Hackin9
Cisco Unified Communications Domain Manager Self-Care HTTP Open Redirection Vulnerability
 
Cisco Unified Communications Domain Manager Number Translation Information Disclosure Vulnerability
 
Cisco Unified Communications Domain Manager Remote Information Disclosure Vulnerability
 
Cisco Unified Communications Domain Manager VOSS Operating System User Enumeration Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
OpenStack Glance Sheepdog Backend Remote Code Execution Vulnerability
 
Apple confirmed its long-rumored acquisition of Beats Music and Beats Electronics, saying it will pay $3 billion for the companies.
 
Mozilla Firefox/SeaMonkey CVE-2014-1528 Out of Bounds Memory Corruption Vulnerability
 
Mumble CVE-2014-3755 Denial of Service Vulnerability
 
The CIO at the $14 billion company hunts for job candidates who understand cloud, big data -- and the special nature of the food business.
 
Data insights are the key to providing customer value. The first steps are creating a culture of innovation and finding a CIO who is a business strategist.
 

What Happened To TrueCrypt? Encryption Software Development Ends Abruptly ...
iDigitalTimes.com
What Happened To TrueCrypt? Encryption Software Development Ends Abruptly As InfoSec Community Searches For Answers. By Cammy Harbison on May 28, 2014 5:11 PM EDT. What happened to TrueCrypt? Why has development ceased?

 
 
Shipments of servers from Chinese vendors grew at a fast clip while the top server vendors in the U.S. tumbled during the first quarter of this year.
 
Inspired by Facebook's efforts to speed performance of PHP, the core development team behind the popular open-source Web programming language has embarked on an effort to redesign PHP for faster performance.
 
 
Samsung demonstrated a concept watch, the Simband, that's designed to be a platform for sensors from third-party vendors and to work with Samsung's SAMI wireless data broker service.
 
Traditionally viewed as a geek's paradise, the Computex trade show will turn into a battlefield for the body next week.
 
A company that advises institutional shareholders on governance risk and proxy voting issues wants seven of Target's 10 board directors voted out over the massive data breach disclosed by the retailer last December.
 

One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn't safe to use.

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," text in red at the top of TrueCrypt page on SourceForge states. The page continues: "This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

The advisory, which Ars couldn't immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet's encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.


 

Earlier today, the popular disk encryption tool Truecrypt was essentially removed from Sourceforge, and replaced with a warning that Truecrypt is no longer secure and people should switch to Bitlocker (with instructions as to how to do this). The source code was updated and essentially all functionality was removed, but the installer will now just show a message similar to the one displayed on the homepage.

What you probably are asking first about: What does this mean for me if I use Truecrypt?

At this point, there are many rumors, and few facts. It is my recommendation (as always) to stay calm. One thing you want to do right away: Get a copy of the last working version and burn it to CD (actually: 3 CDs) in case it is no longer available and you need to access offline media that are encrypted using Truecrypt. Find out what your alternatives are. In Windows you have Bitlocker, in OS X you have FileVault and in Linux you have LUKS. Sadly, these are not compatible with each other. You will need to find a replacement for portable media that need to move between operating systems. PGP/GnuPG comes to mind as an option.

Now back to what we know so far:

Recently, a community effort was launched to review the Truecrypt code, in particular to check for backdoors and incorrectly implemented crypto algorithms. As far as I know, no significant issue was found to date.

This very much smells to me like a compromised Sourceforge repository. Truecrypt uses Sourceforge for all of its content. At this point, sit back, don't visit the Truecrypt Sourceforge page or download the crippled version, but don't panic (yet).

But, via twitter and e-mail, some additional disturbing facts came in that make this look worse than a simple web site compromise:

  • The new "decrypt only" binary was signed with what looks like a valid Truecrypt code signing key (I believe GRC.com investigated this)
  • The PGP signature was valid as well
  • The Truecrypt development team is anonymous, and so far, no word if the code review team was able to reach them.

Correction about the earlier note that Sourceforge was compromised: Turns out that they asked users to change passwords NOT because of a compromise, but because they changed the hashing algorithm.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

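The diary above recommends finding a replacement for Truecrypt and names LUKS as the Linux option but does not show the migration. The following is an added example, not part of the ISC diary or of any Truecrypt or cryptsetup project code: it uses cryptsetup's TrueCrypt compatibility mode (`--type tcrypt`, available since cryptsetup 1.6) to open an existing container read-only, copies its contents into a freshly formatted LUKS image, and verifies the copy with checksums before tearing down. Root privileges, a working `cryptsetup`, and the two paths passed on the command line are assumptions; the mount points under `/mnt` and the helper names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: migrate a TrueCrypt container to a LUKS image on Linux.
# Assumes: cryptsetup >= 1.6 (tcrypt support), root, GNU coreutils.
# Hidden and system volumes are out of scope (see --tcrypt-hidden /
# --tcrypt-system in cryptsetup(8)); this handles a plain file container.
set -eu

# Return 0 if a tool is on PATH, 1 otherwise. No side effects.
require_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Size (in MiB) for the new LUKS image: the container size rounded up to
# whole MiB, plus 16 MiB headroom for the LUKS header and filesystem metadata.
luks_image_size_mib() {
    bytes=$1
    mib=$(( (bytes + 1048575) / 1048576 ))
    echo $(( mib + 16 ))
}

# migrate <truecrypt-container> <new-luks-image>
migrate() {
    tc_volume=$1
    luks_image=$2
    for t in cryptsetup mount mkfs.ext4 sha256sum; do
        require_tool "$t" || { echo "missing tool: $t" >&2; return 1; }
    done
    size=$(luks_image_size_mib "$(stat -c %s "$tc_volume")")

    # 1. Open the TrueCrypt container read-only (prompts for its passphrase).
    cryptsetup open --type tcrypt --readonly "$tc_volume" tcsrc
    mkdir -p /mnt/tcsrc
    mount -o ro /dev/mapper/tcsrc /mnt/tcsrc

    # 2. Create, format and open the LUKS image (prompts for a new passphrase).
    dd if=/dev/zero of="$luks_image" bs=1M count="$size" status=none
    cryptsetup luksFormat "$luks_image"
    cryptsetup open "$luks_image" luksdst
    mkfs.ext4 -q /dev/mapper/luksdst
    mkdir -p /mnt/luksdst
    mount /dev/mapper/luksdst /mnt/luksdst

    # 3. Copy preserving ownership and permissions, then verify every file
    #    by checksum so a silent copy error cannot go unnoticed.
    cp -a /mnt/tcsrc/. /mnt/luksdst/
    (cd /mnt/tcsrc && find . -type f -exec sha256sum {} +) \
        | (cd /mnt/luksdst && sha256sum -c --quiet)

    # 4. Unmount and close both mappings; the old container is untouched.
    umount /mnt/luksdst /mnt/tcsrc
    cryptsetup close luksdst
    cryptsetup close tcsrc
    echo "migrated $tc_volume -> $luks_image ($size MiB)"
}

# Usage: sudo sh migrate.sh /path/secrets.tc /path/secrets.luks
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
    migrate "$1" "$2"
fi
```

The container is opened with `--readonly` so a mistake during the copy cannot damage the only copy of the data, and the checksum step is what makes it safe to delete the TrueCrypt volume afterwards. For media that must move between operating systems, as the diary notes, a LUKS image does not help; that case still needs a cross-platform tool such as GnuPG.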
 
 
Advocates of strong net neutrality rules are calling for the U.S. Federal Communications Commission to reclassify broadband as a regulated utility, but such a move would trigger a lengthy court fight between the agency and broadband providers, some telecom law experts say.
 
 

Software used by law enforcement organizations to intercept the communications of suspected criminals contains a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password, security researchers said today.

In a scathing advisory published Wednesday, the researchers recommended people stop using the Nice Recording eXpress voice-recording package. It is one of several software offerings provided by Ra’anana, Israel-based Nice Systems, a company that markets itself as providing "mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities." The advisory warned that critical weaknesses in the software expose users to attacks that compromise investigations and the security of the agency networks.

"Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication," the researchers from security consultancy SEC Consult wrote. "Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN [virtual local area network], depending on the network setup."


 
GeoCore Multiple SQL Injection Vulnerabilities
 
Aiming to provide more transparency in how it develops Internet Explorer, Microsoft has launched a website to help keep developers abreast of the latest changes and plans for the browser.
 
After working on developing a self-driving car for several years, Google has built an autonomous car from the ground up -- with no steering wheel, no accelerator and no brake.
 
Microsoft plans to boost its Azure cloud services with its acquisition of Capptain, whose product helps developers track and analyze usage of their Web and mobile apps and implement customer retention strategies.
 
Facebook is reportedly requesting that the European Commission review its pending WhatsApp acquisition, in what is likely an effort to avoid multiple, parallel antitrust scrutiny in several countries.
 
If you're looking for a way to more easily identify talent from underrepresented groups, Entelo Diversity offers a service that it claims leads to a more diverse tech team.
 
Microsoft launched a Web-based security dashboard for IT professionals that displays a customized view of the company's past patches.
 
Earlier this week, some iOS device owners woke up to discover that "Oleg Pliss" had hacked their iPhones and iPads and locked them up. The hack could have been worse, says Ryan Fass, which is why it's a good lesson in security that IT staffers should use.
 
D-Link DAP-1350 SQL Injection Vulnerability
 
WordPress bib2html Plugin 'styleShortName' Parameter Cross Site Scripting Vulnerability
 
Microsoft today spelled out its priorities for Internet Explorer, and at the top of the list is to get users on the latest version possible. That's easier said than done, however.
 
If we're lucky, we'll all have a chance once in our careers to take a risk and use our skills and experience to do something we truly love. Sometimes the career risk is low, but sometimes it's truly a leap of faith, one that offers potentially big rewards as well as the risk of major setbacks.
 
The newest smartphone and tablet docking station combo from Asus, the PadFone X, can be ordered starting June 6 exclusively from AT&T stores and at its website, the carrier announced Wednesday.
 
 
Linux Kernel CVE-2014-1738 Local Privilege Escalation Vulnerability
 
Linux Kernel CVE-2014-1737 Function Local Privilege Escalation Vulnerability
 
Aiming to connect more people speaking different languages, Microsoft plans to roll out a beta version of its speech-translation technology on Skype later this year.
 
Multiple vulnerabilities in Sharetronix
 
SEC Consult SA-20140528-0 :: Root Backdoor & Unauthenticated access to voice recordings in NICE Recording eXpress
 
LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability
 
[SECURITY] [DSA 2938-1] Availability of LTS support for Debian 6.0 / squeeze
 

China's Shot at Cisco Latest Salvo in InfoSec War of Words
Channelnomics
In global information security battle, the rhetoric pendulum this week is swinging decidedly in China's favor as Beijing unleashes a torrent of accusations and warnings at U.S.-based technology companies. The latest salvo came Tuesday when China state ...

 
The Netflix-backed Encrypted Media Extensions (EME) proposal, and recent revelations that requirements for DRM in HTML5 are confidential, have generated furor among advocates of the Open Web. Let's cut through the hyperbole.
 
LinuxSecurity.com: A remote command injection vulnerability has been discovered in xmonad-contrib.
 
LinuxSecurity.com: Updated curl packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated kernel-rt packages that fix multiple security issues are now available for Red Hat Enterprise MRG 2.5. The Red Hat Security Response Team has rated this update as having [More...]
 
CVE-2014-3445 - Unauthenticated Backup and Password Disclosure in HandsomeWeb SOS Webpages
 
[SECURITY] CVE-2014-0097 Apache Tomcat information disclosure
 
Data protection officials are bewildered by the German federal prosecutor's decision not to start a criminal investigation into the alleged mass surveillance of German citizens by the U.S. National Security Agency (NSA).
 
xmonad XMonad.Hooks.DynamicLog Module Multiple Remote Command Injection Vulnerabilities
 
[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure
 
[SECURITY] CVE-2014-0095 Apache Tomcat denial of service
 
[SECURITY] CVE-2014-0075 Apache Tomcat denial of service
 
A simple hack of Windows XP tricks Microsoft's update service into delivering patches intended for a close cousin of the aged OS, potentially extending support for some components until 2019, a security researcher confirmed today.
 
Today's always-connected culture has wrought huge changes at global advertising giant Ogilvy & Mather. John Seifert, chairman of global brand community, talks about how the firm approached this, especially in the aftermath of the economy's financial meltdown.
 
eBay's security team isn't going to get a break for a while.
 
Low-cost Android tablets from little-known vendors with 3G capabilities may soon hit shelves with chips from Intel, which is looking to replace ARM processors in devices starting at $100.
 

Posted by InfoSec News on May 28

http://www.theregister.co.uk/2014/05/27/bmw_password_security_shortcomings/

By John Leyden
The Register
27 May 2014

Exclusive: New BMW cars have security shortcomings that could allow thieves
to pop open a victim's flash motor from a smartphone.

Ken Munro, a partner at Pen Test Partners, uncovered security issues in
the systems that pair the latest generation of beamers with owners'
mobiles. By stringing together the flaws, a crook...
 

Posted by InfoSec News on May 28

http://healthitsecurity.com/2014/05/27/how-it-security-experts-handle-healthcare-network-access/

By Patrick Ouellette
Health IT Security
May 27, 2014

Healthcare network security has become more complicated over the years
because of the explosion of mobile device connectivity. And because it’s
so difficult for healthcare organizations to have a firm grasp on where
their perimeters begin and end, they must look for new ways to ensure...
 

Posted by InfoSec News on May 28

http://www.nytimes.com/2014/05/28/nyregion/hacker-who-helped-disrupt-cyberattacks-is-allowed-to-walk-free.html

By Benjamin Weiser
The New York Times
May 27, 2014

The New York man whose cooperation helped the authorities infiltrate the
shadowy world of computer hacking and disrupt at least 300 cyberattacks on
targets that included the United States military, courts and private
companies was given a greatly reduced sentence on Tuesday of time...
 

Posted by InfoSec News on May 28

http://www.foreignpolicy.com/articles/2014/05/27/exclusive_inside_the_fbi_s_fight_against_chinese_cyber_espionage

By Shane Harris
Foreign Policy
May 27, 2014

SolarWorld was fighting a losing battle. The U.S. subsidiary of the German
solar panel manufacturer knew that its Chinese competitors, backed by
generous government subsidies, were flooding the American market with
steeply discounted solar panels and equipment, making it practically...
 

Posted by InfoSec News on May 28

http://www.defenseone.com/management/2014/05/are-paychecks-problem-senate-considers-bonuses-pentagons-cyber-workforce/85258/

By Aliya Sternstein
Nextgov
May 27, 2014

Current and aspiring Defense Department personnel with cyber skills could
see a boost in pay under a Senate 2015 defense policy bill that lawmakers
detailed on Friday.

Defense is up against the private sector’s lucrative salaries as it
endeavors to boost cyber mission forces....
 
RuggedCom Rugged Operating System CVE-2014-2590 Denial of Service Vulnerability
 
Internet Storm Center Infocon Status