(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Moscow-based Elcomsoft has developed a tool to collect iCloud backup files without knowing a person's Apple ID, a development intended to help law enforcement analyze seized computers.

=============== Rob VandenBrink Metafore

Cisco Adaptive Security Appliance WebVPN Portal Information Disclosure Vulnerability
SolarCity, headed by Elon Musk of Tesla fame, plans to build one of the world's largest solar panel production plants on 88 acres in upstate New York.
The total amount of data handled by wireless carriers in the U.S. more than doubled in 2013, an increase driven in large part by video traffic.
The scoop: Transporter Sync, by Connected Data, about $100 (plus cost of external storage drive)
Microsoft has cut prices of its almost-retired Surface Pro 2 tablet by $100 just days before the next-generation goes on sale.
Amazon Web Services has launched a new general purpose Elastic Block Store that runs fully on solid state drives, which the leading IaaS cloud vendor says will provide dramatically better performance for users compared to previous-generation spinning disk persistent storage.
The pace of change for Information Technology is challenging established notions of "What is IT?" and "What is Information Security in the modern age?" For one example, the "new" data center technologies such as virtualization, Software-Defined Networking (SDN), service-oriented delivery models, and cloud computing have radically changed the typical IT infrastructure from a defined set of assets owned and controlled by the organization to a constantly fluctuating roster of resources that can come and go from IT department visibility and control.
The story of A. B. and the training of the IT worker's H-1B replacement struck a chord with Computerworld readers. It provided an opportunity for them to vent, argue and share their views about the visa and its impact on U.S. workers.

Microsoft has released a number of security advisories and updates to advisories; hopefully they'll all have matching updates next Patch Tuesday.

Microsoft Security Advisory 2974294 (just posted today)
Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service

MS14-036 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) (June 10 advisory, updated today)

MS14-035 Cumulative Security Update for Internet Explorer (2969262) (June 10 advisory, updated today)

You can track June's list as it is built here:

Rob VandenBrink

apt CVE-2014-0478 Security Bypass Vulnerability
Facebook took direct aim at social competitor Snapchat with its new mobile app, Slingshot.
A German hacker generated more than $620,000 in cryptocurrency after hijacking an unknown number of network storage devices and turning them into digital slaves to mine Dogecoin, researchers said.
Facebook has launched a new photo- and video-sharing app called Slingshot that's aimed squarely at popular cool-kid Snapchat.

Early in June, Ars reported the discovery of Android/Simplocker, which appeared to be the first cryptographic ransomware Trojan targeted at Android devices. Simplocker encrypts photos, documents, and videos in devices’ local storage and then instructs the device owner to send money if they ever want to see that content again.

One researcher—Simon Bell, an undergraduate student at the University of Sussex—managed to dissect the code for Simplocker. He found that while the code actually called back to a command and control server over the Tor anonymizing network to pass information about the infected device, all of the encryption work was done by the malware itself.

Today, Bell released an antidote to Simplocker—a Java program that can decrypt the files attacked by the malware. “The antidote was incredibly easy to create because the ransomware came with both the decryption method and the decryption password,” Bell wrote. “Therefore producing an antidote was more of a copy-and-paste job than anything.”


CA Technologies is applying its expertise in service management to the cloud, launching a hosted offering to allow organizations to manage and provision IT assets and external cloud services.
YouTube has thousands of videos promoting compromised credit card numbers, with the site sometimes running advertisements for legitimate credit cards or retail outlets alongside the hacker videos, according to a new report from an online safety group.
Brendan Eich's ignominious departure from Mozilla this spring wasn't, as most of us think, due only to his opposition to gay marriage.
A group of U.S. lawmakers have introduced legislation that would prohibit broadband providers from charging Web content generators for priority traffic management.
Oracle is reportedly close to buying hospitality and retail technology vendor Micros Systems for more than US$5 billion in a deal that would be its biggest since the purchase of Sun Microsystems several years ago.
NASA's Hubble Space Telescope will begin searching for an object beyond Pluto that the New Horizons spacecraft can explore next summer.
Democrat lawmakers plan to keep the FCC from allowing ISPs to offer higher-bandwidth connections for some Internet traffic over others.
Monitorix HTTP Server Multiple Unspecified Security Vulnerabilities
Recruiting the best technology professionals starts with the job description. Here's how to make sure yours is hitting all the right areas.

A Brooklyn-based designer has created a 3D-printed sculptural boob tube to spark social commentary on the state of privacy in a data-driven world—by making the top gradually more sheer.

X.pose's striking black webbed rubber structure was engineered using a Stratasys printer, molded to the body to ensure comfort and very much inspired by creator Xuedi Chen's previous work, Invasive Growth (moss-grown jewelry based on the parasitic cordyceps fungus). But underneath, its layers tell another story about our lack of control and veritable vulnerability when it comes to who uses our data, what for, and how much they take.

"By participating in this hyper-connected society while having little to no control of my digital data production, how much of myself do I unknowingly reveal?" asks Chen, who created X.pose in around three weeks with fellow artist Pedro Oliveira. "To what degree does the aggregated metadata collected from me paint an accurate portrait of who I am as a person? What aspects of my individuality are reflected in this portrait?"


Cost has kept U.S. businesses from adopting fraud-resistant credit cards, but consumer concerns about privacy could make adoption a key differentiator.
Google has been hit with yet another antitrust complaint in Europe, this time for alleged anticompetitive behavior in the app market, the European Union's top competition authority confirmed Tuesday.
British spies are authorized to spy on British citizens' Internet communications transiting through servers outside the U.K., a civil rights group has discovered.
LinuxSecurity.com: USN-2214-1 introduced a regression in libxml2.
LinuxSecurity.com: Multiple vulnerabilities have been found in Adobe Flash Player, worst of which allows remote attackers to execute arbitrary code.
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Multiple vulnerabilities have been found in cups-filters, worst of which allows remote attackers to execute arbitrary code.
Adobe Flash Player and AIR CVE-2014-0532 Unspecified Cross Site Scripting Vulnerability
Salesforce.com wants to be the go-to option when small and medium-sized businesses decide they need better customer support software, with a series of updates to its Desk.com application.
In the hunt for more spectrum to speed up mobile networks, Vodafone and Huawei Technologies have successfully tested a technology that lets LTE and GSM share the same frequencies.

Canada recently passed anti-spam legislation. Starting July 1, 2014, organizations now need consent to send unsolicited emails or other electronic communications, which includes text messages, faxes and anything else you might think of. This doesn't cover just mass marketing; a single email to a single person is covered in this new legislation.

Starting Jan 15, 2015, the installation of apps, plug-ins and other programs needs similar consent.

With fines up to $1 million for individuals and $10 million for organizations, there's a bit of a scramble to get consent from us Canadians. Everyone from car companies wanting to send service bulletins to insurance companies who think this applies to emails on our insurance claims is sending "click here to consent" emails. And of course, a similar scramble for folks that we've bought something from once, who want to send us sales flyers forever.

See the problem yet? There was a clue in the note above.

In this onslaught of "Click here" notes, it's oh-so-easy to slip in a few malicious emails, and of course if you do click in those notes, there's some special malware just for you!

To make things more interesting, many of the legit emails of this type are loaded with graphics, with the links pointing to third-party sites, so they also look like malicious content all on their own.

So in an effort to protect us Canadians from our collective compulsion to open every email and click every link (this isn't confined to just Canadians mind you), this legislation is actually resulting in a new "easy button" attack vector, so we have a spike of the very activity this is trying to prevent!

I wonder if the folks in Ottawa who wrote this legislation realize that this also applies to their campaign material at election time? Or if they understand that a telephone call is also "electronic communication"? <Just the first two gotchas that came to mind>

If you've seen malware in email of this type, or if you have a slow day and want to read the legislation and look for similar "oops" situations, please share using our comment form!


Rob VandenBrink

cups-filters 'urftopdf.cpp' Multiple Heap Based Buffer Overflow Vulnerabilities
Microsoft on Monday launched a developers' channel of Internet Explorer that will be regularly updated to give website and Web app designers and developers an early look at what the company plans with its browser.
Security researchers said they've spotted a new type of banking malware that rivals the capabilities of the infamous Zeus malware.
Microsoft is planning to use programmable chips to boost the performance of the servers for its Bing search engine, by accelerating certain services using these devices.
[SECURITY] [DSA 2961-1] php5 security update
[SECURITY] [DSA 2950-2] openssl update

Posted by InfoSec News on Jun 17


By Vincent Berk

The National Institute of Science and Technology's Special Publication
800-53 aims to raise the bar and set a standard of security for federal
government information processing systems. As NIST works on Revision 5 of
the document, which is expected to come out in...

Posted by InfoSec News on Jun 17


By Andrew Grossman
The Wall Street Journal
June 16, 2014

Federal prosecutors announced a criminal charge against a 20-year-old
Tennessee man allegedly associated with a group of activist hackers that
targeted companies and universities, including Bell Canada and the
University of Virginia.

Timothy French allegedly conspired with a computer hacking group called...

Posted by InfoSec News on Jun 17


By Warwick Ashford
16 June 2014

“Cyber security should not be seen as a necessary evil,” says Francis
Maude, minister for the Cabinet Office.

“It is a growth business in its own right and can be a strength for the
UK,” he told the opening session of IA14, the government’s annual cyber
security and information...

Posted by InfoSec News on Jun 17

Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://ottawacitizen.com/technology/internet/how-did-the-rcmp-crack-blackberrys-security
: By Vito Pilieci
: ottawacitizen.com
: June 12, 2014
: BlackBerry Ltd. has long held that its BlackBerry devices are among the most
: secure in the world, but it turns out the platform isn't as bulletproof as
: many had been led to believe.


: PIN-to-PIN messages are...

Posted by InfoSec News on Jun 17


By Shaun Nichols
The Register
14 Jun 2014

AT&T is warning customers that their personal information might have been
breached as part of a scheme to unlock and resell devices.

The company said in a filing to the California Attorney General's office
that employees at an unnamed service provider it works with had accessed
the personal data of...

Posted by InfoSec News on Jun 17


By Angelica Mari
Brazil Tech
June 16, 2014

Brazilians and foreign visitors in the country for the World Cup are being
warned of a potential rise in security attacks.

The lack of specific legislation and regulations for information security
in Brazil coupled with its general vulnerability online — the country
ranks eighth in the global league of cyberattacks,...
Apple has reached an out-of-court settlement in the e-books price-fixing lawsuit with U.S. states and a consumer group ahead of a trial for damages scheduled for July 14, according to records in a New York federal court.
The brake pedal in your car probably isn't attached to the brakes. But don't worry, the pedal knows how to tell the brakes that you've pressed it. And now there's a new way to secure the messages they send each other.