SECURITY WARNINGS & Notices - Please post them here

[Asyn]

Microsoft Security Bulletin Summary for March 2016
https://technet.microsoft.com/en-us/library/security/ms16-mar.aspx

[Secondmineboy]

KeRanger Is Actually A Rewrite of Linux.Encoder

https://labs.bitdefender.com/2016/03/keranger-is-actually-a-rewrite-of-linux-encoder/

[Para-Noid]

Seagate employees’ W-2 forms exposed in another payroll phish

http://arstechnica.com/security/2016/03/seagate-employees-w-2-forms-exposed-in-another-payroll-phish/

It’s 2016, so why is the world still falling for Office macro malware?

http://arstechnica.com/security/2016/03/its-2016-so-why-is-the-world-still-falling-for-office-macro-malware/

How Minecraft undermined my digital defences

http://www.bbc.com/news/technology-34474883

Want Safer Passwords? Don’t Change Them So Often

http://www.wired.com/2016/03/want-safer-passwords-dont-change-often/

[polonus]

Firm sells tablet/computers for children with vulnerable Flash Player 
Read: http://www.mikecarthy.com/offensive-security/childrens-tablet-computer-vulnerable-flash-exploit/
So Polonus would like to know and scanned the firms server address for DROWn attcak vulnerability and DANG.
So our poor kids are additionally also threatened from the DROWn attack 
see here: https://test.drownattack.com/?site=LeapFrog.com

polonus (volunteer website security analyst and website error.hunter)

[bob3160]

Firm sells tablet/computers for children with vulnerable Flash Player 
Read: http://www.mikecarthy.com/offensive-security/childrens-tablet-computer-vulnerable-flash-exploit/
So Polonus would like to know and scanned the firms server address for DROWn attcak vulnerability and DANG.
So our poor kids are additionally also threatened from the DROWn attack 
see here: https://test.drownattack.com/?site=LeapFrog.com

polonus (volunteer website security analyst and website error.hunter)

http://www.ibtimes.co.uk/leapfrog-weak-security-kid-friendly-tablet-could-leave-children-exposed-online-snooping-1548905

[Asyn]

Adobe Security Bulletin
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html

[polonus]

Cloud service providers are failing when it comes to protecting their clients against the recently disclosed DROWN attack, with only 33 providers having patched their servers from a total of 653 surveyed services. : http://news.softpedia.com/news/one-week-later-drown-vulnerability-still-affects-620-of-653-cloud-services-501599.shtml
link article author -  Catalin Cimpanu.

polonus

[bob3160]

Cloud service providers are failing when it comes to protecting their clients against the recently disclosed DROWN attack, with only 33 providers having patched their servers from a total of 653 surveyed services. : http://news.softpedia.com/news/one-week-later-drown-vulnerability-still-affects-620-of-653-cloud-services-501599.shtml
link article author -  Catalin Cimpanu.

polonus

Not much help when they don't list the effected and patched services.

[polonus]

Hi bob3160,

This is one outside that 5.1% patched against DROWn with CloudFlare, Inc. as Netblock owner.
https://test.drownattack.com/?site=ns1.hostmonster.com
You could test here for your cloud service of choice: https://test.drownattack.com/?site=
But DROWn should be patched on all underlying servers and services that share that same certificate and are vulnerable,
that it is why that exploit is that lively dangerous. Forgotten to mitigate or patch somewhere or forgotten to disable SSLv2/3  and DANG PRESTO!

polonus

P.S. And do not forget to scan your cloud apps: example : https://test.drownattack.com/?site=just.cloud  & https://test.drownattack.com/?site=express.vpn  and a long row of other vulnerable app services.

Oh, and we have to see this exploit in a clear light as not everybody will spend 400 bucks on resources to be able to compromise to decrypt the key  But some parties might take an interest there.... (info credits: Eric Wingfield)

Damian

[Pondus]

3 year old java bug, still there

Broken security fix in Oracle Java SE 7/8/9
http://seclists.org/fulldisclosure/2016/Mar/31

[polonus]

How can you quarrel about mouseclick-surveillance, when we all already got it?
The only discussion is on making that mouse-click surveillance even simpler and more straight-forward,
to do away with all encryption obstacles that might hinder Big Brother´s dragnet.
The rest is just made-up for discussion´s sake.
Re: https://www.eff.org/deeplinks/2016/03/next-front-new-crypto-wars-whatsapp
First it is the iPhone, now it is WhatsApp.

polonus

[Secondmineboy]

Attacker leaves “SECURITY TIPS” after invading anti-DDoS firm Staminus

https://nakedsecurity.sophos.com/2016/03/15/attacker-leaves-security-tips-after-invading-anti-ddos-firm-staminus/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

[REDACTED]

I use firefox with all of the blockers in place, turn off history, run a cookie cleaner and always use startpage as my search engine.  I never had an issue.  Never had an issue. 

[Para-Noid]

Large Angler Malvertising Campaign Hits Top Publishers

https://blog.malwarebytes.org/malvertising-2/2016/03/large-angler-malvertising-campaign-hits-top-publishers/?utm_source=linkedin&utm_medium=social

[polonus]

Security of AV code is meshy, insecure, and not of this time,
it is like hacking like in 1999. That means we´re in peril when the next big threat comes knocking at the door!
Read: http://blog.cmpxchg8b.com/2016/03/security-software-certification.html )link article author = Tavis Ormandy.
Mondern security is not what AV has to offer us.
Anyone.

polonus