Posts tagged ‘flash’

Backblaze Blog | The Life of a Cloud Backup Company: 2014 Year In Review

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Gleb Budman. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


Seven years ago we started on a mission to make storing data astonishingly easy and low-cost so that no one loses their wedding photos, curated music, work files, or any of the other items from their computers. In 2014, I’m proud to say we made a good dent in that mission. Here are a few of the highlights from our 2014 year in review.

Products
We launched an Android app to complement our existing iPhone app and increased restore sizes on hard drives to 4 TB and by 2x on flash drives to 128 GB so our customers could access more of their data faster. Email Notifications and Backup Summaries ensured they knew their data was safely backed up. Our refer-a-friend program gave our customers and their friends months of Backblaze for free. We also shipped upgrades to support iOS 8 and Apple OS X Mavericks, plus hundreds of smaller updates to keep improving the service for our customers.

Community
I am incredibly grateful to the community that has supported us over the years. Another 11 incredible people joined our team to help us scale, plus a few interns (one of whom just won a $100,000 national science award).

On Twitter, Facebook, and other digital places we talked with you virtually and then met many of you in person at Macworld, RootsTech, and many other events.

We wrote 75 blog posts such as those sharing a bunch of data on hard drive reliability, the impact of temperature on a hard drive, and which hard drive SMART stats matter. Since about 1,000,000 of you read these posts, we revamped our blog platform and will strive to continue sharing learning worthy of your time reading.

Scale
The simplicity of the product our customers see hides the wild scale of the systems and operations required to support it. We introduced a new 270 TB Storage Pod this year, scaled up to store over 100,000,000 GB of customer data, and opened a huge new 500 petabyte data center. Our support team answered their 100,000th ticket. Our customers recovered over 6 billion files that would have been irretrievably lost.

Recognition
Famed consumer product reviewer Walt Mossberg recommends Backblaze and makes it his personal service. Gizmag calls Backblaze one of the easiest to use. And Deloitte ranks Backblaze the 128th fastest growing company in North America, with 917% revenue growth over five years.

Next
So with 2015 imminently arriving, where do we go? Keep focusing on making storing data astonishingly easy and low-cost. One of the things I’m incredibly proud of our team for is being able to support a 1000% increase in per-customer data storage while keeping the $5 unlimited price point unchanged. Thus, a lot of what we have planned will continue to be in the background – enhancing our massive cloud storage system to scale bigger, be more cost-efficient, and work ever better – so that our customers can continue to store more and more data, easier and easier.

A huge thank you to all of you: our customers, our community, our partners, and our employees for helping us make this happen.


Author information

Gleb Budman

Co-founder and CEO of Backblaze. Founded three prior companies. He has been a speaker at GigaOm Structure, Ignite: Lean Startup, FailCon, CloudCon; profiled by Inc. and Forbes; a mentor for Teens in Tech; and holds 5 patents on security.

Follow Gleb on: Twitter / LinkedIn / Google+

The post 2014 Year In Review appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

LWN.net: Tuesday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Mandriva has updated apache-mod_wsgi (privilege escalation).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

Errata Security: All malware defeats 90% of defenses

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

When the FBI speaks, you can tell they don’t know anything about hacking. An example is this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:

“The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”
He’s trying to show how sophisticated, organized, and unprecedented the hackers were.
This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.
Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting “email this to your friends and see what they get”. We then added some malware components to it. We then dropped the USB drives in the parking lot.
This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, … everything.
The point I’m trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.
The problem isn’t that hackers are sophisticated but that companies are insecure. Companies believe that anti-virus stops viruses when it doesn’t, for example. The FBI perpetuates this myth, claiming Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.
The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you can defend yourself by fixing your defenses.

Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated bind (C5; C6; C7: denial of service), bind97 (C5: denial of service), and xorg-x11-server (C5; C6; C7: multiple vulnerabilities).

Debian has updated dbus (denial of service) and graphviz (code execution).

Fedora has updated antiword (F21: denial of service), asterisk (F21: protocol downgrade), couchdb (F20; F21: cross-site scripting), grub2 (F20; F21: code execution), kernel (F21: denial of service), mantis (F19; F20; F21: multiple vulnerabilities), mariadb (F20: multiple vulnerabilities), mediawiki (F19; F20: multiple vulnerabilities), openvpn (F21: denial of service), pcre (F21: information leak), perl-YAML-LibYAML (F21: denial of service), phpMyAdmin (F20; F21: multiple vulnerabilities), python3 (F20: multiple vulnerabilities), qemu (F21: code execution), and xen (F19; F20; F21: multiple vulnerabilities).

Gentoo has updated emul-linux-x86-baselibs (multiple vulnerabilities), and has issued three bulk updates: one for seven packages (multiple vulnerabilities from 2012), one for 25 packages (multiple vulnerabilities from 2011), and one for 27 packages (multiple vulnerabilities from 2010).

openSUSE has updated chromium (13.1, 13.2: multiple vulnerabilities), firebird (11.4: denial of service), flash-player (11.4; 12.3, 13.1, 13.3: multiple vulnerabilities), and libyaml (12.3, 13.1, 13.2: denial of service).

Oracle has updated kernel (O5; O5; O6; O6; O6; O7: multiple vulnerabilities) and xorg-x11-server (O5; O6; O7: multiple vulnerabilities).

Red Hat has updated bind (RHEL: denial of service), bind97 (RHEL5: denial of service), and xorg-x11-server (RHEL5; RHEL6,7: multiple vulnerabilities).

Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), and xorg-x11-server (SL5; SL6,7: multiple vulnerabilities).

SUSE has updated Mozilla Firefox (SLE10 SP4, SLE11 SP3: multiple vulnerabilities) and shim (SLE11 SP3: multiple vulnerabilities).

Ubuntu has updated EC2 kernel (10.04: multiple vulnerabilities), kernel (10.04; 12.04; 14.04; 14.10: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), mutt (denial of service), and qemu, qemu-kvm (multiple vulnerabilities).

Raspberry Pi: Christmas shopping guide

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Christmas is coming, and we’re all panicking because we haven’t bought all the presents yet. (My Dad’s difficult.) Waking up at 3am in a cold sweat because you don’t know what to buy the Raspberry Pi fan in your life? Sweat no longer: we’re here to help!

Raspberry Pi kits

If you want a Raspberry Pi on its own, you can buy it from one of our manufacturing distributors, from our Swag Store, and from many other vendors.

There are also some great kits available if you want to get all the extra bits and bobs you’ll need in one box. We sell a starter kit containing a lot of goodies: it’s £75.


If all the extras in there make things a bit rich for your blood, check out The Pi Hut’s kit, which doesn’t have the shiny PiBow case, the special bag, the stickers or the keyboard or the mouse, but has everything else you’ll need. It’s £42.

Specialist starter kits for people wanting to use their Pi as a media centre, or focusing on using the camera board, are available from CPC in the UK, or MCM in the United States.

Books

There is now a terrifying number of books available on the Raspberry Pi – check out the electronics or computing section of your local bookshop. Some of our favourites are:

The Raspberry Pi User Guide – this book’s written by our very own Eben Upton and by Gareth Halfacree; it’s the canonical guide to the Raspberry Pi, from the person who created it. This link goes to the latest edition, which covers things we’ve done this year like the Model B+.


Sticking with the “books wot we wrote” theme, here’s Carrie Anne’s Adventures in Raspberry Pi. Aimed at kids aged 11 and up (younger kids will still get a lot out of it, but we recommend Mum or Dad lends a hand), we think it’s the biggest seller of the Raspberry Pi books so far this year; and we highly recommend it.


If you’re an adult who doesn’t mind the branding, Raspberry Pi for Dummies is a superb guide to the device and what you can do with it. It’s good for beginners, but it’ll take you a long way – much further than you might guess from the title!


You can find many, many more Pi books at Amazon.

Add-on boards and fun

One of my favourite add-ons of the year was a late entrant: it only came out last week. Pimoroni’s Skywriter is a motion and distance sensor HAT for your Pi – and you can do this sort of thing with it (click the button to turn the sound on). It’s £16.

Pimoroni’s other add-on boards are among our very favourites: Pibrella is only £10, and offers you lots of inputs and outputs; we use it a lot in our own teaching sessions. It’s a fantastic way to get started with electronics: it’ll allow you to make noises, flash lights, drive motors and much more.


The Unicorn HAT is just magic. And it’s £18. That’s all we have to say about it.

Babbage the Bear is our mascot, and he’s had a very busy couple of years, going to near-space, having a camera stuck up his bum and becoming an Internet of Things device, and being cuddled by lots of small children. You can buy him at our Swag Store. He’s £9.


Today, we’re launching a NEW accessory for Babbage: the Babbage Backpack Game Kit. For £8.10 you can buy a cute little backpack for Babbage, filled with everything you’ll need to make an electronic memory game and instructions (no soldering required) – a perfect stocking-filler and a really great little project for electronics beginners. Plus, it makes Babbage look super-chic.


Ryan Walmsley set up his own business to make and sell electronics more than a year ago, and he’s still only 18. The RyanTeck Budget Robotics Kit is fantastic – it’s affordable at only £24.49, and contains everything you need to get started with robotics – all you need to add is a Raspberry Pi.

Pi&Bash is another new offering, this time from Piventor. THIS BOARD REQUIRES SOME SOLDERING, so it’s not ideal for first-timers. But it’s really good fun if you do fancy getting the soldering iron out, with traffic light LEDs, push buttons, a little backlit LCD screen, a thermometer, and digital and analogue inputs and outputs. It’s only £23.


The CamJam EduKit is the perfect stocking filler at only £5. It’s available from The Pi Hut, and it’s my absolute favourite learning kit of the year, coming bundled with worksheets to get you building electronics projects from scratch – or at least it was until the CamJam EduKit 2: Sensors came out last week, for a simply ridiculous £7. The Sensors kit contains everything you need to make a bedroom burglar alarm, a tea-temperature-tester, a device to test whether the light in your fridge really goes off when you shut the door, and much more, with worksheets. It’s a wonderful, wonderful, versatile little kit, and we think that the CamJam team and The Pi Hut have done an amazing job in getting it out for such an affordable price.


Finally, for those not afraid to get a soldering iron out (soldering is easy – it’s really worth having a go), you can get an entire Christmas tree for your Pi for only £6. I saw several of these in action at the Cambridge Raspberry Jam last weekend; great for a festive addition to your workbench. Here’s one on a Model A+.

Merry Christmas!

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated pdns-recursor (denial of service), unbound (denial of service), and xorg-server (multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities), clamav (denial of service), and libxml2 (denial of service).

Mageia has updated bind (M4: denial of service), firebird (M4: denial of service), and pdns-recursor (M4: denial of service).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities, one from 2013).

Slackware has updated bind (denial of service), mozilla (multiple vulnerabilities), openssh (tcp wrappers support), openvpn (denial of service), pidgin (multiple vulnerabilities), seamonkey (multiple vulnerabilities), and wpa_supplicant (command execution).

Ubuntu has updated nvidia-graphics-drivers (14.10, 14.04, 12.04: three vulnerabilities).

Backblaze Blog | The Life of a Cloud Backup Company: Holiday Gift Guide – Backblaze Style

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

We all have those hard to shop for members of our family, and at Backblaze, we wanted to take a moment and make your holiday shopping conundrums a bit easier to solve. We realize this is coming out a bit late in the holiday gift guide season, so we pooled together some items that you could get fairly quickly, if you act fast!

For those of your family who just can’t shake their nostalgia, this 3.5″ floppy is a great get, and best of all, a ten pack is only $7.95 at floppydisk.com:


Need a bit more data, but want a functional way to carry it around? May we introduce you to the Stick Around! You can prop up your phone with this beauty, plus it has a 4GB hardcore storage capability:

Have a budding young data fan in your family? Get them this adorable little Minion USB Key (for tons of other novelty flash keys, take a gander at Amazon):

Too old for minions or novelty flash keys? Well, what about a nice piece of hardware? Get some wood, 1 whole TB worth:

OK, wood might be a bit too much, but what about something to complement that new Mac Pro you got? How about a nice 1TB sphere:

Perhaps 1TB futuristic drives aren’t your thing? You need a bit more space because you collect lots of “data”? A Drobo is the thing for you:

“5 hard drive slots? What am I? A peasant? My cat photo library itself is over 100TB!” Is that so? Fine…you deserve your own Backblaze storage pod…a Storinator:

So now that you have all that fancy hardware, you need to fill it with hard drives right? Might we humbly suggest these HGST drives:

Wait, you didn’t need to store your data at all, you just wanted your phone to look awesome? We totally misunderstood. Here’s a rad case:

We hope that helps with your holiday gift giving angst. If you’re still looking for something though, a great gift that keeps on giving is a Backblaze gift code. You can buy a gift code for someone today, and help keep their important data safe for the years to come! It’s better than coal right? Plus you don’t have to wait for shipping…

Author information

Yev

Social Marketing Manager at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.

Follow Yev on:

Twitter: @YevP | LinkedIn: Yev Pusin | Google+: Yev Pusin


LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated kernel (C7: multiple vulnerabilities) and rpm (C7; C6; C5: code execution).

Mageia has updated flash-player-plugin (multiple vulnerabilities), graphviz (format string vulnerability), iceape (multiple vulnerabilities), nodejs (multiple vulnerabilities), openafs (multiple vulnerabilities), php-pear-HTML_AJAX (code execution), and util-linux (command injection).

Oracle has updated kernel (OL7: multiple vulnerabilities) and rpm (OL7; OL6; OL5: code execution).

Red Hat has updated httpd24-httpd (RHSCL: two vulnerabilities), kernel (RHEL7: multiple vulnerabilities), and rpm (RHEL7; RHEL5,6; EUS products: code execution).

Scientific Linux has updated rpm (SL7; SL5,6: code execution).

Ubuntu has updated bind9 (denial of service), xorg-server, xorg-server-lts-trusty (14.10, 14.04, 12.04: multiple vulnerabilities), and xorg-server, xorg-server-lts-trusty (14.10, 14.04, 12.04: incomplete fixes in previous update).

Krebs on Security: Microsoft, Adobe Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited.

Four of the seven updates from Microsoft earned a “critical” rating, which means the patches fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.

Another critical patch plugs two vulnerabilities in Microsoft Word and Office Web Apps (including Office for Mac 2011). There are actually three patches this month that address Microsoft Office vulnerabilities, including MS14-082 and MS14-083, both of which are rated “important.” A full breakdown of these and other patches released by Microsoft today is here.

Adobe’s Flash Player update brings the player to v. 16.0.0.235 for Windows and Mac users, and fixes at least six critical bugs in the software. Adobe said an exploit for one of the flaws, CVE-2014-9163, already exists in the wild.

“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” the company said in its advisory.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Adobe Acrobat and Adobe Reader users will need to apply a critical update that fixes at least 20 critical security flaws in these programs. See Adobe’s Reader advisory for more details on that. The latest updates live here.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated kernel (C5: privilege escalation).

Mageia has updated mutt (M4: denial of service), yaml, perl-YAML-LibYAML (M4: denial of service), phpmyadmin (M4: denial of service), and tcpdump (M4: code execution).

openSUSE has updated clamav (12.3, 13.1, 13.2: multiple vulnerabilities), flash-player (code execution), and phpMyAdmin (12.3, 13.1, 13.2: multiple vulnerabilities).

Oracle has updated kernel (O5: privilege escalation; O6; O7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL5: privilege escalation).

Ubuntu has updated MAAS (12.04, 14.04, 14.10: privilege escalation).

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated wordpress (multiple vulnerabilities).

Fedora has updated drupal6 (F20; F19: two vulnerabilities), drupal7 (F20; F19: denial of service), lsyncd (F20; F19: command injection), mariadb-galera (F20: multiple vulnerabilities), and wordpress (F20; F19: multiple vulnerabilities).

Oracle has updated firefox (OL7: multiple vulnerabilities), nss (OL7; OL6; OL5: man-in-the-middle attack), and thunderbird (OL6: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), kernel-rt (RHE MRG: multiple vulnerabilities), mariadb-galera (RHEL OSP for RHEL7; RHEL OSP for RHEL6: multiple vulnerabilities), nss (RHEL5,6,7: man-in-the-middle attack), openstack-neutron (RHEL OSP for RHEL7; RHEL OSP for RHEL6: denial of service), openstack-trove (RHEL OSP for RHEL7: information disclosure), qemu-kvm-rhev (RHEL OSP for RHEL7: information leak), and thunderbird (RHEL5,6,7: multiple vulnerabilities).

Slackware has updated mozilla (multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: code execution), IBM Java (SLE11 SP2: multiple vulnerabilities), and java-1_7_1-ibm (SLE12: multiple vulnerabilities).

Ubuntu has updated firefox (14.10, 14.04, 12.04: multiple vulnerabilities) and mod-wsgi (14.10, 14.04, 12.04: privilege escalation).

Krebs on Security: Sony Breach May Have Exposed Employee Healthcare, Salary Data

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information.


Screen shot from an internal audit report allegedly stolen from Sony and circulating on file-trading networks.

Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.

Sony officials could not be immediately reached for comment; a press hotline for the company rang for several minutes without answer, and email requests to the company went unanswered. But a comprehensive search on LinkedIn for dozens of the names in the list indicates virtually all correspond to current or former Sony employees.

Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data.

The latest revelations come more than a week after a cyberattack on Sony Pictures Entertainment brought down the company’s corporate email systems. A Sony spokesperson told Reuters that the company has since “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”

Several media outlets reported at the time that Sony employees had been warned not to connect to the company’s corporate network or to check email, and noted that Sony’s IT departments had instructed employees to turn off their computers as well as disable Wi-Fi on all mobile devices. Other reports cited unnamed investigators pointing to North Korean hackers as the source of the attack, although those reports could not be independently confirmed.

Such extreme precautions would make sense if the company’s network was faced with a cyber threat designed to methodically destroy files on corporate computers. Indeed, the FBI this week released a restricted “Flash Alert” warning of just such a threat, about an unnamed attack group that has been using malware designed to wipe computer hard drives — and the underlying “master boot record” on the affected systems — of all data.

KrebsOnSecurity obtained a copy of the alert, which includes several file names and hashes (long strings of letters and numbers that uniquely identify files) corresponding to the file-wiping malware.

The FBI does not specify where the malware was found or against whom it might have been used, noting only that “the FBI has high confidence that these indicators are being used by CNE [computer network exploitation] operators for further network exploitation.” The report also says the language pack referenced by the malicious files is Korean.

The FBI alert references several network traffic “signatures” that organizations can use to detect the traffic seen in previous attacks from this malware — traffic that appears to beacon back to (most likely compromised) systems in Thailand, Poland and Italy. But the alert also says this type of vigilance may only serve to let organizations know that their files are currently in the process of being deleted.

“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.

Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:

alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
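The rule above tests four things: TCP to one of the listed addresses on port 8080 or 8000, a payload of exactly 42 bytes (dsize), and the bytes ff ff ff ff found at payload offset 26 within a search depth of 4 (so in practice at exactly that position). As an added example, not code from the FBI alert or from KrebsOnSecurity, here is that matching logic applied to constructed packets; the Packet model and the function names are my own, the address and port lists are copied from the rule, and the sample payloads are synthetic stand-ins rather than the real beacon format.

```python
from dataclasses import dataclass
from typing import List

# Values copied from the "wiper_callout" Snort rule quoted above.
RULE_DST_IPS = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
RULE_DST_PORTS = {8080, 8000}
RULE_DSIZE = 42                            # dsize:42  -> payload must be exactly 42 bytes
RULE_CONTENT = bytes.fromhex("ffffffff")   # content:"|ff ff ff ff|"
RULE_OFFSET = 26                           # offset:26 -> start searching at byte 26
RULE_DEPTH = 4                             # depth:4   -> search only 4 bytes from there


@dataclass
class Packet:
    """Minimal packet model (hypothetical): only the fields the rule inspects."""
    proto: str
    dst_ip: str
    dst_port: int
    payload: bytes


def content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort content semantics: look for `content` inside the `depth` bytes that
    begin at `offset`. When depth equals len(content), as in the wiper rule,
    this degenerates to an exact position check."""
    window = payload[offset:offset + depth]
    return content in window


def matches_wiper_callout(pkt: Packet) -> bool:
    """True only when the rule header (proto, dst IP, dst port) and every
    option in the rule body (dsize, content/offset/depth) all pass."""
    return (
        pkt.proto == "tcp"
        and pkt.dst_ip in RULE_DST_IPS
        and pkt.dst_port in RULE_DST_PORTS
        and len(pkt.payload) == RULE_DSIZE
        and content_match(pkt.payload, RULE_CONTENT, RULE_OFFSET, RULE_DEPTH)
    )


def beacon_payload(marker_offset: int = RULE_OFFSET, size: int = RULE_DSIZE) -> bytes:
    """Constructed payload: zero bytes with the ff ff ff ff marker at marker_offset.
    Synthetic test data, not the malware's actual beacon layout."""
    buf = bytearray(size)
    buf[marker_offset:marker_offset + len(RULE_CONTENT)] = RULE_CONTENT
    return bytes(buf)


# Constructed sample traffic. Only the first packet satisfies every test;
# each of the others fails exactly one of the rule's conditions.
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", "88.53.215.64", 8080, beacon_payload()),                  # full match
    Packet("tcp", "88.53.215.64", 8080, beacon_payload(marker_offset=20)),  # marker outside offset/depth window
    Packet("tcp", "88.53.215.64", 8080, beacon_payload(size=43)),           # dsize:42 fails (43-byte payload)
    Packet("tcp", "88.53.215.64", 443, beacon_payload()),                   # port not in [8080,8000]
    Packet("tcp", "192.0.2.10", 8000, beacon_payload()),                    # destination not in the rule (RFC 5737 test address)
    Packet("udp", "217.96.33.164", 8000, beacon_payload()),                 # rule is TCP-only
]


def scan(packets: List[Packet]) -> List[int]:
    """Return the indices of packets that would raise the wiper_callout alert."""
    return [i for i, p in enumerate(packets) if matches_wiper_callout(p)]


if __name__ == "__main__":
    for i in scan(SAMPLE_PACKETS):
        p = SAMPLE_PACKETS[i]
        print(f"wiper_callout: packet {i} -> {p.dst_ip}:{p.dst_port}")
```

As the alert itself notes, a hit on this rule means the beacon has already gone out and wiping has begun, so it confirms compromise rather than preventing it.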

This is a developing story. More to come. Stay tuned.


LWN.net: Thanksgiving security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

A whole bunch of security updates for the US Thanksgiving holiday.

Debian has updated openjdk-6 (?:).

Fedora has updated clamav (F19: two vulnerabilities, one from 2013) and tcpdump (F20: three vulnerabilities).

Gentoo has updated squid (three vulnerabilities).

Mageia has updated asterisk (two vulnerabilities), avidemux (multiple vulnerabilities), drupal (two vulnerabilities), flash-player-plugin (code execution), glibc (code execution), icecast (information leak), libksba (denial of service), perl-Mojolicious (code execution), phpmyadmin (multiple vulnerabilities), ruby-httpclient (SSL downgrade protection), and wordpress (multiple vulnerabilities).

Mandriva has updated glibc (BS1.0: code execution), icecast (BS1.0: information leak), and kernel (BS1.0: multiple vulnerabilities).

openSUSE has updated file (13.2, 13.1, 12.3: code execution), flashplayer (11.4: code execution), rubygem-actionpack-3_2 (13.2, 13.1, 12.3: two information leaks), and rubygem-sprockets (13.2; 13.1, 12.3: directory traversal).

Oracle has updated ruby (OL7; OL6: three vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: code execution), ruby (RHEL7; RHEL6: three vulnerabilities), ruby193-ruby (RHSC1: three vulnerabilities), and ruby200-ruby (RHSC1: three vulnerabilities).

Ubuntu has updated clamav (two vulnerabilities).

SANS Internet Storm Center, InfoCON: green: Security update for Adobe Flash player, (Tue, Nov 25th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe has released an out-of-band security update for the Adobe Flash player. This is an additional update for CVE-2014-8439. Everyone either update or double check that Flash either is not installed or cannot be invoked via Internet web sites.

Adrien de Beaupré, Intru-shun.ca Inc.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe Pushes Critical Flash Patch

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in-the-wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).


LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated libxml2 (C5: denial of service).

Debian has updated drupal7 (multiple vulnerabilities).

Fedora has updated kernel (F20: multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities).

Mageia has updated boinc-client (denial of service), ffmpeg (M3; M4: multiple vulnerabilities), hawtjni (M3: code execution), kdebase4-runtime, kwebkitpart (code execution), kdebase4-workspace (M4: privilege escalation), kdenetwork4 (M3: multiple vulnerabilities), kernel (M3; M4: multiple vulnerabilities), kernel-vserver (M3: multiple vulnerabilities), krb5 (ticket forgery), libvirt (information disclosure), php-smarty (M3; M4: code execution), privoxy (denial of service), python-djblets (M4: multiple vulnerabilities), python-imaging, python-pillow (multiple vulnerabilities), qemu (M4: multiple vulnerabilities), ruby (multiple vulnerabilities), srtp (M3: denial of service), and wireshark (multiple vulnerabilities).

Mandriva has updated asterisk (BS1: multiple vulnerabilities).

openSUSE has updated gnutls (multiple vulnerabilities) and libvirt (password leak).

Oracle has updated bash (O5; O6; O7: multiple vulnerabilities), libvirt (O6: multiple vulnerabilities), libXfont (O6; O7: multiple vulnerabilities), libxml2 (O5: denial of service), mariadb (O7: multiple vulnerabilities), and mysql55-mysql (O5: multiple vulnerabilities).

Red Hat has updated java-1.5.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL6: multiple vulnerabilities), java-1.7.1-ibm (RHEL6,7: multiple vulnerabilities), and libxml2 (RHEL5: denial of service).

Scientific Linux has updated libxml2 (SL5: denial of service).

Ubuntu has updated apparmor (14.04: privilege escalation) and ruby1.8, ruby1.9.1, ruby2.0, ruby2.1 (12.04, 14.04, 14.10: denial of service).

SANS Internet Storm Center, InfoCON: green: Google Web “Firing Range” Available, (Thu, Nov 20th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Google has released a Firing Range for assessing various web application scanners, with what looks like a real focus on Cross Site Scripting. The code was co-developed by Google and Politecnico di Milano.

Targets include:

  • Address DOM XSS
  • Redirect XSS
  • Reflected XSS
  • Tag based XSS
  • Escaped XSS
  • Remote inclusion XSS
  • DOM XSS
  • CORS related vulnerabilities
  • Flash Injection
  • Mixed content
  • Reverse ClickJacking

Source code is on GitHub at https://github.com/google/firing-range

App Engine deploy is at http://public-firing-range.appspot.com/

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Raspberry Pi: A collection of Pis

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: Today’s guest post comes from Alex Eames, who runs the rather wonderful RasPi.TV. He’s been furtling through his drawers, and has discovered he owns a surprising number of Raspberry Pi variants. Thanks Alex! 

Now we have the A+, I thought it’d be a good time to celebrate its ‘birth’ by having a rundown of the various mass-produced models of Raspberry Pi.

I had a look through my collection and was somewhat surprised to see that I have 10 different variants of Raspberry Pi now. There is one I don’t have, but more about that later. Here’s the family photo. You can click it for a higher resolution version.


Rev 1 Model B

In row 1, column 1 we have the Rev 1 model B. Although I was up early on 29th February 2012, I didn’t get one of the first 10,000 Pis produced. This was delivered in May 2012. It’s a Farnell variant (I have an RS one as well, but it does full-time duty as my weather station). This was the original type of Pi to hit the market. It has 256 MB RAM and polyfuses on the USB.

Rev 1 Model B – With Links

In row 1, column 2 you’ll see a slightly later variant of Rev 1 model B. This one has 0 Ohm links instead of polyfuses. It helped to overcome some of the voltage drop issues associated with the original Rev 1, but it introduced the “hot-swapping USB devices will now reboot your Pi” issue, which was fixed in the B+.

Rev 2 Model B (China)

Row 2, column 1. Here we have an early Rev 2 Pi. This one was manufactured in China. It originally had a sticker on saying “made in China”, but I took it off. This one was bought some time around October 2012. The Rev 2 model B has 512 MB RAM (apart from a few early ones which had 256 MB), mounting holes and two headers called P5 and P6.

Rev 2 Model B (UK)

Row 2, column 2. This is a much later Rev 2 Pi, made at SONY in Wales, UK.

Chinese Red Pi Rev 2 Model B

Row 3, column 1. This is one of the Red Pis made especially for the Chinese market. They are not allowed to be sold in the UK, but if you import one yourself that’s not a problem. It is manufactured to a less stringent spec than the ones at SONY, and is not EMC tested. Therefore it bears no CE/FCC marks.

Limited Edition Blue Pi Rev 2 Model B

Row 3, column 2. I’m not going to go into how I got hold of this. Suffice it to say it was not at all easy, but no laws were broken, and nobody got hurt. RS had 1000 of these made in March 2013 as a special limited anniversary edition to use as prizes and awards to people who’ve made a special contribution to education etc. I know of about 5 or 6 people who have them. (At least two of those people traded for them.) They are extremely hard to get. They come in a presentation box with a certificate. I have #0041. Other than their blueness, they are a Rev 2 model B Pi.

Model A

Row 1, column 3 is a model A. The PCB is identical to the Rev 2 model B, but it has only one USB port, no ethernet port, no USB/ethernet chip and 256 MB RAM. The $25 model A was released in February 2013. On the day I got mine, the day after launch, I made a quick and dirty “I’ve got mine first” video, part of which ended up on BBC Click. The model A sold about 100k units. Demand for it was outstripped by the model B, although at one point CPC was offering a brilliant deal on a camera module and model A for £25 (I snagged a couple of those).

Compute Module

Row 2, column 3 is the Compute Module, sitting atop the Compute Module development board. This was launched 23 June 2014 as a way to enable industrial use of the Pi in a more convenient form factor. The module is made so it fits in a SODIMM connector and is essentially the BCM 2835, its 512 MB RAM and 4 GB of eMMC flash memory with all available GPIO ports broken out. It costs $30 when bought by the hundred.

Model B+

Row 3, column 3 is the model B+. This was launched on 14 July 2014 and was a major change in form factor. Rounded corners, corner mount holes, 40 GPIO pins, 4 USB ports, improved power circuitry and a complete layout redesign. The B+ was announced as the ‘final revision’ of the B. So it would appear that it’s going to be with us for some time.

Model A+

In row 4, all by itself we have the shiny new Raspberry Pi A+, launched 10 November 2014. It’s essentially the same as a B+ with the USB end cut off. It’s the smallest, lightest, cheapest, and least power-hungry Pi of all so far. It’s 23g, $20 and uses just half a Watt at idle.

So Which One Don’t I Have?

I don’t have a Rev 2 256 MB variant. If you have one and would like to trade or sell it to me, I’d be happy to hear from you (alex AT raspi.tv).

I believe there is also now a red Chinese B+. I’ve not got one of those, but it’s only a matter of time. I wonder if there will be a red A+ at some point too? We Just Don’t Know!


Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues.

Microsoft announced 16 bulletins, but curiously two of those are listed as pending. Topping the list of critical updates from Microsoft is a fix for a zero-day vulnerability disclosed last month that hackers have been using in targeted cyber espionage attacks. Another critical patch targets 17 weaknesses in Internet Explorer, including a remotely exploitable vulnerability in all supported versions of Windows that earned a CVSS score of 9.3 (meaning it is highly likely to be exploited in drive-by attacks, and probably soon).

That flaw is a rare “unicorn-like” bug according to IBM X-Force, which discovered and reported the issue privately to Microsoft. In a blog post published today, IBM researchers described how the vulnerability can be used to sidestep the Enhanced Protected Mode sandbox in IE11, as well as Microsoft’s EMET anti-exploitation tool that Microsoft offers for free.

“In this case, the buggy code is at least 19 years old, and has been remotely exploitable for the past 18 years,” writes IBM researcher Robert Freeman. “Looking at the original release code of Windows 95, the problem is present. In some respects this vulnerability has been sitting in plain sight for a long time, despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

Freeman said while unpatched Internet Explorer users are most at risk from this bug, the vulnerability also could be exploited through Microsoft Office files. “The other attack vectors this vulnerability could work with are Microsoft Office with script macros, for example in Excel documents,” Freeman told KrebsOnSecurity. “Most versions of Office (since about 2003) have macros disabled by default so the user would have to enable them (which can be a fairly mindless YES click at the top of the screen). Or if a user is using an old enough version of Office, the macros will be enabled by default.”


According to Shavlik, the two pending patches, MS14-068 and MS14-075, are both listed on the bulletin summary page as “release date to be determined,” which apparently is an anomaly we haven’t seen before. “Typically, a pulled patch is removed from the list entirely,” wrote Chris Goettl, product manager at Shavlik. “This could mean it may still come this month, but not today. These two patches were likely an OS and the Exchange patch based on the advanced notification list. That is at least one less major product admins will need to be concerned about this Patch Tuesday, although the date to be determined could come at any time.”

As I’ve noted in previous posts, the few times I’ve experienced troubles after applying Microsoft updates have almost all included a fix for Microsoft’s widely-installed .NET platform. If you have .NET installed, it’s probably a good idea to install this one separately after applying the other updates and rebooting.

Adobe’s update addresses a whopping 18 security holes in Flash Player and Adobe AIR. Updates are available for Windows, Mac and Linux versions of Flash. Adobe says Adobe Flash Player users should update the program to version 15.0.0.223. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.356 for Windows, Mac, and Android.


SANS Internet Storm Center, InfoCON: green: Adobe Flash Update, (Tue, Nov 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe today released a patch for Flash/Adobe Air which fixes 18 different vulnerabilities [1]. The Flash update is rated with a priority of 1 for Windows and OS X, indicating that limited exploitation has been observed. Please consult the advisory for details.

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-24.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Schneier on Security: Sophisticated Targeted Attack Via Hotel Networks

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. “Darkhotel” is the name the group and its techniques have been given.

This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew’s most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.

Good article. This seems pretty obviously a nation-state attack. It’s anyone’s guess which country is behind it, though.

Targets in the spear-phishing attacks include high-profile executives, among them a media executive from Asia, as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. “All nuclear nations in Asia,” Raiu notes. “Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.” Recently there has been a spike in the attacks against the U.S. defense industry.

We usually infer the attackers from the target list. This one isn’t that helpful. Pakistan? China? South Korea? I’m just guessing.

Errata Security: The deal with the FTDI driver scandal

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The FTDI driver scandal is in the news, so I thought I’d write up some background, and show what a big deal this is.

Devices are connected to your computer using a serial port. Such devices include keyboards, mice, flash drives, printers, your iPhone, and so on. The original serial port standard called RS232 was created in 1962. It got faster over the years (75-bps to 115-kbps), but ultimately, the technology became obsolete.

In 1998, the RS232 standard was replaced by the new USB standard. Not only is USB faster (a million times so), it’s more complex and smarter. The initials stand for “Universal Serial Bus”, and it truly is universal. Not only does your laptop have USB ports on the outside for connecting to things like flash drives, it interconnects many of the things on the inside of your computer, such as your keyboard, Bluetooth, SD card reader, and camera.

What FTDI sells is a chip that converts between the old RS232 and the new USB. It allows old devices to be connected to modern computers. Even new devices come with RS232 instead of USB simply because it’s simple and reliable.

The FTDI chip is a simple device that goes for about $2. While there are competitors (such as Silicon Labs), FTDI is by far the most popular vendor of RS232-to-USB converters. This $2 may sound cheap, but it is relatively expensive for small devices which cost less than $50. That $2 is often greater than the profit margin on the entire device. Therefore, device manufacturers have a strong incentive to find cheaper alternatives.

That’s where clones come in. While FTDI sells them for $2, the raw chips cost only pennies to manufacture. Clone chips are similarly cheap to manufacture, and can be sold for a fraction of FTDI’s price. On Alibaba, people are advertising “real” FTDI chips for between $0.10 and $1 apiece, with the FTDI logo on the outside and everything. They are, of course, counterfeits.

FTDI is understandably upset about this. They have to sell millions of chips to make back development and support costs, which they can’t do with clones undercutting them.

FTDI’s strategy was to release a driver update that intentionally disabled the clone chips. Hardware devices in a computer need software drivers to operate. Clone chips use the same drivers from FTDI. Therefore, FTDI put code in their software that attacked the clones, disabling them. The latest FTDI driver through Windows Update contains this exploit. If your computer automatically updates itself, it may have downloaded this new driver.

Every USB device comes with a vendor identifier (VID) and a product identifier (PID). It’s these two numbers that tell operating systems like Windows or Linux which driver to load. What FTDI did was reprogram these numbers to zero. This, in effect, ruined the devices. From that point on, they can no longer be recognized, either by FTDI’s driver or any other. In theory, somebody could write software that reprogrammed them back to the original settings, but for the moment, they are bricked (meaning, the hardware is no more useful than a brick).

This can have a devastating effect. One place that uses RS232 heavily is industrial control systems, the sort of thing that controls the power grid. This means installing the latest Windows update on one of these computers could mean blacking out an entire city.

FTDI’s actions are unprecedented. Never before has a company released a driver that deliberately damages hardware. Bad driver updates are common. Counterfeits aren’t perfect clones, therefore a new driver may fail to work properly, either intentionally or unintentionally. In such cases, users can simply go back to the older, working driver. But when FTDI changes the hardware, the old drivers won’t work either. Because the VID/PIDs have been reprogrammed, the operating system can no longer figure out which drivers to load for the device.
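The VID/PID mechanism described in the two paragraphs above is what makes the damage visible from the host side: a device whose identifiers read 0000:0000 is one no driver will bind to. The following inventory script is an added example, not code from the Errata Security post or from FTDI; it parses lsusb-style summary lines, flags zeroed identifiers and devices reporting FTDI's public vendor ID 0x0403, and uses constructed sample output rather than a capture from a real host.

```python
# Added example (not from the Errata Security post): parse lsusb-style output
# and flag (a) devices whose VID/PID read 0000:0000, the bricked state the post
# describes, and (b) devices reporting FTDI's vendor ID, so an operator can
# inventory what a driver update could affect before letting it install.
import re
from typing import Dict, List, NamedTuple

# FTDI's USB vendor ID as listed in the public usb.ids database.
FTDI_VID = 0x0403

# One lsusb summary line: "Bus 001 Device 004: ID 0403:6001 <description>".
LSUSB_LINE = re.compile(
    r"^Bus\s+(?P<bus>\d{3})\s+Device\s+(?P<dev>\d{3}):\s+ID\s+"
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


class UsbDevice(NamedTuple):
    bus: int
    device: int
    vid: int
    pid: int
    description: str


def parse_lsusb(text: str) -> List[UsbDevice]:
    """Parse lsusb summary lines; lines that do not match are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m is None:
            continue
        devices.append(UsbDevice(
            bus=int(m["bus"]),
            device=int(m["dev"]),
            vid=int(m["vid"], 16),
            pid=int(m["pid"], 16),
            description=m["desc"].strip(),
        ))
    return devices


def classify(dev: UsbDevice) -> str:
    """Return 'bricked', 'ftdi' or 'other' for one device."""
    if dev.vid == 0 and dev.pid == 0:
        # Both identifiers zeroed: no driver will bind, which is the state the
        # post says the FTDI update leaves counterfeit chips in.
        return "bricked"
    if dev.vid == FTDI_VID:
        # Reports FTDI's vendor ID: a genuine part, or a clone relying on
        # FTDI's driver, and so a device the update could affect.
        return "ftdi"
    return "other"


def triage(text: str) -> Dict[str, List[UsbDevice]]:
    """Group parsed devices by classification."""
    report: Dict[str, List[UsbDevice]] = {"bricked": [], "ftdi": [], "other": []}
    for dev in parse_lsusb(text):
        report[classify(dev)].append(dev)
    return report


# Constructed sample in lsusb's output format (not captured from a real host).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 005: ID 0000:0000
Bus 002 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
"""

if __name__ == "__main__":
    for label, devs in triage(SAMPLE_LSUSB).items():
        for d in devs:
            print(f"{label:8} bus {d.bus:03d} dev {d.device:03d} "
                  f"{d.vid:04x}:{d.pid:04x} {d.description}")
```

On a real host, feed it the output of `lsusb` instead of the constructed sample; a non-empty "bricked" bucket after a driver update is the symptom the post describes.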

Many people have gotten upset over this, but it’s a complex debate.

One might think that the evil buyers of counterfeits are getting what they deserve. After all, satellite TV providers have been known to brick counterfeit access cards. But there is a difference. Buyers of satellite cards know they are breaking the rules, whereas buyers of devices containing counterfeit chips don’t. Most don’t know what chips are inside a device. Indeed, many times even the manufacturers don’t know the chips are counterfeit.

On the other hand, ignorance of the law is no excuse. Customers buying devices with clone chips harm FTDI whether they know it or not. They have the responsibility to buy from reputable vendors. It’s not FTDI’s fault that the eventual end customer chose poorly.

It rankles that FTDI would charge $2 for a chip that costs maybe $0.02 to manufacture, but it costs money to develop such chips. It likewise costs money to maintain software drivers for over 20 operating systems, ranging from Windows to Linux to VxWorks. It can easily cost $2 million for all this work, while selling only one million chips. If companies like FTDI cannot get a return on their investment in R&D, then there will be a lot less R&D — and that will hurt all of us.

One way to protect R&D investment is draconian intellectual-property laws. Right now, such laws are a cure that’s worse than the disease. The alternative to bad laws is to encourage companies like FTDI to protect themselves. What FTDI did is bad, but at least nobody held a gun to anybody’s head.

Counterfeits have another problem: they are dangerous. From nuclear control systems to airplane navigation systems to medical equipment, electronics are used in places where failure costs human lives. These systems are validated using the real chips. Replacing them with counterfeits can lead to human lives lost. However, counterfeit chips have been widespread for decades with no documented loss of life, so this danger is so far purely theoretical.

Separate from the counterfeit issue is the software update issue. In the last decade we’ve learned that software is dynamic. It must be updated on a regular basis. You can’t deploy a device and expect it to run unmodified for years. That’s because hackers regularly find flaws in software, even simple drivers, so they must be patched to prevent hacker intrusions. Many industries, such as medical devices and industrial control systems, are struggling with this concept, putting lives at risk due to hackers because they are unwilling to put lives at (lesser) risk when changing software. They need more trust in the software update process. However, this action by FTDI has threatened that trust.

Conclusion

As a typical Libertarian, I simultaneously appreciate the value of protecting R&D investments while hating the current draconian government regime of intellectual property protection. Therefore, I support FTDI’s actions. On the other hand, this isn’t full support — there are problems with their actions.


Update: As Jose Nazario points out, when Microsoft used Windows Update to disable pirated copies of WinXP, pirates stopped updating to fix security flaws. This resulted in hackers breaking into desktops all over the Internet, endangering the rest of us. Trust in updates is a big thing.

SANS Internet Storm Center, InfoCON: green: Flash Webcast: What you need to know about POODLE (3pm EDT, noon PDT, 9pm CEST) https://www.sans.org/webcasts/about-poodle-99032, (Wed, Oct 15th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Microsoft, Adobe Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks.

Earlier today, iSight Partners released research on a threat the company has dubbed “Sandworm” that exploits one of the vulnerabilities being patched today (CVE-2014-4114). iSight said it discovered that Russian hackers have been conducting cyber espionage campaigns using the flaw, which is apparently present in every supported version of Windows. The New York Times carried a story today about the extent of the attacks against this flaw.

In its advisory on the zero-day vulnerability, Microsoft said the bug could allow remote code execution if a user opens a specially crafted malicious Microsoft Office document. According to iSight, the flaw was used in targeted email attacks that targeted NATO, Ukrainian and Western government organizations, and firms in the energy sector.

More than half of the other vulnerabilities fixed in this month’s patch batch address flaws in Internet Explorer. Additional details about the individual Microsoft patches released today are available at this link.

Separately, Adobe issued its usual round of updates for its Flash Player and AIR products. The patches plug at least three distinct security holes in these products. Adobe says it’s not aware of any active attacks against these vulnerabilities. Updates are available for Windows, Mac and Linux versions of Flash.

Adobe says users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 15.0.0.189. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 15.0.0.152 (with no outstanding updates available, and no word yet from Chrome about when the fix might be available).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.293 for Windows, Mac, and Android.

Finally, Oracle is releasing an update for its Java software today that corrects more than two-dozen security flaws in the software. Oracle says 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Java SE 8 updates are available here; the latest version of Java SE 7 is here.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. I don’t have an installation of Java handy on the machine I’m using to compose this post, but keep in mind that updating via the control panel may auto-select the installation of third-party software, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework, which also received updates today from Microsoft).

SANS Internet Storm Center, InfoCON: green: Adobe October 2014 Bulletins for Flash Player and Coldfusion, (Tue, Oct 14th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe published two security bulletins today:

APSB14-22 [1]: fixes 3 vulnerabilities in Adobe Flash Player as well as in Adobe AIR. The vulnerabilities are rated with a priority of 1 for Flash Player running on Windows and OS X, which means they have already been exploited in targeted attacks.

APSB14-23 [2]: another 3 vulnerabilities, but this time in ColdFusion. The priority for these updates is 2, which indicates that they have not yet been exploited in the wild.

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
[2] http://helpx.adobe.com/security/products/coldfusion/apsb14-23.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.