Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet.

The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What's more, it's frequently much harder to patch a vulnerability than merely to find it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug," Michael Zalewski, a member of the Google security team, wrote in a blog post. "Whether you want to switch to a more secure allocator, to add privilege separate, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help."



Cisco NX-OS 'file name' Parameter Arbitrary File Write Vulnerability
Cisco NX-OS CVE-2012-4121 Arbitrary File Access Vulnerability
Disney announced a new touch-screen technology prototype that offers users tactile sensations that mimic real surfaces.
Aiming at budget laptops, Intel has started shipping new Pentium and Celeron processors based on the Haswell microarchitecture.
Facebook continues to push the boundaries of storage and server technology in order to more quickly serve its billion users, and the results are being offered as open-source technology that can also benefit other companies.
Flexible PKard Reader and elegant Tactivo bring smart card authentication to your favorite mobile device

A security researcher said he has found an encryption flaw that makes it possible for adversaries to decrypt communications sent with WhatsApp, a cross-platform smartphone app that processes as many as 27 billion instant messages each day.

WhatsApp developers say messages are "fully encrypted," and company CEO Jan Koum told Ars that Tuesday's vulnerability report is "sensationalized and overblown." But a computer science student at Utrecht University in the Netherlands—and several cryptographers who have reviewed his work—said the app appears to contain long-documented weaknesses, including the use of the same encryption key on both sides of a conversation. As a result, they said, it's not hard for cryptographers to decrypt WhatsApp messages that travel over Wi-Fi networks or other channels that can be monitored.

"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort," Utrecht computer science and mathematics student Thijs Alkemade wrote in a blog post published Tuesday. "You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this... except to stop using it until the developers can update it."



Cyrus SASL Library CVE-2013-4122 NULL Pointer Dereference Denial of Service Vulnerability
The security researcher who was awarded $100,000 by Microsoft said he spent about two weeks pondering, then demonstrating a new way to circumvent Windows' defensive technologies.
It doesn't take much to please Hewlett-Packard's investors these days. HP confirmed Wednesday that its revenue will decline slightly next year, but the mention of "pockets of growth" sent hearts aflutter.
The popular mobile messaging application WhatsApp Messenger has a major design flaw in its cryptographic implementation that could allow attackers to decrypt intercepted messages, according to a Dutch developer.
SLiM NULL Pointer Dereference Denial of Service Vulnerability
RubyGems Wicked Arbitrary File Access Vulnerability
Microsoft faces competition for its Surface Pro 2 tablet, and it's from an expected source: One of its own hardware partners, Dell.
Cloud provider Nirvanix went belly up. Even if you weren't one of its clients, you can learn things from that mess.
Is the curved display on Samsung's new Round smartphone a significant innovation, or is the phone maker churning out another niche-market product to prove that it can do so faster and more efficiently than anyone else? Maybe both.
Network Audio System CVE-2013-4258 Format String Vulnerability
Network Audio System CVE-2013-4257 Heap Buffer Overflow Vulnerability
Network Audio System CVE-2013-4256 Multiple Buffer Overflow Vulnerabilities
Telaen CVE-2013-2623 Cross Site Scripting Vulnerability
If you think your house has bad cellular coverage, Verizon Wireless has you beat: A small, windowless room high up in a San Francisco office building gets no service at all.
The director of the U.S. National Security Agency wants you to trust his people.
AT&T and GE have teamed up to connect what could be millions of future GE industrial lights, engines and other hardware with AT&T's global wireless network.

In June, Microsoft announced that it would start paying third-party security researchers for their work. Specifically, up to $11,000 was available for critical vulnerabilities discovered in the Internet Explorer 11 beta (a scheme that's now over), and up to $100,000 was available for any technique that bypassed Windows' built-in exploit mitigation schemes.

Four months later, the company has paid its first $100,000 bounty. Researcher James Forshaw from Context Information Security has created an as-yet unpublicized way of exploiting Windows applications that defeats systemic protections such as Address Space Layout Randomization and Data Execution Prevention.

Unlike other bug bounty programs like the one Google runs for its products, Microsoft is not paying out for individual bugs in released software. The company says that there are already plenty of companies willing to pay for such bugs, so there's no particular need to get in on that action. Rather, the $100,000 scheme pays out for entire classes of exploits, in principle enabling Microsoft to provide generic solutions that will make lots of bugs harder to use maliciously.



Telaen CVE-2013-2621 Open Redirection Vulnerability
[SECURITY] [DSA 2771-1] nas security update
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module Software
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
It pays to be CIO -- millions, in some cases. Take Filippo Passerini. He joined Procter & Gamble in 1981 as a systems analyst in Italy and rose through the techie ranks. Today Passerini is CIO and leads the company's global business services organization -- a dual role that netted him $5 million last year.
Ford has announced a new fully automated parking and accident avoidance system that removes control of the car from the driver.
For Apple developers that want an easy way to add cloud storage or device-to-device push notifications to their apps, Google has announced Mobile Backend Starter for iOS.
[SECURITY] [DSA 2770-1] torque security update
[ISecAuditors Security Advisories] Multiple Reflected XSS vulnerabilities in BoltWire <= v3.5
[ISecAuditors Security Advisories] Multiple Vulnerabilities in Uebimiau <= 2.7.11
MediaTek is promising smartphone buyers they will get more bang for their buck now that it plans to introduce its LTE chipsets and use ARM's upcoming 64-bit processor designs.

The National Security Agency has a wide-ranging menu of software exploits at its disposal to tailor the right attack to the targets it wants to monitor, according to a blog post published Wednesday by security expert Bruce Schneier. While the program allows analysts to operate in almost absolute secrecy, the NSA's pursuit of an expansive surveillance program has largely defeated those efforts, his essay concludes.

As last week's publication of secret NSA documents showed, the agency operates servers codenamed FoxAcid that exploit software vulnerabilities on targets' computers. By the time those attacks are unleashed, analysts already know a huge amount about the person on the receiving end. Based on that information, the spies will use a complicated trade-off system to automatically choose an attack from a multitiered menu of options.

"If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased," Schneier wrote. "If the target is technically sophisticated, FoxAcid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability."




Infosec Blog Publishes Top 100 Cyber Security Blogs, Offers Insight For ...
PR-BG.com (press release)
San Diego, CA — DDoS Protection & Security, a cyber security blog and news site has recently published a list of the Top 100+ Cyber Security Blogs to highlight the best security blogs, ranked by PageRank, Domain Authority, and Alexa traffic stats.

Feng Office 'index.php' Cross Site Scripting Vulnerability
LinuxSecurity.com: Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
Cross-Site Scripting (XSS) in Feng Office
Mozilla Foundation is improving the performance of its Firefox OS software for smartphones, and devices running it will soon go on sale in more European and Latin American countries.
Forget softball games. Hackathons promote togetherness among techies while benefiting the enterprise, and no one gets pitcher's elbow.
Network Solutions is investigating an attack by a pro-Palestinian hacking group that redirected websites belonging to several companies.
IBM's decision to license its future Power8 processor to third parties doesn't mean life has ended for the current Power 7+, which will go alongside x86 chips into new PureFlex System preconfigured servers announced on Wednesday.
Apple will introduce new iPad tablets on Oct. 22, coinciding with the unveiling of the company's fourth-generation iPad and iPad Mini in 2012.
Breaking away from the flat screens found in so many smartphones, Samsung is releasing its Galaxy Round handset with a curved display.
IBM has begun integrating its cloud portfolio with cloud computing infrastructure from its $2 billion acquisition of SoftLayer Technologies, starting with its social learning platform targeted at a variety of industries.
Mountain View is installing new Wi-Fi hotspots in parts of the city to supplement the poorly performing network operated by Google.
Automakers, the Linux Foundation and private developers are working to create an open-source OS for cars that would standardize up to 95% of the software in infotainment systems.
The ongoing government shutdown could leave desktop and server systems in many federal agencies vulnerable to new threats disclosed Tuesday by Microsoft in its latest round of security updates.
With its apps, sensors and devices, Nike is increasingly becoming a technology company. It's found the best development teams come from onshore, not offshore, outsourcers.
Microsoft Internet Explorer CVE-2013-3874 Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-3873 Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-3872 Memory Corruption Vulnerability

Posted by InfoSec News on Oct 09


By Candice So
October 8th, 2013

Small businesses worried about their IT need to find better ways to guard
their data -- especially as they present easy, unsecured targets, with
hackers levelling their sights at them.

Contrary to what small to mid-sized businesses (SMBs) often believe,
hackers often go for them since they're...

Posted by InfoSec News on Oct 09


By Ben Grubb and Jim Finkle
October 9, 2013

Microsoft is paying a well-known Australian hacking expert more than
$100,000 for finding security holes in its software, one of the largest
bounties awarded to date by a tech company.

The company also released a much anticipated update to Internet Explorer,...

Posted by InfoSec News on Oct 09


By Charles Arthur
8 October 2013

There's a new theory about how the FBI and CIA tracked down the physical
location of the Silk Road servers, and it has nothing to do with the man
accused of being the site's operator, Ross Ulbricht, or queries he might
have made on StackExchange.

Instead, the rumour in hacker circles is that the...

Posted by InfoSec News on Oct 09


By Norman Anderson, P.E., and Bill Phillips, P.E.
September/October 2013

This article is based on presentations made at the 2013 ISA
Water/Wastewater and Automatic Controls Symposium on 7 August 2013
(www.isawwsymposium.com). Network security for water sector process
control systems (PCS), such as...

Posted by InfoSec News on Oct 09


October 08, 2013

Now who do you trust?

To celebrate the beginning of National Cyber Security Month, hackers have
turned up the heat on the security companies themselves.

On Tuesday morning, hackers briefly compromised the website of AVG, the
maker of one of the world’s most popular free anti-virus products, as well...
Microsoft Windows TrueType Font CMAP Table CVE-2013-3894 Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-3897 Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
RETIRED: Microsoft October 2013 Advance Notification Multiple Vulnerabilities
RETIRED: Adobe Reader and Acrobat APSB13-25 Prenotification Multiple Vulnerabilities
[security bulletin] HPSBGN02930 rev.1 - HP Intelligent Management Center(iMC) and HP IMC Service Operation Management Software Module, Remote Authentication Bypass, Disclosure of Information, Unauthorized Access, SQL Injection
[security bulletin] HPSBGN02929 rev.1 - HP Intelligent Management Center (iMC), HP IMC Branch Intelligent Management System Software Module (BIMS), and Comware Based Switches and Routers, Remote Code Execution, Disclosure of Information

The man believed to be responsible for distributing the notorious Blackhole malware toolkit has been arrested in Russia, a source told Reuters today. The source, a former Russian police detective in contact with Russia's federal government, said that the man went by “Paunch” in hacking circles.

No other information was given, but a spokesman for Europol in the Hague told Reuters that the police agency “had been informed that a high-level suspected cyber-criminal” had been arrested in Russia.

Blackhole is a widely known exploit toolkit that makes “drive-by” attacks easier for hackers to execute. It allows criminals to inject malware onto PCs that either visit exploit sites or are redirected to exploit sites from compromised websites. As one of the primary names behind Blackhole, Paunch kept the toolkit current as new weaknesses in commonly used programs were discovered: in 2012 Paunch released Blackhole 2.0, and recent custom versions of the toolkit incorporated ways to exploit vulnerabilities in Adobe Reader and Java's browser plugin.



Internet Storm Center Infocon Status