Submission: Mobile Device Crypto Could Lead to a 'Very, Very Dark Place', FBI Dir. Says (threatpost.com)

Gunkerty Jeb writes: FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law enforcement agencies to gather vital information on criminals.

Submission: National Security Letter Issuance Likely Headed to Supreme Court (threatpost.com)

Gunkerty Jeb writes: The Ninth Circuit appeals court in San Francisco took oral arguments from the Electronic Frontier Foundation and the Department of Justice yesterday over the constitutionality of National Security Letters and the gag orders associated with them. The EFF defended a lower court's ruling that NSLs are unconstitutional, while the DoJ defended a separate ruling that NSLs can be enforced. Whatever the court rules, the issue of NSLs is all but certainly headed for the Supreme Court in the not too distant future.

Submission: RSA's Coviello Calls for Surveillance Reform, Enhanced Privacy (threatpost.com)

Gunkerty Jeb writes: RSA Security executive chairman Art Coviello today at RSA Conference 2014 made his first public comments about the security company’s relationship with the National Security Agency, painting the landmark firm as a victim of the spy agency’s blurring of the lines between its offensive and defensive missions.

A Reuters report in December alleged RSA Security was paid $10 million in a secret contract with the NSA to use encryption software—specifically the Dual EC DRBG random number generator—that the spy agency could easily crack as part of its surveillance programs. The deal goes back nearly a decade to 2006, and according to Reuters, represented one third of the company’s crypto revenue at the time.

Submission: New 'Mask' APT Campaign Called Most Sophisticated Yet (threatpost.com)

Gunkerty Jeb writes: A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, includes a number of unique components and functionality and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines.

Submission: Verizon Transparency Report: Govt Requests Increasing (threatpost.com)

Gunkerty Jeb writes: After months of public calls from privacy advocates and security experts, Verizon on Wednesday released its first transparency report, revealing that it received more than 164,000 subpoenas and between 1,000 and 2,000 National Security Letters in 2013. The report, which covers Verizon’s landline, Internet and wireless services, shows that the company also received 36,000 warrants, most of which requested location or stored content data.

Submission: eBay Vulnerable to Account Hijacking via XSRF (threatpost.com)

msm1267 writes: eBay users remain vulnerable to account hijacking nearly five months after it was initially informed of a cross-site request forgery flaw by a U.K. security researcher. eBay has three times communicated to the researcher that the code causing the XSRF situation has been fixed, but it still remains vulnerable to his exploit.

The attack allows a hacker who lures a victim to a website hosting the exploit to change the user's contact information necessary to perform a password reset. The hacker eventually is able to log in as the victim and make purchases on their behalf.

Submission: NSA Says Snowden Used Legit Access to Steal Data (threatpost.com)

Gunkerty Jeb writes: It’s taken more than six months, but top officials at the National Security Agency are finally discussing some of the details of how former agency contractor Edward Snowden got access to all of the documents he stole and what kind of damage they believe the publication of the information they contain could do. A senior NSA employee tasked with investigating what Snowden did and how he did it said that Snowden simply used the legitimate access he had as a systems administrator to steal and store the millions of documents he’s been slowly leaking to the media, and that the information in those documents could give U.S. enemies a “road map” of the country’s intelligence capabilities and blind spots.

Submission: The Infamous Zeus Banking Trojan has Gone 64-Bit (threatpost.com)

Gunkerty Jeb writes: Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new, 64-bit version of the Zeus trojan that behaves much like its 32-bit contemporaries: it too uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and even log keystrokes. Unlike its contemporaries, this new variety of Zeus is — of course — 64-bit compatible, but also communicates with its command and control server over the Tor anonymity network.

Submission: Ruby on Rails CookieStore Bug Plagues Prominent Sites (threatpost.com)

Gunkerty Jeb writes: A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.

Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-site scripting or session sidejacking – and log in as them at a later date.

Submission: Senate Debates Surveillance Transparency Act, NSA Spying (threatpost.com)

Gunkerty Jeb writes: In a Senate hearing debating the NSA's contentious surveillance programs and a proposed bill that would impose more transparency onto those practices, Sen. Patrick Leahy (D-Vt.) asked Google's director for law enforcement and information security matters, Richard Salgado, if government-imposed gag orders on requests for user data were making the country safer. Salgado answered that he did not believe that his inability to answer questions about data requests had any impact on national security.

In addition, the general counsel for the Director of National Intelligence claimed enumerating the exact number of U.S. citizens monitored under NSA surveillance programs would be too difficult and resource-intensive.

The general consensus of those not advocating for the NSA was that the bill introduced by Sen. Al Franken (D-Mich.) would be a great step forward, but that transparency alone would not undo the damages done to U.S. companies and its government by PRISM and other similar surveillance programs. Nor, they seemed to agree, would the addition of transparency make the NSA’s programs lawful or constitutional.

Submission: Microsoft to Broaden its Base of Bug Bounty Submitters (threatpost.com)

Gunkerty Jeb writes: Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit mitigations in place on the newest version of Windows.

Submission: Lavabit Temporarily Re-Opening

Trailrunner7 writes: Lavabit, the now-shuttered secure email provider that has become something of a rallying point for privacy advocates and security experts in the ongoing NSA surveillance saga, is giving its former users until Thursday night to change their passwords on the service. They will then have a short window to download their email archives and get to their account data.

Ladar Levison, the founder of Lavabit, in August decided to make the dramatic move of shutting down the service rather than giving the government broad access to his users’ data. The FBI, in the wake of the Edward Snowden leaks of NSA surveillance methods, went to Levison with a court order demanding the SSL keys for the company’s service. Rather than comply, which Levison said would have spelled death for the Lavabit service anyway, he decided to shut down the secure email system. The Department of Justice was not pleased, to say the least, but Levison has held out and recently filed an appeal of the court order.

Submission: Google Malaysia Site Hijacked (threatpost.com)

Gunkerty Jeb writes: The Google domain for Malaysia was hijacked on Thursday night, redirecting visitors to a page that said a group called Madleets from Pakistan had performed the attack. The domain has been restored now, but the name servers for the domain had been changed to a pair controlled by the attackers.
