Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash

Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities.

Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS.

These results come from CVE Details, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures.

You’ll notice that Windows versions are split separately, unlike OS X. Many of the vulnerabilities across various Windows versions are the same, so there is undoubtedly a lot of overlap. The argument for separating them is probably one of market share, though that’s a hard one to agree to, given that Android and iOS are not split into separate versions. This is the nature of CVEs.

It’s also worth pointing out that the Linux kernel is separate from various Linux distributions. This is likely because the Linux kernel can be upgraded independently of the rest of the operating system, and so its vulnerabilities are split off.

If we take the top 50 list of products and categorize them by company, it’s easy to see that the top three are Microsoft, Adobe, and Apple:

Schneier on Security: Choosing Secure Passwords

Schneier on Security: Choosing Secure Passwords
The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. Postal codes are common appendages. If it can, the guesser will index the target hard drive and create a dictionary that includes every printable string, including deleted files. If you ever saved an e-mail with your password, or kept it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it. And it will speed the process of recovering your password. Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62% — in a few hours. It’s the same sort of thing we saw in 2012, 2007, and earlier. If there’s any new news, it’s that this kind of thing is getting easier faster than people evercookie – virtually irrevocable persistent cookies evercookie – virtually irrevocable persistent cookies
evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available. Specifically, when creating a new cookie, it uses the following storage mechanisms when available: – Standard HTTP Cookies – Local Shared Objects (Flash Cookies) – Silverlight Isolated Storage – Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out – Storing cookies in Web History – Storing cookies in HTTP ETags Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance | Freedom of the Press Foundation Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance | Freedom of the Press Foundation
hreat Model Crypto Systems Software You Can Trust Anonymize Your Location with Tor Off-the-Record (OTR) Chat “Pretty Good Privacy” (PGP) Email Encryption Tails: The Amnesic Incognito Live System A Fighting Chance

Washington Post: Here’s what you find when you scan the entire Internet in an hour

Washington Post: Here’s what you find when you scan the entire Internet in an hour
Until recently, scanning the entire Internet, with its billions of unique addresses, was a slow and labor-intensive process. For example, in 2010 the Electronic Frontier Foundation conducted a scan to gather data on the use of encryption online. The process took two to three months. A team of researchers at the University of Michigan believed they could do better. A lot better. On Friday, at the Usenix security conference in Washington, they announced ZMap, a tool that allows an ordinary server to scan every address on the Internet in just 44 minutes. The EFF team used a tool called Nmap that sends a request to a machine and then listens for the recipient to reply. These requests can be conducted in parallel, but keeping records for each outstanding request still creates a lot of overhead, which slows down the scanning process. In contrast, ZMap is “stateless,” meaning that it sends out requests and then forgets about them. Instead of keeping a list of oustanding requests, ZMap cleverl ZMap – The Internet Scanner ZMap – The Internet Scanner
ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet. ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet. While ZMap is a powerful tool for researchers, please keep in mind that by running ZMap, you are potentially scanning the ENTIRE IPv4 address space and some users may not appreciate your scanning. We encourage ZMap users to respect requests to stop scanning and to exclude these networks from ongoing scanning. We suggest that users coordinate with local network administrators before performing any scans and we have developed a set of scanning best practices, which we encourage researchers to consider. It The Heartbleed Hit List: The Passwords You Need to Change Right Now The Heartbleed Hit List: The Passwords You Need to Change Right Now
An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years. But it hasn’t always been clear which sites have been affected. Mashable reached out some of the most popular social, email, banking and commerce sites on the web. We’ve rounded up their responses below.