[SECURITY] [DSA 3067-1] qemu-kvm security update
[SECURITY] [DSA 3066-1] qemu security update
CA20141103-01: Security Notice for CA Cloud Service Management

Customer data protection is a corporate social responsibility
"You could bring cost considerations into it, but typically, the way we've seen organisations do this is that it becomes more of a governing philosophy of sorts — not just for the infosec team, but for management in general," Shey said. "It no longer ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

On Verizon Wireless’ website, the company advises customers to “[n]ever give your passwords to anyone over the phone, include them in e-mail messages, [or] give them to anyone.” This is good security advice that experts would agree with. Yet Verizon itself is seeking out customers on Twitter and asking for their billing passwords over the social network’s direct messages platform.

This, obviously, isn’t the best security practice. Security experts who spoke to Ars disagreed on just how dangerous it is but agreed that Verizon should find a better way to verify the identities of customers.

It’s not a new strategy for Verizon, but I wasn’t aware of it until this week when the Verizon Wireless customer support account inserted itself into a Twitter conversation I was having, urged me to follow the account so we could exchange direct messages, and then asked for my mobile number and billing password. (Note: The billing password is akin to a PIN and separate from a customer's primary account password, but I didn't know that because Verizon's customer service account did not make this clear to me, and it seems likely other customers could be confused as well.)



Ushering in a new threat landscape for iPhone users, security researchers have uncovered an active malware operation that compromised the OS X and iOS devices of hundreds of thousands of people.

WireLurker, as the new family of malware has been dubbed, first took hold of Macs when users installed pirated software that had been laced with malicious code, according to a report published Wednesday by researchers from Palo Alto Networks. The trojan then installed itself as an OS X system daemon and waited for iOS devices to connect over USB interfaces. The infected Macs would then grab the serial number, iTunes store identifier, and if available, phone number of the iOS device and send the data to a server controlled by the operators. WireLurker-infected phones were also loaded up with a variety of unwanted apps. Palo Alto Networks researchers found 467 OS X WireLurker-infected applications available on Maiyadi, a third-party app store located in China. The apps were downloaded 356,104 times, a figure indicating that hundreds of thousands of people likely were hit by the infection.

"Viable means of attack"

At first blush, WireLurker doesn't look like much of a threat. For one thing, it targeted a relatively small number of people in a limited geography who all appeared to have ties to pirated software. On top of that, once it gained persistence on a Mac or iDevice, WireLurker stole only a small amount of data and installed mostly innocuous apps. But there are reasons WireLurker could be important to iOS users everywhere. Chief among them, the infected Macs were able to compromise non-jailbroken iPhones and iPads by abusing the trusted iOS pairing relationship and enterprise provisioning, a mechanism that allows businesses to install custom-written apps on employee devices.


PHP 'date_from_ISO8601()' Function Buffer Overflow Vulnerability
FedUp CVE-2013-6494 Insecure Temporary File Creation Vulnerability
Smarty CVE-2014-8350 Remote Arbitrary Code Execution Vulnerability

When the first Silk Road and its alleged operator, Ross William Ulbricht, were taken down by the US government just over a year ago, it took some technical mojo to track down the server and its operator. That apparently wasn’t the case with Ulbricht’s successor. According to the US Attorney’s office for the Southern District of New York, Silk Road 2.0 was the victim of some old-fashioned social engineering of the most damaging kind. An undercover federal agent was able to join the site's administration team and gather the intelligence that led to the arrest of Blake Benthall—the alleged operator of the Silk Road successor site who went by the name “Defcon.”

The first Silk Road site, like version 2.0, operated as a “hidden service” on the Tor .onion anonymized network. The FBI claimed that it was able to exploit a flaw in a “captcha” feature of the concealed website to obtain Silk Road 1.0's actual IP address and track the server to a data center in Iceland. Ulbricht’s attorneys called the explanation “implausible,” accusing the FBI of unlawfully hacking the server.

However, in its investigation of Silk Road 2.0, the government took a different technical tack. In a statement issued by the US Attorney’s Office about the arrest, a spokesperson said, ”During the Government’s investigation, which was conducted jointly by the FBI and [Homeland Security Investigations], an HSI agent acting in an undercover capacity (the “HSI-UC”) successfully infiltrated the support staff involved in the administration of the Silk Road 2.0 website and was given access to private, restricted areas of the site reserved for Benthall and his administrative staff. By doing so, the HSI-UC was able to interact directly with Benthall throughout his operation of the website.”



Infosec services firms Accuvant and FishNet to merge
Two of the largest players in information security services and consulting, Accuvant Inc. and FishNet Security Inc., announced merger plans Wednesday. Financial details of the merger, set to be completed during Q1 of 2015, have not been made available ...


Posted by InfoSec News on Nov 06


By Aliya Sternstein
November 5, 2014

The House and Senate have hit a road bump trying to update a 2002 law that
collects binders of paper once a year, as a way of monitoring federal
computer security.

Folding an overhaul of the Federal Information Security Management Act, or
FISMA, into an annual must-pass defense law is one...

Regular reader and contributor Gebhard sent us a pointer to Crypto 101, an introductory course on cryptography by Laurens Van Houtven (lvh), written for programmers of all ages and skill levels and available to everyone, for free, forever. It is a pre-release PDF of a project that will be released in more formats later.

The Crypto 101 course allows you to learn by doing and includes everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash functions, message authentication codes, public key encryption, key agreement protocols, and signature algorithms.

  • Learn how to exploit common cryptographic flaws, armed with nothing but a little time and your favorite programming language.
  • Forge administrator cookies, recover passwords, and even backdoor your own random number generator.

Lvh has written a fine book here: it is comprehensive yet accessible, robust but not overwhelming, and accomplishes its intended mission as a learning guide. And did I mention that it
@holisticinfosec
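One exercise in the spirit of the "forge administrator cookies" bullet above, worked through here as an added example (my code, not material from Crypto 101 or from lvh): a server encrypts a `role=user` profile under ECB, and an attacker who never learns the key pastes ciphertext blocks together to obtain `role=admin`. The 16-byte Feistel cipher with a SHA-256 round function, the profile format, and the names `issue_cookie`, `parse_cookie` and `forge_admin_cookie` are assumptions chosen so the script runs on the standard library alone; the attack depends only on the mode, not on the cipher.

```python
"""ECB cut-and-paste: forging an 'admin' cookie without knowing the key.

Added example, not code from Crypto 101 or lvh.  The block cipher is a
4-round Feistel network with a SHA-256 round function (an assumption made so
no third-party library is needed); the weakness exploited is ECB mode, which
encrypts equal 16-byte plaintext blocks to equal ciphertext blocks and lets
blocks be moved between messages.
"""
import hashlib
import os

BLOCK = 16
KEY = os.urandom(16)  # server-side secret; the attacker never sees it


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function: keyed hash of the 8-byte right half, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def decrypt_block(key, block):
    # Undo the rounds in reverse order: (L', R') = (R, L ^ F(R)) inverts to
    # L = R' ^ F(L'), R = L'.
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def pad(data):
    # PKCS#7: always append 1..16 bytes, each equal to the pad length.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, data):
    data = pad(data)
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    plain = b"".join(decrypt_block(key, data[i:i + BLOCK])
                     for i in range(0, len(data), BLOCK))
    return unpad(plain)


# --- the server side (assumed profile format) ---
def profile_for(email):
    # Strips the delimiters, so the attacker cannot simply type "&role=admin".
    email = email.replace("&", "").replace("=", "")
    return f"email={email}&uid=10&role=user".encode("latin-1")


def issue_cookie(email):
    return ecb_encrypt(KEY, profile_for(email))


def parse_cookie(cookie):
    fields = ecb_decrypt(KEY, cookie).decode("latin-1").split("&")
    return dict(f.split("=", 1) for f in fields)


# --- the attacker: has issue_cookie() as an oracle and knows the block size ---
def forge_admin_cookie():
    # Cookie 1: 10 filler bytes push "admin" + its own PKCS#7 padding (11 x 0x0b)
    # into exactly the second block:  "email=AAAAAAAAAA" | "admin\x0b...\x0b" | ...
    c1 = issue_cookie("A" * 10 + "admin" + "\x0b" * 11)
    admin_block = c1[BLOCK:2 * BLOCK]
    # Cookie 2: a 13-character e-mail makes "email=...&uid=10&role=" exactly 32
    # bytes, so "user" + padding is alone in the third block.
    c2 = issue_cookie("attacker@x.co")
    # Swap that last block for the "admin" block from cookie 1.
    return c2[:2 * BLOCK] + admin_block


if __name__ == "__main__":
    print(parse_cookie(issue_cookie("attacker@x.co")))   # role: user
    print(parse_cookie(forge_admin_cookie()))            # role: admin
```

The fix is not a stronger block cipher but an authenticated construction (a MAC over the cookie, or an AEAD mode), which is exactly the kind of material the course goes on to cover.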

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

WordPress XCloner - Backup and Restore Plugin Multiple Security Vulnerablities
VLC Media Player '.m3u' File Denial of Service Vulnerability

Posted by InfoSec News on Nov 06


By John Leyden
The Register
6 Nov 2014

Sneaky hackers are using Gmail and Yahoo! drafts to control compromised
devices, with the tactic designed to make detection of malware-related
communications more difficult to pick up in enterprise environments.

Attacks occur in two phases. Hackers first infect a targeted machine via
simple malware...

Posted by InfoSec News on Nov 06


By Alex Hern
The Guardian
6 November 2014

Users of Apple’s Mac OS X are being warned to watch out for not one, but
two new weaknesses in the platform which can be used in attacks – one of
which is already in the wild.

The first, known as Rootpipe, affects multiple versions of Mac OS X,
including the newest release, Yosemite. It lets an attacker gain...

Posted by InfoSec News on Nov 06


The Korea Herald

Police said Thursday they have booked a 20-year-old student without
physical detention for allegedly hacking into websites and leaking more
than 10,000 IDs and passwords of their users online.

The Seoul Metropolitan Police Agency said the college freshman in Seoul
spread malicious software on 104 websites in 24 countries between November
2013 and August this...

Posted by InfoSec News on Nov 06


By Lucian Constantin
06 November 2014

Cisco Systems released patches for its small business RV Series routers
and firewalls to address vulnerabilities that could allow attackers to
execute arbitrary commands and overwrite files on the vulnerable devices.

The affected products are Cisco RV120W Wireless-N VPN...
Oracle MySQL Server CVE-2014-6496 Remote Security Vulnerability
Oracle MySQL Server CVE-2014-6555 Remote Security Vulnerability
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: A buffer overflow in TigerVNC could result in execution of arbitrary code or Denial of Service.
LinuxSecurity.com: Multiple vulnerabilities have been found in the MySQL and MariaDB, possibly allowing attackers to cause unspecified impact.
LinuxSecurity.com: Multiple vulnerabilities have been found in VLC, the worst of which could lead to user-assisted execution of arbitrary code.
LinuxSecurity.com: LibreOffice could be made to crash or run programs if it received specially crafted network traffic.
[SECURITY] [DSA 3065-1] libxml-security-java security update
Linux Kernel CVE-2014-3673 Denial of Service Vulnerability
[CVE-2014-8338] Cross Site Scripting (XSS) vulnerability in videowhisper

Horrible Apple iOS virus; vectored via USB: WireLurker is 'new brand of threat ...
Apple says it's already fixed the problem, but independent infosec geeks say the company still has a long way to go, and that the problem isn't limited to China. In IT Blogwatch, bloggers cut the cord. Your humble blogwatcher curated these bloggy bits ...

SEC Consult SA-20141106-0 :: XXE & XSS & Arbitrary File Write vulnerabilities in Symantec Endpoint Protection
Cisco RV Series multiple vulnerabilities
[The ManageOwnage Series, part VI]: 0day database info and superuser credential disclosure in EventLog Analyser
i.Mage Local Crash Poc
ESA-2014-135: RSA® Web Threat Detection SQL Injection Vulnerability
Internet Storm Center Infocon Status