Information Security News

Cisco released a patch(1) for a vulnerability in their Unified Communication Director system, a management system for Cisco UCS and Nexus solutions. The vulnerability, for which there is no workaround, could allow “an unauthenticated, remote attacker to take complete control of the affected device”. This vulnerability affects all devices runnning the software version prior to Release 4.0.0.3 HOTFIX.

Additional details and patch availability can be found at the link below.

(1)http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ucsd

tony d0t carothers --gmail

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Ionic Security raises $25.5M from Google Ventures, Kleiner
Atlanta Business Chronicle (blog)
Infosec startup Ionic Security raises $25.5M from Google, Kleiner. Cloud wowed: Tom Noonan, from left, Ionic founder Adam Ghetti and Ionic CEO. Enlarge. Byron E. Small. Cloud wowed: Tom Noonan, from left, Ionic founder Adam Ghetti and Ionic CEO Steve ...

LinkedIn users who'd rather not receive job inquiries or other messages, or allow access to their profiles from certain other members, can now block them.

Microsoft continues to target the enterprise with the introduction of a private on-ramp for Windows Azure cloud services.

Apple sent out 3 bulletins and OS updates today (iOS 6.1.3, iOS 7.0.6, and Apple TV 6.0.2) all fixing a bug that would potentially allow SSL/TLS connections to be vulnerable to undetected man-in-the-middle attacks. All three updates share the same CVE number CVE-2014-1266. The Apple Security updates page does not yet appear to have the updates listed there, but they should be there shortly (may be there by the time you read this). If you have an Apple device running iOS 6 or 7 or Apple TV, you should probably apply these updates ASAP.

Ref: Apple Security Update page - http://support.apple.com/kb/HT1222

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Andrew Cunningham

Apple has just released iOS 7.0.6, the sixth minor update to iOS 7. Both it and the new iOS 6.1.6 update "provide a fix for SSL connection verification," their only documented addition. Unlike iOS 7.0.5, which applied only to a few international iPhone 5S and 5C models, the version 7.0.6 update applies to all devices that can run iOS 7. iOS 6.1.6 applies to the iPhone 3GS and fourth-generation iPod touch.

The update to iOS 6 is marginally more interesting than the iOS 7 update, just because Apple has so rarely patched old iOS versions after they've been replaced. The company also released version 6.1.5 for the fourth-generation iPod touch to correct a FaceTime connectivity issue. It's possible that Apple is trying to provide critical security updates to older devices dropped by newer iOS updates, something it also does for older OS X versions for a while after they're superseded by newer software.

The next major iOS 7 update is iOS 7.1, currently in its fifth developer beta. Current rumors suggest it will be released to the public in early or mid-March, and it should include more significant fixes than the six minor updates we've seen since September.

Read 1 remaining paragraphs | Comments

Bill Gates has sold another 20 million shares of the company he co-founded, taking $752 million out of his shrinking Microsoft portfolio.

libssh CVE-2012-6063 Denial of Service Vulnerability

Cisco Adaptive Security Appliance Phone Proxy sec_db Security Bypass Vulnerability

Reported interceptions by an Australian spy agency of a U.S. law firm's communications with overseas clients violates long-standing legal protections, the American Bar Association charges.

Parceling out an IT services portfolio among a number of vendors is the new normal for IT outsourcing. However, these multi-sourcing arrangements are complicated -- if things go wrong there's no single provider to blame. Here are eight steps you can take to manage liability in a multi-sourced environment.

Apple has been able to maintain high prices and high margins for its computers even as competitors jumped into a pricing pit. But with computer sales drooping, Apple may use the opportunity to lower prices.

Nokia's Here Maps application will be available for free in the coming days for all Windows 8.1 users, including those with devices running Windows Pro and Windows RT.

The newer smartphone OS entrants competing to chip away at the dominance of Android and iOS are heading to Barcelona for Mobile World Congress, and facing a landscape that has changed since last year's show.

Nvidia will soon ship a new model of the Tegra Note 7 tablet with LTE wireless connectivity and Android 4.4.2 OS code-named KitKat, with the device priced at $299.

Verizon Communications now owns its mobile business outright after closing its acquisition of Vodafone Group's 45% stake in Verizon Wireless.

Sybren A. StÃ¼vel

WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. That version is susceptible to several well-known attacks that allow people monitoring a connection between the two end points to decipher and in some cases manipulate the traffic as it passes through.

Put a pin in it

WhatsApp has also failed to implement a technique known as certificate pinning that's designed to block attacks using forged certificates to bypass Web encryption. Pinning allows an app to work only when communicating with a server using a specific certificate. Because the certificate fingerprint is hardcoded into the app, it will reject connections with any impostor certificates—even if they're signed by one of the 500 or so authorities trusted by major browsers and operating systems.

Read 4 remaining paragraphs | Comments

The "Sender Policy Framework" is a simple system to identify which mail servers are allowed to send e-mail on behalf of your domain. We have talked about this (and other standards like DMARC, DKIM) before.

These systems are usually implemented on your mail gateways. The outbound gateway will sign e-mail using your domain key (for DKIM). The receiving mail gateway will check if the headers are present and correct. The mail gateway will then add a special header with the result of the check, and this special header is then used by spam filters to decide if to keep the e-mail (or not).

It appears that spammers are learning and found a way to fool some badly configured mail gateways and spam filters. The spammer will add a header indicating that the e-mail passed the SPF validation. William sent us a sample of a UPS themed e-mail that included a malicious attachment. It included the following headers:

Subject: UPS Delivery Notification Tracking Number : <random string> Date: Mon, 17 Feb 2014 11:56:04 -0300 From: UPS Quantum View <[email protected]> X-Priority: 3 X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net) Message-ID: <[email protected]> Received-SPF: pass (google.com: domain of [email protected] does designate 192.123.32.83 as permitted sender) client-ip=192.123.32.83; Received: from 192.123.32.83 (EHLO mailer.ups.com) (192.123.32.83) Received: by mailer.ups.com (Postfix, from userid 1000) id A838D7824B; X-Mailer: MIME-tools 5.41 (Entity 5.404) X-Message-Status: s1:0 X-SID-PRA: UPS Quantum View<[email protected]> X-SID-Result: TempError Conversion-With-Loss: Yes

The red line indicates that the e-mail passed SPF validation. However, if you are checking the UPS.com SPF record:

$ dig +short TXT ups.com

"v=spf1 ip4:153.2.232.0/22 ip4:192.55.236.50/31 ip4:113.106.161.16 ip4:113.106.161.18 ip4:12.104.201.4/31 include:custhelp.com include:commerceplus.com.au -all"

There is no mention of 192.123.32.83. The header was added by the sender, not by the receiving mail gateway.

(you will have to check the "include" domains as well. I am leaving that as an exercise to the reader.)

If you implement SPF checking on your receiving e-mail gateway, you will have to make sure to first strip all existing SPF headers indicating SPF processing. Otherwise, the sender could add fake headers like the one above.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

News that Google is working on 3D smartphones has analysts speculating that the company will one day add the tech to a slew of its products, such as Google's Maps, Glass, robots and even virtual reality tools.

Dropbox sent notices to users today telling them they have 30 days to opt out of a new policy that aims to stop legal suits against the firm and use binding arbitration to settle disputes.

It's easy to pick out the winners in the $19 billion Facebook-WhatsApp. Computerworld offers a Tip of the Hat to ReadWrite's Selena Larson for pointing out the deal's potential losers.

In medieval times, kings let barbarians break down the castle gates but made sure they paid the price once they got inside. McAfee's approach to security takes a similar approach -- since data breaches are inevitable, companies should worry less about the perimeter and more on catching the bad guys in the act.

Dropbox sent notices to users today telling them they have 30 days to opt out of a new policy that aims to stop legal suits against the firm and use binding arbitration to settle disputes.

Get the latest from Mobile World Congress 2014 in Barcelona: News, reviews and more

CNNVD Gov CN #1 - Filter Bypass & Persistent Web Vulnerability

[ MDVSA-2014:046 ] phpmyadmin

Barracuda Bug Bounty #36 Firewall - Client Side Exception Handling Web Vulnerability

ASUS router drive-by code execution via XSS and authentication bypass

[CVE-2014-2035] XSS in InterWorx Web Control Panel <= 5.0.12

[SECURITY] [DSA 2864-1] postgresql-8.4 security update

Google claimed it's ratcheting up the fight against fraud in online advertising, disclosing Friday that it has bought Spider.io, a London company specializing in ad fraud detection technology.

Adobe Flash Player and AIR CVE-2014-0502 Remote Code Execution Vulnerability

OpenSAML-Java ParserPool and Decrypter XML External Entity Injection Vulnerability

Apache Santuario XML Security For JAVA XML Signature Denial of Service Vulnerability

The source code for an Android mobile banking Trojan app was released on an underground forum, making it possible for a larger number of cybercriminals to launch attacks using this kind of malware in the future.

Gmail users who get frustrated trying to find the 'unsubscribe' link that's often buried in small type at the bottom of promotional emails may instead start seeing it before they even open the message.

Hewlett-Packard has returned its PC business to growth and reported better-than-expected results for the first quarter of its fiscal year.

With Google Fiber about to begin a fiber Internet service in Austin, Texas, Time Warner Cable said Thursday it is increasing home broadband speeds in the city by up to six times while keeping the price flat.

Microsoft is behind the schedule it used for the last several iterations of Office for the Mac, and has not breathed a word about its Mac intentions.

If one day a swarm of small flying robots are used to search for survivors after an earthquake, credit may go to a team of Virginia Tech scientists and their study of bats.

Google has been working for the last one year on 3-D smartphones that aim to give the devices greater awareness of space and motion in natural environments.

Dell is teaming up with Red Hat to drive its effort to be a force in the burgeoning area of network function virtualization (NFV) technology, aimed at helping carriers reduce costs and quickly roll out new services.

Facebook's acquisition of WhatsApp may end up being just one milestone in a strong year for tech mergers and acquisitions.

NASA wants a humanoid robot that can perform CPR, draw blood and operate on astronauts on the International Space Station or as they travel to Mars.

We test Lenovo's latest ThinkPad X1 Carbon Touch ultrabook, which is sleek and powerful, offers an impressive display and comes with an interesting keyboard innovation.

Bitcoin fell below US$100 on major exchange Mt. Gox early Friday, dropping under a key psychological threshold.

Mitsubishi MC-WorX 'IcoLaunch.dll'' ActiveX Control Remote Code Execution Vulnerability

RuggedCom Rugged Operating System SMTP Protocol Denial of Service Vulnerability