Hackin9
Dylan Wheeler, a computer security and gaming enthusiast who lives near Perth in Western Australia, could very well be in a lot of trouble.
 
FusionForge CVE-2013-1423 Multiple Local Privilege Escalation Vulnerabilities
 
In a talk critical of cyberattack finger-pointing, Art Coviello stressed the need for infosec strategy to emphasize big data, interconnectivity.

 
At Security B-Sides 2013, Joshua Corman railed against PCI DSS and vendor profit measures, calling for a renewed information security focus on what really matters.

 
Linux Kernel 'call_console_drivers()' Local Denial of Service Vulnerability
 
Monkey 'master.log' Insecure File Permissions Vulnerability
 

Fox-IT Introduces Fox InTELL Real-Time Cyber Intelligence Portal to InfoSec ...
Virtual-Strategy Magazine (press release)
Fox-IT is the company that first spotted last week's malware hack of NBC.com; the firm tracks and analyzes client-specific cyber threats and potential attacks in real-time as they are planned within the cybercrime underworld. Fox InTELL's unique ...

 
Researchers from security firm Symantec have found and analyzed a version of the Stuxnet cybersabotage malware that predates previously discovered versions by at least two years and used a different method of disrupting uranium enrichment processes at Iran's nuclear facility at Natanz.
 
dbus-glib CVE-2013-0292 Local Privilege Escalation Vulnerability
 

Fox-IT Introduces Fox InTELL Real-Time Cyber Intelligence Portal to InfoSec ...
DigitalJournal.com (press release)
Fox-IT was the first to detect the NBC.com Citadel malware hack within minutes of its launch last week in the normal course of monitoring its customers, officials at the Dutch security firm today announced. The analysis performed on the malware itself ...

 
Acer plans to release a Windows RT tablet this year as it looks to aggressively expand its lineup of mobile devices, including smartphones.
 
Adobe today patched new vulnerabilities in Flash Player that hackers are now exploiting in attacks aimed at Firefox users, the company said.
 
Google is making it easier for app developers to connect with users on its social network through Google+ Sign-In, a new feature that allows people to sign into third-party apps using their Google+ credentials.
 
Intel has released its own Hadoop distribution in a move intended to accelerate adoption of the big data platform while ensuring more of those workloads run on Intel's Xeon processors.
 

 

Java just can't catch a break! A number of our readers have pointed out that Security Explorations claims they have 2 new Java zero-days (no verification from Oracle on this yet).



This of course has fueled the fire of "it's time to just say no and uninstall Java" in many quarters. And for general-purpose internet browsing, maybe you can. If you do need Java, changing the security settings to "ask every time" is a good way to go. Of course, if you run a business app that needs Java, you need to make it transparent to your user community somehow; this can be a particular problem if your app needs a specific (aka old / vulnerable) Java version. We've talked about this in a few different stories over the last few months.
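One way to get that "transparent to the user community" result without leaving Java enabled for everything is Oracle's Deployment Rule Set (supported from Java 7 Update 10): a signed ruleset that whitelists the one business application, pins it to the JRE build it was tested with, and blocks every other applet or Web Start app with an explanation. The ruleset below is an added example, not from this diary; the intranet URL and the pinned Java version are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: added example, not from the ISC diary.
     The location and JRE version below are assumptions for illustration. -->
<ruleset version="1.0+">

  <!-- The one internal app that genuinely needs Java. Rules are evaluated
       in order, so this must come before the catch-all block rule.
       "version" pins the app to the JRE build it was certified on (the
       "old / vulnerable" build the diary mentions), so newer runtimes on
       the host are not used for it and the older runtime is used only here. -->
  <rule>
    <id location="https://intranet.example.com/legacy-erp/" />
    <action permission="run" version="1.6.0_43" />
  </rule>

  <!-- Everything else: block, and tell the user why, so the help desk
       is not flooded with "Java is broken" tickets. An empty <id /> matches
       every application not matched by an earlier rule. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java content is blocked by policy. Contact the help desk if a business application needs it.</message>
    </action>
  </rule>

</ruleset>
```

The plug-in only honors the file when it is packaged as DeploymentRuleSet.jar, signed with a certificate the client JRE trusts, and placed in the system-wide deployment directory (on Windows, C:\Windows\Sun\Java\Deployment). Keep the "run" rules as narrow as the application allows (a full path rather than just the host), since a location rule matches by prefix and an over-broad entry re-opens Java for anything served from that path.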



But this got me to thinking, as security folks, what tools or processes do we use daily that need Java?



My list is pretty short:

Burp Suite for Web Assessments - www.portswigger.net

ZAP - Zed Attack Proxy, also for Web Assessments - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Nessus, for straight up vulnerability assessments and security scans (Java is only needed for PDF exports in Nessus I think) - http://www.tenable.com

Network appliance administration is often Java based as well - for instance, the GUI for Cisco ASA firewalls and many wireless controllers requires Java to run.



What's in your "I only need Java for this or that" infosec tool list? Please, let us know through our comment form.



============ Update ============

Our friends at PaulDotCom tell us (in the comments below) that Nessus no longer needs Java for PDF exports, as of November of 2012.

Thanks for the heads-up on that; my bad for not noticing the change when it came!

===============

Rob VandenBrink

Metafore
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google confirmed today that it has ported part of QuickOffice, a popular iOS and Android app substitute for Microsoft Office, to a technology baked into Chrome OS and the company's Chrome browser.
 
The note-taking application OneNote, cloud storage service SkyDrive and Yammer enterprise social networking software have emerged as rising stars in the Office family, according to Microsoft's Office Division chief.
 
It's time to dive into realms where you don't have all the answers, says Chris Curran of PwC. Ditch outmoded ways of thinking, ask business managers and employees what they need to innovate, and find out what customers want before they even know.
 
A healthcare CIO moves aggressively to cloud computing so the IT staff is freed up to focus on IT innovations that advance the company's core mission.
 
 
"There's no such thing as bad publicity"
 
Three CIOs describe how they define and develop IT staff capabilities that keep pace with business needs
 
CEOs are hiring hotshot chief digital officers to run strategic, customer-facing operations such as online sales. Is this good news or bad news for CIOs?
 
Denial of Service vulnerability in War FTP Daemon 1.82
 
Finnish company Jolla and its CEO Marc Dillon are hoping to convince consumers that buying a new smartphone isn't just about the number of cores available and the size of the screen when the company later this year releases the first smartphone based on the Sailfish OS.
 
Seven companies are expected to release chips this year based on ARM's Big.Little processor technology, ARM said at the Mobile World Congress.
 
ZeroClipboard 'id' Parameter Cross Site Scripting Vulnerability
 
[ MDVSA-2013:015 ] apache
 
[SECURITY] [DSA 2632-1] linux-2.6 security update
 
Cricket Communications' unlimited music download service, Muve, has blossomed in the past 18 months and will soon expand in another month outside the U.S., a Cricket executive said Tuesday.
 
Toshiba plans to add something new to the tiny cameras in smartphones -- depth.
 
Japan's NEC has come up with a different way to answer consumer demands for bigger screens on smartphones. Rather than use a single, larger display, which makes the entire phone larger, the company has fitted a second screen to its Medias W handset that folds out when needed to double the display area.
 
A vulnerability made it possible to compromise Google accounts protected by two-factor authentication. This problem has now been fixed, but it took Google seven months to do so.


 
With a settlement in the FTC case against HTC's security holes in their mobile phones leading to leaking sensitive data, the door is open for the FTC to enforce good privacy and security practice upon smartphone makers and carriers.


 
[slackware-security] seamonkey (SSA:2013-056-01)
 
The National Institute of Standards and Technology (NIST) today issued a Request for Information (RFI) in the Federal Register as its first step in the process to develop a Cybersecurity Framework, a set of voluntary standards and best ...
 
Software as a service is here to stay. So CIOs need the tools to manage their sprawling portfolios of SaaS applications with the same rigor they use for on-premise software.
 
After Katrina, the New Orleans Hornets built a stronger disaster-recovery operation: a hot site with a diesel engine big enough to 'power a locomotive.'
 
BI vendor MicroStrategy is getting out of the contact center software business, having sold off its Angel subsidiary to Genesys for roughly $110 million in cash. The deal is expected to close in March.
 
Cisco's acquisition of network optimization vendor Intucell closed just three days before the start of Mobile World Congress this week, great timing for a deal that is likely to play a big role in the networking firm's mobile future.
 
If you have a habit of dropping smartphones or tablets in toilets or sinks, Fujitsu may have an answer for you. The company showed off a new Windows 8 tablet and Android smartphones that can resist drops into water.
 
Micron today announced a new SAS SSD that it said is aimed at tier-one, mission-critical applications. The SSD can withstand up to 10 full data fills per day for five years, Micron says.
 
Microsoft today released a final version of Internet Explorer 10 (IE10) for Windows 7, nearly two years after it introduced the browser at a company conference.
 
Researchers from two-factor authentication provider Duo Security found a loophole in Google's authentication system that allowed them to bypass the company's 2-step login verification by abusing the unique passwords used to connect individual applications to Google accounts.
 
IBM HTTP Server Multiple Modules Cross Site Scripting Vulnerabilities
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0777 Remote Code Execution Vulnerability
 
RACO Wireless has signed deals with Sprint Nextel and Telefonica to give users of its Omega machine-to-machine platform more choices when connecting their devices.
 
Twitter plans to offer an official app to run on the new Firefox OS, in a significant endorsement of the operating system.
 
Bit9 said a common Web application vulnerability was responsible for allowing hackers to ironically use the security vendor's systems as a launch pad for attacks on other organizations.
 
Microsoft needs to make up its mind whether it wants to stay a software company or if it's really serious about being a hardware power as well.
 
Salesforce.com is planning to add a series of mobile applications to its Service Cloud line of customer service software, in a response to the rampant rise of mobile devices both in the consumer and business worlds.
 
Hewlett-Packard made some noise at Mobile World Congress show with its new Slate 7-inch tablet and then the sale of webOS assets, but the company is looking to put past distractions behind and will release more tablets in the future, the company said.
 
Apple has reached a settlement in a class-action lawsuit that claimed that its app purchase policy did not prevent minor children from running huge expenses for in-app purchases.
 
A system that aims to curb Internet users from sharing copyrighted content is being rolled out in the U.S. after a number of delays.
 
Security researchers have informed Oracle of another two vulnerabilities in the current version of Java 7. Meanwhile, exploit kits are now being armed with exploits for the January update of Java.


 
CUPS 'Listen localhost:631' Option Unauthorized Access Vulnerability
 
Linux Kernel CVE-2013-1763 Local Privilege Escalation Vulnerability
 

Posted by InfoSec News on Feb 25

http://www.cio.com/article/729401/Hacking_Victim_Bit9_Blames_SQL_Injection_Flaw

By Jeremy Kirk
IDG News Service
February 25, 2013

Bit9 said a common Web application vulnerability was responsible for allowing
hackers to ironically use the security vendor's systems as a launch pad for
attacks on other organizations.

Based in Waltham, Massachusetts, the company sells a security platform that is
designed in part to stop hackers from...
 

Posted by InfoSec News on Feb 25

http://forbesindia.com/article/beyond-business/ankit-fadia-revealed/34793/0

By Charles Assisi
Forbes India
FEATURES/BEYOND BUSINESS
Feb 26, 2013

Dear Ankit Fadia,

First of all, I’d like to place my unconditional apologies on the record. In
fact, before I started to write you this letter, I promised my colleagues these
pages will be used to crucify and call your bluff before your 16th book on
computer security hits the shelves a few months...
 

Posted by InfoSec News on Feb 25

http://www.theregister.co.uk/2013/02/26/no_degree_needed_for_infosec_pros/

By Jack Clark in San Francisco
The Register
26th February 2013

RSA 2013 HR and in-house recruitment types should get rid of the myopic idea
that to work in IT you must have been to university, says a Department of
Homeland Security honcho.

Many "corporate and government jobs actually require a college degree or
equivalent work experience," DHS deputy...
 