If you use the same user name and password on multiple sites, all it takes is for one of them to get cracked, and it doesn't matter how secure your password is or how securely all the other sites store it: You are in trouble. So, you should use a different secure password for each site. Of course, trying to remember dozens or hundreds of different secure passwords borders on impossible.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
As the Internet Corporation for Assigned Names and Numbers launches a new trademark clearinghouse on Tuesday, businesses that own trademarks should consider getting involved in the program, some ICANN watchers said.
The ability to trade securities at nanosecond speeds has become a reality.
A new version of the TDL rootkit-type malware program downloads and abuses an open-source library called the Chromium Embedded Framework that allows developers to embed the Chromium Web rendering engine inside their own applications, according to security researchers from antivirus vendor Symantec.
More subscribers, networks with better coverage and devices that can be used in more countries are converging to make LTE roaming a more viable proposition, with some operators already offering such services on a limited scale and more on the way.
Microsoft will push updated versions of several long-criticized Windows 8 apps, including Mail, Calendar and People, the "Modern"-style program for keeping track of contacts, to the Windows Store tomorrow.
Safari dominates the mobile browser market despite Android smartphones and tablets outselling iOS devices by wide margins. Which mobile browser do you use most often?

Initially, most IPv6 deployments will be Dual Stack. In this case, a host is able to connect via IPv4 and IPv6. This raises the question of which protocol is preferred and, if multiple addresses are possible, which source and destination address are used. RFC 6724 describes the current standard for how addresses should be selected, but operating systems and applications, in particular browsers, do not always obey this RFC.

Let's consider a case where a web browser attempts to connect to a web server. Initially, the browser resolves the web server's host name. The reply may include multiple IPv4 and IPv6 addresses, and the browser needs to select one destination address from the set of addresses returned. RFC 6724 offers a number of rules to accomplish this selection. I don't want to recite the detailed rules (which are a bit hard to parse and best left to the original RFC), but instead focus on the rules that are used in current operating systems and can explain some behavior seen in connections:

Rule 1: Rule one allows the operating system to maintain a list of addresses that turned out to be unreachable in the past. OS X, for example, does so. This rule takes into account that some connections may use tunnels or other mechanisms that make IPv6 (and later maybe IPv4) less stable. However, if an address once turned out to be bad and got blacklisted, it remains unused even if connectivity is later repaired.

Rule 7: To continue with unstable tunneling mechanisms, Rule 7 prefers native connectivity over tunneled connectivity. A native IPv4 address is preferred over an automatically configured 6-to-4 tunnel with a 2002::/16 prefix. Teredo, another tunnel mechanism, was for example never meant to be preferred over IPv4 and is considered a connection of last resort. But for other tunnels it may not be obvious that they are tunnels (e.g. statically configured tunnels), and they are treated as native addresses.
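As an added illustration (not code from the diary or from any operating system), the following Python orders a resolver's answer by just the two rules discussed above: Rule 1 sinks addresses the OS has marked unreachable, and Rule 7 ranks native addresses ahead of 6to4 (2002::/16) and Teredo (2001::/32) last. The sample addresses are constructed from documentation prefixes; the RFC's remaining rules are not implemented here, so native IPv4 and native IPv6 simply keep the resolver's order.

```python
import ipaddress

# Prefixes of the two automatic tunnel mechanisms the diary mentions.
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")


def tunnel_rank(addr):
    """Rule 7 approximation, lower is preferred:
    0 = native (IPv4, or IPv6 that does not look like a tunnel; a statically
        configured tunnel is indistinguishable here, as the diary notes),
    1 = 6to4, 2 = Teredo (the connection of last resort)."""
    if addr.version == 4:
        return 0
    if addr in TEREDO:
        return 2
    if addr in SIX_TO_FOUR:
        return 1
    return 0


def order_destinations(candidates, unreachable=frozenset()):
    """Order resolver results by Rule 1, then Rule 7.
    candidates: address strings returned for the host name.
    unreachable: addresses the OS marked bad earlier (Rule 1); they move to
    the end and stay there until they are removed from the set.
    Native IPv4 and native IPv6 tie here (the RFC's other rules, not
    implemented in this example, would break that tie)."""
    addrs = [ipaddress.ip_address(c) for c in candidates]
    canonical_bad = {str(ipaddress.ip_address(u)) for u in unreachable}

    def key(a):
        return (1 if str(a) in canonical_bad else 0, tunnel_rank(a))

    # sorted() is stable, so equal keys keep the resolver's order.
    return [str(a) for a in sorted(addrs, key=key)]


if __name__ == "__main__":
    # Constructed sample answer: 6to4, Teredo, native IPv6, native IPv4.
    answer = ["2002:c000:204::1", "2001:0:53aa:64c:0:1234:5678:9abc",
              "2001:db8::1", "192.0.2.4"]
    print(order_destinations(answer))
    print(order_destinations(answer, unreachable={"2001:db8::1"}))
```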

In addition, applications may try to recover from a bad address choice on their own. This algorithm is usually referred to as Happy Eyeballs, and Chrome is probably the most prominent implementation of it at this point. Normally, the preferred address pair is determined using an algorithm like the one outlined in RFC 6724, and a connection is attempted. Only after the connection has timed out (which can take a while) is the respective address considered unreachable and a different address used. Chrome, on the other hand, waits only 300 ms before considering an address bad. In addition, the address is not added to a blacklist; instead it may be attempted again for the next connection. The result is that Chrome may flip back and forth between IPv4 and IPv6 as it connects to retrieve multiple pages from a dual stack web server. This can, for example, make it more difficult to analyze logs or conduct network forensics.

Happy Eyeballs is defined in more detail in RFC6555. It suggests not giving up too quickly on the IPv6 connection to avoid wasted network bandwidth. The recommended timeout per this RFC is 150-250 ms.
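The race described in the two paragraphs above, as an added example rather than Chrome's or the diary's own code: the preferred address is tried first, the next one is started after a short fallback delay (0.25 s here, the top of the RFC 6555 range; Chrome's 300 ms would be a different argument), the first success wins, and nothing is blacklisted, so a slow IPv6 address is tried first again on the next connection, which is exactly the back-and-forth a log analyst sees. The `connect` function is injected; `make_simulated_connect` is a constructed stand-in so the code runs offline.

```python
import threading
import time

def happy_eyeballs(candidates, connect, fallback_delay=0.25, deadline=2.0):
    """Race the candidate addresses in order, Happy Eyeballs style.
    connect(addr) -> bool is a blocking attempt (injected so this runs offline).
    An attempt gets fallback_delay seconds before the next address is started;
    0.25 s is the top of the 150-250 ms range RFC 6555 recommends.
    Returns (winning address or None, addresses attempted). No blacklist is kept."""
    lock = threading.Lock()
    state = {"winner": None, "failed": 0}
    wake = threading.Event()  # set whenever an attempt finishes, good or bad
    started = []

    def attempt(addr):
        ok = connect(addr)
        with lock:
            if ok and state["winner"] is None:
                state["winner"] = addr
            elif not ok:
                state["failed"] += 1
        wake.set()

    for addr in candidates:
        started.append(addr)
        threading.Thread(target=attempt, args=(addr,), daemon=True).start()
        wake.wait(fallback_delay)  # returns early on success or failure
        wake.clear()
        with lock:
            if state["winner"] is not None:
                break

    # Earlier attempts may still be in flight; give them until the deadline.
    end = time.monotonic() + deadline
    while time.monotonic() < end:
        with lock:
            if state["winner"] is not None or state["failed"] == len(started):
                break
        wake.wait(0.05)
        wake.clear()
    return state["winner"], started

def make_simulated_connect(behaviour):
    """Constructed stand-in for a TCP connect(): behaviour maps
    address -> (delay in seconds, whether the connection succeeds)."""
    def connect(addr):
        delay, ok = behaviour[addr]
        time.sleep(delay)
        return ok
    return connect
```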

References:
RFC6555: http://tools.ietf.org/html/rfc6555
RFC6724: http://tools.ietf.org/html/rfc6724

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

A single nanowire can capture 15 times more energy from the sun than standard metal conductors, according to scientists from the Nano-Science Center at the Niels Bohr Institut, Denmark.
LinkedIn has revamped its search engine with changes intended to make it easier for members to find information on the business networking site, whose volume of content has increased and grown more diverse in recent years.
An exploit for MongoDB which allows code to be remotely injected and executed is in the wild, and a Metasploit module is coming. MongoDB 2.4 is immune because of its switch to the V8 JavaScript engine.

mod_ruid2 CVE-2013-1889 Security Bypass Vulnerability
[slackware-security] php (SSA:2013-081-01)
Oracle is filling out its product stack for communications with the acquisition of Tekelec, which provides network signaling, policy control and subscriber data management software for mobile data networks. Terms of the deal, which is expected to close in the first half of this year, were not disclosed.
As these words are being written, an Austrian citizen is held captive in Yemen, the attack on the Amenas gas complex in Algeria has claimed a toll of 37 foreigners including three Americans, and reports suggest homicides in Mexico are on the rise (86 at the Estado de Mexico in January, 2013 alone).
Nokia said on Monday it is not prepared to license any of its patented technologies that might be essential to the VP8 video codec that is backed by Google.

Follow Monday! Five infosec pros who stand out
CSO (blog)
He's also done a lot to build up the infosec community, spearheading the Security Twits and Beansec for a time. 5.) @pauldotcom: Paul Asadoorian, product evangelist at Tenable Network Security, is perhaps best known for his weekly podcast, which I've ...

Apple has acquired mapping startup WiFiSlam, which is developing an indoor location service for smartphones, Apple said Monday.
Apple is in the midst of another public relations battle in China and is trying to clarify its warranty policies, as local-state controlled press continue to slam the U.S. company for allegedly offering subpar warranty services to Chinese customers.
The Apache Software Foundation (ASF) has approved CloudStack as a top-level project (TLP), helping the open-source cloud software effort further establish its independence from Citrix, which acquired the program's codebase in its 2011 purchase of Cloud.com.
As businesses make more use of social networks, the number of engagement, analysis and monitoring tools has exploded. Enterprises are trying to understand their return on social media investments, to find out if their Twitter and Facebook marketing campaigns are actually delivering customers. They want to track social mentions across multiple networks and be responsive to both kudos and complaints.
Dell has received two counter-offers related to its plans to go private, with rival bids coming in from private equity fund manager Blackstone and entities associated with investor Carl Icahn.
Mobile-based browsing has tripled in the last two years, and is making significant inroads on traditional Internet access from personal computers, according to statistics from a Web metrics company.
LinuxSecurity.com: New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.
LinuxSecurity.com: Several security issues were fixed in the kernel.
The NSA's Cryptolog archive, "Wipe the drive", piracy in armament circles, keeping phishers busy, a crusade against malware, and chatty encryption checking – just some of the things that caught The H's eye over the past seven days

Oracle Java SE CVE-2013-1485 Security Bypass Vulnerability
Despite all the talk about the economic recovery, the IT purse strings are still pretty tight, at least based on an informal poll of practitioners at the recent Network World IT Roadmap conference in Chicago.
Shaw reviews Roku's Roku 3 Internet streaming TV box and Jabra's Revo wireless headphones.
An incorrect bracket in the program code of NetBSD causes systems to generate weak cryptographic keys. OpenSSH server keys are particularly affected.

Drupal Views Module Cross Site Scripting Vulnerability
The online ad industry has attacked Mozilla over its decision to block third-party cookies in a future release of Firefox, calling the move "dangerous and highly disturbing," and claiming that it will result in more ads shown to users.
Fujitsu has paid $1.2 billion into its pension funds for current and former U.K. employees, and renegotiated cuts to ongoing pension contributions, freeing up cash to grow other areas of its U.K. business, the company said Monday.
The schism between Python 2.x and 3.x and other deficiencies frustrate its enthusiastic developer community
Microsoft Internet Explorer CVE-2013-0093 Use-After-Free Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-0092 Use-After-Free Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-0089 Use-After-Free Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-0094 Use-After-Free Remote Code Execution Vulnerability
Boston residents are using city-provided apps to improve municipal operations, and South Bend, Ind., is using sensors to detect sewer problems.
Intel has expanded a BYOD program that it calls a resounding success, providing around 5 million hours of annual productivity gains last year.
Employers are having a hard time finding the Linux talent they need, and they're holding on to the pros they already have.
It's clear that hardware makers are experimenting far more with Windows devices than Apple is with the iPad. But does that herald a revival of the PC?
For once, security isn't an afterthought, as the R&D department plans its own sandbox for testing the company's software products.
There's a maxim in the data center business that you can't manage what you can't measure, and eBay has come up with a new measurement for doing both.
Service interruptions seem unavoidable as companies move to the cloud. Here are four areas you should manage well if you're going to be dependent on cloud computing.
OpenStack gained some momentum when IBM decided to use it as the foundation of its cloud services, but the three-year-old technology may not have experienced its rapid rise without NASA.
Facebook COO Sheryl Sandberg's belief that the women's revolution has 'stalled' and that 'men still run the world' may hold true in IT.
The number of new undergraduate computer science majors at Ph.D.-granting U.S. universities rose by more than 29% last year, an increase that the Computing Research Association called 'astonishing.'
Novell Messenger Client CVE-2013-1085 Buffer Overflow Vulnerability
WellinTech KingView CVE-2012-4711 Memory Corruption Vulnerability
OpenCart 'filemanager.php' Multiple Directory Traversal Vulnerabilities
Mutiny CVE-2012-3001 Command Injection Vulnerability

Posted by InfoSec News on Mar 25


By Nate Anderson
Ars Technica
Mar 24 2013

At the beginning of a sunny Monday morning earlier this month, I had never
cracked a password. By the end of the day, I had cracked 8,000. Even though I
knew password cracking was easy, I didn't know it was ridiculously easy—well,
ridiculously easy once I overcame the urge to bash my laptop with a
sledgehammer and...

Posted by InfoSec News on Mar 25


BBC News Asia
22 March 2013

Officials in South Korea say they incorrectly linked a Chinese IP address to a
cyber-attack earlier this week.

On Thursday, the Korean Communications Commission said it had traced the attack
to an internet address in China, although the identity of those behind the
attack could not be confirmed.

But it said further investigation showed the malware came from a local...

Posted by InfoSec News on Mar 25


The Times of Israel
March 24, 2013

In an unsettling announcement, the hacker group known as Anonymous and
affiliates proclaimed over the weekend that they had broken into the Mossad’s
servers and stolen the names and personal details of top IDF officials,
politicians and, especially, Mossad agents. But those claims are inflated, to...

Posted by InfoSec News on Mar 25


The New York Times
March 24, 2013

WASHINGTON — In the eighth grade, Arlan Jaska figured out how to write a simple
script that could switch his keyboard’s Caps Lock key on and off 6,000 times a
minute. When friends weren’t looking, he slipped his program onto their
computers. It was all fun and games until the...

Posted by InfoSec News on Mar 25


By Jackie Campo
World Radio Switzerland
22 March, 2013

The corporate espionage case involving Nestle, Securitas and Attac is closed.

Nestle and Securitas have waived their right to appeal after being found guilty
of unlawfully obtaining information on employees of anti-globalization
organization Attac.

Nestle was found guilty earlier this year of spying...
Linux Kernel Netlink Interface CVE-2013-1873 Multiple Information Disclosure Vulnerabilities
Linux Kernel KVM CVE-2013-1798 Denial of Service Vulnerability
ZeroClipboard 'ZeroClipboard10.swf' Cross Site Scripting Vulnerability
Twit Cleaner is a popular web app that has been used by hundreds of thousands of Twitter users to clear deadwood from their accounts.
mimeTeX Multiple Stack Buffer Overflow Vulnerabilities
mimeTeX Multiple Information Disclosure Vulnerabilities