# SANS ISC

# threatpost.com

  • Most Targeted Attacks Exploit Privileged Accounts Thu, 20 Nov 2014 21:51:17 +0000
    Most targeted attacks exploit privileged account access according to a new report commissioned by the security firm CyberArk.
  • Detekt Tool Puts Surveillance Spyware on Notice Thu, 20 Nov 2014 19:08:59 +0000
    Civil rights activists and hacker Claudio Guarnieri along with partners such as the EFF and Amnesty International released Detekt, open source security software targeting activists and oppressed people that scans Windows machines for dangerous spyware.
  • Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign Thu, 20 Nov 2014 15:54:29 +0000
    Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013. […]
  • Drupal Patches Denial of Service Vulnerability; Details Disclosed Thu, 20 Nov 2014 15:03:05 +0000
    Drupal has patched a denial of service and account hijacking vulnerability, details of which were disclosed by the researchers who discovered the issue.
  • Angler Exploit Kit Adds New Flash Exploit for CVE-2014-8440 Thu, 20 Nov 2014 13:02:52 +0000
    Exploit kit authors are nothing if not opportunistic, and they know a prime opportunity when they see one. Adobe Flash bugs fit that description nicely, and the people behind the Angler exploit kit already are exploiting one of the Flash bugs patched last week in the kit’s arsenal. This is a common tactic for exploit […]
  • Citadel Variant Targets Password Managers Wed, 19 Nov 2014 19:54:34 +0000
    Some Citadel-infected computers have received a new configuration file, a keylogger triggered to go after the master passwords from three leading password management tools.
  • FREEDOM Act Rejection Should Keep ‘Encrypt Everything’ Bandwagon Rolling Wed, 19 Nov 2014 18:11:30 +0000
    The U.S. Senate failed to pass the USA FREEDOM Act last night, but that should matter little to security and technology companies rolling out encryption everywhere.
  • Nasty Security Bug Fixed in Android Lollipop 5.0 Wed, 19 Nov 2014 15:54:03 +0000
    A bug was recently fixed in Android Lollipop that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances.
  • Tor Reins in Concerns After Academic Paper on De-Anonymization Tue, 18 Nov 2014 19:33:13 +0000
    Leaders at the Tor Project call for calm after an academic paper spells out how funded hackers could use NetFlow data from Cisco routers to de-anonymize Tor users.
  • Google Removes SSLv3 Fallback Support From Chrome Tue, 18 Nov 2014 18:42:18 +0000
    Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month.

# Reddit netsec

# Krebs On Security

  • Microsoft Releases Emergency Security Update Tue, 18 Nov 2014 22:00:09 +0000
    Microsoft today deviated from its regular pattern of releasing security updates on the second Tuesday of each month, pushing out an emergency patch to plug a security hole in all supported versions of Windows. The company urged Windows users to install the update as quickly as possible, noting that miscreants already are exploiting the weaknesses to launch targeted attacks.
  • Link Found in Staples, Michaels Breaches Mon, 17 Nov 2014 20:50:28 +0000
    The breach at office supply chain Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores, according to sources close to the investigation.
  • Amazon: Spam Nation one of “Best of Month” Mon, 17 Nov 2014 05:50:43 +0000
    A quick update on my new book, Spam Nation, The Inside Story of Organized Cybercrime -- From Global Epidemic to Your Front Door: Amazon has named it to their "Best Books of the Month" picks for November. In addition, my publisher has graciously extended the free ZeusGard offer until Nov. 25 for the next 500 people who order more than one copy of the book.

# Bruce Schneier's blog

  • Pre-Snowden Debate About NSA Call-Records Collection Program Thu, 20 Nov 2014 14:42:24 -0600
    Reuters is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program. The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing...
  • Citadel Malware Steals Password Manager Master Passwords Thu, 20 Nov 2014 09:51:13 -0600
    Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target....
  • A New Free CA Tue, 18 Nov 2014 12:38:11 -0600
    Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...
  • Whatsapp Is Now End-to-End Encrypted Tue, 18 Nov 2014 12:35:00 -0600
    Whatsapp is now offering end-to-end message encryption: Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device. I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives...
  • Snarky 1992 NSA Report on Academic Cryptography Tue, 18 Nov 2014 10:50:48 -0600
    The NSA recently declassified a report on the Eurocrypt '92 conference. Honestly, I share some of the writer's opinions on the more theoretical stuff. I know it's important, but it's not something I care all that much about....
  • The NSA's Efforts to Ban Cryptographic Research in the 1970s Mon, 17 Nov 2014 21:19:18 -0600
    New article on the NSA's efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman....
  • Friday Squid Blogging: The Story of Inventing the SQUID Fri, 14 Nov 2014 16:37:29 -0600
    The interesting story of how engineers at Ford Motor Co. invented the superconducting quantum interference device, or SQUID. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • The Return of Crypto Export Controls? Fri, 14 Nov 2014 09:18:34 -0600
    Last month, for the first time since US export restrictions on cryptography were relaxed over a decade ago, the US government has fined a company for exporting crypto software without a license. News article. No one knows what this means....
  • Pew Research Survey on Privacy Perceptions Thu, 13 Nov 2014 14:07:54 -0600
    Pew Research has released a new survey on Americans' perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I've read. As Cory Doctorow likes to say, we've reached "peak indifference to surveillance."...
  • ISPs Blocking TLS Encryption Thu, 13 Nov 2014 07:10:01 -0600
    It's not happening often, but it seems that some ISPs are blocking STARTTLS messages and causing web encryption to fail. EFF has the story....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Microsoft Internet Explorer 7 Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
  • Microsoft Internet Explorer Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
  • Multiple Cobham Products Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLORER BGAN; and AVIATOR 200, 300, 350, and 700D devices do not properly restrict password recovery, which allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code.
  • OpenStack Neutron L3-Agent Remote Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.
  • Oracle Java SE 6u75 Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
  • Oracle WebCenter Portal Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect integrity via unknown vectors related to Portlet Services.
  • PHP '/ext/standard/info.c' Type Confusion Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
  • Rocket Servergraph Multiple Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.
  • Adobe Flash Player And AIR Incomplete Fix Security Bypass Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character.
  • APPLE 10.9.4 Security Update Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an OpenGL API call, which allows attackers to execute arbitrary code via a crafted application.
  • Apple Safari Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.
  • Bugzilla Cross Site Request Forgery Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
  • Cisco IOS XR Software Static Punt Policer Denial Of Service Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets.
  • Adobe Flash Player 13.0.0.241 Execute Arbitrary Code Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code.
  • Apache CXF UsernameToken Information Disclosure Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
  • Oracle E-Business Suite 12.1.3 Remote Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle Concurrent Processing component in Oracle E-Business Suite 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
  • Oracle VM VirtualBox 3.2.24 Local Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.
  • PHP Unserialize() Function Type Confusion Security Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
  • Red Hat CloudForms Management Engine 'wait_for_task()' Function Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption).
  • Symantec Endpoint Protection Local Client ADC Buffer Overflow Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Buffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.