The danger of infosec ignorance in IoT - Security - Blogs - iTnews.com.au
iT News (blog)
Hackers taking remote control of our cars is a frightening prospect for many of us, but what are the real risks and what should we do about them? Last week two security researchers used a feature in the Fiat Chrysler Jeep called Uconnect to hook in ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Officeworks spooked into infosec overhaul by Target breach
iT News
Wesfarmers-owned office supply chain Officeworks will upgrade its firewalls, vulnerability analysis and endpoint security systems after being scared into action by the 2013 attack against US retailer Target. On the sidelines of the RSA APJ conference ...

Last November, Charles Tendell quietly launched a website called Hacker's List. Its name was literal. In this online marketplace, white-hat security experts could sell their services in bite-size engagements to people with cyber-problems beyond their grasp.

"Hacker's List is meant to connect consumers who have online issues to hackers or professionals out there who have the skills to service them," Tendell told Ars. "Consumers get bullied online, they lose personal information, they have things stolen from them, they get locked out of things, and they have people post negative things or post personal information. They didn't have a place to go to be able to get help and make sure they're getting the right price or the best person for a particular job. That's what Hacker's List is for."

The idea seemed clever enough. Soon after launch, The New York Times found the site and brought a stampede of traffic that initially caused it to go down under the strain. In the six months or so since, Hacker's List has been running without technical hitches. (The site is also utilizing CloudFlare's content delivery network nowadays.)

Researchers looking for information on the properties of methane at high temperatures or the isotopic composition of an element know they can rely on standard reference data from the National Institute of Standards and Technology (NIST). ...

Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.

The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.

In a blog post published Monday, Zimperium researchers wrote:

The National Institute of Standards and Technology (NIST) is hosting Safeguarding Health Information: Building Assurance through HIPAA Security-2015, September 2-3, 2015, in Washington, D.C. The meeting is the eighth in an annual series, ...

The Pakistan Telecommunication Authority (PTA) has issued a directive to mobile phone network operators to shut down access to BlackBerry Enterprise Services for all mobile customers by November 30. The new order is "for security reasons," a PTA spokesperson told The Guardian.

The order comes just six days after Privacy International issued a report warning that Pakistan's intelligence agencies are ramping up electronic surveillance efforts. The ongoing battle with the Pakistani Taliban and other insurgents has been used as justification for an increasingly broad surveillance campaign by Pakistan's intelligence community.

"The Pakistani government has been trying for years to capture all domestic phone and internet traffic across the nation’s networks," the authors of the Privacy International report noted. "As of 2013, they are significantly closer to achieving this goal."

Valve has patched a bug in its Steam system that let an attacker easily take over an arbitrary account using nothing but the account's username.

The hijacking exploit took advantage of a hole in Steam's password recovery feature, which sends a recovery code to the registered e-mail address associated with the account. That e-mailed code needs to be entered on a form through the Steam website, but an attacker could simply skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog, as demonstrated in this video.

In a statement to Kotaku, Valve said it quickly fixed the bug when made aware of it on Saturday, July 25 but that "a subset of Steam accounts" could have been affected since July 21. It's hard to know precisely how often the attack was used in that time, but a number of prominent Counter-Strike: GO streamers and others with well-known Steam usernames seem to have been affected.

Apple iTunes & AppStore - Filter Bypass & Persistent Invoice Vulnerability

Posted by InfoSec News on Jul 27


By Darren Pauli
The Register
27 Jul 2015

Security researcher Robert Simmons has released a tool that offers a new
level of stealth to the malware cat-and-mouse skirmish by shrouding binary

"Plague Scanner" is a free on-premise anti-virus framework - a class of
tool that drives multiple anti-virus scanners at once -...
[SECURITY] [DSA 3317-1] lxc security update
[SECURITY] [DSA 3318-1] expat security update

Posted by InfoSec News on Jul 27


By Andrew Tilghman
Staff writer
Military Times
July 25, 2015

The utility systems that provide water, electricity and other essential
services to military installations worldwide have limited defenses against
cyber-attacks, putting many bases at risk for a "serious mission-disabling
event," a new Government Accountability Office report says.


Posted by InfoSec News on Jul 27


By Thomas Lifson
American Thinker
July 22, 2015

Perhaps the very worst aspect of the Iran deal reached in Vienna is the
commitment of the U.S. and European powers to teach the Iranians how to
resist attacks such as Stuxnet. Although it has received very little
media coverage (Adam Kredo of the Free Beacon is the notable...

Posted by InfoSec News on Jul 27


By Bill Gertz
Washington Free Beacon
July 27, 2015

The commander of U.S. Cyber Command said last week that the Office of
Personnel Management hack of millions of records of federal workers shows
a new trend toward using Big Data analytics for both nation-state and
criminal cyber attacks.

“One of the lessons from OPM for...

Posted by InfoSec News on Jul 27


By Warwick Ashford
Security Editor
23 Jul 2015

Smartwatches with network and communication functionality represent a new
and open frontier for cyber attack, according to a study by HP Fortify.

The study revealed that 100% of the tested smartwatches contained
significant vulnerabilities, including insufficient...

Posted by InfoSec News on Jul 27


By Steve Ragan
Salted Hash
July 23, 2015

Next month, thousands of hackers will travel to Las Vegas, and hundreds of
journalists are going to follow them. The adversarial relationship between
hackers and the press has existed for years, but there are ways to
navigate the playing field and...

Posted by InfoSec News on Jul 27


Crain's Detroit Business
July 26, 2015

Twenty-three percent of executives at technology companies say their firms
have suffered a security breach in the past 12 months, according to the
national annual Technology Industry Business Outlook survey conducted by
KPMG LLP, the audit, tax and advisory firm....
[SECURITY] [DSA 3316-1] openjdk-7 security update
Integer overflow in .NET Framework System.DirectoryServices.Protocols.Utility class
Hawkeye-G v3.0.1 Persistent XSS & Information Leakage

Monday review – the hot 19 infosec stories of the week | Naked Security ...
Naked Security
... daily newsletter to make sure you don't miss anything. You can easily unsubscribe if you decide you no longer want it. Days of the week image courtesy of Shutterstock. Tags: computer security, Infosec, monday review, news, security news, weekly ...
