Hackin9
Microsoft's profit dropped and its revenue was almost flat in its third fiscal quarter, during which the company replaced Steve Ballmer with Satya Nadella as CEO.
 
Oracle Java SE CVE-2014-2414 Remote Security Vulnerability
 
Google is considering deploying Wi-Fi networks in towns and cities covered by its Google Fiber high-speed Internet service.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle Java SE CVE-2014-0458 Remote Security Vulnerability
 
Lookout

Researchers scouring the official Google Play market have unearthed more Android apps that surreptitiously abuse end-user devices to carry out the computationally intensive process of mining Bitcoins.

The malware, dubbed "BadLepricon" by its creators, was stowed away inside five separate wallpaper apps that had from 100 to 500 downloads each, according to a blog post published Thursday by researchers from Lookout, an anti-malware provider for smartphones. Google employees promptly removed the offending apps once Lookout reported them. It's at least the second time in a month that third-party researchers have discovered cryptocurrency-mining apps available for download on Google servers. Four weeks ago, researchers from Trend Micro reported they found two apps downloaded one million to five million times that mined the Litecoin and Dogecoin cryptocurrencies without explicitly informing end users.

"These apps did fulfill their advertised purpose in that they provided live wallpaper apps, which vary in theme from anime girls to 'epic smoke' to attractive men," Meghan Kelly, a Lookout security communications manager, wrote in Thursday's blog post. "However, without alerting you in the terms of service, BadLepricon enters into an infinite loop where—every five seconds—it checks the battery level, connectivity, and whether the phone’s display was on."

 
Combined U.S. business and consumer spending on technology will rise 5.3 percent this year to US$1.315 trillion and 6.0 percent to $1.4 trillion in 2015, thanks to an improving economy and an acceleration in purchases by businesses and government agencies, according to Forrester Research.
 
Oregon's CIO has recommended state officials adopt the federal government's Healthcare.gov insurance exchange in time to meet a Nov. 15 open enrollment deadline, rather than attempt to fix the troubled site it built along with Oracle.
 
The four remaining defendants in Silicon Valley's closely watched employee hiring case -- Google, Apple, Adobe and Intel -- have agreed to a settlement, according to a new court filing.
 
Apple exposed iOS users to security threats by taking three weeks longer to patch the same vulnerabilities in the mobile OS that it previously fixed in Safari on OS X, a former Apple security engineer said.
 
The public cloud market is set for what one analyst firm calls 'hypergrowth.'
 
San Diego's $50 million SAP system has ended up tripling employees' workloads for certain types of tasks, but the city has also failed to devote enough attention to training, according to a consultant's report released earlier this month.
 
Vic Gundotra, a key executive at Google who helped to create Google+, is leaving the company, he announced on Thursday.
 
Facebook is moving into the hot space of fitness tracking by acquiring a Finland-based mobile app maker.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated qemu-kvm-rhev packages that fix several security issues are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated qemu-kvm-rhev packages that fix several security issues are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated kernel packages that fix two security issues, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: CUPS could be made to expose sensitive information over the network.
 
LinuxSecurity.com: Updated tomcat6 packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: rsync could be made to consume resources if it received specially crafted network traffic.
 
LinuxSecurity.com: Several security issues were fixed in MySQL.
 
LinuxSecurity.com: Updated openshift-origin-broker and rubygem-openshift-origin-auth-remote-user packages that fix one security issue are now available for Red Hat OpenShift Enterprise 2.0.5. [More...]
 
LinuxSecurity.com: Updated openshift-origin-broker and rubygem-openshift-origin-auth-remote-user packages that fix one security issue are now available for Red Hat OpenShift Enterprise 1.2.7. [More...]
 
LinuxSecurity.com: USN-2169-1 introduced a regression in Django.
 

Thanks to Gebhard for letting us know about a new vulnerability in Apache Struts.

If you recall the classloader vulnerability of a few months ago, the fix for that seems to be case and punctuation sensitive (using [] instead of "." was not accounted for).

In any case, they have posted a mitigation how-to here: http://struts.apache.org/announce.html#a20140424

This affects all versions up to 2.3.16.1.

Find more information on this here:
http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/

================
Rob VandenBrink
Metafore
PaperThin CommonSpot CMS Multiple Input Validation Vulnerabilities
 
Oracle Data Integrator CVE-2014-2415 Remote Code Execution Vulnerability
 
Microsoft may be prepping to ship a mini version of its Surface tablets within a month, based on an Amazon.com listing for a case custom made for the device.
 
Apple on Wednesday conceded that it sold 16% fewer iPads in the March quarter than in the same period last year, fulfilling analysts' expectations -- in spades -- that iPad sales have slowed.
 
Facebook, looking to provide more valuable news information, is providing a new tool that will post real-time content related to the day's news.
 
Apple CEO Tim Cook is back on an auction block, repeating an offer that last year brought in $610,000 for the Washington, D.C.-based Robert F. Kennedy Center for Justice and Human Rights.
 
OpenStack Neutron CVE-2014-0187 CIDR Security Bypass Vulnerability
 
Oracle Java SE CVE-2014-0457 Remote Code Execution Vulnerability
 
Oracle Data Integrator CVE-2014-2407 Remote Code Execution Vulnerability
 
[security bulletin] HPSBMU03020 rev.1 - HP Version Control Agent (VCA) and Version Control Repository Manager (VCRM) running OpenSSL on Linux and Windows, Remote Disclosure of Information
 
[security bulletin] HPSBPI03014 rev.1 - HP LaserJet Pro MFP Printers, HP Color LaserJet Pro MFP Printers, Remote Disclosure of Information
 
[security bulletin] HPSBHF03021 rev.1 - HP Thin Client with ThinPro OS or Smart Zero Core Services, Running OpenSSL, Remote Disclosure of Information
 
A new net neutrality proposal from the U.S. Federal Communications Commission meets the goals of past efforts and does not destroy open Internet principles, as critics have feared, FCC officials said Thursday.
 
Driven by growth in mobile and Fios broadband customers, Verizon Communications on Thursday reported first quarter 2014 revenue of $30.8 billion, up from $29.4 billion a year earlier.
 
Oracle Java SE CVE-2014-2421 Buffer Overflow Vulnerability
 
Oracle Java SE CVE-2014-0432 Remote Code Execution Vulnerability
 
IBM Lotus Quickr for Domino ActiveX Control CVE-2013-6748 Buffer Overflow Vulnerability
 
Oracle Java SE CVE-2014-0455 Remote Code Execution Vulnerability
 
Computerworld offers a Tip of the Hat to Jon Brodkin of Ars Technica for an incisive look at how only a potential disaster could convince top tech execs to finally help fund OpenSSL and other open-source projects.
 
The road to revenue for ephemeral and anonymous apps like Snapchat, Secret and Whisper is uncharted. How these social apps will ever achieve a level of revenue that would justify their sky-high valuations is foggy at best.
 
For most people, XP patches will be unobtainable through legitimate channels. Sounds like a market to me.
 
Microsoft Internet Explorer CVE-2014-0235 Memory Corruption Vulnerability
 
EMC Connectrix Manager Converged Network Edition Remote Information Disclosure Vulnerability
 
WebKit CVE-2014-1303 Heap Based Buffer Overflow Vulnerability
 
[security bulletin] HPSBHF03006 rev.1 - HP Integrated Lights-Out 2 (iLO 2) Denial of Service
 

Business Technology
Infosec and healthcare: Prescribing the right tablets. 24 April 2014 • By Joanne Frearson. Information security is a fundamental part of the healthcare research industry. Joanne Frearson talks to Sarah Lawson, head of IT at one of Oxford University's ...

 
WellinTech KingSCADA CVE-2014-0787 Stack-Based Buffer Overflow Vulnerability
 
The innovative HTC One (M8) smartphone first went on sale a month ago and appears to be attracting plenty of buyers looking to upgrade older Apple or Samsung smartphones.
 

Hector Xavier Monsegur, the hacker known as “Sabu,” became a confidential FBI informant following his 2011 arrest. But he continued to direct other hackers to attack more than 2,000 Internet domains in 2012, including sites operated by the Iranian, Syrian, and Brazilian governments.

Based on documents obtained by the New York Times, those attacks were carried out with the knowledge of the FBI agents supervising Monsegur. The Times report suggests that the data obtained in the attacks—including information on Syrian government sites—was passed to US intelligence agencies by the FBI.

The attacks, which were carried out by hacker Jeremy “Anarchos” Hammond and others, targeted sites that ran on servers managed by Plesk, a commonly used “control panel” application for shared Web hosting services. In a prison interview, Hammond—who participated in the hacking of Stratfor Global Intelligence and was later arrested based on information provided by Monsegur—told the Times that he and Monsegur had learned of a vulnerability in Plesk from another hacker. Monsegur then began feeding Hammond a list of foreign websites to attempt to exploit using the bug.

 
Check_MK CVE-2014-2331 Multiple Arbitrary File Upload Vulnerabilities
 
Check_MK CVE-2014-2332 Arbitrary File Deletion Vulnerability
 
Check_MK CVE-2014-2329 Multiple HTML Injection and Cross Site Scripting vulnerabilities
 
Check_MK CVE-2014-2330 Unspecified Cross-Site Request Forgery Vulnerability
 
3D printers may be gaining ground in the workplace, but the same isn't true for consumers, according to Juniper Research.
 
strongSwan CVE-2014-2338 Authentication Bypass Vulnerability
 
syncevolution '/src/syncevo/installcheck-local.sh' Insecure Temporary File Creation Vulnerability
 
Salesforce.com was so impressed by the Mayday customer support feature that Amazon.com rolled out for its Kindle Fire HDX tablets that it's now working to create its own version.
 
Despite its setbacks in the U.S., Huawei Technologies still expects growth from its carrier business in the nation, and is focusing on the market's smaller network operators to increase sales.
 
Reeling from the Heartbleed security fiasco, major IT vendors including Microsoft, IBM, Intel, Google and Cisco are backing a Linux Foundation initiative designed to boost open source projects considered critical to the industry.
 
The important role OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.

The open source cryptographic software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies, but it operates on a shoestring budget. OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code. Given that, perhaps we shouldn’t be surprised by the existence of Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.

 
Misli.com Android App SSL certificate validation weakness
 
Birebin.com Android App SSL certificate validation weakness
 
ZNC 'CWebAdminMod::ChanPage()' Function Denial of Service Vulnerability
 
QEMU Block Drivers CVE-2014-0143 Multiple Integer Overflow Vulnerabilities
 
QEMU CVE-2014-0147 Multiple Local Denial of Service Vulnerabilities
 
Weak firmware encryption and predictable WPA key on Sitecom routers
 
Qualcomm's activities in China could result in regulatory penalties for the chip vendor, this time from the U.S. Securities and Exchange Commission over bribery allegations.
 
[security bulletin] HPSBST03015 rev.2 - HP 3PAR OS running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBGN03011 rev.1 - HP IceWall MCRP running OpenSSL on Red Hat Enterprise Linux 6 (RHEL6), Remote Disclosure of Information
 
The toughest part about earning a Master of Science in Analytics at North Carolina State University may be deciding which job to accept.
 
AT&T, Sprint, T-Mobile and Verizon Wireless are no longer the only mobile phone games in town -- there are some great no-contract alternatives out there. Here are 16 of them.
 

Posted by InfoSec News on Apr 24

http://www.csoonline.com/article/2146363/security-leadership/self-taught-hackers-rule.html

By Taylor Armerding
CSO Online
April 23, 2014

Ilio Kolochenko, CEO of High-Tech Bridge, a Swiss information security
company, gave the keynote address on governments’ role in cybersecurity
this past Sunday at the Regional Cybersecurity Summit in Oman.

Before his speech, he talked with CSO about why self-taught hackers are
generally superior to those...
 

Posted by InfoSec News on Apr 24

http://www.nytimes.com/2014/04/24/world/fbi-informant-is-tied-to-cyberattacks-abroad.html

By Mark Mazzetti
The New York Times
April 23, 2014

WASHINGTON -- An informant working for the F.B.I. coordinated a 2012
campaign of hundreds of cyberattacks on foreign websites, including some
operated by the governments of Iran, Syria, Brazil and Pakistan, according
to documents and interviews with people involved in the attacks.

Exploiting a...
 

Posted by InfoSec News on Apr 24

http://complex.foreignpolicy.com/posts/2014/04/22/it_s_not_beijing_s_hackers_you_should_be_worried_about_it_s_moscow_s

By Shane Harris
Foreign Policy
April 22, 2014

When U.S. officials warn of the threat foreign cyber spies pose to
American companies and government agencies, they usually focus on China,
which has long been home to the world's most relentless and aggressive
hackers. But new information shows that Russian and Eastern...
 

Posted by InfoSec News on Apr 24

http://arstechnica.com/security/2014/04/bug-can-cause-deadly-failures-when-anesthesia-device-is-connected-to-cell-phones/

By Dan Goodin
Ars Technica
April 22, 2014

Federal safety officials have issued an urgent warning about software
defects in an anesthesia delivery system that can cause life-threatening
failures at unexpected times, including when a cellphone or other device
is plugged into one of its USB ports.

The ARKON anesthesia...
 

Posted by InfoSec News on Apr 24

http://www.healthcareitnews.com/news/stolen-laptops-mean-2m-mega-fines

By Mike Miliard
Managing Editor
Healthcare IT News
April 23, 2014

Serving notice that "covered entities and business associates must
understand that mobile device security is their obligation," the HHS
Office for Civil Rights has settled with two organizations for a combined
$1,975,220 penalty after their unencrypted computers were stolen.

That's a big...
 