Mozilla Firefox/Thunderbird CVE-2013-1682 Multiple Unspecified Memory Corruption Vulnerabilities
In the wee hours of Sunday morning, Sprint Nextel will give its iDEN push-to-talk network the final push -- over the edge.
Yahoo is slimming itself down again by axing 12 of its products, part of an ongoing effort to sharpen its focus on services it thinks people need in their daily lives.
Some of the goodies included with Carberp.

The recent leak of source code for a powerful piece of bank-fraud malware may spawn a surge of advanced botnet attacks carried out by copycat hackers who previously didn't have the skill to pull off such feats, security researchers warned.

Carberp, as the botnet-creation toolkit is known, previously sold in underground crime forums for as much as $40,000 a license. In the last week, source code for the crimeware began circulating online for free and can now be acquired by many people who have a few hours to poke around. While the leak is a boon for researchers who want to know as much as possible about the inner workings of sophisticated malware, it also comes with a dark side: it isn't that hard for malware newcomers to get their hands on the 1.88 GB package of code.

"In short, it does not take a genius to get a copy of the leaked source code, which makes this whole thing dangerous," Christopher Elisan, principal malware scientist in security firm RSA's FirstWatch department, wrote in a blog post published Friday. "Any script kiddie, who probably does not understand the technology, can use this which may result in dire consequences. It's like handing a bazooka to a child."



This week, you've joined us for the liveblogs and heard the many different announcements from Microsoft's Build developer conference. We got an extensive hands-on look at the new features in Windows 8.1 and its many interface changes. We also touched on Windows' new out-of-the-box 3D printing capabilities and took a stroll through the vastly improved Windows Store. After all that, we perused the miniature show floor, which was mostly a showcase of some of the latest Windows products. Take a peek.


Oracle Java SE CVE-2013-2418 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2013-2416 Remote Java Runtime Environment Vulnerability
Closing out June, tech stocks are up for the year but have not enjoyed the full fruits of a bull market that has boosted the Dow to its best first half since 1999, right before the dot-com crash.
Oracle's string of high-profile cloud-computing partnership announcements with Microsoft, Salesforce.com and NetSuite dominated tech news headlines this week.
Facebook is launching an aggressive strategy for better detecting violent, graphic, sexual and otherwise controversial content across its site and removing ads that appear alongside that content.
Oracle Java SE CVE-2013-2438 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2013-2440 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2013-2435 Remote Java Runtime Environment Vulnerability
It is still early days in the emergence of software defined networking, so there aren't many users around to share their experiences and expectations, but there are a few. Network World's editor in chief tracked down Steve Wallace, executive director of InCNTRE, Indiana University's Indiana Center for Network Translational Research and Education, which is already using the technology in a production environment. The school is also playing a role in the tech's evolution.

Amid a new wave of attacks hitting government and media networks in South Korea, researchers have uncovered yet another piece of malware that destroys sensitive hard drive data and renders computers unusable.

Trojan.Korhigh, as the new wiper program is called by security firm Symantec, contains the same kind of functionality that simultaneously shut down the networks of a half-dozen banks and broadcasters in March. Like the earlier Jojka malware, Korhigh can permanently destroy stored data and overwrite a hard drive's master boot record, which contains information required for computers to reboot.

Korhigh accepts several commands that allow attackers to inflict additional damage. One "switch" changes passwords on compromised computers to "highanon2013", according to a blog post published Thursday by Symantec. Another wipes specific types of files, including those that end in .gif, .php, .dll, and 21 other extensions. Korhigh's discovery on Thursday came a day after Symantec researchers said they had identified the hacking group responsible for the March attacks. The newly identified DarkSeoul group is also responsible for a new wave of attacks that hit South Korea on Tuesday and were timed to coincide with the 63rd anniversary of the start of the Korean War.


A House committee has approved legislation that would more than double the current skilled immigration H-1B cap with the focus on science and technology workers.
Wireshark GTPv2 Dissector Denial of Service Vulnerability
The company has built a new protocol into Chrome Canary that transmits HTTP over UDP instead of TCP, the current standard. This should reduce latency and simplify multiplexing, but for now it is still in the experimental stage.

Microsoft has released its Windows 8.1 beta as a disk image, making it more convenient to upgrade multiple devices within an organization or enterprise.
Infosys recently announced that it won a $49.5 million contract to develop a health benefit exchange for the District of Columbia. It is one of the larger government contracts won by an offshore outsourcing firm, but it's unclear whether any of the work will be done overseas.
The National Institute of Standards and Technology (NIST) has issued a Request for Information (RFI) seeking guidance for a new special publication focused on improving coordination between Computer Security Incident Response Teams ...
Microsoft has released a SkyDrive Pro mobile application that gives SharePoint Online users access to the cloud storage service from iOS and Windows 8 devices.
Microsoft eventually learned that you can't win a battle against the government. Google appears poised to learn the same lesson. The difference: Google's fight goes well beyond separating a browser from an operating system and involves illegal drugs and illicit activities. There's a teachable moment here, writes CIO.com columnist Rob Enderle, but it may cost Google its advertisers.
JR Raphael compares the photo quality from two related Android cameras -- the Galaxy S4 Google Play Edition and the regular GS4.
JR Raphael compares the cameras in the HTC One Google Play Edition and the regular HTC One.
OS X might not be getting as much attention this year as iOS 7, but as is usually the case, Apple is refining OS X to make it work better for users, says columnist Michael deAgonia.

Few Internet frustrations are so familiar as the password restriction. After creating a few (dozen) logins for all our Web presences, the required use of symbols, mixed cases, and numbers seems less like a security measure and more like a torture device when it comes to remembering a complex password on a little-used site. But at least that variety of characters keeps you safe, right? As it turns out, there is some contrary research: it confirms how frustrating these restrictions are and suggests that the positive effect of complexity rules on security may not be as great as that of long length requirements.

Let's preface this with a reminder: the conventional wisdom is that complexity trumps length every time, and this notion is overwhelmingly true. Every security expert will tell you that “Supercalifragilistic” is less secure than “gj7B!!!bhrdc.” Few password creation schemes will render any password uncrackable, but in general, length does less to guard against crackability than complexity.

A password is not immune from cracking simply by virtue of being long—44,991 passwords recovered from a dump of LinkedIn hashes last year were 16 characters or more. The research we describe below refers specifically to how the restrictions that administrators place on password construction affect crackability. By no means does it suggest that a long password is, by default, more secure than a complex one.


Re: EMC Avamar: World writable cache files
[ MDVSA-2013:186 ] puppet
BlackBerry shipped 6.8 million smartphones and recorded a US$84 million loss during the three months to June 1, as it struggles to turn around its fortunes.
T-Mobile said Friday that it has signed an agreement to buy 10MHz of Advanced Wireless Services (AWS) wireless spectrum from U.S. Cellular for $308 million in cash.
As the IT outsourcing industry is undergoing some fundamental changes, CIOs will need to take their vendor management game to a new level. Forrester vice president and principal analyst John C. McCarthy discusses how CIOs can move from outsourcing procurement to true vendor management.
Pioneer has launched a car navigation system that uses heads-up displays and virtual reality to guide drivers.
Securing important corporate or personal information has never been more challenging. Every day, new vulnerabilities are discovered, more breaches are reported, and we all become less secure. Just look at the headlines: whether it is Anonymous' latest attack, state-sponsored cyber espionage or warfare, criminal activity, or someone being exploited by five-year-old malicious code that still finds victims, the picture is of a snowball rolling downhill and getting bigger and bigger as it rolls.
A new piece of malware designed to delete files from hard disk drives and render computers unable to boot targets South Korean users, according to researchers from security firm Symantec.
Trimble SketchUp CVE-2013-3662 Remote Buffer Overflow Vulnerability
Drupal Fonecta Verify Module Cross Site Scripting Vulnerability
TYPO3 WEC Discussion Forum Unspecified SQL Injection Vulnerability
LinuxSecurity.com: Updated puppet packages fix remote code execution vulnerability. When making REST API calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the
LinuxSecurity.com: New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue.
LinuxSecurity.com: Updated perl-Module-Signature package fixes CVE-2013-2145. Arbitrary code execution vulnerability in Module::Signature before 0.72 (CVE-2013-2145).
LinuxSecurity.com: Updated Foreman packages that fix two security issues and multiple bugs are now available for Red Hat OpenStack 3.0 (Grizzly) Preview. The Red Hat Security Response Team has rated this update as having
LinuxSecurity.com: Updated openstack-swift packages that fix one security issue and one bug are now available for Red Hat OpenStack 3.0 (Grizzly) Preview. The Red Hat Security Response Team has rated this update as having moderate
LinuxSecurity.com: Updated openstack-keystone packages that fix one security issue and various bugs are now available for Red Hat OpenStack 3.0 (Grizzly) Preview. The Red Hat Security Response Team has rated this update as having
LinuxSecurity.com: Updated python-keystoneclient packages that fix two security issues, one bug, and add one enhancement are now available for Red Hat OpenStack 3.0 (Grizzly) Preview.
LinuxSecurity.com: ubuntu-release-upgrader would crash when attempting to upgrade.
LinuxSecurity.com: Several security issues were fixed in Subversion.
LinuxSecurity.com: Updated perl-Dancer package fixes CVE-2012-5572. A security flaw was found in the way Dancer.pm, a lightweight yet powerful web application framework / Perl language module, performed sanitization of values to be used for the cookie() and cookies() methods. A
LinuxSecurity.com: Updated java-1.7.0-openjdk packages fix multiple security vulnerabilities. Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D
The beta of version 23 of the open source browser includes a new API that social networks can use to add their share buttons. Meanwhile, JavaScript can no longer be deactivated with one click in the settings.

Oracle Java SE CVE-2013-2464 Memory Corruption Vulnerability
Oracle Java SE CVE-2013-2448 Remote Code Execution Vulnerability
Oracle Java SE CVE-2013-2463 Remote Code Execution Vulnerability
Oracle Java SE CVE-2013-2469 Memory Corruption Vulnerability
Oracle Java SE CVE-2013-2473 Buffer Overflow Vulnerability
Oracle Java SE CVE-2013-2465 Memory Corruption Vulnerability
Microsoft Internet Explorer 'CHtmTagStm' Use After Free Memory Corruption Vulnerability
Oracle announced a string of partnerships this week that concluded Thursday with a joint call by Oracle CEO Larry Ellison and Salesforce CEO Marc Benioff. The only thing missing, as one analyst pointed out, was a laser light show for this joining of forces of one tech titan with an emerging one.
LTE is simultaneously being pushed forward on several fronts, and the result for users will be faster networks, better coverage and the ability to access networks while travelling abroad.
Microsoft Internet Explorer CVE-2013-3121 Use After Free Memory Corruption Vulnerability
Microsoft Internet Explorer 'CSVGMaskElement' Double Free Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-3123 Memory Corruption Vulnerability
Re: Barracuda CudaTel - Persistent Web Vulnerability
Oracle Java SE CVE-2013-2472 Buffer Overflow Vulnerability
In the continuing war between Verizon and AT&T, the battle has come down to LTE network size vs. LTE network speed. But new LTE technology isn't far over the horizon.
Teradata's enterprise customers have a fresh set of options for integrating Hadoop into their environments.
8 apps for iPhones, iPads and Android devices that help you maintain your car, save money on gas, avoid accidents and make life on the road easier.
Antivirus company Avira will discontinue sales of all of its Linux products at the end of June, citing the almost exclusive use of Windows and Mac OS X in the consumer and small business market.

Opera has announced that unknown attackers gained access to its internal network on 19 June and obtained an expired code-signing certificate. The attackers then signed malware with it and pushed it to users as an update.
Barracuda CudaTel - Persistent Web Vulnerability
Microsoft Internet Explorer CVE-2013-3112 Memory Corruption Vulnerability
[slackware-security] ruby (SSA:2013-178-01)
Barracuda CudaTel - Multiple Web Vulnerabilities
Nintendo warned Friday against the use of a smartphone app that can be used to create custom, all-powerful Pokemon characters for use in its handheld games.

Posted by InfoSec News on Jun 28


By Dan Goodin
Ars Technica
June 26 2013

Hackers penetrated network servers belonging to Opera Software, stole at
least one digital certificate, and then used it to distribute malware that
incorrectly appeared to be published by the browser maker.

The attack was uncovered, halted, and contained on June 19, according to a

Posted by InfoSec News on Jun 28


By Robert Lemos
Dark Reading
June 26, 2013

Security researchers have warned that mobile phones could easily be made
into surveillance devices that can track users, record audio and video of
their surroundings, and eavesdrop on their communications. Now one
researcher plans to show off a proof-of-concept program at the Black Hat
Security Briefings this...

Posted by InfoSec News on Jun 28


By Lucian Constantin
IDG News Service
June 27, 2013

Cisco Systems released security patches for its email, Web and content
security appliances in order to address vulnerabilities that could allow
attackers to execute commands on the underlying OS or disrupt critical

The vulnerabilities affect different...

Posted by InfoSec News on Jun 28


HITBSecConf series is a deep-knowledge technical conference.

Talks that discuss new and never before seen attack and defense methods
are of more interest than a subject that has been covered several times
before. Summaries not exceeding 1250 words should be submitted (in plain
text format) to us through our online CFP system for review and possible
inclusion in the programme.

Each accepted submission will...

Posted by InfoSec News on Jun 28


By Aliya Sternstein
June 27, 2013

This story has been updated with a statement from NSA.

A National Security Agency information security official who left the agency in
the summer of 2012, said that at that time, there was no anti-leak technology
on networks to help prevent the disclosure of sensitive information. Such...
Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability
eFile Wifi Transfer Manager 1.0 iOS - Multiple Vulnerabilities
Re: Re: EMC Avamar: World writable cache files
[ MDVSA-2013:185 ] perl-Module-Signature
More than 1,600 websites selling pharmaceutical products, including some spoofing CVS and Walgreens pharmacies, were shut down this week in a sting involving 99 countries, the U.S. Food and Drug Administration said Thursday.
Intel's CTO and director of its labs Justin Rattner is stepping down to meet a requirement under the company's bylaws that employees cannot serve as corporate officers after the age of 65.
Myanmar is a step closer to offering affordable mobile services after selecting two international carriers to launch telecommunications networks in one of Asia's last untapped markets.
A former high-ranking U.S. military official is reportedly under investigation for leaking classified information related to the use of malicious software to disrupt Iran's uranium refinement program.