The Adobe Flash zero-day exploit that spyware developer Hacking Team made available to customers worked successfully against even the advanced defenses found in Google's Chrome browser, researchers said Friday. They also noted that it was used to infect computer users multiple times before it was leaked.

Google developers patched the underlying Flash vulnerability in Chrome on Tuesday (to confirm, enter about:version in the address bar and check the Flash version), and Adobe published a general fix a day later.

The previously unknown exploit leaked as a result of last weekend's devastating hack of Hacking Team, and exploit kits sold on the black market quickly incorporated attack code for the flaw. The exploit allows attackers to surreptitiously install malware on targets' computers, and there's evidence that, before the breach, Hacking Team customers used the Flash zero-day against live targets.


SQL Injection, Reflected XSS, Path Traversal, Function Execution in ZenPhoto 1.4.8
[security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information

Less than 24 hours after the recent hack against the Office of Personnel Management (OPM) was announced to have reached 21.5 million affected individuals, its director has stepped down.

In a statement, Katherine Archuleta wrote that it was “best for me to step aside” from leading the agency charged with managing federal employees. She had been in the position for just over two years.

This is quite a reversal for the OPM boss. Speaking before a Senate hearing on June 23, Archuleta said, “I'm as angry as you are that this is happening... I am dedicated to ensuring that OPM does everything in its power to protect the federal workforce and to ensure that our systems will have the best cyber security posture the government can provide.”


Cisco Security Advisory: OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability

If you’re a Moscow-based zero-day exploit seller, all you have to do is e-mail a spyware company like Hacking Team out of the blue. You can go from initial, unsolicited message to getting paid tens of thousands of dollars in just a matter of weeks.

After Hacking Team, the Italian spyware vendor, was itself hacked and 400GB of its internal data released onto BitTorrent, Ars reviewed internal e-mails from the company. The chain of e-mails that follow offer a rare look into exactly how new security vulnerabilities get sold to companies and governments around the globe.

The Moscow vendor’s first e-mail, dated October 13, 2013, was short and to the point:


[security bulletin] HPSBGN03371 rev.1 - HP IceWall Products running OpenSSL, Remote Denial of Service (DoS)
[security bulletin] HPSBGN03351 rev.2 - HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent running OpenSSL, Remote Disclosure of Information
CVE-2014-7952, Android ADB backup APK injection vulnerability
NEW VMSA-2015-0005 : VMware Workstation, Player and Horizon View Client for Windows updates address a host privilege escalation vulnerability
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: New openssl packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if it opened a malicious website.
LinuxSecurity.com: Updated php54-php packages that fix multiple security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security [More...]
LinuxSecurity.com: Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]
LinuxSecurity.com: A double free vulnerability in PyPAM could result in execution of arbitrary code or Denial of Service.
LinuxSecurity.com: Several security issues were fixed in NSS.
LinuxSecurity.com: A vulnerability in Perl allows a remote attacker to cause Denial of Service.
LinuxSecurity.com: A buffer overflow in t1utils could result in execution of arbitrary code or Denial of Service.
LinuxSecurity.com: Security Report Summary
Extra information for CVE-2014-2513 - EMC Documentum Content Server: arbitrary code execution
[SECURITY] [DSA 3305-1] python-django security update

Posted by InfoSec News on Jul 10


By Kory Grow
Rolling Stone
July 9, 2015

The Israeli man who was indicted on four charges of cyber crimes in
association with hacking into Madonna's songs and leaking Rebel Heart
tracks before the record's release has been sentenced to 14 months in
jail. Adi Lederman accepted a plea bargain with a Tel Aviv Magistrate's
Court in...

Posted by InfoSec News on Jul 10


By Michael Cooney
Network World
July 9, 2015

When it comes to the government protecting all manner of state and
personal information, the feds can use all the help they can get.

One of the most effective tools the government has is the National
Cybersecurity Protection System (NCPS), known as “EINSTEIN.” In a...

Posted by InfoSec News on Jul 10


By Senator Ben Sasse

AS A NEWLY elected Senator, I am here to tell you a hard truth: Washington
does not take cybersecurity seriously.

But you probably already knew that if you’ve read anything about the
massive OPM data breach. To recap today’s news from OPM, since 2013, a
malicious attacker—likely the Chinese...

Posted by InfoSec News on Jul 10


By Alexander J Martin
The Register
9 July 2015

Highly regarded independent privacy researcher Caspar Bowden has died
after a short battle with cancer.

Bowden was a popular titan of privacy advocacy, and was one of Microsoft's
leading privacy officers throughout his roles at the company between 2002
and 2011.

While at Microsoft Bowden expressed concerns that the...

Posted by InfoSec News on Jul 10


By Paul Tassi

Last Christmas, a hacking collective known as the “Lizard Squad” managed
to take down PSN and Xbox Live right as everyone was attempting to play
their consoles during holiday, creating one of the worst outages in the
history of either network. The attacks...

Posted by InfoSec News on Jul 10


By Brian Krebs
Krebs on Security
July 9, 2015

Service Systems Associates, a company that serves gift shops and eateries
at zoos and cultural centers across the United States, has acknowledged a
breach of its credit and debit card processing systems.

Several banking industry sources told KrebsOnSecurity they have detected a
pattern of fraud on cards that were all used...

Posted by InfoSec News on Jul 10


The Wall Street Journal
July 9, 2015

SAN FRANCISCO -- In the past decade, Moxie Marlinspike has squatted on an
abandoned island, toured the U.S. by hopping trains, he says, and earned
the enmity of government officials for writing software.

Mr. Marlinspike created an encryption program that scrambles messages
until they reach the...