Information Security News
Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet.
The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What's more, it's frequently much harder to patch a vulnerability than merely to find it.
"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug," Michael Zalewski, a member of the Google security team, wrote in a blog post. "Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help."
A security researcher said he has found an encryption flaw that makes it possible for adversaries to decrypt communications sent with WhatsApp, a cross-platform smartphone app that processes as many as 27 billion instant messages each day.
WhatsApp developers say messages are "fully encrypted," and company CEO Jan Koum told Ars that Tuesday's vulnerability report is "sensationalized and overblown." But a computer science student at Utrecht University in the Netherlands—and several cryptographers who have reviewed his work—said the app appears to contain long-documented weaknesses, including the use of the same encryption key on both sides of a conversation. As a result, they said, it's not hard for cryptographers to decrypt WhatsApp messages that travel over Wi-Fi networks or other channels that can be monitored.
"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort," Utrecht computer science and mathematics student Thijs Alkemade wrote in a blog post published Tuesday. "You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this... except to stop using it until the developers can update it."
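The "same encryption key on both sides of a conversation" weakness mentioned above is the classic keystream-reuse problem. The following is an added illustration, not WhatsApp's code or the researcher's: a toy counter-mode keystream stands in for a stream cipher, and the shared key, messages and direction labels are constructed values. It shows that XORing the two ciphertexts cancels the keystream, so a guessed fragment of one direction exposes the other, and that deriving a separate key per direction removes that relationship.

```python
import hashlib
import hmac
from itertools import count


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: expand `key` into a keystream with an HMAC counter PRF.
    Assumed stand-in for a real stream cipher, not WhatsApp's implementation."""
    out = b""
    for i in count():
        out += hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, len(plaintext)))


def recover_with_known_fragment(ct_a: bytes, ct_b: bytes, known_a: bytes) -> bytes:
    """If both directions used the same keystream, ct_a ^ ct_b == pt_a ^ pt_b,
    so a known fragment of pt_a yields pt_b at the same offsets."""
    n = min(len(ct_a), len(ct_b), len(known_a))
    return xor(xor(ct_a[:n], ct_b[:n]), known_a[:n])


def direction_key(base_key: bytes, direction: bytes) -> bytes:
    """Mitigation: derive a distinct per-direction key from the shared key."""
    return hmac.new(base_key, b"direction:" + direction, hashlib.sha256).digest()


SHARED_KEY = b"constructed-shared-key"            # constructed sample value
PT_A = b"Hello, are you coming tonight?"            # A -> B (constructed)
PT_B = b"Yes, see you at eight o'clock."            # B -> A (constructed)


def demo_weak() -> bytes:
    """Same key both ways: a passive listener who guesses A's greeting reads B."""
    ct_a = encrypt(SHARED_KEY, PT_A)
    ct_b = encrypt(SHARED_KEY, PT_B)
    return recover_with_known_fragment(ct_a, ct_b, PT_A[:12])


def demo_fixed() -> bytes:
    """Per-direction keys: the same trick yields nothing related to PT_B."""
    ct_a = encrypt(direction_key(SHARED_KEY, b"A->B"), PT_A)
    ct_b = encrypt(direction_key(SHARED_KEY, b"B->A"), PT_B)
    return recover_with_known_fragment(ct_a, ct_b, PT_A[:12])
```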
by Peter Bright
In June, Microsoft announced that it would start paying third-party security researchers for their work. Specifically, up to $11,000 was available for critical vulnerabilities discovered in the Internet Explorer 11 beta (a scheme that's now over), and up to $100,000 was available for any technique that bypassed Windows' built-in exploit mitigation schemes.
Four months later, the company has paid its first $100,000 bounty. Researcher James Forshaw from Context Information Security has created an as-yet unpublicized way of exploiting Windows applications that defeats systemic protections such as Address Space Layout Randomization and Data Execution Prevention.
Unlike other bug bounty programs like the one Google runs for its products, Microsoft is not paying out for individual bugs in released software. The company says that there are already plenty of companies willing to pay for such bugs, so there's no particular need to get in on that action. Rather, the $100,000 scheme pays out for entire classes of exploits, in principle enabling Microsoft to provide generic solutions that will make lots of bugs harder to use maliciously.
by Dan Goodin
The National Security Agency has a wide-ranging menu of software exploits at its disposal to tailor the right attack to the targets it wants to monitor, according to a blog post published Wednesday by security expert Bruce Schneier. While the program allows analysts to operate in almost absolute secrecy, the NSA's pursuit of an expansive surveillance program has largely defeated those efforts, his essay concludes.
As last week's publication of secret NSA documents showed, the agency operates servers codenamed FoxAcid that exploit software vulnerabilities on targets' computers. By the time those attacks are unleashed, analysts already know a huge amount about the person on the receiving end. Based on that information, the spies will use a complicated trade-off system to automatically choose an attack from a multitiered menu of options.
"If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased," Schneier wrote. "If the target is technically sophisticated, FoxAcid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability."
Infosec Blog Publishes Top 100 Cyber Security Blogs, Offers Insight For ...
PR-BG.com (press releases) (press release)
San Diego, CA — DDoS Protection & Security, a cyber security blog and news site, has recently published a list of the Top 100+ Cyber Security Blogs to highlight the best security blogs, ranked by PageRank, Domain Authority, and Alexa traffic stats.
Posted by InfoSec News on Oct 09: http://www.itbusiness.ca/news/canadians-have-naive-belief-hackers-wont-target-them-trustwave/43991
Posted by InfoSec News on Oct 09: http://www.smh.com.au/it-pro/security-it/microsoft-pays-australian-hacker-100000-for-finding-security-holes-20131009-hv1xt.html
Posted by InfoSec News on Oct 09: http://www.theguardian.com/technology/2013/oct/08/silk-road-hack-suspicion-fbi-server
Posted by InfoSec News on Oct 09: http://www.isa.org/InTechTemplate.cfm?Section=General_Information2&template=/ContentManagement/ContentDisplay.cfm&ContentID=94400
Posted by InfoSec News on Oct 09: http://www.foxnews.com/tech/2013/10/08/security-compromised-at-security-companies-during-cyber-security-month/
The man believed to be responsible for distributing the notorious Blackhole malware toolkit has been arrested in Russia, a source told Reuters today. The source, a former Russian police detective in contact with Russia's federal government, said that the man went by “Paunch” in hacking circles.
No other information was given, but a spokesman for Europol in the Hague told Reuters that the police agency “had been informed that a high-level suspected cyber-criminal” had been arrested in Russia.
Blackhole is a widely known exploit toolkit that makes “drive-by” attacks easier for hackers to execute. It allows criminals to inject malware onto PCs that either visit exploit sites or are redirected to exploit sites from compromised websites. As one of the primary names behind Blackhole, Paunch kept the toolkit current as new weaknesses in commonly used programs were discovered: in 2012 Paunch released Blackhole 2.0, and recent custom versions of the toolkit incorporated ways to exploit vulnerabilities in Adobe Reader and Java's browser plugin.