Hackin9

Posted by InfoSec News on Mar 26

http://www.zdnet.com/e-commerce-security-startup-forter-lands-3m-in-funding-from-sequoia-capital-7000027705/

By Larry Barrett
Between the Lines
ZDNet News
March 25, 2014

Forter, an Israeli security startup that provides online retailers with
real-time e-commerce fraud prevention services, secured $3 million in
Series A funding from Menlo Park, Calif.-based venture capital firm
Sequoia Capital.

In the wake of catastrophic security breaches...
 

Posted by InfoSec News on Mar 26

http://insecure.org/news/fulldisclosure/

March 25, 2014

Like many of us in the security community, I (Fyodor) was shocked last
week by John Cartwright's abrupt termination of the Full Disclosure list
which he and Len Rose created way back in July 2002. It was a great
12-year run, with more than 91,500 posts during John's tenure. During that
time he fought off numerous trolls, DoS attacks, spammers, and legal
threats from angry...
 

Posted by InfoSec News on Mar 26

http://koreajoongangdaily.joins.com/news/article/Article.aspx?aid=2986949

JoongAng Ilbo
March 26, 2014

The Ministry of Science, ICT and Future Planning said yesterday it
confirmed that hackers accessed KT’s website more than 12 million times
over the past three months.

The ministry announced the results of a public-private task force
investigation into KT’s massive personal information leak.

The investigation found similar...
 

Posted by InfoSec News on Mar 26

http://www.au.af.mil/au/ssq/digital/pdf/spring_2014/Libicki.pdf

Strategic Studies Quarterly (SSQ)
The Strategic Journal of the United States Air Force
Volume 8, Issue 1 - Spring 2014
By Martin C. Libicki

Even assuming the cyber domain has yet to stop evolving, it is not clear a
classic strategic treatment of cyber war is possible, or, if it were, it
would be particularly beneficial. The salutary effects of such classics
are limited, the...
 
Mark Zuckerberg has seen the future, and it's inside a virtual-reality headset.
 
Facebook said late Tuesday that it is shelling out $2 billion to scoop up Oculus VR, a company that makes virtual reality gaming glasses.
 
 

Info sec industry still struggles to attract women
Network World
CSO - Even as women have made dramatic advances in medicine, law, and other fields, the proportion of women pursuing undergraduate degrees in the computer sciences has actually been dropping, from around 30 percent in 1990 to 18 percent in 2010, ...

 
RETIRED: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2014-15 through -28 Multiple Vulnerabilities
 
Multiple McAfee Products Multiple Security Vulnerabilities
 
Dell SonicWALL NSA 2400 'stats/dashboard.jsp' Cross Site Scripting Vulnerability
 
Quick.Cart 'admin.php' Cross Site Scripting Vulnerability
 
The terms "Internet of Things" (IoT) and "connected home" are two of the trendiest buzzwords in the technology world today. And while both clearly offer very real potential, they also introduce their own share of risk, particularly if they're not approached with caution, according to Jerry Irvine, an owner and CIO of IT outsourcing services firm, Prescient Solutions.
 
Using 3D laser lithography, a team of German scientists has created micro-truss and micro-shell structures from ceramic polymer composites that exceed the strength-to-weight ratio of all engineering materials, with a density below 1,000 kg/m³.
 
U.S. President Barack Obama's administration should reverse its decision to suspend the passport of U.S. National Security Agency leaker Edward Snowden and end its efforts to prosecute him as policymakers push to change the programs he exposed, a group of activists said.
 
 
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2014-1505 Information Disclosure Vulnerability
 
XStream CVE-2013-7285 Remote Code Execution Vulnerability
 
[security bulletin] HPSBMU02967 rev.2 - HP Unified Functional Testing Running on Windows, Remote Execution of Arbitrary Code
 
CVE-2013-6955 Synology DSM remote code execution
 
Open Compute Project Foundation leader Frank Frankovsky, who founded the project with colleagues at Facebook to help foster scalable data centers in large enterprises, has left the social-networking company for an optical storage startup.
 
Business groups in a growing number of companies appear to be plowing ahead on data analytics projects with little input or help from their own IT organizations.
 
Despite growing disagreement between the United States and Russia over the latter's actions in Ukraine, a NASA astronaut and two cosmonauts are slated to fly tonight to the International Space Station on a Russian Soyuz spacecraft.
 
 
OpenSSH 'child_set_env()' Function Security Bypass Vulnerability
 
HTC announced its One M8 smartphone on Tuesday, boasting its premium styling and asserting that it offers the world's best innovations. Those include a dual rear camera for adding depth to photos and a battery with 40% longer life than last year's HTC One M7.
 
Google has revamped its portfolio of enterprise cloud services, by cutting prices, adding new features, and touting a refreshed enthusiasm for the cloud market.
 
SAP is continuing to merge its HANA in-memory database platform with its Business Warehouse data warehousing software, with the latest update adding support for HANA's real-time data loading services.
 

Info sec industry still struggles to attract women
PC Advisor
According to latest research, such as the 2013 (ISC)2 Global Information Security Workforce Study, only 11 percent of infosec professionals are female. There are a number of barriers preventing women from entering or staying in the field, but both ...

 
Google yesterday began rolling out Google Now notifications to users of its desktop browsers on Microsoft's Windows and Apple's OS X.
 
Over the past year or so, smartphone innovation has hit a plateau. What do you think phone makers should focus on to next?
 
The evidence keeps mounting that companies that put out mobile apps are not paying nearly enough attention to security. Even big companies with large and experienced IT staffs are guilty.
 
Amazon Web Services' CloudSearch service has been upgraded with more search features and is now compatible with 33 languages.
 
BigDump Cross Site Scripting, SQL Injection, and Arbitrary File Upload Vulnerabilities
 

It has been over a month since we saw the "Moon" worm first exploiting various Linksys routers [1]. I think it is time for a quick update to summarize some of the things we learned since then:

Much of what we have found so far comes thanks to the malware analysis done by Bernardo Rodrigues [2]. Bernardo used QEMU to run the code in a virtual environment. QEMU is, as far as I know, the only widely available virtualization technique that can simulate a MIPS CPU while running on an x86 host. So far, most of what I have been doing relied on telnetting to an infected router. With QEMU, Bernardo got additional insight into what the worm was doing; in particular, it is now easy to dump physical memory. The worm ran on OpenWRT. I am not sure if it would be possible to install the stock Linksys firmware in QEMU; that is on my list of things to try out. For future reverse engineering, I think this would provide a more realistic target.

Infected systems run an additional HTTPS server on a random port. The communication we observed in earlier posts is plain HTTPS, using a self-signed certificate. The server also provides statistics pages with summaries listing infected systems. For a screenshot, see https://twitter.com/daavidhentunen/status/441551682443300866/photo/1 .

At this point, I do still see regular hits from infected routers to my honeypot. They appear to have slowed down a bit, but I still get a number of scans a day.

[1] https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633
[2] http://w00tsec.blogspot.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
HTC says its latest One flagship smartphone is akin to jewelry, placing it in the market as a premium product set apart from the competition.
 
Those who like to take selfies might be interested in the latest handset from ZTE, a smartphone that the Chinese company claims is the world's first with a 13-megapixel front-facing camera.
 
SAP has turned to long-time partner Adobe in a bid to keep pace with Oracle and Salesforce.com in the red-hot marketing software market.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated net-snmp packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated net-snmp packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Apache HTTP server could be made to crash if it received specially crafted network traffic.
 
LinuxSecurity.com: ca-certificates was updated to the 20130906 package.
 
LinuxSecurity.com: initramfs-tools used incorrect mount options.
 
Liferay Portal Security Bypass and HTML Injection Vulnerabilities
 
MS14-010 CVE-2014-0293 Technical Details and Code (I changed the web permanently)
 
[CVE-2014-2531] SQL injection in InterWorx Web Control Panel <= 5.0.13
 
[oCERT-2014-002] Xalan-Java insufficient secure processing
 
Adobe Systems is stepping up its mobile efforts by integrating the company's Marketing Cloud with Apple's iBeacons and simplifying advertising in apps, while also partnering with SAP to help sell it using Hana.
 
Boston-based restaurant chain b.good started its customer loyalty program with email 12 years ago because, well, it couldn't afford much else. As the chain has grown, so has its rewards program, which now has 53,000 'Family' members using keycards and smartphone apps to connect with b.good.
 
Healthcare providers such as hospitals, medical offices and clinics face an unsettling reality, according to a recent Forrester report: embrace the cloud, big data, mobile and other emerging technology, or get acquired by a healthcare organization that has successfully been there and done that.
 
Mozilla named co-founder Brendan Eich, best known as the creator of JavaScript, as its new CEO, filling the spot that had been vacant for nearly a year.
 
The Obama administration is set to propose legislation that will end the bulk collection of phone data by the National Security Agency, according to a newspaper report.
 
Google is looking to reach a wider audience for Glass with some design help from Oakley and Ray-Ban.
 
Box, the eight-year-old company that has taken on industry giants to become a leader in cloud storage and file sharing, will seek to raise US$250 million by selling shares publicly for the first time.
 
Dell rolled out products designed to help customers build and scale cloud environments.
 
If you want to record your next climb up a cliff in extreme detail, Panasonic is offering a high-resolution wearable camera that shoots in 4K at 30 frames per second progressive.
 
A group of enterprising cybercriminals have figured out how to get cash from a certain type of ATM -- by text message.
 
 
Cisco Systems' "Intercloud" platform for interoperable cloud services could be combined with remote-computing technology to define the so-called Internet of Things from the weather-ravaged, intermittently connected edge to regional and global data centers.
 
Self-publishing has become an increasingly important industry for both individual authors and businesses who want to put out their own books. But how do you begin? Here are some tips for self-starters.
 
Mozilla Firefox Floating Point Conversion Heap Overflow Vulnerability
 
Jetty Cross Site Scripting and Information Disclosure Vulnerabilities
 
Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability
 