(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Back in the days when I worked in the computer security business, I always used to say that the one thing I could always be thankful for was that there'd be no lack of work. Today, I'm thankful that all I have to do is write about security, considering the target-rich environments that information security professionals have to deal with.

On Tuesday, December 3, I'll be in New York City at the Harvard Club to moderate a panel hosted by the Information Security Forum, discussing the top six reasons why infosec professionals will continue to collect a paycheck in the new year. The panelists for the half-day executive seminar on the 2014 "Threat Landscape"—including ISF Global Vice President Steve Durbin and Garcia Cyber Partners principal Greg Garcia—and I will discuss ISF's forecasted top six security threats to business in 2014 and what to do about them.

Here's are some of the topics that will be on the panel's "threatdown":

Read 6 remaining paragraphs | Comments


Red Hat Enterprise Virtualization Hypervisor CVE-2013-1935 Denial of Service Vulnerability
Installatron Plugin for DirectAdmin Insecure Temporary File Creation Vulnerability
Hewlett-Packard reported results for the last quarter of its fiscal year on Tuesday, and although sales were down from a year earlier there were some much-needed signs of improvement.
Acer announced the first Chromebook laptop with a touchscreen for US$299.99, which is about $100 more than the company's cheapest non-touch model.
Apache Roller CVE-2013-4212 OGNL Expression Injection Remote Code Execution Vulnerability
Fortinet FortiAnalyzer Cross Site Request Forgery Vulnerability
Drupal Core Image Module HTML Injection Vulnerability
Google is taking its cameras indoors in an effort to map international transit hubs, starting with 16 airports and more than 50 train and subway stations.
Ganglia Web 'get_context.php' Cross Site Scripting Vulnerability
Astronomers around the world are breathlessly watching comet ISON -- a relic from when our solar system was formed -- head toward the sun, where it might break up in a stunning light show.
Scientists are already receiving and analyzing information coming in from a fleet of tiny satellites launched into space last week.
LinuxSecurity.com: Multiple vulnerabilities have been found in Zabbix, possibly leading to SQL injection attacks, Denial of Service, or information disclosure.
LinuxSecurity.com: Updated glibc packages fixes the following security issues: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary [More...]
LinuxSecurity.com: A vulnerability has been found in fcron, allowing local attackers to conduct symlink attacks.
LinuxSecurity.com: Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: Cross-site request forgery, insecure pseudo random number generation, code execution, incorrect security token validation and cross-site scripting. [More...]
LinuxSecurity.com: Multiple security issues was identified and fixed in drupal: Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, [More...]
LinuxSecurity.com: Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing daemon: CVE-2013-2236 [More...]
LinuxSecurity.com: A vulnerability was found and corrected in ruby: Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service [More...]
LinuxSecurity.com: Multiple vulnerabilities was found and corrected in bugzilla: Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via [More...]
LinuxSecurity.com: Keystone would improperly remove roles when it was configured to use theLDAP backend.
LinuxSecurity.com: Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code. [More...]
LinuxSecurity.com: Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Multiple vulnerabilities was found and corrected in glibc: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary [More...]

A company billing itself as one of Europe's biggest Bitcoin exchanges said it suffered a coordinated attack that succeeded in stealing almost $1 million worth of the digital currency, marking the latest in a string of high-stakes heists hitting companies that hold large sums online.

Kris Henriksen, CEO of Denmark-based Bitcoin Internet Payment Services (BIPS), made that claim last week in a Web post that said the attack began as a distributed denial-of-service (DDoS) attack. Two days later, Henriksen said, the same attackers targeted the BIPS network again and managed to use the damage they previously inflicted to somehow tamper with the channel that connects BIPS data storage systems to company servers.

"On November 15, BIPS was the target of a massive DDoS attack, which is now believed to have been the initial preparation for a subsequent attack on November 17 that overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers," the CEO wrote. "Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets."

Read 4 remaining paragraphs | Comments


If your workspace is in chaos, you could be losing productivity and your job performance will likely suffer. These eight tips can help you keep it all together and get the most out of each hour of the day.
TheFBI should make public a legal opinion it used to justify a past telephone records surveillance program because other agencies may still be relying on the document for surveillance justifications, the Electronic Frontier Foundation argued in court Tuesday.
A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.
VMware has posted a new beta release of Virtual SAN (VSAN) that lets enterprises add more storage capacity and management features.
Cogent Real-Time Systems DataHub Remote Heap Buffer Overflow Vulnerability
Black Friday is one of the few times during the year that Apple knocks down its iPad, iPhone and Mac prices, and the company has confirmed it will offer its version of bargains during a one-day shopping event on Nov. 29.
Google was hit by privacy complaints in 14 E.U. countries Tuesday over its new terms of service that allow user photos and comments in advertising.
Known for its ThinkPad laptops, Lenovo is trying to find its way into the data center, despite the dominance of the Big 3: IBM, HP and Dell
[ MDVSA-2013:286 ] ruby
[ MDVSA-2013:285 ] bugzilla
[SECURITY] [DSA 2800-1] nss security update
[ MDVSA-2013:284 ] glibc
Amazon Web Services often gets criticized as a platform that doesn't necessarily scale for the enterprise. So at re:Invent, the second annual AWS conference, Amazon made a series of announcements aimed squarely at dispelling these concerns.
Android For MSM Project CVE-2013-6392 Local Information Disclosure Vulnerability
Nano-10 PLC CVE-2013-5741 Remote Denial of Service Vulnerability
Novell ZENworks Configuration Management CVE-2013-1084 Directory Traversal Vulnerability
[ MDVSA-2013:282 ] perl-HTTP-Body
Open-Xchange Security Advisory 2013-11-25
HP LoadRunner Virtual User Generator CVE-2013-4839 Remote Code Execution Vulnerability
HP LoadRunner Virtual User Generator CVE-2013-4838 Remote Code Execution Vulnerability
Holiday e-commerce is expected to jump 14% to 17% this year compared to 2012, and increasing numbers of shoppers are doing their shopping from mobile devices.
A court in California has ruled against Samsung Electronics' attempt to stay the proceedings in a patent dispute with Apple, agreeing with Apple that the reexamination of its patent could take years, with no certainty the result would benefit Samsung.
The new iPad Mini with Retina display offers a no-compromise option for tablet fans who want the speed of an iPad Air and the portability of the smaller iPad.
After decades of fighting off viruses, worms, Trojans and other malware and cyberattacks, total victory remains beyond reach.
Microsoft Internet Explorer CVE-2013-3912 Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-3910 Memory Corruption Vulnerability
HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability
HP Business Process Monitor CVE-2013-2366 Remote Code Execution Vulnerability
Splunk Unspecified Cross Site Scripting Vulnerability
Elastix 'page' Parameter Cross Site Scripting Vulnerability
Linux Kernel 'genlock_dev_ioctl()' Function Memory Leak Local Information Disclosure Vulnerability
Ruby Floating Point Parsing Heap Buffer Overflow Vulnerability

Posted by InfoSec News on Nov 26


By Gene Spafford
November 26, 2013

Willis H. Ware, a highly respected and admired pioneer in the fields of
computing security and privacy, passed away on November 22nd, 2013, aged

Born August 31,1920, Mr. Ware received a BSEE from the University of
Pennsylvania (1941), and an SM in EE from MIT (1942). He worked on
classified radar and IFF electronic systems during...

Posted by InfoSec News on Nov 26


By Anthony Brino
Associate Editor
Government Health IT
November 25, 2013

As the seminal year of 2014 approaches for American healthcare, the Office
of the National Coordinator (ONC) is getting an earful about implementing
the HIPAA Accounting of Disclosures provision.

ONC's Privacy and Security Tiger Team is slated to convene the Monday

Posted by InfoSec News on Nov 26


25 Nov 2013

THE loss of hundreds of council laptops potentially containing council
taxpayers’ confidential information has been dismissed as 'not a big
security breach’.

The Observer exclusively reported last week, an Interim Progress report
from the Royal Borough’s...

Posted by InfoSec News on Nov 26


By John E Dunn
25 November 2013

British horse racing bible Racing Post has had to suspend member access to
its website while it clears up the mess caused by a weekend breach of a
customer database.

“The Racing Post apologises for the inconvenience and worry caused to our
customers by a malicious attack on our systems,” the...

Posted by InfoSec News on Nov 26


By Dan Goodin
Ars Technica
Nov 25 2013

Engineers at content delivery network CloudFlare have released open source
encryption software that's designed to prevent rogue employees from
accessing sensitive information by decrypting data only when two or more
people provide keys.

The open source software combines known cryptographic...
Internet Storm Center Infocon Status