There was a largely euphoric reaction online in the hours after Microsoft reversed its policies for the upcoming Xbox One game console, which had restricted resales of used games and required a constant Internet connection.
3-D printer company Stratasys is acquiring desktop 3-D printer maker MakerBot for over US$400 million in an all-stock deal, to shore up its consumer presence.

HP released a security bulletin on a potential remote unauthorized access with HP Integrated Lights-Out iLO3/iLO4 using Single-Sign-On.

CVE-2013-2338 has been assigned and the following versions are impacted:

HP Integrated Lights-Out 3 (iLO3) firmware versions prior to v1.57.
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.22.

If you are impacted, HP recommends upgrading as soon as possible. The current version is available here.

[1] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c03787836
[2] http://www.hp.com/go/bizsupport
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2338


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Twitter has bought Spindle, a search technology company that informs users about what's happening with local businesses and organizations around them.
With more than a billion monthly active users, it's easy to imagine that most of the data travelling over Facebook's networks is delivering photos, status updates and "likes" to its end users, but that's far from the case.
Despite the promise of portability from service providers, the reality of the cloud for big customers is a similar type of lock-in as they experience with on-premise apps vendors such as Oracle and SAP, two CIOs said Tuesday.
The top 10 most commonly used words contained in default iPhone hotspot passwords, ordered by relative frequency.

If you use your iPhone's mobile hotspot feature on a current device, make sure you override the automatic password it offers to secure your connections. Otherwise, a team of researchers can crack it in less than half a minute by exploiting recently discovered weaknesses.

It turns out Apple's iOS versions 6 and earlier pick from such a small pool of passwords by default that the researchers—who are from the computer science department of the Friedrich-Alexander University in Erlangen, Germany—need just 24 seconds to run through all the possible combinations. The time required assumes they're using four AMD Radeon HD 7970 graphics cards to cycle through an optimized list of possible password candidates. It also doesn't include the amount of time it takes to capture the four-way handshake that's negotiated each time a wireless-enabled device successfully connects to a WPA2, or Wi-Fi Protected Access 2, device. More often than not, though, the capture can be completed in under a minute. With possession of the underlying hash, an attacker is then free to perform an unlimited number of "offline" password guesses until the right one is tried.

The research has important security implications for anyone who uses their iPhone's hotspot feature to share the device's mobile Internet connectivity with other Wi-Fi-enabled gadgets. Adversaries who are within range of the network can exploit the weakness to quickly determine the default pre-shared key that's supposed to prevent unauthorized people from joining. From there, attackers can leech off the connection, or worse, monitor or even spoof e-mail and other network data as it passes between connected devices and the iPhone acting as the access point.


Symantec Endpoint Protection Manager CVE-2013-1612 Remote Buffer Overflow Vulnerability
Microsoft and cellphone maker Nokia were in advanced talks about an acquisition of the Finnish company's device business, but the discussions have broken down, according to a report in The Wall Street Journal.
The freewheeling flow of information on public social media sites may cause many people in conservative, highly regulated industries such as financial services to shudder. But one Canadian firm has taken the plunge, believing its employees can use social tools in a safe and ultimately profitable way.
Intellectual Ventures, a large patent-licensing firm, has filed a second patent-infringement lawsuit against Motorola Mobility while its first patent lawsuit is still pending in a Delaware court.
AT&T and NEC have teamed up to launch the NEC Terrain, a ruggedized Android push-to-talk smartphone that goes on sale Friday online for $99.99 and a two-year contract.
Privacy officials from six countries and the European Commission are pushing Google to answer questions about privacy issues surrounding its digital eyewear called Glass.
House Republican leaders are shooting to get astronauts on the moon and Mars, but they're trying to nix the president's asteroid plans.
Researchers from Harvard and the University of Illinois have printed precisely interlaced stacks of tiny battery electrodes, each less than the width of a human hair.
Intel has joined the Alliance for Wireless Power (A4WP), a consortium founded by Qualcomm and Samsung, as the chip maker looks to bring wireless charging to tablets and laptops.
IBM WebSphere Commerce Enterprise CVE-2013-0523 Information Disclosure Vulnerability
Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

British Defence Security Group Approves Tabernus Data Erasure Solution
SBWire (press release)
London, UK -- (SBWIRE) -- 06/19/2013 -- Tabernus, a leader in certified data erasure solutions, has announced today that the UK government's Defence Infosec Product Co-operation Group (DIPCOG) has formally approved the latest version of Tabernus data ...

Microsoft will pay security researchers for finding and reporting vulnerabilities in the preview version of IE11, for finding novel techniques to bypass exploit mitigations present in Windows 8.1 or later versions and for coming up with new ideas to fend off exploits.
Intel has joined the board of the Alliance For Wireless Power, an industry group competing with others in the wireless charging market with its 'flexible wireless power' specification.
Feedly today switched on its own RSS API and service, divorcing itself from the soon-to-be-dead Google Reader.
Some bugs aren't worth very much cash.

Microsoft has announced that it will give security researchers cash rewards for devising novel software exploitation techniques, creating new exploit mitigation systems, and finding bugs in the beta of Internet Explorer 11 when it's released later this month.

Bug bounty programs, where security researchers receive a cash reward from software vendors for disclosing exploitable flaws in those vendors' software, have become an important part of the computer security landscape. Finding flaws and working out ways to exploit them can be a difficult and time-consuming process. Moreover, exploitable flaws have a market value, especially to criminals, as they can be used to propagate malware and attack systems.

Bounty programs address both concerns. They provide a means for compensating researchers for their efforts, and they provide a market for flaws that won't lead to compromised machines and harm to third parties. Google, Mozilla, Facebook, PayPal, and AT&T, among others, all offer monetary rewards for bug disclosures.


A telephone records surveillance program run by the U.S. Federal Bureau of Investigation and National Security Agency raises serious privacy concerns and should be reined in, some U.S. senators said Wednesday.
[SECURITY] [DSA 2711-1] haproxy security update
[CVE-2013-0523] IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks
Microsoft erred when it decided that the new Office Mobile for iPhone would be available to Office 365 customers but not to those who purchased a traditional "perpetual" license to Office 2013, an analyst argued.
Demand for mainframe and high-performance Unix servers is falling, but a new wave of SPARC and IBM Power chips for the servers will be unwrapped at the Hot Chips conference in late August.
LeaseWeb, one of Europe's biggest hosting providers, has wiped 630 servers that contained Megaupload data and countered claims from the company that the file-sharing site wasn't warned.
CERN is making the infrastructure that handles the data from the Large Hadron Collider (LHC) more flexible by upgrading it with OpenStack for virtualization and Puppet for configuration management.
Taiwan's HTC has unveiled an updated version of its 5-inch Butterfly smartphone that comes equipped with a bigger battery, more powerful processor and the company's BlinkFeed homescreen.
NASA's Cassini spacecraft, now flying near Saturn, is turning its cameras back toward Earth today so it can grab a photo of its home planet from almost 900 million miles away.
ESA-2013-032 RSA BSAFE® Micro Edition Suite Security Update for SSL/TLS Plaintext Recovery (aka "Lucky Thirteen") Vulnerability
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence TC and TE Software
Facebook suffered a service disruption for about four hours Tuesday night, giving users error messages or long response times.

Posted by InfoSec News on Jun 19


By Marshall Honorof
Staff Writer
June 18 2013

A Dutch drug ring employed a group of Belgian hackers to reroute two tons
(1,814 kilograms) of cocaine and heroin into their waiting arms — but the
police nabbed them just before they could carry out their devious plan.

This may sound like the elaborate setup for a crime drama, but it actually
happened, according to...

Posted by InfoSec News on Jun 19


By Dave Fidlin
June 18, 2013

Officials in the Town of Waterford Sanitary District No. 1 are interested in
using updated technology to address a series of perceived deficiencies.

At last month’s district meeting, WSD commissioners discussed contracting with
a firm to back-up the district’s files, perhaps through a cloud method that
would result in off-site...

Posted by InfoSec News on Jun 19


The Hindu
June 19, 2013

The world may acknowledge India as an information technology superpower, but
its very own official cyber security workforce comprises a mere 556 experts
deployed in various government agencies. How “grossly inadequate” is India’s
cyber security manpower can be gauged by the fact...

Posted by InfoSec News on Jun 19


By Tracy Kitten
The Fraud Blog
Bank Info Security
June 18, 2013

Banking regulators say they don't expect to issue any new guidelines
specifically aimed at distributed-denial-of-service mitigation efforts.

But regulators' increased warnings about risks linked to DDoS, especially at
the community bank level, suggest more scrutiny of DDoS reporting...

Posted by InfoSec News on Jun 19


By Phil Muncaster
The Register
19th June 2013

India’s outsourcing giants are likely to face more delays in their
frustrated bid to tap a potential IT services market worth $30 billion,
after a report emerged suggesting the EU still has big data security
concerns with the country.

The EU and India have been trying to finalise their Broad-based Trade and...
Makandra plans to continue providing security updates for the old 2.3.x branch once Ruby on Rails 4.0 is released and official support has ended.

Remote code execution in Puppet
A recently discovered email indicates that the spear phishing campaign from the group behind NetTraveler is still operating, despite being exposed by Kaspersky.

Oracle Java SE CVE-2013-1500 Local Security Vulnerability
Oracle Java SE CVE-2013-2451 Local Security Vulnerability
Oracle Java SE CVE-2013-2467 Local Security Vulnerability
ESA-2013-045: RSA BSAFE® SSL-C Security Update for SSL/TLS Plaintext Recovery (aka "Lucky Thirteen") Vulnerability
ESA-2013-039: RSA BSAFE® SSL-J Multiple Vulnerabilities
Hackers are stealing credit card and other sensitive information from ecommerce sites. To protect (and reassure) your customers, it's imperative to know how to protect your ebusiness and your sensitive customer data. Ecommerce and security experts share 15 tips on how you can prevent fraud and keep your site safe.
Heading on a business trip? To get work done, you're going to need more than your laptop, smartphone and tablet. Here's what else you need to bring to be as productive as possible.
Oracle addressed 40 security issues in Java and enabled online certificate revocation checking by default in its scheduled critical patch update for Java on Tuesday.
LinuxSecurity.com: The security update DSA-2628 for nss-pam-ldapd failed to build on kfreebsd-amd64 and kfreebsd-i386. For the oldstable distribution (squeeze) this problem has been fixed in ...
LinuxSecurity.com: Puppet could be made to run programs if it received specially crafted network traffic.
LinuxSecurity.com: Multiple issues were discovered in the TIFF tools, a set of utilities for TIFF image file manipulation and conversion. CVE-2013-1960 ...
LinuxSecurity.com: James Forshaw from Context Information Security discovered several vulnerabilities in xml-security-c, an implementation of the XML Digital Security specification. The Common Vulnerabilities and Exposures project identifies the following problems: ...
LinuxSecurity.com: LibRaw could be made to crash or run programs as your login if it opened a specially crafted file.
LinuxSecurity.com: libKDcraw could be made to crash or run programs as your login if it opened a specially crafted file.
Oracle Java SE CVE-2013-1571 Frame Injection Vulnerability
RETIRED: Oracle Java SE Critical Patch Update June 2013 Advance Notification
Google's recent update of its Gmail app made archive the default setting, encouraging its users to save their email, literally, forever.
Sony's gaming division pulled its latest firmware update for the PlayStation 3 Wednesday, after widespread reports that installing it could render the console useless.
iOS's choice of password for mobile tethering is not genuinely random. Passwords for mobile hotspots can be cracked in just a few seconds.

X.Org libXi CVE-2013-1984 Multiple Remote Code Execution Vulnerabilities
Dish Network won't try to beat SoftBank's $21.6 billion bid for Sprint Nextel, apparently clearing the way for the Japanese service provider to buy Sprint.
Internet tools are just starting to be applied to industrial tasks such as maintaining equipment and optimizing operations, but the wealth of data being produced by industrial systems could make this a major focus of development in the coming years.
The Wi-Fi Alliance unveiled a certification program for 802.11ac Wi-Fi (also known as 5G Wi-Fi) designed to make sure devices using the wireless technology interoperate with older hardware.
LTE Advanced is coming soon to the Samsung Galaxy S4 smartphone, but U.S. carriers still have to upgrade LTE networks to operate the faster service, and their plans to do so are vague.
Hewlett-Packard and Samsung Electronics will now ensure that their PCs in China are installed with licensed Windows and Office software as part of new agreements signed with Microsoft meant to fight piracy.
Alcatel-Lucent will refocus on IP networking and ultra-broadband access in mobile and fixed-line networks as it seeks to return to profitability by 2015.
A Dell special committee has rejected a new proposal from a key shareholder Carl C. Icahn, and said it will continue to support the proposal by founder Michael Dell and private-equity firm Silver Lake Partners to take the company private.
Apple on Tuesday patched Java 6 for OS X Snow Leopard, Lion and Mountain Lion, fixing 34 flaws that Oracle addressed the same day for Windows.
Oracle's latest critical patch update addresses 37 vulnerabilities in all versions of Java that can be exploited without authentication over a network. Free updates are only available for Java 7 users.

As well as offering better protection from cyber-attacks, version 4.0 of EMET, Microsoft's mitigation tool, has been made much more user friendly. The recommended protection settings can now be set up with just a few mouse clicks.


LC Urgent Q1: Network and information security
7thSpace Interactive (press release)
... community, the OGCIO keeps abreast of global information security trends and developments at all times, and provides the public with abundant references and the latest news on information security through the one-stop INFOSEC website (www.infosec.gov.hk).

Siemens Scalance X200 Series Switches SNMPv3 Remote Security Bypass Vulnerability
Siemens Scalance X200 Series Switches Remote Privilege Escalation Vulnerability
Siemens COMOS CVE-2013-3927 Local Security Bypass Vulnerability
Internet Storm Center Infocon Status