Information Security News
Zero Day Weekly: Drupal disaster, POODLE, Ebola phishing scams
Infosec communities and hacker figureheads have taken the creator to task (and called for the project to be reported to Kickstarter) and a Reddit AMA went badly for the creator; yet the project's funding has exceeded half a million dollars. The creator ...
Kickstarter removed a fundraiser for a popular Tor-based router project on Friday afternoon.
The Anonabox, which was created by August Germar, of Chico, California, aimed to be an “open source embedded networking device designed specifically to run Tor.” Its fundraising goal was $7,500, and in five days, it raised $585,549 from nearly 9,000 backers—including three Ars editors.
Germar told Ars that he was not aware that it had been suspended until Ars forwarded him an e-mail from Kickstarter outlining the possible reasons why it could have been cancelled.
by Robert Lemos
Cyber attacks on large US companies result in an average of $12.7 million in annual damages, an increase of 9.7 percent from the previous year, according to the fifth Cost of Cybercrime report published by the Ponemon Institute on Wednesday.
The report, sponsored this year by Hewlett Packard’s Enterprise Security division, found that business disruption and information loss account for nearly three-quarters of the cost of cybercrime incidents. The study also confirmed that companies that make security a priority have lower costs associated with security incidents during the year. In particular, companies that use technology that helps flag potential intrusions into critical systems have lower costs, by an average of $2.6 million.
“Business disruption, information loss and the time it takes to detect a breach collectively represented the highest cost to organizations experiencing a breach,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.
Apple yesterday released the latest version of its operating system, OS X 10.10 Yosemite. As usual, the new version of the operating system does include a number of security related bug fixes, and Apple released these fixes for older versions of OS X today.
This update, Security Update 2014-005, is available for versions of OS X back to 10.8.5 (Mountain Lion).
Among the long list of fixes, here are a couple of highlights:
Apple doesn't turn off SSLv3 in this release, but restricts it to non-CBC ciphers, limiting its exposure to attacks like POODLE and BEAST. The list of trusted certificate authorities has also been updated.
802.1x no longer supports LEAP by default due to weaknesses in this authentication method.
The bash fix that was released earlier as a standalone update to counter Shellshock is included in this update.
An arbitrary code execution vulnerability in CUPS was fixed. (CVE-2014-3537)
And a quick note about OS 10.10 Yosemite:
After installing it, all security-relevant settings I checked were untouched (good!). Among security-relevant software, GPGMail will not work with Yosemite yet, but according to the developers, a fix is in the works and may be released in a few weeks, though GPGMail may no longer be free. If you rely on software that you compiled with MacPorts: wait for the release of Xcode 6.1, as it is required to recompile the software for OS X 10.10. In general, it is advised that you FIRST update all your software and then upgrade to Yosemite. Little Snitch, another popular piece of security software for OS X, works well with Yosemite, but I recommend you turn off the network filter during the upgrade (it works with it enabled, but you need to approve a lot of new connections from new software).
by Sean Gallagher
On Thursday, the Guardian reported that Whisper, a social media platform that allows individuals to post anonymous messages that can be seen by others based on a number of factors, isn’t all that anonymous after all. Whisper, which is advertised as “the safest place on the Internet,” tracks geolocation data of posters and uses their location data for a number of purposes—including censorship and reporting of posts from military bases to the Department of Defense. Whisper’s chief technology officer took to YCombinator’s Hacker News to defend the company against the report, but his explanation was torn apart by security and privacy experts in the discussion that followed.
Much like its competitor Secret, Whisper allows individuals to post anonymous messages overlaid on images or photos to share with others for comment. The application uses geolocation data to determine where the poster is and who should be able to see its contents. It has become popular with a number of communities, including members of the military.
The Guardian was exploring a potential editorial relationship with Whisper, and staff from the news organization spent three days at Whisper’s offices in Los Angeles. While there, the Guardian team witnessed Whisper employees using an in-house geolocation tool to track posts made from various locations and found that the company is tracking specific Whisper users believed to be “potentially newsworthy,” including members of the military, government employees, and employees of companies such as Disney and Yahoo. The company also shares information about posters and their locations with the Defense Department, FBI, and the UK’s MI5, the Guardian’s Paul Lewis and Dominic Rushe reported.