On Friday, the National Institute of Standards and Technology (NIST), which sets many of the standards that cryptographers use to create robust security systems, gave notice that it would formally review its standards development process. This comes about two months after a report from the New York Times that the National Security Agency may have included a backdoor in an algorithm called Dual_EC_DRBG, which is used to create a widely adopted, NIST-approved encryption standard.

The fallout from the September New York Times report, which was based on internal memos leaked by former NSA contractor Edward Snowden, made many security experts wary of NIST and its standards. At the time of the report, NIST issued a statement saying that it would reopen its public vetting process for the encryption standard that was in question. “We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” a memo from the Institute read.

Now, NIST is apparently going a step further. In its latest November 1 statement, the organization promised to do a full audit of its standards development process. “Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines,” the statement read.



HP Service Manager CVE-2013-2321 Unspecified Cross Site Scripting Vulnerability
HP Service Manager CVE-2012-5222 Unspecified Information Disclosure Vulnerability
Apache Struts CVE-2013-4316 Remote Code Execution Vulnerability
A project aims to bring an inexpensive 9-inch portable monitor to the popular US$25 Raspberry Pi PC, which comes without a keyboard, mouse or monitor.
The U.S. Senate Intelligence Committee Thursday voted to back a "spying reform" bill that critics contend codifies and extends the National Security Agency's controversial phone metadata collection practices.
A report today says the mystery barges docked in San Francisco and Portland, Maine, will hold luxury showrooms for displaying Google X products, such as Google's digital eyewear called Glass.
J.D. Power and Associates yesterday gave its top ranking in tablet satisfaction to Samsung, the first time since it debuted the award that Apple did not take the prize.
Response times at the ailing HealthCare.gov have improved significantly in recent days as a technology team tries to fix the problems with the U.S. government's health-insurance shopping website, officials said.
Officials in Marin County, Calif., have begun the search for new ERP (enterprise resource planning) software to replace a troubled SAP implementation that generated an ugly legal battle between the county, SAP and systems integrator Deloitte.
Panasonic is discontinuing production of plasma televisions and shuttering the three factories that made them in the wake of stiff competition from LCD TVs.
Apple's new Mac operating system ended October with an 11% user share of all Macs that went online during the month, the strongest start ever for an OS X upgrade.
[security bulletin] HPSBMU02935 rev.1 - HP LoadRunner Virtual User Generator, Remote Code Execution
[security bulletin] HPSBMU02934 rev.1 - HP Application LifeCycle Management, GossipService SOAP Request, Remote Code Execution
Google has paid extra attention to Android's performance on low-cost smartphones when developing version 4.4 of the OS, which could be very good news for consumers and developers but a problem for competitors like Mozilla and Nokia.
Everybody knows the use case for CRM. It's in its name, after all: customer relationship management. But how does that really improve the way your company does business?
Google has long been known as a mobile tech innovator with its Gigabit Fiber and Google Glass projects, among others. Now it's emerging as a radical strategist in the wireless ecosystem.
Intel's Galileo open-source computer for the hacker and do-it-yourself crowd can now be ordered for $69.90, and is scheduled to ship at the end of November.
[SECURITY] [DSA 2789-1] strongswan security update
[security bulletin] HPSBMU02933 rev.1 - HP SiteScope, issueSiebelCmd SOAP Request, Remote Code Execution
[security bulletin] HPSBMU02874 SSRT101184 rev.2 - HP Service Manager, Java Runtime Environment (JRE) Security Update
[security bulletin] HPSBMU02872 SSRT101185 rev.3 - HP Service Manager, Remote Disclosure of Information, Cross Site Scripting(XSS)
CIO.com columnist Rob Enderle suffered a brutal beating after police broke up an illegal rave next door to his house. The rave attracted hundreds of teens who saw the party invite on Facebook. The incident left Enderle to wonder why Facebook, other social sites and even government agencies are so reluctant to use their data to prevent bad things from happening.
LinuxSecurity.com: A vulnerability has been found in the ASN.1 parser of strongSwan, an IKE daemon used to establish IPsec protected links. By sending a crafted ID_DER_ASN1_DN ID payload to a vulnerable pluto or [More...]
LinuxSecurity.com: Updated kernel-rt packages that fix multiple security issues and one bug are now available for Red Hat Enterprise MRG 2.4. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
LinuxSecurity.com: Multiple security issues were identified and fixed in Mozilla Firefox: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption [More...]
LinuxSecurity.com: Multiple security issues have been found in iceweasel, Debian's version of the Mozilla Firefox web browser: multiple memory safety errors, and other implementation errors may lead to the execution of arbitrary code. [More...]
LinuxSecurity.com: An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Updated postgresql and postgresql84 packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: Updated qspice packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if it opened a malicious website.
New research projects that of the 35.1 million mobile connected infotainment systems available by 2018, 43.6% will be equipped with MirrorLink, 49.8% with Apple's "iOS in the Car," and 28.2% with other technologies.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5600 Remote Memory Corruption Vulnerability

Four weeks ago, Adobe disclosed a sustained hack on its corporate network that threatened to spawn a wave of meaner malware attacks by giving criminals access to the raw source code for the company's widely used Acrobat and ColdFusion applications. Now, researchers are warning the same breach could significantly strengthen the password crackers' collective hand by revealing a staggering 130 million passcodes used over the years by Adobe customers, many of them from the FBI, large corporations, and other sensitive organizations.

That's because Adobe engineers used reversible encryption to scramble the passwords contained in a 9.3-gigabyte file that's now available online. Surprisingly, they flouted almost universally recognized best practices that call for stored passwords to be protected by bcrypt or another one-way cryptographic hashing algorithm. Just as ground hamburger can't be converted back into steak, there's no mathematical way to reverse cryptographic hashes and return them to their plaintext origins. One-way hashing is designed to thwart cracking by requiring crackers to pass individual password guesses through the same algorithm and see if it produces the same long string of random-looking characters. When done correctly, it can take centuries to decipher long lists of credentials.

That's not at all the way the passwords for the 130 million active and inactive Adobe accounts are protected. They were scrambled using standard symmetric encryption. If crackers are able to figure out the key or keys that encrypt the data, they will have instant access to every single plaintext user password in the list.
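To make the hashing-versus-encryption point concrete, here is an added Python example (not Adobe's code and not the format of the leaked file): a toy reversible store whose single master key unlocks every record in one pass, beside a one-way store that forces a separate slow derivation per account per guess. Assumptions: PBKDF2 from the standard library stands in for bcrypt, a SHA-256 counter-mode keystream stands in for a real symmetric cipher, and the accounts are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not data from the Adobe breach.
USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "Tr0ub4dor&3"}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keyed stream (SHA-256 in counter mode) standing in for a real symmetric cipher."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]


def xor_with_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encrypt_store(users: dict, key: bytes) -> dict:
    """Reversible scheme: every record depends on one master key."""
    return {u: xor_with_stream(p.encode(), key, u.encode()) for u, p in users.items()}


def decrypt_store(store: dict, key: bytes) -> dict:
    """Whoever obtains the key recovers every plaintext at once, with no guessing."""
    return {u: xor_with_stream(c, key, u.encode()).decode() for u, c in store.items()}


def hash_store(users: dict, iterations: int = 200_000) -> dict:
    """One-way scheme: per-user random salt plus a slow PBKDF2 derivation (bcrypt stand-in)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return store


def verify(store: dict, user: str, guess: str) -> bool:
    salt, iters, digest = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iters)
    return hmac.compare_digest(candidate, digest)


def crack_hashed(store: dict, wordlist: list) -> tuple:
    """The only route against hashes: one full derivation per account per guess.
    Returns (recovered passwords, number of derivations paid for)."""
    found, work = {}, 0
    for u in store:
        for guess in wordlist:
            work += 1
            if verify(store, u, guess):
                found[u] = guess
                break
    return found, work
```

With the reversible store, `decrypt_store` returns all three passwords from one key; with the hashed store, `crack_hashed` pays one slow derivation for every account-guess pair and the salts prevent sharing work across accounts.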



IBM DB2 and DB2 Connect CVE-2013-4033 Multiple Unauthorized Access Vulnerabilities
AudioCoder '.m3u' File Buffer Overflow Vulnerability
Africa's demand for Internet links to the rest of the world will grow by an average of 51% every year until 2019, ahead of all other regions, according to a forecast by research company Telegeography.
A new variant of a Trojan program that targets online banking accounts also contains code to search if infected computers have SAP client applications installed, suggesting that attackers might target SAP systems in the future.
Internet companies are demanding reforms to U.S. government surveillance practices to enhance privacy protections and provide "appropriate oversight and accountability mechanisms."
The Rockstar Consortium that acquired Nortel Networks' patents filed patent infringement suits against Google, Samsung, HTC and five other companies.
A U.S. Senate committee has voted to approve a bill that would leave in place the U.S. National Security Agency's bulk telephone-records collection program, with some limits.
Somewhere along the way, Facebook apparently became your father's social network. And that could be a problem for the popular social networking site.
Part 1 of our annual cornucopia of gift ideas features speakers, headphones and earbuds that will delight the ears of audiophiles and casual listeners alike.
Supercomputer maker Cray has hired the founders and key engineers of Gnodal who will be working to develop new technology.
Long before Apple started selling its iPad Air today, more than double the number of consumers asked for price quotes on their older tablets than last year, a pair of buyback companies said.

Posted by InfoSec News on Nov 01


By Sheera Frenkel
BuzzFeed Staff
October 30, 2013

CAESARIA, Israel -- Three hackers sit in a darkened room, grey hoodies
pulled over their faces and glowing computer screens lighting up the rapid
typing of their fingers. Graffiti covers the walls around them quoting
Anonymous and other hacking collectives.

It may be a clichéd picture of hacking...

Posted by InfoSec News on Nov 01


By Warwick Ashford
31 October 2013

The success of cyber security at the London 2012 Olympic Games is down to
security by design, extensive testing, and having the right people,
according to Mark Hughes, chief executive of BT Security.

"Knowing the Olympics were coming years in advance gave us a lot of time

Posted by InfoSec News on Nov 01


By John Leyden
The Register
31st October 2013

RSA Europe 2013: Declining support for young science and technology researchers
from the US government could hurt technology innovation in the long term, a top
computer scientist has warned.

Robert Griffin, chief security architect at information security biz RSA, said
complaints about funding featured in all three pairs of...

Posted by InfoSec News on Nov 01


By Dan Goodin
Ars Technica
Oct 31 2013

Three years ago, security consultant Dragos Ruiu was in his lab when he
noticed something highly unusual: his MacBook Air, on which he had just
installed a fresh copy of OS X, spontaneously updated the firmware that
helps it boot. Stranger still, when Ruiu then tried to boot the machine
off a CD...

Posted by InfoSec News on Nov 01


By Gus Venditto
Healthcare IT News
October 29, 2013

As healthcare facilities launch their own patient portals, technology is
only the first step. Administrators are learning that decisions need to be
made on everything from patient login protocols to support for patient
record revisions.

HIPAA regulations, always a primary concern when patient records are...
IBM Tivoli Monitoring HTTP Monitoring Console Cross Site Scripting Vulnerability