Security: Updates, Equifax, Black Duck FUD, Emacs 25.3, and Measuring Security

  • Security updates for Monday
  • Researchers use Windows 10 Linux subsystem to run malware

    The provision of a Linux subsystem on Windows systems — a new Windows 10 feature known as Subsystem for Linux (WSL) — has made it possible to run known malware on such systems and bypass even the most common security solutions, security researchers at Check Point claim.

    In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique of getting malware onto a Windows system as Bashware, with Bash being the default shell on a large number of Linux distributions.

  • Episode 62 - All about the Equifax hack
  • Equifax moves to fix weak PINs for “security freeze” on consumer credit reports

    As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company's response were found lacking. As consumers registered and moved to lock their credit reports—in order to prevent anyone who had stolen data from opening credit in their name—they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.

    [...]

    The PIN revelation came on the heels of concerns that Equifax was attempting to block the ability of those checking to see if their data was exposed or enrolling in the TrustedID Premiere service to sue Equifax over the breach. An Equifax spokesperson said that the arbitration clause in the Terms of Service for TrustedID Premier only applied to the service itself, not to the breach.

  • Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach [Ed: But this claim has since then been retracted, so it might be fake news]
  • Equifax Breach Blamed on Open-Source Software Flaw [Ed: This report from a News Corp. tabloid has since been retracted, so why carry on linking to it?]
  • The hidden threat lurking in an otherwise secure software stack [Ed: Yet another attack on FOSS security, courtesy of the Microsoft-connected Black Duck]
  • [ANNOUNCE] Emacs 25.3 released
  • Emacs 25.3 Released To Fix A Security Vulnerability Of Malicious Lisp Scripts

    GNU Emacs 25.3 is now available, but it doesn't offer major new features; rather, it fixes a security vulnerability.

    Emacs' x-display decoding feature within the Enriched Text mode could lead to executing arbitrary malicious Lisp code within the text.

  • Measuring security: Part 1 - Things that make money

    If you read my previous post on measuring security, you know I broke measuring into three categories. I have no good reason to do this other than it's something that made sense to me. There are without question better ways to split these apart, I'm sure there is even overlap, but that's not important. What actually matters is to start a discussion on measuring what we do. The first topic is about measuring security that directly adds to revenue such as a product or service.

    [...]

    I see a lot of groups that don't do any of this. They wander in circles sometimes adding security features that don't matter, often engineering solutions that customers only need or want 10% of. I'll never forget when I first looked at actual metrics on new features and realized something we wanted to add was going to have a massive cost and generate zero additional revenue (it may have actually detracted in future product sales). On this day I saw the power in metrics. Overnight my group became heroes for saving everyone a lot of work and headaches. Sometimes doing nothing is the most valuable action you can take.
