Sep 30, 2016

Assorted reading

Mostly from DMs at a certain place. I haven't read them yet, but I'm posting them here as a memo.

   Microsoft Foresight
To answer "Our company is fine, isn't it?"
~ An introduction to cybersecurity management for business leaders
← materials available for download

    IT (Tadaaki Ekiga)
Asking Gartner about "the people, know-how and technology required in the digital age" (1):
The real reason Japanese companies and engineers keep failing to "cut costs with the cloud"

    ITmedia Enterprise (Hideaki Horiuchi)
The "light and dark" of self-service BI (Part 2): If you only look at features, self-service BI adoption is bound to fail

    EnterpriseZine (Rob McMillan)
7 tactics for getting security budget out of executives
―― Gartner's Rob McMillan explains

    IT Leaders (Tom Scholtz)
Turning end users from "easy targets" into "the best line of defense"

    Nikkan Kogyo Shimbun (Sid Deshpande)
[Digital edition] From the digital editorial desk (6): Evolving cybersecurity

    IT Leaders (Neil MacDonald)
"Security needs a change of thinking, such as 'deception' against adversaries" ─ Gartner

    Nihon Keizai Shimbun (08/20) p11 (Yuichi Isoda)
Semiconductors, PCs... shrinking one after another
Has NEC's next "face" emerged? Targeting "security", acquiring a Brazilian company


US weather, health and other topics, from CNN

Where's winter? Record-setting warmth on tap for much of U.S. (2015.12.13)

It's beginning to look a lot like – September?

The first snow normally occurs by November 8 and well over a foot would have accumulated by now on average.

This weekend's snow in D.C. could be one 'for the record books' (01/21)

Blizzard conditions possible in Washington, D.C., area later Friday
Forecasts show the mid-Atlantic is likely to take the biggest wallop; effects on Northeast are less certain

Houston flooding: 7 dead, 1,200 rescued -- and more rain to come (04/20)
State of disaster
Slow recovery

Seven dead after record-setting floods in Texas, Kansas (06/01)

One Texas city sets a record for wettest calendar day
Crews in Texas, Kansas search for missing children

Should I worry about chromium-6 in my drinking water? (09/21)

A report found chromium-6 in almost 90% of the water systems sampled across the nation
Chromium-6 can be filtered from water by certified products

See also the section 'How do I test my water for chromium-6?'.

CNN Student News - September 21, 2016 - English CC 

 Are there too many antibiotics in your fast food meat? (09/22)

A new report examines antibiotics in the meat supply at America's largest fast food restaurants
For the second year in a row, Panera Bread and Chipotle received the highest grades

A good rule of thumb is to avoid eating foods that contain ingredients you can't pronounce

Getting a flu shot? It may be better to wait (09/27)

Marketing for flu shots has become almost year-round
It's unclear how long protection lasts, and flu season peaks in mid-winter
Experts say an early vaccination is still better than none at all

 The context wanders, but the conclusion is in the last section

 - H1N1 subtype (Influenza A virus subtype H1N1)

 - H3N2 subtype (Influenza A virus subtype H3N2)

・Being stopped and questioned by police in the US

Overseas reactions: "Train crash at Hoboken station, New Jersey. Over 100 injured." (09/30)

 CNN Student News | October 7, 2016 (Friday) | English Subtitle
forecasters couldn't say for sure
Its exact path was uncertain
The military started naming storms after their wives, their girlfriends,
but none of these names were made public.

(Transcript)

CNN Student News - October 10, 2016 - English CC
Hurricane Matthew slowly made its way up Florida's coast

Hurricane Matthew Evacuation Orders for Florida, Georgia, Carolinas (10/08)
North Carolina

Hurricane Matthew (10/10)
Roads and Traffic
In Fayetteville City limits, all major thoroughfares are open. Eight or nine minor thoroughfares will be open as soon as debris and downed powerlines are cleaned.

Residents in need of non-emergency Hurricane Matthew assistance are advised to call 211 or 910-677-5509. Trained professionals are available 24 hours a day, 7 days a week.

Map Fayetteville NC

///

Sep 28, 2016

Beware of mobile apps that "don't mix well"

・[Feature] Beware of mobile apps that "don't mix well": risk of illicit data leakage (06/29)
『Apps that are each harmless on their own, colluding?』
Now that you mention it, that's true

Personal data leaks

・Personal data leaks
 ← list of related news

Sep 27, 2016

US Yahoo! personal data breach

・US Yahoo! hacked, 500 million accounts' personal data leaked. 5 things Yahoo! users should do now (09/23)

http://www.gizmodo.jp/2016/09/what-to-do-with-hacked-yahoo-account.html

 『1) Change your password immediately
  2) Change your passwords on other services too
  3) Enable two-step verification
  4) Be wary of suspicious emails
  5) Be wary of everything else
   ... stay alert across every online service you use
  』

 It also says 『Ditch Yahoo! and move to Google』.

 Google does give the impression of being more complete, with things like
 being able to view past login history and getting notified of access
 from devices running old versions...


・500 million users' data leaked at US Yahoo; Yahoo! Japan says "no damage" as its service is independent (09/23)

 http://www.j-cast.com/2016/09/23278832.html
 Still, if you used an ID similar to your US Yahoo one, or reused the
 password, you should take action


・Yahoo's data breach sounds an alarm (09/25)

 http://www.nikkei.com/article/DGXKZO07605050V20C16A9PE8000/
 A convincing article
『(On the company side) it is also important not to collect personal information indiscriminately... such a stance ... raises a company's credibility

Individuals also need a self-defense mindset ... must not forget the risk of data leaking or being lost. Don't casually put important information online, keep backups, and so on; there are many points to watch』
--> Added 09/28

・Angle: US Yahoo data breach, the issue is when it recognized the hack (09/27)

『Agreed in July to sell its core business to US telecom giant Verizon Communications (VZ.N) for $4.83 billion』

・US Yahoo sued by user representatives over personal data breach (09/24)



That's it for today.
I'll keep waiting for the investigation results on the method, the reason the announcement took so long, and so on

---> Added 10.12

A summary of the Yahoo! data breach (09/22)

 ← The latter half also summarizes precautions for users.

--> Added 10.17

Verizon's planned acquisition of Yahoo! may be reconsidered due to the massive data breach (10/14)

--> Added 11.29

Doubts raised over the theory that the Yahoo! data breach was a state-sponsored cyber attack (09/30)

Regarding the incident, US security firm InfoArmor on September 28 disclosed the results of its analysis of the contents of the stolen data and the groups involved ...
InfoArmor presumes that the person who obtained this data and tried to sell it at a high price distorted the facts for sensationalist publicity ...
「It has become clear that much of the recent reporting and published information contained serious errors」

Sep 26, 2016

Miscellany (9/26)

・The fiction and reality of Japan's IT infrastructure as seen in "Shin Godzilla" (09/23)
 I haven't seen it, so I may be mistaken, but
 I get the feeling the effects of the radiation Godzilla emits are (deliberately?) glossed over.
 The situation warrants at least starting a discussion on shielding IX facilities against nuclear threats. Or has that already been done?

・The anguish of the "middle managers" who supported Japan (Part 7)
 Akechi Mitsuhide, the middle manager whose talent pleased and then cornered his boss (09/19)
 『Taking the initiative in communication is the best way to avoid a painful betrayal』

・Deep China ~ reading the undercurrents of a giant market, No. 83
 A Chinese society that blocks the independence of the "individual" ~ ever-stronger pressure to conform (09/23)

Sep 20, 2016

Today's CVEs (09/20): Adobe, Cisco, Google, MS, etc.

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

adobe -- digital_editions
Adobe Digital Editions before 4.5.2 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4257, CVE-2016-4258, CVE-2016-4259, CVE-2016-4260, CVE-2016-4261, and CVE-2016-4262.
Published: 2016-09-16

adobe -- flash_player
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.
Published: 2016-09-14

cisco -- spa300_series_ip_phone_firmware
The HTTP framework on Cisco SPA300, SPA500, and SPA51x devices allows remote attackers to cause a denial of service (device outage) via a series of malformed HTTP requests, aka Bug ID CSCut67385.
Published: 2016-09-11

cisco -- ace_application_control_engine_module_a1
Cisco ACE30 Application Control Engine Module through A5 3.3 and ACE 4700 Application Control Engine appliances through A5 3.3 allow remote attackers to cause a denial of service (device reload) via crafted (1) SSL or (2) TLS packets, aka Bug ID CSCvb16317.
Published: 2016-09-12

google -- android
Buffer overflow in drivers/soc/qcom/subsystem_restart.c in the Qualcomm subsystem driver in Android before 2016-09-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application that provides a long string, aka Android internal bug 28675151 and Qualcomm internal bug CR1022641.
Published: 2016-09-11

google -- chrome
Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Published: 2016-09-11

microsoft -- edge
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3330.
Published: 2016-09-14

microsoft -- edge
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3294.
Published: 2016-09-14

microsoft -- windows_10
The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Authenticated Remote Code Execution Vulnerability."
Published: 2016-09-14

microsoft -- windows_10
Microsoft Windows 10 Gold, 1511, and 1607 does not properly enforce permissions, which allows local users to obtain Administrator access via a crafted DLL, aka "Windows Permissions Enforcement Elevation of Privilege Vulnerability."
Published: 2016-09-14

microsoft -- windows_10
The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Published: 2016-09-14

microsoft -- windows_10
The kernel-mode drivers in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Published: 2016-09-14

microsoft -- edge
The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3377.
Published: 2016-09-14

microsoft -- windows_10
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "GDI Elevation of Privilege Vulnerability."
Published: 2016-09-14

microsoft -- windows_10
The Graphics Device Interface (GDI) in Microsoft Windows 10 1607 allows remote attackers to execute arbitrary code via a crafted document, aka "GDI Remote Code Execution Vulnerability."
Published: 2016-09-14

microsoft -- office
Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2013 RT SP1, Office 2016, Word for Mac 2011, Word 2016 for Mac, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, SharePoint Server 2013 SP1, Excel Automation Services on SharePoint Server 2013 SP1, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, and Office Web Apps Server 2013 SP1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Excel 2016 for Mac, Office Compatibility Pack SP3, Excel Viewer, Excel Services on SharePoint Server 2007 SP3, Excel Services on SharePoint Server 2010 SP2, Excel Automation Services on SharePoint Server 2013 SP1, and Office Online Server allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- office_compatibility_pack
Microsoft PowerPoint 2007 SP3, PowerPoint 2010 SP2, PowerPoint 2013 SP1, PowerPoint 2013 RT SP1, PowerPoint 2016 for Mac, Office Compatibility Pack SP3, PowerPoint Viewer, SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, and Office Web Apps Server 2013 SP1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2010 SP2 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, Excel Services on SharePoint Server 2007 SP3, Excel Services on SharePoint Server 2010 SP2, Excel Automation Services on SharePoint Server 2013 SP1, and Office Online Server allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3365.
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3381.
Published: 2016-09-14

microsoft -- visio
Microsoft Visio 2016 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, Excel Services on SharePoint Server 2007 SP3, Excel Services on SharePoint Server 2010 SP2, Excel Automation Services on SharePoint Server 2013 SP1, and Office Online Server allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3362.
Published: 2016-09-14

microsoft -- silverlight
StringBuilder in Microsoft Silverlight 5 before 5.1.50709.0 does not properly allocate memory for string-insert and string-append operations, which allows remote attackers to execute arbitrary code via a crafted web site, aka "Microsoft Silverlight Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- windows_10
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow remote authenticated users to execute arbitrary code by leveraging a domain account to make a crafted request, aka "Windows Remote Code Execution Vulnerability."
Published: 2016-09-14

microsoft -- windows_10
Microsoft Windows 10 Gold and 1511 allows attackers to cause a denial of service via unspecified vectors, aka "Windows Denial of Service Vulnerability."
Published: 2016-09-14

microsoft -- internet_explorer
The OLE Automation mechanism and VBScript scripting engine in Microsoft Internet Explorer 9 through 11, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."
Published: 2016-09-14

microsoft -- edge
The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3350.
Published: 2016-09-14

microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3363.
Published: 2016-09-14

openssl -- openssl
The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Published: 2016-09-16

openssl -- openssl
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Published: 2016-09-16

php -- php
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
Published: 2016-09-11