Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The seventh annual Safeguarding Health Information: Building Assurance through HIPAA Security conference will be held September 23-24, 2014, in Washington, D.C. The meeting is co-hosted by the National Institute of Standards and ...
 
Now that BlackBerry has fallen significantly behind Apple and Google in the race to offer features and third-party apps for its smartphones, the company is concentrating on providing devices that, it claims, have the strongest available security -- the killer feature for the enterprise.
 
In August 2012, SAIC, the $11B national security, engineering, and enterprise IT provider, announced that it would split in two: SAIC would deliver enterprise IT services to the government sector, and a new company, Leidos, would provide services in security, health and engineering.
 
Oracle has responded to a former employee's claim that a new in-memory processing option is turned on by default with the latest release of Database 12c, insisting that the process of enabling it requires a series of deliberate steps.
 
Twitter more than doubled its sales in the second quarter, the company reported Tuesday, showing a strong advertising business.
 
The Alliance of Artists and Recording Companies is suing Ford and General Motors for violating copyrights with the CD-ripping capability of their cars.
 
Samsung and Apple, in the second quarter, sank to their lowest shares of the global smartphone market in recent years as Chinese smartphone vendors came on strong, market research firm IDC said.
 
Regulators in China today said that they made sudden appearances at several Microsoft offices on Monday to gather evidence for an antitrust probe.
 
When Cathy Lee started working at New York startup Faith Street last year, she quickly learned a lesson that could benefit other recent college graduates who want to advance their IT careers -- soft skills like being flexible, taking on new tasks and asking questions matter a lot.
 
Ericsson plans to acquire MetraTech, a vendor of billing systems based on metadata, as service providers eye new services using the Internet of Things.
 
Bad relationships are bound to happen from time to time. In the workplace, they are typically based on fear and insecurity. However, you can repair them with a little work. Here are three things you should always, sometimes and never do.
 
Uber and Airbnb, which have already proved popular with travelers and urbanites with smartphones, have unveiled new features and links to other services designed to attract more business users.
 
Early one morning in April last year, someone accessed an underground vault just south of San Jose, California, and cut through fiber-optic cables there. The incident blacked out phone, Internet and 911 service for thousands of people in Silicon Valley.
 
Oracle has granted CEO Larry Ellison 3 million stock options, a significant reduction from the 7 million options he received in previous years, according to a regulatory filing.
 
Google is working with open-source development organization Linaro to develop a special edition of Android for the Project Ara customizable smartphone.
 
U.S. Senator Patrick Leahy has introduced a new version of a bill to rein in the National Security Agency's bulk collection of U.S. phone records in an effort to strengthen legislation that passed the House of Representatives this year.
 
Audi demonstrated a highly automated driving technology in an Audi A7 equipped to handle driving functions on freeway conditions at up to 40 mph.
 
U.S. broadband providers appear to be embracing monthly data caps, but customers are confused about the amount of data they use and broadband plan options, according to preliminary findings by the U.S. Government Accountability Office.
 
Microsoft and IBM are gaining momentum in the cloud infrastructure services market, putting pressure on Amazon and outpacing rival Google, according to a new study.
 
The beta of Apple's latest operating system, OS X 10.10 Yosemite, promises a sparkling new design and some very useful features.
 
 

The Perfect InfoSec Mindset: Paranoia + Skepticism
Dark Reading
Obviously, true delusional paranoia has no place in infosec. Panicked reactions to fictional threats are a recipe for disaster. However, I believe the proper dose of paranoia can be a good thing for security professionals. After all, it does increase ...

 
Iron Dome

The technology behind Iron Dome, the missile defense system Israel has been using since 2011, was allegedly stolen by Chinese military hackers.

That claim was made by Cyber Engineering Services to Brian Krebs of security news site Krebs On Security, and it identifies Elisra Group, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems as the three defense companies that were compromised during the cyber assault. The perpetrators, Cyber Engineering Services says, are the same ones behind a spate of attacks that have come to light in the past few years, all attributed to Unit 61398, a Shanghai-based arm of the Chinese army. The five Chinese military officers indicted by the US earlier this year for allegedly hacking energy firms in the country also belong to the same unit.

The hacks took place from October 2011, some six months after Iron Dome became operational, and continued up until August 2012. Israel Defense Forces (IDF) has said that many hundreds of rockets fired from Gaza, particularly during the current military operation and a series of clashes in 2012, have been scuppered by the system, which is thought to be one of the most effective missile-defense technologies in the world.


 
This isn't the only way Instagram and sheep are related.
Sean Gallagher

Stevie Graham, a London-based developer, recently submitted a bug report to Facebook outlining what he saw as a security vulnerability in Instagram that would allow someone to hijack a user’s session based on data captured over a public Wi-Fi network. When he was told that he wouldn’t get a bug bounty from Facebook, which owns Instagram, he tweeted about it—and set about building a proof-of-concept tool to exploit it. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts,” he wrote. “Pretty serious vuln, FB. please fix.”

As we reported in our recent coverage of mobile application privacy holes, Instagram uses HTTP for much of its communications, passing the user’s account name and an identifying account number in the clear. And as Graham demonstrated, there are other pieces of data sent between Instagram’s iOS client and the service that are passed in the clear. Even though the user’s credentials are submitted using a secure connection, information passed back by Instagram’s application interface to the phone client provides a cookie that can be used on the same network without reauthentication to connect via the Web to Instagram as that user and gain access to private messages and other data. “Once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP,” he wrote. Graham said that he has known about the flaw for years.

Graham posted the following steps to reproduce his findings:


 
Parts for the 32GB Amazon Fire smartphone cost $205, just shy of the cost of parts of a similarly configured Apple iPhone 5S and well below the Samsung Galaxy S5, both with the same 32GB storage tally.
 
What's the most important quality leaders should have? Discipline? Drive? Obsession? The ability to motivate others? No, no, no and no. The answer is emotional IQ - or what's referred to in laymen's terms as empathy.
 
Apple today refreshed the MacBook Pro line with minor upgrades of the processor, a small price cut to the aged non-Retina model, and additional RAM for the least-expensive Retina configurations.
 
Before flying from Rome to Philadelphia earlier this summer, I stopped in the hotel lobby to print my boarding pass. The hotel had one computer dedicated solely to this task. It was the only public computer available to guests. I could access only airline websites and input my name and confirmation number for the ticket. That was it.
 
Wearables will make it infinitely easier for companies to track employees. But without transparency, that will foster suspicion.
 
New York's plan to turn pay phones into free Wi-Fi stations could be a template for other cities, and bad news for IT departments trying to protect corporate data and intellectual property.
 
U.S. and EU privacy and consumer groups called on privacy regulators to stop Facebook's plans to gather the Internet browsing patterns of its users while they visit other sites.
 
A slide from next week's Black Hat talk titled Android Fake ID vulnerability.
Bluebox Security

The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.

The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID, because, like a fraudulent driver's license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off-limits. Google developers have introduced changes that limit some of the damage that malicious apps can do in Android 4.4, but the underlying bug remains unpatched, even in the Android L preview.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.


 
Huawei Technologies shipped 62% more smartphones in the first half of 2014 than the same period last year, with shipments to some countries outside its home market of China doubling or even tripling.
 
Researchers at Stanford University have made progress toward designing a battery with a lithium anode, a development that could increase battery power in electronics.
 
A configuration problem in Facebook's popular Instagram application for Apple devices could allow a hacker to hijack a person's account if they're both on the same public Wi-Fi network.
 
An OpenVMS user group in France has posted an 'open letter' to Hewlett-Packard CEO Meg Whitman urging her to reconsider HP's decision to begin pulling support for the system.
 
A Florida man was arrested and charged with wire fraud after he allegedly bilked more than three dozen Apple stores across the country of more than $309,000 worth of products over a several-month stretch.
 

Posted by InfoSec News on Jul 29

http://www.washingtonpost.com/lifestyle/style/hackers-conference-celebrates-one-of-the-oldest-tricks-in-the-book-picking-locks/2014/07/25/c6ef22be-133d-11e4-98ee-daea85133bc9_story.html

By Anna Hiatt
The Washington Post
July 25, 2014

NEW YORK -- Babak Javadi is discussing his obsession with lock picking —
how successfully pressing each pin into place and feeling the lock
cylinder release is “so pleasant,” how quickly he fell in love...
 

Posted by InfoSec News on Jul 29

Forwarded from: GroundZero Summit CFP <g0s.cfp (at) gmail.com>

Ground Zero Summit 2014

13 - 16 November 2014, New Delhi, India

Ground Zero Summit (G0S) 2014 in its second year promises to be Asia's largest
Information Security gathering and proposes to be the ultimate platform for
showcasing researches and sharing knowledge in the field of cyber security. G0S
rationale: The increasing volume and complexity of cyber threats -...
 

Posted by InfoSec News on Jul 29

http://nypost.com/2014/07/27/medical-examiner-employees-have-seen-dead-celebrities-files/

By Susan Edelman
NYPOST.com
July 27, 2014

Employees in the city Medical Examiner’s Office have sneaked peeks at
graphic photos and autopsy reports in recent celebrity deaths, including
those of Mick Jagger girlfriend L’Wren Scott and actor Philip Seymour
Hoffman, whistleblowers say.

ME workers not involved in the high-profile cases, or not...
 

Posted by InfoSec News on Jul 29

http://www.nextgov.com/cybersecurity/2014/07/hacker-breached-noaa-satellite-data-contractors-pc/89771/

By Aliya Sternstein
Nextgov.com
July 28, 2014

National Oceanic and Atmospheric Administration satellite data was stolen
from a contractor's personal computer last year, but the agency could not
investigate the incident because the employee refused to turn over the PC,
according to a new inspector general report.

This is but one of the...
 

Posted by InfoSec News on Jul 29

http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/

By Brian Krebs
Krebs on Security
July 28, 2014

Three Israeli defense contractors responsible for building the “Iron Dome”
missile shield currently protecting Israel from a barrage of rocket
attacks were compromised by hackers and robbed of huge quantities of
sensitive documents pertaining to the shield technology,...
 

Posted by InfoSec News on Jul 29

http://www.ctvnews.ca/canada/chinese-cyberattack-forces-computer-shutdown-at-national-research-council-1.1936483

By CTVNews.ca Staff
July 28, 2014

The federal government’s National Research Council was forced to shut down
its computers to stop cyberattacks from China, CTV News has learned.

Sources told CTV’s Ottawa Bureau Chief Robert Fife that Chinese hackers
had been trying to get into NRC computers for the past month.

On Monday, it...
 
WordPress Vitamin Plugin 'path' Parameter Multiple Remote File Disclosure Vulnerabilities
 