Hackin9

InfoSec News

Google, Microsoft and Yahoo have remedied a cryptographic weakness in their email systems that could allow an attacker to create a spoofed message that passes a mathematical security verification.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Push-to-talk, once the killer app of Nextel's iDEN network and more recently a feature offered on certain Sprint Nextel phones, has finally made the transformation into a downloadable Android app called Sprint Direct Connect Now.
 
A finding by the U.S. International Trade Commission that Samsung infringed Apple's patents would lead to less choice and higher prices for consumers, Samsung said Wednesday after an ITC judge issued a preliminary decision against the company.
 
Scott Crawford, a research director at Enterprise Management Associates, explains how some enterprises address the risk of a trusted insider turned rogue.
 
Advanced Micro Devices hopes to brush off a slow start to compete against ARM and Intel in the Windows 8 tablet market through new customer announcements and future chips.
 
SAP is aware of widespread user discontent over the complexity involved with licensing rules and pricing for its software and is working to remedy the situation, co-CEO Jim Hagemann Snabe said.
 
Enterprises won't move quickly to adopt Windows 8, and most will wait till 2014, according to research firm Gartner.
 
Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension and is capable of modifying Web pages, downloading and executing files, hijacking accounts and bypassing two-factor authentication security features enforced by some websites.
 
Labor strikes planned for November in Portugal, Spain and Greece may force the delay or cancellation of SAP's Sapphire Now and Tech Ed conferences in Madrid.
 
The lack of an international agreement on cybercrime and terrorism is thwarting efforts to bring terrorists to justice, said a report released this week by the United Nations Office on Drugs and Crime (UNODC).
 
Microsoft will webcast the opening hour of its Windows 8 and Surface RT launch Thursday, the company said today.
 
Over the last five years or so, more organizations have used social networking sites such as Facebook and Twitter to communicate with customers. Now many organizations are taking a cue from those sites to deploy more socially minded communication and collaboration tools. Does taking a more social, collaborative approach work?
 
 
As Apple prepares to start selling its new iPad Mini, workers at a Chinese factory that manufactures the product have been enduring chemical fumes, 12-hour work shifts and alleged company mismanagement as they assemble the new device.
 
[SECURITY] [DSA 2564-1] tinyproxy security update
 
Rob covered ISO 27005 in his 17 OCT diary, which covers information security risk management. I believe as handlers for the Internet Storm Center we'd be remiss in failing to cover an incident response standard for Cyber Security Awareness Month. ISO 27035 fits the bill perfectly.


ISO/IEC 27035:2011 provides a structured and planned approach to:

1) detect, report and assess information security incidents
2) respond to and manage information security incidents
3) detect, assess and manage information security vulnerabilities
4) continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities

This International Standard cancels and replaces 2004's ISO 18044.

In our Standard Operating Procedures, I provide direct pointers to ISO 27035 as well as NIST's SP 800-61 rev 2.

Aligning your security incident management program with these two documents goes a long way toward meeting the security incident management components of ISO and/or PCI compliance. You'll definitely need to validate (with evidence) that your related activities pass muster for the audits, but well written SOPs, documented processes, good case management, and regular drills and exercises (practice) will get you there. Remember, actual incidents don't count as exercises. :-) Conduct a drill-like activity on a quarterly basis if possible, report on it, and be sure to incorporate lessons learned.
No battle plan survives contact with the enemy...but you can definitely prepare.
Cheers.
Russ McRee | @holisticinfosec
 
Hewlett-Packard CEO Meg Whitman took to the stage at Gartner's Symposium/ITxpo here Wednesday looking to convince customers that HP is on solid footing.
 
Multiple HP Products CVE-2012-3268 Multiple Information Disclosure Vulnerabilities
 
[waraxe-2012-SA#094] - Multiple Vulnerabilities in Wordpress GRAND Flash Album Gallery Plugin
 
HP/H3C and Huawei SNMP Weak Access to Critical Data
 
Microsoft Internet Explorer OnMove Use-After-Free Remote Code Execution Vulnerability
 
[SECURITY] [DSA 2563-1] viewvc security update
 
VUPEN Security Research - Oracle Java Font Processing Glyph Element Memory Corruption Vulnerability
 
VUPEN Security Research - Oracle Java Font Processing "maxPointCount" Heap Overflow Vulnerability
 

Government's Role in Information Security: Leave it to the Experts
Infosecurity Magazine
Should governments be taking an active role in developing and enforcing infosec standards? In my opinion the answer is an unequivocal 'no'. It should most certainly be left to the experienced and qualified professionals who actually know the ...

Barnes & Noble has removed PIN pad devices from all of its nearly 700 stores nationwide as a precaution after detecting evidence of tampering with the devices at 63 of its stores in eight states.
 
Although Apple on Tuesday unveiled redesigned iMac desktop computers, it has none to sell, nor is it taking pre-orders for the slimmer, higher-priced all-in-one.
 
The iPad mini doesn't arrive in stores until November 2, but we got to spend some time with one on Tuesday after Apple's media event at the California Theater in San Jose. Our conclusion: Yes, it's a small iPad--but there's more (and less) to it than that. Here are our hands-on impressions.
 
The torrents of data produced by social networks, sensors, supply chains and every imaginable device are creating thousands of new jobs, as Michael Rappa projected when he created the first master's degree program in the U.S. that's devoted to data analytics.
 
SplashData has analysed millions of passwords leaked by hackers and has come up with its annual top 25 list of the worst passwords. The list includes such gems as "jesus", "password", "monkey" and "welcome".


 
Eduserv OpenAthens SP for Java CVE-2012-5353 Security Bypass Vulnerability
 
VUPEN Security Research - Microsoft Internet Explorer "scrollIntoView" Use-After-Free Vulnerability (MS12-063)
 
VUPEN Security Research - Microsoft Internet Explorer "OnMove" Use-After-Free Vulnerability (MS12-063)
 
[security bulletin] HPSBUX02824 SSRT100970 rev.1 - HP-UX Running Java, Remote Execution of Arbitrary Code, and Other Vulnerabilities
 
Anyone you care to ask will likely--and reasonably--agree that the threats against IT systems and data are serious and organizations need to take appropriate steps to protect their infrastructure and information. But if you look at the practices actually in use at many organizations, it becomes painfully apparent that there's still a wide gulf between ideals and reality.
 
AT&T reported revenue of $31.5 billion for the third quarter of this year, flat compared to the third quarter of 2011, while net income was up slightly to $3.6 billion.
 
Samsung Telecommunications America has upgraded the TecTile application, which programs NFC stickers to automate functions on its smartphones.
 
Trusted insiders often play a role in IP theft, according to a new report. Spot the warning signs and apply the right data protection, say experts.
 
DC4420 - London DEFCON - October meet - tomorrow, Tuesday 23rd October.
 
[ MDVSA-2012:168 ] hostapd
 

Global infosec survey finds more talk - but not more action
CSO
The PWC/CSO Global Information Security Survey shows a gap persists between ideals and reality. By George V. Hulme, October 24, 2012. Anyone you care to ask will likely - and ...

As organizations continue to evaluate Hadoop for large scale data analysis, Hadoop software vendors are refining their products for enterprise use, addressing concerns around reliability and expanded use.
 
The name Foxconn has become shorthand for the human costs of building the iPhone in China, linking Apple to bad publicity about worker suicides, deaths from a plant explosion and rioting factory workers.
 
Adobe has fixed six critical vulnerabilities in Shockwave Player that could potentially be exploited by attackers to execute malicious code, via the release of version 11.6.8.638 of the software.
 
The text on Amazon's newest Kindle reads top-to-bottom and right-to-left.
 
The European Commission has made a formal statement of objections to Microsoft over the company's failure to fulfill its commitment to offer Windows users a free choice of browser in settlement of an earlier antitrust case, the Commission said on Wednesday.
 
[SECURITY] [DSA 2565-1] iceweasel security update
 
[security bulletin] HPSBHF02819 SSRT100920 rev.1 - HP, 3COM, and H3C Routers & Switches, Remote Disclosure of Information
 
[SECURITY] [DSA 2561-1] tiff security update
 
Re: [Full-disclosure] F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection
 
Samsung's Galaxy Note II is big, bright and powerful, with a number of new features. Here's an in-depth look at where it excels -- and where it falls short.
 
TrueCrypt is considered the software of choice for encrypting data. A small utility called TCHead systematically takes on this encryption.


 
RETIRED: Adobe Flash Player and AIR APSB12-22 Multiple Remote Vulnerabilities
 
RETIRED: Adobe Flash Player and AIR APSB12-19 Multiple Remote Vulnerabilities
 
RETIRED: Adobe Shockwave Player APSB12-23 Multiple Code Execution Vulnerabilities
 
Samsung's Galaxy devices don't infringe on an Apple multitouch patent that describes technology that prevents smartphone users from pushing two on-screen buttons at the same time, the Court of the Hague ruled on Wednesday. The technique used in Android is sufficiently different from Apple's patent, the judge said.
 
Hewlett-Packard's Envy X2 tablet-laptop hybrid will cost from $849.99 when it starts shipping in the U.S on Nov. 14.
 
Chinese telecommunications company Huawei has offered to provide the Australian government with access to its hardware and software source code to allay fears of backdoors in its equipment.


 
7-Zip Unspecified Archive Handling Vulnerability
 
Along with the long-rumored iPad Mini, Apple yesterday also refreshed its two best-selling Macs, the 13-in. MacBook Pro and the iMac.
 

Government's Role in Information Security: Involvement = Global Priority
Infosecurity Magazine
Hord Tipton knows a thing or two about the challenges infosec professionals face in the public sector. The executive director of (ISC)² and former CIO of the US Department of the Interior recently sat down with Infosecurity to discuss these issues ...

 
Linux Kernel iptables '--syn' Rules Security Bypass Vulnerability
 
Icecast 'error.log' Security Bypass Vulnerability
 
SAP reported Wednesday double-digit revenue growth in the third quarter, benefiting from a strong performance in the Americas and double-digit growth in the Asia-Pacific and Japan region, and high demand for its new technologies like HANA across all regions.
 
When 32-year-old Russian programmer Andrey N. Sabelnikov visited the U.S. for the first time in January, he had a surprise waiting for him.
 
Facebook, which had been in the doghouse with Wall Street since it went public, wowed investors with its third-quarter report on Tuesday, in particular with its improvements and early results in the crucial mobile market.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-4179 Use After Free Memory Corruption Vulnerability
 

Posted by InfoSec News on Oct 23

Forwarded from: nullcon <nullcon (at) nullcon.net>

Hi All,

Hello! Aloha! Namaskar! Ni Hau! Guten Tag! Privet! Salam-wale-kum!
Hej! Ahoj! Bonjour! Terve! Ciao! Konnichiva! Selamat! Barev! Jum Reap
Sour! Selamat! ahnnyeong ha se yo! Salvete! Moien! Selamat datang!
Bonswa! sain baina uu! Kasto cha! Hallo! Salaam! Witaj! Sat sri akal!
Dobro jutro! Bom dia! Zdravo! Hoezit! Kumusta ka! Li ho! Vanakkam!
Sawa dee-krap! Dobriy ranok! Adaab! Xin...
 

Posted by InfoSec News on Oct 23

http://www.federalnewsradio.com/?nid=473&sid=3085029

By Jason Miller
FederalNewsRadio.com
10/19/2012

The Homeland Security Department's Office of Cybersecurity and
Communications is expanding to five divisions from three and creating a
performance-management office.

DHS is reorganizing CS&C in light of its increased responsibilities and
improved stature in the federal and private sector cyber communities.

"Our new...
 

Posted by InfoSec News on Oct 23

http://arstechnica.com/security/2012/10/cisco-machine-gets-listed-by-blackhat-org-that-rents-out-hacked-pcs/

By Dan Goodin
Ars Technica
Oct 22, 2012

A computer running inside the corporate network of Cisco Systems is one
of about 17,000 machines that is being rented out to online miscreants
looking to get a foothold inside Fortune 500 companies, according to a
published report.

The Windows Server 2003 system uses Microsoft's Remote...
 
Intellectual property theft often involves collusion between attackers and malicious insiders, according to a study of 85 breaches conducted by Verizon.
 

Posted by InfoSec News on Oct 23

http://news.cnet.com/8301-1009_3-57538742-83/hackers-steal-customer-data-from-barnes-noble-keypads/

By Steven Musil
Security
CNET News
October 23, 2012

Hackers broke into keypads at more than 60 Barnes & Noble bookstores and
made off with the credit card information for customers who shopped at
the stores as recently as last month.

The company discovered the breach on September 14 but kept it quiet
while the FBI attempted to track the...
 

Posted by InfoSec News on Oct 23

Forwarded from: Richard Forno <rforno (at) infowarrior.org>

YAWN. More "information sharing" ideas being proposed....which makes it
what, 15 years this has been brought up regularly as a major solution to
help fix our cybersecurity problems? Didn't the IPTF, PCCIP and any
number of white papers, reports, think tanks, and such since the mid-90s
already make such recommendations? Einstein had a term[1] for doing the...
 

Posted by InfoSec News on Oct 23

http://www.independent.co.uk/news/media/press/now-piers-morgans-mirror-and-the-people-accused-of-phone-hacking-8222000.html

By Rob Hastings
The Independent
23 October 2012

Two more tabloid newspapers were dragged into the phone-hacking scandal
last night with the former England football manager Sven-Goran Eriksson
among four people intending to sue the Daily Mirror and the Sunday
People.

The former nanny to David Beckham’s children, Abbie...
 

Posted by InfoSec News on Oct 23

http://www.theglobeandmail.com/commentary/editorials/article4632711.ece

By The Globe and Mail
Oct. 23 2012

Even bankers no longer observe bankers’ hours. So it is disconcerting to
learn from Canada’s Auditor General that employees at a centre in Ottawa
responsible for monitoring cyber risks and alerting the government and
private sector to threats to critical infrastructure adhere to an 8 a.m.
to 4 p.m. weekdays-only routine. Were it...
 