Gordon Lyon (aka Fyodor), who operates several Internet security resources and other mailing lists, has created a replacement list with the blessing of John Cartwright, one of the creators of Full Disclosure, which served as a forum for the discussion of vulnerabilities and exploitation techniques and other security topics.
Because the list is getting a fresh start and no previous subscriber information appears to be headed to Lyon, interested users will have to manually subscribe, which can be done here.
"Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete," Lyon said. "I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future.""
If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges.
“The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,” Microsoft explained in the advisory.
Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft."
wiredmikey (1824622) writes "Symantec on Thursday announced that CEO Steve Bennett was terminated by the security company and has been replaced by Michael Brown as interim president and CEO. Bennett, who also resigned from Symantec's board of directors, took the top position at Symantec in July 2012, after former president and CEO Enrique Salem was pushed out by the Board of Directors.
In April 2013, Bennett told attendees at its own Vision Conference that the company was changing, and acknowledged that Symantec “lacked strategy” when it came to dealing with acquisitions. His plan was to move the company forward slowly, but consistently and make Symantec easier to do business with. That strategy, or at least the execution of it, hasn't impressed the board of directors, it seems."
Lidzborski said that 100 percent of email messages that Gmail users send or receive are encrypted while moving internally. “This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations,” he said.
Joseph Hall, chief technologist at the Center for Democracy and Technology, told AFP that Google's encryption "would make it very difficult" for the NSA or others to tap into email traffic directly. "I'm reluctant to say anything is NSA-proof," Hall said. "But I think what Google is trying to do is make sure they come through the front door and not the back door."
wiredmikey (1824622) writes "The US government's PRISM Internet spying program exposed by Edward Snowden targets suspect email addresses and phone numbers but does not search for keywords like terrorism, officials said Wednesday. Top lawyers of the country's intelligence apparatus including the NSA and FBI participated Wednesday in a public hearing on the controversial US data-mining operations that intercept emails and other Internet communications including on social media networks like Facebook, Google or Skype.
"We figure out what we want and we get that specifically, that's why it's targeted collection rather than bulk collection," Robert Litt, general counsel at the Office of the Director of National Intelligence, told the hearing.
Under authority of the Foreign Intelligence Surveillance Act, the NSA asks Internet service providers to hand over messages sent from or received by certain accounts such as "email@example.com," the Justice Department's Brad Wiegmann said, using a hypothetical example."
The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as much as 35 million spam messages a day. "Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control," said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.
There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH.
ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."
"Robot" Snowden Takes Stage at TED Promising More Spying Revelations
Internet creator Tim Berners-Lee briefly joined Snowden's interview with TED curator Chris Anderson, and came down in the hero camp. When Anderson posed the question to the TED audience — known for famous, innovative, and influential attendees — the idea that Snowden was a force for good met with applause. "Hero patriot or traitor; I would say I am an American citizen just like anyone else," Snowden said. "What really matters here is the kind of government we want; the kind of Internet we want.""
Surveys: Cybersecurity Jobs Pay $93k a Year, Pimps Earn 33k a Week
wiredmikey (1824622) writes "The overall IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $77,642.
Meanwhile, a study released Wednesday by the Urban Institute found that pimps can bring in tens of thousands a week. According to the report, pimps took home anywhere from $5,000 to $33,000 a week, but detailed hefty expenses like hotel rooms, advertisement, clothing, housing, and food for their "girls." They typically ran relatively small operations of two to 36 people and sometimes employed drivers, bodyguards, and even nannies, according to the report."
Microsoft Shares Untold Story Behind Security Development Lifecycle
The dedicated site, hosted at SDLstory.com, provides never-before-seen video footage and photos from many of the SDL’s key players, and uncovers a collection of little-known anecdotes. For example, Microsoft said that in the early 2000s, the company had to bus engineers to the customer support call center to keep up with high call volumes coming in as a result of security incidents. Microsoft also said that in early February 2002 the entire Windows division shut down development and diverted all developers to focus on security."
wiredmikey (1824622) writes "Boeing is launching "Boeing Black phone", a self-destructing Android-based smartphone that the company says has no serviceable parts, and any attempted servicing or replacing of parts would destroy the product. "Any attempt to break open the casing of the device would trigger functions that would delete the data and software contained within the device and make the device inoperable," the company explained.
Boeing's website says its device was developed because there was nothing on the market to meet the needs of the US defense and security communities. "Despite the continuous innovation in commercial mobile technology, current devices are not designed from inception with the security and flexibility needed to match their evolving mission and enterprise environment," the website says.
The device should not be confused with the new encrypted Blackphone, developed by the US secure communications firm Silent Circle with Spanish manufacturer Geeksphone."
Apple Fixes Dangerous SSL Authentication Flaw in iOS
wiredmikey (1824622) writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the popular mobile OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a “privileged network position could capture or modify data in sessions protected by SSL/TLS.”
"While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attacks," VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible."
Yancey Strickler, Kickstarter’s CEO, said the company was notified by law enforcement on Wednesday night that hackers gained unauthorized access to some of its customers' data. According to Strickler, customer information accessed by the attacker(s) included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Strickler said that no credit card data was accessed by the attackers, and that so far only two Kickstarter user accounts have seen evidence of unauthorized activity."
Apple Publishes Secure Coding Guide for Developers
wiredmikey (1824622) writes "Apple has published a new secure coding guide designed to help developers of Mac OS and iOS applications build more secure programs by design. “Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you should be familiar with the information in this document,” Apple advised in the 123-page guide.
According to a study released in Aug. 2013, just 43 percent of respondents said their organizations have a defined software development process in place. Of these, only 69 percent adhere to the defined process, while 21 percent said their organization doesn't. Ten percent were unsure.
“Security is not something that can be added to software as an afterthought; just as a shed made out of cardboard cannot be made secure by adding a padlock to the door, an insecure tool or application may require extensive redesign to secure it,” Apple said in the guide. The Secure Coding Guide from Apple is available in HTML format or as a PDF file."
IE Zero-Day Exploit Used in Attack Targeting Military Intelligence
Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash. According to a recently-released report from CrowdStrike, Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra. “A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye said."
wiredmikey (1824622) writes "The FBI has placed malware on its shopping list, and is turning to third parties to help the agency build a massive library of malicious software. According to a 'Request for a Quote' posted on the Federal Business Opportunities website, the FBI is looking for price quotes for malware for the Investigative Analysis Unit of the agency's Operational Technology Division (OTD). The unit's mission is to "Provide technical analysis of digital methods, software and data, and provide technical support to FBI investigations and intelligence operations that involve computers, networks and malicious software," according to the document.
The FBI did not say precisely how the malware will be used, but the document calls the collection of malware from law enforcement and research sources "critical to the success of the IAU's mission to obtain global awareness of malware threat.""
Syrian Electronic Army Takes Temporary Control Over Facebook.Com
wiredmikey (1824622) writes "The Syrian Electronic Army claimed that it took control over the domain Facebook.com, Wednesday evening, likely through hacking into the domain administrator account at the social network's Domain Registrar. In a Tweet Wednesday evening, the hackers wished Facebook founder Mark Zuckerberg a happy birthday, along with an extra note: "Happy Birthday Mark! Facebook.com owned by #SEA," the Tweet read.
A check of the domain WHOIS showed that details of the three domain contacts were modified to be "firstname.lastname@example.org", though the domain name servers were not modified. Around 7:00PM ET, the registrant contact details were restored to "email@example.com", indicating that MarkMonitor and Facebook were able to react quickly before any damage was done. The hackers said that in response to being hacked, MarkMonitor took down the domain management portal, and also posted a screenshot."
Adobe said that the vulnerability (CVE-2014-0497), reported to Adobe by Alexander Polyakov and Anton Ivanov of Kaspersky Lab, has an exploit that exists in the wild. Interestingly, Kaspersky Lab said earlier this week that it has been investigating a sophisticated malware that leverages high-end exploits, and includes a bootkit and rootkit, and also has versions for Mac OS and Linux. Neither Adobe nor Kaspersky Lab disclosed if the vulnerability patched today by Adobe has any connection to the cyber-espionage operation that Kaspersky Lab is calling “one of the most advanced threats at the moment”.
“Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions,” the company said in a security advisory. If there is any connection between CVE-2014-0497 and the operation dubbed "The Mask" by Kaspersky Lab, it will not likely be disclosed until the company shares the details of its findings at the Kaspersky Security Analyst Summit next week."
If confirmed by lawmakers, Rogers would also take over as head of the military's cyber warfare command. Rogers, who trained as an intelligence cryptologist, would succeed General Keith Alexander, who has served in the top job since 2005. He currently heads the US Fleet Cyber Command, overseeing the navy's cyber warfare specialists, and over a 30-year career has worked in cryptology and eavesdropping, or "signals intelligence."
His confirmation hearings in the Senate are likely to be dominated by the ongoing debate about the NSA's espionage, and whether its sifting through Internet traffic and phone records violates privacy rights and democratic values."
Hackers Steal Law Enforcement Documents from Microsoft
“..We have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed,” said Adrienne Hall, General Manager at Microsoft's Trustworthy Computing Group. “It appears that documents associated with law enforcement inquiries were stolen,” Hall said.
Targeted attacks like this are not uncommon, especially for an organization like Microsoft. What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers—which may be the case if this was a “hacktivist” attack."