# SANS ISC

# threatpost.com

  • Robert Hansen on Aviator, Search Revenue and the $250,000 Security Guarantee Fri, 29 Aug 2014 19:43:58 +0000
    Dennis Fisher talks with Robert Hansen of WhiteHat Security about the company's decision to change default search providers to Disconnect and the $250,000 guarantee for users of the Sentinel Elite product.
  • Backoff Sinkhole Reveals Sorry Point-of-Sale Security Fri, 29 Aug 2014 18:25:09 +0000
    A new analysis of sinkholed Backoff point-of-sale malware paints a bleak picture of the state of point-of-sale security.
  • CryptoWall’s Haul: $1M in Six Months Fri, 29 Aug 2014 16:41:07 +0000
    The CryptoWall ransomware has proven to be a profitable criminal enterprise, netting more than $1.1 million in six months. More than 1,600 victims have surfaced and more than 5 billion files have been encrypted.
  • Mozilla to Support Key Pinning in Firefox 32 Fri, 29 Aug 2014 15:12:20 +0000
    Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome […]
  • Nearly 100k Bugzilla Users Affected by Data Disclosure Fri, 29 Aug 2014 13:31:28 +0000
    The email addresses and encrypted passwords of nearly 100,000 users of Mozilla’s Bugzilla system were left on a publicly accessible server for several months earlier this year, the company said. The disclosure comes just a few weeks after Mozilla advised members of its Mozilla Developer Network to change their passwords because of a similar incident. On […]
  • IEEE Guides Software Architects Toward Secure Software Design Thu, 28 Aug 2014 18:18:07 +0000
    The IEEE's Center for Secure Design's new guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws" debuted this week.
  • Windows XP-Heavy Turkey Overrun with GameOver Zeus Infections Thu, 28 Aug 2014 12:50:31 +0000
    GameOver Zeus and Sality banking malware infections are rampant in emerging countries such as Turkey where older, unpatched computers are prevalent, and security awareness is low.
  • Microsoft Fixes Broken Security Patch MS14-045 Wed, 27 Aug 2014 18:08:58 +0000
    Microsoft re-released MS14-045 today two weeks after pulling it from Windows Update because the patch was causing system crashes and blue screens of death.
  • Verizon Bolsters User Authentication With QR Codes Wed, 27 Aug 2014 18:04:16 +0000
    Verizon announced Tuesday it will soon begin using QR codes to allow users to log in to sites and programs in its Universal Identity Services portfolio.
  • Java.com, TMZ Serving Malvertising Redirects to Angler Exploit Kit Wed, 27 Aug 2014 15:48:17 +0000
    Popular websites TMZ and Java.com are among a handful serving malicious ads redirecting visitors to the Angler Exploit Kit.

# Reddit netsec

# Krebs On Security

  • Fun With Funny Money Mon, 01 Sep 2014 05:27:34 +0000
    Readers or "fans" of this blog have sent some pretty crazy stuff to my front door over the past few years, including a gram of heroin, a giant bag of feces, an enormous cross-shaped funeral arrangement, and a heavily armed police force. Last week, someone sent me a far less menacing package: an envelope full of cash. Granted, all of the cash turned out to be counterfeit money, but hey it's the thought that counts, right?
  • DQ Breach? HQ Says No, But Would it Know? Wed, 27 Aug 2014 01:12:20 +0000
    Sources within the financial industry say they're seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.
  • Stealthy, Razor Thin ATM Insert Skimmers Thu, 21 Aug 2014 19:59:37 +0000
    An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here's a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

# Bruce Schneier's blog

  • Pencil-and-Paper Codes Used by Central American Criminal Gangs Mon, 01 Sep 2014 09:30:17 -0500
    No mention of how good the codes are. My guess is not very....
  • Squid Skin Inspires Eye-Like Photodetector Fri, 29 Aug 2014 16:45:03 -0500
    Squid are color-blind, but may detect color directly through their skin. A researcher is working on a system to detect colored light the way squid do....
  • Cell Phone Kill Switches Mandatory in California Fri, 29 Aug 2014 12:31:42 -0500
    California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one. I worry more about the side effects: once the feature is in...
  • ISIS Threatens US with Terrorism Fri, 29 Aug 2014 06:08:51 -0500
    They're openly mocking our profiling. But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West. They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United...
  • Hacking Traffic Lights Thu, 28 Aug 2014 06:14:24 -0500
    New paper: "Green Lights Forever: Analyzing the Security of Traffic Infrastructure," Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman. Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and...
  • Security Flaws in Rapiscan Full-Body Scanners Wed, 27 Aug 2014 07:38:25 -0500
    Security researchers have finally gotten their hands on a Rapiscan backscatter full-body scanner. The results aren't very good. Website with paper and images. News articles and commentary. Note that these machines have been replaced in US airports with millimeter wave full-body scanners....
  • Security by Obscurity at Healthcare.gov Site Tue, 26 Aug 2014 06:21:42 -0500
    The White House is refusing to release details about the security of healthcare.gov because it might help hackers. What this really means is that the security details would embarrass the White House....
  • Eavesdropping Using Smart Phone Gyroscopes Tue, 26 Aug 2014 05:56:58 -0500
    The gyroscopes are sensitive enough to pick up acoustic vibrations. It's crude, but it works. Paper. Wired article. Hacker News thread....
  • The Problems with PGP Mon, 25 Aug 2014 12:04:53 -0500
    Matthew Green has a good post on what's wrong with PGP and what should be done about it....
  • People Are Not Very Good at Matching Photographs to People Mon, 25 Aug 2014 07:08:23 -0500
    We have an error rate of about 15%: Professor Mike Burton, Sixth Century Chair in Psychology at the University of Aberdeen said: "Psychologists identified around a decade ago that in general people are not very good at matching a person to an image on a security document. "Familiar faces trigger special processes in our brain -- we would recognise a...

# WIRED Threat Level

  • Bitcoin’s Earliest Adopter Is Cryonically Freezing His Body to See the Future Fri, 29 Aug 2014 03:06:29 GMT
    "He’s always been optimistic about the future," says Hal Finney's wife, Fran. "Every new advance, he embraced it, every new technology. Hal relished life, and he made the most of everything."
  • Creators of New Fed-Proof Bitcoin Marketplace Swear It’s Not for Drugs Thu, 28 Aug 2014 10:30:23 GMT
    When the recording industry smashed Napster with a $20 billion lawsuit more than a decade ago, filesharing morphed into Bittorrent, a fully peer-to-peer system with no central server for law enforcement to attack. Now the developers behind one software project are trying to pull off a similar trick with the anarchic model of bitcoin e-commerce […]
  • We Must Secure America’s Cell Networks—From Criminals and Cops Wed, 27 Aug 2014 10:30:26 GMT
    The FCC’s new task force against illegal use of phone-spying "Stingrays" is a positive first step, but it doesn't address the underlying problem.
  • Federal Cybersecurity Director Found Guilty on Child Porn Charges Wed, 27 Aug 2014 01:56:40 GMT
    As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images. But DeFoggi—convicted today in Nebraska on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of […]
  • How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law Tue, 26 Aug 2014 21:44:21 GMT
    Beginning next year, if you buy a cell phone in California that gets lost or stolen, you’ll have a built-in ability to remotely deactivate the phone under a new “kill switch” feature being mandated by California law—but the feature will make it easier for police and others to disable the phone as well, raising concerns […]
  • These 3-D Printed Skeleton Keys Can Pick High-Security Locks in Seconds Tue, 26 Aug 2014 10:30:36 GMT
    One of the hairier unintended consequences of cheap 3-D printing is that any troublemaker can duplicate a key without setting foot in a hardware store. But clever lockpickers like Jos Weyers and Christian Holler already are taking that DIY key-making trick a step further: They can 3-D print a slice of plastic or metal that opens […]
  • Your Anonymous Posts to Secret Aren’t Anonymous After All Fri, 22 Aug 2014 10:30:45 GMT
    White hat hacker Ben Caudill is halfway through his sandwich when he casually reaches over to his iPhone, swipes the screen a few times, then holds it up to me. “Is that you?” he asks. It is, but nobody was supposed to know. He’s showing me one of my posts to Secret, the popular anonymous […]
  • How Hackers Could Mess With 911 Systems and Put You at Risk Thu, 21 Aug 2014 10:30:30 GMT
    The female caller was frantic. Why, she asked 911 dispatchers, hadn’t paramedics arrived at her home? She’d already called once to say her husband was writhing on the floor in pain. “Hurry up!” she’d pleaded, as she gave the operator her address. And then she hung up and waited for help to arrive, but it […]
  • Researchers Easily Slipped Weapons Past TSA’s X-Ray Body Scanners Wed, 20 Aug 2014 13:00:56 GMT
    Additionally, they found that they could infect the scanner with malware---most practically for an attacker by picking the lock on the scanner's cabinet and physically installing the malware on the PC inside.
  • This Android Shield Could Encrypt Apps So Invisibly You Forget It’s There Tue, 19 Aug 2014 10:30:52 GMT
    In the post-Snowden era, everyone wants to make encryption easier. Now, one group of researchers has created a tool intended to make it invisible. A team from Georgia Tech has designed software that acts as an overlay on Android smartphones’ communication apps—like Gmail or Whatsapp—and mimics the apps’ user interfaces. When users type, the text […]

# exploit-db.com

# Securiteam