(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac's BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system.

The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. While both exploits give attackers the same persistent and low-level control of a Mac, the new attack doesn't require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it.

Read 14 remaining paragraphs | Comments


Hola is a VPN provider that purports to offer its users freedom from censorship, a way to access geoblocked content, and anonymous browsing. The service claims that more than 47 million people are part of its peer-to-peer network. But according to a group of researchers (calling themselves Adios), it's dangerously insecure: the client software has flaws that allow for remote code execution and features of the client enabled tracking. On top of that, critically, Hola sells access to its peer-to-peer network with little oversight, enabling it to be used maliciously. The nature and scale of problems with Hola has researchers now saying users should bid adieu to the software.

Since the initial reports, Hola has made some changes. One method of remote code execution was removed—though the Adios team says that others remain—and the tracking flaw has also been fixed. But the deeper problems remain, and they're fundamental to the way that Hola is built.

The company doesn't hide the fact that the Hola network is peer-to-peer. Users of the service form a large network, and Hola traffic is routed through this network, using the connections of other Hola users. This is great for Hola; it means that the company doesn't need to operate points of presence in different countries in order to make traffic appear to originate in these countries. But this is very risky for end users.

Read 7 remaining paragraphs | Comments

CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]
CVE-2015-4039 - WordPress WP Membership plugin [Stored XSS]

Facebook has announced that its users can add an OpenPGP public key to their profile. This will allow Facebook to encrypt notification e-mails, and for others to use the public keys for encrypted communications. Facebook is "gradually rolling out" this experimental feature, which will be available from your account's Contact and Basic Info page.

Facebook says it has chosen to use GNU Privacy Guard (GPG) for its implementation. Back in February, the company stepped in with a $50,000 donation when the GPG project was struggling to raise funds to secure its future. As far as the detailed implementation is concerned, Facebook's notifications will be encrypted using the RSA or ElGamal algorithms, and the company is "investigating the addition of support for GPG's newer elliptic curve algorithms in the near future." Facebook is also looking at ways of offering public key management on mobile devices, not currently supported.

When encrypted notifications are enabled on an account, Facebook will sign outbound messages using its own private key to provide greater assurance that the contents of inbound e-mails are genuine—one of the chief benefits of the new feature. It means, for example, that users can be sure that password reset messages do indeed come from Facebook rather than someone masquerading as the company.

Read 1 remaining paragraphs | Comments

WebDrive Buffer OverFlow PoC
Ektron CMS 9.10 SP1 - XSS Vulnerability
Ektron CMS 9.10 SP1 - CSRF Vulnerability
[SECURITY] [DSA 3276-1] symfony security update
[SECURITY] [DSA 3269-2] postgresql-9.1 regression update
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Security fix for CVE-2015-0552
LinuxSecurity.com: Security fix for CVE-2014-9655, CVE-2015-1547
LinuxSecurity.com: Bugfix - #1215207 create/install service files for these
LinuxSecurity.com: This update fixes a bug in the DER parser which is used todecode SSL/TLS certificates could crash Suricata. Also, those processing large numbers of (untrusted) pcap files need to updateas a malformed pcap could crash Suricata.
LinuxSecurity.com: Bugfix - #1215207 create/install service files for these
LinuxSecurity.com: Bugfix - #1215207 create/install service files for these
LinuxSecurity.com: Cherry-pick a fix for the protocol downgrade attack (CVE-2014-9721)
LinuxSecurity.com: **Zend Framework 1.12.13*** 567: Cast int and float to string when creating headers**Zend Framework 1.12.12*** 493: PHPUnit not being installed* 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase* 513: Save time and space when cloning PHPUnit* 515: !IE conditional comments bug* 516: Zend_Locale does not honor parentLocale configuration* 518: Run travis build also on PHP 7 builds* 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress* 536: Zend_Measure_Number convert some decimal numbers to roman with space char* 537: Extend view renderer controller fix (#440)* 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server* 541: Fixed errors in tests on PHP7* 542: Correctly reset the sub-path when processing routes* 545: Fixed path delimeters being stripped by chain routes affecting later routes* 546: TravisCI: Skip memcache(d) on PHP 5.2* 547: Session Validators throw 'general' Session Exception during Session start* 550: Notice "Undefined index: browser_version"* 557: doc: Zend Framework Dependencies table unreadable* 559: Fixes a typo in Zend_Validate messages for SK* 561: Zend_Date not expected year* 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation**Security*** **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.
LinuxSecurity.com: Multiple vulnerabilities have been found in phpMyAdmin, the worst of which could lead to arbitrary code execution.
LinuxSecurity.com: Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.
[SECURITY] [DSA 3275-1] fusionforge security update

Posted by InfoSec News on Jun 01


By Dave Lee and Nick Kwek
BBC News
29 May 2015

North Korean hackers are capable of attacks that could destroy critical
infrastructure and even kill people, a high-profile defector has warned.

Speaking exclusively to BBC Click, Prof Kim Heung-Kwang said the country
had around 6,000 trained military hackers.

The warning follows last year's Sony Pictures hack - an attack attributed
to North...

Posted by InfoSec News on Jun 01


By David Geer
May 28, 2015

Hit too many times with successful attacks and compromises, an
enterprise’s human resources can develop a victim mentality, a.k.a.
learned helplessness. When this happens, employees who feel they are
helpless to do anything effective to fight cyber attacks lose...

Recently I made some small modifications to the Dshield Linux Cisco PIX submission perl script (https://www.dshield.org/clients/framework/cisco.tar.gz). This allows anyone with an ASA or Cisco Security Manager(CSM) to submit logs to the project with ease.

">Setup a cron, to submit the logs.

">Initially its best to have it cc you the logs so you can validate that everything is working via the dshield.cnf file.

">If using postfix, make sure that the message size limit is very high, as this will not attach a compressed file, it">message_size_limit =

">If the email goes through, check the ISC portal My Account - My Reports. You should see when you last submitted logs. This may lag behind several hours before the website updates, so dont worry on first submission if it takes a bit.

">Now get submitting your logs!


Tom Webb

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Naked Security

Coming to Infosec Europe this week? Would you like a free T-shirt?
Naked Security
Infosec Europe begins tomorrow and we're busy putting the finishing touches to the Sophos stand. Sophos stand setup. If you're attending the event, please do stop by the stand (D260) and say hi, and make sure you listen to one or more of the talks from ...


Posted by InfoSec News on Jun 01


By Deborah Galea
Manager, OPSWAT.

According to the recently released 2015 Dell Security Annual Threat
Report, SCADA attacks are on the rise. The report found that in 2014 the
number of attacks on Supervisory Control and Data Acquisition (SCADA)
systems doubled compared to the previous year. Most of...

Posted by InfoSec News on Jun 01


By Todd R. Weiss

Wearables vendor Jawbone is suing rival Fitbit based on allegations that
Fitbit hired away some Jawbone employees who then took confidential
corporate information with them to their new jobs.

The lawsuit, which was filed in California State Court in San Francisco,
charges that Fitbit employees were...

Posted by InfoSec News on Jun 01


By Jeremy Kirk
IDG News Service
June 1, 2015

A zero-day software vulnerability in the firmware of older Apple computers
could be used to slip hard-to-remove malware onto a computer, according to
a security researcher.

Pedro Vilaca, who studies Mac security, wrote on his blog that the flaw he
found builds on previous ones...

Posted by InfoSec News on Jun 01


By Liam Tung and Ben Grubb
The Age
May 29, 2015

The cat's out of the bag for about 60 Australians who thought they could
anonymously rent a hacker from a website to do their dirty work.

If you've used the hacker-for-hire site Hacker's List to contract out a
hack job then your name, address and the...

Posted by InfoSec News on Jun 01


By Ashley Deeks
May 31, 2015

This past week, the NATO Cooperative Cyber Defense Center of Excellence
put on its annual Cyber Conflict conference in Tallinn, Estonia. The
conference boasted a number of experienced cyber-hands, including Adm.
Mike Rodgers, DefCon founder Jeff Moss, and law of armed conflict expert
Mike Schmitt.

One of the most...

The Register

56 MEEELLION credentials exposed by apps say infosec boffins
The Register
Researchers from the University of Darmstadt say app developers have exposed 56 million credentials by borking login processes using services from Google, Amazon, and Facebook. The research team tested 750,000 Android and iOS applications, ...

and more »
Internet Storm Center Infocon Status