Information Security News
by Sam Machkovech
Archive.org has gone to great lengths to preserve and host dated software, but up until last week, its vast collection of classic games and MS-DOS executables skewed toward the overly safe side. Sure, you could run the original Oregon Trail—even on your web browser, through a DOSBOX emulator—and burden virtual pioneers with dysentery, but what about acquiring an actual virus?
That changed on Friday with the site's unveiling of the Malware Museum, a website collection of 78 viruses from the MS-DOS era of the late '80s and early '90s, all ready to either launch on a DOSBOX web browser emulator or be downloaded to your hard drive. Before you fret about some kind of crazy dated-virus outbreak, know that Archive.org went to the trouble of "defanging" every virus in its collection.
The "museum" began to take shape when longtime Finnish computer security expert Mikko Hypponen offered his personal collection of roughly 30 viruses, which he'd already disassembled to remove their drive-destructive capabilities, to Archive.org software curator Jason Scott. "He contacted me a week ago, out of the blue, asking if I wanted to do anything with this collection [of viruses]," Scott said in a phone interview with Ars. "I just put them all up and said, 'Yes, I like it, and I already put them all up [on the site]!'"
Today, the Obama administration released the president's Cybersecurity National Action Plan (CNAP), a set of executive actions and budget requests that seeks to fix federal agencies' information security woes. The plan aims to spur broader efforts to protect citizens' privacy and the security of the nation's businesses and infrastructure from criminals and other threats. And it starts off by creating a commission to figure out how to do that.
The Federal government's information security posture, as demonstrated by the Office of Personnel Management breach last year, is at best antiquated and at worst horrific in its inadequacy. The CNAP looks to rapidly infuse money into efforts to modernize the decrepit information security systems at agencies such as the Social Security Administration, which, as President Obama wrote in an op-ed piece published today by the Wall Street Journal, "uses systems and code from the 1960s. No successful business could operate this way."
To make the fixes, the Obama administration is asking for over $19 billion in spending scattered across the proposed 2017 budget and is making a number of immediate moves that require funding now—$3.1 billion for an Information Technology Modernization Fund and to pay a new Federal Chief Information Security Officer (with a salary of between $123,175 and $185,100 a year, Top Secret/SCI clearance required—apply by February 26 if interested).
Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates.
Here's a video showing a proof-of-concept attack performed against a vulnerable version of the Sequel Pro app:
3 critical vulnerabilities that could lead to code execution with a priority rating of 3 (low): CVE-2016-0951, CVE-2016-0952, CVE-2016-0953. You may have to download the updates directly from Adobe as they will not show up in Creative Cloud Packager!
22 critical vulnerabilities that could lead to code execution. The priority rating is 1 for Flash Player (including the Flash Player embedded in Chrome/Edge/Internet Explorer 11).
4 important vulnerabilities that could lead to information disclosure. This includes fixes for the Java deserialization issues.
3 important vulnerabilities that lead to input validation and content spoofing issues (including cross-site request forgery). The priority rating for this update is 1 (low).
Overview of the February 2016 Microsoft patches and their status.
|#||Affected||Contra Indications - KB||Known Exploits||Microsoft rating(**)||ISC rating(*)|
|MS16-009||Cumulative Security Update for Internet Explorer (Replaces MS16-001)|
|Cumulative Security Update for Microsoft Edge (Replaces KB3124266)|
CyberTech – The Golden Globes of information security
Using that analogy, and with some license, the CyberTech conference in Tel Aviv may be the Golden Globes, with the RSA Security Conference in San Francisco being the Oscars of information security. Strictly speaking, CyberTech would be the Israeli ...
Oracle released an emergency update for Java. The nature of the flaw, and how the update fixes the flaw, is somewhat obscured. According to Oracle's advisory, the user would first have to install malicious software, then install Java. So it doesn't appear to be exploitable on any system that has Java already installed. The Oracle advisory also states that an exploit is complex.
At this point, I don't see a compelling reason to rush out this patch. Deal with it as part of your regular patch process. Some of the Microsoft patches to be released later today are likely more important.
Information Security Heavy-Hitters Join Peerlyst SecureDrop Review Board
PR Newswire (press release)
9, 2016 /PRNewswire/ -- Peerlyst, the preeminent information security community, announced the lineup of InfoSec journalists and experts to review vulnerabilities and breaches coming in via Peerlyst SecureDrop, a Tor network site for anonymously ...
Surviving infosec's perfect storm
Enterprise security is very complex and constantly changing. Gigamon's CEO Paul Hooper says “Security is one of the most interesting attributes of enterprise infrastructure”. Reflecting back over the past decade, Hooper says security is evolving faster ...