Hackin9
The U.S. Department of Justice has filed its first lawsuits over counterfeit smartphone apps, charging four men who now face up to five years each in prison.
 
The $930 million in damages Samsung was ordered to pay Apple last year for infringing its smartphone patents is more than some device makers earn in a year, but for Samsung it's equal to just over 16 days' worth of profit.
 

An international law-enforcement crackdown on paid password cracking services has resulted in at least 11 arrests, including the operators of an alleged cracker-for-hire site in the US that prosecutors said compromised almost 6,000 e-mail accounts.

Mark Anthony Townsend, 45, of Cedarville, Arkansas, and Joshua Alan Tabor, 29, of Prairie Grove, Arkansas, ran a site called needapassword.com, according to court documents filed this week in federal court in Los Angeles. The site accepted user requests to hack into specific e-mail accounts hosted by Google, Yahoo, and other providers, prosecutors alleged. According to charging documents, the operators would break into the accounts, access their contents and send screenshots to the users proving the accounts had been compromised. The men would then send passwords in exchange for a fee paid to their PayPal account, prosecutors said.

"Through www.needapassword.com, defendant and others known and unknown to the United States Attorney obtained unauthorized access to over 5,900 e-mail accounts submitted by customers," a criminal information filed against Townsend stated. During the time of Tabor's involvement, needapassword.com broke into at least 250 accounts, a separate charging document claimed.


 

 
Stocks including shares of tech companies tanked on Friday mainly due to worries about slowing global economic growth, but the mixed earnings reports from IT giants did nothing to calm concerns.
 
The U.S. Federal Trade Commission has filed a complaint against a website operator that allegedly sent spam intended to trick consumers into signing up for health insurance in advance of the rollout of the Affordable Care Act.
 
The recent data breaches at Target and Neiman Marcus have once again shown that compliance with the Payment Card Industry Data Security Standard (PCI DSS) is no guarantee against an intrusion.
 
Experience chronic neck or back pain? Headaches or migraines? That expensive, ergonomic chair might be doing you more harm than good. But Voom, a mobile wellness app developed by two chiropractors, aims to tackle repetitive stress injuries.
 
Today marks the 30th anniversary of the arrival of the now-iconic Apple Macintosh computer. Columnist Ryan Faas looks back over the past three decades at some of the highlights and lowlights of the Mac's -- and Apple's -- evolution.
 
A broad outage rocked Gmail and a raft of other Google Web applications Friday afternoon, leading many affected users to flood Twitter, other social media sites and discussion forums with complaints.
 
First, Amazon dropped the price of its S3 cloud storage service by 22%. Now, Microsoft has followed suit by cutting the price for Azure by up to 50% to keep up.
 
A Romanian man was arrested this week under suspicion that he is the hacker known online as Guccifer who hacked into the online accounts of various public figures and politicians, including former U.S. Secretary of State Colin Powell and members of the Bush family.
 
Google, Comcast, AT&T and Verizon Communications ranked among the top spenders on U.S. government lobbying in 2013, with Apple and Facebook increasing their lobbying expenses significantly, according to year-end lobbying reports released this week.
 
NASA's newest Tracking and Data Relay (TDRS) satellite, which will provide high data-rate communications to space craft, went into orbit Thursday night.
 
The data breaches at Target and Neiman Marcus have re-ignited a campaign by retailers to get U.S. consumers to carry "PIN and chip" credit and debit cards instead of less-secure magnetic stripe cards. Lost in the debate are mobile payments using NFC smartphones.
 

Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst.

Apple.com was the only site to receive a perfect score of 100, which was based on 24 criteria, such as whether the site accepts "123456" and other extremely weak passwords and whether it sends passwords in plaintext by e-mail. Microsoft and academic supplier Chegg tied for second place with 65, while Newegg and Target came in third with 60. By contrast, MLB received a score of -75, Karmaloop a -70, Dick's Sporting Goods a -65, and Aeropostale and Toys R US each got a -60. Each site was awarded or deducted points on each criterion, giving a possible score ranging from -100 to 100. The study was conducted by researchers from password manager Dashlane based on the password policies in effect on the top 100 e-commerce sites from January 17 through January 22.

An epidemic of poor passwords

Amazingly, 55 percent of the sites accepted weak passwords such as "123456" and "password," while Toys R US, J.Crew, 1-800-Flowers.com, and five other sites sent passwords as plaintext in e-mails. Sixty-one of the sites provided no advice on how to create a strong password when creating an account, while only seven sites provided any type of on-screen meter to help assess the strength of a chosen password.


 

Samsung has fixed a vulnerability on at least one of its Samsung.com sites that allowed attackers to take over the account of a target by creating a lookalike user name. The vulnerability, reported by security researcher Matthew Bryant (who goes by the hacker name "mandatory"), made it possible for someone to create a username using an intended victim’s e-mail address with added trailing spaces. While this created a separate account, the attacker would then be authenticated as the targeted user when going to other subdomains within Samsung.com.

The bug, caused by the way Samsung’s Web applications pruned (or “scrubbed”) extra trailing characters off of account e-mail addresses, affected all of Samsung.com’s subdomains. But according to Bryant, Samsung has now fixed the problem on its e-commerce site—the one with the most sensitive user data.

“If your username was originally ‘[email protected]<SPACE><SPACE>,’” Bryant wrote in a blog post today, “after visiting http://shop.us.samsung.com/ it would be scrubbed to ‘[email protected]’.” While the webpage for creating new accounts prevents adding trailing spaces to user names through form validation, the spaces can be added using an HTTP intercept tool such as the Tamper Data Firefox add-on.
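The normalization mismatch Bryant describes, as an added example (not Samsung's code or Bryant's): a registration check that compares the raw username beside one that canonicalizes first. The canonicalization policy, the in-memory store and the sample addresses are assumptions for illustration.

```python
# Added example, not from the article: identifier normalization applied
# inconsistently across services (vulnerable) versus canonicalize-first (hardened).
import unicodedata
from typing import Dict, Optional


def canonicalize(identifier: str) -> str:
    """One canonical form used everywhere an account is created or looked up.
    Assumed policy: NFKC-normalize, strip surrounding whitespace, case-fold."""
    return unicodedata.normalize("NFKC", identifier).strip().casefold()


class VulnerableStore:
    """Registration compares the raw string, so 'victim@example.com  ' (trailing
    spaces submitted past client-side validation) becomes a separate account.
    A second service then 'scrubs' the session name at lookup time and
    resolves it to the victim's record."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}  # raw identifier -> owner label

    def register(self, raw: str, owner: str) -> bool:
        if raw in self.accounts:       # uniqueness tested on the raw string
            return False
        self.accounts[raw] = owner
        return True

    def lookup_on_other_subdomain(self, session_name: str) -> Optional[str]:
        return self.accounts.get(session_name.strip())  # scrubbed only here


class HardenedStore:
    """Canonicalize before the uniqueness check, store only the canonical form,
    and reject input that still carries surrounding whitespace: it could only
    have arrived by bypassing the form validation."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}  # canonical identifier -> owner

    def register(self, raw: str, owner: str) -> bool:
        if raw != raw.strip():
            return False               # tampered input, not merely untidy
        canon = canonicalize(raw)
        if canon in self.accounts:
            return False               # collides with an existing identity
        self.accounts[canon] = owner
        return True

    def lookup(self, name: str) -> Optional[str]:
        return self.accounts.get(canonicalize(name))  # same rule everywhere


def demo() -> tuple:
    """Constructed scenario: returns (lookalike created?, who the lookalike
    session resolves to on another subdomain, hardened store blocked it?)."""
    victim, lookalike = "victim@example.com", "victim@example.com  "
    v = VulnerableStore()
    v.register(victim, "victim")
    created = v.register(lookalike, "second-account")
    resolved = v.lookup_on_other_subdomain(lookalike)
    h = HardenedStore()
    h.register(victim, "victim")
    blocked = not h.register(lookalike, "second-account")
    return created, resolved, blocked
```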


 

Neiman Marcus has determined that a data breach extending from July until October of 2013 exposed as many as 1.1 million payment cards to malware, and that 2,400 cards have been used fraudulently as a result.
Neiman Marcus acknowledged the breach two weeks ago and made further details available in a statement this week.

"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system," Neiman Marcus wrote. "It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware. To date, Visa, MasterCard, and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."

The New York Times reported that "the malware installed on terminals in Neiman Marcus stores seems to be the same malware that infiltrated Target’s systems." The Target breach was much bigger, exposing credit and debit card information for about 40 million customers and a separate set of personal information on an additional 70 million customers.


 
Cisco Video Surveillance Operations Manager Unauthorized Access Vulnerability
 
LIVE555 Streaming Media 'parseRTSPRequestString()' Function Buffer Overflow Vulnerability
 
Yum 'yum-cron/yum-cron.py' Security Bypass Vulnerability
 
RubyGems Action Mailer CVE-2013-4389 Denial of Service Vulnerability
 
Hewlett-Packard has launched a set of services designed to help organizations manage their data centers more efficiently, using the principles of DCIM (data center infrastructure management).
 
Cisco NX-OS Label Distribution Protocol Message Remote Denial of Service Vulnerability
 
Security Vulnerabilities in Apache Cordova / PhoneGap
 

Top 10 Influencers in Banking InfoSec
BankInfoSecurity.com
To acknowledge individuals and organizations that are playing critical roles in shaping the way financial services organizations approach information security and privacy, BankInfoSecurity and CUInfoSecurity have announced their annual list of Influencers.

 
To celebrate the 30th anniversary of Apple's launch of its original Macintosh personal computer, the do-it-yourself iFixit website today tore apart the beige all-in-one to find out what was inside.
 
Google will again host its Pwnium hacking contest at a Canadian security conference in March, putting $2.7 million at stake to draw out researchers who can hack its browser-based operating system, Chrome OS.
 
Google Glass is just the latest technological advance to elicit fear and dread in some quarters, including law enforcement.
 
The software used by many wireless IP cameras manufactured by Foscam Digital Technologies has a vulnerability that allows remote users to access their video streams and take snapshots without proper authentication.
 
Recently I saw yet another slide presentation showcasing the decline of enterprise IT spending and the comparable increase in public cloud business. The conclusion? Enterprises just don't have money to spend and it's killing enterprise vendors.
 
LinuxSecurity.com: A regression has been found in the denyhosts packages fixing CVE-2013-6890. This regression could cause an attempted break-in to be missed by denyhosts, which would then fail to enforce a ban. [More...]
 
LinuxSecurity.com: Several security issues were fixed in OpenJDK 7.
 
LinuxSecurity.com: NSPR could be made to crash or run programs if it received a specially crafted certificate.
 
LinuxSecurity.com: NSS could be made to expose sensitive information over the network.
 
Linux Kernel 'skb_flow_dissect()' Function CVE-2013-4348 Remote Denial of Service Vulnerability
 
The use of social media as an attack vector is nothing new; we’ve all seen plenty of stories in the media of fake Facebook profiles, such as the one for American Admiral James Stavridis back in 2012 [1]. This tends to mean we’re more wary of Facebook and Twitter, but many of us still use LinkedIn, as it is a great tool to build out professional networks, tap in to like-minded groups or be stalked approached by recruiters.
 
If a LinkedIn request comes from a name you recognise, do you blindly accept the request, or do a bit of investigating first to validate it? Let’s say you are the cautious, security-minded type and check out the sender’s profile and it looks legitimate; I’m betting most of us would then accept the request and get on with our day.
 
The last couple of Diaries I’ve written have been about breaches and one of the key components of any good attack is solid reconnaissance. An adversary with a clear understanding of a company’s staff can leverage that to get a much more complete picture than any port scan or pin-point key human targets to exploit. Plenty of penetration testers [2] use social media to devastating effect and so do real adversaries.  
 
Some of you reading this will be thinking:
A) Pah! I don’t use any form of social media, so I’m safe
B) Meh, I’d never fall for any of those shenanigans, I’m too paranoid/security-minded
C) Mu-ha-ha! I use the Lynx text-only browser [3] – what is this wide wide web you speak of?
 
Well, how about the person next to you, or the head of HR, or the CEO? This blog post [4] illustrates a very smart, well thought out and executed social engineering attack using LinkedIn. LinkedIn have a very responsive security team, and here’s one way to alert them to bogus profiles [5] should you ever run in to one, but would most people pick up on a fake profile?
 
I’ll leave you with this question: How would you and your security policies counter a targeted attack like that against a senior board member?
 
 
[1] http://www.telegraph.co.uk/technology/9136029/How-spies-used-Facebook-to-steal-Nato-chiefs-details.html
[2] http://pen-testing.sans.org/blog/pen-testing/2011/11/04/the-pushpin-tool-incorporating-geolocation-info-leakage-via-social-networks-in-your-pen-tests
[3] http://lynx.browser.org/
[4] http://washingtonnote.com/john-bolton-reaches-email-beware/
[5] https://help.linkedin.com/app/safety/answers/detail/a_id/146
 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Amazon Web Services has improved the performance of its Redshift data warehouse with new SSD-based nodes, which can also lower the cost of the service as long as storage capacity needs are also low.
 
Oracle Java SE CVE-2013-5805 Remote Security Vulnerability
 
Qualcomm has acquired a large patent portfolio related to Palm, iPaq and the Bitfone device management platform from Hewlett-Packard for an undisclosed sum.
 
Neiman Marcus was unaware attackers had harvested payment card details until six weeks after the activity had ended, when its merchant processor zeroed in on a fraudulent spending pattern.
 
A new feature on Facebook designed to keep people abreast of certain topics has sparked criticism from some users who want it gone, calling it nothing more than a cheap Twitter knock-off.
 
After 10 years on Mars, NASA's rover Opportunity has discovered evidence of an ancient wet and mild environment that is much older than previously thought.
 
Prosecutors in New York have charged 13 members of a gang accused of stealing $2 million from gas station customers using Bluetooth-enabled skimmers hidden inside pump ATMs.
 
A number of CNN's social media accounts and blogs were hacked Thursday by a group styling itself as the Syrian Electronic Army.
 
Apple Pages File Processing Remote Code Execution Vulnerability
 
[CTF] nullcon HackIM 2014 will start at 24-01-2014, when the clock will strike at 11:59 (+5:30 GMT)
 
[CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)
 
[SECURITY] [DSA 2826-2] denyhosts regression update
 
[CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7
 
[CVE-2014-1607] Cross Site Scripting (XSS) in Drupal Event calendar module
 
[SECURITY] [DSA 2848-1] mysql-5.5 security update
 

Posted by InfoSec News on Jan 24

http://www.nytimes.com/2014/01/24/business/neiman-marcus-breach-affected-1-1-million-cards.html

By ELIZABETH A. HARRIS, NICOLE PERLROTH and NATHANIEL POPPER
The New York Times
JAN. 23, 2014

The theft of consumer data from Neiman Marcus appears far deeper than had
been disclosed originally, with the luxury retailer now saying that
hackers invaded its systems for several months in a breach that involved
1.1 million credit and debit cards.

The...
 

Posted by InfoSec News on Jan 24

http://www.theonion.com/articles/protect-personal-information-online,35036/

The Onion
ISSUE 50*03
Jan 23, 2014

Following the recent data breach at retail giant Target, which exposed
credit card numbers and personal information of as many as 110 million
people, many Americans have grown concerned about their safety and privacy
online. Here is The Onion’s guide to keeping your personal information
secure from hackers:

* Always log into...
 

Posted by InfoSec News on Jan 24

Forwarded from: nullcon <nullcon (at) nullcon.net>

· This is blasphemy! This is madness!
· Madness? THIS IS HACKIM!
· H4x0rs! Ready your breakfast and eat hearty, for tonight, we dine in hell!
· No retreat, no surrender. That is H4x0r law. And by H4x0r law, we will stand
and fight.. and conquer.

n00bs & haXors,

We are proud to present the sixth edition of HackIM 2014
(http://ctf.nullcon.net)
HackIM CTF will start on 24th...
 

Posted by InfoSec News on Jan 24

http://www.wired.com/opinion/2014/01/using-computer-drug-war-decade-dangerous-excessive-punishment-consequences/

By Hanni Fakhoury
Wired.com
01.23.14

Before Edward Snowden showed up, 2013 was shaping up as the year of
reckoning for the much criticized federal anti-hacking statute, the
Computer Fraud and Abuse Act ("CFAA"). The suicide of Aaron Swartz in
January 2013 brought the CFAA into mainstream consciousness, so Congress
held...
 

Posted by InfoSec News on Jan 24

http://www.itproportal.com/2014/01/22/fic-2014-french-defence-minister-calls-unified-front-against-cyber-crime/

By Paul Cooper
ITPro Portal
22 Jan 2014

Jean-Yves Le Drian, the French Minister for Defence, has called for an
international response to cybercrime, and announced the beginning of a €1
billion programme over a number of years to prepare France against the
emerging threat of cyber war.

Le Drian spoke of the need to collaborate...
 
DenyHosts 'regex.py' Remote Denial of Service Vulnerability
 