Hackin9
Microsoft Office CVE-2013-5057 ASLR Security Bypass Vulnerability
 
SAP is struggling to convince some customers that a pricier support service it introduced several years ago provides additional value compared to the standard support option.
 
Malicious hackers are using remote access tools to break into retail point-of-sale systems and plant malware on them, the Department of Homeland Security warned.
 
Schneider Electric OPC Factory Server Local Stack Buffer Overflow Vulnerability
 

What InfoSec can learn from the insurance industry
iT News (blog)
Step into the branch of any bank and you can see they are clearly designed to resist robbery at several levels and - up to a certain point - keep the institution's teller staff safe. That design comes from empirical experience, as in bank robberies ...

 

InfoSec's Holy Grail: Data Sharing & Collaboration
Dark Reading
Despite all the best intentions, cooperation around internet security is still a work in progress. Case in point: Microsoft's unilateral action against No-IP. “We need more collaboration, we need more data sharing!” This obligatory refrain perennially ...

 
An internal CIA investigation has determined its employees improperly accessed computers used by the Senate Intelligence Committee while it was working on a report about the agency's post-9/11 detention and interrogation program, according to a report by McClatchy.
 
Despite becoming one of the most widely used programming languages on the Web, PHP didn't have a formal specification -- until now.
 

The head of the Central Intelligence Agency has apologized to leaders of the Senate Intelligence Committee after determining that his officers improperly accessed computers that were supposed to be available only to committee investigators, according to multiple reports on Thursday.

The mea culpa from CIA Director John O. Brennan was in sharp contrast to a defiant statement he made in March. After US Senator Dianne Feinstein accused the agency of breaching long-recognized separations between employees of the legislative and executive branches, Brennan maintained that there had been no inappropriate monitoring of Senate staffers' computer activity.

"When the facts come out on this, I think a lot of people who are claiming that there has been this tremendous sort of spying and monitoring and hacking will be proved wrong," he said at the time.


 
AT&T Connect Participant Application '.SVT' File Processing Buffer Overflow Vulnerability
 
Oxwall '/admin/settings/user' Multiple Arbitrary PHP Code Execution Vulnerabilities
 
Hewlett-Packard has changed its direction on OpenVMS, giving the operating system -- and users -- something of a reprieve.
 
French mobile operator Iliad has offered to buy T-Mobile US, the fourth-largest U.S. cellular carrier, in a bid that could complicate an offer reportedly in the works at Sprint.
 
Chief information security officers (CISOs) continue to have a hard time gaining the respect of other C-suite executives despite the heightened focus overall on information security.
 
The Qi wireless charging spec added a resonance extension to its existing induction spec, meaning enabled mobile devices can be charged more than an inch away from the pad.
 

In numerous previous Diaries, my fellow Internet Storm Center Handlers have talked about honeypots, the value of full packet capture and the value of sharing any attack data. In this Diary I'm going to highlight a fairly simple and cost-effective way of rolling those together.

If you have an always-on internet connection, having a honeypot listening to what is being sent your way is never a bad idea. There are plenty of ways to set up a honeypot, but an inexpensive way to set one up at home is with a Raspberry Pi [1]. The Raspberry Pi is a credit-card sized computer which can easily be hidden away out of sight, has very low power consumption and is silent, but works very well as a home honeypot.

There are plenty of guides on installing the OS (I like using Raspbian) and securing it; then drop your pick, or mix, of honeypots such as Kippo [2], Glastopf [3] or Dionaea [4] on it. Again, guides on how to set these up litter the intertubes, so take your pick. As an additional step, I like to install tcpdump, plug a Linux-formatted 4 GB USB drive into the Pi, and then write a full packet capture of any traffic directed at the Pi's interface to the USB drive. Apart from the fact that everyone likes sifting through packet captures during downtime, there are times when capturing the full stream provides insights and additional options (like running it through your IDS of choice) on the connections being made to you.

Once you have it all set up, secured, tested and running, don't forget to share the data with us, especially if you install Kippo [5].

From my observations, don't expect a massive amount of interaction with your home honeypot, but you will see plenty of scanning activity. It's a fairly interesting insight, especially if you pick a number of ports to forward from your router/modem for the honeypot to listen on. If you do set up tcpdump to capture any traffic hitting the Raspberry Pi's network interface (and haven't set up a firewall to drop all non-specified traffic), it will also pick up any chatty, confused or possibly malicious connections within your home network if they are broadcasting or scanning the subnet. With the Internet of Things being plugged in to home networks now, it's always handy to have a little bit of notification if your fridge starts port scanning every device on your network...
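The "fridge scanning the subnet" case above, as an added example that is not part of the diary: a small Python reader for the classic pcap files tcpdump writes, which counts distinct (destination, port) pairs per home-network source and flags hosts that sweep many of them. The home subnet, the threshold and the sample capture are constructed assumptions, not data from the diary.

```python
import struct
import ipaddress
from collections import defaultdict

def tcp_frame(src, dst, dport):
    """Build a bare Ethernet/IPv4/TCP SYN frame (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_400_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp(data):
    """Yield (src_ip, dst_ip, dst_port) for every IPv4/TCP frame in a pcap blob."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("only little-endian classic pcap is handled here")
    pos = 24                                               # skip the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, pos)[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue                                       # not TCP, or truncated
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
        yield src, dst, dport

def find_scanners(data, home_net, min_targets=10):
    """Return {src: count} for hosts inside home_net touching >= min_targets (dst, port) pairs."""
    net = ipaddress.ip_network(home_net)
    seen = defaultdict(set)
    for src, dst, dport in iter_tcp(data):
        if ipaddress.ip_address(src) in net:               # only flag your own devices here
            seen[src].add((dst, dport))
    return {s: len(t) for s, t in seen.items() if len(t) >= min_targets}

# Constructed sample: a "fridge" at .50 sweeps 20 ports on the Pi at .10, a laptop at .20 makes
# two ordinary connections, and one external host (outside the home net) probes SSH.
SAMPLE_PCAP = build_pcap(
    [tcp_frame("192.168.1.50", "192.168.1.10", p) for p in range(1, 21)]
    + [tcp_frame("192.168.1.20", "192.168.1.10", 22), tcp_frame("192.168.1.20", "192.168.1.10", 80)]
    + [tcp_frame("203.0.113.7", "192.168.1.10", 22)]
)
```

Point `iter_tcp` at the bytes of a real capture from the USB drive (`open(path, "rb").read()`) to run the same check on your own traffic.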

As one of my fellow Handlers, Mark Hofman, sagely mentioned:

"if you are going to set one up, make sure you fully understand what you are about to do. You are placing a deliberately vulnerable device on the internet. Depending on your location you may be held liable for stuff that happens (IANAL). If it gets compromised, make sure it is somewhere where it can't hurt you or others."

So keep an eye on your Pi!

Happy honeypotting!

 

[1] http://www.raspberrypi.org/
[2] https://github.com/desaster/kippo
[3] http://glastopf.org/
[4] http://dionaea.carnivore.it/
[5] https://isc.sans.edu/diary/New+Feature%3A+%22Live%22+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
IBM has added to its security software portfolio with the purchase of Italian access control and identity management firm CrossIdeas for an undisclosed sum, the companies said Thursday.
 

When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

"Please don't do anything evil"

"If you put anything into your USB [slot], it extends a lot of trust," Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars. "Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil."


 
Oracle is fleshing out its family of cloud applications and taking a competitive step against the likes of Salesforce.com with the acquisition of TOA Technologies, maker of software for companies centered around field services. Terms were not disclosed.
 
Advanced Micro Devices wants to help gamers build cheaper, smaller desktops through new processors the company started shipping on Thursday
 
The European Commission is stepping up its inquiry into Google's alleged anti-competitive behavior in the market for mobile software, making a formal investigation into the company's Android business more likely, according to a report.
 

Posted by InfoSec News on Jul 31

http://www.news9.com/story/26146017/man-arrested-after-security-breach-at-the-oklahoma-county-jail

By Evan Anderson
News 9
July 29, 2014

OKLAHOMA CITY -- A man is accused of impersonating a law enforcement
officer and visiting an inmate after a security breach at the Oklahoma
County Jail.

James Keeter, 70, made his way inside the Oklahoma County Jail with little
resistance.

“He claimed to be an active probation officer or a deputy...
 
Elasticsearch CVE-2014-3120 Arbitrary Java Code Execution Vulnerability
 
Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
 
RE: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
 
Scientists at the University of California, Berkeley, are working on computer screens that would adjust their images to accommodate individual user's visual needs. Think of it as a display that wears the glasses so users don't have to.
 
Facebook introduced an app on Thursday that will give mobile phone subscribers in Zambia access to a set of free basic mobile data services -- and Facebook.
 
Xiaomi became the world's fifth-largest smartphone vendor in the second quarter, catapulted into the top five for the first time by its hit products in its home market of China, according to research firm Strategy Analytics.
 
Google's dominance of the smartphone market has reached new heights, with its Android operating system now accounting for a record 84.6 percent share of global smartphone shipments, according to research by Strategy Analytics.
 
Only one person clicks on a bad link, and she had all her files properly backed up. Maybe employees aren't a security manager's nightmare after all.
 
After years of cajoling their users into sharing every thought, emotion and selfie, online firms are seeing that providing more private online spaces might also be profitable.
 
ppc64-diag CVE-2014-4039 Multiple Insecure File Permissions Vulnerabilities
 
Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
 
[ MDVSA-2014:144 ] live
 
Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
 
[ MDVSA-2014:143 ] phpmyadmin
 

Posted by InfoSec News on Jul 31

http://allafrica.com/stories/201407300414.html

By Chusa Sichone
Times of Zambia
July 30, 2014

VISITING International Telecommunications Union (ITU) deputy
secretary-general Houlin Zhao has launched the first-ever cyber security
laboratory in Zambia, which will enable law-enforcement agencies to combat
Information Communication Technology (ICT)-related crimes.

The laboratory is based at the Zambia Police Service headquarters in
Lusaka,...
 

Posted by InfoSec News on Jul 31

http://www.defensenews.com/article/20140730/DEFFEAT05/307300017/Commentary-Cyber-Deterrence-Working

By Jason Healey
Defense News
July 30, 2014

Despite the mainstream view of cyberwar professionals and theorists, cyber
deterrence is not only possible but has been working for decades.

Cyberwar professionals are in the midst of a decades-old debate on how
America could deter adversaries from attacking us in cyberspace. In 2010,
then-Deputy...
 
phpMyAdmin 'functions.js' Multiple Cross Site Scripting Vulnerabilities
 
phpMyAdmin 'structure.lib.php' Cross Site Scripting Vulnerability
 
phpMyAdmin 'rte_list.lib.php' Cross Site Scripting Vulnerability
 
phpMyAdmin CVE-2014-4987 Remote Security Bypass Vulnerability
 
FCC Chairman Tom Wheeler has sharply questioned Verizon Wireless over its plan announced last week to throttle mobile data speeds for customers with unlimited plans.
 

It was May of 2012 at a security conference in Calgary, Alberta, when professor Ron Deibert heard a former high-ranking official suggest he should be prosecuted.

This wasn't too surprising. In Deibert's world, these kinds of things occasionally get whispered through the grapevine, always second-hand. But this time he was sitting on a panel with John Adams, the former chief of the Communications Security Establishment Canada (CSEC), the National Security Agency's little-known northern ally. Afterward, he recalls, the former spy chief approached and casually remarked that there were people in government who wanted Deibert arrested—and that he was one of them.

Adams was referring to Citizen Lab, the watchdog group Deibert founded over a decade ago at the University of Toronto that's now orbited by a globe-spanning network of hackers, lawyers, and human rights advocates. From exposing the espionage ring that hacked the Dalai Lama to uncovering the commercial spyware being sold to repressive regimes, Citizen Lab has played a pioneering role in combing the Internet to illuminate covert landscapes of global surveillance and censorship. At the same time, it's also taken the role of an ambassador, connecting the Internet's various stakeholders from governments to security engineers and civil rights activists.


 
 
LinuxSecurity.com: Several security issues were fixed in Tomcat.
 
LinuxSecurity.com: Updated live fix security vulnerability: The live555 RTSP streaming server and client libraries before 2013.11.29 are vulnerable to buffer overflows in RTSP command parsing that potentially allow for arbitrary code execution when connected [More...]
 
How do top CIOs get that way? For many, the path to greatness includes a turning point--a moment when the landscape shifted under them and they learned lessons that served them throughout their careers. We asked a few of the 2014 inductees into the CIO Hall of Fame to recount some of those moments.
 
It's been a rough start for Intel's MinnowBoard Max open-source computer, which has been delayed and is now pricier.
 

The people at Offensive Security have announced that, in the course of a penetration test for one of their customers, they found several vulnerabilities in the Symantec Endpoint Protection product. While details are limited, the vulnerabilities appear to permit privilege escalation to the SYSTEM user, which would give virtually unimpeded access to the system. Offensive Security has posted a video showing the exploitation of one of the vulnerabilities.

Symantec has indicated they are aware of the vulnerabilities and are investigating.

There is some irony in the fact that there are zero-day vulnerabilities in the software that a large portion of users count on to protect their computers from malware and software vulnerabilities. The fact is that software development is hard, and even security software is not immune from exploitable vulnerabilities. If there is a bright side, it appears that there are no exploits in the wild yet and that local access to the machine is required to exploit these vulnerabilities.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
This year's CIO 100 honorees collectively spent more than $502 million on their technology projects, and many of the winning efforts focus on using advanced analytics to create new sources of revenue, improve customer experience and increase competitive advantage.
 
Wildly successful IT projects make great stories. They spin out profitable new lines of business. They help business partners whomp the competition. They send customer satisfaction skyrocketing.
 
Stanford University's medical school plans to start using Google's wearable computer, Glass, to help train students in surgery.
 
Mobile carriers have pulled in hundreds of millions in profits through third-party charges tacked onto customers' bills without their consent, according to a report from a U.S. Senate committee.
 
There's no immediate end in sight to trouble that has hit the U.S. State Department's computer system for processing visa applications and caused problems for thousands of people worldwide.
 