Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
As the dust settles on a new European Parliament, digital rights and IT lobbyists try to work out what it will mean for the tech industry.
 
Pimcore 'Pimcore_Tool_Newsletter::getObjectByToken()' PHP Object Injection Vulnerability
 

Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi connection or other unsecured network: It's trivial for the script kiddie a few tables down to hijack your site even if it's protected by two-factor authentication.

Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices. The cookie, which carries the tag "wordpress_logged_in," is set once an end user has entered a valid WordPress user name and password. It's the website equivalent of the plastic bracelets used by nightclubs. Once a browser presents the cookie, WordPress servers will usher the user behind a velvet rope to highly privileged sections that reveal private messages, update some user settings, publish blog posts, and more. The decision by WordPress engineers to allow the cookie to be transmitted unencrypted makes it susceptible to interception in many cases.

Zhu snagged a cookie for her own account the same way a malicious hacker might and then pasted it into a fresh browser profile. When she visited WordPress she was immediately logged in—without having to enter her credentials and even though she had enabled two-factor authentication. She was then able to publish blog posts, read private posts and blog stats, and post comments that were attributed to her account. As if that wasn't enough, she was able to use the cookie to change the e-mail address assigned to the account and, if two-factor authentication wasn't already in place, set up the feature. That means a hacker exploiting the vulnerability could lock out a vulnerable user. When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker. Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then. Zhu blogged about the vulnerability late Thursday.
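A defender-side check for the class of problem the article describes, written here as an added example (it is not part of the article and not WordPress's own code): it parses the Set-Cookie lines a server returned and flags login cookies that lack the Secure attribute (so a browser would also send them over plain HTTP, where they can be read on an untrusted network), that lack HttpOnly, or whose lifetime is unusually long. Only the "wordpress_logged_in" name comes from the article; the other cookie-name prefixes, the sample headers and the 30-day lifetime threshold are constructed assumptions.

```python
"""Audit Set-Cookie headers for login cookies that are missing the Secure flag.

Added example, not from the article or from WordPress. The sample headers and
the non-WordPress prefixes below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lower-cased name prefixes that mark a cookie as a login/session token.
# "wordpress_logged_in" is the cookie named in the article; the rest are
# constructed examples of common session-cookie names.
SESSION_PREFIXES = ("wordpress_logged_in", "wordpress_sec", "phpsessid", "session")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    max_age_days: Optional[float]


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the attributes the audit needs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as "Secure" have no value; keys are case-insensitive.
        attrs[key.strip().lower()] = val.strip()
    max_age = attrs.get("max-age")
    return CookieAudit(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
        max_age_days=int(max_age) / 86400 if max_age else None,
    )


def is_session_cookie(name: str) -> bool:
    return name.lower().startswith(SESSION_PREFIXES)


def audit(headers: List[str], max_lifetime_days: float = 30) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every session cookie with a weakness."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie.name):
            continue  # preference cookies and the like are out of scope
        problems = []
        if not cookie.secure:
            problems.append("missing Secure: browser will also send it over plain HTTP")
        if not cookie.httponly:
            problems.append("missing HttpOnly: readable by page script")
        if cookie.max_age_days is not None and cookie.max_age_days > max_lifetime_days:
            problems.append(
                f"lifetime {cookie.max_age_days:.0f} days exceeds {max_lifetime_days}"
            )
        if problems:
            report[cookie.name] = problems
    return report


# Constructed sample response headers: the first mimics a login cookie set
# without Secure and with a three-year lifetime (94608000 s); the second is
# the hardened form; the third is not a session cookie at all.
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc123=alice%7Cexampletoken; Path=/; Max-Age=94608000",
    "wordpress_sec_abc123=alice%7Cexampletoken; Path=/wp-admin; Secure; HttpOnly",
    "wp-settings-time-1=1400000000; Path=/; Max-Age=94608000",
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HEADERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed headers, the audit reports only the first cookie, with all three findings; the hardened `wordpress_sec` cookie and the preference cookie produce nothing. In practice you would feed it the Set-Cookie lines from the login response of the site you operate, and fix any finding by serving the site over HTTPS and setting the Secure and HttpOnly attributes on the login cookie.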


 
A new computer Trojan that targets users of 450 financial institutions from around the world appears to borrow functionality and features directly from the notorious Zeus and Carberp malware programs.
 

The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) has announced two publications over the past two weeks, one updated and one a new initial draft, that are fairly significant to most of us in the security field. The NIST ITL group's charge is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology”.

NIST ITL has published an online database of controls for NIST 800-53 rev. 4 “Recommended Security Controls for Federal Information Systems and Organizations”. This will enable organizations to quickly search and download the catalog of security controls and procedures defined in this publication. The link above contains additional information, as well as a link to the files available for download for both revisions 3 and 4 of NIST 800-53.

The second release is an initial publication of NIST 800-160 “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems”. This document is an excellent source of information for all security professionals, whether in the role of a Security Engineer as a full-time position, or an Operations Analyst who is part of a ‘one stop shop’ for delivery and operations of security systems. The document does a good job of explaining how security integrates into the planning, design, and delivery of systems, and how our efforts integrate with the overall systems engineering program. I hope to have some time for a more comprehensive summary in the coming weeks as this is one of the most useful publications I’ve seen come out of NIST in a number of years.

tony d0t carothers --gmail

 
Zabbix CVE-2014-1685 Security Bypass Vulnerability
 
WordPress TinyMCE Color Picker Plugin Unspecified Security Vulnerability
 
VUPEN Security Research - Adobe Acrobat & Reader XI-X Barcode Heap Overflow (Pwn2Own)
 
U.S. prosecutors say a hacking group's mastermind should be spared a long prison sentence due to his quick and fruitful cooperation with law enforcement.
 
Following up on a jury verdict, Apple has asked a court in California to order Samsung Electronics to stop using features that were found to infringe three of its patents.
 
As the Internet of Things evolves, will it free up human potential? Will everyone benefit -- or just a few? And how will it change the way people use technology? A conference in July hopes to find some answers.
 
[security bulletin] HPSBUX02960 SSRT101419 rev.3 - HP-UX Running NTP, Remote Denial of Service (DoS)
 
[security bulletin] HPSBMU03009 rev.3 - HP CloudSystem Foundation and HP CloudSystem Enterprise Software running OpenSSL, Remote Disclosure of Information
 
Fish-shell 'psub' Function Insecure Temporary File Creation Vulnerability
 
Internet Storm Center Infocon Status