Once on the cutting edge of vulnerability disclosure, Full-Disclosure has become too unpleasant to read or moderate.
From the time I first started writing regularly about IT security in 2003 until today, the Full-Disclosure mailing list has been a must-read resource every day—but that apparently is ending today.
iophk: "Maybe it's time for the wireless industry to consult cryptography and security professionals before embarking on drafting the next encryption standard."
We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking into anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world-class jerk -- who took great thrill in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no standing in whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.
Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation's kernel.org and the developers of the cPanel Web hosting control panel, according to a detailed report published Tuesday by researchers from antivirus provider Eset. During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks. It also feeds people running any type of computer banner ads for porn services.
A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes.
A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS.
The Tor network is in danger of being swamped by criminals abusing its anonymity to hide an underworld of parasitic botnets, malicious command and control and ‘darknet’ markets, according to research from Kaspersky Lab.
For years, security researchers have warned about the risks of keylogging software on computing platforms. Keyloggers quite literally log and record the keystrokes taken by a user in a bid to learn passwords and other valuable information.