# SANS ISC

# threatpost.com

  • New Google Security Dashboard Manages Device Activity Wed, 26 Nov 2014 19:04:03 +0000
    Google released a new Devices and Activity Dashboard, along with a new security wizard for Google for Work accounts.
  • Siemens Patches WinCC Vulnerabilities Likely Being Exploited Wed, 26 Nov 2014 15:04:32 +0000
    Siemens has patched two critical vulnerabilities in the WinCC application in a number of its products; the flaws are likely being exploited, ICS-CERT and Siemens said.
  • Home Depot Breach Cost Company $43 Million in Third Quarter Wed, 26 Nov 2014 13:18:55 +0000
    The massive Home Depot data breach disclosed earlier this fall involved the theft of 56 million credit and debit card numbers, and now the company has revealed that the incident so far has cost it $43 million. The costs are the result of both the investigation into the data breach as well as the recovery […]
  • Sony Pictures Dealing With Apparent Network Compromise Tue, 25 Nov 2014 19:40:48 +0000
    Sony Pictures Entertainment is still in the process of trying to recover from an apparent compromise of some of the company’s computer systems. The attack first came to light on Monday, and the extent of the incident is still emerging. The compromise appears to affect just the networks at SPE, a division of Sony. Reports […]
  • Adobe Releases Emergency Flash Player Patch Tue, 25 Nov 2014 18:22:26 +0000
    Adobe released an emergency out-of-band Flash Player security bulletin, revising a patch released in October with an additional CVE addressing a memory corruption vulnerability.
  • Brain Science and Browser Warnings Tue, 25 Nov 2014 17:22:30 +0000
    Computer users will click through browser warnings and security alerts in order to complete a task, but once they're hacked, their behaviors change, a recent BYU study learned.
  • Experts Question Legality of Use of Regin Malware by Intel Agencies Tue, 25 Nov 2014 15:51:32 +0000
    Though security researchers involved in uncovering the attack have remained mum on the attribution of Regin, privacy experts say that if one of the intelligence agencies is involved, there's no legal basis for the operation.
  • Craigslist Back Online Following DNS Hijack Mon, 24 Nov 2014 22:11:14 +0000
    The popular classified website Craigslist is back online today following a DNS attack that forced it offline for several hours Sunday evening.
  • Remote Code Execution in Popular Hikvision Surveillance DVR Mon, 24 Nov 2014 17:48:56 +0000
    A number of Hikvision digital video recorders contain vulnerabilities that an attacker could remotely exploit in order to gain full control of those devices.
  • Costin Raiu on the Regin APT Malware Mon, 24 Nov 2014 16:05:40 +0000
    Dennis Fisher talks with Costin Raiu of the Kaspersky Lab GReAT Team about the discovery of the Regin APT malware, the threat's targets and tactics, its ability to compromise GSM base stations and its other capabilities.

# Reddit netsec

# Krebs On Security

  • Skimmer Innovation: ‘Wiretapping’ ATMs Wed, 26 Nov 2014 19:48:26 +0000
    Banks in Europe are warning about the emergence of a rare form of ATM skimmer involving a wire-like device that is inserted through a tiny hole cut in the cash machine's front. The hole is covered up by a fake decal, and the thieves somehow attach the device to the place inside the ATM where the customer's card is inserted.
  • Adobe Pushes Critical Flash Patch Tue, 25 Nov 2014 18:23:10 +0000
    For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.
  • Spam Nation Book Tour Highlights Mon, 24 Nov 2014 20:33:49 +0000
    Greetings from sunny Austin, Texas, where I'm getting ready to wrap up a week-long book tour that began in New York City, then blazed through Chicago, San Francisco, and Seattle. I've been trying to tweet links to various media interviews about Spam Nation over the past week, but wanted to offer a more comprehensive account and to share some highlights of the tour

# Bruce Schneier's blog

  • "Cooperating with the Future" Thu, 27 Nov 2014 08:32:40 -0600
    This is an interesting paper -- the full version is behind a paywall -- about how we as humans can motivate people to cooperate with future generations. Abstract: Overexploitation of renewable resources today has a high cost on the welfare of future generations. Unlike in other public goods games, however, future generations cannot reciprocate actions made today. What mechanisms can...
  • New Snowden Documents Show GCHQ Paying Cable & Wireless for Access Wed, 26 Nov 2014 13:29:21 -0600
    A new story based on the Snowden documents and published in the German newspaper Süddeutsche Zeitung shows how the GCHQ worked with Cable & Wireless -- acquired by Vodafone in 2012 -- to eavesdrop on Internet and telecommunications traffic. New documents on the page, and here. Ars Technica article. Slashdot thread....
  • FBI Agents Pose as Repairmen to Bypass Warrant Process Wed, 26 Nov 2014 06:50:06 -0600
    This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. From the motion to suppress: The next time you call for assistance because the internet service in your home is not...
  • Regin: Another Military-Grade Malware Tue, 25 Nov 2014 06:57:03 -0600
    Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater....
  • The Security Underpinnings of Cryptography Mon, 24 Nov 2014 14:21:52 -0600
    Nice article on some of the security assumptions we rely on in cryptographic algorithms....
  • New Kryptos Clue Mon, 24 Nov 2014 06:54:36 -0600
    Jim Sanborn has given the world another clue to the fourth cyphertext in his Kryptos sculpture at the CIA headquarters. Older posts on Kryptos....
  • Friday Squid Blogging: Cephalopod Cognition Fri, 21 Nov 2014 16:09:49 -0600
    Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses. Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Pre-Snowden Debate About NSA Call-Records Collection Program Thu, 20 Nov 2014 14:42:24 -0600
    AP is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program. The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing...
  • Citadel Malware Steals Password Manager Master Passwords Thu, 20 Nov 2014 09:51:13 -0600
    Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target....
  • A New Free CA Tue, 18 Nov 2014 12:38:11 -0600
    Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Multiple Cobham Products Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLORER BGAN; and AVIATOR 200, 300, 350, and 700D devices do not properly restrict password recovery, which allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code.
  • OpenStack Neutron L3-Agent Remote Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to an L3 router.
  • Oracle Java SE 6u75 Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
  • Oracle WebCenter Portal Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect integrity via unknown vectors related to Portlet Services.
  • PHP '/ext/standard/info.c' Type Confusion Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
  • Rocket Servergraph Multiple Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.
  • Adobe Flash Player And AIR Incomplete Fix Security Bypass Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character.
  • APPLE 10.9.4 Security Update Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an OpenGL API call, which allows attackers to execute arbitrary code via a crafted application.
  • Apple Safari Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.
  • Bugzilla Cross Site Request Forgery Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
  • Cisco IOS XR Software Static Punt Policer Denial Of Service Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets.
  • Adobe Flash Player 13.0.0.241 Execute Arbitrary Code Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code.
  • Apache CXF UsernameToken Information Disclosure Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
  • Oracle E-Business Suite 12.1.3 Remote Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle Concurrent Processing component in Oracle E-Business Suite 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
  • Oracle VM VirtualBox 3.2.24 Local Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.
  • PHP Unserialize() Function Type Confusion Security Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
  • Red Hat CloudForms Management Engine 'wait_for_task()' Function Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption).
  • Symantec Endpoint Protection Local Client ADC Buffer Overflow Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Buffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.
  • Wireshark ASN.1 BER Dissector Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.10.x before 1.10.9 does not properly validate padding values, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet.
  • WordPress DsIDXpress IDX Plugin Cross Site Scripting Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Cross-site scripting (XSS) vulnerability in client-assist.php in the dsIDXpress IDX plugin before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.