Security

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Security updates for Thursday
  • nsenter gains SELinux support

    nsenter is a program that allows you to run a program in the namespaces of other processes

  • Iceland boosts ICT security measures, shares policy

    Iceland aims to shore up the security of its ICT infrastructure by raising awareness and increasing resilience. And next to updating its legislation, Iceland will also bolster the police’s capabilities to tackle cybercrime.

  • A Project to Guarantee Better Security for Open-Source Projects

    Open-source developers, however, can take steps to help catch these vulnerabilities before software is released. Secure development practices can catch many issues before they become full-blown problems. But, how can you tell which open-source projects are following these practices? The Core Infrastructure Initiative has launched a new "Best Practice Badge Program" this week to provide a solution by awarding digital badges to open-source projects that are developed using secure development practices.

Security Leftovers

Filed under
Security
  • London Calling: Two-Factor Authentication Phishing From Iran

    This report describes an elaborate phishing campaign against targets in Iran’s diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and “real time” login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.

    The attacks point to extensive knowledge of the targets’ activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.

  • Ins0mnia: Unlimited Background Time and Covert Execution on Non-Jailbroken iOS Devices

    FireEye mobile researchers discovered a security vulnerability that allowed an iOS application to continue to run, for an unlimited amount of time, even if the application was terminated by the user and not visible in the task switcher. This flaw allowed any iOS application to bypass Apple background restrictions. We call this vulnerability Ins0mnia.

  • Why is the smart home insecure? Because almost nobody cares

    It's easy to laugh-and-point at Samsung over its latest smart-thing disaster: after all, it should have already learned its lesson from the Smart TV debacle, right?

    Except, of course, that wherever you see “Smart Home”, “Internet of Things”, “cloud” and “connected” in the same press release, there's a security debacle coming. It might be Nest, WeMo, security systems, or home gateways – but it's all the same.

  • Critical PayPal XSS vulnerability left accounts open to attack

    PayPal has patched a security vulnerability which could have been used by hackers to steal users' login details, as well as to access unencrypted credit card information. A cross site scripting bug was discovered by Egyptian 'vulnerabilities hunter' Ebrahim Hegazy -- ironically on PayPal's Secure Payments subdomain.

  • Important Notice Regarding Public Availability of Stable Patches

    Grsecurity has existed for over 14 years now. During this time it has been the premier solution for hardening Linux against security exploits and served as a role model for many mainstream commercial applications elsewhere. All modern OSes took our lead and implemented to varying degrees a number of security defenses we pioneered; some have even been burned into silicon in newer processors. Over the past decade, these defenses (a small portion of those we've created and have yet to release) have single-handedly caused the greatest increase in security for users worldwide.

  • Finland detains Russian accused of U.S. malware crimes

    Finland confirmed on Thursday it has detained a Russian citizen, Maxim Senakh, at the request of U.S. federal authorities on computer fraud charges, in a move that Russia calls illegal.

  • Finland confirms arrest of Russian citizen accused of crimes in the US

    Finnish authorities have confirmed the detention of Maxim Senakh, a Russian citizen accused of committing malware crimes in the US. The Russian Foreign Ministry has expressed concern and called on Finland to respect international law.

  • More than 80% of healthcare IT leaders say their systems have been compromised

    Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG.

    The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said.

    The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans.

  • Removal of SSLv3 from LibreSSL
  • Kansas seeks to block release of voting machine paper tapes

    The top election official in Kansas has asked a Sedgwick County judge to block the release of voting machine tapes sought by a Wichita mathematician who is researching statistical anomalies favoring Republicans in counts coming from large precincts in the November 2014 general election.

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Security updates for Wednesday
  • Court rules FTC can prosecute companies over lax online security

    The Third Circuit US Court of Appeals in Philadelphia has ruled that the Federal Trade Commission does have the right to prosecute firms who mishandle their customers' data.

    Between 2008 and 2009, hotel chain Wyndham Worldwide – which runs hotels under the Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge brands – suffered three computer intrusions. The hackers stole the personal information and credit card numbers of over 619,000 customers, causing at least $10.6m in thefts.

  • The Basic Principles of Security (and Why They Matter)

    Yet, despite the frequent complaints about the unrealistic demands of security, today the problem is just as likely to be the insistence on convenience. With the rise of desktop Linux and the popularity of Android, the pressure to be as easy to use as Windows is almost irresistible. As a result, there is no question that the average distribution is less secure than those of a decade ago. That is the price we pay for automounting external devices and giving new users automatic access to printers and scanners — and will continue to pay.

  • GitHub combats DDoS cyberattack

    At the time, the code repository said the cyberattack involved "a wide combination of attack vectors," as well as new techniques including the hijacking of unsuspecting user traffic to flood GitHub, killing the service.

  • Jails – High value but shitty Virtualization

    Virtualization is nothing new, and depending on how fundamentalist your definition of “virtualized environment” is, one can point to the earliest timesharing systems as the origin.

    IBM’s mainframe hardware, the 360 machine series, introduced hardware virtualization, so that it was possible to run several of IBM’s different and incompatible operating systems on the same computer at the same time.

    It’s more than a little bit ironic that a platform which has lasted 50 years now was beset by backwards-compatibility issues almost from the start, and even more so that IBM’s patents in this area of technology prevented anybody else from repeating their mistake for that long.

    Everybody else did software virtualization.

  • How to crack Ubuntu encryption and passwords

    During Positive Hack Days V, I made a fast track presentation about eCryptfs and password cracking. The idea came to me after using one feature of Ubuntu which consists of encrypting the home directory. This option can be selected during installation or activated later.

  • AT&T Hotspots: Now with Advertising Injection

    While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

    But the web had sprouted ads. Lots of them, in places they didn’t belong.

  • Advertising malware rates have tripled in the last year, according to report

    Ad networks have been hit with a string of compromises in recent months, and according to a new report, many of the infections are making it through to consumers. A study published today by Cyphort found that instances of malware served by ad networks more than tripled between June 2014 and February 2015, based on monthly samples taken during the period. Dubbed "malvertising," the attacks typically sneak malicious ads onto far-reaching ad networks. The networks deliver those malware-seeded ads to popular websites, which pass them along to a portion of the visitors to the site. The attacks typically infect computers by exploiting vulnerabilities in Adobe Flash, usually triggered as soon as an ad is successfully loaded.

  • How security flaws work: the buffer overflow

    The most important central concept is the memory address. Every individual byte of memory has a corresponding numeric address. When the processor loads and stores data from main memory (RAM), it uses the memory address of the location it wants to read and write from. System memory isn't just used for data; it's also used for the executable code that makes up our software. This means that every function of a running program also has an address.

  • Lessons learned from cracking 4,000 Ashley Madison passwords

    When hackers released password data for more than 36 million Ashley Madison accounts last week, big-league cracking expert Jeremi Gosney didn't bother running them through one of his massive computer clusters built for the sole purpose of password cracking. The reason: the passwords were protected by bcrypt, a cryptographic hashing algorithm so strong Gosney estimated it would take years using a highly specialized computer cluster just to check the dump for the top 10,000 most commonly used passwords.

Hardened Linux stalwarts grsecurity pull the pin after legal fight

Filed under
Linux
Security

The gurus behind the popular and respected Linux kernel hardening service Grsecurity have decided to stop providing support for its stable offering.

Patches will be ceased in the next two weeks in response to an expensive and lengthy court case between the small outfit and a “multi-billion dollar” corporation which it says flagrantly infringed its trademark.

How Scotland can protect itself from GCHQ spying by going open source

Filed under
OSS
Security

One of the key lies put out in last year’s referendum was that we couldn’t exist securely without the British Security Services (the ones that brought you extraordinary rendition).

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • John McAfee: McAfee antivirus is one of the worst products on the planet
  • Highway to hack: why we’re just at the beginning of the auto-hacking era

    Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?

    That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.

  • backdooring your javascript using minifier bugs

    In addition to unforgettable life experiences and personal growth, one thing I got out of DEF CON 23 was a copy of POC||GTFO 0x08 from Travis Goodspeed. The coolest article I’ve read so far in it is “Deniable Backdoors Using Compiler Bugs,” in which the authors abused a pre-existing bug in CLANG to create a backdoored version of sudo that allowed any user to gain root access. This is very sneaky, because nobody could prove that their patch to sudo was a backdoor by examining the source code; instead, the privilege escalation backdoor is inserted at compile-time by certain (buggy) versions of CLANG.

    That got me thinking about whether you could use the same backdoor technique on javascript. JS runs pretty much everywhere these days (browsers, servers, arduinos and robots, maybe even cars someday) but it’s an interpreted language, not compiled. However, it’s quite common to minify and optimize JS to reduce file size and improve performance. Perhaps that gives us enough room to insert a backdoor by abusing a JS minifier.

Linus Torvalds: Security is never going to be perfect

Filed under
Linux
Security

One of the best kept secrets at this week’s LinuxCon was the presence of Linus Torvalds. I’ve never not seen Linus at any of the LinuxCons I’ve attended since 2009, whether in Europe or North America, but no matter who you asked, the answer was, “He’s not here.” This morning, though, a little bird sang that the surprise guest for the upcoming keynote was none other than Torvalds.

Also: Securing the Internet: Let's Encrypt to release first security certificates September 7

Linux Foundation to Launch New Security-Focused Badge Program for Open-Source Software

Filed under
Linux
Security

During the LinuxCon and CloudOpen events that took place last week in Seattle, North America, Linux Foundation's Core Infrastructure Initiative announced that they are developing a new free Badge Program and that they want to know the open source community's opinion on the matter.

Linux Machines Produce Easy to Guess Random Numbers

Filed under
Linux
Security

A study carried out by two security researchers revealed that the internal system used by Linux systems to produce random numbers, which are later utilized to encrypt data, is much weaker than previously thought.

Android Smart lock: Should you be using it?

Filed under
Android
Security

Here's my suggestion... at least on a user level. If you want to use Smart lock to be able to gain quick and easy access to certain aspects of your device (such as the phone), but keep a modicum of security on other aspects (such as email, messages, etc), employ an app locker app (such as AppLock) to lock down the applications that require security.

Leftovers: KDE

  • ocs-client GSoC
    So my GSoC is coming to its end. I have no cool screenshots to upload this time and I have no new great features to talk about; in fact Claudio and I mainly focused on bugfixing and testing. We have also spent time discussing possible changes and improvements to the current OCS protocol. So is the client ready to be launched? In short I would say no, not yet... although most of its features are implemented and it is usable, it is still an “under construction” project, and we both still have to make some important decisions to make it usable for everyone.
  • The Fiber Engine Poll, Updates, and Breeze
  • Bringing Akonadi Next up to speed
    and refactoring it again, to make sure the codebase remains as clean as possible. The result of that is that an implementation of a simple resource only takes a couple of template instantiations, apart from code that interacts with the datasource (e.g. your IMAP Server) which I obviously can’t do for the resource.
  • New linter integration plugins for KDevelop
  • Artikulate Plans for Randa
    Language learning is often considered to be the task of memorizing new vocabulary and understanding the new grammar rules. Yet for most, the most challenging part is actually getting used to speaking the new language. This is a problem that Artikulate approaches with a simple idea: to learn the correct pronunciation of a word or even a longer phrase, the learner listens to a native speaker recording, repeats and records it, and finally compares both recordings to improve with the next try.

Tails 1.5.1 is out

Tails, The Amnesic Incognito Live System, version 1.5.1, is out. This is an emergency release, triggered by an unscheduled Firefox release meant to fix critical security issues.