Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Proof of connection: the site check.torproject.org will show you if you're connected via Tor. (credit: Tor)

The head of the Tor Project has accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.

Neither Carnegie Mellon officials nor the FBI immediately responded to Ars' request for comment. If true, it would represent a highly unusual collaboration between computer security researchers and federal authorities.

Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, did not deny the accusations directly but told Wired: “I’d like to see the substantiation for their claim,” adding “I’m not aware of any payment.”


 

The Register

Robotic arm provides infosec automation for dodgy card readers
The Register
Video Blighty-based infosec firm MWR InfoSecurity has created an automated fuzz tester to shore up vulnerabilities which may be affecting any device people are slotting their "Chip and Pin" cards into. Most infosec researchers who have dug into the ...

 

BankInfoSecurity.com

4 Barriers to Hiring DHS InfoSec Experts
BankInfoSecurity.com
Although the U.S. Office of Personnel Management this week granted the Department of Homeland Security permission to hire 1,000 cybersecurity specialists, that authorization doesn't ensure that 1,000 experts will be hired anytime soon. See Also: Stop ...

 

 

Adobe released an update for Flash Player yesterday [1]. The update fixes 17 vulnerabilities and is rated with a criticality of 1. Microsoft Windows users will receive the related update for Internet Explorer 10 and Microsoft Edge from Microsoft directly [2].

As usual, consider the click-to-play option many browsers provide to avoid exposing Flash Player to sites that do not need it.

[1] https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
[2] https://technet.microsoft.com/library/security/2755801

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 


The cautionary tales just keep coming for Internet-connected TVs, thermostats, and other so-called "Internet-of-Things" devices. Today's lesson comes courtesy of a smart TV from Vizio that was subjected to a man-in-the-middle attack because it couldn't be bothered to validate the HTTPS certificates of servers it connected to.

Researchers from security firm Avast found that the Vizio model in their lab broadcast fingerprints of users' viewing habits, even when owners hadn't consented to a privacy policy displayed during setup. What's more, the researchers uncovered a vulnerability in the smart TV that could act as a potential attack vector for a hacker attempting to access a user's home network.


 
Secunia Research: Google Picasa CAMF Section Integer Overflow Vulnerability
 


Any law that forbids citizens from revealing what the government gets up to, or from speaking out about what they find, needs to be looked at with a very hard stare indeed. Yet that’s where we find ourselves with the draft Investigatory Powers Bill, aka the Snooper's Charter.

As Glyn Moody and George Danezis point out, the draft bill effectively makes it a crime to reveal the existence of government hacking. Along the way, the new law would also make it illegal to discuss the existence or nature of warrants with anyone under any circumstances, including in court or with your MP, no matter what’s been happening. The powers are sweeping, absolute, and carefully put beyond public scrutiny, effectively for ever. There’s no limitation of time.

Forget for one moment the wisdom of giving such powers to anyone and placing them outside the main system of law, as part of normal civil life. Ignore the chance that anyone within the security services or government or other authorised agencies might use this to cover up bad actions, either their own or those of someone else who’s been doing embarrassing things. Such things are bad and inevitable, but that’s not the worst part.


 

CSO Online

Hacked Opinions: Veterans who transitioned into InfoSec
CSO Online
CSO recently questioned six veterans who are all active members of the InfoSec community. The aim of this standalone Hacked Opinions post was to focus on how they transitioned into InfoSec from their military careers, and what advice they'd offer to ...

 
Microsoft .NET Framework XSS / Elevation of Privilege CVE-2015-6099
 
[SECURITY] [DSA 3397-1] wpa security update
 
[security bulletin] HPSBGN03507 rev.2 - HP Arcsight Management Center, Arcsight Logger, Remote Cross-Site Scripting (XSS)
 