Hackin9
LinuxSecurity.com: Multiple vulnerabilities have been reported in Chromium and V8, some of which may allow execution of arbitrary code.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in ProFTPD, the worst of which may lead to remote execution of arbitrary code.
 
LinuxSecurity.com: Multiple vulnerabilities have been reported in MoinMoin, the worst of which may allow execution of arbitrary code.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in GNU ZRTP, some of which may allow execution of arbitrary code.
 
LinuxSecurity.com: Updated ruby193-puppet packages that fix three security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated puppet packages that fix several security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: An updated rtkit package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in Django.
 
LinuxSecurity.com: Samba could be made to hang if it received specially crafted network traffic.
 
LinuxSecurity.com: It was discovered that PyOpenSSL, a Python wrapper around the OpenSSL library, does not properly handle certificates with NULL characters in the Subject Alternative Name field. [More...]
 

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Ubuntu 'rtkit' Package CVE-2013-4326 Local Security Bypass Vulnerability
 
Django CVE-2013-1443 Denial of Service Vulnerability
 
Citrix updated its cloud computing strategy, saying that its platform -- which is based on the Apache CloudStack project -- can span both private on-premises deployments and public clouds and is the only one in the market that takes an application-centric approach to architecting clouds.
 
Though consumers are a big target audience for the new Surface 2 tablet, Microsoft is also hoping to woo businesses with features that could make the device easier to secure and manage in IT environments.
 
Doing battle in the $9 billion Unix server market is not for the timid. Designing a competitive microprocessor is a costly business, and with the Unix market seemingly in permanent decline, it's easy to see why smaller players might drop out.
 
Dell's XPS 10 tablet models with Windows RT have been removed from the company's website, which analysts said could leave Microsoft as the only vendor selling ARM-based tablets running versions of Windows RT.
 
Although already known for being easy to use, the Python programming language has gotten another boost in usability thanks to a new free graphical editor from development software provider JetBrains.
 
Larry Ellison had a choice on Tuesday afternoon: watch a crucial race for his America's Cup sailing team or deliver a keynote to thousands of customers and partners at Oracle OpenWorld. In the end, the Oracle CEO stayed down by the water.
 
AT&T offered more Wi-Fi coverage to international roaming customers on Tuesday through a deal with Fon, the Spanish crowdsourced wireless provider that lets users share their Wi-Fi with other Fon members.
 
Another day, another cloud app gets stung by a bug. Microsoft's SkyDrive cloud storage service began malfunctioning on Tuesday afternoon, a day after Google's Gmail got tripped by a network breakdown.
 
Cisco Unified Computing System CVE-2012-4089 Local Command Injection Vulnerability
 
An app that purportedly spoofed a Mac so that Android smartphone and tablet owners could send and receive text-like messages through Apple's iMessage service disappeared today from the Google Play app store.
 
A Virginia Tech official Tuesday blamed human error for a data breach that may have exposed sensitive data on about 145,000 people who applied online for jobs at the school over the past 10 years.
 

Wisegate Announces Key Results of First Security Benchmark Survey ...
4-traders (press release)
It includes a range of topics from company security posture to current security policies and procedures, InfoSec involvement in IT operations and CISO career challenges. "By publishing the results of the first IT Security survey developed by senior ...

 
BlackBerry said it will be at least next week until it relaunches the BlackBerry Messenger service for Android and iOS.
 
Oracle is offering a series of new services that position it as a one-stop shop for all things cloud and directly target the likes of Amazon Web Services and Salesforce.com.
 
UCLA researchers reported this week that they have created a light-emitting electronic display that can be stretched, folded and twisted, while remaining lit and snapping back into its original shape.
 

Ars expressed surprise on Monday that a hacker was able to bypass fingerprint protection less than 48 hours after its debut in Apple's newest iPhone, but not everyone felt the same. The hack, carried out by well-known German hacker Starbug, required too much expertise and pricey equipment to make it practical according to critics.

Marc Rogers, a security expert at smartphone security firm Lookout, was among the skeptics. After independently devising his own bypass of Apple's Touch ID, he concluded it was anything but easy. "Hacking Touch ID relies upon a combination of skills, existing academic research, and the patience of a Crime Scene Technician," he wrote. Rogers went on to say no one would know just how feasible Starbug's hack was until he released a step-by-step video and we learned more technical details.

We now have both. Heise Online has posted the video here, and it was enough to satisfy Rob Graham, a security expert who donated $500 to the first person to hack Touch ID. Ars has also heard directly from Starbug, who like us and several security experts, was surprised how little time and effort his bypass required.


This is a "guest diary" submitted by Doug Burks. We will gladly forward any responses or please use our comment/forum section to comment publicly.

I recently announced the new Security Onion 12.04.3:
http://securityonion.blogspot.com/2013/09/security-onion-12043-iso-image-now.html
 
What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
 
Can I see it in action?
The video and slides from my recent BSidesAugusta presentation are available:
http://www.youtube.com/watch?v=l7TSGHvsPJA
https://docs.google.com/uc?export=download&id=0BzQ65xrcMwNEVnhYZ0pOeXB4ejA
 
I also just published a series of walkthrough videos as well:
https://www.youtube.com/watch?v=dyLbgrdagaA&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe
 
How do I get it?
Download our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server) 32-bit or 64-bit, add our PPA and install our packages.  Please see our Installation guide for further details:
https://code.google.com/p/security-onion/wiki/Installation
 
Lots o' Logs
If you connect Security Onion to a tap or span port, it will generate lots of logs out of the box:
- NIDS alerts from Snort or Suricata
- Bro conn.log (session data)
- Bro dns.log - all DNS transactions seen on your network
- Bro http.log - all HTTP transactions seen on your network
- Bro notice.log - events of interest
- Bro ssl.log - SSL cert details
- and many more!
 
In addition, you can install OSSEC agents on other boxes on your network and point them to the OSSEC Server that's already running on Security Onion.  You'll then get the raw logs from those OSSEC agents and you'll also get HIDS alerts as the OSSEC Server analyzes those logs.  For those devices that can't run an OSSEC agent, you can point their syslog to the syslog-ng collector on Security Onion.
 
How do we manage all those logs?
ELSA is a great tool for hunting through your logs.  Martin Holste, the author of ELSA, describes it like this:
"ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web."
 
Take a look at the following ELSA video to see how you can slice and dice your logs very quickly and easily:
https://www.youtube.com/watch?v=d4rINH22MYo&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe&index=10
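As an added example, not part of Doug Burks's diary or of the Security Onion project's own code, here is a small Python parser for the Bro conn.log session records listed above, plus a first-pass hunt of the kind you would otherwise run as an ELSA query; the conn.log sample is constructed, and the duration and byte thresholds are assumptions.

```python
"""Parse Bro conn.log (session data) and pick out sessions worth hunting."""
from collections import defaultdict

# Constructed sample in Bro's tab-separated ASCII log format (not a real capture).
# A real conn.log carries more columns; the parser reads whatever #fields lists.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring",
    "1380000000.1\tCab1\t10.1.1.5\t51234\t93.184.216.34\t80\ttcp\thttp\t0.8\t512\t2048\tSF",
    "1380000001.2\tCab2\t10.1.1.5\t51235\t203.0.113.9\t443\ttcp\tssl\t7200.0\t9000000\t4096\tSF",
    "1380000002.3\tCab3\t10.1.1.7\t53011\t10.1.1.1\t53\tudp\tdns\t0.01\t60\t120\tSF",
    "1380000003.4\tCab4\t10.1.1.7\t53012\t198.51.100.77\t4444\ttcp\t-\t-\t-\t-\tS0",
    "#close\t2013-09-24-00-00-04",
])


def parse_conn_log(text):
    """Return one dict per connection record; Bro's '-' (unset) becomes None."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]      # column names follow the tag
            continue
        if line.startswith("#") or not line.strip():
            continue                           # #separator, #types, #close, blanks
        if fields is None:
            raise ValueError("data row before #fields header")
        values = [None if v == "-" else v for v in line.split("\t")]
        records.append(dict(zip(fields, values)))
    return records


def _num(value, cast=float):
    return cast(value) if value is not None else 0


def bytes_out_by_dest(records):
    """Total bytes each originator sent to each responder (upload volume)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["id.orig_h"], r["id.resp_h"])] += _num(r["orig_bytes"], int)
    return dict(totals)


def hunt(records, min_duration=3600.0, min_orig_bytes=1_000_000):
    """Sessions a hunter would look at first (thresholds are assumptions):
    long-lived or heavy-upload sessions, and unanswered SYNs (conn_state S0)
    to a port where Bro identified no service."""
    hits = []
    for r in records:
        dur, out = _num(r["duration"]), _num(r["orig_bytes"], int)
        if dur >= min_duration or out >= min_orig_bytes:
            hits.append((r["uid"], "long-lived or large upload"))
        elif r["conn_state"] == "S0" and r["service"] is None:
            hits.append((r["uid"], "unanswered SYN to unrecognised service"))
    return hits
```

The uid in each hit is the value to pivot on in the matching http.log, ssl.log or dns.log entries.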
 
----
Doug Burks
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! 
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks Discount Code "ISC-Memphis"
 
 
[SECURITY] [DSA 2763-1] pyopenssl security update
 
The Chinese government may be about to ease up on its policy of censoring its citizens.
 
CVE-2013-5118 - XSS Good for Enterprise iOS
 
The U.S. Congress should appoint an independent committee to investigate possible surveillance abuses by the U.S. National Security Agency, two high-profile former senators said Tuesday.
 
Apple quietly refreshed its iMac desktop computer line with Intel's newest quad-core "Haswell" processor, faster solid-state storage options and support for the 802.11ac wireless standard.
 
In a move to jump ahead of other enterprise platform as a service providers, Red Hat will augment its OpenShift offering with a suite of middleware to ease the process of deploying cloud-based applications.
 
Cisco MediaSense CVE-2013-5502 Information Disclosure Vulnerability
 
IBM AIX CVE-2013-4011 Multiple Local Privilege Escalation Vulnerabilities
 
Cisco Tuesday unveiled its Internet of Everything router, a device intended to address the growth in Internet traffic brought about by cloud, mobile, video and machine-to-machine communications.
 
When it comes to building secure mobile applications, errors most often occur in session management. By themselves, these mistakes do not present a significant risk, but the more mistakes made, the more vulnerable the application. And therein lies the problem: I often find several of these errors in any given app.
 
Apple last week released its latest iPhones, the high-end iPhone 5S and midrange iPhone 5C. Among the most notable features is the iPhones' iSight camera. The new iPhone 5S has an 8MP camera, which is the same megapixel count as last year's iPhone 5. But Apple says the new device has "a redesigned camera sensor that allows for bigger pixels. Bigger pixels equal better photos. And better photos are precisely what inspired the advancements we made with the new iSight camera on iPhone 5s."
 
Plug-ins based on the NPAPI architecture will be blocked by default in Chrome starting early next year as Google moves toward completely removing support for them in the browser.
 

Study highlights the ups and downs of infosec management
CSO
September 24, 2013 — A new study from Harris Interactive, sponsored by identity and access management firm Courion, offers some interesting insight into the risk profile of more than 2,000 adults. The study was commissioned by Courion to focus on ...

 
AT&T CEO Randall Stephenson Tuesday urged the FCC to move faster in reviewing the carrier's request to move to an all-IP, all wireless network nationwide.
 
Cloud storage locker Dropbox has joined Google, Microsoft, Yahoo, LinkedIn and Facebook in their quest for permission to publish the number of data requests they have received from the U.S. government, and the number of users affected by those requests.
 
A Gmail glitch that took about 10 hours to fix and hit close to 50 percent of the webmail service's users has been fixed, ending one of the longest, most widespread Gmail disruptions in years.
 

More than two years after unknown hackers gained unfettered access over multiple computers used to maintain and distribute the Linux operating system, officials still haven't released a promised autopsy about what happened.

The compromise, which began no later than August 12, 2011, wasn't detected for at least 16 days, a public e-mail and interviews immediately following the intrusion revealed. During that time, attackers were able to monitor the activities of anyone using the kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers.

For three weeks in September and early October, officials kept kernel.org closed so the servers that run it could be rebuilt. When the site reopened on October 4, a message on the front page prominently warned of the breach and noted the steps taken to rebuild the site. "Thanks to all for your patience and understanding during our outage and please bear with us as we bring up the different kernel.org systems over the next few weeks," the message concluded. "We will be writing up a report on the incident in the future."

 
Re: DC4420 - London DEFCON - September meet - Tuesday 24th September 2013
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered in Apache HTTP Server, possibly allowing remote attackers to execute arbitrary code, cause a Denial of Service condition or perform man-in-the-middle attacks.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Subversion, allowing attackers to cause a Denial of Service, escalate privileges, or obtain sensitive information.
 
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
 
LinuxSecurity.com: LibRaw could be made to crash if it opened a specially crafted file.
 
LinuxSecurity.com: Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code. [More...]
 
Want to take a smartphone picture with high color fidelity even in poor light? Samsung Electronics has developed a new technology that it claims will deliver just that.
 
ZTE plans on launching another phone running Mozilla's Firefox OS, this time with a dual-core processor, a bigger screen, and a revamped user experience, a company executive said on Tuesday.
 

Pitfalls of Professionalizing InfoSec
BankInfoSecurity.com
Professionalizing occupations within the cybersecurity field won't necessarily help fill vacant IT security jobs in government and industry, says Diana Burley, an IT security workforce expert. Take, for instance, a cybersecurity occupation that ...

 
Apple's flagship iPhone 5S outsold the less-expensive iPhone 5C by at least 3 to 1 in the U.S. over the opening weekend, a mobile analytics company said.
 
While SAP has made no secret of its desire to lure customers running Oracle databases over to its own HANA in-memory platform, any doubt that Oracle would fight back has been erased.
 
Spam volumes took a usual seasonal drop in August, but phishing spiked, including a noticeable interest in hijacking Apple accounts.
 
The U.S. Food and Drug Administration intends to regulate only mobile apps that are medical devices and could pose a risk to a patient's safety if they do not function as intended.
 
Like countless others on Friday, columnist Michael deAgonia braved a sleepless night and long lines to get his hands on an iPhone 5S. Here's his first look at what Apple's newest phone has to offer.
 
Microsoft is entering China's gaming market with a new joint venture, the latest sign that its Xbox console will soon arrive in the country.
 
Some Twitter users were surprised Monday when they clicked a button to share content from third-party websites but instead downloaded a mysterious torrent file.
 
Facebook is moving ahead with plans to test a new mobile feature to entice more people to buy products while shopping on smaller devices such as iPhones.
 
Taiwan's HTC has infringed on two patents held by Nokia related to cellphones and tablets, a judge at a powerful U.S. trade court said Monday.
 
Sophos UTM WebAdmin Unspecified Security Vulnerability
 
Multiple IBM Products CVE-2013-4025 Local Information Disclosure Vulnerability
 
After a quick stop for some scientific testing, NASA's Mars rover Curiosity is on the move again and heading toward its ultimate destination - Mount Sharp.
 
RETIRED: WebKit Multiple Unspecified Memory Corruption Vulnerabilities
 

Posted by InfoSec News on Sep 24

http://www.techweb.com.cn/internet/2013-09-23/1327057.shtml

[Google Translate -- WK]

By Zhang Nan
Techweb.com.cn
2013.9.23

Sina Technology News September 23 afternoon, August 25 morning, China. CN
domain name resolution failure analysis of large-scale, national DNS node
denial of service attacks. National Internet Emergency Center CNCERT / CC
Operation Management Department Director Wang Minghua today revealed that
the hacker has been in...
 

Posted by InfoSec News on Sep 24

http://www.zdnet.com/charlatan-hijacks-iphone-5s-fingerprint-hack-contest-fools-press-7000020978/

By Violet Blue
Pulp Tech
ZDNet News
September 22, 2013

Just hours after we reported the crowdfunded effort to hack the iPhone 5S
fingerprint scanner, istouchidhackedyet, a shyster hijacked the contest
and got big press for it -- and has revealed to ZDNet he does not intend
to join the bounty award after all.

And some major press outlets fell...
 

Posted by InfoSec News on Sep 24

http://www.csoonline.com/article/740164/why-the-state-of-application-security-is-not-so-healthy

By George V. Hulme
CSO Online
September 23, 2013

Application security is an alarming and persistent problem: Nearly
one-third of all breaches can be attributed to attacks against web
applications, and both web application and database attacks account for
most records breached every year. That's according to the Verizon 2013
Data Breach...
 
RaidSonic IB-NAS5220 and IB-NAS4220-B Multiple Security Vulnerabilities
 

 
Internet Storm Center Infocon Status