
ITsecurity Daily News: 09/17/2014

2014-09-17 10:50

The ITsecurity daily security briefing: Wednesday, September 17, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.




Why you shouldn’t ignore those ‘low’ severity patches
  Bromium recently detected an active watering hole attack on a start-up Oil and Gas firm, using a vulnerability (CVE-2013-7331) that has long been patched. “If the ‘low’ severity from Microsoft is not motivating to patch, then hopefully some of these details are useful to jump over that hoop. It’s obvious that various exploit kits are using this vulnerability actively in the wild.” Bromium adds, “The exploit code seems to be taken from Metasploit Framework, which is also quite typical.” The lesson is that vendor severity is not the same as risk: once a ‘low’ severity vulnerability has a public Metasploit module, its patch should be reclassified internally as critical and applied urgently, because the cost of exploitation has dropped to near zero.

Which is best: parental responsibility or security technology?
  New statistics collected from Kaspersky Lab reveal that of the ‘inappropriate’ sites visited by children in the UK, almost half feature pornography. Kaspersky’s David Emm comments, “Regardless of how their children are accessing the internet, parents must remain vigilant, supervise their internet use and consider parental control technologies. The most worrying thing today is the increasing number of children using connected smartphones; after all, when children use mobile devices to access the web, they are using the same internet, with the same risks – yet parents are often not as aware of the dangers and so are not protecting these devices as they would a PC.”
  Personally, I would always go for education over legislation — whether that is parental or governmental. In both cases, legislation is an admission of failure.
Kaspersky Lab:

Microsoft releases Azure Active Directory Basic
  Aimed at the army of ‘deskless’ employees, who “tend to use fewer SaaS apps than a traditional information worker. They don’t have on premises records in AD, so synching back to AD on premises isn’t important. They don’t need to do a lot of collaborative authoring and sharing at work, so being able to manage their own groups is not a big requirement. Based on this learning, we’ve added a new version of Azure AD, Azure AD Basic, built specifically for these employees and the types of work they do.”
MS Active Directory Team Blog:

Identity theft ring operating around NYC taken down
  “Attorney General Eric T. Schneiderman today announced the arrest and indictment of five individuals for running an alleged identity-theft ring targeting customers of local banks. The defendants stole over $850,000 by having bank tellers access and steal personal information of hundreds of unsuspecting customers – account numbers and Social Security numbers, for example – and use it to withdraw money from those accounts, according to today’s allegations. The tellers indicted today worked for branches of Bank of America, JP Morgan Chase, HSBC, TD Bank and Wachovia in the Bronx, and Westchester and Orange Counties among others.”
Office of Inadequate Security:

When is a bribe not corruption? When it’s state-sponsored…
  “State and local officials in Ohio are courting Amazon.com Inc with tax breaks and other perks to convince the No. 1 U.S. online retailer to build a $1.1 billion data center in central Ohio and create 120 jobs, according to public records… Separately, city officials in Dublin, Ohio, are also looking to transfer 68.7 acres of city-owned land to the company from 2015 until 2024 – worth $6.75 million – among other perks, according to city documents posted online.”

Is the security industry ready for CVE version 2?
  The change in the way vulnerabilities are named is already in effect, and MITRE intends to start issuing identifiers in the new syntax in January 2015 whether the volume strictly requires it or not. The old format (CVE-YEAR-1234) has a fixed four-digit sequence number and so can only handle 9,999 vulnerabilities per year, which is no longer considered enough. Under the new syntax the sequence number is variable-length with no upper limit: numbers 1 to 999 keep their leading zeros to four digits (0001-0999), while larger numbers simply use as many digits as needed (eg, 12345), with no zero-padding beyond four digits.
  Mitre wants to be sure that everyone is ready. “Many vendors and consumers are still unaware that this change has happened,” says Steve Christey Coley, principal information security engineer at MITRE. “We’re producing CVEs at such a fast rate that we could cross into needing the new syntax in just a few months. But even so, the time has come and people have had enough notice. This is our last widespread pitch to get people on-board because the change is coming.”
Dark Reading:
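The practical risk of the syntax change is in tooling that hard-codes four sequence digits: an unanchored pattern will silently truncate CVE-2014-12345 to CVE-2014-1234 and report the wrong vulnerability. As an added example (not code from the briefing, Dark Reading or MITRE), the Python below puts a legacy pattern beside a parser for the current syntax and runs both over a constructed sample text; the function names are my own.

```python
import re

# Legacy pattern as shipped in many scanners and ticketing integrations:
# exactly four sequence digits and no trailing anchor, so it matches a
# prefix of a five-digit ID and yields the wrong identifier.
LEGACY_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4})")

# Current syntax: four or more sequence digits. Word boundaries stop the
# pattern from matching inside a longer token.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def parse_cve(cve_id):
    """Return (year, sequence) as ints for a well-formed CVE ID, else None.

    Rules applied: four-digit year (CVE started in 1999), sequence of at
    least four digits, and zero-padding only up to four digits, so a
    five-or-more-digit sequence must not start with '0'.
    """
    m = CVE_RE.fullmatch(cve_id.strip())
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq[0] == "0":
        return None  # e.g. CVE-2014-01234 is not a valid identifier
    if int(year) < 1999:
        return None
    return int(year), int(seq)


def legacy_extract(text):
    """What a four-digit-only pattern pulls out of free text."""
    return [f"CVE-{y}-{s}" for y, s in LEGACY_CVE_RE.findall(text)]


def extract_cves(text):
    """Extract only identifiers that are valid under the current syntax."""
    found = [f"CVE-{y}-{s}" for y, s in CVE_RE.findall(text)]
    return [c for c in found if parse_cve(c) is not None]


def sort_cves(cve_ids):
    """Sort numerically; a plain string sort puts CVE-2014-9999 after
    CVE-2014-12345, which is wrong once IDs exceed four digits."""
    return sorted(cve_ids, key=parse_cve)


# Constructed sample: one old-style ID, one five-digit ID, one invalid
# zero-padded ID and one malformed year.
SAMPLE_TEXT = (
    "Patched CVE-2013-7331 and CVE-2014-12345; "
    "ignore CVE-2014-01234 and CVE-14-1234."
)

if __name__ == "__main__":
    print("legacy :", legacy_extract(SAMPLE_TEXT))
    print("current:", extract_cves(SAMPLE_TEXT))
    print("sorted :", sort_cves(["CVE-2014-9999", "CVE-2014-12345", "CVE-2014-0001"]))
```

Run against the sample text, the legacy pattern returns three identifiers, two of them wrong (CVE-2014-1234 and CVE-2014-0123), while the current-syntax parser returns exactly CVE-2013-7331 and CVE-2014-12345. The same four-digit assumption shows up in database column widths and lexical sort orders, so check those as well as regular expressions.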

MEP Albrecht fears ‘lame duck’ Oettinger may not be up to the job
  Günther Oettinger is the new Commissioner for the Digital Agenda in Europe; but MEP Jan Philippe Albrecht is concerned he may not be up to it. One of Albrecht’s biggest fears is that Oettinger will buckle under pressure from the internet and telecoms giants who want to weaken data protection and remove net neutrality. “If Oettinger makes a poor impression in front of committee members in the European Parliament and cannot offer any answers to key questions, he will quickly be circumvented by other commissioners. In that case he would lose the authority to oversee his topics.”

Two-factor verification for iCloud.com is back following recent hacks
  “Back in June, Apple rolled out a two-factor authentication system for the iCloud.com suite of web apps. The feature quickly disappeared, but today, users are noticing that it has returned. The feature requires users to verify their identity via a ping to an SMS text number or device connected to their particular iCloud login ID. This adds an extra layer of protection so that even if another person knows your iCloud password, they will still need one of your iOS devices or SMS-connected cell phones to access Mail, Contacts, Calendar, Notes, Reminders, and iWork on the web.”



Webcasts and Webinars

Maximize The Value of Your Organization’s Media Assets
  “Enterprises face a growing need for robust online video solutions. With internationally distributed workforces and the need to reach employees on any device, solutions get even more diverse. Increasingly, organizations are focusing their efforts on creating centralized access and consolidating between synchronous and asynchronous video needs, while maintaining secure information delivery and behind-the-firewall control.”
DATE: September 17, 2014  |  TIME: 2 pm ET / 11 am PT  |  DURATION: 1 hour



Infosecurity The Netherlands
  The Dutch iteration of Infosecurity Europe.
Jaarbeurs Utrecht: 29-30 October 2014



iPhone 6 scams
  Avast has published a warning on the rapid rise of iPhone 6 scams. For example, on Facebook: “The offer of a new device, like the iPhone 6, entices people to click the like button then spam their friends with the bogus promotion. Thousands of likes can accumulate within a few hours, making the page quite valuable on the black market. The new owner rebrands it to peddle more questionable products and services with their built-in audience.”

Security Updates available for Adobe Reader and Acrobat
  “Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions.”
Adobe Security Bulletin:

Source: itsecurity.co.uk/2014/09/itsecurity-daily-news-09172014/
