
Tag: Development

DDoS protection biz Incapsula knackers its customers’ websites

An unwelcome PITSTOP

Glitches at distributed denial-of-service mitigation biz Incapsula left the websites it defends offline twice on Thursday. Incapsula blamed "connectivity issues" for the global PITSTOP, aka the worldwide degradation of its services. "A rare case triggered an issue on the Incapsula service and caused two system-wide errors at 9:44 UTC and 14:50 UTC making sites inaccessible," a spokeswoman told us. "The issue was identified immediately and actions were taken to contain it and restore service.

The root cause has been identified and the Incapsula development and ops teams have corrected the issue. We apologize for the inconvenience to our customers." The data center security firm elaborated on the situation on its system status page and in a string of tweets. Affected sites included the blog of IT security industry veteran Graham Cluley. He tweeted: "Apologies to those trying to get to my site. @Incapsula_com is down for the second time today, bring my site with it." ®

Incapsula Incapsulating Thursday's problems

Bootnote

PITSTOP – Partial Inability To Support Totally Optimal Performance: Not quite a full TITSUP, which is a Total Inability To Support Usual Packets.

RHBA-2016:0407-1: vdsm-jsonrpc-java bug fix and enhancement update

Details

Updated vdsm-jsonrpc-java packages that fix several bugs and add various enhancements are now available. The vdsm-jsonrpc-java package provides to VDSM the JSON-RPC implementation for the Java programming language.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Virtualization 3.6

SRPMS: vdsm-jsonrpc-java-1.1.9-1.el6ev.src.rpm (MD5: cd2ffc2c464e9647357457e1df6af135; SHA-256: 7a852ee4c6eed236fd347f2e57fb8d16d6961cbaddc6341ecaef60c58001aa7f)
x86_64: vdsm-jsonrpc-java-1.1.9-1.el6ev.noarch.rpm (MD5: a6a713662a1d4e02879c4288abf10bc4; SHA-256: e16e60938b859fd5263aecde04c71a4b9b694a68c6b81992c2568b89bc99a142)

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1193901 - [vdsmfake] - Volume.create missing parameters

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/

There are ways the FBI can crack the iPhone PIN without...

Not that kind of crack. (Geoff Parsons)

The custom firmware that the FBI would like Apple to produce in order to unlock the San Bernardino iPhone would be the most straightforward way of accessing the device, allowing the federal agency to rapidly attempt PIN codes until it found the one that unlocked the phone. But it's probably not the only way to achieve what the FBI wants.

There may well be approaches that don't require Apple to build a custom firmware to defeat some of the iPhone's security measures. The iPhone 5c used by the San Bernardino killers encrypts its data using a key derived from a combination of an ID embedded in the iPhone's processor and the user's PIN.

Assuming that a 4-digit PIN is being used, that's a mere 10,000 different combinations to try out. However, the iPhone has two protections against attempts to try every PIN in turn.

First, it inserts delays to force you to wait ever longer between PIN attempts (up to one hour at its longest).
Second, it has an optional capability to delete its encryption keys after 10 bad PINs, permanently depriving access to any encrypted data. The FBI would like to use a custom firmware that allows attempting multiple PINs without either of these features.

This custom firmware would most likely be run using the iPhone's DFU mode.

Device Firmware Update (DFU) mode is a low-level last resort mode that can be used to recover iPhones that are unable to boot.

To use DFU mode, an iPhone must be connected via USB to a computer running iTunes. iTunes will send a firmware image to the iPhone, and the iPhone will run that image from a RAM disk.

For the FBI's purposes, this image would include the PIN-attack routines to brute-force the lock on the device. Developing this firmware should not be particularly difficult—jailbreakers have developed all manner of utilities to build custom RAM disks to run from DFU mode, so running custom code from this environment is already somewhat understood—but there is a problem.

The iPhone will not run any old RAM disk that you copy to it.
It first verifies the digital signature of the system image that is transferred. Only if the image has been properly signed by Apple will the phone run it. The FBI cannot create that signature itself. Only Apple can do so.

This means also that the FBI cannot even develop the code itself.

To test and debug the code, it must be possible to run the code, and that requires a signature.

This is why it is asking for Apple's involvement: only Apple is in a position to do this development.

Do nothing at all

The first possibility is that there's simply nothing to do.

Erasing after 10 bad PINs is optional, and it's off by default.
If the erase option isn't enabled, the FBI can simply brute force the PIN the old-fashioned way: by typing in new PINs one at a time.
It would want to reboot the phone from time to time to reset the 1 hour delay, but as tedious as the job would be, it's certainly not impossible. It would be a great deal slower on an iPhone 6 or 6s.
In those models, the running count of failed PIN attempts is preserved across reboots, so resetting the phone doesn't reset the delay period.

But on the 5c, there's no persistent record of bad PIN trials, so restarting the phone allows an attacker to short-circuit the delay.

Why it might not work

Obviously, if the phone is set to wipe itself, this technique wouldn't work, and the FBI would want to know one way or the other before starting.
It ought to be a relatively straightforward matter for Apple to tell, as the phone does have the information stored in some accessible way so that it knows what to do when a bad PIN is entered. But given the company's reluctance to assist so far, getting them to help here may be impossible.

Update: It turns out that this bug was fixed in iOS 8.1, so it probably wouldn't work after all.

Acid and laserbeams

One risky solution that has been discussed extensively already is to use lasers and acid to remove the outer layers of the iPhone's processor and read the embedded ID. Once this embedded ID is known, it's no longer necessary to try to enter the PIN directly on the phone itself.
Instead, it would be possible to simply copy the encrypted storage onto another computer and attempt all the PINs on that other computer.

The iPhone's lock-outs and wiping would be irrelevant in this scenario.

Why it might not work

The risk of this approach is not so much that it won't work, but that if even a tiny mistake is made, the hardware ID could be irreparably damaged, rendering the stored data permanently inaccessible.

Jailbreak the thing

The iPhone's built-in lockouts and wipes are unavoidable if running the iPhone's operating system... assuming that the iPhone works as it is supposed to.
It might not.

The code that the iPhone runs to enter DFU mode, load a RAM image, verify its signature, and then boot the image is small, and it should be simple and quite bullet-proof. However, it's not impossible that this code, which Apple calls SecureROM, contains bugs.
Sometimes these bugs can enable DFU mode (or the closely related recovery mode) to run an image without verifying its signature first. There are perhaps six known historic flaws in SecureROM that have enabled jailbreakers to bypass the signature check in one way or another.

These bugs are particularly appealing to jailbreakers, because SecureROM is baked into hardware, and so the bugs cannot be fixed once they are in the wild: Apple has to update the hardware to address them.

Exploitable bugs have been found in the way SecureROM loads the image, verifies the signature, and communicates over USB, and in all cases they have enabled devices to boot unsigned firmware. If a seventh exploitable SecureROM flaw could be found, this would enable jailbreakers to run their own custom firmwares on iPhones.

That would give the FBI the power to do what it needs to do: it could build the custom firmware it needs and use it to brute force attack the PIN.
Some critics of the government's demand have suggested that a government agency—probably the NSA—might already know of such a flaw, arguing that the case against Apple is not because of a genuine need to have Apple sign a custom firmware but merely to give cover for their own jailbreak.

Why it might not work

Of course, the difficulty with this approach is that it's also possible that no such flaw exists, or that even if it does exist, nobody knows what it is.

Given the desirability of this kind of flaw—it can't be fixed through any operating system update—jailbreakers have certainly looked, but thus far they've turned up empty-handed.

As such, this may all be hypothetical.

Ask Apple to sign an FBI-developed firmware

Apple doesn't want to develop a firmware to circumvent its own security measures, saying that this level of assistance goes far beyond what is required by law.

The FBI, however, can't develop its own firmware because of the digital signature requirements. But perhaps there is a middle ground.

Apple, when developing its own firmwares, does not require each test firmware to be signed.
Instead, the company has development handsets that have the signature restriction removed from SecureROM and hence can run any firmware.

These are in many ways equivalent to the development units that game console manufacturers sell to game developers; they allow the developers to load their games to test and debug them without requiring those games to be signed and validated by the console manufacturer each time. Unlike the consoles, Apple doesn't distribute these development phones.
It might not even be able to, as it may not have the necessary FCC certification.

But they nonetheless exist.
In principle, Apple could lend one of these devices to the FBI so that the FBI would then be responsible for developing the firmware.

This might require the FBI to do the work on-site at Cupertino or within a Faraday cage to avoid FCC compliance concerns, but one way or another this should be possible. Once it had a finished product, Apple could sign it.
If the company was truly concerned with how the signed firmware might be used, it might even run the firmware itself and discard it after use. This would relieve Apple of the burden of creating the firmware, and it could be argued that it was weakening Apple's first amendment argument against unlocking the firmware. While source code is undoubtedly expressive and protected by the first amendment, it seems harder to argue that a purely mechanical transformation such as stamping a file with a digital signature should be covered by the same protection.

Why it might not work

Apple may very well persist in saying no, and the courts may agree.

Andrew Cunningham

Stop the phone from wiping its encryption keys

The way the iPhone handles encryption keys is a little more complex than outlined above.

The encryption key derived from the PIN combined with the hardware ID isn't used to encrypt the entire disk directly.
If it were, changing the PIN would force the entire disk to be re-encrypted, which would be tiresome to say the least.
Instead, this derived key is used to encrypt a second key, and that key is used to encrypt the disk.

That way, changing the PIN only requires re-encryption of the second key.

The second key is itself stored on the iPhone's flash storage. Normal flash storage is awkward to securely erase, due to wear leveling.

Flash supports only a limited number of write cycles, so to preserve its life, flash controllers spread the writes across all the chips. Overwriting a file on a flash drive may not actually overwrite the file but instead write the new file contents to a different location on the flash drive, potentially leaving the old file's contents unaltered. This makes it a bad place to store encryption keys that you want to be able to delete.

Apple's solution to this problem is to set aside a special area of flash that is handled specially.

This area isn't part of the normal filesystem and doesn't undergo wear leveling at all.
If it's erased, it really is erased, with no possibility of recovery.

This special section is called effaceable storage. When the iPhone wipes itself, whether due to bad PIN entry, a remote wipe request for a managed phone, or the built-in reset feature, this effaceable storage area is the one that gets obliterated. Apart from that special handling, however, the effaceable area should be readable and writeable just like regular flash memory. Which means that in principle a backup can be made and safely squirreled away.
If the iPhone then overwrites it after 10 bad PIN attempts, it can be restored from this backup, and that should enable a further 10 attempts.
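The key hierarchy and the effaceable-storage wipe described above, modelled as an added example (this is not code from the article or from Apple): a key derived from the UID and PIN wraps a random disk key, changing the PIN re-wraps only that key, and erasing the wrapped key is what makes the wipe final even though the disk ciphertext is still on flash. The KDF, the HMAC-based stand-in cipher, the key sizes and the iteration count are assumptions chosen so the code runs on the standard library alone.

```python
"""
Model of the two-level key hierarchy the article describes: a key derived from
the hardware UID and the PIN wraps a random disk key, and the wrapped disk key
lives in a separate erasable region (effaceable storage). Illustrative code
written for this page, not Apple's implementation: PBKDF2 as the KDF, an
HMAC-SHA256 counter-mode stream cipher standing in for AES, and all sizes and
iteration counts are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Symmetric, so the same call encrypts and decrypts. A real design uses an
    authenticated cipher such as AES-GCM; this keeps the example stdlib-only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_kek(uid: bytes, pin: str) -> bytes:
    """Key-encryption key from the processor's embedded UID and the user's PIN.
    Neither input alone recovers anything, which is why the article's
    'read the UID off the die' option moves the PIN search off the phone."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), uid, 100_000, dklen=32)


class Effaceable:
    """The non-wear-levelled region holding the wrapped disk key. erase() is the
    wipe: the encrypted disk stays on flash but can no longer be decrypted."""

    def __init__(self) -> None:
        self.wrapped_key: Optional[bytes] = None
        self.nonce: Optional[bytes] = None
        self.check: Optional[bytes] = None

    def erase(self) -> None:
        self.wrapped_key = self.nonce = self.check = None


class Device:
    def __init__(self, uid: bytes, pin: str, plaintext: bytes) -> None:
        self.uid = uid
        self.eff = Effaceable()
        disk_key = os.urandom(32)
        self.disk_nonce = os.urandom(16)
        # Bulk data is encrypted once, under the random disk key, never under
        # the PIN-derived key directly.
        self.disk = keystream_xor(disk_key, self.disk_nonce, plaintext)
        self._wrap(disk_key, pin)

    def _wrap(self, disk_key: bytes, pin: str) -> None:
        kek = derive_kek(self.uid, pin)
        self.eff.nonce = os.urandom(16)
        self.eff.wrapped_key = keystream_xor(kek, self.eff.nonce, disk_key)
        # Verifier so a wrong PIN is rejected instead of yielding garbage.
        self.eff.check = hmac.new(kek, b"pin-check", hashlib.sha256).digest()

    def _unwrap(self, pin: str) -> Optional[bytes]:
        if self.eff.wrapped_key is None:
            return None  # effaceable storage erased: nothing left to unwrap
        kek = derive_kek(self.uid, pin)
        expected = hmac.new(kek, b"pin-check", hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.eff.check):
            return None  # wrong PIN
        return keystream_xor(kek, self.eff.nonce, self.eff.wrapped_key)

    def unlock(self, pin: str) -> Optional[bytes]:
        """Plaintext on success; None on a wrong PIN or after a wipe."""
        disk_key = self._unwrap(pin)
        if disk_key is None:
            return None
        return keystream_xor(disk_key, self.disk_nonce, self.disk)

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        """Re-wraps the disk key only; self.disk is untouched."""
        disk_key = self._unwrap(old_pin)
        if disk_key is None:
            return False
        self._wrap(disk_key, new_pin)
        return True

    def wipe(self) -> None:
        """What the 10-bad-PINs policy does: erase the effaceable area."""
        self.eff.erase()


if __name__ == "__main__":
    # Constructed sample values: a fake 32-byte UID and a short plaintext.
    dev = Device(uid=bytes(range(32)), pin="1234", plaintext=b"constructed sample data")
    assert dev.unlock("1234") == b"constructed sample data"
    before = dev.disk
    assert dev.change_pin("1234", "9876") and dev.disk == before
    dev.wipe()
    assert dev.unlock("9876") is None
    print("key hierarchy model OK")
```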

This process could be repeated indefinitely. This video from a Shenzhen market shows a similar process in action (we came at it via 9to5Mac after seeing a tweet in February and further discussion in March). Here, a 16GB iPhone has its flash chip desoldered and put into a flash reader.

A full image of that flash is made, including the all-important effaceable area.
In this case, the chip is then replaced with a 128GB chip, and the image restored, with all its encryption and data intact.

The process for the FBI's purposes would simply use the same chip every time. By restoring every time the encryption keys get destroyed, the FBI could—slowly—perform its brute force attack.
It would probably want to install a socket of some kind rather than continuously soldering and desoldering the chip, but the process should be mechanical and straightforward, albeit desperately boring. A more exotic possibility would be to put some kind of intermediate controller between the iPhone and its flash chip that permitted read instructions but blocked all attempts to write or erase data. Hardware write blockers are already routinely used in other forensic applications to prevent modifications to SATA, SCSI, and USB disks that are being used as evidence, and there's no reason why such a thing could not be developed for the flash chips themselves.

This would allow the erase/restore process to be skipped, requiring the phone to be simply rebooted every few attempts.

Why it might not work

The working assumption is that the iPhone's processor has no non-volatile storage of its own, so it simply doesn't remember that it is supposed to have wiped its encryption keys and will offer another ten attempts if the effaceable storage area is restored; or that, even if it does remember, it doesn't care.

This is probably a reasonable assumption; the A6 processor used in the iPhone 5c doesn't appear to have any non-volatile storage of its own, and allowing restoration means that even a securely wiped phone can be straightforwardly restored from backup by connecting it to iTunes. For newer iPhones, that's less clear.

Apple implies that the A7 processor—the first to include the "Secure Enclave" function—does have some form of non-volatile storage of its own. On the A6 processor and below, the time delay between PIN attempts resets every time the phone is rebooted. On the A7 and above, it does not; the Secure Enclave somehow remembers that there has been some number of bad PIN attempts earlier on.

Apple also vaguely describes the Secure Enclave as having an "anti-replay counter" for data that is "saved to the file system." It's not impossible that this is also used to protect the effaceable storage in some way, allowing the phone to detect that it has been tampered with.

Full restoration is similarly still likely to be possible. There is also some risk to disassembling the phone, but if the process is reliable enough for Shenzhen markets, the FBI ought to be able to manage it reliably enough. This last technique in particular should be quite robust.

There's no doubt that Apple's assistance would help a great deal; creating a firmware to allow brute-forcing the PIN would be faster and lower risk than any method that requires disassembly.

But if the FBI is truly desperate to bypass the PIN lockout and potential disk wipe, there do appear to be options available to it that don't require Apple to develop the firmware.

RHSA-2016:0371-1: Critical: nss security update

Updated nss packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Critical security impact.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures.

An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2016-1950)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Francis Gabriel as the original reporter.

All nss users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

For the update to take effect, all applications linked to the nss library must be restarted, or the system rebooted. Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Updated packages: nss-3.19.1-4.el5_11 (nss, nss-debuginfo, nss-devel, nss-pkcs11-devel, nss-tools) for RHEL Desktop Workstation (v. 5 client), Red Hat Enterprise Linux (v. 5 server) and Red Hat Enterprise Linux Desktop (v. 5 client), on IA-32, IA-64, PPC, s390x and x86_64. (The unlinked packages above are only available from the Red Hat Network)

1310509 - CVE-2016-1950 nss: Heap buffer overflow vulnerability in ASN1 certificate parsing (MFSA 2016-35)

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Google Offers Tool to Help Evaluate Vendor Security

The vendor security evaluation framework provides questions that organizations need to ask to accurately assess a third-party's security and privacy readiness, Google said. Google has released a framework to open source that it implements internally to...

Samsung To Launch Certification Program For Samsung Knox Mobile Security Platform

Samsung is planning to launch a new partner certification program for its Samsung Knox mobile security platform aimed at helping solution providers generate new revenue from their mobile business. Richard Hutton, director of channel marketing for Samsu...

IDC: Smart MFPs are ‘redefining workflow’

New whitepaper sponsored by OKI Europe says latest multifunctional devices extend the remit of printers from paper-based processes to a ‘customisable digital transformation tool’

Egham, 8 March 2016 – Smart multifunction printers (MFPs) are helping to ‘redefine how workflow is performed’ a new IDC whitepaper has confirmed.

OKI Smart MFP Portfolio

Entitled ‘Are your business processes stifling your market opportunity? Cost-efficient print and document management through smart MFPs’, it was written by Jacqui Hendriks, IDC's Head of European Managed Print Services and Document Solutions research and consulting practice. Highlighting the need for workflow improvements, IDC’s research found 67% of small to medium-sized businesses in Europe are making productivity a priority. However, while cloud services are giving businesses affordable access to sophisticated technology, just one in three businesses are planning how they will accommodate and manage information growth in an increasingly digital world. The whitepaper also identified that legacy document-related challenges are wasting time and causing a huge 20% loss in employee productivity – the equivalent to over 2 working months a year.
Similarly, despite the fact that emerging technologies including mobility, big data, social business and cloud raise security concerns, three-quarters of SMBs were found to have no security system in place, leaving them exposed to risk. In addition to raising these challenges, the IDC whitepaper outlined the functionality now available in the latest smart MFPs that help to improve workflow and productivity by facilitating smarter business operations and process efficiencies for SMBs.
It states: “Acting as on-ramps and off-ramps to the cloud, smart MFPs extend the utilisation of the device from primarily printing and copying paper-based pages to a customisable digital transformation tool, enabling companies to capture, integrate and communicate information.” Looking closely at other factors driving the need for change, such as expanding IT challenges, the whitepaper points to the fact that companies must make crucial decisions about investment and priorities that support growth and competitive performance. However, rather than turning straight to costly enterprise resource planning (ERP) systems, organisations should first consider making smaller investments in customising workflow tools, which could provide them with sufficient automation and integration to drive up productivity in a shorter timeframe. According to IDC’s research, smart MFPs have the potential to act as a platform for growth by providing cost- and time-efficient workflow solutions that improve compliance and security while supporting key business objectives such as mobility, along with cost-cutting initiatives.
In this regard, they have the potential to help redefine how day-to-day business workflow is performed. This is particularly essential for smaller businesses (SMBs), many of which are seeing growth hindered by internal processes, as well as coming under pressure to manage mobility and optimise their resources. Using smart MFPs, SMBs have the opportunity to alleviate these pressures and achieve substantial workflow benefits. In addition to workflow strategy, smart MFPs also give the many businesses without any document security in place the opportunity to control access to sensitive information with authentication tools and to protect customers’ details using permission-based access. “This comprehensive whitepaper by IDC identifies a number of business challenges and priorities that today’s smart MFPs can go a long way to address,” says Tetsuya Kuri, vice president Marketing, OKI Europe Ltd. “It also establishes a clear link between the devices and the requirements of modern businesses.” OKI Europe’s portfolio of smart MFPs combines a range of features to capture and process information more intelligently, helping employees work more productively.

The cost-effective solutions combine sophisticated software, advanced technology and open architecture, enabling them to integrate seamlessly with existing document workflows. This in-built flexibility responds to the 70% of European SMBs that IDC has found adopt business process automation tools for increased employee productivity, and means MFPs can be scaled up in line with future growth, as well as new business and technology trends. For further information and to receive a copy of the whitepaper and infographic, visit www.okieurope.com/smartmfps

-Ends-

Notes to Editors:

About OKI Europe
OKI Europe Ltd is a division of OKI Data Corporation, a global business-to-business brand dedicated to creating cost-effective, professional in-house printers, applications and services which are designed to increase the efficiency of today’s and tomorrow’s businesses. The company is well-established as one of Europe’s leading printer brands, in terms of value and units shipped.

For over 60 years OKI Europe has been delivering advanced printing solutions worldwide, introducing ground-breaking technologies that support the needs of businesses large and small. Our pioneering development of digital LED printing technology has placed OKI at the forefront of the market in delivering high-definition, eco-friendly printing devices. In addition to a vast portfolio of award-winning printers and MFPs, OKI Europe offers a range of services to help optimise print and document workflows.

This, together with an integrated suite of software technologies and tools, can help businesses take control of their print and document costs in a secure environment, whether office based, mobile or in the cloud. Today OKI Europe employs approximately 1,000 people in 21 locations (sales offices and production sites) and is represented in 60 countries throughout the EMEA region. Visit www.okieurope.com for further information. OKI Data Corporation is a subsidiary of Tokyo-based Oki Electric Industry Co. Ltd., established in 1881 and Japan’s first telecommunications manufacturer.

Media Contacts:
OKI Europe Ltd: Pamela Ghosal: Pamela.Ghosal@okieurope.com, +44 (0) 208 2192127
Whiteoaks: Jen Rook: jenniferr@whiteoaks.co.uk, +44 (0) 1252 727313

What are you doing to spot a breach?

It’s probably already happened, but you just haven't seen it... Technology moves quickly, not just in legitimate business, but in the cybercriminal world too.

Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife.

They are happy to target large and small organizations alike, and they only have to be lucky once. Security pros have been forced to prepare for a world of constant, sustained attack by understanding the threats and choosing the right measures to prepare for them.

Companies are realising the extent of the threat and gearing up for it, say experts. “We have seen information security budgets increasing in the last 12 months to address the challenges that cyber crime is bringing to the organisation,” said Steve Durbin, managing director of the Information Security Forum. So what kinds of threats are they dealing with, and how can they prepare?

What are the threats and where are they coming from?

The cyberthreats facing modern companies fall into various categories, and they’re loosely linked to the type of cybercriminal that you’re dealing with and the kind of information that they’re after. Hacktivism has traditionally been characterised by attacks with a relatively low barrier to entry, such as DDoS and website defacements. While hacktivists’ motives are frequently political or ideological, financial cybercriminals are interested purely in money, and are adept in their pursuit of it.
Some will attempt to transfer money out of an organization, while others will focus on saleable information. Malware typically underpins a financial cybercrime attack. One notable recent example is Carbanak, an extensive campaign against financial institutions estimated to have netted up to $1bn in stolen assets.
It was a devilish attack. It began with a backdoor delivered as an email attachment; the attackers then moved laterally through the network until they reached administrators’ machines, recorded clerks’ screens and keystrokes to learn how money was moved, and used that knowledge to transfer funds fraudulently through online banking sessions and to make ATMs dispense cash. Carbanak was a sophisticated attack that sought to directly manipulate systems, but cybercriminals more typically look to steal specific types of information, such as personally identifiable information (PII). Malware delivery via phishing and drive-by downloads is still a highly effective way to steal this data.

Exploit kits designed to target enterprise clients with malicious payloads are on the rise: in its 2015 Threat Report, Forcepoint found three times more exploit kits in circulation than it had in 2013. The PII these attackers are after can be about your customers or your employees.

The latter can be just as damaging, because you’re likely to hold financial and other data about the people who work for you. One of the most egregious recent attacks on employee data was the Office of Personnel Management hack, which compromised records on more than 21 million current and former federal employees and contractors, including Social Security numbers, addresses and 5.6 million fingerprint records. PII isn’t the only threat category, though.
Intellectual property is another rich seam for online criminals to mine. Often the subject of targeted attacks, this information can take many forms, from email archives through to launch plans for new products, or details of new products currently under development. “We see a lot of intellectual property theft out there, coming from assumed nation states based on the IPs that they’re coming from, and from industry, too,” said Eric Stevens, director of strategic security consulting services at Forcepoint. “It’s a lot cheaper to steal development time than it is to do that development yourself,” he pointed out. While these different groups will typically seek different types of information, there is also an increasing amount of overlap. Hacktivists have begun targeting both customer data and intellectual property where it suits their needs.

Anonymous was behind the theft of ticketholder data for the 2012 F1 Grand Prix in Montreal, which was posted online. Hacktivists operating under the AntiSec banner, an Anonymous/LulzSec offshoot, took email archives and customer data from private intelligence firm Stratfor in 2011.

How do you live with attackers getting in, and continue to fight them?

Over the years, the focus on keeping attackers out at all costs has shifted towards managing them once they break into an organization.
Security professionals seem to be tacitly admitting that network intrusion is a question of ‘when’, rather than ‘if’. “15 years ago, the focus was keeping them out. Today, organizations are starting to realize they have to deal with a certain degree of compromise,” explained Stephen Northcutt, director of academic advising for the SANS Technology Institute. This is something that at least one of the three-letter agencies has understood for years.
In 2010, Debora Plunkett, then head of the Information Assurance Directorate at the NSA, said that the agency assumed there were already intruders inside its network.

Considering itself already compromised forced it to protect critical data inside the network, rather than relying on a single ring of iron. The Open Group’s Jericho Forum focused on containing rather than preventing threats with its de-perimeterization principle, first espoused in the mid-2000s, which stated that the traditional trusted network boundary had eroded. One of the group’s commandments to survive in a de-perimeterized future was the assumption that your network was untrusted. Clearly, the NSA didn’t protect its resources especially well, though.

Ed Snowden, working for third-party contractor Booz Allen Hamilton, happily vacuumed up gigabytes of sensitive data for a sustained trickle-feed campaign to the media. Whatever side of the Snowden debate you’re on, for CISOs his case highlights the need for controls that stop the theft of information through authorized accounts. “Over the next few years, you will see a lot of growth in privilege and identity management,” said Northcutt. “At the network level you are going to see more segmentation and isolation.” To fully protect themselves with these techniques, though, organizations need a deep understanding of the data that they have and how it is used in their business, said Stevens.

There are many roles and sets of responsibilities in an organisation, and some of them extend beyond internal employees altogether. “You have to understand what your business processes are surrounding that data,” he said. It’s necessary to understand what a normal process looks like.

A hospital may send data to a third-party company that produces its invoices. How can you distinguish between a legitimate business process like that, and an illegitimate one that is sending sensitive data to bad people?

How do you distinguish between normal behaviour and threats?

Distinguishing between these different modes of behaviour is an important skillset for IT departments trying to spot attackers inside their network, but it’s doable with the right tools, say experts.
It’s all a question of mathematics, said Northcutt. “Twenty years ago the US Navy spent about a million dollars for a bunch of PhD statisticians to determine that like groups of people using like systems have a very similar network traffic footprint,” he said, adding that we have been using statistical techniques to baseline normal behaviour for years now. One form of attack involves malware that enters a network and then moves laterally, trying to find any data it can, and then exfiltrating it.
Software designed to baseline regular employee behaviour and then spot anything that deviates from the norm may be able to spot the unusual patterns that this malware generates. Is a user account sending large amounts of data when it normally doesn’t? Is it encrypting that data, when it is normally sent over the internal company network in plain text? Why is it sending it at 2am when all employees are normally long gone? All of these things can raise flags in a suitably equipped system.

Where do you start when choosing tools

Training people to be security aware is an important part of stopping breaches, but CISOs will never eradicate those problems entirely. A technology layer provides a vital layer of protection.
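The three questions the article poses above (unusual volume, encryption where plaintext is the norm, transfers at 2am) are what a behavioural baseline actually has to compute. The following is an added example, not code from the article or from any product quoted in it. The record layout, the `.corp.example` suffix for internal destinations, the 07:00 to 19:59 business-hours window, the three-sigma threshold and the sample records themselves are all constructed assumptions; the per-user daily totals are scored leave-one-out so the day under test cannot inflate its own baseline.

```python
"""Behavioural baselining over constructed egress records.

Added example, not code from the article or from any vendor it quotes. The
record layout, the internal-name suffix, the business-hours window and the
three-sigma threshold are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical export format: (user, ISO timestamp, bytes sent, destination, payload_opaque)
# payload_opaque marks encrypted or archived content an inline DLP could not inspect.
SAMPLE_EVENTS = []
for day in range(1, 15):  # 14 days of routine, business-hours, plaintext, internal traffic
    SAMPLE_EVENTS.append(("alice", f"2016-03-{day:02d}T10:15:00", 20_000 + 500 * day,
                          "fileshare.corp.example", False))
    SAMPLE_EVENTS.append(("bob", f"2016-03-{day:02d}T14:40:00", 50_000,
                          "erp.corp.example", False))
# Constructed anomaly: bob pushes a large opaque blob to an external host at 02:03
SAMPLE_EVENTS.append(("bob", "2016-03-15T02:03:00", 900_000_000, "203.0.113.7", True))
SAMPLE_EVENTS.append(("alice", "2016-03-15T09:50:00", 27_000, "fileshare.corp.example", False))

INTERNAL_SUFFIX = ".corp.example"   # assumption: internal destinations end with this
BUSINESS_HOURS = range(7, 20)       # assumption: 07:00-19:59 local time
Z_THRESHOLD = 3.0                   # assumption: three sigma above the user's own history
MIN_HISTORY_DAYS = 5                # below this, refuse to score rather than guess


def is_external(destination):
    return not destination.endswith(INTERNAL_SUFFIX)


def daily_totals(events):
    """Bytes sent per (user, calendar day)."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, ts, nbytes, _dest, _opaque in events:
        totals[user][ts[:10]] += nbytes
    return totals


def volume_z(user_days, day):
    """Z-score of one day against the user's other days (leave-one-out), or None.

    Leaving the scored day out stops a single huge transfer from inflating the
    baseline it is compared against. The sigma floor keeps a perfectly regular
    history (stdev 0) from turning every small change into a flag.
    """
    others = [v for d, v in user_days.items() if d != day]
    if len(others) < MIN_HISTORY_DAYS:
        return None
    mu = mean(others)
    sigma = max(pstdev(others), 0.05 * mu, 1.0)
    return (user_days[day] - mu) / sigma


def behavioural_flags(events, z_threshold=Z_THRESHOLD):
    """Return {(user, day): [reasons]} for every user-day that trips a rule."""
    findings = defaultdict(set)
    for user, ts, _nbytes, dest, opaque in events:
        day = ts[:10]
        hour = datetime.fromisoformat(ts).hour
        if is_external(dest) and hour not in BUSINESS_HOURS:
            findings[(user, day)].add("off-hours transfer to external destination")
        if is_external(dest) and opaque:
            findings[(user, day)].add("opaque payload to external destination")
    for user, days in daily_totals(events).items():
        for day in days:
            z = volume_z(days, day)
            if z is not None and z >= z_threshold:
                findings[(user, day)].add(f"daily egress {z:.1f} sigma above baseline")
    return {key: sorted(reasons) for key, reasons in sorted(findings.items())}


if __name__ == "__main__":
    for (user, day), reasons in behavioural_flags(SAMPLE_EVENTS).items():
        print(f"{user} {day}: " + "; ".join(reasons))
```

On the constructed data only bob's 2am day trips all three rules; alice's slowly growing but ordinary volumes stay under the threshold. Two caveats a practitioner should keep in mind: a baseline learned from a window that already contains the attacker's activity absorbs it (the leave-one-out scoring and sigma floor here only mitigate a single outlier day), and low-and-slow exfiltration spread over many days will never cross a per-day volume threshold, which is why the off-hours and opaque-payload rules are scored independently of volume.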

Don’t be distracted by emotions or industry buzzwords when choosing these tools, said Stevens. He recommends first identifying what data you want to protect (adding that this is more difficult than you’d imagine for many companies).

Talk to compliance managers and line of business owners to identify this information, and then work out what category of tool would best block the egress of that data. Companies can hone their priorities by focusing on a security framework like NIST’s, using it to establish areas where they need to improve. “Then it’s about ensuring that those purchases are improving your security posture as well as catering to compliance requirements that you may have,” he said. At the very least, though, he recommends a web and email security gateway, along with a data leak prevention (DLP) tool to monitor and prevent things from leaving. “Essentials are always going to be network monitoring tools,” said the ISF’s Durbin, adding that companies can build out their tool sets as they become more sophisticated. “The more advanced will focus on big data and trying to anticipate breaches and identify weaknesses in the security perimeter.”

Best of breed vs holistic approach

Should companies buy a single security platform offering a holistic approach, or focus on point solutions instead? “I would always vote on holistic, mainly because we aren’t seeing point channel solutions that are very effective,” said Stevens.

The main problem with best of breed solutions is visibility, he argued.
If you’re purchasing point solutions from multiple vendors, integrating them to create a coherent view of your organization’s security incidents can be challenging. Your view of security needs to be watertight, not least because incidents in one domain that seem incongruous can suddenly gain significance when correlated with incidents happening elsewhere. A single pane of glass can help to ensure a consistent view of everything happening across the various parts of your infrastructure, from email scanning through to web gateways. The good news is that while many of the threats facing companies are sophisticated, most attackers still take the path of least effort to get in.

Attackers will go for unpatched, out of date software versions and misconfigured machines if they can, to avoid giving away their zero-day secrets. Using tools to keep a watchful eye on your network, endpoints and data is one part of the solution.

Good threat intelligence is another. Just as important, though, are proper conversations with business counterparts to understand what data you should be trying to protect in the first place. ®

Rohde & Schwarz Cybersecurity redefines next generation UTM firewalls

In data transmission, bandwidths in the Gigabit range call for new IT security solutions.

This applies in particular to traditional unified threat management (UTM) firewalls, which have limited performance.

At this year's CeBIT, the IT security company Rohde & Schwarz Cybersecurity will present an innovative solution that for the first time meets the challenges posed by higher bandwidths: the UTM+ firewall series with an integrated next-generation engine.

The integrated software also comes with high-end features.

Munich, March 8, 2016

The UTM+ firewall series was designed especially for the needs of medium-sized businesses.
It is just as powerful as a next-generation firewall (NGFW) thanks to the integrated single-pass technology. While the throughput of traditional UTM appliances tops out in the megabit range, UTM+ appliances deliver performance in the Gigabit range.

And they offer even more: the UTM+ models are easy-to-use, all-in-one solutions and are significantly less expensive than next-generation firewalls. In addition to single-pass technology, further high-performance next-generation firewall features were integrated into the new UTM+ solution.

These include, for example, security mechanisms such as port-independent SSL decryption for automatic analysis of encrypted data traffic.

The permanent layer 7 scanner ensures complete and continuous analysis of data packets – even after successful validation.

The application control feature allows a fine-grained analysis of network traffic.

The firewall operating system is additionally protected with a highly secure firewall container system. Like all new Rohde & Schwarz Cybersecurity products to be showcased at CeBIT, the UTM+ firewalls follow the innovative approach "security by design", which prevents attacks proactively rather than reactively.

Security certificate: made in Germany

At CeBIT 2016, the Rohde & Schwarz security companies gateprotect, Sirrix, Rohde & Schwarz SIT and ipoque will, for the first time, bundle their broad ranges of technologically leading IT and network security solutions under the umbrella of the new Rohde & Schwarz Cybersecurity GmbH.

The first product of this new big player is the UTM+ V16. The UTM+ V16 is the improved successor model to the successful GP series with V15 software from gateprotect.

The V16 software is not only more powerful, but is also visually recognisable as a Rohde & Schwarz product: instead of the familiar red, it now comes in the blue and gray Rohde & Schwarz corporate colors. Rohde & Schwarz Cybersecurity, a wholly owned subsidiary of the Rohde & Schwarz electronics group, develops and manufactures its products exclusively in Germany.

Customers can therefore rely on the stringent German quality and data protection standards as well as maximum performance for all Rohde & Schwarz Cybersecurity products.

Contact: Svenja Borgschulte, Tel.: +49 (0)221 801087 85, Fax: +49 (0)221 801087 77, E-Mail: sb@moeller-pr.de
Reader contact: Christian Reschke, Tel.: +49 (0)30 65884 232, Fax: +49 (0)30 65884 184, E-Mail: christian.reschke@rohde-schwarz.com
https://cybersecurity.rohde-schwarz.com/de
CeBIT 2016 in Hanover, March 14 to 18, hall 6/booth G16

Rohde & Schwarz Cybersecurity
The IT security company Rohde & Schwarz Cybersecurity protects companies and public institutions around the world against espionage and cyberattacks.

The company offers high-end encryption solutions, next-generation firewalls, network traffic analytics and endpoint security software in addition to producing cutting-edge technical solutions for IT and network security.

These “Made in Germany” IT security solutions range from compact all-in-one products to custom solutions for critical infrastructures.

The “security by design” approach, which employs a proactive rather than reactive approach to dealing with cyberattacks, is central to the development of trusted IT solutions.

Around 400 employees work at the current sites in Berlin, Bochum, Darmstadt, Hamburg, Leipzig, Munich and Saarbrücken. R&S® is a registered trademark of Rohde & Schwarz GmbH & Co. KG. All press releases are available online at https://cybersecurity.rohde-schwarz.com/de. Image material can also be downloaded there.

Google fixes Android bugs, including lingering Mediaserver flaw

Google addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update. The update fixes critical vulnerabilities in the kernel keyring component, the MediaTek Wi-Fi driver, Conscrypt, the libvpx library, the Mediaserver component, and the Qualcomm Performance component.

The most severe vulnerability is the remote code execution flaw in Mediaserver that could be exploited through multiple methods, including email, Web browsing, and MMS, when processing maliciously crafted media files.

Mediaserver still vulnerable

Google has patched more than two dozen Mediaserver flaws since August, when the original Stagefright flaw was disclosed.
Since then, Google's internal security team has been identifying and fixing other vulnerabilities scattered throughout the rest of Mediaserver and the libstagefright library code. The steady stream of Mediaserver vulnerabilities has slowed: this month's update fixed only two critical flaws (CVE-2016-0815, CVE-2016-0816) and three high-priority issues in Mediaserver. "During the media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process," wrote Google in the security bulletin. Google also patched an information disclosure vulnerability in libstagefright (CVE-2016-0824), two elevation of privilege vulnerabilities in Mediaserver (CVE-2016-0826, CVE-2016-0827), and two information disclosure vulnerabilities in Mediaserver (CVE-2016-0828, CVE-2016-0829).

They are all rated as high priority because they cannot be used for remote code execution, but they can be used by attackers to gain elevated capabilities, such as Signature or SignatureOrSystem permissions, which most third-party apps should not have access to.

The information disclosure flaws can be used to bypass security measures, while the elevation of privilege flaws could be used by a malicious app to execute arbitrary code. The critical flaw in libvpx (CVE-2016-1621) is related to the previous Mediaserver vulnerabilities, as attackers could exploit it to cause memory corruption and remote code execution as the mediaserver process.

The flaw can be triggered with remote content, such as MMS messages or playing media files through the browser.

Multiple elevation of privilege bugs fixed

The remaining critical vulnerabilities are elevation of privilege flaws.

The Conscrypt bug (CVE-2016-0818) could allow a specific type of invalid certificate to be trusted, opening the door to a man-in-the-middle attack.

A malicious app could trigger the flaw in the Qualcomm performance component (CVE-2016-0819) to execute arbitrary code in the kernel.

The only way to repair the compromised device would be by re-flashing the operating system.

The kernel keyring bug (CVE-2016-0728) would also let a malicious app execute arbitrary code locally, again requiring the operating system to be reflashed. However, the keyring component is protected in Android versions 5.0 and above because SELinux rules prevent third-party applications from reaching the vulnerable code, according to the bulletin. The final critical vulnerability, in the MediaTek Wi-Fi kernel driver (CVE-2016-0820), could also be abused by a malicious app. While another MediaTek flaw (CVE-2016-0822) could result in arbitrary code execution, it was rated only as high priority because the attacker would first have to compromise the conn_launcher service, "which may not even be possible," Google said. The patches for the Qualcomm and MediaTek components are posted on the Google Developer site and not in the Android Open Source Project repository.

High priority and medium priority bugs also addressed

Google fixed a mitigation bypass vulnerability in the kernel (CVE-2016-0821) that could let attackers bypass security measures in place.

The vulnerability is related to a change made to poison pointer values in the Linux kernel back in September.

The updates also addressed an information disclosure vulnerability in the kernel (CVE-2016-0823) that could let malicious apps locally bypass exploit mitigation technologies like ASLR in a privileged process.

The bug was also fixed in the Linux upstream back in March 2015. The information disclosure vulnerability in the Widevine Trusted Application component could allow code running in the kernel context to access information in TrustZone secure storage, Google said in its bulletin. Like the high-priority Mediaserver flaws, this bug could be used to gain permissions typically not granted to third-party apps.

The final high-priority bug is a remote denial-of-service flaw in Bluetooth that could allow an attacker within a certain distance of the target device to block access.

The attacker could cause an overflow of identified Bluetooth devices in the component, leading to memory corruption and service stop.

The issue could potentially only be fixed by flashing the device, Google said. The two moderate-priority bugs are in the Telephony component and the Setup Wizard.

The information disclosure vulnerability in the telephony component could allow an app to access sensitive data on the device.

The elevation of privilege vulnerability in Setup Wizard can be exploited by an attacker who has physical access to the device and can perform a manual device reset.

Patch if possible

None of these issues have been exploited in the wild. Builds LMY49H or later and Android M with Security Patch Level of "March 01, 2016" or later contain fixes for these issues.

The Build information is available through the Settings app on Android devices, under the About phone option.

The Security Patch Level is shown in the same location on Android M devices and some Samsung devices running the latest Lollipop versions. Since phone makers and carriers control when the updates are actually pushed to Android devices, for most users, the best ways to stay up-to-date with the security fixes are to buy Nexus devices, upgrade to newer devices frequently, or install custom Android versions themselves. Partners, including handset makers and phone carriers, received the bulletin on Feb. 1.
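Checking the build and patch level through the Settings app is fine for one handset; for a fleet it is quicker to read the same values over adb. The following is an added example, not code from the article or from Google. The `getprop` output below is constructed (hypothetical device), but `ro.build.version.security_patch` and `ro.build.display.id` are real Android system properties; the former only exists on Android 6.0 and later builds, so the check has to fall back to the build ID on Lollipop devices.

```python
"""Fleet check of the Android Security Patch Level via adb.

Added example, not from the article or from Google. The sample getprop output
is constructed; the property names are real Android system properties, but
ro.build.version.security_patch is only present on 6.0+ builds.
"""
import re
import subprocess

MIN_PATCH_LEVEL = "2016-03-01"   # the bulletin's "March 01, 2016" patch level

# Constructed excerpt in the format `adb shell getprop` prints (hypothetical device)
SAMPLE_GETPROP = """\
[ro.build.display.id]: [MMB29V]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-02-01]
[ro.product.model]: [Nexus 5X]
"""

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; anything else is ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and "]: [" in line:
            key, _, value = line[1:-1].partition("]: [")
            props[key] = value
    return props


def assess(props, minimum=MIN_PATCH_LEVEL):
    """Return (verdict, detail); verdicts are patched, unpatched or unknown.

    YYYY-MM-DD strings order correctly as plain strings, so once the format
    has been validated a string comparison is all the date logic needed.
    """
    level = props.get("ro.build.version.security_patch", "")
    if not ISO_DATE.match(level):
        # Pre-6.0 builds carry no patch level; the build ID has to be compared
        # by hand against the bulletin (LMY49H or later for this one).
        build = props.get("ro.build.display.id", "?")
        return "unknown", f"no patch level property; build {build}"
    if level >= minimum:
        return "patched", f"patch level {level} >= {minimum}"
    return "unpatched", f"patch level {level} < {minimum}"


def assess_device(serial=None):
    """Query one connected device through adb (needs adb and USB debugging on)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return assess(parse_getprop(out))


if __name__ == "__main__":
    print(assess(parse_getprop(SAMPLE_GETPROP)))
```

The patch level string is set by the device maker and asserts that every fix from bulletins up to that date is present; it is the maker's claim, not evidence, so an "unpatched" result is actionable while a "patched" one still depends on the OEM having actually shipped the vendor-specific (Qualcomm, MediaTek) fixes the bulletin lists.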

The Nexus devices will receive over-the-air updates and the patches are expected to be posted to the Android Open Source Project repository. Non-Nexus devices will follow schedules determined by the manufacturers or the carriers. While Samsung has committed to updates for its latest models, many Android phones remain on older versions. Google's Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which both warn users of potentially harmful applications about to be installed. Introduced in Android 4.2, Verify Apps works by scanning all .apk packages downloaded from Google Play and other sources for potentially harmful applications. "Google's systems use machine learning to see patterns and make connections that humans would not," Elena Kovakina, a senior security analyst at Google, said in February at the Kaspersky Lab Security Analyst Summit. Verify Apps scans for known attack vectors and scenarios such as phishing, rooting operations, ransomware, backdoors, spyware, harmful sites, SMS fraud, WAP fraud, and call fraud.

Because it's enabled by default, most malicious attacks are thwarted, Kovakina said.

An example is the recent Lockdroid malware, which could have affected a large percentage of Android devices, but turned out to have not infected any Android users. Even if users can't update their Android devices to the latest versions, the SafetyNet and Verify Apps features filter out the majority of bad apps which could take advantage of these flaws.

VXL celebrates 40 years of IT hardware and software innovation with...

Manchester, UK. 2016 marks a historic milestone for VXL as it celebrates its 40th anniversary.

Established in 1976 and now employing over 450 people worldwide, VXL has developed into a leading global provider of IT hardware and software solutions for the SMB and enterprise sectors.

To celebrate this landmark, VXL is offering a hundred lucky recipients the chance to win forty free Fusion UDM Premium licences, including one year of full support, worth over $1700. Launched last year, Fusion UDM Premium, VXL Software’s universal device management software, is already proving to be one of the industry’s leading solutions for both SMB and enterprise customers.

To take part, entrants need only follow the link below and correctly answer three simple questions, the answers to which can be found by watching the Fusion UDM Premium explainer video: VXL 40th Anniversary – 40 Free Fusion UDM Premium Licenses.

Together with its other software solutions, including Illumineye Digital Signage, Smart Client and CloudDesktop PC Repurposing Software, the VXL Technology hardware portfolio is one of the widest available, spanning entry-level, mid-range and high-performance cloud, thin and zero clients. Headquartered in Bangalore, India’s ‘Silicon Valley’, VXL’s worldwide operations have grown over the last forty years to include the Americas Group HQ in Houston, Texas, the European Group HQ in Manchester, UK and dedicated subsidiaries in key strategic markets including Germany, France, the United Arab Emirates and Singapore.

Frank Noon, VP Worldwide Sales, commented: "This historical milestone represents a fantastic achievement for the company and reflects our ongoing strategy of developing innovative hardware and software solutions that meet our customer needs. For the last four decades we’ve been delivering successful IT projects for some of the world’s leading companies and we look forward to continued success for the next 40 years."

Ends.
For further information, please contact Ian Cope, PR Manager, at ian.cope@vxl.net

About VXL
VXL Technology and VXL Software are both divisions of VXL Instruments.
VXL Technology is a global leading manufacturer of thin-, zero- and cloud-client hardware devices.
VXL Software develops world-class software for a range of business-focused uses including its universal device management, Fusion UDM Premium, Illumineye digital signage, Smart Client and CloudDesktop PC repurposing software. VXL Instruments is a worldwide company, with locations in the USA, United Kingdom, France, Germany, the United Arab Emirates, India and Singapore.
VXL’s Americas Group is headquartered in Houston, Texas.

The European headquarters is in Manchester, UK.
VXL Technology and Software development teams, and the Asia Pacific headquarters, are based in Bangalore, India.

Google vendor security review tool goes open source

Choose-your-own-adventure must be solved before entry to the Gates of Google. Or yours Google's decided that the first-phase questionnaire it uses to vet vendors might be useful to the rest of the world. Until now an internal document, the Vendor Security Assessment Questionnaire (VSAQ) was created to help Mountain View cope with the huge number of vendor approaches it receives. The questionnaires help vendors describe their security posture to Google, so as to thin out the amount of stuff the Chocolate Factory has to let in the door for a presentation. The VSAQs are high-level rather than high-detail stuff.

For example, the questionnaire dealing with physical and data centre security might be answered in as few as five responses (the questionnaire forks some responses into further questions). There are four templates provided with the VSAQ Framework: the Web and Application Security Questionnaire, the Security and Privacy Program Questionnaire, the Infrastructure Security Questionnaire, and the Physical and Data Centre Security Questionnaire. Because of the choose-your-own-adventure nature of the questionnaires, Google's written its own rendering engine to work with the standard templates.

The post includes demonstrations of the questionnaires. “We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture,” Googlers Lukas Weichselbaum and Daniel Fabian write in the company's security blog. The VSAQ, posted to GitHub, includes a client-side reference implementation for low-volume users.
If you want to run assessments at Google-like scale, Mountain View recommends you develop a server-side component. ®