
Security: Defcon, GSM, Black Hat, Avaya and DARPA

  • A Remote-Start App Exposed Thousands of Cars to [Attackers]

    In a talk at the Defcon hacker conference today in Las Vegas, Jmaxxz described a series of vulnerabilities in MyCar, a system made by Canadian company Automobility, whose software is rebranded and distributed under names including MyCar Kia, Visions MyCar, Carlink, and Linkr-LT1. MyCar's devices and apps connect to radio-based remote start devices like Fortin, CodeAlarm, and Flashlogic, using GPS and a cellular connection to extend their range to anywhere with an [Internet] connection. But with any of three different security flaws present across those apps—which Jmaxxz says he reported to the company and have since been fixed—he says he could have gained access to MyCar's database backend, letting him or a less friendly hacker pinpoint and steal any car connected to the MyCar app, anywhere in the world.

  • Teen Security Researcher Suspended for Exposing Vulnerabilities in His School’s Software

    Bill Demirkapi, an 11th grader in Lexington, Massachusetts, had found a vulnerability in Aspen, the software his school uses to deliver students' grades, transcripts, and schedules. With this sort of access, an attacker could obtain a student's password, their birth city, details on their free or reduced lunch, and other information.

    But Demirkapi didn't want to abuse the vulnerability he discovered. He wanted to do the responsible thing and let the company that makes the software, Follett Corporation, know about the issue so it can fix it and make students' personal data safer. The problem was that Follett didn't respond to Demirkapi's multiple attempts to warn them about the vulnerability. So he tried a different approach and used a feature of the software to send a message to Follett.

  • [Attackers] Could Decrypt Your GSM Phone Calls

    Regular GSM calls aren't fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can't just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and listen in on basically anything.

    "GSM is a well documented and analyzed standard, but it’s an aging standard and it's had a pretty typical cybersecurity journey," says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. "The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you’re using there is a flaw historically created and engineered that you’re exposing."

  • Black Hat USA 2019 conference Highlights: IBM’s ‘warshipping’, OS threat intelligence bots, Apple’s $1M bug bounty programs and much more!

    The popular Black Hat USA 2019 conference was held from August 3 to August 8 in Las Vegas. The conference included technical training sessions conducted by international industry and subject matter experts to provide hands-on offensive and defensive skill-building opportunities. It also included briefings from security experts who shared their latest findings, open-source tools, zero-day exploits, and more.

    Tech giants including Apple, IBM, and Microsoft made some interesting announcements, such as Apple and Microsoft expanding their bug-bounty programs, IBM launching a new ‘warshipping’ hack, and much more.

    Black Hat USA 2019 also launched many interesting open-source tools and products like Scapy, a Python-based interactive packet manipulation program, CyBot, an open-source threat intelligence chatbot, and many other products.

  • Somu Tiny Open Source FIDO2 Security Key Enables Passwordless Login & Two-factor Authentication (Crowdfunding)

    Meet Somu, an open-source secure key with FIDO2 support for two-factor authentication or Microsoft account passwordless login.

  • Carbon Black Threat Analysis Unit (TAU) Launches “Binee,” an Open-Source Binary Emulator for Malware Researchers at DEF CON 27

    Carbon Black (NASDAQ: CBLK), a leader in cloud-native endpoint protection, today announced the launch of “Binee,” an open-source binary emulator that bridges the gap between static and dynamic analysis of real-world malware. Binee empowers researchers to extract run-time data from binaries at a cost, speed and scale previously only possible with static analysis tools, opening up a wealth of run-time malware data for behavioral analysis and machine learning applications.

  • Bishop Fox Introduces New Open-Source Hacking Tool for Testing ZigBee Networks at 2019 Black Hat Arsenal
  • Bishop Fox Introduces New AI-Based, Open Source Pentesting Tool at 2019 Black Hat Arsenal
  • empow Launches Open-Source Security Log Plugins Repository for Elasticsearch
  • 13-Year-Old Encryption Bugs Still Haunt Apps and IoT

    RSA encryption has been around for decades. Unfortunately, so have bad implementations that leave it less secure.

  • #BHUSA: Open Source is Key to Solving Cyber Skills Gap

    At Black Hat USA in Las Vegas, Anomali threat research team manager Joakim Kennedy explained to Eleanor Dallaway why he believes the open source movement in the cybersecurity industry will help to address the skills gap.

    “One way of opening up the industry to more people is to provide good free tools accessible to everyone.” The open source movement allows people “to take the toolkits and moderate them.” This, he said, is particularly relevant to teenagers and people outside of the cybersecurity industry who may have an interest in joining. “The best way to learn is to get hold of toolkits and play with them, moderate them,” he said, explaining that his own path into the industry began as a teenager, “using whatever tools were available” and self-educating.

    Making these open source tools available “will trigger the interest of the next generation of potential employees by giving them the tools to play with for free and get their interest. We need to get more interested people into the field and there’s a high threshold to get started.” He explained this high threshold means that the paid products and tools in the industry are very expensive. “The license price is too high.”

  • Cyber Eavesdropping Vulnerability Found On Phones Used By 90% Of Fortune 100: Report

    VoIP phones from leading provider Avaya are the latest IoT devices exposed as a cyber risk by security researchers.

  • Popular Avaya enterprise VoIP phones are vulnerable to hacking

    The issue was discovered by researchers from security firm McAfee and was disclosed Thursday at the DEF CON security conference in Vegas. However, firmware updates have been available since June 25.

    The vulnerability is located in the DHCP service, which allows the devices to automatically obtain IP addresses on the network. Attackers can exploit it by sending maliciously modified DHCP responses to the devices, which do not require authentication, and winning a race condition with the network’s legitimate DHCP server.

  • Hackers Take on Darpa's $10 Million Voting Machine

    For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government's mad science wing.

    Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD.

More in Tux Machines

Games: Underworld Ascendant, Dark Envoy and Elite Dangerous

  • Underworld Ascendant's Linux port has now been released

    Get ready to dungeon crawl! After many delays, the sequel to the classic Ultima Underworld games has finally seen a Linux release.

  • Event Horizon (Tower of Time) show off the first gameplay from their next RPG Dark Envoy

    Ah, Gamescom has arrived, which means tons of games will be shown off over the next week. Event Horizon (Tower of Time dev) are getting in on the action, showing off footage from their brand new RPG called Dark Envoy. For those who missed the previous article, it is already confirmed to be coming to Linux. To save you a click, when asked they said: "We spent a considerable effort to make Tower of Time run well on Linux - so now, being more experienced with it, we also plan to release on Linux at the same time as PC launch."

  • Going where no Steam Play has gone before with Elite Dangerous

    What’s the one game keeping you a dual booter? Maybe it’s PUBG, or Rainbow Six: Siege? Maybe it used to be Overwatch? For me, that game was Elite Dangerous, and one year on from Proton’s release, I have a story to tell. There’s a certain “je ne sais quoi” about Elite Dangerous that I’ve never been able to put my finger on. It’s a game set in a scientifically modelled, full-scale replica of the whole Milky Way galaxy, and as with that setting, the game is truly vast, remarkably cold, and frequently incomprehensible. Yet, when playing Elite, I get the same feeling as when looking up at the stars on a dark and moonless night — my hungry soul is fed. Or it could just be space madness. Regardless, it’s a feeling that I like to dip into every once in a while, immerse myself in, and try not to drown.

Red Hat and Fedora: HPC, Ansible and More Flock Reports

  • HPC workloads in containers: Comparison of container run-times

    Recently, I worked on an interesting project to evaluate different container run-times for high-performance computing (HPC) clusters. HPC clusters are what we once knew as supercomputers. Today, instead of giant mainframes, they are hundreds, thousands, or tens of thousands of massively parallel systems. Since performance is critical, virtualization with tools like virtual machines or Docker containers was not realistic. The overhead was too much compared to bare metal.

  • A project manager's guide to Ansible

    For project managers, it's important to know that deploying Ansible will improve the effectiveness of a company's IT. Employees will spend less time trying to troubleshoot their own configuration, deployment, and provisioning. Ansible is designed to be a straightforward, reliable way to automate a network's IT tasks. Further, development teams can use the Ansible Tower to track applications from development to production. Ansible Tower includes everything from role-based access to graphical inventory management and enables teams to remain on the same page even with complex tasks. Ansible has a number of fantastic use cases and provides substantial productivity gains for both internal teams and the IT infrastructure as a whole. It's free, easy to use, and robust. By automating IT with Ansible, project managers will find that their teams can work more effectively without the burden of having to manage their own IT—and that IT works more smoothly overall.

  • Flock to Fedora '19

    I had a wonderful opportunity to go to Fedora’s annual contributor summit, Flock to Fedora in Budapest, Hungary. This is me penning down my takeaway from a week full of learning! [...] Apart from the talks, the conference outshone when it came to meeting mind-blowing developers. I got to know the most about Fedora and Red Hat through those interactions and it was a really pleasant experience. It was also super amazing to finally meet in real life all the people I had been interacting with over the course of the internship. My advice for any future Flock attendee would be to always make time to talk to people at Flock. Even I have a hard time interacting, but the people are extremely nice and you get to learn a lot through those small interactions and end up making friends for a lifetime. Definitely taking back a tonne of memories, loads of pictures, and a plethora of learning from this one week of experience.

  • Paul W. Frields: Flock 2019 in Budapest, Hungary.

    Last week I attended the Flock 2019 conference in Budapest, like many Fedora community members. There was a good mix of paid and volunteer community members at the event. That was nice to see, because I often worry about the overall aging of the community. Many people I know in Fedora have been with the project a long time. Over time, people’s lives change. Their jobs, family, or other circumstances move them in different directions. Sometimes this means they have less time for volunteer work, and they might not be active in a community like Fedora. So being able to refresh my view of who’s around and interested in an event like Flock was helpful. Also, at last year’s Flock in Dresden, after the first night of the conference, something I ate got the better of me — or I might have picked up a norovirus. I was out of commission for most of the remaining time, confined to my room to ride out whatever was ailing my gut. (It wasn’t pretty.) So I was glad this year also to be perfectly well, and able to attend the whole event. That was despite trying this terrible, terrible libation called ArchieMite, provided by my buddy Dennis Gilmore... [...] I also attended several sessions on Modularity. One of them was Merlin Mathesius’ presentation on tools for building modules. Merlin is on my team at Red Hat and I happened to know he hadn’t done a lot of public speaking. But you wouldn’t have guessed from his talk! It was well organized and logically presented. He gave a nice overview of how maintainers can use the available tools to build modules for community use. The Modularity group also held a discussion to hear about friction points with modularity. Much of the feedback lined up well with other inputs the group has received. We could solve some with better documentation and awareness. In some cases the tools could benefit from ease of use enhancements. In others, people were unaware of the difficult design decisions or choices that had to be made to produce a workable system. Fortunately there are some fixes on the way for tooling like the replacement for the so-called “Ursa Major” in Fedora. It allows normal packages to build against capabilities provided by modules.

Programming Leftovers

  • Excellent Free Books to Learn Groovy

    Apache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities, for the Java platform aimed at improving developer productivity thanks to a concise, familiar and easy to learn syntax. It integrates seamlessly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. It’s both a static and dynamic language with features similar to those of Python, Ruby, Perl, and Smalltalk. It can be used as both a programming language and a scripting language for the Java Platform.

  • Top 9 Django Concepts - Part 2 : 5 Mins

    I will be covering 3 Django concepts. For those who missed the first part of the 3-part series, you can head down to Top 9 Django Concepts - Part 1. The first concept is the essential Django commands that you will be using when developing in Django. The second is the concept of using either a front-end web framework like Vue, React or Angular, or using Django's existing template system to build the UI.

  • Get Current Date & Time in Python

    In this article, you will learn how the datetime module supplies classes for manipulating dates and times in both simple and complex ways.

  • RcppQuantuccia 0.0.3

    RcppQuantuccia brings the Quantuccia header-only subset / variant of QuantLib to R. At the current stage, it mostly offers date and calendaring functions. This release was triggered by some work CRAN is doing on updating C++ standards for code in the repository. Notably, under C++11 some constructs such as ptr_fun, bind1st, bind2nd, … are now deprecated, and CRAN prefers the code base to not issue such warnings (as e.g. now seen under clang++-9). So we updated the corresponding code in a good dozen or so places to the (more current and compliant) code from QuantLib itself.

7 of the Best IoT Projects Using Arduino

If you’re an electronics hobbyist, chances are you’ve heard of the Arduino. It’s a tiny computer that you can use to do surprisingly complex things. It also happens to be behind a fair number of Internet of Things projects. While some people reach for a Raspberry Pi or something even more powerful, an Arduino or Arduino Uno might be all you need. We’ve put together a list of IoT projects that prove this to be true.

Also: mDash Cloud platform for IoT Devices Targets ESP8266/ESP32, STM32, and TI CC3220 Wireless MCUs