Windows Update can't be readily disabled in Windows 10 Home, and the license terms that all users must agree to allow Microsoft to install updates automatically.

The Insider Preview releases of Windows 10 didn't include any way to prevent Windows Update from downloading and installing updates, but it wasn't clear if this was just some quirk of the previews, or the long-term plan; Microsoft's previews often have special rules for things like providing automated feedback and hooking up online services, and so this could have been part of that.

Build 10240, released to insiders on Wednesday, changes that. This build is believed to be the release-to-manufacturing build that OEMs will preinstall on hardware, and as such, it contains the finalized settings, license text, and so on.

Read 11 remaining paragraphs | Comments

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security researchers at Trend Micro's Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider HackingTeam that may have allowed the company's customers to sneak spyware through the Google Play store's code review. While the application in question may have only been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers—and may now be copied by others trying to get malware onto Android devices.

The sample app, called "BeNews", is designed as a Trojan horse for Hacking Team's RCSAndroid "backdoor" malware. It used the name of a defunct news site to make it seem like a legitimate Android application. Wish Wu of Trend Labs wrote in a blog post that Trend Labs team found the source code for the app within the leaked Hacking Team files, along with documentation "that teaches customers how to use it," he wrote. "Based on these, we believe that the Hacking Team provided the app to customers to bus used as a lure to download RCSAndroid malware on a target's Android device."

The app exploits a local privilege escalation vulnerability in Android which has been determined to affect all versions of the mobile operating system from Android 2.2 ("Froyo") to 4.4.4 ("KitKat"). Other versions may be vulnerable as well, according to Wish. The exploit, which also affected other Linux operating systems, was documented last summer.

Read 2 remaining paragraphs | Comments


2015's Top 5 Higher Ed Infosec Issues [#Infographic] | EdTech Magazine
EdTech Magazine: Focus on Higher Education
Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection ...

Oracle Java SE CVE-2015-4731 Remote Security Vulnerability
Adobe Flash Player CVE-2015-5122 Use After Free Remote Memory Corruption Vulnerability
Adobe Flash Player ActionScript 3 BitmapData Use After Free Remote Memory Corruption Vulnerability

Dark Reading

10 Trends In Infosec Careers And Staffing - Dark Reading
Dark Reading
It's a reflection of the overall infosec job market, where employers struggle to find enough qualified candidates and opportunities abound for the right candidates. We've put together the results from the Black Hat survey, along with a few other ...

and more »
SEC Consult SA-20150716-0 :: Permanent Cross-Site Scripting in Oracle Application Express
Elasticsearch CVE-2015-5531
Elasticsearch CVE-2015-5377

Smartphone apps from Walmart, CNN, ESPN, and dozens of other organizations put user accounts at risk of compromise because they allow attackers to make an unlimited number of login attempts, according to recently published research.

Security experts have long recognized the benefit of limiting the number of unsuccessful login attempts that users can make to online accounts. While such limits make it possible for attackers to lock out legitimate users, such denial-of-service drawbacks are generally outweighed by the protection they provide against online password cracking attempts, in which attackers make huge numbers of password guesses against specific user accounts in the hopes of trying the right one. Until last September, Apple's iCloud service failed to limit the number of login attempts to that service, a shortcoming that may have contributed to last year's mass celebrity hack and nude photo thefts.

Despite Apple mending its ways, many smartphone apps still allow users to make an unlimited number of login attempts. That failure allows attackers to cycle through long lists of the most commonly used passwords. Given the difficulty of entering strong passwords on smartphone keyboards, it's a likely bet that it wouldn't be hard to compromise a statistically significant number of accounts over a period of weeks.

Read 2 remaining paragraphs | Comments

Linux Kernel CVE-2015-2922 Denial of Service Vulnerability
ESA-2015-122: EMC Documentum CenterStage Cross-site Scripting Vulnerability
ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability

iT News

Infosec firms oppose 'misguided' exploit export controls
iT News
A group of IT security vendors have joined forces in an effort to stop the US government from instituting new export regulations that aim to restrict the trade and operation of intrusion software used by hackers. High-profile infosec companies Mandiant ...
Infosec bigwigs rally against US cyber export control ruleThe Register

all 3 news articles »
Oracle Java SE CVE-2015-4733 Remote Security Vulnerability
Oracle Java SE CVE-2015-2628 Remote Security Vulnerability
Re: [FD] 15 TOTOLINK router models vulnerable to multiple RCEs
[CVE-2015-3253] Apache Groovy Zero-Day Vulnerability Disclosure
Backdoor and RCE found in 8 TOTOLINK router models

BankInfoSecurity.com (blog)

Analysis: InfoSec Workforce Growth Stalls - BankInfoSecurity
BankInfoSecurity.com (blog)
An Information Security Media Group analysis of Bureau of Labor Statistics employment data - culled from the same household surveys the government uses to determine the monthly unemployment rate - shows that 73,800 people identified themselves as ...


Posted by InfoSec News on Jul 16


By Aliya Sternstein
July 15, 2015

Sometimes fear is the best motivator. At the Interior Department, this was
the case when computer hackers stole millions of federal employee records
from an Office of Personnel Management database stored inside one of
Interior's data centers. The assailants left Interior's data...

Posted by InfoSec News on Jul 16


Business Insider
Jul. 14, 2015

It's a known fact that hacking makes money. But how much money? And how do
hackers carry out their internal dealings with one another so as not to
step on each other's toes?

Much like the fine-tuned systems of mafias and gangs that act almost
identically to businesses, hackers have also...

Posted by InfoSec News on Jul 16


By Kim Zetter
July 15, 2015

TWO MONTHS AFTER United Airlines launched a bug-bounty program to reward
researchers who report flaws in the company’s web site and apps, a
researcher has received 1 million air miles in the first reward given.

After submitting information to United about a remote-code execution flaw
in the airline’s web...

Posted by InfoSec News on Jul 16


By John E Dunn
July 15, 2015

Symantec believes the future of security is out there somewhere and has
set up a new partnership with VC firm Frost Data Capital to try and find
it in the form of early-stage security startups.

Security firms have a long track for acquiring startups for intellectual
property as well as...

Posted by InfoSec News on Jul 16


By Lucian Constantin
IDG News Service
July 15, 2015

Go ahead and update Java -- or disable it if you don't remember the last
time you actually used it on the Web. Oracle's latest patch, released
Tuesday, fixes 25 vulnerabilities in the aging platform, including one
that's already being exploited in...
Internet Storm Center Infocon Status