Hackin9
Yahoo is giving itself a bit of a makeover. Earlier this week it launched two new mobile apps for email and weather; now it's ditching numerous longstanding products, including Deals and SMS Alerts, in an attempt to sharpen its focus, the company announced Friday.
 
Oracle Java SE CVE-2013-1569 Remote Java Runtime Environment Vulnerability
 

ISC Handler Rob V pointed out a blog post from Oracle's Mark Reinhold stating that Oracle has "mounted an intense effort to address those issues in a series of critical-patch update releases" and that they've also upgraded their "development processes to increase the level of scrutiny applied to new code, so that new code doesn’t introduce new vulnerabilities."

Reinhold's framing statements say that Oracle:

  • is committed to continue fixing security issues at an accelerated pace
  • will enhance the Java security model
  • will introduce new security features
  • recognizes that more engineer hours are required than can be freed up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage

As a result, Java 8 is now likely to ship in the first quarter of 2014 (it had been intended for September 2013).

Read the full article for yourself here: http://mreinhold.org/blog/secure-the-train

Russ McRee | @holisticinfosec

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Opera Web Browser CVE-2013-3210 Information Disclosure Vulnerability
 
Oracle Java SE CVE-2013-2433 Remote Java Runtime Environment Vulnerability
 
Some of the biggest names in IT including IBM, Microsoft, Google and Intel reported quarterly earnings this week, revealing a picture of the tech sector that, while not as gloomy as had been feared, is nevertheless mixed.
 
Internet users overwhelmingly enjoy free Web content supported by advertising, and they'd rather see advertisements targeted toward their interests than random ads, according to a survey released this week by the Digital Advertising Alliance (DAA).
 
Microsoft's chief financial officer, Peter Klein, will receive $2 million in the year after he retires from the company, according to documents filed Thursday with the U.S. Securities and Exchange Commission.
 
A Florida bill that would restrict the use of airborne drones by state law enforcement officials is one signature away from becoming the first law of its kind in the country.
 
As the manhunt goes on for the surviving suspect in the Boston Marathon bombing, the bombers' social networks could give investigators needed clues about them.
 
Opera Web Browser Information Disclosure and Unspecified Vulnerabilities
 
Microsoft's chief financial officer yesterday confirmed that the company and its hardware partners would ship smaller, lower-priced Windows tablets in the next months.
 
IBM's reported interest in selling parts of its x86 server business to Lenovo may bring major changes to the global market.
 
Boston police today used Twitter and Facebook to reach out to residents during a manhunt for one of the men suspected of bombing the Boston Marathon this past Monday.
 
Blackstone Group has given up its bid for Dell, less than a month after the private-equity fund manager said it was planning to top an offer from founder Michael Dell and private-equity firm Silver Lake Partners, according to news reports.
 
A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney's office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.

"The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."

 
Apple probably still has this query of mine from 2011 saved somewhere in the cloud.

Remember that time when you asked Siri about the nearest place to find hookers? Or perhaps the time you wanted to know where to find the best burritos at 3am? Whatever you've been asking Siri since its launch in late 2011 is likely still on record with Apple, as revealed by a report by our friends at Wired on Friday. Apple spokesperson Trudy Muller told Wired that Apple stores Siri queries on its servers for "up to two years," though the company says it makes efforts to anonymize the data.

"Apple may keep anonymized Siri data for up to two years," Muller said. "Our customers’ privacy is very important to us."

Why does Apple have your Siri queries on record in the first place? Remember, Siri doesn't just operate locally on your iPhone or iPad—when you ask it a question, your voice query is sent to Apple's servers for processing before the answer—a Google search, an answer from Wolfram Alpha, a Yelp result, etc.—is sent back. That's why an Internet connection is required in order to use Siri; if you have no Wi-Fi or cellular signal, you can't use Siri to perform any actions.

 
Android memory dump analysis, OCSP performance, 1Password security, Python crypto cracking, real-time Cuckoo, Hack In The Box slides, Certificate Pinning, and the reason Linode was hacked - all the news that's too good to lose
    


 
[ MDVSA-2013:146 ] icedtea-web
 
[ MDVSA-2013:145 ] java-1.6.0-openjdk
 
Re: SEC Consult SA-20130417-1 :: Java ActiveX Control Memory Corruption
 
TWSL2013-004: Group Name Enumeration Vulnerability in Cisco IKE Implementation
 
If your computer is stolen or otherwise liberated from your possession, don't despair: If you've remembered to enable Find My Mac, you can track it, remotely lock it, and even send messages to your Mac's screen.
 
Even though PC shipments were down 14% last quarter, Microsoft's Windows division posted revenue about the same as the last year, making up for slumping sales to OEMs with growth in long-term licensing agreements sold to enterprises.
 
Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Two security issues were fixed in IcedTea-Web.
 
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical...
 
LinuxSecurity.com: Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical...
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:...
 
Xen CVE-2013-1920 Memory Corruption Vulnerability
 
Adobe Shockwave Player CVE-2013-1384 Memory Corruption Vulnerability
 
Microsoft Forefront Unified Access Gateway 'Signurl.asp' Cross-Site Scripting Vulnerability
 
Microsoft Virtual PC and Virtual Server Heap Overflow Vulnerability
 

The release of Java 8, originally due in September this year, has been pushed back. The new version's headline feature—Project Lambda, which brings anonymous functions to Java—isn't yet finished.

The reason for this delay is, in part, security. Over the past eight months, a large number of critical security flaws have been found and patched. This has damaged Java's reputation, with Apple, for example, reacting by removing the Java plugin from its Safari browser.

In response, Mark Reinhold, chief architect of the Java Platform Group at Oracle, has announced a "renewed focus on security" that will tie up engineering efforts. As a result, Java 8 has now been pushed back until the first quarter of 2014.

 
Microsoft GDI+ WMF File Processing Remote Code Execution Vulnerability
 
Microsoft Forefront Unified Access Gateway Web Monitor Cross-Site Scripting Vulnerability
 
Microsoft Forefront Unified Access Gateway Mobile Portal Cross-Site Scripting Vulnerability
 
Citrix System's GoToWebcast has become generally available in North America and Europe, offering users a cloud-based webcasting tool for up to 5,000 attendees.
 
Cody Andrew Kretsinger, a 25-year-old man from Decatur, Ill., was sentenced Thursday to one year in federal prison for his role in a May 2011 breach of a Sony Pictures website and database.
 
A Motorola Mobility patent that was successfully used to force Apple to turn off its iCloud push email services for users in Germany last year could be invalid, the District Court in Mannheim, said on Friday.
 
Cross-site scripting (XSS) code could be executed when users checked in at a location. Facebook has now closed this and other XSS holes. Further loopholes exist in the social network's Chat and Messenger for Windows components.
    


 
An IT support services company in Iowa said the U.S. Senate's comprehensive immigration bill, which seeks restrictions on the use of H-1B and L-1 workers, may help U.S. firms because it would raise costs on offshore IT service providers.
 
Linux Kernel CVE-2012-6548 Local Information Disclosure Vulnerability
 
Linux Kernel CVE-2012-6544 Multiple Local Information Disclosure Vulnerabilities
 
Linux Kernel CVE-2012-6545 Multiple Local Information Disclosure Vulnerabilities
 
Users can now add extra security to their Microsoft account. The details look similar to the method that Google has been using for more than two years.
    


 
Wikileaks' latest release is billed as a transcript of a "secret meeting," but it may more accurately be termed a promotion.
 
Drupal MP3 Player Module Cross Site Scripting Vulnerability
 
IcedTea-Web CVE-2013-1926 Security Bypass Vulnerability
 
IcedTea-Web CVE-2013-1927 Security Bypass Vulnerability
 
Linux Kernel Tracing Multiple Local Denial of Service Vulnerabilities
 

Posted by InfoSec News on Apr 16

http://www.theatlantic.com/national/archive/2013/04/the-boston-marathon-bombing-keep-calm-and-carry-on/275014/

By Bruce Schneier
The Atlantic
April 15, 2013

As the details about the bombings in Boston unfold, it'd be easy to be scared.
It'd be easy to feel powerless and demand that our elected leaders do
something -- anything -- to keep us safe.

It'd be easy, but it'd be wrong. We need to be angry and empathize with the...
 

Posted by InfoSec News on Apr 16

http://www.washingtontimes.com/news/2013/apr/15/hagel-nixes-medal-drone-pilots-cyber-warriors/

By Kristina Wong
The Washington Times
April 15, 2013

Defense Secretary Chuck Hagel is canceling the creation of a heroism medal for
drone pilots and cyber warriors, prompted by uproar over its precedence over
the Bronze Star and Purple Heart medals.

Mr. Hagel, who ordered a Pentagon review of the new medal, said Monday: “While
the review...
 

Posted by InfoSec News on Apr 16

http://news.cnet.com/8301-1009_3-57579744-83/hacker-celeb-mudge-joins-google-after-darpa/

By Seth Rosenblatt
Security & Privacy
CNET News
April 15, 2013

Peiter "Mudge" Zatko, who was hired three years ago to be a project manager at
the U.S. Department of Defense's research and development division known as
the Defense Advanced Research Projects Agency, has announced via Twitter that
he's returning to the private...
 

Posted by InfoSec News on Apr 16

http://arstechnica.com/security/2013/04/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java/

By Dan Goodin
Ars Technica
Apr 15 2013

Oracle plans to release an update for the widely exploited Java browser
plugin. The update fixes 39 critical vulnerabilities and introduces changes
designed to make it harder to carry out drive-by attacks on end-user
computers.

The update scheduled for Tuesday comes as the security of Java is...
 

Posted by InfoSec News on Apr 16

http://www.informationweek.com/security/attacks/wordpress-hackers-exploit-username-admin/240152864

By Mathew J. Schwartz
Information Week
April 15, 2013

Attention, WordPress users: If you have a WordPress username set to "admin,"
change it immediately.

That warning was issued Friday by WordPress founder Matt Mullenweg, in the
wake of reports that thousands of WordPress sites with an administrator
username set to "admin"...
 

Posted by InfoSec News on Apr 18

http://www.theregister.co.uk/2013/04/17/malware_squatters_boston_marathon_bombing/

By Iain Thomson in San Francisco
The Register
17th April 2013

The scummier end of the online community has been quick to use Monday's bombing
of the Boston Marathon as bait for multiple malware dispersals, plus a spot of
old-fashioned online fraud along the way.

Within 24 hours of the blasts, the ISC reported that 234 potentially fake
domains have been...
 

Posted by InfoSec News on Apr 18

http://www.baltictimes.com/news/articles/32831/?/

The Baltic Times
Apr 17, 2013

RIGA - Latvian cyber-crime suspect Deniss Calovskis is innocent until proven
guilty, but the charges against him are very serious, U.S. Ambassador to Latvia
Mark Pekala said, commenting on the so-called ‘Riga hacker affair,’ reports
LETA.

“Taking into account his possible participation in these crimes, Calovskis has
been charged with fraud and large scale...
 

Posted by InfoSec News on Apr 18

http://www.csoonline.com/article/731797/tactics-of-wordpress-attackers-similar-to-bank-assaults

By Antone Gonsalves
CSO
April 16, 2013

Cybercriminals are attacking servers hosting WordPress sites in an attempt to
build a potent botnet that would be eerily similar to one used last year to
attack major U.S. financial institutions.

The motives of the latest attackers are not known. However, their tactics
resemble those used to build the...
 

Posted by InfoSec News on Apr 18

http://www.poughkeepsiejournal.com/article/20130417/NEWS01/304170003/In-brief-Central-Hudson-says-extent-cyber-breach-an-unknown

Poughkeepsie Journal
Apr 16, 2013

Central Hudson Gas & Electric Corp.’s president says the company may never be
able to confirm if nearly one-third of its customers’ banking information has
been compromised by a cyber security breach in February.

The utility said in a statement Tuesday that it has completed...
 

Posted by InfoSec News on Apr 17

Forwarded from: DeepSec Conference <deepsec (at) deepsec.net>

DeepSec 2013 "Seven Seas" - Call for Papers

Dear Researchers, Hackers, Developers, dear Members of the IT-Security
Community: This is our call for papers for DeepSec 2013, the seventh DeepSec
In-Depth Security Conference. Our annual event will take place from November
19th to 22nd at the Imperial Riding School Renaissance Hotel in Vienna. It
consists of two days of...
 

Posted by InfoSec News on Apr 17

http://www.bankinfosecurity.com/interviews/will-new-hires-impede-future-security-i-1883

By Eric Chabrow
Bank Info Security
April 16, 2013

The rush to find qualified IT security professionals to meet current
cyber-threats could jeopardize IT systems' security in the
not-too-distant future, say two leading IT security experts, Eugene
Spafford and Ron Ross.

Spafford, a Purdue University computer science professor, and Ross, a
leading IT...
 

Posted by InfoSec News on Apr 17

http://www.csoonline.com/article/731833/three-simple-steps-to-determine-risk-tolerance-

By Craig Shumard
CSO
April 16, 2013

For CISOs, in addition to deciding what policies, processes, or
technology an organization should have in place, an even more
significant challenge is successfully negotiating disputed risk issues.
But, the process for determining risk tolerance is fraught with
organizational politics, and it goes without saying that...
 

Posted by InfoSec News on Apr 17

http://www.theregister.co.uk/2013/04/17/oracle_java_security_update/

By Jack Clark in San Francisco
The Register
17th April 2013

Oracle has issued a critical update patch for Java as the database giant
works to shore up confidence in the widely used code.

The security update fixes 42 security flaws, 19 of which merit a 10
(most severe) rating according to the CVSS metric the company uses to
evaluate the software. Along with this, Oracle has...
 

Posted by InfoSec News on Apr 17

http://english.chosun.com/site/data/html_dir/2013/04/17/2013041700511.html

The Chosun Ilbo
April 17, 2013

International hackers' collective Anonymous has broken into North Korean
propaganda website Uriminzokkiri again and released the personal
information of about 100 more subscribers on Tuesday. The hackers
earlier released the personal information of thousands of subscribers to
the website.

The group said it had hacked five North...
 

Posted by InfoSec News on Apr 18

http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/

By Dan Goodin
Ars Technica
Apr 17 2013

Coordinated attacks used to knock websites offline grew meaner and more
powerful in the past three months, with an eight-fold increase in the average
amount of junk traffic used to take sites down, according to a company that
helps customers weather the so-called distributed denial-of-service...
 