Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Personal records for more than 309,000 students and staff were exposed this week in a "sophisticated" database attack at the University of Maryland, the university said Wednesday.
 
Oracle Java SE CVE-2013-5887 Remote Security Vulnerability
 
Facebook has agreed to buy mobile messaging app WhatsApp for US$16 billion in cash and stock, the social network said Wednesday.
 
After more than six years of internal development of its branch of the cross-language framework that powers its internal services, Facebook has released that branch to open source and hopes to work with the Apache Thrift community to incorporate the work.
 
Demand for people with Linux skills is increasing, a trend that appears to follow a shift in server sales.
 

The operator of a role-playing game site that was knocked offline by denial-of-service attacks has pledged a reward of more than $13,000 for information leading to the conviction of the people responsible.

The €10,000 bounty—equivalent to a little more than $13,000 at current exchange rates—was promised Tuesday by massively multiplayer online role-playing game provider Wurm. The bounty came after the company's servers were knocked offline by a distributed denial-of-service (DDoS) attack, a technique that uses large numbers of infected computers to flood a target with more data than it can handle. Wurm remained offline Wednesday as it switched to a new Web hosting provider. Engineers had already planned to make the switch but accelerated the time frame once its old host pulled the plug.

"Shortly after today's update we were the target of a DDoS attack and our hosting provider had to pull us off the grid for now," a Wurm representative wrote in a Tuesday post. "We will be back as soon as possible but things are out of our hands since their other customers are affected. As we wrote in a previous news post we are planning on changing hosting anyways which should improve things for the future. We can offer 10 000 Euro for any tips or evidence leading to a conviction of the person responsible for this attack."


In 2012, Iranian hackers managed to penetrate the US Navy’s unclassified administrative network, the Navy Marine Corps Intranet. While the attack was disclosed last September, the scale of it was not—the attack gave hackers access to the NMCI for nearly four months, according to an updated report by The Wall Street Journal.

Vice Adm. Michael Rogers, who is now President Barack Obama’s choice to replace Gen. Keith Alexander as both NSA director and commander of the US Cyber Command, led the US Fleet Cyber Command when the attack came to light. Rogers' response to the attack may be a factor in his confirmation hearings.

Iranian hackers attacked NMCI in August of 2012, using a vulnerability in a public-facing website to gain initial access to the network. Because of a flaw in the security of the network the server was hosted on, attackers were able to use the server to gain access to NMCI’s private network and spread to other systems. While the vulnerability that allowed the attackers to gain access in the first place was discovered and closed by October, spyware installed by the attackers remained in place until November.

For decades, Intel chips would be unboxed and put straight into computers. Now the chip maker is trying to tie software closer to hardware before it starts producing chips, said CEO Brian Krzanich.
 
Some Republican policymakers objected to a new U.S. Federal Communications Commission plan to reinstate its net neutrality rules after a court threw them out, but broadband providers appeared to be less concerned.
 
The number of mobile apps infected with malware in Google's Play store nearly quadrupled between 2011 and 2013, a security group has reported.
 
Microsoft will make a killing when it launches Office apps for Apple's iPad and tablets powered by Android. Or will it?
 
Oracle Java SE CVE-2014-0410 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-0387 Remote Security Vulnerability
 
As part of a review of its cryptographic standards development process, the National Institute of Standards and Technology (NIST) is requesting public comment on a new draft document that describes how the agency develops those ...
 
Alcatel-Lucent is betting big on operators wanting to virtualize their mobile networks using NFV (Network Functions Virtualization) technology, in order to become more nimble and less reliant on proprietary hardware.
 
Faster and more flexible mobile networks enabled by small cells, virtualization and next-generation LTE are expected to highlight infrastructure trends at Mobile World Congress next week.
 
Informatica is aiming to ease the pain of data integration with a new platform designed to allow businesses to rapidly prototype and validate before sending projects to development.
 
Google has chosen 34 cities across the U.S. as the next sites for possible expansion of its gigabit-speed Fiber Internet service.
 
Computerworld offers a Tip of the Hat to Richard Read of The Christian Science Monitor for a look at The Tesla-Apple rumors and what such an unlikely deal could mean for Apple's developers and users, and what it could bring to Tesla.
 
The first smartphones based on a mobile version of Canonical's Ubuntu Linux operating system will be launched this year, the company's CEO said.
 
Samsung on Monday will unveil its second-generation Galaxy Gear smartwatch, this one running the open source Tizen operating system, not the Android software that runs the first-generation model, according to reports.
 
The U.S. Federal Communications Commission will not seek further judicial review of a January court ruling that struck down the agency's net neutrality regulations, but it does plan to issue a new set of rules covering ISPs.
 
The end-of-life writing is on the wall for Intel's high-end Itanium chip, with the launch this week of the high-performance usurper, the chip maker's 15-core Xeon E7 v2 chip.
 

I'm sure hoping you've read headlines recently; there's so much to work with here. :-)
As indicated in ISC Diary coverage of the Linksys worm referred to as The Moon, as well as a KrebsonSecurity discussion of a plethora of other vulnerable hardware, threats are everywhere. And as the Internet of Things leads us to pwned refrigerators and home automation gone amok, it's time to revisit one of my favorite topics: threat modeling.
Further, Adam Shostack's Threat Modeling: Designing For Security is now available via Wiley and online book sellers. If you plan to be at RSA, Adam will be speaking on New Foundations for Threat modeling (Wednesday, 26 FEB, at 9:20).
Why should you consider threat modeling for your computing and technology-centric environments? Threats abound, and there are no more important reasons than the viability and reputations of your organizations. The consequences of a successful cyberattack would almost certainly affect your organization's ability to conduct its day-to-day business operations. Ask the Navy how it feels about the four months and $10 million it took to get the Iranians off the Navy Marine Corps Intranet. If such attacks lead to exposure of confidential information, your organization is likely to be perceived as one that failed to do what was necessary to protect itself, which in turn can affect the ability to conduct business in the future. Failure to protect customer information could subject your organization to legal liabilities and potentially significant fines. Imagine the possible cost to Target if you use the approximate $200 cost per exposed customer record x 110 million (40 million, then 70 million) records alleged to be in play in some form or fashion as a result of the Target compromise.
Threat modeling allows you to determine what threats exist that could affect your organization's computing infrastructure, helps you identify threat mitigations to protect resources and sensitive information, and helps you prioritize the identified threats so that you can manage your security efforts in a proactive manner.
Sounds like a good plan, right? I'm now leading an entire team dedicated to this cause at Microsoft; after having written the IT Infrastructure Threat Modeling Guide in 2009 (revision pending in the March/April timeline), it's finally been agreed that threat modeling and assessment is a natural fit for the practice of Threat Intelligence (data science) & Engineering (build mitigations).
The fortuitous timing of Adam's book release is not lost on me as I engage this recent new work assignment; Threat Modeling: Designing For Security is, in essence, the bible for our practice. I was honored to be the Technical Proofreader for this book, which gives me the opportunity to provide you with a few insights with the hope of inspiring you to read it and embrace threat modeling broadly.
Quoting Adam directly, "This book is written for those who create or operate complex technology. That’s primarily software engineers and systems administrators, but it also includes a variety of related roles, including analysts or architects. There’s also a lot of information in here for security professionals, so this book should be useful to them and those who work with them. You will gain a rich knowledge of threat modeling techniques. You’ll learn to apply those techniques to your projects so you can build software that’s more secure from the get-go, and deploy it more securely. You’ll learn how to make security tradeoffs in ways that are considered, measured, and appropriate and you will learn a set of tools and when to bring them to bear."
Adam asks you to consider a set of related questions that are essential to threat modeling:
1. What are you building?
2. What can go wrong with it once it’s built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?

If you embrace these as you mature your threat modeling practice you will maintain perspective throughout. Think about those questions as you ponder the interconnectedness of so much of modern technology. Do you need to threat model your brand new refrigerator or Internet-connected lighting controller? Yeah, probably a good idea. What could possibly go wrong?
The well-known STRIDE mnemonic (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) remains entirely viable, integral, and omnipresent, but other modeling tactics are described in the book too. We've also incorporated Allegro Octave, as well as DREAD, OWASP, CVSS, and other risk assessment methods as part of threat assessment tactics, techniques, and procedures (thank you SimpleRisk).

Your action items are simple: read up on threat modeling, begin to threat model as part of your regular information security focuses, apply mitigations to the findings, and admire your handiwork as threat vectors are diminished. If you have any questions on this front please reach out directly or drop comments here.

Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Linux Kernel 'hamradio/yam.c' Local Information Disclosure Vulnerability
 
While pursuing the goal of turning a cloud of ultracold atoms into a completely new kind of circuit element, physicists at the National Institute of Standards and Technology (NIST) have demonstrated that such a cloud—known as a ...
 
After spending billions to acquire a series of marketing-related software companies, Oracle is now undergoing the process of creating a unified suite it can take to battle against competing offerings from the likes of Salesforce.com and Microsoft.
 
Most of the features of the perfect smartwatch exist today, but not all in the same product. (Insider; registration required)
 
Three weeks after announcing OneDrive as the new label for SkyDrive, Microsoft today activated the renamed storage service, and offered some new incentives that give customers more space.
 
Not all the proven practices of the past work in today's interconnected, heterogeneous world. Here's what you need to do differently
 
If you are looking to land your next tech job, creating and promoting a personal website can help you control Google search results, better highlight relevant skills and provide an edge in a competitive job market.
 
GnuTLS CVE-2014-1959 Certificate Validation Security Bypass Weakness
 
Apache Tomcat CVE-2013-1976 Insecure Temporary File Handling Vulnerability
 

InfoSec Investments: Venture Capital's View
BankInfoSecurity.com
What is the venture capital view of the security trends and technologies that will have the most impact on careers in 2014? Alberto Yépez of Trident Capital weighs in with his insights and predictions. The year's top security growth areas can be broken ...

 
Symantec Endpoint Protection Manager CVE-2013-5015 Local SQL Injection Vulnerability
 
Telecom carrier NTT and navigation service developer Navitime Japan are trying to make free Wi-Fi in Japan easier to find with an app featuring augmented reality (AR) guidance.
 
A court in New Zealand has ruled that warrants used to search the homes of Megaupload founder Kim Dotcom and his colleague Bram van der Kolk were valid, but objected to the removal to the U.S. by the Federal Bureau of Investigation of copies of the electronic items seized.
 
Fujitsu Laboratories has developed wearable technology in the form of a glove and a head-mounted display that could help speed up maintenance work and other applications where NFC tags are widely used.
 
California is facing its worst drought in more than 100 years and with no end in sight. Conserving water has never been more important, and the problem this poses may offer Silicon Valley a new opportunity.
 
The administration of U.S. President Barack Obama said in response to a petition that it continues to back an open Internet, but declined to direct the U.S. Federal Communications Commission on how to go about preserving Internet neutrality, as it is an independent agency.
 
Relations between BlackBerry and T-Mobile have turned frosty after a promotion last week saw T-Mobile BlackBerry users offered a cheap iPhone.
 
Nokia has unveiled its Treasure Tag device, which can help people use their smartphones to find valuables like keys or a bag by putting a tag on them.
 
Two different hacker groups are exploiting the same still-unpatched vulnerability in Internet Explorer (IE) with almost-identical attack code, a security researcher said Tuesday.
 
Implementing WAP involves a lot of moving pieces; here's what admins need to know for a successful rollout.
 
A Chinese anti-monopoly investigation into Qualcomm is examining whether the U.S. company has been abusing its market position and overcharging clients, the nation's regulators said.
 
Apache Tomcat 'log/logdir' Directory Insecure File Permissions Vulnerability
 
CVE-2014-1215 - Local Code Execution in CoreFTP Core FTP Server
 
[ MDVSA-2014:040 ] puppet
 
CA20140218-01: Security Notice for CA 2E Web Option
 
[SECURITY] [DSA 2863-1] libtar security update
 
Openswan IKEv2 payloads Remote Denial Of Service Vulnerability
 
Openswan IKEv2 Payloads Incomplete Fix Remote Denial Of Service Vulnerability
 

Posted by InfoSec News on Feb 19

http://www.computerworld.com/s/article/9246405/Zeus_banking_malware_hides_a_crucial_file_in_a_photo

By Jeremy Kirk
IDG News Service
February 18, 2014

A newly discovered variant of the notorious Zeus banking trojan is
disguising a crucial configuration code in a digital photo, a technique
known as steganography.

Zeus is one of the most effective tools to steal online banking details,
hijacking login details as a person accesses his account...
 

Posted by InfoSec News on Feb 19

http://www.lasvegassun.com/news/2014/feb/18/las-vegas-sands-hacking-went-deeper-previously-ack/

By Hannah Dreier
Associated Press
Feb. 18, 2014

Casino giant Las Vegas Sands Corp. said Tuesday that hacking into their
websites and internal systems last week went deeper than the company had
previously known.

All of the Las Vegas-based company's sites were down for six days after
hackers posted images apparently condemning comments CEO...
 

Posted by InfoSec News on Feb 19

http://news.techworld.com/security/3502442/pastebin-analysis-reveals-true-scale-of-2013-data-breaches/

By John E Dunn
Techworld
18 February 2014

The true scale of global data breaches must reach into the hundreds of
millions, according to Swiss penetration testing outfit High-Tech Bridge
which has discovered that 311,095 user credentials were posted to the
popular Pastebin website during 2013 alone.

That haul represents the number of user...
 

Posted by InfoSec News on Feb 19

http://www.theguardian.com/world/2014/feb/19/asylum-seekers-identities-revealed-in-immigration-department-data-lapse

By Oliver Laughland, Paul Farrell and Asher Wolf
theguardian.com
18 February 2014

The personal details of a third of all asylum seekers held in Australia –
almost 10,000 adults and children – have been inadvertently released by
the Department of Immigration and Border Protection in one of the most
serious privacy breaches...
 

Posted by InfoSec News on Feb 19

http://www.tasnimnews.com/English/Home/Single/287797

February 18, 2014

TEHRAN (Tasnim) - A senior Iranian military commander praised the
country's capabilities in using the state-of-the-art technologies in the
military sphere, and stressed that Iran is fully prepared to counter any
cyber threats.

"Iran is fully prepared to confront any kind of cyber attacks," General
Mohammad Aqakishi, the commander of the information...
 