Security Leftovers

Filed under
Security
  • Microsoft Warns about Worm Attacking Exim Servers on Azure [Ed: Microsoft should also warn "customers" of Windows back doors for the NSA, but it does not (this one was patched ages ago; the Microsoft back doors aren't). Shouldn't Microsoft ask its proxies and partners, as usual, to come up with buzzwords and logos and Web sites for bugs in FOSS, then talk about how FOSS is the end of the world?]
  • The Highly Dangerous 'Triton' [Attackers] Have Probed the US Grid [Ed: It's Windows]

    Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated [attackers] carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these [attackers], known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."

  • A Researcher Found a Bunch of Voting Machine Passwords Online

    A little more than a week ago, the Department of Homeland Security confirmed that it was going to forensically analyze computer equipment associated with part of the 2016 elections in North Carolina in association with questions about Russian hacking. The news prompted an information security researcher to announce that he’d found evidence of other election security issues in North Carolina last fall, which he’d kept quiet until now.

    Chris Vickery, the director of cyber-risk research at UpGuard, a cybersecurity services firm, tweeted June 7 that he had found an unlocked online repository that contained what he said were passwords for touchscreen voting machines. The repository, he said, also contained other information, including serial numbers for machines that had modems, which theoretically could have allowed them to connect to the internet.

    Vickery said that after he found the open repository in September 2018, he immediately told state officials, who locked the file. State officials have told Mother Jones that the passwords were nearly 10 years old and encrypted—a claim disputed by Vickery and a Democratic technology consultant in North Carolina—but admitted that the file shouldn’t have been publicly available online.

  • TPM now stands for Tiny Platform Module: TCG shrinks crypto chip to secure all the Things [Ed: Misusing the word "trust" to obliterate computer freedom and general-purpose computing]

    The Trusted Computing Group (TCG), a nonprofit developing hardware-based cybersecurity tools, has started work on the "world's tiniest" Trusted Platform Module (TPM).

    TPMs are silicon gizmos designed to protect devices by verifying the integrity of essential software – like firmware and BIOS – and making sure no dodgy code has been injected into the system prior to boot.

    These are widely used to protect servers. Now TCG wants to adopt the technology for devices that are so small that the inclusion of a full TPM chip might be impractical due to cost, space and power considerations.

    The first tiny TPM prototype, codenamed Radicle, was demonstrated last week at a TCG members' meeting in Warsaw, Poland.

    [...]

    We have to mention that for years, TCG and its TPMs were criticised by the open-source software community, which suspected the tech could be used for vendor lock-in – GNU father Richard Stallman called trusted computing "treacherous computing", but it looks like his worst fears have not come to pass.

    That doesn't mean TPMs haven't seen their share of dark days: back in 2017, it emerged that security chips made by Infineon contained a serious flaw, with experts estimating that 25 to 30 per cent of all TPMs used globally were open to attack.

  • What Is a Buffer Overflow

    A buffer overflow vulnerability occurs when a program writes more data into a fixed-size buffer than the buffer can hold. The excess data spills into adjacent memory and may overwrite other data. As a result, the program might crash, report an error or behave differently than intended. Such vulnerabilities are also called buffer overruns.

    Some programming languages, such as C and C++, are more susceptible to buffer overflow issues, because they are low-level languages that rely on the developer to manage memory and do not check array bounds for them. The most common languages used on the web, such as PHP, Java, JavaScript or Python, are much less prone to buffer overflow exploits because they manage memory on behalf of the developer and check bounds at runtime. However, they are not completely safe: some of them allow direct memory manipulation, and their runtimes and core functions are often written in C/C++.
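    To make the mechanism concrete, here is an added C example (not code from the quoted article): a record whose fixed-size `name` buffer sits directly next to an `is_admin` flag, the classic unchecked `strcpy` that overruns it, and a bounds-checked replacement. The struct, the function names and the 16-byte buffer size are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed record for the example: a fixed-size name buffer right next to a
 * privilege flag. The layout is what makes the overflow dangerous: bytes
 * written past the end of `name` land in whatever the compiler placed
 * after it, here `is_admin`. */
struct user {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: strcpy() copies until it sees a NUL terminator and never
 * checks that the source fits in the 16-byte destination. Any name of 16
 * or more characters overruns the buffer. This is undefined behaviour and
 * is kept only for contrast; the hardened version below is the one to use. */
void set_name_unsafe(struct user *u, const char *src)
{
    strcpy(u->name, src);
}

/* HARDENED: look for the terminator inside the space available before
 * copying anything. If no NUL appears within sizeof name bytes the input
 * is too long and is rejected without touching the record.
 * Returns 0 on success, -1 when the input would overflow. */
int set_name_safe(struct user *u, const char *src)
{
    const char *end = memchr(src, '\0', sizeof u->name);
    if (end == NULL)
        return -1;                      /* 16+ characters: would not fit */
    size_t n = (size_t)(end - src);     /* at most 15 */
    memcpy(u->name, src, n + 1);        /* copy the bytes plus the terminator */
    return 0;
}

int main(void)
{
    struct user u;
    char attacker_input[20];   /* 19 'A's + NUL: exactly fills name and is_admin */

    /* Built at run time: a string literal of known length would let the
     * compiler warn about the overflow before the program even runs. */
    memset(attacker_input, 'A', sizeof attacker_input - 1);
    attacker_input[sizeof attacker_input - 1] = '\0';

    memset(&u, 0, sizeof u);
    printf("safe:   rc=%d is_admin=%d\n",
           set_name_safe(&u, attacker_input), u.is_admin);

    memset(&u, 0, sizeof u);
    set_name_unsafe(&u, attacker_input);   /* overruns name into is_admin */
    printf("unsafe: is_admin=%d (0x41414141 on a typical layout)\n", u.is_admin);
    return 0;
}
```

    Compile with `cc -Wall -O0 overflow.c && ./a.out`. At -O0 on typical compilers the unsafe copy turns `is_admin` into 0x41414141 ('AAAA'), which is exactly the "alters other data" effect described above; because it is undefined behaviour, optimisers and stack protectors are free to change or crash that half of the demo. The hardened version applies the general rule: establish the length of the input against the size of the destination before any copy, and refuse what does not fit.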

  • Any iPhone can be hacked

    Apple’s so-called secure iPhones can be turned over by US coppers using a service promoted by an Israeli security contractor.

    Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3.

    Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9 but no-one ever called them secure and safe.

    What is unusual is that Cellebrite is making broad claims about turning over Apple gear. This is not a cat-and-mouse claim where they exploit a tiny flaw which one day might be fixed. It would appear that Cellebrite has its paw on a real howler.

  • Cellebrite Claims It Can Unlock ‘Any’ iPhone And iPad, 1.4 Billion Apple Devices Hackable

    Israel-based Cellebrite has announced a new version of its system Universal Forensic Extraction Device (UFED) — UFED Premium — which is capable of unlocking any iPhone, high-end Android device, or an iPad.

    The forensics company has suggested that UFED Premium is meant to help the police in unlocking iPhones and Android smartphones and getting data from locked smartphones.

  • Web-based DNA sequencers getting compromised through old, unpatched flaw

    DnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests.

    These tools use browsers to access a UNIX-based web server on the local network, which is responsible for managing all aspects of DNA sequencing.

    A simple Google search shows that dnaLIMS is used by a number of scientific, academic and medical institutions.

  • Generate Cryptographically Secure RANDOM PASSWORD
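    The item above carries no excerpt, so here is an added C example (not the linked article's code) of the two points a password generator has to get right: draw randomness from the kernel CSPRNG rather than `rand()`, and map bytes onto the symbol set with rejection sampling so that a plain `byte % alphabet_size` does not skew the distribution towards the first symbols. The alphabet and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Symbol set assumed for the example: 62 alphanumerics plus six punctuation
 * characters, 68 symbols in total. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_!@#%";

/* Fill `buf` with `n` bytes from the kernel CSPRNG. /dev/urandom is used
 * for portability; getrandom(2) would be the modern Linux choice.
 * Returns 0 on success, -1 on failure. */
static int csprng_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Map one random byte to an index in [0, nsym) without modulo bias.
 * Only bytes below the largest multiple of nsym that fits in 256 are
 * accepted; anything at or above that limit is rejected (returns -1) and
 * the caller draws again. For 68 symbols the limit is 204, so the values
 * 0..203 map evenly onto 0..67. */
int unbiased_index(unsigned char b, size_t nsym)
{
    size_t limit = (256 / nsym) * nsym;
    if (b >= limit)
        return -1;
    return (int)(b % nsym);
}

/* Write a `len`-character password plus NUL into `out` (len + 1 bytes).
 * Returns 0 on success, -1 if the CSPRNG could not be read. */
int generate_password(char *out, size_t len)
{
    size_t nsym = strlen(ALPHABET);
    size_t filled = 0;
    unsigned char pool[64];

    while (filled < len) {
        if (csprng_bytes(pool, sizeof pool) != 0)
            return -1;
        for (size_t i = 0; i < sizeof pool && filled < len; i++) {
            int idx = unbiased_index(pool[i], nsym);
            if (idx < 0)
                continue;               /* rejected byte: draw another */
            out[filled++] = ALPHABET[idx];
        }
    }
    out[len] = '\0';
    return 0;
}

/* Returns 1 if every character of `pw` belongs to ALPHABET, else 0. */
int password_in_alphabet(const char *pw)
{
    return strspn(pw, ALPHABET) == strlen(pw);
}

int main(void)
{
    char pw[33];
    if (generate_password(pw, sizeof pw - 1) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    puts(pw);
    return 0;
}
```

    With 68 symbols each character carries about 6.1 bits of entropy, so 32 characters give roughly 195 bits; the rejection step discards only 52 of every 256 bytes, which is cheap compared with the bias that `% 68` alone would introduce (symbols 0..51 would appear 4 times in 256 while 52..67 appeared only 3 times).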
  • DMARC, mailing list, yahoo and gmail

    Gmail was blocking one person’s email sent via our list (he sent it from Yahoo, using his iPhone client), which put more than 1700 Gmail users on our list into the nomail block unless they check for Mailman’s email and click to re-enable their membership.

    I panicked for a couple of minutes and then started manually clicking in the mailman2 UI for each user to unblock them. However, that was too many clicks. Suddenly I remembered the suggestion from Saptak about using JavaScript to do this kind of work. Even though I had tried to learn JavaScript four times and failed happily, I thought a bit of searching on DuckDuckGo and search/replace within example code could help me out.

  • Tired of #$%& passwords? Single Sign-on could be savior

    So how is single sign-on more secure, if Facebook is in charge? It's not, say security experts. "They’ve shown they can’t be trusted with our information," says Rudis.

  • Are SSO Buttons Like “Sign-in With Apple” Better Than Passwords?

    Apple recently announced a new product that could prevent users from giving away their email ID to every other site on the internet. It’s expected to launch sometime later in 2019.

    Called “Sign-in with Apple,” it is similar to other Single Sign-on services provided by Google and Facebook. The button lets you login to websites without creating a new user account every time.

  • App Makers Are Mixed on ‘Sign In With Apple’

    But other app makers have mixed feelings on what Apple has proposed. I spoke to a variety of developers who make apps for iOS and Android, one of whom asked to remain anonymous because they aren’t authorized to speak on behalf of their employer. Some are skeptical that Sign In with Apple will offer a solution dramatically different from what’s already available through Facebook or Google. Apple’s infamous opacity around new products means the app makers don’t have many answers yet as to how Apple’s sign in mechanism is going to impact their apps. And one app maker went as far as referring to Apple’s demand that its sign-in system be offered if any other sign-in systems are shown as “petty.”

  • Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

    “This case was not an exception,” he wrote.

    The Hong Kong police made their own move to limit digital communications. On Tuesday night, as demonstrators gathered near Hong Kong’s legislative building, the authorities arrested the administrator of a Telegram chat group with 20,000 members, even though he was at his home miles from the protest site.

  • Security News This Week: Telegram Says China Is Behind DDoS

    As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China. “Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” he added. As Reuters notes, Telegram was DDoSed during protests in China in 2015, as well. Hong Kong does not face the strict [Internet] censorship that exists in mainland China, although activists have expressed concern about increased pressure from Beijing on the region.

  • Nextcloud signs public letter, opposing German plan to force decryption of chat

Latest Security FUD

Security Leftovers

  • Industry Watch: Of open source, data breaches and speed [Ed: And proprietary software is a lot less suitable for security and privacy purposes because there are surveillance 'features' disguised and back doors too]

    Open-source software helps developers work faster and smarter, as they don’t have to ‘re-invent the wheel’ every time they create an application. They just need to be sure the license attached to that software allows them to use the component the way they want. They also need to stay on top of that application, so if the component changes, or an API changes, their application isn’t affected and they are still in compliance.

    Data protection is also something organizations must get serious about. While the GDPR only affects users in the European Union, it’s only a matter of time before those or similar regulations are in place in the U.S. and elsewhere. Companies should get a jump on that by doing a thorough audit of their data, to know they are prepared to be compliant with whatever comes down from the statehouses or from Washington, D.C.

    On the speed side, the benefits of Agile and DevOps are clear. These methodologies enable companies to bring new software products to market faster, with the result of getting a jump on the competition, working more efficiently and ultimately serving your customers.

    Unfortunately, these efforts are usually done by different teams of developers, database administrators and security experts. If the Equifax and Facebook breaches have taught us anything, it’s that you can’t expect developers to be security experts, and you can’t expect DB admins to understand the ramifications on the business when data is misunderstood.

    It will take a coordinated approach to IT to achieve business goals while not leaving the company — and its IP and PII data — exposed.

  • VLC patches critical flaws through EU open source bug bounty program

    More than 30 security issues have been fixed in VLC, the popular open source media player, with developers praising an EU-funded bug bounty program for helping produce its most secure update yet.

    VLC media player, created by the software non-profit VideoLAN, was found to have 33 vulnerabilities within various versions, including two that were considered critical.

    An out-of-bounds write was one of the severe vulnerabilities found to affect all VLC versions, and a stack buffer overflow was also discovered in VLC 4.0.

    Less severe vulnerabilities consisted of out-of-bounds reads, heap overflows, NULL dereferences, and use-after-free bugs.

    An updated version, VLC 3.0.7, has since been released for users to download.

  • VLC Player Gets Patched for Two High Severity Bugs
  • Asigra FreeNAS plugin brings open source data protection [Ed: Some openwashing of proprietary software]

    Asigra is trying to capture FreeNAS users with a free-to-try plugin version of its backup software.

    The Asigra FreeNAS plugin released this week allows customers to turn their iXsystems FreeNAS storage systems into backup targets. It encrypts and deduplicates data before it is sent to the FreeNAS system. The plugin also detects and quarantines malware and ransomware so that it doesn't get backed up.

  • TrueCommand Brings Single Pane of Glass Management to TrueNAS and FreeNAS Fleets
  • WSO2 and Ping Identity Partner to Provide Comprehensive, AI-Powered Cyber-Attack Protection for APIs
  • The Open Source Cookbook: A Baker’s Guide to Modern Application Development

    Let’s begin our cookbook by selecting our recipe. I’ve had some phenomenal baked goods, and I’ve had some not-so-phenomenal baked goods (there is rarely a bad baked good). But I’ve been surprised before, by a croissant from a diner that didn’t taste like the one from the local French bakery, or by a buttercream frosting at a supermarket that just didn’t have the same delicate touch as the one I make at home. In each case, I expected the same as I had before – by title – yet encountered a much different experience. When selecting your recipes, it’s important to understand which type of a particular food you are expecting to make, or you may be met with a different taste when you finish than you were hoping for when you began.

    [...]

    As with cooking, when incorporating open source components into applications, it’s important to understand origin and evolution of what you’re baking into your software. Carefully review your open source component versions, and evaluate the community’s activity in order to have the greatest chance possible to predict the possible technical debt you may inherit.

Security Leftovers

  • Yubico recalls government-grade security keys due to security bug

    If you buy a government-grade security key, the one thing you really want from it is government-grade security. It's the very dictionary definition of "you had one job." That's why it's somewhat embarrassing that Yubico has put out a recall notice on its FIPS series of authentication keys which, it turns out, aren't completely secure.

  • [Microsoft's] EternalBlue exploit surfaces in bog standard mining attack

    A bog standard attack aimed at planting a cryptocurrency miner has been found to be using advanced targeted attack tools as well, the security firm Trend Micro says, pointing out that this behaviour marks a departure from the norm.

Security Leftovers: Patches, FUD, and Management Engine 12 (Intel Back Door)

Security Leftovers

  • Security updates for Thursday
  • WSL2 and Kali
  • Security service tracks embedded Linux vulnerabilities

    Timesys has launched a Vigiles security monitoring and management platform with CVE tracking for embedded Linux available as free software or as a subscription service.

    Timesys Vigiles automates the identification, tracking, and analysis of vulnerabilities by comparing embedded Linux firmware with NIST’s daily Common Vulnerabilities and Exposures (CVE) notifications. The software helps customers focus on vulnerabilities that pose the biggest threats to a customer’s specific software components, thereby “eliminating the need to manually monitor and analyze thousands of vulnerabilities,” says Timesys.

  • Vim devs fix system-pwning text editor bug [Ed: This requires obtaining and opening malicious files though]

    The attack exploits a vulnerability in a Vim feature called modelines, which lets you set variables specific to a file. As long as these statements are in the first few lines, Vim interprets them as instructions. They might tell Vim to display the file with a text width of 60 characters, for example. Or maybe you want to expand tabs to spaces to avoid another geek’s ire.

  • Mail servers running Exim come under attack

    Mail servers running the Exim mail transport agent are being exploited, with the attackers using a vulnerability disclosed a few days ago to run arbitrary commands as root, a security practitioner has warned.

    Exim, one of the four MTAs commonly used on Unix servers, is developed by Philip Hazel at the University of Cambridge. It is the default on some Linux distributions, like Debian.

    [...]

    The original post about the vulnerability was released by Qualys Research Labs on 5 June, which said it was trivially exploitable in local and non-default cases, but with the default configuration an attack would take a long time to succeed.

  • Exim email servers are now under attack [Ed: The drama queen that CBS hired (Cimpanu) says "Almost half of the internet's email servers are now being attacked with a new exploit." It sounds a lot worse when in fact many are patched and the "half" refers to number of installs, not attacks. Misreporting. FUD. ZDNet is not a news site but a tech tabloid. It should be regarded as such.]

Security Leftovers

  • Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos

    US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS's airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.

    The breach involved photos of travelers and their vehicles, which shows the CBP is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant's ALPR database.

    The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government's servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.

  • PHP version 7.2.20RC1 and 7.3.7RC1
  • The GoldBrute botnet is trying to crack open 1.5 million RDP servers

    The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

  • New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

    The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps: [...]

  • 32 bit is dead - Long live 32 bit

    This is another follow-up post on the Intel processor vulnerabilities. Yay. With more bad news. Yay!

    Instead of a long build-up, I will just give you the point: 32 bit is broken

    Well, is that really news? Not really. The real news is that Intel processors are broken - but you already know that. You also know that there are fixes around. Patches for the kernel. Disabling Intel(R) Hyper-Threading.

Security FUD Leftovers

Security: Updates, "Smart" Cards and More

  • Security updates for Wednesday
  • Why Smart Cards Are Smart

    I hope you've found this discussion of the benefits of OpenPGP smart cards useful. With the large market of USB security tokens out there (which has grown even larger with the interest in secure cryptocurrency storage), you have a lot of options to choose from in a number of price ranges. Be sure to check which GPG key sizes and algorithms a smart card supports before you buy it, especially if you use newer elliptic curve algorithms or larger (3072- or 4096-bit) RSA keys.

  • Are Your Linux Servers Really Protected?
  • ProdataKey, DW Partner to Integrate Access Control and VMS

    DW customers can add a pdk io system to their site via a Cloud platform that reduces upfront investment in on premise hardware and management. DW Spectrum IPVMS is accessed with freely distributed client software for Windows/Linux/Mac, the DW Cloud web client for all leading web browsers and via the free DW Spectrum mobile app for iOS and Android.

    The server software is included with pre-configured DW Blackjack NVR servers or it can be installed on third-party Windows or Ubuntu Linux-based systems.

Security Leftovers

  • A [Windows] virus has thrown Philadelphia’s court system into chaos

    Since May 21st, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. The problems started unexpectedly: suddenly, no one could seem to access the system to file documents. “It wasn’t working,” says Rachel Gallegos, a senior staff attorney with the civil legal aid organization Community Legal Services. “I thought it was my computer.”

  • Linux Command-Line Editors Vulnerable to High-Severity Bug

    Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”

    “Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.

  • Beware Linux users! Vulnerability in Vim or Neovim Editor could compromise your Linux
  • The bits and bytes of PKI

    In two previous articles—An introduction to cryptography and public key infrastructure and How do private keys work in PKI and cryptography?—I discussed cryptography and public key infrastructure (PKI) in a general way. I talked about how digital bundles called certificates store public keys and identifying information. These bundles contain a lot of complexity, and it's useful to have a basic understanding of the format for when you need to look under the hood.

  • Update Uncertainty | TechSNAP 405

    We explore the risky world of exposed RDP, from the brute force GoldBrute botnet to the dangerously worm-able BlueKeep vulnerability.

    Plus the importance of automatic updates, and Jim’s new backup box.

  • Microsoft's June 2019 Patch Tuesday fixes many of SandboxEscaper's zero-days

    Microsoft has published today its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of "Critical," the company's highest severity ranking.

    Furthermore, the June 2019 Patch Tuesday also included fixes for four of the five zero-days that a security researcher and exploit seller by the name of SandboxEscaper published online over the course of the last month.

  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key [Ed: Mass slanderer and FUDmeister from Ars Technica (he got sued for his style) recalls Rowhammer (which is more theoretical a risk than a real one)]
  • RAMBleed Attack Can Steal Sensitive Data From Computer Memory [Ed: Rowhammer was mentioned by another site of FUDmeisters (one of whom CBS hired for clickbait)]