Hackin9
By selling Motorola Mobility to Lenovo, Google is ending a combination that never really worked out while keeping assets that could prove valuable down the road.
 
Imagine using a separate Facebook app just for sharing status updates with your closest friends, or maybe co-workers. In the next few years, such an app could exist.
 
Target said Wednesday that intruders accessed its systems by using credentials "stolen" from a vendor, one of the first details the retailer has revealed about how hackers got inside.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

I mentioned this vulnerability earlier this week in a podcast, but I believe it deserves a bit more attention, in particular as exploits are now public and a Metasploit module appears to be in the works.

Dana Taylor (NI @root) released details about the vulnerabilities first in her blog [1]. The post includes quite a bit of detail about the respective vulnerabilities. Extended support for Oracle 10g ended July 2013 and a patch is not expected.

If for some reason you are still running Oracle 10g or earlier, please check for possible workarounds or upgrade to 11g.

The vulnerabilities were assigned the following CVE numbers:

CVE-2012-3153 - PARSEQUERY keymap vulnerability

      Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1

CVE-2012-3152 - URLPARAMETER code execution

Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.

[1] http://netinfiltration.com

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
A man charged with aiding a terrorist organization has asked a U.S. court to throw out information collected by the National Security Agency, saying NSA surveillance of his Internet communications violates the Fourth Amendment of the U.S. Constitution.
 
The U.S. Department of Justice is investigating the data breach at Target stores, which compromised as many as 110 million payment cards and personal records in one of the largest such attacks on record.
 
The era of the monolithic, highly customized enterprise ERP system is fading, according to Gartner.
 
More than half of Facebook's ad sales came from mobile devices in the fourth quarter, showing continued strength in the site's ability to monetize its service on smaller screens.
 
Global tablet shipments are still on the rise, but are showing signs of dramatic slowing as consumer markets such as the U.S. become saturated, IDC said.
 
Federal courts have started ruling against companies using the much-reviled Computer Fraud and Abuse Act to pursue employees and others who allegedly misappropriate proprietary data.
 
Lenovo Group is buying the Motorola handset division at Google for nearly $3 billion, Google confirmed late today.
 

Widely used management software running on Target's internal network may have given an important leg up to attackers who compromised 40 million payment cards belonging to people who recently shopped at the retail giant, according to an article published Wednesday by KrebsonSecurity.

As journalist Brian Krebs reported two weeks ago, malware that infected Target's point-of-sale terminals used the account name "Best1_user" and the password "BackupU$r" to log in to a control server inside the Target network. The malware used the privileged insider access to temporarily stash payment card data siphoned out of the terminals used in checkout lines so it could then periodically be downloaded to a different service for permanent storage. In Wednesday's post, Krebs filled in some intriguing new details that suggest a poorly secured feature inside a widely used server management program may have played a role. Krebs explained:

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”

This knowledge base article (PDF) published by BMC explains the Best1_user account is used by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”

“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt.

Krebs went on to quote a part of the BMC article that said:

 
Tiny, self-powered sensors that can be embedded in bridge structures and networked wirelessly to continuously monitor the structure's health. Little fly-by-wire vehicles that can flit around bridges to measure and inspect their ...
 
 
The highly customized ERP (enterprise resource planning) systems in place at companies around the world are looking a bit long in the tooth, to the point where by 2016 it will be common practice to refer to them as "legacy" software, according to analyst firm Gartner.
 
Senator Patrick Leahy questioned how the Constitution allows the National Security Agency's bulk collection of U.S. telephone records and repeated his calls for President Barack Obama's administration to end the program during a hearing Wednesday.
 

DKIM is one way to make it easier for other servers to figure out whether an e-mail sent on behalf of your domain is spoofed. Your mail server adds a digital signature to each message covering a selected set of headers and a hash of the body. This is not end-to-end signing of the whole message in the S/MIME or PGP sense, but it is a useful tool to validate at least the signing domain and, with DMARC alignment, the domain used in the "From" header.

The problem is that DKIM can be tricky to debug. If your mail is rejected, it is useful to be able to verify manually what went wrong. For example, you may have several keys published under different selectors, and the wrong key was used to sign, which is one of the trickier issues to debug.

Let's start with the basics: first make sure the e-mail you send is actually signed. Look for the "DKIM-Signature" header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org;
    s=default; t=1391023518;
    bh=wu4x1KKZCyCgkXxuZDq++7322im11hlsCET+KxQ9+48=;
    h=To:Subject:Date:From;
    b=wVZQsIvZQe0i2YuhFNeUrpfet0wa7cIcwZ8LR9izWuF1E1NDQmpKUImCHO/RlPgYJ
     wruW1IunQWRXtd4MQMuUZNsU1rGFzsYXoC4T6rVjHonQtQgoFSoEfo90KtZTC2riev

There are a couple of important pieces to look for:

  • d=dshield.org - the signing domain the signature vouches for
  • s=default - the selector; a domain can publish several keys under different selectors, and this one names the key that was used

Using these two values, we can retrieve the public key from DNS (the record name is selector._domainkey.domain):

$ dig +short TXT default._domainkey.dshield.org
"v=DKIM1\; k=rsa\; p=MIGfMA0G...AQAB"

At this point we know which key was used to sign the headers, and we have the public key to verify the signature. You probably already spotted the algorithm used to sign: "a=rsa-sha256". The "c=relaxed/simple" tag says how the headers (relaxed) and the body (simple) are canonicalized before hashing, which you need to know if you verify by hand.

DKIM only signs specific headers, listed in the "h=" tag; the body is covered indirectly by the hash in the "bh=" tag. In our case the signature covers the To, Subject, Date and From headers. Anything that alters one of those headers or the body in transit, such as a mailing list appending a footer, will break the signature.

For the sample e-mail above, these headers are:

To: [email protected]
Subject: Testing DKIM
Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)
From: [email protected] (Johannes Ullrich)

 
Luckily, we don't have to do all the verification by hand. Instead, we can use the "opendkim-testmsg" tool that ships with OpenDKIM. We just pass the raw e-mail message to it on standard input. The tool retrieves the key from DNS automatically and is quite terse: it produces no output at all if verification succeeds.
 
For example:
 
$ opendkim-testmsg  < TestingDKIM.eml
$
 
On failure, you will get a generic error:
 
$ opendkim-testmsg  < TestingDKIM.eml
opendkim-testmsg: dkim_eom(): Bad signature
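The generic "Bad signature" is where the manual checks above earn their keep. The following is an added example, not code from this diary or from OpenDKIM: it walks the same steps in Python with only the standard library, parsing the DKIM-Signature tags, deriving the selector record name, recomputing bh= over the canonicalized body, and assembling the exact bytes the signer hashed so the b= value can be checked against the p= key. The message built by make_sample() is constructed for the demo with invented addresses (handlers@example.net, sender@dshield.org) and a dummy b= value, since no private key is available here; its d=, s=, c= and h= tags mirror the header shown above.

```python
# Added example, not code from the ISC diary or from OpenDKIM: the manual checks
# behind a generic "Bad signature", standard library only. make_sample() builds a
# constructed message (invented addresses, dummy b= because we hold no key).
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag list ('k=v; k=v') into a dict, ignoring folding whitespace."""
    tags = {}
    for item in value.split(";"):
        k, _, v = item.partition("=")
        if k.strip():
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def split_message(raw: bytes):
    """Return ([(name, value), ...], body); folded header lines keep their CRLF."""
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("utf-8", "replace").split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\r\n" + line  # continuation of the previous field
        else:
            headers.append(line)
    return [h.partition(":")[::2] for h in headers], body

def canon_header(name: str, value: str, mode: str) -> str:
    """RFC 6376: 'simple' is verbatim; 'relaxed' lowercases, unfolds, collapses WSP."""
    if mode == "simple":
        return f"{name}:{value}"
    collapsed = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.strip().lower()}:{collapsed}"

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376: drop trailing empty lines, end with one CRLF; 'relaxed' also
    trims trailing WSP per line and collapses WSP runs."""
    if mode == "relaxed":
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t"))
                            for ln in body.split(b"\r\n"))
    while body.endswith(b"\r\n"):
        body = body[:-2]
    if not body:
        return b"\r\n" if mode == "simple" else b""  # empty body differs by mode
    return body + b"\r\n"

def body_hash(body: bytes, mode: str = "simple", alg: str = "rsa-sha256") -> str:
    """Recompute bh=: base64 of the digest over the canonicalized body."""
    digest = hashlib.sha1 if alg == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canon_body(body, mode)).digest()).decode()

def signed_data(headers, sig_header, tags, mode: str) -> bytes:
    """Bytes the signer hashed: each h= header (matched bottom-up so duplicates
    work), then the DKIM-Signature field with b= emptied and no trailing CRLF."""
    remaining = [h for h in headers if h is not sig_header]
    out = []
    for want in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == want.lower():
                out.append(canon_header(*remaining[i], mode) + "\r\n")
                del remaining[i]
                break
    name, value = sig_header
    value = re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", value, count=1)
    out.append(canon_header(name, value, mode))
    return "".join(out).encode()

def check_message(raw: bytes) -> dict:
    """Parse the first DKIM-Signature, derive the selector's DNS name, check bh=,
    and expose the signed data plus raw signature for the final RSA step."""
    headers, body = split_message(raw)
    sigs = [h for h in headers if h[0].strip().lower() == "dkim-signature"]
    if not sigs:
        return {"signed": False}
    tags = parse_tags(sigs[0][1])
    hmode, _, bmode = tags.get("c", "simple/simple").partition("/")
    computed = body_hash(body, bmode or "simple", tags.get("a", "rsa-sha256"))
    return {
        "signed": True,
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",  # dig +short TXT <this>
        "body_hash_ok": computed == tags["bh"],
        "signed_data": signed_data(headers, sigs[0], tags, hmode),
        "signature": base64.b64decode(tags["b"]),
    }

def make_sample(body: bytes) -> bytes:
    """Constructed message shaped like the diary's example; bh= is computed here."""
    bh = body_hash(body, "simple").encode()
    return (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org;\r\n"
        b"\ts=default; t=1391023518; bh=" + bh + b";\r\n"
        b"\th=To:Subject:Date:From; b=AAAA\r\n"
        b"To: handlers@example.net\r\nSubject: Testing DKIM\r\n"
        b"Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)\r\nFrom: sender@dshield.org\r\n"
        b"\r\n" + body
    )

if __name__ == "__main__":
    intact = check_message(make_sample(b"Testing DKIM\r\n"))
    print("dig +short TXT", intact["dns_name"], "| bh matches:", intact["body_hash_ok"])
    # A footer appended in transit (mailing lists, disclaimers) is the classic breaker:
    broken = check_message(make_sample(b"Testing DKIM\r\n") + b"-- list footer\r\n")
    print("bh matches after footer:", broken["body_hash_ok"])
    print(intact["signed_data"].decode())  # feed this to openssl dgst -verify
```

If bh= matches but the tool still reports a bad signature, the remaining suspects are the h= headers and the key itself. To finish by hand, take the p= value from the TXT record (it is a base64 SubjectPublicKeyInfo), fold it to 64-character lines between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- markers, write signed_data to one file and the decoded b= bytes to another, and run openssl dgst -sha256 -verify key.pem -signature sig.bin signed.txt. A selector that resolves to a different key than the one that signed fails at exactly this step, which is the wrong-key case mentioned above.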
 
If you do implement DKIM, I highly recommend you also configure reporting addresses via DMARC (the rua= and ruf= tags of the DMARC record). This way, some larger ISPs will send you aggregate reports, and in some cases per-message failure reports, when DKIM verification fails.
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
Sprint is expected to report a big loss of subscribers in its next earnings report, expected Feb. 11, further fueling speculation that No. 3 carrier Sprint has to merge with brash and bold "Un-Carrier" T-Mobile US.
 
Yahoo is acquiring Tomfoolery, a startup that makes software to better connect employees on the desktop and mobile, it was announced Wednesday.
 
ARM's emerging challenge to the x86 architecture in the server space just picked up some serious momentum as AMD announced it will start shipping sample 64-bit ARM processors, along with associated development kits, to partners in the upcoming months.
 
For enterprises that are thinking about switching from fixed to wireless Internet access, Sierra Wireless has launched the AirLink ES440 LTE gateway.
 
President Barack Obama last night urged Congress to increase federal research funding or the U.S. lead in technology is in danger.
 
Nike is debuting a new cleat in the upcoming Super Bowl, and for the first time, the footwear was designed on a 3D printer.
 
A pair of organizations with ties to Microsoft today slammed a report that Google and European antitrust regulators were set to strike a deal without running it by them.
 
Simple E-Document 'upload.php' Arbitrary File Upload Vulnerability
 
President Obama's State of the Union address had people tweeting their support or their disdain and lighting up Twitter with nearly 2 million tweets.
 
If the hardest part of the "Internet of Things" is getting to the Things, Cisco Systems is offering a lifeline.
 
Cisco WebEx Meetings Server CVE-2014-0682 Security Bypass Vulnerability
 
Microsoft has joined a new project to accelerate the development of ARM-based servers, suggesting ARM versions of products like Windows Server and Hyper-V could be in the works.
 
Virtually every analyst who follows Apple has jumped on the bigger iPhone bandwagon, asserting that the company will step into the quickly-growing large-screen market this year.
 

The official Angry Birds website was briefly defaced on Tuesday by people protesting reports government spy agencies abuse it and other "leaky" mobile apps to mine the personal details of smartphone users.

For a brief span of time on Tuesday some visitors saw an image of the iconic bird and pig, but with some notable modifications. The image carried the caption "Spying Birds," and the bird had an NSA logo emblazoned on its forehead. The image was captured on the Zone-H website.

Angry Birds developer Rovio has confirmed its website was briefly hijacked, most likely by hackers who managed to tamper with domain name system settings that ultimately control what server receives requests for a particular domain name. Differences in which servers cached the malicious domain name entries and the amount of time those malicious entries were allowed to persist mean that the spoofed page was visible to only some of the people who were trying to visit the site on Tuesday. The site was not available at the time this post was being prepared for publication.

 

This article originally appeared on Medium.com: How I Lost My $50,000 Twitter Username

I had a rare Twitter username, @N. Yep, just one letter. I've been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my e-mail inbox. As of today, I no longer control @N. I was extorted into giving it up.

While eating lunch on January 20, 2014, I received a text message from PayPal for a one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.

 
The official Angry Birds website was defaced by hackers following reports that U.S. and U.K. intelligence agencies have been collecting user information from the game and other popular mobile apps.
 
LinuxSecurity.com: A vulnerability has been found in the Digest-Base Perl module, allowing remote attackers to execute arbitrary code.
 
LinuxSecurity.com: New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated kernel-rt packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise MRG 2.4. The Red Hat Security Response Team has rated this update as having [More...]
 
Red Hat's core business isn't software. It's actually customer service, and in order to take it to the next level the company turned to a domestic outsourcing provider to solve customer problems before they happen using predictive big data analytics.
 
Google has been ordered by a court in Virginia to pay royalty to I/P Engine for infringing some claims of two of its patents through the AdWords advertising system.
 
President Obama repeated his call to reform intelligence surveillance programs, saying U.S. intelligence agencies need the trust of people inside and outside the country, during his State of the Union speech Tuesday night.
 
JavaScript is the reigning programming language across platforms and devices. Harness that power with the right frameworks and tools
 
The ThinkPad X240 is the latest X-series laptop from Lenovo. We take the touchscreen version of the 12.5-inch laptop through the paces to see how it fares as a business tool.
 
Technology trade groups faulted President Obama for not using his State of the Union address Tuesday night to address domestic and international concerns over the National Security Agency's surveillance programs.
 
The National Security Agency has reportedly appointed Rebecca Richards, a former deputy privacy official at the Department of Homeland Security, as its first privacy officer.
 
Linux Kernel 'nf_nat_irc.c' Local Information Disclosure Vulnerability
 
IBM QRadar Security Information and Event Manager Multiple Security Vulnerabilities
 
McAfee Vulnerability Manager 'cert_cn' Parameter Cross Site Scripting Vulnerability
 
Companies place a high priority on the ability to harness data to help make better and speedier business decisions.
 
Nutanix Virtual Computing Platform brings resilient, cloud-like server and storage infrastructure to traditional virtualization deployments
 
The day when 3D-bioprinted human organs will be readily available is drawing closer, and will result in a complex debate involving a great many political, moral and financial interests.
 
If you want to build your own Internet of Things, try the toy monkey hack.
 

Posted by InfoSec News on Jan 29

http://www.forbes.com/sites/tamlinmagee/2014/01/27/trustwave-demonstrates-malware-that-logs-touchscreen-swipes-to-record-your-pin/

By Tamlin Magee
Forbes.com
1/27/2014

Neal Hindocha, a senior security consultant for Trustwave, has built
proof-of-concept 'screenlogging' malware that monitors finger swipes on
smart devices in combination with taking screenshots, painting a picture
of exactly how the user is interacting with their...
 
SiteCore XML Control Script Insertion
 
Vulnerabilities within Mura CMS / Sitecore MCS / SmarterMail
 
[slackware-security] mozilla-nss (SSA:2014-028-02)
 
Pidgin 'asn_getUtf8()' Function Buffer Overflow Vulnerability
 

Posted by InfoSec News on Jan 29

http://theweek.com/article/index/255510/forget-hackers-squirrels-are-a-bigger-threat-to-americas-power-grid

By Eugene K. Chow
The Week
January 28, 2014

While American lawmakers and security officials repeatedly warn of a
catastrophic cyberattack that will cripple the nation's power grids, in
reality, squirrels and tree branches are proving more troublesome than
hackers when it comes to actual power outages.

According to numerous...
 

Posted by InfoSec News on Jan 29

http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/

By Tom Simonite
MIT Technology Review
January 29, 2014

Ari Juels, an independent researcher who was previously chief scientist at
computer security company RSA, thinks something important is missing from
the cryptography protecting our sensitive data: trickery.

"Decoys and deception are really underexploited tools in fundamental...
 

Posted by InfoSec News on Jan 29

http://www.latimes.com/nation/la-na-nsa-chief-20140128,0,7074152.story

By Ken Dilanian
The Los Angeles Times
January 27, 2014

WASHINGTON -- Navy cryptologist Michael S. Rogers is President Obama's top
choice to take over the embattled National Security Agency -- which
conducts electronic surveillance operations worldwide -- and the
Pentagon's cyber warfare command, officials say.

Rogers' experience includes 30 years in the...
 

Posted by InfoSec News on Jan 29

http://the-japan-news.com/news/article/0000977366

The Yomiuri Shimbun
January 27, 2014

Japan will send members of its Self-Defense Forces to receive specialized
training in cyberdefense with U.S. forces, in a cooperative program to
bolster Japan’s defense against cyber-attacks, sources said.

SDF members will learn from the technologies and experiences of the more
advanced U.S. forces in countering cyber-attacks.

The project aims not only...
 
Linux Kernel 'net_ctl_permissions()' Function Local Security Bypass Vulnerability
 