# SANS ISC

# threatpost.com

  • Sony Pictures Dealing With Apparent Network Compromise Tue, 25 Nov 2014 19:40:48 +0000
    Sony Pictures Entertainment is still in the process of trying to recover from an apparent compromise of some of the company’s computer systems. The attack first came to light on Monday, and the extent of the incident is still emerging. The compromise appears to affect just the networks at SPE, a division of Sony. Reports […]
  • Adobe Releases Emergency Flash Player Patch Tue, 25 Nov 2014 18:22:26 +0000
    Adobe released an emergency out-of-band Flash Player security bulletin, revising a patch released in October with an additional CVE addressing a memory corruption vulnerability.
  • Brain Science and Browser Warnings Tue, 25 Nov 2014 17:22:30 +0000
    Computer users will click through browser warnings and security alerts in order to complete a task, but once they're hacked, their behaviors change, a recent BYU study learned.
  • Experts Question Legality of Use of Regin Malware by Intel Agencies Tue, 25 Nov 2014 15:51:32 +0000
    Though security researchers involved in uncovering the attack have remained mum on the attribution of Regin, privacy experts say that if one of the intelligence agencies is involved, there's no legal basis for the operation.
  • Craigslist Back Online Following DNS Hijack Mon, 24 Nov 2014 22:11:14 +0000
    The popular classified website Craigslist is back online today following a DNS attack that forced it offline for several hours Sunday evening.
  • Remote Code Execution in Popular Hikvision Surveillance DVR Mon, 24 Nov 2014 17:48:56 +0000
    A number of Hikvision digital video recorders contain vulnerabilities that an attacker could remotely exploit in order to gain full control of those devices.
  • Costin Raiu on the Regin APT Malware Mon, 24 Nov 2014 16:05:40 +0000
    Dennis Fisher talks with Costin Raiu of the Kaspersky Lab GReAT Team about the discovery of the Regin APT malware, the threat's targets and tactics, its ability to compromise GSM base stations and its other capabilities.
  • Regin Cyberespionage Platform Also Spies on GSM Networks Mon, 24 Nov 2014 15:09:27 +0000
    Kaspersky Lab researchers have learned that the Regin cyberespionage platform also targets GSM telecommunications networks.
  • EFF, Privacy Groups Say NIST Crypto Standards Must be Free From Backdoors Mon, 24 Nov 2014 14:24:44 +0000
    The EFF and a long list of civil and privacy groups have sent a letter to NIST, emphasizing the need for the agency to create "a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities."
  • FTC Shutters $120 Million Tech Support, Bogus Software Scam Fri, 21 Nov 2014 21:09:02 +0000
    The FTC and a Florida federal court issued temporary restraining orders against a number of organizations and individuals involved in a massive telemarketing operation selling bogus software and support.

# Reddit netsec

# Krebs On Security

  • Adobe Pushes Critical Flash Patch Tue, 25 Nov 2014 18:23:10 +0000
    For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.
  • Spam Nation Book Tour Highlights Mon, 24 Nov 2014 20:33:49 +0000
    Greetings from sunny Austin, Texas, where I'm getting ready to wrap up a week-long book tour that began in New York City, then blazed through Chicago, San Francisco, and Seattle. I've been trying to tweet links to various media interviews about Spam Nation over the past week, but wanted to offer a more comprehensive account and to share some highlights of the tour
  • Convicted ID Thief, Tax Fraudster Now Fugitive Fri, 21 Nov 2014 16:59:40 +0000
    In April 2014, this blog featured a story about Lance Ealy, an Ohio man arrested last year for buying Social Security numbers and banking information from an underground identity theft service that relied in part on data obtained through a company owned by big-three credit bureau Experian. Earlier this week, Ealy was convicted of using the data to fraudulently claim tax refunds with the IRS in the names of more than 175 U.S. citizens, but not before he snipped his monitoring anklet and skipped town.

# Bruce Schneier's blog

  • Regin: Another Military-Grade Malware Tue, 25 Nov 2014 06:57:03 -0600
    Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater....
  • The Security Underpinnings of Cryptography Mon, 24 Nov 2014 14:21:52 -0600
    Nice article on some of the security assumptions we rely on in cryptographic algorithms....
  • New Kryptos Clue Mon, 24 Nov 2014 06:54:36 -0600
    Jim Sanborn has given the world another clue to the fourth cyphertext in his Kryptos sculpture at the CIA headquarters. Older posts on Kryptos....
  • Friday Squid Blogging: Cephalopod Cognition Fri, 21 Nov 2014 16:09:49 -0600
    Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses. Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week....
  • Pre-Snowden Debate About NSA Call-Records Collection Program Thu, 20 Nov 2014 14:42:24 -0600
    AP is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program. The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing...
  • Citadel Malware Steals Password Manager Master Passwords Thu, 20 Nov 2014 09:51:13 -0600
    Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target....
  • A New Free CA Tue, 18 Nov 2014 12:38:11 -0600
    Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...
  • Whatsapp Is Now End-to-End Encrypted Tue, 18 Nov 2014 12:35:00 -0600
    Whatsapp is now offering end-to-end message encryption: Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device. I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives...
  • Snarky 1992 NSA Report on Academic Cryptography Tue, 18 Nov 2014 10:50:48 -0600
    The NSA recently declassified a report on the Eurocrypt '92 conference. Honestly, I share some of the writer's opinions on the more theoretical stuff. I know it's important, but it's not something I care all that much about....
  • The NSA's Efforts to Ban Cryptographic Research in the 1970s Mon, 17 Nov 2014 21:19:18 -0600
    New article on the NSA's efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Multiple Cobham Products Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLORER BGAN; and AVIATOR 200, 300, 350, and 700D devices do not properly restrict password recovery, which allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code.
  • OpenStack Neutron L3-Agent Remote Denial Of Service Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.
  • Oracle Java SE 6u75 Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    A vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
  • Oracle WebCenter Portal Remote Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    A vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect integrity via unknown vectors related to Portlet Services.
  • PHP '/ext/standard/info.c' Type Confusion Information Disclosure Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
  • Rocket Servergraph Multiple Security Code Execution Vulnerabilities Thu, 23 Oct 2014 00:00 GMT
    Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.
  • Adobe Flash Player And AIR Incomplete Fix Security Bypass Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character.
  • APPLE 10.9.4 Security Update Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an OpenGL API call, which allows attackers to execute arbitrary code via a crafted application.
  • Apple Safari Execute Arbitrary Code Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.
  • Bugzilla Cross Site Request Forgery Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
  • Cisco IOS XR Software Static Punt Policer Denial Of Service Vulnerabilities Fri, 24 Oct 2014 00:00 GMT
    Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets.
  • Adobe Flash Player 13.0.0.241 Execute Arbitrary Code Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code.
  • Apache CXF UsernameToken Information Disclosure Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
  • Oracle E-Business Suite 12.1.3 Remote Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    A vulnerability in the Oracle Concurrent Processing component in Oracle E-Business Suite 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
  • Oracle VM VirtualBox 3.2.24 Local Security Code Execution Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    A vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.
  • PHP Unserialize() Function Type Confusion Security Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
  • Red Hat CloudForms Management Engine 'wait_for_task()' Function Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption).
  • Symantec Endpoint Protection Local Client ADC Buffer Overflow Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Buffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.
  • Wireshark ASN.1 BER Dissector Denial Of Service Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.10.x before 1.10.9 does not properly validate padding values, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet.
  • WordPress DsIDXpress IDX Plugin Cross Site Scripting Vulnerabilities Mon, 27 Oct 2014 00:00 GMT
    Cross-site scripting (XSS) vulnerability in client-assist.php in the dsIDXpress IDX plugin before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.
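The Rocket ServerGraph item above is a plain directory-traversal bug: a `..` in the `query` parameter lets the fileRequestor servlet read, write or run files outside its data directory. The example below is an added illustration, not Rocket's code. The function names and the directory layout are assumptions; it shows the unchecked join that produces the bug next to a containment check on the canonical path, and exercises both against a constructed temporary tree.

```python
import os
import tempfile

# Added example, not Rocket ServerGraph code. read_data_file and the
# "query" argument are assumptions modelled on the readDataFile action
# described in the Securiteam item.


def resolve_unchecked(base_dir: str, query: str) -> str:
    """The unsafe pattern: the caller-supplied name is joined onto the data
    directory with no containment check. "../secret.txt" walks out of
    base_dir, and an absolute query makes os.path.join drop base_dir."""
    return os.path.join(base_dir, query)


def resolve_contained(base_dir: str, query: str) -> str:
    """Resolve query under base_dir and refuse anything whose canonical path
    is not inside the canonical base directory. realpath() collapses '.',
    '..' and symlinks, so the check runs on the path that will be opened."""
    if "\x00" in query:
        raise PermissionError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, query))
    # commonpath compares whole components, so /data does not match /data2.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{query!r} escapes {base}")
    return target


def read_data_file(base_dir: str, query: str) -> bytes:
    """Hardened readDataFile-style action: only files under base_dir are served."""
    with open(resolve_contained(base_dir, query), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <tmp>/data/report.txt is servable,
    <tmp>/secret.txt one level up must stay unreachable."""
    root = tempfile.mkdtemp()
    data = os.path.join(root, "data")
    os.mkdir(data)
    with open(os.path.join(data, "report.txt"), "wb") as fh:
        fh.write(b"quarterly report")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"backup credentials")

    results = {"ok": read_data_file(data, "report.txt")}
    # The unchecked join resolves straight to the file outside the data dir.
    results["unchecked_escapes"] = (
        os.path.realpath(resolve_unchecked(data, "../secret.txt"))
        == os.path.realpath(os.path.join(root, "secret.txt"))
    )
    attempts = [
        "../secret.txt",                      # classic dot-dot
        "sub/../../secret.txt",               # dot-dot through a non-existent dir
        os.path.join(root, "secret.txt"),     # absolute path discards base_dir
        "report.txt\x00.jpg",                 # NUL truncation trick
    ]
    blocked = 0
    for query in attempts:
        try:
            read_data_file(data, query)
        except PermissionError:
            blocked += 1
    results["blocked"] = blocked
    return results


if __name__ == "__main__":
    print(demo())
```

The same `resolve_contained` gate belongs in front of every action that takes a file name (create, run, delete), not only the read path; the item lists six separate actions on two servlets, which is what happens when the check lives in each handler instead of one shared resolver.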
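The two JSONP items above (the Flash/AIR SWF-format entry and the Bugzilla jsonrpc.cgi entry) describe the same attack from both ends: a JSONP endpoint echoes the caller-chosen callback name as the first bytes of its response, and Flash will load any response that begins with a SWF signature as a SWF, regardless of its Content-Type, so a callback built entirely from the permitted characters turns the endpoint into a same-origin SWF host. The example below is added here and is neither Bugzilla's nor Adobe's code; the endpoint functions, the sample payload and the SWF-shaped callback are constructed (the callback only carries the `CWS` signature, it is not a working file). It shows the reflecting endpoint beside one that bounds the callback and fixes the response's initial bytes.

```python
import json
import re

# Added example; not Bugzilla's jsonrpc.cgi and not Adobe code.
# Compressed SWF files begin with the bytes "CWS", uncompressed ones with "FWS".
SWF_MAGIC = (b"CWS", b"FWS")


def looks_like_swf(body: bytes) -> bool:
    """Flash decides what a response is from its first bytes, not its Content-Type."""
    return body.startswith(SWF_MAGIC)


def jsonp_reflects_callback(callback: str, payload: dict) -> bytes:
    """The vulnerable shape: an alphanumeric filter on the callback, no
    length limit, and the callback itself is the start of the body."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", callback):
        raise ValueError("callback contains disallowed characters")
    return (callback + "(" + json.dumps(payload) + ")").encode()


# Identifier-shaped, short, and never able to dictate the first bytes.
CALLBACK_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
PREFIX = b"/**/"   # a JS comment: harmless to the browser, not a SWF signature


def jsonp_hardened(callback: str, payload: dict) -> bytes:
    """Strict charset, a 64-character cap, and a fixed prefix so the response
    starts with server-chosen bytes whatever the callback is."""
    if not CALLBACK_RE.fullmatch(callback):
        raise ValueError("callback rejected")
    return PREFIX + (callback + "(" + json.dumps(payload) + ")").encode()


# Constructed stand-in for a crafted callback: it has the compressed-SWF
# signature and is alphanumeric, which is all the reflecting endpoint checks.
SWF_SHAPED_CALLBACK = "CWS" + "A" * 300
SAMPLE_PAYLOAD = {"ok": True, "session": "abc123"}   # constructed


def compare() -> dict:
    """Run both endpoints against the same callbacks and report what got through."""
    out = {"reflected_is_swf": looks_like_swf(
        jsonp_reflects_callback(SWF_SHAPED_CALLBACK, SAMPLE_PAYLOAD))}
    try:
        jsonp_hardened(SWF_SHAPED_CALLBACK, SAMPLE_PAYLOAD)
        out["hardened_rejected_long"] = False
    except ValueError:
        out["hardened_rejected_long"] = True
    # Even a short callback that fits the cap cannot make the body a SWF.
    out["hardened_short_is_swf"] = looks_like_swf(
        jsonp_hardened("CWSfoo", SAMPLE_PAYLOAD))
    out["normal"] = jsonp_hardened("cb", SAMPLE_PAYLOAD)
    return out


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

The length cap and the charset are the checks the Bugzilla entry says were missing ("accepts certain long callback values"); the prefix is what closes the "does not restrict the initial bytes" half for good, because it holds even if a future plugin format is expressible in the allowed alphabet. Browsers ignore a leading comment, so existing JSONP clients keep working.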
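The Wireshark item above turns on one byte of the BER BIT STRING encoding: the first contents octet is the count of unused bits in the last octet, which X.690 8.6.2 limits to 0..7 and requires to be zero when there are no further octets. A decoder that trusts that byte computes a negative bit count, and in C that number becomes an index or a copy length. The decoder below is an added example, not Wireshark's packet-ber.c; the sample encodings are constructed. It shows the validated parse beside the unchecked arithmetic so the negative result is visible.

```python
# Added example: a minimal BER BIT STRING decoder with the X.690 8.6.2
# padding checks. Not Wireshark code; the sample encodings are constructed.


def _read_length(data: bytes, pos: int) -> tuple:
    """Definite-form length octets (X.690 8.1.3). Returns (length, next_pos)."""
    if pos >= len(data):
        raise ValueError("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form: one octet
        return first, pos
    n = first & 0x7F                       # long form: n following octets
    if n == 0:
        raise ValueError("indefinite length is not allowed for a primitive BIT STRING")
    if n > 4:
        raise ValueError("length field unreasonably long")
    if pos + n > len(data):
        raise ValueError("truncated length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_bit_string(data: bytes) -> tuple:
    """Decode a primitive BIT STRING (tag 0x03). Returns (bit_count, octets)."""
    if not data or data[0] != 0x03:
        raise ValueError("not a primitive BIT STRING")
    length, pos = _read_length(data, 1)
    content = data[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated contents")
    # 8.6.2.2: the initial contents octet is mandatory and holds the number
    # of unused bits in the final octet, in the range 0..7.
    if length == 0:
        raise ValueError("missing unused-bits octet")
    unused = content[0]
    if unused > 7:
        raise ValueError(f"unused-bit count {unused} outside 0..7")
    # 8.6.2.3: an empty bit string has no further octets and unused == 0.
    if length == 1 and unused != 0:
        raise ValueError("unused bits claimed but there are no data octets")
    bit_count = (length - 1) * 8 - unused
    return bit_count, content[1:]


def bit_count_unchecked(data: bytes) -> int:
    """The same arithmetic with the checks skipped. With length == 1 and a
    non-zero padding byte, or padding > 7, the result is negative; fed to
    a buffer offset or memcpy size in C, that is the class of underflow
    the Securiteam item describes (this is an illustration of the pattern,
    not a claim about Wireshark's exact code path)."""
    length, pos = _read_length(data, 1)
    return (length - 1) * 8 - data[pos]


# Constructed encodings.
GOOD_SHORT = b"\x03\x02\x06\xc0"            # 2 bits: '11', 6 unused
GOOD_LONG = b"\x03\x81\x03\x00\xab\xcd"     # long-form length, 16 bits
EMPTY = b"\x03\x01\x00"                     # empty bit string
BAD_PAD_NO_DATA = b"\x03\x01\x05"           # 5 unused bits but no data octet
BAD_PAD_RANGE = b"\x03\x02\x09\xff"         # unused count 9 > 7

if __name__ == "__main__":
    print(parse_bit_string(GOOD_SHORT), parse_bit_string(GOOD_LONG))
    for bad in (BAD_PAD_NO_DATA, BAD_PAD_RANGE):
        print(bad.hex(), "unchecked bit count:", bit_count_unchecked(bad))
        try:
            parse_bit_string(bad)
        except ValueError as e:
            print("  rejected:", e)
```

The two bounds are cheap and independent of the rest of the dissector, which is why they belong at the point the padding byte is read rather than wherever the bit count is later consumed.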