Hackin9

Maintainers of the open-source PHP programming language have opened an investigation after security researchers discovered the php.net website was serving malicious code that attempted to surreptitiously install malware on visitors' computers.

The compromise was discovered Thursday morning by Google's safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits. Traces of the malicious JavaScript code served to some php.net visitors were captured and posted to Hacker News and, in the form of a pcap file, to a Barracuda Networks blog post. The attacks may have started as early as Tuesday, an official with Barracuda told IDG News.

Eventually, the entire site was moved to a new set of servers, PHP officials wrote in a brief statement. There's no evidence any of the code they maintain has been altered, they added. At time of writing, there was no indication of any further compromise.

WebCollab 'item' Parameter HTTP Response Splitting Vulnerability
 
NASA is pooling the power of three major space telescopes to unravel some of the biggest mysteries of the universe.
 
Twitter's Vine video sharing app and Instagram now share a useful feature: editing.
 
If just 10% of all vehicles in the U.S. were computer operated, the number of accidents would drop by 211,000 and as many as 1,100 lives would be saved, according to a new study.
 
Twitter plans to price its IPO shares between US$17 and $20 when it lists on the New York Stock Exchange, the company said Thursday in a filing.
 
Microsoft's revenue and earnings per share grew more than 15 percent each in its first fiscal quarter of 2014, during which enterprise server software products sold particularly well, the company said Thursday.
 
Cloudflare

Author Nick Sullivan worked for six years at Apple on many of its most important cryptography efforts before recently joining CloudFlare, where he is a systems engineer. He has a degree in mathematics from the University of Waterloo and a Masters in computer science with a concentration in cryptography from the University of Calgary. This post was originally written for the CloudFlare blog and has been lightly edited to appear on Ars.

As a reminder, elliptic curve cryptography is a set of algorithms for encrypting and decrypting data and exchanging cryptographic keys. Dual_EC_DRBG, the cryptographic standard suspected of containing a backdoor engineered by the National Security Agency, is a function that uses elliptic curve mathematics to generate a series of random-looking numbers from a seed. This primer comes two months after internationally recognized cryptographers called on peers around the world to adopt ECC to avert a possible "cryptopocalypse."

Elliptic curve cryptography (ECC) is one of the most powerful but least understood types of cryptography in wide use today. An increasing number of websites make extensive use of ECC to secure everything from customers' HTTPS connections to how they pass data between data centers. Fundamentally, it's important for end users to understand the technology behind any security system in order to trust it. To that end, we looked around to find a good, relatively easy-to-understand primer on ECC in order to share with our users. Finding none, we decided to write one ourselves. That is what follows.

Be warned: this is a complicated subject, and it's not possible to boil it down to a pithy blog post. In other words, settle in for a bit of an epic because there's a lot to cover. If you just want the gist, here's the TL;DR version: ECC is the next generation of public key cryptography, and based on currently understood mathematics, it provides a significantly more secure foundation than first-generation public key cryptography systems like RSA. If you're worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt. If you're interested in the details, read on.

Apple earlier this week cut the prices of its Retina MacBook Pro laptops by as much as 13%, a move one retail analyst said was driven in part by increased competition from higher-end Windows systems.
 
In a move to fight back against governments that try to block their citizens' Internet access, Google released tools to keep people around the world online.
 
OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability
 
IBM has licensed smartphone and tablet processor designs from ARM, which will be used in new communications and networking gear.
 
Being introverted doesn't have to slow your progress when it comes time to ramp up your career. In fact, introverts have many characteristics that help them succeed in the IT world. However, it's important you understand your characteristics and can control -- and even take advantage of -- them.
 
Oracle is rolling out a series of new features for its Eloqua marketing automation suite, hoping to get a leg up on rivals such as Salesforce.com and IBM in the red-hot software segment.
 
OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability
 
OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability
 
Microsoft has upgraded its Windows RT tablet: The new Surface 2 offers a well-built case, better performance, a great display and the same old operating system.
 
OS X Mavericks, the Mac operating system Apple offered Tuesday as a free upgrade, could end up on more than 90% of Macs, according to statistics from Web analytics firm Net Applications.
 
Despite a long-ago vow to retain its well-regarded simple and clean web design, Google has started testing banner ads on its search results pages.
 
Verizon announced the launch of its Converged Health Management service, which stores data from patient remote monitoring devices to be shared with clinicians.
 
The U.S. Department of Health and Human Services took too little time testing how the many components of the troubled HealthCare.gov worked together before rolling out the insurance marketplace, contractors involved in the project said Thursday.
 
RadioLinx ControlScape CVE-2013-2803 Predictable Random Number Generator Weakness
 
Re: RPS/APS vulnerability in snom/yealink and others
 
[WorldCIST'14]: World Conference on IST; Proceedings by Springer
 
[ISecAuditors Security Advisories] HTTP Response Splitting Vulnerability in WebCollab <= v3.30
 
This chart accompanies JR Raphael's blog The Chromebook buying guide: Which model should you get?
 
 
LinuxSecurity.com: An updated gnupg2 package that fixes three security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate...
 
LinuxSecurity.com: An updated gnupg package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate...
 
LinuxSecurity.com: An updated libgcrypt package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate...
 
German Chancellor Angela Merkel said Thursday that allegations that the United States' National Security Agency hacked her phone are relevant for every citizen who needs to trust digital communications.
 
ICANN has introduced the first new generic top-level domains (gTLDs) to the Internet's root zone, the central database for the Internet's Domain Name System, paving the way for possibly 1,400 new domain names from the current 22.
 
Germany's foreign minister has summoned the U.S. ambassador to Berlin to discuss allegations that the mobile phone of Chancellor Angela Merkel has been monitored by American intelligence services.
 
Taiwan has slapped Korean electronics giant Samsung with a fine for fabricating Internet forum posts that praised the company at the expense of rivals including its home-country handset competitor HTC.
 
LinuxSecurity.com: python-glanceclient could be made to expose sensitive information over the network.
 
LinuxSecurity.com: Cinder could be made to crash or expose sensitive information.
 
LinuxSecurity.com: Keystone would improperly grant access to invalid tokens under certain circumstances.
 
LinuxSecurity.com: Glance could be made to expose sensitive information over the network under certain circumstances.
 
LinuxSecurity.com: Nova could be made to crash if it received specially crafted network requests.
 
LinuxSecurity.com: Swift could cause the system to crash if it received specially crafted requests over the network.
 
Cisco Systems released software security updates Wednesday to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.
 
MantisBT 'account_sponsor_page.php' HTML Injection Vulnerability
 
At its event on Tuesday, Apple announced it was giving OS X Mavericks away for free to users of Snow Leopard and later. Why do you think Apple decided to do this?
 
The Irish High Court is going to review whether the Irish Data Protection Commissioner's refusal to investigate Facebook's involvement with the U.S. government surveillance program Prism was lawful.
 
A federal jury in Texas found that Apple had not infringed on a patent related to CDMA and HSPA communications technologies owned by patent-licensing firm Wi-LAN.
 
Yahoo has decided to shut down its office in Cairo, Egypt by the end of this year as the company tries to revitalize its business.
 
China's Alibaba Group is poised to invest more in U.S. tech companies with the start of a new investment group that the e-commerce giant is setting up in San Francisco.
 
Months after Apple apologized to consumers in China, Korean rival Samsung is doing the same after the country's state media criticized the vendor for failing to fix glitches in several of its phone models.
 
A 40-year-old NEC account manager has been charged with mail fraud for allegedly obtaining replacement networking parts from Cisco using bogus names, the U.S. Department of Justice said Wednesday.
 
Adobe has worked with Apple to sandbox Flash Player under Safari in Mac OS X, restricting the ability of attackers to exploit any vulnerabilities they might find in the browser plug-in.
 
Jive revamped the employee directory of its enterprise social-networking suite to make it easier for users to find colleagues whose expertise they can tap.
 
AT&T won't be matching T-Mobile's offer of free wireless data for the iPad Air when the device debuts at the company's stores across the U.S. next month.
 
Five years after the FBI launched its National Data Exchange data warehouse initiative, more than three quarters of law enforcement agencies still aren't sharing. Here's why.
 
Some localities are shying away from predicting who will commit a crime, even though the technology exists, in favor of when and where.
 
 

Posted by InfoSec News on Oct 24

http://www.smh.com.au/world/south-korean-cyber-command-raided-in-growing-scandal-20131023-2vzqg.html

By Choe Sang-Hun
smh.com.au
October 23, 2013

Seoul, South Korea: Military investigators raided South Korea's
Cyberwarfare Command on Tuesday after four of its officials were found to
have posted political messages online last year, in what opposition
lawmakers have called a smear campaign against President Park Geun-hye's
opponents...
 
Drupal Spaces Module Access Bypass Vulnerability
 

Posted by InfoSec News on Oct 24

http://www.theregister.co.uk/2013/10/23/hacker_loses_4th_amendment_rights_case/

By John Leyden
The Register
23rd October 2013

A US district court has ruled that anyone calling themselves a "hacker"
loses their Fourth Amendment protections against unreasonable searches and
property seizures.

The court in Idaho decided that a software developer’s computer could be
seized without him being notified primarily because his website...
 

Posted by InfoSec News on Oct 24

http://www.arlnow.com/2013/10/22/breaking-bank-at-tsas-pentagon-city-hq-robbed/

By ARLnow.com
October 22, 2013

Police are on the scene of a robbery at the Pentagon Federal Credit Union
branch in Pentagon City.

The PenFed branch is located on the ground floor of the Transportation
Security Administration headquarters at 701 12th Street S.

Two men entered the credit union around 1:20 p.m. and passed a backpack
and a note demanding cash to...
 

Posted by InfoSec News on Oct 24

http://www.informationweek.com/security/attacks/dept-of-energy-breach-bigger-than-we-rea/240162952

By Mathew J. Schwartz
InformationWeek
October 22, 2013

The Department of Energy has revised its count of the number of people
whose information was compromised in a July 2013 intrusion that resulted
in the theft of personal information.

"The department has now identified approximately 104,179 past and current
federal employees, including...
 

Posted by InfoSec News on Oct 24

http://www.tandlnews.com.au/2013/10/22/article/maritime-cyber-attacks-will-get-more-sophisticated/

By Charles Pauka
tandlnews.com.au
October 22, 2013

Cyber attacks on container ships and port infrastructure will get more
sophisticated as time goes on and companies should be doing more to
protect their supply chain security.

Maritime and IT security companies have raised their concerns after
hackers attacked the container terminal software...
 
RPS/APS vulnerability in snom/yealink and others
 