sthttpd 'thttpd.log' Insecure File Permissions Vulnerability

The National Security Agency can easily defeat the world's most widely used cellphone encryption, a capability that means the agency can decode most of the billions of calls and texts that travel over public airwaves each day, according to a published report citing documents leaked by Edward Snowden.

The NSA "can process encrypted A5/1" calls even when agents don't have the underlying cryptographic key, The Washington Post reported Friday, citing this top-secret document provided by former NSA contractor Snowden. A5/1 is an encryption cipher developed in the 1980s that researchers have repeatedly cracked for more than a decade. It remains widely used to encrypt older, 2G cellphone calls. Newer phones can still use A5/1, even when showing they're connected to 3G or 4G networks.

In the past five years, cracking A5/1 has grown steadily easier and less costly. In 2010 researchers unveiled a technique that cost about $650 and relied on open-source software and off-the-shelf hardware. Next-generation spy devices sold to militaries and law-enforcement groups have long marketed the ability to eavesdrop on A5/1-protected calls, too. Despite the growing susceptibility of A5/1, it remains widely used, Karsten Nohl, chief scientist at Security Research Labs in Berlin, told The Washington Post. Reporters Craig Timberg and Ashkan Soltani explained:

Microsoft has joined the board of directors of the FIDO ("Fast IDentity Online") Alliance, an industry consortium that is attempting to create a set of protocols to enable consistent, secure, passwordless access to Web-based applications. Other members include Google, BlackBerry, PayPal, Lenovo, and MasterCard.

The problems with passwords are well-known. They're poorly chosen, regularly stolen, and routinely reused across sites, meaning that a compromise of one account can lead to compromises of many others.

FIDO hopes to replace passwords with a system built around public key cryptography. To register with a FIDO site, you won't enter a password into the site. Instead, hitting register will alert your authentication devices—typically an app on your smartphone—of the attempt to register. If that attempt is approved (for example, by using a registered fingerprint or entering a PIN), the device will generate a public/private key pair. The public key will be sent to the online service; the private key will be retained on the authentication device.

PHP CVE-2013-6712 Remote Denial of Service Vulnerability
Multiple HP Products CVE-2013-4810 Remote Code Execution Vulnerabilities
JDA has been hit with a lawsuit from online lingerie and underwear seller Andra Group, which claims its business suffered millions in damages after a new e-commerce system wasn't delivered as promised.
D-Link DAP-1522 Wireless Router Hardcoded Credentials Security Bypass Vulnerability
Cisco Adaptive Security Appliance CVE-2013-5515 Denial of Service Vulnerability

The magical list of security predictions for 2014
CSO (blog)
About this time every year, journalists covering the InfoSec beat start seeing prediction lists being pitched. Sadly, we will see the same pitch, from the same vendor, several times, often because we're on multiple blast lists. Thus, our inbox is ...

Despite growing pushback from some companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation's enforcer of data security standards.
Security concerns raised by Republican critics of the U.S. Department of Health and Human Services' botched rollout of HealthCare.gov have been overstated, according to a memo released Friday by two Democratic members of Congress.
Critics of the U.S. Department of Health and Human Services' botched deployment of HealthCare.gov can point to a series of management mistakes, but many observers point to a more systematic problem with government IT contracts.
[security bulletin] HPSBGN02951 rev.1 - HP Operations Orchestration, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
[security bulletin] HPSBMU02874 rev.3 - HP Service Manager and ServiceCenter, Java Runtime Environment (JRE) Security Update
[security bulletin] HPSBMU02872 rev.4 - HP Service Manager Web Tier, Remote Disclosure of Information, Cross Site Scripting (XSS)
[security bulletin] HPSBGN02952 rev.1 - HP Application Lifecycle Manager (ALM) Running JBoss Application Server, Remote Code Execution
The North Korean state propaganda machine has edited and deleted hundreds of news articles that mention Jang Song Thaek, the former top government and party official who was executed Thursday.
Microsoft will return to San Francisco in April to reprise its BUILD developers conference.
Linux Kernel CVE-2013-2929 Local Privilege Escalation Vulnerability
Making voice calls via cell phone aboard a plane doesn't hold much interest for U.S. airline passengers or airlines, but there isn't a technological reason to ban them, according to federal authorities.
Microsoft is likely to bring back the Start menu to Windows 8 and let users run "Metro" apps inside windows on the desktop, restoring traditional elements to its newest operating system.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5613 Multiple Memory Corruption Vulnerabilities
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5609 Multiple Memory Corruption Vulnerabilities
The Android 4.4.2 update that began to roll out Monday to Google's Nexus devices removed a feature that gave users fine-grained control over app permissions, prompting criticism from the Electronic Frontier Foundation.
Google's soon-to-be-publicly-available wearable technology exposes your company to problems ranging from illegal wiretapping and surveillance to a wild spectrum of inappropriate uses. Columnist Rob Enderle writes that you should do yourself a favor and ban Google Glass before it is even available to your employees.
TYPO3 Content Editing Wizards Unspecified Cross Site Scripting Vulnerability
TYPO3 Content Editing Wizards Information Disclosure Vulnerability
TYPO3 Backend User Administration Extension Unspecified Cross Site Scripting Vulnerability
TYPO3 Extension Manager Unspecified Cross Site Scripting Vulnerability
I spy.

A presidential advisory committee set up to examine the National Security Agency (NSA) is recommending the continuation of "a program to collect data on every phone call made in the United States," but with new restrictions "intended to increase privacy protections," The New York Times reported yesterday.

The report by the Review Group on Intelligence and Communications Technology, expected to be delivered to the White House by Sunday, wasn't released publicly, but officials described its contents to newspapers. The group concluded that NSA surveillance programs are legal but recommended various changes to their structure, transparency, and security.

The Wall Street Journal reported that the panel's draft proposals "would change the spy agency's leadership from military to civilian and limit how it gathers and holds the electronic information of Americans. The task force, for example, proposed that the records of nearly every US phone call now collected in a controversial NSA program be held instead by the phone company or a third-party organization." There would be "stricter standards" for allowing NSA officials to search the data.

Dropbox is getting help from Dell to persuade enterprises to pick its hosted storage and file-sharing platform, and also to make it more secure.
Chip maker Qualcomm will promote current COO Steve Mollenkopf to the role of CEO next year. He will replace long-standing CEO Paul Jacobs, son of one of the company's founders, Irwin Jacobs, the company said Friday.
As Yahoo goes into another day of an email outage, angry users are venting their frustrations on social networks.
Monitorix HTTP Server CVE-2013-7072 Multiple Unspecified Security Vulnerabilities
Debian devscripts 'uscan' Filename Handling Arbitrary File Deletion Vulnerability
Bitrix Site Manager CVE-2013-6788 'BITRIX_SM_SALE_UID' Cookie User Identity Spoofing Vulnerability
Twitter reversed a controversial policy change announced Thursday under which a user could block others on Twitter, but the blocked people could still follow and see the user's tweets and interact with them.
If you get a spam message advertising an application called "Bitcoin Alarm," the name may tell you all you need to know.
Under pressure from the U.S. Congress and the Federal Communications Commission, the top five U.S. mobile operators have agreed to let their customers unlock their devices and move to another provider.
Foxconn Technology Group has come up short in trying to limit the overtime hours of its workers in China, but still made progress in improving the working conditions at three of its factories that make products for Apple, a labor group said Thursday.
Microsoft has joined the FIDO Alliance, an industry group attempting to craft industry standards that reduce reliance on passwords, long regarded as a weak point in Web security.
As Yahoo goes into a fourth day of an email outage, angry users are venting their frustrations on social networks.

World Federation of Exchanges launches global cyber-security committee
Bobsguide (press release)
The role of the new WFE cyber-security committee is to identify and communicate global infosec best practice in regard to protecting market infrastructures against cyber-attacks and to protect the world's critical capital markets. The working group ...

Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities

PCI-DSS 3.0 Brings New Penetration Testing Requirements, Explains Rhino ...
IT Business Net
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary infosec standard for organizations that handle payment card information, including debit, credit, 'e-purse', and POS cards. It was founded by the Payment Card Industry Security ...

[SECURITY] [DSA 2816-1] php5 security update
Microsoft Yammer - Persistent Profile Vulnerabilities
Microsoft PhotoStory - CS Cross Site Scripting Vulnerability
[CVE-2013-5112] Evernote Android Insecure Storage of PIN data / Bypass of PIN protection
[CVE-2013-5116] Evernote Android Insecure Password Change (one-click setup)