Security News #0x5E
- The folks at Adallom describe an attack against Office365 that would allow an attacker to pilfer an organization’s SharePoint Online site. The vulnerability (CVE-2013-5054) was reported to Microsoft in the spring, and just patched in MS13-104.
- Many of my students are interested in possibly working at the NSA. For those of you in that situation, you may want to read the experiences of Loren Sands-Ramshaw.
- Three Israeli researchers have found a way to crack RSA on a remote computer solely by listening to the sounds it emits. I don’t know if this is something to worry about, but the coolness factor is high.
- The continuing saga of malware in JPEG images, well, umm, continues. Definitely an area that is worthy of some additional attention.
- If you visited the official php.net site back in October, then you may have been exposed to something more worrying than typical malware: a new kind of DGA changer.
- The Washington Post has a nice piece on how attackers can activate Macbook webcams remotely without also activating the camera light, making this quite stealthy. Although the Post piece only mentions Macs, Windows folks appear to be vulnerable to similar attacks.
- You already know about the massive breach at Target stores; data for as many as 40,000,000 credit card accounts may have been pilfered.
- There is a serious vulnerability in OpenSSL’s use of the Dual EC DRBG algorithm; however, as they report, "The nature of the bug shows that no one has been using the OpenSSL Dual EC DRBG." You can get some perspective at Ars Technica.
- Reuters reports that RSA received $10 million to use an NSA-preferred algorithm in some of their products.