InfoSec News

Dropbox said Tuesday one of its employees' accounts was compromised, leading to a raft of spam last month that irritated users of the cloud-storage service.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple and Samsung Electronics hurled strong statements at each other in the opening rounds of their Silicon Valley patent trial on Tuesday, kicking off a case that could result in billions of dollars in damages.
Outlook.com, which Microsoft is positioning as a reinvention of its Hotmail and of competing consumer webmail services, appears at first glance more evolutionary than groundbreaking, according to several industry analysts.
The eBook reader's web browser executes arbitrary shell commands with root privileges when a specially crafted web page is visited. The hole is already being used by the jailbreak community to install unauthorised software

The Hypercom Artema Hybrid, probably the most widely-used card terminal in Germany, contains critical security holes that can be exploited to harvest card data and PIN numbers

Cyber criminals have used an elaborate multi-stage concept to attack Maplesoft customers: on behalf of the software company, they asked customers to install a malicious "security update" that contained the Zeus trojan

The Twitter-owned security firm has published the source code for its voice encryption system for Android to GitHub under the GPLv3 licence. RedPhone uses the ZRTP open standard to encrypt voice calls between Android users

Dropbox users are currently receiving massive volumes of spam sent to email addresses that they have used solely to register with the cloud storage service provider. Dropbox is looking into the incident

Apple's iPhones permanently store the PIN from an installed SIM card in the keychain. From there, the PIN can quite easily be retrieved even on a locked device

After releasing updates for Firefox, Thunderbird and SeaMonkey, Mozilla has now detailed the security fixes that the new versions include, many of which are rated as "Critical" by the project

Among the updated components are Oracle Fusion Middleware 11g, Oracle Database 10g and 11g, Solaris and MySQL. The closed holes include one with the highest possible severity score

Systemd developer Lennart Poettering has extended his init system for Linux to include seccomp support. This allows users to limit the system calls that are permitted for background services

Skype has confirmed that current versions of its VoIP software contain a serious privacy bug that could result in instant messages (IMs) being sent to unintended recipients
With the release of Android 4.1 (Jelly Bean) Google has finally given its smartphone operating system fully-featured address space layout randomisation (ASLR). This means that exploit coders can no longer try to jump to targeted memory addresses

The Android Open Source Project has released documentation on the security features of the operating system. The document explains the application sandbox, the permission management framework, inter-process communication and more

Future versions of Google's Chrome web browser will no longer allow extensions, apps and user scripts to be installed from third-party servers. Instead, developers will be required to submit them to the Chrome Web Store so they can be checked for malicious functionality

The Team Apollo hacker group has claimed responsibility for the database break-in at NVIDIA and, as proof, has released several hundred users' data, with more to come

Microsoft's new email service, Outlook.com, is more than an update to its free email offering. It's also a one-two punch against major rival Google, analysts said.

It's been a while since we published the diary about the lilupophilupop SQL injection (https://isc.sans.edu/diary.html?storyid=12127) that back in January had infected LOTS of web sites. But guess what, they are b-aaa-ck, and are trying pretty much the same thing.
The big difference is that while the old exploits only worked with SQL Server, this one appears to be targeting MySQL. SQL Server uses tables like sys_objects and sys_tables to manage its schema. MySQL, on the other hand, has a special information_schema schema that is used to manage this information. Other than that, to the casual observer this exploit looks pretty much the same.

which decoded looks as usual:

Searching for the injected lasimp04risioned URL via Google shows that the bad guys don't seem to be as 'successful' with this attack as last time, but this can change. If you have additional information from your web server logs, especially on which server or content management system is being targeted this time, please let us know.
Thanks to ISC reader Mike for sharing the excerpt from his web logs!
No one is more vigilant about protecting the data of EU citizens than European Commission Vice-President Viviane Reding. She is spearheading and vigorously advocating for the Commission's proposals to update and modernize the privacy framework in Europe through a detailed new Regulation. She worries a lot about the privacy and security of EU citizens' data. And she can be a tough critic of the US privacy protection framework.
Reader Nick Hamilton finds himself stuck between old hardware and a new operating system. He writes:
Seagate's stock price dropped 8% today after the company projected a weak first-quarter outlook based on slowing PC sales.

Digital Defense Conducts Complimentary Cyber Security Seminars
Virtual-Strategy Magazine
Insight is DDI's annual industry benchmarking study that provides key information on Information Security (InfoSec) programs and practices from respondents in multiple sectors across the nation. This study serves as the foundation for DDI's ...

Microsoft's rebranding of Hotmail as Outlook.com is a move by the company to hold its first-place position in free email while pushing the domain as more of a consumer destination, an analyst said today.
Verizon Wireless has agreed to pay US$1.25 million to the U.S. Federal Communications Commission to resolve a complaint that it blocked third-party tethering applications on Android phones, the FCC said Tuesday.
With the latest release of its Tuxedo transaction processing server (TPC), Oracle is hoping to lure mainframe users onto the cloud.
Publishing the contact database of a former special advisor and blocking the anti-terrorist hotline with prank calls attract a six month prison sentence

MITKRB5-SA-2012-001: KDC heap corruption and crash [CVE-2012-1014 CVE-2012-1015]
Samsung Tuesday unveiled a mobile music service, called Music Hub, that will initially run on its Galaxy S III smartphone that is sold by all the major U.S. carriers.
A new kind of data center claiming to employ "the world's most efficient cooling system" turns the traditionally unbearable "hot aisle" between server racks into a rather pleasant air-conditioned hallway, all the while using significantly less energy.
Microsoft announced in a blog post that when users do a search, they can tag Facebook friends by name and get their recommendations on the search.
Crucial today announced a new line of SSDs aimed at users who want to upgrade their pre-2011 notebooks with 128GB and 256GB models that sell for $100 and $190, respectively.
Microsoft on Tuesday began publicly previewing a new webmail service for consumers called Outlook.com that will eventually replace Hotmail.
Oracle OpenSSO CVE-2011-3517 Remote Vulnerability
Oracle OpenSSO CVE-2012-0079 Remote Security Vulnerability
The 10 California jurors who will decide the rights and wrongs in the battle between Apple and Samsung were sworn in late Monday and alongside instructions on how to proceed during the case, the U.S. judge presiding over the case explained to them the basics of the high-profile battle.
Verizon Wireless will sell the Android 4.0 Pantech Marauder smartphone for $49.99, after rebate, with a two-year service agreement starting Thursday.
Google is adding the Google+ Hangout feature to Gmail, the company's popular cloud-based email service.
Secure Sockets Layer has been implicated in several security problems of late. Certificate pinning might patch it up for a bit longer.
Microsoft last week warned IT administrators that critical vulnerabilities in code licensed from Oracle could give attackers access to Exchange Server 2007 and Exchange Server 2010 systems.
Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-1961 Clickjacking Vulnerability
Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-1955 Location Bar Spoofing Vulnerability
After more than 25 years the venerable VGA port is finally disappearing from computers, but the interface is proving tough to phase out completely and will linger for years in projectors, monitors and TV sets.
Box has received $125 million in funding, an infusion the company will use to boost its international expansion and strengthen its cloud-hosted enterprise collaboration, storage, file-sharing and content management software.
The health care industry's increased use of electronic medical records (EMRs), wireless medical devices and personal mobile technology has turned hospital networks into important components in patient treatment. Practicing medicine now requires maintaining constant wireless connectivity and possibly managing wired network traffic if doctors and nurses are to fully leverage health IT according to health care professionals.
Mobile malware is rising fast, infecting nearly 13 million phones in the world during the first half of 2012, up 177% from the same period a year ago, according to Beijing-based security vendor NetQin.
Oracle is hoping to differentiate its cloud CRM (customer relationship management) software from that sold by rivals such as Salesforce.com with a new set of industry-specific capabilities.
Paper, created by design studio Fiftythree, may be one of my favorite drawing apps ever to grace the iPad. If I didn't put so much trust in reality, I would've sworn that the company found some way to magically turn its supply of charcoal, watercolors, markers, and inkwell pens into lines of code that, when run on an iPad, made beautiful artwork.
CloudCracker claims to be able to crack VPN and WiFi connections secured using MS-CHAPv2 within 24 hours, whatever password is used. The cost? Around $200

Home and small business users are printing less while making wider use of the Web and offline print services.
Swiss bank UBS is planning to take legal action against Nasdaq OMX Group to recoup losses it made related to the Facebook IPO, the company said on Tuesday as it reported its second quarter results.
Facebook said Monday it has defenses in place to detect click fraud despite one company's claim it detected suspicious clicks on its advertisements billed to it by the social-networking site.
Google engineers have volunteered the company's VP8 video codec for an emerging standards project, called WebRTC, that could provide a real time communications protocol for the Web.

Posted by InfoSec News on Jul 31


By Dan Goodin
Ars Technica
July 28 2012

The WiFi at the annual Defcon hacker conference has long been inhabited
by a battery of live and automated mischief makers that sniff packets,
scan ports, and exploit whatever weaknesses can be found. Last year,
cellular networks were also rumored to be compromised, raising the
question: How does one stay both safe and connected...

Posted by InfoSec News on Jul 31


By Lucian Constantin
IDG News Service
July 30, 2012

Security researchers disclosed critical vulnerabilities in routers from
Chinese networking and telecommunications equipment manufacturer Huawei
at the Defcon hackers conference on Sunday.

The vulnerabilities -- a session hijack, a heap overflow and a stack
overflow -- were...

Posted by InfoSec News on Jul 31


By Tracy Kitten
BankInfo Security
July 30, 2012

Two men were sentenced this week in connection with fraudulent
transactions they made with compromised debit cards tied to the Michaels
point-of-sale breach.

In 2011, banking institutions reported tens of thousands of fraudulent
transactions linked to consumers who had visited Michaels craft stores
that were affected...

Posted by InfoSec News on Jul 31


By Patience Wait
July 30, 2012

The National Institute of Standards and Technology has released updated
guidance on how federal agencies and businesses can deal with network
attacks and malware.

The advice comes in the form of two publications that have been revised
to reflect the latest in security best practices: NIST's Guide to
Intrusion Detection and...

Posted by InfoSec News on Jul 31


By Kim Zetter
Threat Level
July 30, 2012

LAS VEGAS -- At least three widely used credit and debit card purchasing
terminals in the U.S. and U.K. have vulnerabilities that would allow
attackers to install malware on them and sniff card data and PINs.

The vulnerabilities can also be used to make a fraudulent card
transaction look like it’s been accepted when it hasn’t been,...