-
September 15, 2013
No, the NSA was not behind the DigiNotar hack
According to the slide depicted above, a GCHQ program called “FLYING PIG” (SSL profiling) was used to identify a foreign intelligence service (“FIS” in intelligence-speak) that used the stolen private keys to launch a man-in-the-middle attack. It’s highly unlikely that the identified foreign intelligence service refers […]
-
September 15, 2013
Brazil’s Rousseff targets internet companies after NSA spying
Angered by reports that the U.S. government spied on her and other Brazilians, President Dilma Rousseff is pushing new legislation that would seek to force Google, Facebook and other internet companies to store locally gathered data inside Brazil. The requirement would be difficult to execute, technology experts […]
-
September 14, 2013
FBI Admits It Controlled Tor Servers Behind Mass Malware Attack
It wasn’t ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting’s […]
-
September 14, 2013
Kim Dotcom’s Mega
File-sharing tycoon Kim Dotcom has a plan to become a multi-millionaire again: He’s filed a seven-figure lawsuit against the New Zealand government over the spectacular 2012 assault on his mansion, and the electronic spying that preceded it. Court filings released this week show Dotcom and associates have made good on a threat […]
-
September 13, 2013
Congress will rein in NSA’s domestic snooping, predicts top U.S. intel official
Congress will curtail or even shut down the National Security Agency’s domestic snooping program over concerns that it violates Americans’ privacy, the top U.S. intelligence official predicted Thursday. “It’s very clear that — to the extent we get to keep these tools at […]
-
September 13, 2013
WordPress < 3.6.1 PHP Object Injection
That gives us three functions we can work with: __wakeup(), __destruct() and __toString(). “Unfortunately” I was unable to find an occurrence of a WordPress class that was loaded at the time the unserialization happens which could lead to a severe exploitation. Please note that this is not due to […]
-
September 13, 2013
WordPress issues security fixes, advises “update your sites immediately”
Mega-popular blogging and content management system WordPress has just put out version 3.6.1. Since it’s a maintenance release (an update from 3.6), it doesn’t have a huge raft of new features, but it does fix three security holes. One of them is a Remote Code Execution […]
-
September 13, 2013
Windows win32k.sys menus and some “close, but no cigar” bugs
Welcome after one of the more lengthy breaks in the blog’s activity. Today, I would like to discuss none other than several interesting weaknesses around the implementation of menus (like, window menus) in the core component of the Microsoft Windows kernel – the infamous win32k.sys […]
-
September 13, 2013
Dropbox…opening my docs?
I had the opportunity recently to beta-test HoneyDocs, a web app that generates documents that can ‘buzz home.’ This is done by a unique, embedded GET request that is initiated when the generated document has been opened. Several use cases came to mind, but I was most interested in seeing if my […]
-
September 12, 2013
Yahoo CEO Mayer: we faced jail if we revealed NSA surveillance secrets
Marissa Mayer, the CEO of Yahoo, and Mark Zuckerberg of Facebook struck back on Wednesday at critics who have charged tech companies with doing too little to fight off NSA surveillance. Mayer said executives faced jail if they revealed government secrets. Yahoo and […]