Hackin9
Sales of Sony's Xperia A smartphone have doubled those of the Samsung Galaxy S4 at Japan's main carrier, after a nationwide sales campaign that exclusively promoted the two handsets side-by-side.
 
Unlike China and Europe, the U.S. has yet to adopt and fund an exascale development program, and concerns about what that means to U.S. security are growing darker.
 

ENMU-R ahead of the curve in cyber security
Ruidoso News
ENMU is the only two-year college in the state that meets InfoSec certification requirements, a standard set by the Committee on National Security Systems, an agency within the National Security Administration. The certificate program is a 19-credit ...

 
The emerging IEEE 802.11ac wireless LAN standard will be able to deliver faster connections wherever it's used, but the biggest benefit may come at public hotspots -- eventually.
 
Oracle's revenue was flat year-over-year in its fourth quarter at US$10.9 billion, while profits rose 10 percent to $3.8 billion, as the company reported strong growth in sales for SaaS (software as a service) subscriptions and "engineered systems" such as Exadata.
 
Facebook has unveiled its new video feature for Instagram, five months after Twitter launched a very similar video app called Vine. Can the rival services co-exist?
 
Oracle hasn't even officially released its 12c database yet, but CEO Larry Ellison has already revealed plans for the version that will follow, 12.1c, which apparently will be Oracle's most direct response yet to SAP's HANA in-memory platform.
 
Two secret documents describing the procedures the National Security Agency (NSA) is required to follow when spying on foreign terror suspects reveal the provisions that allow the agency to collect, retain and use information on U.S residents without a warrant, The Guardian newspaper reported today
 
"Word games," an "overreaching narrative" and a "case of inferences" were a few choice phrases used by attorney Orin Snyder Thursday in closing arguments for Apple in the U.S. Department of Justice's antitrust, e-books price fixing case against the tech giant.
 

Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they're collected inadvertently, according to a secret government document published Thursday.

The document, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, is the latest bombshell leak to be dropped by UK-based newspaper The Guardian. It and a second, top-secret document detail the circumstances in which data collected on US persons under foreign intelligence authority must be destroyed or can be retained. The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on US citizens and residents.

While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the US, they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated.


 

For the past few months, Firefox alphas have been heuristically blocking certain cookies in a bid to protect user privacy and reduce the amount of online tracking by advertisers. Mozilla has not moved this blocking into the stable builds of its browser, however, because of problems with its effectiveness. The heuristics aren't perfect, so sometimes it blocks cookies it shouldn't block and other times lets cookies through that it should block.

A new project from Stanford University could provide the solution. The Cookie Clearinghouse intends to provide lists of cookies that should be blocked or accepted. Still in the planning stages, it will be designed to work in concert with the heuristics found in Firefox in order to correct the errors that the algorithmic approach makes.

Firefox's algorithm is simple. Essentially, if you visit a domain directly, that domain will be able to set cookies (first-party cookies) and it will continue to be permitted to set cookies even when visited indirectly (third-party cookies). For example, if you visit facebook.com, it will be allowed to set cookies both for explicit visits and whenever other sites embed Facebook content such as like buttons.


 
Sprint Nextel has offered and Clearwire has accepted a bid of $5 per share for the struggling wireless network provider, raising the stakes yet again in an expensive bidding war between Sprint and satellite service provider Dish Network.
 
 
Samsung on Thursday announced nine new products, including smartphones, tablets and a smart camera, but the biggest breakthrough product was a 13.3-in. convertible tablet called the ATIV Q that runs both Android Jelly Bean and Windows 8.
 
 
Two U.S. lawmakers have introduced a bill that would prevent the Department of Justice from prosecuting people for violating terms of service for Web-based products, website notices or employment agreements under the Computer Fraud and Abuse Act (CFAA).
 

Australia's banks quietly swatting trojan
WA today
Australia's banks work around the clock to swat malware that steals from customers' accounts. Photo: Simon Rankin. Australia's banks have been quietly working with a Russian security and forensics firm to swat a nasty banking trojan crafted in the ...

 
The demise of Google Reader means millions in potential revenue for companies that have stepped up to replace the RSS service, according to a just-published survey.
 
After nearly a week of speculation, Facebook announced today that Instagram, its popular photo-sharing service, now supports video.
 
The U.S. Federal Trade Commission will launch an investigation of the business practices of so-called patent trolls in an effort to understand whether those companies are harming competition and consumers, the agency's chairwoman said.
 
Privacy issues are bubbling up in Congress, where lawmakers are pushing bills to give car owners control over data collected by black box-style recorders on their vehicles and more control over viewer tracking by DVRs at home.
 
 
Oracle's recent upgrade to its online forums has divided the portal's many users, with some saying the update brings welcome changes but others claiming it is bug-riddled and inferior to its predecessor.
 
Facebook CEO Mark Zuckerberg was in South Korea this week to meet with Samsung executives, and sparking speculation -- yet again -- that the social network will build its own smartphone.
 
Mozilla has effectively postponed Firefox's controversial third-party cookie-blocking policy for several months.
 
A professional tennis player hopes to wear Google Glass at the famed Wimbledon tennis tournament next week.
 

Posted by bimal mehta on Jun 20

Please unsubscribe me.
Thanks

Bimal mehta

http://www.iherb.com
use code: BIM331

-----Original Message-----
From: ISN [mailto:isn-bounces () lists infosecnews org] On Behalf Of InfoSec
News
Sent: Thursday, June 20, 2013 1:12 AM
To: isn () lists infosecnews org
Subject: [ISN] ‘Anonymous’ search engine sees rocketing growth after NSA
revelations

http://rt.com/news/search-duckduckgo-popularity-nsa-956/

RT.com
June 19, 2013

An alternative search...
 
A new user privacy initiative from Stanford Law School called Cookie Clearinghouse will maintain block and allow lists of cookie creators. Mozilla has put its cookie patch on hold while it works with the group
    


 
[security bulletin] HPSBUX02876 SSRT101148 rev.2 - HP-UX Running BIND, Remote Denial of Service (DoS)
 
Android ICS "adb restore" directory traversal vulnerability (resending after bounce)
 
[SECURITY] [DSA 2712-1] otrs2 security update
 
The successor to LG's Optimus G smartphone, due sometime in the third quarter, will run a faster Qualcomm Snapdragon 800 processor, the companies said.
 
Airwatch has emerged as one of the clear leaders in mobile device management (MDM), but the company faces numerous challenges, including a rapidly evolving market that's moving away from simply managing devices and toward more complicated control of apps and data.
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: It was discovered that users with a valid agent login could use crafted URLs to bypass access control restrictions and read tickets to which they should not have access. [More...]
 
LinuxSecurity.com: Multiple security issues have been found in HAProxy, a load-balancing reverse proxy: CVE-2012-2942 [More...]
 
LinuxSecurity.com: Multiple security issues were fixed in OpenStack Swift.
 
Joomla crypto vulnerability (all versions)
 
LinkedIn's domain name was temporarily redirected to a third-party server Thursday, which resulted in a service outage and potentially put user accounts at risk of compromise.
 
The term 'gamification' may be new, but the concept has been around for some time--just think credit card rewards programs. Despite the buzz and proven results, many companies are still not sure about using gamification. Here are five key reasons why your business should be gamifying.
 
Pirate Bay co-founder Gottfrid Svartholm Warg has been sentenced to two years in prison by a District Court in Sweden for multiple data intrusions, attempted aggravated fraud and aggravated fraud.
 
 
RETIRED: HP StorageWorks P4000 Virtual SAN Appliance Remote Command Execution Vulnerability
 
HP Performance Insight Multiple Unspecified Security Vulnerabilities
 
Web content filtering company Netsweeper has supplied its products to Pakistan, even as some top IT companies have refused to supply gear for a controversial filtering project, a Canadian research group has disclosed.
 
In this installation of the IDG Enterprise CEO Interview Series, Chief Content Officer John Gallant talks to Airwatch CEO John Marshall about the company's approach toward mobile, its $225 million in venture funding, and its new Content Locker product, which aims to help enterprises control data access from devices.
 
Linux Kernel 'DE4X5_GET_REG' Information Disclosure Vulnerability
 
France's data protection authority has given Google three months to change the way it handles users' private data, or face legal sanctions.
 
Microsoft on Wednesday backpedaled from a long-standing refusal to pay bug bounties when it announced a temporary program for the beta of Internet Explorer 11 (IE11).
 
Electronics manufacturer Foxconn Technology Group is putting yet more effort behind Mozilla's Firefox OS, and plans to hire up to 3,000 people in Taiwan with expertise in HTML5 and cloud computing.
 
Chip maker Qualcomm is introducing six new processors meant for entry-level phones in China and emerging markets.
 
3-D printer company Stratasys is acquiring desktop 3-D printer maker MakerBot for over $400 million in an all-stock deal, to shore up its consumer presence.
 
Despite the promise of portability from service providers, the reality of the cloud for big customers is a similar type of lock-in as they experience with on-premise apps vendors such as Oracle and SAP, two CIOs said Tuesday.
 
With IT talent hard to find and expensive to replace, savvy companies use tech-specific onboarding programs to win the hearts and minds of IT employees. Insider (registration required)
 
Re: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
 
Adobe Flash Player CVE-2011-2137 Remote Buffer Overflow Vulnerability
 
Adobe Acrobat and Reader CVE-2011-0562 DLL Loading Arbitrary Code Execution Vulnerability
 
Adobe Acrobat and Reader for Linux CVE-2010-2887 Multiple Privilege Escalation Vulnerabilities
 
The Senate is expected to vote next week on an immigration bill, and it is likely to pass after one last fight to give U.S. workers hiring preference over foreigners with H-1B visas.
 
Russia and the US plan to improve communication in the fight against cyber-threats in order to minimise the risk of a bilateral crisis. Lines of direct communication between Moscow and Washington are being expanded
    


 
Microsoft has announced that it is launching a bug bounty programme for upcoming versions of Windows and Internet Explorer. Researchers will be able to earn up to $150,000 for vulnerabilities reported to the company
    


 
Oracle Solaris CVE-2012-3199 Local Security Vulnerability
 

LinkedIn had its DNS "hijacked". There are no details right now; often this is the result of an attacker compromising the account used to manage the DNS records, but it could also be just a simple misconfiguration.

The issue has been resolved, but if LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache.

It does not appear that LinkedIn uses DNSSEC (which may not have helped if the registrar account was compromised). Your best bet to make sure you connect to the correct site is SSL. But of course, "owning" the domain may allow the attacker to create a new certificate rather quickly.

As indicated in a comment below (and some Twitter messages), other sites are affected as well. Please add a comment if you find any. The fact that multiple sites' NS records are affected implies that this may not be a simple compromised registrar account.

Current, apparently accurate, DNS replies for LinkedIn:

 

dig +short A linkedin.com
216.52.242.86

dig +short NS linkedin.com
ns4.p43.dynect.net.
ns4.linkedin.com.
ns3.p43.dynect.net.
ns1.p43.dynect.net.
ns2.p43.dynect.net.
ns1.linkedin.com.
ns3.linkedin.com.
ns5.linkedin.com.
ns6.linkedin.com.
ns2.linkedin.com.
All the NS records point to the same IP address right now: 156.154.69.23.
 
According to http://blog.escanav.com/2013/06/20/dns-hijack/, the bad IP address is 204.11.56.17.
 
For partial passive DNS cache results, see http://www.bfk.de/bfk_dnslogger.html?query=204.11.56.17#result
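A small check in the spirit of the diary's advice (compare what your resolver returns with known-good values, and flush the cache if they differ), written as an added example here and not ISC's own tooling. The baseline NS names and the 216.52.242.86 / 156.154.69.23 addresses are taken from the dig output above, and 204.11.56.17 is the address the diary reports as the bad one; the 156.154.69.0/24 expected range, the `run_demo` helper and the `example.invalid` nameserver names are assumptions constructed for the demo. It parses `dig +short` text, so the same functions can be fed real resolver output from a cron job.

```python
"""Audit a zone's DNS snapshot against a known-good baseline.

Added example for the LinkedIn DNS hijack diary; not ISC code. Works on
`dig +short` style text, so it runs offline on the constructed samples below.
"""
import ipaddress

# Known-good baseline. The NS names and the addresses 216.52.242.86 and
# 156.154.69.23 are the ones the diary quotes; the /24 is an assumption about
# the address space the nameservers are expected to live in.
BASELINE = {
    "A": {"216.52.242.86"},
    "NS": {
        "ns1.linkedin.com.", "ns2.linkedin.com.", "ns3.linkedin.com.",
        "ns4.linkedin.com.", "ns5.linkedin.com.", "ns6.linkedin.com.",
        "ns1.p43.dynect.net.", "ns2.p43.dynect.net.",
        "ns3.p43.dynect.net.", "ns4.p43.dynect.net.",
    },
    "NS_NETS": [ipaddress.ip_network("156.154.69.0/24")],
}


def parse_dig_short(text):
    """Turn `dig +short` output into a list of answer strings (one per line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_zone(apex_a, ns_names, ns_addrs, baseline=BASELINE):
    """Compare one snapshot with the baseline and return a list of findings.

    apex_a   -- A answers for the zone apex
    ns_names -- NS answers for the zone
    ns_addrs -- {ns_name: [A answers]} for each delegated nameserver
    An empty list means the snapshot matches the baseline.
    """
    findings = []
    apex = set(apex_a)
    if apex != baseline["A"]:
        findings.append("apex A changed: expected %s, got %s"
                        % (sorted(baseline["A"]), sorted(apex)))
    ns = set(ns_names)
    for name in sorted(ns - baseline["NS"]):
        findings.append("unexpected NS: %s" % name)
    for name in sorted(baseline["NS"] - ns):
        findings.append("missing NS: %s" % name)
    for name, addrs in sorted(ns_addrs.items()):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in baseline["NS_NETS"]):
                findings.append("NS host %s resolves outside expected space: %s"
                                % (name, addr))
    return findings


def stale_cache_answers(cached, authoritative):
    """Answers a local cache still serves that the authoritative servers no
    longer return; a non-empty result is the 'flush your DNS cache' case."""
    return sorted(set(cached) - set(authoritative))


# Constructed samples in `dig +short` format. GOOD mirrors the diary's
# "apparently accurate" replies; BAD swaps in 204.11.56.17 (the address the
# diary reports as the bad one) and two invented rogue nameserver names.
GOOD_A = "216.52.242.86\n"
GOOD_NS = "\n".join(sorted(BASELINE["NS"])) + "\n"
GOOD_NS_A = {name: ["156.154.69.23"] for name in BASELINE["NS"]}

BAD_A = "204.11.56.17\n"
BAD_NS = "ns1.example.invalid.\nns2.example.invalid.\n"   # constructed names
BAD_NS_A = {"ns1.example.invalid.": ["204.11.56.17"],
            "ns2.example.invalid.": ["204.11.56.17"]}


def run_demo():
    """Audit both samples; returns (good_findings, bad_findings)."""
    good = audit_zone(parse_dig_short(GOOD_A), parse_dig_short(GOOD_NS), GOOD_NS_A)
    bad = audit_zone(parse_dig_short(BAD_A), parse_dig_short(BAD_NS), BAD_NS_A)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("good snapshot findings:", good or "none")
    for finding in bad:
        print("BAD:", finding)
    print("stale cache answers:",
          stale_cache_answers(["204.11.56.17"], ["216.52.242.86"]))
```

The baseline is deliberately a recorded snapshot rather than a live lookup, because the point of the check is to notice when the live answers drift from what you previously verified; a second, independent resolver (or the authoritative servers queried directly) fed into `stale_cache_answers` tells you whether the drift is in your cache or in the delegation itself.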
 
 
------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
FreeBSD CVE-2013-2171 Local Privilege Escalation Vulnerability
 
OpenStack Swift CVE-2013-2161 XML Files Handling Security Bypass Vulnerability
 

Ranks of Romanian cyber cops surge
SC Magazine Australia
The agency competed with local infosec firms to hire the country's famously mathematically-minded youth who would be equally well-equipped to forge a career plundering online transactions, jacking ATMs or hacking corporates. Seasoned cybercrime police ...

 
Best Buy has recalled about 5,100 replacement batteries for Apple's MacBook Pro laptops, after 13 reports that the battery caught fire, a U.S. consumer safety agency said.
 
 

Posted by InfoSec News on Jun 20

http://www.computerworlduk.com/news/security/3452438/bank-of-england-ranks-cyber-attacks-above-eurozone-crisis-as-biggest-threat/

By Matthew Finnegan
Computerworld UK
13 June 2013

Cyber attacks have risen to the top of the list of threats for UK banks
according to Bank of England’s director of financial stability, Andrew Haldane,
but understanding and management of the risk is still at an “early stage”.

Speaking at a Treasury select...
 

Posted by InfoSec News on Jun 20

http://rt.com/news/search-duckduckgo-popularity-nsa-956/

RT.com
June 19, 2013

An alternative search engine DuckDuckGo has enjoyed a record surge in traffic
as NSA scandals spark fears and frighten away Internet users from the more
popular Google or Yahoo!.

Over the previous week DuckDuckGo, a private search engine, which claims not to
collect users' searches or create any personal user profile, has increased its
traffic by 26 per cent...
 

Posted by InfoSec News on Jun 20

http://www.gulf-times.com/qatar/178/details/356891/qatar--%E2%80%98an-interesting-target%E2%80%99-for-cyber-criminals-,-says-security-expert

By Joey Aguilar
Staff Reporter
Gulf Times
June 20, 2013

Qatar has become “an interesting target for cyber crimes” ranging from malware,
phishing, defacement of websites and distributed denial-of-service (DDoS)
attacks, an official of the global computer security software company, McAfee,
has said....
 

Posted by InfoSec News on Jun 20

http://www.theregister.co.uk/2013/06/19/microsoft_bug_bounty_black_hat/

By Iain Thomson in San Francisco
The Register
19th June 2013

Microsoft is breaking its long-standing tradition of not paying for security
vulnerabilities by offering a $100,000 cash prize for the first penetration
tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the...
 

Posted by InfoSec News on Jun 20

http://www.clinical-innovation.com/topics/policy/shasta-regional-slapped-275k-hipaa-fine

By Laura Pedulli
Clinical Innovation + Technology
June 18, 2013

Shasta Regional Medical Center (SRMC) agreed to pay $275,000 and undertake a
corrective action plan after a Department of Health and Human Services (HHS)
Office for Civil Rights (OCR) investigation uncovered HIPAA violations stemming
from unauthorized disclosure of a patient’s personal...
 
OTRS CVE-2013-4088 Remote Security Bypass Vulnerability
 
Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
 
Internet Storm Center Infocon Status