Information Security News
We got a number of readers asking about the ongoing issues with Flash. Adobe released its regular monthly update for Flash on Tuesday. With this update, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security bulletin [1] that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe is currently talking about targeted and limited attacks.
Sometime next week, an update to Flash will be released to address this vulnerability.
So what should you do and what does this all mean?
Next week's patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. It appears that some of the groups exploiting these vulnerabilities are able to find them faster than Adobe is willing to patch them. Even after Adobe releases a patch next week, there will likely be new vulnerabilities in use as soon as the patch is released. So really, one more patch won't fundamentally change anything.
What should you do?
If possible, uninstall Flash. If you cannot uninstall it, at least make sure that your browser does not automatically launch Flash applets. This click-to-run behavior should be enabled for all plugins that support it (e.g. Java).
Here are some quick tips on how to enable click-to-run:
Firefox: It should be enabled by default. Check the plugins.click_to_play setting in about:config to make sure it is enabled.
Internet Explorer: Click the gear icon and select Manage Add-ons. For the Shockwave Flash Object, select More Information. By default, all sites are approved due to the wildcard * in the approved site box. Delete it.
Google Chrome: In chrome://settings click on Show advanced settings... at the bottom of the page. Click on the Content Settings button under Privacy and select Let me choose when to run plugin content under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins.
Safari: Check the Security tab in preferences. Under Plugin Settings you can enable or disable individual plugins.
[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html
---
Johannes B. Ullrich, Ph.D.
For years, privacy advocates have pushed developers of websites, virtual private network apps, and other cryptographic software to adopt the Diffie-Hellman cryptographic key exchange as a defense against surveillance from the US National Security Agency and other state-sponsored spies. Now, researchers are renewing their warning that a serious flaw in the way the key exchange is implemented is allowing the NSA to break and eavesdrop on trillions of encrypted connections.
The cost for adversaries is by no means modest. For commonly used 1024-bit keys, it would take about a year and cost a "few hundred million dollars" to crack just one of the extremely large prime numbers that form the starting point of a Diffie-Hellman negotiation. But it turns out that only a few primes are commonly used, putting the price well within the NSA's $11 billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."
"Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous," researchers Alex Halderman and Nadia Heninger wrote in a blog post published Wednesday. "Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections."
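The point of the passage above is that the expensive part of attacking Diffie-Hellman depends only on the prime, not on any individual connection, so a prime that thousands of servers share is a single point of failure. The following is an added illustration written for this page; it is not code from the article or from Halderman and Heninger. It uses a constructed 16-bit toy prime (TOY_P) so the one-time table is built instantly, builds that table once with the textbook baby-step/giant-step method, shows that every later session in the same group then yields its shared secret cheaply, and pairs this with assess_dh_group, a hypothetical operator-side check that flags a modulus that is too small or that appears in a caller-supplied set of known widely shared primes (a placeholder here; the page does not list the specific primes). It requires Python 3.8 or later for pow with a negative exponent.

```python
"""Why a shared Diffie-Hellman prime is a single point of failure.

Added illustration, not code from the article or from Halderman and Heninger.
TOY_P is a constructed 16-bit prime so the one-time table fits in memory at
once; real groups are 1024 bits or more, where the same precomputation is the
"few hundred million dollars" the article cites. Requires Python 3.8+.
"""
import math
import random

# Constructed toy group (largest prime below 2**16). It stands in for the
# handful of 1024-bit primes that most VPN, SSH and HTTPS servers shared.
TOY_P = 65521
TOY_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for validating a configured group modulus."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p, g):
    """One side of a finite-field DH exchange: (private exponent, public value)."""
    priv = random.randrange(2, p - 1)
    return priv, pow(g, priv, p)


def dh_shared(p, peer_pub, priv):
    """Shared secret from the peer's public value and our private exponent."""
    return pow(peer_pub, priv, p)


class SharedPrimeTable:
    """Baby-step/giant-step table built ONCE for a (p, g) pair.

    The costly part depends only on the group, never on a session. Afterwards
    any public value sent in that group gives up its exponent in about sqrt(p)
    multiplications. That is the amortisation the article describes: the
    investment is per prime, the payoff is per connection.
    """

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1        # m*m > p-1, so every exponent is covered
        self.baby = {}                         # maps g^j mod p -> j for 0 <= j < m
        x = 1
        for j in range(self.m):
            self.baby.setdefault(x, j)
            x = x * g % p
        self.giant_step = pow(g, -self.m, p)   # g^(-m) mod p

    def discrete_log(self, h):
        """Return x with g^x == h (mod p), or None if h is not a power of g."""
        y = h
        for i in range(self.m + 1):
            if y in self.baby:
                return i * self.m + self.baby[y]
            y = y * self.giant_step % self.p
        return None


def recover_session_secret(table, pub_a, pub_b):
    """What a passive observer of one handshake obtains once the table exists."""
    a = table.discrete_log(pub_a)
    return pow(pub_b, a, table.p)


def assess_dh_group(p, g, known_shared_primes=frozenset(), min_bits=2048):
    """Hypothetical operator-side check of a configured DH group.

    known_shared_primes is a caller-supplied set (placeholder) of moduli known
    to be widely reused. A freshly generated group of at least min_bits avoids
    both the size finding and the sharing finding.
    """
    findings = []
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    if p.bit_length() < min_bits:
        findings.append(f"modulus is {p.bit_length()} bits, below {min_bits}")
    if p in known_shared_primes:
        findings.append("modulus is a widely shared group; one precomputation covers every user of it")
    if not 1 < g < p - 1:
        findings.append("generator out of range")
    return findings


if __name__ == "__main__":
    table = SharedPrimeTable(TOY_P, TOY_G)     # paid once for the group
    for _ in range(3):                         # each later session falls out cheaply
        a_priv, a_pub = dh_keypair(TOY_P, TOY_G)
        b_priv, b_pub = dh_keypair(TOY_P, TOY_G)
        print(dh_shared(TOY_P, b_pub, a_priv) == recover_session_secret(table, a_pub, b_pub))
    print(assess_dh_group(TOY_P, TOY_G, known_shared_primes={TOY_P}))
```

The toy table has about 256 entries; for a 1024-bit prime the corresponding precomputation is the number-field-sieve work the article prices, but the structure of the argument is identical, which is why the mitigation is per-deployment groups of 2048 bits or more rather than per-connection randomness, which does not help when the modulus is shared.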
A Faraday Cases travel case, configured to keep communications gear safe in transit from unfriendly electromagnetism.
WASHINGTON, DC—A small company from Utah has developed a composite material that combines carbon fibers with a nickel coating. The result is an extremely lightweight electric-conducting material with the properties of plastic. And now that material is being used to create cases and computer enclosures that are essentially lightweight Faraday cages—containing electromagnetic radiation from digital devices and shielding them from electronic eavesdropping or electromagnetic pulse attacks. Ars got a brief hands-on with some of the materials at the Association of the United States Army expo this week.
The company, Conductive Composites, is now selling cases built with the Nickel Chemical Vapor Deposition (NiCVD) composite material through its Faraday Cases division. The cases range in size from suitcase-sized units for carrying smaller digital devices to wheeled portable enclosures that can house servers—providing what is essentially an EMP-shielded portable data center. The cases and enclosures are being marketed not just to the military but to consumers, corporations, and first responders as well.
The materials used in Faraday Cases can also be used to create ultra-lightweight antennas, satellite communications reflector dishes, and hundreds of other things that currently need to be made with conductive metal. And they could be a boon to anyone trying to prevent electronic eavesdropping—be it through active wireless bugs, radio retroreflectors used by nation-state intelligence agencies, or passive surveillance through anything from Wi-Fi hacking to electromagnetic signals leaking from computer cables and monitors. And in some cases, they could make it possible to create the kind of secure spaces used by government agencies to prevent eavesdropping nearly anywhere.
http://arstechnica.com/information-technology/2015/10/cage-against-the-emp-new-composite-cases-protect-against-the-electro-apocalypse/
Posted by InfoSec News on Oct 15
http://www.bloomberg.com/news/articles/2015-10-14/ernst-young-confronts-madoff-s-specter-in-trial-over-audits?cmpid=twtr1
Posted by InfoSec News on Oct 15
http://www.nextgov.com/cybersecurity/2015/10/opm-fully-do-away-passwords-network-access-2-years/122768/
Posted by InfoSec News on Oct 15
http://www.capitalgazette.com/news/naval_academy/ph-ac-cn-celestial-navigation-1014-20151009-story.html