Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A nine-person California jury will begin their deliberations Wednesday in the landmark patent battle between Apple and Samsung. The case, which has been argued since the beginning of the month, pits two of the world's largest electronics makers against each other and could result in billions of dollars in fines depending on the jury's decision.
 
I have seen one on my own phone, and a lot of people have reported seeing them. It is an SMS message from a throw-away or spoofed number and looks something like this:
You have won an Apple iPad or iPhone or iPod or something from Apple, click on this www.apple.com.othercrud.baddomain
Guess what? You have won your credentials being phished, free malware, and other badness. Ain't nothing for free. Although from the spammer/phisher point of view they get something of value from people who expect something for nothing, for little effort on the part of the spammer/phisher. Funny how that works.
Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.



I will be teaching SANS Sec560 in Montreal this September, and Sec542 in Vancouver this December. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
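As an added illustration (not part of the diary above), here is a defender-side check in Python that flags the trick used in the sample SMS: a trusted brand name sitting in a subdomain label while the actual registrable domain is something else entirely. The brand list, the simplified two-label registrable-domain rule and the sample message are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the diary's example SMS (not a real domain).
SAMPLE_SMS = ("You have won an Apple iPad or iPhone or iPod or something from Apple, "
              "click on this www.apple.com.othercrud.baddomain")

# Brands whose names commonly appear in lookalike hostnames (assumed list).
WATCHED_BRANDS = {"apple", "paypal", "amazon"}

# Matches bare or scheme-prefixed hostnames with an optional path.
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def registrable_domain(host):
    """Simplified: last two labels. A real deployment should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(text):
    """Pull every hostname out of a message body."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if "://" not in url:
            url = "http://" + url  # urlsplit needs a scheme to find the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def lookalike_verdict(host):
    """Return the brand found in a non-registrable label, or None if the host looks clean."""
    reg = registrable_domain(host)
    prefix_labels = host.lower().split(".")[:-2]  # everything left of the registrable domain
    for label in prefix_labels:
        for brand in WATCHED_BRANDS:
            # support.apple.com is fine; www.apple.com.othercrud.baddomain is not
            if brand in label and not reg.startswith(brand + "."):
                return brand
    return None


def scan_sms(text):
    """Map each host in the message to the brand it impersonates (None if clean)."""
    return {h: lookalike_verdict(h) for h in extract_hosts(text)}
```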
 
The Remote Desktop 3.6.1 update from Apple fixes the problem that if a user connected to a remote VNC server that did not have encryption enabled, there was no encryption, even though "Encrypt all network data" is set. The user was not alerted to the problem. I particularly like software that allows you to select a secure option, then promptly ignores it, without telling you. The solution is that now the Remote Desktop application first attempts to log in via SSH, then tunnels over the connection. The connection will now fail if "Encrypt all network data" is set and the SSH tunnel is not established. The CVE for this issue is CVE-2012-0681. More information from Apple is here: https://support.apple.com/kb/HT5433
Thanks Dave for writing in!
Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.



 
From their Security Bulletin: Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. It fixes the following CVE entries: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168. It appears as though Adobe is going for a weekly update cycle.
More details are here: https://www.adobe.com/support/security/bulletins/apsb12-19.html
Thanks Toby and Rene for writing in!
Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.



 
The Rugged Operating System (ROS) has a hard-coded RSA private key used for SSL/TLS communications. With the private key from a server being a known value it is not difficult to decrypt any traffic to/from the device. This vulnerability could lead to loss of confidentiality, loss of integrity, and loss of availability for a device that should be secure and reliable. This is the same set of devices that had a backdoor account disclosed in April, where the account name was factory and the password was based on the MAC address. These devices are often used in SCADA and process control systems, where they should be adequately protected from any potentially hostile network access. For 'hardened' devices, these two significant fails to implement security properly make you wonder.
The key management fail is from an ICS-CERT ALERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf
The backdoor and password management fail is here: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01A.pdf
Thanks Andrew for writing in!
Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.



 
Closing arguments have begun in the high-profile patent-infringement case between Apple and Samsung.
 
Users of Windows 8 Release Preview can indeed do a full upgrade to the final code, something Microsoft said was impossible, an IT consultant said today.
 
Dell has tapped a former Hewlett-Packard executive to run its server, networking and storage division, an important area for Dell as it tries to expand its data center business and reduce its dependence on PCs.
 
FalconStor today announced a new version of its RecoverTrac software, which simplifies disaster recovery and reduces recovery time from days to hours or even minutes.
 
Audits can be expensive, and fines and compensatory actions could mean millions more. Here are the things you should be looking out for.
 
NASA's Mars Curiosity rover wiggled its wheels Tuesday and is ready to make its first -- if brief -- test drive on Wednesday.
 
W32.Disttrack, a worm that corrupts files and overwrites the MBR, further proves attackers now favor targeted malware for penetrating enterprises.

 
The Windows version of Crisis, a piece of malware discovered in July, is capable of infecting VMware virtual machine images, Windows Mobile devices and removable USB drives, according to researchers from antivirus vendor Symantec.
 
Paving the way for more server-side use of JavaScript, platform-as-a-service (PaaS) provider Engine Yard has added the Node.js library to its collection of hosted Web application tools.
 
Sprint officials showed off new 4G LTE cellular service today in Baltimore, the carrier's 16th market in the U.S. to get the technology.
 
Marvell plans to begin selling PCIe adapter cards that will act as cache accelerators for consumer-class SSDs to be used in enterprise-class servers.
 
Jurors hearing arguments between Apple and Samsung have been warned not to accept software updates or install apps on mobile gadgets they receive while deliberating the merits of the patent-infringement case.
 
Workday is expanding its cloud-based human resources and financial applications' footprint with a new employee time-tracking module, the company announced Tuesday.
 
Call it the legal equivalent of baseball's seventh-inning stretch. San Jose District Court Judge Lucy Koh plans to get the courtroom in the Apple versus Samsung case on its feet later Tuesday in a bid to stave off sleep as the jury hears a mammoth set of instructions.
 
Microsoft yesterday warned Windows users of possible "man-in-the-middle" attacks able to steal passwords for some wireless networks and VPNs, or virtual private networks.
 
Flaws in proxy handling and negotiation are fixed in Apache HTTP Server 2.4.3, along with over fifty other bugs and outstanding issues, including an SSL-on-Windows problem from version 2.4.2.


 
GRBoard Multiple SQL Injection and Security Bypass Vulnerabilities
 
[ MDVSA-2012:141 ] openslp
 
Google has added a feature to its Webmaster Tools search engine optimization (SEO) service that will alert publishers about sudden changes in their site's Google results and click-throughs.
 
A buggy update released Friday by security vendor McAfee for its consumer and enterprise antivirus products, left the computers of its customers unprotected and, in some cases, unable to access the Internet.
 
The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems for server computers. BIOS (Basic Input/Output System) is the first major software that runs when a ...
 
The National Institute of Standards and Technology (NIST) will co-sponsor the 2012 Biometric Consortium Conference (BCC 2012), September 18-21, 2012, at the Tampa Convention Center in Tampa, Fla. The annual conference, produced in ...
 
The Norwegian Tax Administration and the State Educational Loan Fund's use of Google Analytics violate the country's privacy laws, because the agencies have no control over how Google uses information about users, the Norwegian Data Protection Authority said.
 
If having to pay $7+ per gigabyte for secure flash drives makes you blanch, take a look at the Lenovo ThinkPad USB 3.0 Secure Hard Drive.
 
Amazon Web Services has announced Glacier, a low-cost storage service that has been customized for data archiving and backup.
 
Between a man-sized mouse, two foul-tempered ducks, and a cross-dressing rabbit, animated comedies have long aimed to strike a balance between innocence and irreverence. At its best, The Act, a self-described "interactive comedy," straddles that line expertly. In the span of a few short scenes, your hapless hero goes from dealing with a puking infant to sabotaging a brain transplant--a story communicated entirely through beautifully animated physical comedy and wacky music. It's not exactly a good sign, however, that at its best, the iPhone and iPad offering from Chillingo is merely showing you these things. Playing through a game on your iOS device is another matter.
 
SAP NetWeaver Remote Code Execution and Denial of Service Vulnerabilities
 
Oracle MySQL Prior to 5.1.50 Privilege Escalation Vulnerability
 
Lattice Diamond Programmer Buffer Overflow Vulnerability
 
Splunk Unspecified Cross Site Scripting Vulnerability
 
Microsoft Excel 'MergeCells' Record Heap Overflow Remote Code Execution Vulnerability
 
IBM Rational ClearQuest Cross Site Scripting and Information Disclosure Vulnerabilities
 
Microsoft on Monday began taking orders for the $14.99 Windows 8 upgrade promised to customers who purchased a new Windows 7-powered PC in the last 11 weeks.
 
Lenovo's new ThinkPad X1 Carbon ultrabook is fast, stylish and lightweight, although the price is slightly higher than some of its rivals.
 
Imagine the longest, most complex government form you've ever had to fill out and you start to have an idea what jurors will face as they begin to consider their verdict in the patent infringement case between Apple and Samsung.
 
The Internet Corporation for Assigned Names and Numbers (ICANN) said it would take up to December to come up with a process for handling the large number of applications for gTLDs (generic top-level domains).
 
Version 3.6.1 of Apple's Remote Desktop application fixes a vulnerability when connecting to third-party VNC servers that could lead to information disclosure.


 
A federal court decision on Monday to throw out a civil lawsuit against Infosys is a clear loss for the plaintiff, Jay Palmer. But it isn't much of a win for Infosys.
 
Users wishing to use the HOSTS file as an ad blocker under Windows 8 are in for a surprise: some entries made in the file vanish as if by magic. Facebook and Twitter are among the unblockable sites.


 
Oracle Outside In Technology CVE-2012-1770 Remote Code Execution Vulnerability
 

Posted by InfoSec News on Aug 21

http://www.telegraph.co.uk/technology/news/9485004/Childrens-private-records-leaked-on-internet-from-independent-school-applications.html

By Jason Lewis
Investigations Editor
Telegraph.co.uk
19 Aug 2012

The security breach led to the publication of 1,367 private records,
including the names and addresses of pupils and parents and confidential
notes about their children’s personality and school achievements and, in
some cases,...
 

Posted by InfoSec News on Aug 21

http://arstechnica.com/security/2012/08/passwords-under-assault/

By Dan Goodin
Ars Technica
Aug 20, 2012

In late 2010, Sean Brooks received three e-mails over a span of 30 hours
warning that his accounts on LinkedIn, Battle.net, and other popular
websites were at risk. He was tempted to dismiss them as hoaxes -- until
he noticed they included specifics that weren't typical of mass-produced
phishing scams. The e-mails said that his...
 

Posted by InfoSec News on Aug 21

http://www.nextgov.com/big-data/2012/08/nsa-computers-sometimes-make-policy-calls/57519/

By Aliya Sternstein
Nextgov
Aug 20, 2012

John DeLong, the first-ever compliance director at the Pentagon’s spy
agency, spends his days making sure analysts are not snooping on
Americans.

U.S. law forbids the National Security Agency from intercepting
communications between citizens. While privacy advocates argue that NSA
databases nevertheless...
 

Posted by InfoSec News on Aug 21

http://www.darkreading.com/mobile-security/167901113/security/vulnerabilities/240005872/don-t-trust-that-text-message-tool-simplifies-ios-sms-spoofing.html

By Kelly Jackson Higgins
Dark Reading
Aug 20, 2012

A French researcher has unleashed a free tool that exploits a weakness
he recently highlighted in the SMS feature of Apple's iOS that could
allow an attacker to spoof the sender of a text message.

The new tool, created by researcher...
 

Posted by InfoSec News on Aug 21

http://www.computerworld.com/s/article/9230363/Saudi_Aramco_hacked_company_confirms_disruption

By Jaikumar Vijayan
Computerworld
August 17, 2012

A hacker group calling itself the Arab Youth Group has claimed
responsibility for what appears to be a serious hacking attack on Saudi
Aramco, one of the world's largest energy companies.

The attack comes at the same time security firms are warning of a
destructive new malware threat called...
 
PostgreSQL 'xslt_process()' Function Arbitrary File Creation or Overwrite Vulnerability
 
Forget the fastest sail boat, next year's America's Cup could come down to who has the fastest computer.