Oxwall Forum v1.8.1 - Persistent Cross Site Scripting Vulnerability
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Libxml2 'parser.c' Denial of Service Vulnerability
Libxml2 'xmlGROW()' Function Denial of Service Vulnerability


A key justification for last week's court order compelling Apple to provide software the FBI can use to crack an iPhone belonging to one of the San Bernardino shooters is that there's no other way for government investigators to extract potentially crucial evidence from the device.

Technically speaking, there are ways for people to physically pry the data out of the seized iPhone, but the cost and expertise required and the failure rate are so great that the techniques aren't practical.

In an article published Sunday, ABC News lays out two of the best-known techniques. The first one is known as decapping. It involves removing the phone’s memory chip and dissecting some of its innards so investigators can read data stored in its circuitry.




Carbon nanotubes are small and can be semiconducting, which makes lots of people excited about using them as a replacement for features etched in silicon. But there are two big problems: the reactions that produce them create a random mix of metallic and semiconducting nanotubes, and it's really difficult to get them to go precisely where you need them to in order to properly wire up a processor.

Now, a joint IBM-academic team has used those difficulties to their advantage. They've developed a process in which nanotubes are used to randomly wire up part of a chip that's then used to generate cryptographic information, providing an inherently secure on-chip facility for hardware-based encryption.

Most digital cryptography depends on the ability to generate a unique series of bits that acts as a key. Hardware-based cryptography generally relies on a key that's permanently wired into the chip itself. While effective, different techniques for storing the keys have various vulnerabilities, from being subject to external snooping to producing different results when the environmental conditions are changed.


Google Chrome Prior to 48.0.2564.109 Multiple Security Vulnerabilities
Honeyd CVE-2006-4292 ARP Packet Processing Denial of Service Vulnerability
RETIRED: Network Time Protocol CVE-2014-9298 Authentication Bypass Vulnerability
PhpCOIN Multiple Remote File Include Vulnerabilities


Linux Mint forum users, and anyone who downloaded and installed a copy of the 17.3 Cinnamon edition on Saturday, have probably been compromised by hackers and need to take action immediately, the distro's creator has warned.

Clem Lefebvre confirmed in a blog post that the "intrusion" had taken place over the weekend. He said: "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it."

He added that the resultant malware infection had only affected ISOs downloaded from the Linux Mint site on Saturday, February 20. "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition," Lefebvre said. However, by Sunday it was a different story, with Linux Mint confirming that its forums database had also been targeted in the hack of its systems.


[SYSS-2015-063] OpenCms - Cross Site Scripting
Ubiquiti Networks Bug Bounty #9 - Invoice Persistent Vulnerabilities
[SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure
[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
InstantCoder v1.0 iOS - Multiple Web Vulnerabilities
[SECURITY] CVE-2015-5346 Apache Tomcat Session fixation
[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass
[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass

The number of daily attacks is so important that we can't rely on a single solution to protect us. In a previous diary, I spoke about how Unity Makes Strength (link). The idea behind this concept is to collect useful information from one side and re-inject it into another side. This increases the chances to detect/block interesting activity. On paper, this solution looks nice, but it can also introduce false positives that can have a disastrous impact. These false positives can be

The project described in my previous diary has been completed: the integration of FireEye and Palo Alto Networks firewalls. URLs flagged by the FireEye appliances are smoothly injected into the firewall configurations, great! But we also detected that some pieces of malware are using well-known URLs. The best example we faced was a ping to www.oracle.com. You can imagine the impact for developers or DBAs who could not access Oracle's website because it was detected as malicious and blocked in the firewall. It could be easy for an attacker to write some code which will ping

To decrease the risk of such false positives, why not use other types of open data and add extra checks? Alexa is a company providing analytics tools for websites. Amongst different types of subscriptions, they provide for free a list of top-ranked websites updated daily (available here).

The lookup definition:

    [alexa_5000]
    filename = top-5000.csv
    case_sensitive_match = false
    match_type = WILDCARD(domain)

Example with Squid proxy logs:

    sourcetype=squid | top uri_host | lookup alexa_5000 domain as uri_host

And now you can use the following:

    index=malwares eventtype=fe (category=infection-match OR category=malware-object) cs6=* | rex field=cs6 "Host:\s(?<reURL>.*?)::" | dedup reURL | lookup alexa_5000 domain as reURL OUTPUTNEW | table reURL

This query generates a table of URLs that are _not_ present in the top-5000 Alexa file. Now you can use this output in alerts, scripts, etc.
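The same whitelist check outside Splunk, as an added example that is not part of the diary: it applies the diary's Host: ... :: extraction to constructed FireEye-style cs6 values, de-duplicates them, and keeps only hosts that are neither a listed Alexa domain nor a subdomain of one (a suffix match standing in for the WILDCARD(domain) intent; the CSV sample and cs6 strings are constructed, not real data).

```python
import csv
import io
import re

# Constructed sample of an Alexa-style "rank,domain" top list (not the real file).
ALEXA_CSV = """1,google.com
2,facebook.com
3,oracle.com
4,wikipedia.org
"""

# Constructed FireEye-style cs6 values; real ones carry more header pairs.
CS6_SAMPLES = [
    "Host: www.oracle.com::User-Agent: Mozilla/5.0",
    "Host: UPDATE.EVIL-EXAMPLE.TEST::Connection: close",
    "Host: docs.oracle.com::Accept: */*",
    "Host: cdn.wikipedia.org.evil-example.test::Accept: */*",
    "no host header here",
]

HOST_RE = re.compile(r"Host:\s(?P<reURL>.*?)::")  # mirrors the diary's rex


def load_top_domains(csv_text: str) -> set:
    """Return the lower-cased domain column of a rank,domain CSV."""
    reader = csv.reader(io.StringIO(csv_text))
    return {row[1].strip().lower() for row in reader if len(row) >= 2}


def extract_hosts(samples) -> list:
    """Apply the Host: ... :: extraction and drop duplicates (like dedup reURL)."""
    seen, hosts = set(), []
    for s in samples:
        m = HOST_RE.search(s)
        if m and m.group("reURL") not in seen:
            seen.add(m.group("reURL"))
            hosts.append(m.group("reURL"))
    return hosts


def wildcard_match(host: str, domains: set) -> bool:
    """Case-insensitive match: host equals a listed domain or is a subdomain of it.
    A suffix check, not substring search, so evil.test hosts embedding a popular
    name in a label (cdn.wikipedia.org.evil-example.test) are not whitelisted."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def hosts_not_in_top_list(samples, csv_text) -> list:
    """Hosts flagged by the appliance that the top list does not vouch for."""
    domains = load_top_domains(csv_text)
    return [h for h in extract_hosts(samples) if not wildcard_match(h, domains)]
```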

Xavier Mertens
ISC Handler - Freelance Security Consultant

[security bulletin] HPSBHF03544 rev.1 - HPE iMC PLAT and other HP and H3C products using Comware 7 and cURL, Remote Unauthorized Access
[SECURITY] [DSA 3485-1] didiwiki security update
[SECURITY] [DSA 3486-1] chromium-browser security update