Hackin9

InfoSec News

SonicWall NSA 4500 HTML Injection and Session Hijacking Vulnerabilities
 

IT Security News Sources to be Thankful for
CIO (blog)
InfoSec Island: Another blog from a security company, InfoSec tends to have white paper type posts along with a pretty good news feed. I've undoubtedly missed some other good ones. All suggestions welcomed. Constantine von Hoffman writes CIO.com's IT ...

and more »
 

 
Staff at the U.S. Federal Communications Commission have decided that AT&T's proposed acquisition of mobile carrier T-Mobile is contrary to the public interest. So what's next?
 
The Department of Homeland Security today said there is nothing to suggest that a recent pump failure at a Springfield, Ill. water utility was caused by a cyberattack.
 
Intel is giving new life to its Pentium processor for servers, and has started shipping the new Pentium 350 chip for low-end servers.
 
Given the FCC staff opposition to the proposed AT&T merger with T-Mobile USA, it's fair to ask: Is the $39 billion deal dead?
 
PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Vulnerability
 
The failure of the Congressional Super Committee to reach a deficit reduction agreement triggers automatic federal spending cuts beginning the next fiscal year, which will likely make a lot of government IT contractors nervous.
 
Recent flooding in Thailand has affected many hard drive manufacturers, resulting in price hikes for hard drives of as much as 50 to 100 percent. How long this will last is unclear, but in the meantime, you can postpone new purchases of storage gear by implementing these methods to help reduce unnecessary files, reduce the space used on the system, and allow for expansion with existing systems.
 
For the eighth time, Gibbs awards those who deserve opprobrium for epic reasons
 
A document tied to an internal Hewlett-Packard sexual harassment investigation of former CEO Mark Hurd will remain sealed, according to a ruling handed down this week by the Delaware Supreme Court.
 
NGS00145 Patch Notification: FFmpeg Libavcodec out of bounds write remote code execution
 
NGS00144 Patch Notification: FFmpeg Libavcodec buffer overflow remote code execution
 
Multiple vulnerabilities in Dolibarr
 
NGS00148 Patch Notification: FFmpeg Libavcodec memory corruption remote code execution
 
Three Republican presidential candidates at Tuesday's CNN-sponsored GOP debate said that cyberattacks pose an emerging national security threat to the U.S.
 
Salesforce.com's Heroku division has launched a stand-alone version of its PostgreSQL-based database, giving developers a "battle-tested" way to build applications with the cloud platform of their choosing, the company announced this week.
 

pastebin.com has become a simple platform to publish evidence of various attacks. Lenny a few months back already noted that it may be useful for organizations to occasionally search pastebin for data leakage. Recently, an individual using the alias of pr0f published evidence of attacking the South Houston water system.
This made me look for other pastes by pr0f. What I found:
More Simatic HTML (not clear where it comes from)
http://pastebin.com/wY6XD97L
A vacuum gauge configuration file from Caltech
http://pastebin.com/TgRTgrAK
A control system from smu.edu. Looks like power generation to me, but may be an experiment, not production
http://pastebin.com/HLNB6SAZ
Another paste, showing the (pretty good) password for a Spanish water utility, has since been removed.
------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The mobile device management market offers options for mobile device security challenges, but there's no clear consensus on how to choose a product.

 
Western Digital will be allowed to take over Hitachi’s hard disk drive business, but only if it sells off a 3.5-inch hard disk drive production plant.
 
So far in this 30 Days With the Cloud series I have selected cloud-based solutions for writing, emailing, and storing my data. Now, it is time to move on to perhaps the most important function of my PC and mobile devices--playing my music.
 
A Dutch organization responsible for allocating IP addresses to network providers in Europe is questioning an order by police to not allow changes to the registrations of four blocks of addresses that were used until recently by a known criminal network.
 
Struggling network infrastructure vendor Nokia Siemens Networks is planning to cut 17,000 jobs worldwide, as it aims to cut €1 billion (US$1.35 billion) from its costs by the end of 2013, the company said Wednesday.
 
Google has modified the encryption method used by its HTTPS-enabled services including Gmail, Docs and Google+, in order to prevent current traffic from being decrypted in the future when technological advances make this possible.
 
There is a worldwide race to build the next generation of supercomputers, but U.S. efforts have stalled.
 
Samsung will update the Galaxy Nexus as soon as possible to fix an issue that is causing problems with sound volume, the company said on Wednesday.
 
L&L Products, an automotive supplier in Michigan, grew dramatically after adding high performance computing to its manufacturing process.
 
Microsoft will build a Kinect device specifically for use with PCs, as the company prepares to launch a program to support commercial products developed for Kinect and Windows.
 
Oracle AutoVue 'AutoVueX.ocx' ActiveX Control 'Export3DBom()' Insecure Method Vulnerability
 
bzexe '/tmp/$prog' Insecure Temporary File Creation Privilege Escalation Vulnerability
 

Posted by InfoSec News on Nov 22

http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/

By Kim Zetter
Threat Level
Wired.com
November 22, 2011

A report from an Illinois intelligence fusion center saying that a water
utility was hacked cannot be substantiated, according to an announcement
released Tuesday by the Department of Homeland Security.

Additionally, the department disputes assertions in the fusion center
report that an infrastructure-control software...
 

Posted by InfoSec News on Nov 22

http://www.darkreading.com/vulnerability-management/167901026/security/security-management/232200133/firms-slow-to-secure-flaws-in-embedded-devices.html

By Robert Lemos
Contributing Editor
Dark Reading
Nov 22, 2011

At the Black Hat Security conference earlier this year, Jerome
Radcliffe, a security researcher who has diabetes, showed off weaknesses
in the security of a popular insulin pump. Last month, another
researcher at security firm...
 

Posted by InfoSec News on Nov 22

http://www.theregister.co.uk/2011/11/22/google_perfect_secrecy/

By Dan Goodin in San Francisco
The Register
22nd November 2011

Google engineers have enhanced the encryption offered in Gmail, Google
Docs, and other services to protect users against retroactive attacks
that allow hackers to decrypt communications months or years after they
were sent.

The feature, a type of key-establishment protocol known as forward
secrecy, ensures that...
 

Posted by InfoSec News on Nov 22

http://www.computerworlduk.com/news/security/3319825/nasdaq-out-of-date-software-helped-hackers--report/?intcmp=focus;home%20page;3319825;nasdaq-out-of-date-software-helped-hackers--report

By Leo King
Computerworld UK
21 November 11

NASDAQ’s ageing software and out of date security patches played a key
part in the stock exchange being hacked last year, according to the
reported preliminary results of an FBI investigation.

Forensic...
 

Posted by InfoSec News on Nov 22

http://themoscownews.com/siloviks_scoundrels/20111121/189221309.html

By Mark Galeotti
siloviks and scoundrels
The Moscow Times
21/11/2011

Last month, the US Office of the National Counterintelligence Executive
identified two countries as most eagerly trying to steal American
secrets through cyberspace. This month, the FBI’s ‘Operation Ghost
Click,’ the investigation of a $14 million cybercrime case, led to six
arrests and a hunt for a...
 