Thursday, December 31, 2015

Must-see talks from 2015's Chaos Communication Congress hacker conference

The world's longest-running hacker conference Chaos Communication Congress celebrates its 32nd year with a bevy of important talks and discussions, including the drop of a "new" attack vector.

from Latest topics for ZDNet in Security http://ift.tt/1mrYwh6

IBM Security Bulletin: Local escalation of privilege vulnerability in IBM® DB2® LUW (CVE-2015-1947)

A vulnerability in IBM DB2 for Linux, Unix and Windows could allow a local user to gain elevated privilege.
CVE(s): CVE-2015-1947
Affected product(s) and affected version(s): All fix pack levels of IBM DB2 V9.7, V10.1 and V10.5...

from IBM Product Security Incident Response Team http://ift.tt/1kw1y2E

IBM Security Bulletin: Vulnerability in OpenSSL affects Rational Tau (CVE-2015-3194)

OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL Project. OpenSSL is used by Rational Tau. Rational Tau has addressed the applicable CVE (CVE-2015-3194).
CVE(s): CVE-2015-3194
Affected product(s) and affected version(s): 4.3, 4.3.0.1,...

from IBM Product Security Incident Response Team http://ift.tt/1VrTUUv

IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LCMS Premier on Cloud (CVE-2015-7450)

An Apache Commons Collections vulnerability in the handling of Java object deserialization is being addressed by IBM Kenexa LCMS Premier on Cloud.
CVE(s): CVE-2015-7450
Affected product(s) and affected version(s): All. Refer to the following reference URLs for...

from IBM Product Security Incident Response Team http://ift.tt/1JhAgJj

IBM Security Bulletin: Vulnerabilities in OpenSource Dojo ToolKit affect IBM InfoSphere Master Data Management (CVE-2015-5654)

Vulnerabilities in OpenSource Dojo ToolKit affect IBM InfoSphere Master Data Management (CVE-2015-5654).
CVE(s): CVE-2015-5654
Affected product(s) and affected version(s): These vulnerabilities are known to affect the following offerings: IBM Initiate Master...

from IBM Product Security Incident Response Team http://ift.tt/1JhAf7W

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-4872)

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6.0, which is used by WebSphere Partner Gateway Advanced/Enterprise edition. These issues were disclosed as part of the IBM Java SDK updates for October 2015....

from IBM Product Security Incident Response Team http://ift.tt/1JhAgJ9

IBM Security Bulletin: Local escalation of privilege vulnerability in IBM® DB2® LUW (CVE-2015-1947)

A vulnerability in IBM DB2 for Linux, Unix and Windows could allow a local user to gain elevated privilege.
CVE(s): CVE-2015-1947
Affected product(s) and affected version(s): All fix pack levels of IBM DB2 V9.7, V10.1 and V10.5 editions listed below and...

from IBM Product Security Incident Response Team http://ift.tt/1JhAgJ2

Microsoft pledges to inform users of state surveillance, account hacking

The tech giant will now tell you if your account has been targeted or compromised by government authorities.

from Latest topics for ZDNet in Security http://ift.tt/1PyFq4E

Tor Project launches bug bounty program

Following reports of security flaws which could compromise the network, Tor is launching a program to weed out additional problems.

from Latest topics for ZDNet in Security http://ift.tt/1VrNtAZ

Bugtraq: Joomla 1.5.x to 3.4.5 Object Injection Exploit (golang)

Joomla 1.5.x to 3.4.5 Object Injection Exploit (golang)

from SecurityFocus Vulnerabilities http://ift.tt/1RaPOzC

Bugtraq: Executable installers are vulnerable^WEVIL (case 16): Trend Micro's installers allows arbitrary (remote) code execution

Executable installers are vulnerable^WEVIL (case 16): Trend Micro's installers allows arbitrary (remote) code execution

from SecurityFocus Vulnerabilities http://ift.tt/1OyQv72

Microsoft will Inform You If Government is Spying on You

Following in the footsteps of Twitter, Facebook and Google, Microsoft promises to notify users of its e-mail (Outlook) and cloud storage (OneDrive) services if government hackers may have targeted their accounts. The company already notifies users if an unauthorized person tries to access their Outlook or OneDrive accounts. But from now on, the company will also inform if it suspects

from The Hacker News http://ift.tt/1YQoaxS

Wednesday, December 30, 2015

Bugtraq: FTPShell Client v5.24 Buffer Overflow

FTPShell Client v5.24 Buffer Overflow

from SecurityFocus Vulnerabilities http://ift.tt/1YTMlpV

Steam confirms DoS revealed 34K user details

A denial-of-service attack was responsible for Steam account details being revealed to other users and the service shutting down on Christmas Day, with the company working on identifying affected users.

from Latest topics for ZDNet in Security http://ift.tt/1PyrrtP

Industry Experts Share Top Data Breach Threats in 2016

There’s no shortage of frontiers in the world of data breaches, with new avenues expanding each year. Watch our short video to hear what top threats industry experts foresee for 2016, ranging from political campaigns to healthcare and more. To hear full predictions, stay tuned for more dialogue between Michael Bruemmer with each of the […]

from Data Breach Resolution http://ift.tt/1kuFCVO

R.I.P Ian Murdock, Founder of Debian Linux, Dead at 42

Ian Murdock, the founder of the Debian Linux operating system and the creator of apt-get, has passed away. Yes, it is very sad to announce that Ian Murdock is no longer among us. His death has touched the entire software community. He was just 42. The announcement of Murdock's death came via a blog post on the Docker website, where Murdock was working as a member of the technical
from The Hacker News http://ift.tt/1SmWlZ1

Bugtraq: [oCERT 2015-012] Ganeti multiple issues

[oCERT 2015-012] Ganeti multiple issues

from SecurityFocus Vulnerabilities http://ift.tt/1NRJlqV

Diamonds Aren’t a Girl’s Best Friend…Her Dog Is!

Loyal Protector at All Times

In the 1950s film Gentlemen Prefer Blondes, Marilyn Monroe’s character sang “Diamonds Are A Girl’s Best Friend.” The theme of this song is that when all is said and done, a woman should rely more on the “ice” she gets from a man than on the man who gave her the diamonds.

Clearly, Marilyn’s character Lorelei Lee needed a dog. With a canine pet, she would have had “pawtection” to alert her of potential danger. I think you’ll agree that this security attribute alone makes a good pup worth his/her weight in gold or diamonds.

To drive home the point of how dogs service their owners by alerting them to and guarding them from danger, Trend Micro made a series of seven entertaining short Family PAWtector films – all featuring dogs as the heroes. The videos show why we love dogs and the heart-warming way they can “pawtect” us both online and IRL (in real life).

Watch video now: A Girl’s Best Friend

After watching all the Family PAWtector videos, why not share them with family and friends? And please do visit our website to learn more about Trend Micro Maximum Security 10.

With their diligence and dedication to protecting their families, dogs inspire us at Trend Micro to continue developing comprehensive, multi-device security so you can do doggone great things online safely.

from Trend Micro Simply Security http://ift.tt/1VpC30D

Google 'Android N' Will Not Use Oracle's Java APIs

Google appears to be no longer using Java application programming interfaces (APIs) from Oracle in future versions of its Android mobile operating system, and switching to an open source alternative instead. Google will be making use of OpenJDK – an open source version of Oracle’s Java Development Kit (JDK) – for future Android builds. This was first highlighted by a "mysterious Android

from The Hacker News http://ift.tt/1RRrvbq

Tor Project to Start Bug Bounty Program — Get Paid for HACKING!

The non-profit organization behind TOR – the largest online anonymity network that allows people to hide their real identity online – will soon be launching a "Bug Bounty Program" for researchers who find loopholes in Tor apps. The bounty program was announced during the recurring 'State of the Onion' talk by Tor Project at Chaos Communication Congress held in Hamburg, Germany. Bug

from The Hacker News http://ift.tt/1VprPNJ

North Korea's Red Star OS (Looks Like Mac OS X) Spies on its Own People

North Korea has its own homegrown computer operating system that looks remarkably just like Apple’s OS X, which not only prevents potential foreign hacking attempts but also provides extensive surveillance capabilities. Two German researchers have just conducted an in-depth analysis of the secretive state's operating system and found that the OS does more than what is known about it.

from The Hacker News http://ift.tt/1MGp5og

Tuesday, December 29, 2015

Early IT adoption doesn't mean Singapore e-gov systems need overhaul

Cybersecurity posture involves balancing usability, cost, and security, says national security agency head David Koh, who explains how glitches in Singapore's e-government systems should be managed.

from Latest topics for ZDNet in Security http://ift.tt/1QWFOLY

Digital privacy about to feel real-world shock to its system

Can the EU's new regulations provide definition, legal structure for on-going privacy concerns of both citizens and businesses?

from Latest topics for ZDNet in Security http://ift.tt/1Vo2hk5

Why 2016 Could be a Big Year for Global Cyber Security Efforts

Reading the IT press can be a pretty depressing thing sometimes. The past 12 months in particular have seen an avalanche of cyber-attacks on public and private bodies all over the country. Whether it's nation state actors, financially driven cybercriminals or personally motivated hacktivists, the effect on organizations and individuals, from the federal government down, has been devastating. Just consider some of the tragic alleged outcomes of the Ashley Madison hack.

The good news is that Trend Micro predicts 2016 will see things get better. Building on some good work done already this past year, governments and law enforcers across the globe will refocus their efforts on more arrests, more convictions and more effective laws to turn the tide in their favor.

A good year

Despite all the sensational cyber-attack headlines over the past 12 months, there have also been a fair number of wins for the white hats. Here are just a few:

  • The US and EU have finalized an agreement allowing both parties to exchange more data during investigations
  • Trend Micro worked with industry partners, the FBI and the UK’s NCA to help dismantle the Dridex botnet
  • Trend Micro collaborated with Interpol and other industry players to take down the Simda botnet
  • A Russian national was sentenced to over four years in prison for his role in infecting more than 11 million machines with the Citadel malware, after being first arrested in Spain
  • Another Russian national admitted his role in a massive data breach scheme which compromised more than 160 million credit card numbers, after being arrested in the Netherlands
  • A coalition of law enforcers from 20 countries helped to charge, arrest and search members of the infamous Darkode hacking forum, leading to its dismantling

We’re clearly seeing more global co-operation between law enforcement agencies so that they can act quickly and decisively to bring known or suspected cybercriminals to justice. Partnerships with industry players like Trend Micro will also continue and deepen. In fact, we signed a landmark MoU with the UK’s National Crime Agency this year which has seen members of our Forward-Looking Threat Research Team work hand-in-hand with the agency on entire cases. It’s already led to the arrest of two suspected cybercriminals.

Challenges and optimism

Building on the momentum of the past year, we think cybercrime legislation will take a significant step towards becoming a truly global movement in 2016. But it won't be without its challenges. There are still far too many regions of the world in which hackers can sit tight and operate with virtual impunity, safe in the knowledge that as long as they don't focus their efforts on domestic vested interests, the authorities will turn a blind eye.

Suspected JPMorgan hack ringleader Joshua Aaron, wanted by the FBI, is known to have traveled frequently to Russia, for example. Many more countries across the Middle East and Asia also represent something of a blind spot for police, despite the best efforts of Interpol.

For there to be movement on this we need politicians to forge closer bonds with the common understanding that economic cybercrime does no country any good. The deal between the US and China on this was a step in the right direction. There will always be nation state espionage, but if we can differentiate that from economic cybercrime, there may be a way to forge an agreement on improved co-operation on cases going forward.

Within the US and the EU, the escalation of cybercrime incidents may be reaching a tipping point where the potential loss of private information to criminals begins to be a greater public concern than vulnerability to governmental surveillance. The perplexing trade-off between these issues has largely chilled effective cybercrime legislation for the last several years, with many proposed schemes being criticized for overbroad language that could unnecessarily expose citizens to further risks or be abused for law enforcement or even private litigation objectives that are largely unrelated to cybercrime.

In the US, 2016 will be a very important year for cybersecurity policy due to the Cybersecurity Information Sharing Act of 2015 (“CISA”) that was attached to the omnibus budget bill recently passed by Congress, and the pressing controversy about strong encryption technology. Although a slightly more privacy friendly version of CISA passed the Senate in October, and White House Cybersecurity Coordinator Michael Daniel was quoted as saying that “the [Obama] administration will be pushing to ensure that there are very robust privacy provisions” in the final version, the current CISA version is actually less narrowly tailored for its ostensible purpose. In the current version, data shared with government authorities could be used for non-cybersecurity purposes where there’s a “specific threat” (vs. an “imminent threat” in the prior version), and the contributor is no longer required to make an effort to remove irrelevant personal information from the data prior to submission. While we expect to see some benefit from broader sharing of threat and incident data, the benefits may be tempered by reduced participation and backlash from privacy and consumer advocates if the data is used for purposes that don’t have a legitimate security nexus (e.g., illegal downloads of copyrighted music and films on p2p networks being characterized as cybercrime to encourage ISPs to monitor customers).

As the debate about strong encryption seems to be rekindled with each new revelation of terrorist conspiracy, there has been an increasingly urgent call for cryptographic communications and software companies to enable governmental access to encryption keys or "back doors" for surveillance purposes. While these calls are often well intended, and hidden communications are indeed an important tool for terrorists and cybercriminals, most technology industry groups (including the Business Software Alliance, of which Trend Micro is a member) oppose the weakening of encryption technologies or the concentration of encryption keys in a single repository because of the high probability that cybercriminals would soon learn to exploit those weaknesses and gain access to any key repositories, jeopardizing the privacy and security of millions of citizens. There's no easy answer to this conundrum, but any laws adopted by the US or other countries requiring the compromise of encryption technologies may well drive the bad actors to use offshore or "rogue" encrypted communications apps and services, defeating the primary purpose of the laws while still increasing the vulnerability of the legitimate users of the affected products. A technology breakthrough to solve this problem is something of a "holy grail", and could become the biggest cybersecurity story of the year if someone can figure it out.

Although the cybersecurity threats we're facing have never been greater, the unprecedented level of attention on these issues we'll see in 2016 makes it a year for optimism and the acceptance of new challenges!

To find out more on this and all of our security predictions for 2016, check out Trend Micro’s new report, The Fine Line.

from Trend Micro Simply Security http://ift.tt/1PuQ8as

Five Ways Your Employees Sidestep Information Security Policies

By Susan Richardson, Manager/Content Strategy, Code42 A good employee finds ways to overcome roadblocks and get the job done. But in the case of enterprise IT security, good employees may be your biggest threat. In fact, a recent Dell survey found that nearly seventy percent of IT professionals believe employee workarounds are the greatest risk to […]

from Cloud Security Alliance Blog http://ift.tt/1IB1TwS

Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug

The Washington State Department of Corrections (DoC) is facing an investigation after it released around 3,200 prisoners per year early, since 2002, when a bug was introduced in the software used to calculate time credits for inmates' good behavior. The software glitch led to a miscalculation of the sentence reductions that US prisoners were receiving for their good behaviour. Over the next 13
from The Hacker News http://ift.tt/1JGHxxc