Cisco Adaptive Security Appliance CVE-2013-3463 Denial of Service Vulnerability
YingZhi Python Programming Language for iOS Arbitrary File Upload Vulnerability
Facebook's motto may be "move fast and break things," but the 3,000 employees at its headquarters in Menlo Park, California, now have the chance to do just the opposite.
SDN (software-defined networking) promises some real benefits for people who use networks, but to the engineers who manage them, it may represent the end of an era.

The federal government is pouring almost $11 billion per year into a 35,000-employee program dedicated to "groundbreaking" methods to decode encrypted messages such as e-mails, according to an intelligence black budget published by The Washington Post.

The 17-page document, leaked to the paper by former National Security Agency (NSA) contractor Edward Snowden, gives an unprecedented breakdown of the massive amount of taxpayer dollars—which reached $52 billion in fiscal 2013—that the government pours into surveillance and other intelligence-gathering programs. It also details the changing priorities of the government's most elite spy agencies. Not surprisingly, in a world that is increasingly driven by networks and electronics, they are spending less on the collection of some hard-copy media and on satellite operations while increasing resources for sophisticated signals intelligence, a field of electronic spying the feds frequently refer to as "SIGINT."

"We are bolstering our support for clandestine SIGINT capabilities to collect against high priority targets, including foreign leadership targets," James Clapper, director of national intelligence, wrote in a summary published by the WaPo. "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic."

The Tor Metrics Portal is reporting a jump in their user metrics (https://metrics.torproject.org/users.html)

This is causing a bit of discussion and as people share observations and data with each other a few hypotheses bubble up.

  • It's a new malware variant.
  • It's people responding to news of government surveillance.
  • It's a reporting error.

We've received a few reports here about vulnerability scans coming in from Tor nodes, and a report of a compromised set of machines that had Tor clients installed on them.  As more data are shared and samples come to the surface, let's look at the Tor Project's own data a little more closely.

First, what are they actually counting?  According to their site:

"After being connected to the Tor network, users need to refresh their list of running relays on a regular basis. They send their requests to one out of a few hundred directory mirrors to save bandwidth of the directory authorities. The following graphs show an estimate of recurring Tor users based on the requests seen by a few dozen directory mirrors."

So we're seeing an uptick in directory requests.  When did this start?  It looks like mid-August, so let's zoom in and see.  I try a little binary search to narrow it down, first zooming to AUG-15 through AUG-30:

Zooming in further to find where the jump really starts:

Things are still flat on the 19th.

I'm liking the 19th as the beginning.

Has this happened before?  Let's widen the scope a bit.


So we had a recent spike in early 2012.

There appears to be a similar doubling of users between 06-JAN and 11-JAN in 2012.

Are you seeing an uptick in Tor activity in your networks?  Share your observations, and especially any malware samples (https://isc.sans.edu/contact.html).

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft general counsel Brad Smith Friday said that the company would move ahead with its lawsuit against the U.S. government seeking permission to release more information on demands Microsoft receives from the National Security Agency and others for Internet user data.

Two weeks ago I rambled a bit about trying to dig a signal out of the noise of SSH scans reported to DShield (https://isc.sans.edu/diary/Filtering+Signal+From+Noise/16385).  I tried to build a simple model to predict the next 14 days' worth of SSH scans and promised that we'd check back in to see how wrong I was.

Looks like I was pretty wrong.

I had built and trained the model to do a tolerable job of describing past performance and wondered, if we let it run, whether it would do any better at predicting future behavior than simply taking the recent average and projecting it out linearly.  I fed the numbers into the black box and clicked "publish" on the article before I really took a close look at what it was spitting out.  There was a spike in the 48 hours between tuning the model and publishing, and its impact on the trend was a bit... severe.

The Results

None of the approaches did an amazing job of predicting the actual total of 6423, although it is remarkable how badly the Exponential Smoothing model did.  I have had really good results using that method with other data, and I encourage you to give it a try on other problems.

Method                      Predicted SSH scan source total (14 days)   Error vs. actual 6423
Exponential Smoothing       19963                                        13540 (210%)
7-day average projection     7197                                          774 (12%)
30-day average projection    7054                                          631 (10%)
MCMC estimate                5390                                         1033 (16%)
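To show how the trend-following smoothing model can blow up so badly when a spike lands in the last two days of the training window, here is an added example (not the diary's own model or DShield data) that projects a 14-day total three ways: Holt's linear exponential smoothing, a 7-day average projection, and a 30-day average projection, and scores each against the actual total the same way the table does. The daily counts are constructed: 28 quiet days, a two-day spike, then 14 quiet days of "actual" traffic. The alpha and beta smoothing constants are assumed values, not taken from the diary.

```python
"""Compare 14-day SSH-scan-source forecasts the way the table above does.

Constructed data: 28 days at a 500/day baseline, then a two-day spike
(1500, 2000) right before the forecast is made, followed by 14 "actual"
days that return to baseline.  None of this is real DShield data.
"""
from statistics import mean

HISTORY = [500] * 28 + [1500, 2000]      # 30 days of training data (constructed)
ACTUAL_NEXT_14 = [500] * 14              # what "really" happened (constructed)
HORIZON = 14


def holt_forecast_total(series, horizon, alpha=0.5, beta=0.3):
    """Holt's linear (double exponential) smoothing, summed over the horizon.

    The level tracks the recent value, the trend tracks the recent change.
    A spike at the very end of the series inflates the trend, and every
    forecast day adds another multiple of that trend, which is the
    failure mode the diary ran into.  alpha/beta are assumed constants.
    """
    level, trend = series[0], series[1] - series[0]
    for y in series[2:]:
        prev_level = level
        level = alpha * y + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
    return sum(level + h * trend for h in range(1, horizon + 1))


def average_projection_total(series, window, horizon):
    """Mean of the last `window` days, projected flat over the horizon."""
    return mean(series[-window:]) * horizon


def error_pct(predicted, actual):
    """Absolute error as a percentage of the actual total, as in the table."""
    return abs(predicted - actual) / actual * 100


def compare(history=HISTORY, actual_days=ACTUAL_NEXT_14, horizon=HORIZON):
    """Return {method: (predicted_total, abs_error, pct_error)}."""
    actual_total = sum(actual_days)
    forecasts = {
        "Exponential Smoothing (Holt)": holt_forecast_total(history, horizon),
        "7-day average projection": average_projection_total(history, 7, horizon),
        "30-day average projection": average_projection_total(history, 30, horizon),
    }
    return {
        name: (pred, abs(pred - actual_total), error_pct(pred, actual_total))
        for name, pred in forecasts.items()
    }


if __name__ == "__main__":
    print(f"actual 14-day total: {sum(ACTUAL_NEXT_14)}")
    for name, (pred, err, pct) in compare().items():
        print(f"{name:30s} {pred:10.1f}   error {err:9.1f} ({pct:.0f}%)")
```

On this constructed series the Holt forecast lands far above the others because the two-day spike is read as a trend that keeps compounding for 14 days, while the 30-day average barely notices it. The percentages in the table above follow the same error_pct convention (absolute error over the actual 6423).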

Apple faces a threat from an unexpected quarter: Chinese developers crafting Android apps, an analytics firm said.
Salesforce.com's second-quarter earnings conference call featured the usual dose of chest-thumping by CEO Marc Benioff as the company posted US$957 million in revenue and raised its full fiscal year forecast to at least $4 billion.
When it comes to tapping into U.S. telecommunications networks for surreptitious surveillance, the U.S. National Security Agency can't be accused of not paying its way.
VoloMetrix's enterprise analytics technology uses social engineering to let CIOs quickly identify bottlenecks and pain points in their organization. Using that data, they can better allocate time, energy and resources. The only catch is that they have to mine employees' email to get that data.
[ MDVSA-2013:223 ] asterisk
VUPEN Security Research - Microsoft Internet Explorer Protected Mode Sandbox Bypass (Pwn2Own 2013 / MS13-059)
VUPEN Security Research - Microsoft Internet Explorer "ReplaceAdjacentText" Use-after-free (MS13-059)
The U.S. intelligence community is reportedly using 20% of its $52.6 billion annual budget to fund cryptography-related programs and operations.
LinuxSecurity.com: Updated asterisk packages fix security vulnerabilities: A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel [More...]
LinuxSecurity.com: New gnutls packages are available for Slackware 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: New php packages are available for Slackware 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code or cross-site scripting. [More...]
VUPEN Security Research - Microsoft Windows "LdrHotPatchRoutine" Remote ASLR Bypass (Pwn2Own 2013 / MS13-063)
[slackware-security] php (SSA:2013-242-02)
NEW VMSA-2013-0011 VMware ESXi and ESX address an NFC Protocol Unhandled Exception
Good Technology has integrated its Dynamics Secure Mobility Platform with Salesforce.com's Mobile SDK to help developers build mobile applications that are more secure and easily managed.

VMware recently released Security Advisory VMSA-2013-0011 addressing an NFC protocol vulnerability affecting ESXi and ESX (CVE-2013-1661).  Details are available at https://www.vmware.com/support/support-resources/advisories/VMSA-2013-0011.html

The NFC (Near Field Communication) Protocol is used in tap-to-pay cards and sharing contacts between mobile devices.  This vulnerability exposes the hypervisor to a denial-of-service.

UPDATE: NFC in this case refers to Network File Copy, which makes a lot more sense; I was wondering how you'd tap two VMs together. Thank you, sine nomine.

Microsoft yesterday made permanent the $100 price cut to its Surface Pro tablet that it ran as a temporary sale through most of August.
Like some other Chinese brands, Xiaomi doesn't have the easiest name for Westerners to pronounce. But on Thursday, the name was spoken worldwide after the company hired a former Google executive to lead its global expansion.
Samsung Electronics has started mass producing DDR4 memory that it expects will go into enterprise servers in next-generation data centers.
The U.S. government has decided to release data annually on its secret spy orders and the number of people affected by them, the country's intelligence chief said Thursday.
The PC industry's problems continue to worsen, research firm IDC said yesterday as it again lowered shipment forecasts for the year. And the personal computer business's problems are Microsoft's problems.
Agnitum Outpost Security Suite Pro Memory Corruption And Directory Traversal Vulnerabilities
For all the privacy concerns raised by Edward Snowden's leaks about government data collection activities, the U.S. is not alone or even always the most demanding when it comes to law enforcement requests for customer data from Internet service providers.
Judging by initial appearances, our security testing turned up a ton of vulnerabilities, nearly 150 of them. In reality, however, none represented actual issues in the Huawei switch.

Posted by InfoSec News on Aug 30


By Andrea Peterson
The Switch
Washington Post
August 29, 2013

Our Post colleagues have had a busy day. First, they released documents
revealing the U.S. intelligence budget from National Security Agency (NSA)
leaker Edward Snowden. Then they recounted exactly how the hunt for Osama
bin Laden went down.

In that second report, Craig...

Posted by InfoSec News on Aug 30


By Mathew J. Schwartz
August 28, 2013

Three men have been charged by Manhattan district attorney Cyrus Vance Jr.
with stealing proprietary information from Amsterdam-based trading house
Flow Traders.

All three, who are in their 20s, were arrested earlier this month -- based
on information provided by Flow Traders -- and...

Posted by InfoSec News on Aug 30


By John Fontana
Identity Matters
ZDNet News
August 29, 2013

I think I detected a discernible sigh of relief this week from billions of
Internet users with 56-character passwords.

I could be wrong. Likely I am.

People try all sorts of crazy things to manage passwords, but 55 character
strings are not anywhere near the top of the list.

This week has been another example of the...

Posted by InfoSec News on Aug 30


By Brian Merchant
August 29, 2013

The Syrian Electronic Army topped the news cycle again this week,
following takedowns of The New York Times, Twitter, and Huffington Post
UK. They're just the most recent efforts in a long string of high-profile
hacks, which targeted the likes of the Associated Press, the Onion, and

The SEA has said it is...

Posted by InfoSec News on Aug 30


By Jon Brodkin
Ars Technica
Aug 29 2013

A medical testing laboratory called LabMD has been accused of exposing the
personal information of about 10,000 customers on a peer-to-peer file
sharing network.

The company has been fighting the claims, saying a security firm that
uncovered the breach victimized LabMD by downloading a...