Hackin9
Django 'Vary Header' Information Disclosure Vulnerability
 
Django 'is_safe_url()' Function URI Redirection Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google's annual I/O conference for developers takes place next month in San Francisco, and it looks like wearable computing will hog much of the limelight, along with an emphasis on better design.
 

Shares of anti-identity-theft service LifeLock fell almost 18 percent on Monday after the company said it was temporarily suspending its iOS and Android apps because it may have failed to adequately secure user data.

The stock price closed down $2.28, or 17.6 percent, to $10.70 on the New York Stock Exchange Monday. The sell-off was triggered by LifeLock's move late last week to delete all information stored on its servers by the Wallet mobile applications for iOS and Android devices. LifeLock, which acquired the apps in December for about $42.6 million, also pulled them from the Apple App Store and Google Play Market. The company took the unusual steps after determining that unspecified aspects of the apps "may not be fully compliant with payment card industry (PCI) security standards" that are binding on most merchants who accept payments through credit or debit cards.

"We know we’re asking a lot of our LifeLock Wallet users—to delete and go without this application for a period of time," CEO Todd Davis wrote in a blog post published Friday. "I personally apologize for the inconvenience. At the same time, I want to make sure that when LifeLock Wallet is available again, you’ll know that you can download it, provide your personal information, and use it again with confidence—knowing that it’s backed by an industry leader that is committed to doing the right thing and taking care of its customers." The company, which said there's no indication that any data has been maliciously compromised, issued an accompanying statement to shareholders at the same time.


 
The U.S. Department of Justice's decision to bring computer hacking and economic espionage charges against five alleged members of the Chinese army is an attempt by President Barack Obama's administration to redirect a global discussion about cyberhacking and surveillance, some cybersecurity experts said.
 
SolarWinds Server and Application Monitor 'PEstrarg1' ActiveX Heap Buffer Overflow Vulnerability
 
Of the 150 new words added to this year's Merriam-Webster's Collegiate Dictionary, hashtag, big data and selfie made the list.
 
Microsoft will not unveil a smaller-sized Surface tablet tomorrow, according to multiple sources familiar with Microsoft's plans.
 

More than 100 people in the US and countries around the world have been arrested and charged with using malware available for sale online to surreptitiously spy on computer users' most intimate moments. The victims include Miss Teen USA, who last year was the target of a high-profile peeping tom attack that secretly snapped nude images while she was dressing in her bedroom.

The coordinated global crackdown coincided with the FBI seizure of bshades.eu, a website that, according to US prosecutors, brazenly sold Blackshades for about $40 and provided technical support for the so-called remote access trojan (RAT). Indictments filed in US District Court in Manhattan named Alex Yücel and Brendan Johnston with distributing, marketing, and supporting the malware and Kyle Fedorek and Marlen Rappa with purchasing it and collectively using it to infect more than 400 people. Police in at least 15 countries outside of the US announced the arrest of 100 other people in raids that were coordinated to prevent defendants from tipping off each other. Word of the raids began circulating over the weekend on hacker forums.

While prosecutors said Blackshades was used to perpetrate everything from bank fraud to extortion, the best known application remains men using it to spy on women through the webcams of RAT-infected PCs. Blackshades isn't the only malware used in the illicit pastime, although the ease in buying, installing, and using it makes it among the most popular, especially by peeping toms with little technical skill.


 
InduSoft Web Studio CVE-2014-0780 Directory Traversal Vulnerability
 
Google could gain a stronger position in businesses by acquiring Divide, an enterprise software company focused on the bring-your-own-device to work model.
 
AT&T's mega-bid to buy DirecTV includes several deal sweeteners designed to win over government regulators and customers.
 
The U.S. government's decision to formally indict five members of the Chinese military on criminal hacking charges marks a significant escalation of what's been a war of words between both countries.
 
Despite two broken reaction wheels that had NASA's planet-hunting telescope spinning out of control, the Kepler Space Telescope is using the power of the sun to continue its search for Earth-like planets.
 
Microsoft and SAP's long-standing partnership is being strengthened with the pending certification of SAP's ERP (enterprise resource planning) software for deployment on the Azure cloud infrastructure service.
 
Cisco will target individual video conferencing users with new desktop devices and a cloud-based service, a move that complements a recent announcement focused on outfitting small and mid-size office meeting rooms.
 
If you're worried about an Internet "fast lane" squeezing out all the futuristic connected devices you're hoping to use around your home, fear not.
 
Last-minute moves by businesses to scrap Windows XP may have offset the continued free fall in consumer spending, but that gift from XP won't help the PC industry for long.
 

How To Talk About InfoSec To Your Board Of Directors
Dark Reading
Today's cybersecurity challenges cannot be met by a compartmentalized IT strategy because every piece of the modern enterprise runs on connectivity and data. In our global economy, the rapid ...
CISO and beyond: Insights and advice from security thought leaders (InformationWeek India)
 
Law enforcement agencies from 16 countries on three continents last week arrested 97 people after executing raids targeting those suspected of creating, buying and using a notorious Trojan program called BlackShades.
 
John Morgridge was Cisco's first CEO. He took the company public and presided over its growth until John Chambers took over as CEO in 1995. On the 25th anniversary of the Networker's user conference this week, Morgridge, 80, reflects on the past and looks ahead to the future as Cisco's Chairman Emeritus.
 
U.S. officials later today will charge several individuals connected to China's military with hacking American firms, online reports said early Monday.
 
Facebook is said to be building a video-messaging app to rival the Snapchat messaging service.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in MCrypt, allowing attackers to execute arbitrary code or cause Denial of Service.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: A stack-based buffer overflow in JBIG-KIT might allow remote attackers to cause a Denial of Service.
 
LinuxSecurity.com: A vulnerability has been found in Charybdis and ShadowIRCd, possibly resulting in remote Denial of Service.
 
LinuxSecurity.com: Multiple vulnerabilities in Pidgin may allow execution of arbitrary code.
 
LinuxSecurity.com: A vulnerability in lib3ds might allow a remote attacker to execute arbitrary code.
 
LinuxSecurity.com: Memory consumption errors in Apache Portable Runtime and APR Utility Library could result in Denial of Service.
 
LinuxSecurity.com: A vulnerability in Symfony may allow remote attackers to read arbitrary files.
 
LinuxSecurity.com: A local privilege escalation vulnerability has been discovered in X2Go Server.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.3 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated libxml2 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
The U.S. Department of Justice is preparing to charge Chinese military officials with hacking US companies to obtain trade secrets.
 
Customer relationship experts share their top tips for managing customer interactions and getting the most out of your CRM software.
 
[SECURITY] [DSA 2931-1] openssl security update
 
[SECURITY] [DSA 2932-1] qemu security update
 
Google is planning to buy Twitch, a service that allows gamers to stream their game play.
 
Microsoft has lost more than $1.2 billion so far on its Surface tablet business, an expensive experiment that makes tomorrow's revelations of new hardware an important milestone for the "devices" side of its corporate-refashioning strategy.
 
Microsoft and SAP's long-standing partnership is being strengthened with the pending certification of SAP's ERP software for deployment on the Azure cloud infrastructure service.
 
Scout for iPhone, a free turn-by-turn navigation app, will be automatically updated this week with map data that can be altered and improved by the app's users through the OpenStreetMap community.
 
[security bulletin] HPSBHF02946 rev.2 - HP Servers with NVIDIA GPU Computing Driver, Elevation of Privilege
 
APPLE-SA-2014-05-16-1 iTunes 11.2.1
 
[SECURITY] [DSA 2930-1] chromium-browser security update
 
Thin clients aren't very exciting, and for a reason: they're designed to allow remote access to servers, usually with a Citrix, Microsoft, or VMware client. The folks at Dell WYSE have spiced up the category by building a thin client on top of Android, and getting it down to a form factor only slightly larger than a USB memory stick.
 
Linksys' ambitious, prosumer-grade Wi-Fi router is pricey compared to the classic WRT54G router that inspired it, but it comes with a great feature set.
 
If Congress approves comprehensive immigration reform, it will likely more than double the cap on H-1B visas. What happens then sounds dystopian for workers.
 
Cisco Systems CEO John Chambers has written to U.S. President Barack Obama, asking for his intervention so that U.S. technology sales are not affected by a loss in trust as a result of reports of surveillance by the U.S. National Security Agency.
 
The co-founders of business-growth consulting firm Growth Vault discuss how IT can be influential within a business.
 
When it comes to IT professional services, using the DOD sourcing method called Lowest Price Technically Acceptable is ludicrous, because it disregards the value of expertise and experience.
 
Edward Marx, senior vice president and CIO at Texas Health Resources in Arlington, is using social media to connect with the organization's local community and implementing BI tools to deliver advanced clinical care.
 
The current system of risk management at most organizations is designed to frustrate everyone. Here are seven ways to change the dialogue.
 
After trying Update 1 for the last few weeks, the best I can say for it is that it sucks less.
 
Our manager scrambles to find and fix any vulnerable resources after the OpenSSL flaw is discovered.
 
Mono ASP.NET Web Form Hash Collision Denial of Service Vulnerability
 

Posted by InfoSec News on May 19

http://online.wsj.com/news/articles/SB10001424052702303409004579566310503798566.html

By Danny Yadron and Christopher M. Matthews
The Wall Street Journal
May 16, 2014

The Federal Bureau of Investigation and foreign police agencies have
launched a series of raids around the world at the homes of people linked
to a type of hacking software called Blackshades, according to posts on
hacker forums and people familiar with the investigation.

The...
 

Posted by InfoSec News on May 19

http://www.lawfareblog.com/2014/05/35072/

By Stewart Baker
Lawfareblog.com
May 14, 2014

This episode of the Steptoe Cyberlaw Podcast features an interview with
Chris Painter, the State Department’s Coordinator for Cyber Issues.
Chris had a long and distinguished career at the Justice Department and
the White House before joining State. Our interview ranges widely. Are
there really norms in cyberconflict, and should the US really...
 

Posted by InfoSec News on May 19

http://www.nextgov.com/cybersecurity/2014/05/heartbleed-superbug-found-utility-monitoring-systems/84637/

By Aliya Sternstein
NextGov.com
May 16, 2014

Software that monitors utility plants and other operations at several
military installations has been found to be affected by the recently
discovered superbug Heartbleed, when configured a certain way, according
to the Homeland Security Department and the software’s manufacturer.

"The...
 

Posted by InfoSec News on May 19

http://www.infosecnews.org/emory-university-windows-network-wiped-out-blame-emps-cyberwar-squirrels-try-accidental-reformat/

By William Knowles
Senior Editor
InfoSec News
May 18, 2014

On Monday, May 12th, 2014, sometime during the 169th Commencement Exercises
of Emory University, in what could best be called a career-limiting move, a
Windows 7 deployment image was accidentally sent to all Windows machines
(approximately 2000+ machines), including...
 

Posted by InfoSec News on May 19

http://news.techworld.com/security/3517094/worried-us-retailers-battle-cyber-attacks-through-new-intelligence-sharing-body/

By John E Dunn
Techworld
16 May 2014

Stung into action by a wave of devastating data breaches, US retailers
have taken the historic decision to share data on cyber-threats for the
first time through a new initiative, the Retail Cyber Intelligence Sharing
Center (R-CISC).

Developed after input from 50 retailers and the...
 
Ettercap GTK Insecure Temporary File Creation and Format String Vulnerabilities
 