# SANS ISC

# threatpost.com

  • FTC Shutters $120 Million Tech Support, Bogus Software Scam Fri, 21 Nov 2014 21:09:02 +0000
    The FTC and a Florida federal court issued temporary restraining orders against a number of organizations and individuals involved in a massive telemarketing operation selling bogus software and support.
  • Threatpost News Wrap, November 21, 2014 Fri, 21 Nov 2014 18:20:41 +0000
    In this week's news wrap podcast, Threatpost editors discuss an out-of-band Microsoft patch, the compromised Joomla and WordPress plug-in attack campaign and the Detekt anti-surveillance tool.
  • Buffer Overflow Haunts Advantech WebAccess SCADA Product Fri, 21 Nov 2014 16:00:31 +0000
    The ICS-CERT is warning users about a stack buffer overflow in the Advantech WebAccess SCADA product that could lead to arbitrary code execution. Advantech WebAccess is a SCADA and human-machine interface product that’s accessible over the Web. It’s used in a variety of industries, including energy, manufacturing, government and the commercial sector. The vulnerability affects […]
  • WordPress 4.0.1 Update Patches Critical XSS Vulnerability Fri, 21 Nov 2014 14:52:46 +0000
    The latest version of WordPress, 4.0.1, patches a critical cross-site scripting vulnerability in comment fields that enables admin-level control over a website.
  • Most Targeted Attacks Exploit Privileged Accounts Thu, 20 Nov 2014 21:51:17 +0000
    Most targeted attacks exploit privileged account access according to a new report commissioned by the security firm CyberArk.
  • Detekt Tool Puts Surveillance Spyware on Notice Thu, 20 Nov 2014 19:08:59 +0000
    Civil rights activists and hacker Claudio Guarnieri, along with partners such as the EFF and Amnesty International, released Detekt, open source security software aimed at activists and oppressed people that scans Windows machines for dangerous spyware.
  • Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign Thu, 20 Nov 2014 15:54:29 +0000
    Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013. […]
  • Drupal Patches Denial of Service Vulnerability; Details Disclosed Thu, 20 Nov 2014 15:03:05 +0000
    Drupal has released a patch for a denial of service and account hijacking vulnerability, details of which were disclosed by the researchers who discovered the issue.
  • Angler Exploit Kit Adds New Flash Exploit for CVE-2014-8440 Thu, 20 Nov 2014 13:02:52 +0000
    Exploit kit authors are nothing if not opportunistic, and they know a prime opportunity when they see one. Adobe Flash bugs fit that description nicely, and the people behind the Angler exploit kit already are exploiting one of the Flash bugs patched last week in the kit’s arsenal. This is a common tactic for exploit […]
  • Citadel Variant Targets Password Managers Wed, 19 Nov 2014 19:54:34 +0000
    Some Citadel-infected computers have received a new configuration file, a keylogger triggered to go after the master passwords from three leading password management tools.

# Reddit netsec

# Krebs On Security

  • Convicted ID Thief, Tax Fraudster Now Fugitive Fri, 21 Nov 2014 16:59:40 +0000
    In April 2014, this blog featured a story about Lance Ealy, an Ohio man arrested last year for buying Social Security numbers and banking information from an underground identity theft service that relied in part on data obtained through a company owned by big-three credit bureau Experian. Earlier this week, Ealy was convicted of using the data to fraudulently claim tax refunds with the IRS in the names of more than 175 U.S. citizens, but not before he snipped his monitoring anklet and skipped town.
  • Microsoft Releases Emergency Security Update Tue, 18 Nov 2014 22:00:09 +0000
    Microsoft today deviated from its regular pattern of releasing security updates on the second Tuesday of each month, pushing out an emergency patch to plug a security hole in all supported versions of Windows. The company urged Windows users to install the update as quickly as possible, noting that miscreants already are exploiting the weaknesses to launch targeted attacks.
  • Link Found in Staples, Michaels Breaches Mon, 17 Nov 2014 20:50:28 +0000
    The breach at office supply chain Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores, according to sources close to the investigation.

# Bruce Schneier's blog

  • Friday Squid Blogging: Cephalopod Cognition Fri, 21 Nov 2014 16:09:49 -0600
    Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses. Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week....
  • Pre-Snowden Debate About NSA Call-Records Collection Program Thu, 20 Nov 2014 14:42:24 -0600
    AP is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program. The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing...
  • Citadel Malware Steals Password Manager Master Passwords Thu, 20 Nov 2014 09:51:13 -0600
    Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target....
  • A New Free CA Tue, 18 Nov 2014 12:38:11 -0600
    Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...
  • Whatsapp Is Now End-to-End Encrypted Tue, 18 Nov 2014 12:35:00 -0600
    Whatsapp is now offering end-to-end message encryption: Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device. I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives...
  • Snarky 1992 NSA Report on Academic Cryptography Tue, 18 Nov 2014 10:50:48 -0600
    The NSA recently declassified a report on the Eurocrypt '92 conference. Honestly, I share some of the writer's opinions on the more theoretical stuff. I know it's important, but it's not something I care all that much about....
  • The NSA's Efforts to Ban Cryptographic Research in the 1970s Mon, 17 Nov 2014 21:19:18 -0600
    New article on the NSA's efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman....
  • Friday Squid Blogging: The Story of Inventing the SQUID Fri, 14 Nov 2014 16:37:29 -0600
    The interesting story of how engineers at Ford Motor Co. invented the superconducting quantum interference device, or SQUID. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • The Return of Crypto Export Controls? Fri, 14 Nov 2014 09:18:34 -0600
    Last month, for the first time since US export restrictions on cryptography were relaxed over a decade ago, the US government has fined a company for exporting crypto software without a license. News article. No one knows what this means....
  • Pew Research Survey on Privacy Perceptions Thu, 13 Nov 2014 14:07:54 -0600
    Pew Research has released a new survey on Americans' perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I've read. As Cory Doctorow likes to say, we've reached "peak indifference to surveillance."...

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Microsoft Internet Explorer 7 Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
  • Microsoft Internet Explorer Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
  • Multiple Cobham Products Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLORER BGAN; and AVIATOR 200, 300, 350, and 700D devices do not properly restrict password recovery, which allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code.
  • OpenStack Neutron L3-Agent Remote Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.
  • Oracle Java SE 6u75 Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
  • Oracle WebCenter Portal Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect integrity via unknown vectors related to Portlet Services.
  • PHP '/ext/standard/info.c' Type Confusion Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
  • Rocket Servergraph Multiple Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.
  • Adobe Flash Player And AIR Incomplete Fix Security Bypass Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character.
  • APPLE 10.9.4 Security Update Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an OpenGL API call, which allows attackers to execute arbitrary code via a crafted application.
  • Apple Safari Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.
  • Bugzilla Cross Site Request Forgery Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
  • Cisco IOS XR Software Static Punt Policer Denial Of Service Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets.
  • Adobe Flash Player 13.0.0.241 Execute Arbitrary Code Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code.
  • Apache CXF UsernameToken Information Disclosure Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
  • Oracle E-Business Suite 12.1.3 Remote Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle Concurrent Processing component in Oracle E-Business Suite 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
  • Oracle VM VirtualBox 3.2.24 Local Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.
  • PHP Unserialize() Function Type Confusion Security Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
  • Red Hat CloudForms Management Engine 'wait_for_task()' Function Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption).
  • Symantec Endpoint Protection Local Client ADC Buffer Overflow Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Buffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.