A screenshot of the log-in for SnapSaved.com, a failed (or perhaps malicious) web-based front end for Snapchat that saved users' private images and allowed them to be hacked.

A cache of about 13 gigabytes of stolen images from Snapchat—some of them apparently of nude, underage users of the “ephemeral” messaging platform—was posted online Thursday night, many of them to the image-sharing site 4chan’s /b/ discussion board. However, the threads linking to the images have largely been shut down by 4chan over concerns of trafficking in what could be considered child pornography. Over 100,000 user images and videos were in the cache, according to 4chan discussions.

The images are apparently not from Snapchat’s own network but from the database of a third-party application that allows Snapchat users to save images and videos sent over the service online. In an official statement to the press, a Snapchat spokesperson said, “We can confirm that Snapchat’s servers were never breached, and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Service precisely because they compromise our users’ security.”

According to a report by Business Insider, 4chan users who gained access to the images downloaded them and started to create a searchable database indexed by the usernames associated with the images. The files were also briefly hosted on a Web server that hosted Web exploits and malware.


Cisco IOS XE Software CVE-2014-3403 Certificate Validation Security Bypass Vulnerability

A class of coding vulnerabilities could allow attackers to fool Windows system administrators into running malicious code because of a simple omission: quotation marks.

The attack relies on scripts or batch files that use the command-line interface, or "shell," on a Windows system but contain a simple coding error—allowing untrusted input to be run as a command. In the current incarnation of the exploit, an attacker appends a valid command onto the end of the name of a directory using the ampersand character. A script with the coding error then reads the input and executes the command with administrator rights.

"The scenario... requires a ‘standard’ user with access rights to create a directory to a fileserver and an administrator executing a vulnerable script," Frank Lycops and Raf Cox, security researchers with The Security Factory, said in an e-mail interview. "This allows the attacker to gain the privileges of the user running the script, thus becoming an administrator."



Hewlett-Packard has alerted some customers that it will be revoking a digital certificate used to sign a huge swath of software—including hardware drivers and other software essential to running on older HP computers. The certificate is being revoked because the company learned it had been used to digitally sign malware that had infected a developer’s PC.

An HP executive told security reporter Brian Krebs that the certificate itself wasn’t compromised. HP Global Chief Information Security Officer Brett Wahlin said that HP had recently been alerted to the signed malware—a four-year old Windows Trojan—by Symantec. Wahlin said that it appears the malware, which had infected an HP employee's computer, accidentally got digitally signed as part of a separate software package—and then sent a signed copy of itself back to its point of origin. Though the malware has since been distributed over the Internet while bearing HP's certificate, Wahlin noted that the Trojan was never shipped to HP customers as part of the software package.

“When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case,” Wahlin told Krebs. “We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact.”


Cisco Intrusion Prevention System CVE-2014-3402 Denial of Service Vulnerability
Linux Kernel CVE-2014-3631 Local Denial of Service Vulnerability
LinuxSecurity.com: Rsyslog could be made to crash if it received specially crafted input.
LinuxSecurity.com: Updated nss packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat [More...]
Linux Kernel CVE-2014-3184 Multiple Local Denial Of Service Vulnerabilities

Posted by InfoSec News on Oct 10


National Journal
October 9, 2014

The Obama administration's top cybersecurity official wants to get rid of

"Frankly, I would love to kill the password dead as a primary security
method, because it's terrible," said Michael Daniel, the White House
cybersecurity coordinator, during a...

Posted by InfoSec News on Oct 10


By William Knowles @c4i
Senior Editor
InfoSec News
October 10, 2014

Last month a web server at ARRL Headquarters was breached by an unknown
party. ARRL IT Manager Mike Keane said that League members have no reason
to be concerned about sensitive personal information being leaked, and
assures members that there’s nothing of financial value on the compromised

Zend Framework Sqlsrv Driver Multiple SQL Injection Vulnerabilities

Posted by InfoSec News on Oct 10


By Vince Lattanzio
Oct 9, 2014

Nearly every case Homeland Security Investigations (HSI) opens has some
sort of digital evidence to be collected and analyzed.

But the work can’t be done by just anyone. The data must be meticulously
cared for by agents trained to preserve the integrity of the...

Posted by InfoSec News on Oct 10


Russian Legal Information Agency

MOSCOW, October 10 (RAPSI) - An additional 11 cyber fraud charges will be
brought against Russian national Roman Seleznev on October 16 in Seattle,
spokeswoman for Washington’s Western District attorney Emily Langley told
RIA Novosti on Friday.

A pretrial hearing on Seleznev’s case is scheduled for November 3.

Langley could not say...

Posted by InfoSec News on Oct 10


By Patrick Ouellette
Health IT Security
October 9, 2014

Nearly two years after Alere Home Monitoring, Inc. reported that an
employee’s password-protected laptop was stolen from their car and 116,000
patients’ data was potentially compromised, a California federal judge
threw out a possible class action suit that sought $116 million in...

Microsoft have announced the heads-up for this month's security patches. Of the nine bulletins, three are rated as critical, one as moderate and five as important.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status