Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

SANS Institute and CrowdStrike Partner to Offer "Hacking Exposed Live ...
IT Business Net
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 
LinkedIn is giving companies the ability to place their marketing content into users' feeds, in a move that expands the site's revenue opportunities.
 
Moodle CVE-2013-2246 Security Bypass Vulnerability
 
Moodle CVE-2013-2242 Security Bypass Vulnerability
 
Moodle CVE-2013-2245 Information Disclosure Vulnerability
 
Moodle CVE-2013-2244 Cross Site Scripting Vulnerability
 
Non-U.S. clients of American cloud hosting companies are clearly rattled by revelations that the U.S. National Security Agency collects huge amounts of customer data from Internet Service Providers and telecommunication companies.
 
AT&T posted higher revenue and profit in the second quarter, with gains in its mobile unit offsetting flat wireline revenue.
 
Intel says it will increase the battery life of tablets and hybrid PCs that use its microprocessors, with new low-power Haswell chips that will start shipping later this year.
 
Apple reported a drop in profits on roughly flat revenue for the April to June quarter, though the results were ahead of analysts' expectations, providing something of a silver lining for the company.
 
Node Packaged Modules Symlink Attack Local Privilege Escalation Vulnerability
 
While self-driving cars may be safe and efficient, they certainly won't be economical in terms of data storage, according to one big data strategist.
 
An increasing number of Android phones are infected with mobile malware programs that are able to turn the handsets into spying devices, according to a report from Kindsight Security Labs, a subsidiary of telecommunications equipment vendor Alcatel-Lucent.
 
LinkedIn is giving companies the ability to place their marketing content into user feeds, a move that's said to expand the social network's revenue opportunities.
 
One in three U.S. adults now owns a tablet computer, up from 18% last year, according to a June 2013 study by the Pew Internet and American Life Project. So what about professional use? Are tablets standard-issue employee equipment? To find out, CDW surveyed professionals from midsize and large business, healthcare, higher education and state and local government to see how these devices are affecting day-to-day productivity.
 
Calls for Apple to start selling a lower-priced iPhone just don't make sense, an analyst said today, because Apple already sells millions of discounted smartphones.
 
MIT has created OpenFab, an open source, programmable pipeline architecture for 3D printers that was inspired by RenderMan, the software used to design computer-generated images in movies.
 

The online helpdesk for Viber, an instant-messaging and VoIP service, was defaced by pro-Syrian hackers who claimed to have accessed e-mail addresses, phone numbers, and other personal information belonging to the company's users and employees.

The defaced page bore a blue banner that read "Hacked by the Syrian Electronic Army," a reference to the pro-hacking crew that regularly breaches online accounts in the name of Syrian President Bashar al-Assad. In recent months, the group has accessed Twitter or website accounts belonging to the Financial Times, the Associated Press, The Guardian, The BBC, and Al Jazeera, to name just a few. More recently, it has reportedly breached accounts belonging to chat app developer Tango and the online news portal Daily Dot.

"We weren't able to hack all Viber systems, but most of it is designed for spying and tracking," the SEA wrote of the Israel-based company on its support.viber.com subdomain. The tampered page also included a large image purporting to show the IP addresses, e-mail addresses, and other details belonging to people who had accessed the company's servers. A little while later, the defacement was replaced with a simple "403 Forbidden" error message. At publication time, the helpme.viber.com page carried the same message.


    


 


 
The National Institute of Standards and Technology (NIST) has released a revision to the digital standard used to ensure the integrity of electronic documents, as well as the identity of the signer. The new document, Federal Information ...
 
Oracle Java SE CVE-2013-2457 Remote Security Vulnerability
 
 

Recently in a penetration test engagement I tested a WebSphere application. The setup was more or less standard, but the interesting thing happened when I went to analyze how the application handles sessions.

Virtually 99% of all web applications today use cookies in order to store session information. However, the application I tested set a very weird cookie with the following content:

SSLJSESSION=0000SESSIONMANAGEMENTAFFINI:-1

Clearly that cannot be used for session handling; however, no other cookies were set by the application, yet sessions were handled correctly. After a bit of browsing through WebSphere's documentation, I found out that WebSphere (actually IBM HTTP Server as well as SUN One Web Server) supports a feature called SSL ID Session Tracking. Basically, what this does is bind web application sessions to SSL sessions. As a result the web application itself needs to do almost no session handling, since the server performs it on the application's behalf.

However, in this simplicity lurk several potential problems:

  • Since the web application's sessions are tied to the SSL channel's session, any user that can somehow access the same SSL session is automatically authenticated by the target web application. While this scenario is not all that likely, it is still possible through, for example, an incorrectly configured proxy that somehow reuses opened SSL sessions – opening Burp proxy and letting it listen on the network interface in such a setup is a really bad idea.
  • The web application (as it always should anyway) has to properly handle logout activities and invalidate the SSL session – since there are no cookies, it must prevent the web browser from reusing the same SSL session.

On the other hand, there are several really nice features here – probably the most important being that an attacker cannot abuse vulnerabilities such as Cross Site Scripting to steal session information. Of course, XSS can still be used to perform other attacks through the vulnerable application, but session information cannot be stolen any more.

SSL ID Session Tracking is, however, deprecated in WebSphere 7.0, so it is pretty rare today. This means that applications must use cookies to handle session information, or transfer it as request parameters, but the latter is not recommended since such information is visible in logs. In essence this leaves us with cookies, which are probably here to stay, so it does not hurt to remind your developers to set the HttpOnly and Secure attributes; it is trivial to set them and, while they are not a silver bullet, these settings can make exploitation of some vulnerabilities much more difficult.
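As an added example (not part of the diary or of any IBM tooling), the following Python audits Set-Cookie headers for the HttpOnly and Secure attributes recommended above and recognises the WebSphere SSL ID Session Tracking marker cookie quoted in the diary; the sample headers are constructed, and the JSESSIONID values are invented.

```python
# Added example, not from the diary: audit Set-Cookie headers for the HttpOnly and
# Secure attributes, and recognise the WebSphere SSL ID Session Tracking marker
# cookie quoted in the diary (SSLJSESSION=0000SESSIONMANAGEMENTAFFINI:-1).
from dataclasses import dataclass
from typing import List

# Substring of the marker cookie value quoted in the diary.
SSL_AFFINITY_MARKER = "SESSIONMANAGEMENTAFFINI"


@dataclass
class CookieReport:
    name: str
    http_only: bool
    secure: bool
    ssl_tracking_marker: bool


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value (RFC 6265 syntax) into a CookieReport."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; Secure and HttpOnly are value-less flags.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return CookieReport(
        name=name.strip(),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        ssl_tracking_marker=SSL_AFFINITY_MARKER in value,
    )


def audit(headers: List[str]) -> List[str]:
    """Return one finding per weakness; an empty list means every cookie passed."""
    findings = []
    for h in headers:
        r = parse_set_cookie(h)
        if r.ssl_tracking_marker:
            # The marker carries no secret: the session lives in the SSL session itself,
            # so the diary's logout and proxy concerns apply instead of cookie flags.
            findings.append(f"{r.name}: SSL ID Session Tracking marker, session bound to SSL session")
            continue
        if not r.http_only:
            findings.append(f"{r.name}: missing HttpOnly")
        if not r.secure:
            findings.append(f"{r.name}: missing Secure")
    return findings


# Constructed sample headers (not captured from any real system).
SAMPLE_HEADERS = [
    "SSLJSESSION=0000SESSIONMANAGEMENTAFFINI:-1; Path=/",
    "JSESSIONID=0000abc123:-1; Path=/",
    "JSESSIONID=0000def456:-1; Path=/; Secure; HttpOnly",
]
```

Running `audit(SAMPLE_HEADERS)` reports the marker cookie and the two missing attributes on the first JSESSIONID cookie; the properly flagged third cookie produces no finding.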

--
Bojan
@bojanz
INFIGO IS

 
Google's Motorola Mobility has upgraded its lineup of Droid smartphones, announcing three new models including the flagship Droid Ultra. The new phones will be available through Verizon Wireless.
 
Mac sales fell 4% in the quarter that ended June 30, putting Apple into the same leaky boat as the much larger, problem-plagued PC industry, according to a survey of several dozen financial analysts.
 
Django User Account Enumeration Information Disclosure Vulnerability
 
HP System Management Homepage CVE-2012-5217 Remote Unauthorized Access Vulnerability
 
Samsung is the largest maker of Android smartphones, which make up 70% of the overall worldwide smartphone market. Now the company's dependence on Android seems poised to start shifting to the open source Tizen OS.
 
 
F-Secure

Researchers have uncovered a family of malware that targets both Windows and OS X. Janicab.A, as the trojan is known, is also unusual because it uses a YouTube page to direct infected machines to command-and-control (C&C) servers and follows a clever trick to conceal itself.

The threat first came to light last week, when researchers from F-Secure and Webroot documented a new trojan threatening Mac users. Like other recently discovered OS X malware, Janicab was digitally signed with a valid Apple Developer ID. It also used a special unicode character known as a right-to-left override to make the infection file appear as a PDF document rather than a potentially dangerous executable file.

On Monday, researchers from Avast published a blog post reporting that Janicab can also infect computers running Windows. The strain exploits a vulnerability Microsoft patched in 2012 to install a malicious Visual Basic script that can remain active even after infected machines are restarted.


    


 

The Novel Practice of DevOps Stars in The Phoenix Project
Threatpost
You get the perspective of the needs and desires of the rest of the business, be it the C-suite, infosec, legal or the product team. Additionally, the Phoenix Project gives Bill and his team the understanding and sympathy for these needs so they can do ...

 
WAN optimization vendor Silver Peak apparently sees the writing on the data center's walls, announcing a new program today that offers a free upgrade to a virtual edition of its products to users of its hardware appliances.
 
Removing mobile phone roaming charges in the European Union may prove more expensive for customers in the long run, a telecoms expert has warned.
 
LinuxSecurity.com: Several security issues were fixed in OpenJDK 6.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in mysql: MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause [More...]
 
LinuxSecurity.com: An updated virtio-win package that fixes one security issue is now available for Red Hat Enterprise Linux 6 Supplementary. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
Multiple D-Link Products UPnP SOAP Interface Multiple Command Injection Vulnerabilities
 
Legislation, stealth technologies, and emerging data privacy markets are proving that the battle for our Internet privacy has only just begun
 
 
Nokia announced its largest Windows 8 smartphone today, the low-cost Lumia 625 that sports a 4.7-in. LCD screen.
 
VMware vCenter Chargeback Manager CVE-2013-3520 Remote Code Execution Vulnerability
 
QEMU Guest Agent CVE-2013-2231 Local Privilege Escalation Vulnerability
 
Software defined networking applies the abstraction concepts of hardware virtualization to networking infrastructure. This works well for cloud implementations, which need significant configuration and planning. But SDN and network virtualization may still be too immature for prime time.
 
Enterprise bug bounty programs are increasing in popularity. They offer cash to hackers who find and report security vulnerabilities and are an effective way for large organizations to beef up the security of their software.
 
Cisco is set to expand its security software portfolio with the acquisition of Sourcefire in a deal worth $2.7 billion.
 
TwinStrata's CloudArray is a brokerage platform between enterprise networks and cloud storage services providers, and we found in testing that it's pretty clever.
 
 
 
Foreman 'bookmarks_controller.rb' Remote Code Execution Vulnerability
 
Microsoft Internet Explorer Improper Ref Counting Use-After-Free Remote Code Execution Vulnerability
 
Bug bounty programs are probably very cost-effective for software vendors, but they reward bad behavior.
 
 
In its first major revision in more than a year, the Apache OpenOffice suite now comes with a sidebar, from which users can launch their favorite tools.
 
Emerging technologies for 4G LTE networks are expected to make rapid advances over the next few years, helping mobile networks keep up with data growth and bringing more users worldwide into the LTE fold.
 
Intel has updated its road map with a new, low-power server chip to help it ward off competition from Calxeda and other makers of low-power chips.
 
 
Hurricane Sandy devastated coastal areas in New Jersey and New York last October and left some Verizon Communications customers without copper phone lines.
 
Two NASA spacecraft, flying millions of miles away from home, have sent back portraits of Earth.
 
[ MDVSA-2013:197 ] mysql
 

 
Network Solutions warned on Monday of latency problems for customers using MySQL databases just a week after the hosting company fended off distributed denial-of-service (DDoS) attacks.
 
Patent firm Eolas Technologies lost an appeal against Google, J.C. Penney, Yahoo and Amazon.com in a long-drawn lawsuit involving key Web patents.
 
A new privacy tool called MaskMe may help people evade data harvesting efforts by websites and marketers.
 
Armed with a $900 million argument, an analyst raised the Office-on-iPad banner, saying that the flop of the Surface RT gives Microsoft a chance to make billions in lemonade from its lemon.
 
CORE-2013-0701 - Artweaver Buffer Overflow Vulnerability
 

My Editorial: Q3 issue: Lost For Words
Infosecurity Magazine (blog)
When my deputy Drew 'shotgunned' the Snowden story for his editorial, I thought we could perhaps both tackle the captivating case, in a similar showdown to that of the Point Counterpoint opinion pieces. Having shared our thoughts on the controversy, ...

 
Re: Samsung TV - DoS vulnerability
 
Defense in depth -- the Microsoft way (part 4)
 
Photo Server 2.0 iOS - Multiple Critical Vulnerabilities
 
CORE-2013-0705 - XnView Buffer Overflow Vulnerability
 
SurgeFtp Server BufferOverflow Vulnerability
 
Juniper Secure Access XSS Vulnerability
 
Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities
 

Posted by InfoSec News on Jul 23

http://www.informationweek.com/security/attacks/network-solutions-recovers-after-ddos-at/240158685

By Mathew J. Schwartz
InformationWeek.com
July 22, 2013

Network Solutions said it's fully mitigated a distributed denial of
service (DDoS) attack that compromised some services last week, and that
attack volumes against the company had returned to normal.

"We experience DDoS attacks almost daily, but our automatic mitigation...
 

Posted by InfoSec News on Jul 23

http://www.maclife.com/article/news/selfouted_security_researcher_may_be_blame_dev_center_outage

By Leif Johnson
Maclife.com
July 22, 2013

The Apple Developer Center has now been down since Thursday, making our
initial surprise on Friday that it'd been down for 30 hours seem almost
silly. And now the plot thickens further. After Apple finally announced
last night that a security breach was responsible for the delay, a
self-proclaimed...
 

Posted by InfoSec News on Jul 23

http://www.wired.com/threatlevel/2013/07/open-market/

By Kevin Poulsen
Threat Level
Wired.com
07.22.13

From late 2007 until March 2011, if you were an identity thief or credit
card fraud artist in need of a fake ID, your best bet was "Celtic’s
Novelty I.D. Service." From its base in Las Vegas, the online storefront
manufactured driver’s licenses for 13 states and shipped them to buyers
around the world. No questions asked....
 

Posted by InfoSec News on Jul 23

http://www.latimes.com/business/technology/la-fi-tn-cybercrime-140-billion-dollars-economy-20130722,0,308705.story

By Paresh Dave
The Los Angeles Times
July 22, 2013

Cyberattacks may be draining as much as $140 billion and half a million
jobs from the U.S. economy each year, according to a new study that
splashes water on a previous estimate of $1 trillion in annual losses.

“That’s our best guess,” said James Andrew Lewis, the director...
 

Posted by InfoSec News on Jul 23

http://healthitsecurity.com/2013/07/22/presbyterian-ciso-drives-home-importance-of-governance/

By Patrick Ouellette
Health IT Security
July 22, 2013

Without the right governance in place, a Chief Information Security
Officer (CISO) is unofficially on their own island with little help from
the outside, according to Kim Sassaman, CISSP and CISO of Presbyterian
Healthcare Services of New Mexico. During last Wednesday's Institute for...
 