# SANS ISC

# threatpost.com

  • June Harvard Breach Hit Multiple Schools Fri, 03 Jul 2015 14:00:42 +0000
    Harvard University warned students of a data breach that may have exposed school network and email logins.
  • Threatpost News Wrap, July 3, 2015 Fri, 03 Jul 2015 13:00:15 +0000
    Dennis Fisher and Mike Mimoso discuss the OS X and iOS patches, the potential for the new cyber UL project run by Mudge, and the lawsuit against OPM after its data breach.
  • Evasion Techniques Keep Angler EK’s Cryptowall Business Thriving Thu, 02 Jul 2015 17:03:16 +0000
    The SANS Internet Storm Center reports that the Angler Exploit Kit, pushing Cryptowall 3.0 ransomware, uses rapidly changing URL patterns—almost daily changes—to evade detection and rake in profits.
  • Senator Demands Answers on FBI’s Use of Zero Days, Phishing Thu, 02 Jul 2015 15:06:30 +0000
    The chairman of the powerful Senate Judiciary Committee is asking some pointed questions of the FBI director about the bureau’s use of zero-day vulnerabilities, phishing attacks, spyware, and other controversial tools. Sen. Charles Grassley (R-Iowa) has sent a letter to FBI Director James Comey asking for “more specific information about the FBI’s current use of […]
  • Cisco UCDM Platform Ships With Default, Static Password Thu, 02 Jul 2015 13:35:53 +0000
    A week after admitting that several of its security appliances ship with static SSH keys, Cisco warned customers on Wednesday that its Unified Communications Domain Manager platform has a default, static password for an account that carries root privileges. The vulnerability affects versions of the software prior to 4.4.5 and the company said there are no […]
  • Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks Wed, 01 Jul 2015 16:45:10 +0000
    An advisory from Akamai warns of a recent reflection style DDoS attack in which the deprecated RIPv1 routing protocol was leveraged against targets.
  • Pinterest Fixes Validation Vulnerability in API Wed, 01 Jul 2015 16:41:07 +0000
    Pinterest recently fixed an issue in the API of its web app that could have allowed remote attackers to compromise emails and carry out session hijacking and phishing attacks.
  • LifeLock Patches XSS That Could’ve Led to Phishing Wed, 01 Jul 2015 15:48:57 +0000
    Researchers identified a cross-site scripting vulnerability in a page on the LifeLock website that could allow an attacker to create an authentic-looking login page for the service and harvest usernames and passwords from customers. LifeLock patched the vulnerability quickly after researchers Blake Welsh and Eric Taylor from Cinder Cyber Research reported it. Welsh said via […]
  • Patched Apple QuickTime Vulnerability Details Disclosed Wed, 01 Jul 2015 14:09:37 +0000
    Researchers at Cisco Talos released details on a use-after-free vulnerability in Apple QuickTime that could lead to remote code execution.
  • Class-Action Suit Alleges OPM Officials Failed to Protect Employees’ Data Wed, 01 Jul 2015 14:02:08 +0000
    A class-action lawsuit filed by a government employees’ union against the Office of Personnel Management as a result of the massive data breach at OPM that affects more than 18 million people alleges that not only did the agency know about vulnerabilities in its network long before the attack, but that the agency’s director and […]

# Reddit netsec

# Krebs On Security

  • Banks: Card Breach at Trump Hotel Properties Wed, 01 Jul 2015 17:23:54 +0000
    The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, appears to be the latest victim of a credit card breach, according to data shared by several U.S.-based banks.
  • Crooks Use Hacked Routers to Aid Cyberheists Mon, 29 Jun 2015 14:30:30 +0000
    Cybercriminals have long relied on compromised Web sites to host malicious software for use in drive-by download attacks, but at least one crime gang is taking it a step further: New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware.
  • A Busy Week for Ne’er-Do-Well News Sat, 27 Jun 2015 20:24:20 +0000
    We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and in some cases stiff sentences in connection with a broad range of cyber crimes, including ATM and bank account cashouts, malware distribution and "swatting" attacks.

# Bruce Schneier's blog

  • Friday Squid Blogging: Squid Fishing in the Gulf of Thailand Fri, 03 Jul 2015 16:39:42 -0500
    Long article about a very lucrative squid-fishing industry that involves bribing the Cambodian Navy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Rabbit Beating Up Snake Fri, 03 Jul 2015 12:13:08 -0500
    It's the Internet, which means there must be cute animal videos on this blog. But this one is different. Watch a mother rabbit beat up a snake to protect her children. It's impressive the way she keeps attacking the snake until it is far away from her nest, but I worry that she doesn't know enough to grab the snake...
  • Clever System of Secure Distributed Computation Fri, 03 Jul 2015 06:38:42 -0500
    This is really clever: Enigma's technique -- what cryptographers call "secure multiparty computation" -- works by mimicking a few of the features of bitcoin's decentralized network architecture: It encrypts data by splitting it up into pieces and randomly distributing indecipherable chunks of it to hundreds of computers in the Enigma network known as "nodes." Each node performs calculations on its...
  • Details of the NSA's X-KEYSCORE Thu, 02 Jul 2015 11:16:57 -0500
    The Intercept has published a highly detailed two-part article on how the NSA's X-KEYSCORE works, including a huge number of related documents from the Snowden archive. So much to digest. Please post anything interesting you notice in the comments....
  • Office of Personnel Management Data Hack Wed, 01 Jul 2015 06:32:06 -0500
    I don't have much to say about the recent hack of the US Office of Personnel Management, which has been attributed to China (and seems to be getting worse all the time). We know that government networks aren't any more secure than corporate networks, and might even be less secure. I agree with Ben Wittes here (although not the imaginary...
  • Twitter Followers: Please Use the Correct Feed Tue, 30 Jun 2015 13:16:08 -0500
    The official Twitter feed for my blog is @schneierblog. The account @Bruce_Schneier also mirrors my blog, but it is not mine. I have nothing to do with it, and I don't know who owns it. Normally I wouldn't mind, but the unofficial blog fails intermittently. Also, @Bruce_Schneier follows people who then think I'm following them. I'm not; I never log...
  • Tracking the Psychological Effects of the 9/11 Attacks Tue, 30 Jun 2015 06:27:52 -0500
    Interesting research from 2012: "The Dynamics of Evolving Beliefs, Concerns, Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples": Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came from 8,070 participants of 10 ABC and CBS News polls collected...
  • TEMPEST Attack Mon, 29 Jun 2015 13:38:25 -0500
    There's a new paper on a low-cost TEMPEST attack against PC cryptography: We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The...
  • Migrating from SHA-1 to SHA-2 Mon, 29 Jun 2015 06:05:05 -0500
    Here's a comprehensive document on migrating from SHA-1 to SHA-2 in Active Directory certificates....
  • Friday Squid Blogging: Classic Gary Larson Squid Cartoon Fri, 26 Jun 2015 16:32:26 -0500
    I have always liked this one. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • WordPress WPML Missing Authentication Vulnerabilities Mon, 29 Jun 2015 00:00 GMT
    The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.
  • XZERES 442SR Wind Turbine Vulnerabilities Mon, 29 Jun 2015 00:00 GMT
    Cross-site request forgery (CSRF) vulnerability in XZERES 442SR OS on 442SR wind turbines allows remote attackers to hijack the authentication of admins for requests that modify the default user's password via a GET request.
  • Adobe Flash Player Type Confusion Remote Code Execution Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion,"
  • Apple Mac OS X And iOS Multiple Buffer Overflow Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple OS X through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code by modifying the client-server data stream during keychain recovery.
  • Bsdcpio In Libarchive Absolute Path Traversal Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.
  • Cisco IOS-XE Common Flow Table Device Reload Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The Common Flow Table (CFT) feature in Cisco IOS XE 3.6 and 3.7 before 3.7.1S, 3.8 before 3.8.0S, 3.9 before 3.9.0S, 3.10 before 3.10.0S, 3.11 before 3.11.0S, 3.12 before 3.12.0S, 3.13 before 3.13.0S, 3.14 before 3.14.0S, and 3.15 before 3.15.0S, when MMON or NBAR is enabled, allows remote attackers to cause a denial of service (device reload) via malformed IPv6 packets with IPv4 UDP encapsulation.
  • Cisco IOS And IOS-XE ANI Device Reload Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to cause a denial of service (device reload) via spoofed AN messages.
  • Cisco Unified Computing System C-Series DHCP Packet Handling Denial Of Service Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The Integrated Management Controller (IMC) in Cisco Unified Computing System (UCS) 1.4(7h) and earlier on C-Series servers allows remote attackers to bypass intended access restrictions by sending crafted DHCP response packets on the local network.
  • EMC Documentum XMS Sensitive Information Disclosure Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    EMC Documentum xCelerated Management System (xMS) 1.1 before P14 stores cleartext Windows Service credentials in a batch file during Documentum Platform and xCelerated Composition Platform (xCP) provisioning, which allows local users to obtain sensitive information by reading a file.
  • Google Chrome Prior To 41.0.2272.76 Trigger Movement Of A SCRIPT Element Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have other impact via vectors that trigger movement of a SCRIPT element to different documents, related to (1) the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and (2) the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp.
  • Hospira MedNet Hardcoded Cryptographic Key Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network.
  • IBM WebSphere Portal 8.5.0 Cross-Site Scripting Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF05 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
  • Libssh2 Denial Of Service Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other impact via crafted length values in an SSH_MSG_KEXINIT packet.
  • Manage Engine AD Audit Manager Plus Admin Panel Reflected Cross-Site Scripting Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText parameter to the Help Desk Roles.
  • Microsoft Windows Registry Virtualization Local Privilege Escalation Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The Windows Registry Virtualization feature in the kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict changes to virtual stores, which allows local users to gain privileges via a crafted application, aka "Registry Virtualization Elevation of Privilege Vulnerability."
  • Mozilla Firefox Buffer Underflow Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Stack-based buffer underflow in the mozilla::MP3FrameParser::ParseBuffer function in Mozilla Firefox before 36.0 allows remote attackers to obtain sensitive information from process memory via a malformed MP3 file that improperly interacts with memory allocation during playback.
  • Multiple Cisco Products Denial Of Service Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The Session Description Protocol (SDP) implementation in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X8.2 and Cisco TelePresence Conductor before XC2.4 allows remote attackers to cause a denial of service (mishandled exception and device reload) via a crafted media description.
  • OpenStack Glance Denial Of Service Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish.
  • PHP Libmagick 'src/softmagic.c' Out-Of-Bounds Read Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
  • Schneider Electric InduSoft Web Studio Brute-Force Password-Guessing Attack Vulnerabilities Tue, 30 Jun 2015 00:00 GMT
    Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 provide an HMI user interface that lists all valid usernames, which makes it easier for remote attackers to obtain access via a brute-force password-guessing attack.