Information Security News

The mobile gift-giving app Karma announced Friday it has been acquired by Facebook. The announcement came shortly after the markets closed on Facebook's first day as a publicly traded company.

The U.S. International Trade Commission issued an import ban Friday on any Android devices from Motorola that infringe one of Microsoft's patents.

The latest addition to Adonit's family of disc styluses for iOS devices, the Jot Flip seeks to fill the 2-in-1--stylus combined with pen--niche treasured by those still chained to paper and pen. And while the problems I've had with the Jot line in the past are still present in the Flip, it largely succeeds in conquering the 2-in-1 challenges.

pidgin-otr 'log_message_cb()' Function Format String Vulnerability

HP is expected to announce a large layoff at its quarterly investors briefing on Wednesday, losing as many as 30,000 employees. But for now, the company isn't talking about its plans.

Facebook's IPO got off to a shaky start as its share price ended the first day of trading with small gains.

[Ask the iTunes Guy is a regular column in which we answer your questions on everything iTunes related. If there's something you'd like to know, send an email to the iTunes Guy for consideration.]

Twitter has announced support for "Do Not Track," immediately implementing it to halt online tracking of users who trigger a setting in their browsers.

With the arrival of the Mercury Accelsior PCI Express SSD, OWC claims to have the only Mac bootable PCIe solid state drive currently on the market. The Mercury Accelsior comes in four different size configurations, 120GB, 240GB, 480GB, and 960GB, and will set you back $360, $530, $950, or $2080, respectively. Despite its relatively high price point, the Accelsior's performance is among the best SSDs we've seen, and its ability to upgrade capacity as needed is definitely a plus.

Hewlett-Packard Virtual SAN Appliance 'hydra.exe' Remote Buffer Overflow Vulnerability

Oracle mod_wl HTTP POST Request Remote Buffer Overflow Vulnerability

PolarSSL Diffie Hellman Key Exchange Security Bypass Vulnerability

Liferay Portal Multiple Security Vulnerabilities

The first hours of Facebook's IPO got off to a shaky start today with the share price wavering around the $40 mark, never gaining the astronomical momentum many had anticipated.

True privacy can be hard to come by in the socially enabled online world, but Twitter on Thursday announced that it has joined Firefox maker Mozilla in taking a big step forward for users.

Liferay Portal 'updateOrganizations()' Method Security Bypass Vulnerability

ikiwiki CVE-2012-0220 Multiple Cross Site Scripting Vulnerabilities

Microsoft will repeat last year's back-to-school promotion, kicking off the deal Sunday with an offer of a free Xbox 360 game console to eligible U.S. students who buy a new Windows 7 PC.

After all the buildup, Facebook's long-anticipated initial public offering is finally here.

Adoption of Android devices in large businesses has been 'severely limited' because of the complexities of managing the wide variety of Android models and versions, according to research firm Gartner.

H2HC Brazil 9th Edition - Call for Papers

SEC Consult SA-20120518 :: Memory overwrite vulnerability in libwpd (OpenOffice.org) - CVE-2012-2149

Re: [oss-security] CVE Request: Planeshift buffer overflow

After all the buildup, Facebook's long-anticipated initial public offering is finally here.

Re: [oss-security] CVE Request: Planeshift buffer overflow

[SECURITY] [DSA 2475-1] openssl security update

[security bulletin] HPSBOV02780 SSRT100766 rev.1 - HP OpenVMS ACMELOGIN, Local Unauthorized

Re: [oss-security] CVE Request: Planeshift buffer overflow

After all the buildup, Facebook's long-anticipated initial public offering is finally here.

HP OpenVMS Integrity Server Unspecified Local Privilege Escalation Vulnerability

The ZTE Score M phone, apparently available via Metro PCS in the US, comes with a special suid backdoor. The backdoor for a change does not use a fixed secret root password. But instead, the suid binary sync_agent has to be called with a special parameter.
If you do have an Android phone, take a look if you have this application in /systen/bin. At this point, only this one particular model is reported to have this application present, but it would be odd to not have ZTE use the same backdoor on other models.
Cataloging and limiting suid applications should be a standard unix hardening step. The simplest way in my opinion to find suid binaries is to use this find command:
find / -x -type f -perm +u=s
Files with the suid bit set will run as the user owning the file, not as the user executing the file. This is typically used to allow normal users to execute particular administrative tasks. So verify if you need or don't need to execute a particular binary as normal user before removing the suid bit.
Update: The file has also been found on the ZTE Skate.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Despite the rumors, developers are focused on making apps -- and money -- from today's Android

Fully 95% of 600 businesses surveyed by Cisco permit the use of employee-owned smartphones and tablets at the office and found productivity gains for workers who use their own hardware.