Information Security

News aggregator

Conversnitch

Bruce Schneier's Blog - 2 hours 31 min ago
Surveillance is getting cheaper and easier: Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in...
Categories: Security News

The Security of Various Programming Languages

Bruce Schneier's Blog - 9 hours 11 min ago
Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language. The report....
Categories: Security News

An Eavesdropping Lamp That Livetweets Private Conversations

Wired Threat Level - 11 hours 33 min ago
Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter.
Categories: Security News

Vuln: Apache Tomcat CVE-2013-4286 Security Bypass Vulnerability

Linux Security - Tue, 04/22/2014 - 19:00
Apache Tomcat CVE-2013-4286 Security Bypass Vulnerability
Categories: Vulnerability Pipes

Apple Patches for OS X, iOS and Apple TV, (Tue, Apr 22nd)

Other Security - Tue, 04/22/2014 - 18:27

Apple today released patches for OS X, iOS and Apple TV. The OS X patches apply for versions of OS X back to Lion (10.7.5). Vulnerabilities fixed by these patches can lead to remote code execution by visiting malicious web sites.

For more details, see Apple's security update page [1]. Links to the actual update details should become available shortly.

[1] http://support.apple.com/kb/HT1222

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Vulnerability Pipes

Dan Geer on Heartbleed and Software Monocultures

Bruce Schneier's Blog - Tue, 04/22/2014 - 07:52
Good essay: To repeat, Heartbleed is a common mode failure. We would not know about it were it not open source (Good). That it is open source has been shown to be no talisman against error (Sad). Because errors are statistical while exploitation is not, either errors must be stamped out (which can only result in dampening the rate of...
Categories: Security News

OpenSSL Rampage, (Mon, Apr 21st)

Other Security - Mon, 04/21/2014 - 08:19

OpenSSL, in spite of its name, isn't really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase.

If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at http://opensslrampage.org/archive/2014/4, where the OpenBSD-OpenSSL diffs and code changes are coming in fast, and are often accompanied by cynical but instructive comments. As one poster put it, "I don't know if I should laugh or cry". The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it.

Categories: Vulnerability Pipes

Info on Russian Bulk Surveillance

Bruce Schneier's Blog - Mon, 04/21/2014 - 05:55
Good information: Russian law gives Russia's security service, the FSB, the authority to use SORM ("System for Operative Investigative Activities") to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions. SORM has been in use since 1990 and collects both metadata and content. SORM-1 collects mobile and...
Categories: Security News

Friday Squid Blogging: Squid Jigging

Bruce Schneier's Blog - Fri, 04/18/2014 - 16:16
Good news from Malaysia: The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said. He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region. "Beside introducing squid...
Categories: Security News

Metaphors of Surveillance

Bruce Schneier's Blog - Fri, 04/18/2014 - 14:21
There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...
Categories: Security News

Bugtraq: [security bulletin] HPSBMU02998 rev.2 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)

Windows Security - Fri, 04/18/2014 - 13:30
[security bulletin] HPSBMU02998 rev.2 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)
Categories: Vulnerability Pipes

Reverse Heartbleed

Bruce Schneier's Blog - Fri, 04/18/2014 - 07:29
Heartbleed can affect clients as well as servers....
Categories: Security News

Overreacting to Risk

Bruce Schneier's Blog - Fri, 04/18/2014 - 06:26
This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...
Categories: Security News

Heartbleed CRL Activity Spike Found, (Wed, Apr 16th)

Other Security - Thu, 04/17/2014 - 20:51

Update: CloudFlare posted in their blog twice today claiming responsibility for the majority of this spike. Quoting: "If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign's monthly bandwidth bill."

Update: We've also seen articles from ZDNet and WIRED today in response to the below insights, with further analysis therein.

It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.

This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl

The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:

This is by an order of magnitude the largest spike in revocation activity seen in years, according to our current data.

I have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at https://isc.sans.edu/crls.html.

How will you use this page in your projects or general analysis? We'd love to hear some ideas.

If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.

On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:

What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?

-- 
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford | @alexstanford

Categories: Vulnerability Pipes

Heartbleed Bug Sends Bandwidth Costs Skyrocketing

Wired Threat Level - Thu, 04/17/2014 - 16:01
The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones. The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with […]
Categories: Security News

Tails

Bruce Schneier's Blog - Thu, 04/17/2014 - 13:38
Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....
Categories: Security News

Bugtraq: [SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable

Linux Security - Thu, 04/17/2014 - 07:14
[SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable
Categories: Vulnerability Pipes

New ‘Google’ for the Dark Web Makes Buying Dope and Guns Easy

Wired Threat Level - Thu, 04/17/2014 - 05:30
The dark web just got a little less dark with the launch of a new search engine that lets you easily find illicit drugs and other contraband online.
Categories: Security News