Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
When's the last time you thought about using different passwords for different websites? Perhaps after a bug called Heartbleed started crawling around them.
 
The cloud-storage arms race heated up even more on Monday when Microsoft gave its OneDrive for Business service a big capacity boost.
 

The 4 Infosec 2014 trends to watch out for
Computer Business Review
Infosec Europe 2014 arrives hot on the heels of one of the most high profile cybersecurity vulnerabilities there's been in years. The Heartbleed bug, a security flaw in the OpenSSL encryption technology that protects websites' data, has cast the ...

 
When the U.S. Federal Communications Commission announced its proposal to reinstate new net neutrality regulations that would allow broadband providers to engage in commercially reasonable traffic management, the agency set off a firestorm of protest from digital rights groups, Internet commentators and bloggers.
 
Using a home inkjet printer, special ink and photo paper, scientists from Microsoft Research have created what they hope will be the future for fabricating basic electronics. Presented at CHI 2014 in Toronto, the project uses "circuit stickers" which let users build electronics by sticking circuit elements onto paper.
 
[security bulletin] HPSBUX02963 SSRT101297 rev.2 - HP-UX m4(1), Local Unauthorized Access
 
The U.S. government's top cyber-security agency is telling Internet Explorer users they should consider running a different browser until Microsoft fixes a critical vulnerability.
 
Teardowns of more than a dozen smartwatches now on the market show that some models use processors originally designed for smartphones or tablets, according to ABI Research.
 
An independent Solaris OS support provider has countersued Oracle for unfair competition and violation of U.S. antitrust laws.
 
AT&T plans to launch an LTE in-flight connection service by late 2015 for airlines and passengers that will be available for fast passenger Wi-Fi as well as real-time cockpit and maintenance communications.
 
Maryfran Johnson says CIOs who serve on external boards add to their heavy workload but gain a valuable new perspective
 
Microsoft Internet Explorer CVE-2014-1776 Remote Code Execution Vulnerability
 
AOL is asking users to reset their passwords as it investigates a recent flurry of spam e-mails.
 

Last week, AOL confirmed that an unknown number of AOL Mail accounts have been hacked. Today, the company urged all its customers to change passwords and security questions, as it determined that information for at least two percent of all its accounts had been compromised. That's an impact of half a million users.

Attackers breached AOL’s systems and gained access to e-mail addresses, encrypted passwords, answers to security questions, and other contact information (including postal mailing addresses). While the mailboxes themselves were not compromised, the attackers used the contact information in a barrage of “spoofed” e-mails from those addresses—messages sent from outside AOL’s network with forged “from” address headers. Those e-mails are part of a large-scale phishing operation containing malicious Web links.

An AOL spokesperson said that the company is working with federal law enforcement to investigate the attack on its servers and that there was no indication that the encrypted passwords had been cracked by the attackers. The company has also changed its Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to "p=reject", which asks receiving mail services that honor DMARC to discard any message carrying an aol.com From address that fails DMARC authentication, that is, one for which neither SPF nor DKIM yields a pass aligned with aol.com, as is the case for mail sent from a server outside AOL's network.
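What "p=reject" changes for a receiver, as an added example that is not code from the Ars article or from AOL: the DMARC evaluation a receiving mail server runs for a message whose From: header claims an aol.com address. The record text, the two messages and the SPF/DKIM verdicts are constructed for the example; a real receiver obtains the verdicts from its own SPF and DKIM checks, fetches the record with a DNS TXT lookup of _dmarc.aol.com, and uses the Public Suffix List instead of the two-label shortcut used here for the organizational domain.

```python
"""DMARC disposition for a message, following the RFC 7489 evaluation rules.

Added example (not AOL's or Ars Technica's code). The record, the messages and
the SPF/DKIM verdicts below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed record in the shape AOL switched to; the real _dmarc.aol.com
# TXT record is not reproduced here.
AOL_REJECT_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r"
# The weaker monitoring-only policy, for comparison.
MONITOR_ONLY_RECORD = "v=DMARC1; p=none"


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; aspf=r' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real
    implementation consults the Public Suffix List (think co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, record, spf_domain, spf_result,
                   dkim_domain, dkim_result):
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM (Return-Path) domain the SPF check ran
    against; dkim_domain is the d= of a signature that verified. DMARC passes
    only if a mechanism passed AND its domain aligns with the From: domain.
    """
    tags = parse_dmarc_record(record)
    spf_ok = bool(spf_result == "pass" and spf_domain
                  and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain
                   and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failed: apply the domain owner's requested policy (none/quarantine/reject).
    return "fail", tags.get("p", "none")


def disposition_for_message(raw_message, record, spf_result, dkim_result,
                            dkim_domain=None):
    """Extract the RFC5322.From and Return-Path domains from a raw message and
    run the DMARC evaluation with the receiver's own SPF/DKIM verdicts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = parseaddr(str(msg["From"]))[1]
    mail_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = from_addr.rpartition("@")[2]
    spf_domain = mail_from.rpartition("@")[2]
    return evaluate_dmarc(from_domain, record, spf_domain, spf_result,
                          dkim_domain, dkim_result)


# Constructed messages. The spoof is sent from the attacker's own server, so
# SPF for attacker-host.example can even pass, but that domain does not align
# with aol.com and there is no aol.com DKIM signature.
SPOOFED = """\
Return-Path: <bounce@attacker-host.example>
From: "A Friend" <someone@aol.com>
To: target@example.net
Subject: check this out

http://bad.example/link
"""

LEGITIMATE = """\
Return-Path: <someone@aol.com>
From: "A Friend" <someone@aol.com>
To: target@example.net
Subject: hello

see you tomorrow
"""

if __name__ == "__main__":
    print(disposition_for_message(SPOOFED, AOL_REJECT_RECORD, "pass", "none"))
    # ('fail', 'reject')
    print(disposition_for_message(SPOOFED, MONITOR_ONLY_RECORD, "pass", "none"))
    # ('fail', 'none')  delivered anyway; the spoof only shows up in reports
    print(disposition_for_message(LEGITIMATE, AOL_REJECT_RECORD, "pass", "pass",
                                  dkim_domain="aol.com"))
    # ('pass', 'none')
```

The same spoofed message is delivered under "p=none" and rejected under "p=reject"; only the domain owner's published policy differs. The cost of the stricter setting is that legitimate aol.com mail relayed through a mailing list or forwarder that alters the message (breaking the DKIM signature) and resends it from a non-AOL server (breaking SPF alignment) is rejected too, which is why lists had to start rewriting the From header for domains publishing "p=reject".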


 
[security bulletin] HPSBMU02995 rev.6 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure
 
The surprising departure of Google+ chief Vic Gundotra has ignited uncertainty and speculation about the product's future, including its place in the workplace Apps suite.
 
Lawyers for Samsung got a reminder of Judge Lucy Koh's temper on Monday morning when a remark made by one of their witnesses made them the target of her anger for more than 20 minutes.
 
A fragment of the shellcode exploiting a critical vulnerability in Adobe Flash.

A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft's Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, formally tracked as CVE-2014-0515 and residing in a Flash component known as Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. (CVE-2014-1776 is the separate Internet Explorer vulnerability reported the previous day.) Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windows 8 will receive the update automatically, as will users of Google's Chrome browser. It can sometimes take hours for the automatic updates to arrive; those who are truly cautious should install them manually. Windows users with Firefox installed must update separately for both IE and the Mozilla browser, since each uses its own Flash plugin.


 
[SECURITY] [DSA 2917-1] super security update
 
[SECURITY] [DSA 2916-1] libmms security update
 
Samsung Electronics has begun mass producing a more affordable SSD, seeking to help drive the technology deeper into the corporate data center.
 
In my recent post on IDC's 2014 predictions about how what it calls the "third platform" will radically disrupt the IT ecosystem, I note that the most intriguing prediction addresses how technology users will leverage the third platform to disrupt existing non-technology industries.
 
Adobe Systems released emergency security updates for Flash Player in order to fix a vulnerability that has been exploited in attacks against users since earlier this month.
 
 
[SECURITY] [DSA 2915-1] dpkg security update
 
 

ISC Handler Rob let us know that @hdmoore Tweeted out: "Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): "

The reporter indicates that he was running Ubuntu 14.04 with all packages updated.
When the screen is locked with a password and Enter is held down, after some seconds the screen freezes and the lock screen crashes. After that the computer is fully unlocked.

The initial report states that the "bug is about the lockscreen being bypassed when Unity crashes/restarts, which is a critical security issue. The crash will be handled from bug 1308750."

To reproduce:
1) Open the lockscreen (Super+L)
2) Hold Enter down
.... wait .....
*Crash*
Expected:
*No crash*
Stacktrace:
http://paste.ubuntu.com/7263684/

From the bug tracker, the fix has been committed and released. Be cognizant of this issue should you leave an Ubuntu 14.04 host unattended. :-)

Russ McRee | @holisticinfosec

 
TDK today announced it is licensing wireless charging technology that it plans to sell to makers of electric vehicles to enable wireless battery recharging.
 
Google has taken on a new challenge -- city streets -- as it works to develop a self-driving car.
 
The privacy-focused Blackphone, which starts shipping in June for $629, will run an Nvidia Tegra 4i mobile processor, the phone's makers announced Monday.
 
LinuxSecurity.com: A malicious source package could write files outside the unpack directory.
 
LinuxSecurity.com: Several security issues were fixed in QEMU.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
Microsoft is now letting Skype users make group video calls for free via PCs, Macs and the Xbox.
 
The Apache Software Foundation rushed last week to update the popular Apache Struts framework after a previous security patch for a high-risk vulnerability proved to be incomplete.
 
[ANN] Struts 2.3.16.2 GA release available - security fix
 
[security bulletin] HPSBMU03022 rev.1 - HP Systems Insight Manager (SIM) Bundled Software running OpenSSL, Remote Disclosure of Information
 
[SECURITY] [DSA 2914-1] drupal6 security update
 
[SECURITY] [DSA 2913-1] drupal7 security update
 
It's how the future is meant to be, isn't it? The good guys need to find a bad guy in a crowd of people, so they start scanning the environment with a camera equipped with facial recognition technology. Seconds later, they scan a face that's a positive match with an entry in their criminal database and bam, they've smoked him out.
 
As healthcare in the United States embarks on what PwC describes as its most radical shift in 80 years, most health IT incumbents just aren't cutting it.
 
Email providers have to turn over a user's emails and other data to U.S. law enforcement when issued a search warrant, even if the data is stored overseas, a U.S. judge ruled Friday.
 
Apache Struts ClassLoader Manipulation Incomplete Fix Security Bypass Vulnerability
 
Economies of scale continued to elude Microsoft's Surface line as the tablet lost more money in the March quarter than in the preceding three-month period, regulatory filings showed.
 
Kolibri+ HTTP GET Request Buffer Overflow Vulnerability
 
IBM has assembled a vast array of hosted cloud services, and now it has somewhere to show them off.
 
Security experts have expressed doubts about a hacker claim that there's a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.
 
Chinese e-commerce giant Alibaba Group is partnering with an Internet browser company to try and topple Baidu's hold on the nation's mobile search market.
 

InfoSec 2014: Government and industry must work together to protect against ...
Channel Pro
In a report released by Infosecurity Europe, the company warns that long-term strategies are necessary to combat evolving cyber threats. The report, Information security: From business barrier to business enabler, also highlights the disconnect between ...

 

Posted by InfoSec News on Apr 28

http://www.israelnationalnews.com/News/News.aspx/179925

By Tova Dvorin
Arutz Sheva
4/25/2014

Several weeks ago, a vigilante by the name of "Buddhax" made waves when he
exposed the true faces - and names and passwords - of several anti-Israel
hackers who participated in the #OpIsrael project to launch a cyber-attack
against Israel.

Now, nearly one month later, Channel 2 revealed Friday the existence of
another party responsible...
 

Posted by InfoSec News on Apr 28

http://www.chicagotribune.com/news/sns-rt-us-usa-cybersecurity-dhs-20140426,0,136919.story

By Doina Chiacu
Reuters
April 26, 2014

In the race to attract cybersecurity experts to protect the government's
computer networks, the Department of Homeland Security has a handicap
money can't fix.

Navigating the federal hiring system takes many months, which is too long
in the fast-paced tech world.

"Even when somebody is patriotic...
 

Posted by InfoSec News on Apr 28

http://www.wired.com/2014/04/hospital-equipment-vulnerable/

By Kim Zetter
Threat Level
Wired.com
04.25.14

When Scott Erven was given free rein to roam through all of the medical
equipment used at a large chain of Midwest health care facilities, he knew
he would find security problems–but he wasn’t prepared for just how bad it
would be.

In a study spanning two years, Erven and his team found drug infusion
pumps–for delivering morphine...
 

Posted by InfoSec News on Apr 28

http://news.techworld.com/security/3513668/tdl4-rootkit-can-be-modified-pwn-any-security-product-bromium-researchers-discover/

By John E Dunn
Techworld
28 April 2014

Kernel mode rootkits are more viable than has been realised and could be
used to bypass more or less any security product in existence, researchers
at Bromium have discovered after conducting a proof-of-concept attack
using a modified variant of the infamous TDL4 malware....
 

Posted by InfoSec News on Apr 28

http://www.nextgov.com/cloud-computing/2014/04/lawmakers-want-pentagon-clarify-cloud-security-standards/83245/

By William Matthews
Nextgov.com
April 25, 2014

Two House members are proposing legislation they say would ease the way
for cloud computing vendors to sell services to the Defense Department.

The Defense Cloud Security Act would require department officials to set
clearer security requirements for cloud storage and other cloud...
 
Internet Storm Center Infocon Status