Announcements

Podcasts

• Sans internet storm center stormcast (definitely listen to this one!)
• Info Sec Sync
• Defensive Security Podcast
• The Cyber Jungle

Security in the News

• Yahoo Data Breach
• What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.
• The global struggle to prevent cyberwar
• 500 million users at risk of compromise via unpatched WinRAR bug
• State Trooper Vehicles Hacked
• Thousands of medical devices are vulnerable to hacking, security researchers say
• Newly found TrueCrypt flaw allows full system compromise
• THE BIG SECRET THAT MAKES THE FBI’S ANTI-ENCRYPTION CAMPAIGN A BIG LIE
• SANS Internet Storm Center InfoSec Podcasts
• I am Mikko Hypponen, a computer security expert. Ask me anything!
• Santa or the Grinch: Android Tablet Analysis for the 2014 Holiday Season
• Just interesting
• Martin points out ...RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
• U.S. government probes medical devices for possible cyber flaws
• Delivering malicious Android apps hidden in image files
• Ghost in the (Bourne Again) Shell: Fallout of Shellshock far from over
• Drupal SQL Injection Flaw (or on slashdot)
• The Adultery Arms Race (or on slashdot)
• Signed Malware = Expensive “Oops” for HP
• Poor punctuation leads to Windows shell vulnerability
• CVE-2014-6271: remote code execution through bash
• Details of iOS and Android Device Encryption
• New OS X backdoor malware roping Macs into botnet
• Security stories on Slashdot
• CVE-2014-6271 Shellshock, Bash specially-crafted environment variables code injection attack, From Ubuntu (an example of command injection)
• CVE-2014-0160 Heartbleed
• How I hacked your Instagram account
• OWASP Top 10 2013 Released, or locally
• In ram rootkit
• Has Surveillance Gone Too Far
• Hacker Bypasses Windows 7/8 Address Space Layout Randomization
• iPad Hack Statement Of Responsibility
• Youth expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students personal data
• Java Zero-Day Vulnerability Rolled Into Exploit Packs
• NTLM Challenge Response is 100% Broken (Yes, this is still relevant)
• ELI5: How do hackers ... hack?
• Slashdot/security
• Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines
• Geek Researcher Spends Three Years Living With Hackers
• Canadian company collecting info on millions of habitual illegal downloaders
• The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
• In the US Sniffing open WiFi networks is not wiretapping, judge says, Judge correctly rules WiFi sniffing legal.
• Amazing mind reader reveals his 'gift' , from the safe internet banking campaign
• US and Canada Launch joint cybersecurity plan
• Researchers develop surveillance system that can watch and predict
• Craig Mundie Blames Microsoft's Product Delays On Cybercrime
• Secret Stingray Warrantless Cellphone Tracking
• Critical flaw found in software used by many industrial control systems
• Canada slow to respond to cyber threats: auditor
• Attack code for Firefox 16 privacy vulnerability now available online
• Honeynet map
• Cert.org vulnerability database (browse the Recent Vulnerability Notes)
• Mozilla Firefox browser upgrade taken offline due to vulnerability
• Facebook confirms researcher exploited privacy settings to quickly collect user phone numbers
• Telemarketers Recorded Through Virtual Machine
• Zip bomb
• Sandia builds self-contained, Android-based network to study cyber disruptions and help secure hand-held devices
• White House confirms cyberattack
• Unconventional Adversaries vs. Conventional Wisdom
• Honeytrap reveals mass monitoring of downloaders
• Leave Your Cellphone at Home
• Roxon edges towards keeping online data for two years
• Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
• Super-critical Java zero-day exploits TWO bugs
• The Breakdown of a Fake AV Scammer
• How Pixar nearly deleted Toy Story 2 before its release.
• Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate
• How SQL Injection Attacks Work
• Crisis Trojan Makes Its Way onto Virtual Machines
• Expert: Huawei routers are riddled with vulnerabilities
• Criminals Distribute Infected USB Sticks In Parking Lot
• Author Kills DarkComet Spyware After Syria Uses It
• How to write a Linux virus in 5 easy steps
• Lessons Learned From Cracking 2M LinkedIn Passwords
• Meet 'Flame'
• How online black markets work
• SSH Security and You - /bin/false is *not* security
• Linux Local Privilege Escalation via SUID /proc/pid/mem Write
• The Rootkit Of All Evil – CIQ and [DEV|APPv7] CIQ / HTC & Google Checkin / HTC loggers / Tell HTC Info & Removal
• Stolen Government Certificate Used to Sign Malware
• Duqu Installer Contains Windows Kernel Zero Day
• Top 35 Mitigation Strategies
• Lousy code opens up Bluetooth hands-free kits, smartphones to hackers and Vulnerability in Bluetooth Stack Could Allow Remote Code Execution
• Cracking OS X Lion Passwords
• Hackers break SSL encryption used by millions of sites
• Security firms: Android malware set to skyrocket
• Microsoft Windows Server 2008 R1 Denial Of Service
• Openwall GNU/*/Linux - a security-enhanced server platform
• NSA Considers its networks compromised
• The golden hour of phishing attacks
• SSL and Digital Certificates (an interesting exchange on Slashdot)
• 'Scary stuff': Cyberattack arrest highlights risk , Related XKCD
• TDL4 Rootkit Bypasses Windows Code-Signing Protection
• Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption. Interesting slashdot exchange (you should be able to understand a lot of this now).
• Insecure Handling of URL Schemes in Apple's iOS
• Speaking of SQL Injection...
• Firesheep countermeasure tool BlackSheep
• Online services security report card
• Silver Tail Systems Receives Strategic Investment from CIA's Venture Capital Arm
• Aussie Kids Foil Finger Scanner With Gummi Bears
• Firefox Extension Makes Social-Network ID Spoofing Trivial (as Nicolay Mentioned!)
• Human error gave spammers keys to Microsoft systems
• Survey Reveals How Stupid People are With Their Passwords
• (not a topic for the assignment but ...) IT Salary Guide Shows Increase in Salaries for IT Security Professionals
• You can no longer rely on encryption to protect a BlackBerry, BlackBerry backup encryption broken by Russians
• Some Android apps caught covertly sending GPS data to advertisers, the paper
• E-mail infections decline as exploits propagated via social media increase
• Security Lessons Learned From The Diaspora Launch
• (not a topic for the assignment but ...) Did Little Bobby Tables migrate to Sweden?
• Australian 17-year-old takes blame for Twitter chaos
• Demo of ASP.NET Padding Oracle Attack
• Stuxnet Attacks Used 4 Windows Zero-Day Exploits
• New Email Worm Squirming Through Windows Users' Inboxes and Anti-US Hacker Takes Credit For Worm
• New Crypto Attack Affects Millions of ASP.NET Apps
• Criminals Steal House Thanks To Hacked Email