Researcher Finds Hole in Windows ASLR Security Defense

A security expert found a way to work around Microsoft’s Address Space Layout Randomization, which protects the OS from memory-based attacks.

The latest versions of Microsoft Windows are vulnerable to attacks due to a newly discovered vulnerability in Address Space Layout Randomization (ASLR).
The vulnerability affects Windows 8, Windows 8.1, and Windows 10 systems with system-wide ASLR enabled via Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) or Windows Defender Exploit Guard.
Will Dormann, a senior vulnerability analyst at Carnegie Mellon’s CERT-CC discovered and reported the vulnerability. System-wide mandatory ASLR on all affected systems, enabled via EMET, has zero entropy, “essentially making it worthless,” he explained on Twitter.
His discovery means an attacker can more easily exploit memory corruption vulnerabilities in Windows 8 and newer systems, which ASLR would normally protect. The advantage of ASLR is it makes exploiting memory corruption bugs more difficult; however, it isn’t working as intended.
ASLR arrived in Windows Vista to prevent code-reuse attacks, which rely on code executing at predictable memory locations, by loading executable modules at random addresses. Starting in Windows 8, Microsoft began to offer system-wide mandatory ASLR. Admins could enable programs to randomize locations even for applications without ASLR support.
EMET is a free tool Microsoft previously released to protect applications not opted into ASLR and other exploit mitigation tools. Admins could enable them through the EMET interface. When Microsoft launched the Windows 10 Fall Creators Update, it integrated EMET’s key capabilities into the Windows Defender Exploit Guard.
Exploit Guard has an option to enable system-wide bottom-up ASLR. However, as Dormann discovered, setting system-wide mandatory ASLR in Windows 8, Windows 8.1, and Windows 10 does not actually randomize memory locations. Even when the Exploit Guard GUI shows bottom-up ASLR as “On by default,” programs are still relocated, but to the same address across reboots and across different systems.
This could lead to a “wide variety” of common types of attacks, explains a DHS spokesman.
People who believe they are protected by ASLR may take risks they wouldn’t normally take; for example, opening an attachment in an unsolicited message. If the message is a spearphish and ASLR is working properly, the exploit would fail. However, without ASLR, the attacker could gain complete control of the victim’s system and view their access to other systems.
Microsoft says the problem is not a flaw. It says the issue, discovered by CMU’s CERT/CC and reported by US-CERT, concerns configuring non-default settings for ASLR using Exploit Guard and EMET, and that workarounds have been provided. The company is investigating and will address the configuration issue.
“The issue described by the US CERT is not a vulnerability,” a Microsoft spokesperson says. “ASLR is functioning as designed and customers running default configurations of Windows are not at increased risk.”

CERT/CC is currently unaware of a practical solution to the problem, Dormann says, adding a workaround for administrators in his blog post on the discovery. He advises enabling both bottom-up and mandatory ASLR system-wide for all systems running Windows 8 or later, using a certain registry value. Businesses should also use defense-in-depth strategies to protect networks, users, and data from unauthorized access, he adds.

Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts.
The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially.
Meanwhile, logged-in users, or malicious or commandeered applications, can leverage the security weaknesses to extract confidential and protected information from the computer’s memory, potentially giving miscreants sensitive data – such as passwords or cryptographic keys – to kick off other attacks. This is especially bad news on servers and other shared machines.
In short, a huge amount of Intel silicon is secretly running code that is buggy and exploitable by attackers and malware to fully and silently compromise computers. The processor chipsets affected by the flaws are as follows:
6th, 7th and 8th Generation Intel Core processors
Intel Xeon E3-1200 v5 and v6 processors
Intel Xeon Scalable processors
Intel Xeon W processors
Intel Atom C3000 processors
Apollo Lake Intel Atom E3900 series
Apollo Lake Intel Pentiums
Celeron N and J series processors
Intel’s Management Engine, at the heart of today’s disclosures, is a computer within your computer. It is Chipzilla’s much maligned coprocessor at the center of its vPro suite of features, and it is present in various chip families. It has been assailed as a “backdoor” – a term Intel emphatically rejects – and it is a mechanism targeted by researchers at UK-based Positive Technologies, who are set to reveal in detail new ways to exploit the ME next month.
The Management Engine is a barely documented black box. It has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.
It is designed to allow network administrators to remotely or locally log into a server or workstation, and fix up any errors, reinstall the OS, take over the desktop, and so on, which is handy if the box is so messed up it can’t even boot properly.
The ME runs closed-source remote-administration software to do this, and this code contains bugs – like all programs – except these bugs allow hackers to wield incredible power over a machine. The ME can potentially be abused to install rootkits and other forms of spyware that silently snoop on users, steal information, or tamper with files.
SPS is based on ME, and allows you to remotely configure Intel-powered servers over the network. TXE is Intel’s hardware authenticity technology. Previously, the AMT suite of tools, again running on ME, could be bypassed with an empty credential string.
Today, Intel has gone public with more issues in its firmware. It revealed it “has identified several security vulnerabilities that could potentially place impacted platforms at risk” following an audit of its internal source code:
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.
The flaws, according to Intel, could allow an attacker to impersonate the ME, SPS or TXE mechanisms, thereby invalidating local security features; “load and execute arbitrary code outside the visibility of the user and operating system”; and crash affected systems. The severity of the vulnerabilities is mitigated by the fact that most of them require local access, either as an administrator or less privileged user; the rest require you to access the management features as an authenticated sysadmin.
But as Google security researcher Matthew Garrett pointed out in the past hour or so, the aforementioned AMT flaw, if not patched, could allow remote exploitation.
In other words, if a server or other system with the AMT hole hasn’t been updated to kill off that vulnerability, these newly disclosed holes will allow anyone on the network to potentially log in and execute malicious code within the powerful ME coprocessor.
“The ME compromise presumably gives you everything the AMT compromise gives you, plus more,” said Garrett via Twitter. “If you compromise the ME kernel, you compromise everything on the ME. That includes AMT, but it also includes PTT.”
He explained, “PTT is Intel’s ‘Run a TPM in software on the ME’ feature. If you’re using PTT and someone compromises your ME, the TPM is no longer trustworthy. That probably means your Bitlocker keys are compromised, but it also means all your remote attestation credentials are toast.”
Garrett said if an exploit allows unsigned data to be installed and interpreted by the ME, an attacker could effectively trigger the reinfection of malware after every ME reboot. Were that to happen, the only way to fix things would be to reflash the hardware by hand. At that point, he said, it would probably be cheaper just to get new hardware.
Thanks, Intel. pic.twitter.com/w16IyKuCtu
— The Register (@TheRegister) November 20, 2017
Intel said systems using ME Firmware versions 11.0, 11.5, 11.6, 11.7, 11.10, and 11.20, SPS Firmware version 4.0, and TXE version 3.0 are affected. The cited CVE-assigned bugs are as follows:
Intel Manageability Engine Firmware 11.0.x.x/11.5.x.x/11.6.x.x/11.7.x.x/11.10.x.x/11.20.x.x
CVE-2017-5705: “Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
CVE-2017-5708: “Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
CVE-2017-5711: “Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.” Logged-in superusers, or high-privilege programs, can execute code within the AMT suite, below the OS and any other software.
CVE-2017-5712: “Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.” People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.
Intel Manageability Engine Firmware 8.x/9.x/10.x
CVE-2017-5711: “Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.” Logged-in superusers, or high-privilege programs, can execute code within the AMT suite, below the OS and any other software.
CVE-2017-5712: “Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.” People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.
Server Platform Service 4.0.x.x
CVE-2017-5706: “Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
CVE-2017-5709: “Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allows unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
Intel Trusted Execution Engine 3.0.x.x
CVE-2017-5707: “Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
CVE-2017-5710: “Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allows unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
Chipzilla thanked Mark Ermolov and Maxim Goryachy at Positive for discovering and bringing to its attention the flaw CVE-2017-5705, which sparked the aforementioned review of its source code for vulnerabilities.
Intel advises Microsoft and Linux users to download and run the Intel-SA-00086 detection tool to determine whether their systems are vulnerable to the above bugs. If you are at risk, you must obtain and install firmware updates from your computer’s manufacturer, if and when they become available. The new code was developed by Intel, but it needs to be cryptographically signed by individual hardware vendors in order for it to be accepted and installed by the engine.
Lenovo was quick off the mark with patches for its gear ready to download.
We’ll give you a roundup of fixes as soon as we can. It’s not thought Apple x86 machines are affected as they do not ship with Intel’s ME, as far as we can tell.
Today’s news will no doubt fuel demands for Intel to ship components free of its Management Engine – or provide a way to fully disable it – so people can use their PCs without worrying about security bugs on mysterious secluded coprocessors. ®

Amazon Key Camera Easily Attacked; Attackers Can Enter and Leave Homes at Will

Researchers at Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could allow a delivery driver to enter a customer’s home.

Earlier this month, Amazon announced Amazon Key for Prime users, a new program that lets delivery drivers enter your home under video surveillance, safely drop off a package, and lock the door as they leave. The system can also grant access to people you trust, such as family, friends, or a house cleaner.


But experts at Rhino Security Labs showed that attacking Amazon Key is very easy, which could let uninvited guests into your home.

The researchers found a vulnerability in the Amazon Key delivery service and the Cloud Cam security camera: an attacker can tamper with the camera and switch it off, so that it looks as if nobody entered the home.

Homeowners can use the Amazon Key app to remotely monitor the front door through the video feed and receive Amazon delivery alerts; the app used for Prime deliveries can also unlock and lock the door.

Rhino Labs experts developed an application that sends forged requests to the Wi-Fi router, appearing to come from the Cloud Cam device’s connection, asking that the camera be shut down.

(Responsible editor: Editor Song)


$1 Billion Lawsuit Focuses on EHR Data Integrity Concerns

Some legal experts say a nearly $1 billion class action lawsuit filed against electronic health records vendor eClinicalWorks could be the first of many cases scrutinizing the data integrity issues of EHR vendors. Others, however, contend that those filing such lawsuits will face many hurdles.
The suit alleges that eClinicalWorks’ cloud-based EHR system failed to provide reliable health information for potentially millions of patients, which means “patients and doctors cannot rely on the veracity of those records.”
The lawsuit against eClinicalWorks comes about five months after the Department of Justice announced that the Westborough, Massachusetts-based vendor agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement, with the Department of Health and Human Services’ Office of Inspector General (see eClinicalWorks Case Shines Spotlight on Data Integrity).
The Justice Department alleged the company falsely claimed it met the HITECH Act EHR incentive program’s certification requirements. Among the requirements it didn’t meet, according to DoJ: accurately recording user actions – such as orders for diagnostic tests – that are conducted in the course of a patient’s treatment and ensuring data portability.
Alleged Shortcomings
The civil lawsuit against eClinicalWorks alleges that as a result of the failure of the vendor to meet certification requirements of the HITECH Act EHR incentive program, the company’s software:
Periodically displayed incorrect medical information in the right chart panel of the patient screen;
Periodically displayed multiple patients’ information concurrently;
In specific workflows, failed to accurately display medical history on progress notes;
Failed to have audit logs accurately record user actions, and in some cases the audit logs misled users as to the events that were conducted in the course of a patient’s treatment.
“As a direct result of these deficiencies, millions of patients have had their medical records compromised, i.e. they can no longer rely on the accuracy and veracity of their medical records,” the lawsuit complaint claims.
“Because the audit history does not accurately record user actions, there is no way for any patient to know if their records were deleted/altered/modified. In other words, ECW was grossly negligent, or in the alternative, intentionally coded their software to not accurately record user actions,” the complaint says.
The lawsuit, which seeks class action status and $999 million in damages for breach of fiduciary duty and gross negligence, was filed on Thursday in a New York district court by Kristina Tot, the administrator of the Estate of Stjepan Tot, “on behalf of herself and all others similarly situated.”
The complaint alleges that prior to his death from cancer, Stjepan Tot learned that eClinicalWorks “failed to accurately display his medical history on progress notes. In particular, he was unable to determine reliably when his first symptoms of cancer appeared in that his medical record failed to accurately display his medical history on progress notes.”
More Cases to Come?
Attorney Steven Teppler of the Abbott Law Group, who is not involved in the eClinicalWorks case, says the lawsuit against the EHR vendor is likely the first of other similar legal cases that could be filed against vendors focusing on the data integrity of their EHR products and the potential impact on patients.
“How do you make these [electronic health records] testably reliable?” Teppler says. “He who controls the computing environment controls history,” he says. “As long as you have … super-user control, you can backdate, alter undetectably [patient record information]” he says. “There’s no independent audit agent in the digital world.”
Lisa Rivera, a healthcare regulatory and fraud attorney at law firm Bass, Berry and Sims, says eClinicalWorks, like Equifax, which reported a data breach affecting more than 143 million individuals, “was in the business of … information gathering and storing of protected and very private and personal information.” That’s because eClinicalWorks processes and stores EHR data in the cloud.
The case against eClinicalWorks puts a spotlight on vendors’ overall software practices for “what security is in place, how it’s being monitored, how it’s being tested,” she says.
Commenting on the lawsuit, privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek says: “It is difficult to forecast how this action will progress.”
A complaint alleging a third-party service provider caused injury to an individual has to overcome several hurdles, he points out. “Does the plaintiff allege that the defendant directly, or indirectly caused them demonstrable injury? Did the defendant have a recognized duty of care to prevent the injury? Is there some remedy available to make the plaintiff whole?” he asks.
“Patient safety has long been a concern in the use of electronic health records. One aspect that has received attention is the occurrence of medication errors that can potentially harm patients.”
He notes that some research has shown “that electronic health record use is a direct or indirect cause of medication errors that reach the patient. It is likely that incidents which can be tied to serious patient harm could be litigated, although it is much more likely that the healthcare provider administering the treatment will be the more likely target for lawsuits.”
Attorney Stephen Wu of Silicon Valley Law Group notes that the lawsuit doesn’t specifically claim Tot’s clinicians made poor treatment decisions about his care based on information in a record created using eClinicalWorks’ EHR system, causing harm to Tot. “Damages will be very hard to prove,” he says.
Holtzman adds: “It is both expensive and time-consuming to investigate if the electronic health record was the cause of serious patient harm. While it is possible that incidents which can be tied to serious patient harm could be litigated, it is much more likely that the healthcare provider administering the treatment will be the target for lawsuits.”
eClinicalWorks did not respond to an Information Security Media Group request for comment on the lawsuit.
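The complaint’s central technical claim is that the audit log could not be trusted to show whether a record had been altered or backdated, and Teppler’s remark that whoever controls the computing environment can alter history undetectably points at the underlying design problem. The following Python script is an added illustration of the defensive pattern that addresses it: a hash-chained audit log whose head hash is anchored with a party the operator does not control. It is not eClinicalWorks code and makes no claim about how that product records events; the entry format, the sample events and the helper names are this example’s own constructions.

```python
"""Tamper-evident audit log with an externally anchored head hash.

Added illustration for the audit-log integrity discussion above; this is not
eClinicalWorks code. Each entry's hash covers the previous entry's hash and
the entry's content, so editing, backdating, inserting or deleting an entry
breaks verification. An operator with super-user control can recompute the
whole chain, which is why the head hash must also be anchored with an
independent party; the example shows both the detection and that limit.
"""
import hashlib
import json

GENESIS = "0" * 64  # placeholder predecessor hash used before the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the canonical JSON of a record together with its predecessor's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # each item: {"record": {...}, "hash": "..."}

    def append(self, user: str, action: str, timestamp: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "user": user, "action": action, "ts": timestamp}
        digest = entry_hash(prev, record)
        self.entries.append({"record": record, "hash": digest})
        return digest

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchored_head: str = None) -> tuple:
        """Return (ok, detail): check every link, then the head against the external anchor."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["record"]["seq"] != i:
                return False, f"entry {i} has sequence {entry['record']['seq']} (entry removed or inserted)"
            if entry_hash(prev, entry["record"]) != entry["hash"]:
                return False, f"entry {i} hash mismatch (content altered)"
            prev = entry["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, "head differs from anchored head (chain was rewritten)"
        return True, "ok"

    def rechain(self):
        """What an insider with full control of the database could do: recompute every hash."""
        prev = GENESIS
        for entry in self.entries:
            entry["hash"] = entry_hash(prev, entry["record"])
            prev = entry["hash"]


def build_demo_log() -> AuditLog:
    """Constructed sample events (not real patient data)."""
    log = AuditLog()
    log.append("dr_smith", "order:diagnostic_test:CT_abdomen", "2017-03-02T09:14:00Z")
    log.append("dr_smith", "note:progress:first_symptoms_recorded", "2017-03-02T09:20:00Z")
    log.append("nurse_lee", "view:chart", "2017-03-02T11:02:00Z")
    return log


def backdate_and_check(log: AuditLog, anchored_head: str) -> dict:
    """Backdate entry 1 and verify; then rewrite the whole chain and verify with and without the anchor."""
    log.entries[1]["record"]["ts"] = "2016-12-01T09:20:00Z"
    after_edit = log.verify(anchored_head)
    log.rechain()
    return {
        "after_edit": after_edit,
        "rechained_unanchored": log.verify(),
        "rechained_anchored": log.verify(anchored_head),
    }


if __name__ == "__main__":
    log = build_demo_log()
    anchor = log.head()  # in practice escrowed with an independent party
    print("fresh log:", log.verify(anchor))
    for name, result in backdate_and_check(log, anchor).items():
        print(f"{name}: {result}")
```

Two points the run makes visible: a backdated timestamp is caught immediately because the stored hash no longer matches, but once the insider recomputes every hash the chain verifies cleanly unless the head is compared with a copy held outside the operator’s control; and truncation of the newest entries is only detectable through that external anchor, since the remaining prefix is a valid chain on its own.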

Texas Rangers have obtained a search warrant for the contents of a blood-splattered iPhone SE belonging to gunman Devin Kelley who killed 26 people in a murder-suicide at a church.
Over the weekend, the US state’s cops served the Cupertino phone-flinger a warrant demanding photos, messages and other potential evidence on Kelley’s iPhone as well as those stored on its associated iCloud account. Investigators also have a warrant to extract data stored on Kelley’s second handset, an LG flip-phone. He was named as the shooter in the November 5 Sutherland Springs mass-murder.

Specifically, the cops want all the messages, calls, social media passwords, contacts, photos, videos and other data since January 1, 2016, from the bloodied iPhone and iCloud account.
At this point it is not known if the files sought can all be pulled from backups held in the iCloud account, or if some will need to be obtained directly from the iPhone. Using iCloud for backups is optional.
The iPhone SE has a fingerprint sensor – so the dead man’s fingertips could be used to log into the device – however, it is now too late to use prints: a passcode must be entered after several hours have passed without a login.
Since the iPhone cannot be unlocked, and its file system is likely encrypted, Apple will be needed to find a way to extract and decrypt the data within, just like it was ordered to do in the San Bernardino murder case in California. In that investigation, Apple refused to comply with the government’s demands that it assist g-men in physically accessing the contents of a killer’s iPhone 5C.
The distinction between what is in the cloud and what is kept locally on the phone is important to make, as Apple maintains a policy of handing over data stored on its cloud service to agents and cops who show up armed with a warrant, while getting info from a locked and encrypted device itself is a far more complex and contentious issue.
Evidence … Kelley’s bloodied iPhone SE after the killer blew his brains out (Source: Court records)
Should investigators be unable to get the files from the iCloud backups, Apple could once again find itself battling a court order to hack into the handset to give officials access.
Last year, such an order was issued for an iPhone owned by one of San Bernardino shooters, prompting Apple to refuse the order on the grounds it would spark days of bad publicity, er, sorry, jeopardize the security of all its handsets and set a terrible precedent. The FBI eventually found a secret means to forcibly unlock the phone.
Now, with another iPhone at the heart of a mass-shooting tragedy, it is widely expected authorities will once again demand that Apple, somehow, open up a secured iThing.
In this case, the battle could be the catalyst to give law enforcement agencies backdoor access to break encryption in any device on demand – something privacy and security advocates alike have strongly opposed.
Apple declined to comment. ®

US-CERT Warns of ASLR Implementation Flaw In Windows

The U.S. Computer Emergency Readiness Team is warning of a vulnerability in Microsoft’s implementation of Address Space Layout Randomization that affects Windows 8, Windows 8.1 and Windows 10. The vulnerability could allow a remote attacker to take control of an affected system.
Microsoft said it is investigating the matter.
Address Space Layout Randomization (ASLR) is championed as a system hardening technology used in most major desktops and mobile operating systems. ASLR is used to thwart memory-based code-execution attacks. iOS, Android, Windows, macOS and Linux each use ASLR to keep systems safer.
Over the years bypassing ASLR has become somewhat of a sport for attackers and white-hat researchers. However, this latest ASLR issue has to do with Microsoft’s implementation of ASLR in Windows.
According to Will Dormann, a senior vulnerability analyst at CERT, Microsoft introduced an error in how it implemented ASLR in 2012, with the release of Windows 8. Ever since then, according to Dormann, the vulnerability has persisted, and it also affects Windows 10.
“Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard,” Dormann wrote. Under those specific conditions a flawed implementation could create an opportunity for an attacker to pull off a memory-based attack.
Microsoft told Threatpost it acknowledges the issue.
“The issue described by the US-CERT is not a vulnerability. ASLR is functioning as designed and customers running default configurations of Windows are not at increased risk. The US-CERT discovered an issue with configuring non-default settings for ASLR using Windows Defender Exploit Guard and EMET, and provided workarounds. Microsoft is investigating and will address the configuration issue accordingly,” Microsoft said.
The problem is tied to the way ASLR protects against attacks: it randomizes where programs are loaded in memory. Instead of executing at predictable memory locations that a hacker can anticipate, ASLR makes the addresses unpredictable.
But what Dormann found was that Microsoft’s flawed application of ASLR results in programs being relocated to a predictable address every time.
“Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of ‘On by default’ does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems,” Dormann wrote in a US-CERT vulnerability note.
Dormann said he discovered the vulnerability when he enabled system-wide ASLR in Windows 8. The researcher explained it this way on Twitter: “Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless.”
Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat. More details to come…https://t.co/xMR5qIKVGH

— Will Dormann (@wdormann) November 16, 2017
EMET stands for Enhanced Mitigation Experience Toolkit and it is a utility that works to prevent software vulnerabilities from being exploited.
The impact of this type of ASLR misconfiguration, Dormann said, is:
“Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.”
No patch exists yet for this vulnerability, the US-CERT bulletin said. However, the note offers a workaround: enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR enabled.
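The binaries exposed by this misconfiguration are exactly those built without /DYNAMICBASE, so an administrator wanting to size the problem needs to know which executables on a host carry that linker flag. The following Python checker is an added example, not code from the CERT note or from Dormann; it reads the DllCharacteristics word from a PE optional header and reports whether an image opts into ASLR itself or relies on mandatory ASLR. The function names and the constructed stub headers used to exercise it are assumptions for illustration.

```python
import struct

# PE optional-header DllCharacteristics bits (from the PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image linked with /DYNAMICBASE


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_header = e_lfanew + 4          # 20-byte COFF file header follows the signature
    optional_header = coff_header + 20
    magic = struct.unpack_from("<H", image, optional_header)[0]
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    return struct.unpack_from("<H", image, optional_header + 70)[0]


def aslr_status(image: bytes) -> dict:
    """Images without /DYNAMICBASE are the ones mandatory ASLR relocates,
    and therefore the ones the misconfiguration parks at a fixed address."""
    flags = dll_characteristics(image)
    dynamic_base = bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relies_on_mandatory_aslr": not dynamic_base,
    }


def build_stub_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed, non-loadable PE header used only to exercise the parser."""
    e_lfanew = 0x80
    dos_stub = bytearray(e_lfanew)
    dos_stub[:2] = b"MZ"
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos_stub) + b"PE\0\0" + coff + bytes(opt)
```

Run `aslr_status(open(path, "rb").read())` over the executables on a host to list those with `relies_on_mandatory_aslr` set; those are the images that gain nothing from system-wide ASLR until bottom-up ASLR is also enabled.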
Dormann also credits Matt Miller, a security engineer at the Microsoft Security Response Center, for research assistance. Microsoft did respond to a request for comment for this report.

New Android vulnerability disclosed: it can record audio and screen activity

Android users should take note: a new vulnerability in the MediaProjection service has been disclosed. Using it, an attacker can record the audio and screen activity of a device. An estimated 77.5% of Android devices are affected.


MediaProjection is a system-level service that has been part of Android since it was introduced; it is responsible for screen capture. To use it, however, an application needed root access and had to be signed with the device's system key, which in early releases limited MediaProjection to system-level applications developed by Android OEMs.

With the release of Android Lollipop (5.0), Google opened the service to everyone. This lets Android app developers capture the user's screen contents or record system audio without holding the permissions above or obtaining user authorization.

The problem is that to use the MediaProjection service, an app only needs to invoke the system's screen-recording component through an intent, which triggers a SystemUI pop-up window telling the user that the app is about to use screen recording. At that point an attacker can draw arbitrary content over the SystemUI pop-up to trick the user into consenting, and then record screen activity.

Because the SystemUI pop-up is the only access-control mechanism preventing abuse of the MediaProjection service, an attacker can easily bypass it and hijack the prompt to obtain screen-recording authorization, so the threat is significant.

  Only Android 8.0 has been patched against this vulnerability so far

Reportedly, only Android 8.0 has been patched against this vulnerability so far, and a large number of Android devices remain exposed; Android users are advised to upgrade their system firmware as soon as possible. App developers can also set the FLAG_SECURE flag in WindowManager to ensure that the app's UI content cannot be captured in screenshots or displayed in insecure environments.

(Editor: An Botao)

Texas Rangers have obtained a search warrant for the contents of a blood-splattered iPhone SE belonging to gunman Devin Kelley who killed 26 people in a murder-suicide at a church.
Over the weekend, the US state’s cops served the Cupertino phone-flinger a warrant demanding photos, messages and other potential evidence on Kelley’s iPhone as well as those stored on its associated iCloud account. Investigators also have a warrant to extract data stored on Kelley’s second handset, an LG flip-phone. He was named as the shooter in the November 5 Sutherland Springs mass-murder.
Specifically, the cops want all the messages, calls, social media passwords, contacts, photos, videos and other data since January 1, 2016, from the bloodied iPhone and iCloud account.
At this point it is not known if the files sought can all be pulled from backups held in the iCloud account, or if some will need to be obtained directly from the iPhone. Using iCloud for backups is optional.
The iPhone SE has a fingerprint sensor – so the dead man’s fingertips could be used to log into the device – however, it is now too late to use prints: a passcode must be entered after several hours have passed without a login.
Since the iPhone cannot be unlocked, and its file system is likely encrypted, Apple will be needed to find a way to extract and decrypt the data within, just like it was ordered to do in the San Bernardino murder case in California. In that investigation, Apple refused to comply with the government’s demands that it assist g-men in physically accessing the contents of a killer’s iPhone 5C.

The distinction between what is in the cloud and what is kept locally on the phone is important to make, as Apple maintains a policy of handing over data stored on its cloud service to agents and cops who show up armed with a warrant, while getting info from a locked and encrypted device itself is a far more complex and contentious issue.
Evidence … Kelley’s bloodied iPhone SE after the killer blew his brains out (Source: Court records)
Should investigators be unable to get the files from the iCloud backups, Apple could once again find itself battling a court order to hack into the handset to give officials access.
Last year, such an order was issued for an iPhone owned by one of San Bernardino shooters, prompting Apple to refuse the order on the grounds it would spark days of bad publicity, er, sorry, jeopardize the security of all its handsets and set a terrible precedent. The FBI eventually found a secret means to forcibly unlock the phone.
Now, with another iPhone at the heart of a mass-shooting tragedy, it is widely expected authorities will once again demand that Apple, somehow, open up a secured iThing.
In this case, the battle could be the catalyst to give law enforcement agencies backdoor access to break encryption in any device on demand – something privacy and security advocates alike have strongly opposed.
Apple declined to comment. ®

Amazon Echo and Google Home patched against BlueBorne threat

The Amazon Echo and Google Home are being marketed to the world as the “smart speakers” to put helpful, voice-assisted Internet of Things (IoT) AI into people’s homes.
This week we had wearying confirmation that they also, less helpfully, distribute the same security failings into people’s homes as every other device.
Specifically, Amazon and Google have quietly patched flaws in these devices to protect them against BlueBorne, a haul of eight Bluetooth security vulnerabilities reported by Armis Labs in September:
BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode.
Nobody knew Amazon and Google’s products were affected until Armis announced the following issues, which mercifully should already have been automatically patched for the Echo’s 15 million, and the Google Home’s five million users, respectively:
For the Echo range:
A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)
An information leak in the SDP (Service Discovery Protocol) Server (CVE-2017-1000250)
If left unpatched, the first of these can allow an attacker to gain full control of an Echo device (demonstrated in a proof-of-concept video), while the second exposes it to what Armis described as a Heartbleed-style attack on the encryption keys used to secure wireless communication.
Updated Echo devices will be running software version 591448720, which can be checked by following the company’s instructions.
For Google Home:
An information leak vulnerability in the Android Bluetooth stack (CVE-2017-0785) that could be used to run a DoS (Denial of Service) attack on the device.
The updated Google Home software version is 1.28.99956 (1.28.100429 for the Home Mini). Instructions on how to find this are on Google’s support pages.
Armis has also released a Google Play Store app that will scan for devices vulnerable to BlueBorne.
In fairness to Amazon and Google, BlueBorne is a family of vulnerabilities affecting a technology used by huge numbers of Bluetooth devices across many product classes, including computers, phones and other IoT devices.
What this episode hints at is the potential damage a vulnerability in this kind of device (now being bought by businesses as well as home users) could cause, were it successfully exploited.
Take for instance last month’s glitch in Google’s Home Mini that caused a device to secretly record its owner’s conversations for two days. That was a product design issue but the surveillance potential of these devices was being spelled out.
Armis is also worried about the general sprawl of the Internet of Things itself:
Unlike in the PC and mobile world, in which two or three main OSs control the absolute majority of the market, for IoT devices, no such dominant players exist.
The point being that in a fragmented market, vendors can struggle to work out whether an issue affects them or not.
Perhaps, then, the Echo and Home are at the positive end of the spectrum because, unlike too many IoT devices, at least they can be updated without the user having to do anything. But what happens when they are declared obsolete a few years from now and their makers have moved on to greater things?
History tells us that some of the Echo and Home speakers being bought today will still be out there somewhere. The simple but troubling truth is that while these always-listening products will eventually become obsolete, their vulnerabilities will hang around indefinitely.