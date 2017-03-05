Security Leftovers
Payments Giant Verifone Investigating Breach
Verifone circled back post-publication with the following update to their statement: “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
Terabytes of Government Data Copied [iophk: "they need to publish via bittorrent more often to take out the single point of failure; they need to learn to use torrents from day one of their research"]
Millions of websites still using vulnerable SHA-1 certificate
At least 21 percent of all public websites are using insecure SHA-1 certificates – past the migration deadline and after Google researchers demonstrated a real-world collision attack. And this is without taking into account private or closed networks that also might be using the hash.
Widespread Bug Bounty Program Could Help Harden Open Source Security
One company is adding to its bug bounty program efforts by offering its professional services to the open source community for free. HackerOne’s platform, known as HackerOne Community Edition, will help open source software teams create a comprehensive approach to vulnerability management, including a bug bounty program.
Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking
Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.
Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers’ security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.
Researchers warn augmented mobile and open source = malware opportunity [Ed: Well, and proprietary is never a malware ramp (sarcasm)]
ESET researchers warn that augments mobile applications plus open source platforms like Google's open could be a recipe for clever malware to come, in a recent security post.
Currently, Google only requires developers to make a onetime payment of $25 and within 24 hours they can have an application in the Google Play Store compared to Apple which requires a yearly license which costs more than $100 and a vetting period of up to two weeks.
Operation Rosehub patches Java vulnerabilities in open source projects
Google employees recently completed Operation Rosehub, a grass roots effort that patches a set of serious Java vulnerabilities in thousands of open source projects.
[Video] CPU Backdoors Could Allow Government Spying
Moving Git past SHA-1 [Ed: no longer behind LWN paywall]
The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.
Linux kernel: CVE-2017-2636: local privilege escalation flaw in n_hdlc
Spammergate: The Fall of an Empire
