Hackin9

Apple today confirmed a newly discovered flaw in its Apple ID password-reset process that affected every user who had not enabled two-step verification on their Apple ID/iCloud account [2][3][4]. The flaw now appears to be fixed. The steps for enabling two-step verification are listed below and in Apple's support article [1].

Apple's two-step verification adds a second step to logging in with an Apple ID/iCloud account. The steps are:

1- You provide your Apple ID and password.

2- Apple sends a verification code to one of your trusted devices.

3- You enter that code to confirm your identity and complete the login.

Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time. When your country is added, two-step verification will automatically appear in the Password and Security section of Manage My Apple ID when you sign in to My Apple ID. [1]
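The three-step exchange above as a worked example in Python. This is an added illustration, not Apple's code: the server-side state machine, the four-digit code, the five-minute expiry and the three-attempt limit are assumptions made for the example, and "sending" a code means appending it to an in-memory outbox that stands in for SMS or a push notification.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed policy values for this example; they are not Apple's settings.
CODE_TTL_SECONDS = 300      # a verification code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # three wrong codes void the pending challenge
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-SHA256 of the password; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


class TwoStepServer:
    """Server side of the three-step login (hypothetical implementation)."""

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so code expiry can be tested
        self.users = {}          # apple_id -> account record
        self.challenges = {}     # challenge id -> pending second step
        self.outbox = []         # (device, code) pairs "sent" to a device
        self.sessions = {}       # session token -> apple_id

    def register(self, apple_id, password, trusted_devices, two_step):
        salt, key = hash_password(password)
        self.users[apple_id] = {"salt": salt, "key": key,
                                "devices": list(trusted_devices),
                                "two_step": two_step}

    # Step 1: Apple ID and password.
    def step1_password(self, apple_id, password):
        """Returns ('denied', None), ('session', token) or ('challenge', id)."""
        user = self.users.get(apple_id)
        if user is None:
            return ("denied", None)
        _, key = hash_password(password, user["salt"])
        if not hmac.compare_digest(key, user["key"]):
            return ("denied", None)
        if not user["two_step"]:
            # Without two-step verification the password is the whole login.
            return ("session", self._new_session(apple_id))
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = {"apple_id": apple_id, "code": None,
                                "expires": 0.0, "attempts": 0}
        return ("challenge", cid)

    # Step 2: a code goes to one of the devices already trusted for the account.
    def step2_send_code(self, cid, device):
        ch = self.challenges.get(cid)
        if ch is None or device not in self.users[ch["apple_id"]]["devices"]:
            return False         # an attacker cannot nominate their own device here
        ch["code"] = f"{secrets.randbelow(10_000):04d}"
        ch["expires"] = self.clock() + CODE_TTL_SECONDS
        ch["attempts"] = 0
        self.outbox.append((device, ch["code"]))   # stands in for SMS/push
        return True

    # Step 3: the user types the code they received.
    def step3_verify_code(self, cid, code):
        """Returns a session token on success, None otherwise."""
        ch = self.challenges.get(cid)
        if ch is None or ch["code"] is None:
            return None
        if self.clock() > ch["expires"]:
            del self.challenges[cid]           # expired: start over from step 1
            return None
        if not hmac.compare_digest(code.encode(), ch["code"].encode()):
            ch["attempts"] += 1
            if ch["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.challenges[cid]       # too many guesses: void it
            return None
        del self.challenges[cid]               # single use
        return self._new_session(ch["apple_id"])

    def _new_session(self, apple_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = apple_id
        return token


def demo_login():
    """Walks a two-step account through all three steps; returns the session token."""
    server = TwoStepServer()
    server.register("alice@example.com", "correct horse battery",
                    ["Alice's iPhone"], two_step=True)
    status, cid = server.step1_password("alice@example.com", "correct horse battery")
    assert status == "challenge"
    server.step2_send_code(cid, "Alice's iPhone")
    _device, code = server.outbox[-1]         # what the user reads off the phone
    return server.step3_verify_code(cid, code)


if __name__ == "__main__":
    print("session:", demo_login())
```

The structural point is that on a two-step account a correct password never yields a session by itself: step 1 only creates a challenge bound to that account, and the code can only be delivered to a device the account already trusts. The `two_step=False` path is the exposure the article describes: for those accounts the password, and therefore anything that can reset the password, is the whole login.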



[1] http://support.apple.com/kb/HT5570

[2] http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth

[3] http://www.latimes.com/business/technology/la-fi-tn-apple-security-flaw-20130322,0,2800832.story

[4] http://www.theverge.com/2013/3/22/4137068/apple-confirms-security-threat-working-on-fix

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The U.S. Senate has overwhelmingly passed a nonbinding proposal to allow states to collect sales tax on Internet sellers that have no presence within their borders.
 

Apple suspended the password-reset functionality for its iCloud and iTunes services following a published report that hackers could exploit it to hijack other people's accounts.

The password reset page stopped loading a few hours after The Verge reported there was an online tutorial that provided detailed instructions for taking unauthorized control of Apple accounts. The report didn't identify the website or the precise technique, except to say it involved "pasting in a modified URL while answering the DOB security question on Apple's iForgot page."

"It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand," reporter Chris Welch wrote. "Out of security concerns, we will not be linking to the website in question."
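Neither The Verge nor this page discloses the technique, so the following added example (mine, not Apple's iForgot code, and not a reproduction of the actual flaw) models the general class of bug that multi-step reset flows tend to have: a flow whose progress lives in client-controlled URL parameters, beside one whose progress is recorded server-side against an unguessable reset token. The account data, field names and response strings are constructed for the example.

```python
import hmac
import secrets

# Constructed sample account store; not real data.
ACCOUNTS = {
    "victim@example.com": {
        "dob": "1980-01-01",
        "answer": "fluffy",          # answer to the account's security question
        "password": "old-password",
    },
}


def _same(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class VulnerableReset:
    """Reset flow whose progress is encoded in the query string: ?email=..&step=..

    The server renders whichever step the URL names and trusts that the earlier
    ones happened, so a client can jump straight to the final step.
    """

    def handle(self, params):
        email, step = params.get("email"), params.get("step", "dob")
        acct = ACCOUNTS.get(email)
        if acct is None:
            return "unknown account"
        if step == "dob":
            if _same(params.get("dob", ""), acct["dob"]):
                return f"next: ?email={email}&step=question"
            return "wrong date of birth"
        if step == "question":
            if _same(params.get("answer", ""), acct["answer"]):
                return f"next: ?email={email}&step=newpassword"
            return "wrong answer"
        if step == "newpassword":
            # BUG: nothing proves the dob and question steps were passed.
            acct["password"] = params["password"]
            return "password changed"
        return "bad step"


class HardenedReset:
    """Progress is kept server-side, keyed by an unguessable reset token."""

    def __init__(self):
        self.resets = {}   # token -> {"email": ..., "stage": int}

    def begin(self, email):
        if email not in ACCOUNTS:
            return None    # a real system would answer identically either way
        token = secrets.token_urlsafe(24)
        self.resets[token] = {"email": email, "stage": 0}
        return token

    def _advance(self, token, expected_stage, supplied, field):
        state = self.resets.get(token)
        if state is None or state["stage"] != expected_stage:
            return False   # unknown token, or a step taken out of order
        if not _same(supplied, ACCOUNTS[state["email"]][field]):
            del self.resets[token]   # one wrong answer ends this reset
            return False
        state["stage"] = expected_stage + 1
        return True

    def submit_dob(self, token, dob):
        return self._advance(token, 0, dob, "dob")

    def submit_answer(self, token, answer):
        return self._advance(token, 1, answer, "answer")

    def set_password(self, token, new_password):
        state = self.resets.get(token)
        if state is None or state["stage"] != 2:
            return False   # both earlier stages must be recorded as passed
        del self.resets[token]       # single use
        ACCOUNTS[state["email"]]["password"] = new_password
        return True
```

In the hardened version the only client-supplied identifier is the token, which names a server-side record of how far the reset has got; there is nothing in the URL to modify that would let the final step run before the earlier ones.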


 
CIOs and IT managers tracking the progress of the SharePoint-Yammer integration got more details about the road map this week, but the updates were a sobering reminder of the long road ahead as Microsoft works to mesh the two products.
 

A day after Russian anti-virus firm Doctor Web highlighted an adware Mac trojan called "Yontoo," Apple has moved to block it. Confirmed by Intego, Apple has updated the definitions included in OS X's Xprotect.plist in order to detect the adware, meaning users don't need to run anything special in order to be protected.

"In testing, it appears this detection is very specific and potentially location-dependent," wrote Intego. "This extra specificity is likely there so as to catch only the surreptitious installations of this file."

As we wrote on Thursday, the Yontoo adware socially engineers users into installing it as a browser plugin. Once it's installed into Safari, Firefox, and Chrome, the plugin injects advertising into the websites you're visiting—including those that don't even normally show ads.


 
Former U.S. national security advisor Greg Rattray believes better cybersecurity intelligence is needed to combat a growing "Internet underground."

 
Maxim Mitrokhin, Director-Operations, Kaspersky Lab, APAC, talks about the company's aspirations for the Indian market.
 
Vikas Pradhan, Country Director-- India, CommVault, shares his unabashed take of the competition and the company's India strategy.
 
BlackBerry began a fight to regain share in the key U.S. market on Friday with the debut of the first phone running its BlackBerry 10 operating system.
 
Microsoft launched a Windows 8 app-for-cash promotion this week because growth of the company's app store has slowed this quarter, an analyst argued today.
 
The $99 BlueAnt Commute speakerphone, much like its cousins, the S4 and the S3, houses the device's controls along a flat surface. Almost all car units I've tested sport physical buttons, and the larger, the better, in my book, as it makes using them while driving all the more safe.
 
Legal experts are stepping in to help hacker Andrew Auernheimer appeal his 41 month prison sentence for illegally accessing emails and other data belonging to about 120,000 iPad subscribers of AT&T's networks.
 
A frame from a video demonstrating an attack that allows attackers to execute malicious code on older Windows systems that have Play4Free installed.

If you play EA's popular Battlefield Play4Free game on an older version of Windows, a pair of researchers say they can hijack your system by luring you to a booby-trapped website.

The proof-of-concept exploit, demonstrated last week at the Black Hat security conference in Amsterdam, allows attackers to surreptitiously execute malicious code on default systems running Windows XP or Windows 2003 that have the Play4Free title installed. There are close to 1 million players of the first-person shooter game, and about 39 percent of Windows users are still on XP.

The webpage used in the exploit opens the game on a victim's computer and instructs it to load a malicious "MOD" file used to customize game settings and features, according to a document the researchers published Friday. Using some nonstandard behavior of a programming interface version found only in older versions of Windows, the MOD file is able to upload a malicious batch file that will be executed the next time the computer is restarted. The technique is successful because it overrides a whitelist that's supposed to restrict the sites that are permitted to load the Play4Free game.


 
Autonomy Keyview IDOL Multiple Remote Code Execution Vulnerabilities
 
Move over Glass. Google is also reportedly working on an Android-based 'smartwatch.'
 
The link says it goes to H-Online, but the user ends up somewhere else. Mouse-over testing and even a look at the page source fail to reveal the redirection. Link manipulation can mean that by the time you find out the truth, it's too late.


 
Confession time: I'm an inveterate social media junkie. From Facebook to Instagram to Diaspora, whenever a new communication platform rolls around--or comes back around--I'm ready to leap aboard.
 
U.S. Federal Communications Commission Chairman Julius Genachowski announced Friday he will soon step down, following months of rumors that he would resign early this year.
 
In English-speaking countries, in addition to their password, users will be able to opt in to needing a temporary PIN, sent by text or via an iOS app, to access iTunes and iCloud.


 
[waraxe-2013-SA#099] - Update Spoofing Vulnerability in LibreOffice 4.0.1.2
 
DC4420 - London DEFCON - March meet - Tuesday 26th March 2013
 
[security bulletin] HPSBUX02856 SSRT101104 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Unauthorized Disclosure
 
[SE-2011-01] PoC code for digital SAT TV research released
 
Google Drive, the cloud storage and applications suite used by millions at home and at work, has suffered three service interruptions this week, making it impossible at times for affected users to access their files and applications.
 
LinuxSecurity.com: An updated openstack-packstack package that fixes one security issue and several bugs is now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated Django packages that fix multiple security issues are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated qt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated openstack-cinder packages that fix two security issues and add one enhancement are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated boost packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated openstack-nova packages that fix two security issues, several bugs, and add an enhancement are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
A new piece of custom malware sold on the underground Internet market is being used to siphon payment card data from point-of-sale (POS) systems, according to security researchers from antivirus vendor McAfee.
 
Even the most high-end smartphones and tablets today still have less-than-stellar speakers. We test four mobile Bluetooth speakers to see how they can improve your sound.
 
The European Commission is deciding whether or not to launch an anti-trust investigation into Apple's contracts with European mobile phone companies.
 
Twitter is offering archives of tweets in 12 more languages as part of a global rollout of the facility.
 
Apple's iPhone has again taken the top ranking in J.D. Power and Associates' smartphone customer satisfaction survey, the company said.
 
As Congress considers a law requiring online retailers to collect sales taxes nationally, debate is heating up over the revenue threshold for triggering collections.
 
The U.S. Senate's comprehensive immigration bill is expected to include an H-1B cap hike and higher fees aimed at offshore outsourcers.
 
Privoxy Proxy Authentication Information Disclosure Vulnerabilities
 
Microsoft Internet Explorer CVE-2013-1288 Use-After-Free Remote Code Execution Vulnerability
 

Posted by InfoSec News on Mar 21

http://www.theregister.co.uk/2013/03/22/finland_scada_vulnerabilities/

By Richard Chirgwin
The Register
22nd March 2013

Security researchers in Finland have turned up thousands of unsecured
Internet-facing SCADA systems in that country, using the Shodan search engine.

The researchers, from Aalto University, ran their test in January, and found
2,915 exposed systems running functions from building automation to transport
and water supply....
 

Posted by InfoSec News on Mar 21

http://www.wired.com/threatlevel/2013/03/logic-bomb-south-korea-attack/

By Kim Zetter
Threat Level
Wired.com
03.21.13

A cyberattack that wiped the hard drives of computers belonging to banks and
broadcasting companies in South Korea this week was set off by a logic bomb in
the code, according to a security firm in the U.S.

The logic bomb dictated the date and time the malware would begin erasing data
from machines to coordinate the...
 

Posted by InfoSec News on Mar 21

http://healthitsecurity.com/2013/03/21/analyzing-foreign-health-data-breaches/

By Patrick Ouellette
Health IT Security
March 21, 2013

The U.S. has experienced its fair share of health data breaches over the past
few years, but there are breaches popping up all over the world that are worth
watching because of the varied nature of the attacks. HealthITSecurity.com
aggregated a few foreign data breaches, many originally pointed out by...
 

Posted by InfoSec News on Mar 21

http://www.thesmokinggun.com/buster/hacking/john-doerr-hacked-by-guccifer-098742

The Smoking Gun
MARCH 21, 2013

Add a billionaire Silicon Valley titan to the growing list of public figures
victimized by the hacker “Guccifer.”

Venture capitalist John Doerr had his AOL account breached several days ago by
the same hacker responsible for illegally accessing the e-mails of Colin
Powell, former White House aide Sidney Blumenthal, and...
 

Posted by InfoSec News on Mar 21

https://www.computerworld.com/s/article/9237777/Defense_spokesman_says_DoD_not_dumping_BlackBerry

By Matt Hamblen
Computerworld
March 21, 2013

A U.S. Department of Defense spokesman on Thursday said a report suggesting the
defense agency is dumping BlackBerry devices was inaccurate, and that
BlackBerry is still part of ongoing DoD mobile device deployment plans.

The spokesman contradicted a report in Electronista that cited "well-placed...
 
Apache Struts 'ParameterInterceptor' Class OGNL (CVE-2011-3923) Security Bypass Vulnerability
 