The study's estimate of the proportion of known "insecure," "maybe secure" and "secure" devices over time. (credit: androidvulnerabilities.org)

It's easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android's security failings. The conclusion finds that "on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities."

Data for the study was collected through the group's "Device Analyzer" app, which has been available for free on the Play Store since May 2011. After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices. The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each individual device was then labeled "secure" or "insecure" based on whether or not its OS version was patched against these vulnerabilities, or placed in a special "maybe secure" category if it could have gotten a specialized, backported fix.

As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that "the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities." Along with the study, the University of Cambridge is launching "AndroidVulnerabilities.org," a site that houses this data and grades OEMs based on their security record. The group came up with a 1-10 security rating for OEMs that it calls the "FUM" score. This algorithm takes into account the number of days a proportion of running devices has no known vulnerabilities (Free), the proportion of devices that run the latest version of Android (Update), and the mean number of vulnerabilities not fixed on any device the company sells (Mean). The study found that Google's Nexus devices were the most secure out there, with a FUM score of 5.2 out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony, and HTC, respectively.
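The labelling step described above (compare each device's OS version against a vulnerability list; "insecure" if any open vulnerability has no backportable fix, "maybe secure" if every open one could have been backported, "secure" otherwise) and two of the three FUM inputs (Update and Mean), as an added example written for this page. It is not the study's code or anything from androidvulnerabilities.org; the FUM weighting itself is not reproduced here because the page does not give it. It assumes each vulnerability can be summarised by a first affected version, a first fixed version and a backport flag, and the vulnerability table and device versions are constructed, not the study's data.

```python
# Added example (not from the Cambridge study or androidvulnerabilities.org):
# a minimal implementation of the secure / maybe secure / insecure labelling.
# The vulnerability table and device versions below are constructed for
# illustration; they are not the study's 13 vulnerabilities or its data.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

SECURE, MAYBE_SECURE, INSECURE = "secure", "maybe secure", "insecure"


def parse_version(s: str) -> tuple:
    """Turn '4.4.2' into (4, 4, 2) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class Vulnerability:
    name: str
    affects_from: str        # first vulnerable Android version (inclusive)
    fixed_in: str            # first Android version shipping the fix (exclusive)
    backport_possible: bool  # an OEM could have shipped a fix to older versions


def unpatched(version: str, vulns: Iterable[Vulnerability]) -> list:
    """Names of the vulnerabilities this OS version is not patched against."""
    v = parse_version(version)
    return [
        vuln.name
        for vuln in vulns
        if parse_version(vuln.affects_from) <= v < parse_version(vuln.fixed_in)
    ]


def label_device(version: str, vulns) -> str:
    """'secure' if no open vulnerability; 'insecure' if any open vulnerability
    has no backportable fix; otherwise 'maybe secure' (every open issue could
    have been fixed by an OEM backport that the version string cannot reveal)."""
    by_name = {v.name: v for v in vulns}
    open_vulns = unpatched(version, vulns)
    if not open_vulns:
        return SECURE
    if all(by_name[n].backport_possible for n in open_vulns):
        return MAYBE_SECURE
    return INSECURE


def proportions(versions, vulns) -> dict:
    """Share of devices in each label: the quantity the figure plots per day."""
    counts = Counter(label_device(v, vulns) for v in versions)
    total = len(versions)
    return {label: counts[label] / total for label in (SECURE, MAYBE_SECURE, INSECURE)}


def mean_unpatched(versions, vulns) -> float:
    """Mean number of open vulnerabilities per device (the 'Mean' input to FUM)."""
    return sum(len(unpatched(v, vulns)) for v in versions) / len(versions)


def proportion_latest(versions, latest: str) -> float:
    """Share of devices on the newest release (the 'Update' input to FUM).
    Versions are compared as tuples, so '6.0' and '6.0.0' are distinct here."""
    target = parse_version(latest)
    return sum(parse_version(v) == target for v in versions) / len(versions)


# Constructed sample data (hypothetical vulnerabilities, not real CVEs).
SAMPLE_VULNS = [
    Vulnerability("vuln-A", "2.2", "4.1.2", backport_possible=False),
    Vulnerability("vuln-B", "4.0", "4.4.0", backport_possible=True),
    Vulnerability("vuln-C", "4.0", "5.1.0", backport_possible=True),
]
SAMPLE_DEVICES = ["2.3.6", "4.1.2", "4.2.2", "4.4.4", "5.1.1", "6.0"]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d, label_device(d, SAMPLE_VULNS), unpatched(d, SAMPLE_VULNS))
    print(proportions(SAMPLE_DEVICES, SAMPLE_VULNS))
    print("mean open vulnerabilities:", mean_unpatched(SAMPLE_DEVICES, SAMPLE_VULNS))
    print("share on latest release:", proportion_latest(SAMPLE_DEVICES, "6.0"))
```

The "maybe secure" bucket exists because a version string only proves a fix when the fix shipped in that release; an OEM backport to an older build is invisible to this kind of survey, which is why the study treats such devices as undecided rather than insecure.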


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe's Flash Player so they can surreptitiously install malware on end users' computers, security researchers warned Tuesday.

So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It's not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions and and may also affect earlier versions. At this early stage, no other technical details are available. The researchers wrote:

In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit. In this wave of attacks, the emails were about the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Pawn Storm has zeroed in on foreign affairs ministries in recent months. In the past, the group has targeted politicians, artists, and journalists in Russia, and it has infected the iOS devices of Western governments and news organizations. Some researchers have linked the espionage campaign to the Russian government, but the usual disclaimers about attribution of hacks apply.



(credit: Etan J. Tal)

A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world's first keylogger—a 1970s bug that Soviet spies implanted in US diplomats' IBM Selectric typewriters to monitor classified letters and memos.

The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.

A “lucrative source of information”

The Soviet implants were discovered through the painstaking analysis of more than 10 tons' worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.



Adobe has released APSB15-24 which addresses 56 vulnerabilities: CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689, CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622, CVE-2015-7623, CVE-2015-7624

Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center


Overview of the October 2015 Microsoft patches and their status.

# | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers
MS15-106 Cumulative Security Update for Internet Explorer (Replaces MS15-095) | Internet Explorer | KB 3096441 | None | Severity: Critical; Exploitability: 1,1,4,1,2,1,1,1,4,1,2,4,1,1,2 | Critical | Important
MS15-107 Cumulative Security Update for Microsoft Edge (Replaces MS15-094, MS15-095, MS15-097, MS15-098, MS15-101, MS15-102, MS15-105) | Microsoft Edge | KB 3096448 | None | Severity: Important; Exploitability: 3,3 | Important | Important
MS15-108 Remote Code Execution in JScript and VBScript (Replaces MS15-066) | JScript / VBScript on Windows 2008 and Vista | KB 3089659 | None | Severity: Critical; Exploitability: 4,4,4 | Critical | Important
MS15-109 Remote Code Execution in Windows Shell (Replaces MS15-088, MS15-020) | Windows Shell | KB 3096443 | None | Severity: Critical; Exploitability: 1,4 | Critical | Important
MS15-110 Remote Code Execution in Microsoft Office (Replaces MS15-036, MS15-046, MS15-070, MS15-081, MS15-099) | Microsoft Office | KB 3096440 | None | Severity: Important; Exploitability: 2,4,4,2,3,3 | Critical | Important
MS15-111 Elevation of Privilege Vulnerability in Windows Kernel (Replaces MS15-025, MS15-038, MS15-052, MS15-076) | Windows Kernel | KB 3096447 | CVE-2015-2553 has been publicly disclosed. | Severity: Important; Exploitability: 2,2,4,1,1 | Important | Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become interesting.
    • Less Urgent.
    • The server column assumes best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat.

Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center

Boolean-based SQL injection Vulnerability in K2 Platforms
[SECURITY] [DSA 3372-1] linux security update
AdobeWorkgroupHelper Stack Based Buffer Overflow

Posted by InfoSec News on Oct 13


By Sean Gallagher
Ars Technica
Oct 8, 2015

A study of the information security measures at civilian nuclear energy
facilities around the world found a wide range of problems at many
facilities that could leave them vulnerable to attacks on industrial
control systems—potentially causing interruptions in electrical power or
even damage...

Posted by InfoSec News on Oct 13


By Simon Sharwood
The Register
13 Oct 2015

UK Banks Halifax and NatWest are among organisations targeted by fake
sites that have won SSL certificates from certification authorities (CAs).

Netcraft says certifiers who should know better – such as Symantec,
Comodo, CloudFlare's certification partner GlobalSign and GoDaddy – have

Posted by InfoSec News on Oct 13


By Andrew Blake
The Washington Times
October 12, 2015

China reportedly arrested several computer hackers at the behest of the
United States government weeks ahead of President Xi Jinping’s visit to
the White House last month as the U.S. continues to weigh imposing
sanctions as a result of cyberattacks blamed on Beijing.

Officials within the...

Posted by InfoSec News on Oct 13


By Peter Sayer
IDG News Service
Oct 12, 2015

Identity and access management specialist LogMeIn has agreed to buy
Marvasol, the company behind online password store LastPass.

The companies expect to close the deal, valuing Marvasol at between US$110
million and $125 million, in a matter of weeks.

LogMeIn is firmly in the enterprise...

Posted by InfoSec News on Oct 13


By Mike Gruss
October 9, 2015

WASHINGTON - A mysterious Russian military satellite parked itself between
two Intelsat satellites in geosynchronous orbit for five months this year,
alarming company executives and leading to classified meetings among U.S.
government officials.

The Russian satellite, alternatively known as Luch or Olymp, launched in...