Today, the New York Times reported that an algorithm for generating random numbers, which was adopted in 2006 by the National Institute of Standards and Technology (NIST), contains a backdoor for the NSA. The news followed a NYT report from last week, which indicated that the National Security Agency (NSA) had circumvented widely used (but then-unnamed) encryption schemes by placing backdoors in the standards that are used to implement the encryption.

In 2007, cryptographers Niels Ferguson and Dan Shumow presented research showing that the Dual_EC_DRBG algorithm, which NIST had included in Special Publication 800-90, could contain a backdoor. If the two elliptic-curve points that parameterize the algorithm were chosen in a particular way, whoever chose them (the NSA, in this case) would be able to predict the supposedly random numbers the algorithm produces. It wasn't entirely clear at the time that the NSA had picked the parameters in this way; as Ars noted last week, the rationale for choosing the particular Dual_EC_DRBG parameters in SP 800-90 was never actually stated.
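The trapdoor Ferguson and Shumow described can be shown end to end on a toy curve. The Python below is an added example; it is not code from the Ars or NYT reporting, nor from SP 800-90 or any real implementation, and all of its names (`dual_ec_generate`, `attacker_predict`, `E_SECRET`, `D_TRAPDOOR`) are this example's own. The curve y^2 = x^3 + 2x + 2 over F_17 (group order 19, base point P = (5, 1)), the secret multiplier e = 3 relating Q = e·P, the seed 2 and the two-bit truncation are assumptions chosen so the arithmetic fits on a page; the structure, however, follows the real generator: s_{i+1} = x(s_i·P), r_i = x(s_{i+1}·Q), and the output is r_i with its top bits dropped (16 of 256 in the standard, 2 of 5 here). Anyone holding d = e^{-1} mod n, so that P = d·Q, lifts an observed output back to a point R = ±s·Q, computes x(d·R) = x(s·P), which is the generator's next internal state, and from there predicts every later output; the dropped bits only cost a small brute force, filtered against the next observed output.

```python
"""Toy Dual_EC_DRBG with a chosen-parameter trapdoor (added example).

Assumed toy parameters, not the SP 800-90 constants:
curve y^2 = x^3 + 2x + 2 over F_17, group order 19 (prime), P = (5, 1).
"""

P_MOD = 17
A, B = 2, 2
ORDER = 19                 # prime: every point except infinity generates the group
P_BASE = (5, 1)
E_SECRET = 3               # known only to whoever chose Q; Q = E_SECRET * P
TRUNC_BITS = 2             # real Dual EC drops the top 16 of 256 bits; here 2 of 5
FIELD_BITS = P_MOD.bit_length()
OUT_MASK = (1 << (FIELD_BITS - TRUNC_BITS)) - 1


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    k %= ORDER
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    if pt is None:
        raise ValueError("state hit the point at infinity (toy-size artifact)")
    return pt[0]


Q = ec_mul(E_SECRET, P_BASE)              # published alongside P
D_TRAPDOOR = pow(E_SECRET, -1, ORDER)     # P == D_TRAPDOOR * Q; never published


def dual_ec_generate(seed, n_outputs, q=Q):
    """The generator as specified: s <- x(s*P); r <- x(s*Q); emit truncated r."""
    s, outs = seed, []
    for _ in range(n_outputs):
        s = x_coord(ec_mul(s, P_BASE))
        r = x_coord(ec_mul(s, q))
        outs.append(r & OUT_MASK)
    return outs


def points_with_x(x):
    """All curve points with the given x-coordinate (0, 1 or 2 of them)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y - rhs) % P_MOD == 0]


def attacker_predict(observed, d, n_predict):
    """From two consecutive truncated outputs and the trapdoor d, recover the
    internal state and predict the next n_predict outputs.
    Returns (recovered_state, predictions), or None if no single candidate
    state is consistent with the second output."""
    out1, out2 = observed[0], observed[1]
    candidates = []
    for hi in range(1 << TRUNC_BITS):              # brute-force the dropped bits
        r_cand = (hi << (FIELD_BITS - TRUNC_BITS)) | out1
        if r_cand >= P_MOD:
            continue
        for r_point in points_with_x(r_cand):      # r_point = +/- s*Q
            s = x_coord(ec_mul(d, r_point))        # x(d*s*Q) = x(s*P) = next state
            # a wrong lift of the dropped bits fails this check
            if (x_coord(ec_mul(s, Q)) & OUT_MASK) == out2:
                candidates.append(s)
    states = sorted(set(candidates))
    if len(states) != 1:
        return None
    return states[0], dual_ec_generate(states[0], n_predict)


if __name__ == "__main__":
    outputs = dual_ec_generate(seed=2, n_outputs=4)    # seed is an assumption
    print("victim outputs:", outputs)
    state, predicted = attacker_predict(outputs[:2], D_TRAPDOOR, 2)
    print("recovered state:", state, "predicted:", predicted, "actual:", outputs[2:])
```

Two observed outputs suffice because the second one disambiguates the lifted bits; with the real 256-bit curve the same loop runs over 2^16 candidates rather than 4, which is still trivial. Without d (try a wrong value) no candidate survives the check, which is the whole point of the design: the output is unpredictable to everyone except the party that chose Q.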

Today, the NYT says that internal memos leaked by Edward Snowden confirm that the NSA generated the Dual_EC_DRBG algorithm. Publicly, however, the agency's role in development was significantly underbilled: “In publishing the standard, NIST acknowledged 'contributions' from NSA, but not primary authorship,” wrote the NYT. From there, the NSA pushed the International Organization for Standardization to adopt the algorithm, calling it “a challenge in finesse” to convince the organization's leadership.



(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Multiple HP Products Multiple Unspecified Remote Security Vulnerabilities
Citing low profit margins, IBM has sold its customer care outsourcing business to Synnex for US$505 million, the companies said Tuesday.
The U.S. National Institute of Standards and Technology (NIST) has vigorously denied that the U.S. National Security Agency (NSA) tampered with NIST's process of vetting and choosing encryption algorithms.
The fingerprint sensor in Apple's new iPhone 5S has the potential to enhance the security of the device, but the devil will be in the details.
Sophos Web Appliance CVE-2013-4983 Remote Command Injection Vulnerability
OpenPNE 3 XML External Entity Injection Vulnerability

Our regular readers know this, but on Patch Tuesday (aka Black Tuesday) we get a somewhat wider audience, so it's worth repeating:

Do not forget to also patch your Macs!

E.g. a Trojan was recently discovered that targets Macs with unpatched Java flaws. See the Intego writeup.
Not only that: Microsoft Office, Adobe Flash, Shockwave, Reader and Acrobat all need to be updated too.

Swa Frantzen -- Section 66


It's going to be a busy reboot Wednesday it seems:

  • Wireshark 1.8.10 and 1.10.2 have been released today
  • Java 7u40 has been released today
    Thanks to Neil for being the first to report it to us.

Swa Frantzen

Microsoft has shipped fixes for critical vulnerabilities in Internet Explorer and Outlook as part of September's round of vulnerability fixes.
Here are my immediate first impressions on Apple's iPhone models, the 5C and 5S, which the company launched on Tuesday and allowed reporters to test after the press conference at its Cupertino, California, headquarters.
Intel hopes to pump more computing horsepower into servers with new Xeon chips based on the Ivy Bridge microarchitecture, which will also have the ability to dynamically adapt to cloud, database or supercomputing workloads.
A U.S. official Tuesday defended the government's encryption efforts following disclosures that the NSA has the ability to crack encryption protections.
As Apple introduced two new iPhones today, Twitter lit up with excited comments and digs.
Swiftpage has launched a new version of the Act contact manager and CRM software it acquired this year from Sage, a move that could reassure the product's many small-business users that it is in good hands under the new ownership.
Intel provided a glimpse into the PC future by showing off a laptop based on the Broadwell architecture that is faster and more battery-friendly than current ones based on Haswell processors.
In a new push to compete with Twitter and its lock on immediacy, Facebook took the wraps off two new APIs that enable news organizations to tap into user comments and display them online or on TV in real time.
Apple CEO Tim Cook and other executives today unveiled the iPhone 5S and the plastic-backed iPhone 5C, the first time in the six-year history of the iconic smartphone that the company has gone with a two-tier strategy.

Andrew Douglas, interim dean of the Whiting School of Engineering at Johns Hopkins University, has apologized publicly today for asking one of his cryptography professors to remove a blog post critical of the National Security Agency's (NSA) newly revealed mass spying programs.


Douglas contacted professor Matthew Green yesterday, asking him to pull the mirrored copy of his "On the NSA" blog post from university servers on the grounds that it "contained a link or links to classified material and also used the NSA logo," according to a Johns Hopkins statement released yesterday afternoon.

This was a strange request on its face—there's nothing illegal about linking to classified information published by news organizations, nor is there anything illegal about using the NSA's logo in a post about the NSA. (Some restrictions on the NSA logo do exist as a matter of law, but these are limited to the logo's use in a way "reasonably calculated to convey the impression that such use is approved, endorsed, or authorized by the National Security Agency." Green's hypercritical post was in no danger of crossing this threshold.)



Intel has made its move to target the emerging market for wearable computers with a new family of low-power chips called Quark.
SAP is expanding its arsenal of data-analysis software with the acquisition of predictive analytics vendor KXEN, announced Tuesday.
Ossia unwrapped a wireless charging technology called Cota that's based on the same unlicensed spectrum that powers Wi-Fi, Bluetooth, Zigbee and other wireless communication standards, and that can charge devices from as much as 10 feet and eventually 30 feet.
[security bulletin] HPSBPV02918 rev.1 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse

Overview of the September 2013 Microsoft patches and their status.

Columns: # | Affected | Contra indications - KB | Known exploits | Microsoft rating(**) | ISC rating(*) clients / servers

MS13-067  SharePoint (Office Server)
          A multitude of vulnerabilities in SharePoint have been fixed. They range from denial of service through privilege escalation to arbitrary code execution with the rights of the W3WP service account.
          CVE-2013-1315 is also mentioned in MS13-073.
          CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857 and CVE-2013-3858 are also mentioned in MS13-072.
          Also contains functional changes for Visio Services.
          KB 2834052 | CVE-2013-3180 was publicly disclosed | Microsoft: Critical | ISC: clients NA / servers Critical

MS13-068  Outlook
          An input validation error in handling S/MIME messages leads to arbitrary code execution with the rights of the logged-on user. The vulnerability can be triggered by merely viewing or previewing a message.
          KB 2756473 | No publicly known exploits | Microsoft: Critical | ISC: clients Critical / servers Important

MS13-069  Internet Explorer
          A set of 10 new memory corruption vulnerabilities in this monthly instance of the cumulative MSIE patch. They lead to arbitrary code execution with the rights of the logged-on user.
          KB 2870699 | No publicly known exploits | Microsoft: Critical | ISC: clients Critical / servers Important

MS13-070  OLE
          A memory handling error in OLE allows for arbitrary code execution with the rights of the logged-on user.
          KB 2876217 | No publicly known exploits | Microsoft: Critical | ISC: clients Critical / servers Important

MS13-071  Windows theme files
          A vulnerability in handling theme files allows for arbitrary code execution with the rights of the logged-on user.
          KB 2864063 | No publicly known exploits | Microsoft: Important | ISC: clients Critical / servers Important

MS13-072  Office
          Multiple vulnerabilities allow information leaks and arbitrary code execution with the rights of the logged-on user.
          CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857 and CVE-2013-3858 are also mentioned in MS13-067.
          KB 2845537 | No publicly known exploits | Microsoft: Important | ISC: clients Critical / servers Important

MS13-073  Excel
          Multiple vulnerabilities in Excel allow for information leaks and arbitrary code execution with the rights of the logged-on user.
          CVE-2013-1315 is also mentioned in MS13-067.
          KB 2858300 | No publicly known exploits | Microsoft: Important | ISC: clients Critical / servers Important

MS13-074  Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user.
          KB 2848637 | No publicly known exploits | Microsoft: Important | ISC: clients Critical / servers Important

MS13-075  Office IME (Chinese)
          The Pinyin Input Method Editor (IME) for Simplified Chinese allows a logged-on user to escalate privileges to LocalSystem.
          KB 2878687 | No publicly known exploits | Microsoft: Important | ISC: clients Important / servers Less urgent

MS13-076  Kernel Mode Drivers
          Multiple memory corruption vulnerabilities allow privilege escalation.
          KB 2876315 | No publicly known exploits | Microsoft: Important | ISC: clients Important / servers Less urgent

MS13-077  Service Control Manager
          A double free vulnerability in the Service Control Manager (SCM) allows privilege escalation.
          KB 2872339 | No publicly known exploits | Microsoft: Important | ISC: clients Important / servers Less urgent

MS13-078  FrontPage
          An information leak vulnerability in FrontPage while handling the DTD of an XML file.
          KB 2825621 | No publicly known exploits | Microsoft: Important | ISC: clients Important / servers Less urgent

MS13-079  Active Directory
          A denial of service vulnerability in Active Directory, triggered by a query to the LDAP service. The service stays down until an administrator restarts it.
          KB 2853587 | No publicly known exploits | Microsoft: Important | ISC: clients NA / servers Important
We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are in place are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all those Microsoft assigns, since some patches carry too many individual ratings to list.

Swa Frantzen

[ MDVSA-2013:229 ] bzr

So - you have IT equipment you no longer need?
ComputerWeekly.com (blog)
Low level stuff may be capable of being overwritten or otherwise erased (for example, via degaussing the drive or overwriting it to the British HMG Infosec Enhanced Standard 5). Although this will generally make any data irretrievable to those without ...

Android malware is following in the footsteps of Windows malware with attackers adopting some of the same distribution and monetization techniques despite the major differences between the platforms.
A new draft law on net neutrality and mobile roaming in Europe has caused division between lawmakers.
Nearly two years after the purchase of Gluster, Red Hat continues to polish the scale-out storage software for enterprises, making it more compatible with cloud services and Microsoft enterprise software.
If software development teams can take the time they spend estimating how long a project will take and start to execute that project instead, they can go that much faster. But what does a world without estimates look like -- and what might it mean for the business?
LinuxSecurity.com: A vulnerability has been discovered and corrected in python-setuptools/python-virtualenv: easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on [More...]
LinuxSecurity.com: New subversion packages are available for Slackware 14.0 and -current to fix a security issue. [More Info...]
LinuxSecurity.com: Andreas Beckmann discovered that phpBB, a web forum, as installed in Debian, sets incorrect permissions for cached files, allowing a malicious local user to overwrite them. [More...]
LinuxSecurity.com: Several security issues were fixed in the kernel.
LinuxSecurity.com: Updated bzr packages fix security vulnerabilities: A denial of service flaw was found in the way the SSL module implementation of Python 3 performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to [More...]
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in cacti: Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id [More...]
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
FreeBSD Security Advisory FreeBSD-SA-13:09.ip_multicast [REVISED]

Adobe released their September 2013 Black Tuesday bulletins:

#          Affected          CVE
APSB13-21  Flash Player      CVE-2013-3361
APSB13-22  Acrobat & Reader  CVE-2013-3351
APSB13-23  Shockwave         CVE-2013-3359

Swa Frantzen

FreeBSD Security Advisory FreeBSD-SA-13:11.sendfile
FreeBSD Security Advisory FreeBSD-SA-13:13.nullfs

Security heavyweights to keynote HITB conference in Malaysia
Help Net Security
"As I've studied, I've found many analyses of the way the human brain learns, operates, and responds to new inputs to be quite explanatory of some of the effects we, as InfoSec professionals, often observe in the field," he added. "Rather than ...

Smartphones are taking over, but feature phones still matter to Google, which has updated Gmail for the cheap devices with an improved user interface.
Google will team with the online-learning consortium backed by Harvard, MIT, Stanford and others to build a new site that can be used to host courses online.
The feud between Cisco Systems and maintenance service provider Multiven has come to Europe with the filing of a new antitrust complaint over how Cisco provides software updates.
FreeBSD Security Advisory FreeBSD-SA-13:12.ifioctl
[ MDVSA-2013:228 ] cacti
Open-Xchange Security Advisory 2013-09-10
LibRaw CVE-2013-1439 Multiple NULL Pointer Dereference Denial of Service Vulnerabilities
Nonprofit organizations will be able to sign up for Office 365 for free or at a reduced price as part of a new program Microsoft launched on Tuesday.
Cisco today said it would add a security arm to its existing services division with an eye toward pushing its support of its security products as well as offering a range of managed security services.
Workday is hoping to give rival Oracle and other ERP vendors fits with an upcoming product aimed at institutions of higher education.
Opera Software yesterday launched a new browser, dubbed Coast, for the iPad, touting it as a radical departure from run-of-the-mill mobile Web browsers.
Philadelphia Eagles fans attending Sunday's home opener at Lincoln Financial Field will be able to access a new free Wi-Fi network to watch game video, visit social networks or even order food.

Cisco takes aim at security services
China Mobile, the country's largest mobile carrier, will release its first voice-over-LTE phones next year as part of its plan to bring a full range of handsets to its upcoming 4G network.
freeFTPd 'PASS' Command Buffer Overflow Vulnerability
Twitter has acquired MoPub, a mobile-focused advertising exchange that could help the social network grow its ad business as more users move away from the desktop.
The Polish Central Anti-Corruption Bureau and U.S. agencies are investigating potential violations of the Foreign Corrupt Practices Act by an employee of an indirect subsidiary of Hewlett-Packard in Poland, the company said in a filing Monday.
Advanced Micro Devices unveiled its plan on Monday to release a line of chips next year for embedded systems in products such as digital signs and Internet-enabled televisions.
Workday has unveiled a new software module for its cloud-based human capital management (HCM) application that allows customers to analyze data from both Workday and third-party sources.
Apple just can't keep a secret these days. Experts expect few surprises after 'a thorough leaking of Apple's most likely plans.'
New Chromebooks running Intel's latest Haswell processors are expected to be announced at the Intel Developer Forum this week, according to a source familiar with the plans.
In its bid to boost its acceptance in physical retail stores, PayPal has introduced technology that will enable people running its app on smartphones to automatically check in at stores and restaurants.
Satellites the size of shoe boxes, which are expected to one day let researchers explore space more economically, will soon have a much longer reach.
Multiple vulnerabilities on D-Link Dir-505 devices

Steven J. Vaughan-Nichols: Does Windows 8 help the government to spy on us?
Computerworld (blog)

[slackware-security] subversion (SSA:2013-251-01)
[CVE-2013-5701] Watchguard Server Center v11.7.4 wgpr.dll Insecure Library Loading Local Privilege Escalation Vulnerability
[SECURITY] [DSA 2752-1] phpbb3 security update
HP SiteScope CVE-2013-2367 Multiple Unspecified Remote Code Execution Vulnerabilities
[ MDVSA-2013:227 ] python-setuptools

Posted by InfoSec News on Sep 10


The New York Times
September 9, 2013

Newly released documents reveal how the government uses border crossings
to seize and examine travelers’ electronic devices instead of obtaining a
search warrant to gain access to the data.

The documents detail what until now has been a largely secretive process
that enables the government...

Posted by InfoSec News on Sep 10


By Michael Lee
ZDNet News
September 10, 2013

Whether it's resisting change from necessary security measures, not
understanding the risk to a business, or being a rogue employee who
circumvents corporate security completely, people are at the centre of
security failures or compromises.

In a ZDNet Australia panel discussion held on Thursday,...

Posted by InfoSec News on Sep 10


By Peter Sayer
09 September 2013

The U.S. National Security Agency is able to read messages sent via a
corporate BlackBerry Enterprise Server (BES), according to a report by
German news magazine Der Spiegel. The purpose of this spying is economic
or political, and not to counter terrorism, the magazine hints.

The report,...

Posted by InfoSec News on Sep 10


By Nate Anderson
Ars Technica
Sept 9 2013

Matthew Green is a well-known cryptography professor, currently teaching
in the computer science department of Johns Hopkins University in
Baltimore. Last week, Green authored a long and interesting blog post
about the recent revelations that the National Security Agency (NSA) has,
among much else, subverted...

Posted by InfoSec News on Sep 10


By Tracy Kitten
Bank Info Security
September 9, 2013

Federal regulators are urging banking institutions to pay more attention
to vendor management in light of recent breaches, such as one that
compromised core processor Fidelity National Information Services, better
known as FIS.

During a recent Community Bankers Advisory Committee meeting in
Washington, D.C., examiners...