Hackin9

ZDNet

Zero Day Weekly: Drupal disaster, POODLE, Ebola phishing scams
Infosec communities and hacker figureheads have taken the creator to task (and called for the project to be reported to Kickstarter) and a Reddit AMA went badly for the creator; yet the project's funding has exceeded half a million dollars. The creator ...

 

ITWeb

Security pros go head-to-head
Infosec practitioners will get the opportunity to benchmark themselves against their colleagues and peers at the IT Security Forum in Johannesburg next week, and assess how effective they are at mitigating risk and countering attacks. During this ...

 

Kickstarter removed a fundraiser for a popular Tor-based router project on Friday afternoon.

The Anonabox, which was created by August Germar, of Chico, California, aimed to be an “open source embedded networking device designed specifically to run Tor.” Its fundraising goal was $7,500, and in five days, it raised $585,549 from nearly 9,000 backers—including three Ars editors.

Germar told Ars that he was not aware that it had been suspended until Ars forwarded him an e-mail from Kickstarter outlining the possible reasons why it could have been cancelled.


 
TYPO3 Calendar Base Extension Denial of Service Vulnerability
 
WebKit CVE-2013-2928 Multiple Unspecified Security Vulnerabilities
 
Trixbox Multiple Security Vulnerabilities
 
WebKit CVE-2014-4412 Unspecified Memory Corruption Vulnerability
 

Cyber attacks on large US companies result in an average of $12.7 million in annual damages, an increase of 9.7 percent from the previous year, according to the fifth Cost of Cybercrime report published by the Ponemon Institute on Wednesday.

The report, sponsored this year by Hewlett Packard’s Enterprise Security division, found that business disruption and information loss account for nearly three-quarters of the cost of cybercrime incidents. The study also confirmed that companies that make security a priority have lower costs associated with security incidents during the year. In particular, companies that use technology that helps flag potential intrusions into critical systems have lower costs, by an average of $2.6 million.

“Business disruption, information loss and the time it takes to detect a breach collectively represented the highest cost to organizations experiencing a breach,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.


 
LinuxSecurity.com: Several security issues were fixed in OpenJDK 6.
 
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Updated rsyslog7 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Several security issues were fixed in OpenSSL.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated openssl packages that contain a backported patch to mitigate the CVE-2014-3566 issue and fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. [More...]
 
LinuxSecurity.com: Updated openssl packages that contain a backported patch to mitigate the CVE-2014-3566 issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this update as having Important security [More...]
 
Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability
 
Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability
 
Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability
 
Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability
 

Apple yesterday released the latest version of its operating system, OS X 10.10 Yosemite. As usual, the new version of the operating system includes a number of security-related bug fixes, and Apple released these fixes for older versions of OS X today.

This update, Security Update 2014-005, is available for versions of OS X back to 10.8.5 (Mountain Lion).

Among the long list of fixes, here are a couple of highlights:

Apple doesn't turn off SSLv3 in this release, but restricts it to non-CBC ciphers, limiting its exposure to attacks like POODLE and BEAST. The list of trusted certificate authorities has also been updated [2].

802.1x no longer supports LEAP by default due to weaknesses in this authentication method.

The bash fix, that was released as a standalone fix earlier to counter Shellshock, is included in this update.

An arbitrary code execution vulnerability in CUPS was fixed. (CVE-2014-3537)

And a quick note about OS 10.10 Yosemite:

After installing it, all security-relevant settings I checked were untouched (good!). Among security-relevant software, GPGMail will not work with Yosemite yet, but according to the developers, a fix is in the works and may be released in a few weeks, but GPGMail may no longer be free. If you rely on software that you compiled with MacPorts: wait for the release of XCode 6.1, as it is required to recompile the software for OS X 10.10. In general, it is advised that you FIRST update all your software and then upgrade to Yosemite. Little Snitch, another popular piece of security software for OS X, works well with Yosemite, but I recommend you turn off the network filter during the upgrade (it works with it enabled, but you need to approve a lot of new connections from new software).

[1]http://support.apple.com/kb/HT1222
[2]http://support.apple.com/kb/HT6005

---
Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
APPLE-SA-2014-10-16-6 iTunes 12.0.1
 
APPLE-SA-2014-10-16-5 OS X Server v2.2.5
 
APPLE-SA-2014-10-16-4 OS X Server v3.2.2
 
APPLE-SA-2014-10-16-3 OS X Server v4.0
 
APPLE-SA-2014-10-16-1 OS X Yosemite v10.10
 
[CORE-2014-0007] - SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
 
[SECURITY] [DSA 3053-1] openssl security update
 
Cisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
 
Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability
 
Apple iPhone/iPad/iPod touch Prior to iOS 7 Safari History Information Disclosure Vulnerability
 
Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability
 

On Thursday, the Guardian reported that the developers of Whisper, a social media platform that allows individuals to post anonymous messages that can be seen by others based on a number of factors, isn’t all that anonymous after all. Whisper, which is advertised as “the safest place on the Internet,” tracks geolocation data of posters and uses their location data for a number of purposes—including censorship and reporting of posts from military bases to the Department of Defense. Whisper’s chief technology officer took to YCombinator’s Hacker News to defend the company against the report, but his explanation was torn apart by security and privacy experts in the discussion that followed.

Much like its competitor Secret, Whisper allows individuals to post anonymous messages overlaid on images or photos to share with others for comment. The application uses geolocation data to determine where the poster is and who should be able to see its contents. It has become popular with a number of communities, including members of the military.

The Guardian was exploring a potential editorial relationship with Whisper, and staff from the news organization spent three days at Whisper’s offices in Los Angeles. While there, the Guardian team witnessed Whisper employees using an in-house geolocation tool to track posts made from various locations and found that the company is tracking specific Whisper users believed to be “potentially newsworthy,” including members of the military, government employees, and employees of companies such as Disney and Yahoo. The company also shares information about posters and their locations with the Defense Department, FBI, and the UK’s MI5, the Guardian’s Paul Lewis and Dominic Rushe reported.


 