Hackin9
Skype plans to retire older versions of its desktop Internet calling application, including versions on Windows and OS X launched as recently as January and February of this year.
 
Nest, the Internet-connected thermostat and smoke detector maker owned by Google, is acquiring home security system developer Dropcam as part of a push to connect a wider range of devices in people's homes.
 
Promotional texts and other messages from Twitter are fine if you consent to them, but some are going out to old phone numbers that have been around the block, according to a new lawsuit.
 
Google is releasing its own independently developed "fork" of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability that threatened hundreds of thousands of websites with catastrophic attacks.

The unveiling of BoringSSL, as the Google fork has been dubbed, means there will be three separate versions of OpenSSL, which is best known for implementing the Secure Sockets Layer and Transport Layer Security protocols on an estimated 500,000 websites. Developers of the OpenBSD operating system took the wraps off LibreSSL a few weeks after the surfacing of Heartbleed. Google is taking pains to ensure BoringSSL won't unnecessarily compete or interfere with either of those independent projects. Among other things, the company will continue to back the Core Infrastructure Initiative, which is providing $100,000 in funding to OpenSSL developers so they can refurbish their badly aging code base.

"But we’ll also be more able to import changes from LibreSSL and they are welcome to take changes from us," Adam Langley, a widely respected cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. "We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed."

 

I've been running kippo for several years now on a couple of honeypots that I have around, and when I started I was just logging to the text logs that kippo can create.  Since then, kippo has gained support for logging directly to a MySQL database, and some other folks (especially Ioannis "Ion" Koniaris at bruteforce.gr) have created some nice tools to generate reports from kippo data.  These tools expect the data to be in the kippo MySQL database schema.  Having logged several years' worth of stuff to the text log files, I didn't want to lose all that data, but I did want to be able to take advantage of some of the neat tools that Ion has developed, so I needed a way to get that data from the text logs into the supported db schema.  Now, Ion had created a script that he called Kippo2MySQL, but that converted things to his own schema and lost some data in the process.  Using that as inspiration, however, I have created a script that will read the kippo text logs and populate a kippo database (using the same schema that kippo can now log to directly).

The only hitch that I discovered is that when kippo is logging to text logs and restarts, it doesn't maintain unique session ids; it starts over again from 1.  This forced me to make a small change to the sessions table: I had to change the primary key from ID to (ID, STARTTIME).  Fortunately, I haven't had any collisions where multiple sessions with the same id actually had ttylogs, which is where things might get a bit sketchy.  This was accomplished with

mysql> alter table sessions drop primary key, add primary key(id,starttime);

yielding

mysql> show create table sessions\G
*************************** 1. row ***************************
       Table: sessions
Create Table: CREATE TABLE `sessions` (
  `id` char(32) NOT NULL,
  `starttime` datetime NOT NULL,
  `endtime` datetime DEFAULT NULL,
  `sensor` int(4) NOT NULL,
  `ip` varchar(15) NOT NULL DEFAULT '',
  `termsize` varchar(7) DEFAULT NULL,
  `client` int(4) DEFAULT NULL,
  PRIMARY KEY (`id`,`starttime`),
  KEY `starttime` (`starttime`,`sensor`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
1 row in set (0.01 sec)

I've imported about 800K login attempts and can now play with kippo-graph or (soon, I haven't had the chance yet) kippo2elasticsearch.  The script can be found here, though I have one small issue that I'll try to fix shortly: I think it is printing out too many #'s.  I set it to print one every 10,000 lines it reads from the log files and it seems like I'm getting way more than that, but that is a minor annoyance; maybe I'll just add a switch to turn that off later.  In the meantime, enjoy, and if you find any problems or have ideas for improvement, let me know either in the comments or by e-mail at my address below.
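As an added illustration of the restart collision described above (this is example code written for this page, not Jim's kippo-log2db.pl), the Python below parses a handful of kippo-style log lines, keys each session on (id, starttime) exactly as the ALTER TABLE above does, and loads the result into an in-memory SQLite copy of the relevant tables. Everything about the input is an assumption: the sample lines are constructed (including a simulated restart on the second day that reuses session id 1), the regular expressions encode kippo's text-log layout as I recall it, the sessions table is trimmed to the columns the point needs, and the starttime column carried on the auth table is my own addition so that login attempts can be joined back unambiguously; kippo's stock auth table keys on the session id alone.

```python
import re
import sqlite3

# Constructed sample of kippo text-log lines (not from a real honeypot). The
# layout follows kippo's Twisted-style log as I recall it; the regexes below
# are therefore assumptions about the format. Session id 1 appears twice:
# kippo was restarted between the two days and began counting again from 1.
SAMPLE_LOG = """\
2014-06-19 01:02:03+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.10:51234 (10.0.0.5:2222) [session: 1]
2014-06-19 01:02:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/123456] failed
2014-06-19 01:02:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/password] succeeded
2014-06-19 01:03:00+0000 [HoneyPotTransport,1,203.0.113.10] connection lost
2014-06-19 01:04:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40001 (10.0.0.5:2222) [session: 2]
2014-06-19 01:04:02+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2014-06-19 01:04:10+0000 [HoneyPotTransport,2,198.51.100.7] connection lost
2014-06-20 09:00:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.44:60000 (10.0.0.5:2222) [session: 1]
2014-06-20 09:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.44] login attempt [root/toor] failed
2014-06-20 09:00:09+0000 [HoneyPotTransport,1,192.0.2.44] connection lost
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[+-]\d{4} "
RE_NEW = re.compile(TS + r"\[kippo\.core\.honeypot\.HoneyPotSSHFactory\] New connection: "
                    r"(?P<ip>[\d.]+):\d+ \([\d.]+:\d+\) \[session: (?P<sid>\d+)\]$")
RE_LOGIN = re.compile(TS + r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),[\d.]+\] "
                      r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$")
RE_LOST = re.compile(TS + r"\[HoneyPotTransport,(?P<sid>\d+),[\d.]+\] connection lost$")


def parse_kippo_log(text):
    """Parse kippo text-log lines into sessions and login attempts.

    sessions maps the composite key (sid, starttime) -> {"ip", "endtime"}.
    auths is a list of (sid, starttime, timestamp, username, password, success).
    Carrying starttime beside sid is what keeps the two "session 1" blocks
    apart after a kippo restart; sid alone is ambiguous across restarts.
    """
    sessions = {}
    open_by_sid = {}  # sid -> starttime of the session currently open under that id
    auths = []
    for line in text.splitlines():
        m = RE_NEW.match(line)
        if m:
            sessions[(m["sid"], m["ts"])] = {"ip": m["ip"], "endtime": None}
            open_by_sid[m["sid"]] = m["ts"]  # a reused id supersedes the closed one
            continue
        m = RE_LOGIN.match(line)
        if m:
            start = open_by_sid.get(m["sid"])
            if start is None:
                continue  # attempt for a session whose start we never saw (rotated log)
            auths.append((m["sid"], start, m["ts"], m["user"], m["pw"],
                          m["result"] == "succeeded"))
            continue
        m = RE_LOST.match(line)
        if m:
            start = open_by_sid.pop(m["sid"], None)
            if start is not None:
                sessions[(m["sid"], start)]["endtime"] = m["ts"]
    return sessions, auths


def load_into_db(sessions, auths, composite_key=True):
    """Load into an in-memory SQLite copy of the (trimmed) kippo tables.

    composite_key=True  -> PRIMARY KEY (id, starttime), as in the diary's ALTER TABLE.
    composite_key=False -> PRIMARY KEY (id), the stock schema, which cannot hold
                           two sessions that both carry id 1.
    The starttime column on auth is an addition for this example so the join
    back to sessions stays unambiguous; kippo's auth table has only the session id.
    """
    pk = "PRIMARY KEY (id, starttime)" if composite_key else "PRIMARY KEY (id)"
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE sessions (
            id TEXT NOT NULL, starttime TEXT NOT NULL, endtime TEXT,
            ip TEXT NOT NULL, {pk});
        CREATE TABLE auth (
            session TEXT NOT NULL, starttime TEXT NOT NULL, success INTEGER NOT NULL,
            username TEXT, password TEXT, timestamp TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?)",
                   [(sid, st, v["endtime"], v["ip"]) for (sid, st), v in sessions.items()])
    db.executemany("INSERT INTO auth VALUES (?, ?, ?, ?, ?, ?)",
                   [(sid, st, int(ok), user, pw, ts) for sid, st, ts, user, pw, ok in auths])
    db.commit()
    return db


def summarize(db):
    """Return (session count, login attempts, successful logins)."""
    q = lambda sql: db.execute(sql).fetchone()[0]
    return (q("SELECT COUNT(*) FROM sessions"),
            q("SELECT COUNT(*) FROM auth"),
            q("SELECT COUNT(*) FROM auth WHERE success = 1"))


def single_key_schema_collides(sessions, auths):
    """True when loading into the id-only schema hits the restart collision."""
    try:
        load_into_db(sessions, auths, composite_key=False)
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    sessions, auths = parse_kippo_log(SAMPLE_LOG)
    print("sessions:", sorted(sessions))
    print("(sessions, attempts, successes):", summarize(load_into_db(sessions, auths)))
    print("id-only primary key collides:", single_key_schema_collides(sessions, auths))
```

Run stand-alone, the script reports three sessions (two of them with id 1), four login attempts and one success, and confirms that the same rows cannot be loaded into a table keyed on id alone. The parser deliberately drops a login attempt whose "New connection" line is missing (a session that straddles a log rotation) rather than guessing which restart it belonged to; the ttylog attribution the diary calls sketchy has the same ambiguity and is not handled here.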

References:

http://handlers.sans.org/jclausing/kippo-log2db.pl

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
With Google's social network coming up on its third anniversary, industry analysts are wondering if the company is rethinking Google+ and where it goes from here.
 
Police in Dallas are scrambling after snafus involving a new records management system caused more than 20 jail inmates, including a number of people charged with violent crimes, to be set free.
 
U.S. schools could get a cool billion to set up Wi-Fi networks to connect more than 10 million more students by the 2015-2016 school year under a new FCC proposal.
 
If home automation can reduce insurance claims due to fire, water damage and theft, insurers may become advocates for Internet of Things technologies.
 
The current shortage of cybersecurity professionals in the U.S. will likely resolve itself over the next several years, according to the RAND Corp. But until then, companies will find it disturbingly difficult to find skilled workers.
 
A new report shows that 3D printers and the materials that go along with them will explode over the next five years due to a growing comfort with the technology, fed mainly by inclusion of the tech in academic settings.
 
Two U.S. senators have introduced legislation aimed at expanding the amount of Wi-Fi spectrum available in a band now designated for intelligent vehicle communications, satellite service and amateur radio.
 
Microsoft today kicked off retail sales of the Surface Pro 3, the 2-in-1 device touted by the company as a notebook replacement.
 
Cisco WebEx Meetings Server CVE-2014-3296 Information Disclosure Vulnerability
 
Linux Kernel Unspecified Local Denial of Service Vulnerability
 
The U.S. Federal Communications Commission should leave net neutrality enforcement to antitrust agencies that can bring lawsuits against broadband providers after they see evidence of anti-competitive behavior, some U.S. lawmakers have advocated.
 
Everyone is obsessed with millennials -- hiring them, managing them, understanding them. But what do millennials think about how they are perceived? Staff writer Lauren Brousell (a member of Gen Y herself) recently moderated a panel packed with millennials at CIO Perspectives and sets the record straight.
 
An earnings miss by Oracle is usually enough to send tech market forecasters back to their spreadsheets with furrowed brows. But there was enough good news on the tech sales front this week to keep expectations for IT on the optimistic side.
 
Indian outsourcing provider Infosys is making some fundamental changes, starting with appointing a new CEO, to transform itself and regain its prominence in the offshore IT services industry. However, it will take more than a new CEO to transform the company.
 
Most tech companies trying to turn themselves around start with the products that customers don't want right now, not the products those customers will want several years from now. That's why most turnaround efforts fail. BMC, having gone private and assembled a new executive team, seems to have learned its lesson.
 
Microsoft inadvertently confirmed in a user guide that it had a smaller Surface tablet ready to release when it unveiled the larger Surface Pro 3 last month.
 

Infosec bods try Big Data in search for better anti-virus mousetrap
Register
Infosec house Panda Security is looking to Big Data and application monitoring as a means to achieve better malware detection. The launch of Panda Advanced Protection Service (PAPS) is a response to the widely known shortcomings of signature-based ...

 
Oracle is scooping up co-browsing software maker LiveLOOK in a bid to flesh out its suite of customer experience software.
 
Microsoft has delivered on a promise made earlier this year to provide a road map to future Office 365 enhancements and additions, something both current and potential customers have been clamoring for.
 
Android devices running Java applications do not infringe on patents belonging to SIM card maker Gemalto, the U.S. Court of Appeals ruled.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated kernel packages that fix three security issues and two bugs are now available for Red Hat Enterprise Linux 5.9 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
As more companies look to profit from their data, CIOs must grow beyond their traditional roles as data stewards, says CIO magazine's editor in chief.
 
Survey results from the Healthcare Information and Management Systems Society's analytics arm say more than 80 percent of organizations use cloud services, primarily to host apps and data. Concerns remain, particularly around security and uptime, but most users seem optimistic.
 
Ubisoft Rayman Legends 'memset()' Function Stack Based Buffer Overflow Vulnerability
 
BarracudaDrive '/rtl/protected/admin/ddns/' Multiple Cross Site Scripting Vulnerabilities
 

If you don't know, now you know
DVIDS
“Properly securing information plays a big role in reducing adversary indicators toward our OPSEC mission as well as INFOSEC. Refer to your unit security manager for correct labeling and storage guidance,” said Griffin. Vigilance is key when achieving ...

 
The U.S. Marshals Service is going ahead with an auction of US$18 million in bitcoins even though it inadvertently leaked the identities of potential bidders.
 
Less than three weeks after pushing Android 4.4.3 to users of its Nexus devices, Google released a new version of the OS that incorporates a patch for a serious vulnerability identified in the OpenSSL cryptographic library.
 
Tens of thousands of servers have a hard-coded, plain-text password that could yield remote access to a management interface for a server, according to a security researcher.
 

A new vulnerability has been disclosed by the CARI.net team regarding Supermicro's implementation of IPMI/BMC for management.  The vulnerability involves a plaintext password file available for download simply by connecting to a specific port, 49152.  One of our team members has tested this vulnerability, and it works like a champ, so let's add another log to the fire and spread the word.  The CARI.net team has a great writeup on the vulnerability linked below:

http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/


Much thanks to Zach at CARI.net for the heads-up.

tony d0t carothers --gmail

 

The systems we use in our day-to-day lives, typically outside our place of business, are ours to use and abuse as we see fit.  As such, we are also responsible for the security of said systems, and one of the oft-overlooked is WordPress.  The WordPress application is used by many SOHO users and is as vulnerable to attack as anything out there today.  WordPress can be secured, and with a bit of effort and guidance, fairly easily.  The WordPress.org site has a great hardening guide that covers most aspects of securing the application: http://codex.wordpress.org/Hardening_WordPress


If the instance of WordPress is running on a shared server, as most are, then working with the hosting company may be necessary if they are behind on patching, updating, etc.  If their host is compromised, then everything you do for your instance of WordPress can be easily undermined at the OS level.  If you choose to use tools such as Metasploit or ZAP to test your application, ensure it is done within the confines of the user agreement in place with your hosting provider.

tony d0t carothers --gmail

 

Posted by InfoSec News on Jun 20

http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/

By Dan Goodin
Ars Technica
June 19, 2014

An alarming number of servers containing motherboards manufactured by
Supermicro continue to expose administrator passwords despite the release
of an update that patches the critical vulnerability, an advisory
published Thursday warned.

The threat resides in the baseboard management...
 

Posted by InfoSec News on Jun 20

http://www.aopa.org/News-and-Video/All-News/2014/June/18/Garmin-tackles-misinformation-on-hacking-aircraft-avionics.aspx

By AOPA ePublishing staff
June 18, 2014

With much publicity the past several months focusing on hacking and
security breaches—in the media, TV shows, and movies—Garmin is setting the
record straight on the myths around one such possible breach: hacking
aircraft avionics.

Garmin, an industry leader in aviation...
 

Posted by InfoSec News on Jun 20

http://www.theregister.co.uk/2014/06/19/microsoft_nsa_fallout/

By Jack Clark
The Register
19 Jun 2014

Microsoft's top lawyer says the fallout of the NSA spying scandal is
"getting worse," and carries grim implications for US tech companies.

In a speech at the GigaOm Structure conference in San Francisco on
Thursday, Microsoft general counsel Brad Smith warned attendees that
unless the US political establishment figures out...
 

Posted by InfoSec News on Jun 20

http://ctmirror.org/irs-hartford-police-conducting-criminal-investigation-on-access-health-data-breach/

By Arielle Levin Becker
The CT Mirror
June 19, 2014

The Internal Revenue Service and Hartford police are conducting a criminal
investigation of the data breach involving information on clients of
Connecticut’s health insurance exchange. But an exchange official said
Thursday that the cause was most likely a mistake by a call center...
 

Posted by InfoSec News on Jun 20

http://www.csoonline.com/article/2365184/security-industry/circlecitycon-the-missing-update.html

By Steve Ragan
Salted Hash
CSO
June 19, 2014

Last weekend, 240 people attended CircleCityCon, Indianapolis' first major
security conference. It was an amazing time, offering a chance to learn
from a wide range of professionals.

There were more than thirty talks recorded at the event, thanks to Adrian
Crenshaw (@irongeek_adc) and his team of...
 

Posted by InfoSec News on Jun 20

http://www.computerworld.com/s/article/9249246/USENIX_Unstable_code_can_lead_to_security_vulnerabilities

By Joab Jackson
IDG News Service
June 19, 2014

As if tracking down bugs in a complex application isn't difficult enough,
programmers now must worry about a newly emerging and potentially
dangerous trap, one in which a program compiler simply eliminates chunks
of code it doesn't understand, often without alerting the programmer...
 

Posted by InfoSec News on Jun 20

http://bits.blogs.nytimes.com/2014/06/19/cybercriminals-zero-in-on-a-lucrative-new-target-hedge-funds/

By Nicole Perlroth
Bits
The New York Times
June 19, 2014

They say crime follows opportunity.

Computer security experts say hedge funds, with their vast pools of money
and opaque nature, have become perfect targets for sophisticated
cybercriminals. Over the past two years, experts say, hedge funds have
fallen victim to targeted attacks....
 
AlienVault OSSIM CVE-2014-3804 Multiple Unspecified Remote Code Execution Vulnerabilities
 
Linux Kernel 'mm/slab.c' Local Denial of Service Vulnerability
 