Hackin9

In January, Naoki Hiroshima lost his Twitter handle, @N, to a hacker who used social engineering and extortion to wrest the username from him. But today Twitter restored it to him after more than a month of the username being suspended.

After @N was stolen, Hiroshima wrote a post explaining how the theft happened. Ars published the story (which originally appeared on Medium), as well as an account of a man whose more valuable @jb handle was almost hijacked using the same methods.

In Hiroshima's case, a hacker was able to obtain some credit card information from his PayPal account and used that to reset the login credentials on his GoDaddy account. Then, the thief modified several details pertaining to Hiroshima's domain so that he was unable to access his own site's information. When the thief couldn't reset the password for @N, he turned to extortion, contacting Hiroshima and demanding he reset the password to his Twitter account or suffer the destruction of his website's domains.


 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
If paychecks are any kind of a measure, then people with Linux skills are doing better than most.
 
Aerospace company Terrafugia is working on a robotic, autonomous flying car.
 
From ocean sensors to orbiting satellites, the National Oceanic and Atmospheric Administration collects about 30 petabytes of environmental data a year. Now it wants ideas about how best to use what it's collected.
 
Apple Mac OS X LaunchServices CVE-2013-5178 Remote Security Vulnerability
 
Apple today updated OS X Mavericks, plugging the embarrassing security hole the Cupertino, Calif. company left wide open in the operating system's implementation of basic Internet encryption.
 
Faster memory is a focal point in the race to boost application performance, and an industry consortium aims to make computers zippy with a new specification released on Tuesday.
 
Apple has released an update for OS X which patches the SSL vulnerability discussed by Rick on Sunday. For more information visit Apple's page about it. In addition, Apple has also released a security update for Safari and QuickTime.
 
Facebook will shutter its email service next month, and it's likely that not many people will even notice.
 
Some former supporters of a mobile phone unlocking bill in the U.S. Congress have withdrawn their support for the legislation because of a new provision added to it as it heads to the House of Representatives floor for a vote.
 
Calling it an 'on-ramp to the Internet,' Mark Zuckerberg advocates for carriers and other gatekeepers to provide free basic services for all in his first-ever keynote at Mobile World Congress.
 
One day after announcing the Galaxy S5 smartphone with a security-focused fingerprint scanner, Samsung announced that second-generation Knox software for enterprise-level security and management of Samsung devices will ship sometime in the second quarter.
 
A former Microsoft architect has founded a startup called Azuqua aimed at tackling the problem of joining together and automating business processes from multiple SaaS (software-as-a-service) applications.
 
Figure (credit: Andrew Cunningham): Visiting one of the many test sites for the "goto fail" bug in Safari in OS X 10.9.2 confirms that the problem has been fixed.

After several months of testing, Apple has released OS X version 10.9.2 to the general public. In addition to the typical laundry list of updates and security fixes, the second major update to Mavericks fixes the "goto fail" SSL/TLS bug that Apple patched in iOS 7 on Friday. The SSL bug isn't mentioned in the release notes that appear in Software Update, but the bug is mentioned on Apple's security page for 10.9.2. We were also able to confirm the fix by visiting several goto fail test sites in Safari after applying the update. Security updates for Mountain Lion and Lion have been provided as well, but previous versions of OS X were never affected by the goto fail bug in the first place—those patches will fix other problems, but users won't need to worry about the goto fail bug either way.

Apple has been criticized by members of the security community for patching the iOS flaw without providing a fix for OS X. iOS 7.0.6 was taken apart within hours of its release, demonstrating the bug to anyone who cared to look for it and leaving the unpatched OS X exposed for four days. Mac users could avoid having their communications exposed by avoiding Safari and Mail.app in favor of other applications, but any applications that use OS X's SSL implementation were still unsafe. As of this writing, working proof-of-concept attacks that exploit the bug have already appeared.

Since news of the goto fail bug broke on Friday, some people have noted the apparent irony of relying on Apple-implemented encryption to download a fix for a critical iOS and Mac crypto bug. Fortunately, those concerns turned out to be misplaced, since goto fail does nothing to break the code signing protections Apple uses to ensure only authentic updates get installed.


 
NIST's National Cybersecurity Center of Excellence (NCCoE) has proposed two new building blocks, one to help organizations develop capabilities for attribute based access control, the other to help enterprises address security issues ...
 
People will one day depend on wearable computers to monitor not just their activities but a myriad of data about their health, making the devices basically like a sixth sense.
 
Mastercard and roaming infrastructure company Syniverse have come up with a way to protect credit card transactions abroad with help from a phone's location.
 
Delays affected the delivery of messages to Gmail users Tuesday morning, days after key Google Web apps, including Docs and Drive, were hit by a bug lasting more than five hours.
 
Phone manufacturers are once again hoping improved cameras and bigger and better screens will be enough to get users to upgrade, while at the same time increasing efforts to get consumers in emerging countries to buy their first smartphone.
 

Update: Shortly after this brief went live, Apple released OS X version 10.9.2, which finally patches the critical "goto fail" bug.

It has been four days since Mac users began learning of a critical vulnerability in the latest version of OS X that gives attackers an easy way to surreptitiously circumvent the most widely used technology for preventing Internet eavesdropping. Three days ago, Apple told Reuters that it plans to release a patch "very soon," but it didn't elaborate on the details.

If it wasn't clear before, it should be painfully obvious now. The security and privacy of millions of Mavericks users depend on a patch becoming available soon. The vulnerability is taking on renewed urgency given the increasing availability of proof-of-concept code that exploits it. On Tuesday, security consultant Aldo Cortesi was the latest to create working attack code that targets the bug. Other public sites that do much the same thing include gotofail.com and this test page, which is signed with a key that doesn't match the underlying transport layer security certificate. The proliferation of code makes life easier for less-skilled hackers who may want to exploit the vulnerability maliciously.


 
Apple iOS and TV Secure Transport Connection Validation Security Bypass Vulnerability
 
Analysts were uncertain today whether the recent stretch of "go-low" moves by Microsoft means that the company has tweaked its strategy to emphasize services at the expense of devices.
 

BARCELONA, SPAIN—Here at Mobile World Congress, Silent Circle and Geeksphone have just announced more details on the Blackphone, a phone focused on security and privacy. "Blackphone" seems to be both a product and a company, as in the company Blackphone will provide updates and support for the product Blackphone. Having been cofounded by Phil Zimmerman, the creator of PGP e-mail encryption, the company has tons of security talent. Blackphone was announced about a month ago, but this is the first time we're getting details on just what the Blackphone is and how it works.

First to be announced were the specs of the Blackphone. The hardware is being built by Geeksphone, and the current specs are a 2GHz quad-core SoC, a 4.7-inch "HD" IPS screen, 2GB of RAM, 16GB of storage, 8MP rear and 1.3MP front cameras, and HSPA+ and LTE connectivity. Blackphone notes that "certain specifications are subject to change" but the Geeksphone CEO said that any change would be "better," and that the goal is to offer a premium phone. At $629 for a contract-free, unlocked phone, the cost is certainly in line with that goal. Blackphone notes that it "does not use proprietary hardware in any way," which will allow it to release source code for "as much of the Blackphone code base as possible."

While Geeksphone is handling the hardware, Silent Circle is handling the software. The Blackphone runs a Google-less version of Android called "PrivatOS." Besides removing the user-tracking Google parts, most of the Blackphone's security and privacy advantages seem to come from the integration of Silent Circle apps. The suite of apps mentioned at the event were the existing Silent Phone and Silent Text apps, and a new product called "Silent Contacts." Silent Phone and Silent Text encrypt your phone calls, text messages, and file transfers to other users of the apps.


 
[RT-SA-2014-001] McAfee ePolicy Orchestrator: XML External Entity Expansion in Dashboard
 
Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web Vulnerabilities
 

Recruiting InfoSec Pros in Tight Market
GovInfoSecurity.com
In light of the critical shortage of information security professionals, organizations must strive to become a "center for security excellence" to successfully recruit the specialists they need, says analyst John Oltsik of Enterprise Strategy Group ...

 

Cyber Defense Magazine Announces Infosec Awards Winners for #RSAC 2014
PR Web (press release)
Cyber Defense Magazine, the industry's leading electronic information security magazine and a media partner of the RSA® Conference 2014, has named winners in numerous categories for their innovations in the field of information security. While most of ...
AFORE Selected by Cyber Defense Magazine 2014 Awards as Hot Company ... (IT Business Net)

 
Samsung on Monday added the much anticipated Galaxy S5 to its flagship line of smartphones during an event at Mobile World Congress in Barcelona.
 
[SECURITY] CVE-2013-4590 Information disclosure via XXE when running untrusted web applications
 
[SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)
 
[SECURITY] CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled
 
Hollywood isn't afraid to bend the truth to tell a tale. The data centers depicted in five popular movies prove this point -- as do the ways characters get into them and steal data from them.
 
Advanced Micro Devices has optimized a version of Android for tablets and PCs containing its chips, and will sell it on new PCs through retail stores in Europe.
 
The first BlackBerry phone produced by China's Foxconn will debut in April in Indonesia, the CEO of the phone maker said Tuesday.
 
A new call for transparency about what data mobile apps are retaining sounds fine and noble, but too many companies don't even know what their apps know about consumers.
 
Julie Larson-Green, the Microsoft executive who co-led Windows development as recently as last summer and now heads the company's hardware efforts, will move to the group responsible for Office, where she once worked, according to an internal email obtained by the website GeekWire
 
Security researchers identified a vulnerability in iOS that allows apps to record all touch screen and button presses while running in the background on non-jailbroken devices.
 
BlackBerry will launch a new version of its enterprise management server software later this year that the company hopes will strengthen its business with major corporations and help turn around its fortunes.
 
Sierra Wireless has debuted the Linux-based Legato platform, which aims to simplify and accelerate the development of machine-to-machine (M2M) applications.
 
It's disturbing that Apple would release an essential fix for iOS while ignoring the exact same problem in OS X.
 
China-based Lenovo is on a roll, with the goal of becoming a globally recognized brand in nearly all shapes and sizes of computing hardware, including laptops, servers and smartphones.
 
Vendors who have been calling tablets 'the new PCs' can now prove it. The development of 64-bit mobile processors opens the door for more addressable memory and PC-like performance on tablets and smartphones.
 
From a beginner's guide to data-wrangling how-to and searchable collection of additional tutorials and videos, we've got you covered.
 
[security bulletin] HPSBMU02971 rev.1 - HP Application Information Optimizer, Remote Execution of Code, Information Disclosure
 
[security bulletin] HPSBST02937 rev.1 - HP StoreVirtual 4000 and StoreVirtual VSA Software dbd_manager, Remote Execution of Arbitrary Code
 

Posted by InfoSec News on Feb 25

http://healthitsecurity.com/2014/02/24/himss14-10-healthcare-data-security-challenges/

By Mac McMillan
Health IT Security
February 24, 2014

This week many of us will head off to the HIMSS14 annual conference in
Orlando. For some this will represent a break from this year's harsh winter
weather, for others a welcome break from the routine and a chance to see
what’s new, and for others a chance to look for that thing they have been
wanting...
 

Posted by InfoSec News on Feb 25

Forwarded from: security curmudgeon <jericho (at) attrition.org>

Says the man running EC-Council, whose website was defaced multiple times
this weekend.

: http://businesstoday.intoday.in/story/secure-coding-jay-bavisi-ec-council-nasscom-hcl/1/203605.html
:
: By Manu Kaushik
: Business Today
: February 22, 2014
:
: The National Cyber Security Policy released by Indian government last year
: aims to create a workforce of 500,000...
 

Posted by InfoSec News on Feb 25

http://www.startribune.com/business/246983121.html

By: JENNIFER BJORHUS
Star Tribune
February 24, 2014

A group of First Farmers & Merchants banks in southern Minnesota have sued
Target Corp. over alleged damages from the retailer’s data breach late
last year.

While a number of financial institutions from around the country have sued
the company since news of the data heist broke, the First Farmers &
Merchants lawsuit is believed...
 

Posted by InfoSec News on Feb 25

http://www.forbes.com/sites/andygreenberg/2014/02/25/ex-googlers-at-shape-security-get-40-million-more-to-fund-their-war-on-bots/

By Andy Greenberg
Forbes Staff
Security
2/25/2014

Shape Security spent more than two years working in secret before
officially launching its buzzy web security appliance last month. But at
its first public appearance at the RSA security conference this week, the
company is coming out of stealth with a bang.

On...
 

Posted by InfoSec News on Feb 25

http://www.wired.com/wiredenterprise/2014/02/bitcoins-mt-gox-implodes/

BY ROBERT MCMILLAN
Enterprise
Wired.com
02.24.14

Mt. Gox, once the world’s largest bitcoin exchange, has gone offline,
apparently after losing hundreds of millions of dollars due to a
years-long hacking effort that went unnoticed by the company.

The hacking attack is detailed in a leaked “crisis strategy draft” plan,
apparently created by Gox and published Monday...
 
Puppet Security Bypass Vulnerability
 

PerspecSys Wins First Annual Cyber Defense Magazine InfoSec Technologies ...
IT Business Net
MCLEAN, VA and SAN FRANCISCO, CA -- (Marketwired) -- 02/24/14 -- RSA Conference -- PerspecSys Inc., the leader in enterprise cloud data protection, today announced it has been selected by Cyber Defense Magazine as a 2014 winner in its InfoSec ...

 

Cyber Defense Magazine Announces Infosec Awards Winners for #RSAC 2014
PR Urgent (press release)
These are the First Annual Hot Companies, Best Products and Most Innovative New InfoSec Technologies Awards. Our submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC...
AFORE Selected by Cyber Defense Magazine 2014 Awards as Hot Company ... (IT Business Net)

 

Researchers said they have identified a flaw in Apple's iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control.

The vulnerability affects even non-jailbroken iPhones and iPads running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running on 6.1.x, researchers from security firm FireEye wrote in a blog post published Monday night. They said attackers could carry out the covert monitoring using an app that bypasses Apple's stringent app review process. The app uses multitasking capabilities built into iOS to capture user inputs. The blog post explained:

We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This "monitoring" app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.

Figure (credit: FireEye): iOS apps can surreptitiously record all user touch/press events in the background and send them to a remote server. Attackers can use such information to reconstruct every character the victim inputs.

Shortly before the blog post went live, FireEye published a separate brief that was quickly removed. According to an RSS reader cache that preserved the earlier post, part of it said: "FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue."


 
 
Internet Storm Center Infocon Status