Hackin9
More than 50 million users of the daily deals site LivingSocial are being asked to reset their passwords after hackers attacked the company's servers and potentially made off with personal data.
 
RETIRED: Google Chrome Prior to 25.0.1364.152 Multiple Security Vulnerabilities
 

Infosec 2013: managing risk in the supply chain
Techworld.com
Over the years, organisations have outsourced a wide range of services, generally because third parties can manage them more efficiently and cost-effectively than they can themselves. As a result, security and regulatory requirements have increased ...

and more »
 
The Internet of Things (IoT) is a concept first suggested in 1999 by Kevin Ashton, the co-founder of Auto-ID Center at MIT. And it's popular again--thanks to mobility and the maturing of tracking technologies like RFID, NFC, and QR codes, according to Claus Mortensen, principal of emerging technologies at IDC Asia Pacific.
 
The government is scrapping the cross-government CIO role. Since the coalition took office in 2010 there has been a significant level of CIO churn in Whitehall. Liam Maxwell, currently the Government CTO, has risen through the ranks and is considered to be a major reformer. CIO UK met with Maxwell recently to discuss a wide range of issues, including the politics of his role, the Government Digital Service, G-Cloud, SME vendors and -- of course -- cuts.
 
In part one of CIO UK's Liam Maxwell interview, the Government CTO discussed the C-level shake-up in Whitehall, G-Cloud and SME vendors. In part two of the series, Maxwell spoke about centralisation, exemplar services and cuts.
 
Apple is clearly not Steve Jobs' company any longer, analysts said this week, citing examples from Tuesday's earning calls with Wall Street.
 
Key lawmakers are suggesting that the controversial Cyber Intelligence Sharing and Protection Act, better known as CISPA, will soon die in the U.S. Senate -- just like last year.
 
Setting the foundation for what may be a multitrillion-dollar marketplace, OASIS (the Organization for the Advancement of Structured Information Standards) has declared MQTT (the Message Queuing Telemetry Transport) as its messaging protocol of choice for the emerging Internet of Things.
 
Hewlett-Packard on Friday started shipping its $169.99 Slate 7 tablet with Android 4.1, which signals the company's reentry into the consumer tablet market after the TouchPad imploded in 2011.
 
Linux Kernel ext4 Local Denial of Service Vulnerability
 
The yet-unnamed certification will seek to validate skills of cloud security pros, but it's unclear how it may complement or overlap with existing certs.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
A 35-year-old Dutch man was arrested Thursday in Spain, as part of an investigation into a large-scale DDoS attack that targeted a spam-fighting organization called the Spamhaus Project in March
 
Samsung is second to Apple in tablet sales and coming on strong, though Samsung Galaxy Tab users remain well behind iPad users in how much they use the Web.
 
A damaged Russian cargo ship successfully docked with the International Space Station today, delivering 3.1 tons of food, fuel and equipment.
 

Spanish authorities have arrested a 35-year-old Dutchman they say is "suspected of unprecedented heavy attacks" on Spamhaus, the international group that helps network owners around the world block spam.

A press release (English translation here) issued by the Dutch Public Prosecutor Service identified the suspect only by the initials SK and said he was living in Barcelona. A variety of circumstantial evidence, mostly taken from this Facebook profile, strongly suggests the suspect is one Sven Olaf Kamphuis. He's the man quoted in a March 26 New York Times article saying a Dutch hosting company called CyberBunker, which Kamphuis is affiliated with, was behind distributed denial-of-service attacks aimed at Spamhaus. Kamphuis later denied he or CyberBunker had anything to do with the attacks.

With peaks of 300 gigabits per second, the March attacks were among the biggest ever recorded. Besides their size, they were also notable because they attacked the London Internet Exchange, a regional hub where multiple networks from different service providers connect. As Ars writer Peter Bright explained, the size and technique threatened to clog up the Internet's core infrastructure and make access to the rest of the Internet slow or impossible. While some critics said that assessment was overblown, Bright provided this follow-up explaining why the attacks had the potential to break key parts of the Internet.

Read 2 remaining paragraphs | Comments

 
TeeChart Professional ActiveX Remote Integer Overflow Vulnerability
 
Apple will challenge a November 2012 jury verdict that awarded $368 million in damages to Nevada patent-holding company VirnetX, a filing with U.S. regulators showed.
 
Quiksoft EasyMail 'AddAttachment()' Method ActiveX Control Buffer Overflow Vulnerability
 
EasyMail Objects EMSMTP.DLL ActiveX Control Remote Buffer Overflow Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google's executive chairman acknowledged yesterday that using Glass, the company's computerized eyeglasses, can be at times a bit 'weird' and 'inappropriate.'
 
The U.S. Senate has delayed a vote on an Internet sales tax until May, after a handful of senators blocked lawmakers from voting on the legislation this week.
 
Salesforce.com, a pillow manufacturer and an employee of the pillow maker are caught up in a complex three-way legal battle, with a $125,000 American Express bill and an allegedly failed software implementation at the center of the dispute.
 
The average Facebook user has 342 friends and teenage girls and boys tend to misreport their relationship status as married, according to an analysis of Facebook data by Wolfram Alpha founder Stephen Wolfram.
 
On The H's radar over the last seven days: Java tweaks, iPhone certificates, Pwn2Own hacks, arms attacks, Nmap's summer of code, and DDoS reports...
    


 
Belkin N300 Wi-Fi N Router Cross Site Request Forgery and Security Bypass Vulnerabilities
 

On the heels of my post on Microsoft's SIRv4 earlier this week, reader Ray posed a great question that elicited some nuanced responses from fellow handlers Mark H and Swa F. All parties have agreed to allow me to share the conversation with the ISC readership.

From Ray:

What is, "up to date anti-virus software"?  Is there a de facto standard of how often or what defines when a system is up to date or not up to date?  My goal isn't to split hairs.  There are a lot of moving pieces (in the background) to this question & where I work.  I would like to know what other organizations use; besides sooner is better. 

Mark H's response:

To me the definition of up to date is the latest pattern file for that particular application.  So I tend to configure AV products to check at least hourly for updates and apply them.  Some product interestingly however still consider daily or weekly to be ok.  Putting on my QSA hat usually I accept daily updates as being ok (assuming that the AV product is therefore at the lates pattern update), go beyond that and you'd best have a very good reason for lagging.

Ray's reply:

While wearing the AV hat at my last company I expected a drop in infections when I stabilized our (pattern file) distributions, but didn't expect such a dramatic drop in the rate.  With three updates a day I hit < .5% systems were more than one day out of date.  Since moving to a different company with different responsibilities I see one update a day and a 5 day window for updates with the target of only 90% of systems updated I see...room for improvement but face a mind set challenge.  I was curious what other "standards" were.

Swa's feedback:

Agreement with Mark: hourly is THE way to go. 

Add internal servers to help distribute it and allow in the field updates for machines at home or while roaming out there.
Make it so that the machine gets isolated in quarantine on your internal network if it's more than a long weekend out of date on updates. 
I'd suggest a trade off between this aggressive updating - transparent to the user as long as they do not sabotage it - vs a daily scan of the entire drive - which is far from transparent. 
Also focus on those not getting updated on time: figure out why and how to fix it. 
There's no point in paying for AV updates if you do not use them. Any self respecting attacker checks their handy work against something like VirusTotal, so being behind even a little bit makes the AV useless. 
Sure you might someday trip over a bad AV update. So what? It's easy to know what it did wrong and recover from it? Easy to know what it did is absolutely untrue for any modern malware. Those that still think that need a reality check. The only recovery of malware that works is "nuke from high orbit" all the rest does not yield reliable machines. 
 
Russ' 2 cents:
 
I'll follow up on Swa's point. There is no "recovery" from malware in my world. There is no running a tool to "clean up" after an infection. Nuke from space is the only solution or the machine(s) remain entirely suspect.
So have a plan for reimaging systems conveniently and efficiently, store data on separare drives or partions, and practice safe backup. Because when you pop a valid AV alert in my shop? BOOM...
 

Photo courtesy of nukeitfromorbit.com 

Great discussion, Ray and handlers. Thanks for letting us share.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

About six weeks ago, users of Facebook's Android application noticed that they were being asked to install a new version—without going to the Google Play app store.

Android is far more permissive than iOS regarding the installation of third-party applications, even allowing installation from third-party sources if the user explicitly allows it. However, it's unusual for applications delivered through the official Google store to receive updates outside of the store's updating mechanism.

Google has now changed the Google Play store polices in an apparent attempt to avoid Facebook-like end runs around store-delivered updates. Under the "Dangerous Products" section of the Google Play developer policies, Google now states that "[a]n app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism." A Droid-Life article says the language update occurred Thursday. APK (standing for application package file) is the file format used to install applications on Android.

Read 4 remaining paragraphs | Comments

 
[security bulletin] HPSBMU02830 SSRT100889 rev.2 - HP Data Protector, Local Increase of Privilege
 
Multiple Vulnerabilities in D'Link DIR-635
 
Borland Silk Central 12.1 TeeChart Pro Activex control AddSeries Remote Code Execution
 
Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group (APWG).
 
Oracle JavaFX CVE-2012-5080 Remote Security Vulnerability
 
Six years after the sale of the first iPhone and 14 years after the first BlackBerry email pager was unveiled, smartphone shipments have outnumbered sales of other types of mobile phones.
 
LG Electronics more that doubled its sales of smartphones in the first quarter, which was the first time smartphones outsold feature phones, according to IDC.
 
LinuxSecurity.com: Multiple vulnerabilities has been found and corrected in subversion: Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node. This can lead to a DoS. There are no known instances of [More...]
 
LinuxSecurity.com: Multiple vulnerabilities has been found and corrected in subversion: Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node. This can lead to a DoS. There are no known instances of [More...]
 
LinuxSecurity.com: Updated curl packages fix security vulnerability: libcurl is vulnerable to a cookie leak vulnerability when doing requests across domains with matching tails. This vulnerability can be used to hijack sessions in targetted attacks since registering domains [More...]
 
LinuxSecurity.com: Updated mysql packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 

Infosec 2013: Security bosses 'Gods' of the business during incidents
SC Magazine UK
Infosec 2013 saw a panel of experts discuss incident response, and what an organisation needed to put in place so they could respond the best way. Edward Tucker, head of cyber security and response at HMRC, said it was essential to have corporate ...

 

Top 10 insights from Infosec 2013: From cyber war to Apple's App Store
V3.co.uk
Infosec Europe is always an interesting affair, drawing players big and small from the security community, government and wider industry to London's Earl's Court to talk security and issues affecting the sector. This year was as busy as ever as the ...

 

Computing

Infosec 2013: Big disagreements over European data breach law
SC Magazine UK
RSS | Log in | Register · SC Magazine UK > News > Infosec 2013: Big disagreements over European data breach law. Infosec 2013: Big disagreements over European data breach law. Asavin Wattanajantra. April 26, 2013. Print · Email · Reprint; Text: A | A ...
Infosec 2013: Incentivise staff to become aware of cyber risksComputing
Infosecurity Europe 2013: Infosec can no longer hinder business objectivesInfosecurity Magazine

all 9 news articles »
 
Passwords on their own are no longer considered to be effective in locking the internet's many doors. The FIDO Alliance aims to create new, user-friendly authentication methods and, now, Google has joined the organisation
    


 
Multiple Cybozu Products Cross-Site Request Forgery Vulnerability
 
Oracle MySQL CVE-2013-1506 Remote MySQL Server Vulnerability
 
Oracle MySQL Server CVE-2013-2389 Remote Security Vulnerability
 
Google yesterday released an add-on that lets users view Microsoft Office documents within its Chrome browser, another small step in the search giant's encroachment on Microsoft's lucrative business productivity turf.
 
Today's video editing apps have made many pro-level features available to anyone who wants to use them. We review four of the best known video editors to see what they offer and how easy it is to use them.
 
Samsung Electronics said its Galaxy S3 and Note 2 helped it to defy a shrinking smartphone market in the first quarter, boosting its overall profits by 42% from a year ago.
 
Samung has pushed back the availability of its KNOX security solution for mobile devices, but says everything is in place for future availability
    


 

Infosec 2013 : Squeezed budgets mean security education Is vital
SC Magazine UK
Subscribe to our RSS feeds RSS | Log in | Register · SC Magazine UK > News > Infosec 2013 : Squeezed budgets mean security education Is vital. Infosec 2013 : Squeezed budgets mean security education Is vital. Asavin Wattanajantra. April 26, 2013 ...

 

Infosec 2013: External auditors attacked as threat to information security
SC Magazine UK
RSS | Log in | Register · SC Magazine UK > News > Infosec 2013: External auditors attacked as threat to information security. Infosec 2013: External auditors attacked as threat to information security. Asavin Wattanajantra. April 26, 2013. Print ...

 

Posted by InfoSec News on Apr 26

https://www.computerworld.com/s/article/9238687/Adobe_s_first_CSO_sets_security_of_hosted_services_as_top_priority

By Lucian Constantin
IDG News Service
April 25, 2013

Adobe Systems has appointed Brad Arkin, the company's senior director of
security for products and services, to become its first CSO. With a
mature product security program already in place, the top priorities for
Adobe's new security chief are to strengthen the...
 

Posted by InfoSec News on Apr 26

http://www.bankinfosecurity.com/facebook-used-to-market-banking-trojans-a-5714

By Tracy Kitten
Bank Info Security
April 26, 2013

Within the last week, researchers at security vendor RSA stumbled upon a
Facebook page called Casper Spy Botnet that hackers and malware
developers were using to promote and sell the legacy banking Trojan
Zeus.

The page has since been deactivated, says RSA's Limor Kessem, a top
cyber-intelligence expert...
 

Posted by InfoSec News on Apr 26

http://www.baltimoresun.com/news/maryland/politics/bs-md-cyber-audit-20130425,0,3404521.story

By Erin Cox and Carrie Wells
The Baltimore Sun
April 25, 2013

Servers that host internet service for more than 30 state agencies are
vulnerable to a cyberattack, according to a legislative audit released
this week.

The Maryland State Archives, which oversees the five servers, did not
update the operating systems in more than five years, auditors...
 

Posted by InfoSec News on Apr 26

http://www.healthcareitnews.com/news/6-steps-keep-security-issues-bay

By Bernie Monegain
Healthcare IT News
April 25, 2013

Healthcare institutions should emulate best-of-breed privacy polices
developed by financial services firms rather than other hospitals,
recommends William Tanenbaum, partner at New York-based technology law
firm Kaye Scholer LLP.

When it comes to privacy and data security, healthcare institutions face
tremendous...
 

Posted by InfoSec News on Apr 26

http://www.washingtontimes.com/news/2013/apr/24/cyber-sunk-hackers-find-flaws-it-security-new-navy/

By Shaun Waterman
The Washington Times
April 24, 2013

The Pentagon is moving to fix cybersecurity vulnerabilities on the
Navy’s new Littoral Combat Ship (LCS), after computer systems that
control the $440 million USS Freedom were hacked by a “red team” of
network penetration testers, Bloomberg News reported Wednesday.

An anonymous...
 

Posted by InfoSec News on Apr 26

http://www.darkreading.com/attacks-breaches/many-hacked-businesses-remain-unprepared/240153520

By Kelly Jackson Higgins
Dark Reading
April 24, 2013

A company suffers a data breach. So, of course, it then retrenches and
shores up its defenses and processes to prepare for the next attack,
right? Not so much, a new survey of organizations that have suffered
breaches shows: More than one-third of organizations hit by data
breaches still have no...
 

Posted by InfoSec News on Apr 26

https://www.computerworld.com/s/article/9238665/Vulnerable_terminal_servers_could_let_bad_guys_hack_stoplights_gas_pumps

By Jaikumar Vijayan
Computerworld
April 24, 2013

Thousands of older systems, including those used to manage critical
industrial control equipment, traffic lights, fuel pumps, retail
point-of-sale terminals and building automation are vulnerable to
tampering because they're insecurely connected to the Internet via...
 

Posted by InfoSec News on Apr 26

http://www.wired.com/threatlevel/2013/04/stephen-watt-stalked-by-past/

By Kim Zetter
Threat Level
Wired.com
04.24.13

Early last week, before the suspects were identified in the Boston
Marathon bombings, a U.S. probation officer and his supervisor visited
the Manhattan apartment of programmer Stephen Watt with a question: Did
Watt happen to know anything about the attack?

“He said, ‘We want to ask you about this Boston thing. I think you...
 

Posted by InfoSec News on Apr 26

http://www.theregister.co.uk/2013/04/23/afp_claims_lulsec_scalp/

By Richard Chirgwin
The Register
23rd April 2013

Updated - The Australian Federal Police (AFP) has arrested a man
described "a self-proclaimed leader of the group ‘Lulz Security’
(Lulzsec), a computer hacking group that has existed since 2011."

The as-yet-unnamed 24-year-old man was apprehended in the coastal town
of Point Clare was arrested after using a known...
 

Posted by InfoSec News on Apr 26

Two days away from the mushroom farm and hanging out with all the cool
kids at Thotcon 0x4 - http://www.thotcon.org/ and BSidesChicago -
https://securechicago.org/

I hope to see & meet some InfoSec News subscribers over the next 72 hours!

Cheers!

William Knowles
 
Oracle MySQL CVE-2013-1526 Remote MySQL Server Vulnerability
 
Oracle MySQL CVE-2013-2378 Remote MySQL Server Vulnerability
 

InfoSec: Understanding business goals is key to embedding company-wide ...
Nettverk & Kommunikasjon
o Matthew Finnegan 26.04.2013 kl 07:09 | Computerworld UK. Tweet. Information security managers need to better align themselves with company business goals help embed security practices in an organisation, according to speakers at InfoSec 2013.

and more »
 
A U.S. judge ruled Thursday that Motorola Mobility is entitled to substantially less royalties than it wanted from Microsoft for the company's use of wireless and video-encoding patents in its Xbox products.
 

Mining for infosec talent: How CISOs can fill security positions
TechTarget
Mining for infosec talent: How CISOs can fill security positions. Ernie Hayden, Contributor. E-Mail. Print; A; AA; AAA; LinkedIn; Facebook; Twitter; Share This; RSS · Reprints. In today's world, chief information security officers (CISO) are often ...

 
Internet Storm Center Infocon Status