Hackin9
The U.S. House of Representatives has voted to limit the National Security Agency's ability to search U.S. records, after a similar provision was stripped out of a bill intended to rein in the agency.
 

An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned.

The threat resides in the baseboard management controller (BMC), a motherboard component that allows administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. Unpatched BMCs in Supermicro motherboards contain a binary file that stores remote login passwords in clear text. Vulnerable systems can be detected by performing an Internet scan on port 49152. A recent query on the Shodan search engine indicated there are 31,964 machines still vulnerable, a number that may not include many virtual machines used in shared hosting environments.

"This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team. "It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I'm not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password.'"
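The advisory's detection method is a reachability check on TCP port 49152. The scanner below is an added example written for this page, not CARInet's tooling: it checks an inventory of hosts concurrently and reports those with the port open. Host names and the local-listener helper are constructed for testing; an open port is only the page's indicator, not proof that the password file is exposed, and the page does not give the file's path, so nothing is fetched.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

BMC_PORT = 49152   # port the advisory says the vulnerable Supermicro BMC service listens on


def port_open(host: str, port: int = BMC_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or socket.timeout (an OSError subclass)
        return False


def find_exposed(hosts: Iterable[str], port: int = BMC_PORT,
                 timeout: float = 2.0, workers: int = 64) -> List[str]:
    """Check many hosts concurrently; returns those with the port reachable, in input order."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, ok in zip(hosts, flags) if ok]


def open_local_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an ephemeral listening socket so the scanner can be exercised
    without touching a real BMC (test fixture, assumption: loopback is available)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: one host per line on stdin, '#' lines ignored; prints hosts with 49152 open.
    targets = [ln.strip() for ln in sys.stdin if ln.strip() and not ln.startswith("#")]
    for host in find_exposed(targets):
        print(host)
```

Run it against your own management networks first: a BMC port reachable from anywhere other than an isolated management VLAN is a finding regardless of firmware version.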


 
A proposed US$324.5 million settlement of claims that Silicon Valley companies including Google and Apple suppressed worker wages by agreeing not to hire each others' employees may not be high enough, a judge signaled on Thursday.
 
Microsoft's highly anticipated Surface Pro 3 will become available in stores in the U.S. and Canada starting Friday, but users may have to wait two months to buy Core i3 and i7 models.
 
Oracle is now the industry's second-largest SaaS vendor after Salesforce.com, but it made that announcement as fourth-quarter profits slipped slightly and on-premises software license sales ended its fiscal year flat.
 

Google has a surprise for us today in the form of a new (minor) version of Android. Android 4.4.4 is rolling out to Nexus devices and is available for download on the Nexus Factory Image page. A changelog available over at Sprint lists nothing other than "security fixes."

Sascha Prüter, an Android Engineering Program Manager, posted on Google+ that the update is "Primarily addressing CVE-2014-0224," which is a flaw discovered in OpenSSL after Heartbleed was widely publicized. Prüter says the update addresses "some other (not quite as severe) security issues" and that an AOSP code drop should happen in "the next 48h."

4.4.4 comes hot on the heels of 4.4.3, which came out earlier this month.
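CVE-2014-0224 is OpenSSL's ChangeCipherSpec injection flaw: an affected implementation accepts a ChangeCipherSpec record before the key exchange has completed, while a fixed one rejects it with a fatal unexpected_message alert. The probe below is an added example reproducing that widely published check; it is not code from Google, OpenSSL or the article. The TLS 1.0 record version, the cipher suite list and the read-until-timeout strategy are assumptions chosen for broad server compatibility.

```python
import socket
import struct

TLS10 = b"\x03\x01"   # record/handshake version used for the probe (assumption: widely accepted)
REC_CCS, REC_ALERT, REC_HANDSHAKE = 0x14, 0x15, 0x16
ALERT_FATAL, ALERT_UNEXPECTED_MESSAGE = 2, 10


def build_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal TLS 1.0 ClientHello offering a few RSA suites, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS10
            + b"\x00" * 32                          # client random (constructed; real clients use os.urandom)
            + b"\x00"                               # session id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return bytes([REC_HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def build_early_ccs():
    """A ChangeCipherSpec record sent before ClientKeyExchange; a correct peer never does this."""
    return bytes([REC_CCS]) + TLS10 + b"\x00\x01\x01"


def parse_records(data):
    """Split a TLS byte stream into (content_type, payload); a trailing truncated record is dropped."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype = data[i]
        length = struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        records.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def classify_ccs_response(data):
    """'patched' when the early CCS drew a fatal unexpected_message alert,
    'vulnerable' when the server swallowed it and sent no alert at all."""
    for ctype, payload in parse_records(data):
        if ctype == REC_ALERT and len(payload) >= 2:
            level, desc = payload[0], payload[1]
            if level == ALERT_FATAL and desc == ALERT_UNEXPECTED_MESSAGE:
                return "patched"
            return "inconclusive: alert %d/%d" % (level, desc)
    return "vulnerable"


def _recv_until_quiet(sock, timeout):
    """Read everything the server sends until it closes or goes quiet for `timeout` seconds."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks)


def probe(host, port=443, timeout=5.0):
    """Live exchange: ClientHello, read the server's flight, inject CCS, classify the reaction."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        flight = _recv_until_quiet(s, timeout)
        if not any(ct == REC_HANDSHAKE for ct, _ in parse_records(flight)):
            return "inconclusive: no ServerHello"
        s.sendall(build_early_ccs())
        return classify_ccs_response(_recv_until_quiet(s, timeout))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Only probe hosts you are authorised to test. The exploitable case needs a vulnerable client and server together, so on the Android side the fix matters for apps talking to servers an attacker can sit in front of; this probe only tells you about the server half.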


 
NASA expects to launch a robotic spacecraft in 2019 to direct an asteroid into an orbit around the moon.
 
As if tracking down bugs in a complex application isn't hard enough, programmers now must worry about a newly emerging trap, one in which a program compiler simply eliminates chunks of code it doesn't understand, often without alerting the programmer to the missing functionality.
 
 
A Chinese electronics vendor accused of selling signal jammers to U.S. consumers could end up leading the market in one dubious measure: the largest fine ever imposed by the Federal Communications Commission.
 
The first software updates to improve functionality, including enterprise use, are out from Dell for its thumb-size PC, the Wyse Cloud Connect.
 

One of the developers of the TrueCrypt encryption program said it's unlikely that fans will receive permission to start an independent "fork" that borrows from the current source code, a refusal that further clouds the future of the highly regarded application.

The reluctance surfaced in an e-mail published three weeks after TrueCrypt developers' bombshell advisory that users should stop using the cross-platform whole disk encryption program. TrueCrypt has been held up by a variety of privacy advocates—former National Security Agency contractor Edward Snowden among them—as a reliable means to protect individual files or entire hard drive contents from the prying eyes of government agencies and criminal hackers. In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:

I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.

I have no problem with the source code being used as reference.

The denial came in response to an e-mail in which Green said he suspected a TrueCrypt fork was inevitable, given the groundswell of interest in the program. Language in the TrueCrypt license raises the possibility that such independent projects will put developers at risk of violating contractual terms. Without the blessing of TrueCrypt developers, users may be forced to abandon the considerable amount of work already put into TrueCrypt. In his e-mail to the TrueCrypt developer, Green wrote:


 
Wireshark 'libpcap' File Parsing Memory Corruption Vulnerability
 
Novell Open Enterprise Server CVE-2014-0599 Unspecified Cross Site Scripting Vulnerability
 
Novell Open Enterprise Server CVE-2014-0598 Unspecified Directory Traversal Vulnerability
 
A U.S. House committee has called on the Federal Trade Commission's Inspector General to probe the agency's relationship with a peer-to-peer network-monitoring firm whose data is key evidence in an FTC complaint filed against LabMD.
 
Microsoft will give Office 365 customers the option to receive new and improved features considered to be significant before they are made generally available.
 
Katherine, a 14-foot electronically tagged white shark, has become so popular with visitors to a shark-tracking site that she's now routinely crashing servers.
 
Facebook is taking another run at Snapchat. This time with an app that works more like a boomerang than a slingshot. The app's unique features and silly sounds make for a playful experience, but CIO.com's Matt Kapko writes it's also an awkward, unnatural and never-ending way to live life in the moment.
 
Amazon has finally unveiled its first smartphone, the Amazon Fire, with a number of new and interesting features, like Dynamic Perspective and the Firefly button. Do you think Amazon's smartphone will be a hit or a miss?
 
By leveraging the Fire smartphone's Firefly and Dynamic Perspective technologies, Amazon could help online buying evolve in a variety of new directions, an IDC analyst predicted.
 
Parallels Plesk Panel XML External Entity Injection and Cross Site Scripting Vulnerabilities
 
Ajenti Multiple Cross Site Scripting Vulnerabilities
 
AlienVault Multiple Security Vulnerabilities
 
An ongoing nationwide performance study of broadband service in the U.S. shows broadband speeds don't measure up to advertised rates.
 
Microsoft today spelled out the "kill-switch" deterrents it will add to the Windows Phone mobile operating system, and said it would meet a July 2015 deadline for making stolen smartphones useless.
 
Hidden access brings potential for vulnerability.

A recent scan of the Google Play market found that Android apps contained thousands of secret authentication keys that could be maliciously used to access private cloud accounts on Amazon or compromise end-user profiles on Facebook, Twitter, and a half-dozen other services.

The finding is the result of PlayDrone, a system that uses a variety of hacking techniques to bypass security measures intended to prevent third parties from crawling Google Play. The brainchild of computer scientists at Columbia University, PlayDrone comprehensively indexed Play contents, downloaded more than 1.1 million apps, and decompiled more than 880,000 of them. It is believed to be the first large-scale measurement of the sprawling Google marketplace, which offers more than one million apps and has fostered 50 billion app downloads to date.

One of the most surprising observations PlayDrone made was that many apps contain secret authentication keys that can compromise accounts belonging to both developers and end users. Source code for the official AirBnB app, for example, included secret OAuth tokens for Facebook, Google, LinkedIn, Microsoft, and Yahoo. The credentials were supplied by the service providers and act as a skeleton key of sorts that allows an app to access private account data for each user. By plucking them out of the AirBnB app, an attacker could use them to read and possibly modify or add data for millions of users' profiles.
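The class of finding described above (credentials left in decompiled app sources) is what a secrets scan over a decompiled APK tree looks for. The scanner below is an added example written for this page, not PlayDrone's code: it combines fixed-format matching (the AWS access key ID prefix `AKIA` plus 16 uppercase alphanumerics is a documented format), a pattern for secrets assigned to suggestively named variables, and a Shannon-entropy check for random-looking string literals. The sample Java source is constructed, using Amazon's documented example key pair; the variable-name pattern and the 3.5 bits/char threshold are assumptions.

```python
import math
import os
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    value: str


# Fixed-format and name-based patterns. The AWS key ID format is documented;
# the assignment pattern is an assumption about how embedded secrets usually appear.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"""(?:api[_-]?key|client[_-]?secret|secret[_-]?key|consumer[_-]?secret|access[_-]?token)\b
            \s*[=:]\s*["']([A-Za-z0-9_\-./+=]{16,})["']""",
        re.IGNORECASE | re.VERBOSE),
}
STRING_LITERAL = re.compile(r'"([A-Za-z0-9+/=_\-]{24,})"')
SOURCE_EXTENSIONS = (".java", ".smali", ".xml", ".properties", ".json")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, identifiers and words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Scan one file's contents; a value is reported once per line under its most specific kind."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pattern in NAMED_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value not in seen:
                    seen.add(value)
                    findings.append(Finding(path, line_no, kind, value))
        for m in STRING_LITERAL.finditer(line):        # catch-all for unnamed random-looking literals
            value = m.group(1)
            if value not in seen and shannon_entropy(value) >= entropy_threshold:
                seen.add(value)
                findings.append(Finding(path, line_no, "high_entropy_literal", value))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a decompiled APK directory (e.g. jadx or apktool output) and scan source-like files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SOURCE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read()))
    return findings


# Constructed sample of decompiled Java; the AWS pair is Amazon's published example key, not a live one.
SAMPLE_SOURCE = """\
public class AwsClient {
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private String facebookClientSecret = "0123456789abcdef0123456789abcdef";
    static final String BASE_URL = "https://api.example.com/v1/";
    static final String LOG_TAG = "AwsClient";
}
"""

if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("AwsClient.java", SAMPLE_SOURCE)
    for f in results:
        print("%s:%d [%s] %s" % (f.path, f.line_no, f.kind, f.value))
```

Every hit needs triage (public OAuth client IDs are meant to ship in the app; client secrets and signing keys are not), and the fix is not obfuscation but moving the privileged call behind a server the app authenticates to.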


 

Hackers Using DDoS to Distract Infosec Staff
eSecurity Planet
Hackers are increasingly using DDoS attacks as a kind of 'smokescreen' that helps them carry out data breaches. By Paul Rubens | Posted June 19, 2014. Your organization is more likely to come under a distributed denial of service (DDoS) attack ...

 
LinuxSecurity.com: An updated foreman-proxy package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 3.0 and 4.0. The Red Hat Security Response Team has rated this update as having Critical [More...]
 
LinuxSecurity.com: A vulnerability in rxvt-unicode may allow a remote attacker to execute arbitrary code.
 
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
 
LinuxSecurity.com: An updated rubygem-openshift-origin-node package that fixes one security issue and several bugs is now available for Red Hat OpenShift Enterprise 2.1.1. [More...]
 
LinuxSecurity.com: OpenStack Heat would expose sensitive information over the network.
 
LinuxSecurity.com: An updated rubygem-openshift-origin-node package that fixes one security issue is now available for Red Hat OpenShift Enterprise 2.0.6. The Red Hat Security Response Team has rated this update as having Critical [More...]
 
LinuxSecurity.com: An updated rubygem-openshift-origin-node package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.2.8. The Red Hat Security Response Team has rated this update as having Critical [More...]
 
LinuxSecurity.com: OpenStack Cinder could be made to run programs as an administrator under certain conditions.
 
An abstract idea is not patentable simply because it is tied to a computer system, the U.S. Supreme Court has ruled, potentially making it more difficult to patent some software in the future.
 
BlackBerry managed to turn the tide toward a small profit during its fiscal first quarter, but revenue and phone sales continued to drop.
 
 
NICE Recording eXpress Multiple Security Vulnerabilities
 
SQL Buddy 'browse.php' Cross Site Scripting Vulnerability
 
Apple may have kicked off its health and fitness emphasis in iOS 8 at just the right time, mobile analytics firm Flurry suggested today.
 
A code-hosting and project management services provider was forced to shut down operations indefinitely after a hacker broke into its cloud infrastructure and deleted customer data, including most of the company's backups.
 
Intel wants to inject passion and excitement into mobile chat through a new app that relies on face-tracking technology to assess facial expressions and mood.
 
Making remote workers feel like part of the team is one of the trickiest parts of management. However, by focusing on the right technology and on effective communication and personal interaction you can create a productive remote work scenario.
 
 
With more than 100 million users, Evernote is popular for good reason. The app is for much more than just jotting down notes, though -- you can add contacts, collaborate and even snap pictures of paper notes. Here are some tips from getting the most out of Evernote.
 
John Legere and T-Mobile want to make buying a smartphone more like shopping for a used car. And they mean that in the best possible way.
 
OpenStack Folsom CVE-2013-1068 Local Privilege Escalation Vulnerability
 
OpenStack Heat Template URL Information Disclosure Vulnerability
 
Microsoft Internet Explorer CVE-2014-2782 Remote Memory Corruption Vulnerability
 
[security bulletin] HPSBOV03047 rev.1 - HP OpenVMS running OpenSSL, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Disclosure of Information
 

NSW Police Minister considers proposal to license IT security providers
iT News
Ty Miller, director of infosec firm Threat Intelligence, said he would support a licensing scheme for infosec professionals making recommendations on physical security control - such as access to data centres, physical social engineering, and CCTV. “I ...

 
 
HP claims that its light-based, next-generation Machine will do everything except scrub the kitchen sink. But given HP's recent innovation track record, why should we believe any of it?
 
Apple's new iMac may be less expensive than its siblings, but that came at a price, a reseller said Wednesday: Do-it-yourselfers won't be able to upgrade the stock 8GB of memory in the new all-in-one.
 
Ericom AccessNow Server 'AccessServer32.exe' Stack Buffer Overflow Vulnerability
 
Rocket Servergraph CVE-2014-3914 Multiple Security Vulnerabilities
 
 
Some ne'er-do-wells steal test questions and answers, and cheaters buy that information, share answers in chat rooms, pay other people to take tests for them and bring a range of technologies and techniques into test centers to gain an edge.
 
LinkedIn said it is making progress implementing default encryption of data exchanged with its users after a security company alleged some users are still at risk of account takeovers.
 
Revelations about U.S. National Security Agency snooping have made some buyers outside the U.S. think twice about public clouds, placing a drag on one of the world's biggest technology trends, the head of Hewlett-Packard's enterprise group said.
 
Facebook's website went down temporarily on Thursday, showing an error screen when users attempted to log on to the social network.
 
You'd be forgiven for thinking Amazon CEO Jeff Bezos wants to compete with other phone makers with his company's new Fire smartphone. But forget the multiple cameras and pretty 3-D-like effects, the device is really about selling more stuff.
 
Many of the most popular mobile apps look set to be available on Amazon's new Fire smartphone when it launches on July 25.
 
A far-reaching bill that would require the government to obtain a warrant to search through people's emails and other online communications now has majority support in the House of Representatives.
 
Responding to more than a year of pressure, Google and Microsoft will follow Apple in adding an anti-theft "kill switch" to their smartphone operating systems, U.S. law enforcement officials will announce later Thursday.
 

Posted by InfoSec News on Jun 19

http://www.emirates247.com/news/emirates/anonymous-hackers-threaten-to-target-regional-oil-gas-firms-tomorrow-2014-06-19-1.553415

By Joseph George
emirates247.com
June 19, 2014

The UAE’s Adnoc and Enoc are among the list of oil, gas, and energy
companies that may come under cyber-attacks on June 20 or closely after
that, security firm Symantec has warned.

According to Symantec, a hacker group called Anonymous, which recently
threatened to...
 

Posted by InfoSec News on Jun 19

http://healthitsecurity.com/2014/06/17/taking-time-to-build-out-a-strong-health-it-security-program/

By Patrick Ouellette
Health IT Security
June 17, 2014

Department of Health and Human Services (HHS) Chief Regional Civil Rights
Counsel Jerome Meites recently predicted that there would be a
considerable uptick in HHS data breach penalties within the next year,
according to thehill.com.

“Knowing what’s in the pipeline, I suspect that...
 

Posted by InfoSec News on Jun 19

http://www.networkworld.com/article/2364271/security0/h4ckers-wanted-report-nsa-not-having-trouble-filing-cybersecurity-jobs.html

By Ellen Messmer
NetworkWorld
June 18, 2014

While there’s a notion that there is a dearth of cybersecurity professionals, the
shortage is most acute at the "high end" where $250,000 salaries are not
uncommon for those who combine technical and managerial skills.

That’s according to the RAND Corp. report today...
 

Posted by InfoSec News on Jun 19

http://www.businessinsider.com/microsoft-security-versus-google-guru-2014-6

By Julie Bort
Business Insider
June 18, 2014

On Tuesday, Microsoft warned that it was issuing an emergency patch to fix
a dangerous flaw in its software.

This is notable for a few reasons. Microsoft rarely releases these kinds
of urgent patches, only nine of them so far in 2014. It normally saves all
patches for one mega patch day once a month.

The software in...
 

Posted by InfoSec News on Jun 19

http://arstechnica.com/tech-policy/2014/06/hacker-taunts-arrested-comrade-after-someone-drops-dime-to-fbi/

By Sean Gallagher
Ars Technica
June 18 2014

Continuing variations on a theme, the FBI has arrested yet another alleged
"hacktivist" based on information provided by a confidential informant.
This time, FBI agents from the bureau’s Chicago field office nabbed
Timothy Justin French, who the Justice Department claims was a...
 

How infosec gained primacy with ANZ Bank execs: cyber-security head
CSO Magazine (blog)
Senior bank executives are more aware of and responsive to the growing cyber security threat than ever – and are investing to proactively address it, according to the ANZ Banking Group's global cyber-security head. The change had been driven not only ...

 