Information Security News

It has been reported that Bitcoin mining malware has been found in the Google Play store. If your battery is draining faster than usual, your phone maybe running a copy of the BadLepricon Bitcoin mining malware. "The malware comes in the form of a wallpaper app. Google promptly removed five of these applications after we alerted them to the issue. The apps had between 100-500 installs each at the time of removal."[1]

[1] https://blog.lookout.com/blog/2014/04/24/badlepricon-bitcoin/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

To be as competitive as possible more organizations today are creating more agile development and operations teams who are collaborating more closely together than before -- and moving more applications and more application updates than ever before as a result. Some are moving many dozens of updates and infrastructure changes a day.

Stanford University network engineers have unveiled a refreshingly enlightened password policy. By allowing extremely long passcodes and relaxing character complexity requirements as length increases, the new standards may make it easier to choose passwords that resist the most common types of cracking attacks.

Students, faculty, and staff can use passwords as short as eight characters, but only if they contain a mix of upper- and lower-case letters, numbers, and symbols, according to the policy, which was published last week on Stanford's IT Services website. Even then, the short passwords must pass additional checks designed to flag common or weak passcodes (presumably choices such as "[email protected]", which can usually be cracked in a matter of seconds). The standards gradually reduce the character complexity requirements when lengths reach 12, 16, or 20 characters. At the other end of the spectrum, passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case.

Ars hasn't tested the new system to ensure commonly used phrases found in the Bible, on YouTube, or myriad other places are automatically rejected. As Ars reported in October, even when such passphrases contain 40 or more characters, they are becoming increasingly susceptible to "off-line" cracking. Such attacks scrape popular websites and books, carve up the text into different phrases or sentences, and use them as guesses when cracking cryptographic hashes found in compromised password databases.

Read 5 remaining paragraphs | Comments

A group of Stanford students have created a working prototype of a 3D printer head that lays down sensors and circuitry along with thermoplastics to create functioning electronic devices.

Game consoles helped Advanced Micro Devices pick up market share in x86 processors during the first quarter of this year, while rival Intel's share dipped slightly.

[security bulletin] HPSBMU02994 rev.3 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information

U.S. officials applauded the outcome of this week's NETmundial conference on Internet governance while downplaying its strong language on surveillance and disagreements on net neutrality.

Bluetooth 4.1, due out by the end of the year, will directly connect devices to cloud services.

Opera Web Browser 'dtoa()' Remote Code Execution Vulnerability

You say you want more from your IT outsourcing service provider, yet you fall back on the same old negotiating tactics. To find out how to develop a more collaborative relationship with service providers, CIO.com talked Kate Vitasek, who wrote the book on the subject.

A mega-battle is brewing between corporate giants such as AT&T, Google and Time Warner Cable to build Wi-Fi hotspots in U.S. cities connected to massive gigabit fiber-optic or fast networks of cable providers.

LinuxSecurity.com: Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]

LinuxSecurity.com: Security Report Summary

KDE KDELibs 'dtoa()' Remote Code Execution Vulnerability

MATLAB 'dtoa' Implementation Memory Corruption Vulnerability

Farmers in southwest Georgia's Flint River Valley could one day get accurate, hyperlocal weather forecasts just for their individual farms up to three days in advance.

IBM almost fell apart in the 1980s because it treated its customers like cash machines and not, well, customers. Oracle (and Sun) happily swept in to take this business. Now Oracle customers increasingly feel a similar squeeze -- and guess who's ready to take advantage of that?

Now that Microsoft has finally closed its acquisition of Nokia's devices and services business the company needs to accelerate efforts to attract more developers, help cut the cost of smartphones running Windows Phone and make sure its new employees feel welcome.

Oracle Java SE CVE-2014-0464 Remote Security Vulnerability

Oracle Java SE CVE-2014-2401 Remote Security Vulnerability

[security bulletin] HPSBMU03017 rev.2 - HP Software Connect-IT running OpenSSL, Remote Disclosure of Information

[security bulletin] HPSBMU03023 rev.1 - HP BladeSystem c-Class Virtual Connect Support Utility (VCSU) running OpenSSL on Linux and Windows, Remote Disclosure of Information

Critics have derided Microsoft's $7.5 billion acquisition of Nokia's Devices and Services business but the deal may be closing at the perfect moment -- during a slowdown in smartphone innovation.

Oracle Java SE CVE-2014-2412 Remote Security Vulnerability

ISACA introduces Cybersecurity Nexus program to help fill the infosec skills gap
Network World
Network World - Every organization that has recently tried to recruit and hire qualified information security professionals knows it's a tough environment for hiring. The demand for cybersecurity professionals has grown more than 3.5 times faster than ...

Firing a worker for not reporting a lost or stolen tablet or smartphone may seem extreme, but at some companies things have come to that. How can CIOs get workers to take BYOD policies seriously?

CoDeSys CVE-2012-6069 Directory Traversal Vulnerability

[CVE-2014-2715] Cross-site scripting (XSS) vulnerability in Videowhisper

Depot WiFi v1.0.0 iOS - Multiple Web Vulnerabilities

CSG Invotas to Participate in InfoSec Europe 2014
Business Wire (press release)
Infosecurity Europe is Europe's number one information security event. It features more than 325 exhibitors, the most diverse range of new products and services, an unrivalled education program, and over 13,000 unique visitors from every segment of the ...

and more »

Microsoft today officially closed its $7.2 billion acquisition of Nokia's handset business, welcoming approximately 30,000 new employees to its rolls.

Linux Kernel CVE-2013-7339 NULL Pointer Dereference Local Denial of Service Vulnerability

Mozilla plans to more strictly enforce industry best practices for SSL certificates in future versions of Firefox with a new certificate verification system.

A global Internet governance conference in Brazil concluded Thursday with a strong focus on countering surveillance, including asking for a review of the implications on privacy of existing practices and legislation.

How do you find the best food recipes or clothing on Pinterest that's just right for you? The site thinks it has a way.

[SECURITY] [DSA 2906-1] linux-2.6 security update

[SECURITY] [DSA 2912-1] openjdk-6 security update

[security bulletin] HPSBST03016 rev.1 - HP P2000 G3 MSA Array Systems, HP MSA 2040 Storage, and HP MSA 1040 Storage Remote Disclosure of Information

[security bulletin] HPSBMU02895 SSRT101253 rev.2 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code

Now that Google's Vic Gundotra, a senior vice president and the head of Google+ is leaving the company, changes are likely afoot at the social network he championed since its inception, industry analysts said.

Download this companion to our story, to more easily follow along tricks, tips and code.

Some Excel tips and tricks for manipulating dates, and for getting data into the format you need, are also ready for your R pleasure.

Apple isn't disclosing details about its Maiden, N.C., data center operations, except at the 30,000-foot level, so it's unknown at exactly what temperatures it's operating. But it is possible to estimate a range.

We can do things now to make things a little easier should we face another widespread security defect in code like OpenSSL.

Help Net Security

Infosec problems create stress for IT departments
Help Net Security
A new IT Admin Stress Survey from GFI Software revealed that 68% of IT staff are actively considering leaving their current role due to job-related stress, despite apparent economic and staffing improvements in many businesses across the country.

and more »