Information Security News

Aerohive Networks sells not just enterprise Wi-Fi gear but also cloud-based software designed to make it easier to set up and manage a customer's entire wired and wireless network. Other wireless LAN vendors are moving in the same direction, including Cisco Systems, the biggest seller of enterprise Wi-Fi, which acquired Meraki Networks in 2012.

Photo by Ville Miettinen

According to a new paper authored by two Google security engineers, 21 out of the world’s top 25 news organizations have been successfully hacked by state-sponsored actors.

Reuters reported on the duo's findings, which were presented on Friday at the Black Hat Asia security conference in Singapore.

Among targets of hacking attacks, journalists were “massively over-represented,” Shane Huntley, one of the paper's authors, told the news wire. Google has been monitoring such attacks, which are often sponsored by foreign governments that seek sensitive information held by journalistic enterprises, in many cases related to secretive corporate and governmental operations.

Read 6 remaining paragraphs | Comments

FFmpeg and Libav 'libavcodec/wmalosslessdec.c' Memory Corruption Vulnerability

FFmpeg and Libav 'libavformat/mpegtsenc.c' Buffer Overflow Vulnerability

FFmpeg and Libav 'msrle_decode_frame()' Function Out of Bounds Denial of Service Vulnerability

Forrester analyst Peter Burris says CIOs will need to work on two tracks: internal IT operations and the business systems focused on the customer experience.

Dell Research, a new division of the recently privatized Dell, is conducting early experiments with brain and body sensors to detect a person's mood for use in computers involved with education and communications. It could also be used to monitor a person's mood while driving or playing games.

Microsoft will no longer go through email messages and other personal data that users of its online services have stored on its servers, a decision taken after being sharply criticized for accessing a person's inbox as part of an internal investigation.

The latest firmware in some Philips smart TV models opens an insecure Miracast wireless network, allowing potential attackers located in the signal range to control the TV remotely and perform unauthorized actions.

The My Passport Pro comes in 2TB and 4TB models and can be set to RAID 0 or 1.

The never-ending legal battle between Apple and Samsung enters a new phase Monday when lawyers begin selecting a jury for a new trial that will address new complaints against a different set of phones.

Intel is making improvements to its smallest computer, called Edison, which is targeted at wearable devices and was introduced in January.

ricky montalvo

Developers of two popular smartphone apps—Fandango and Credit Karma—have been caught transmitting passwords, social security numbers, birth dates, and other highly sensitive user data over the Internet without properly encrypting it first, officials with the Federal Trade Commission said.

As a result, it was trivial for hackers to intercept the data when people used the apps on both Apple's iOS and Google's Android mobile operating systems, complaints filed by the FTC alleged. The complaints leveled charges of other shortcomings in the developers' security, including the failure to properly test and audit the safety of apps before making them available for download. The improper encryption, which security experts warn is akin to having no encryption at all, was allowed to persist for four years at Fandango. The company also failed to have an adequate process for receiving vulnerability reports from researchers and other third parties, FTC officials said.

Fandango has as many as 100 million downloads from the iOS App Store and Google Play market for Android. Among other things, the app allows users to buy movie tickets. Credit Karma has five million to 10 million downloads and allows users to monitor their credit scores.

Read 7 remaining paragraphs | Comments

Linux Kernel 'ip6_route_add()' Function Denial of Service Vulnerability

Deutsche Telekom CERT Advisory [DTC-A-20140324-002] update140328 - vulnerabilities in check_mk

openSUSE rubygems Unspecified Security Vulnerability

A place in your pocket is no longer enough for mobile gadget makers. Now, they want your body.

News, features, explainers, opinions and more about the Internet of Things

Several Mozilla employees yesterday took to Twitter to call for the resignation of their new CEO, JavaScript creator Branden Eich, for supporting California's Proposition 8 more than five years ago.

More so than Web-based applications, mobile apps tend to have security design flaws that attackers can exploit. (Insider; registration required)

Adobe Flash Player CVE-2014-0510 Unspecified Heap Based Buffer Overflow Vulnerability

Adobe Reader CVE-2014-0511 Use After Free Remote Code Execution Vulnerability

iStArtApp FileXChange v6.2 iOS - Multiple Web Vulnerabilities

LinuxSecurity.com: Security Report Summary

LinuxSecurity.com: ClamAV has been updated to a new version.

LinuxSecurity.com: Security Report Summary

[SECURITY] [DSA 2887-1] ruby-actionmailer-3.2 security update

[SECURITY] [DSA 2888-1] ruby-actionpack-3.2 security update

BlackBerry continued to struggle during the company's fiscal fourth quarter, experiencing a huge drop in revenue and a $423 million net loss.

The thin client has been largely disappointing from the beginning, but a partnership between VMware and Nvidia may finally give the thin client the performance, scalability, security and price it needs to catch on.

SEC Consult SA-20140328-0 :: Multiple vulnerabilities in Symantec LiveUpdate Administrator

[SECURITY] [DSA 2889-1] postfixadmin security update

Easy FileManager 1.1 iOS - Multiple Web Vulnerabilities

Lazybone Studios WiFi Music 1.0 iOS - Multiple Vulnerabilities

[oCERT-2014-003] LibYAML input sanitization errors

ESA-2014-016: EMC VPLEX Multiple Vulnerabilities

BlackBerry continued to struggle during the company's fiscal fourth quarter, experiencing a huge drop in revenue and a $423 million net loss.

While looking at the latest honeypot data for what is happening with Synology devices, I did notice one particular agressive IP connecting to a number of our honeypot IPs. At first, I figured it may just be a new Shodan scan (got tons of them in the honeypot). But when I connected to port 443 using openssl, I saw a rather interesting SSL certificate being sent:

$ openssl s_client -connect a.b.c.d:443
CONNECTED(00000003)
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, 
CN = www.hikvision.com, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, 
CN = www.hikvision.com, emailAddress = [email protected]
verify return:1
GET ---
Certificate chain
 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/CN=www.hikvision.com/[email protected]
   i:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/CN=www.hikvision.com/[email protected]

This certificate appears to be associated with a DVR sold in conjunction with security camera systems [1]. Usually these systems run some form of Linux, so I guess it is to expected that given a weak password, these systems get mistaken for a Linux server and exploited just like one.

Right now, if I am real lucky I may be able to get a hold of the owner of the DVR, but it looks like a Chinese residential IP so not getting my hopes up too high.

[1] http://www.hikvision.com/en/us/index.asp

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft's new Office for iPad apps vaulted to the top of the free application chart on Apple's App Store shortly after their Thursday debut.

WordPress Felici Theme 'uploadify.php' Arbitrary File Upload Vulnerability

The Tokyo District Court has granted a bankruptcy examiner six more weeks to assess the convoluted situation surrounding failed Bitcoin exchange Mt. Gox.

A U.S. judge has ruled that the Chinese search engine Baidu has the right to block pro-democracy works from its query results, dismissing a lawsuit that sought to punish the company for Internet censorship.

With the launch of Office for iPad yesterday, Microsoft again effectively cut Apple out of most of the revenue stream by making the apps free to download.

A little-known U.S. space plane quietly broke its own space endurance record this week as its current unmanned mission surpassed 469 days in space.