# SANS ISC

# threatpost.com

  • Apache Warns of Faulty Zero Day Patch for Struts Thu, 24 Apr 2014 19:48:35 +0000
    The Apache Software Foundation will re-issue a patch for a ClassLoader manipulation zero-day vulnerability in Struts. The fix is expected to be ready within 72 hours; a workaround is available.
  • NetSupport Manager Vulnerability Could Lead to Data Leakage Thu, 24 Apr 2014 18:29:46 +0000
    A vulnerability in NetSupport Manager could yield sensitive configuration settings and lead to compromise.
  • DDoS Attacks an Increasing Cover for Theft, Fraud Thu, 24 Apr 2014 18:03:22 +0000
    DDoS attacks are growing in scale and volume, and experts say attackers are also using them as a cover for secondary attacks resulting in financial fraud or loss of intellectual property.
  • Mozilla Offers Bug Bounty for New Certificate Verification Library Thu, 24 Apr 2014 16:17:38 +0000
    Mozilla is offering a $10,000 bug bounty for serious security vulnerabilities in a new cryptography library it plans to release along with Firefox 31.
  • Group Backed by Google, Microsoft to Help Fund OpenSSL and Other Open Source Projects Thu, 24 Apr 2014 14:08:45 +0000
    After the dust had started to settle in the wake of the OpenSSL Heartbleed vulnerability earlier this month, one of the common sentiments that emerged was that the small group developing and maintaining the software needed some help. And money. And resources. But mostly money. Now, the OpenSSL Foundation, along with a number of other […]
  • New NIST Tool Streamlines Government App Vetting Wed, 23 Apr 2014 19:19:46 +0000
    Developers who produce apps intended for use on internal networks at government agencies are getting a vetting process of their own called AppVet.
  • Google Adding Security Checks to Non-OAuth 2.0 Compliant Apps Wed, 23 Apr 2014 18:49:45 +0000
    Google announced it will add additional security checks to log-in attempts from applications or devices that do not support OAuth 2.0.
  • LibreSSL Sticks a Fork in OpenSSL Wed, 23 Apr 2014 16:57:55 +0000
    LibreSSL, a fork of OpenSSL, has already made "improvements" in OpenSSL programming practices according to OpenBSD officials.
  • Iowa State Hacked–To Mine Bitcoins Wed, 23 Apr 2014 15:25:23 +0000
    Officials at Iowa State University said Tuesday that the personal data of nearly 30,000 alumni, including Social Security numbers, was compromised during a data breach.
  • OpenSSL Heartbleed Highlights Crypto Pitfalls Wed, 23 Apr 2014 13:36:08 +0000
    There is no shortage of bad advice online about crypto–or anything else, for that matter. And the recent mess involving the OpenSSL heartbleed vulnerability has brought out plenty of advice on building, implementing and repairing cryptosystems, but experts say that the fundamental truths about how to do these tasks haven’t changed much. Cryptosystems are the […]

# Reddit netsec

# Krebs On Security

  • Phishers Divert Home Loan Earnest Money Wed, 23 Apr 2014 15:31:57 +0000
    It looks like it's time to update my Value of a Hacked Email Account graphic: Real estate and title agencies are being warned about a new fraud scheme in which email bandits target consumers who are in the process of purchasing a home.
  • States: Spike in Tax Fraud Against Doctors Tue, 22 Apr 2014 15:12:07 +0000
    An unusual number of physicians in several U.S. states are just finding out that they've been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians.
  • An Allegation of Harm Mon, 21 Apr 2014 04:01:42 +0000
    In December 2013, an executive from big-three credit reporting bureau Experian told Congress that the company was not aware of any consumers who had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. This blog post examines the harm allegedly caused to consumers by just one of the 1,300 customers of that ID theft service -- an Ohio man the government claims used the data to file fraudulent tax returns on dozens of Americans last year.

# Bruce Schneier's blog

  • Is Google Too Big to Trust? Thu, 24 Apr 2014 06:45:05 -0500
    Interesting essay about how Google's lack of transparency is hurting their trust: The reality is that Google's business is and has always been about mining as much data as possible to be able to present information to users. After all, it can't display what it doesn't know. Google Search has always been an ad-supported service, so it needs a way...
  • Conversnitch Wed, 23 Apr 2014 14:33:24 -0500
    Surveillance is getting cheaper and easier: Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in...
  • The Security of Various Programming Languages Wed, 23 Apr 2014 07:53:07 -0500
    Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language. The report....
  • Dan Geer on Heartbleed and Software Monocultures Tue, 22 Apr 2014 07:52:48 -0500
    Good essay: To repeat, Heartbleed is a common mode failure. We would not know about it were it not open source (Good). That it is open source has been shown to be no talisman against error (Sad). Because errors are statistical while exploitation is not, either errors must be stamped out (which can only result in dampening the rate of...
  • Info on Russian Bulk Surveillance Mon, 21 Apr 2014 05:55:55 -0500
    Good information: Russian law gives Russia’s security service, the FSB, the authority to use SORM (“System for Operative Investigative Activities”) to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions. SORM has been in use since 1990 and collects both metadata and content. SORM-1 collects mobile and...
  • Friday Squid Blogging: Squid Jigging Fri, 18 Apr 2014 16:16:41 -0500
    Good news from Malaysia: The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said. He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region. "Beside introducing squid...
  • Metaphors of Surveillance Fri, 18 Apr 2014 14:21:06 -0500
    There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...
  • Reverse Heartbleed Fri, 18 Apr 2014 07:29:13 -0500
    Heartbleed can affect clients as well as servers....
  • Overreacting to Risk Fri, 18 Apr 2014 06:26:32 -0500
    This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...
  • Tails Thu, 17 Apr 2014 13:38:41 -0500
    Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....

# WIRED Threat Level

  • Inside the ‘DarkMarket’ Prototype, a Silk Road the FBI Can Never Seize Thu, 24 Apr 2014 10:30:55 GMT
    The Silk Road, for all its clever uses of security protections like Tor and Bitcoin to protect the site's lucrative drug trade, still offered its enemies a single point of failure. When the FBI seized the server that hosted the market, the billion-dollar drug bazaar came crashing down. If one group of Bitcoin black market enthusiasts has their way, the next online free-trade zone could be a much more elusive target.
  • Feds Beg Supreme Court to Let Them Search Phones Without a Warrant Wed, 23 Apr 2014 21:22:00 GMT
    American law enforcement has long advocated for universal "kill switches" in cellphones to cut down on mobile device thefts. Now the Department of Justice argues that the same remote locking and data-wiping technology represents a threat to police investigations--one that means they should be free to search phones without a warrant.
  • An Eavesdropping Lamp That Livetweets Private Conversations Wed, 23 Apr 2014 10:30:36 GMT
    Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter.
  • Heartbleed Bug Sends Bandwidth Costs Skyrocketing Thu, 17 Apr 2014 21:01:06 GMT
    The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones. The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with […]
  • New ‘Google’ for the Dark Web Makes Buying Dope and Guns Easy Thu, 17 Apr 2014 10:30:22 GMT
    The dark web just got a little less dark with the launch of a new search engine that lets you easily find illicit drugs and other contraband online.
  • Snowden’s Email Provider Loses Appeal Over Encryption Keys Wed, 16 Apr 2014 17:07:23 GMT
    A federal appeals court has upheld a contempt citation against the founder of the defunct secure e-mail company Lavabit, finding that the weighty internet privacy issues he raised on appeal should have been brought up earlier in the legal process. The decision disposes of a closely watched privacy case on a technicality, without ruling one way or the other on the substantial issue: whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.
  • Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA Tue, 15 Apr 2014 10:30:43 GMT
    According to Obama, any flaws that have "a clear national security or law enforcement" use can be kept secret and exploited.
  • Report: NSA Exploited Heartbleed to Siphon Passwords for Two Years Fri, 11 Apr 2014 20:57:52 GMT
    The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.
  • Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’ Fri, 11 Apr 2014 17:12:15 GMT
    Andrew "Weev" Auernheimer, a hacker sentenced to three and a half years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T’s unsecured website, is about to go free, after a ruling today that prosecutors were wrong to charge him in a state where none of his alleged crimes occurred.
  • Booking Video: Aaron Swartz Jokes, Jousts With Cops After MIT Bust Fri, 11 Apr 2014 10:30:38 GMT
    The booking video is an exhibit in miniature of the qualities that made Swartz such an effective activist, and makes his loss such an enduring shame.

# exploit-db.com

# Securiteam