2016 October

Google and Facebook are building the fastest trans-Pacific cable yet

Google and Facebook are teaming up to build a 120 Terabits per second (Tbps) submarine cable that will connect Los Angeles with Hong Kong. The two companies are working with Pacific Light Data Communication — a wholly owned subsidiary of China Soft Power Technology that’s relatively new to the sub-sea cable game.

When it was first announced late last year (and before Google’s or Facebook’s names were attached to the project) the estimate was that the construction of the new Pacific Light Cable Network would cost about $400 million. The cable will feature five fiber pairs. A single one of those pairs will be able to provide 24 Tbps of bandwidth.
https://techcrunch.com/2016/10/12/google-and-facebook-are-building-the-fastest-trans-pacific-cable-yet/


AVTECH Shuns Security Firm and Leaves All Products Vulnerable Without a Patch

AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm that spent more than a year trying to inform the company about 14 security bugs affecting the firmware of all its products.

Over 130,000 AVTECH products available online

Search-Lab says their researcher is not the only one who spotted these issues. Currently, the term “AVTECH” is the second most popular search term on Shodan, a search engine for discovering Internet-connected equipment, often used by hackers to find their next targets.

http://news.softpedia.com/news/avtech-shuns-security-firm-and-leaves-all-products-vulnerable-without-a-patch-509223.shtml


GlobalSign screw-up cancels top websites’ HTTPS certificates

Final update: GlobalSign’s efforts as a root certificate authority have gone TITSUP this afternoon – that’s a total inability to support usual protocols.

The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or are reluctant to access them.

Specifically, it appears GlobalSign inadvertently triggered the revocation of its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified SSL/TLS certificates issued by GlobalSign to its customers. It could take days to fix, leaving folks unable to easily read their favorite webpages.

GlobalSign estimates it could take until the beginning of next week for websites’ accidentally axed certs to be corrected. The organization has set up a support page for IT administrators and folks looking to fix broken HTTPS certificates.

GlobalSign said the worldwide mass revocation was an “unexpected consequence” of internal changes it made, and claimed browsers and other software “incorrectly inferred” that certificates had been burned. (It later admitted its own systems were at fault.)

http://www.theregister.co.uk/2016/10/13/globalsigned_off/
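The mechanism behind the outage, as an added example that is not part of the original article and has nothing to do with GlobalSign's actual systems: a constructed three-tier PKI (root, intermediate, leaf) built in Go with the standard library, in which the root publishes a CRL listing its own intermediate. The validator does what the browsers did that afternoon: it builds the chain from the leaf to a trusted root and then rejects the whole chain as soon as any CA in it appears on its issuer's CRL, so every customer certificate below the revoked intermediate stops working at once. All names, serial numbers and the hostname www.example.test are made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed hierarchy generated fresh on every run; it is not
// GlobalSign's real chain, only the same shape (root -> intermediate -> leaf).
type testPKI struct {
	Root, Inter, Leaf *x509.Certificate
	rootKey, interKey *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with parentKey (parent == template for a self-signed root)
// and returns the parsed certificate so SubjectKeyId etc. are populated.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate builds a CA template that may sign certificates and CRLs.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func newTestPKI() *testPKI {
	now := time.Now()
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate(1, "Example Root CA (constructed)", now)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Intermediate CA (constructed)", now), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"}, // constructed hostname
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return &testPKI{Root: root, Inter: inter, Leaf: leaf, rootKey: rootKey, interKey: interKey}
}

// RevokeIntermediate has the root publish a CRL that lists the intermediate's
// serial number: the situation the article describes, reproduced deliberately.
func (p *testPKI) RevokeIntermediate() *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: p.Inter.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.rootKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// ChainValid builds the leaf's chain to the trusted root and then, if a CRL from
// the root is supplied, rejects the chain when any certificate the root issued
// appears on it. A revoked intermediate therefore takes every leaf down with it.
func ChainValid(p *testPKI, rootCRL *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{
		DNSName: "www.example.test", Roots: roots, Intermediates: inters,
	})
	if err != nil {
		return fmt.Errorf("chain building failed: %w", err)
	}
	if rootCRL == nil {
		return nil
	}
	if err := rootCRL.CheckSignatureFrom(p.Root); err != nil {
		return fmt.Errorf("CRL is not signed by the trusted root: %w", err)
	}
	for _, cert := range chains[0] {
		if !bytes.Equal(cert.RawIssuer, p.Root.RawSubject) {
			continue // this CRL only speaks for certificates the root issued
		}
		for _, rc := range rootCRL.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q is revoked; everything issued beneath it is untrusted", cert.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	pki := newTestPKI()
	fmt.Println("before revocation:", ChainValid(pki, nil))
	fmt.Println("after revocation: ", ChainValid(pki, pki.RevokeIntermediate()))
}
```

The validator only consults the root's CRL because that is the only issuer in this toy hierarchy; a production validator matches each certificate in the chain to its own issuer's CRL or OCSP responder. The `continue` keeps the leaf (issued by the intermediate, not the root) from being compared against a list that cannot speak for it, which is the kind of detail that decides whether a mass revocation is reported correctly or blamed on clients "incorrectly inferring" it.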


“Most serious” Linux privilege-escalation bug ever is under active exploit

A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it’s not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that’s a part of virtually every distribution of the open-source OS released for almost a decade. What’s more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

As their names describe, privilege-escalation or privilege-elevation vulnerabilities allow attackers with only limited access to a targeted computer to gain much greater control. The exploits can be used against Web hosting providers that provide shell access, so that one customer can attack other customers or even service administrators. Privilege-escalation exploits can also be combined with attacks that target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit, however, such attacks can often achieve highly coveted root status.

http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/?comments=1

This entry was posted in Weekly Newsletter.