InfoSec News

Facebook has proposed a new model for designing servers that it says will give businesses more choice in selecting components and a smarter way to upgrade systems when needs change, though it remains to be seen how widely its method will be adopted.
A federal judge in California has ordered Apple and Amazon.com to sit down and attempt to settle a lawsuit between them over Amazon's use of the "Appstore" name for its online application marketplace.
The scoop: Wireless Plus mobile storage, by Seagate, about $200 (1TB capacity)
Intel is taking the first steps to implement thin fiber optics that will use lasers and light as a faster way to move data inside computers, replacing the older and slower electrical wiring technology found in most computers today.
Longtime VMware Chief Technology Officer Steve Herrod has stepped down from his post, leaving the company during a challenging time.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
U.S. President Barack Obama has called on Congress to provide funding for research on violence in video games and possible connections to real-world gun violence as part of a wide-ranging package of policy moves announced Thursday.
In the next 12 months, smartphones with five new operating systems are scheduled to go on sale, leaning on Web technologies and improved user interfaces to try and make a dent in the dominance of Apple's iOS and Google's Android.
With Facebook's new search service out in the open, the social network seems to be on a collision course with search giant Google.
Dell is trying to bring the ARM and x86 processors closer by supporting a new systems management technology, a step toward making both the CPU technologies interoperable, the company said on Wednesday.
Microsoft teased the Surface Pro today, hinting that the company will soon announce an on-sale date for its second tablet.
Longtime readers of the Mac Gems column know that I'm a keyboard person. With few exceptions, I prefer to keep my fingers on the keyboard and off my mouse, trackpad, or trackball--sticking to the keyboard is better ergonomically, and it's often faster, as well.
Oracle Java Runtime Environment CVE-2012-3174 Unspecified Remote Code Execution Vulnerability
Oracle Java Runtime Environment CVE-2013-0422 Remote Code Execution Vulnerability
QEMU CVE-2012-6075 Buffer Overflow Vulnerability
Shipments of smartphones with screens 5 inches or larger will more than double this year, as consumers are increasingly attracted to the large screen sizes offered by the phones, according to a prediction from IHS iSuppli.
A petition posted on whitehouse.gov that seeks the removal of U.S. Attorney Carmen Ortiz, who oversaw the prosecution of Internet activist and pioneer Aaron Swartz on hacking-related charges, is nearing 40,000 signatures.
Research in Motion announced Wednesday that credit card company Visa has approved RIM's security management system for use in mobile payments made with smartphones or tablets that use a Near Field Communication chip.
phpShop 'module_id' Parameter SQL Injection Vulnerability
PhpShop Cross-Site Scripting and SQL Injection Vulnerabilities
HP PKI ActiveX Control Denial of Service Vulnerability
Cisco Security Advisory: Cisco ASA 1000V Cloud Firewall H.323 Inspection Denial of Service Vulnerability
DC4420 - 2013 CFP
Oracle E-Business Suite CVE-2013-0397 Security Bypass Vulnerability
phpShop 'index.php' SQL Injection Vulnerability
Re: [CVE-ID REQUEST] vBulletin - Multiple Open Redirects
Re: [CVE-ID REQUEST] Atlassian Confluence - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
Samsung's Galaxy tablets do not infringe on an Apple design right, the District Court of The Hague ruled Wednesday in response to a request by Samsung.
Two hackers who pleaded guilty to having hacked Sony Music's servers to download unreleased Michael Jackson recordings have been sentenced to a suspended prison term of six months

Police authorities in Seoul have accused North Korea of destroying important data in a hacking attack that the country had previously threatened to launch against a South Korean newspaper

Ettercap Multiple Stack Buffer Overflow Vulnerabilities
Even though Oracle patched critical Java vulnerabilities on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) is still urging users to disable Java browser plug-ins.

Be Prepared For Big Data Revolution In InfoSec: RSA
RSA, The Security Division of EMC, has released a security brief asserting that Big Data will be a driver for major change across the security industry and will fuel intelligence-driven security models. Big Data is expected to dramatically alter almost ...


If Zenga Media needed to keep pace with the customers of its live streaming business, it would need to turn to the cloud.

[slackware-security] freetype (SSA:2013-015-01)

Oracle has released a lengthy list of updates to many products. descriptions are available here:


Of the 86 Oracle updates released there are a few high risk updates listed:

CVE-2012-3220 (effecting Oracle Database server products) represents the highest severity with risk score of 9.0 (for a windows hosted database server) out of a possible 10, for *nix based servers the score is lower at 6.5. There is a remote exploit, requiring authentication.

Oracle Mobile Database server products are next on the list with the following CVEs and CVSS base scores, all have remote exploits without authentication via HTTP

CVE-2013-0361 10

CVE-2013-0366 10

CVE-2013-0362 7.8

CVE-2013-0363 7.8

CVE-2013-0364 7.8

The two following CVEs effect MySQL servers with a CVSS score of 9.0 and a remote exploit with authentication:



The remainder of the updates listed have scores of 7.5 or lower, and represent a mix of remote and local exploits some without authentication.

In most cases well designed defense in depth will protect most middleware and backend database servers from direct exploit. Limiting which hosts can communicate with these systems using both network and host based firewalls to reduce the attack plane for the servers to exploits that run through the application (SQL injection or similar) helps mitigate these attack vectors. Database and middleware servers that can be reached from any remote hosts are at greater risk to attack. Applying vendor updates after testing the application in non-production environments is still best practice in all cases.

If you run any of these impacted systems and can report on your experience with these updates please share that with us, and I will update or post another diary covering these experiences.



Volunteer Handler, Internet Storm Center
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
To simplify the roll-out of clusters for big data applications, Skytap is now offering pre-configured Cloudera Hadoop templates that can run in the its public cloud.
Fusion-io has taken the flash storage cards it's been making for its biggest customers and turned them into products that almost any company can buy.
Among the vulnerabilities Oracle has fixed with its now released regular Critical Patch Update are 24 security holes in the company's database products, 18 of them in MySQL. Some of the holes could be exploited remotely and without authorisation

Adobe released security patches for its ColdFusion application server on Tuesday, addressing four critical vulnerabilities that have been actively exploited by attackers since the beginning of January.
Drupal Better Revisions Module Cross Site Scripting Vulnerability
Drupal Activism Module Access Bypass Vulnerability
Drupal Elegant Theme Module HTML Injection Vulnerability
A draft bill to exclude terms of service violations from the Computer Fraud and Abuse Act is to be introduced in the U.S. House of Representatives.
AT&T will expand its Business Exchange collaboration service by adding Polycom back-end infrastructure to complement the Cisco Systems technology it's been using for several years.
Walmart this year plans to install 10,000 self-service kiosks in hundreds of stores. But even as it moves ahead, other retailers are bailing on the technology.
SoftLayer brings fine-grained configuration options, high performance, and interesting extras to the self-service cloud
Working with Drupal is not for the timid -- but these 10 free modules could make things easier for developers and administrators.
Advanced Micro Devices has been granted by a court in Massachusetts a temporary restraining order against four former employees, three of whom are alleged to have left the company to join Nvidia with confidential documents and trade secrets.
A Canadian think tank called on Tuesday for continued scrutiny of U.S. security vendor Blue Coat Systems after a new technical analysis showed wide use of its products in countries with human rights and censorship concerns.
ColdFusion 10 and 9 users should install the new hotfix, which closes two authentication bypass issues, a directory traversal flaw and an information disclosure hole



Be Prepared For Big Data Revolution In InfoSec: RSA
RSA, The Security Division of EMC, has released a security brief asserting that Big Data will be a driver for major change across the security industry and will fuel intelligence-driven security models.รก Big Data is expected to dramatically alter ...

and more »
Internet Storm Center Infocon Status