Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
AT&T gained subscribers for both its mobile and high-speed wireline services in the fourth quarter, posting revenue and profit increases from a year earlier.
 
Yahoo reported a 6 percent drop in revenue for the fourth quarter as sales of its display and search ads dropped compared to last year.
 
Russian Aleksandr Andreevich Panin has pleaded guilty to conspiracy to commit wire and bank fraud for his role as primary developer and distributor of the SpyEye bank fraud Trojan, the U.S. Department of Justice said Tuesday.
 

Researchers have uncovered a piece of botnet malware that is capable of infecting computers running Windows, Mac OS X, and Linux that have Oracle's Java software framework installed.

The cross-platform HEUR:Backdoor.Java.Agent.a, as reported in a blog post published Tuesday by Kaspersky Lab, takes hold of computers by exploiting CVE-2013-2465, a critical Java vulnerability that Oracle patched in June. The bug is present in Java 7 Update 21 and earlier. Once the bot has infected a computer, it copies itself to the autostart directory of the respective platform so that it runs whenever the machine is turned on. Compromised computers then report to an Internet Relay Chat channel that acts as the command-and-control server.

The botnet is designed to conduct distributed denial-of-service attacks on targets of the attackers' choice. Commands issued in the IRC channel allow the attackers to specify the IP address, port number, intensity, and duration of attacks. The malware is written entirely in Java, allowing it to run on Windows, OS X, and Linux machines. For added flexibility, the bot incorporates PircBot, a Java framework for writing IRC bots.


 

None of us likes spam, but sometimes there are good reasons to send large volumes of automatically generated e-mail: order confirmations, newsletters and similar services. Sadly, I often see it done wrong, so I would like to propose some rules for sending mass e-mail correctly.

The risks of doing it incorrectly are twofold: your e-mail will get caught in spam filters, or your e-mail will train users to fall for phishing, endangering your brand.

So here are some of the rules:

- Always use a "From" address that is within your own domain, even if a third party sends the e-mail for you. They can still use your domain if you set them up correctly. If necessary, use a subdomain ("mail.example.com" rather than "example.com").
- Use DKIM and/or SPF to mark the e-mail as coming from a source authorized to send on your behalf. DKIM can be a bit challenging if a third party is involved, but SPF should be doable. Using a subdomain as the From address can make this easier to configure. For extra credit, publish a DMARC record with reporting addresses so that you receive reports about messages that fail authentication or are rejected.
- Use URLs only if you have to, and if you do, don't "obscure" them by making them look like they link somewhere other than where they actually go. Link to your primary domain (or a subdomain of it as a workaround).
- Try to keep e-mails plain text; if you have to use HTML markup, make sure it matches the look and feel of your primary site. You don't want the fake e-mail to look better than the real one.
- Watch for bounces and process them, either to remove dead e-mail addresses or to find out quickly about configuration issues or spam blacklisting.
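As an added example (not part of the diary), the following Python shows what the SPF and DMARC rules above amount to in DNS, and then runs the checks a receiving mail server applies against those records: SPF evaluation of the envelope sender's domain, and DMARC identifier alignment between the header From domain and the domain SPF authenticated. All domains, addresses and records are constructed stand-ins (example.com, its mail.example.com subdomain, and bulkmailer.example as the hypothetical third-party sender); DNS is replaced by an in-memory zone, DKIM verification is not modelled, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
"""SPF evaluation and DMARC alignment, offline, against a constructed zone.

Added example, not ISC's code.  Domains, IPs and records are hypothetical.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS zone: what a sender following the diary's rules publishes.
# The bulk mailer is authorised only through the mail.example.com subdomain.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.10 -all"],
    "mail.example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.bulkmailer.example -all"],
    "bulkmailer.example": ["v=spf1 include:_spf.bulkmailer.example -all"],
    "_spf.bulkmailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=r; adkim=r"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (hypothetical zone above)."""
    return DNS_TXT.get(name.lower().rstrip("."), [])


def check_spf(ip, domain, depth=0):
    """RFC 7208 check_host() for the ip4, ip6, include and all mechanisms.
    a, mx, exists and redirect are not modelled and yield permerror.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = next((t for t in lookup_txt(domain) if t.lower().startswith("v=spf1")), None)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:                        # a v4 address never matches a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":         # include matches only on a "pass" of the included record
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


def org_domain(domain):
    """Organizational domain.  Simplification: last two labels (real DMARC
    uses the Public Suffix List, so this is wrong for co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_record(from_domain):
    """DMARC policy for the From domain, falling back to the organizational
    domain as RFC 7489 requires.  Returns a tag dict, or None if unpublished."""
    for name in (from_domain, org_domain(from_domain)):
        for txt in lookup_txt("_dmarc." + name):
            if txt.upper().startswith("V=DMARC1"):
                tags = {}
                for part in txt.split(";"):
                    key, _, value = part.strip().partition("=")
                    if key:
                        tags[key.strip().lower()] = value.strip()
                return tags
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only a shared organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(raw_message, sender_ip, mail_from):
    """What a receiving MTA decides for one message.  `mail_from` is the
    envelope sender (where bounces go); the header From is what the user
    sees and what DMARC protects.  Without DKIM, only an aligned SPF pass
    can satisfy DMARC here."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mail_from_domain = mail_from.rpartition("@")[2].lower()
    spf = check_spf(sender_ip, mail_from_domain)
    policy = dmarc_record(from_domain) or {}
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dmarc = "none" if not policy else ("pass" if spf_aligned else "fail")
    return {"from_domain": from_domain, "spf": spf, "spf_aligned": spf_aligned, "dmarc": dmarc,
            "disposition": policy.get("p", "none") if dmarc == "fail" else "none"}


# Constructed messages: the newsletter sent as the diary recommends; the same
# bulk mailer using the primary domain in From but its own envelope sender
# (the misconfiguration the diary warns about); and a phish from elsewhere.
NEWSLETTER = "From: Example Shop <news@mail.example.com>\nSubject: January newsletter\n\nHello\n"
MISCONFIGURED = "From: Example Shop <news@example.com>\nSubject: January newsletter\n\nHello\n"
PHISH = "From: Example Shop <security@example.com>\nSubject: Verify your account\n\nClick here\n"

if __name__ == "__main__":
    for label, body, ip, envelope in [("newsletter", NEWSLETTER, "198.51.100.10", "bounce@mail.example.com"),
                                      ("misconfigured", MISCONFIGURED, "198.51.100.10", "bounce@bulkmailer.example"),
                                      ("phish", PHISH, "192.0.2.5", "security@example.com")]:
        print(label, evaluate(body, ip, envelope))
```

The "misconfigured" case is the one to study: SPF passes, because the bulk mailer's own domain authorises its servers, yet DMARC fails and the message is quarantined, because the domain SPF vouched for (bulkmailer.example) is not the one in the From header (example.com). Putting the third party's servers in the subdomain's SPF record and using that subdomain as both envelope sender and From address, as in the "newsletter" case, is what makes the two identifiers align.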

Of course, I would like to see more digitally signed e-mail, but I think nobody really cares about that. 

Any other ideas?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 
 
With the official release of Google Glass expected later this year, the company is taking big steps to make its computerized eyeglasses ready for launch.
 
Google in recent months has agreed to use billions of dollars gained in profits from its wildly successful search and advertising business to buy an array of companies developing artificial technology and robotics technologies.
 
Brace yourself. The Internet is about to get a lot busier and more cluttered. The Internet addresses that we are accustomed to using (.com, .net and .edu) will be getting a lot of company next week.
 
Samsung will unveil a Galaxy Glass wearable computer, a competitor to Google Glass, as early as September at the IFA trade show in Germany, according to unnamed officials quoted by a Korean news site.
 
Oracle is continuing its legal battle against third-party software support providers it alleges are performing such services in a manner that violates its intellectual property.
 
Microsoft will roll out over the coming weeks enhanced administration tools for partners that manage their customers' Office 365 deployments.
 
 
The scoop: BEAN Quiet Sound Amplifier, by Etymotic Research, about $480 (for one; $860 for two)
 

Last week, we explained how a feature designed to make Google Calendar easier to use can tip off your boss that you plan to ask for a raise. In short, putting valid e-mail addresses in the subject line of a calendar entry—as part of, say, a reminder to "e-mail [email protected] to demand a pay raise"—automatically adds the reminder to the calendar associated with the boss' address.

None of that is new, but given the continuing risk of inadvertently leaking sensitive data to bosses, spouses, or others, it was worth repeating. After all, Google engineers have no plans to change the behavior. It is similarly worth remembering that the behavior is regularly exploited by spammers as a means to get their messages in front of live bodies. Just paste a single message into the body of a calendar entry, fill in as many addresses as possible in the subject line, and voilà, the message pops up as a reminder on desktops and smartphones all over the world.

The image below depicts one of the scams currently circulating over Google Calendar. Again, it's not a new threat, and it's not limited to Google's service. Similar scams have long plagued users of Microsoft's Outlook as well. Still, the image is a reminder of why you can't automatically trust something just because it's entered in your calendar.


 
Apple has been awarded the patent for a MacBook shell that would combine smart glass and solar cells to generate power.
 
A vulnerability in Android allows malicious applications to bypass an active VPN (virtual private network) connection and force traffic from the device through an attacker-controlled system where it can be intercepted, according to security researchers from Ben-Gurion University of the Negev in Israel.
 
Munin CVE-2013-6359 Remote Denial of Service Vulnerability
 
Munin CVE-2013-6048 Remote Denial of Service Vulnerability
 
Xen 'PHYSDEVOP_{prepare,release}_msix' Operations Local Privilege Escalation Vulnerability
 
Apple's iPod business collapsed last quarter, with revenue plummeting 55% and the number of music players dropping by more than half compared to the same period the year before.
 
For the first time ever, just over 1 billion smartphones shipped to vendors worldwide in 2013, double the number of just two years earlier, IDC said late Monday.
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in Munin.
 
Mac sales jumped 19% in the fourth quarter of 2013 over the year before, the first uptick in more than a year, Apple said Monday.
 
As software-defined networking and network function virtualization begin to take hold in the enterprise, it's worth examining each concept to see how they complement each other. The end result: More generic network hardware and more open software.
 
As Windows 8 struggles to gain traction, you can hear the criticism mounting, that Microsoft's latest OS is the new Vista. If that turns out to be true, the company has some big decisions to make.
 

-Kevin -- ISC Handler on Duty

 
, the open source software management company, picks the top 10 open source projects launched in the past year, based on stats collected from the
 
Your Klout score serves as an important indicator of your social media influence. These tips will help you increase your Klout score while also improving social engagement.
 
Cisco Secure Access Control System Portal Interface Access Security Bypass Vulnerability
 
Cisco Video Surveillance 5000 Series IP Dome Cameras Multiple Cross Site Scripting Vulnerabilities
 
Google Glass is now compatible with prescription lenses thanks to a set of four titanium frames designed to carry the company's Internet-enabled wearable computer.
 
Microsoft is contributing the designs of the cloud servers that run some of its services like Bing and Windows Azure to the Open Compute Project, in a bid to help standardize and reduce hardware costs.
 
If you had any doubts about the popularity of smartphones, new numbers suggest they've notched a significant milestone. The global smartphone market topped 1 billion shipments for the first time in 2013, covering about one-seventh of the world's population, according to research by IDC.
 
Starbucks released a mobile app that stored passwords in clear text. There's a good chance that a lot of other companies just don't know whether they could find themselves in the same situation.
 
Researchers at Virginia Tech have developed a battery that runs on sugar and could one day replace traditional batteries with ones that are cheaper, refillable and biodegradable.
 
When you're running a large-scale simulation or editing a professional video, you need more computing power than most laptops can give. In this roundup, we review three high-powered Windows mobile workstations.
 
Mozilla Thunderbird Remote Security Bypass Vulnerability
 
Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability
 
Multiple Vulnerabilities in Eventum
 
DC4420 - London DEFCON - January meet - Tuesday 28th January 2014
 

Posted by InfoSec News on Jan 28

http://pando.com/2014/01/27/no-second-chance-for-stephen-glass-the-long-strange-downfall-of-a-journalistic-wunderkind/

By Adam L. Penenberg
PandoDaily.com
January 27, 2014

The California Supreme Court has denied disgraced former journalist
Stephen Glass a license to practice law.

Pointing out in its ruling that "Glass's journalistic dishonesty was not a
single lapse of judgment" but "involved significant deceit sustained...
 
WordPress Pretty Photo Plugin 'hashrel' Parameter Cross Site Scripting Vulnerability
 

Posted by InfoSec News on Jan 28

http://www.computerworld.com/s/article/9245709/_After_Target_Neiman_Marcus_breaches_does_PCI_compliance_mean_anything_

By Jaikumar Vijayan
Computerworld
January 24, 2014

The recent data breaches at Target and Neiman Marcus have once again shown
that compliance with the Payment Card Industry Data Security Standard (PCI
DSS) is no guarantee against an intrusion.

What's unclear is whether the problem lies in the standard itself, or the...
 

Posted by InfoSec News on Jan 28

http://www.crn.com/news/security/240165711/coca-cola-laptop-breach-a-common-failure-of-encryption-security-basics.htm

By Robert Westervelt
CRN.com
January 27, 2014

Coca-Cola is notifying employees, contractors and people associated with
its suppliers following a data breach at its Atlanta headquarters that
resulted in the theft of laptops and information exposure on at least
74,000 people.

The laptops, which have been recovered, were stolen...
 

Posted by InfoSec News on Jan 28

http://www.theregister.co.uk/2014/01/28/fbi_china_india_romania_email_hack_bust/

By Phil Muncaster
The Register
28th January 2014

The FBI is claiming a major success after co-ordinating the arrest of
alleged email hackers-for-hire in the US, Romania, India and China.

Those behind bars are alleged to have been responsible for compromising
nearly 9,000 email accounts between them in cases dating back to 2011.

The Feds said they cuffed Mark...
 

Posted by InfoSec News on Jan 28

http://www.timesofisrael.com/lockheed-martin-to-invest-in-israeli-cybersecurity-know-how/

By David Shamah
The Times of Israel
January 27, 2014

For its first major investment in Israeli technology, Lockheed-Martin is
looking for innovative cyber-security ideas and projects -- which would
seem a bit out of character for a company best known for defense systems,
aerospace, and even space systems. "A lot of people do think that, but it...
 