This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again.
If you're paying attention, you saw the news about Yahoo's breach. Five hundred million accounts. That's a whole lot of data if you think about it. But here's the thing. If you're a security person, are you surprised by this? If you are, you've not been paying attention.
Krebs on Security in record DDOS attack: Everybody’s go-to site for news and views of security issues, has been temporarily knocked offline in a DDOS attack for the record books. We first heard about the attack on Thursday morning after Brian Krebs reported that his site was being hit by as much as 620 Gbs, more than double the previous record which was considered to be a mind-blower back in 2013 when the anti-spam site Spamhaus was brought to its knees.
Security sites such as Krebs’ that perform investigative research into security issues are often targets of the bad guys. In this latest case, Ars Technica reported the attack came after Krebs published the identity of people connected with vDOS, Israeli black hats who launched DDOS attacks for pay and took in $600,000 in two years doing so. Akamai had been donating DDoS mitigation services to Krebs, but by 4 p.m. on the day the attack began they withdrew the service, motivated by the high cost of defending against such a massive attack. At this point, Krebs decided to shut down his site.
When generating the keypair, you're asked for a passphrase to encrypt the private key with. If you will ever lose your private key it should protect others from impersonating you because it will be encrypted with the passphrase. To actually prevent this, one should make sure to prevent easy brute-forcing of the passphrase.
OpenSSH key generator offers two options to resistance to brute-force password cracking: using the new OpenSSH key format and increasing the amount of key derivation function rounds. It slows down the process of unlocking the key, but this is what prevents efficient brute-forcing by a malicious user too. I'd say experiment with the amount of rounds on your system. Start at about 100 rounds. On my system it takes about one second to decrypt and load the key once per day using an agent. Very much acceptable, imo.
Today we’d like to explain what it costs to run Let’s Encrypt. We’re doing this because we strive to be a transparent organization, we want people to have some context for their contributions to the project, and because it’s interesting.
Let’s Encrypt will require about $2.9M USD to operate in 2017. We believe this is an incredible value for a secure and reliable service that is capable of issuing certificates globally, to every server on the Web free of charge.
We’re currently working to raise the money we need to operate through the next year. Please consider donating or becoming a sponsor if you’re able to do so! In the event that we end up being able to raise more money than we need to just keep Let’s Encrypt running we can look into adding other services to improve access to a more secure and privacy-respecting Web.
One of North Korea’s top level DNS servers was mis-configured today (20th September 2016) accidentally allowing global DNS zone transfers. This allowed anyone who makes a zone transfer request (AXFR) to retrieve a copy of the nation’s top level DNS data.
This data showed there are 28 domains configured inside North Korea, here is the list:
As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.
But that massive hack is actually one of three interesting hacks of Yahoo in recent years.
Microsoft's decision to force Windows 10's patch and maintenance model on customers running the older-but-more-popular Windows 7 has patch experts nervous.
"Bottom line, everyone is holding their breath, hoping for the best, expecting the worst," said Susan Bradley in an email. Bradley is well known in Windows circles for her expertise on Microsoft's patching processes: She writes on the topic for the Windows Secrets newsletter and moderates the PatchMangement.org mailing list, where business IT administrators discuss update tradecraft.
Yahoo Inc (YHOO.O) was sued on Friday by a user who accused it of gross negligence over a massive 2014 hacking in which information was stolen from at least 500 million accounts.
The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor."
Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages.
A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation.
Yahoo’s admission that the personal data of half a billion users has been stolen by “state-sponsored” hackers leaves pressing questions unanswered, according to security researchers.
Details, including names, email addresses, phone numbers and security questions were taken from the company’s network in late 2014. Passwords were also taken, but in a “hashed” form, which prevents them from being immediately re-used, and the company believes that financial information held with it remains safe.
On Thursday afternoon Yahoo confirmed a massive data leak of at least 500 million user accounts, which is a very big deal.
Though the data breach obviously spells trouble for those with YahooMail accounts, users with hacked accounts need to keep in mind that the breach goes so much further.
Yahoo owns a bunch of other major sites like Flickr, Tumblr and fantasy football site Rivals.com, which means the 500 million users affected by the data breach also have to worry about their personal information associated with all additional Yahoo services.
Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users. And who knew there were that many people using its email?
The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.
This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.
YOU KNOW that Brian Krebs guy? Well, his website has been hit with a huge denial-of-service (DDoS) attack that he couldn't handle on his own.
Krebs is that security guy. He is bound to have some enemies out there, so we expect that sooner or later someone will take the credit for ruining the pathway to his pages.
For now we have Krebs to explain what happened and who helped him deal with it. The short version is that there was great big whack of an attack on him, and that he needed assistance from security firm Akamai.
Matthew Garrett Explains How to Increase Security at Boot Time [Ed: Microsoft apologist Matthew Garrett is promoting UEFI again, even after the Lenovo debacle]
Security of the boot chain is a vital component of any other security solution, said Matthew Garrett of CoreOS in his presentation at Linux Security Summit. If someone is able to tamper with your boot chain then any other security functionality can be subverted. And, if someone can interfere with your kernel, any amount of self-protection the kernel might have doesn’t really matter.
“The boot loader is in a kind of intermediate position,” Garrett said. It can modify the kernel before it passes control to it, and then there’s no way the kernel can verify itself once it’s running. In the Linux ecosystem, he continued, the primary protection in the desktop and server space is UEFI secure boot, which is a firmware feature whereby the firmware verifies a signature on the bootloader before it executes it. The bootloader in turn verifies a signature on the next step of the boot process, and so on.
Is open source security software too much of a risk for enterprises? [Ed: inverses the truth; proprietary software has secret back doors that cannot be found and patched]
Although free, there are many institutions that are reluctant to use open source software, for obvious reasons. Using open source software that is not controlled by the enterprise -- in production environments and in mission-critical applications -- introduces risks that could be detrimental to the basic tenants of cybersecurity, such as confidentiality, integrity and availability. This includes open source security software like the tools Netflix uses.