# SANS ISC

# threatpost.com

  • Appeals Court Vacates Lower Court’s Decision on National Security Letters Fri, 28 Aug 2015 18:32:33 +0000
    A federal appeals court has sent back to a lower court an appeal in a lawsuit about the way companies are allowed to publicize information about National Security Letters they receive. The appeal consolidates three separate actions against the Attorney General that question whether the government’s restrictions on how companies can talk about NSLs violate the […]
  • Latest APT 28 Campaign Incorporates Fake EFF Spearphishing Scam Fri, 28 Aug 2015 17:46:58 +0000
    An attack that uses the same path names, Java payloads, and Java exploit as one earlier this summer was found leveraging a fake EFF site.
  • Threatpost News Wrap, August 28, 2015 Fri, 28 Aug 2015 16:12:53 +0000
    Dennis Fisher and Mike Mimoso discuss the quasi-interesting fallout from the Ashley Madison hack, the appeals court decision about the Wyndham data breaches, and Charlie Miller leaving Twitter.
  • FBI: Social Engineering, Hacks Lead to Millions Lost to Wire Fraud Fri, 28 Aug 2015 14:35:24 +0000
    U.S. businesses are losing millions in fraudulent wire transfers that have their root in email compromises of accounts belonging to top executives.
  • Google to Pause Flash Ads in Chrome Starting Next Week Fri, 28 Aug 2015 13:04:55 +0000
    Google on Tuesday will begin pausing Flash ads by default in Chrome, a move that is designed mainly to help improve browser speed, but that will also be a security upgrade for users. The company announced the plan back in June and said this week that it will make the behavior the default setting for […]
  • BitTorrent Patch Throttles Reflective DDoS Attacks Thu, 27 Aug 2015 20:21:21 +0000
    BitTorrent today announced that a patch has been rolled out in the libuTP protocol used by many of its clients, fixing a vulnerability that allows attackers to carry out distributed reflective denial of service attacks.
  • Adobe Hotfix Patches XXE Vulnerability in ColdFusion Thu, 27 Aug 2015 18:08:42 +0000
    Adobe today pushed out a hotfix to ColdFusion implementations patching a vulnerability it had already patched nine days ago on the LiveCycle Data Services application framework.
  • Scanner Finds Malicious Android Apps at Scale Thu, 27 Aug 2015 17:51:51 +0000
    Indiana University researchers developed a scanner called MassVet that finds malicious apps hiding in Android markets such as Google Play.
  • Target Says SEC Won’t Pursue Enforcement Action as a Result of Data Breach Thu, 27 Aug 2015 15:13:07 +0000
    Target officials say that the Securities and Exchange Commission, one of several U.S. agencies investigating the massive data breach at the company in 2013, has decided not to punish Target as a result of the breach.
  • Endress+Hauser Patches Buffer Overflow In Dozens of ICS Products Thu, 27 Aug 2015 13:33:08 +0000
    There is a serious, remotely exploitable vulnerability in the Device Type Manager library used in a long list of industrial process automation and measurement products sold by German firm Endress+Hauser that can cause affected products to hang indefinitely.

# Krebs On Security

  • Six Nabbed for Using LizardSquad Attack Tool Fri, 28 Aug 2015 13:46:10 +0000
    Authorities in the United Kingdom this week arrested a half-dozen young males accused of using the Lizard Squad's Lizard Stresser tool, an online service that allowed paying customers to launch attacks capable of taking Web sites offline for up to eight hours at a time.
  • FBI: $1.2B Lost to Business Email Scams Fri, 28 Aug 2015 01:01:54 +0000
    The FBI today warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
  • Who Hacked Ashley Madison? Wed, 26 Aug 2015 16:04:47 +0000
    AshleyMadison.com, a site that helps married people cheat and whose slogan is "Life is Short, have an Affair," recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team, the name chosen by the hacker(s) who released data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.

# Bruce Schneier's blog

  • Friday Squid Blogging: Cephalopod Anatomy Class Fri, 28 Aug 2015 16:33:02 -0500
    Beautiful diorama. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Mickens on Security Fri, 28 Aug 2015 15:58:00 -0500
    James Mickens, for your amusement. A somewhat random sample: My point is that security people need to get their priorities straight. The "threat model" section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly...
  • The Benefits of Endpoint Encryption Fri, 28 Aug 2015 14:36:42 -0500
    An unofficial blog post from FTC chief technologist Ashkan Soltani on the virtues of strong end-user device controls....
  • German BfV - NSA Cooperation Fri, 28 Aug 2015 09:23:34 -0500
    The German newspaper Zeit is reporting the BfV, Germany's national intelligence agency, (probably) illegally traded data about Germans to the NSA in exchange for access to XKeyscore. From Ars Technica: Unlike Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), the domestic-oriented BfV does not employ bulk surveillance of the kind also deployed on a vast scale by the NSA and GCHQ....
  • Iranian Phishing Thu, 27 Aug 2015 12:36:10 -0500
    CitizenLab is reporting on Iranian hacking attempts against activists, which include a real-time man-in-the-middle attack against Google's two-factor authentication. This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and...
  • Defending All the Targets Is Impossible Thu, 27 Aug 2015 06:57:06 -0500
    In the wake of the recent averted mass shooting on the French railroads, officials are realizing that there are just too many potential targets to defend. The sheer number of militant suspects combined with a widening field of potential targets has presented European officials with what they concede is a nearly insurmountable surveillance task. The scale of the challenge, security...
  • Regularities in Android Lock Patterns Wed, 26 Aug 2015 06:24:30 -0500
    Interesting: Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, recently collected and analyzed almost 4,000 ALPs as part of her master's thesis. She found that a large percentage of them -- 44 percent -- started in the top left-most node of the screen. A full 77 percent of them started in one of the four...
  • Movie Plot Threat: Terrorists Attacking US Prisons Tue, 25 Aug 2015 14:19:38 -0500
    Kansas Senator Pat Roberts wins an award for his movie-plot threat: terrorists attacking the maximum-security federal prison at Ft. Leavenworth: In an Aug. 14 letter to Defense Secretary Ashton B. Carter, Roberts stressed that Kansas in general -- and Leavenworth, in particular -- are not ideal for a domestic detention facility. "Fort Leavenworth is neither the ideal nor right location...
  • Are Data Breaches Getting Larger? Tue, 25 Aug 2015 06:27:46 -0500
    This research says that data breaches are not getting larger over time. "Hype and Heavy Tails: A Closer Look at Data Breaches," by Benjamin Edwards, Steven Hofmeyr, and Stephanie Forrest: Abstract: Recent widely publicized data breaches have exposed the personal information of hundreds of millions of people. Some reports point to alarming increases in both the size and frequency of...
  • Heartbeat as a Biometric Mon, 24 Aug 2015 12:14:29 -0500
    Yet another biometric: your heartbeat....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Betster Multiple SQL injection vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php, or via (3) the username parameter in a login to index.php.
  • Cisco TelePresence Server On Virtual Machine Local Privilege Escalation Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges.
  • EMC RSA Certificate Manager Administration Server Denial Of Service Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allow remote attackers to cause an Administration Server denial of service via an invalid MIME e-mail message with a multipart/* Content-Type header.
  • Exchange Forged Meeting Request Spoofing Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability."
  • HP Point Of Sale PC OPOSMSR.ocx For Hybrid POS Printers With MICR Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSCashDrawer.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, Value Serial/USB Receipt printers, and USB Standard Duty cash drawers.
  • Multiple HP Products Multiple Cross Site Scripting Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before 7.6.1-06, and HP XP7 Global Link Manager Software (aka HGLM) 6.x through 8.x before 8.1.2-00, allow remote attackers to inject arbitrary web script or HTML.
  • Request Tracker Information Disclosure Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    RT 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data.
  • The GIF Encoder In Byzanz Execute Arbitrary Code Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    The GIF encoder in Byzanz allows remote attackers to cause a denial of service (out-of-bounds heap write and crash) or possibly execute arbitrary code via a crafted Byzanz debug data recording (ByzanzRecording file) to the byzanz-playback command.
  • Webshop Hun 1.062S Cross-Site Scripting Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in Webshop hun 1.062S allow remote attackers to inject arbitrary web script or HTML via the (1) param, (2) center, (3) lap, (4) termid, or (5) nyelv_id parameter to index.php.
  • WordPress WPML Plugin SQL Injection Vulnerabilities Wed, 05 Aug 2015 00:00 GMT
    SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.
  • Cisco NX-OS Software Command Injection Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network.
  • Foreman Smart Proxy SSL Certificate Validation Security Bypass Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.
  • Hospira MedNet Bypass Intended Access Restrictions Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password.
  • IBM Notes Traveler Companion For Windows Phones Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Windows Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by conducting a phishing attack involving an encrypted e-mail message.
  • OpenSSL Pointer Corruption And Application Crash Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash).
  • ShareLaTeX Directory Traversal Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    Absolute path traversal vulnerability in ShareLaTeX 0.1.3 and earlier, when the paranoid openin_any setting is omitted, allows remote authenticated users to read arbitrary files via a \include command.
  • WebGate WebEyeAudio ActiveX Control Stack Buffer Overflow Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    Stack-based buffer overflow in the Connect function in the WebGate WebEyeAudio ActiveX control allows remote attackers to execute arbitrary code via a crafted value.
  • WordPress Cross Slide 2.0.5 Cross Site Request Forgery Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) csj_width, (3) csj_height, (4) csj_sleep, (5) csj_fade, or (6) upload_image parameter in the thisismyurl_csj.php page to wp-admin/options-general.php.
  • WordPress SEO By Yoast 1.7.3.3 Cross-Site Request Forgery Vulnerabilities Mon, 10 Aug 2015 00:00 GMT
    Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.
  • Cisco Unity Connection 'SIP Trunk Integration' Multiple Denial Of Service Vulnerabilities Tue, 11 Aug 2015 00:00 GMT
    The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU6, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled, allows remote attackers to cause a denial of service (SIP outage) via a crafted UDP packet.