Information Security News
Last year, the Chinese government started laying out new rules for technology products used by government agencies and banks, in part as a response to revelations about the National Security Agency’s exploitation of Chinese networks. Now, new rules for selling products to China’s financial sector have drawn a protest from North American and European technology vendors because of how intrusive they are—including demands for back-doors into hardware and complete source code.
In May, China’s State Internet Information Office announced it would institute a “cyber security vetting process” for screening all IT products sold in China. (The Chinese government also banned the use of Windows 8 on government PCs, citing “energy consumption” issues). Late last year, the government approved the final rules for vetting technology sold to key industries in China.
The New York Times reports that the rules include a requirement for turning over the source code of all software and firmware for computing and network equipment to the Chinese government, and providing management ports for the government to use to observe and control the equipment. The rules for banking systems require that 75 percent of technology products used in the financial sector be “secure and controllable” by 2019. Additionally, a new anti-terror law being drafted by China would require all companies doing business with Chinese citizens to keep that data within the country on servers that could be monitored by the Chinese government.
by Kyle Orland
The emulator behind the Nintendo 3DS' Virtual Console is usually locked down to only run ROMs officially distributed through the Nintendo eShop. A new exploit released this week, however, opens the platform to load and run any existing Game Boy or Game Boy Color ROM.
The exploit relies on a buffer overflow error in the current version of the 3DS' Web browser. When loaded with specific timing, this overflow can be used to replace a legitimately purchased Game Boy Color game in the Virtual Console's memory with a ROM loaded on an SD card or stored at a Web address, as long as both ROMs are the same size. Game Boy Advance games currently aren't supported by the hack, and in-game saving functions don't work on side-loaded ROMs, though users can store progress using the Virtual Console's save state function.
While the exploit seems to work with any 3DS firmware up to the latest release (9.4), it doesn't seem to work with the Web browser found on the new 3DS that will launch in the US next month. This suggests it will be trivial for Nintendo to patch the memory hole out in a future release of the 3DS firmware and Web browser.
Adobe has released an update to the Flash vulnerability CVE-2015-0311 discussed earlier this week here on the ISC. The update released from Adobe addresses Flash vulnerabilities documented in CVE-2015-0311 CVE-2015-0312, which now has exploits being seen in the wild. Given that we are seeing exploits in the wild, the criticality of this exploit should be re-evaluated for prioritization and implementation. ">tony d0t carothers --gmail(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Infosec Rock Star: Geek Will Only Get You So Far, Guide Released
Most information security people are known for their technical skills and little else. Effective communication, leadership, working well with others, creativity, time and project management, and many other critical success skills are rarely strong ...
Dealing with the Stress of an Infosec Job
IT security professionals are in great demand, as the need to protect and defend information systems environments from data leaks and/or malicious attacks is becoming essential to the survival and prosperity of all organizations. A recent spur in ...
Posted by InfoSec News on Jan 28http://boingboing.net/2015/01/26/barrett-browns-sentence-is.html
Posted by InfoSec News on Jan 28http://www.independent.co.uk/life-style/gadgets-and-tech/news/who-are-lizard-squad-10007363.html
Posted by InfoSec News on Jan 28http://www.computerworld.com/article/2875780/ghost-flaws-poses-high-risk-to-linux-distributions.html
Posted by InfoSec News on Jan 28http://www.globenewswire.com/newsarchive/noc/press/pages/news_releases.html?d=10116947
Posted by InfoSec News on Jan 28http://www.techworld.com/news/security/worlds-largest-ddos-attack-reached-400gbps-says-arbor-networks-3595715/
A recently fixed vulnerability in the BlackPhone instant messaging application gave attackers the ability to decrypt messages, steal contacts, and control vital functions of the device, which is marketed as a more secure way to protect communications from government and criminal snoops.
Mark Dowd, a principal consultant with Australia-based Azimuth Security, said would-be attackers needed only a user's Silent Circle ID or phone number to remotely exploit the bug. From there, the attacker could surreptitiously decrypt and read messages, read contacts, monitor geographic locations of the phone, write code or text to the phone's external storage, and enumerate the accounts stored on the device. He said engineers at BlackPhone designer Silent Circle fixed the underlying bug after he privately reported it to them.
The vulnerability resided in SilentText, the secure text messaging application bundled with the BlackPhone and also as a free Android App in Google Play. A component known as libscimp contained a type of memory corruption flaw known as a type confusion vulnerability. Libscimp is the BlackPhone implementation of the Silent Circle Instant Messaging Protocol (SCIMP) and runs on top of the extensible messaging and presence protocol (XMPP). SCIMP is used to create secure end-to-end channels between people sending text messages. It handles the transportation of the encrypted data through the channel.