Information Security News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A survey of U.S. utilities shows many are facing frequent cyberattacks that could threaten a highly interdependent power grid supplying more than 300 million people, according to a congressional report.

Some teens are growing tired of the excessive sharing and "drama" on Facebook and more are turning to sites like Twitter and Instagram to express themselves, according to a new study.

More that three years after what came to be known as Operation Aurora, it appears that the cyber marauders were after more than just information on activists.

RETIRED: Moodle Multiple Remote Security Vulnerabilities

TerraCom's website offers free cell phones to low income customers; its call center company gave customers' personal data away.

Call it security through absurdity: a pair of telecom firms have branded reporters for Scripps News as "hackers" after they discovered the personal data of over 170,000 customers—including social security numbers and other identifying data that could be used for identity theft—sitting on a publicly accessible server. While the reporters claim to have discovered the data with a simple Google search, the firms' lawyer claims they used "automated" means to gain access to the company's confidential data and that in doing so the reporters violated the Computer Fraud and Abuse Act with their leet hacker skills.

The files were records of applicants for the Federal Communications Commission's (FCC) Lifeline subsidized cell phone program for low-income consumers. The applicants' information was collected for the telecom providers YourTel and TerraCom by Vcare, an India-based call center service contracted to verify applicants' eligibility. To qualify for the program, customers need to submit proof that they are enrolled in a federal or state assistance program such as Supplemental Security Income, food stamp programs, and the federally funded free school lunch program.

Vcare and the telecom providers are explicitly required to not retain this data under the regulations of the FCC program. However, the data was retained on Vcare's servers and posted to an open file-sharing area—and apparently indexed by Google's search engine in the process.

Read 3 remaining paragraphs | Comments

Moodle CVE-2012-6098 Security Bypass Vulnerability

Moodle CVE-2012-6101 Multiple URI Redirection Vulnerabilities

Moodle CVE-2012-6104 Information Disclosure Vulnerability

New network software from Ericsson is designed to make sure mobile users get the best possible connection when there is both a Wi-Fi and a cellular network available.

RETIRED: Moodle Multiple Remote Security Vulnerabilities

Cisco Secure Access Control System (ACS) CVE-2013-1200 Session Fixation Vulnerability

Apple pays a fair share of the taxes it owes the U.S. and other nations, its CEO said Tuesday, despite criticism from U.S. senators that the company is ducking taxes by shifting profits to subsidiaries that the company does not consider tax residents of any nation.

VMware has launched its long-anticipated public infrastructure as a service (IaaS), touting its virtual networking capabilities as a differentiator from other established hybrid cloud offerings.

Developers being overly trusting is one of them.

Yahoo again ranks as one of the world's 100 most valuable brands.

Google today upgraded Chrome to version 27, touting it as 5% faster as it patched 13 vulnerabilities.

Security researchers found serious vulnerabilities in the engines of several popular first-person shooter video games that could allow attackers to compromise their online servers and the computers of players accessing them.

trial run

Microsoft is making a big play for the living room with a new Xbox console that marries games with live TV, Internet browsing, music and Skype.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I find it sad that in times when people are facing disaster, many have died, others missing, and the survivors facing having lost everything that there are scumbags who will try to take advantage. Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has not been around for very long. There are many legit charities, I would recommend sticking to ones you are already familiar with. The American Red Cross for example has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma.

Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people, however I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to be the subject line of phishing, malware, and scammers.

Another handler remarked that the new trend seems to be crowd funding, hopefully the money raised will make its way to the charity where it belongs.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Merging electronics with human tissue, scientists at Princeton University have used 3D printing tools to build a functioning ear. Yes, an ear.

Yoking cognitive computing with customer service, IBM has launched a system that can reference large amounts of unstructured data to help companies better field customer phone calls.

Unity Technologies has added the ability to develop for Android and iOS games for free using its platform.

Donations to WikiLeaks since January have only been enough to cover expenditures in essential infrastructure, such as servers, according to a transparency report.

Oracle Java SE CVE-2013-2426 Multiple Remote Code Execution Vulnerabilities

Oracle Java SE CVE-2013-1561 Remote Java Runtime Environment Vulnerability

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

Sprint Nextel has increased its offer to buy out Clearwire, bidding US$3.40 per share, to counter a competing offer by Dish Network.

The Khronos Group has announced plans to create an open and royalty-free application programming interface for controlling mobile and embedded cameras and sensors, giving developers access to features such as burst modes and flash.

Sony PS3 Firmware v4.31 - Code Execution Vulnerability

[slackware-security] kernel (SSA:2013-140-01)

Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

Defense in depth -- the Microsoft way

Vendors are rebuilding the mainframe with converged infrastructure, collapsed kit or integrated compute platforms -- whatever you want to call it. And customers are loving it.

Apple's dominance in smartphone customer satisfaction faded last year, with rivals like Samsung and Motorola dramatically closing the gap, a national survey said today.

Static analysis tool exposition (SATE) V Call for participation

Atlassian has revamped the Jira bug tracking tool with a new user interface, which the company said will offer faster navigation and a simplified workflow.

Mobile operators collect huge amounts of data about how their subscribers use mobile data, and that information is starting to go on sale as targeted intelligence that enterprises can use to better reach consumers.

NASA's rover Curiosity has drilled into a rock on Mars for just the second time during its mission.s

Customer satisfaction with Microsoft's software, primarily Windows, dropped slightly in the last year, likely part of the fallout over Windows 8, according to the American Customer Satisfaction Index.

Amazon Web Services has finally received certification under the Federal Risk and Authorization Management Program, which the company said will lower the cost of implementing its cloud services among government organizations and agencies in the U.S.

LinuxSecurity.com: New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix a security issue. [More Info...]

LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]

LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]

LinuxSecurity.com: Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having [More...]

Apache Tomcat CVE-2013-2071 Information Disclosure Vulnerability

MIT Kerberos 5 kadmind CVE-2002-2443 Remote Denial of Service Vulnerability

Vodafone's revenue dropped 4.2 percent for its fiscal year to March 31, because of tough economic conditions, particularly in Southern Europe.

Back in February, a report by cybersecurity firm Mandiant exposed a Chinese military unit that targeted companies and media in the US. When the New York Times ran a feature on the APT1 group, things went quiet around the group. Now, APT1 has resumed operation

Alerted by the levels of outgoing traffic, Yahoo Japan believes that 22 million user IDs were leaked from their systems but it is confident that no password or other verification data was involved in the exfiltration

The latest version of the live Debian Linux distribution for anonymity and privacy especially in repressive environments is now available with on the fly package updating and support for the latest obfuscation bridges

RedHat Multiple JBoss Enterprise Products CVE-2013-0218 Local Information Disclosure Vulnerability

Toshiba said it will soon begin mass producing a new type of 64Gbit NAND flash that is the smallest and fastest in its class, though it still lags rival Samsung Electronics in the development of an even denser flash technology.

The European Union may be trying to protect its telecom equipment industry with its recent threat to investigate China over networking equipment imports. But the move could end up hurting the chances of Western vendors intent on supplying technology to China's upcoming 4G services launch, according to analysts.

HGST has announced its highest capacity 9.5mm-high mobile drive, a 1.5TB, three-platter model that is being targeted at the "prosumer" market.

Just a month after a top Google executive said Glass wouldn't be officially released for another year, sources say the computerized eyeglasses actually should ship by the end of this year.

Linux Kernel 'tg3.c' Integer Overflow Vulnerability

Inspired by the latest James Bond film, a House Democrat has filed legislation that would require all U.S. gun manufacturers to build smart technology into handguns to keep unauthorized people from using them.

It appears Canada's anti-money laundering regulator will leave Bitcoin exchanges in the country alone for now.

RETIRED:Microsoft Internet Explorer CVE-2013-1313 Use-After-Free Remote Code Execution Vulnerability

Microsoft Internet Explorer JSON Array CVE-2013-1297 Information Disclosure Vulnerability

Wireshark ASN.1 BER Dissector CVE-2013-3556 Denial of Service Vulnerability

Mobile network builder Nokia Siemens Networks unveiled tools to optimize video performance on mobile devices on Monday, just in time for the CTIA Wireless trade show that begins Tuesday in Las Vegas.

The European Union may be trying to protect its telecom equipment industry with its recent threat to investigate China over networking equipment imports. But the move could end up hurting the chances of Western vendors intent on supplying technology to China's upcoming 4G services launch, according to analysts.

Wireshark DCP ETSI Dissector NULL Pointer Dereference Denial of Service Vulnerability

Wireshark ETCH Dissector Denial of Service Vulnerability

Wireshark Websocket Dissector Denial of Service Vulnerability

Wireshark Websocket Dissector 'packet-websocket.c' Denial of Service Vulnerability

Posted by InfoSec News on May 21

http://www.wired.com/threatlevel/2013/05/google-surveillance-database/

By Kim Zetter
Threat Level
Wired.com
05.20.13

Hackers who breached Google’s network in 2010 obtained access to the company’s
system for tracking surveillance requests from law enforcement, according to a
news report.

The hackers gained access to a database that Google used to process court
orders from law enforcement agencies seeking information about customer...

Posted by InfoSec News on May 21

http://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html

By NICOLE PERLROTH
The New York Times
May 17, 2013

It’s the question of the moment inside the murky realm of cybersecurity: Just
who -- or what -- is the Syrian Electronic Army?

The hacking group that calls itself the S.E.A. struck again on Friday, this
time breaking into the Twitter accounts and blog headlines of The Financial
Times. The attack was part of a...

Posted by InfoSec News on May 21

http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/

By Patrick Ouellette
Health IT Security
May 20, 2013

A healthcare chief information officer (CIO) saying that he expects to
experience a health data breach is not only unusual, but may produce
shock and awe in some parts of the healthcare industry. However, having
this type of outlook, regardless of whether the CIO ends up having to
deal with a...

Google will retire its Checkout payment processing tool on Nov. 20, and warned retailers they will need to move to a different payment processing platform.

Sprint Nextel said it had received permission from SoftBank to negotiate a rival acquisition offer from Dish Network.