VMware has released a new and updated security advisory today. The two security advisories, listed below, address numerous vulnerabilities in the VMware platform. For information regarding the impacted versions, affected components, and related CVE

Updated Advisory:

tony d0t carothers --gmail

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

InfoSec Community Get Ready to Arm Yourself with New Cyber Defence Tactics ...
The Independent Singapore News (blog)
The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters ...

APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001
APPLE-SA-2015-01-27-3 Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3
APPLE-SA-2015-01-27-2 iOS 8.1.3
APPLE-SA-2015-01-27-1 Apple TV 7.0.3

Qualys discovered a critical buffer overflow in the gethostbyname() and gethostbyname2() functions in glibc. According to the announcement by Qualys, they were able to create an in-house exploit that will execute arbitrary code via the Exim

glibc before version 2.18 (released August ) is vulnerable. You can quickly check your glibc version by using ldd --version

These glibc

What should you do: Apply this update as soon as you see patches offered by your Linux/Unix distribution. Some Windows software (and of course OS X) uses glibc as well and may be vulnerable. Use the getaddrinfo() function, not

[1]

You shouldn

Highly critical Ghost

GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - Michael Mimoso, Threatpost

LinuxGhostRemoteCode: https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability

---
B. Ullrich, Ph.D.

Extrasignum complexitus! My infosec superpower
Graham Cluley Security News
The guys at the Tripwire State of Security blog recently asked a bunch of infosec luminaries (and me) what our infosecurity superpower would be if Grace Hopper waved her magic wand and granted us a wish.


Insider Threat Summit Boasts Monterey as InfoSec Hub
Business Wire (press release)
MONTEREY, Calif.--(BUSINESS WIRE)--Significant progress is being made to enhance the technology industry on the Monterey Peninsula in California. The Insider Threat Summit, hosted by Advanced Onion and Tech Regiment, will be an integral part of ...

Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow
The Organization of Scientific Area Committees (OSAC), which coordinates the development of standards and guidelines for the forensic science community under the auspices of the National Institute of Standards and Technology (NIST), will ...

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.

The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the common vulnerability and exposures designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.

The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.


LinuxSecurity.com: Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Critical security [More...]
LinuxSecurity.com: Security Report Summary

Apple has just released the final build of OS X 10.10.2, the second major update for OS X Yosemite since its release. Version 10.10.1, published just a month after Yosemite's release, focused mostly on quick fixes for the new OS' most noticeable problems. Apple has been issuing betas for 10.10.2 since November, though, and a longer testing period usually implies that there are more extensive fixes.

First up, the new release is supposed to fix more of the Wi-Fi problems that some users have been experiencing since Yosemite's launch. 10.10.1 also included Wi-Fi fixes, though it apparently didn't resolve the problems for all. The new update will also address "an issue that may cause webpages to load slowly" and improve general stability in Safari, all of which should go a long way toward improving Yosemite's network and Internet performance.

Several privacy and security problems that we've reported on have been resolved in 10.10.2, as well. Though Apple will still share limited search and location information with Microsoft to enable Spotlight's Bing-powered Web searching feature, the company has fixed a bug that caused Spotlight to "load remote e-mail content" even when the setting was disabled in Mail.app itself. Our original report describes why this is a problem:



Infosec teams unprepared for new EU data protection laws
SC Magazine UK
More than a third of IT security teams are unprepared for the EU's two incoming data protection laws, according to a new study from FireEye. In its latest survey entitled “Mixed State of ...


The National Football League's official app for both iOS and Android puts users at risk by leaking their usernames, passwords, and e-mail addresses in plaintext to anyone who may be monitoring the traffic, according to a report published just five days before Superbowl XLIX, traditionally one of the world's most popular sporting events.

Update: About seven hours after Ars published this post, a spokesman for the NFL said the vulnerability has been "addressed." The spokesman said the fix involved only changes to the servers the app connects to. Users aren't required to update their apps in order to be protected.

As Ars has chronicled in the past, large numbers of people use the same password and e-mail address to log into multiple accounts. That means that people who have used the NFL app on public Wi-Fi hotspots or other insecure networks are at risk of account hijackings. The threat doesn't stop there: the exposed credentials allow snoops to log in to users' accounts on http://www.nfl.com, where still more personal data can be accessed, researchers from mobile data gateway Wandera warned. Profile pages, for instance, prompt users to enter their first and last names, full postal address, phone number, occupation, TV provider, date of birth, favorite team, greatest NFL Memory, sex, and links to Facebook, Twitter, and other social networks. Combined with "about me" data, the personal information could prove invaluable to spear phishers, who send e-mails purporting to come from friends or employers in hopes of tricking targets into clicking on malicious links or turning over financial data. Adding to the risk, profile pages are transmitted in unencrypted HTTP, making the data susceptible to still more monitoring over unsecured networks, the researchers reported.


[SECURITY] [DSA 3142-1] eglibc security update
[SECURITY] [DSA 3141-1] wireshark security update
[SECURITY] [DSA 3140-1] xen security update
[SYSS-2014-013] FancyFon FAMOC - Use of a One-Way Hash without a Salt
LinuxSecurity.com: USN-2458-1 introduced a regression in Firefox
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Several security issues were fixed in Oxide.
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
Linux Kernel 'vdso_addr()' Function Local Security Bypass Vulnerability
Django CVE-2015-0219 Security Bypass Vulnerability
Django 'django.util.http.is_safe_url()' Cross Site Scripting Vulnerability
Castor Library CVE-2014-3004 XML External Entity Information Disclosure Vulnerability
Google Chrome 40.0.2214.91 Multiple Security Vulnerabilities

Brits need chutzpah to copy Israeli cyberspies' tech creche – ex-spooks
The Register
Yoni Heilbronn, VP Marketing at Argus Cyber Security, which specialises in the emerging field of infosec for automobiles, is another Unit 8200 alumnus. "Experience with technology gained in [military] service is applied in private firms," Heilbronn ...

CVE-2015-0223: anonymous access to qpidd cannot be prevented
CVE-2015-0224: qpidd can be crashed by unauthenticated user

Posted by InfoSec News on Jan 27


By Virginia Bridges
January 26, 2015

I could tell that Leon Grodski de Barrera was skeptical when I told him
that my list of three things small-business owners should watch in 2015
included cybersecurity.

Why would hackers be interested in the likes of his and his wife’s Durham
coffee shop Cocoa Cinnamon, he asked, versus larger...

Posted by InfoSec News on Jan 27


By Dan Goodin
Ars Technica
Jan 26 2015

Adobe Systems is once again rolling out an emergency Flash update that
patches a critical vulnerability under active attack to compromise the
computers of unsuspecting users.

The latest Flash versions fix a remote code-execution bug that, as Ars
reported last week, recently came under...

Posted by InfoSec News on Jan 27


By Brian Krebs
Krebs on Security
January 26, 2015

When Karim Rattani isn’t manning the till at the local Subway franchise in
his adopted hometown of Cartersville, Ga., he’s usually tinkering with
code. The 21-year-old Pakistani native is the lead programmer for two very
different yet complementary online services: One lets people launch
powerful attacks that...

Posted by InfoSec News on Jan 27


By Tim Greene
Network World
Jan 26, 2015

PFP Cybersecurity, a startup with roots in academia and the military,
seeks out malware by analyzing the performance of hardware - not software
and not the behavior of devices on the network.

PFP’s system compares ongoing radio-frequency output from processors...

Posted by InfoSec News on Jan 27


By Erin McCann
Managing Editor
Healthcare IT News
January 26, 2015

Electronic health records not only enable faster access to real-time
patient data; they also make it a heck of a lot easier to catch snooping
employees who inappropriately view patients' confidential information, as
one California hospital has observed this past week.

Officials at the 785-bed...

Posted by InfoSec News on Jan 27


By https://twitter.com/addelindh and
Jan 26th, 2015

Today I got into an argument on Twitter that started with me saying
something sarcastic in reference to a recent statement by a vendor and
ended with a discussion about the skills shortage in security. Twitter can
be a difficult medium sometimes and I don’t...

Posted by InfoSec News on Jan 27


BBC News
26 January 2015

David Cameron has said a hoax call he received from someone claiming to be
taking part in a high level conference call, did not "breach security".

The prime minister revealed he received the call on his Blackberry while
out for a walk with his family.

Mr Cameron said he quickly hung up when he realised the caller was not

He told journalists "these things...
WebKitGTK+ Security Advisory WSA-2015-0001
[CORE-2015-0002] - Android WiFi-Direct Denial of Service
Internet Storm Center Infocon Status