Hackin9
Apple sold 4.4 million Macs in the June quarter, the most ever for that three-month stretch, with an annual growth rate the rest of the PC industry hasn't seen since 2010.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft paid more than $7 billion for Nokia's handset and services business, and the jury is still out as to what it means for its future. In the past quarter it boosted Microsoft's revenue but also ate into its profit.
 
Apple reported its quarterly numbers on Tuesday, a mixed bag that saw profits rise but sales fall short of the mark. Here are five takeaways from the earnings call that followed.
 
Wireless broadband subscriptions now outnumber people in seven countries as consumers continue to snap up smartphones and tablets, according to a new report.
 
Mozilla Firefox/Thunderbird CVE-2014-1544 Use After Free Memory Corruption Vulnerability
 
 
Apple has racked up another hugely profitable quarter on sales of iPhones and Macintosh computers, though its revenue growth was slower than expected.
 
Linux Kernel 'sctp_association_free()' Function Denial of Service Vulnerability
 
Linux Kernel '/fs/aio.c' Local Information Disclosure Vulnerability
 
Oracle is combining its BlueKai consumer data aggregation platform with other parts of its catalog to create Oracle Data Cloud, a data-as-a-service offering aimed at companies that want to reach customers and prospects across multiple channels.
 
Breaking up is hard to do, but could a split be in store soon for EMC and VMware?
 
Strong sales of cloud products to businesses helped lift Microsoft's revenue by 18 percent last quarter, though its profits declined.
 
ARM is developing its second wave of 64-bit processors as it tries to maintain its edge over Intel in smartphones and tablets.
 
Apple has racked up another hugely profitable quarter on sales of iPhones and Macintosh computers, though its revenue growth was slower than expected.
 
Following through on promises from new CEO Satya Nadella, Microsoft continues to add support for non-Microsoft technologies, allowing them to run well on the company's Azure cloud hosting platform.
 
 

Developers of the Tor privacy service say they're close to fixing a weakness that the researchers behind an abruptly canceled conference presentation said provides a low-cost way for adversaries to deanonymize hundreds of thousands of users.

The talk previously scheduled for next month's Black Hat security conference in Las Vegas was titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget." The abstract said that the hack cost less than $3,000 and could uncloak hundreds of thousands of users. On Monday, Black Hat organizers said the presentation was canceled at the request of attorneys from Carnegie Mellon University (CMU), where the researchers were employed, as well as the Software Engineering Institute (SEI). The attorneys said only that the materials to be presented "have not yet been approved by CMU/SEI for public release." Researchers Alexander Volynkin and Michael McCord have yet to explain why their talk was pulled.

Tor officials responded by saying that they're working on an update for individual Tor relay nodes that will close the unspecified security hole.


 

Now that the XMLRPC "pingback" DDoS problem in WordPress is increasingly under control, the crooks seem to be moving on to brute force password guessing attacks via the "wp.getUsersBlogs" method of xmlrpc.php. ISC reader Robert sent in some logs that show a massive distributed (> 3000 source IPs) attempt at guessing passwords on his WordPress installation. The requests look like the one shown below

and are posted into xmlrpc.php. Unfortunately, the web server responds with a 200 OK in all cases, because the POST to xmlrpc.php actually WAS successful: the expected "403 - Not Authorized" error is carried inside the XML message that the server returns as payload. Hence, to determine what is going on, relying on simple HTTP web server logs is not sufficient. One consequence is that "traditional" means of curbing brute force attacks in WordPress, like BruteProtect, are less effective, because most of these add-ons only watch wp-login.php and the associated wp_login_failed hook, which does not fire in the case of an xmlrpc login error.

If you are seeing similar attacks, and have found an effective way of thwarting them, please share in the comments below.
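To illustrate the logging gap described above, here is an added example (not from the diary, and not WordPress or BruteProtect code) that inspects the XML-RPC request and response bodies instead of the HTTP status: it parses wp.getUsersBlogs calls, reads the faultCode 403 out of the 200 OK reply, and tallies failures per source IP and per targeted username, because in a distributed attack each IP may only try a handful of passwords. The request bodies, the fault response and the IP addresses are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed XML-RPC body of the kind posted to xmlrpc.php to guess a password
# via wp.getUsersBlogs (username and password are the first two string params).
def xmlrpc_call_body(user, password):
    return (
        "<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
        f"<params><param><value><string>{user}</string></value></param>"
        f"<param><value><string>{password}</string></value></param></params></methodCall>"
    )

# Constructed fault response: the HTTP status is 200, the 403 only appears in the XML.
FAULT_RESPONSE = (
    "<?xml version='1.0'?><methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>Incorrect username or password."
    "</string></value></member></struct></value></fault></methodResponse>"
)

def parse_call(body):
    """Return (methodName, [string params]) from an XML-RPC methodCall body."""
    root = ET.fromstring(body)
    params = [v.text or "" for v in root.iterfind("params/param/value/string")]
    return root.findtext("methodName"), params

def fault_code(body):
    """Return the XML-RPC faultCode from a methodResponse, or None if it is not a fault."""
    root = ET.fromstring(body)
    for member in root.iterfind("fault/value/struct/member"):
        if member.findtext("name") == "faultCode":
            return int(member.findtext("value/int"))
    return None

def failed_logins(events):
    """events: (src_ip, request_body, response_body, http_status) tuples.
    Returns (failures per IP, failures per targeted username). Counting per username
    is what exposes a distributed guess where every IP stays under a per-IP threshold."""
    per_ip, per_user = Counter(), Counter()
    for ip, req, resp, status in events:
        method, params = parse_call(req)
        if status != 200 or method != "wp.getUsersBlogs" or fault_code(resp) != 403:
            continue  # not a failed xmlrpc login (e.g. a pingback.ping call)
        per_ip[ip] += 1
        per_user[params[0] if params else "?"] += 1
    return per_ip, per_user

# Constructed sample traffic: three guesses from one IP, one from another, one pingback.
SAMPLE_EVENTS = [
    ("203.0.113.5", xmlrpc_call_body("admin", "123456"), FAULT_RESPONSE, 200),
    ("203.0.113.5", xmlrpc_call_body("admin", "password"), FAULT_RESPONSE, 200),
    ("203.0.113.5", xmlrpc_call_body("admin", "letmein"), FAULT_RESPONSE, 200),
    ("198.51.100.9", xmlrpc_call_body("admin", "qwerty"), FAULT_RESPONSE, 200),
    ("192.0.2.77", "<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName>"
     "<params/></methodCall>", "<?xml version='1.0'?><methodResponse><params/></methodResponse>", 200),
]
```

Every row above would appear in the web server's access log as an identical "POST /xmlrpc.php 200", which is why the body must be captured (for example by a reverse proxy or a web application firewall) before this kind of counting is possible.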

 

 

 
Cisco says small cell technology is primed for explosive growth as it plans to connect 3G and LTE cellular networks to Wi-Fi access points that are already widely deployed in many enterprise facilities.
 
The 300-pound humanoid robot working on the International Space Station is in the midst of getting a series of upgrades, including new processors and software in preparation of having a pair of legs attached to it.
 
Apple today will reveal its Q2 revenue and device sales during a conference call with Wall Street. Here's what to listen out for.
 
Google is trying out a new Google Maps feature said to provide people with more information about their destinations, or about nearby points of interest, reports say.
 
An industrious design graduate from the University of Edinburgh has posted a 3D printing CAD file for a wrist band that allows users to insert an iPod Nano, which can act as a watch, music player and more.
 
The U.S. Patent and Trademark Office served up further evidence on Tuesday that Apple is designing a smart watch when it awarded the company a patent for a wrist-worn gadget with a touchscreen and ability to communicate with a smartphone.
 
Intel today unveiled its Pro 2500 series of flash drives, which include 2.5-in. drives and M.2 flash cards for mobile devices.
 
Developers of Tor software believe they've identified a weakness that was scheduled to be revealed at the Black Hat security conference next month that could be used to de-anonymize Tor users.
 
Teradata has bought the assets of Revelytix and Hadapt in a bid to grow out its capabilities for the Hadoop big-data processing framework.
 
[security bulletin] HPSBMU03071 rev.1 - HP Autonomy IDOL, Running OpenSSL, Remote Unauthorized Access, Disclosure of Information
 
Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability
 
Chinese smartphone maker Xiaomi jokes that its newest handset, built out of stainless steel, is like a "kitchen knife," but iPhone-esque might be the better comparison.
 
I'd never confuse Amazon, Facebook or DoubleClick with the NSA, but I still don't like being tracked online. Tracking is more than just annoying; it lets unscrupulous companies that scarf up user data turn around and sell your information -- and despite statements to the contrary, the collection isn't always done anonymously.
 
Apache HTTP Server CVE-2014-0117 Remote Denial of Service Vulnerability
 
Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080
 
Cross-site Scripting in EventLog Analyzer 9.0 build #9000
 
[oCERT-2014-004] Ansible input sanitization errors
 
Call for Papers / Speakers for ISACA Ireland Conference on 3rd Oct in Dublin
 

ISC reader James had just installed "Foxit Reader" on his iPhone, and had answered "NO" to the "In order to help us improve Foxit Mobile PDF, we would like to collect anonymous usage data..." question, when he noticed his phone talking to China anyway. The connected-to site was alog.umeng.com, 211.151.151.7. Umeng is an "application telemetry" and online advertising company. Below is what was sent (some of the IDs are masked or have been obfuscated).

I particularly like the "is_pirated: No". It goes well with "is_snooping: Yes", which is, however, missing from the exchange...

 

 
Record numbers of new tablet users, and the first rise in fixed-line revenue in seven years, drove Verizon Communications' second-quarter revenue up 5.7 percent year on year, it reported Tuesday.
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5, 6, and 7. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: CUPS could be made to expose sensitive information, leading to privilege escalation.
 
Nokia, once a great company and the pride of Finland, is shuffling to its grave under Microsoft's leadership.
 
Apple may release a public beta for OS X Yosemite as early as next week, according to an online report Monday.
 
Email encryption startup Virtru has launched a version of its service for businesses using Google Apps, a market segment that the company thinks is showing increased interest in secure communications.
 
Google recently announced a new networking protocol called Thread that aims to create a standard for communication between connected household devices.
 
Three stealthy tracking mechanisms designed to avoid weaknesses in browser cookies pose potential privacy risks to Internet users, a new research paper has concluded.
 
Former Microsoft CEO Steve Ballmer's 'devices and services' strategy may be in tatters, discarded by his successor, Satya Nadella, but Ballmer must be smiling all the way to the bank.
 
A presentation on a low-budget method to unmask users of a popular online privacy tool, Tor, will no longer go ahead at the Black Hat security conference early next month.
 
Goodwill Industries International said Monday federal authorities are investigating a possible payment card breach at its U.S.-based retail outlets.
 
Apple is ordering a combined 70 to 80 million units of two big-screen versions of its next iPhone, its largest initial production to date, according to a report in The Wall Street Journal.
 
Zend Framework 'Zend_Db_Select::order()' Function SQL Injection Vulnerability
 
IBM 1754 GCM16 and GCM32 Global Console Managers Multiple Cross Site Scripting Vulnerabilities
 
IBM 1754 GCM16 and GCM32 Global Console Managers Unspecified Arbitrary File Read Vulnerability
 
PolarSSL CVE-2014-4911 Remote Denial of Service Vulnerability
 

Posted by InfoSec News on Jul 22

Forwarded from: "Jackie Blanco" <jackie (at) sdiwc.info>

Dear Colleague,

You may be interested in the following IEEE conference to be held in
Lebanon. If you have a research paper within the scope of the event,
submit it and let's join the conference.

Regards,
Jackie

=================================================

The Fifth International Conference on Digital Information and
Communication Technology and its...
 

Posted by InfoSec News on Jul 22

http://www.informationweek.com/mobile/mobile-applications/hidden-ios-services-bypass-security/d/d-id/1297452

By Thomas Claburn
InformationWeek
7/21/2014

A computer researcher asks why Apple allows undocumented services to
bypass encryption and access user data.

Apple's iPhone and iPad run undisclosed services that allow security
features to be bypassed, according to a prominent computer security
researcher.

In a presentation at the...
 

Posted by InfoSec News on Jul 22

http://krebsonsecurity.com/2014/07/banks-card-breach-at-goodwill-industries/

By Brian Krebs
Krebs On Security
July 21, 2014

Heads up, bargain shoppers: Financial institutions across the country
report that they are tracking what appears to be a series of credit card
breaches involving Goodwill locations nationwide. For its part, Goodwill
Industries International Inc. says it is working with the U.S. Secret
Service on an investigation into...
 

Posted by InfoSec News on Jul 22

http://www.v3.co.uk/v3-uk/news/2356410/fresh-threat-to-critical-infrastructure-found-in-havex-malware

By Alastair Stevenson
V3.co.uk
21 Jul 2014

A dangerous open-platform communication (OPC) scanner that could be used
to launch cyber attacks against critical infrastructure areas has been
discovered in a variant of the Havex malware.

The scanner was uncovered by researchers at FireEye while investigating a
variant of Havex commonly referred...
 

Posted by InfoSec News on Jul 22

http://www.bankinfosecurity.com/gao-identifies-weakness-in-fdic-infosec-a-7085

By Eric Chabrow
Bank Info Security
July 22, 2014

Two separate audits by the Government Accountability Office show
information security weaknesses at the Federal Deposit Insurance Corp. and
significant deficiencies in information system controls at the Treasury
Department unit that manages the federal debt.

The FDIC, the government-owned corporation that insures...
 