Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
A big jump in sales in Microsoft's consumer hardware devices unit, which includes its Xbox gaming console and Surface tablets, helped the company grow its revenue 14 percent and slightly improve profits year-on-year in its second fiscal quarter.
 

As the founder of one of the first highly profitable sites to post nude photos of people against their will, 27-year-old Hunter Moore had already been branded the most hated man on the Internet. On Thursday, he was arrested on federal charges claiming that he paid a man to break into the e-mail accounts of hundreds of victims and steal sexually explicit images that later showed up on Moore's notorious isanyoneup.com site.

According to an indictment filed in federal court in Los Angeles, Moore paid $200 or more per week for images that he knew were obtained by illegally accessing the e-mail accounts. To cover his tracks, he used PayPal accounts that weren't linked to his identity and at one point created new e-mail addresses and deleted data tied to past hack attacks. Moore's arrangement with Charles "Gary" Evens, who is now 25, began at an unknown date and lasted until about May 2, 2012, prosecutors alleged in the 15-count charging document.

According to the indictment:


 
Jason Fass, the CEO of Zepp Labs, imagines a future for sports where sensors are everywhere: in balls, bats, footballs and in a player's clothing. It's hard not to get caught up in the vision.
 
 
The U.S. National Security Agency should abandon its collection of U.S. telephone records because the surveillance program is illegal, a government privacy oversight board said.
 
Microsoft lost $39 million last quarter selling its Surface tablets, the company acknowledged in filings today with the U.S. Securities and Exchange Commission.
 
A new computer Trojan program attempts to install mobile banking malware on Android devices when they're connected to infected PCs, according to researchers from Symantec.
 
Salesforce.com has announced a new set of tools aimed at Microsoft .NET developers, in a move that acknowledges customers' existing investment in .NET and which could help expand the size of Salesforce.com's developer community.
 
BlackBerry has asked a California court to block U.S. sales of the Typo keyboard, an add-on keyboard for the iPhone that BlackBerry says is an "obvious knock-off" of the keyboards on its phones.
 
The majority of wearable gadgets today are smartphone companion devices, designed to mostly work along with your phone and serve as a secondary display for your handset. The current popularity of smartwatches, smartglasses and other wearable gadgetry raises a number of intriguing questions about how these newfangled gizmos will affect the smartphones in so many of our pockets and purses.
 
Online distribution of movies has as much earning potential using just a $15 monthly flat fee as do TV downloads and Blu-ray and DVD sales today.
 
Nokia's disclosure today of weak Lumia sales last quarter has put Microsoft's devices strategy in the hole even before it finalizes the acquisition of the Finnish firm, analysts said today.
 
Cubic CMS Multiple Security Vulnerabilities
 
WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
 
Hiox Guest Book 'add.php' Multiple Cross Site Scripting Vulnerabilities
 
Cisco NX-OS Software TACACS+ Server Local Privilege Escalation Vulnerability
 
Imagine you're working on a major project such as Healthcare.gov. Suddenly, you realize there's no way the software will be done on time -- or even work. What do you do? Hear how veteran testers, project managers and developers tactfully handle such situations.
 
A report Thursday by the Privacy and Civil Liberties Oversight Board calling the NSA's bulk phone records collection program illegal and mostly useless puts the Obama Administration in an awkward spot.
 
 
OpenStack Heat ReST API Validation Privilege Escalation Vulnerability
 
OpenStack Heat CFN Policy CVE-2013-6426 Security Bypass Vulnerability
 
Command School Student Management System Multiple Security Vulnerabilities
 
UAEPD Shopping Cart Script Multiple SQL Injection Vulnerabilities
 
Lenovo's deal to buy IBM's x86 server business for $2.3 billion gives the Beijing company another tech segment where it can expand beyond PCs, smartphones, tablets and smart TVs.
 

It's a feature that has bitten Google Calendar users in the past, but it's worth a reminder: in some cases, the widely used service may unexpectedly leak sensitive information to bosses, spouses, or just about anyone else.

The inadvertent leakage stems from Google Calendar's quick add feature, which is designed to automatically add the who, what, and where to events without requiring a user to manually enter those details. Typing "Brunch with Mom at Java 11am Sunday" is intended to schedule the event for the following Sunday morning at 11 and list the place as "Java." Participants can be added by listing their e-mail addresses, and in many cases, Google will respond by automatically adding an entry to the participants' calendar as well.

Google heavily promoted this time-saving feature during the rollout of its mail and calendar services. But as documented as early as 2010, the behavior can also result in the leakage of private information for people who are unaware of it. Alas, almost four years later, it's still catching some people by surprise. Blogger Terence Eden explained how an entry his wife put in her personal Google Calendar made its way to her boss. It read: "e-mail [boss's address] to discuss pay rise" and included a date a few months in the future. The boss quickly received the reminder as an entry in her own Google Calendar.
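The parsing behaviour described above, as an added illustration: this is example code written for this page, not Google's quick add parser, and the grammar it implements (a time, a weekday, an "at <place>" phrase and e-mail addresses) is an assumed simplification. In its leaky mode the parser treats any e-mail address it finds anywhere in the text as an invitee to notify, which is how a private note about a boss turns into a calendar entry on the boss's calendar; in the stricter mode only addresses introduced by an explicit keyword such as "with" or "invite" become invitees, and every other address stays inert text in the title.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed regexes for an illustrative quick-add grammar (assumption, not
# Google's actual rules).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TIME_RE = re.compile(r"\b\d{1,2}(?::\d{2})?\s*(?:am|pm)\b", re.IGNORECASE)
DAY_RE = re.compile(r"\b(?:mon|tues|wednes|thurs|fri|satur|sun)day\b", re.IGNORECASE)
LOCATION_RE = re.compile(r"\bat\s+([A-Za-z][\w']*)")
INVITE_KEYWORDS = {"with", "invite"}


@dataclass
class Event:
    title: str
    day: Optional[str]
    time: Optional[str]
    location: Optional[str]
    invitees: List[str] = field(default_factory=list)


def quick_add(text: str, implicit_invites: bool) -> Event:
    """Parse a free-text entry into an Event.

    implicit_invites=True  : every e-mail address in the text is an invitee
                             (the leaky behaviour: the address holder gets
                             the event and its title).
    implicit_invites=False : only an address immediately preceded by an
                             invite keyword is an invitee; other addresses
                             are left in the title as plain text.
    """
    spans = []  # character ranges that are cut out of the title
    day = time = location = None

    m = DAY_RE.search(text)
    if m:
        day, spans = m.group(0), spans + [m.span()]
    m = TIME_RE.search(text)
    if m:
        time, spans = m.group(0), spans + [m.span()]
    m = LOCATION_RE.search(text)
    if m:
        location, spans = m.group(1), spans + [m.span()]

    invitees = []
    for m in EMAIL_RE.finditer(text):
        before = text[: m.start()].split()
        keyword = before[-1].lower() if before else ""
        if implicit_invites:
            invitees.append(m.group(0))
            spans.append(m.span())
        elif keyword in INVITE_KEYWORDS:
            invitees.append(m.group(0))
            # drop the keyword together with the address from the title
            kw_start = text.lower().rfind(keyword, 0, m.start())
            spans.append((kw_start, m.end()))

    title = text
    for start, end in sorted(spans, reverse=True):
        title = title[:start] + " " + title[end:]
    title = " ".join(title.split())
    return Event(title, day, time, location, invitees)


if __name__ == "__main__":
    note = "e-mail boss@example.com to discuss pay rise"
    print("leaky :", quick_add(note, implicit_invites=True))
    print("strict:", quick_add(note, implicit_invites=False))
```

Run stand-alone, the leaky parse reports boss@example.com as an invitee and strips the address from the title; the strict parse keeps the full note as the title and invites nobody. The fix a calendar product would want is the second behaviour, plus a visible list of invitees before the entry is saved.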


 
Joomla! JV Comment Extension 'id' Parameter SQL Injection Vulnerability
 
OpenStack Neutron and Nova CVE-2013-6419 Information Disclosure Vulnerability
 
Snapchat added an image-based security challenge to its account registration process to verify that new accounts are created by humans, but the system can easily be defeated by computers, experts said.
 
Retailers and banks must move quickly to figure out who should be responsible for better securing the payments system network or risk having Congress decide for them.
 
Nokia's improving Lumia shipments came to a halt during the fourth quarter, bad news for Microsoft, which will soon take over the phone unit.
 
Job interviews can be nerve-wracking, but preparing for them and handling follow-up doesn't have to be. Here are some 'beyond the obvious' tips for acing the lead-up and the aftermath of job interviews.
 
LinuxSecurity.com: Updated openstack-heat packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]
 
LinuxSecurity.com: Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated x11-server package fixes security vulnerability: Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code (CVE-2013-6424). [More...]
 
LinuxSecurity.com: Updated elinks package fixes security vulnerability: When verifying SSL certificates, elinks fails to warn the user if the hostname of the certificate does not match the hostname of the website. [More...]
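To make the elinks failure concrete, here is an added example (not elinks code and not the vendor's patch) of the hostname check a TLS client must run after the certificate chain has validated. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, with constructed certificate dictionaries standing in for real peers; the wildcard rule (only as the whole leftmost label, at least three labels) follows RFC 6125 section 6.4.3, and the CN is consulted only when no subjectAltName is present. accept_peer models the two client behaviours: stopping at chain validation, as the advisory describes, and additionally matching the name.

```python
import ipaddress
from typing import List

# Constructed stand-ins in the dict shape returned by ssl.SSLSocket.getpeercert().
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# Chains to a trusted CA but was issued to an unrelated name.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"), ("IP Address", "192.0.2.10")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against a hostname, case-insensitively.

    A wildcard is honoured only as the entire leftmost label and only when the
    pattern has at least three labels, so '*.com' never matches. A real client
    also consults the public suffix list for cases like '*.co.uk'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> List[str]:
    """DNS names the certificate claims: all SAN dNSName entries, or the CN
    only as a fallback when the certificate has no subjectAltName DNS entry."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate was issued for hostname (DNS name or IP literal)."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return any(_dns_match(n, hostname) for n in certificate_names(cert))
    # IP literals match only iPAddress SAN entries, never DNS names or the CN.
    ips = [v for (t, v) in cert.get("subjectAltName", ()) if t == "IP Address"]
    return any(ipaddress.ip_address(v) == ip for v in ips)


def accept_peer(cert: dict, requested_host: str, chain_valid: bool,
                check_hostname: bool) -> bool:
    """Client acceptance decision. With check_hostname=False the client stops
    at chain validation, so any CA-issued certificate is accepted for any site."""
    if not chain_valid:
        return False
    return hostname_matches(cert, requested_host) if check_hostname else True


if __name__ == "__main__":
    for check in (False, True):
        ok = accept_peer(OTHER_SITE_CERT, "bank.example", chain_valid=True, check_hostname=check)
        print(f"check_hostname={check}: attacker.example cert for bank.example accepted={ok}")
```

Run stand-alone, the first line shows the vulnerable outcome (a valid certificate for attacker.example is accepted when connecting to bank.example) and the second the correct rejection. Note that accept_peer treats chain validity as an input; it models the decision after chain building, not the chain building itself.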
 
LinuxSecurity.com: Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, [More...]
 
 
LinuxSecurity.com: Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: [More...]
 
LinuxSecurity.com: A vulnerability in Zabbix could allow remote attackers to execute arbitrary shell code.
 
LinuxSecurity.com: Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]
 
Cross-Site Scripting (XSS) in Komento Joomla Extension
 
SQL Injection in JV Comment Joomla Extension
 
If the price of the Surface Pro and other similarly equipped tablets has been preventing you from buying a Windows 8 tablet then the recent update to the Intel Atom processor may be your cue to make your move.
 
Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface login page
 
APPLE-SA-2014-01-22-1 iTunes 11.1.4
 
CONFidence 2014 - Call for Papers
 
CISTI'2014: CFP - Doctoral Symposium
 

Top 10 Influencers in Health InfoSec
GovInfoSecurity.com
To recognize leaders who are playing a critical role in shaping the way healthcare organizations approach information security and privacy, HealthcareInfoSecurity announces its second annual list of Influencers. Each of these Influencers for 2014 has ...
HealthcareInfoSecurity Announces 2014 Influencers (PR-BG.com, press release)

 
My last Diary piece was on the analysis of multiple similar breaches, with a great deal of technical detail from an external team brought in to handle the incidents, but it didn't touch on the human elements that are intertwined with each and every breach.
 
Sometimes reading a technical report is like reading a stunningly obvious mystery book: it takes you two pages to work out that they used an open source scanner to find a foothold and exploit it, then later they use the same default password across the entire network, and finally you know the bad guy is going to zip up what they stole and send it to a drop point before you ever read the next twenty pages of the report. When reading this, part of me wants to scream "Why did no-one see any of this in the first place or do anything about it?" and "Who let this happen?".
 
Well, to remedy that, I offer you a second breach report: the United States Department of Energy (DoE) suffered a breach in July 2013, and here's a special report by a different department giving its assessment of the breach and of DoE [1]. I take my hat off to the DoE for publishing this report and its very honest assessment of how they failed and what they needed to do to fix the various issues uncovered.
 
This isn't a technical read, but it is well worth the time for any security person to read and understand the chain of events that led to a breach occurring. The report focuses on the human elements in the breach, maps the events to a timeline and says who was responsible. For me, this is a fascinating glimpse of a third party's blunt assessment of what failed, how it failed and why it failed, with direct correlation to those who could have prevented or taken action on the breach.
 
I'm going to leave it up to you to draw any conclusions from the paper as a security person, incident responder or IR manager*, but I suggest this would be a good paper to summarise and give to whoever is in charge of security, to help them understand the internal human elements that aided the breach.
 
Why? My suggestion would be to understand the pain points incident response teams can face in being alerted to an incident in a timely manner.
 
Again, if you know of any other papers you believe IR teams should have to read on the details of a breach, add them in the comments or send them in to us [2].
 
[1] http://energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf
 
* Shameless plug for a great SANS class for incident response managers https://www.sans.org/course/incident-response-team-management
 
[2] https://isc.sans.edu/contact.html#contact-form

 

Chris Mohan --- Internet Storm Center Handler on Duty

 
As mobile device management continues to morph, consider what's 'good enough' for what you need right now -- and don't neglect the user experience, whatever else you do.
 
In a report to be released Thursday, the U.S. Privacy and Civil Liberties board says the National Security Agency's bulk collection of phone records is illegal and should stop, according to the New York Times and the Washington Post, which received advance copies of the document.
 
VMware vCloud Director Cross Site Request Forgery Vulnerabilities
 
Multiple VMWare Products Local Denial Of Service Vulnerability
 
VMware ESXi and ESX NFC NULL Pointer Dereference Denial of Service Vulnerability
 
Apple Mac OS X Text Tracks CVE-2013-1024 Remote Code Execution Vulnerability
 
The U.S. Supreme Court has upheld that it is up to the patent holder ordinarily to prove infringement in a lawsuit, a ruling that could have vast implications on the litigious technology industry.
 
Lenovo Group has agreed to buy IBM's x86 server hardware business and related maintenance services for $2.3 billion, it announced Thursday.
 
Investment agitator Carl Icahn has now put his sights on auctioneer eBay, but that doesn't mean he will end his pursuit of a massive stock buyback by Apple, an analyst said today.
 
If there's to be an explosion of wearable devices and smartwatches in 2014, as analysts forecast, the bigger question becomes when more apps will emerge that work with such devices.
 
Google said there's no threat from a speech recognition feature in its Chrome browser that a developer said could be used to listen in on users.
 
Facebook is testing its advertisements on outside mobile applications, calling it a new way for app developers to monetize their creations.
 
Zabbix CVE-2013-6824 Remote Command Execution Vulnerability
 
 
WebKit CVE-2013-5127 Unspecified Memory Corruption Vulnerability
 

Posted by InfoSec News on Jan 23

http://www.businessnewsdaily.com/5787-business-biggest-security-threat.html

By Elizabeth Palermo
BusinessNewsDaily Contributor
January 17, 2014

The biggest threat to your company's cybersecurity isn't malware, phishing
scams or even hackers -- it's you. In a series of studies published last
week, three security research firms asked employees at midsize businesses
across America about the biggest threats to corporate...
 

Posted by InfoSec News on Jan 23

http://rt.com/news/hacker-guccifer-romania-email-052/

RT.com
January 23, 2014

Romanian authorities arrested on Wednesday a man they suspect is hacker
Guccifer, known for infiltrating the email accounts of many international
political and public figures, including former US President George W. Bush.

Marcel Lazar Lehel, 40, was arrested and his home in Arad County was searched,
according to Romania’s Directorate for Investigating Organized...
 

Posted by InfoSec News on Jan 23

http://www.networkworld.com/news/2014/012214-trustycon-rsa-nsa-277956.html

By Ellen Messmer
Network World
January 22, 2014

Who do you trust? That's a question asked increasingly by a security
industry with a growing sense that the National Security Agency (NSA) has
sought to weaken encryption or get backdoors into computers, based on
documents leaked by Edward Snowden to the media. Now, trust is also the
theme of a new conference...
 

Posted by InfoSec News on Jan 23

http://www.computerworld.com/s/article/9245610/As_Target_breach_unfolds_information_vanishes_from_Web

By Jeremy Kirk
IDG News Service
January 22, 2014

At least three security companies have scrubbed information related to
Target from the Web, highlighting the ongoing sensitivity around one of
the largest-ever data breaches.

How hackers broke into Target and installed malware on point-of-sale
terminals that harvested up to 40 million payment...
 