Tuesday, June 30, 2015

Hacker group "Team GhostShell" resumes its activity

The notorious hacker group claims to have hacked a vast number of websites and is leaking sensitive user information, including credentials.


from Symantec Connect - Security - Blog Entries http://ift.tt/1T45FQ1

Apple Releases Security Updates for QuickTime, Safari, Mac EFI, OS X Yosemite, and iOS

Original release date: June 30, 2015

Apple has released security updates for QuickTime, Safari, Mac Extensible Firmware Interface (EFI), OS X Yosemite, and iOS. Exploitation of some of these vulnerabilities may allow an attacker to obtain elevated privileges or crash applications.

Available updates include:

  • QuickTime 7.7.7 for Windows 7 and Windows Vista
  • Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3
  • Mac EFI for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5
  • OS X Yosemite 10.10.4 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10 to v10.10.3
  • iOS 8.4 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later

US-CERT encourages users and administrators to review Apple security updates HT204947, HT204950, HT204934, HT204942, HT204941 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.
from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/1dvQKOF

Great user experience leads to great security

Security need not be a series of walls. A UX expert says security can be gently woven into the flow of applications.

from Latest topics for ZDNet in Security http://ift.tt/1LGTQya

Venafi Snags $39Mn for Crypto Funding

Intel Capital and other new investors led the round.

from http://ift.tt/1LTtgPi

Fed Reserve: Chip and Signature Not Enough

Chip and signature is a half-measure, falling short of the chip and PIN technology deployed throughout the rest of the world.

from http://ift.tt/1LTtgPh

Pakistan Implements Biometrics for Remote Teachers

Pakistan has embraced biometrics as its preferred authentication method to identify “ghost employees” and to combat absenteeism.

from http://ift.tt/1eYOYHm

IT Pros Believe Cyberattacks Are Under-reported

87% of respondents think that large financial hacks are happening more often than reported, and right under the nose of security auditors.

from http://ift.tt/1LTrxtg

OPM Identity-Protection Phishing Campaigns

Original release date: June 30, 2015

US-CERT is aware of phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID. For those affected by the recent data breach, the legitimate domain used for accessing identity protection services is https://opm.csid.com.

US-CERT recommends that users visit the OPM website for more information. Users are also encouraged to report suspicious email to US-CERT.


from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/1U5CE8a

FIDO Adds Mobile Specs to Post-Password Mix

FIDO, the Fast Identity Online Alliance, has released new specs aimed at mobile and wireless applications.

from http://ift.tt/1Jv90WS

Spikes Debuts Isolation Tech for Browser-borne Malware

The Isla family of web malware isolation appliances processes all web content on secure appliances deployed outside the network.

from http://ift.tt/1Hw0kiq

IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2013-7423)

Open Source GNU C library (glibc) vulnerability that affects IBM Security Access Manager for Mobile. CVE(s): CVE-2013-7423. Affected product(s) and affected version(s): IBM Security Access Manager for...

from IBM Product Security Incident Response Team http://ift.tt/1C69UXq

IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance v2 API unrestricted path traversal (CVE-2014-9493, CVE-2015-1195)

IBM PowerVC is impacted by OpenStack Glance v2 API unrestricted path traversal vulnerability (CVE-2014-9493, CVE-2015-1195). CVE(s): CVE-2014-9493 and CVE-2015-1195. Affected product(s) and affected...

from IBM Product Security Incident Response Team http://ift.tt/1C69UXo

IBM Security Bulletin: IBM PowerVC is impacted by Apache Qpid security vulnerabilities (CVE-2015-0203, CVE-2015-0223, CVE-2015-0224)

IBM PowerVC is impacted by Apache Qpid security vulnerabilities (CVE-2015-0203, CVE-2015-0223, CVE-2015-0224). CVE(s): CVE-2015-0203, CVE-2015-0223 and CVE-2015-0224. Affected product(s) and affected...

from IBM Product Security Incident Response Team http://ift.tt/1C69TCQ

IBM Security Bulletin: A cross-site scripting vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1966)

A cross-site scripting vulnerability affects IBM Security Access Manager for Mobile, caused by improper validation of user-supplied input. CVE(s): CVE-2015-1966. Affected product(s) and affected version(s): ...

from IBM Product Security Incident Response Team http://ift.tt/1C69S1G

IBM Security Bulletin: A cross-site scripting vulnerability affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2015-1966)

A cross-site scripting vulnerability affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway, caused by improper validation of user-supplied input. CVE(s): CVE-2015-1966 ...

from IBM Product Security Incident Response Team http://ift.tt/1C69S1E

IBM Security Bulletin: XSS Vulnerability in IBM Jazz Foundation affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0130)

A Cross-site Scripting vulnerability affects the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Team Concert (RTC), and Rational...

from IBM Product Security Incident Response Team http://ift.tt/1C69TCG

My Security Strategy: The "Third Way"

from TaoSecurity http://ift.tt/1Kr4nNC

NSA can begin bulk collection of Americans' phone records again: court

The secretive Washington DC.-based court determined that the Freedom Act, passed earlier this month, would allow the data collection to begin once more.

from Latest topics for ZDNet in Security http://ift.tt/1R2nPEe

How DevOps Can Be a Model for Effective Cyber Security

The collaboration encouraged by DevOps can be a good model for cyber security.

Now more than ever before, effective cyber security requires a concerted effort across the entire enterprise. While software was once limited in both its functionality and its reach within the organization – e.g., in the occasional use of locally stored documents, spreadsheets and other programs among discrete groups – it is now inseparable from many everyday operations, in every department from IT to line-of-business. Applications such as VoIP, video conferencing and cloud storage, supported by the Internet and the cloud, have all become essential to communications and have also broadened the importance of network security as the first line of defense for this always-on connectivity.

The growing centrality of cloud-connected applications has created new security risks to enterprise data, making it vital for organizations to be able to identify any possibly suspicious activity early and often. Going back to the collaboration we mentioned at the very beginning, there is a clear need to include contributions from both the technical and business-oriented sides of a firm in formulating a sensible modern cyber security strategy. There is already a precedent for such heightened coordination, in the form of the increasingly popular DevOps movement, which has taken hold among startups as well as network carriers.

DevOps and the importance of collaboration in cyber security
Can DevOps serve as a blueprint for a new approach to cyber security? Let’s look at what DevOps entails and the influence it has had so far within the software field. The word “DevOps” is a portmanteau of “development” and “operations,” meant to convey a close working relationship between two technical segments of an organization that would have been siloed from each other in a traditional arrangement.

Ideally, this setup allows for projects to be completed much more quickly than they would be if everyone was still operating within discrete silos. Moreover, many tools, including ones capable of tasks such as continuous integration and cloud orchestration, are billed as DevOps-ready solutions that enable greater business agility through their support for rapid development, testing and deployment. However, it is important to note that DevOps is not simply about technical tools – it is also a cultural movement promoting collaboration.

The relationship between DevOps and cloud computing is deep, with one commentator aptly likening the two of them to the classic combo of chocolate and peanut butter. Accordingly, as enterprises increasingly invest in cloud-based services, they will likely take a good, long look at DevOps as well, since it can provide the speed and iterability needed to make the most of cloud infrastructure. DevOps and cloud have a symbiotic relationship. Both can help encourage adaptability to rapidly changing project requirements.

“Cloud computing, whether inside your firewall or purchased from a service provider, is essential to success with DevOps,” explained Paul Gillin in an article for CIO. “The virtual platform needs to be as fluid as the application, and deployment from development to production needs to be automatic in order to meet the demanding delivery requirements.”

A 2014 survey from Puppet Labs found that organizations that had implemented DevOps had 50 percent fewer failures than ones that did not, in addition to being able to deploy code 30 times as quickly. For example, carriers like T-Mobile have taken up DevOps as a way to close the gap with larger rivals such as AT&T and Verizon. DevOps can provide the speed and efficiency that are so important for organizations with limited resources to begin with.

Applying the DevOps model to security may seem unorthodox at first glance, if only because DevOps and cyber security have sometimes been pitted against each other, as DevOps expert Gene Kim told The Wall Street Journal earlier this year. More specifically, the accelerated release cycles of DevOps culture can complicate the efforts of the security teams, which have to assess the impact of these changes on the organization’s core data and IT infrastructure. But at the same time, the collaboration at the heart of DevOps could be a guide to bridging the divide between IT and everyone else when it comes to tackling common security issues.

Cyber security: Not just the IT department’s job anymore
In a recent article for Procurement Leaders, Paul Teague pointed to the need for closer collaboration between IT and procurement in mitigating the risk of data breaches. The logic is straightforward: with the average consolidated cost of a security incident having risen to $3.8 million (up 23 percent since 2013), protecting data is not simply an exercise in privacy protection but one that also has far-reaching implications for the financial health of the whole enterprise.

These kinds of calls for tighter working relationships are merited, especially given the centrality of software (and cloud applications in particular) and the growing influence of consumer technology on IT, via bring-your-own-device policies. Moreover, some common cyber attacks such as spear-phishing are directed at end user assets like email accounts rather than directly at an enterprise’s network infrastructure.

In this context, we can see the advantages of taking a DevOps-esque approach to cyber security, one that keeps everyone on the same page throughout the enterprise’s self-improvement processes and its adjustments to new cyber threats. As Steve Hall noted for ScriptRock, the idea here is not so much putting security into DevOps, but placing DevOps into security. In practice, this entails better alignment of security with business objectives, with data protection goals implemented early on in the development of any application or service and then automated (a process staple within DevOps cultures) for easy short- and long-term management.

DevOps has been a huge boon to startups, enterprises and service providers seeking to adapt to a cloud-centric world in which popular services can be quickly rolled out to many users while still maintaining a high level of quality. Cyber security increasingly needs both this speed and attention to detail, if it is to keep up with the threats posed by denial-of-service attacks, malware and phishing. There is plenty to learn from DevOps in remaking cyber security for these new challenges.

from Trend Micro Simply Security http://ift.tt/1FOfWX8
via IFTTT

Bugtraq: APPLE-SA-2015-06-30-4 Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7

APPLE-SA-2015-06-30-4 Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7

from SecurityFocus Vulnerabilities http://ift.tt/1IqAco3

Bugtraq: APPLE-SA-2015-06-30-3 Mac EFI Security Update 2015-001

APPLE-SA-2015-06-30-3 Mac EFI Security Update 2015-001

from SecurityFocus Vulnerabilities http://ift.tt/1IqA6Nn

Bugtraq: APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update 2015-005

APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update 2015-005

from SecurityFocus Vulnerabilities http://ift.tt/1IqA9c4

Bugtraq: APPLE-SA-2015-06-30-1 iOS 8.4

APPLE-SA-2015-06-30-1 iOS 8.4

from SecurityFocus Vulnerabilities http://ift.tt/1T2aGso

Vulnerability Spotlight: Apple Quicktime Corrupt stbl Atom Remote Code Execution

This post was authored by Rich Johnson, William Largent, and Ryan Pentney. Earl Carter contributed to this post. Cisco Talos, in conjunction with Apple's security advisory issued on June 30th, is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple. There is a remote code execution vulnerability in Apple Quicktime (TALOS-CAN-0018, CVE-2015-3667). An attacker who can control the data [...]

from Cisco Blog » Security http://ift.tt/1U4PPGt

Amazon introduces new open-source TLS implementation 's2n'

s2n, with its mere 6,000 lines of code, focuses only on encryption.

from Latest topics for ZDNet in Security http://ift.tt/1GKu8RN

Team GhostShell hacking group back with a bang

Hackers claim to have hacked a growing list of websites, compromising credentials and other sensitive user information.


from Symantec Connect - Security - Blog Entries http://ift.tt/1T1KNsW

Scientists have Increased Fiber Optic capacity Nearly 20 Times

There is a lot of speculation and fear regarding the fiber optic network that delivers the Internet to your home and office — what will happen when the fiber optic cables max out? Well, there is nothing to fear. Your Internet is safe! Scientists at the University of California, San Diego, have recently managed to break the "capacity limits" of fiber optic networks, opening

from The Hacker News http://ift.tt/1LSUEx1

My Prediction for Top Gun 2 Plot

from TaoSecurity http://ift.tt/1LAcSFn

'Personal' Dark Web service removes corporate cyberthreat blindness

The new service dives into the murky Dark Web to track your stolen data, hacktivism, insider threats and hackers willing to break into your network.

from Latest topics for ZDNet in Security http://ift.tt/1T14QHJ

Bugtraq: Google Chrome Address Spoofing (Request For Comment)

Google Chrome Address Spoofing (Request For Comment)

from SecurityFocus Vulnerabilities http://ift.tt/1GMaoym

Cisco to buy cybersecurity firm OpenDNS in $635m deal

The deal will give Cisco better visibility into the security and threat landscape.

from Latest topics for ZDNet in Security http://ift.tt/1CGIEcF

An explosion in apps development means security headaches for CIOs

App development teams need to test against copies of the production database — each copy increases the risk of a major security breach.

from Latest topics for ZDNet in Security http://ift.tt/1BTNU1v

MIT develops donor 'transplants' for buggy code without access to the source

'Donor' programs provide the band-aid to fix buggy code and eliminate errors.

from Latest topics for ZDNet in Security http://ift.tt/1BTNU1n

Bugtraq: CVE-2015-4674 - TimeDoctor autoupdate over plain-HTTP

CVE-2015-4674 - TimeDoctor autoupdate over plain-HTTP

from SecurityFocus Vulnerabilities http://ift.tt/1C4EOiV

USN-2652-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2652-1

30th June, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt - Web browser engine library for Qt (QML plugin)

Details

It was discovered that Chromium did not properly consider the scheme when determining whether a URL is associated with a WebUI SiteInstance. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2015-1266)

It was discovered that Blink did not properly restrict the creation context during creation of a DOM wrapper. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-1267, CVE-2015-1268)

It was discovered that Chromium did not properly canonicalize DNS hostnames before comparing them to HSTS or HPKP preload entries. An attacker could potentially exploit this to bypass intended access restrictions. (CVE-2015-1269)
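As an added illustration of the CVE-2015-1269 failure mode (this is not Chromium's code): a preload list stores entries in canonical form, so a lookup performed on the raw hostname silently misses entries that a canonicalized lookup finds. The preload entries and the canonicalization rules (lowercase, strip one trailing dot, IDNA-encode) are constructed assumptions for the example.

```python
# Added example, not Chromium's implementation. Shows why hostnames must be
# canonicalized before comparison with HSTS/HPKP preload entries.

# Constructed preload list for illustration, stored in canonical form
# (lowercase, no trailing dot), as a real preload list would be.
PRELOAD = {
    "example.com": {"include_subdomains": True},
    "login.example.net": {"include_subdomains": False},
}


def canonicalize_host(host: str) -> str:
    """Assumed canonicalization: trim whitespace, drop one trailing dot
    (fully-qualified form), IDNA-encode non-ASCII labels, lowercase."""
    host = host.strip()
    if host.endswith("."):
        host = host[:-1]
    try:
        # Python's idna codec converts Unicode labels to xn-- form but leaves
        # pure-ASCII labels untouched, so lowercase afterwards regardless.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        # malformed label (e.g. empty); fall back to plain lowercasing
        pass
    return host.lower()


def naive_lookup(host: str) -> bool:
    """The buggy pattern: compare the raw hostname string to preload entries.
    Any case or trailing-dot variation bypasses the policy."""
    return host in PRELOAD


def preload_lookup(host: str, canonicalize: bool = True) -> bool:
    """Return True if the preload list requires HSTS for `host`.
    Walks from the full hostname up through its parent domains and honours
    each entry's include_subdomains flag."""
    if canonicalize:
        host = canonicalize_host(host)
    labels = host.split(".")
    for i in range(len(labels)):
        entry = PRELOAD.get(".".join(labels[i:]))
        if entry is None:
            continue
        # exact match always applies; a parent entry applies only if it
        # covers subdomains
        if i == 0 or entry["include_subdomains"]:
            return True
    return False
```

The same lookup with `canonicalize=False` reproduces the bypass: `EXAMPLE.COM.` and `example.com` are the same host on the wire but only one of them hits the preload entry.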

Update instructions

The problem can be corrected by updating your system to the following package version:

  • Ubuntu 15.04: liboxideqtcore0 1.7.9-0ubuntu0.15.04.1
  • Ubuntu 14.10: liboxideqtcore0 1.7.9-0ubuntu0.14.10.1
  • Ubuntu 14.04 LTS: liboxideqtcore0 1.7.9-0ubuntu0.14.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1266, CVE-2015-1267, CVE-2015-1268, CVE-2015-1269

from Ubuntu Security Notices http://ift.tt/1LFxop3

PCI DSS 3.0 Officially Retires Today

Firms now have one year to get compliant with PCI DSS 3.1

from http://ift.tt/1LSoKkc

Amazon patches three vulnerabilities in Fire smartphones

Two of the vulnerabilities place secure communication at risk and could allow for man-in-the-middle attacks.

from Latest topics for ZDNet in Security http://ift.tt/1GJKQAL