InfoSec News

Trend Micro has spotted a piece of malicious software that masquerades as the latest patch for Java, a typically opportunistic move by hackers.
Intel's sales and profits dropped in 2012 as the company was hit by slower demand for PCs and it failed to make it big in the smartphone and tablet markets, although its data center business continued to grow.
AT&T sold a record number of smartphones in the last three months of 2012 as consumers snapped up new products from the likes of Apple and Samsung.
Adobe Acrobat and Reader CVE-2013-0603 Remote Heap Based Buffer Overflow Vulnerability
Adobe Acrobat and Reader CVE-2013-0604 Remote Heap Based Buffer Overflow Vulnerability
Adobe Acrobat and Reader CVE-2013-0610 Remote Stack Based Buffer Overflow Vulnerability
Users of Microsoft's Bing search engine can now see a wider range of Facebook content from their friends appear alongside search results, part of an effort by Microsoft to make the site more social.
Oracle Outside In Technology CVE-2013-0418 Heap Based Buffer Overflow Vulnerability
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
HTC's yet to be announced flagship smartphone, the M7, has been leaked.
The U.S. Department of Veterans Affairs (VA) has begun installing millions of sensors on just about anything that costs more than $50.
A U.S. lawmaker has proposed legislation that would allow mobile phone users to ask apps to stop collecting their personal data and to delete information collected in the past.
An Arizona school district is mulling over whether to continue working on a major software project, upgrade its legacy system or restart from scratch with a different product.
The U.S. Defense Advanced Research Projects Agency and a consortium of top semiconductor companies are handing out US$194 million to universities for research that addresses the physical limitations of semiconductors and chips.
Oracle Outside In Technology CVE-2013-0393 Denial Of Service Vulnerability
Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades.

Apple may be able to build a cut-rate iPhone for $144, which would let it price the device between $299 and $349, hundreds less than the unsubsidized price tag of its flagship smartphone, an analyst said today.
As a February deadline approaches for physicians to report on the status of their EHR rollouts, a number of complaints over ease of deployment and reimbursement payments have also come into the federal government, which an official said the agency plans to address.
The Shylock home banking malware has been updated with new functionality that allows it to spread automatically using the popular Skype Voice-over-IP (VoIP) and instant messaging client.
Lenovo has announced a rugged ThinkPad X131e laptop starting at $429 with Google's Chrome OS.
Users of Cisco's virtual desktop system will soon be able to engage in voice and video communications with their colleagues using the Jabber instant messaging tool.
Microsoft today added Office 2013 to the Home Use Program (HUP), which lets employees of some companies and organizations buy the new suite for $9.95.
Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities
Secunia Research: Oracle Outside In Technology Paradox Database Handling Buffer Overflow
Secunia Research: Oracle Outside In Technology Paradox Database Handling Denial of Service
Cisco Security Advisory Update v1.1: Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability
NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)

Courtesy of PHP Announcements:

The PHP development team announces the immediate availability of PHP 5.4.11 and PHP 5.3.21.

These releases fix about 10 bugs. All users of PHP are encouraged to upgrade to PHP 5.4.

PHP 5.3.20 is recommended for those wishing to remain on the 5.3 series.

The full list of changes is recorded in the ChangeLog on http://www.php.net/ChangeLog-5.php

For source downloads of PHP 5.4.11 and PHP 5.3.21 please visit the downloads page at http://www.php.net/downloads.php.

Windows binaries can be found on http://windows.php.net/download/

Russ McRee|@holisticinfosec
If users take to Facebook's new search tool, the social network could be in line to haul in a lot of advertising dollars, say industry analysts.
In times past, choosing the best PC storage option required merely selecting the highest-capacity hard drive one could afford. If only life were still so simple! The fairly recent rise of solid-state drives and hybrid drives (which mix standard hard drives with solid-state memory) have significantly altered the storage landscape, creating a cornucopia of confusing options for the everyday consumer.
Novell has fixed a buffer overflow problem that is remotely exploitable and allows attackers to take control over the server process, which is executed with super user privileges under Linux.

[SECURITY] [DSA 2609-1] rails security update
At Kaplan, a genuine enthusiasm for technology comes from the top: Its CIO embraces the consumerization of IT and wants employees to be as excited about technology as he is. That culture led Kaplan to migrate from Microsoft Exchange to Google Apps and, mostly recently, to Google+.
Showing what can happen when companies don't periodically review network logs, a software developer working for a large U.S. critical infrastructure company hired a Chinese firm to do his job so he could spend time surfing Reddit and watching cat videos.
A US Representative who sits on the House Judiciary Committee is proposing "Aaron's Law": a change to the Computer Fraud and Abuse Act to halt the overly broad interpretation of the act by prosecutors and a tribute to activist Aaron Swartz.

Apparently, the German Federal Criminal Police Office (BKA) plans to use third-party solutions until its own custom-developed software is ready. Confidential documents suggest that products by Gamma, the company behind Finfisher/Finspy, have been acquired.

Conga luci '__ac' Session Cookie Information Disclosure Vulnerability
FreeRADIUS CVE-2011-4966 Authentication Bypass Vulnerability
Nokia is planning to transfer up to 820 employees to HCL Technologies and Tata Consultancy Services and lay off up to 300 people as the company reorganizes its IT organization.
China's smartphone market is growing so fast that it is expected to be nearly twice as large as the U.S. market this year, according to research firm Canalys.
A court in California has allowed Apple and Samsung Electronics to add recent products from both companies in a patent infringement lawsuit.
Softbank sold off a large portion of a local carrier it acquired just weeks ago, looking to assuage fears over its expanded control of Japan's wireless spectrum.
U.S. Attorney Carmen M. Ortiz said Wednesday that prosecutors recognized that there was no evidence against Internet activist Aaron Swartz that warranted severe punishment.
Foxit released version 5.4.5 of its Foxit Reader PDF viewer plug-in on Thursday in order to address a critical remote code execution vulnerability that could have allowed attackers to compromise computers running previous versions of the software.
Smartphones running Mozilla Firefox and Jolla Sailfish will launch separately in 2013 amid a crowded smartphone market.
DefenseCode said it discovered the firmware flaw and reported it to Cisco 'months ago.'
The JavaScript founder details where developers can go wrong and the straightforward methods to stay on track
As tech infiltrates every corner of the business, it's only natural that some IT departments are producing revenue-generating products and services. Insider (registration required)
Electromagnetic radiation can be used to infiltrate networks isolated from the outside world. The US Army is apparently researching the applications of this approach.

A black-market vendor was apparently selling an exploit for a new zero-day vulnerability in Java less than 24 hours after Oracle released an update to close the recently exploited hole.

GNOME Gnome-keyring 'gnome_keyring_lock_all_sync()' Security Vulnerability

Posted by InfoSec News on Jan 16


By Ricardo Bilton
January 16, 2013

"Bob" is an unassuming, 40-ish software developer with a big secret: He
really likes cat videos.

But Bob had a problem: He has to work, and the American economy doesn’t
exactly brim with jobs that pay you to watch cat videos all day.

So Bob hatched a plan: Aiming to get the best of both worlds, Bob...

Posted by InfoSec News on Jan 16


Jan. 17, 2013

North Korea was behind a hacking attack on the conservative Joongang
Ilbo in June last year, according to the National Police Agency's Cyber
Terror Response Center.

The North launched two massive so-called distributed denial-of-service
attacks on various targets in South Korea on July 7, 2009 and March 4,
2011, hacked into Nonghyup...

Posted by InfoSec News on Jan 16


By John Leyden
The Register
16th January 2013

Two US power stations were infected by malware in the last quarter of
2012, according to a report by the US Department of Homeland Security's
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

USB flash drives packed with software nasties were blamed for a
compromise of industrial control systems in both...

Posted by InfoSec News on Jan 16


By Editorial staff
Clinical Innovation + Technology
Jan 16, 2013

The National Cybersecurity Center of Excellence plans to test tools and
technologies to support the secure exchange of electronic health
information, especially for small healthcare providers.

As part of the effort, the National Institute of Standards and
Technology (NIST)...