DMCA Ruling Ensures You Can’t Be Sued For Hacking Your Car, Your Games Or Your iPhone

“This ‘access control’ rule is supposed to protect against unlawful copying,” said EFF staff attorney Kit Walsh. “But as we’ve seen in the recent Volkswagen scandal – where VW was caught manipulating smog tests – it can be used instead to hide wrongdoing hidden in computer code. We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers.”

Walsh expressed disappointment the exemption would not come into force for another year. There may also be a limitation on what tinkerers can do, as the exemption does not allow for modification of “computer programs primarily designed for the control of telematics or entertainment systems for such vehicle”, though security researchers should still be allowed to poke holes in them.

“This is a significant step forward for security research and acknowledges the value research plays in protecting consumers from risk of harm. There is still more work to be done – for example the exemption is limited in its application, and the Computer Fraud and Abuse Act still presents many challenges – but this represents an important shift in the discussion around security research at the Government level,” added Jen Ellis, vice president of community and public affairs at Rapid7, and one of the campaigners for the exemption.

“We look forward to continuing to collaborate with both Congress and the administration to build even greater understanding of, and protections for, security research.”

Tuesday, October 27, 2015

New zero-day exploit hits fully patched Adobe Flash

Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers, security researchers warned Tuesday.

So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available. The researchers wrote:

In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit. In this wave of attacks, the emails were about the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Pawn Storm has zeroed in on foreign affairs ministries in recent months. In the past, the group has targeted politicians, artists, and journalists in Russia, and it has infected the iOS devices of Western governments and news organizations. Some researchers have linked the espionage campaign to the Russian government, but the usual disclaimers about attribution of hacks apply.

An Adobe spokeswoman said that company researchers received a proof-of-concept exploit on Tuesday morning and are in the process of investigating. If confirmed, it wouldn’t be surprising to see Adobe publish an emergency update in the next few days. As always, readers should consider disabling Flash on as many sites as possible, since it’s not unusual for attackers to compromise trusted sites and use them to attack the people who visit them. Most browsers by default provide a click-to-play mechanism that blocks Flash-based content for each site visited unless explicitly approved by the end user. A more thorough approach is to uninstall Flash altogether.


North America is out of IPv4 addresses …


Two months ago, THN reported a similar announcement by the American Registry for Internet Numbers (ARIN), which said that the agency was no longer able to provide IPv4 addresses in North America.
Within a few months, ARIN, which handles Internet addresses in America, has announced the final exhaustion of its free pool of IPv4 addresses: the pool has reached zero, i.e. no unallocated IPv4 (Internet Protocol version 4) addresses remain.
Meanwhile, ARIN will continue to accept requests for IPv4 space, which can be satisfied in two ways:
  1. Wait List for Unmet IPv4 Requests – join the waiting list for unmet requests in the hope that a block of the desired size becomes available in the future.
  2. IPv4 Transfer Market – purchase addresses from another organization that has more than it needs.
So, in the future, IPv4 address space will be allocated to approved requests on the Waiting List for Unmet Requests if ARIN:
  • receives any IPv4 address space from IANA (Internet Assigned Numbers Authority),
  • recovers address space from cancellations, or
  • receives address space returned by organizations.
They say, “The source entity (-ies within the ARIN Region (8.4)) will be ineligible to receive any further IPv4 address allocations or assignments from ARIN for a period of 12 months after a transfer approval, or until the exhaustion of ARIN’s IPv4 space, whichever occurs first.”
These changes will affect organizations involved in Transfers between Specified Recipients within the ARIN Region (Transfer 8.3) and Inter-RIR Transfers to Specified Recipients (Transfer 8.4).
RIR stands for Regional Internet Registry; ARIN is one of the RIRs.
Also, if ARIN succeeds in allotting IPv4 address space to the entities on the waiting list and is still left with IPv4 addresses, it will reopen the free pool and add them there for future use.
We see this as just the start of the IPv6 era.
IPv6 was specified nearly two decades ago, in 1998, and it features much longer addresses, such as FE80:0000:0000:0000:0202:B3FF:FE1E:8329. This means that IPv6 offers a total pool of 340 Trillion Trillion Trillion addresses, providing capacity for a very long time.
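To make the numbers and the address format above concrete, here is an added Python example (not code from THN or ARIN) that parses the article's sample address with the standard library, reports its scope, compares the IPv4 and IPv6 pool sizes, and, because that particular address carries the 0xFFFE marker of a modified EUI-64 interface identifier, recovers the 48-bit MAC address it was derived from; the second address used for contrast is a constructed documentation-range value.

```python
import ipaddress

# The sample address quoted in the article; a documentation-range address is
# constructed here purely for contrast.
ARTICLE_ADDR = "FE80:0000:0000:0000:0202:B3FF:FE1E:8329"
DOC_ADDR = "2001:db8::1"

IPV4_POOL = 2 ** 32    # 32-bit addresses, now exhausted at ARIN
IPV6_POOL = 2 ** 128   # 128-bit addresses, roughly 3.4e38


def describe(addr_text: str) -> dict:
    """Parse an IPv6 literal and report its canonical forms and scope."""
    addr = ipaddress.IPv6Address(addr_text)
    return {
        "compressed": addr.compressed,     # shortest textual form
        "exploded": addr.exploded,         # all eight 16-bit groups, zero-padded
        "link_local": addr.is_link_local,  # inside fe80::/10, never routed globally
        "global": addr.is_global,
    }


def embedded_mac(addr_text: str):
    """Return the MAC a modified EUI-64 interface identifier was built from.

    Modified EUI-64 splits the 48-bit MAC in half, inserts 0xFFFE between the
    halves and flips the universal/local bit (bit 1 of the first octet).
    Returns None when the low 64 bits do not carry the 0xFFFE marker."""
    iid = ipaddress.IPv6Address(addr_text).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first_octet = iid[0] ^ 0x02              # undo the universal/local flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def pool_ratio() -> int:
    """How many times larger the IPv6 pool is than the whole IPv4 pool."""
    return IPV6_POOL // IPV4_POOL


if __name__ == "__main__":
    print(describe(ARTICLE_ADDR))
    print("embedded MAC:", embedded_mac(ARTICLE_ADDR))
    print(f"IPv6 pool: {IPV6_POOL:.3e} addresses, {pool_ratio()}x IPv4")
```

An address that embeds its interface's MAC in this way stays constant across networks, which is why hosts commonly generate randomized interface identifiers instead.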


Microsoft issues emergency patch for critical vulnerability in Windows

Don’t ask questions, just install your updates!!!

Microsoft has released an emergency update to patch a security bug that allows attackers to remotely execute malicious code on computers running every supported version of Windows.

The critical vulnerability, which is present in all supported versions of Windows, involves the way the Windows Adobe Type Manager Library handles fonts that use Microsoft’s OpenType format. The bug allows attackers to take complete control of vulnerable computers. Attackers can exploit it by luring targets to booby-trapped websites or by tricking a target into opening a malicious file.

There are no indications at the moment that the vulnerability is being actively exploited in the wild. Still, the unscheduled issuance on Monday is an indication that the chances of exploitation are high enough to merit installation as soon as possible.

“When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers,” Microsoft officials wrote in an advisory published Monday. “Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.”

The easiest way to close the security hole is to use Windows Update to install the patch. For organizations where immediate patching isn’t an option, Microsoft’s advisory recommended several workarounds. The update isn’t available for Windows Server 2003, which as of last week no longer receives support.

The patch comes six days after Microsoft fixed a separate vulnerability in the Adobe Type Manager Font Driver. Despite the similarity to the Windows Adobe Type Manager Library being patched in Monday’s emergency release, this appears to be a separate bug. The earlier security bug became public knowledge following the breach two weeks ago of Hacking Team networks and has been actively exploited in the wild, presumably in combination with an Adobe Flash exploit, so attackers could break out of the Google Chrome security sandbox and achieve remote code execution.