Hackin9
Apple today followed Microsoft in opening up pre-release, or beta, versions of its personal computer operating system to all comers.
 
A partnership between Microsoft and Violin Memory will let enterprises tightly tie a new all-flash storage array to their servers, speeding up popular Microsoft applications.
 
Installment plans for cellphones are starting to squeeze out the time-honored practice of paying a subsidized price up front, AT&T says.
 
Google agreed to take over some of Samsung's defense against patent claims brought by Apple under a secret agreement reached in 2012, a federal court jury heard Tuesday.
 
Can your tablet withstand a 2-meter drop or be submerged in water for 30 minutes and keep functioning? The new $5,000 tablets from Xplore Technologies can.
 
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
WebKit CVE-2014-1305 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2014-1307 Unspecified Memory Corruption Vulnerability
 

Contrary to what was announced a few months ago, the infamous "Port 32764" backdoor was not fully patched in new router firmware [1]. As a reminder, the original backdoor allowed unrestricted, unauthenticated root access to a router by connecting to TCP port 32764. The backdoor was traced back to components manufactured by Sercomm. Sercomm delivers parts for a number of name-brand routers sold under the Cisco, Linksys, Netgear and Diamond brands, and possibly others.

An analysis of an updated router by Synacktiv revealed that the code implementing the backdoor is still present, and can be re-activated so that it listens again by sending a specific Ethernet frame to the device. The frame is not routed, so an attacker has to have access to the local network segment the router is connected to. This significantly lowers the probability of exploitation, but does not eliminate it: anyone on the LAN (including a compromised host or a guest on an open wireless network) can send it.

The frame that re-activates the backdoor is identified by an EtherType of 0x8888.
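Because the trigger never crosses a router, the practical check is on the local segment: watch for frames with EtherType 0x8888, which normal hosts have no reason to send. The following parser is an added example and is not code from the Synacktiv paper or from the ISC diary. It checks only the EtherType, the one detail the diary gives, and does not reproduce the payload the backdoor expects. The sample frames and MAC addresses are constructed here for illustration.

```python
"""Flag raw Ethernet frames carrying EtherType 0x8888, the type that the
Synacktiv analysis reports as the trigger for re-enabling the Sercomm
"port 32764" backdoor.  Added example; sample frames below are constructed,
not captured from a real router.  Only the EtherType is inspected."""
import struct

BACKDOOR_ETHERTYPE = 0x8888   # trigger type named in the diary
VLAN_ETHERTYPE = 0x8100       # 802.1Q tag; the real type follows the tag


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, vlan_id, payload) for an
    Ethernet II frame, unwrapping one 802.1Q tag if present.
    Raises ValueError on frames too short to carry a header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    vlan = None
    if etype == VLAN_ETHERTYPE:
        if len(payload) < 4:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", payload[:4])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN id
        payload = payload[4:]
    return fmt_mac(dst), fmt_mac(src), etype, vlan, payload


def find_backdoor_triggers(frames):
    """Return one alert dict per frame whose (inner) EtherType is 0x8888.
    Runt frames are skipped rather than treated as errors."""
    alerts = []
    for idx, frame in enumerate(frames):
        try:
            dst, src, etype, vlan, payload = parse_frame(frame)
        except ValueError:
            continue
        if etype == BACKDOOR_ETHERTYPE:
            alerts.append({"index": idx, "src": src, "dst": dst,
                           "vlan": vlan, "payload_len": len(payload)})
    return alerts


def build_frame(dst, src, etype, payload, vlan=None):
    """Helper used only to construct the sample frames below."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HHH", VLAN_ETHERTYPE, vlan, etype)
    else:
        hdr += struct.pack("!H", etype)
    return hdr + payload


# Constructed sample traffic: an ARP request, an IPv4 frame, an untagged
# 0x8888 frame and a VLAN-tagged 0x8888 frame.  MACs are made up.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),
    build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", 0x0800, b"\x45" + b"\x00" * 19),
    build_frame("00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01", BACKDOOR_ETHERTYPE, b"\x00" * 32),
    build_frame("00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:02", BACKDOOR_ETHERTYPE, b"\x00" * 32, vlan=10),
]

if __name__ == "__main__":
    for alert in find_backdoor_triggers(SAMPLE_FRAMES):
        print(alert)
```

On a live segment the same condition is a one-line capture filter, `tcpdump -i eth0 -e 'ether proto 0x8888'`, run from a span port or from the same broadcast domain as the router; the source MAC in any hit identifies the host that sent the trigger. Pair it with a periodic connect test against TCP port 32764 on the router's LAN address, since the listener appearing is the actual symptom of re-activation.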

[1] http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

Apple today released patches for OS X, iOS and Apple TV. The OS X patches apply for versions of OS X back to Lion (10.7.5). Vulnerabilities fixed by these patches can lead to remote code execution by visiting malicious web sites.

For more details, see Apple's security update page [1]. Links to the individual update advisories should become available shortly.

[1] http://support.apple.com/kb/HT1222

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
WebKit Unspecified Heap Based Buffer Overflow Vulnerability
 
WebKit CVE-2014-1299 Unspecified Memory Corruption Vulnerability
 

Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately.

The flaw resides in Secure Transport, Apple's TLS implementation, in iOS version 7.1 and earlier for iPhones and iPads and in the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to Apple's advisories. The bug makes it possible to bypass the HTTPS protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such "man-in-the-middle" attackers could exploit the bug by abusing the "triple handshake" carried out when secure connections are established by applications that use client certificates to authenticate end users.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple's warning explained. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."


 
The first open source web application for managing the mobile app vetting process is available for free from the National Institute of Standards and Technology (NIST).Because mobile 'apps' on smart phones and tablets can be just as big a ...
 

Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports.

The ARKON anesthesia delivery system is used in hospitals to deliver oxygen, anesthetic vapor, and nitrous oxide to patients during surgical procedures. It is manufactured by UK-based Spacelabs Healthcare Ltd., which issued a recall in March. A bug in Version 2.0 of the software running on the device is so serious that it could cause severe injury or death, the US Food and Drug Administration warned last week in what's known as a Class I recall. In part, the FDA advisory read:

Reason for Recall: Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect. This software issue may cause the System to stop working and require manual ventilation of patients. In addition, if a cell phone or other USB device is plugged into one of the four USB ports for charging, this may also cause the System to stop working.

This defect may cause serious adverse health consequences, including hypoxemia and death. Spacelabs Healthcare received one report related to the software defect. There have been no injuries or deaths associated with this malfunction.

At least 16 vulnerable units were in place at hospitals in North Carolina and South Carolina, according to the Class I advisory, the most serious type of recall notice issued by the FDA.


 
Apple Mac OS X CoreGraphics PDF Handling Buffer Overflow Vulnerability
 
Computers were once 'just' tools to improve worker productivity, now information systems are recognized as an essential component of a successful organization. The best example is the rise of former computer department managers to the ...
 
Apple today issued a security-only update for OS X, patching 25 vulnerabilities in Mavericks, its newest operating system, and 7 bugs in older editions.
 
APPLE-SA-2014-04-22-3 Apple TV 6.1.1
 
APPLE-SA-2014-04-22-2 iOS 7.1.1
 
APPLE-SA-2014-04-22-1 Security Update 2014-002
 
Mobile users of Google's search and YouTube service will soon see more targeted ads that take them straight to the installation pages for advertisers' mobile apps.
 
A notorious Windows leaker dubbed 'Wzor' says Microsoft will issue yet another update to Windows 8.1 later this year, evidence of an even-faster acceleration in the company's development tempo.
 
If the U.S. Supreme Court rules that streaming video provider Aereo violates the copyrights of TV networks, it may also put cloud storage services at risk, the company's lawyer argued Monday.
 
As data centers demand faster and faster storage, Micron is answering the call with long-lasting, solid-state drives that offer up to 800GB of capacity.
 
As Google added a taste of iOS functionality to Glass, one analyst said this is just the beginning of efforts to draw in Apple users to the computerized eyewear.
 
A battle for rights to U.S. airspace is brewing between the Federal Aviation Administration and organizations looking to operate small, unmanned aerial vehicles, or drones, for commercial and other purposes.
 

OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations. The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."


 
Oracle Java SE CVE-2013-5902 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5904 Remote Security Vulnerability
 
[SECURITY] [DSA 2911-1] icedove security update
 
Apple is expected Wednesday to confirm Wall Street's fears, that iPad sales growth not only slackened in the March quarter, but reversed course with fewer of the iconic tablets sold than the year before.
 
Dell released a new virtualized storage accelerator appliance called Fluid Cache for SAN on Tuesday, designed to help customers keep data-intensive applications working quickly under load.
 
Redmine 'redirect_back_or_default()' Function Open Redirection Vulnerability
 
Oracle Identity Manager 'backUrl' Parameter URL Redirection Vulnerability
 
[security bulletin] HPSBMU03018 rev.1 - HP Software Asset Manager running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03017 rev.1 - HP Software Connect-IT running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03019 rev.1 - HP Software UCMDB Browser and Configuration Manager running OpenSSL, Remote Disclosure of Information
 
Oracle Java SE CVE-2014-2420 Remote Security Vulnerability
 
When faced with technology options, we are choosing the ones that require the least commitment to undivided attention.
 
Sencha Labs Connect '_method' Parameter Cross Site Scripting Vulnerability
 
Nagios Remote Plugin Executor 'nrpe.c' Remote Code Execution Vulnerability
 
Drupal Core Information Disclosure Vulnerability
 
A malware campaign of yet-to-be-determined origin is infecting jailbroken iPhones and iPads to steal Apple account credentials from SSL encrypted traffic.
 
gdomap Remote Denial of Service Vulnerability
 
[slackware-security] php (SSA:2014-111-02)
 
[slackware-security] libyaml (SSA:2014-111-01)
 
Mobile operators want a way to keep urban users happy as they get more thirsty for data, and a professor in New York City thinks he's found what they're looking for.
 
Mainframe operators using BMC software may now be able to enjoy the speedy, devops-style development pace that is quickly becoming the norm for customer-facing mobile applications and Internet services.
 
After three weeks of defending itself against patent infringement claims, Samsung switched gears and began presenting its argument that Apple is the one that infringes others' intellectual property.
 
Apple is offering to recycle its products for free worldwide, and has included third-party products like mobile phones and PCs in the program in some countries.
 
Web application attacks, cyber-espionage and point-of-sale intrusions were among the top IT security threats in 2013, according to Verizon's latest annual report on data breach investigations.
 
We keep a large amount of personal and business data on our smartphones and tablets; here are some tips and tricks to help you protect both your hardware and your information.
 
NEC has launched a biometric security program that uses face recognition to unlock access to PCs.
 

Posted by InfoSec News on Apr 22

http://www.computerworld.com/s/article/9247802/SEC_seeks_data_on_cyber_security_policies_at_Wall_Street_firms

By Jaikumar Vijayan
Computerworld
April 21, 2014

The Securities and Exchange Commission (SEC) plans to review the cyber
defenses of 50 Wall Street broker-dealers and investment advisers to
determine whether they are prepared for potential cyber threats.

The SEC Office of Compliance Inspections and Examinations (OCIE) will
review...
 

Posted by InfoSec News on Apr 22

http://www.zdnet.com/hackers-attack-spokeo-un-civil-aviation-org-in-nine-site-crime-spree-7000028594/

By Violet Blue
Zero Day
ZDNet News
April 21, 2014

Adding to a list of high profile targets that includes Comcast, NullCrew
released on Sunday evidence it added a major "people finder" data broker,
the UN's aviation regulation and security arm, the University of Virginia,
Telco Systems and others to its growing catalog of those...
 

Posted by InfoSec News on Apr 22

http://online.wsj.com/news/article_email/SB10001424052702304626304579508212978109316-lMyQjAxMTA0MDIwMTEyNDEyWj

By DANNY YADRON
The Wall Street Journal
April 20, 2014

When cybercriminals stole $2.5 million from the state of Utah in 2009,
authorities got most of the money back—but never could find their man.

The money was wired to a bank account in Texas, officials said, as a step
before an attempt to move it overseas. Utah authorities...
 

Posted by InfoSec News on Apr 22

http://www.chicagotribune.com/business/technology/la-fi-tn-aol-hacked-email-phishing-twitter-20140421,0,6586634.story

By Salvador Rodriguez
Chicago Tribune
April 21, 2014

You've got (spam) mail.

Several AOL users are complaining on Twitter that their email accounts
have been hacked and are being used to send out spam to others.

Multiple users have said that their accounts have been affected despite
not being used in a long time. Among...
 

Posted by InfoSec News on Apr 22

http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/

By Dan Goodin
Ars Technica
April 21, 2014

If you want to protect yourself against the 500,000 or so HTTPS
certificates that may have been compromised by the catastrophic Heartbleed
bug, don't count on the revocation mechanism built-in to your browser. It
doesn't do what its creators designed it to do, and switching...
 