FCC Chairman Tom Wheeler has sharply questioned Verizon Wireless over its plan announced last week to throttle mobile data speeds for customers with unlimited plans.
Citizen Lab / Aurich Lawson

It was May of 2012 at a security conference in Calgary, Alberta, when professor Ron Deibert heard a former high-ranking official suggest he should be prosecuted.

This wasn't too surprising. In Deibert's world, these kinds of things occasionally get whispered through the grapevine, always second-hand. But this time he was sitting on a panel with John Adams, the former chief of the Communications Security Establishment Canada (CSEC), the National Security Agency's little-known northern ally. Afterward, he recalls, the former spy chief approached and casually remarked that there were people in government who wanted Deibert arrested—and that he was one of them.

Adams was referring to Citizen Lab, the watchdog group Deibert founded over a decade ago at the University of Toronto that's now orbited by a globe-spanning network of hackers, lawyers, and human rights advocates. From exposing the espionage ring that hacked the Dalai Lama to uncovering the commercial spyware being sold to repressive regimes, Citizen Lab has played a pioneering role in combing the Internet to illuminate covert landscapes of global surveillance and censorship. At the same time, it's also taken the role of an ambassador, connecting the Internet's various stakeholders from governments to security engineers and civil rights activists.

Read 41 remaining paragraphs | Comments

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
LinuxSecurity.com: Several security issues were fixed in Tomcat.
LinuxSecurity.com: Updated live fix security vulnerability: The live555 RTSP streaming server and client libraries before 2013.11.29 are vulnerable to buffer overflows in RTSP command parsing that potentially allow for arbitrary code execution when connected [More...]
How do top CIOs get that way? For many, the path to greatness includes a turning point--a moment when the landscape shifted under them and they learned lessons that served them throughout their careers. We asked a few of the 2014 inductees into the CIO Hall of Fame to recount some of those moments.
It's been a rough start for Intel's MinnowBoard Max open-source computer, which has been delayed and is now pricier.

The people at Offensive Security have announced that in the course of a penetration test for one of their customers they have found several vulnerabilities in the Symantec Endpoint Protection product. While details are limited, the vulnerabilities appear to permit privilege escalation to the SYSTEM user which would give virtually unimpeded access to the system.  Offensive Security has posted a video showing the exploitation of one of the vulnerabilities.

Symantec has indicated they are aware of the vulnerabilities and are investigating.

There is some irony in the fact that there are Zero Day vulnerabilities in the software that a large portion of users count on to protect their computer from malware and software vulnerabilities. The fact is that software development is hard and even security software is not immune from exploitable vulnerabilities. If there is a bright side, it appears that there are no exploits in the wild yet and that local access to the machine is required to exploit these vulnerabilities.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
This year's CIO 100 honorees collectively spent more than $502 million on their technology projects, and many of the winning efforts focus on using advanced analytics to create new sources of revenue, improve customer experience and increase competitive advantage.
Wildly successful IT projects make great stories. They spin out profitable new lines of business. They help business partners whomp the competition. They send customer satisfaction skyrocketing.
Stanford University's medical school plans to start using Google's wearable computer, Glass, to help train students in surgery.
Mobile carriers have pulled in hundreds of millions in profits through third-party charges tacked onto customers' bills without their consent, according to a report from a U.S. Senate committee.
There's no immediate end in sight to trouble that has hit the U.S. State Department's computer system for processing visa applications and caused problems for thousands of people worldwide.
Trusted Boot 'loader.c' Security Bypass Vulnerability
Google is looking to make your work day a bit more social and is taking its Google Hangouts into the business arena.
A security audit of 10 popular Internet-connected devices -- components of the so-called "Internet of things" -- identified an alarmingly high number of vulnerabilities.
Amazon made headlines this month when it sought permission from the U.S. government to test its drone-based delivery service, but it's far from the only company that's applied for such approval.
Advanced Micro Devices is moving closer to a motherboard design that will accept both x86 and ARM chips with the shipment of its first 64-bit ARM board.
An agreement in Congress to allocate $17 billion to the Department of Veterans Affairs includes money for a major tech upgrade.
CMSimple 'required_classes.php' Remote File Include Vulnerability
Red Hat has developed a version of the Linux operating system that can be used to test chips and associated hardware based on the ARMv8-A 64-bit architecture for servers with the aim of standardizing that market.
Linux Kernel 'mac80211/sta_info.c' NULL Pointer Dereference Denial of Service Vulnerability
While 70 percent of hiring managers plan to hire more IT pros in the second half of 2014, candidates are showing they're not willing to accept just any offer. In fact, 32 percent of hiring managers and recruiters said in a recent Dice.com survey that their offers were being rejected, and a majority (61 percent) of respondents said candidates were asking for higher compensation than they did as recently as six months ago.
Hacker Gary McKinnon has reinvented himself as an online search expert, after winning a 10-year fight against extradition to the US for breaking into military computers to look for evidence of UFOs.

Officials with the Tor privacy service have uncovered an attack that may have revealed identifying information or other clues of people operating or accessing anonymous websites and other services over a five-month span beginning in February.

The campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services, an advisory published Wednesday warned. Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who recently canceled a presentation at next week's Black Hat security conference on a low-cost way to deanonymize Tor users. But the officials also speculated that an intelligence agency from a global adversary might have been able to capitalize on the exploit.

Either way, users who operated or accessed hidden services from early February through July 4 should assume they are affected. Tor hidden services are popular among political dissidents who want to host websites or other online services anonymously so their real IP address can't be discovered by repressive governments. Hidden services are also favored by many illegal services, including the Silk Road online drug emporium that was shut down earlier this year. Tor officials have released a software update designed to prevent the technique from working in the future. Hidden service operators should also consider changing the location of their services. Tor officials went on to say:

Read 5 remaining paragraphs | Comments

A U.S. appeals court has dismissed a long-running patent infringement lawsuit lodged against Lawson Software by ePlus.
It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.
IP.Board Cross Site Scripting Vulnerability
Concrete5 Cross Site Scripting and Path Disclosure Vulnerabilities
ol-commerce Multiple SQL Injection and Multiple Cross Site Scripting Vulnerabilities
MyConnection Server 'test.php' Multiple Cross Site Scripting Vulnerabilities
There are known, proven approaches to reduce those risks without disabling the benefit of consumerization
LinuxSecurity.com: Multiple vulnerabilities has been discovered and corrected in phpmyadmin: Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in [More...]
LinuxSecurity.com: Updated apache package fixes security vulnerabilities: A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded [More...]
LinuxSecurity.com: Updated java-1.7.0-openjdk packages fix security vulnerabilities: It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java [More...]
LinuxSecurity.com: Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated owncloud package fixes security vulnerability: Owncloud versions 5.0.17 and 6.0.4 fix an unspecified security vulnerability, as well as many other bugs. [More...]
LinuxSecurity.com: A vulnerability has been found and corrected in mozilla NSS: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird [More...]
LinuxSecurity.com: Security Report Summary
Cisco Unified Customer Voice Portal CVE-2014-3325 Multiple Cross Site Scripting Vulnerabilities
phpMyAdmin CVE-2014-4348 Multiple Cross Site Scripting Vulnerabilities
phpMyAdmin CVE-2014-4349 Multiple Cross Site Scripting Vulnerabilities
Vulnerabilities in Facebook and Facebook Messenger for Android [STIC-2014-0529]

The Perfect InfoSec Mindset: Paranoia + Skepticism
Dark Reading
Obviously, true delusional paranoia has no place in infosec. Panicked reactions to fictional threats are a recipe for disaster. However, I believe the proper dose of paranoia can be a good thing for security professionals. After all, it does increase ...

Moodle Repositories CVE-2014-3541 PHP Code Injection Vulnerability
[ MDVSA-2014:141 ] java-1.7.0-openjdk
[security bulletin] HPSBMU03078 rev.1 - HP CloudSystem Foundation and HP CloudSystem Enterprise Software running OpenSSL, Remote Unauthorized Access or Disclosure of Information
[Onapsis Security Advisory 2014-026] Missing authorization check in function modules of BW-SYS-DB-DB4
The IT profession in many ways seems like a good fit for women, but the industry has a hard time attracting them and keeping those who do enter IT. (Insider; registration required)
Some of the most popular tech companies in Silicon Valley have been feeling the heat lately. We're not talking about the summer scorcher or record drought, rather the white-hot spotlight from the media.
Moodle CVE-2014-3546 Multiple Information Disclosure Vulnerabilities
[Onapsis Security Advisory 2014-025] Multiple Cross Site Scripting Vulnerabilities in SAP HANA XS Administration Tool
[Onapsis Security Advisory 2014-021] SAP HANA XS Missing encryption in form-based authentication
Barracuda Networks Web Application Firewall v6.1.5 & LoadBalancer v4.2.2 #37 - Filter Bypass & Multiple Vulnerabilities
Moodle Quiz CVE-2014-3545 Remote Code Execution Vulnerability
Moodle Shibboleth Plugin CVE-2014-3552 Authentication Bypass Vulnerability
Moodle CVE-2014-3543 XML External Entity Information Disclosure Vulnerability
Microsoft's voice-activated digital assistant Cortana is coming to China in a beta version nicknamed 'Xiao Na,' as part of several new functions packed into a Windows Phone 8.1 update.
The LG G3 Android smartphone has some impressive features, but during real-world use, problems can emerge.

Posted by InfoSec News on Jul 30


By David Braue
CSO Online (Australia)
30 July, 2014

Security pundits have warned of the imminent hacking threat to critical
infrastructure providers, but a new Ponemon Institute survey of
infrastructure operators suggests the threat is already here.

The survey found 86 per cent of executives reporting they suffered at
least one security...
Kunena Forum Extension for Joomla Multiple Reflected Cross-Site Scripting Vulnerabilities
Kunena Forum Extension for Joomla Multiple SQL Injection Vulnerabilities
[ MDVSA-2014:140 ] owncloud
Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
Madbits, a year-old company that uses deep learning technology to assign relevant information to raw images, has sold itself to Twitter, according to the Madbits website.
Amazon.com is investing $2 billion more in India, which is witnessing an online retail boom.
Amazon.com believes that pricing e-books at $9.99 will boost sales by over 74 percent as the books are highly price-elastic.
Get the August edition of Computerworld's all-new digital magazine, featuring the challenges CIOs face when they decide to rely on analytics, not instinct, to make decisions.
Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company.
An open-source project has released the first free application for the iPhone that scrambles voice calls, which would thwart government surveillance or eavesdropping by hackers.

Posted by InfoSec News on Jul 30


30 JULY 2014

Unless quick measures are put in place, your digital wallet, particularly
the payment cards which you so much treasure, may sadly be like the
proverbial basket used to store water. If recent developments are anything
to go by, only God will prevent hackers from being smarter than you.

Do you know why? Microsoft server 2003 and 2003 R2, which supports...

Posted by InfoSec News on Jul 30


By Susan D. Hall
July 29, 2014

The U.S. Department of Health and Human Services must improve its security
procedures for granting access to physical facilities as well as computer
applications and files, according to an audit from the HHS Office of
Inspector General that found security controls inadequate.


Posted by InfoSec News on Jul 30


By Thomas Claburn

Hilton Worldwide plans to allow guests to check-in and choose their rooms
using mobile devices, and even to unlock their hotel rooms.

By the end of the year, Hilton says it will offer digital check-in and
room selection at 11 of its brands, across more 4,000 properties. The
service will...

Posted by InfoSec News on Jul 30


By Prue Salasky
July 29, 2014

Newport News-based Riverside Health System has announced a security breach
at Cancer Specialists of Tidewater, a Riverside-owned practice with
offices in Virginia Beach, Suffolk and Chesapeake. More than 2,000
patients have potentially been affected by a team member accused of
identity theft.

The female...
Linux Kernel 'futex.c' Function Denial of Service Vulnerability
Internet Storm Center Infocon Status