Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Secunia Research: LibGD "_gdContributionsAlloc()" Integer Overflow Denial of Service Vulnerability
[security bulletin] HPSBGN03633 rev.1 - HPE Release Control, Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access to Files or Server-Side Request Forgery(SSRF)
Cisco Security Advisory: Cisco RV180 VPN and RV180W Wireless-N Multifunction VPN Routers Remote Code Execution Vulnerability
Cisco Security Advisory: Cisco RV180 VPN and RV180W Wireless-N Multifunction VPN Routers Unauthorized Access Vulnerability

A report by Reuters suggests that the FBI was aware of a possibly Russian-sponsored intrusion into the network of the Democratic National Committee as early as last fall. But FBI investigators initially told DNC staff only that they should be on the lookout for strange activity on their network—the feds didn't mention a potential state-sponsored attack until they informed the Clinton campaign in March about a phishing campaign.

Unnamed DNC staffers told Reuters' Mark Hosenball and John Walcott that the FBI had been investigating a potential intrusion into the DNC's network since the fall of 2015. After the initial warning to look for anything suspicious, DNC IT staff checked network logs and scanned files, finding nothing suspicious. When asked to provide more information to help identify a problem, the FBI "declined to provide it," according to the Reuters report.

It was not until March that the DNC IT team realized the severity of the intrusion into their systems, though Reuters did not report what triggered that realization. At about the same time, the FBI reportedly warned the Clinton campaign of the attempted attacks, according to a Yahoo News report. Spear-phishing attacks against the DNC and the presidential campaign organization of Hillary Clinton were detected in March and April by the security company SecureWorks, as Ars has previously reported.



A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites. (credit: Vanhoef, Van Goethem)

The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas.


ImageMagick 'MagickCore/enhance.c' Remote Buffer Overflow Vulnerability
[SECURITY] [DSA 3639-1] wordpress security update

The value of bitcoins plummeted 20 percent after almost 120,000 units of the digital currency were stolen from Bitfinex, a major Bitcoin exchange.

The Hong Kong-based exchange said it had discovered a security breach late Tuesday and has suspended all transactions.

“We are investigating the breach to determine what happened, but we know that some of our users have had their Bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up,” said the company on its website.



(credit: Photograph by Randy Stewart)

A notorious black hat says he has more than 200 million hacked Yahoo accounts for sale on the dark Web. The company says it is "aware of [the] claim," but is refusing to comment on its veracity. Yahoo accounts are primarily used to log into the company's webmail service, but also for other sites like Flickr.

It's unclear at this point whether Yahoo has itself been breached, but the account data has been publicly available on a Tor-accessible marketplace called The Real Deal since Monday, and is apparently being sold by a hacker known as Peace, who has previously been linked to large-scale sales of MySpace and LinkedIn account details in 2012.

A Yahoo spokesperson said:


WorldCIST'17 - Call for Workshops Proposals; Deadline: September 5
OpenSSL DROWN Attack CVE-2016-0800 Security Bypass Vulnerability
[SECURITY] [DSA 3638-1] curl security update
Arbitrary File Content Disclosure in Atutor
Liferay Portal 'barebone.jsp' Directory Traversal Vulnerability
Internet Storm Center Infocon Status