Information Security News
Why InfoSec Pay Shows Lackluster Gains
Conventional wisdom dictates that the high demand for IT security practitioners would cause salaries to rise, perhaps significantly - a simple example of supply and demand. But the recovery from the Great Recession - which lasted from December 2007 to ...
Applying Engineering Values to InfoSec
The National Institute of Standards and Technology is developing new cybersecurity standards based on the same principles engineers use to build bridges and jetliners. At the University of Minnesota College of Science and Engineering's Technology ...
Server-to-server e-mail encryption using the STARTTLS protocol has reached an important tipping point that hardens the majority of messages Facebook sends its users against wholesale snooping by well-financed adversaries, according to figures released Tuesday by the site.
The social network said 58 percent of the notification e-mails it sends users are successfully encrypted using STARTTLS. Even more impressive, 76 percent of unique Mail Exchange hostnames are set up to support the protection, although only about half of them use valid digital certificates to cryptographically validate connections. STARTTLS ensures that plaintext e-mails are encrypted before being transferred from the sending server to the receiving server. Amid revelations of an expansive surveillance program by the National Security Agency and other state-sponsored groups, the extension is seen as a way of thwarting such programs or at least making them more costly to carry out. But like most network-based technologies, its value is proportional to the square of the number of servers that use it, meaning it provides benefit only when widely used.
"It's clear to us that STARTTLS has achieved critical mass and there is immediate value in deploying it," Facebook officials wrote in a blog post. "We encourage anyone who has not already deployed STARTTLS to at least deploy it for opportunistic encryption. As more systems support e-mail encryption, the value increases for everyone."
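The check a mail administrator would want after reading this, as an added example (not Facebook's or Ars Technica's code): probe an MX host and tell a server that merely offers STARTTLS apart from one whose certificate actually validates. Host names are assumed to come from the command line; the EHLO reply parser is exercised on a constructed reply.

```python
"""Probe one MX host for STARTTLS and tell 'verified' (certificate and hostname
validate) apart from 'opportunistic' (TLS works only with validation off).
Added example; not Facebook's or Ars Technica's code."""
import smtplib
import ssl
import sys


def parse_ehlo(ehlo_reply: bytes) -> set[str]:
    """Lower-cased ESMTP keywords from an EHLO reply as smtplib returns it:
    lines joined by newlines, greeting first, then one keyword per line."""
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].lower() for line in lines[1:] if line.strip()}


def _session_with(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> bool:
    """Fresh SMTP session; False if STARTTLS is not offered, True once the TLS
    upgrade under ctx succeeds. A failed handshake raises ssl.SSLError."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, reply = smtp.ehlo()
        if "starttls" not in parse_ehlo(reply):
            return False
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: re-issue EHLO once the channel is encrypted
        return True


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Classify host as 'none', 'verified', 'opportunistic' or 'error: ...'.
    The second attempt reconnects: a failed handshake ruins the first session."""
    strict = ssl.create_default_context()  # verifies chain and hostname
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE        # all that opportunistic TLS demands
    try:
        return "verified" if _session_with(host, port, strict, timeout) else "none"
    except ssl.SSLError:
        pass  # STARTTLS offered, but the certificate did not validate
    except OSError as exc:  # socket errors and smtplib.SMTPException alike
        return f"error: {exc}"
    try:
        return "opportunistic" if _session_with(host, port, lax, timeout) else "none"
    except OSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for mx in sys.argv[1:]:
        print(mx, probe_mx(mx))
```

Run it against your own MX hosts; an "opportunistic" result means peers can still encrypt to you but cannot verify they reached the right server.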
Last year, Ars documented how Skype encryption posed little challenge to Microsoft abuse filters that scanned instant messages for potentially abusive Web links. Within hours of newly created, never-before-visited URLs being transmitted over the service, the scanners were able to pluck them out of a cryptographically protected stream and test if they were malicious. Now comes word that the National Security Agency is also able to work around Skype crypto—so much so that analysts have deemed the Microsoft-owned service "vital" to a key surveillance regimen known as PRISM.
"PRISM has a new collection capability: Skype stored communications," a previously confidential NSA memo from 2013 declared. "Skype stored communications will contain unique data which is not collected via normal real-time surveillance collection." The data includes buddy lists, credit card information, call records, user account data, and "other material" that is of value to the NSA's special source operations.
The memo, which was leaked by former NSA contractor Edward Snowden and released Tuesday by Glenn Greenwald to coincide with the publication of his book No Place to Hide, said the FBI's Electronic Communications Surveillance Unit had approved "over 30 selectors to be sent to Skype for collection."
by Cyrus Farivar
On Tuesday, Doge Vault, one of the most popular online repositories for the cryptocurrency Dogecoin, formally acknowledged that it had been hacked two days earlier.
“On the 11th of May, the Doge Vault online wallet service was compromised by attackers, resulting in a service disruption and tampering with wallet funds,” the site wrote. “As soon as the administrator of Doge Vault was alerted, the service was halted. The attackers had already accessed and destroyed all data on the hosted virtual machines.”
While Doge Vault hasn’t officially said how much was lost, a newly created Dogecoin wallet shows that 121,550,030 dogecoins have been transferred into it over the last 24 hours. At present exchange rates, that’s worth about $56,000.
We are now up to 3 bulletins from Adobe.
TL;DR? Current versions in one simple table (I hope I got that right):
| Adobe Reader XI | 11.0.07 | 11.0.07 | - |
| Adobe Reader X | 10.1.10 | 10.1.10 | - |
| Adobe Flash Player 13 | 184.108.40.206 | 220.127.116.11 | 18.104.22.1689 |
| Adobe Flash Player (Google Chrome) | 22.214.171.124 | 126.96.36.199 | 188.8.131.52 |
| Adobe Flash Player (MSFT Internet Expl) | 184.108.40.206 | - | - |
| Adobe Air SDK | 220.127.116.11 | | |
| Adobe Illustrator Subscription | 16.2.2 | 16.2.2 | |
| Adobe Illustrator Non-Subscription | 16.0.5 | 16.0.5 | |
APSB14-14: covering Flash Player. It fixes 6 different vulnerabilities, one of which was found earlier this year during the pwn2own contest (CVE-2014-0510).
These vulnerabilities affect Windows, Linux and OS X. Adobe assigned them "Priority 1" indicating that they may have been used in targeted exploits. This makes this a "Patch Now!" vulnerability for us.
CVE-2014-0510: pwn2own vulnerability. remote code execution with sandbox bypass.
CVE-2014-0516: Same origin bypass
CVE-2014-0517: Security feature bypass
CVE-2014-0518: Security feature bypass
CVE-2014-0519: Security feature bypass
CVE-2014-0520: Security feature bypass
APSB14-15: For Adobe Acrobat and Reader
CVE-2014-0511: pwn2own vulnerability. remote code execution with sandbox bypass
CVE-2014-0512: pwn2own vulnerability. remote code execution with sandbox bypass
CVE-2014-0522: code execution (memory corruption)
CVE-2014-0523: code execution (memory corruption)
CVE-2014-0524: code execution (memory corruption)
CVE-2014-0525: code execution (use after free?)
CVE-2014-0526: code execution (memory corruption)
CVE-2014-0527: code execution (use after free)
CVE-2014-0528: code execution (double free)
CVE-2014-0529: code execution (buffer overflow)
Like the Flash bulletin, this one is rated "Priority 1".
APSB14-11: Hotfix for Adobe Illustrator
CVE-2014-0513: code execution (Stack Overflow)
This bulletin is only rated "Priority 3".
Is Infosec Getting More Stressful?
As the security landscape changes, infosec pros find it tough to keep up, said Bill Gardner, an assistant professor who teaches Digital Forensics and Information Assurance at Marshall University and is also president and principal security consultant ...
Overview of the May 2014 Microsoft patches and their status.
| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) |
| (released May 1st) | Security Update for Internet Explorer (Microsoft Windows, Internet Explorer) | | | | |
| MS14-022 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (Microsoft Server Software, Productivity Software) | | | | |
| MS14-023 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution | | | | |
| MS14-024 | Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (ASLR Bypass) | | | | |
| MS14-025 | Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (Group Policy Preferences) | | | | |
| MS14-026 | Vulnerability in .NET Framework Could Allow Elevation of Privilege (Microsoft Windows, Microsoft .NET Framework) | | | | |
| MS14-027 | Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege | | | | |
| MS14-028 | Vulnerability in iSCSI Could Allow Denial of Service | | | | |
| MS14-029 | Security Update for Internet Explorer (Microsoft Windows, Internet Explorer) | | | | |
Data breach detection and remediation share spotlight at InfoSec
Most of the vendors interviewed at InfoSec were more than willing to talk about their latest strategies for the proactive protection of business systems and networks, the data they hold, and the applications they use. But at the same time many seemed ...
Posted by InfoSec News on May 13: http://www.theregister.co.uk/2014/05/12/ge_patches_gap_in_capabilities_with_infosec_buy/
Posted by InfoSec News on May 13: http://www.tradearabia.com/news/IT_257994.html
Posted by InfoSec News on May 13: http://www.csoonline.com/article/2153713/security-leadership/how-to-optimize-your-security-budget.html
Posted by InfoSec News on May 13: http://krebsonsecurity.com/2014/05/teen-arrested-for-30-swattings-bomb-threats/
Posted by InfoSec News on May 13: http://www.independent.co.uk/news/uk/crime/cybercrime-boss-offers-a-ferrari-for-hacker-who-dreams-up-the-biggest-scam-9349931.html
Posted by InfoSec News on May 13: http://www.bankinfosecurity.com/ffiec-cyber-assessments-what-to-expect-a-6831
Posted by InfoSec News on May 13: http://english.vietnamnet.vn/fms/science-it/102081/vietnam-china-cyberwar-breaking-out-.html
Posted by InfoSec News on May 13: http://www.defenseone.com/technology/2014/05/what-most-secure-email-universe-would-look/84247/