Google developers have confirmed a cryptographic vulnerability in the Android operating system that researchers say could generate serious security glitches on hundreds of thousands of end user apps, many of them used to make Bitcoin transactions.

This weakness in Android's Java Cryptography Architecture is the root cause of a Bitcoin transaction that reportedly was exploited to pilfer about $5,720 worth of bitcoins out of a digital wallet last week. The disclosure, included in a blog post published Wednesday by Google security engineer Alex Klyubin, was the first official confirmation of the Android vulnerability since Ars and others reported the incident last weekend. Klyubin warned that other apps might also be compromised unless developers change the way they access so-called PRNGs, short for pseudo-random number generators.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG," he wrote. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected." Apps that establish encrypted connections using the HttpClient and java.net classes aren't vulnerable.
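The failure mode described above, a PRNG that is never properly initialized so that separate instantiations can hand out the same "random" value, can be caught with a simple uniqueness check. The following is an added illustration in Python, not Google's code and not the Android workaround itself: `random.Random` stands in for an application-level PRNG, `weak_generator` models a seed drawn from a tiny entropy space (a constructed stand-in for the uninitialized case), and `duplicate_count` instantiates many fresh generators and counts colliding first outputs, which for key-sized values should always be zero.

```python
import os
import random
import secrets
from collections import Counter

# Two generator "factories" standing in for a freshly constructed PRNG as an
# app would create it at startup. Neither is Android code; both are constructed
# for this illustration.


def weak_generator():
    """Constructed weak PRNG: the seed comes from a 16-value space, modelling a
    generator that was never seeded from a real entropy source. Fresh instances
    therefore frequently start in the same state."""
    return random.Random(secrets.randbelow(16))


def strong_generator():
    """Properly initialized PRNG: the seed is 256 bits from the OS entropy pool."""
    return random.Random(int.from_bytes(os.urandom(32), "big"))


def draw_value(gen, nbytes: int = 16) -> bytes:
    """Draw one key-sized value (a fresh key, IV or signing nonce) from gen."""
    return gen.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def duplicate_count(factory, instances: int = 200) -> int:
    """Create `instances` fresh generators and count first-draw values that
    collide with another instance's first draw. For healthy 128-bit outputs the
    expected count is 0; any collision means instances share seed state, which
    is exactly what makes generated keys and nonces recoverable."""
    first_draws = Counter(draw_value(factory()) for _ in range(instances))
    return sum(count - 1 for count in first_draws.values() if count > 1)


def generator_is_healthy(factory, instances: int = 200) -> bool:
    """True when no two fresh instances produced the same first value."""
    return duplicate_count(factory, instances) == 0


if __name__ == "__main__":
    print("weak generator collisions:  ", duplicate_count(weak_generator))
    print("strong generator collisions:", duplicate_count(strong_generator))
```

The check is cheap enough to run in a test suite: construct the PRNG the same way the application does, draw once from each of a few hundred fresh instances, and fail the build on any repeat.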



(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Chinese hackers are using an automated tool to exploit known vulnerabilities in Apache Struts, in order to install backdoors on servers hosting applications developed with the framework.
Cisco Systems announced Wednesday it will eliminate about 4,000 jobs, saying it needs to pare down middle management to speed up decision-making and execution.
Citing installation issues and inadequate testing, Microsoft has withdrawn an Exchange Server 2013 security update that it issued earlier this week as part of its "Patch Tuesday" release cycle.

Think tank wants dedicated infosec minister, 'modern' data retention
The Australian Strategic Policy Institute (ASPI) has issued an “Agenda for Change” (PDF) that suggests data retention is a necessary centrepiece of Australia's future homeland security needs. The document's introduction, penned by ASPI Chair Stephen ...


In a pattern that has played out repeatedly over the past year or two, researchers in the past two days have reported a string of ongoing attacks that take control of Web servers by exploiting critical vulnerabilities in Apache software, Joomla, and other applications used to deliver content and programs online.

The vulnerabilities in both the Apache Struts framework and the Joomla content management system have been fixed recently, but attackers continue to exploit the flaws on servers that have yet to install the updates, according to research published in the past two days. The attacks can have severe consequences for the websites that use the older versions, since the exploits make it possible to execute malicious code that can pilfer confidential customer data, mount malware attacks on visitors, and install applications that give attackers persistent backdoor access to some of a server's most sensitive resources.

One recent avenue for gaining backdoor access is an automated tool that exploits recently patched versions of Struts, an Apache framework for developing Java applications. The hacking tool, which researchers discovered three days after Apache's July 16 security advisory was issued, takes away much of the difficulty of manually injecting commands needed to extract sensitive information from vulnerable servers.



HP LoadRunner ActiveX Control CVE-2013-4801 Remote Code Execution Vulnerability
Apple's innovation problems were highlighted today when Forbes published its 2013 list of the world's most innovative companies and ranked Apple at No. 79.
Move over Hadoop, there is another highly scalable data processing powerhouse in town: Apache Giraph. Facebook is using the technology to bring a new style of search to its billion users.
Cisco Systems revenue and profit increased in the company's fourth quarter compared to a year earlier as the company continued its push to transcend its networking roots and become the world's top IT company.
HP LoadRunner CVE-2013-4797 Remote Code Execution Vulnerability
HP LoadRunner CVE-2013-4798 Remote Code Execution Vulnerability
HP LoadRunner CVE-2013-4799 Remote Buffer Overflow Vulnerability
Google is adding the voice recognition tools that have been found in Google Now to Google Search. If information you're looking for is in your Gmail, Google Calendar or Google+ account, you'll be able to ask Google Search to find it for you.
Google is shutting down its Messenger group chatting service as part of an update to its Google+ app for Android-based devices, the company recently announced. Google will also be ditching the service on iOS devices.
Intel is looking to use light and lasers to shuffle data faster among servers, and is proposing a new optical interconnect, MXC, that could change the way servers are implemented in data centers.
IBM is hoping to help create the next generation of "big data" specialists through a series of partnerships with universities around the world, as well as influence the curriculum.
HP Application Lifecycle Management Quality Center Multiple Cross Site Scripting Vulnerabilities
Microsoft Internet Explorer CVE-2013-3194 Use After Free Memory Corruption Vulnerability
Oracle Database Server CVE-2013-3751 Stack Overflow Remote Code Execution Vulnerability
Dovecot 'LIST' Command Denial of Service Vulnerability
A prime example of carrier and maker adoption of Windows Phone 8 is the new ATIV S Neo. Built by Samsung and running Windows Phone 8, the Neo will go on sale at Sprint starting Friday for $149.99 with a two-year contract and rebate.
Microsoft's Outlook.com web mail application and SkyDrive cloud storage service are suffering a partial outage on Wednesday.
Oracle Endeca Server CVE-2013-3763 Remote Code Execution Vulnerability
Cybercriminals are controlling malware on Android devices through a Google service that enables developers to send messages to their applications, according to security researchers from antivirus vendor Kaspersky Lab.
At best, his presence will be a distraction for CEO Tim Cook, not exactly what the doctor ordered for Apple.
After being down for more than an hour and a half today, The New York Times website is back up and running, though still struggling at points.
Microsoft's Outlook.com web mail application and SkyDrive cloud storage service suffered a partial outage on Wednesday.
strongSwan 'is_asn1()' Function Denial of Service Vulnerability
Oracle Endeca Server CVE-2013-3764 Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-3199 Use After Free Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2013-3193 Use After Free Memory Corruption Vulnerability
The New York Times website and its mobile app both crashed around noon today.
Mobile payments based on NFC chips inside smartphones have faced slow growth in the U.S., but some analysts predict that the upcoming iPhone 5S expected in September will include NFC technology after years of restraint by Apple.
LinuxSecurity.com: SPICE could be made to crash if it received specially crafted network traffic.
LinuxSecurity.com: Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: Updated xymon package fixes security vulnerability: A security vulnerability has been found in version 4.x of the Xymon Systems & Network Monitor tool [More...]
LinuxSecurity.com: Updated otrs package fixes security vulnerability: It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise user-supplied data that is used on SQL queries. An attacker with a valid agent login could exploit this issue to craft [More...]
LinuxSecurity.com: Several vulnerabilities have been discovered in Swift, the Openstack object storage. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
Multiple OTRS Products CVE-2013-4718 Unspecified HTML Injection Vulnerability
OTRS ITSM/FAQ Module CVE-2013-2637 Multiple HTML Injection Vulnerabilities

This is a "guest diary" submitted by Russell Eubanks. We will gladly forward any responses, or you can use our comment/forum section to comment publicly. Russell is currently enrolled in the SANS Masters Program.

The primary reason your security program is struggling is not your lack of funding. You must find a better excuse than not having the budget you are convinced you need in order for your security program to succeed. Do not blame poor security on poor funding. Blame bad security on the REAL reason you have bad security. I hope to encourage you to take a new look at what you are doing and determine if it is working. If not, I encourage you to make a change by using the tools and capabilities you currently have to help tell an accurate story of your security program - with much needed and overdue metrics.

Every person can improve their overall security posture by clearly articulating the current state of their security program. Think creatively and start somewhere. Do not just sit by and wish for a bucket of money to magically appear. It will not. What can you do today to make your world better without spending any money? With some thoughtful effort, you can begin to measure and monitor key metrics that will help articulate your story and highlight the needs that exist in your security program.

When you do start recording and distributing your metrics, make sure they are delivered on a consistent schedule. Consider tracking it yourself for several weeks to make sure trends can be identified before it is distributed to others. Consider what this metric will demonstrate not only now, but also three months from now. You do not want to be stuck with something that does not resonate with your audience or even worse, provides no value at all.

Do not hide behind the security details of your message. Ask yourself why someone who is not the CISO would care about what is being communicated. How would you expect them to use this information? Start planning your response now, ahead of being asked. Think about what you want the recipient to do with this information and be prepared with some scenarios of how you will respond when they ask for your plan. Never brief an executive without a plan.

Develop and rehearse your message in advance. Look for opportunities to share your message with others during the course of your day. Every day. Practice delivering your "elevator pitch" to make sure you are comfortable with the delivery and timing of the content. Ask your non-security friends if your message is clear and can be easily understood. Often those who are not as close to the message can provide much more objective feedback. Resist the urge to tell every single thing you know at your first meeting. Give enough compelling facts that the recipient wants to know more, in a manner they can understand without having to be a security professional.

I recognize this behavior every time I see it because I used to be guilty of the very same thing. I am certain that I was the worst offender. It takes no effort to sit by and complain. That only serves to make things worse. It takes commitment to conquer the problem. Unfortunately, only a few do that very well. Change your paradigm from "why will no one listen to me?" to "what is my plan to communicate the current situation in an effective manner?" Have you found yourself guilty of admiring the problem? Do you stop working on problems when you realize that it is going to be simply too hard? Think beyond the current state and look to how things could be with focused effort.

Do not ask for everything at once. Seek an initial investment in your security program and demonstrate with metrics the value of that investment. Show how you have been a good steward with the initial investment and can be trusted with incremental investments. Be open, honest and transparent about the use of the resources. Pay particular attention to schedule, scope and budget. The people you are asking for financial support sure will.

The primary reason your security program is failing is not your lack of funding. Start developing your plan today. Maybe the executives think there must not be a problem, since they are not hearing from you. Use the data you already have to tell the story of the current state of your security program. This information, properly communicated, can become the catalyst for increased awareness and funding.

Here are a few ideas to get you started:

  • Monitor the percentage of systems sending their logs as compared to the total number of log sources in use
  • Monitor the percentage of blocked traffic on the firewall versus what was permitted
  • Monitor the percentage of changes that occur outside the approved change control process
  • Monitor the percentage of findings on your risk register that have remained unchanged over the last quarter

What metrics have you found to be useful when communicating the needs and the effectiveness of your security program?

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

The U.S. has verbally committed to enter into a no-spying agreement with Germany in the wake of disclosures about the U.S. National Security Agency's secret surveillance programs.
Novell iPrint Client CVE-2012-0411 Remote Code Execution Vulnerability
Microsoft Internet Explorer CVE-2013-3184 Memory Corruption Vulnerability
Oracle Endeca Server CVE-2013-3763 Remote Security Vulnerability

Update: looks like this has been fixed now. Of course bad cached data may cause this issue to persist for a while.

Currently, many users are reporting that .gov domain names (e.g. fbi.gov) will not resolve. The problem appears to be related to an error in the DNSSEC configuration of the .gov zone.

According to a quick check with dnsviz.net, it appears that there is no DS record for the current .gov KSK deposited with the root zone.

dnsviz.net Screen Shot

(excerpt from: http://dnsviz.net/d/fbi.gov/dnssec/) 

DNSSEC relies on two types of keys each zone uses:

- A "key signing key" (KSK) and
- A "zone signing key" (ZSK)

The KSK is usually long and its hash is deposited with the parent zone as a "DS" (Digital Signing) record. This KSK is then used to sign shorter ZSKs, which are then used to sign the actual records in the zone file. This way, the long key signing key doesn't have to be changed too often, and the DS record with the parent zone doesn't require too frequent updates. On the other hand, most of the "crypto work" is done using the shorter ZSKs, which in turn improves DNSSEC performance.

I am guessing that the .gov zone recently rotated its KSK, but didn't update the corresponding DS record with the root zone.

This will affect pretty much all .gov domains as .gov domains have to be signed using DNSSEC. You will only experience problems if your name server (or your ISP's name server) verifies DNSSEC signatures.
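The failure described above (a child zone rolls its KSK but the parent still holds the DS of the old key) can be checked mechanically: compute the DS that each KSK in the child's DNSKEY set would produce and look for it in the parent's DS set. The following Python is an added example, not code from the diary or from dnsviz; the key tag and DS digest computations follow RFC 4034 (Appendix B for the key tag, SHA-256 digest over the canonical owner name plus DNSKEY RDATA for the DS). All key bytes are fabricated, and the zone is a toy "gov." used only to stand in for the real one.

```python
import hashlib

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3 per RFC 4034) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2) over owner name || DNSKEY RDATA, as hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type, digest): the DS the parent should publish."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def unanchored_ksks(owner: str, dnskeys: list, parent_ds: set) -> list:
    """Key tags of KSKs in the child's DNSKEY set with no matching DS in the parent.
    A non-empty result means validating resolvers cannot build a chain of trust
    from the parent into this zone, so every signed name below it fails to resolve."""
    missing = []
    for rdata in dnskeys:
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & SEP_FLAG:
            continue  # ZSKs are signed by the KSK, not anchored in the parent
        if ds_record(owner, rdata) not in parent_ds:
            missing.append(key_tag(rdata))
    return missing


# --- constructed scenario (fabricated keys, toy zone name) -------------------
ZONE = "gov."
OLD_KSK = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")      # key in place before the roll
NEW_KSK = dnskey_rdata(257, 8, b"\x0a\x0b\x0c\x0d\x0e")  # replacement KSK
ZSK = dnskey_rdata(256, 8, b"\x10\x11\x12\x13")          # zone signing key

# The parent (root) still carries only the DS computed from the old KSK.
PARENT_DS = {ds_record(ZONE, OLD_KSK)}


def rotation_without_ds_update() -> list:
    """Child now publishes NEW_KSK; parent DS never updated -> NEW_KSK unanchored."""
    return unanchored_ksks(ZONE, [NEW_KSK, ZSK], PARENT_DS)


def rotation_with_ds_update() -> list:
    """Correct roll: the parent publishes the new DS (alongside the old one) first."""
    parent_ds = PARENT_DS | {ds_record(ZONE, NEW_KSK)}
    return unanchored_ksks(ZONE, [NEW_KSK, ZSK], parent_ds)


if __name__ == "__main__":
    print("unanchored KSK tags after a bad roll: ", rotation_without_ds_update())
    print("unanchored KSK tags after a good roll:", rotation_with_ds_update())
```

In practice the two inputs come from live DNS: the child's DNSKEY RRset and the DS RRset served by the parent. Running the comparison from a monitoring host before and after every KSK roll catches the gap while the old DS is still in the parent, which is the window in which the roll can be backed out without resolvers ever seeing a broken chain.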


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Microsoft today named Oct. 18 as the launch date for Windows 8.1, the update it hopes will be better received than the original, which debuted the year before.
Oracle WebCenter Capture CVE-2013-1516 Remote Code Execution Vulnerability
Microsoft released two optional security updates to block digital certificates that use the MD5 hashing algorithm and to improve the network-level authentication for the Remote Desktop Protocol.
Worldwide smartphone sales to end users accounted for nearly 52 percent of mobile phone sales in the second quarter, surpassing feature phones sales for the first time as a result of growth in Asian countries like China, Gartner said.
China will soon roll out a plan to stimulate sales of IT products, which could help revive PC shipments in the nation, and further stimulate purchases of smartphones.
Several Bitcoin wallet applications have been upgraded following a serious cryptography problem in Android that could allow attackers to steal the virtual currency.
3D V-NAND, a new technology for packing more data into flash chips, will dramatically increase the number of PCs and enterprise storage systems that use flash in the next decade, a Samsung Electronics executive said.
Facebook is looking for some really bad flash.
Apple's new iPhone 5C will sell at an unsubsidized price between $330 and $400, analysts said, even as some questioned whether the change in the company's lower-priced strategy would pay off.
Subverting BIND's SRTT Algorithm: Derandomizing NS Selection
At a time of government cutbacks, the tenures of public-sector CIOs are growing increasingly shorter than those of their private-sector counterparts, a new Gartner survey finds.
Hitching your wagon to the latest 'it' technology can lead to lucrative pay and compelling job opportunities, but it's not without risk. dBase developer, anyone?

Zombie PCs are for crimelord chumps: Fear clusters, says infosec ace
It may be possible for a "single dedicated attacker" to run an internet "carpet-bombing" attack by applying Big Data and distributed computing technologies, security researcher Alejandro Caceres warns. The traditional botnet, or network of hijacked ...


Posted by InfoSec News on Aug 14


By Erin McCann
Associate Editor
Healthcare IT News
August 9, 2013

The protected health information of some 32,000 patients across 48 states
has been compromised after a health IT vendor's firewall was down for more
than a month, allowing, in some cases, for patient data to be indexed by
Google, officials announced Thursday.

Hospitalist and intensivist company...

Posted by InfoSec News on Aug 14


By: Holly Ellyatt
Assistant Producer
13 Aug 2013

Combating cyber-crime will become an uphill struggle, with the tools
needed to commit technological crimes readily available to anyone armed
with a computer and a few dollars, experts told CNBC.

According to numbers collated by the Center for Strategic and
International Studies, the United Nations Office on Drugs and Crime and
antivirus firm Norton,...

Posted by InfoSec News on Aug 14


By Tracy Kitten
Bank Info Security
August 13, 2013

It has been three weeks since Izz ad-Din al-Qassam Cyber Fighters declared
"The break's over and it's now time to pay off," announcing Phase 4 of
"Operation Ababil," the nearly year-long campaign of
distributed-denial-of-service attacks on major U.S. banks (see DDoS:
Attackers Announce...

Posted by InfoSec News on Aug 14


August 14, 2013

North Korea has about 200 agents who spend their time posting comments
online to undermine South Korean morale, while the whole contingent of
3,000 cyber warfare experts under the Reconnaissance General Bureau wage
cyber terrorism against the South, a private South Korean think tank

The think tank, which studies strategies against...

Posted by InfoSec News on Aug 14


By Jennifer Martinez
The Hill

The former deputy secretary of the Homeland Security Department announced
the launch of a cybersecurity nonprofit organization on Monday that's
focused on the dual goals of preserving an open Internet and encouraging
the adoption of best practices to secure computer systems against...
TYPO3 Static Methods since 2007 Extension Unspecified Cross Site Scripting Vulnerability
Anchor CMS 'name' Field HTML Injection Vulnerability
Advantech WebAccess HMI/SCADA CVE-2013-2299 Cross Site Scripting Vulnerability
[PSA-2013-0813-1] Oracle Java IntegerInterleavedRaster.verify()Signed Integer Overflow