Infosec 2014: No win, no break even, no escape
CSO Magazine
The three laws of thermodynamics – “you can't win, you can't even break even, and you can't even get out of the game” – can be applied to hackers who only have to succeed once and get access to one piece of data for you to have lost, said consultant ...

OpenJDK CVE-2014-0462 Unspecified Security Vulnerability
OpenJDK CVE-2014-2405 Unspecified Security Vulnerability
Ron Amadeo

Silent Circle, maker of the ultra-secure BlackPhone, announced on Wednesday that the company raised $30 million in investment. The company is also moving its global headquarters to Switzerland, a country long known for valuing privacy and security, to help keep up with internal growth due to unexpected demand.

Silent Circle was founded by a veritable all-star team of crypto geniuses, including Phil Zimmerman, the creator of the Pretty Good Privacy e-mail encryption standard and the ZRTP secure calling protocol, and Jon Callas, who cofounded the PGP Corporation among other endeavors. At the Mobile World Congress earlier this year, the $629 BlackPhone made waves as soon as it debuted. According to Mike Janke, the company’s CEO, it was crazy-popular, and the new influx of cash is simply to deal with the demand.

“To be honest with you, we never expected that BlackPhone would win phone of the year [at Mobile World Congress], and we didn’t know that our global calling plan was so disruptive to telcos,” he told Ars. “That’s not something we thought when we started a year ago. Black is just the beginning. We’re launching global calling plans, starting July 1, to 42 countries on mobile and 89 on landline.”

eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.

More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in a human-readable format.

Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."

Dell is making a line of PCs using plastics obtained by expanding its recycling program.
Oracle could be gearing up to make an anticipated in-memory computing option for its flagship 12c database generally available after hyping it for the better part of a year, judging from an upcoming appearance by CEO Larry Ellison.
At peak times, Netflix accounts for around a third of the consumer Internet traffic in North America. This week, one of its senior engineers described how it gets all those movies to your screen.
A former network engineer for oil and gas company EnerVest has been sentenced to four years in federal prison after pleading guilty in January to sabotaging the company's systems badly enough to disrupt its business operations for a month.
William Hanna, vice president of technical services at the University of Pittsburgh Medical Center (UPMC), went out looking for a way to add capacity to a backup network and found what he wanted in Software Defined Networking (SDN) tools from Alcatel-Lucent. Network World Editor in Chief John Dix sat down with Hanna to learn about the process and experience.
libgadu CVE-2014-3775 Memory Corruption Vulnerability
FreeBSD CVE-2014-3000 Remote Denial of Service Vulnerability
Cisco this week announced its intent to acquire ThreatGRID, a New York-based maker of malware analysis and threat intelligence technology.
Legislation aimed at curbing so-called patent trolls may be dead until 2015 after the chairman of the U.S. Senate Judiciary Committee pulled the bill off the committee's agenda, citing a lack of consensus.
Hewlett-Packard has integrated its service automation programs with IT configuration and management programs Chef and OpenStack, a move that could make it easier for IT staff to work with these open source applications, often used by individual lines of business.
Google has boosted the Android management features in Apps to help IT admins control access to the suite from users' Android smartphones and tablets.
Apple will again kick off its developer conference with a keynote, where top-tier executives, including CEO Tim Cook, will tout the newest versions of iOS and OS X, and likely introduce new hardware.
Multiple generations in the workforce simultaneously can make benefits a tricky issue for businesses. The key is understanding how benefits can help you attract and retain top talent by offering the right solutions for each generation.
U.S. Department of Justice computer hacking charges against five suspected members of the Chinese army should send a message that the U.S. government is fed up with state-sponsored cyberattacks, some lawmakers said Wednesday.

Adobe's Shockwave Player bundles a version of the company's Flash Player that is 15 months behind on security updates, a feature hackers can use to hijack both Windows PCs and Macs running it, a security expert has warned.

The advisory about the risk from Shockwave, which was published in late 2012 by security researcher Will Dormann for Carnegie Mellon University's CERT, escaped public notice until Wednesday, when it was reported by KrebsOnSecurity. In the 15 months since the initial post, Adobe has made little progress. According to reporter Brian Krebs, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. That includes almost 20 different patches for security holes, some of which fixed critical holes that real-world hackers exploited in the wild to commandeer end users' computers. According to Krebs:

As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.

“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”

Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player.

“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.

In the interest of reducing the "attack surface"—that is, the number of potentially exploitable components available for malicious hackers to target—Ars has long advised readers to strongly consider uninstalling Flash, Java, and other browser plugins that may provide more hazard than benefit. Readers should put Shockwave at the top of this list. This link shows that Shockwave is installed by prompting (or in the case of Google Chrome, initiating) a download on machines that don't have it. Mozilla Firefox users shouldn't confuse "Shockwave Flash" with "Shockwave Player." Adobe provides an uninstall tool here.

Multiple HP IceWall Products CVE-2014-2604 Unspecified Denial of Service Vulnerability
Typo3 si_bibtex Extension Multiple SQL Injection and HTML injection Vulnerabilities
The enhancements in the Surface Pro 3 are aimed straight at the enterprise.
A third of data breaches investigated by security firm Trustwave last year involved compromises of point-of-sale (PoS) systems and over half of all intrusions targeted payment card data.
Botan NULL Pointer Dereference Local Denial of Service Vulnerability
Rackspace doesn't fit Cisco's acquisition profile, CEO John Chambers told a room packed with reporters this week at the company's annual conference and exhibition.
LinuxSecurity.com: Pidgin could be made to crash or run programs if it received specially crafted network traffic.
LinuxSecurity.com: libgadu could be made to crash or run programs if it received specially crafted network traffic.
LinuxSecurity.com: Updated mariadb55-mariadb packages that fix several security issues are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having Moderate [More...]
LinuxSecurity.com: Updated kernel packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6.2 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Security Report Summary
EBay is asking users to change their passwords after attackers gained unauthorized access to eBay's corporate network, compromising a database containing encrypted passwords and other personal data.
Verizon Wireless has reiterated plans to offer Voice over LTE (VoLTE) 'later this year' nationwide to offer users both High Definition Voice and video calling options.
The San Francisco Bay Area and south to San Jose will soon have what may be the nation's first dedicated Internet of Things network. It may change the way you think about the future of the IoT.

eBay today revealed that attackers "compromised a database containing encrypted passwords and other non-financial data" between late February and early March. The database included names, e-mail addresses, home addresses, phone numbers, and dates of birth. While there is "no evidence of the compromise resulting in unauthorized activity for eBay users," the company is recommending that users change their passwords.

The attackers were able to log in to eBay employee accounts. "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the eBay announcement said. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

eBay detected the unauthorized employee logins two weeks ago, and "[e]xtensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today." Financial and credit card information was apparently not affected as it is "stored separately in encrypted formats." PayPal data is also stored separately.

Oracle Solaris CVE-2014-0447 Local Security Vulnerability
SPIP Security Bypass Vulnerability
CIO.com recently queried nearly 30 SEO experts and rounded up their advice into a list of the "Top 10 Technical SEO Issues (and How to Fix Them)." The following seven quick-hit SEO tips offer additional best practices that are well worth your attention.
The USS Harry S. Truman apparently had adequate Internet bandwidth for a sailor to hack websites in his spare time.
US Navy

A 27-year-old now-former sailor pleaded guilty in a federal court in Tulsa, Oklahoma on May 20 to charges of conspiracy after leading a band of hackers in the US and Canada from onboard an aircraft carrier. Nicholas Paul Knight, who was the system administrator for the USS Harry S. Truman’s nuclear reactors department, was caught trying to hack into a Navy database while at sea.

Knight and a co-defendant—Daniel Kreuger of Salem, Illinois—were part of “Team Digi7al,” a collective of hackers who attacked at least 24 websites in 2012 in search of personally identifiable information. Knight himself hacked the Navy’s Smart Web Move website, a system for sailors to manage household moves during transfers between stations; that hack included about 220,000 service members’ Social Security numbers, dates of birth, addresses, and other personal data.

Other sites attacked by the group included ones operated by the Department of Homeland Security, the Library of Congress, Stanford University, Los Alamos National Laboratory, the Toronto Police Service, and the University of Nebraska-Lincoln.

dpkg CVE-2014-0471 Local Directory Traversal Vulnerability
Microsoft CEO Satya Nadella pushed the need for blending tablets and notebooks at the unveiling of the Surface Pro 3, countering earlier arguments by Apple CEO Tim Cook that the trade-offs from such devices don't please anybody.
Google plans to spend $20 billion to $30 billion of its accumulated international profits to fund potential acquisitions of non-U.S. companies and technology rights.
Wordpress Booking System (Booking Calendar) plugin SQL Injection
Beginner's error: Hewlett-Packard's driver software executes rogue binary C:\Program.exe
APPLE-SA-2014-15-20-1 OS X Server 3.1.2
CVE-2014-3446 - Unauthenticated Blind SQL Injection in BSS Continuity CMS
The sun shone outside the Cisco Live conference on Tuesday even as the clouds gathered within, and that was exactly the kind of weather Cisco was hoping for.
Microsoft's Surface Pro 3 would be a good tablet to replace my laptop, but at $799 to start, it's just too expensive.
Now that Glass is available to anyone with $1,500 to burn, you might be tempted to buy a pair. Our tester shares 10 good reasons not to.
A public utility in the U.S. was compromised after attackers took advantage of a weak password security system, according to a U.S. Department of Homeland Security team that studies cyberattacks against critical infrastructure.
Despite a leak of its source code, an Android program aimed at compromising online bank accounts is still commanding $5,000 per copy, one of the highest prices seen for a type of malware, according to research from Symantec.
DuckDuckGo, the privacy-themed search engine, has received a major redesign with enhanced search tools that could usher in a wave of new users.
Lenovo's net profit grew 25 percent year-over-year in the first quarter as the Chinese company continued to make gains in the PC and smartphone markets.
CVE-2014-3450 - Privilege Escalation in Panda Security
CVE-2014-3447 - Remote Denial Of Service in BSS Continuity CMS
CVE-2014-3448 - Remote Code Execution Via Unauthenticated File Upload in BSS Continuity CMS

Posted by InfoSec News on May 21


By Mary Beth Faller
The Republic
May 20, 2014

The Maricopa County Community College District governing board has approved an additional $2.3 million in lawyers' fees to deal with the computer-security breach that occurred last year.

The board also approved spending $300,000 to deal with records management, pushing the...

Posted by InfoSec News on May 21


By Charles Levinson
The Wall Street Journal
May 20, 2014

Monday was a big day for the nation’s cyber police. The Justice Department charged five Chinese military officials with hacking, and brought charges against the creators of powerful hacking software.

But FBI Director James B. Comey said Monday that if the FBI hopes to

Posted by InfoSec News on May 21


By Jeremy Kirk
21 May 2014

A public utility in the U.S. was compromised after attackers took advantage of a weak password security system, according to a U.S. Department of Homeland Security team that studies cyberattacks against critical infrastructure.

The utility's control system was accessible via Internet-facing...
Apple Mac OS X CVE-2014-1322 Local Security Bypass Vulnerability
Cisco WebEx Business Suite 'meetinginfo.do' Information Disclosure Vulnerability

Wacky 'baccy making a hash of FBI infosec recruitment efforts
The Federal Bureau of Investigation wants to hire more infosec professionals to help fight cyber-crime, but can't find the people they need because there's too much weed to weed out from the talent pool. No, really: the Wall Street Journal is reporting ...
