Hackin9


 
Backdoors. Useful on buildings. Crappy in cryptography.

The mission of the US' National Institute of Standards and Technology, NIST, is to create technical and measurement standards to make US manufacturing and industry more competitive.

In 1987, the Computer Security Act tasked NIST (then known as the National Bureau of Standards, NBS) with the creation of computer standards to ensure the security of federal computer systems. The best known standard that came from this work is probably the Advanced Encryption Standard (AES) algorithm. NIST held a competition between 1997 and 2000 to pick a symmetric cipher (that is, one where the same key is used for both encryption and decryption). The winner of the competition was Belgian algorithm Rijndael, and accordingly, Rijndael is known as AES.

The CSA explicitly required NIST to seek the advice and guidance of the National Security Agency when creating these standards. The NSA is, after all, where the government's cryptography experts work, and once upon a time, the organization was pretty helpful in this area. Before the CSA, the NSA had helped develop old NBS standards. In the 1970s, NBS created a standard for AES's predecessor, called the Data Encryption Standard (DES).



    






 
To prevent SharePoint Online customers from feeling boxed in, Microsoft wants to improve the way they upload and store documents in the platform, Office 365's cloud collaboration server.
 

Ever since Edward Snowden began leaking NSA secrets earlier this year, President Obama has insisted that they weren't "whistleblowing" in any useful sense because they didn't reveal any abuses. Instead, they simply revealed secret programs that were:

  • Operating with rigorous NSA oversight and without real problems;
  • Extensively vetted by the secret Foreign Intelligence Surveillance Court (FISC);
  • In compliance with US law, which didn't need any significant changes; and
  • Generally speaking, a good idea.

For instance, here was Obama at an August 9 press conference at the White House, answering a couple of questions from journalists about the NSA's programs.

And if you look at the reports, even the disclosures that Mr. Snowden's put forward, all the stories that have been written, what you're not reading about is the government actually abusing these programs and, you know, listening in on people's phone calls or inappropriately reading people's e-mails. What you're hearing about is the prospect that these could be abused. Now part of the reason they're not abused is because they're—these checks are in place, and those abuses would be against the law and would be against the orders of the FISC.

As for any needed changes, they were minor. Obama's team already made some small modifications of its own—"some bolts needed to be tightened up on some of the programs," was how he put it. His changes involved things like more "compliance officers." But the programs and the laws they rested on were fine. Still, in the spirit of having a "discussion," Obama agreed that "people may want to jigger slightly sort of the balance between the information that we can get versus the incremental encroachments on privacy" that might be possible "in a future administration or as technology's developed further." (Remember, everything now is fine!)



    






 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Right on schedule (see their lifecycle doc at https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf), the PCI Security Standards Council has released a "what to expect" document for PCI DSS 3.0.  I'm a bit late commenting on this - somehow I missed this when it was posted in August.  Specifically called out in the doc are:

  • Lack of education and awareness
  • Weak passwords, authentication
  • Third-party security challenge
  • Slow self-detection, malware
  • Inconsistency in assessments


The change document is here: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf

It'll be interesting to see what the final document will look like when it's released in November, and what happens when QSAs turn the PCI guidance into audit findings and recommendations.

==============
Rob VandenBrink
Metafore

 
This IP-based network camera provides homeowners with a convenient way to monitor remote surroundings from within the home or across the Internet.
 

The National Security Agency (NSA) and its British counterpart have successfully defeated encryption technologies used by a broad swath of online services, including those provided by Google, Facebook, Microsoft, and Yahoo, according to new reports published by The New York Times, Pro Publica, and The Guardian. The revelations, which include backdoors built into some technologies, raise troubling questions about the security that hundreds of millions of people rely on to keep their most intimate and business-sensitive secrets private in an increasingly networked world.

The reports, published simultaneously by the NYT, Pro Publica, and The Guardian, are based on newly disclosed documents provided by former NSA contractor Edward Snowden. They reveal a highly classified program codenamed Bullrun, which according to the reports relied on a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion" to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," the NYT reported, quoting a 2010 memo describing a briefing of NSA capabilities to employees of the Government Communications Headquarters, or GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."



    






 

A recent academic paper (PDF) shows “that Tor faces even greater risks from traffic correlation than previous studies suggested.” In other words, one of the world’s best tools for keeping online speech anonymous is at risk in a previously known—but now even clearer—fashion.

In the wake of a recent uptick of Tor usage (whether from a botnet or from people inspired by former National Security Agency [NSA] contractor Edward Snowden), a reminder of these risks is certainly germane to today’s Internet.

The new research shows that an adversary controlling Internet Exchange Points (IXPs) or large autonomous systems (ASes), such as an ISP, could expose and identify a Tor user, given enough time.



    






 
Microsoft today said it will ship 14 security updates next week to patch critical vulnerabilities in Internet Explorer, Windows, Office and SharePoint, its enterprise collaboration platform.
 
Google lawyers are in court today seeking the dismissal of a lawsuit that would stop the company from scanning Gmail users' email messages for advertising purposes.
 
Belgium-based brewer Anheuser-Busch has set up a "Bud Lab" at the University of Illinois in Urbana-Champaign as part of an effort to gain access to young engineering talent.
 
Facebook is seen as a website for connecting people. Now the company also wants to make it easier for outside developers to build their apps and connect them with users, by providing back-end hosting tools.
 
The U.S. National Security Agency has been circumventing many online encryption efforts through a combination of supercomputers, back doors built into technology products, court orders and other efforts, according to a new report from The New York Times and ProPublica.
 
It's difficult to predict how an appeals court will rule after it hears arguments Monday in Verizon Communication's challenge of the U.S. Federal Communications Commission's net neutrality rules.
 
Smartphones are everywhere, and smartwatches are poised to follow. Techies are eying Google Glass. And we now wear our technology on our sleeve. Have we finally reached gadget overload? CIO.com senior writer Tom Kaneshige isn't afraid to say, 'Enough!'
 
Chip makers are responding to the hot wearable-computer trend with new processor designs as they also seize the opportunity to breathe life into existing chip technologies that previously failed to catch hold.
 
Google has wheeled out a new type of application for its Chrome browser that according to the company combines the best of desktop and cloud software.
 
If damage to SK Hynix's large fab facility in China is extensive, production could take as long as six months to resume and as much as 10% of the world's DRAM supply would be affected.
 
After Samsung's Galaxy Gear smartwatch was roundly criticized by some reviewers and analysts after its unveiling Wednesday, it seems fair to ask: Will the technology be a hit or a dud?
 
NASA engineers have finished launch preparations for a robotic probe that will lift off Friday night for a mission to explore the moon's atmosphere.
 
 

Researchers have found a new theory to explain the sudden spike in computers using the Tor anonymity network: a massive botnet that was recently updated to use Tor to communicate with its mothership.

Mevade.A, a network of infected computers dating back to at least 2009, has mainly used standard Web-based protocols to send and receive data to command and control (C&C) servers, according to researchers at security firm Fox-IT. Around the same time that Tor Project leaders began observing an unexplained doubling in Tor clients, Mevade overhauled its communication mechanism to use anonymized Tor addresses ending in .onion. In the week that has passed since Tor reported the uptick, the number of users has continued to mushroom.

"The botnet appears to be massive in size as well as very widespread," a Fox-IT researcher wrote in a blog post published Thursday. "Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor users increase."



    






 

Are you interested in where IPSs (Intrusion Prevention Systems) are going over the next few years?  Do you think we'll see more HIPS (Host Intrusion Prevention Systems) feeds into IPS consoles, or more integration with SIEMs?  Or will we just see better versions of what we have today?

Or are you maybe just wondering if your organization needs an IPS?

Either way, we're interested in your input!  We've got a survey running to collect your take on IPSs, and where you expect (or would like) to see them evolve over the next few years:   https://www.surveymonkey.com/s/2013SANSNetworkSecuritySurvey

We'll be collecting the results shortly, and will be sharing them in a SANS Analyst Webcast in October - more details here: https://www.sans.org/webcasts/survey-network-security-96967

Looking forward to your views!

===============
Rob VandenBrink
Metafore

 
Long-time partners SAP and Accenture are deepening their relationship with a new offering that calls for Accenture to serve as a single point of contact on projects involving SAP's HANA in-memory database platform and Accenture's own intellectual property.
 
The spike in the number of clients using the Tor anonymity network was likely caused by a botnet, according to Tor and third-party security researchers.
 
Xen 'xc_vcpu_setaffinity()' Function Buffer Overflow Vulnerability
 

With one "extracurricular" project winding up, I figured it was time to start the next one, and playing with the new crop of GPUs for hash and password cracking seems like a fun way to go.

At first glance, using specialized hardware like a GPU would mean working in a physical machine, with a VM not in the cards.  Not so: it's actually pretty easy to make it fly in a VM, with a bit of planning.  For me, it also means that I don't need to find a spot for a new server.

First of all, you'll need a short list of "must haves":

  • A hypervisor that supports VT-d.  I'm using VMware ESXi (this is NOT something you want to try in Workstation).
  • A motherboard and CPU that support VT-d.  I'm using a Tyan board and a Xeon E3 processor.
  • Be sure that your system board will accept PCIe x16 cards.  You don't need x16 throughput, a narrower slot will do nicely, but it needs to physically accept an x16 card (my board has an x8 slot).
  • If you plan to use more than one GPU card, be sure the system board has enough slots, and that they are far enough apart (GPUs generally take two slots).  Also, with more cards, a tower configuration will tend to overheat the top card(s); be sure you have lots of fans in the case, and try to end up with the cards mounted vertically after all is said and done.
  • Be sure you've got a power supply with lots of connectors and power.  The card I ended up buying needed both an 8-pin and a 6-pin PCIe power connector; I've got a 650 W modular power supply in this machine, so all is well.
  • Finally, the right GPU.

For folks like me that are on a budget, there are two main choices in GPUs - NVIDIA and AMD. 

While both perform great for graphics, AMD has an edge in crypto work: it seems to have better integer computing support, so tools like Hashcat or John the Ripper tend to run quicker.
In a virtual environment, the AMD cards also seem to work better with VT-d (DirectPath I/O, the device passthrough feature in the ESXi interface).  If you want to use NVIDIA GPUs, you'll actually install drivers in ESXi itself, and you'll be confined to the most expensive NVIDIA cards (Quadro 6000, 5000, 4000, or the Tesla or GRID cards).  This is actually pretty cool, as you can spread the GPUs across multiple VMs for virtual desktop applications like CAD and the like.  But splitting the power of a GPU card across multiple VMs defeats the whole point of building a VM for cracking.

For my lab, I chose an AMD Radeon HD 7970: it's got great processing power and it was on sale that week.  The 7900 series seems to be right at the knee of the curve, where more processing power starts to cost disproportionately more money.

So, once all the prerequisites are in place, we're ready to go.

1/ First, install your card.  

2/ Next, over to ESXi: we'll need to enable device passthrough (VT-d, DirectPath I/O) for our new device.  You'll find this in the host's Configuration / Advanced Settings / Edit.  Select the new card (which also selects the PCIe slot that it's in), and save.  You'll need to reboot the host after this is done.

3/  Next, over to our VM.  We'll go to the "Edit Settings / Add Hardware" screen, and add this new PCI device.  Once this is done, vMotion and HA will no longer be possible for this VM, since it's tied to a specific PCIe slot in the server.  Even a cold migrate (migration with the VM powered off) will involve some jumping through hoops - removing the card, migrating then re-adding the card after the migrate (you'll of course need identical hardware on the destination server once the migration is complete)


4/ After installing the correct AMD driver in the VM, we see our card!  I left the card at stock values for everything; nothing was overclocked or outside of the default settings.


5/ Next we'll need to install the OpenCL SDK in the VM (downloaded from AMD).

At this point, you'll be able to use the processing power of the GPU in any app written for it - I'm using Hashcat and John the Ripper, they both work great!

Running the hashcat benchmark (oclHashcat-lite64.exe -b) shows the card as a "Tahiti" (the codename for the 7900 series) and gives us some really impressive numbers, for instance 8765.0M/s for MD5 (yes, that's MILLIONS of hashes per second).  Real throughput on the full (non-lite) version, which handles salts, rules and multiple hashes, will be a little slower, but these numbers are pretty close to the truth.

Just for fun, I installed the identical setup on a similar but PHYSICAL machine (3.5 GHz i7 quad core, as opposed to the 3.3 GHz Xeon quad in my ESXi server).  You can see from the table below that the hash throughput is very close, with the i7 setup a bit slower.  It's in situations like this that the features in "server class" processors make a difference, things like larger CPU cache for instance.  My ESXi server was running my kid's Minecraft server (with him and all his friends on it), plus we were streaming video off of another VM running DLNA services for our TV, and hashcat in the VM is still consistently faster than the physical host running a workstation CPU of similar specs.

The numbers for both the virtual and physical servers are shown below.  From this, we can draw a few critical conclusions:

  • Hashing and encryption algorithms have kept pace in the past: as CPU power increased, we stayed ahead of the curve with stronger algorithms (DES, then 3DES, then AES, for instance).  Short strings like passwords could always be brute-forced, but the additional computation in each successive algorithm meant that, at any point in time, cracking the current algorithm on current hardware took too long to be practical (unless you had a nation-state budget).  Essentially this is Moore's Law in action.  The power these new GPU cards bring to the table gives the hardware side of the equation a "leapfrog effect": cracking capability jumps by several orders of magnitude, by lots of zeros.  And I'm not seeing a matching shift on the other side, no new algorithm that is 1,000 or 1,000,000 times harder and makes brute-forcing passwords impractical again.  Our best defense today is longer passwords; this is an area where size does matter, and bigger is better.  But what's really needed is an alternative to passwords, or a whole other method of storing them.
  • MD5 and SHA1 should no longer be used to store passwords, EVER.  With this kind of throughput available to attackers on even minimal budgets, these still commonly used algorithms are just too easy to crack.  Note that a plain salt does not change this: the md5($pass.$salt) and sha1($pass.$salt) rows in the table run at the same speed as the unsalted ones, so a salt only prevents precomputation and cross-user reuse of work, not a fast brute force.  You should be able to draw your own conclusions as to what's a better way to go (look towards the bottom of the list, or at what's not on the list yet).
  • PBKDF2 (RFC 2898) is not on the oclHashcat-lite benchmark list above.  It isn't a new algorithm (RFC 2898 dates from 2000), but it isn't widely deployed for password storage yet.  Its goal is to "eat" a much higher number of compute cycles per guess, and the iteration count is tunable, so the defender can raise the cost as hardware gets faster; that makes it a good fit for password storage (especially with HMAC-SHA256 as the PRF instead of the usual HMAC-SHA1).  This may be our best bet for password storage, short term (I don't have benchmarks for it yet).  We are, however, seeing GPU support for this algorithm in John the Ripper.
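As an added example (not code from this diary, from hashcat or from John the Ripper), here is the difference in Python between the fast, unsalted MD5 that the table below rates and a PBKDF2-HMAC-SHA256 record with a per-user salt and a tunable iteration count. The record layout, the 100,000-iteration default, and the helper names are this example's own assumptions, not a standard.

```python
"""Password storage: the fast, unsalted MD5 the benchmark table rates, beside a
PBKDF2-HMAC-SHA256 record with a per-user salt and a tunable iteration count.
Added example for this diary; not code from the ISC post, hashcat or JtR."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed record format (this example's own convention, not a standard):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 derived key>
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000   # assumption: tune so one derivation costs ~100 ms on your server
SALT_BYTES = 16
DK_LEN = 32


def weak_md5(password: str) -> str:
    """What the MD5 row of the table cracks at billions of guesses per second:
    one fast, unsalted digest. Two users with the same password get the same
    hash, and a single pass over the keyspace tests every stored hash at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 key and pack it with the parameters needed to verify it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per user: no shared work across hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record type: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early-exit timing leak


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy, so it
    can be re-derived transparently at the user's next successful login."""
    _, iters, _, _ = record.split("$")
    return int(iters) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample input for the demo.
    rec = make_record("correct horse battery staple", iterations=50_000)
    print(rec)
    print("verify good:", verify("correct horse battery staple", rec))
    print("verify bad: ", verify("correct horse battery stapel", rec))
    print("needs rehash under current policy:", needs_rehash(rec))
    print("md5 is identical for identical passwords:", weak_md5("hunter2") == weak_md5("hunter2"))
```

The iteration count is the only knob that matters against the table below: every guess the attacker makes must pay for all of them, and `needs_rehash` lets you raise the count over time without a password reset.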

 

Hash Type Benchmark Values (hashes per second; M/s = millions, k/s = thousands)

 Hash type                                           On VM         On Physical
 md4($pass.$salt)                                    16582.8M/s    14963.5M/s
 MD4                                                 15715.4M/s    14578.4M/s
 NTLM                                                15485.1M/s    14246.9M/s
 MD5                                                  8765.0M/s     8291.2M/s
 md5($pass.$salt)                                     8725.6M/s     8324.7M/s
 Joomla                                               8464.9M/s     8349.0M/s
 NetNTLMv1-VANILLA / NetNTLMv1+ESS                    7624.8M/s     7034.0M/s
 Cisco-PIX MD5                                        5895.5M/s     5703.7M/s
 Half MD5                                             5291.4M/s     5230.3M/s
 DCC, mscash                                          4438.9M/s     4297.6M/s
 Double MD5                                           2502.7M/s     2448.9M/s
 vBulletin < v3.8.5                                   2492.4M/s     2427.9M/s
 SSHA-1(Base64), nsldaps, Netscape LDAP SSHA          2361.5M/s     2314.3M/s
 sha1($pass.$salt)                                    2359.4M/s     2314.3M/s
 SHA1                                                 2355.9M/s     2314.5M/s
 Oracle 11g                                           2350.3M/s     2303.0M/s
 MSSQL(2005)                                          2334.3M/s     2299.4M/s
 MSSQL(2000)                                          2311.3M/s     2309.7M/s
 SHA-1(Base64), nsldap, Netscape LDAP SHA             2276.0M/s     2295.8M/s
 vBulletin > v3.8.5                                   1697.7M/s     1628.0M/s
 IPB2+, MyBB1.2+                                      1693.8M/s     1670.8M/s
 LM                                                   1221.7M/s     1002.0M/s
 MySQL                                                1141.9M/s     1121.0M/s
 Cisco-IOS SHA256                                     1114.7M/s     1039.1M/s
 sha256($pass.$salt)                                  1111.6M/s     1056.1M/s
 SHA256                                               1109.7M/s     1053.8M/s
 NetNTLMv2                                             448.0M/s      447.1M/s
 Oracle 7-10g                                          210.7M/s      181.8M/s
 descrypt, DES(Unix), Traditional DES                 47052.0k/s    44934.1k/s
 SHA512                                               86120.7k/s    85831.9k/s
 sha512($pass.$salt)                                  86108.5k/s    85799.1k/s
 SHA-3(Keccak)                                        79302.0k/s    78995.5k/s

 

 

===============
Rob VandenBrink
Metafore

 
With sales of larger 'phablet' smartphones booming in Asia, Apple will likely respond next year, but it will face the same pricing predicament it's staring at now for the iPhone 5C.
 
The National Institute of Standards and Technology (NIST) has issued an updated version of the standard specification Personal Identification Verification (PIV) Card that federal employees and contractors use to enter government ...
 
In the world of 4K television -- TVs with four times the resolution of today's high-def sets -- size is king, because you need a big screen to benefit from all those extra pixels. But at this year's IFA consumer electronics show Toshiba is displaying one of the smallest 4K prototypes yet seen.
 
Audi's autonomous car technology will remove mundane tasks from every day driving, such as parking in packed garages and driving during rush-hour traffic.
 
One of the most intriguing products to appear at the IFA consumer electronics show in Berlin is Sony's QX-series of 'lens cameras.'
 
Lenovo sells most of its smartphones in China but it hopes to break out internationally with a new line of handsets called the Vibe.
 
Panasonic's Toughpad 4K UT-MB5 is mostly for professional users, but the tablet's 20-inch, 3840 x 2560 pixel screen may attract some consumers, as long as they are willing to part with $5,900.
 
Lenovo introduced a new wave of Yoga hybrids, shaving off size and weight so the devices are lighter when used as tablets, and faster in laptop mode.
 
Xiaomi is bringing the low-price strategy that has driven its success in mobile phones to the China's smart TV arena with a new 47-inch television that it says is the most affordable on the market.
 
OpenStack Nova XML Parsing CVE-2013-4179 Multiple Denial of Service Vulnerabilities
 
Python 'setuptools' Man in The Middle Vulnerability
 
[ MDVSA-2013:226 ] roundcubemail
 
GNU glibc 'pt_chown()' Function CVE-2013-2207 Local Security Bypass Vulnerability
 
Six privacy groups have asked the U.S. Federal Trade Commission to strike down proposed changes to Facebook's policies, as they violate a 2011 settlement with the agency over user privacy.
 
A search for "Hash Hunters" turns up marijuana-themed t-shirts for sale. It also brings up a password-cracking outsourcing service, payable in bitcoin.
 
A jury in Seattle, Washington, has ruled in favor of Microsoft in a patent dispute with Motorola Mobility over standards patents, according to court records.
 
Parallels has interesting ideas that only half work, and Fusion adds almost nothing new beyond better hardware support
 
A majority of U.S. Internet users polled in a recent survey report taking steps to remove or mask their digital footprints online, according to a report from the Pew Research Center's Internet Project and Carnegie Mellon University.
 
Here's why some customers are adopting the technology and which vendors they turned to for help.
 
A labor watchdog group is slamming one of Apple's suppliers for allegedly exploiting its Chinese workers to build the upcoming budget iPhone.
 
Yahoo's logo is now a little bit sleeker, under a redesign unveiled Wednesday in keeping with the company's reinvention efforts.
 
Cisco Secure Access Control System CVE-2013-5470 Remote Denial of Service Vulnerability
 
libmodplug CVE-2013-4234 Multiple Heap Buffer Overflow Vulnerabilities
 

InfoSec Skills Launches Strategic Partnership with Wisdom Education Group in ...
Watch List News (press release)
London, United Kingdom, September 04, 2013 –(PR.com)– InfoSec Skills (www.infosecskills.com) has announced a new strategic partnership with the Wisdom Education Group, based in the United Arab Emirates (UAE). Wisdom Education is a leading Group ...

 

InfoSec Skills Launches Strategic Partnership with Wisdom Education Group in ...
PR-BG.com (press releases) (press release)
InfoSec Skills (www.infosecskills.com) has announced a new strategic partnership with the Wisdom Education Group, based in the United Arab Emirates (UAE). Wisdom Education is a leading Group of Institutions in UAE having branches in Dubai, Abu Dhabi, ...

 

Posted by InfoSec News on Sep 05

http://www.csoonline.com/article/739117/aggressive-social-engineering-campaign-uncovered-in-europe

By Steve Ragan
Staff Writer
CSO Online
September 04, 2013

Earlier this year, Symantec discovered an aggressive social engineering
campaign targeting a limited set of multi-national firms in Europe. The attacks
were by the book, employing classic techniques, eventually netting the
criminals vast sums of stolen funds for their efforts.

In April,...
 

Posted by InfoSec News on Sep 05

http://www.computerworld.com/s/article/9242086/Amazon_hiring_top_secret_IT_staff_as_it_fights_for_CIA_work

By Patrick Thibodeau
Computerworld
September 4, 2013

The U.S. isn't doing a good job keeping secrets. Think Edward Snowden. But
demand for trustworthy IT professionals is strong, especially if they want
to work for Amazon Web Services.

Amazon has more than 100 job openings for people who can get a top secret
clearance, which...
 

Posted by InfoSec News on Sep 05

http://www.nextgov.com/cybersecurity/2013/09/are-your-g20-briefings-laced-spyware/69888/

By Aliya Sternstein
Nextgov.com
September 4, 2013

Infected emails seemingly bearing feedback on UK government draft G20
briefings -- that actually steal data -- are targeting government
officials and economic development leaders ahead of this week's global
summit in Russia, researchers say. Spearphishing campaigns that coincide
with the G20 are...
 

Posted by InfoSec News on Sep 05

Forwarded from: nullcon <nullcon (at) nullcon.net>

V are V

On our fifth Anniversary we are super excited to officially open the
CFP (Call for PARTYcipation!). Yes, this is going to be the biggest
nullcon till now with lot of sub-events, CTFs, villages, workshops,
talks, parties.

Time to tickle your gray cells and submit your research.

Date:
Training 12-13th Feb 2014
Conference: 14-15th Feb 2014

CFP V

----------

Submit under any of...
 

Posted by InfoSec News on Sep 05

http://www.forbes.com/sites/andygreenberg/2013/09/04/startup-bugcrowd-raises-1-6-million-to-pay-hacker-hordes-to-hunt-clients-bugs/

By Andy Greenberg
Forbes Staff
Security
9/04/2013

Google, Facebook and PayPal offer thousands of dollars in rewards to friendly
hackers who find and report security bugs in their products. Now a handful of
venture capital firms are betting that your company will pay to have your
products hacked, too.

On...
 

Posted by InfoSec News on Sep 05

http://20committee.com/2013/09/04/snowden-nsa-and-counterintelligence/

By John R. Schindler
The XX Committee
September 4, 2013

Ever since the remarkable case of Edward Snowden broke into the limelight at
the beginning of the summer that’s now winding down, I’ve had a great deal to
say about it here, on Twitter, and on radio and television. As one of the very
few former NSA officers who’s in the public eye and willing to talk about...
 

Posted by InfoSec News on Sep 05

http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/

By Kim Zetter
Threat Level
Wired.com
09.04.13

The NSA runs a massive, full-time hacking operation targeting foreign systems,
the latest leaks from Edward Snowden show. But unlike conventional
cybercriminals, the agency is less interested in hacking PCs and Macs. Instead,
America’s spooks have their eyes on the internet routers and switches that form
the basic infrastructure of...
 
[SECURITY] [DSA 2751-1] libmodplug security update
 
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players
 