Federal Cybersecurity by the Numbers: The Biggest Spenders and the Biggest Threats
But the annual scorecard tracking agencies' compliance with the Federal Information Security Management Act shows some agencies are, in fact, backsliding when it comes to robust security measures. ... First, the good news. The chart above shows the ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

The attack is made possible by a lack of isolation in Firefox among the various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking on the capabilities of trusted third-party add-ons, the malicious add-on is much less likely to be detected.

"These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks," the researchers wrote in a paper that was presented last week at the Black Hat security conference in Singapore. "Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."



The VAR Guy

Let's Talk About Security
The report is full of good information, including the size of the security market, the growing prospects for InfoSec professionals, and the technologies that channel firms feature in their portfolios. The most practical data, though, centers on ...



WhatsApp has enabled end-to-end encryption across all versions of its messaging and voice calling software, according to a Tuesday announcement on the company's website.

Given that WhatsApp is already used by over 1 billion people worldwide, it will become the most widely used end-to-end crypto tool as users upgrade to the latest version.

"We live in a world where more of our data is digitized than ever before," Jan Koum, a WhatsApp co-founder, wrote in a company blog post on Tuesday. "Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people's digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities."



We have added new features relating to our coverage of Microsoft patches and imported the legacy patch diary tables into our new system, going back to 2006.

API methods: https://isc.sans.edu/api/#getmspatchday

Web interface: https://isc.sans.edu/mspatchdays.html

Please note that the data may be incomplete or inaccurate in some cases. If you find errors, please leave a comment on this thread.

Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center

[SECURITY] [DSA 3543-1] oar security update
[SECURITY] [DSA 3542-1] mercurial security update
Apple iOS 9.3.1 (iPhone 6S & iPhone Plus) - (3D Touch) Passcode Bypass Vulnerability

Diana Kelley of IBM to Speak at Rock Stars of Risk-Based Security on the Tie Between the Animal Kingdom and ...
PR Newswire (press release)
She also served on the Advisory Board for InfoSec World 2015 and on the IBM Network Science Research Center Smart Grid Advisory Group. Kelley joins a roster of the top minds and innovators in the cyber security field at Rock Stars of Risk-Based ...

[SECURITY] [DSA 3541-1] roundcube security update
[security bulletin] HPSBGN03569 rev.1 - HPE OneView for VMware vCenter (OV4VC), Remote Disclosure of Information
[slackware-security] mozilla-thunderbird (SSA:2016-095-01)