Monday, October 31, 2016

Passwords have a dopey equal in Things on the Internet

Google joins Mozilla and Apple in distrusting WoSign certificates

Google reveals actively exploited Windows vulnerability

BlackBerry inks deal with Ford to expand usage of QNX platform

Sundown EK: You Better Take Care

Shadow Brokers reveals list of Servers Hacked by the NSA


The hacker group calling itself the Shadow Brokers, who previously claimed to have leaked a portion of the NSA's hacking tools and exploits, is back with a bang!

The Shadow Brokers published more files today, and this time the group dumped a list of foreign servers allegedly compromised by the NSA-linked hacking unit, Equation Group, in various countries to expand its espionage operations.

Top 3 Targeted Countries — China, Japan, and Korea

The data dump, which experts believe contains 306 domain names and 352 IP addresses, covers at least 49 countries. As many as 32 of the domains were run by educational institutes in China and Taiwan.

A few target domains were based in Russia, and at least nine domains include .gov websites.

The top 10 targeted countries include China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.

The latest dump has been signed by the same key as the first Shadow Brokers’ dump of NSA exploits, though there is a lot to be done to validate the contents of the leaked data dump fully.

Targeted Systems — Solaris, Unix, Linux and FreeBSD

Most of the affected servers were running Solaris, the Oracle-owned Unix-based operating system, while some were running FreeBSD or Linux.

Each compromised server was reportedly a target of INTONATION and PITCHIMPAIR, code-names given to cyber-espionage hacking programs.

The data dump also contains references to a list of previously undisclosed Equation Group tools, including Dewdrop, Incision, Orangutan, Jackladder, Reticulum, Patchicillin, Sidetrack and Stoicsurgeon.

The tools mentioned above could be hacking implants, tools or exploits used by the NSA's notorious group.

Security researcher Mustafa Al-Bassam, an ex-member of LulzSec and the Anonymous hacking collective, said the NSA likely compromised all the servers between 2000 and 2010.

"So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard," Al-Bassam added. 

Are Hackers trying to influence U.S. Presidential elections?

A message accompanying the leaked data dump calls for attempts to disrupt the forthcoming United States presidential election. The relevant portion of the message from the Shadow Brokers reads:

"TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped the election from coming? Maybe hacking election is being the best idea? #hackelection2016."

Targeted victims can use the leaked files to determine whether they were a potential target of the NSA-linked hacking unit.

Since the records are old, many servers should now be clean of infection. However, a brief Shodan scan of these domains indicates that some of the affected servers are still active and still running old, possibly vulnerable systems.

The latest release comes after the FBI arrested Harold Thomas Martin, an NSA contractor, who was reportedly a prime suspect in the Shadow Brokers case.



from The Hacker News http://ift.tt/2eN6OjC

WiGig — New Ultra-Fast Wi-Fi Standard Ready to Boost Your Internet Speed in 2017


Get ready for faster Internet because the WiFi you know today is about to change and get much, much faster.

The Wi-Fi Alliance, a self-described "worldwide network of companies that brings you Wi-Fi," has finally certified "WiGig," an ultra-fast, short-range wireless network technology that will nearly double Wi-Fi's current top speed.

As many as 180 million devices, including routers, smartphones, laptops, tablets, and other devices, arriving by the end of next year will support WiGig, or multi-gigabit Wi-Fi 802.11ad on the 60 GHz band, the Alliance announced.

This certification program aims to encourage the production of devices and hardware that not only operate in the "less congested" 60 GHz spectrum but can also fall back to the regular Wi-Fi – 2.4 or 5 gigahertz bands – for maximum interoperability.

"Wi-Fi has delighted users for more than 15 years, and WiGig now gives users even higher performance in a rich variety of applications unleashing an unparalleled Wi-Fi experience," Wi-Fi Alliance CEO Edgar Figueroa said.
"WiGig further expands the Wi-Fi CERTIFIED portfolio into 60 GHz, and will augment existing and developing Wi-Fi programs and technologies."

WiGig can provide speeds of up to 8 Gbps, or nearly 1 GB per second, at a distance of up to 33 feet (10 meters). 8 Gbps is around three times faster than the best available 802.11ac devices right now.

This speed boost will help you download high-quality HD movies in just seconds. Also, the technology will make it possible to have super-fast wireless docks and wireless VR and AR headsets.

However, both ends of a connection must support WiGig to achieve those speeds.

The major issues with WiGig are adoption and compatibility. The Wi-Fi Alliance also unveiled the first five certified WiGig products, from Intel, Qualcomm, and Dell, among others.

The first certified consumer products to carry the WiGig standard are Dell's Latitude 7450 and 7470 laptops, though the technology is eventually making its way into routers, tablets, notebooks, smartphones, and other categories.

Both Intel and Qualcomm have also certified router solutions. However, some companies such as Samsung have already released uncertified WiGig hardware.

The Wi-Fi Alliance expects its new WiGig standard to take off by 2017.



from The Hacker News http://ift.tt/2efbnCw

The Evolution of Scoring Security Vulnerabilities: The Sequel

What if China or India was behind Yahoo spying order?

Orlando Hospital Foots the Bill Post Data Breach

After the Pulse nightclub incident in Orlando, FL, a majority of the victims were treated at Orlando Regional Hospital. Not too long after their treatment, the hospital suffered a data breach, which included those victims’ PHI. Here’s what happened:

Survivors of the Orlando shooting at the Pulse LGBT club will not be billed for their hospital stays.

Orlando Regional Hospital and Florida Hospital, which treated a combined 56 survivors of the incident, issued a joint statement on Wednesday announcing that Pulse shooting victims would not be billed for care.

“It was incredible to see how our community came together in the wake of the senseless Pulse shooting,” said Florida Hospital CEO Daryl Tol in a statement quoted by Yahoo News. “We hope this gesture can add to the heart and goodwill that defines Orlando.”

Orlando Health, the network that oversees the Orlando Regional Hospital, treated the bulk of the victims—44 patients in total. The announcement that patients would be treated free-of-charge came just two days after the Daily Dot reported that the Pulse victims’ private health data had been compromised by “curious” hospital employees.

“Numerous team members across our system require access to vital records and information in order to provide our patients with the highest levels of care,” an Orlando Health spokesperson told the Daily Dot on Tuesday. “As a result of this incident, we are re-educating our workforce members and increasing our already vigilant program of auditing and monitoring of patient record access.”


The post Orlando Hospital Foots the Bill Post Data Breach appeared first on Data Breach Watch.



from Data Breach Watch http://ift.tt/2e5eHNi

IBM Security Bulletin: InfoSphere Information Server is vulnerable to XML External Entity Injection (XXE) (CVE-2016-6059)

IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.

CVE(s): CVE-2016-6059

Affected product(s) and affected version(s):

The following product, running on all supported platforms, is affected:
IBM Information Server Framework: versions 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dV58Fx
X-Force Database: http://ift.tt/2ergRIg
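As an added illustration of the defensive side of this bulletin (example code written for this page, not IBM's code and not a description of InfoSphere's XML handling), the Python function below parses untrusted XML with the standard-library expat binding and refuses any DOCTYPE, entity declaration or external entity reference, so neither the XXE path nor entity-expansion denial of service can begin. The sample documents are constructed.

```python
"""Hardened XML intake: refuse DOCTYPE and entity declarations in untrusted input.

Added example; not IBM's code and not a description of InfoSphere's parser.
Uses only the standard-library expat binding.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, entity or external reference."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse *data* into a minimal dict tree, rejecting DTD constructs outright.

    External entity resolution (the XXE path) and internal entity expansion
    (the 'billion laughs' DoS path) both need a DTD, so refusing the DOCTYPE
    declaration closes both before the parser can act on them.
    """
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")

    def reject_entity(*decl):
        raise UnsafeXMLError("entity declaration not allowed in untrusted input")

    def reject_external_ref(context, base, system_id, public_id):
        # Never fetch a file or URL on the document's behalf.
        raise UnsafeXMLError(f"external entity reference to {system_id!r} blocked")

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    if not root["children"]:
        raise UnsafeXMLError("no root element")
    return root["children"][0]


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples (not taken from the bulletin).
BENIGN_DOC = b"<job><name>etl-1</name><stage>load</stage></job>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
           b"<d>&ext;</d>")
EXPANSION_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<d>&b;</d>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC)["children"][0]["text"])
    for doc in (XXE_DOC, EXPANSION_DOC):
        print("rejected" if is_rejected(doc) else "ACCEPTED")
```

Refusing the DOCTYPE outright is stricter than disabling external entities alone: it also rules out internal-entity expansion, which is the denial-of-service outcome the bulletin describes. An application that genuinely has to accept DTDs should instead keep external resolution disabled and cap expansion, but for machine-to-machine XML a DOCTYPE is almost never legitimate.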



from IBM Product Security Incident Response Team http://ift.tt/2dV4UhK

IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Forms Server (CVE-2016-3092 )

An Apache Commons FileUpload vulnerability in the handling of a string edge case has been addressed by IBM Forms Server.

CVE(s): CVE-2016-3092

Affected product(s) and affected version(s):

IBM Forms Server 8.0.*
IBM Forms Server 8.1
IBM Forms Server 8.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dV4Cr9
X-Force Database: http://ift.tt/2bozrA8



from IBM Product Security Incident Response Team http://ift.tt/2dV5IDg

IBM Security Bulletin: Vulnerabilities in NTP affect Power Hardware Management Console

NTP is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

CVE(s): CVE-2015-7703, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, CVE-2016-2518

Affected product(s) and affected version(s):

Power HMC V7.7.9.0
Power HMC V8.8.1.0
Power HMC V8.8.2.0
Power HMC V8.8.3.0
Power HMC V8.8.4.0
Power HMC V8.8.5.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dV3Eek
X-Force Database: http://ift.tt/1UrnSIt
X-Force Database: http://ift.tt/28MbfXh
X-Force Database: http://ift.tt/28PlwWo
X-Force Database: http://ift.tt/28Plttu
X-Force Database: http://ift.tt/28MbhOU



from IBM Product Security Incident Response Team http://ift.tt/2dV95tC

IBM Security Bulletin: Vulnerability in OpenSSL affects IBM InfoSphere Information Server (CVE-2016-2107)

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Information Server. IBM InfoSphere Information Server has addressed the applicable CVE.

CVE(s): CVE-2016-2107

Affected product(s) and affected version(s):

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3 and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dV3DqO
X-Force Database: http://ift.tt/1NwOQz5



from IBM Product Security Incident Response Team http://ift.tt/2dV5ImK

IBM Security Bulletin: OpenStack Nova vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2016-2140)

IBM Cloud Manager with OpenStack is vulnerable to an OpenStack Nova vulnerability. An attacker could exploit this vulnerability to obtain sensitive information via a host data leak during resize/migration.

CVE(s): CVE-2016-2140

Affected product(s) and affected version(s):

IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.6
IBM Cloud Manager with OpenStack 4.2.0 through 4.2.0.3
IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dV58W4
X-Force Database: http://ift.tt/2erliTb



from IBM Product Security Incident Response Team http://ift.tt/2dV5EDk

IBM Security Bulletin: Response splitting vulnerability in WebSphere Application server impacts IBM Connections Docs (CVE-2016-0359 )

To use IBM Connections Docs, you need to install WebSphere Application Server. IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. This bulletin provides information on how to fix the issue in your systems.

CVE(s): CVE-2016-0359

Affected product(s) and affected version(s):

IBM Docs 2.0.0, 1.0.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dV6Sib
X-Force Database: http://ift.tt/28YBUiZ
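For readers unfamiliar with the attack class, here is an added example (not IBM's or WebSphere's code) that contrasts the vulnerable pattern with a hardened one in Python: a redirect built by concatenating a decoded query parameter into a Location header, beside a builder that refuses CR, LF and NUL in any header part. The inputs are constructed.

```python
"""HTTP response splitting: the naive header build beside a hardened one.

Added example; not IBM's code and not WebSphere's request handling.
Standard library only.
"""
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could terminate the header block."""


_FORBIDDEN = ("\r", "\n", "\0")


def unsafe_redirect(next_param: str) -> str:
    """Vulnerable pattern: a query parameter is concatenated straight into a header.

    If the decoded parameter contains CRLF CRLF, everything after it is read by
    the client (or a shared cache) as a second, attacker-authored response.
    """
    target = unquote(next_param)
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def safe_header(name: str, value: str) -> str:
    """Return 'Name: value', refusing CR, LF and NUL in either part.

    The check runs on the decoded value, because a framework normally decodes
    '%0d%0a' before application code sees it; checking the raw form would miss it.
    """
    for part in (name, value):
        if any(ch in part for ch in _FORBIDDEN):
            raise HeaderInjectionError(f"control characters in header: {part!r}")
    if not name or not name.isascii() or ":" in name or " " in name:
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    return f"{name}: {value}"


def safe_redirect(next_param: str) -> str:
    """Hardened counterpart of unsafe_redirect()."""
    target = unquote(next_param)
    return "HTTP/1.1 302 Found\r\n" + safe_header("Location", target) + "\r\n\r\n"


def count_status_lines(raw: str) -> int:
    """How many responses a client would see in *raw* (1 is the healthy answer)."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))


def is_split_attempt(next_param: str) -> bool:
    """True when the parameter would have injected extra header lines."""
    try:
        safe_redirect(next_param)
    except HeaderInjectionError:
        return True
    return False


# Constructed inputs (not taken from the bulletin).
NORMAL_NEXT = "/dashboard"
SPLIT_NEXT = "/%0d%0a%0d%0aHTTP/1.1%20200%20OK"

if __name__ == "__main__":
    print("naive build yields", count_status_lines(unsafe_redirect(SPLIT_NEXT)), "responses")
    print("hardened build rejects it:", is_split_attempt(SPLIT_NEXT))
```

The practical rule the hardened version encodes: any header whose value originates outside the server must be validated after decoding, and the right response to a control character is to refuse the request, not to strip the character and carry on.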



from IBM Product Security Incident Response Team http://ift.tt/2dV6BeT

Healthcare's paltry tech coffers put industry in hacker crosshairs

National Cybersecurity: A Collaborative Approach is Required

To Include or Not to Include – Scoping ISO 27001 and Colocation Service Providers

By Ryan Mackie, Principal and ISO Certification Services Practice Director, Schellman & Co.

Introduction
ISO 27001 North American Growth
ISO/IEC 27001:2015 (ISO 27001) certification is becoming a more common topic of conversation in most major businesses in the United States. For some context, there was a 20% increase in ISO 27001 certificates maintained globally (comparing the numbers from 2014 to 2015, as noted in the recent ISO survey).

In North America, the number of ISO 27001 certificates maintained grew 78% compared to 2014, clear evidence that the ISO 27001 compliance effort is making its imprint on organizations in the United States. However, it is just the beginning. Globally, there are 27,563 ISO 27001 certificates maintained, of which only 1,247 are maintained in the United States; that is 4.5% of all ISO 27001 certificates.

As the standard makes its way into boardroom and compliance department discussions, one of the first questions is the scope of the effort. This short narrative discusses something that we, as an ANAB- and UKAS-accredited ISO 27001 certification body, deal with often when current clients or prospects ask about scoping their ISO 27001 information security management system (ISMS), specifically how to handle third-party data centers or colocation service providers.

Scenario
Consider an organization that is a software-as-a-service (SaaS) provider with customers throughout the world. All operations are centrally managed out of one location in the United States, but to meet the needs of global customers, the organization has placed its infrastructure at colocation facilities in India, Ireland, and Germany. It has a contractual requirement to obtain ISO 27001 certification for its SaaS services and is now starting from the ground up. First things first, it needs to determine what its scope should be.

Considerations
It is quite clear that, given the scenario above, the scope will include the SaaS offering. With ISO 27001, the ISMS will encompass the full SaaS offering (to ensure that the right people, processes, procedures, policies, and controls are in place to meet confidentiality, integrity, and availability requirements as well as regulatory and contractual requirements). When determining the reach of the control set, organizations typically consider those that are straightforward: the technology stack, the operations and people supporting it, its availability and integrity, as well as the supply chain fostering it. This example organization is no different but struggles with how it should handle its colocation service providers. Ultimately, there are two options – Inclusion and Carve-out.

Inclusion
The organization can include the sites in the scope of its ISMS. The key benefit is that the locations themselves would be included on the final certificate. But with an ISMS, an organization cannot include the controls of another organization within its scope, as it has no responsibility for the design, maintenance, and improvement of those controls in relation to the risk associated with the services provided.

So including a colocation service provider is no different from including an office space rented in a multi-tenant building. The organization is responsible for and maintains the controls once an individual enters its boundaries, but all other controls are the responsibility of the landlord. The controls within the rented space of the colocation service provider would be considered relevant to the scope of the ISMS. These controls would be limited, which is understandable given their already very low risk; however, they would still need to be assessed. That means an onsite audit would be required to ensure that the location, should it be included within the scope and ultimately on the final certificate, has the proper controls in place and has been physically validated by the certification body.

As a result, including these locations would allow them to be on the certificate but would require the time and cost necessary to audit them (albeit the assessment would be limited and focused only on those controls the organization is responsible for within the rented space of the colocation service provider).

Carve-out
The organization can choose to carve out the colocation service provider locations. Compared to the inclusion method, this is far cheaper, as onsite assessments are not required. More reliance would be placed on the controls supporting the Supplier Relationships control domain in Annex A of ISO 27001; however, these controls would be critical for both the inclusion and carve-out methods. The downside of this option is that the locations could not be included on the final ISO 27001 certificate (as they were not included within the scope of the ISMS), and it may require additional conversations with customers highlighting that, though those locations were not physically assessed as part of the audit, the logical controls of the infrastructure sited within those locations were within the scope of the assessment and were tested.

Conclusion
Ultimately, it is a clear business decision. Nothing in the ISO 27001 standard requires certain locations to be included within the scope of the ISMS, and the organization is free to scope its ISMS as it sees fit. Additionally, unlike other compliance efforts (such as AICPA SOC examinations), there is no required assertion from the third party regarding its controls, as the ISMS, by design, does not include any controls outside the responsibility of the organization being assessed. However, the organization should keep in mind the final certificate and whether it will be fully accepted by the audience receiving it. Does the cost of the onsite audit warrant including these locations, or is the justification just not there?

If this scenario is applicable to your situation or scoping, Schellman can have further discussions to talk through the benefits and drawbacks of each option so that there is scoping confidence heading into the certification audit.

The post To Include or Not to Include – Scoping ISO 27001 and Colocation Service Providers appeared first on Cloud Security Alliance Blog.



from Cloud Security Alliance Blog http://ift.tt/2e4WSha

I stopped using Google search and saved a lot of time

US DMCA rules updated to give security experts legal backing to research

Sunday, October 30, 2016

Mirai: What to know about the botnet used in last week's massive DDoS attack

The IoT security doomsday is lurking, but we cannot talk about it properly

Standards group working on ID federation recipes to ease implementation


A group building open identity standards is crafting recipes that help identity providers and application developers quickly configure infrastructure to support stronger access controls that provide a single sign-on to cloud-based and mobile applications.

The OpenID Foundation, which develops and promotes standards for internet-based identity, last week introduced an initiative called Fast Federation. The idea is to craft sets of directions that explicitly walk enterprises, identity providers (IdPs), and developers through the steps to build federation into their identity infrastructure and cloud-based or mobile apps. Fast Federation hopes to eliminate mistakes, ignite federation rollouts, and cut the number of passwords a user needs.

"Federated identity is maturing as a strategic option for enterprise architects working on interoperability across disparate systems," said Don Thibeau, executive director of the OpenID Foundation. "The mission and membership of the OpenID Foundation "Fast Fed" Working Group reflects the high priority industry leaders place on a common approach to this complex challenge."

Identity federation supports the concept of single sign-on (SSO), which allows a user to log in within their enterprise network or identity provider (IdP) and leverage that same authentication to gain access to any number of cloud-based apps and services.

Federation is a known identity concept with some lingering issues, namely that it can be tricky for enterprises and IdPs to configure and for developers to build into their applications. Fast Federation hopes to harness the collective wisdom gained by those that have already implemented federation. Noted identity expert Dick Hardt, who is the author and editor of the OAuth 2.0 identity standard, is leading the OpenID Foundation group.

With Fast Federation, prescriptive "recipes" will dictate the federation technologies that an app or IdP needs, including well-known identity standards such as the Security Assertion Markup Language (SAML), OAuth 2.0, OpenID Connect, and System for Cross-Domain Identity Management (SCIM). New apps that follow Fast Federation recipes will be able to plug into IdPs that have followed the same principles, thereby eliminating the one-off integrations that slow federation adoption.

The group is still working on initial "profiles" that will ensure best practices are followed. The recipes will address configurations ranging from the simple case of just knowing a user's identity and why they need to use an application, to detailing the permissions a user needs to access a resource. Other, more sophisticated recipes will consider requirements for pre-provisioning a user before SSO can happen.

The recipes will guide users to the best federation technologies for the way an application operates. The group, however, is not creating a brand new specification, but intends to fill the gaps between existing specifications focusing on current technologies.



from Latest Topic for ZDNet in... http://ift.tt/2eJBzpv

Saturday, October 29, 2016

Teenage Hacker Arrested For Disrupting 911 Service With DDoS Attack


Just last month, researchers explained how an attacker can knock the 911 service offline in an entire state by launching automated Distributed Denial of Service (DDoS) attacks using a botnet of just 6000 smartphones.

But doing so, in reality, could put not only the public in danger but the attacker as well.

The same happened to an 18-year-old teen from Arizona, who was arrested this week following a severe disruption of 911 emergency systems caused by one of his iOS exploits.

Meetkumar Hiteshbhai Desai discovered an iOS vulnerability that could be exploited to manipulate devices, including triggering pop-ups, opening email, and abusing phone features, according to a press release from the Cyber Crimes Unit of the Maricopa County Sheriff's Office.

To prove the flaw, Desai allegedly created several exploits and posted a link to one of his JavaScript exploits on his Twitter account and other websites.

People accessing the exploit link from their iPhones and iPads were forced to call 911 non-stop, which flooded a 911 call center with more than 100 hang-up calls within a "matter of minutes" earlier this week.

After being notified of disruption to the 911 service around the Phoenix, Arizona, area, investigators immediately launched an investigation and traced the Twitter link back to a web page registered to 'Meet Desai.'

The authorities identified Desai as the possible suspect behind the attack against the 911 service and took him into custody late Wednesday.

On his part, Desai claimed he just meant to upload a script that simply displayed pop-ups and caused iOS devices to reboot, but he mistakenly published a link to an exploit that caused iOS devices to dial 911 and hang up continually.

According to authorities, Desai shared the critical iOS exploit on Twitter with over 12,000 followers, of whom over 1,849 clicked on the link.

Maricopa officers arrested Desai, took him to jail and booked him on three counts of felony computer tampering charges, on Monday, October 24.



from The Hacker News http://ift.tt/2dRmjrv

Mirai Botnet Itself is Flawed; Hacking Back IoTs Could Mitigate DDoS Attacks


The infamous botnet that was used in the recent massive distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn, causing a vast internet outage last Friday, is itself flawed.

Yes, the Mirai malware, which has already enslaved millions of Internet of Things (IoT) devices across 164 countries, contains several vulnerabilities that might be used against it to destroy the botnet's DDoS capabilities and mitigate future attacks.

In early October, the developer of the malware publicly released the source code of Mirai, which is designed to scan for IoT devices – mostly routers, cameras, and DVRs – that are still using their default passwords and then enslave them into a botnet, which is then used to launch DDoS attacks.

However, after a close look at the source code, a researcher discovered three vulnerabilities, one of which could be used to shut down Mirai's ability to flood targets with HTTP requests.

A stack buffer overflow vulnerability was found by Scott Tenaglia, a researcher at endpoint security firm Invincea, in the segment of Mirai's code that carries out HTTP flood attacks.

If exploited, the vulnerability would crash the attack process, terminating the attack from that bot (infected IoT device) but leaving the compromised device intact and running.

Tenaglia has publicly released the exploit, saying it would not have helped in the recent DNS-based DDoS attack against Dyn that rendered major websites inaccessible, but would shut down the Layer 7 attack capabilities present in Mirai.

That's because Mirai is capable of launching HTTP floods as well as various network DDoS attacks, including DNS floods, UDP floods, SYN and ACK floods, GRE IP and GRE ETH floods, STOMP (Simple Text Oriented Message Protocol) flood attacks.

"This simple 'exploit' is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to guard against a Mirai-based HTTP flood attack in real time," Tenaglia writes in a blog post. "Although it cannot be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device."
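Tenaglia's point about real-time mitigation has a conventional counterpart that involves no hacking back: detecting the HTTP flood at the target and rate-limiting its sources. The Python below is an added example (not Mirai code, not Invincea's exploit, and not any vendor's product) that parses combined-format access log lines and flags source addresses whose request count inside a sliding window exceeds a threshold; the log lines are constructed.

```python
"""Rate-based HTTP flood detection over web-server access log lines.

Added example; not Mirai code, not Invincea's exploit, and not any vendor's
product. Standard library only; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx 'combined' format; only the fields used below are captured.
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
_TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, request line, user agent) or None for an unparseable line."""
    m = _LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), _TS_FORMAT)
    return m.group("ip"), ts, m.group("req"), m.group("ua")


def flood_sources(lines, window_seconds=10, threshold=20):
    """Map each source IP that exceeds *threshold* requests inside any
    *window_seconds* span to the peak count seen in such a window.

    A per-IP deque holds the timestamps inside the current window; lines from
    one source are assumed to arrive in time order, as a log file delivers them.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines, never crash on them
        ip, ts, _req, _ua = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed traffic: three ordinary clients and one flooding source (not real data)."""
    base = datetime(2016, 10, 21, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, ua):
        ts = (base + timedelta(seconds=offset)).strftime(_TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    for i in range(5):                    # 5 requests per client over about a minute
        for n, ip in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
            lines.append(line(ip, i * 12 + n, f"/page/{i}", "Mozilla/5.0"))
    for i in range(60):                   # 60 requests in 6 seconds from one address
        lines.append(line("203.0.113.7", i // 10, "/", "Mozilla/5.0"))
    lines.append("not a log line")        # malformed input must be tolerated
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(build_sample_log()).items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

Per-source rate is the crudest signal and a botnet of many IoT devices spreads load across addresses, so in practice the window and threshold are tuned per endpoint and combined with other features (request path entropy, user-agent strings, TLS fingerprints); the structure stays the same, and the output feeds a rate limiter or firewall rule rather than a counterattack.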

Legal Concerns of Hacking Back:

However, exploiting this vulnerability means hacking back tens of hundreds of IoT devices, which is a controversial and illegitimate approach that could put defenders in a gray area.

Hacking back involves making changes to systems across various countries without permission from the device's owner, ISP or carrier, and Invincea adds a disclaimer to its research, saying it is not advocating a counterattack.

But since the flaw has the capability of thwarting the threat, white-hat vigilante hackers can silently use this vulnerability against the malware and take Mirai-infected devices away from the criminals.

As we have seen with numerous court-ordered botnet takedowns in the past, the authorities can obtain a court order and hack back Mirai-compromised devices to shut down the infamous botnet.

The DDoS attack that hit French Internet service and hosting provider OVH with 1.1 Tbps of junk traffic, the largest DDoS attack known to date, also came from Mirai bots.



from The Hacker News http://ift.tt/2fgpxWw

Friday, October 28, 2016

To be Effective, Security Must be Simple, Open, and Automated

FBI reopens investigation into Hillary Clinton's use of private email server

How did one contractor steal 50TB of NSA data? Easily, say former spies

IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for Unix

OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Express for UNIX. IBM Sterling Connect:Express for UNIX has addressed the applicable CVEs.

CVE(s): CVE-2016-6302, CVE-2016-6304, CVE-2016-6305, CVE-2016-6303, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-2181, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052

Affected product(s) and affected version(s):

IBM Sterling Connect:Express for UNIX 1.5.0.13
– All versions prior to 1.5.0.13

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dTsEO5
X-Force Database: http://ift.tt/2dR4fNY
X-Force Database: http://ift.tt/2dmY7tO
X-Force Database: http://ift.tt/2dR3XX1
X-Force Database: http://ift.tt/2dmXjFz
X-Force Database: http://ift.tt/2dR45pA
X-Force Database: http://ift.tt/2dmWOvf
X-Force Database: http://ift.tt/2aPXjQq
X-Force Database: http://ift.tt/2asKHex
X-Force Database: http://ift.tt/2dR5fBu
X-Force Database: http://ift.tt/2dmYpRr
X-Force Database: http://ift.tt/2dR3Smm
X-Force Database: http://ift.tt/2dmYa8Y
X-Force Database: http://ift.tt/2dmXLUk
X-Force Database: http://ift.tt/2dR3VyC
X-Force Database: http://ift.tt/2fn8D82
X-Force Database: http://ift.tt/2dTp6vD



from IBM Product Security Incident Response Team http://ift.tt/2fn5JjJ

IBM Security Bulletin: Vulnerabilities CVE-2016-5387 and CVE-2016-5388 in IBM i HTTP Server

HTTP Server is supported by IBM i. IBM i has addressed the applicable CVEs.

CVE(s): CVE-2016-5388, CVE-2016-5387

Affected product(s) and affected version(s):

Releases 6.1, 7.1 and 7.2 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fn7AET
X-Force Database: http://ift.tt/2dTp7zH
X-Force Database: http://ift.tt/2aO8XMj



from IBM Product Security Incident Response Team http://ift.tt/2dTsPsW

IBM Security Bulletin: Security vulnerability in Apache Commons FileUpload might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-3092)

A denial of service vulnerability has been reported for Apache Commons FileUpload 1.3.1 which is used in WebSphere Lombardi Edition and IBM Business Process Manager.

CVE(s): CVE-2016-3092

Affected product(s) and affected version(s):

  • WebSphere Lombardi Edition V7.2.0.0 – V7.2.0.5
  • IBM Business Process Manager Advanced V7.5.0.0 – V7.5.1.2
  • IBM Business Process Manager Advanced V8.0.0.0 – V8.0.1.3
  • IBM Business Process Manager Advanced V8.5.0.0 – V8.5.7.0 prior to cumulative fix 2016.09

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2dTpFFH
X-Force Database: http://ift.tt/2bozrA8
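The same CVE appears in three bulletins on this page (IBM Forms Server above, IBM Business Process Manager and WebSphere Lombardi Edition here, and TADDM below). Whatever the exact trigger inside FileUpload 1.3.1, a front-door check that enforces the RFC 2046 boundary rules (1 to 70 characters from the permitted set, not ending in a space) keeps malformed or oversized boundaries away from the upload parser. The Python below is an added example written for this page, not Commons FileUpload code or IBM's fix; the headers are constructed.

```python
"""Validate a multipart/form-data Content-Type before the body reaches an upload parser.

Added example; not Apache Commons FileUpload code and not IBM's fix.
Standard library only.
"""
import re

# RFC 2046 section 5.1.1: a boundary is 1 to 70 'bchars' and must not end in a space.
MAX_BOUNDARY_LEN = 70
_BCHARS = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]+")


class BadMultipartError(ValueError):
    """Raised for a Content-Type an upload parser should never be handed."""


def parse_content_type(value: str) -> tuple:
    """Split 'type/subtype; k=v; k2="v2"' into (media type, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" not in p:
            raise BadMultipartError(f"malformed parameter: {p!r}")
        k, v = p.split("=", 1)
        v = v.strip()
        if len(v) >= 2 and v[0] == v[-1] == '"':
            v = v[1:-1]            # quoted-string; bchars cannot contain a quote
        params[k.strip().lower()] = v
    return media_type, params


def multipart_boundary(content_type: str) -> str:
    """Return the boundary if the header is acceptable, otherwise raise.

    Length is checked before the body is touched: a parser whose buffers are
    sized for RFC-conformant boundaries should not be fed a 4 KB one.
    """
    media_type, params = parse_content_type(content_type)
    if media_type != "multipart/form-data":
        raise BadMultipartError(f"not multipart/form-data: {media_type!r}")
    boundary = params.get("boundary")
    if boundary is None:
        raise BadMultipartError("missing boundary parameter")
    if len(boundary) > MAX_BOUNDARY_LEN:
        raise BadMultipartError(f"boundary too long ({len(boundary)} > {MAX_BOUNDARY_LEN})")
    if boundary.endswith(" ") or not _BCHARS.fullmatch(boundary):
        raise BadMultipartError(f"boundary violates RFC 2046: {boundary!r}")
    return boundary


def is_acceptable(content_type: str) -> bool:
    """True when the header passes every check above."""
    try:
        multipart_boundary(content_type)
    except BadMultipartError:
        return False
    return True


# Constructed headers (not taken from the bulletins).
SAMPLE_HEADERS = {
    "browser": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted": 'multipart/form-data; boundary="simple boundary"',
    "oversized": "multipart/form-data; boundary=" + "A" * 4096,
    "trailing_space": 'multipart/form-data; boundary="abc "',
    "no_boundary": "multipart/form-data",
    "not_multipart": "application/json",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:15s} -> {'accept' if is_acceptable(header) else 'reject'}")
```

Such a check does not replace the vendor fix, which is still the only remedy for the library's own parsing, but it is cheap to place in a reverse proxy or servlet filter and turns an unbounded input into a bounded one before any version of the upload library sees it.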



from IBM Product Security Incident Response Team http://ift.tt/2fn5WTR

IBM Security Bulletin: Open Source Apache Tomcat vulnerability affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-3092)

This vulnerability to Open Source Apache Tomcat was reported by The Apache Software Foundation on 20 June 2016.

CVE(s): CVE-2016-3092

Affected product(s) and affected version(s):

TADDM 7.2.2.0 – 7.2.2.5
TADDM 7.3.0.0 (TADDM 7.3.0.1-3 – not affected – using WebSphere Liberty Profile)

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fn5bdz
X-Force Database: http://ift.tt/2bozrA8



from IBM Product Security Incident Response Team http://ift.tt/2fn75ux

IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images. Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images have addressed the applicable CVEs.

CVE(s): CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176

Affected product(s) and affected version(s):

IBM Tivoli Provisioning Manager for Images 7.1.1.x

IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.x

IBM Tivoli Provisioning Manager for Images (and System X Edition) 7.1.1.x

IBM Tivoli Provisioning Manager for OS Deployment 5.1.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fn8tNT
X-Force Database: http://ift.tt/1NwOQz5
X-Force Database: http://ift.tt/1NwOPLs
X-Force Database: http://ift.tt/25myFMu
X-Force Database: http://ift.tt/1Z0wO8Z
X-Force Database: http://ift.tt/25mym4p



from IBM Product Security Incident Response Team http://ift.tt/2fn3tsC

IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express.

There are multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2015 – Includes Oracle Oct 2015 CPU + CVE-2015-5006; IBM SDK, Java Technology Edition Quarterly CPU – Jan 2016 – Includes Oracle Jan 2016 CPU + 3 IBM CVEs; IBM SDK, Java Technology Edition Quarterly CPU – Apr 2016 – Includes Oracle Apr 2016 CPU + 3 IBM CVEs and OpenSSL vulnerabilities.

CVE(s): CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2015-4803, CVE-2015-4893, CVE-2015-4911, CVE-2015-5006, CVE-2016-0466, CVE-2016-0448, CVE-2016-0702, CVE-2016-0705, CVE-2016-0799, CVE-2016-2107, CVE-2016-2176, CVE-2016-2842, CVE-2016-3427

Affected product(s) and affected version(s):

IBM Cognos Express 10.1.x

IBM Cognos Express 10.2.1

IBM Cognos Express 10.2.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fn5HbB
X-Force Database: http://ift.tt/1rd26hz
X-Force Database: http://ift.tt/1rd28Gc
X-Force Database: http://ift.tt/1KB3Vh1
X-Force Database: http://ift.tt/1QmYT4z
X-Force Database: http://ift.tt/1KB3SSD
X-Force Database: http://ift.tt/1rd26hw
X-Force Database: http://ift.tt/1SAJU8S
X-Force Database: http://ift.tt/1NzQEaa
X-Force Database: http://ift.tt/1SAJU8Q
X-Force Database: http://ift.tt/1NzQEae
X-Force Database: http://ift.tt/1N2N3Bz
X-Force Database: http://ift.tt/1WhPjpX
X-Force Database: http://ift.tt/1Tg5v6h
X-Force Database: http://ift.tt/1Tg5wqO
X-Force Database: http://ift.tt/1N2N4p5
X-Force Database: http://ift.tt/1NwOQz5
X-Force Database: http://ift.tt/25mym4p
X-Force Database: http://ift.tt/24fOBfM
X-Force Database: http://ift.tt/1N2N48r



from IBM Product Security Incident Response Team http://ift.tt/2fna2eQ

New Privacy Rules require ISPs to Ask you before Sharing your Sensitive Data


Good news for privacy-concerned people! Now, your online data will not be marketed for business, at least not by your Internet Service Providers (ISPs).

Yes, it's time for your ISPs to ask your permission before sharing your sensitive data for marketing or advertising purposes, the FCC rules.

On Thursday, the United States Federal Communications Commission (FCC) imposed new privacy rules on Internet Service Providers (ISPs) that restrict them from sharing your online history with third parties without your consent.

In a 3-2 vote, the FCC approved the new rules, which many privacy advocates welcomed, while some of them wanted the Commission to apply the same rules to web-based services like Google and Facebook as well.

Initially proposed earlier this year, the new rule says:

"ISPs are required to obtain affirmative 'opt-in' consent from consumers to use and share sensitive information."

What does 'sensitive' information mean here? The rule lists the following:

  • Your precise geo-location
  • Your children's information
  • Information about your health
  • Your financial data
  • Social Security Numbers (SSNs)
  • Your Web browsing history
  • App usage history
  • The content of your communication
Note:

Your broadband provider can use and share this information if you give them explicit permission. So, you need to watch out for those invites and gently worded dialog boxes.

What's non-sensitive is information like your email address, service tier, IP address, bandwidth used and other information along those lines, but you can still officially opt-out.

The new rule also requires Internet providers to give customers "clear, conspicuous and persistent notice" about the information they collect on them, how and when they share it, and the "types of entities" they share it with.

ISPs also need to notify their customers in the event of a data breach.

The FCC aims to provide consumers an increased choice, transparency, and security online over their personal information. Here's what the Commission writes:

"ISPs serve as a consumer's "on-ramp" to the Internet. Providers have the ability to see a tremendous amount of their customers' personal information that passes over that Internet connection, including their browsing habits. Consumers deserve the right to decide how that information is used and shared — and to protect their privacy and their children's privacy online."

Meanwhile, advertisers are, of course, not at all happy with the FCC's move. The Association of National Advertisers called the new rules "unprecedented, misguided and extremely harmful," saying the move is bad for consumers as well as the U.S. economy.

However, ISPs have a year to comply with the new rules, so they won't go into effect for at least a year.



from The Hacker News http://ift.tt/2eD0YRX

Ransomware disguised as an Android launcher to bypass auto-start restrictions

ProtonMail strikes out at Google for crippling encrypted email service searches

Hacker thrown behind bars after stealing nude celebrity photos

This Code Injection Technique can Potentially Attack All Versions of Windows


Guess what? Even if your Windows PC is fully patched, attackers can still hack it.

Isn't that scary? Well, definitely for most of you.

Security researchers have discovered a new technique that could allow attackers to inject malicious code on every version of Microsoft's Windows operating system, even Windows 10, in a manner that no existing anti-malware tools can detect, threatening millions of PCs worldwide.

Dubbed "AtomBombing," the technique does not exploit any vulnerability but abuses a design weakness in Windows.

New Code Injection Attack helps Malware Bypass Security Measures

The AtomBombing attack abuses the system-level atom tables, a Windows feature that allows applications to store strings, objects and other data that they need to access regularly.

And since atom tables are shared, all sorts of applications can access or modify the data inside them. You can read a more detailed explanation of atom tables on Microsoft's blog.

A team of researchers from cyber security company enSilo, who came up with the AtomBombing technique, say this design flaw in Windows can allow malicious code to modify atom tables and trick legitimate apps into executing malicious actions on their behalf.

Once injected into legitimate processes, the malware can more easily bypass the security mechanisms that protect such systems from infection, the researchers said.

AtomBombing can Perform MITM Browser attack, Decrypt Passwords, and More

Besides bypassing process-level restrictions, the AtomBombing code injection technique also allows attackers to perform man-in-the-middle (MITM) browser attacks, remotely take screenshots of targeted users' desktops, and access encrypted passwords stored in a browser.

Google Chrome encrypts your saved passwords using the Windows Data Protection API (DPAPI), which uses data derived from the current user account to encrypt and decrypt the stored passwords.

So, if malware is injected into a process that is already running in the context of the current user, it can read those passwords in plain text.

Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.

"For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens," the firm wrote. "However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount."

No Patch for AtomBombing Attack

What's worse? The company said all versions of the Windows operating system, including Microsoft's newest Windows 10, are affected. And what's even worse? There is no fix at this moment.

"Unfortunately, this issue cannot be patched since it does not rely on broken or flawed code – rather on how these operating system mechanisms are designed," the researchers said.

Since the AtomBombing technique exploits legitimate operating system functions to carry out the attack, Microsoft cannot patch the issue without changing how the entire operating system works. This is not a feasible solution, so there is no notion of a patch.



from The Hacker News http://ift.tt/2eYsjdX

Mirai: What you need to know about the recent large-scale DDoS attacks

'Celebgate' Hacker Gets 18 Months in Prison for Hacking Celebrity Nude Photos


The hacker who stole nude photographs of female celebrities two years ago in a massive data breach, known as "The Fappening" or the "Celebgate" scandal, has finally been sentenced to 18 months in federal prison, authorities said on Thursday.

Ryan Collins, a 36-year-old man from Lancaster, Pennsylvania, was arrested in March and charged with hacking into "at least 50 iCloud accounts and 72 Gmail accounts," most of which were owned by Hollywood stars, including Jennifer Lawrence, Kim Kardashian, and Kate Upton.

Now, a judge in Harrisburg, Pennsylvania, on Wednesday sentenced Collins to 18 months in federal prison for violating the Computer Fraud and Abuse Act.

Here's How Collins Stole Celebrities' Nude Photos

Federal prosecutors said Collins ran a phishing scheme between November 2012 and September 2014 that hijacked the accounts of more than 100 people, using fake emails disguised as official notifications from Google and Apple to ask victims for their account credentials.

"When the victims responded, Collins then had access to the victims' e-mail accounts. After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos," the Justice Department said in a statement.
"In some instances, Collins would use a software program to download the entire contents of the victims' Apple iCloud backups. In addition, Collins ran a modeling scam in which he tricked his victims into sending him nude photographs."

Many of the compromised accounts belonged to famous female celebrities including Jennifer Lawrence, Kim Kardashian, Kate Upton, Kirsten Dunst, Aubrey Plaza, Rihanna, Avril Lavigne and Gabrielle Union.

Another suspect, Edward Majerczyk, 28 years old, of Illinois, pleaded guilty in July to charges of hacking 300 Gmail and iCloud accounts. However, authorities have yet to identify the uploader or 'leaker' of the photographs stolen by Collins and Majerczyk.

According to officials, Collins and Majerczyk hacked over 600 victims with their social engineering tricks.

Collins faced a maximum of five years in prison, but as part of his plea deal, prosecutors proposed a lighter sentence of only 18 months.



from The Hacker News http://ift.tt/2eWko2k

Thursday, October 27, 2016

Android ransomware disguises itself as a launcher to evade auto-start restrictions

Australian Red Cross apologises for massive data leak

Attackers exploit a Flash zero-day vulnerability in targeted attacks

Flash zero-day vulnerability confirmed exploited in targeted attacks

USN-3112-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-3112-1

27th October, 2016

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird - Mozilla Open Source mail and newsgroup client

Details

Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the Resource
Timing API. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5250)

Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard,
Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory
safety issues in Thunderbird. If a user were tricked into opening a
specially crafted message, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5257)

Atte Kettunen discovered a heap buffer overflow during text conversion
with some unicode characters. If a user were tricked into opening a
specially crafted message, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5270)

Abhishek Arya discovered a bad cast when processing layout with input
elements in some circumstances. If a user were tricked into opening a
specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-5272)

A use-after-free was discovered in web animations during restyling. If a
user were tricked into opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5274)

A use-after-free was discovered in accessibility. If a user were tricked
into opening a specially crafted website in a browsing context, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-5276)

A use-after-free was discovered in web animations when destroying a
timeline. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5277)

A buffer overflow was discovered when encoding image frames to images in
some circumstances. If a user were tricked into opening a specially
crafted message, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-5278)

Mei Wang discovered a use-after-free when changing text direction. If a
user were tricked into opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5280)

Brian Carpenter discovered a use-after-free when manipulating SVG content
in some circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2016-5281)

An issue was discovered with the preloaded Public Key Pinning (HPKP). If
a man-in-the-middle (MITM) attacker was able to obtain a fraudulent
certificate for a Mozilla site, they could exploit this by providing
malicious addon updates. (CVE-2016-5284)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
thunderbird 1:45.4.0+build1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
thunderbird 1:45.4.0+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
thunderbird 1:45.4.0+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird 1:45.4.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-5250, CVE-2016-5257, CVE-2016-5270, CVE-2016-5272, CVE-2016-5274, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284



from Ubuntu Security Notices http://ift.tt/2eS1fP8

USN-3111-1: Firefox vulnerabilities

Ubuntu Security Notice USN-3111-1

27th October, 2016

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Firefox.

Software description

  • firefox - Mozilla Open Source web browser

Details

A use-after-free was discovered in service workers. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via program crash, or execute
arbitrary code. (CVE-2016-5287)

It was discovered that web content could access information in the HTTP
cache in some circumstances. An attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5288)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
firefox 49.0.2+build2-0ubuntu0.16.10.2
Ubuntu 16.04 LTS:
firefox 49.0.2+build2-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
firefox 49.0.2+build2-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox 49.0.2+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2016-5287, CVE-2016-5288



from Ubuntu Security Notices http://ift.tt/2eWFR9N

MS16-128 - Critical: Security Update for Adobe Flash Player (3201860) - Version: 1.0


Microsoft Security Bulletin MS16-128 - Critical

Security Update for Adobe Flash Player (3201860)

Published: October 27, 2016

Version: 1.0

This security update resolves a vulnerability in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. For more information, see the Affected Software section.

For more information about this update, see Microsoft Knowledge Base Article 3201860.

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB16-36:

CVE-2016-7855

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Operating System | Component | Aggregate Severity and Impact | Updates Replaced*

Windows 8.1
Windows 8.1 for 32-bit Systems | Adobe Flash Player (3201860) | Critical, Remote Code Execution | 3194343 in MS16-127
Windows 8.1 for x64-based Systems | Adobe Flash Player (3201860) | Critical, Remote Code Execution | 3194343 in MS16-127

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 | Adobe Flash Player (3201860) | Moderate, Remote Code Execution | 3194343 in MS16-127
Windows Server 2012 R2 | Adobe Flash Player (3201860) | Moderate, Remote Code Execution | 3194343 in MS16-127

Windows RT 8.1
Windows RT 8.1 | Adobe Flash Player (3201860)[1] | Critical, Remote Code Execution | 3194343 in MS16-127

Windows 10
Windows 10 for 32-bit Systems | Adobe Flash Player (3201860)[2] | Critical, Remote Code Execution | 3194343 in MS16-127
Windows 10 for x64-based Systems | Adobe Flash Player (3201860)[2] | Critical, Remote Code Execution | 3194343 in MS16-127
Windows 10 Version 1511 for 32-bit Systems | Adobe Flash Player (3201860)[2] | Critical, Remote Code Execution | 3194343 in MS16-127
Windows 10 Version 1511 for x64-based Systems | Adobe Flash Player (3201860)[2] | Critical, Remote Code Execution | 3194343 in MS16-127
Windows 10 Version 1607 for 32-bit Systems | Adobe Flash Player (3201860)[2] | Critical, Remote Code Execution | 3194343 in MS16-127
Windows 10 Version 1607 for x64-based Systems | Adobe Flash Player (3201860)[2] | Critical, Remote Code Execution | 3194343 in MS16-127

[1]This update is available via Windows Update.

[2]The Adobe Flash Player updates for Windows 10 are available via Windows Update or via the Microsoft Update Catalog.

Note The vulnerabilities discussed in this bulletin affect Windows Server 2016 Technical Preview 5. To be protected from the vulnerabilities, Microsoft recommends that customers running this operating system apply the current update, which is available exclusively from Windows Update.

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

How could an attacker exploit these vulnerabilities?
In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. For more information about Internet Explorer and the CV List, please see the MSDN Article, Developer Guidance for websites with content for Adobe Flash Player in Windows 8.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a website that contains a webpage that is used to exploit any of these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • Internet Explorer in the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list. This restriction requires an attacker to first compromise a website already listed on the CV list. An attacker could then host specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
  • By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables scripts and ActiveX controls, helps reduce the risk of an attacker being able to use any of these vulnerabilities to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of any of these vulnerabilities through the web-based attack scenario.
  • By default, Internet Explorer on Windows Server 2012 and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode can help reduce the likelihood of the exploitation of these Adobe Flash Player vulnerabilities in Internet Explorer.

Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.

  • Prevent Adobe Flash Player from running

    You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.

    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    To set the kill bit for the control in the registry, perform the following steps:

    1. Paste the following into a text file and save it with the .reg file extension.
      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
      "Compatibility Flags"=dword:00000400
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
      "Compatibility Flags"=dword:00000400
      
      
    2. Double-click the .reg file to apply it to an individual system.

      You can also apply this workaround across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.

    Note You must restart Internet Explorer for your changes to take effect.

    Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

    How to undo the workaround. Delete the registry keys that were added in implementing this workaround.

 

  • Prevent Adobe Flash Player from running in Internet Explorer through Group Policy

    Note The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit, or for an entire domain. For more information about Group Policy, visit the following Microsoft Web sites:

    Group Policy Overview

    What is Group Policy Object Editor?

    Core Group Policy tools and settings

    To disable Adobe Flash Player in Internet Explorer through Group Policy, perform the following steps:

    Note This workaround does not prevent Flash from being invoked from other applications, such as Microsoft Office 2007 or Microsoft Office 2010.

    1. Open the Group Policy Management Console and configure the console to work with the appropriate Group Policy object, such as local machine, OU, or domain GPO.
    2. Navigate to the following node:

      Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management
    3. Double-click Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
    4. Change the setting to Enabled.
    5. Click Apply and then click OK to return to the Group Policy Management Console.
    6. Refresh Group Policy on all systems or wait for the next scheduled Group Policy refresh interval for the settings to take effect.

 

  • Prevent Adobe Flash Player from running in Office 2010 on affected systems

    Note This workaround does not prevent Adobe Flash Player from running in Internet Explorer.

    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the steps in the article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

    To disable Adobe Flash Player in Office 2010 only, set the kill bit for the ActiveX control for Adobe Flash Player in the registry using the following steps:

    1. Create a text file named Disable_Flash.reg with the following contents:
      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM\Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
      "Compatibility Flags"=dword:00000400
      
      
    2. Double-click the .reg file to apply it to an individual system.
    3. Note You must restart Internet Explorer for your changes to take effect.

      You can also apply this workaround across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.

 

  • Prevent ActiveX controls from running in Office 2007 and Office 2010

    To disable all ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, including Adobe Flash Player in Internet Explorer, perform the following steps:

    1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
    2. Click ActiveX Settings in the left-hand pane, and then select Disable all controls without notifications.
    3. Click OK to save your settings.

    Impact of workaround. Office documents that use embedded ActiveX controls may not display as intended.

    How to undo the workaround.

    To re-enable ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, perform the following steps:

    1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
    2. Click ActiveX Settings in the left-hand pane, and then deselect Disable all controls without notifications.
    3. Click OK to save your settings.


  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

    You can help protect against exploitation of these vulnerabilities by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

    To raise the browsing security level in Internet Explorer, perform the following steps:

    1. On the Internet Explorer Tools menu, click Internet Options.
    2. In the Internet Options dialog box, click the Security tab, and then click Internet.
    3. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
    4. Click Local intranet.
    5. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
    6. Click OK to accept the changes and return to Internet Explorer.

    Note: If no slider is visible, click Default Level, and then move the slider to High.

    Note: Setting the level to High may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

    Impact of workaround. There are side effects to blocking ActiveX Controls and Active Scripting. Many websites on the Internet or an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Blocking ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. If you do not want to block ActiveX Controls or Active Scripting for such sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".


  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

    You can help protect against exploitation of these vulnerabilities by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, perform the following steps:

    1. In Internet Explorer, click Internet Options on the Tools menu.
    2. Click the Security tab.
    3. Click Internet, and then click Custom Level.
    4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
    5. Click Local intranet, and then click Custom Level.
    6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
    7. Click OK to return to Internet Explorer, and then click OK again.

    Note: Disabling Active Scripting in the Internet and Local intranet security zones may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

    Impact of workaround. There are side effects to prompting before running Active Scripting. Many websites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".
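    The two zone workarounds above (the High security level, and Prompt or Disable for Active Scripting) are driven through the Internet Options dialog. This added PowerShell script, which is not from the bulletin, audits and sets the same two settings directly so their state can be verified across a fleet. It assumes, from Microsoft Knowledge Base Article 182569 rather than from this bulletin, that the per-user zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> as DWORD values 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting), with 0 = Enable, 1 = Prompt and 3 = Disable; the function names are the script's own.

```powershell
# Added example, not from the Microsoft bulletin: audit or change the
# "Run ActiveX controls and plug-ins" (1200) and "Active scripting" (1400)
# settings for the Local intranet (zone 1) and Internet (zone 3) zones.
# Assumption (Microsoft KB 182569, not this bulletin): these are DWORD
# values under the per-user Zones key, 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Settings = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Levels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneScriptingSetting {
    # One row per zone/setting with the raw value decoded to Enable/Prompt/Disable.
    # Hardened is true when the setting is Prompt or Disable, i.e. not Enable.
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zoneId
        foreach ($valueName in $Settings.Keys) {
            $raw = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
            [pscustomobject]@{
                Zone     = $Zones[$zoneId]
                Setting  = $Settings[$valueName]
                Value    = if ($null -eq $raw) { 'unset' }
                           elseif ($Levels.ContainsKey([int]$raw)) { $Levels[[int]$raw] }
                           else { $raw }
                Hardened = ($null -ne $raw) -and ([int]$raw -ne 0)
            }
        }
    }
}

function Set-IeZoneScriptingSetting {
    # Apply the workaround: Prompt (default) or Disable for both settings in both zones.
    param([ValidateSet('Prompt', 'Disable')][string]$Level = 'Prompt')
    $value = if ($Level -eq 'Prompt') { 1 } else { 3 }
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zoneId
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($valueName in $Settings.Keys) {
            Set-ItemProperty -Path $key -Name $valueName -Value $value -Type DWord
        }
    }
}

# Usage:
#   Get-IeZoneScriptingSetting | Format-Table      # audit the current user
#   Set-IeZoneScriptingSetting -Level Disable      # apply the stricter workaround
#   Set-IeZoneScriptingSetting -Level Prompt       # or the prompting variant
```

    Two caveats when reading the audit output: where the Security_HKLM_only policy is in force the machine-wide copy of the Zones key under HKLM applies instead of the per-user one, so that hive must be checked too in a managed environment; and moving the slider to High changes more settings than these two, which this script deliberately does not touch, so a slider-based rollout and a script-based one are not interchangeable.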


  • Add sites that you trust to the Internet Explorer Trusted sites zone

    After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

    To do this, perform the following steps:

    1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
    2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
    3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
    4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
    5. Repeat these steps for each site that you want to add to the zone.
    6. Click OK two times to accept the changes and return to Internet Explorer.

    Note: Add any sites that you trust not to take malicious action on your system. Two sites in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and they require an ActiveX control to install the update.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (October 26, 2016): Bulletin published.

Page generated 2016-10-27 9:19Z-07:00.



from Microsoft Security Bulletins http://ift.tt/2eQLwzT

USN-3114-2: nginx regression

Ubuntu Security Notice USN-3114-2

27th October, 2016

nginx regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3114-1 introduced a regression in nginx packaging.

Software description

  • nginx - small, powerful, scalable web/proxy server

Details

USN-3114-1 fixed a vulnerability in nginx. A packaging issue prevented
nginx from being reinstalled or upgraded to a subsequent release. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Dawid Golunski discovered that the nginx package incorrectly handled log
file permissions. A remote attacker could possibly use this issue to obtain
root privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
  nginx-extras 1.10.1-0ubuntu1.2
  nginx-full 1.10.1-0ubuntu1.2
  nginx-common 1.10.1-0ubuntu1.2
  nginx-light 1.10.1-0ubuntu1.2
  nginx-core 1.10.1-0ubuntu1.2

Ubuntu 16.04 LTS:
  nginx-extras 1.10.0-0ubuntu0.16.04.4
  nginx-full 1.10.0-0ubuntu0.16.04.4
  nginx-common 1.10.0-0ubuntu0.16.04.4
  nginx-light 1.10.0-0ubuntu0.16.04.4
  nginx-core 1.10.0-0ubuntu0.16.04.4

Ubuntu 14.04 LTS:
  nginx-extras 1.4.6-1ubuntu3.7
  nginx-full 1.4.6-1ubuntu3.7
  nginx-common 1.4.6-1ubuntu3.7
  nginx-light 1.4.6-1ubuntu3.7
  nginx-core 1.4.6-1ubuntu3.7

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

LP: 1637058



from Ubuntu Security Notices http://ift.tt/2eW68Fs

FCC imposes new consumer privacy rules on ISPs


The Federal Communications Commission (FCC) on Thursday approved new rules governing how internet service providers handle their customers' information. For the first time, ISPs like Comcast, as well as mobile data carriers like Verizon Wireless, will be required to get a customer's permission before sharing their sensitive information.

The rules were first proposed back in March and are part of a new regulatory push that started after the FCC reclassified broadband companies as utilities under the Telecommunications Act.

The new rules, approved in a three-to-two vote that came down along partisan lines, create tiers of information with different requirements ISPs must follow.

  • Opt-in: ISPs must obtain affirmative "opt-in" consent from consumers to use and share sensitive information. The rules specify that "sensitive information" includes precise geo-location, financial information, health information, children's information, social security numbers, web browsing history, app usage history and the content of communications.
  • Opt-out: ISPs can use and share non-sensitive information unless a customer opts out. This category includes individually identifiable information that doesn't fall into the "opt in" category, such as email addresses or service tier information.

The new rules also include requirements for ISPs to protect consumer information and keep customers informed of their practices. Specifically, they call on ISPs to give consumers clear and persistent notice about the information they collect, how it may be used, with whom it may be shared and how customers can change their privacy preferences. They require ISPs to engage in reasonable security practices and give guidelines for steps they should consider taking, such as implementing customer authentication tools. Lastly, the rules require ISPs to inform consumers and law enforcement about data breaches.

The FCC noted that the rules don't apply when it comes to government surveillance, encryption or law enforcement. Additionally, they only apply to broadband service providers and other telecommunications carriers -- websites like Google and edge devices are off the hook in this case.

It's also possible ISPs may try to charge customers more if they refuse to "opt in" to certain practices. The rules prohibit ISPs from denying service to those who refuse to share their information, but they don't specifically ban so-called "pay for privacy" offerings.

Back in August, Comcast said in a filing with the FCC that it wants to give "discounts or other value to consumers in exchange for allowing ISPs to use their data." The filing said that the FCC has "no authority" to limit or prohibit these programs, which effectively allow the internet provider to turn over web histories to advertisers.

The new rules, however, do require "heightened disclosure" for these kinds of plans, and the FCC says it will review their legitimacy on a case-by-case basis. "Consumers should not be forced to choose between paying inflated prices and maintaining their privacy," the FCC said in a release.



from Latest Topic for ZDNet in... http://ift.tt/2ezZqrA

You Can Hijack Nearly Any Drone Mid-flight Using This Tiny Gadget


Now you can hijack nearly any drone mid-flight just by using a tiny gadget.

Security researcher Jonathan Andersson has devised a small hardware device, dubbed Icarus, that can hijack a variety of popular drones mid-flight, allowing attackers to lock the owner out and take complete control over the device.

Andersson, who is the manager of Trend Micro's TippingPoint DVLab division, demonstrated this new hack at this year's PacSec security conference in Tokyo, Japan on Wednesday.

Besides drones, the new gadget is capable of fully hijacking a wide variety of radio-controlled devices, including helicopters, cars, boats and other remote-control gear that runs over the most popular wireless transmission control protocol, called DSMx.

DSMx is a protocol used to facilitate communication between radio controllers and devices, including drones, helicopters, and cars.

This is not the first hardware that can hijack drones mid-flight. There are jamming devices available on the market that block controlling radio signals and render a drone useless. However, these devices do not give you control like Icarus does.

Icarus works by exploiting the DSMx protocol, granting attackers complete control over target drones, which allows them to steer, accelerate, brake and even crash the drones.

The loophole relies on the fact that the DSMx protocol does not encrypt the 'secret' key that pairs a controller and hobbyist device. So, it is possible for an attacker to steal this secret key by launching several brute-force attacks, Andersson explained in his presentation.

Once the drone hijacker, the Icarus box, grabs the key, an attacker can send malicious packets to restrict the original owner of the drone from sending legitimate control commands. Instead, the drone will accept commands from the attacker.

You can also watch the demonstration video to learn more about Icarus box.

There's little that can be done to mitigate this issue for now; affected manufacturers are releasing patches and updated hardware, and are working to secure the industry-wide protocol with encryption in future drones.

"My guess is that it will not be easy to completely remedy the situation. The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, transmitters that come with models and standalone receivers," Andersson told Ars Technica.
"Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side."

Icarus has not been made available for sale, but this kind of gadget could benefit law enforcement as well as people who are worried about their safety and privacy. However, the same could also be used for nefarious purposes.

So, the next time an annoying drone flies overhead, just hijack it and land it safely rather than shooting it down.



from The Hacker News http://ift.tt/2eKGRl0