Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


RunKeeper announced Tuesday that it had found a bug in its Android code that resulted in the leaking of users’ location data to an unnamed third-party advertising service. The blog post came four days after the Norwegian Consumer Council filed a complaint against the Boston company.

In the blog post, CEO Jason Jacobs wrote:

Like other Android apps, when the Runkeeper app is in the background, it can be awakened by the device when certain events occur (like when the device receives a Runkeeper push notification). When such events awakened the app, the bug inadvertently caused the app to send location data to the third-party service.

Today we are releasing a new version of our app that eliminates this bug and removes the third-party service involved. Although the bug affected only our Android app, we have decided to remove this service from our iOS product too out of an abundance of caution. The iOS release will be made available once approved by Apple.

We take our responsibility for the privacy of user data very seriously, and we are thankful to the Runkeeper user community for your continued trust and support.

In an e-mail sent to Ars, Jacobs declined further questions, noting the statement "will be our only comment at this time."


 


Some people never seem to learn. A recent investigation by security firm Compaas trawled Google Docs and Dropbox and found thousands of sensitive documents belonging to hospitals, schools, and corporations. In many cases, the spreadsheets caused the organizations to run afoul of consumer privacy laws.

"We found a couple hospitals that had breaches in HIPAA compliance," Compaas COO Doran David said. "There was patient information, what types of surgeries they had, social security numbers. Anything that you would think of that you would consider personal is the type of thing we've come across."

In most cases, the documents are uploaded by employees who don't understand the privacy implications of what they're doing. They simply know that Google Docs and similar services are a much easier way to exchange documents than official methods provided by their employer. In other cases, they use misconfigured third-party apps to swap documents with co-workers. The end result is documents that never should have been made public but can in fact be downloaded by anyone.


 

VMware published today a security advisory about the following CVEs:

  • CVE-2016-3427 (Critical): JMX issue when deserializing authentication credentials. The vulnerability allows commands to be executed on the RMI server of the Oracle JRE JMX service without proper authentication. It can be exploited both remotely and locally.
  • CVE-2016-2077 (Important): VMware Workstation and Player for Windows host privilege escalation vulnerability. This vulnerability allows privilege escalation. It

We have not noticed exploits in the wild so far. If you notice one, please let us know using our contact form.

    Manuel Humberto Santander Peláez
    SANS Internet Storm Center - Handler
    Twitter: @manuelsantander
    Web: http://manuel.santander.name
    e-mail: msantand at isc dot sans dot org
 

More vulnerabilities! This time it is the Symantec Antivirus engine. A buffer overflow can be triggered by a malformed PE executable in which the SizeOfRawData PE attribute is greater than the SizeOfImage PE attribute. Exploiting this bug gives the attacker root on UNIX; on Windows it causes kernel memory corruption that allows execution of anything with maximum privileges. This bug is especially dangerous because this PE malformation is not usually checked by antivirus products, host IPS platforms or proxies.
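As an added illustration (not code from the ISC diary or from Symantec), the following Python parses the PE headers and flags exactly this inconsistency, the kind of sanity check a proxy or mail gateway could apply before a file ever reaches the scanning engine. Offsets follow the PE/COFF specification; the sample inputs are constructed, header-only blobs with no code in them.

```python
import struct

# Header layout constants from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C      # DOS header field holding the PE signature offset
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SIZE_OF_IMAGE_OFFSET = 56   # same offset in PE32 and PE32+ optional headers
SIZE_OF_RAW_DATA_OFFSET = 16


def check_pe_section_sizes(data: bytes) -> list:
    """Return the names of sections whose SizeOfRawData exceeds SizeOfImage.

    A non-empty list means the file has the malformation described above.
    Raises ValueError for input that is not a parseable PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + COFF_HEADER_SIZE
    size_of_image, = struct.unpack_from("<I", data, opt + SIZE_OF_IMAGE_OFFSET)
    sections = opt + opt_size
    if sections + num_sections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("truncated section table")
    bad = []
    for i in range(num_sections):
        hdr = sections + i * SECTION_HEADER_SIZE
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, = struct.unpack_from("<I", data, hdr + SIZE_OF_RAW_DATA_OFFSET)
        if raw_size > size_of_image:
            bad.append(name)
    return bad


def build_header_only_pe(size_of_image: int, size_of_raw_data: int) -> bytes:
    """Constructed test input: DOS stub, COFF header, PE32 optional header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    # i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, SIZE_OF_IMAGE_OFFSET, size_of_image)
    section = bytearray(SECTION_HEADER_SIZE)
    section[:5] = b".text"
    struct.pack_into("<I", section, SIZE_OF_RAW_DATA_OFFSET, size_of_raw_data)
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(section)
```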

Want to perform a PoC yourself? Download the test file. If vulnerable, the system will kernel panic. You should patch this vulnerability ASAP with Symantec Antivirus Engine 20151.1.1.4. Read the full Symantec advisory.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
 
WSO2 SOA Enablement Server - Reflected Cross-Site Scripting
 
[security bulletin] HPSBHF03594 rev.1 - HPE ConvergedSystem and AppSystem for SAP HANA using OpenSSL, Multiple Remote Vulnerabilities
 

A safe password system? Here's how
TechTarget
So the answer to those questions ought to be easy. The catch is, the higher you raise the bar on password setting the more work it is for users. And the perception of "not being an enabler to business" is one of the greatest challenges that infosec ...

 

Mr. Robot Season_2.0: Series Creator Talks about Making Scenes Close to Reality
Crossmap
"A lot of my friends are nerds and coders in InfoSec," Esmail said. "Some of them are hackers. I made a poor attempt at hacking in college and was on academic probation. I wanted to tell a story about that culture because I found those people very ...

 

Richard Porter --- ISC Handler on Duty

 

An exploit has been made publicly available for CVE-2016-1287. A patch for the vulnerability, along with quite a bit of detail about it, was released in February [1]. We recommend you expedite patching this problem if you haven't already done so.

[1] https://blog.exodusintel.com/2016/02/10/firewall-hacking/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
[SECURITY] [DSA 3581-1] libndp security update
 

Windows Security Expert, Jason Fossen, to Keynote SANS Minneapolis InfoSec Training Event
PR Newswire (press release)
BETHESDA, Md., May 17, 2016 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced Microsoft Windows security expert, Jason Fossen, will deliver the keynote address at the SANS Minneapolis ...

 

CATA names cybercrime advisory council
IT World Canada
... recognize and promote champions and expertise, outline needed research and establish a toolkit of innovative technologies and services available to law enforcement agents. The advisory council is another way Canadian organizations and infosec pros ...

 


Privacy and security fears – predictably – impact US online commerce
We Live Security (blog)
Sarcastic remarks like “No kidding” and “You don't say” floated through the infosec ether. Why? Because anyone who has studied information security for more than a decade has probably predicted this kind of news at least once. I will cite some examples ...

 


Updates, updates – hares and tortoises in the software vulnerability race
ComputerWeekly.com (blog)
For off-the-shelf software, news of newly discovered vulnerabilities often comes via the suppliers of commercial packages or, in the case of open source software, from some part of the community. This also applies to components embedded in ... However ...

 

Most ransomware isn't as complex as you might think
SYS-CON Media (press release)
As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background ...

 