# SANS ISC

# threatpost.com

  • Targeted Attack Uses Heartbleed to Hijack VPN Sessions Fri, 18 Apr 2014 19:33:20 +0000
    Details of a targeted attack have emerged where hackers are using the Heartbleed OpenSSL vulnerability to hijack active VPN sessions to remotely access an enterprise.
  • 3 Million Cards Impacted in Michaels Breach Fri, 18 Apr 2014 18:33:02 +0000
    The arts and crafts retail chain Michaels confirmed yesterday that most of its U.S. stores were breached for eight months and that the payment card information of nearly 3 million of its customers may have been compromised.
  • ICS-CERT Warns of Heartbleed Vulnerabilities in Siemens Gear Fri, 18 Apr 2014 17:20:31 +0000
    A number of ICS products from Siemens and Innominate are vulnerable to the OpenSSL Heartbleed flaw, and for some of them no updates are available yet. The list of products affected by the Heartbleed vulnerability continues to grow by the day, with OpenVPN being one of the latest. A researcher on Friday said that he was […]
  • Heartbleed Used to Steal Private Keys from OpenVPN Fri, 18 Apr 2014 16:27:33 +0000
    Swedish VPN provider Mullvad reports that private keys used by OpenVPN installations are not immune to Heartbleed OpenSSL exploits.
  • Experts Worry About Future of Critical Infrastructure Security Fri, 18 Apr 2014 15:42:18 +0000
    SAN FRANCISCO–The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It’s an issue that Eugene Kaspersky has been thinking about for a long time, and […]
  • Like Apple’s TouchID, Galaxy S5 Vulnerable to Fingerprint Hack Thu, 17 Apr 2014 19:03:18 +0000
    Researchers published a video this week demonstrating that Samsung’s latest entry in the smartphone arena, the Galaxy S5, is vulnerable to a hack that, crude as it may seem, involves lifting and copying fingerprints to trick the phone’s sensor.
  • Certificate Revocations Shoot Up in Wake of OpenSSL Heartbleed Bug Thu, 17 Apr 2014 17:50:08 +0000
    The OpenSSL Heartbleed bug has led to a huge increase in the number of SSL certificates being revoked, as site owners and hosting providers replace certificates whose private keys may have been exposed.
  • Tor Begins Blacklisting Exit Nodes Vulnerable to Heartbleed Thu, 17 Apr 2014 15:40:41 +0000
    The Tor Project is in the process of rejecting exit nodes vulnerable to the Heartbleed OpenSSL vulnerability after researcher Collin Mulliner discovered more than 1,000 leaking plaintext traffic.
  • Kurt Baumgartner on APT Attacks in the Enterprise Thu, 17 Apr 2014 14:59:08 +0000
    Dennis Fisher talks with Kaspersky Lab security researcher Kurt Baumgartner about the specter of APT attacks in enterprises, what kind of tactics APT attackers are using now, and the effect of the Heartbleed OpenSSL bug on the certificate authority system.
  • Federal Court Rejects Lavabit’s Contempt Appeal Wed, 16 Apr 2014 19:33:25 +0000
    A federal court struck down Lavabit’s appeal today, affirming contempt sanctions against the now-shuttered secure email provider that was forced to release its SSL private keys to the FBI.

# Reddit netsec

# Krebs On Security

  • 3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches Thu, 17 Apr 2014 21:19:42 +0000
    Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate, eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.
  • Critical Java Update Plugs 37 Security Holes Wed, 16 Apr 2014 14:17:12 +0000
    Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So -- if you have Java installed -- it is time to update (or to ditch the program once and for all).
  • Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach Tue, 15 Apr 2014 14:39:12 +0000
    Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

# Bruce Schneier's blog

  • Friday Squid Blogging: Squid Jigging Fri, 18 Apr 2014 16:16:41 -0500
    Good news from Malaysia: The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said. He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region. "Beside introducing squid...
  • Metaphors of Surveillance Fri, 18 Apr 2014 14:21:06 -0500
    There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...
  • Reverse Heartbleed Fri, 18 Apr 2014 07:29:13 -0500
    Heartbleed can affect clients as well as servers....
  • Overreacting to Risk Fri, 18 Apr 2014 06:26:32 -0500
    This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...
  • Tails Thu, 17 Apr 2014 13:38:41 -0500
    Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....
  • Book Title Wed, 16 Apr 2014 09:32:27 -0500
    I previously posted that I am writing a book on security and power. Here are some title suggestions: Permanent Record: The Hidden Battles to Capture Your Data and Control Your World Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World They Already Know: The Hidden Battles to Capture Your Data and Control Your World We...
  • Auditing TrueCrypt Tue, 15 Apr 2014 06:56:11 -0500
    Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis. Quick summary: I'm still using it....
  • Schneier Talks and Interviews Mon, 14 Apr 2014 16:12:54 -0500
    Here are three articles about me from the last month. Also these three A/V links....
  • Schneier Speaking Schedule: April–May Mon, 14 Apr 2014 14:11:30 -0500
    Here's my upcoming speaking schedule for April and May: Stanford Law School on April 15. Brown University in Providence, RI -- two times -- on April 24. The Global Summit for Leaders in Information Technology in Washington, DC, on May 7. The Institute of World Politics on May 8. The University of Zurich on May 21. IT Security Inside in...
  • GoGo Wireless Adds Surveillance Capabilities for Government Mon, 14 Apr 2014 09:19:59 -0500
    The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government....

# WIRED Threat Level

  • Heartbleed Bug Sends Bandwidth Costs Skyrocketing Thu, 17 Apr 2014 21:01:06 GMT
    The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones. The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with […]
  • New ‘Google’ for the Dark Web Makes Buying Dope and Guns Easy Thu, 17 Apr 2014 10:30:22 GMT
    The dark web just got a little less dark with the launch of a new search engine that lets you easily find illicit drugs and other contraband online.
  • Snowden’s Email Provider Loses Appeal Over Encryption Keys Wed, 16 Apr 2014 17:07:23 GMT
    A federal appeals court has upheld a contempt citation against the founder of the defunct secure e-mail company Lavabit, finding that the weighty internet privacy issues he raised on appeal should have been brought up earlier in the legal process. The decision disposes of a closely watched privacy case on a technicality, without ruling one way or the other on the substantial issue: whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.
  • Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA Tue, 15 Apr 2014 10:30:43 GMT
    According to Obama, any flaws that have "a clear national security or law enforcement" use can be kept secret and exploited.
  • Report: NSA Exploited Heartbleed to Siphon Passwords for Two Years Fri, 11 Apr 2014 20:57:52 GMT
    The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.
  • Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’ Fri, 11 Apr 2014 17:12:15 GMT
    Andrew "Weev" Auernheimer, a hacker sentenced to three and a half years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T’s unsecured website, is about to go free, after a ruling today that prosecutors were wrong to charge him in a state where none of his alleged crimes occurred.
  • Booking Video: Aaron Swartz Jokes, Jousts With Cops After MIT Bust Fri, 11 Apr 2014 10:30:38 GMT
    The booking video is an exhibit in miniature of the qualities that made Swartz such an effective activist, and makes his loss such an enduring shame.
  • Has the NSA Been Using the Heartbleed Bug as an Internet Peephole? Thu, 10 Apr 2014 10:30:39 GMT
    The Heartbleed bug is unusually worrisome because it could possibly be used by the NSA or other spy agencies to steal your usernames and passwords — for sensitive services like banking, ecommerce, and web-based email — as well as the private keys that vulnerable web sites use to encrypt your traffic to them.
  • The Feds Cut a Deal With In-Flight Wi-Fi Providers, and Privacy Groups Are Worried Wed, 09 Apr 2014 10:30:08 GMT
    Gogo, the inflight Wi-Fi provider, is used by millions of airline passengers each year to stay connected while flying the friendly skies. But if you think the long arm of government surveillance doesn't have a vertical reach, think again.
  • Barrett Brown Signs Plea Deal in Case Involving Stratfor Hack Thu, 03 Apr 2014 18:30:19 GMT
    Barrett Brown, whose case became a cause célèbre after he was charged with crimes related to the Stratfor hack, has agreed to a plea deal with prosecutors, according to court filings.

# exploit-db.com

# Securiteam