Hackin9

azcentral.com

Southeast Valley cities check network security
azcentral.com
The Information Security and Privacy Office staff maintain a website dedicated to providing information about identity theft, cyber bullying and other technology-related security concerns: www.phoenix.gov/infosec. Gilbert. Gilbert uses the security ...

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
For the Internet of Things, collecting data is only half the battle, and public transit agencies know that as well as anyone.
 
AskMen.com, a popular website with millions of monthly visitors, was redirecting visitors to other domains that delivered the Caphaw malware, according to security vendor WebSense.
 

Agiliance Introduces First NIST Cybersecurity Framework Security Checklist and ...
MarketWatch
... the Year, 2014 Cyber Defense Magazine Most Innovative InfoSec Award for Most Innovative Risk Management Product, Deloitte 2013 Technology Fast 500 Honoree (#4 in security software), and Government Security News 2013 Homeland Security Award.

 

Microsoft developers have fortified Internet Explorer with new protections designed to prevent a type of attack commonly used to surreptitiously install malware on end-user computers.

The "isolated heap for DOM objects" made its debut with last week's Patch Tuesday. Just as airbags lower the chance of critical injuries in automobile accidents, the new IE protection is designed to significantly lessen the damage attackers can do when exploiting so-called use-after-free flaws in the browser code. As the name suggests, use-after-free bugs are the result of code errors that reference computer memory objects after they have already been purged, or freed, from the operating system heap. Attackers can exploit them by refilling the improperly freed space with malicious code that logs passwords, makes computers part of a botnet, or carries out other nefarious behavior.

Use-after-free flaws are among the most commonly exploited, often at great expense to end users. Recent in-the-wild attacks that targeted IE versions 9, 10, and 11 capitalized on a use-after-free bug. The bug class has been at the heart of many other real-world attacks on IE that are too numerous to count. (They have also been known to bring down Google Chrome and Mozilla Firefox.) Wei Chen, an exploit developer with Rapid7's Metasploit vulnerability framework, likens use-after-free exploits to sneaking tainted cookies into an already-opened bag of Oreos.


 
Have you ever tried to read a website's privacy policy only to give up after slogging through paragraphs and paragraphs of dense, lawyerly language? Privacy-focused companies Disconnect and TRUSTe have released a new browser add-on that attempts to translate those policies into easy-to-understand terms.
 
Microsoft has launched a buyback program to try to get MacBook Air owners to part with their laptops and replace them with new Surface Pro 3 devices.
 
The battle between Oracle and Oregon officials over the state's Cover Oregon health insurance exchange site is raging on, with the vendor now claiming the exchange was functional in February, but Governor John Kitzhaber decided to dump it for political reasons.
 
Researchers at the Massachusetts Institute of Technology have developed a 36-core processor in an effort to find new ways to eke more performance out of chips.
 
Some North American Office 365 customers are without Lync service this afternoon due to an unexplained outage that started about 7a.m., Eastern time.
 
Yahoo has released an Android personalization app that could give the company a stronger foothold in mobile contextual search.
 

In the latest gaffe to demonstrate the privacy perils of anonymized data, New York City officials have inadvertently revealed the detailed comings and goings of individual taxi drivers over more than 173 million trips.

City officials released the data in response to a public records request and specifically obscured the drivers' hack license numbers and medallion numbers. Rather than including those numbers in plaintext, the 20 gigabyte file contained one-way cryptographic hashes using the MD5 algorithm. Instead of a record showing medallion number 9Y99 or hack number 5296319, for example, those numbers were converted to 71b9c3f3ee5efb81ca05e9b90c91c88f and 98c2b1aeb8d40ff826c6f1580a600853, respectively. Because they're one-way hashes, they can't be mathematically converted back into their original values. Presumably, officials used the hashes to preserve the privacy of individual drivers since the records provide a detailed view of their locations and work performance over an extended period of time.

It turns out there's a significant flaw in the approach. Because both the medallion and hack numbers are structured in predictable patterns, it was trivial to run all possible iterations through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
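The failure described above, and the pseudonymization scheme that would have resisted it, as an added illustration (this is not code from the article or from Pandurangan's work). The identifier format is an assumption made for the demo: one digit, one upper-case letter and two digits, chosen only so that the page's example medallion "9Y99" fits; the real medallion and hack-number formats are not taken from the page. The functions `build_md5_table`, `deanonymize_md5`, `pseudonymize_hmac` and `recover_hmac` are hypothetical names introduced here.

```python
import hashlib
import hmac
import secrets
import string
from itertools import product


def medallion_space():
    """Yield every value of the constructed medallion format (26,000 values).

    Constructed for illustration: one digit, one upper-case letter, two digits.
    The point is only that the space is small and fully enumerable.
    """
    for digit, letter, tail in product(string.digits, string.ascii_uppercase, range(100)):
        yield f"{digit}{letter}{tail:02d}"


def md5_hex(value: str) -> str:
    """Unkeyed MD5 of the identifier: the scheme the data release relied on."""
    return hashlib.md5(value.encode()).hexdigest()


def build_md5_table(space) -> dict:
    """Precompute hash -> plaintext for the whole space.

    With no secret in the hash, anyone can build this table; its size is the
    size of the identifier space, not the size of the hash output.
    """
    return {md5_hex(v): v for v in space}


def deanonymize_md5(hashes, table) -> dict:
    """Resolve each released hash to its identifier via the lookup table."""
    return {h: table.get(h) for h in hashes}


def pseudonymize_hmac(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret the publisher never releases."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_hmac(pseudonym: str, space, key: bytes):
    """Enumerate the space under a candidate key.

    Without the publisher's key the enumeration finds nothing; with the key
    it succeeds immediately, which is why the key must be guarded like the
    raw identifiers themselves.
    """
    for v in space:
        if hmac.compare_digest(pseudonymize_hmac(v, key), pseudonym):
            return v
    return None


def random_pseudonym_map(space) -> dict:
    """Alternative: an unrelated random token per identifier, mapping kept private."""
    return {v: secrets.token_hex(16) for v in space}


if __name__ == "__main__":
    table = build_md5_table(medallion_space())
    released = [md5_hex("9Y99"), md5_hex("1A23")]  # constructed "released" records
    print(deanonymize_md5(released, table))         # every hash resolves

    key = secrets.token_bytes(32)
    pseudonym = pseudonymize_hmac("9Y99", key)
    print(recover_hmac(pseudonym, medallion_space(), b"wrong-key"))  # None
    print(recover_hmac(pseudonym, medallion_space(), key))           # "9Y99"
```

Two caveats follow from the code. A keyed hash is still deterministic, so every trip by one driver maps to the same pseudonym and the per-driver movement history the article worries about remains linkable within the file; if that linkability is itself the concern, random tokens or aggregation are needed rather than a better hash. And a public salt would not have helped here either: the space is only tens of thousands of medallions (or ten million seven-digit hack numbers), so anything the attacker can recompute is enumerable in minutes.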


 

5 Free Tools for Compliance Management
eSecurity Planet
After all, a good inventory is the first step in seeing what needs to be secured. www.ptatechnologies.com: A free toolset that is driven by the methodology of effectively managing operational and infosec risks in complex systems using calculative ...

 
Intel hopes to take hardware performance to the next level with its latest Xeon Phi supercomputing chip, which packs an array of new hardware technologies that could ultimately find their way to laptops and desktops.
 
Despite a great start, the rate of patching OpenSSL servers against the critical Heartbleed vulnerability has slowed down to almost a halt. Around 300,000 servers remain vulnerable and many of them are unlikely to get patched anytime soon.
 
Supercomputer vendor Cray is trying to make the Lustre file system easier to work with, allowing users to copy material from the file system into a multilayered storage archiving system.
 
What level of control governments should exert over the Internet emerged early in ICANN's meeting this week as a primary sticking point, with the representative from France advocating for more state control and the U.K. arguing for less.
 
Mozilla Firefox CVE-2014-1543 Heap Buffer Overflow Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1539 Clickjacking Vulnerability
 
Microsoft plans to double OneDrive's free storage space for consumers to 15GB from its previous allowance of 7GB.
 
Will Google CEO Larry Page walk out with a 330-lb. robot when he takes the stage this week at Google I/O, his company's developers conference? With Google's purchase of eight robotics companies, it could happen.
 
WordPress WP GPX Maps Plugin Arbitrary File Upload Vulnerability
 
D-Bus 'activation.c' Denial of Service Vulnerability
 
[security bulletin] HPSBHF03052 rev.1 - HP Intelligent Management Center (iMC), HP Network Products including H3C and 3COM Routers and Switches running OpenSSL, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Modification or Disclosur
 
 
 
[SECURITY] [DSA 2966-1] samba security update
 
[SECURITY] [DSA 2965-1] tiff security update
 

Microsoft announced a private preview of Microsoft Interflow today in timing with the 26th FIRST Conference in Boston. While it's not available for general release yet, this is the first public announcement of a project I've been tracking internally for a while (I work at MSFT). Be patient, your opportunity is coming; this is good news for the DFIR community. Microsoft Interflow is a security and threat information exchange platform for professionals working in cybersecurity and allows collaboration for a collectively stronger ecosystem, action prioritization through automation, and integration via plug-in architecture. There's a write-up on the benefits as well as an FAQ so you can learn more. Microsoft Interflow, as a security automation platform for the exchange of security and threat information, is based on the STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression) specifications. This is all good news as it means that we're getting closer to general release.

Russ McRee | @holisticinfosec

 

 
Technology and HR pros, as well as IT recruiters, share their advice on how recent graduates and those still in college can best position themselves for a technology career.
 
Splunk, best known for creating systems that analyze machine-generated data, has created a tool for analyzing comments filed at Regulation.gov.
 
Physical perimeter security can differ from facility to facility, with myriad factors playing into what exactly is implemented, including budget and the assets that are being protected.
 
Piwigo 'ws.php' Cross-Site Request Forgery Vulnerability
 
Drupal Custom Meta Module Multiple Cross Site Scripting Vulnerabilities
 
[SECURITY] [DSA 2964-1] iodine security update
 
The National Institute of Standards and Technology (NIST) Cloud Computing Program (NCCP) is forming three public working groups to provide solutions to cloud computing challenges. A teleconference on Wednesday, June 25, 2014, at 11 a.m. ...
 
They aren't exactly smartphones, tablets or even phablets, but Panasonic's new Toughpad line of 'handheld tablets' redefine tough for mobile devices and include the ability to warm themselves in extreme cold with a built-in heater.
 
Amazon has good reasons to turn Firefly loose on iOS and Android even though the technology is one of the selling points for its own Fire phone.
 
CIO's Publisher Adam Dennison makes the case for CIOs to take advantage of user enthusiasm for new technologies while shoring up security and compliance controls.
 
Oracle is buying hospitality and retail technology vendor Micros Systems for $5.3 billion, in a deal that will be its largest since the purchase of Sun Microsystems in 2010.
 
Drupal Easy Breadcrumb Module Unspecified Cross Site Scripting Vulnerability
 
Users who accessed some stories on the Reuters website Sunday were redirected to a message from hackers criticizing the news agency's coverage of Syria.
 
The problem with all too many software developers, from a security professional's point of view, is they lack a healthy sense of mistrust.
 
Quicken Loans, LinkedIn and Noah Consulting topped our list of Best Places to Work in IT by keeping employees well compensated and challenged in their jobs.
 
An explanation of the methodology behind Computerworld's selection of the 100 organizations on the 2014 Best Places to Work in IT list.
 
See who's made the list the last 21 years.
 
At Quicken Loans, a new in-house training program and strong corporate values help IT employees thrive in an atmosphere of accelerated growth.
 
The first barcode was used in 1974 to scan in a pack of gum. Now they're used for everything from flight check-ins to patient records and warehouse inventory. They've even been used to track bees. Yes, bees.
 
Breaking from the cocoon of the iPhone 5S, 64-bit ARM processors will start delivering breakthrough performance in servers, aided by graphics cards used in some of the world's fastest computers.
 
Employers will be better able to attract, retain and motivate talented people if they recognize what drives each generation and take those factors into account as they develop approaches to recruiting, hiring, onboarding and employee engagement.
 
Organizations looking to attract the best and brightest IT talent find a good salary and decent benefits aren't enough to close the deal anymore. How about free lunch and onsite kickboxing?
 
Chris LeBeau, IT director at Advanced Technology Services, is shutting down several outdated systems, migrating users and switching to a more modern business architecture.
 
The decline of OS X Snow Leopard has accelerated in the last three months, perhaps because users now know that Apple has stopped patching the five-year-old OS.
 
China continues to dominate the high end of the Top500 list of the world's most powerful supercomputers, even as the growth of the computing power on the list seems to be stagnating.
 