Hackin9

SC Magazine UK

Infosec teams unprepared for new EU data protection laws
SC Magazine UK
More than a third of IT security teams are unprepared for the EU's two incoming data protection laws, according to a new study from FireEye. In its latest survey entitled “Mixed State of ...

 

The National Football League's official app for both iOS and Android puts users at risk by leaking their usernames, passwords, and e-mail addresses in plaintext to anyone who may be monitoring the traffic, according to a report published just five days before Super Bowl XLIX, traditionally one of the world's most popular sporting events.

As Ars has chronicled in the past, large numbers of people use the same password and e-mail address to log into multiple accounts. That means that people who have used the NFL app on public Wi-Fi hotspots or other insecure networks are at risk of account hijackings. The threat doesn't stop there: the exposed credentials allow snoops to log in to users' accounts on http://www.nfl.com, where still more personal data can be accessed, researchers from mobile data gateway Wandera warned. Profile pages, for instance, prompt users to enter their first and last names, full postal address, phone number, occupation, TV provider, date of birth, favorite team, greatest NFL Memory, sex, and links to Facebook, Twitter, and other social networks. Combined with "about me" data, the personal information could prove invaluable to spear phishers, who send e-mails purporting to come from friends or employers in hopes of tricking targets into clicking on malicious links or turning over financial data. Adding to the risk, profile pages are transmitted in unencrypted HTTP, making the data susceptible to still more monitoring over unsecured networks, the researchers reported.

"Wandera's scanning technologies have discovered that after the user securely signs into the app with their NFL.com account, the app leaks their username and password in a secondary, insecure (unencrypted) API call," a report published Tuesday warned. "The app also leaks the user’s username and e-mail address in an unencrypted cookie immediately following login and on subsequent calls by the app to nfl.com domains."


 
[SECURITY] [DSA 3142-1] eglibc security update
 
[SECURITY] [DSA 3141-1] wireshark security update
 
[SECURITY] [DSA 3140-1] xen security update
 
[SYSS-2014-013] FancyFon FAMOC - Use of a One-Way Hash without a Salt
 
LinuxSecurity.com: USN-2458-1 introduced a regression in Firefox
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in Oxide.
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
Linux Kernel 'vdso_addr()' Function Local Security Bypass Vulnerability
 
Django CVE-2015-0219 Security Bypass Vulnerability
 
Django 'django.util.http.is_safe_url()' Cross Site Scripting Vulnerability
 
Castor Library CVE-2014-3004 XML External Entity Information Disclosure Vulnerability
 
Google Chrome 40.0.2214.91 Multiple Security Vulnerabilities
 

The Register

Brits need chutzpah to copy Israeli cyberspies' tech creche – ex-spooks
The Register
Yoni Heilbronn, VP Marketing at Argus Cyber Security, which specialises in the emerging field of infosec for automobiles, is another Unit 8200 alumnus. "Experience with technology gained in [military] service is applied in private firms," Heilbronn ...

 
CVE-2015-0223: anonymous access to qpidd cannot be prevented
 
CVE-2015-0224: qpidd can be crashed by unauthenticated user
 

Posted by InfoSec News on Jan 27

http://www.newsobserver.com/2015/01/26/4502592_cybersecurity-proves-to-be-a-necessity.html

By Virginia Bridges
newsobserver.com
January 26, 2015

I could tell that Leon Grodski de Barrera was skeptical when I told him
that my list of three things small-business owners should watch in 2015
included cybersecurity.

Why would hackers be interested in the likes of his and his wife’s Durham
coffee shop Cocoa Cinnamon, he asked, versus larger...
 

Posted by InfoSec News on Jan 27

http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/

By Dan Goodin
Ars Technica
Jan 26 2015

Adobe Systems is once again rolling out an emergency Flash update that
patches a critical vulnerability under active attack to compromise the
computers of unsuspecting users.

The latest Flash versions fix a remote code-execution bug that, as Ars
reported last week, recently came under...
 

Posted by InfoSec News on Jan 27

http://krebsonsecurity.com/2015/01/spreading-the-disease-and-selling-the-cure/

By Brian Krebs
Krebs on Security
January 26, 2015

When Karim Rattani isn’t manning the till at the local Subway franchise in
his adopted hometown of Cartersville, Ga., he’s usually tinkering with
code. The 21-year-old Pakistani native is the lead programmer for two very
different yet complementary online services: One lets people launch
powerful attacks that...
 

Posted by InfoSec News on Jan 27

http://www.networkworld.com/article/2875517/security0/startup-finds-malware-intrusions-by-keeping-an-eye-on-processor-radio-frequencies.html

By Tim Greene
Network World
Jan 26, 2015

PFP Cybersecurity, a startup with roots in academia and the military,
seeks out malware by analyzing the performance of hardware - not software
and not the behavior of devices on the network.

PFP’s system compares ongoing radio-frequency output from processors...
 

Posted by InfoSec News on Jan 27

http://www.healthcareitnews.com/news/ehr-audit-catches-snooping-employee

By Erin McCann
Managing Editor
Healthcare IT News
January 26, 2015

Electronic health records not only enable faster access to real-time
patient data; they also make it a heck of a lot easier to catch snooping
employees who inappropriately view patients' confidential information, as
one California hospital has observed this past week.

Officials at the 785-bed...
 

Posted by InfoSec News on Jan 27

http://3vildata.tumblr.com/post/109188919632/about-the-infosec-skills-shortage

By https://twitter.com/addelindh and
https://twitter.com/0xtero
http://3vildata.tumblr.com/
Jan 26th, 2015

Today I got into an argument on Twitter that started with me saying
something sarcastic in reference to a recent statement by a vendor and
ended with a discussion about the skills shortage in security. Twitter can
be a difficult medium sometimes and I don’t...
 

Posted by InfoSec News on Jan 27

http://www.bbc.com/news/uk-30977267

BBC News
26 January 2015

David Cameron has said a hoax call he received from someone claiming to be
taking part in a high level conference call, did not "breach security".

The prime minister revealed he received the call on his Blackberry while
out for a walk with his family.

Mr Cameron said he quickly hung up when he realised the caller was not
genuine.

He told journalists "these things...
 
WebKitGTK+ Security Advisory WSA-2015-0001
 
[CORE-2015-0002] - Android WiFi-Direct Denial of Service
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Adobe Systems is once again rolling out an emergency Flash update that patches a critical vulnerability under active attack to compromise the computers of unsuspecting users.

The latest Flash versions fix a remote code-execution bug that, as Ars reported last week, recently came under attack in the Angler exploit kit. Malware purveyors and other types of online crooks use such kits to seed compromised websites with attack code. Once people visit the sites with vulnerable computers, the booby-trapped pages surreptitiously exploit the vulnerabilities and install backdoors that can be used to log keystrokes, steal passwords, and install new pieces of malware at will.

An advisory Adobe published late last week warned that the bug resides in versions running on Windows, Macs, and Linux systems. So far, reports suggest that in-the-wild exploits are limited only to Windows systems. The vulnerability stems from a so-called use-after-free bug that allows attackers to corrupt the memory of affected computers. Trend Micro has additional technical details here.


 