Hackin9

Unmasking hidden Tor service users is too easy, say infosec bods
The Register
Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.

 

It looks like North Korea's "hermit nation" status has paid off in at least one way: the US was unable to infect the systems controlling centrifuges for North Korea's nuclear program, even after using a variant of the Stuxnet virus designed specifically for Korean systems. According to an exclusive report by Reuters, the National Security Agency led an effort in parallel to the one that went after Iran's nuclear program, but the agency failed to get its malware into North Korea's nuclear labs because they were so isolated—both in a geographic and communications sense.

Reuters' Joseph Menn cites an unnamed US intelligence official as saying the same team that developed Stuxnet—which was reportedly a joint US-Israeli development effort called "Olympic Games"—also developed a similar set of malware that would activate itself only when it encountered Korean language settings on the computers it infected.

Like Iran, North Korea used centrifuges obtained from the Pakistani scientist A.Q. Khan, who led his own country's nuclear weapons effort. The P-2 centrifuges used by Iran were controlled by supervisory control and data acquisition (SCADA) systems from Siemens, with control software running on the Windows operating system. It was believed that North Korea used similar software because of the similarity between the two research efforts, so the Stuxnet malware could in theory be used with minor modifications.


 

Blockchain, one of the Internet's most widely used Bitcoin wallets, has rushed out an update for its Android app after discovering critical cryptographic and programming flaws that can cause users to send digital coins to the wrong people with no warning.

The vulnerabilities affect a subset of people who run Blockchain for Android on versions 4.1 or older of the mobile OS, according to an advisory published Thursday. The most serious of the flaws is the use of unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.

"To our knowledge, this bug resulted in one specific address being generated multiple times, leading to a loss of funds for a handful of users," Thursday's advisory stated.
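The failure mode above, as an added illustration that is not code from the Blockchain app or the advisory: a client that treats whatever bytes the HTTP response carries as entropy collapses to a single key once the server answers with a fixed 301 page, while a client that checks the status and mixes remote bytes with the OS CSPRNG does not. The response body, the `fetch_*` helpers and the SHA-256 "key derivation" are constructed stand-ins, not the app's real code path.

```python
import hashlib
import os

# Constructed stand-in for what a plain-HTTP client received from random.org
# after it began enforcing HTTPS: a redirect status and a short, fixed HTML body.
REDIRECT_STATUS = 301
REDIRECT_BODY = b"<html><body>301 Moved Permanently</body></html>"  # constructed


def derive_key_vulnerable(status, body):
    """Vulnerable pattern: the response body is used as the sole entropy source
    without checking the status code, so every client gets the same key."""
    return hashlib.sha256(body).digest()  # hypothetical derivation, not the app's


def derive_key_hardened(status, body):
    """Hardened pattern: reject non-200 responses and never let remote bytes be
    the only entropy; the OS CSPRNG is always mixed in, so a bad or hostile
    response cannot shrink the key space."""
    remote = body if status == 200 else b""
    local = os.urandom(32)
    return hashlib.sha256(local + remote).digest()


def distinct_keys(n_users, derive, status=REDIRECT_STATUS, body=REDIRECT_BODY):
    """Simulate n_users independent installs all seeing the same response and
    count how many distinct private keys they end up with."""
    return len({derive(status, body) for _ in range(n_users)})


if __name__ == "__main__":
    # Expect 1 for the vulnerable flow (the bug in the advisory) and
    # n_users for the hardened flow.
    print("vulnerable:", distinct_keys(5, derive_key_vulnerable))
    print("hardened:  ", distinct_keys(5, derive_key_hardened))
```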


 
[security bulletin] HPSBMU03223 rev.1 - HP Insight Control server provisioning running SSLv3, Remote Denial of Service (DoS), Disclosure of Information
 
[security bulletin] HPSBMU03261 rev.2 - HP Systems Insight Manager running OpenSSL on Linux and Windows, Remote Disclosure of Information
 
[security bulletin] HPSBMU03263 rev.3 - HP Insight Control running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03267 rev.2 - HP Matrix Operating Environment and HP CloudSystem Matrix running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBGN03332 rev.1 - HP Operations Analytics running SSLv3, Remote Denial of Service (DoS), Disclosure of Information
 
JSPMyAdmin SQL Injection, CSRF & XSS Vulnerabilities
 
[SECURITY] [DSA 3274-1] virtualbox security update
 

Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to be intentional about checking several items for compliance each and every month. While not intended to replace the value of an auditor, this approach can generate incremental value from the overall compliance process. If you have the requirement to be in compliance with PCI, you are in luck! You could easily create a table that pairs one of the 12 categories with one of the 12 months in a calendar year. Inside each month, you could list several items that are important to verify. When printed out and kept nearby, it can serve as a reminder to be diligent about tracking progress over time. Compare this table year over year and look for trends that will help identify the sometimes small areas to focus on that can make a big impact.
I have used this approach to expect more out of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about this table; it just forced me to be intentional each and every month. Using this approach, unexpected compliance drift can be identified and remediated on a much more timely basis. This approach can be used inside several of the regulatory compliance requirements. If you do not have one, ask friends and colleagues who do to learn what they find beneficial in their respective environments. As always, a great place to start is with the 20 Security Controls.
Can you make it easier on yourself to do the right thing by being intentional? I believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.
What systems do you use to force you to be intentional? Please use the comments section to share what works for you.
Russell Eubanks
@russelleubanks
SANS Minneapolis 2015
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 