Language Selection

English French German Italian Portuguese Spanish

Security

Security: Telstra, Google+ and Facebook Incidents, and Latest Updates

Filed under
Security

Security: Cracking, Elections and Apache

Filed under
Security
  • Hack [sic] on 8 adult websites exposes oodles of intimate user data

    A recent [crack] of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it’s not clear how many of the addresses legitimately belonged to actual users.

  • Professors discuss election security, voting systems at panel

    Amid questions of election security and potential system hacking in the upcoming midterm elections, Engineering prof. J. Alex Halderman spoke at the University of Michigan Alumni Center Thursday night about vulnerabilities in U.S. voting systems. Last June, Halderman appeared before the Senate Select Committee on Intelligence to testify about such.

    [...]

    “If an attack takes place, we won’t necessarily see the physical evidence," Halderman said. "The physical evidence that it took place is a discrepancy between what’s written on a piece of paper and what a computer total of that paper says. Because elections are so complicated, they’re so noisy, because the [crackers] can hide their traces in various ways, we won’t necessarily see when something like this happen for the first time. We've got to be ready.”

  • Apache Access Vulnerability Could Affect Thousands of Applications

    A recently discovered issue with a common file access method could be a major new attack surface for malware authors.
    Vulnerabilities in Apache functions have been at the root of significant breaches, including the one suffered by Equifax. Now new research indicates that another such vulnerability may be putting thousands of applications at risk.

    Lawrence Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, found an issue with the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application.

Security: U.S. CMS Breach and New Security Woes for Popular 'IoT' Protocols

Filed under
Security
  • U.S. CMS says 75,000 individuals' files accessed in data breach
  • CMS Responding to Suspicious Activity in Agent and Broker Exchanges Portal

    At this time, we believe that approximately 75,000 individuals’ files were accessed. While this is a small fraction of consumer records present on the FFE, any breach of our system is unacceptable.

  • New Security Woes for Popular IoT Protocols

    Researchers at Black Hat Europe will detail denial-of-service and other flaws in MQTT, CoAP machine-to-machine communications protocols that imperil industrial and other IoT networks online.
    Security researcher Federico Maggi had been collecting data – some of it sensitive in nature – from hundreds of thousands of Message Queuing Telemetry Transport (MQTT) servers he found sitting wide open on the public Internet via Shodan. "I would probe them and listen for 10 seconds or so, and just collect data from them," he says.

    He found data on sensors and other devices sitting in manufacturing and automotive networks, for instance, as well as typical consumer Internet of Things (IoT) gadgets.

    The majority of data, Maggi says, came from consumer devices and sensors or was data he couldn’t identify. "There was a good amount of data from factories, and I was able to find data coming from pretty expensive industrial machines, including a robot," he says.

Security: ZDNet/CBS FUD, WiFi4EU, and Krack Wi-Fi

Filed under
Security
  • Open source web hosting software compromised with DDoS malware [Ed: CBS hired Catalin Cimpanu for him to have a broader platform with which to associate "Open Source" with security issues (does he say "proprietary" when it's proprietary, too?). Microsoft has long financed efforts to associate FOSS/copyleft with security issues and stigmatise it with licensing terror.]
  • Commission tried to hide details of 'WiFi4EU' glitch

    The European Commission has tried to hide information related to technical problems its free wifi fund portal suffered, by claiming that it was "out of scope".

    It released documents to EUobserver following an access to documents request - but heavily redacted some of the key papers.

    However, one of the documents has been leaked and published online. A comparison between the leaked version and the one released by the commission clearly shows that the commission went too far with its redactions.

  • The Flawed System Behind the Krack Wi-Fi Meltdown

    "If there is one thing to learn from this, it's that standards can't be closed off from security researchers," says Robert Graham, an analyst for the cybersecurity firm Erratasec. "The bug here is actually pretty easy to prevent, and pretty obvious. It's the fact that security researchers couldn't get their hands on the standards that meant that it was able to hide."

    The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security, the popular cryptographic protocol used in web encryption, WPA2 doesn't make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.

Security Leftovers

Filed under
Security

Open-source hardware could defend against the next generation of hacking

Filed under
Hardware
OSS
Security

Imagine you had a secret document you had to store away from prying eyes. And you have a choice: You could buy a safe made by a company that kept the workings of its locks secret. Or you could buy a safe whose manufacturer openly published the designs, letting everyone – including thieves – see how they’re made. Which would you choose?

It might seem unexpected, but as an engineering professor, I’d pick the second option. The first one might be safe – but I simply don’t know. I’d have to take the company’s word for it. Maybe it’s a reputable company with a longstanding pedigree of quality, but I’d be betting my information’s security on the company upholding its traditions. By contrast, I can judge the security of the second safe for myself – or ask an expert to evaluate it. I’ll be better informed about how secure my safe is, and therefore more confident that my document is safe inside it. That’s the value of open-source technology.

Read more

Security: DMARC, ShieldX, Spectre V2, Equifax/TransUnion and More

Filed under
Security
  • DMARC Email Security Adoption Soars as US Government Deadline Hits
  • ShieldX Integrates Intention Engine Into Elastic Security Platform

    ShieldX announced its new Elastic Security Platform on Oct. 17 providing organizations with Docker container based data center security, that uses advanced machine learning to determine intent.

    At the core of the Elastic Security Platform is a technology that ShieldX calls the Adaptive Intention Engine that automatically determines the right policy and approach for security controls across multicloud environments. The intent-based security model can provide network microsegmentation, firewall and malware detection capabilities, among other features.

  • Spectre V2 "Lite" App-To-App Protection Mode Readying For The Linux Kernel

    We are approaching one year since the Spectre and Meltdown CPU vulnerabilities shocked the industry, and while no new CPU speculative execution vulnerabilities have been made public recently, the Linux kernel developers continue improving upon the Spectre/Meltdown software-based mitigation techniques for helping to offset incurred performance costs with current generation hardware.

  • Another Massive Credit Reporting Database Breached By Criminals

    Lots of companies like gathering lots of data. Many do this without explicit permission from the people they're collecting from. They sell this info to others. They collect and collect and collect and it's not until there's a problem that many people seem to feel the collection itself is a problem.

    The Equifax breach is a perfectly illustrative case. Lenders wanted a service that could rate borrowers quickly to determine their trustworthiness. This required a massive amount of data to be collected from numerous creditors, along with personally-identifiable information to authenticate the gathered data. The database built by Equifax was a prime target for exploitation. That this information would ultimately end up in the hands of criminals was pretty much inevitable.

    But Equifax isn't the only credit reporting service collecting massive amounts of data but failing to properly secure it. TransUnion not only collects a lot of the same information, but it sells access to cops, lenders, private investigators, landlords… whoever might want to do one-stop shopping for personal and financial data. This includes criminals, because of course it does.

  • Security updates for Wednesday
  • LibSSH Flaw Allows Hackers to Take Over Servers Without Password
  • This iPhone Passcode Bypass Allows Hackers To View And Share Your Images

    If you look at the video, the iOS vulnerability can be seen as part of running accessibility features on the device. He used the iPhone VoiceOver feature and the Siri assistant to access the Photo Library, open photos and send them to another device chosen by the attacker.

Security: Facebook, GNU Binutils and Epson/HP

Filed under
Security
  • What To Do If Your Account Was Caught in the Facebook Breach

    Keeping up with Facebook privacy scandals is basically a full-time job these days. Two weeks ago, it announced a massive breach with scant details. Then, this past Friday, Facebook released more information, revising earlier estimates about the number of affected users and outlining exactly what types of user data were accessed. Here are the key details you need to know, as well as recommendations about what to do if your account was affected.

    30 Million Accounts Affected

    The number of users whose access tokens were stolen is lower than Facebook originally estimated. When Facebook first announced this incident, it stated that attackers may have been able to steal access tokens—digital “keys” that control your login information and keep you logged in—from 50 to 90 million accounts. Since then, further investigation has revised that number down to 30 million accounts.

    The attackers were able to access an incredibly broad array of information from those accounts. The 30 million compromised accounts fall into three main categories. For 15 million users, attackers access names and phone numbers, emails, or both (depending on what people had listed).

  • GNU Binutils read_reloc Function Denial of Service Vulnerability [CVE-2018-18309]
  • Security Updates Are Even Breaking Your Printer (On Purpose)

    Printer manufacturers hate third-party ink cartridges. They want you buying the expensive, official ones. Epson and HP have issued sneaky “updates” that break these cheaper cartridges, forcing you to buy the expensive ones.

    HP pioneered this technique back in 2016, rolling out a “security update” to its OfficeJet and OfficeJet Pro printers that activated a helpful new feature—helpful for HP’s bottom line, at least. Now, before printing, the printer would verify you’re using new HP ink cartridges. If you’re using a competitor’s ink cartridge or a refilled HP ink cartridge, printing would stop. After some flaming in the press, HP sort-of apologized, but not really.

Security: Stamos, E-mail and RAT Arrest

Filed under
Security

Security: Patches, FUD and Voting Machines

Filed under
Security
  • libssh 0.8.4 and 0.7.6 security and bugfix release

    libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

  • A Cybersecurity Weak Link: Linux and IoT [Ed: Blaming "Linux" for companies that put default passwords on all their products? Windows has back doors.]
  • Undetectably bypass voting machines' anti-tamper mechanism with a bit of a soda-can

    But University of Michigan grad student Matt Bernhard has demonstrated that he can bypass the tamper-evident seals in seconds, using a shim made from a slice of a soda can. The bypass is undetectable and doesn't damage the seal, which can be resecured after an attacker gains access to the system.

  • Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can

    Bernhard, who is an expert witness for election integrity activists in a lawsuit filed in Georgia to force officials to get rid of paperless voting machines used in that state, said the issue of security ties and seals came up in the lawsuit earlier this year when Fulton County Elections Director Richard Barron told the court that his Georgia county relies on tamper-evident metal and plastic ties to seal voting machines and prevent anyone with physical access to the machines from subverting them while they sit in polling places days before an election.

    [...]

    He noted that defeating ties and seals in non-tamper-evident ways isn’t the only method to wreak havoc on an election in Michigan. The state has a unique law that prohibits ballots from being used in a recount if the number of voters doesn't match the number of ballots cast at a precinct or if the seal on a ballot box is broken or has a different serial number than what it should have. Someone who wanted to wreak havoc on an election or alter an election outcome in Michigan could purposely tamper with ballot box seals in a way that is evident or simply replace them with a seal bearing a different serial number in order to get ballots excluded from a recount. The law came into sharp relief after the 2016 presidential election when Green Party candidate Jill Stein sought to get a statewide recount in Michigan and two other critical swing states and found that some precincts in Wayne County couldn't be recounted because the number of voters who signed the poll books—which get certified with a seal signed by officials—didn't match the number of ballots scanned on the voting machines.

Syndicate content

More in Tux Machines

Red Hat: OpenShift and Awards

  • OpenShift Commons Briefing: OpenShift 3.11 Release Update with Scott McCarty (Red Hat)
    In this briefing, Red Hat’s Scott McCarty and numerous other members of the OpenShift Product Management team gave an in-depth look at Red Hat’s OpenShift’s latest release 3.11 and some insights in to the road ahead.
  • Awards roll call: Red Hat awards, June to October 2018
    Depending on the weather in your region, it’s safe to say that the seasons are changing so it’s a good time to look back at what was a busy few months for Red Hat, especially when it came to industry awards for our technical and product leadership. In recent months, Red Hat products and technologies took home twenty awards, highlighting the breadth and depth of our product portfolio as well as the expertise that we provide to our customers. In addition, Red Hat as a company won five awards recognizing its growth and culture as a leader in the industry.
  • More advice from a judge - what it takes to win a Red Hat Innovation Award
    Last year I penned the below post to provide insight into what the judges of the Red Hat Innovation Awards are looking for when reviewing submissions. Looking back, I would give almost the identical advice again this year...maybe with a few tweaks. With all the stellar nominations that we receive, the question I often get is, “how can we make our entry standout?” There’s no magic formula for winning the Red Hat Innovation Awards, but there are things that the other judges and I look for in the entries. Overall, we’re looking for the project that tells a compelling story. It’s not just about sharing what Red Hat products and services you used, we want to hear the full narrative. What challenges did you face; how you implemented the project; and ultimately, what was the true business impact and transformation that took place? Submissions that are able to showcase how open source culture and values were key to success, or how the project is making a difference in the lives of others, are the entries that most often rise to the top.

today's howtos

OSS Leftovers

  • How to be an effective and professional member of the Samba user and development Community
    For many years we have run these lists dedicated to developing and promoting Samba, without any set of clear guidelines for people to know what to expect when participating.  What do we require? What kind of behavior is encouraged?
  • Blockcerts Updates Open Source Blockchain Architecture
    Learning Machine is making changes to its Blockcerts Credential Issuer, Verifier and Wallet to enable native support for records issuance and verification using any blockchain. Blockcerts was launched by Learning Machine and MIT Media Lab in 2016 as new way to allow students to receive digital diplomas through an app, complementing a traditional paper degree. Blockcerts was originally designed to be blockchain-agnostic, which means that open standards can be used to anchor records in any blockchain. The Blockcerts Universal Identifier recognizes which blockchain is being used and verifies accordingly. Currently, the open source project has added support for bitcoin and Ethereum blockchains, but anyone can add support through the project's GitHub page.
  • First full featured open-source Ethereum block explorer BlockScout launched by POA Network
  • Amsterdam-based ING Bank Introduces Open-Source Zero Knowledge Technology
  • ING Bank Launches Open Source Privacy Improvement Add-On for Blockchains
  • Imec tool accelerates DNA sequencing 10x
    As a result, in a typical run, elPrep is up to ten times faster than other software tools using the same resources. It is designed as a seamless replacement that delivers the exact same results as GATK4.0 developed by the Broad Institute. elPrep has been written in the Go programming language and is available through the open-source GNU Affero General Public License v3 (AGPL-3.0).
  • On the low adoption of automated testing in FOSS
    A few times in the recent past I've been in the unfortunate position of using a prominent Free and Open Source Software (FOSS) program or library, and running into issues of such fundamental nature that made me wonder how those issues even made it into a release. In all cases, the answer came quickly when I realized that, invariably, the project involved either didn't have a test suite, or, if it did have one, it was not adequately comprehensive. I am using the term comprehensive in a very practical, non extreme way. I understand that it's often not feasible to test every possible scenario and interaction, but, at the very least, a decent test suite should ensure that under typical circumstances the code delivers all the functionality it promises to. [...] Most FOSS projects, at least those not supported by some commercial entity, don't come with any warranty; it's even stated in the various licenses! The lack of any formal obligations makes it relatively inexpensive, both in terms of time and money, to have the occasional bug in the codebase. This means that there are fewer incentives for the developer to spend extra resources to try to safeguard against bugs. When bugs come up, the developers can decide at their own leisure if and when to fix them and when to release the fixed version. Easy! At first sight, this may seem like a reasonably pragmatic attitude to have. After all, if fixing bugs is so cheap, is it worth spending extra resources trying to prevent them?
  •  
  • Chrome for Linux, Mac, and Windows Now Features Picture-in-Picture by Default
    Chromium evanghelist at Google François Beaufort announced today that Picture-in-Picture (PiP) support is now enabled by defualt in the Google Chrome web browser for Linux, Mac, and Windows platforms. Google's engineers have been working for months to add Picture-in-Picture (PiP) support to the Google Chrome web browser, but the long-anticipated feature is finally here, enabled by default in the latest version for Linux, Mac, and Windows operating systems. The feature lets you detach a video in a floating window so you can watch it while doing something else on your computer.
  • Teaching With an Index Card: the Benefits of Free, Open-Source Tools
  • Decentralized Authentication for Self-Sovereign Identities using Name Systems
    The GNU Name System (GNS) is a fully decentralized public key infrastructure and name system with private information retrieval semantics. It serves a holistic approach to interact seamlessly with IoT ecosystems and enables people and their smart objects to prove their identity, membership and privileges - compatible with existing technologies. In this report we demonstrate how a wide range of private authentication and identity management scenarios are addressed by GNS in a cost-efficient, usable and secure manner. This simple, secure and privacy-friendly authentication method is a significant breakthrough when cyber peace, privacy and liability are the priorities for the benefit of a wide range of the population. After an introduction to GNS itself, we show how GNS can be used to authenticate servers, replacing the Domain Name System (DNS) and X.509 certificate authorities (CAs) with a more privacy-friendly but equally usable protocol which is trustworthy, human-centric and includes group authentication. We also built a demonstrator to highlight how GNS can be used in medical computing to simplify privacy-sensitive data processing in the Swiss health-care system. Combining GNS with attribute-based encryption, we created ReclaimID, a robust and reliable OpenID Connect-compatible authorization system. It includes simple, secure and privacy-friendly single sign-on to seamlessly share selected attributes with Web services, cloud ecosystems. Further, we demonstrate how ReclaimID can be used to solve the problem of addressing, authentication and data sharing for IoT devices. These applications are just the beginning for GNS; the versatility and extensibility of the protocol will lend itself to an even broader range of use-cases. GNS is an open standard with a complete free software reference implementation created by the GNU project. It can therefore be easily audited, adapted, enhanced, tailored, developed and/or integrated, as anyone is allowed to use the core protocols and implementations free of charge, and to adopt them to their needs under the terms of the GNU Affero General Public License, a free software license approved by the Free Software Foundation.
  • Make: an open source hardware, Arduino-powered, 3D-printed wire-bending machine
    How To Mechatronics has pulled together detailed instructions and a great video explaining how to make an Arduino-powered, 3D-printed wire-bending machine whose gears can create arbitrary vector images out of precision-bent continuous lengths of wire.
  • RApiDatetime 0.0.4: Updates and Extensions
    The first update in a little while brings us release 0.0.4 of RApiDatetime which got onto CRAN this morning via the lovely automated sequence of submission, pretest-recheck and pretest-publish. RApiDatetime provides seven entry points for C-level functions of the R API for Date and Datetime calculations. The functions asPOSIXlt and asPOSIXct convert between long and compact datetime representation, formatPOSIXlt and Rstrptime convert to and from character strings, and POSIXlt2D and D2POSIXlt convert between Date and POSIXlt datetime. This releases brings asDatePOSIXct as a seventh courtesy of Josh Ulrich. All these functions are all fairly useful, but not one of them was previously exported by R for C-level use by other packages. Which is silly as this is generally extremely carefully written and tested code.
  • 6 JavaScript books you should know
    If there was ever the potential for a giant book list it's one based on our favorite Javascript books. But, this list is short and easy to digest. Maybe it will help you get started, gently. Plus, check out three of our top Javascript articles with even more books, resources, and tips.

Security: Telstra, Google+ and Facebook Incidents, and Latest Updates