RSS Live Feed

Over 60 South Korean Crypto Exchanges Set To Suspend Services Next Week

Slashdot - Sat, 2021/09/18 - 12:21 AM
More than 60 cryptocurrency exchanges in South Korea must notify customers of a partial or full suspension of trading by Friday midnight, a week before a new regulation comes into effect. An anonymous reader writes: To continue operating, exchanges must register with the Financial Intelligence Unit by Sept. 24, providing a security certificate from the internet security agency. They must also partner with banks to ensure real-name accounts. Exchanges that have not registered must shut down services after Sept. 24, while those that have registered but failed to secure partnerships with banks will be prohibited from trading in won. "Should some or all services need to be closed, (exchanges) should notify customers of the expected closing date and procedures to withdraw money by at least seven days before the closure," the Financial Services Commission said earlier this week. It said this should be completed no later than Sept. 17.

Read more of this story at Slashdot.

CVE-2021-41315

Latest 7 days CVE Lists - Sat, 2021/09/18 - 12:15 AM
The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. This allows an authenticated attacker (with access to the console application) to execute arbitrary OS commands and escalate privileges.

CVE-2021-41316

Latest 7 days CVE Lists - Sat, 2021/09/18 - 12:15 AM
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.

Tencent Opens WeChat To Rivals' Links as App Walls Crumble

Slashdot - Fri, 2021/09/17 - 11:41 PM
Tencent allowed users of its main WeChat social media service to link to rivals' content for the first time in years, taking initial steps to comply with Beijing's call to dismantle walls around platforms run by the country's online giants. From a report: From Friday, users who upgrade to the latest version of the messaging service can access external services such as Alibaba's Taobao online mall or ByteDance's video app Douyin, both of which were previously walled off from WeChat's billion-plus members. That applies however only to one-on-one messaging, not group chats nor Facebook-like Moments pages. While it's unclear whether the social giant has opened up more of its scores of online services, it's a major step for Tencent, which along with Alibaba and ByteDance controls vast swathes of China's internet. In a statement announcing the move Friday, Tencent said it will also provide ways for its users to report suspicious content, and work on features for sharing links in wider group discussions. China's top technology regulator has warned internet firms to stop blocking links to rival services, prising open so-called walled gardens in a broader campaign to curb their growing monopoly on data and protect consumers. The government has accused a handful of companies of unfairly protecting their respective spheres: Tencent in social media via WeChat, Alibaba in e-commerce with Taobao and Tmall and, more recently, ByteDance in video via TikTok-cousin Douyin.


CVE-2021-31842

Latest 7 days CVE Lists - Fri, 2021/09/17 - 11:15 PM
XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.

CVE-2021-31843

Latest 7 days CVE Lists - Fri, 2021/09/17 - 11:15 PM
Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.

CVE-2021-31844

Latest 7 days CVE Lists - Fri, 2021/09/17 - 11:15 PM
A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.200 allows a local attacker to execute arbitrary code with elevated privileges through placing carefully constructed Ami Pro (.sam) files onto the local system and triggering a DLP Endpoint scan through accessing a file. This is caused by the destination buffer being of fixed size and incorrect checks being made on the source size.

CVE-2021-31845

Latest 7 days CVE Lists - Fri, 2021/09/17 - 11:15 PM
A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Discover prior to 11.6.100 allows an attacker in the same network as the DLP Discover to execute arbitrary code through placing carefully constructed Ami Pro (.sam) files onto a machine and having DLP Discover scan it, leading to remote code execution with elevated privileges. This is caused by the destination buffer being of fixed size and incorrect checks being made on the source size.

CVE-2021-39227

Latest 7 days CVE Lists - Fri, 2021/09/17 - 11:15 PM
ZRender is a lightweight graphic library providing 2D drawing for Apache ECharts. In versions prior to 5.2.1, using the `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: check whether `__proto__` is present among the object keys and remove it before passing the object as a parameter to these affected methods, or to `echarts.util.merge` and `setOption` if the project is using ECharts.
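The following JavaScript is an added illustration and is not code from ZRender, ECharts, or the advisory. It shows why a recursive merge that walks into a `__proto__` key ends up writing to `Object.prototype`, and implements the workaround the advisory describes: drop `__proto__` from the input's keys before handing it to a merge-style method (the advisory names `echarts.util.merge` and `setOption`). The function names `naiveMerge`, `stripProtoKeys`, `safeMerge` and `demonstrate` are hypothetical, the payload is constructed, and the additional `constructor`/`prototype` keys in the deny list are an assumed defensive extension beyond what the advisory states.

```javascript
'use strict';

// Keys that must never be copied from untrusted input into a merge target.
// `__proto__` is the key named in the advisory; `constructor` and `prototype`
// are added here as a defensive assumption, not from the advisory.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// The vulnerable pattern: a recursive merge that trusts every key of `source`.
// For `{"__proto__": {...}}`, target['__proto__'] resolves to Object.prototype,
// so the recursion writes attacker-chosen properties onto every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Workaround from the advisory: remove `__proto__` from the object keys before
// passing the object to an affected method. Returns a new object tree; arrays
// are walked as well because chart options commonly nest them.
function stripProtoKeys(value) {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = stripProtoKeys(value[key]);
  }
  return out;
}

// Hardened merge: skips forbidden keys and only recurses into *own* plain-object
// properties of the target, so inherited objects are never reachable.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: JSON.parse creates an *own* property literally named
// "__proto__", which is what a JSON body received from the network carries.
const CONSTRUCTED_PAYLOAD =
  '{"__proto__": {"polluted": true}, "series": {"type": "bar"}}';

// Runs each variant against a fresh target and records whether Object.prototype
// gained the "polluted" property; undoes the pollution from the vulnerable run.
function demonstrate() {
  const base = () => ({ series: { animation: false } });
  const polluted = () =>
    Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');

  const safeResult = safeMerge(base(), JSON.parse(CONSTRUCTED_PAYLOAD));
  const safePolluted = polluted();

  const strippedResult = naiveMerge(base(), stripProtoKeys(JSON.parse(CONSTRUCTED_PAYLOAD)));
  const strippedPolluted = polluted();

  naiveMerge(base(), JSON.parse(CONSTRUCTED_PAYLOAD));
  const naivePolluted = polluted();
  delete Object.prototype.polluted; // clean up after the vulnerable run

  return { safeResult, safePolluted, strippedResult, strippedPolluted, naivePolluted };
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}
```

Running the file prints the three outcomes: only the naive merge sets `polluted` on `Object.prototype`; both the pre-stripped input and the hardened merge keep the legitimate `series` keys while leaving the prototype untouched. A check like `stripProtoKeys` belongs at the trust boundary (where request bodies or user-supplied option objects are parsed), before any deep-merge helper sees them.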

CVE-2021-39228

Latest 7 days CVE Lists - Fri, 2021/09/17 - 11:15 PM
Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety issue when using `patch` or `merge` on `state` and assigning the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintain references to memory that might have been freed already, and these memory regions can be accessed by retrieving the `state`, e.g. by sending it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`.

Telegram Emerges as New Dark Web for Cyber Criminals

Slashdot - Fri, 2021/09/17 - 11:01 PM
Telegram has exploded as a hub for cybercriminals looking to buy, sell and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web. From a report: An investigation by cyber intelligence group Cyberint, together with the Financial Times, found a ballooning network of hackers sharing data leaks on the popular messaging platform, sometimes in channels with tens of thousands of subscribers, lured by its ease of use and light-touch moderation. In many cases, the content resembled that of the marketplaces found on the dark web, a group of hidden websites that are popular among hackers and accessed using specific anonymising software. "We have recently been witnessing a 100 per cent-plus rise in Telegram usage by cybercriminals," said Tal Samra, cyber threat analyst at Cyberint. "Its encrypted messaging service is increasingly popular among threat actors conducting fraudulent activity and selling stolen data … as it is more convenient to use than the dark web." The rise in nefarious activity comes as users flocked to the encrypted chat app earlier this year after changes to the privacy policy of Facebook-owned rival WhatsApp prompted many to seek out alternatives. Launched in 2013, Telegram allows users to broadcast messages to a following via "channels," or create public and private groups that are simple for others to access. Users can also send and receive large data files, including text and zip files, directly via the app.


Security updates for Friday

lwn.net - Fri, 2021/09/17 - 10:59 PM
Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src).

Solar Power Could Become a Catalyst For a Major Synthetic Fuel Upgrade

Slashdot - Fri, 2021/09/17 - 10:00 PM
An anonymous reader quotes a report from InterestingEngineering: As global carbon emissions that stem from fossil fuels keep adding to our ever-growing climate change issue, energy companies have turned their focus on renewables to generate fuel. One of those companies is Synhelion from Switzerland. The company harnesses the energy of the heat of the sun and converts the collected carbon dioxide into synthetic fuels, in turn offering a green and sustainable solution. The system is quite genius. Synhelion uses a mirror field filled with heliostats to reflect the radiation of solar power. The radiation is then concentrated in the solar receiver and turned into clean, high-temperature process heat at around 2,732°F (1,500°C). Next, the produced heat is turned into a CO2 and H2O mixture in a thermochemical reactor. The end product, the syngas, is then turned into gasoline, diesel, or jet fuel with a gas-to-liquid technology process. What makes this sustainable is the fact that the company's thermal energy storage (TES) saves the excess heat after each process which keeps the operation going 24/7. And how does the solar receiver work? The company says the technology is inspired by nature. To reach ultra-high temperatures, the solar receiver mimics Earth's greenhouse gas effect. The chamber is filled with greenhouse gases that are usually water vapor or water and CO2 mixtures. After solar radiation collected with heliostats enters the chamber, the black surface of the chamber absorbs the heat, thermalizes, and re-radiates it. The greenhouse gas then absorbs the thermal radiation, acting as a heat transfer fluid (HTF), which can, later on, be turned into any type of liquid fuel. And liquid fuels are easy to transport which makes them low-cost compared to their solid counterparts. When there's no sun, the HTF flows through the TES in the opposite direction to recover the previously stored thermal energy. The hot HTF from the storage drives the thermochemical processes in the reactor that keeps the operation working. "The company states that through this technology, it can provide fuels at a cheaper price with a 50 to 100 percent lower carbon footprint compared to fossil fuels," the report adds. "In addition to Synhelion's aligned motives with the Paris Agreement's CO2 reduction targets, it is supported by larger industries looking to cut their emissions -- and eventually achieve net-zero -- by 2030."


CVE-2021-39327

Latest 7 days CVE Lists - Fri, 2021/09/17 - 8:15 PM
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.

CVE-2021-23442

Latest 7 days CVE Lists - Fri, 2021/09/17 - 7:15 PM
This affects all versions of package @cookiex/deep. The global prototype object can be polluted via the `__proto__` key.

Razer Says Its New Mechanical Keyboards Have 'Near-Zero' Input Latency

Slashdot - Fri, 2021/09/17 - 7:00 PM
Razer has announced an update to its popular Huntsman lineup of mechanical keyboards that reduces input latency to "near-zero," the company claims. The Verge reports: [T]he newly announced Huntsman V2 and Huntsman V2 Tenkeyless (which omits the numpad, volume wheel, and media controls for a more compact board) both have a polling rate of 8,000Hz, meaning they can theoretically detect key presses eight times faster than the original Huntsman keyboards. Combined with the keyboards' optical switches, which use an infrared beam of light to sense when they've been pressed rather than metal contact points, Razer reckons the two new Huntsman keyboards will feel more responsive for gaming, especially when combined with a high-refresh rate monitor. In contrast, standard mechanical switches can suffer from what's known as a "debounce delay," when the keyboard has to take a moment to work out if a key has actually been pressed or not. Other improvements introduced with the V2 keyboards include new doubleshot PBT keycaps, which have a more durable design with legends that shouldn't wear away over time. The doubleshot design also allows the keyboard's programmable RGB backlighting to shine through the caps. There are seven preset lighting effects built into the keyboard, and you can customize them via Razer's software and save them to the board's firmware. Both keyboards are available with either Razer's clicky or linear optical switches. The linear switches have also seen improvements since the keyboard's first iteration, with the addition of a silicon sound dampener inside, and more lubricant to make them feel smoother to press. Razer also says it's improved the acoustics of the keyboards, with the addition of a new layer of sound dampening foam, and there's now a wrist rest included in the box with both keyboards. The full-size Huntsman V2 features a volume wheel and media controls on its top right, but only the smaller tenkeyless model has a detachable USB-C cable.


CVE-2021-41303

Latest 7 days CVE Lists - Fri, 2021/09/17 - 6:15 PM
In Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

CVE-2021-30260

Latest 7 days CVE Lists - Fri, 2021/09/17 - 4:15 PM
A possible integer overflow leading to a buffer overflow can occur due to improper validation of input parameters when an extscan hostlist configuration command is received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, and Snapdragon Wired Infrastructure and Networking.

CVE-2021-30261

Latest 7 days CVE Lists - Fri, 2021/09/17 - 4:15 PM
A possible integer and heap overflow can occur due to lack of input command size validation while handling a beacon template update command from the HLOS in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, and Snapdragon Wearables.

CVE-2021-3803

Latest 7 days CVE Lists - Fri, 2021/09/17 - 4:15 PM
nth-check is vulnerable to Inefficient Regular Expression Complexity.

Subscribe to the KLDP aggregator