency now says it may call for a spacewalk to get the work done.
DRAMeXchange expects second-generation PCIe to replace SATA III in servers and higher-end laptops as the interface of choice for manufacturers, including Apple.
Apple has won the hearts and minds of small- and mid-sized businesses, which have overwhelmingly adopted Cupertino's mobile devices over rivals powered by Android or Windows.

Jailbroken Phones Targeted by Hacker Jammers
One of the problems the BYOD trend poses is jailbreaking -- and then hiding it. "Jailbroken and rooted phones are super dangerous in the enterprise," said Marble Security Chairman and CTO Dave Jevans. "They have no security. They can also have ...

Nearly a week after Yahoo's email service crashed, the company is still working to bring it all back.
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.5.33, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible [More...]
LinuxSecurity.com: A buffer overflow vulnerability in Win32 Codecs can potentially allow for user-assisted arbitrary code execution.
LinuxSecurity.com: A buffer overflow in libsmi might allow a context-dependent attacker to execute arbitrary code.
LinuxSecurity.com: Multiple vulnerabilities have been found in cabextract, allowing remote attackers to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: Timo Warns reported multiple integer overflow vulnerabilities in libtar, a library for manipulating tar archives, which can result in the execution of arbitrary code. [More...]
LinuxSecurity.com: Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]
LinuxSecurity.com: Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated nss, nspr, and nss-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Several security issues were fixed in PHP.
Sites browsed by hacked PCs (left) and SQL injection flaws found by the botnet (masked, right).

Investigative journalist Brian Krebs has uncovered an unusual botnet that forces infected PCs to scour websites for security vulnerabilities that can cough up proprietary data or be exploited in drive-by malware attacks.

The botnet, dubbed "Advanced Power" by its operators, has discovered at least 1,800 webpages vulnerable to SQL injection attacks since May, Krebs reported in a post published Monday. SQL injection attacks exploit weaknesses in Web applications that let attacker-supplied input pass through to a website's backend database as SQL commands. From there, attackers can download login credentials or other database contents, or cause sites to post links that silently redirect visitors to malicious websites.

Advanced Power masquerades as a legitimate add-on for Mozilla's Firefox browser. Once installed, it looks for vulnerabilities on sites visited by the infected machine. Krebs wrote:

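The mechanism described above, as an added example that is not part of the Krebs post or the Ars article: a login query built by string formatting beside its parameterized form, run against a constructed in-memory SQLite table. The table, the two fake accounts and the payloads are assumptions for illustration. The lone-quote probe at the end is the kind of first-pass check automated scanners use; the page does not describe how Advanced Power itself probes.

```python
import sqlite3


def make_db():
    """Constructed sample table: two fake accounts (plaintext passwords only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: user input becomes part of the SQL itself."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def bypass_auth(login, conn):
    """Tautology in the password field: AND binds tighter than OR, so the
    vulnerable handler's WHERE clause becomes true for every row."""
    return login(conn, "alice", "' OR '1'='1")


def dump_passwords(login, conn):
    """UNION payload in the username field: the trailing '--' comments out the
    rest of the original query and a second column is read from the same table."""
    return login(conn, "' UNION SELECT password FROM users --", "x")


def looks_injectable(login, conn):
    """Assumed scanner heuristic (not the botnet's documented probe): a lone quote
    that breaks query syntax raises a database error on the vulnerable path and
    simply matches nothing on the parameterized one."""
    try:
        login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", login_vulnerable), ("parameterized", login_safe)):
        print(name, "injectable:", looks_injectable(handler, db))
        print(name, "bypass ->", bypass_auth(handler, db))
        print(name, "dump   ->", dump_passwords(handler, db))
```

The parameterized handler returns an empty result for every payload because the driver binds the input as a string value rather than splicing it into the statement text; that difference, not input filtering, is what closes the hole.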


Sensing a growing interest in big data-style analysis, software provider Revolution Analytics has updated its flagship package of R statistical functions so it can be run with the Hadoop data processing platform.
Attackers exploited a vulnerability in Adobe ColdFusion to install data-stealing malware that works as a module for the Microsoft Internet Information Services Web server software.
Nokia has released a beta version of its Camera app that will add more advanced features to smartphones like the Lumia 520 and the Lumia 720.
RealNetworks RealPlayer SWF File Heap Based Buffer Overflow Vulnerability
To foster innovation, IT leaders must balance blue-sky thinking and practical goals. However, balancing structure and creativity often means designing new processes.
At some point, desktops and laptops will come with the new Gigabit Wi-Fi standard 802.11ac built in. But if you can't wait and want to speed up the wireless links on your existing devices, you can buy an 802.11ac adapter today.
IBM Global Security Kit CVE-2013-6329 Remote Denial of Service Vulnerability

Unlocking CryptoLocker: How infosec bods hunt the fiends behind it
CryptoLocker, the bitcoin thieving ransomware menace that has become 2013's most infamous malware, was likely created by a single hacker crew in Russia or former Eastern bloc states and is heavily targeting US and UK systems, researchers have ...

After years of false starts, virtual desktop infrastructure (VDI) products are here. They work, and if implemented correctly they can deliver substantial cost savings to enterprise IT shops. What are the risks and rewards involved in embarking on a VDI implementation for your organization?
Siemens COMOS CVE-2013-6840 Local Privilege Escalation Vulnerability
The Canadian Commissioner of Competition believes Google has abused its dominant search position and in an ongoing investigation has filed a document with the Federal Court of Canada demanding more information on the company's practices.
Premier 100 IT Leader Randall Gaboriault also answers questions on the skills needed in QA and the wisdom of getting a doctorate.
McAfee Email Gateway Multiple SQL Injection and Remote Command Execution Vulnerabilities
Zimbra 'skin' Parameter Local File Include Vulnerability
SAP NetWeaver 'RSDDCVER_COUNT_TAB_COLS()' Function SQL Injection Vulnerability
And there's mounting evidence that it's counterproductive.

Information security skills are extremely weak in India
Economic Times
India's talent pipeline in information security skills is extremely weak, according to 'The Talent Crisis in Infosec, Report by EC Council (International Council of Electronic Commerce Consultants), October 2013'. This could cast a shadow on the ...

More than half of the respondents to our survey say they don't aspire to be a CIO. Here's why politics, relatively low pay and a lack of prestige can sink CIO aspirations.
If you thought the traditional help desk would be outsourced, automated or altogether shut down, think again. Hiring for the help desk is hot.
Futurist Thornton A. May foresees bright futures for IT professionals who strive to integrate value-creating IT behaviors into every nook and cranny of the enterprise.
A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.
As the federal government abandons funding primary and applied research, companies like Google and Amazon can pick up the slack.
Columnist Paul Glen says those who insist that career planning is an employer's responsibility place their own futures in jeopardy, relinquishing control of their development to their managers, who can make decisions on a whim.
IT spending is kicking up again, but training budgets have been slow to recover. Many IT professionals are taking matters into their own hands.
Apple's newest 15-in. MacBook Pro looks just like last year's model but delivers on faster performance and solid battery life, says columnist Michael deAgonia.
After nine years with Guess Inc., Michael Relich moved from the CIO post to his dream job as the company's new chief operating officer. He talks about how his tech background helped him make the transition.
Observers of Microsoft's three-month-and-counting CEO search have watched the art of the "non-denial denial" at its best -- or worst -- a public relations expert said today.
SAProuter Remote Authentication Bypass Vulnerability

Posted by InfoSec News on Dec 16


DECEMBER 12, 2013

NUDE pictures of former French first lady Carla Bruni were used to break in to
the computer systems of dozens of diplomats, it emerged today.

The shocking security breach was first discovered at the G20 summit in Paris in

Posted by InfoSec News on Dec 16


December 13, 2013

NEWARK, N.J. - December 12, 2013 (WPVI) -- More than a half million Horizon
Blue Cross Blue Shield members are in danger of identity theft after two
laptops were stolen from the company's office in Newark, New Jersey.

The laptops were stolen during the first weekend of November.

They contained information about members including their name,...

Posted by InfoSec News on Dec 16


By Matt Zapotosky
The Washington Post
December 13, 2013

Unhappy with his middling scores on the standardized test for aspiring
medical students, Bosung Shim tried to hack into the Association of
American Medical Colleges computer system and change them. When that
didn’t work, he...

Posted by InfoSec News on Dec 16

Forwarded from: Luiz Eduardo <le/at/ysts.org>

Sao Paulo, Brazil

April 14th, 2014

Call for Papers Opens: December 13th, 2013

Call for Papers Close: February 1st, 2014
After 7 very successful editions here we are again, off to the 8th
edition of the you Sh0t the Sheriff information security conference
and we are sending this out so you send us the coolest stuff you've
been working...

Posted by InfoSec News on Dec 16

Until January 15, 2014, your company can post jobs on HotInfoSecJobs.com for
50% off our normal rate of $99 for 31 days by using the discount code -


At HotInfoSecJobs.com we pride ourselves on creating an excellent overall
experience for InfoSec job seekers and employers. Postings cost just $99 and
all jobs are cross-posted to popular sites like SimplyHired & LinkedIn for
FREE. It's like getting...
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5610 Multiple Memory Corruption Vulnerabilities
Linux Kernel 'ieee80211_radiotap_iterator_init()' Function Denial of Service Vulnerability
cabextract '.cab' File Code Execution Vulnerability
cabextract MS-ZIP and Quantum Decompressed '.cab' File Denial Of Service Vulnerability