Information Security News
ISC Handler Rob V pointed out a blog post from Oracle's Mark Reinhold stating that Oracle has "mounted an intense effort to address those issues in a series of critical-patch update releases" and that they've also upgraded their "development processes to increase the level of scrutiny applied to new code, so that new code doesn’t introduce new vulnerabilities."
Framing statements state that Oracle:
As such, the likely release of Java 8 will be in the first quarter of 2014 (had been intended for September 2013).
Read the full article for yourself here: http://mreinhold.org/blog/secure-the-train
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.
Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney's office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.
"The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."
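Added defender-side example (not code from the article or from Hostgator): the masquerading described above, a backdoor process named after a common system component, can be surfaced by comparing each process's name with the path its binary actually runs from. The allowlist, the sample process table and the 'pcre' entry are constructed assumptions; the live reader assumes a Linux /proc.

```python
import os
import posixpath

# Names worth checking, mapped to the directories they legitimately run from.
# "pcre" is a library (libpcre), not a daemon, so it has no legitimate entry.
EXPECTED_DIRS = {
    "sshd": {"/usr/sbin"},
    "cron": {"/usr/sbin"},
    "pcre": set(),
}

# Constructed sample: (pid, comm, exe) as /proc/<pid>/comm and readlink(/proc/<pid>/exe) report them.
SAMPLE_PROCS = [
    (812, "sshd", "/usr/sbin/sshd"),
    (1203, "cron", "/usr/sbin/cron"),
    (4410, "pcre", "/tmp/.x/pcre"),
    (4422, "sshd", "/home/deploy/.cache/sshd"),
    (4430, "cron", "/usr/sbin/cron (deleted)"),
    (5001, "nginx", "/usr/sbin/nginx"),
]

def suspicious(procs, expected=EXPECTED_DIRS):
    """Return (pid, comm, reason) for every process that fails the name/path checks."""
    findings = []
    for pid, comm, exe in procs:
        if comm not in expected:
            continue
        if exe.endswith(" (deleted)"):
            # Binary unlinked after launch: typical of malware, but also seen after package upgrades.
            findings.append((pid, comm, "binary unlinked after start"))
            continue
        if not expected[comm]:
            findings.append((pid, comm, "name belongs to a library, not a daemon"))
        elif posixpath.dirname(exe) not in expected[comm]:
            findings.append((pid, comm, f"unexpected path {exe}"))
    return findings

def live_procs():
    """Read the real process table (assumes Linux with /proc mounted)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or not ours to inspect
        procs.append((int(pid), comm, exe))
    return procs
```

Run `suspicious(live_procs())` as root on a host to apply the same checks to the real process table.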
by Jacqui Cheng
Remember that time when you asked Siri about the nearest place to find hookers? Or perhaps the time you wanted to know where to find the best burritos at 3am? Whatever you've been asking Siri since its launch in late 2011 is likely still on record with Apple, as revealed by a report by our friends at Wired on Friday. Apple spokesperson Trudy Muller told Wired that Apple stores Siri queries on its servers for "up to two years," though the company says it makes efforts to anonymize the data.
"Apple may keep anonymized Siri data for up to two years," Muller said. "Our customers’ privacy is very important to us."
Why does Apple have your Siri queries on record in the first place? Remember, Siri doesn't just operate locally on your iPhone or iPad—when you ask it a question, your voice query is sent to Apple's servers for processing before the answer—a Google search, an answer from Wolfram alpha, a Yelp result, etc.—is sent back. That's why an Internet connection is required in order to use Siri; if you have no Wi-Fi or cellular signal, you can't use Siri to perform any actions.
The release of Java 8, originally due in September this year, has been pushed back. The new version's headline feature—Project Lambda, which brings anonymous functions to Java—isn't yet finished.
The reason for this delay is, in part, security. Over the past eight months, a large number of critical security flaws have been found and patched. This has damaged Java's reputation, with Apple, for example, reacting by removing the Java plugin from its Safari browser.
In response, Mark Reinhold, chief architect of the Java Platform Group at Oracle, has announced a "renewed focus on security" that will tie up engineering efforts. As a result, Java 8 has now been pushed back until the first quarter of 2014.
Posted by InfoSec News on Apr 16: http://www.theatlantic.com/national/archive/2013/04/the-boston-marathon-bombing-keep-calm-and-carry-on/275014/
Posted by InfoSec News on Apr 16: http://www.washingtontimes.com/news/2013/apr/15/hagel-nixes-medal-drone-pilots-cyber-warriors/
Posted by InfoSec News on Apr 16: http://news.cnet.com/8301-1009_3-57579744-83/hacker-celeb-mudge-joins-google-after-darpa/
Posted by InfoSec News on Apr 16: http://arstechnica.com/security/2013/04/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java/
Posted by InfoSec News on Apr 16: http://www.informationweek.com/security/attacks/wordpress-hackers-exploit-username-admin/240152864
Posted by InfoSec News on Apr 18: http://www.theregister.co.uk/2013/04/17/malware_squatters_boston_marathon_bombing/
Posted by InfoSec News on Apr 18: http://www.baltictimes.com/news/articles/32831/?/
Posted by InfoSec News on Apr 18: http://www.csoonline.com/article/731797/tactics-of-wordpress-attackers-similar-to-bank-assaults
Posted by InfoSec News on Apr 18: http://www.poughkeepsiejournal.com/article/20130417/NEWS01/304170003/In-brief-Central-Hudson-says-extent-cyber-breach-an-unknown
Posted by InfoSec News on Apr 17: Forwarded from: DeepSec Conference <deepsec (at) deepsec.net>
Posted by InfoSec News on Apr 17: http://www.bankinfosecurity.com/interviews/will-new-hires-impede-future-security-i-1883
Posted by InfoSec News on Apr 17: http://www.csoonline.com/article/731833/three-simple-steps-to-determine-risk-tolerance-
Posted by InfoSec News on Apr 17: http://www.theregister.co.uk/2013/04/17/oracle_java_security_update/
Posted by InfoSec News on Apr 17: http://english.chosun.com/site/data/html_dir/2013/04/17/2013041700511.html
Posted by InfoSec News on Apr 18: http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/