Via TeamShatter, comes their eponymous quarterly Oracle Corporation (NYSE: ORCL) Oracle Critical Patch Update (CPU) for October 2013, which (the CPU, that is) contains 127 targeted bug, security and breakfix code changes, spanning the company's wide range of products. This time, inclusive of Enterprise Manager, Fusion Middleware bits, the Oracle Database proper, PeopleSoft, SUN Systems, MySQL and of course, the bane of my information security existence - Java, and other cruft-laden bits, enumerated in Oracle's verbose, descriptive accompanying documentation...
Or, how I learned to love the ads, as long as my face was in it... Via PCWorld's Brad Chacos, comes this astonishingly well written screed, detailing the latest indication of the death of privacy. To wit: Google Inc.'s (NasdaqGS: GOOG) plan to utilize your countenance, commentary and legal name within their advertising inventory. See any problems with this?
Web delivered advertising is intrusive, privacy defeating (through tracking, data mining, et cetera), or often malware laden (this includes non-profit organizational advertising insertions and government public service ad vehicles as well). Further, web users (including RSS, SMTP, POP and IMAP mail application users) are also paying for this interweb detritus (e.g., cost per transmitted byte on mobile devices with minuscule data plans). Advertising blocking software is not merely a method to de-cruft the web experience (if you will), but also an essential component of both cost-saving efforts and anti-malware bits for any user's security kit, as it were.
News, last week, via the eponymous Fyodor, of the release of the latest version of Nmap, now at 6.40. Outstanding.
"It includes 14 new NSE scripts, hundreds of new OS and service detection signatures, a new --lua-exec feature for scripting Ncat, initial support for NSE and version scanning through a chain of proxies, improved target specification, many performance enhancements and bug fixes, and much more! So many improvements, in fact, that our source code repository recently reached revision number 31337. In addition to our normal developers, this release showcases the efforts of our 3 Google Summer of Code students who have all been doing great work since June. Congratulations George, Jacek, and Yang! Nmap 6.40 source code and binary packages for Linux, Windows, and Mac are available for free download from: http://nmap.org/download.html" - via Gordon Lyon
Workman-like screed via Ars Technica, authored by the inimitable Dan Goodin, in which the Good Mr. Goodin enlightens us with the latest attacks demolishing the apparently decrepit fences of tunneled connectivity. Today's MustRead.
Reports indicate commercial banking institutions in the United States are peeved with the federal response to data security related attacks (evidence fingers Iranian sources for the specific attacks under scrutiny)...
Ostensibly dropped by the Metasploit Project to disambiguate supported product responsibility, both are still available and under active development for inclusion in customized environments for your penetration testing efforts. Notwithstanding the lack of a default install [through the Kali Linux install routines] the Kali Linux team has included an Armitage package [apt-get install armitage] in the repository.
Web application privilege escalation, the Movie, from last year's Security BSides London 2012. This year's event, Security BSides London 2013 [slated for 2013/04/24; at the Kensington and Chelsea Town Hall, ensconced on Hornton Street in London] is this month's MustAttend event.
News, via the inimitable Brian Krebs, detailing the astonishing malfeasance displayed by Google Inc. (NasdaqGS: GOOG) in policing the Google Play storefront. Essentially, Krebs On Security reports discovering a thriving marketplace in the buying and selling of verified developer accounts by Android malware authors. Thinking about moving to the Android platform? Think again. Read it and weep.
Saturday, twas a wet and stormy day... First came a new sub-version update to Evernote, then comes word of a service-wide password reset due to suspicious activity...
'The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords.' - Evernote's Operations & Security Team
"explore some specifics of the digital information revolution, notably theory and practice in securing, authenticating and maintaining the integrity of information (Cerf); and roots of modern cryptography and current topics in this area (Rivest and Shamir)..." - ACM
Meanwhile, in flawed intelligence analysis news (now promoted by elected officials) the latest 'Iranian State Sponsored Financial Institution Attacks' attribution statements lack both clarity and firm evidential artifacts. Kudos to InformationWeek's Mathew J. Schwartz for making the appalling flaws clear.
Notwithstanding the reported lack of evidence, the reality of the overt linkage between and betwixt the Iranian national defense infrastructure (e.g., the IRIA, Gendarmerie, IRGC, Oghab 2, Quds Force, and the Army of the Guardians of the Islamic Revolution, etc.) and external-to-the-government hacker collectives is just that - overt, rather than covert.
The smoking gun, as it were, will likely target those Iranian nationals [rather than the theocratic State]; but again, predicated on conjecture, rather than evidentiary proof.
Whilst a multitude of electronic acts of warfare can be sourced to the Islamic Republic of Iran or the nation-state's thralls, the current activities cannot yet be attributed with finality of judgment. The key concept here is evidence leading to a reasoned and prudent understanding of attribution within the scope of information security and electronic warfare realms, specifically focused on the attacks under scrutiny.
Another well crafted screed from the inimitable John Leyden of El Reg - this time detailing the dust-up between and betwixt CyberRoam and the TOR project. Allegations of mass surveillance are rampant, whilst answers are apparently not up to snuff...