# Krebs On Security

  • Chip & PIN vs. Chip & Signature Thu, 30 Oct 2014 20:13:12 +0000
    The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent "chip-and-signature" standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.
  • How to Tell Data Leaks from Publicity Stunts Wed, 29 Oct 2014 14:35:06 +0000
    In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone's time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims.
  • ‘Replay’ Attacks Spoof Chip Card Charges Mon, 27 Oct 2014 04:09:43 +0000
    An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

# Bruce Schneier's blog

  • Friday Squid Blogging: 1,057 Squid T-Shirts Fri, 17 Oct 2014 17:17:51 -0500
    That's a lot. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Commenting has been broken for the past few days. We hope to get it fixed on Monday....
  • Hacking a Video Poker Machine Fri, 17 Oct 2014 06:35:45 -0500
    Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine....
  • NSA Classification ECI = Exceptionally Controlled Information Thu, 16 Oct 2014 06:22:09 -0500
    ECI is a classification above Top Secret. It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies. As part of the Intercept story on the NSA's using agents to infiltrate foreign companies and...
  • DEA Sets Up Fake Facebook Page in Woman's Name Wed, 15 Oct 2014 07:06:52 -0500
    This is a creepy story. A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use it to set up a fake Facebook page in her name. The woman sued the...
  • FOXACID Operations Manual Wed, 15 Oct 2014 06:29:19 -0500
    A few days ago, I saw this tweet: "Just a reminder that it is now *a full year* since Schneier cited it, and the FOXACID ops manual remains unpublished." It's true. The citation is this: According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety...
  • Surveillance in Schools Tue, 14 Oct 2014 05:59:32 -0500
    This essay, "Grooming students for a lifetime of surveillance," talks about the general trends in student surveillance. Related: essay on the need for student privacy in online learning....
  • How James Bamford Came to Write The Puzzle Palace Mon, 13 Oct 2014 06:55:37 -0500
    Interesting essay about James Bamford and his efforts to publish The Puzzle Palace over the NSA's objections. Required reading for those who think the NSA's excesses are somehow new....
  • NSA Has Undercover Operatives in Foreign Companies Sat, 11 Oct 2014 14:54:11 -0500
    The latest Intercept article on the Snowden documents talks about the NSA's undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It's also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated...
  • Friday Squid Blogging: Flash-Fried Squid Recipe Fri, 10 Oct 2014 16:13:32 -0500
    Recipe from Tom Douglas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Online Activism and the Computer Fraud and Abuse Act Fri, 10 Oct 2014 12:31:14 -0500
    Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet. Also note Sauter's new book, The Coming Swarm....

# Securiteam

  • Microsoft Internet Explorer 7 Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
  • Microsoft Internet Explorer Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
  • Multiple Cobham Products Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLORER BGAN; and AVIATOR 200, 300, 350, and 700D devices do not properly restrict password recovery, which allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code.
  • OpenStack Neutron L3-Agent Remote Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.
  • Oracle Java SE 6u75 Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
  • Oracle WebCenter Portal Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect integrity via unknown vectors related to Portlet Services.
  • PHP '/ext/standard/info.c' Type Confusion Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
  • Rocket Servergraph Multiple Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.
  • Adobe Flash Player And AIR Incomplete Fix Security Bypass Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character.
  • APPLE 10.9.4 Security Update Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an OpenGL API call, which allows attackers to execute arbitrary code via a crafted application.
  • Apple Safari Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.
  • Bugzilla Cross Site Request Forgery Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
  • Cisco IOS XR Software Static Punt Policer Denial Of Service Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets.
  • Adobe Flash Player 13.0.0.241 Execute Arbitrary Code Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code.
  • Apache CXF UsernameToken Information Disclosure Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
  • Oracle E-Business Suite 12.1.3 Remote Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle Concurrent Processing component in Oracle E-Business Suite 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
  • Oracle VM VirtualBox 3.2.24 Local Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.
  • PHP Unserialize() Function Type Confusion Security Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
  • Red Hat CloudForms Management Engine 'wait_for_task()' Function Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption).
  • Symantec Endpoint Protection Local Client ADC Buffer Overflow Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Buffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.