(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

We got a number of readers asking about the ongoing issues with Flash. Adobe released its regular monthly update for Flash on Tuesday. With this update, you should be running the latest version of Flash. However, on Wednesday, Adobe published a security bulletin [1] stating that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe currently describes the attacks as targeted and limited.

Sometime next week, an update to Flash will be released to address this vulnerability.

So what should you do and what does this all mean?

Next week's patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. It appears that some of the groups exploiting these vulnerabilities are able to find them faster than Adobe is willing to patch them. Even after Adobe releases a patch next week, new vulnerabilities will likely be exploited as soon as that patch ships. So really, one more patch won't fundamentally change anything.

What should you do?

If possible, uninstall Flash. If you cannot uninstall it, at least make sure that your browser does not automatically launch Flash applets. This click-to-run behavior should be enabled for all plugins that support it (e.g. Java).

Here are some quick tips on how to enable click-to-run:

Firefox: It should be enabled by default. Check the plugins.click_to_play setting in about:config to make sure it is set to true.

Internet Explorer: Click the gear icon and select Manage Add-ons. For the Shockwave Flash Object, select More Information. By default, all sites are approved due to the wildcard * in the approved site box. Delete it.

Google Chrome: In chrome://settings click on Show advanced settings... at the bottom of the page. Click on the Content Settings button under Privacy and select Let me choose when to run plugin content under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins.

Safari: Check the Security tab in Preferences. Under Plugin Settings you can enable/disable individual plugins.
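Clicking through each browser's settings dialog does not scale to a fleet, and the settings can drift back when the browser rewrites its own preference file. The following Python script is an added example, not part of the original diary: it audits the text of a Firefox prefs.js for the two preferences behind the Firefox tip above (plugins.click_to_play and plugin.state.flash) and produces the user.js lines that force Flash to ask before running. The sample prefs.js content is constructed for the demonstration; the meaning of the plugin.state values (0 = never activate, 1 = ask to activate, 2 = always activate) is Firefox's own. The script only reasons about text and does not modify a real profile.

```python
import re

# Firefox keeps each preference as one line of the form
#   user_pref("name", value);
# prefs.js is rewritten by the browser; user.js is read at startup and
# overrides prefs.js, so a hardening setting belongs in user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Firefox plugin activation states stored in plugin.state.<name>.
STATE_NEVER, STATE_ASK, STATE_ALWAYS = 0, 1, 2

def parse_value(raw):
    """Convert a pref value token (true/false, integer, "string") to Python."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # unexpected token: keep it verbatim rather than guess

def parse_prefs(text):
    """Parse prefs.js/user.js text into {name: value}; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def assess_flash(prefs):
    """Work out whether Flash can start without a click in this profile.

    Returns (verdict, findings); verdict is one of "disabled",
    "click-to-play", "auto-runs" or "unknown" (nothing set explicitly,
    so whatever the installed Firefox defaults to applies).
    """
    ctp = prefs.get("plugins.click_to_play")
    state = prefs.get("plugin.state.flash")
    findings = []
    if state == STATE_NEVER:
        return "disabled", findings
    if ctp is False:
        findings.append("plugins.click_to_play=false: no plugin waits for a click")
    if state == STATE_ALWAYS:
        findings.append("plugin.state.flash=2: Flash is set to Always Activate")
    if findings:
        return "auto-runs", findings
    if state == STATE_ASK:
        return "click-to-play", findings
    return "unknown", ["plugin.state.flash not set; the browser default applies"]

def remediation_user_js():
    """user.js lines that make Flash ask before every activation."""
    return [
        'user_pref("plugins.click_to_play", true);',
        'user_pref("plugin.state.flash", 1);',
    ]

def harden(prefs_text):
    """Simulate Firefox applying user.js on top of prefs.js; return the merged prefs."""
    merged = prefs_text.rstrip("\n") + "\n" + "\n".join(remediation_user_js()) + "\n"
    return parse_prefs(merged)

# Constructed sample prefs.js for the demonstration, not taken from a real profile.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1444800000);
user_pref("browser.startup.homepage", "https://isc.sans.edu");
user_pref("plugins.click_to_play", false);
user_pref("plugin.state.flash", 2);
user_pref("plugin.state.java", 1);
"""

if __name__ == "__main__":
    print("before:", assess_flash(parse_prefs(SAMPLE_PREFS_JS)))
    print("after: ", assess_flash(harden(SAMPLE_PREFS_JS)))
    print("\n".join(remediation_user_js()))
```

Drop the two remediation lines into user.js in the profile directory; Firefox applies user.js over prefs.js at every start, so the setting survives the browser rewriting prefs.js. For Chrome the equivalent enterprise control is the managed policy DefaultPluginsSetting with value 3 (click to play), and for Internet Explorer it is the approved-sites list described above.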

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

Johannes B. Ullrich, Ph.D.

[security bulletin] HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) and Other Vulnerabilities


For years, privacy advocates have pushed developers of websites, virtual private network apps, and other cryptographic software to adopt the Diffie-Hellman cryptographic key exchange as a defense against surveillance from the US National Security Agency and other state-sponsored spies. Now, researchers are renewing their warning that a serious flaw in the way the key exchange is implemented is allowing the NSA to break and eavesdrop on trillions of encrypted connections.

The cost for adversaries is by no means modest. For commonly used 1024-bit keys, it would take about a year and cost a "few hundred million dollars" to carry out the precomputation for just one of the extremely large primes that define the group a Diffie-Hellman negotiation starts from. But it turns out that only a few primes are commonly used, so that one-time cost is spread over every connection that uses the same prime, putting the price well within the NSA's $11 billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."

"Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous," researchers Alex Halderman and Nadia Heninger wrote in a blog post published Wednesday. "Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections."

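The reuse problem described above is visible on the wire: a server offering a DHE cipher suite sends its prime in the ServerKeyExchange message, so a client or a scanner can read the group size and compare the prime against a list of known shared groups before trusting the connection. The Python below is an added example, not code from the researchers or from Ars. It parses the ServerDHParams structure at the start of a TLS 1.2 ServerKeyExchange (RFC 5246, section 7.4.3), reports the prime's bit length and checks the prime against a caller-supplied set. The sample message and its 1024-bit value are constructed for the demonstration (the value stands in for a prime and is not one of the groups the researchers analysed), and the known-shared set is a hypothetical input that is empty unless the caller provides one.

```python
import struct

# A TLS 1.2 ServerKeyExchange for a DHE cipher suite starts with
# ServerDHParams (RFC 5246, section 7.4.3): three length-prefixed
# big-endian integers, each an opaque<1..2^16-1> vector:
#   dh_p (the prime), dh_g (the generator), dh_Ys (the server's public value),
# followed by the server's signature, which this example does not verify.

def _read_opaque16(buf, off):
    """Read one opaque<1..2^16-1> vector at buf[off:]; return (bytes, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("vector length %d does not fit in message" % n)
    return buf[off:off + n], off + n

def parse_server_dh_params(buf):
    """Return (p, g, Ys) as ints from the ServerDHParams at the start of buf.
    Bytes after the three vectors (the signature) are ignored."""
    p_bytes, off = _read_opaque16(buf, 0)
    g_bytes, off = _read_opaque16(buf, off)
    ys_bytes, _ = _read_opaque16(buf, off)
    return (int.from_bytes(p_bytes, "big"),
            int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"))

def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used here only to build the sample message."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out

def assess_dh_group(p, known_shared_primes=frozenset()):
    """Classify the group: its size in bits plus findings a client or scanner
    should act on. known_shared_primes is a caller-supplied set of primes known
    to be widely reused; this example ships no such list."""
    bits = p.bit_length()
    findings = []
    if bits < 2048:
        findings.append("%d-bit group: a one-time precomputation for this prime is "
                        "affordable for a nation-state" % bits)
    if p in known_shared_primes:
        findings.append("prime is on the shared-prime list: that precomputation "
                        "covers every server using it")
    return bits, findings

# Constructed sample: a 1024-bit odd value standing in for a prime, g = 2, an
# arbitrary public value, and four trailing bytes standing in for the signature.
# None of these are real-world parameters.
SAMPLE_P = (1 << 1023) | (0xC0FFEE << 500) | 0x1D
SAMPLE_YS = (0x5EED << 900) | 0x2B
SAMPLE_SKE = encode_server_dh_params(SAMPLE_P, 2, SAMPLE_YS) + b"\x04\x01\x00\x00"

if __name__ == "__main__":
    p, g, ys = parse_server_dh_params(SAMPLE_SKE)
    bits, findings = assess_dh_group(p, known_shared_primes={SAMPLE_P})
    print("DH group: %d bits, g = %d" % (bits, g))
    for f in findings:
        print(" -", f)
```

A client that wants to act on the result would abort the handshake (or refuse to cache the session) when the group is under 2048 bits or the prime matches the shared list; a scanner would record the prime's fingerprint per host so that reuse across the fleet becomes visible.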


WASHINGTON, DC—A small company from Utah has developed a composite material that combines carbon fibers with a nickel coating. The result is an extremely lightweight electric-conducting material with the properties of plastic. And now that material is being used to create cases and computer enclosures that are essentially lightweight Faraday cages—containing electromagnetic radiation from digital devices and shielding them from electronic eavesdropping or electromagnetic pulse attacks. Ars got a brief hands-on with some of the materials at the Association of the United States Army expo this week.

The company, Conductive Composites, is now selling cases built with the Nickel Chemical Vapor Deposition (NiCVD) composite material through its Faraday Cases division. The cases range in size from suitcase-sized units for carrying smaller digital devices to wheeled portable enclosures that can house servers—providing what is essentially an EMP-shielded portable data center. The cases and enclosures are being marketed not just to the military but to consumers, corporations, and first responders as well.

The materials used in Faraday Cases can also be used to create ultra-lightweight antennas, satellite communications reflector dishes, and hundreds of other things that currently need to be made with conductive metal. And they could be a boon to anyone trying to prevent electronic eavesdropping, be it through active wireless bugs, radio retroreflectors used by nation-state intelligence agencies, or passive surveillance through anything from Wi-Fi hacking to electromagnetic signals leaking from computer cables and monitors. And in some cases, they could make it possible to create the kind of secure spaces used by government agencies to prevent eavesdropping nearly anywhere.

http://arstechnica.com/information-technology/2015/10/cage-against-the-emp-new-composite-cases-protect-against-the-electro-apocalypse/#p3

Freemake Video Downloader 3.7.1 - Code Execution Vulnerability
PayPal Inc Bug Bounty #117 - Session Fixation Vulnerability
Blat.exe v2.7.6 SMTP / NNTP Mailer Buffer Overflow

Posted by InfoSec News on Oct 15


By Sophia Pearson
October 14, 2015

Ernst & Young LLP took Bernie Madoff at his word when it signed off on
audits of a fund that helped feed the biggest Ponzi scheme in U.S.

The firm must now defend that decision at the first trial of an auditor
over losses tied to Madoff, who’s serving a...

Posted by InfoSec News on Oct 15


By Aliya Sternstein
October 13, 2015

Following one of the most devastating government data breaches ever
revealed, the Office of Personnel Management is on track to replace
password logins with two-step identification for accessing agency networks
in two years, according to new goals set by the Obama administration.


Posted by InfoSec News on Oct 15


By Tim Prudente
October 12, 2015

The same techniques guided ancient Polynesians in the open Pacific and led
Sir Ernest Shackleton to remote Antarctica, then oriented astronauts when
the Apollo 12 was disabled by lightning, the techniques of celestial

A glimmer of the old lore has returned to the Naval...