Hackin9
Amazon Web Services has increased the number of simultaneous queries its hosted data warehouse Redshift can handle, improving performance in cases where many small queries are now forced to wait.
 
Google AdWords does not infringe a location-based search patent owned by a company called GeoTag, a U.S. judge ruled in a case in which Google and Microsoft teamed up to come to the aid of customers who use their mapping services.
 
QEMU 'vhdx' Block Driver Local Denial of Service Vulnerability
 
QEMU CVE-2014-0145 Multiple Buffer Overflow Vulnerabilities
 
QEMU CVE-2014-0144 Multiple Buffer Overflow Vulnerabilities
 
QEMU CVE-2014-0146 NULL Pointer Dereference Local Denial of Service Vulnerability
 
AirPhoto WebDisk v4.1.0 iOS - Code Execution Vulnerability
 
CVE-2014-2042 - Unrestricted file upload in Livetecs Timelive
 
CVE-2014-1217 - Unauthenticated access to sensitive information and functionality in Livetecs Timelive
 
CVE-2014-2383 - Arbitrary file read in dompdf
 
Some Android apps thought to be vulnerable to the Heartbleed bug were spared because of a common coding error in the way they implemented their own native OpenSSL library.
 
AT&T and Google have talked up plans to extend supercharged broadband speeds to several U.S. cities and offer lesser service for free to underserved areas. But whether they, and other providers, can bridge the nation's digital divide without federal help remains to be seen.
 
Using lambda expressions can make your Java code leaner, more powerful, and easier to read
 
Partners Toshiba and SanDisk have developed 15-nanometer process technology for NAND flash memory widely used in smartphones and tablets.
 
The U.S. Federal Communications Commission will vote Wednesday on a proposal to pump $1.8 billion into a fund that subsidizes broadband deployments in rural communities.
 

US Accountability Body Criticizes SEC Infosec Approach
www.waterstechnology.com
By James Rundle; Sell-Side Technology; 23 April 2014. The SEC has been found to have major faults in its approach to ...
 
In just a few mouse clicks, Tableau Desktop users can create forecasts from time series data.
 

Posted by InfoSec News on Apr 23

http://krebsonsecurity.com/2014/04/states-spike-in-tax-fraud-against-doctors/

By Brian Krebs
Krebs on Security
April 22, 2014

An unusual number of physicians in several U.S. states are just finding
out that they’ve been victimized by tax return fraud this year,
KrebsOnSecurity has learned. An apparent spike in tax fraud cases against
medical professionals is fueling speculation that the crimes may have been
prompted by a data breach at...
 

Posted by InfoSec News on Apr 23

http://www.press-citizen.com/story/news/2014/04/22/data-breach-could-affect-30000-iowa-state-students/8007523/

By Sharyn Jackson
Des Moines Register
April 22, 2014

Servers containing the social security numbers of almost 30,000 Iowa State
University students were compromised in a security breach, university
officials announced Tuesday.

Information technology staff discovered a breach of five departmental
servers that contained social...
 

Posted by InfoSec News on Apr 23

http://www.nextgov.com/cybersecurity/2014/04/gsa-has-new-plan-cloud-providers-navigating-changing-security-standards/83014/

By Frank Konkel
Nextgov.com
April 22, 2014

The General Services Administration released a transition plan on Tuesday
that provides guidance to cloud computing service providers that will have
to adhere to new baseline security standards slated for release in June.

The transition plan will govern how CSPs adhere to...
 

Think-tank to infosec: You're doing it wrong
Register
Tomorrow's Internet is a scary, scary place, according to think-tank The Atlantic Council, so much so that we're all apparently on the brink of “a cyber sub-prime meltdown”. The council has published a report co-prepared with Zurich Insurance which ...

 
Apple today followed Microsoft in opening up pre-release, or beta, versions of its personal computer operating system to all comers.
 
A partnership between Microsoft and Violin Memory will let enterprises tightly tie a new all-flash storage array to their servers, speeding up popular Microsoft applications.
 
Installment plans for cellphones are starting to squeeze out the time-honored practice of paying a subsidized price up front, AT&T says.
 
Google agreed to take over some of Samsung's defense against patent claims brought by Apple under a secret agreement reached in 2012, a federal court jury heard Tuesday.
 
Can your tablet withstand a 2-meter drop or be submerged in water for 30 minutes and keep functioning? The new $5,000 tablets from Xplore Technologies can.
 
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
WebKit CVE-2014-1305 Unspecified Memory Corruption Vulnerability
 
WebKit CVE-2014-1307 Unspecified Memory Corruption Vulnerability
 

Contrary to what was announced a few months ago, the infamous "Port 32764" backdoor was not fully patched in new routers [1]. As a reminder, the original backdoor allowed unrestricted, unauthenticated root access to a router by connecting to port 32764. The backdoor was traced back to components manufactured by Sercomm. Sercomm delivers parts for a number of name-brand routers sold under the Cisco, Linksys, Netgear and Diamond brands, and possibly others.

An analysis of an updated router by Synacktiv revealed that the code implementing the backdoor is still present, and can be activated to listen again by sending a specific Ethernet packet. The packet would not be routed, so an attacker has to have access to the local network the router is connected to, which significantly lowers the probability of exploitation but doesn't eliminate it.

The packet activating the backdoor is identified by an Ethernet type of 0x8888.

[1] http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf
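Since the trigger frame is not routed, the place to look for it is a capture on the local segment. The following is an added detection example (not code from the diary or from the Synacktiv report): it parses raw Ethernet frames, strips any 802.1Q/802.1ad VLAN tags, and flags frames whose EtherType is 0x8888. The MAC addresses and frames are constructed samples; the 0x8888 payloads are filler bytes, not a real activation packet.

```python
import struct

TRIGGER_ETHERTYPE = 0x8888  # value quoted in the diary
VLAN_ETHERTYPES = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tag EtherTypes

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (src_mac, dst_mac, vlan_ids, ethertype), or None if truncated."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    # Walk stacked VLAN tags so a tagged trigger frame is not missed.
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < offset + 6:
            return None
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return mac_str(src), mac_str(dst), vlans, ethertype

def find_trigger_frames(frames):
    """Return one alert dict per frame whose inner EtherType is 0x8888."""
    alerts = []
    for idx, frame in enumerate(frames):
        parsed = parse_frame(frame)
        if parsed and parsed[3] == TRIGGER_ETHERTYPE:
            src, dst, vlans, _ = parsed
            alerts.append({"index": idx, "src": src, "dst": dst, "vlans": vlans})
    return alerts

# Constructed sample frames: hypothetical MACs, filler payloads (not a real trigger).
ROUTER = bytes.fromhex("02000000aa01")
HOST = bytes.fromhex("02000000bb02")
SAMPLE_FRAMES = [
    ROUTER + HOST + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19,  # IPv4
    ROUTER + HOST + struct.pack("!H", 0x8888) + b"\x00" * 8,  # untagged 0x8888
    ROUTER + HOST + struct.pack("!HHH", 0x8100, 0x0064, 0x8888) + b"\x00" * 8,  # VLAN 100
    ROUTER + HOST + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP
    b"\x00" * 5,  # truncated frame, skipped
]

if __name__ == "__main__":
    for a in find_trigger_frames(SAMPLE_FRAMES):
        print(f"frame {a['index']}: EtherType 0x8888 from {a['src']} to {a['dst']} vlans={a['vlans']}")
```

Any hit on a production LAN is worth an alert on its own, since 0x8888 is not an EtherType normal hosts emit; feeding the same check a pcap reader's frame bytes turns it into a simple passive monitor.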

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 

Apple today released patches for OS X, iOS and Apple TV. The OS X patches apply to versions of OS X back to Lion (10.7.5). Vulnerabilities fixed by these patches can lead to remote code execution by visiting malicious web sites.

For more details, see Apple's security update page [1]. Links to the actual update details should become available shortly.

[1] http://support.apple.com/kb/HT1222

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
WebKit Unspecified Heap Based Buffer Overflow Vulnerability
 
WebKit CVE-2014-1299 Unspecified Memory Corruption Vulnerability
 

Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately.

The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories here and here. The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such "man-in-the-middle" attackers could exploit the bug by abusing the "triple handshake" carried out when secure connections are established by applications that use client certificates to authenticate end users.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple's warning explained. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."


 
The first open source web application for managing the mobile app vetting process is available for free from the National Institute of Standards and Technology (NIST). Because mobile 'apps' on smart phones and tablets can be just as big a ...
 

Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports.

The ARKON anesthesia delivery system is used in hospitals to deliver oxygen, anesthetic vapor, and nitrous oxide to patients during surgical procedures. It is manufactured by UK-based Spacelabs Healthcare Ltd., which issued a recall in March. A bug in Version 2.0 of the software running on the device is so serious that it could cause severe injury or death, the US Food and Drug Administration warned last week in what's known as a Class I recall. In part, the FDA advisory read:

Reason for Recall: Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect. This software issue may cause the System to stop working and require manual ventilation of patients. In addition, if a cell phone or other USB device is plugged into one of the four USB ports for charging, this may also cause the System to stop working.

This defect may cause serious adverse health consequences, including hypoxemia and death. Spacelabs Healthcare received one report related to the software defect. There have been no injuries or deaths associated with this malfunction.

At least 16 vulnerable units were in place at hospitals in North Carolina and South Carolina, according to the Class I advisory, the most serious type of recall notice issued by the FDA.


 
Apple Mac OS X CoreGraphics PDF Handling Buffer Overflow Vulnerability
 
Computers were once 'just' tools to improve worker productivity, now information systems are recognized as an essential component of a successful organization. The best example is the rise of former computer department managers to the ...
 
Apple today issued a security-only update for OS X, patching 25 vulnerabilities in Mavericks, its newest operating system, and 7 bugs in older editions.
 
APPLE-SA-2014-04-22-3 Apple TV 6.1.1
 
APPLE-SA-2014-04-22-2 iOS 7.1.1
 
APPLE-SA-2014-04-22-1 Security Update 2014-002
 
Mobile users of Google's search and YouTube service will soon see more targeted ads that take them straight to the installation pages for advertisers' mobile apps.
 
A notorious Windows leaker dubbed 'Wzor' says Microsoft will issue yet another update to Windows 8.1 later this year, evidence of an even-faster acceleration in the company's development tempo.
 
If the U.S. Supreme Court rules that streaming video provider Aereo violates the copyrights of TV networks, it may also put cloud storage services at risk, the company's lawyer argued Monday.
 
As data centers demand faster and faster storage, Micron is answering the call with long-lasting, solid-state drives that offer up to 800GB of capacity.
 
As Google added a taste of iOS functionality to Glass, one analyst said this is just the beginning of efforts to draw in Apple users to the computerized eyewear.
 
A battle for rights to U.S. airspace is brewing between the Federal Aviation Administration and organizations looking to operate small, unmanned aerial vehicles, or drones, for commercial and other purposes.
 

OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations. The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."


 
Oracle Java SE CVE-2013-5902 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5904 Remote Security Vulnerability
 
[SECURITY] [DSA 2911-1] icedove security update
 
Apple is expected Wednesday to confirm Wall Street's fears, that iPad sales growth not only slackened in the March quarter, but reversed course with fewer of the iconic tablets sold than the year before.
 
Dell released a new virtualized storage accelerator appliance called Fluid Cache for SAN on Tuesday, designed to help customers keep data-intensive applications working quickly under load.
 
Redmine 'redirect_back_or_default()' Function Open Redirection Vulnerability
 
Oracle Identity Manager 'backUrl' Parameter URL Redirection Vulnerability
 
[security bulletin] HPSBMU03018 rev.1 - HP Software Asset Manager running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03017 rev.1 - HP Software Connect-IT running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03019 rev.1 - HP Software UCMDB Browser and Configuration Manager running OpenSSL, Remote Disclosure of Information
 
Oracle Java SE CVE-2014-2420 Remote Security Vulnerability
 
When faced with technology options, we are choosing the ones that require the least commitment to undivided attention.
 