(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Aussie students expose Snapchat's inner workings
iT News
A group of Australian youngsters - all students with no formal education - have reverse engineered the Snapchat service using only its API (application program interface) and readily available InfoSec tools. Calling themselves 'Gibson Security' or ...


The National Security Agency's X-KEYSCORE program gives the spy agency access to a wide range of Internet traffic. Any information that isn't encrypted is, naturally, visible to passive Internet wiretaps of the kind the NSA and other intelligence agencies use. This in turn will typically expose such things as e-mails, online chats, and general browsing behavior.

And, according to slides published this weekend by Der Spiegel, this information also includes crash reports from Microsoft's Windows Error Reporting facility built into Windows.

These reports will tell eavesdroppers what versions of what software someone is running, what operating system they use, and whenever that software has crashed. Windows also sends messages in the clear whenever a USB or PCI device is plugged in as part of its hunt for suitable drivers.


Most malware is mundane, but these innovative techniques are exploiting systems and networks of even the savviest users

Dell, others named in NSA spying program
SC Magazine Australia
Appelbaum told the 30c3 audience that he expects the InfoSec community to now search systems for evidence of the NSA malware in use. “A lot of malware researchers will have a lot to say about this in the future,” he said. Indeed, Appelbaum referred to ...

SAP NetWeaver Web Dynpro Live Update XML External Entity Information Disclosure Vulnerability
ESRI ArcGIS for Server CVE-2013-5222 Multiple Input Validation Vulnerabilities
What will be the best ways to reach mobile shoppers in the new year? Mobile marketing experts reveal which new mobile marketing apps and strategies can help you reach customers on the go.
HPLIP 'pkit.py' Insecure Temporary File Creation Vulnerability
The software development landscape in 2013 saw technologies like JavaScript rise to new heights while others -- Java, for example -- maintained their prominence out of sheer inertia.
Japan intends to deliver an exascale supercomputer in six years. The firm completion date makes Japan novel among the nations in the race to build exascale systems.

Server vendors named in NSA spying toolkit
iT News
That said, the NSA's ANT team claimed to be pursuing a remote installation capability. THE SEARCH FOR MALWARE. Appelbaum told the 30c3 audience that he expects the InfoSec community to now search systems for evidence of the NSA malware in use.

Simple Machines Forum User Impersonation and Clickjacking Vulnerabilities

Salted Links: 30 December 2013
CSO (blog)
The final weeks of December, including Christmas and New Year's Eve, are the slowest days of the year for those who work in IT (and InfoSec). Offices are open, but only for a few days. The staffing is low, due to vacations or clipped overhead, and ...

Although Apple CEO Tim Cook's 2013 salary raise was less than half the 7.5% increase given to his subordinates, he stands to rake in as much as $115 million in 2014.
[SECURITY] [DSA 2829-1] hplip security update
[SECURITY] [DSA 2828-1] drupal6 security update
CALL FOR PAPERS - Hackers 2 Hackers Conference 11th edition
Zenphoto Cross Site Scripting and SQL Injection Vulnerabilities
Red Hat CloudForms Management Engine 'MiqPolicyController' Component SQL Injection Vulnerability
Samsung Electronics has announced a new chip that will make it possible for the company and others to build smartphones and tablets with up to 4GB of RAM.
A special hacking unit of the U.S. National Security Agency intercepts deliveries of new computer equipment en route to plant spyware, according to a report on Sunday from Der Spiegel, a German publication.
Python 'readline()' Function Denial of Service Vulnerability
HP Autonomy Ultraseek Unspecified Cross Site Scripting Vulnerability
No matter who Microsoft names as its new CEO early in 2014, the pick will trigger comments from experts and technology leaders who question the sanity of the board, the person who took the job or everyone involved.
CGI Federal, the lead contractor at Healthcare.gov, is a veritable black belt in software development, with the highest possible certification from CMMI. So what does the website's flawed rollout say about how useful CMMI is?
Take a moment to retool your personal and professional priorities with some of our most insightful tech management and careers articles.
Don't be fooled by the company's rocky 2013. There are strong signs that it has turned the corner.

Managing Cyber Security Threats from Inside
Smart Data Collective
Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. This post is by Tom Olzak, a security researcher for the InfoSec Institute and an IT professional with over 27 years of experience in programming.
