# SANS ISC

# threatpost.com

# Reddit netsec

# Krebs On Security

  • Carefirst Blue Cross Breach Hits 1.1M Thu, 21 May 2015 13:03:14 +0000
    CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.
  • mSpy Denies Breach, Even as Customers Confirm It Thu, 21 May 2015 00:01:43 +0000
    Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers of mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.
  • Security Firm Redefines APT: African Phishing Threat Wed, 20 May 2015 04:32:40 +0000
    A security firm made headlines last week when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests that the actors in question were relatively unsophisticated Nigerian phishers who'd simply registered a bunch of new fake bank Web sites.

# Bruce Schneier's blog

  • Why the Current Section 215 Reform Debate Doesn't Matter Much Fri, 22 May 2015 05:45:35 -0500
    The ACLU's Chris Soghoian explains (time 25:52-30:55) why the current debate over Section 215 of the Patriot Act is just a minor facet of a large and complex bulk collection program by the FBI and the NSA. There were 180 orders authorized last year by the FISA Court under Section 215 -- 180 orders issued by this court. Only five...
  • New Pew Research Report on Americans' Attitudes on Privacy, Security, and Surveillance Thu, 21 May 2015 13:05:05 -0500
    This is interesting: The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used....
  • The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange Thu, 21 May 2015 06:30:31 -0500
    Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically: The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the...
  • Research on Patch Deployment Wed, 20 May 2015 14:15:16 -0500
    New research indicates that it's very hard to completely patch systems against vulnerabilities: It turns out that it may not be that easy to patch vulnerabilities completely. Using WINE, we analyzed the patch deployment process for 1,593 vulnerabilities from 10 Windows client applications, on 8.4 million hosts worldwide [Oakland 2015]. We found that a host may be affected by multiple...
  • Spy Dust Wed, 20 May 2015 08:06:31 -0500
    Used by the Soviet Union during the Cold War: A defecting agent revealed that powder containing both luminol and a substance called nitrophenyl pentadien (NPPD) had been applied to doorknobs, the floor mats of cars, and other surfaces that Americans living in Moscow had touched. They would then track or smear the substance over every surface they subsequently touched....
  • More on Chris Roberts and Avionics Security Tue, 19 May 2015 08:00:03 -0500
    Last month, I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight: But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he...
  • United Airlines Offers Frequent Flier Miles for Finding Security Vulnerabilities Mon, 18 May 2015 07:14:28 -0500
    Vulnerabilities on the website only, not in airport security or in the avionics....
  • Friday Squid Blogging: NASA's Squid Rover Fri, 15 May 2015 16:08:31 -0500
    NASA is funding a study for a squid rover that could explore Europa's oceans. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Microbe Biometric Fri, 15 May 2015 06:20:06 -0500
    Interesting: Franzosa and colleagues used publicly available microbiome data produced through the Human Microbiome Project (HMP), which surveyed microbes in the stool, saliva, skin, and other body sites from up to 242 individuals over a months-long period. The authors adapted a classical computer science algorithm to combine stable and distinguishing sequence features from individuals' initial microbiome samples into individual-specific "codes."...
  • Eighth Movie-Plot Threat Contest Semifinalists Thu, 14 May 2015 23:26:29 -0500
    On April 1, I announced the Eighth Movie Plot Threat Contest: demonstrate the evils of encryption. Not a whole lot of good submissions this year. Possibly this contest has run its course, and there's not a whole lot of interest left. On the other hand, it's heartening to know that there aren't a lot of encryption movie-plot threats out there....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Maian Uploader Load_flv.js.php Cross-Site Scripting Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php.
  • Microsoft Windows Network Location Awareness Security Bypass Vulnerabilities Tue, 19 May 2015 00:00 GMT
    The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."
  • Multiple IBM DB2 Products Remote CPU Consumption Vulnerabilities Tue, 19 May 2015 00:00 GMT
    IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted XML query.
  • OpenSSL Security Weakness Vulnerabilities Tue, 19 May 2015 00:00 GMT
    The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
  • Oracle PeopleSoft Enterprise PeopleTools Component Remote Security Vulnerabilities Tue, 19 May 2015 00:00 GMT
    PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology.
  • Oracle WebLogic Server Remote Security Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to CIE Related Components.
  • PTC IsoView Activex Control Multiple Buffer Overflow Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Heap-based buffer overflow in the PTC IsoView ActiveX control allows remote attackers to execute arbitrary code via a crafted ViewPort property value.
  • Samsung SmartViewer 'STWConfig' ActiveX Remote Code Execution Vulnerabilities Tue, 19 May 2015 00:00 GMT
    The STWConfig ActiveX control in Samsung SmartViewer does not properly initialize a variable, which allows remote attackers to execute arbitrary code.
  • Splunk Enterprise Dashboard Cross-Site Scripting Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.7, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  • TWiki Cross Site Scripting Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch.
  • WebsiteBaker CRLF-Injection Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4) news/modify_group.php, (5) news/modify_post.php, or (6) news/modify_settings.php in wb/modules/.
  • WordPress Photo Gallery Plugin 'wp-Admin/admin-Ajax.php' SQL Injection Vulnerabilities Tue, 19 May 2015 00:00 GMT
    SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.
  • X.Org X Server Out Of Bounds Execute Arbitrary Code Vulnerabilities Tue, 19 May 2015 00:00 GMT
    The Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcRenderQueryVersion, (2) SProcRenderQueryVersion, (3) SProcRenderQueryPictFormats
  • Zenoss User Enumeration Vulnerabilities Tue, 19 May 2015 00:00 GMT
    Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389.
  • Antiword 'wordole.c' Buffer Overflow Vulnerabilities Wed, 20 May 2015 00:00 GMT
    Buffer overflow in the bGetPPS function in wordole.c in Antiword 0.37 allows remote attackers to cause a denial of service (crash) via a crafted document.
  • Binutils 'ihex.c' Stack Based Buffer Overflow Vulnerabilities Wed, 20 May 2015 00:00 GMT
    Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.
  • Cisco AnyConnect Secure Mobility Client Security Vulnerabilities Wed, 20 May 2015 00:00 GMT
    Cisco AnyConnect on Android and OS X does not properly verify the host type, which allows remote attackers to spoof authentication forms and possibly capture credentials.
  • Cisco Secure Access Control Server Multiple Cross-Site Scripting Vulnerabilities Wed, 20 May 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Secure Access Control System (ACS) allow remote attackers to inject arbitrary web script or HTML.
  • ClamAV 'libclamav/pe.c' Heap Based Buffer Overflow Vulnerabilities Wed, 20 May 2015 00:00 GMT
    Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in ClamAV before 0.95.4 allows remote attackers to cause a denial of service (crash) via a crafted y0da Crypter PE file.
  • Docker Local Privilege Escalation Remote Code Vulnerabilities Wed, 20 May 2015 00:00 GMT
    Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying security options to an image.