# SANS ISC

# threatpost.com

  • Pharming Attack Targets Home Router DNS Settings Fri, 27 Feb 2015 19:07:25 +0000
    A pharming attack has been detected targeting home routers distributed from Brazil's largest telco, a rare instance of a web-based attack changing DNS settings in order to redirect traffic.
  • Threatpost News Wrap, February 27, 2015 Fri, 27 Feb 2015 16:30:39 +0000
    Mike Mimoso and Dennis Fisher discuss the news of the last week, including the Superfish fiasco, the Gemalto SIM hack controversy and the continuing NSA drama.
  • Video: Vitaly Kamluk on The Equation Group APT Fri, 27 Feb 2015 16:17:46 +0000
    Kaspersky Lab researcher Vitaly Kamluk discusses the Equation Group, claiming it is the most sophisticated advanced persistent threat group in the world.
  • Twitter Changes Abuse Reporting Process to Address Doxing Fri, 27 Feb 2015 16:11:32 +0000
    Twitter has revised and simplified its rules and process for reporting abusive behavior on the service, and users now have the ability to report people who are posting their personal information. The change essentially gives Twitter users a method to combat doxing, which is the process of dumping a victim’s personal information online. This often […]
  • Komodia Certificate Manipulation Likely Led To Man-In-The-Middle Attacks Thu, 26 Feb 2015 21:02:12 +0000
    The EFF's Decentralized SSL Observatory turned up 1,600 certificates that should have been rejected but instead passed browser checks because they were manipulated by Komodia's SSL Digester interception module.
  • Up to 18.8 Million Non-Anthem Customers Affected in Breach Thu, 26 Feb 2015 17:40:16 +0000
    In addition to roughly 80 million Anthem customers, nearly 20 million more individuals who aren’t customers of the health insurer could ultimately wind up implicated in this month’s massive data breach.
  • DDoS Exploit Targets Open Source Rejetto HFS Thu, 26 Feb 2015 15:01:53 +0000
    An automated attack targeting users of the open source Rejetto webserver and file-sharing application tried to inject the IptabLes DDoS tool.
  • Firefox 36 Arrives With Patches For Three Critical Flaws Thu, 26 Feb 2015 14:41:05 +0000
    Mozilla has patched 16 security vulnerabilities in Firefox, including three critical flaws in the browser. One of the critical vulnerabilities patched with the release of Firefox 36 is a buffer overflow in the libstagefright library that can be exploitable under some circumstances. “Security researcher Pantrombka reported a buffer overflow in the libstagefright library during video […]
  • Ransomware Looming As Major Long-Term Threat Thu, 26 Feb 2015 13:00:16 +0000
    On May 30, 2014, law enforcement officials from the FBI and Europol seized a series of servers that were being used to help operate the GameOver Zeus botnet, an especially pernicious and troublesome piece of malware. The authorities also began an international manhunt for a Russian man they said was connected to operating the botnet, […]
  • Facebook Bug Bounty Submissions Climb in 2014 Wed, 25 Feb 2015 18:25:25 +0000
    Facebook released final numbers on 2014 submissions and payouts from its bug bounty program, showing continued growth in both areas.

# Reddit netsec

# Krebs On Security

  • Spam Uses Default Passwords to Hack Routers Thu, 26 Feb 2015 17:06:08 +0000
    In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims. Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam […]
  • Webnic Registrar Blamed for Hijack of Lenovo, Google Domains Thu, 26 Feb 2015 06:41:30 +0000
    Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google's Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.
  • FBI: $3M Bounty for ZeuS Trojan Author Wed, 25 Feb 2015 15:42:07 +0000
The FBI this week announced it is offering a USD $3 million bounty for information leading to the arrest and conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan. So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge -- a bit of a dossier, if you will -- of Bogachev and his trusted associates.

# Bruce Schneier's blog

  • Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other Fri, 27 Feb 2015 16:00:16 -0600
    Scientists are attaching cameras to Humboldt squid to watch them communicate with each other. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Data and Goliath Book Tour Fri, 27 Feb 2015 14:32:59 -0600
    Over the next two weeks, I am speaking about my new book -- Data and Goliath, if you've missed it -- in New York, Boston, Washington, DC, Seattle, San Francisco, and Minneapolis. Stop by to get your book signed, or just to say hello....
  • Everyone Wants You To Have Security, But Not from Them Thu, 26 Feb 2015 06:47:07 -0600
    In December, Google's Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place...
  • Snowden-Greenwald-Poitras AMA Wed, 25 Feb 2015 13:54:15 -0600
    Glenn Greenwald, Laura Poitras, and Edward Snowden did an "Ask Me Anything" on Reddit. Point out anything interesting in the comments. And note that Snowden mentioned my new book: One of the arguments in a book I read recently (Bruce Schneier, "Data and Goliath"), is that perfect enforcement of the law sounds like a good thing, but that may not...
  • "Surreptitiously Weakening Cryptographic Systems" Wed, 25 Feb 2015 06:09:12 -0600
    New paper: "Surreptitiously Weakening Cryptographic Systems," by Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart. Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different...
  • Twitpic Tue, 24 Feb 2015 13:17:04 -0600
    On Monday, I asked Adm. Rogers a question. EDITED TO ADD: The question....
  • AT&T Charging Customers to Not Spy on Them Tue, 24 Feb 2015 06:33:04 -0600
    AT&T is charging a premium for gigabit Internet service without surveillance: The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program "works independently of your browser's privacy settings regarding cookies, do-not-track and private browsing." In other words, AT&T is performing deep packet inspection, a controversial practice through which...
  • Cell Phones Leak Location Information through Power Usage Mon, 23 Feb 2015 10:30:57 -0600
    New research on tracking the location of smart phone users by monitoring power consumption: PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental...
  • Friday Squid Blogging: Squid Can Recode Their Genetic Makeup Fri, 20 Feb 2015 16:06:33 -0600
    This is freaky: A new study showcases the first example of an animal editing its own genetic makeup on-the-fly to modify most of its proteins, enabling adjustments to its immediate surroundings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Man-in-the-Middle Attacks on Lenovo Computers Fri, 20 Feb 2015 15:43:26 -0600
    It's not just national intelligence agencies that break your https security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections. Here's how it works, and here's how to get rid of it. And you should get rid of it, not merely because it's...

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Cisco IOS Running On Aironet Access Points Denial Of Service Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Cisco IOS on Aironet access points, when "dot11 aaa authenticator" debugging is enabled, allows remote attackers to cause a denial of service via a malformed EAP packet.
  • CPUMiner Stack Overflow Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.
  • Digi Online Examination System Arbitrary File Upload Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Unrestricted file upload vulnerability in the Photo functionality in DigitalVidhya Digi Online Examination System 2.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in assets/uploads/images/.
  • Drupal Site Banner Module Cross Site Scripting Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the "Administer contexts" Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings.
  • Epicor Enterprise Password Disclosure Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allows attackers to obtain the (1) Database Connection and (2) E-mail Connection passwords by reading HTML source code of the database connection and email settings page.
  • FFmpeg Mmvideo.c Denial Of Service Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data.
  • Fortinet FortiManager And FortiAnalyzer Multiple Cross-Site Scripting Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML.
  • IBM Cognos Mobile Server Does Not Terminate Session At Logoff Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    IBM Cognos Mobile 10.1.1 before FP3 IF1, 10.2.0 before FP2 IF1, and 10.2.1 before FP4 IF1 preserves a session between the Cognos Mobile server and the Cognos Business Intelligence server after a logoff action on a mobile device, which makes it easier for remote attackers to bypass intended Business Intelligence restrictions by leveraging access to authentication data that was captured before this logoff.
  • InterWorx Web Control Panel Xhr.php SQL Injection Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx, (2) SiteWorx, or (3) Resellers interface, as demonstrated by the "or" key in a pgn8state object in an i object in a JSON object.
  • Libxml2 Entities Expansion Denial of Service Vulnerability Thu, 26 Feb 2015 00:00 GMT
    parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
  • Microsoft Internet Explorer Cross-Domain Obtain Sensitive Information Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Microsoft Internet Explorer 8 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability."
  • Microsoft Internet Explorer Denial-Of-Service Memory Corruption Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
  • Microsoft Secure Channel Code Execution Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."
  • Microsoft Windows Kernel Mode Driver Denial Of Service Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Array index error in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (reboot) via a crafted TrueType font, aka "Denial of Service in Windows Kernel Mode Driver Vulnerability."
  • Shim Memory Corruption Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.
  • Shim Remote Denial Of Service Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.
  • WordPress Clean And Simple Contact Form Plugin 'cscf' Parameter Cross Site Scripting Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in the Contact Form Clean and Simple (clean-and-simple-contact-form-by-meg-nicholas) plugin 4.4.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the cscf[name] parameter to contact-us/.
  • WordPress Links.all.php Could Allow An Attacker To Include PHP Files Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable.
  • WordPress WpSS Plugin 'ss_handler.php' Cross Site Scripting Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ss_id parameter.
  • Zarafa WebAccess And WebApp Tmp Directories Information Disclosure Vulnerabilities Thu, 26 Feb 2015 00:00 GMT
    Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data.