CVE-2017-15289

http://ift.tt/2xKcN3m

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 04:23PM

Spinrilla Wants RIAA Case Thrown Out Over ‘Lies’ About ‘Hidden’ Piracy Data

http://ift.tt/2xKcIg4

Earlier this year, a group of well-known labels targeted Spinrilla, a popular hip-hop mixtape site and app which serves millions of users.

The coalition of record labels, including Sony Music, Warner Bros. Records, and Universal Music Group, filed a lawsuit against the service over alleged copyright infringements.

While the discovery process is still ongoing, Spinrilla recently informed the court that the record labels have “just about derailed” the entire case. The company has submitted a motion for sanctions, which is currently sealed, but additional information submitted to the court this week reveals what’s going on.

When the labels filed their original complaint they listed 210 tracks, without providing the allegedly infringing URLs. These weren’t shared during the early stages of the discovery process either, forcing the site to manually search for potentially infringing links.

Then, early October, Spinrilla received a massive spreadsheet with over 2,000 tracks, including the infringing URLs. This data came from the RIAA and supported the long list of infringements in the amended complaint submitted around the same time.

The spreadsheet would have made the discovery process much easier for Spinrilla. In a supplemental brief supporting a motion for sanctions, Spinrilla accuses the labels of hiding the piracy data from them and lying about it, “derailing” the case in the process.

“Significantly, Plaintiffs used that lie to convince the Court they should be allowed to add about 1,900 allegedly infringed sound recordings to their original list of 210. Later, Plaintiffs repeated that lie to convince the Court to give them time to add even more sound recordings to their list.”

Spinrilla says they were forced to go down an expensive and unnecessary rabbit hole to find the infringing files, even though the RIAA data was available all along.

“By hiding and lying about the RIAA data, Plaintiffs forced Defendants to spend precious time and money fumbling through discovery. Not knowing that Plaintiffs had the RIAA data,” the company writes.

The hip-hop mixtape site argues that the alleged wrongdoing is severe enough to have the entire complaint dismissed, as the ultimate sanction.

“It is without exaggeration to say that by hiding the RIAA spreadsheets and that underlying data, Defendants have been severely prejudiced. The Complaint should be dismissed with prejudice and, if it is, Plaintiffs can only blame themselves,” Spinrilla concludes.

The stakes are certainly high in this case. With well over 2,000 infringing tracks listed in the amended complaint, the hip-hop mixtape site faces statutory damages as high as $300 million, at least in theory.

Spinrilla’s supplemental brief in further support of the motion for sanctions is available here (pdf).

Security News

via TorrentFreak http://ift.tt/JHJIUI

October 16, 2017 at 04:22PM

Vuln: Fortinet FortiWLC CVE-2017-7335 Multiple Cross Site Scripting Vulnerabilities

http://ift.tt/2yNKbq3

Bugtraq ID: 101287
Class: Input Validation Error
CVE: CVE-2017-7335
Remote: Yes
Local: No
Published: Oct 13 2017 12:00AM
Updated: Oct 13 2017 12:00AM
Credit: Ali Ardic

Vulnerable:
  Fortinet FortiWLC 8.3.2
  Fortinet FortiWLC 8.3
  Fortinet FortiWLC 8.2
  Fortinet FortiWLC 8.1
  Fortinet FortiWLC 8.0
  Fortinet FortiWLC 7.0-9
  Fortinet FortiWLC 7.0-8
  Fortinet FortiWLC 7.0-7
  Fortinet FortiWLC 7.0-10
  Fortinet FortiWLC 6.1-5
  Fortinet FortiWLC 6.1-4
  Fortinet FortiWLC 6.1-2

Not Vulnerable:
  Fortinet FortiWLC 8.3.3
  Fortinet FortiWLC 7.0.11

Security News

via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 16, 2017 at 04:09PM

Aussies Propose Crackdown On Insecure IoT Devices

http://ift.tt/2x1dBg1

We’ve all seen the stories about IoT devices with laughably poor security: within our community, as fresh vulnerabilities are exposed and ridiculed, and more recently in the wider world, as stories of easily compromised baby monitors have surfaced in mass media outlets. It’s a problem with its roots in IoT device manufacturers treating their products as appliances rather than software, and in a drive to produce them at the lowest possible price.

The Australian government has announced that IoT security is now firmly in its sights, proposing a possible certification scheme with a logo that manufacturers would be able to use if their products meet a set of requirements. Such basic security features as changeable, non-guessable, and non-default passwords are being mentioned, though we’re guessing that would also include a requirement not to expose ports to the wider Internet. Most importantly, it is said to include a requirement for software updates to fix known vulnerabilities. It is reported that they are also in talks with other countries to harmonize some of these standards internationally.

It is difficult to see how any government could enforce such a scheme by technical means such as disallowing Internet connection to non-compliant devices, and if that were what was being proposed it would certainly cause us some significant worry. Therefore it’s likely that this will be a consumer certification scheme similar, for example, to the safety standards for toys, administered as devices are imported and through enforcement of trading standards legislation. The tone in which it’s being sold to the public is one of “Think of the children” in terms of compromised baby monitors, but as long-time followers of Hackaday will know, that’s only a small part of the wider problem.

Thanks [Bill Smith] for the tip.

Baby monitor picture: Binatoneglobal [CC BY-SA 3.0].

Security News

via Hackaday https://hackaday.com

October 16, 2017 at 04:04PM

Security Flaw Prompts Fears on Wi-Fi Connections

http://ift.tt/2wYWICl

A newly discovered flaw in the widely used Wi-Fi encryption protocol could leave millions of users vulnerable to attacks, prompting warnings Monday from the US government and security researchers worldwide.

The US government’s Computer Emergency Response Team (CERT) issued a security bulletin saying the flaw can open the door to hackers seeking to eavesdrop on or hijack devices using wireless networks.

“Exploitation of these vulnerabilities could allow an attacker to take control of an affected system,” said CERT, which is part of the US Department of Homeland Security.

The agency’s warning came on the heels of research by computer scientists at the Belgian university KU Leuven, who dubbed the flaw KRACK, for Key Reinstallation Attack.

According to the news site Ars Technica, the discovery was a closely guarded secret for weeks to allow Wi-Fi systems to develop security patches.

Attackers can exploit the flaw in WPA2 — the name for the encryption protocol — “to read information that was previously assumed to be safely encrypted,” said a blog post by KU Leuven researcher Mathy Vanhoef.

“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.”

The researcher said the flaw may also allow an attacker “to inject ransomware or other malware into websites.”

The KRACK vulnerability allows attackers to circumvent the “key” on a Wi-Fi connection that keeps data private.

The Belgian researchers said in a paper that devices on all operating systems may be vulnerable to KRACK, including 41 percent of Android devices.

– ‘Be afraid’ –

The newly discovered flaw was serious because of the ubiquity of Wi-Fi and the difficulty in patching millions of wireless systems, according to researchers.

“Wow. Everyone needs to be afraid,” said Rob Graham of Errata Security in a blog post.

“It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup.”

Alex Hudson, of the British-based digital service firm Iron Group, said the discovery means that “security built into Wi-Fi is likely ineffective, and we should not assume it provides any security.”

Hudson said Wi-Fi users who browse the internet should still be safe due to encryption on most websites but that the flaw could affect a number of internet-connected devices.

“Almost certainly there are other problems that will come up, especially privacy issues with cheaper Internet-enabled devices that have poor security,” Hudson said in a blog post.

Researchers at Finland-based security firm F-Secure said in a statement the discovery highlights longstanding concerns about Wi-Fi systems’ vulnerability.

“The worst part of it is that it’s an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks,” F-Secure said in a statement.

The F-Secure researchers said wireless network users can minimize the risks by using virtual private networks, and by updating devices including routers.

The Wi-Fi Alliance, an industry group which sets standards for wireless connections, said computer users should not panic.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” the group said in a statement.

“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”

Microsoft said it released a patch on October 10 to protect users of Windows devices. “Customers who have Windows Update enabled and applied the security updates, are protected automatically,” Microsoft said.

A Google spokesman said, “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 16, 2017 at 03:52PM

Prepare for the internet of things invasion – CRN Australia

http://ift.tt/2gJ1QVe

COMMENT  |  So, the army of internet of things is growing. Near as Rabid can tell, this is all the toys that can connect to the internet but don’t let you check your email or Facebook on them. Stuff like rainfall monitors, and flood level monitors, electricity meters, and GPS …

Security News,IoT News

via IoT – Google News http://ift.tt/2pYPKZV

October 16, 2017 at 03:41PM