Hackin9
Icinga Classic UI 'MAX_INPUT_BUFFER' Value Multiple Buffer Overflow Vulnerabilities
 
Microsoft's share price cracked $40, setting an 11-year high in trading on Thursday.
 
LinuxSecurity.com: A vulnerability has been found and corrected in mozilla NSS: In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2 (CVE-2014-1492). [More...]
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA).

The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so the vulnerability is only exploitable if the FTP service is enabled. Once the blocklist is parsed, arbitrary commands are executed.

This sounds like an OS command injection vulnerability. The entries in the file (presumably IP addresses) are likely passed as arguments to a firewall script, and if an entry contains shell metacharacters (typically ; or &), additional commands can be executed.

Time to patch, but the fact that the attacker has to be authenticated makes this a less severe vulnerability than other arbitrary code execution vulnerabilities.
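The safe way to consume a file like this is to validate every entry as an IP address or network before it goes anywhere near a command line, and to invoke the firewall tool with an argument list rather than a shell string. The following Python sketch is an added example illustrating that pattern; it is not Cisco's code, and the tool name "blockhost" and the sample blocklist are constructed for the demonstration.

```python
import ipaddress
import subprocess

# Unsafe pattern the diary describes: the entry is spliced into a shell command
# string, so an entry such as "192.0.2.1; id" runs a second command.
#     subprocess.run("blockhost --deny " + entry, shell=True)


def parse_blocklist(text: str):
    """Split an uploaded blocklist into (accepted, rejected) entries.

    An entry is accepted only if it parses as an IP address or CIDR network;
    everything else, including anything carrying shell metacharacters such as
    ';' or '&', is rejected instead of being handed to the firewall script.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            # Normalised form: a bare host becomes a /32 or /128 network.
            accepted.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            rejected.append(entry)
    return accepted, rejected


def firewall_argv(entry: str) -> list:
    """Build the firewall invocation as an argv list. 'blockhost' is a
    hypothetical tool name standing in for the appliance's real script."""
    return ["blockhost", "--deny", entry]


def run_for_real(argv: list) -> None:
    """Execute the tool. The list form means the entry reaches the program
    as a single argument and is never parsed by a shell."""
    subprocess.run(argv, check=True)


def apply_blocklist(text: str, run=lambda argv: None):
    """Validate the file, then invoke the firewall once per accepted entry.

    `run` defaults to a no-op so the example runs offline; pass run_for_real
    to actually execute the (hypothetical) tool.
    """
    accepted, rejected = parse_blocklist(text)
    for entry in accepted:
        run(firewall_argv(entry))
    return accepted, rejected


# Constructed sample upload: three valid entries and one that would have
# carried a command into a shell-built invocation.
SAMPLE_BLOCKLIST = """\
# hosts to deny
192.0.2.10
2001:db8::/32
198.51.100.0/24
192.0.2.1; id
"""

if __name__ == "__main__":
    ok, bad = apply_blocklist(SAMPLE_BLOCKLIST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected entries are worth logging with the uploading account name: an authenticated user submitting entries with shell metacharacters in a blocklist is a useful detection signal on its own.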

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The software driving Bitcoin transactions on the Internet has been updated to fix a weakness that contributed to the downfall of Mt. Gox, once one of the biggest exchanges for the digital currency.

Version 0.9.0 of the "Bitcoin Core" software, the Bitcoin infrastructure software previously known as Bitcoin-QT, contains five separate changes designed to make so-called transaction malleability attacks harder to pull off. As Ars explained last month, the attacks work by flooding exchanges with large numbers of malformed transactions that are similar, but not identical, to legitimate transactions that have already been made. Exchanges that trust one or more of the phantom records instead of the entries in the official Bitcoin blockchain can fall out of sync with the rest of the network and must recalculate their fund balances once the mistakes become apparent.

Attacks that abused the weakness caused several exchanges to suspend cash withdrawals. Tokyo-based Mt. Gox never recovered. Three weeks ago, it filed for bankruptcy after claiming to lose $468 million, $412.5 million of which it said belonged to customers.


 
For the second time in less than two years, Symantec Corp. has a new chief executive officer.
 

One of the annoyances with IPv6 addresses is that they may be abbreviated. Leading "0"s in a group may be omitted, and one run of consecutive all-zero groups may be replaced with "::". The key annoyance is the word "may". Some logs (for example iptables) will not abbreviate; others, for example nginx or apache, will, which makes correlating logs more difficult.

Lately, I started using a little perl script to "normalize" the IPv6 addresses in my logs. The script will insert all the missing "0"s, making it easier to find a specific IP address. The script I am using:

#!/usr/bin/perl
# Expand abbreviated IPv6 addresses in log lines to the full 8 x 4-digit form.
use strict;
use warnings;

while ( my $line = <> ) {
    # Only touch tokens with at least two colon-separated hex groups, so bare
    # numbers are left alone; fillv6() returns anything that is not an
    # address (timestamps, MAC addresses) unchanged. All matches on the line
    # are handled, not just the first one.
    $line =~ s/(?<![\w:])([0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7})(?![\w:])/fillv6($1)/ge;
    print $line;
}

sub fillv6 {
    my $in = shift;
    my @parts;
    if ( $in =~ /::/ ) {
        # "::" stands for as many all-zero groups as are needed to reach 8;
        # the limit of 2 keeps an empty right side (e.g. "fe80::") intact.
        my ( $left, $right ) = split( /::/, $in, 2 );
        my @l = grep { length } split( /:/, $left );
        my @r = grep { length } split( /:/, $right );
        return $in if @l + @r > 7;    # malformed, leave it alone
        @parts = ( @l, ('0') x ( 8 - @l - @r ), @r );
    } else {
        @parts = split( /:/, $in );
        return $in if @parts != 8;    # not an IPv6 address (e.g. 12:34:56)
    }
    # "%04s" zero-pads each group on the left to four characters.
    return join( ':', map { sprintf( "%04s", $_ ) } @parts );
}
What I could use are some more diverse IPv6 logs, to see if the script covers all possible cases. The script is right now in a "works for me" state, so let me know if it works for you too.
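For comparison, here is an added Python version of the same normalization. It is my example, not the diary's script, and it leans on the standard library's ipaddress module (the exploded attribute) instead of hand-rolled expansion. It goes a bit beyond the Perl script: it also handles the embedded-IPv4 form (::ffff:192.0.2.1), a %zone suffix, uppercase hex and bracketed [addr]:port notation, while leaving timestamps and MAC addresses untouched. The log lines at the bottom are constructed for the demonstration.

```python
import ipaddress
import re

# Candidate tokens: two or more colon-separated hex groups, an optional
# dotted IPv4 tail (::ffff:192.0.2.1) and an optional %zone suffix. The
# lookarounds keep the match from starting or ending inside a longer token.
CANDIDATE = re.compile(
    r"(?<![\w:.])"
    r"([0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}"
    r"(?:\.\d{1,3}){0,3}(?:%[\w.-]+)?)"
    r"(?![\w:])"
)


def normalize_ipv6(token: str) -> str:
    """Return the fully expanded form of one IPv6 address token.

    Tokens that only look like addresses (12:34:56, 00:11:22:33:44:55) fail
    to parse and are returned unchanged. A %zone suffix is preserved.
    """
    addr, sep, zone = token.partition("%")
    try:
        exploded = ipaddress.IPv6Address(addr).exploded
    except ValueError:
        return token
    return exploded + sep + zone


def normalize_line(line: str) -> str:
    """Expand every IPv6 address found in a log line."""
    return CANDIDATE.sub(lambda m: normalize_ipv6(m.group(1)), line)


# Constructed sample lines in the style of a few common log formats.
SAMPLE_LOG = [
    '2001:db8::1 - - [20/Mar/2014:12:34:56 +0000] "GET / HTTP/1.1" 200 612',
    "IN=eth0 MAC=00:11:22:33:44:55 SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=fe80::",
    "connect from [::1]:8080 via fe80::1%eth0 at 12:34:56",
    "mapped client ::FFFF:192.0.2.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(normalize_line(line))
```

Running it as a filter (python3 normv6.py < access.log) gives the same effect as the Perl script; because every candidate is validated by ipaddress before it is rewritten, the timestamp in the Apache-style line and the MAC address in the iptables-style line come out untouched.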
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Windows and Xbox games will receive a significant graphics and performance boost with Microsoft's new DirectX 12, a set of application programming interfaces and tools used in PC games.
 
Syria was hit by what appeared to be an Internet outage that swept nearly the entire country, according to Internet monitoring companies.
 
[ MDVSA-2014:066 ] nss
 
Fitbit, a startup that makes wearable devices for activity tracking, is being sued following reports that users of its Force device developed skin rashes.
 
In June 1967, when Patrick J. McGovern published the first issue of Computerworld, the new publication did something different -- it reported on the computing industry from a user perspective.
 
Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles.
 
ownCloud CVE-2014-2055 XML External Entity Injection vulnerability
 
FreeType CVE-2014-2241 Denial of Service Vulnerability
 
Microsoft Internet Explorer CVE-2014-0312 Memory Corruption Vulnerability
 
The next version of Red Hat's Software Collections package includes Apache httpd and Nginx Web servers, Ruby 2.0, and NoSQL database MongoDB.
 
Observers are split on whether the latest Java version gives the software a new edge or simply lets it keep up with other top programming languages.
 
Citing the need to protect users from government cyber-spying, Google has tightened Gmail's encryption screws by removing the option to turn off HTTPS.
 
Facebook has released a programming language called Hack, which marries the ease of PHP with the rigorous safety controls of older languages such as C++.
 
AT&T announced it will sell the Samsung Galaxy S5 smartphone for $200 with a two-year contract starting April 11.
 
Job applicant tracking systems capture massive amounts of info on candidates. But all that data doesn't help if the best candidates aren't able or willing to complete the process. Going more simple and streamlined can make it easier to find talent.
 
LinuxSecurity.com: Security Report Summary
 
Microsoft Internet Explorer CVE-2014-0298 Memory Corruption Vulnerability
 
MP3Info Unspecified Buffer Overflow Vulnerability
 
Twitter is getting ready to celebrate its eighth birthday on Friday and it's marking the occasion with a present for its users.
 
Python logilab-common Package CVE-2014-1839 Insecure File Creation Vulnerability
 
Apache HTTP Server Multiple Denial of Service Vulnerabilities
 
[SECURITY] [DSA 2882-1] extplorer security update
 
[ MDVSA-2014:065 ] apache
 
Wireless Drive v1.1.0 iOS - Multiple Web Vulnerabilities
 
Shakacon 2014: Call for Papers - Deadline April 11th
 
The noted Windows leak site Wzor.net was offline Thursday and its Twitter account had disappeared, a day after an ex-Microsoft employee was charged with stealing trade secrets from the company.
 

Pro Syrian hacktivists have offered compelling proof that they successfully breached Microsoft's corporate network and made off with highly sensitive documents that company employees sent to law enforcement officials, according to a media report published Thursday.

Billing invoices and other documents show Microsoft charging the FBI hundreds of thousands of dollars a month to comply with legal requests for customer information, according to the article published by The Daily Dot. The publication said the stolen Microsoft material was provided by members of the Syrian Electronic Army (SEA), a hacking group that has compromised social media accounts and occasionally private networks of eBay and Viber, as well as media outlets including The Washington Post, the Associated Press, The Financial Times, the BBC, Al Jazeera, and Forbes. The group has proven itself to be extremely effective in waging highly targeted phishing attacks that extract login credentials. For an idea how intricate some SEA attacks can be, see this detailed post-mortem of a recent ransacking of Forbes.

Most of the SEA's successes result in little more than a public embarrassment for the compromised targets. But recent exploits against Microsoft and eBay, which Ars covered here and here, were more serious because they exposed confidential operations or data that could be used to further penetrate the companies or compromise operational security.


 
Even if you have high-quality customer relationship management data, there's a hidden monster that can gobble up management information system credibility. It's time to rein in user-generated CRM reports.
 
For the past several months Tor developers have unsuccessfully been trying to convince Apple to remove from its iOS App Store what they believe to be a fake and potentially malicious Tor Browser application.
 
Pen 'penctl.cgi' Multiple Insecure Temporary File Creation Vulnerabilities
 
ImageMagick PSD Image File Handling CVE-2014-1947 Remote Buffer Overflow Vulnerability
 
Confidential company data can make its way onto mobile devices, where it's no longer under the protection of your toughest network defenses. Does that make your data vulnerable? To find out, review some strategies for preventing data loss on mobile devices.
 
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in apache (ASF HTTPD): XML parsing code in mod_dav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside [More...]
 
LinuxSecurity.com: Two vulnerabilities have been found in GNU Emacs, possibly leading to user-assisted execution of arbitrary code.
 
LinuxSecurity.com: Security Report Summary
 
[SECURITY] [DSA 2859-2] pidgin security update
 
International Data Group announced today that its founder and chairman, Patrick J. McGovern, died Wednesday at Stanford Hospital in Palo Alto, Calif.
 
Chinese e-commerce giant Alibaba Group is investing $215 million to acquire a minority stake and a seat on the board of Tango, a mobile messaging app from the U.S.
 
Google's Android Wear mobile operating system is about powering smartwatches and wearables, but it also fits neatly into the company's overall smart strategy.
 
Hybrids -- laptops whose displays detach to become tablets -- were designed to allow users to have one device with many uses. But do they work as advertised? We talked to some users to find out.
 
The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins.
 
NASA, with an eye toward Earth-based projects, is calling on software and hardware developers to create new technologies for addressing issues around coastal flooding.
 
Software developers were among the first in the world to get their hands on Sony's futuristic Project Morpheus headset on Wednesday, and they liked what they saw.
 
A former Microsoft employee accused Wednesday of leaking Windows RT updates and software that validates product key codes faces federal criminal charges of stealing trade secrets.
 
Joomla! eXtplorer Component CVE-2013-5951 Multiple Cross Site Scripting Vulnerabilities
 
Joomla! Youtube Gallery Component 'flvthumbnail.php' Cross-Site Scripting Vulnerability
 

Posted by InfoSec News on Mar 20

http://www.nextgov.com/cio-briefing/2014/03/obama-administration-denies-abandoning-internet/80881/

By Brendan Sasso
National Journal
March 19, 2014

A top Commerce Department official pushed back Wednesday against concerns
that the Obama administration is opening the door to an Internet takeover
by Russia, China, and other authoritarian regimes.

The fears stem from the Commerce Department's announcement last Friday
that it plans to give...
 

Posted by InfoSec News on Mar 20

http://www.fool.com/investing/general/2014/03/19/target-inc-is-still-a-liability-landmine.aspx

By Rich Duprey
The Motley Fool
March 19, 2014

Three months have passed since the massive data breach at Target (NYSE:
TGT) ended, and though the retailer continues to plug away, investors
should be cautious treading here, because there's still a massive
liability IED waiting to detonate -- and it could blow up anytime now.

As is all too well...
 

Posted by InfoSec News on Mar 20

http://blog.osvdb.org/2014/03/19/missing-perspective-on-the-closure-of-the-full-disclosure-mail-list/

By jerichoattrition
OSVDB
March 19, 2014

This morning I woke to the news that the Full-Disclosure mail list was
closing its doors. Assuming this is not a hoax (dangerously close to April
1st) and not spoofed mail that somehow got through, there seems to be
perspective missing on the importance of this event. Via Facebook posts
and Twitter I...
 

Posted by InfoSec News on Mar 20

http://gulfnews.com/news/gulf/oman/teen-hacker-hits-five-omani-government-websites-1.1306001

Staff Report
Gulf News
March 19, 2014

Muscat: Five Oman government websites, including the Telecommunications
Regulatory Authority (TRA) and the General Directorate of Traffic, were
hacked on Tuesday evening.

Local media reported that the hacker was a 14-year-old who calls himself
Dr DarknesS. He said he hacked the TRA website to express his...
 

Posted by InfoSec News on Mar 20

http://www.hollywoodreporter.com/news/man-who-exposed-target-security-689782

By Borys Kit
The Hollywood Reporter
3/19/2014

Sony has picked up the rights to the New York Times article "Reporting
From the Web’s Underbelly," which focused on cyber security blogger Brian
Krebs. Krebs, with his site KrebsonSecurity.com, was the first person to
expose the credit card breach at Target that shook the retail world in
December.

Richard...
 