Backbytes: Guess who's looking for security specialists? Why, Moonpig...
"This is an exciting opportunity to join the growing IT function at Moonpig. We are looking for a versatile Security Officer with strong web-orientated skills, alongside a proven track-record managing an e-commerce focused security programme at a ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Johannes B. Ullrich, Ph.D.


For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.

Ironically, the chink that allows websites to uniquely track people's incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections. By appending a flag to the header a browser receives when making a request to a server, HSTS ensures that all later connections to a website are encrypted using one of the widely used HTTPS protocols. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which hackers convert an encrypted connection back into plain-text HTTP.

Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.
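The HSTS state described above, modelled as an added example (not code from the article or from RadicalResearch): a simplified browser policy store that parses the Strict-Transport-Security header, honours max-age and includeSubDomains, and shows that the record outlives the page that set it until it expires or the site sends max-age=0, so a private-browsing session is only shielded when it reads from a separate, empty store. Host names and header values are constructed sample data.

```python
# Added illustration of a browser's HSTS policy store (simplified RFC 6797
# semantics); not code from the article or from RadicalResearch. Sample data is constructed.
import time

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    returns None when there is no usable max-age directive."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """One profile's store: host -> (expiry timestamp, includeSubDomains flag).
    It persists across page loads; private browsing is shielded only by a separate store."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so expiry can be tested
        self.policies = {}
    def observe(self, host, header):
        """Record the policy a host sent over HTTPS; max-age=0 removes it."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (self.now() + max_age, include_sub)
    def must_upgrade(self, host):
        """True if a plain http:// request to host must be sent as https://."""
        labels = host.split(".")
        for i in range(len(labels)):           # host first, then each parent domain
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                del self.policies[candidate]   # expired policy: forget it
            elif i == 0 or include_sub:
                return True
        return False
```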


concrete5 Multiple Cross-Site Scripting Vulnerabilities

Sharyl Attkisson, the former CBS investigative reporter who published her claims of government intimidation, electronic surveillance, and cyber-attacks in a book last fall, has begun the process of taking the government to court over the hacking of her personal and work computers, as well as her home network.

In the process, Attkisson’s attorneys have begun to reveal the details of forensic investigations by computer security experts. In legal filings against the government, the attorneys disclosed which government agency’s network was the source of at least some of the hacks: the US Postal Service.

In an administrative claim filed on January 5 under the provisions of the Federal Tort Claims Act and a complaint filed with the District of Columbia Superior Court, Attkisson’s attorneys gave an initial summary of their accusations against the US Justice Department, which they claim directed the surveillance of Attkisson as part of an ongoing Obama administration campaign against journalists and government employees acting as their confidential sources. Attkisson and her family have named outgoing US Attorney General Eric Holder, Postmaster General Patrick Donahoe, and “unknown named agents” of the Department of Justice and US Postal Service as defendants in the suit, seeking damages that could total approximately $35 million.



UK-based Bitstamp, the second largest bitcoin exchange for US dollars, suspended operations on Monday, following evidence that online thieves had stolen up to 19,000 BTC—approximately $5.2 million—from its operational store of bitcoins.

The company alerted its users of the possible attack on Monday and warned against transferring any bitcoins to the service’s old bitcoin deposit addresses. Early the following morning, Bitstamp revealed that the attack affected fewer than 19,000 bitcoins. The actual attack appeared to have occurred on Sunday, January 4, when attackers compromised the company’s operational funds, also known as the “hot wallet.”

“Thank you all for your patience, we are working diligently to restore service,” Nejc Kodrič, the co-founder and CEO of Bitstamp, tweeted on Monday, adding, “To restate: the bulk of our bitcoin are in cold storage, and remain completely safe.”



Hardening VoIP systems: Challenges and solutions
By Albert Fruz, InfoSec Institute. VoIP systems can take many different forms. Any computer is capable of providing VoIP services. Microsoft's NetMeeting, which comes with any Windows platform, provides some VoIP services as does the Apple Macintosh ...

TinyMCE BBCode Plugin CVE-2012-4230 HTML Injection Vulnerability
Linux Kernel 'kernel/kvm.c' Local Information Disclosure Vulnerability
ZTE Datacard MF19 0V1.0.0B PCW - Multiple Vulnerabilities
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security [More...]
LinuxSecurity.com: strongSwan could be made to crash or run programs if it received specially crafted network traffic.
LinuxSecurity.com: Security Report Summary
Linux Kernel CVE-2010-5313 Local Denial of Service Vulnerability
[ MDVSA-2015:005 ] subversion
Apache Subversion CVE-2014-8108 Remote Denial of Service Vulnerability
Apache Subversion CVE-2014-3580 Remote Denial of Service Vulnerability

Posted by InfoSec News on Jan 06


The Wall Street Journal
Jan. 5, 2015

LAS VEGAS — Sony Corp. Chief Executive Officer Kazuo Hirai made his first
public comments Monday on the recent hacking attack on its movie division,
thanking employees and partners for support that made the movie, the
Interview, available to public audiences.

“I am very proud of all the employees...

Posted by InfoSec News on Jan 06


By Michael Cooney
Network World
Jan 5, 2015

With its increased emphasis on Internet crime it might come as small
surprise the FBI is now looking to bulk up its cyber agent workforce.

The agency in a job posting that is open until Jan. 20 said it has “many
vacancies” for cyber special agents to investigate all manner of cyber...

Posted by InfoSec News on Jan 06


By Lucian Constantin
IDG News Service
Jan 5, 2015

A new open-source tool can be used to launch phishing attacks against
users of wireless networks in order to steal their Wi-Fi access keys.

Gaining access to a WPA-protected Wi-Fi network can be extremely valuable
for attackers because it puts them behind the firewall, in what...

Posted by InfoSec News on Jan 06


By Erin McCann
Managing Editor
Healthcare IT News
January 5, 2015

What United States Postal Service officials originally reported as a
"cybersecurity intrusion" that compromised the Social Security numbers of
some 800,000 USPS employees, turned out to be even bigger than they
thought, involving scores of protected health records too.

The cyberattack, which...

Posted by InfoSec News on Jan 06


By Everett Rosenfeld, Jeff Cox, Mary Thompson
Jan 5, 2015

Morgan Stanley said Monday that it terminated an employee for stealing
wealth management data from up to 10 percent of its clients, or about
350,000 people.

The bank said there is thus far "no evidence of any economic loss" for its
clients. Still, data for about 900 clients—including account names and
numbers—were briefly...
[SECURITY] [DSA 3119-1] libevent security update
Re: [The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central
ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities