[SECURITY] [DSA 3451-1] fuse security update
January 2016 - Bamboo - Critical Security Advisory
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Verge

Review: The X-Files is back, but the fight for the future is over
The Verge
Fear of surveillance gave way to active participation in one's own surveillance The X-Files nods to infosec — Mulder has a post-it over the camera on his computer — though it's clearly inexpert (neither Mulder nor Scully remove the batteries from ...

and more »
Addressing the nations rapidly increasing need for cybersecurity employees, the National Initiative for Cybersecurity Education (NICE) is seeking members from the public and private sectors and academia to join its new working group and ...

On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below). Looking at our collected ssh data, weve seen an increase in scanning for those devices in the days since the revelation of the vulnerability. Nearly all of this scanning has come from two IPs in China ( and So if you haven" />



Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Trust in Enterprise Security Drops as Budgets Tighten
If you accept both the Cisco 2016 Annual Security Report (registration required) and the HPE 2016 State of Security Operations Report (registration required) with equal weight, here's what you learn: As companies' security policies mature, their ...


(credit: AMX)

A company that supplies audio-visual and building control equipment to the US Army, the White House, and other security-conscious organizations built a deliberately concealed backdoor into dozens of its products that could possibly be used to hack or spy on users, security researchers said.

Members of Austria-based security firm SEC Consult said they discovered the backdoor after analyzing the AMX NX-1200, a programmable device used to control AV and building systems. The researchers first became suspicious after encountering a function called "setUpSubtleUserAccount" that added an highly privileged account with a hard-coded password to the list of users authorized to log in. Unlike most other accounts, this one had the ability to capture data packets flowing between the device and the network it's connected to.

"Someone with knowledge of the backdoor could completely reconfigure and take over the device and due to the highest privileges also start sniffing attacks within the network segment," SEC Consult researcher Johannes Greil told Ars. "We did not see any personal data on the device itself, besides other user accounts which could be cracked for further attacks."

Read 5 remaining paragraphs | Comments



How to be a tech security Jedi, Part 3: Three Security Lessons from 'The Force ...
With that covered, let's get down to the business of dissecting what you can learn about information security from TFA. However—spoiler warning—I can't discuss the movie's infosec learnings without pointing out some of its scenes or plot points. If ...

Executable installers are vulnerable^WEVIL (case 3): WiX Toolset's bootstrapper "burn.exe"
SEC Consult SA-20160121-0 :: Deliberately hidden backdoor account in AMX (Harman Professional) devices

(credit: Julien Sabardu)

A second state lawmaker has now introduced a bill that would prohibit the sale of smartphones with unbreakable encryption. Except this time, despite very similar language to a pending New York bill, the stated rationale is to fight human trafficking, rather than terrorism.

Specifically, California Assemblymember Jim Cooper’s (D-Elk Grove) new bill, which was introduced Wednesday, would "require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider."

If the bill passes both the Assembly and State Senate and is signed into law by Gov. Jerry Brown (D), it would affect modern iOS and Android devices, which enable full-disk encryption that neither Apple nor Google can access. AB 1681’s language is nearly identical to another bill re-introduced in New York state earlier this month, but Cooper denied that it was based on any model legislation, saying simply that it was researched by his staff. He also noted that the sale of his own iPhone would be made illegal in California under this bill.

Read 18 remaining paragraphs | Comments


PECB Signs Partnership Agreement with Infosec Skills Ltd
PR.com (press release)
Therefore, teaming up with Infosec Skills to provide Lead Implementer and Lead Auditor courses for ISO 27001 is an exciting development for our company and we are determined to make a renewed and positive contribution; together we can build a strong ...

and more »
Oracle HtmlConverter.exe Buffer Overflow
Internet Storm Center Infocon Status