The Washington Post's servers were penetrated by hackers who accessed employees' user names and password data in a breach that marked the third intrusion in as many years, the paper reported.

Security personnel still don't know the full extent of the loss, an article published Wednesday said. The intrusion was discovered by outside security consultant Mandiant, which reported it to Washington Post officials Wednesday. Compromised data includes employees' user names and passwords that were "stored in encrypted form," which typically means as a cryptographic hash. Post officials, working under the assumption that a fair percentage of hashed passwords can be cracked, planned to direct all employees to change their passwords.

There's no evidence yet that subscriber information such as credit card data or home addresses was accessed. There was also no immediate sign that hackers had accessed the paper's publishing system, employee e-mail databases, or sensitive personal information belonging to workers. Wednesday's article cited a Washington Post official as saying investigators believe the intrusion lasted at most a few days.




According to the Wall Street Journal and independent journalist Brian Krebs, retail giant Target was hit with a major theft of customers’ credit-card and debit-card data captured in stores during the Black Friday weekend.

The company has nearly 1,800 stores in the United States and over 100 in Canada.

"The Secret Service is investigating—we have no further comment as it is an ongoing investigation," Brian Leary, a Secret Service spokesperson, told Ars.



The MacBook's LED indicator is off, but its webcam is very much turned on.

A common pastime among the residents of the Internet's seedy underbelly is spying on people through their webcams, then using the pictures to harass and blackmail the victims. This kind of hacking went mainstream when Miss Teen USA Cassidy Wolf was named as a victim of a blackmail attempt.

In addition to standard computer security advice given to combat this behavior—keep your computer patched, don't install malware, and so on—it's commonly suggested that you only use webcams where the activity LED is hardwired to light up whenever the camera is active. Among others, Apple's line of laptops has been identified as having such hardwired LEDs. However, researchers at Johns Hopkins University have published a paper, first reported on by the Washington Post, demonstrating that even this isn't good enough. Some hardwired LEDs turn out to be, well, software controlled after all.

As with just about every other piece of modern hardware, the webcams in the computers that the researchers looked at—an iMac G5 and 2008-vintage MacBooks, MacBook Pros, and Intel iMacs—are smart devices with their own integrated processors, running their own software. The webcams have three main components: the digital imaging sensor itself, a USB interface chip with an integrated Intel 8051-compatible microcontroller and some RAM, and a small amount of EEPROM memory.




SANS' Tenth Annual Holiday Hacking Challenge is Now Live!
PR Newswire (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...

Oracle's second-quarter revenue rose 2 percent to US$9.3 billion while net income dropped 1 percent to $2.6 billion, with new software license and cloud subscription revenue flat and hardware product revenue continuing a long slide.
Encryption technology has come a long way since the Enigma machine.

A presidential advisory committee today recommended that the US government stop any efforts to undermine encryption standards or attack commercial software.

The panel's report (full text at Whitehouse.gov) comes in response to the National Security Agency leaks of Edward Snowden and makes 46 recommendations. Number 29 should please IT security researchers:

We recommend that, regarding encryption, the US Government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and

(3) increase the use of encryption, and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

We reported in September on the NSA's uneasy relationship with encryption researchers, detailing how the agency has helped improve the encryption standards that secure Internet communications while in other cases undermining them. Government officials have routinely joined security researchers at technology conferences—this year, they were asked to stay away from DefCon, one of those annual events.

While the White House isn't obligated to accept the advisory panel's recommendations, doing so could end any current or future efforts to insert backdoors into encryption standards. Security experts, including Bruce Schneier, have warned that the NSA's work has undermined the security of the Internet.



In this photograph, (A) is a Lenovo ThinkPad T61 target, (B) is a Brüel&Kjær 4190 microphone capsule mounted on a Brüel&Kjær 2669 preamplifier held by a flexible arm, (C) is a Brüel&Kjær 5935 microphone power supply and amplifier, (D) is a National Instruments MyDAQ device with a 10 kHz RC low-pass filter cascaded with a 150 kHz RC high-pass filter on its A2D input, and (E) is a laptop computer performing the attack. Full key extraction is possible in this configuration, from a distance of 1 meter.

Computer scientists have devised an attack that reliably extracts secret cryptographic keys by capturing the high-pitched sounds coming from a computer while it displays an encrypted message.

The technique, outlined in a research paper published Wednesday, has already been shown to successfully recover a 4096-bit RSA key used to decrypt e-mails by GNU Privacy Guard, a popular open source implementation of the OpenPGP standard. Publication of the new attack was coordinated with the release of a GnuPG update rated as "important" that contains countermeasures for preventing the attack. But the scientists warned that a variety of other applications are also susceptible to the same acoustic cryptanalysis attack. In many cases, the sound leaking the keys can be captured by a standard smartphone positioned close to a targeted computer as it decrypts an e-mail known to the attackers.

"We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer within an hour by analyzing the sound generated by the computer during decryption of chosen ciphertexts," the researchers wrote. "We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer and using a sensitive microphone from a distance of four meters [a little more than 13 feet]."



LinuxSecurity.com: GnuPG could expose sensitive information when performing decryption.
LinuxSecurity.com: Bryan Quigley discovered an integer underflow in Pixman which could lead to denial of service or the execution of arbitrary code. For the oldstable distribution (squeeze), this problem has been fixed in [More...]
LinuxSecurity.com: Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code. For the oldstable distribution (squeeze), this problem has been fixed in [More...]
LinuxSecurity.com: Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts. [More...]
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in gimp: Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via [More...]
LinuxSecurity.com: Updated gimp package fixes security vulnerabilities: An integer overflow flaw and a heap-based buffer overflow were found in the way GIMP loaded certain X Window System (XWD) image dump files. A remote attacker could provide a specially crafted XWD image file that, [More...]
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
LinuxSecurity.com: Updated links package fixes security vulnerability: Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode (CVE-2013-6050). [More...]
LinuxSecurity.com: Updated mediawiki packages fix security vulnerabilities: Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). [More...]
LinuxSecurity.com: Updated owncloud package fixes security vulnerability: Possible security bypass on admin page under certain circumstances and MariaDB (CVE-2013-6403). [More...]
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in the Linux kernel: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace [More...]
LinuxSecurity.com: An integer overflow in libsndfile might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.
A U.S. National Security Agency surveillance review board report, to be released Wednesday, will recommend major changes in the way the agency tracks terrorism suspects, according to news reports.
Microsoft today reminded customers that the Windows 8.1 Preview will conk out on Jan. 15.
IBM FileNet Business Process Framework XML Entity Parsing Information Disclosure Vulnerability
Microsoft's support for Windows XP ends in less than four months, and the company has warned users repeatedly that it's time to move on. But a lot of them are sticking with the aged OS. And for Microsoft, that's a problem.

It's true that the Tor anonymity service helps people cover their tracks on the Internet. But when it's not used carefully, it can be the very thing that tips off the people the user wants to evade, as was demonstrated in a federal investigation earlier this week.

According to federal prosecutors, Tor played a key role in helping FBI agents identify a Harvard student suspected of e-mailing a hoax bomb threat to university officials so he wouldn't have to take a final exam. To conceal his Harvard IP address, he used Tor, but in a fatal mistake, he also used the school's Wi-Fi network to connect to the anonymity service. Investigators, according to a criminal complaint, took a hard look at everyone who used Tor at the time the threats were sent and ultimately fingered 20-year-old Eldo Kim of Cambridge, Massachusetts as the perpetrator.

"This is one of the problems of using a rare security tool," security analyst Bruce Schneier observed in a blog post published Wednesday. "The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess."



[SECURITY] [DSA 2821-1] gnupg security update
[ MDVSA-2013:294 ] gimp
[SECURITY] [DSA 2823-1] pixman security update
[SECURITY] [DSA 2822-1] xorg-server security update

[announcement] Infosec information security competition
The Infosec CTF information security competition will be held from December 20 to 23, 2013. The organizer is the company «Информзащита», with Check Point Software Technologies as technical partner. The winner ...
«Информзащита» invites participation in Infosec CTF (DailyComm.ru)

[ MDVSA-2013:290 ] mediawiki
[ MDVSA-2013:292 ] links
[ MDVSA-2013:291 ] kernel
[ MDVSA-2013:289 ] owncloud
A design concept being floated by dataSTICKIES uses wafer-thin graphene USB thumb drives that you can write on, peel off and stick anywhere for real on-the-go capacity.
Norwegian browser company Opera Software is developing an app designed to decrease Android data consumption.

It's been two years since Nadim Kobeissi unleashed his user-friendly, feline-themed chat software, Cryptocat. At the time, Kobeissi felt that there wasn't exactly a great deal of enthusiasm for his program. "Two years ago not a lot of people cared," he comments. But times have changed. "Now a lot of people care."

Kobeissi's challenge to make encrypted online messaging user-friendly has long been a bugbear of the crypto community. A paper, written in 1999, demonstrated that the encryption program PGP completely baffled most users in a series of tests. The study, now 14 years old, is still frequently cited today as a long-unanswered call to arms.

And even though the level of security offered by PGP is slowly becoming more accessible, thanks to initiatives like the Enigmail Project, for most people it's still too esoteric and finicky. The challenges for making encryption more user-friendly are often referred to as UX headaches, which many view as being more or less insurmountable. Indeed, those who publicly advocate better interfaces for encryption feel that they represent a small minority within the wider crypto community.


Geographic breakdown of machines infected by DGA.Changer

Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.

Israel-based Seculert said about 6,500 computers are infected by DGA.Changer, a malware title whose sole job is to surreptitiously download other malware onto compromised systems. One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts. Like previous trojans equipped with domain-generation algorithms, DGA.Changer is able to make on-the-fly changes to the command-and-control (C2) domain names that infected machines contact to send data and receive instructions. That stymies takedown campaigns that simply take control of the C2 domain names. DGA.Changer takes this evasive move one step further by allowing operators to change the algorithm "seed" that generates a specific set of pseudo-random domains.

"As a result, they're extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change—which no longer resolve to the C2 server," Seculert researcher and CTO Aviv Raff wrote in a blog post published Wednesday. Researchers typically use Cuckoo Sandbox and similar automated malware analysis systems to run recently discovered malware samples in a controlled environment. If the DGA.Changer seeds in the sandboxes don't match those of versions running in the wild, researchers can't continue to monitor communications sent to the C2 servers.



[CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms
X.Org X Server CVE-2013-6424 Local Denial of Service Vulnerability
[ MDVSA-2013:291 ] kernel
[CVE-2013-2627, CVE-2013-2628, CVE-2013-2629] Leed (Light Feed) - Multiple vulnerabilities
[CVE-2013-2764] Secure Entry Server - URL Redirection
Pixman CVE-2013-6425 Remote Denial of Service Vulnerability
Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska).
CORE-2013-0903 - RealPlayer Heap-based Buffer Overflow Vulnerability
The ascent this year of Bitcoin, a virtual currency forged through hardcore mathematics and buoyed by promises of financial liberation from banks, has been nothing short of mesmerizing.
Tube Map Live Underground for Android Information Disclosure Vulnerability
Linux Kernel '/bcm/Bcmchar.c' CVE-2013-4515 Local Information Disclosure Vulnerability
InfoSec Southwest 2014 CFP now open!
[ MDVSA-2013:288 ] subversion
[ MDVSA-2013:287-1 ] drupal

My 5 Wishes For Security In 2014
Year-end security predictions are really hard for InfoSec practitioners, in no small part because so many security matters linger for years without improvement or resolution. I've chosen five issues that have long legs (think "wine"). Here's my wish ...

Most companies understand the risks associated with disaster recovery and business continuity and plan accordingly. Few can say the same thing about the software they own -- or don't own, as the case may be. That's where software asset management and software license management tools can make a difference.
Apple's radically redesigned Mac Pro workstation will go on sale Thursday, the Cupertino, Calif. company announced today.
Linux Kernel '/drivers/scsi/aacraid/commctrl.c' Pointer Dereference Denial of Service Vulnerability
Linux Kernel AACRAID Driver Compat IOCTL Local Security Bypass Vulnerability
Linux Kernel 'perf_trace_event_perm()' Function Local Security Bypass Vulnerability
Linux Kernel 'drivers/staging/wlags49_h2/wl_priv.c' Local Buffer Overflow Vulnerability
Linux Kernel 'exitcode_proc_write()' Function Local Buffer Overflow Vulnerability
Four out of five iPhone users have enabled a feature that allows them to locate, lock and wipe their phones if they are lost or stolen, according to the results of a survey by the San Francisco district attorney's office.
LG Electronics is planning to unveil its first product built around the Google Chrome operating system at the International CES show in Las Vegas next month.
Tech companies like Intel and Google are offering courses in meditation to help their workers handle stress, become more innovative and find work/life balance.
Fortinet, one of the biggest computer security vendors, is suing rival Sophos alleging it poached senior staff in breach of an agreement signed when a Fortinet executive jumped ship to Sophos earlier this year.
Ebay's PayPal division said on Tuesday it is acquiring StackMob, a company specializing in development tools for building mobile applications.
Qualcomm and Nvidia get most of the headlines in the mobile chip business, but two Chinese vendors are cornering the market for processors used in low-cost tablets, and in 2014 they might find their way into a product near you.
More than two decades ago, neural networks were widely seen as the next generation of computing, one that would finally allow computers to think for themselves.
Mediawiki CSS Tags CVE-2013-4568 HTML Injection Vulnerability
Mediawiki Caching Session Cookies Information Disclosure Vulnerability
Mediawiki CSS Tags CVE-2013-4567 HTML Injection Vulnerability
After guiding Hewlett-Packard through one crisis after another, CEO Meg Whitman is now earning more than $1 in annual salary.
ClamAV Multiple Memory Corruption Vulnerabilities

Posted by InfoSec News on Dec 18


Contact: Annie Touchette
Polytechnique Montréal

Montreal, December 16, 2013 - Installing computer security software,
updating applications regularly and making sure not to open emails from
unknown senders are just a few examples of ways to reduce the risk of
infection by malicious software, or "malware". However, even the...

Posted by InfoSec News on Dec 18


The Denver Channel

DENVER - The state is warning 18,800 former and current state workers to
watch out for identity theft because a USB drive containing their private
information is missing.

The thumb drive was lost when a state employee was transporting the USB
drive between work locations, the...

Posted by InfoSec News on Dec 18


Analysis Intelligence
December 16, 2013

The past two weeks have witnessed a series of cyber attacks against
several national oil outlets. The oil industry in Angola, Kenya, and
Mexico have all been targeted by website defacements in these past few
weeks. The names of OpAngola, OpGreenRights, and OpPemex were attached to
each, respectively. A timeline...

Posted by InfoSec News on Dec 18


By Joey Garrison and Chas Sisk
The Tennessean
Dec. 16, 2013

A state employee who resigned last week told investigators that he
downloaded data on 6,300 Nashville teachers so he could work from home,
despite having been warned to keep his computer secure.

Steven T. Hunter, a 24-year-old former information technology worker for

Posted by InfoSec News on Dec 18


By Robert Lemos
Dark Reading
November 30, 2013

For decades, opportunistic attackers have scanned the Internet for open
ports through which they can compromise vulnerable applications.

Such scanning has only gotten easier: The Shodan search engine regularly
scans the Internet and stores the results for anyone to search;
researchers from the University of...
Juvia Ruby on Rails 'secret_token.rb' Default Secret Key Security Bypass Vulnerability
CPAN 'Proc::Daemon' Module Insecure File Permissions Vulnerability
JBoss Portal CVE-2013-4424 Multiple Cross Site Scripting Vulnerabilities
Deadwood IP Spoofing Vulnerability
Internet Storm Center Infocon Status