Universal Plug and Play (UPnP), a common networking technology, is found vulnerable on several fronts, especially with respect to multiple buffer overflow vulnerabilities. The US Department of Homeland Security advises users to disable UPnP on their devices.
Ruby on Rails is found vulnerable to a new parsing attack, distinct from the flaws found earlier this month. A social engineering Trojan steals Facebook login credentials from players of Zynga Poker. Phony Windows 8 activators are stealing private information from those who download them.
HP disputes recent reports of printer vulnerabilities. Nonetheless, printers that don't need Internet connectivity continue to open their networks to attack—they're often easy to locate through a simple Google search. Users are advised to secure them.
Alabama authorities release more information on the mid-January attack the state sustained, reassuring citizens that private information wasn't compromised.
The US economy unexpectedly contracted last quarter, and the news is expected to affect business purchasing, inventories, etc. The US Congress and Administration make little progress in avoiding budget sequestration, which the Pentagon regards as "more likely than unlikely." Michael Dell moves toward purchasing a controlling interest in his company. RIM renames itself "BlackBerry" as it launches BlackBerry 10. HP rolls out a suite of cyber security services.
Germany proposes requiring that search engines pay publishers for short blocks of text typically regarded as open to fair use.
The FBI intensifies its hunt for those who leaked information about Stuxnet last year. Congress asks Justice to justify its prosecution of Aaron Swartz.
Today's issue includes events affecting Australia, China, Germany, Indonesia, South Africa, United States.
Cyber Attacks, Threats, and Vulnerabilities
Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP(CERT: Software Engineering Institute, Carnegie Mellon University) The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet…Universal Plug and Play (UPnP) is a set of network protocols designed to support automatic discovery and service configuration. The Portable SDK for UPnP Devices (libupnp) has its roots in the Linux SDK for UPnP Devices and software from Intel (Intel Tools for UPnP Technologies and later Developer Tools for UPnP Technologies). Many different vendors produce UPnP-enabled devices that use libupnp. As part of a large scale security research project, Rapid7 investigated internet-connected UPnP devices and found, among other security issues, multiple buffer overflow vulnerabilities in the libupnp implementation of the Simple Service Discovery Protocol (SSDP). Rapid7's report summarizes these vulnerabilities
Warning: New Hack Threat Leaves Millions at Risk of Cyber Attack(CNBC) The US Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices. The U.S. government's Computer Emergency Readiness Team advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet
Trojan stole over 16,000 Facebook credentials(Help Net Security) ESET discovered a social engineering Trojan horse that managed to steal the login credentials of more than 16,000 Facebook users. The "PokerAgent" Trojan targeted Zynga Poker, the most popular
Indonesian hackers protest hacker's arrest…by hacking(The Register) Hackers have been hard at work in Indonesia, defacing web sites left, right and center in protest at the treatment of a local hacker who defaced the president's web site earlier this month and could now face a 12-year jail term. Internet café worker Wildan Yani Ashari, 22, was cuffed by police last Friday just over a fortnight after he replaced the home page of president Susilo Bambang Yudhoyono (SBY) with the message: This is a PayBack From Jember Hacker Team. Ashari, who hails from the East Java district of Jember, has been charged under local laws which could land him 12 years in the slammer and a maximum fine of IDR 12bn (784,000), according to local news site Detik
11 Sub-domains of University of New South Wales UNSW Hacked by s13doeL(Hack Read) A hacker going with the handle of s13doeL has hacked and defaced 11 sub-domains of Australia's University of New South Wales. The hacker seems to have found some kind of vulnerability on the university's server, allowing him to get in and deface only the sub-domains but not the main domain. The hacked sub-domains belong to different departments and labs of the university such as Coastal and Regional Oceanography Lab, Neilan Laboratory of Microbial and Molecular Diversity, Water Information System for the Environment, The Australian Wetlands & Rivers Centre (AWRC), School of Computer Science and Engineering, Community Eye Health Program, Test domain of Physics Science, School of Materials Science and Engineering, Workshop & Conferences on Science program and sub-domain of Department of Psychology
Woolworths SA in cyber attack(iafrica.com) A website belonging to Woolworths South Africa has been subjected to a cyber attack. User data from the firm's media relations firm, including names, addresses, dates of birth and matric marks, was posted on the dumpz.org website
Cheyney University Admits Security Breach(eSecurity Planet) Cheyney University of Pennsylvania recently announced that an e-mail sent to university students on January 24 included an attachment containing current and former students' names, mailing addresses and Social Security numbers. "Investigators say the employee in the Thornbury Township college's Bursar's Office sent the email but inadvertently attached more than 241 pages of personal information," writes NBC 10's Danielle Johnson. According to the AP, approximately 2,100 current and former students were affected
Anonymous threatens the US government with WikiLeak style revelations(Generation-NT) Late last week, the USSC governmental site was hacked by Anonymous, signalling the start of a hacking operation similar to WikiLeaks whereby they aim at revealing secrets sensitive to the United States of America. While citing the recent death of Aaron Swartz, Anonymous explains "With the death of Aaron, we couldn't wait any longer. The time has come to show the United States Justice department and their affiliates the real meaning of the word infiltration." Aaron Swartz was facing up to 50 years in prison and a 4 million dollar fine for having made 4 million scientific articles taken from universities public
The dangers of third-party code for cloud security(Help Net Security) Imperva announced a new report which examines the dangers of third-party code in cloud computing. In December 2012, a hacker breached Yahoo! with an SQL injection attack that took advantage of a vulnerability
Cross-site scripting attacks up 160%(Help Net Security) Each quarter, FireHost reports on the Superfecta - a group of four cyberattacks that are the most dangerous - and warns that both Cross-Site Scripting and SQL Injection attacks have become even more
Internet-facing printers remain a huge risk(Help Net Security) Despite repeated warnings about office and home devices being accessible from the Internet when there is no good reason for them to be, every now and then someone gets the idea of using Google Search
ALDHS details cyber intrusion of Alabama IT system(WSFA) Alabama Department of Homeland Security Director Spencer Collier on Tuesday discussed the recent cyber intrusion at the Alabama Information Services Division (ISD) and outlined action items he said the state is currently following as part of a
20 notorious worms, viruses and botnets(IT World) The earliest worms and viruses were created for geeky fun and did little harm - oh, how times have changed. Here are 20 worms, viruses and botnets that show the evolution of malware, from Creeper to Flame
Security Patches, Mitigations, and Software Updates
iOS 6.1 Fixes 27 Vulnerabilities(Dark Reading) 20 remote code execution errors in the WebKit browser engine, a staple of Apple security updates, are fixed in the new release for iPhones, iPads, and iPod Touches. Some of the bugs fixed are quite old, with one reported in 2011
Internet, social media least trusted industries for privacy(CNet) Internet and social media ranked at the bottom on a list of the most trusted industries for privacy, according to the Ponemon Institute. Released yesterday, Ponemon's "2012 Most Trusted Companies for Privacy" was compiled from a survey of U.S. adults asked to name the five companies they trust the most to protect the privacy of their personal information. Based on more than 6,700 responses, the Top 20 list did not include several tech players that had been on it in past years
The Two Classes of Cyber Threats(Slate) Against this backdrop, it is interesting to consider a recent report that the government plans to add 4,000 people to the Department of Defense's Cyber Command, which currently comprises only 900 personnel. In the current era of tightening federal
Video Surveillance Feeds Big Data(InformationWeek) For tasks including security and retail optimization, video increasingly meets data analytics. It's one more pressure on enterprise storage needs
US Economy Unexpectedly Contracts in Fourth Quarter(Wall Street Journal) U.S. economic momentum screeched to a halt in the final months of 2012, as lawmakers' struggle to reach a deal on tax increases and budget cuts likely led businesses to pare inventories and the government to cut spending
No Deal In Sight To Stop Sequester(Washington Post) Less than a month after averting one fiscal crisis, Washington began bracing Tuesday for another, as lawmakers in both parties predicted that deep, across-the-board spending cuts would probably hit the Pentagon and other federal agencies on March 1
Fort Meade commander Rothstein to leave in August(CapitalGazette.com) Chad Jones, spokesman for Fort Meade, confirmed Monday that Rothstein will be reassigned Aug. 8 at the end of his two-year tour of duty. The Army has not announced his next post, and isn't expected to name a successor to head the massive military
IBM, SAP team up on big data, cloud(Fierce Big Data) After thumbing its nose at Oracle recently by building its own in-memory database for big data called HANA, SAP expanded its long-time partnership with IBM (NYSE: IBM), in which IBM announced the launch of new global cloud and big data services as part of the IBM SmartCloud Enterprise
Actian builds big data portfolio with Pervasive Software merger(Fierce Big Data) Actian Corp. a big data management solutions provider and owner of the analytic database Vectorwise, and Pervasive Software Inc. have announced that they are merging today. Actian will acquire all of Pervasive's outstanding shares for $9.20 per share or approximately $161.9 million
Oracle Wants Cloud Cake And Hardware Wins(InformationWeek) Oracle hopes infrastructure-as-a-service (IaaS) plan will help the company have its cake and eat it, too -- boosting Oracle hardware use and increasing cloud subscription revenue
Battelle Experts to Support U.S. Army Cyber Security(MarketWire) Battelle has won a contract to conduct in-depth information assurance research supporting the United States Army's Identity Management and Cryptographic initiatives. The $22.4 million contract has a base of 10 months with two option years. "Battelle is focused on delivering high-impact technical cyber solutions to address mission needs," said David Fisher, Vice President of Battelle's Cyber Innovation business
RIM changes its name to BlackBerry, launches BlackBerry 10(Ars Technica) Can the new OS win the hearts of BlackBerry loyalists and new customers alike? It's been leaked and previewed and speculated about for months now: the only thing left to do with the BlackBerry 10 operating system is release it, and RIM—now formally known as BlackBerry—finally did that today at its press event in New York City
Why the new BlackBerry 10 phones won't stop RIM's dramatic contraction(Quartz) Tomorrow (Jan. 30), Research in Motion announces a handful of new BlackBerry 10 phones. The world already knows what they will look like and how they'll function, thanks to copious leaks. But that won't lessen enthusiasm for a slick new alternative to the mobile duopolists, Apple's iPhone and Google's Android. And doubtless it will inspire yet more breathless accounts of RIM's resurgence
CRGT Names ICF, Northrop Vet Sal Fazzolari Strategic Development SVP(Govconwire) CRGT has appointed 30-year information technology industry veteran Sal Fazzolari senior vice president of strategic development, the company said Tuesday. He will report directly to Tom Ferrando, CEO and president, and have responsibility for identifying and developing strategies to grow revenue in the defense, intelligence and civilian government markets
Can RIM persuade Indonesians to keep loving their BlackBerrys?(Quartz) The gym inside Royal Condominium, an upscale apartment and leisure complex in Medan, a fast-growing city on the island of Sumatra, has a safety problem. People are reluctant to let go of their BlackBerrys while they exercise. At the start of spinning classes, instructors say, "Remember to drink water, and no BBM!"
Seagate teams up with Virident on next-gen PCIe SSDs(FierceCIO: TechWatch) Hard disk drive maker Seagate Technology and NAND flash memory specialist Virident Systems on Monday announced a partnership to work jointly on next-generation NAND flash-based storage products for the enterprise storage market. This includes both hardware and software components that can be deployed in data centers
HP helps organizations define a security strategy(Help Net Security) HP announced a new set of security services that help organizations respond to, remediate and mitigate the impact of security breaches as they occur. Security breaches are increasingly disruptive
Technologies, Techniques, and Standards
Are Your Databases Audit-Ready?(Dark Reading) Development of policies, configuration management, encryption implementations, access control and monitoring all contribute to databases passing compliance checks
OMB releases Section 508 strategy(Fierce Government IT) Among the deliverables called for by OMB are for all agency chief information officers to appoint by March 25 a Section 508 coordinator and for CIOs and chief acquisition officers to by May 24 develop a plan and a schedule for completing a baseline assessment of Section 508 compliance on their websites and in IT procurement. The results of those assessments are due in December
Keep it secret, keep it safe: A beginner's guide to Web safety(Ars Technica) Understanding encryption is key to protecting yourself on the Web. My family has been on the Internet since 1998 or so, but I didn't really think much about Internet security at first. Oh sure, I made sure our eMachines desktop (and its 433MHz Celeron CPU) was always running the latest Internet Explorer version and I tried not to use the same password for everything. But I didn't give much thought to where my Web traffic was going or what path it took from our computer to the Web server and back. I was dimly aware that e-mail, as one of my teachers put it, was in those days "about as private as sticking your head out the window and yelling." And I didn't do much with that knowledge
Implementing a Data De-Identification Framework(Infosec Island) Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it de-identifying, personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data
Surface Mapping Pays Off(Infosec Island) You have heard us talk about surface mapping applications during an assessment before. You have likely even seen some of our talks about surface mapping networks as a part of the 80/20 Rule of InfoSec. But, we wanted to discuss how that same technique extends into the physical world as well
H.265 video standard approved(FierceCIO: TechWatch) Work on a new video compression technology has been completed, heralding the promise of even higher quality video in the near future. The new High Efficiency Video Coding standard, or H.265, has been designed as a successor to the current H.264 standard, which is heavily used in online video streaming and Blu-ray discs today
The effectiveness of bug bounty programs(Help Net Security) Veracode released an infographic that examines the success of bug bounty programs. The past decade has witnessed major growth in demand for bug hunters, with online giants such as Google, Mozilla, Facebook
Practical steps to minimize data privacy threats(Help Net Security) Google comes across 9,500 new malicious websites each day and responds by sending notifications to webmasters. Nevertheless, these websites are just one of the many dangers threatening data privacy
Doing evil with data: a beginner's guide(Fierce Big Data) The concept of evil has been co-opted by spiritualists and makers of horror films to represent something otherworldly, an amoral force impressing its will from beyond. But evil is often simply a choice. It is a choice among humans deciding how they want to wield a new-found power or advantage. Big data presents such an advantage and there will be those who choose to use it for public and private benefit, and those who purposely choose to apply it in ways that harm others and benefit only themselves
Design and Innovation
Superb Realtime 3D Cyber-Attack Alert System in Japan(Hacker News) In the movies we always see mega bunkers with screens covering entire walls, all displaying ridiculous hacker related information. As the Internet grows larger, the cyber-attacks get ever more sinister and elaborate. Keeping an eye on all of them is of course an impossible task.
Linganore High seniors team up, create FBI logo(Frederick News Post) Three Linganore High School seniors can now say they've done work for the FBI. Helen Snell, Alex McCaslin and Kate Russo teamed up to design a logo for the Baltimore bureau's newly formed Cyber Task Force. Their finished work will be featured on staff uniforms, letterhead and ceremonial items. "It's unreal," McCaslin, 18, said Monday during an interview at Linganore. "I feel like it does look professional." The badge features an eagle holding the state flags of Maryland and Delaware, which the Baltimore bureau encompasses, and binary code
Legislation, Policy, and Regulation
German Proposal For Search Engines To Pay For Displaying Publishers' Text Snippets Gets Expert Hearing. Google Dubs It "Bad Law"(TechCrunch) Google is sounding a warning klaxon about a proposed law change in Germany which aims to strengthen copyright law for publishers by requiring search engines and online news aggregators to pay a royalty to display snippets of copyrighted text — such as the first paragraph of an article displayed within a Google News search. If the law passes, fines would be imposed for unlicensed use of snippets
Partnering for Cyber Resilience (PCR)(World Economic Forum) The ability to provide a trusted environment for individuals and business to interact online is a critical enabler for innovation and growth. Digital transformation makes the protection and resilience of our shared digital environment a critical enabler for the economic growth of companies and countries. In recognition of this, and in response to the growing threats and risks in a digitally interconnected world, over 70 companies and government bodies across 15 sectors and 25 countries have joined forces to create the Partnering for Cyber Resilience initiative
Senate Democrats Outline Cyber-Security Intentions(Security Defence Agenda) Senate Democrats have released their cyber-security legislative agenda for the forthcoming Congress. With no reference to the Federal government regulating industries responsible for critical national infrastructures, the proposals stop short of the more ambitious Cyber-security Act 2012, which was defeated by Republicans. Keen Washington observers note that sense of Congress bills typically serve as a starting point, from which more comprehensive legislation can be introduced further down the line
Calling for a spectrum of intent in prosecuting hackers(Fierce Big Data) Not having a spectrum of intent for prosecuting and even pursuing hackers--that ranges from the innocuous to the most malicious--is like having only one murder charge that doesn't take into account manslaughter or self-defense. Christina Gagnier, a lawyer leading the Intellectual Property, Internet & Technology practice at Gagnier Margossian LLP, says it is time we created such a spectrum
Congress Demands Justice Department Explain Aaron Swartz Prosecution(Wired) The two leaders of a congressional committee have sent a letter to the Department of Justice demanding a briefing on why the department chose to so fervently pursue charges against coder and internet activist Aaron Swartz, who committed suicide earlier this month. The committee leaders asked the Justice Department to explain what factors influenced its decision to prosecute Swartz and whether his advocacy against the Stop Online Piracy Act played any role in that decision
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
North American ICS & SCADA Summit(Lake Buena Vista, Florida, USA, February 6 - 15, 2013) The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along...
ATMiA US Conference 2013(Scottsdale, Arizona, US, February 19 - 21, 2013) A conference devoted to the design of ATMs, and the future of the ATM industry.
#BSidesBOS(Cambridge, Massachusetts, USA, February 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...
RSA USA 2013(San Francisco, California, USA, February 25 - March 1, 2013) RSA Conference continually evolves program offerings to meet the ever-changing needs of our delegates in the dynamic infosec industry.
Nullcon Goa 2013(Bogmallo Beach Resort, Goa, India, February 26 - March 2, 2013) An international information security conference that will feature speakers and training. Topics include security and politics, vulnerability elimination, Android hacking, SCADA and smart grid penetration...
TechMentor Orlando 2013(Orlando, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...
Business Insurance Risk Management Summit(New York City, New York, USA, March 5 - 6, 2013) The annual Risk Management Summit, now in its fourth year, provides attendees with focused insight via specific, timely general sessions and strategic, thought-provoking discussions with peers and industry...
CanSecWest 2013(Vancouver, British Columbia, Canada, March 6 - 8, 2013) CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social...
e-Crime Congress 2013(London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...
CTIN Digital Forensics Conference(Seattle, Washington, USA, March 13 - 15, 2013) Speakers include experts and published authors in the field of digital forensics and cybersecurity. Topics include; Mobile Device Forensics, Internet Forensics, Physical Memory Analysis, Open Source Tools,...
IT Security Entrepreneurs' Forum (ITSEF 2013)(Palo Alto, California, USA, March 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference...
The Future of Cyber Security 2013(London, England, UK, March 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
CSO40(Braselton, Georgia, USA, April 2 - 3, 2013) The CSO40 Security Confab + Awards will honor and share the critical viewpoints of today's leading CSOs, CISOs and security executives at the nation's leading CSO thought leadership conference.
Cloud Connect Silicon Valley(Santa Clara, California, USA, April 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry...
Cyber 1.3(location and date not listed) Maj. Gen. Suzanne Vautrinot, USAF, commander, 24th Air Force, and commander, Air Force Network Operations, will discuss the global strategic implications that relate to the cyber domain at the Space Foundation...
INFILTRATE 2013(Miami, Florida, USA, April 11 - 12, 2013) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere.
InfoSec World Conference & Expo 2013(Orlando, Florida, USA, April 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen...
Infosec Southwest 2013(Austin, Texas, USA, April 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending...
Consumerization of IT in the Enterprise Conference and Expo(San Francisco, California, USA, June 2 - 4, 2013) From smartphones to mobile apps, social software and 4G networks, the wave of innovation in the consumer space is transforming the way companies do business, both inside and outside of the enterprise.
25th Annual FIRST Conference(Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
SECRYPT 2013(Reykjavik, Iceland, July 29 - 31, 2013) The 10th International Conference on Security and Cryptography (SECRYPT 2013) will take place from 29 to 31 July 2013 in Reykjavik, Iceland…The conference will focus on information systems and network...