IBM Tealeaf Customer Experience CVE-2016-5976 Information Disclosure Vulnerability
IBM Tealeaf Customer Experience CVE-2016-5975 Cross Site Scripting Vulnerability


For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet.

The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here.

On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers.


OpenSSL CVE-2016-6306 Local Denial of Service Vulnerability
IBM Rational DOORS Next Generation CVE-2016-5955 Unspecified Cross Site Scripting Vulnerability
OpenSSL CVE-2016-6307 Denial of Service Vulnerability
OpenSSL CVE-2016-6308 Denial of Service Vulnerability

A photo of First Lady Michelle Obama's passport from a dump of the e-mail of White House contractor Ian Mellul. Mellul's password may have been in a 2013 Adobe user data breach.

On September 21, a dump of an e-mail account belonging to a White House contractor was posted to the "hacktivist" website DCleaks. This is the same site that already revealed e-mails from former Secretary of State Colin Powell, a Navy captain leading a weapons procurement program, and a public relations person who has done advance work for Hillary Clinton. The latest victim did advance work for travel by First Lady Michelle Obama and Vice President Joe Biden. Attributing the leak will be difficult because, as with previous "dumps" published on DCleaks, the compromised account's password information was widely available on the Internet from a previous data breach.

An unnamed US intelligence official was quoted by NBC News as calling the leak of contractor Ian Mellul's e-mails "the most damaging compromise of the security of the president of the United States that I've seen in decades"—one caused by the use of an outside personal e-mail account for government business. The e-mails included full scans Mellul had forwarded to himself from a White House e-mail account of passports, including Michelle Obama's. Mellul likely forwarded the e-mails to his Gmail account because he couldn't access White House mail offsite without a secure device.

Government sources have described DCleaks as being connected to Russian intelligence organizations. But just about anyone could have gotten into Ian Mellul's e-mail if he was using the same password for his Gmail account that was exposed in a 2013 breach of Adobe user data—just as Navy Captain Carl Pistole's was. The accounts of Powell and of Sarah Hamilton were both leaked as part of a 2012 breach of Dropbox's user data, according to data from HaveIBeenPwned.


IBM Tealeaf Customer Experience CVE-2016-5997 Security Bypass Vulnerability
QEMU 'xilinx_ethlite.c' Heap Based Buffer Overflow Vulnerability
IBM Rational Asset Analyzer CVE-2016-5967 Local Information Disclosure Vulnerability
Apache ActiveMQ Artemis CVE-2016-4978 Remote Code Execution Vulnerability
IBM Tealeaf Customer Experience CVE-2016-5996 Information Disclosure Vulnerability
IBM Tealeaf Customer Experience CVE-2016-5977 Open Redirect Vulnerability
IBM Tealeaf Customer Experience CVE-2016-5978 Cross Site Scripting Vulnerability
ESA-2016-097: RSA Identity Governance and Lifecycle Information Disclosure Vulnerability
IBM Security Guardium CVE-2016-0248 Man in the Middle Information Disclosure Vulnerability
ImageMagick Multiple Heap Overflow Vulnerabilities
ImageMagick 'viff.c' Heap Buffer Overflow Vulnerability
ImageMagick 'coders/sun.c' Heap Buffer Overflow Vulnerability
ImageMagick 'coders/pict.c' Heap Buffer Overflow Vulnerability
Geeklog IVYWE CVE-2016-4875 Multiple Cross Site Scripting Vulnerabilities
Recon Europe 2017 Call For Papers - January 27 - 29, 2017 - Brussels, Belgium
[SECURITY] [DSA 3674-1] firefox-esr security update
Internet Storm Center Infocon Status