Security: Fingerprinting, Extensible Unix, Gentoo Cracked at GitHub, Debian Discusses Updates Integrity, Ticketing Giants Cracked
-
Fingerprinting: A new security for open source software
Open Source Software (OSS) has changed the way software works. It’s found in almost everything, with almost all new apps and modern systems incorporating some open source components. The vast majority, 78 per cent, of companies run open source software, and two-thirds create software for customers built on open source; but like many things that come free, there are always rules to follow.
The problem? Some members of the developer community can also be very casual about copying files, code snippets, images, binaries or entire modules without respecting their open source licences. Even if the developers are strict about reporting licences for their main components, chances are they’re using code that was already casually copied and enhanced.
-
How can a text editor plug-in enable privilege escalation? [Ed: Shock and surprise that installing rogue or bad software ("plug-in") can cause issues? It's not insulated.]
Extensible Unix and Linux text editors that allow for the use of third-party plug-ins give users a useful way to add functionality, but the text editor plug-ins can also be exploited by local attackers to take control of a victim's machine through privilege escalation.
Dor Azouri, a security researcher at SafeBreach, examined how text editor plug-ins for leading text editors, including Emacs, Vim, Sublime, gedit and pico/nano, could be exploited by attackers for privilege escalation -- and crafted proof of concept exploits for all of them except pico/nano.
-
Github Gentoo organization hacked
Today, 28 June, at approximately 20:20 UTC, unknown individuals gained control of the GitHub Gentoo organization and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised.
-
Protecting Software Updates
I'm pleased to say that Debian has already implemented many of the technical recommendations we describe, including leading the way on reproducible builds. But as individual developers we might also be targeted, as lamby points out, and it's worth thinking about how you'd defend your users from such a situation.
-
FastBooking breach sees hackers steal customer data from 'hundreds' of hotels
-
Identity theft warning after major data breach at Ticketmaster
The Guardian understands that a number of Ticketmaster customers have already had fraudulent transactions debited from their accounts, with the fraudsters spending people’s cash on money transfer service Xendpay, Uber gift cards and Netflix, among other items.
Ticketmaster said customers who bought concert, theatre and sporting event tickets between February and 23 June 2018 may have been affected by the incident, which involved malicious software being used to steal people’s names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details.
-
Ticketmaster’s data breach - what to do next
Strictly speaking, it wasn’t Ticketmaster that was the target, but one of its suppliers. The company said malicious software had infected a customer support product hosted by Inbenta Technologies, which runs on Ticketmaster’s websites. Inbenta is an external third-party supplier to the ticketing giant, offering products such as chatbots, knowledge management and case management for queries that come in over email or social media.
-
'Monitor your accounts': Ticketmaster customers in suspected data breach
-
Ticketmaster Discloses Breach That Impacts Nearly 5 Percent of Its Customers
The company said the breach occurred at Inbenta Technologies, a third-party supplier hosting a Ticketmaster customer support product. According to Inbenta’s website, the company provides an AI chat-based support agent able to reply to customer questions when live staff are unavailable.
An attempt to reach an Inbenta spokesperson by phone was unsuccessful.
-