Five music labels have filed a lawsuit against streaming music service Pandora Music, saying the company is violating state law by refusing to pay labels and artists for its use of recordings made before 1972.

Over a week after the revelation of a fatal flaw in the most recent versions of the OpenSSL cryptographic library—the encryption at the heart of much of the Internet’s security—a large number of systems associated with the Tor anonymizing network remain unpatched and vulnerable to attack. To protect the security of the network, the Tor Project flagged relay servers still susceptible to the Heartbleed bug for rejection, meaning they would not be allowed to pass traffic to the core of the network.

The Heartbleed bug, which allows attackers to retrieve bits of memory from the encryption engine, still affects about 10 percent of the relays and gateways that allow users to connect to the network, which could expose the encryption keys and even the IP addresses of users.

In a blog post on April 7, the Tor Project alerted users of the bug, which affected the Tor client, relay, and bridge software; Tor’s “Hidden Service” darknet Web services; and even its internal directory servers. The Orbot client for Android was also vulnerable. The Tor Project team has been moving to provide patches for all of the components, and most of the core network was quickly secured.


Advanced Micro Devices' bottom line changed from black to red on Thursday when the company posted a loss after two straight quarters of profits.
Google has expanded its Project Loon tests to the Nevada desert and, for the first time, into licensed radio spectrum.
Google did little during its first-quarter earnings report to shush critics who say its Enterprise unit is a second-class citizen in its kingdom.
Southern California Edison is outsourcing part of its IT operations, and the jobs may be going overseas.
Worried about how the Heartbleed vulnerability may affect your personal accounts? A new tool may be of help.

Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday.

Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.

"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."


Oracle Java SE CVE-2014-0452 Remote Security Vulnerability
Oracle Java SE CVE-2014-0429 Remote Security Vulnerability
Oracle Java SE CVE-2014-2398 Remote Security Vulnerability
Microsoft's new updating "normal" for Windows -- a faster-paced tempo that demands customers apply releases within weeks -- is a first step in moving the OS to a services-style model. But companies may be leery of the change.
Cloud services can help CIOs free themselves from worrying about managing data centers, scaling capacity, configuring servers, applying security patches and other routine maintenance so they can focus on providing insight to improve the business.
Facebook now has its own take on location sharing -- an optional feature that periodically broadcasts people's locations to their friends.
Oracle Java SE CVE-2014-0460 Remote Security Vulnerability
Oracle Java SE CVE-2014-0453 Remote Security Vulnerability
Oracle Java SE CVE-2014-2413 Remote Security Vulnerability
Oracle Java SE CVE-2014-2403 Remote Security Vulnerability
[security bulletin] HPSBMU02995 rev.3 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure

This week I received a very valuable e-mail from the DNP Technical Committee Chair, Mr. Adrew West, who pointed out an excellent observation: the very slow adoption of DNP3 Secure Authentication Version 5, the latest security enhancement for the DNP3 protocol. Today I want to talk about this standard and the advantages of adopting it in your DNP3 SCADA system.

This standard has two specific objectives:

  • Help the DNP3 outstation determine beyond any reasonable doubt that it is communicating with an authorized user.
  • Help the DNP3 master determine beyond any reasonable doubt that it is communicating with the correct outstation.

This standard minimizes the following risks:

  • Spoofing of the outstation or master: the original specification uses only the DNP3 outstation address for identification; the new standard uses cryptographic keys to authenticate each end.
  • Modification: the standard includes the concept of a Message Authentication Code (MAC) as described in ISO/IEC 9798-4. The MAC allows the receiver to determine whether a message was modified before arriving at its destination, ensuring integrity.
  • Replay attack: valid traffic can no longer be retransmitted by a third party, because the authentication information would not be the same.
  • Eavesdropping: cryptographic keys are securely exchanged, but the data itself is still transmitted in clear text, so confidentiality is not ensured. You need additional gear, such as crypto boxes on each end of the communication link.
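The four risks above can be seen in a small, constructed model of the challenge/response idea behind DNP3 Secure Authentication: the outstation issues a fresh challenge, the master answers with a MAC over the challenge and its request, and the outstation accepts only if the MAC matches. This is an added illustration, not code from the diary or the DNP3 specification, and it deliberately does not reproduce the real DNP3 SA v5 wire format, key update procedure or algorithm choices (HMAC-SHA256 and a pre-shared session key are assumptions); note that the request itself still travels in clear text, which is the eavesdropping point made above.

```python
import hmac
import hashlib
import os
import struct

# Constructed, simplified model of DNP3 SA-style challenge/response.
# Assumptions: both ends already share a session key; a critical request
# is only honoured after the master answers the outstation's challenge.


class Outstation:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0          # challenge sequence number, grows per challenge
        self.pending = None   # (seq, nonce) of the outstanding challenge

    def challenge(self) -> bytes:
        """Issue a fresh challenge: sequence number plus a random nonce."""
        self.seq += 1
        nonce = os.urandom(4)
        self.pending = (self.seq, nonce)
        return struct.pack(">I", self.seq) + nonce

    def verify(self, request: bytes, mac: bytes) -> bool:
        """Accept the request only if the MAC covers the current challenge.
        The challenge is consumed on every attempt, so a replayed MAC
        (computed over an older challenge) can never match."""
        if self.pending is None:
            return False
        seq, nonce = self.pending
        self.pending = None
        msg = struct.pack(">I", seq) + nonce + request
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def master_respond(key: bytes, challenge: bytes, request: bytes) -> bytes:
    """Master proves knowledge of the key by MACing challenge || request."""
    return hmac.new(key, challenge + request, hashlib.sha256).digest()


def demo() -> dict:
    key = b"constructed-shared-key"          # constructed sample key
    out = Outstation(key)
    req = b"OPERATE breaker 12 TRIP"         # constructed request, sent in clear
    legit = out.verify(req, master_respond(key, out.challenge(), req))
    old_mac = master_respond(key, out.challenge(), req)
    out.verify(req, old_mac)                 # consumed by the genuine master
    replay = out.verify(req, old_mac)        # no challenge outstanding: rejected
    ch = out.challenge()
    tampered = out.verify(b"OPERATE breaker 13 TRIP", master_respond(key, ch, req))
    ch = out.challenge()
    spoofed = out.verify(req, master_respond(b"wrong-key", ch, req))
    return {"legit": legit, "replay": replay, "tampered": tampered, "spoofed": spoofed}
```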

The following diagram shows the implementation architecture for this standard (layers listed top to bottom):

    DNP Application Layer
    DNP Secure Authentication
    DNP Transport Function
    DNP Data Link Layer
    Serial / Internet Protocol Suite

As seen, an additional layer is added below the application layer, providing the new security features. Unfortunately, there are two specific reasons that are preventing this standard from being widely deployed in the world:

  • ICS systems are still being planned to last from 10 to 20 years: technology has arrived in that world and most ICS people have not noticed it yet. They still think that an air gap is enough to protect ICS systems and won't consider new investments to implement new security features. The United States is one of the leaders in regulation for critical infrastructure. However, this does not happen in most countries, and unless governments produce new laws enforcing cybersecurity on critical infrastructure, adoption of such standards will remain slow.
  • DNP3 equipment manufacturers do not offer the same references and features in all countries of the world, and most of them even claim that this standard is not yet supported (for example, in South America).

Cybersecurity is still not mature in the ICS industry and has a long way to go. Information security professionals working in the ICS world have a really big challenge: we need to demonstrate that information security controls like this standard will have a return on investment for the company, and that the risk of not having them, when operating infrastructure that is critical to a country, could be catastrophic, with incalculable impact. This standard works, won't put any ICS facility at risk, and we all have a responsibility to ensure its implementation in our companies.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle Java SE CVE-2013-5906 Remote Security Vulnerability
[security bulletin] HPSBMU02998 rev.2 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)
Oracle is gearing up for a fight with officials in Oregon over its role developing an expensive health insurance exchange website that still isn't fully operational.
CUPS Web Interface Cross Site Scripting Vulnerability
I guess there is truth in the saying that the devil is in the details. If anyone ever tries to tell you that their product or service is 100% secure you have my permission to smack them with a large fish (not an actual permission slip). That being said, it is good to tackle the issues straight on when you've been hacked. In this case the storage manufacturer LaCie was breached by a nefarious third party who managed to set up shop on their internal network well over a year ago.
LinuxSecurity.com: Updated libyaml packages that fix two security issues are now available for Red Hat Common for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Critical [More...]
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical [More...]
LinuxSecurity.com: Updated json-c packages fix security vulnerabilities: Florian Weimer reported that the printbuf APIs used in the json-c library used ints for counting buffer lengths, which is inappropriate for 32bit architectures. These functions need to be changed to using [More...]
LinuxSecurity.com: Security Report Summary
[security bulletin] HPSBGN03010 rev.1 - HP Software Server Automation, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information
[ MDVSA-2014:079 ] json-c
[security bulletin] HPSBMU02935 rev.2 - HP LoadRunner Virtual User Generator, Remote Code Execution, Disclosure of information

Pro2col Announces Its Presence at InfoSec and an Exclusive Distribution Deal ...
PR.com (press release)
Leading independent file transfer specialists Pro2col who will be exhibiting at InfoSec, is also pleased to announce an exclusive agreement with Thru to distribute their file transfer solution in the UK and Ireland. London, United Kingdom, April 16 ...

[security bulletin] HPSBMU02988 rev.1 - HP Universal Configuration Management Database, Disclosure of Information
Nokia has temporarily halted sales of the Lumia 2520 in seven countries, because the tablet's AC-300 charger can give users an electric shock.

Developers at Internet services company Netcraft have released a browser extension that makes it easy for Web surfers to know if the site they're visiting is vulnerable to the catastrophic Heartbleed vulnerability.

The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.

The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.


Apache Hadoop RPC Authentication CVE-2013-2192 Man in the Middle Security Bypass Vulnerability
D-Link DAP-1320 Wireless Range Extender Directory Traversal and XSS Vulnerabilities
[security bulletin] HPSBMU02987 rev.1 - HP Universal Configuration Management Database Integration Service, Remote Code Execution
[security bulletin] HPSBMU02982 rev.1 - HP Database and Middleware Automation, Disclosure of Information
[security bulletin] HPSBGN03008 rev.1 - HP Software Service Manager, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information
Users of the new Kindle for Samsung app will get up to 12 e-books for free a year, as Samsung Electronics joins forces with Amazon.com to boost the content on its mobile devices.
Melissa Andrews, a resident of Canada, is a cyber security "cop" for Payza, an international e-commerce payment platform operating in 97 countries. Her job, described by the company's public relations firm as "the worst security job on the Internet," is to protect the public from illegal, and many times revolting, content, by shutting the sites down and alerting authorities about criminal activity. She spoke with CSO this week about her job and why she is proud of what she does.
Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.
Google reported a 19% increase in revenue for the first quarter, but results from its advertising business were mixed.
Microsoft on Wednesday extended the Windows 8.1 Update migration deadline for businesses by three months, but again told consumers they had less than four weeks to make the move before the company shuts off their patch faucet.
Samsung's Galaxy S5 Android phone follows a very popular predecessor, but the latest version doesn't stand out in a sea of thoughtfully designed competitors.
Microsoft may have retired Windows XP, but one of China's leading security vendors is trying to keep the OS threat-free, and rolling out protection software to hundreds of millions of users in the nation.
Emergency room physicians at Beth Israel Deaconess Medical Center are four months into a pilot program where they are using Google's computerized eyeglasses to help treat patients.

Posted by InfoSec News on Apr 17


By Dan Goodin
Ars Technica
April 16, 2014

Private encryption keys have been successfully extracted multiple times
from a virtual private network server running the widely used OpenVPN
application with a vulnerable version of OpenSSL, adding yet more urgency
to the call for operators to fully protect their systems against the

Posted by InfoSec News on Apr 17


By Del Quentin Wilber
April 16, 2014

U.S. Secret Service Agent Matt O'Neill was growing nervous. For three
months, he'd been surreptitiously monitoring hackers' communications and
watching as they siphoned thousands of credit card numbers from scores of
U.S. retailers.

Most every day O'Neill was alerting a credit...

Posted by InfoSec News on Apr 17


By William Knowles
Senior Editor
InfoSec News
April 17, 2013

Here's a 2:33 video that is safe for work, enjoy!


Think you know what being a CISSP is all about? Not all CISSP’s are equal, some
are more equal than others!

@HostUnknownTV brings just two contrasting views of the lifestyle of a CISSP
starring @j4vv4d, @ThomLangford & @sirjester with...

Posted by InfoSec News on Apr 17


By Liu Jiayi
View from China
ZDNet News
April 17, 2014

The Keen, a top hacking team which took down Windows 8.1, Adobe Flash in
just 15 seconds and Apple's Safari on Mac OS X Mavericks in only 20
seconds during the Pwn2Own Vancouver event in March, has divulged the
identity of its members, a Chinese newspaper reported on 13 April 2014.

"50 percent...

Posted by InfoSec News on Apr 17


By Paul Rosenzweig
Security States
The New Republic
April 16, 2014

One of the most hotly contested questions in the cyber domain (at least
domestically) is whether or not the federal government should have a role
in setting universal cybersecurity standards for critical American
infrastructure. That was the ground for debate much of...
Oracle Java SE CVE-2014-0456 Remote Security Vulnerability
Oracle Java SE CVE-2014-0457 Remote Security Vulnerability