InfoSec News

Google thinks it might have found an answer to the vexing problem of forgotten or weak passwords: "physical" passwords, which might come in the form of a piece of jewelry such as a ring.
Cities around the U.S. will have gigabit-speed Internet access by 2015 if the FCC's wishes come true.
When it comes to keeping my PC secure, I rely on a small handful of tools: Windows 7's built-in firewall, Gmail's spam filtering, Web of Trust's helpful browser plug-in, and Microsoft's free Security Essentials anti-virus utility.
The man who broke into the Palo Alto, Calif., home of the late Apple CEO Steve Jobs and stole laptops, iPads and other possessions was sentenced to seven years in a California state prison.
The price for upgrading to Windows 8 Pro will shoot up after Jan. 31, when the existing special offers to acquire the new OS lapse.
Microsoft is close to wrapping up work on Internet Explorer 10 (IE10) on Windows 7, according to a report Friday.
2013 could be the year of enterprise social media, but don't take our word for it. According to a survey of your peers, Indian companies are slowly, but surely, beginning to implement enterprise social media solutions. The State of the CIO Survey found that back in 2011, 30 percent of Indian CIOs were not interested in implementing a social media solution. In the 2012 edition of the survey, that number had fallen to 25 percent.
When Ricoh Europe realized its IT environment was both spiraling out of control and environmentally unfriendly, it turned to an IT services provider for help. Working with Infosys, Ricoh developed a private cloud that helped it consolidate nine data centers into two, cutting infrastructure costs and reducing carbon dioxide emissions significantly.
Dnsmasq Multiple Remote Denial of Service Vulnerabilities
Mozilla Firefox and SeaMonkey CVE-2013-0751 Information Disclosure Vulnerability
MantisBT 'match_type' Parameter Cross Site Scripting Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0750 Heap Buffer Overflow Vulnerability
In corporate circles, inside the four-walls of IT, and at executive gatherings, tales of the affair between the public cloud and IT have fed uninterested CIOs with far-from-juicy gossip.
If you're one of those organizations that don't believe in the power of mobility, chances are you'll soon be termed as outdated. Because if you turn a blind eye to the potential of mobility--despite BYOD, consumerization of IT and its cousins that have stirred up a revolution--your competition will get the better of you.
Flash storage vendor Violin Memory has acquired Gridiron Systems for an undisclosed sum and plans to use the company's application acceleration smarts with its flash arrays.
Research In Motion kicked off its last port-a-thon event on Friday, pushing developers to port their applications over to the new BlackBerry 10 operating system. The new OS, on which much of the fortunes of Research In Motion ride, will launch in less than two weeks.
Lands' End is at legal loggerheads with its longtime payroll software vendor over how much longer the clothier can lawfully use the application, with US$1 million in potential fees hanging in the balance.

Sourcefire VRT released a rules update on 17 JAN that included what they refer to as a potential security issue with rule 3:20275 reported by Tavis Ormandy.

Tavis' tweet states: "today's snort rules fix a remote stack buffer overflow I found in rule 20275. Fixed by @sourcefire in just 48hrs." http://bit.ly/STm7Ij

Fast turnaround by the Sourcefire gang. Here's the diff for the fix:

Compare: D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10885 bytes) with: D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10923 bytes)

Change 1:

  Old: 2, /* revision */
  New: 3, /* revision */

Change 2:

  New: #define NUM_ARRAYS 20

Change 3:

Change 4:

  Old: if(arrays 20) {
  New: if(arrays NUM_ARRAYS) {

Russ McRee|@holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.
Kim Dotcom, creator of Megaupload, plans to launch a new file-sharing site under the New Zealand-based domain Mega.co.nz and will offer 50GB of free storage to all members.
It's all too easy to neglect data security, especially for a small business. While bigger organizations have IT departments, service contracts, and enterprise hardware, smaller companies frequently rely on consumer software, which lacks the same sort of always-on security functionality.
It is still possible to silently install an add-on into Firefox, though it takes a little more work than it did in the days before Firefox 8.

A serious security problem on the online retailer's web sites allowed attacks on session cookies, and therefore access to customer accounts.

HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year.
Microsoft Windows TrueType Font CVE-2012-4786 Remote Code Execution Vulnerability
Microsoft Windows OpenType Font (OTF) Driver CVE-2012-2556 Remote Code Execution Vulnerability
CVE-2012-6452 Axway Secure Messenger Username Disclosure
Nokia is embracing the 3D printing community by releasing files that will let smartphone users create their own custom shells.

Posted by InfoSec News on Jan 18


By Dan Goodin
Ars Technica
Jan 17 2013

The Red October malware that infected hundreds of computer networks in
diplomatic, governmental, and scientific research organizations around the
world was one of the most advanced espionage platforms ever discovered,
researchers with antivirus provider Kaspersky Lab have concluded.

Its operators had...

Posted by InfoSec News on Jan 18


The New York Times
JANUARY 17, 2013

A hacker wearing a fake beard and dark sunglasses took the stage at a computer
security conference in Miami on Thursday and showed a group of about 60
security researchers how to intercept the radio communications between Silver
Spring Networks, a maker of smart grid technology, and its clients,...

Posted by InfoSec News on Jan 18


18 January 2013

GEORGE TOWN: KDU Penang's School of Engineering, Science and Technology and
EC-Council Academy (ECCA) recently signed an MOU to ensure a level playing field
between hackers and information security professionals.

The agreement will allow KDU's computer security students to access ECCA's
flagship Certified...

Posted by InfoSec News on Jan 18

Forwarded from: Reese <reese (at) inkworkswell.com>

At 01:15 AM 1/17/2013, InfoSec News wrote:

If you trace the story back, it originated with a Verizon security guy
who is promoting his company services on their blog.

What are the odds this is a completely fictional account or at best, the
story could be used in classrooms for lessons on hyperbole and

Meanwhile, the story has been picked up by quite a few outlets. Is...

Posted by InfoSec News on Jan 18


The Independent
17 JANUARY 2013

A former "white hat" hacker hired by banks to test their computer security has
been able to discover the names of individuals who volunteered to take part in
genome studies on the condition of anonymity.

Nearly 50 people who had agreed to...
Mozilla's Minion project wants to lend a hand to web application developers by launching test attacks on web sites and apps on request.

Taiwan's Asustek is in talks with Microsoft about using the company's Windows Phone 8 OS in a smartphone, according to a report.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0769 Memory Corruption Vulnerability
Blame Apple's aesthetic: Even the stodgiest of enterprise shops are engaging user experience experts who can design logical, beautiful interfaces for mobile computing's limited spaces.
The Shylock banking trojan has been given a new way to get around the internet to perform its nefarious deeds: Skype. It's also very careful about cleaning up after itself, so a user may not be able to notice it spreading through their Skype

TYPO3 Front End User Registration Extension Authentication Bypass Vulnerability
Novell eDirectory Multiple Security Vulnerabilities

WA today: How to strengthen your computer defences

However, he also notes that the "most important resource you can have is a professional trained in infosec". "This is not something you can just do from a checklist," he said. For those banking, financial services and insurance organisations covered by ...
Wipro's fourth-quarter IT services revenue grew 4.8% year on year, reflecting an overall recovery in offshoring to India.
In this edition of Lost+Found: An SSL guru in search of new challenges, hacker flair for all, guidelines for advisory authors, a Volatility contest and a very liberal URL shortener

The discovery of a remote code execution flaw in the Spring Framework is being reported, but many are not mentioning that the flaw in question was fixed over a year ago and that what has been found is actually a new way to exploit that old flaw.

Linux Kernel hypervkvpd 'hv_kvp_daemon.c' Netlink Packet Processing Denial of Service Vulnerability
Multiple SonicWALL Products CVE-2013-1359 Authentication Bypass Vulnerability

1) From reader Kevin Murphy, a nice mapping of NIST 800-53 controls to the 20 Critical Controls: http://isc.sans.edu/diaryimages/files/NIST-Critical_Controls_Mapping.xlsx

2) The Citizen Lab: Planet Blue Coat: Mapping Global Censorship and Surveillance Tools

Researchers used Shodan to identify Blue Coat systems that could be used for digital censorship, surveillance, and tracking, according to the NYT.

3) Dark Reading: Security Researchers Expose X-ray Machine Bug

ICS-CERT now handling medical device vulnerability alerts in addition to SCADA/ICS vulnerabilities

4) Spiceworks: Passwords: The security tool that loves to be insecure

5) The Next Web: Microsoft debuts Android, iOS, and Windows Phone app to give, ask for help after natural disasters

Russ McRee|@holisticinfosec