Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Last year, the Chinese government started laying out new rules for technology products used by government agencies and banks, in part as a response to revelations about the National Security Agency’s exploitation of Chinese networks. Now, new rules for selling products to China’s financial sector have drawn a protest from North American and European technology vendors because of how intrusive they are—including demands for back-doors into hardware and complete source code.

In May, China’s State Internet Information Office announced it would institute a “cyber security vetting process” for screening all IT products sold in China. (The Chinese government also banned the use of Windows 8 on government PCs, citing “energy consumption” issues). Late last year, the government approved the final rules for vetting technology sold to key industries in China.

The New York Times reports that the rules include a requirement for turning over the source code of all software and firmware for computing and network equipment to the Chinese government, and providing management ports for the government to use to observe and control the equipment. The rules for banking systems require that 75 percent of technology products used in the financial sector be “secure and controllable” by 2019. Additionally, a new anti-terror law being drafted by China would require all companies doing business with Chinese citizens to keep that data within the country on servers that could be monitored by the Chinese government.


 

The emulator behind the Nintendo 3DS' Virtual Console is usually locked down to only run ROMs officially distributed through the Nintendo eShop. A new exploit released this week, however, opens the platform to load and run any existing Game Boy or Game Boy Color ROM.

The exploit relies on a buffer overflow error in the current version of the 3DS' Web browser. When loaded with specific timing, this overflow can be used to replace a legitimately purchased Game Boy Color game in the Virtual Console's memory with a ROM loaded on an SD card or stored at a Web address, as long as both ROMs are the same size. Game Boy Advance games currently aren't supported by the hack, and in-game saving functions don't work on side-loaded ROMs, though users can store progress using the Virtual Console's save state function.

While the exploit seems to work with any 3DS firmware up to the latest release (9.4), it doesn't seem to work with the Web browser found on the new 3DS that will launch in the US next month. This suggests it will be trivial for Nintendo to patch the memory hole out in a future release of the 3DS firmware and Web browser.


 
Apple iOS and TV CVE-2014-4461 Remote Code Execution Vulnerability
 

Adobe has released an update for the Flash vulnerability CVE-2015-0311 discussed earlier this week here on the ISC. The update from Adobe addresses the Flash vulnerabilities documented in CVE-2015-0311 and CVE-2015-0312; exploits are now being seen in the wild. Given that exploitation is active, the criticality of this vulnerability should be re-evaluated when prioritizing and scheduling the update.

tony d0t carothers --gmail

 
 
[SECURITY] [DSA 3143-1] virtualbox security update
 
Multiple vulnerabilities in MantisBT
 
Two XSS Vulnerabilities in SupportCenter Plus
 
[CVE-2015-1394] Photo Gallery (Wordpress Plugin) - Multiple XSS Vulnerabilities Version 1.2.8
 
[CVE-2015-1393] Photo Gallery (Wordpress Plugin) - SQL Injection in Version 1.2.8
 
 
[CORE-2015-0003] - FreeBSD Kernel Multiple Vulnerabilities
 
FreeBSD Security Advisory FreeBSD-SA-15:03.sctp
 
FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
 
 

Infosec Rock Star: Geek Will Only Get You So Far, Guide Released
Digital Journal
Most information security people are known for their technical skills and little else. Effective communication, leadership, working well with others, creativity, time and project management, and many other critical success skills are rarely strong ...

 
LinuxSecurity.com: Several security issues were fixed in OpenJDK 7.
 
LinuxSecurity.com: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Several security issues were fixed in OpenJDK 6.
 
LinuxSecurity.com: Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]
 

Dealing with the Stress of an Infosec Job
Infosecurity Magazine
IT security professionals are in great demand, as the need to protect and defend information systems environments from data leaks and/or malicious attacks is becoming essential to the survival and prosperity of all organizations. A recent spur in ...

 

Posted by InfoSec News on Jan 28

http://boingboing.net/2015/01/26/barrett-browns-sentence-is.html

By Trevor Timm
Jan 26, 2015

Investigative journalist Barrett Brown was sentenced to an obscene 63
months in prison on Thursday, in part for sharing a hyperlink to a stolen
document that he did not steal, and despite the fact that he was not
guilty of a crime for linking to it.

Maybe journalists think this is an anomaly, and some will ignore his case
entirely since Brown also...
 

Posted by InfoSec News on Jan 28

http://www.independent.co.uk/life-style/gadgets-and-tech/news/who-are-lizard-squad-10007363.html

By KIRAN MOODLEY
The Independent
28 January 2015

With a hacker affiliated with Lizard Squad apparently hacking Taylor
Swift’s Twitter account yesterday, many will be asking who exactly are
these latest online mischiefs.

In a world where names such as LulzSec, Anonymous and the Syrian
Electronic Army are banded around in an ever-increasingly...
 

Posted by InfoSec News on Jan 28

http://www.computerworld.com/article/2875780/ghost-flaws-poses-high-risk-to-linux-distributions.html

By Jeremy Kirk
IDG News Service
Jan 27, 2015

A fault in a widely used component of most Linux distributions could allow
an attacker to take remote control of a system after merely sending a
malicious email.

The vulnerability, nicknamed "Ghost," is in the GNU C Library known as
glibc, according to security vendor Qualys, which...
 

Posted by InfoSec News on Jan 28

http://www.globenewswire.com/newsarchive/noc/press/pages/news_releases.html?d=10116947

FALLS CHURCH, Va. – Jan. 26, 2015 – The Northrop Grumman Foundation,
presenting sponsor for CyberPatriot VII, is proud to congratulate the top
25 high school and three middle school teams advancing to the national
finals competition on March 13 in Washington, D.C.

CyberPatriot, established by the Air Force Association, is the National
Youth Cyber...
 

Posted by InfoSec News on Jan 28

http://www.techworld.com/news/security/worlds-largest-ddos-attack-reached-400gbps-says-arbor-networks-3595715/

By John E Dunn
Techworld
Jan 27, 2015

Some time in December 2014 an unnamed ISP experienced an NTP reflection
DDoS attack that peaked at a router-straining 400Gbps, easily the largest
denial of service event in Internet history, Arbor Networks' 10th Annual
Infrastructure Report has revealed.

It’s an apparently small detail...
 
CodeWrights 'HART DTM' Library CVE-2014-9191 Denial of Service Vulnerability
 

A recently fixed vulnerability in the BlackPhone instant messaging application gave attackers the ability to decrypt messages, steal contacts, and control vital functions of the device, which is marketed as a more secure way to protect communications from government and criminal snoops.

Mark Dowd, a principal consultant with Australia-based Azimuth Security, said would-be attackers needed only a user's Silent Circle ID or phone number to remotely exploit the bug. From there, the attacker could surreptitiously decrypt and read messages, read contacts, monitor geographic locations of the phone, write code or text to the phone's external storage, and enumerate the accounts stored on the device. He said engineers at BlackPhone designer Silent Circle fixed the underlying bug after he privately reported it to them.

The vulnerability resided in SilentText, the secure text messaging application bundled with the BlackPhone and also as a free Android App in Google Play. A component known as libscimp contained a type of memory corruption flaw known as a type confusion vulnerability. Libscimp is the BlackPhone implementation of the Silent Circle Instant Messaging Protocol (SCIMP) and runs on top of the extensible messaging and presence protocol (XMPP). SCIMP is used to create secure end-to-end channels between people sending text messages. It handles the transportation of the encrypted data through the channel.


 