(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Electronic Frontier Foundation, Mozilla, Cisco, Akamai, and other organizations have teamed up to create the infrastructure and tools necessary to help websites offer more secure and private browsing to their visitors.

The group plans to establish a non-profit organization, Let’s Encrypt, that will freely offer digital certificates and open-source tools for configuring and offering the secure Web functionality known as Secure HTTP (HTTPS). While offering free digital certificates is certainly enticing, creating the tools to easily manage the certificate process and set up Web servers to properly handle HTTPS is the most important part of the effort, Peter Eckersley, technology projects director for the EFF, told Ars.

“The unfortunate truth is that there are a lot of obscure and head-spinning technical details that need to be gotten right for a top-notch HTTPS deployment,” he said. “With Let’s Encrypt, we are going to automate as much of that as we possibly can.”


Microsoft Windows Kerberos Checksum CVE-2014-6324 Remote Privilege Escalation Vulnerability
The "Security ID" and "Account Name" fields in this event log don't match even though they should. The bug allowed the user account "nonadmin" to elevate privileges to "TESTLAB\Administrator."

Microsoft has released an unscheduled update to patch a critical security hole that is being actively exploited to hack Windows-based servers.

A flaw in the Windows implementation of the Kerberos authentication protocol allows attackers with credentials for low-level accounts to remotely hijack extremely sensitive Windows domain controllers that allocate privileges on large corporate or government networks. The privilege elevation bug is already being exploited in highly targeted attacks and gives hackers extraordinary control over vulnerable networks.

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," Microsoft engineer Joe Bialek wrote in a blog post accompanying Thursday's patch. "An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately."
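The mismatch in the caption above is the one artifact Microsoft pointed to for spotting a forged ticket after the fact: a 4624 logon event whose Security ID resolves to one account (here the built-in Administrator, RID 500) while the Account Name field shows another (here nonadmin). The script below is an added example, not code from the page or from Microsoft; it runs that check over a handful of constructed, flattened 4624 records. The DIRECTORY mapping is a hypothetical stand-in for SID resolution against the domain (the event viewer does that resolution for you), and the Key=Value field names are assumed for the flattened format.

```python
import re
from collections import namedtuple

# Constructed sample of Windows Security log 4624 (logon) records, flattened
# to one line each for this example. They are not logs from the page.
SAMPLE_EVENTS = [
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=nonadmin AccountDomain=TESTLAB LogonType=3",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=nonadmin AccountDomain=TESTLAB LogonType=3",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=Administrator AccountDomain=TESTLAB LogonType=3",
    "EventID=4672 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=Administrator AccountDomain=TESTLAB",
]

# Hypothetical directory snapshot standing in for SID-to-name resolution
# against the domain (constructed; replace with a real lookup in practice).
DIRECTORY = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "nonadmin",
    "S-1-5-21-1111111111-2222222222-3333333333-1106": "jdoe",
}

Finding = namedtuple("Finding", "sid resolved account reason line")

_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a flattened 'Key=Value' record into a dict."""
    return dict(_FIELD_RE.findall(line))


def check_logon(line, directory=DIRECTORY):
    """Return a Finding if a 4624 record's SID does not resolve to its Account Name."""
    ev = parse_event(line)
    if ev.get("EventID") != "4624":
        return None                      # only logon events carry the pair we compare
    sid = ev.get("SecurityID", "")
    account = ev.get("AccountName", "")
    resolved = directory.get(sid)
    if resolved is None:
        return Finding(sid, None, account, "SID not found in directory", line)
    if resolved.lower() != account.lower():
        reason = "Security ID resolves to %s but Account Name is %s" % (resolved, account)
        if sid.endswith("-500"):
            reason += " (RID 500 = built-in Administrator)"
        return Finding(sid, resolved, account, reason, line)
    return None


def scan(lines, directory=DIRECTORY):
    """Run check_logon over every record and collect the mismatches."""
    return [f for f in (check_logon(l, directory) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.reason)
```

A hit means the ticket's PAC claimed an identity the KDC never authenticated, which is exactly what the forged checksum allowed. A clean pass proves nothing: an attacker who already holds domain admin can clear or avoid these logs, and, per the Microsoft quote above, anything done with that access persists after the patch.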



In a coup for privacy advocates, strong end-to-end encryption is coming to Whatsapp, a cross-platform instant messaging app with more than 500 million installations on the Android platform alone.

Until now, most popular messaging apps for smartphones have offered woefully inadequate protections against eavesdropping. Whatsapp, which Facebook recently acquired for $19 billion, has itself been criticized for a series of crypto blunders only spooks in the National Security Agency would love. Most other mobile apps haven't done much better, as a recent scorecard of 39 apps compiled by the Electronic Frontier Foundation attests. Many fail to implement perfect forward secrecy, which uses a different key for each message or session to ensure that an adversary who intercepts a key can't use it to decrypt old messages. The notable exception among popular messaging apps is Apple's iMessage, but it's not available for Android handsets.
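The property described in the paragraph above can be shown with a few lines of key derivation. The block below is an added illustration, not the TextSecure protocol and not WhatsApp's code: a symmetric hash ratchet in which every message key is derived from a chain key that is then replaced by a one-way function of itself. The labels, the fixed ROOT_KEY and the class name are assumptions made for this example. An attacker who dumps the chain state after message 2 can compute message keys 3 onward but neither key 1 nor key 2, which is the forward secrecy the paragraph describes.

```python
import hashlib
import hmac

# Fixed root key, constructed so this example runs deterministically.
# A real deployment derives it from a key agreement, never from a constant.
ROOT_KEY = bytes(range(32))


def kdf(chain_key, label):
    """One-way step: HMAC-SHA256 of a label under the current chain key."""
    return hmac.new(chain_key, label, hashlib.sha256).digest()


class SymmetricRatchet:
    """Derives a fresh key per message from a hash chain and forgets the past.

    Each step replaces the chain key with a one-way function of itself, so a
    device compromise after step n exposes the chain from n onward only.
    """

    def __init__(self, root_key):
        self._chain_key = root_key
        self.sent = 0

    def next_message_key(self):
        message_key = kdf(self._chain_key, b"message")
        # Advance the chain and drop the old state; this is what makes
        # earlier message keys unrecoverable from the current state.
        self._chain_key = kdf(self._chain_key, b"chain")
        self.sent += 1
        return message_key

    def state(self):
        """What an attacker obtains by dumping the device right now."""
        return self._chain_key


def keys_derivable_from(chain_key, count):
    """Every message key an attacker holding `chain_key` can compute going forward."""
    keys = []
    for _ in range(count):
        keys.append(kdf(chain_key, b"message"))
        chain_key = kdf(chain_key, b"chain")
    return keys


def demo():
    """Compromise after message 2: past keys stay hidden, future keys do not."""
    alice = SymmetricRatchet(ROOT_KEY)
    k1 = alice.next_message_key()
    k2 = alice.next_message_key()
    stolen = alice.state()              # attacker dumps the device here
    k3 = alice.next_message_key()
    k4 = alice.next_message_key()
    reachable = keys_derivable_from(stolen, 10)
    return {
        "past_exposed": k1 in reachable or k2 in reachable,
        "future_exposed": k3 in reachable and k4 in reachable,
    }


if __name__ == "__main__":
    print(demo())
```

What this chain does not give is protection of future messages after a compromise: from the stolen state the attacker computes every later key. The real protocol layers a Diffie-Hellman ratchet on top so that fresh shared secrets are mixed in as messages flow, which is what limits that exposure.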

Enter Moxie Marlinspike, the highly regarded security researcher and principal developer of TextSecure, an SMS app for Android. Over the past three years, his team at Open Whisper Systems has developed an open encryption protocol for asynchronous messaging systems. That specification is now being incorporated into Whatsapp.


Adobe Flash Player and AIR CVE-2014-0574 Double Free Remote Code Execution Vulnerability
HP Storage Data Protector CVE-2014-2623 Unspecified Remote Code Execution Vulnerability
[ MDVSA-2014:214 ] dbus
[ MDVSA-2014:213 ] curl

Microsoft November out-of-cycle patch

Note: MS14-066 was also updated today to fix some of the issues previously discussed with the introduction of the additional TLS cipher suites. Folks running Server 2008 R2 and Server 2012 are urged to reinstall.

Update (2014-11-18 19:45 UTC) - After reading Microsoft

  • Critical: Anything that needs little to become "interesting"
  • Less Urgent
  • Best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


The National Institute of Standards and Technology (NIST) has published for public review draft recommendations to ensure the confidentiality of sensitive federal information residing on the computers of contractors and other nonfederal ...

Images posted of rows of federal police vehicles in a Missouri hotel garage got the employee who took them fired—and branded as a terrorist and traitor by the hotel's security chief.

Mark Paffrath, a Navy veteran who worked as a housekeeper for the Drury hotel chain, claims he was fired from his job on Saturday after posting photos and video on Facebook of dozens of vehicles from the Department of Homeland Security massed in a Missouri hotel garage. Paffrath told CNN that Drury’s head of security “called me a terrorist, saying that I dishonorably served my country for posting those pictures and videos on Facebook.”

The vehicles and a large number of people from Homeland Security’s Federal Protection Services arrived last week, apparently in preparation for the announcement of a grand jury decision on whether to charge police officer Darren Wilson in the death of teenager Michael Brown. They were parked at the hotel where Paffrath worked, a short drive from Ferguson in suburban St. Louis. Paffrath posted the video and images of rows of federal vehicles on Thursday, including one with the caption “Why are all these vehicles here, I wonder if it has anything to do with Ferguson? #Ferguson, #No justice, no peace."

Paffrath’s former employer would not comment on how the hotel learned of the posted images, some of which are still publicly viewable on Paffrath’s Facebook page. A Drury hotel spokesperson told CNN, “We do not publicly discuss confidential personnel matters. The safety and privacy of our guests and our team members has always been and will remain our top priority." The hotel management may have seen the photos as a violation of the privacy of guests.


Microsoft Internet Explorer CVE-2014-6342 Remote Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2014-6337 Remote Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2014-6340 Cross Domain Information Disclosure Vulnerability
Microsoft Internet Explorer CVE-2014-6346 Cross Domain Information Disclosure Vulnerability

Today, Microsoft will release MS14-068. This is one of the bulletins that was skipped in November's Patch Tuesday update.

The bulletin fixes a privilege escalation vulnerability and Microsoft rated it Critical.

It does, however, appear that Microsoft still has process issues with releasing updates. For example, the Monthly Bulletin Summary for November now only lists this one bulletin [1]. The bulletin page itself is still blank, but will likely be released around 1:30pm ET.

We will update/replace this diary once the full bulletin is released.

[1] https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx

Johannes B. Ullrich, Ph.D.

LinuxSecurity.com: mountall could mount certain filesystems with the wrong permissions.
LinuxSecurity.com: Updated bash Shift_JIS packages that fix one security issue are now available for Red Hat Enterprise Linux 5.9 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
Oracle Java SE CVE-2014-6527 Remote Security Vulnerability
Linux Kernel 'ttusbdecfe.c' Buffer Overflow Vulnerability
Microsoft XML Core Services CVE-2014-4118 Remote Code Execution Vulnerability
EMC RSA BSAFE-C Toolkits CVE-2014-4191 TLS Information Disclosure Vulnerability
EMC RSA BSAFE-C Toolkits CVE-2014-4192 Information Disclosure Vulnerability
Oracle Java SE CVE-2014-6558 Remote Security Vulnerability
CVE-2014-8769 tcpdump unreliable output using malformed AOVD payload
CVE-2014-8768 tcpdump denial of service in verbose mode using malformed Geonet payload
CVE-2014-8767 tcpdump denial of service in verbose mode using malformed OLSR payload
APPLE-SA-2014-11-17-3 Apple TV 7.0.2
APPLE-SA-2014-11-17-2 OS X Yosemite 10.10.1
[security bulletin] HPSBMU03183 rev.2 - HP Server Automation and Server Automation Virtual Appliance, running SSL, Remote Disclosure of Information
[security bulletin] HPSBMU03072 rev.3 - HP Data Protector, Remote Execution of Arbitrary Code