Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, CCleaner, and Capsule8

Filed under
Security
  • Security updates for Monday
  • CCleaner malware may be from Chinese group: Avast

    Security company Avast says it has found similarities between the code injected into CCleaner and the APT17/Aurora malware created by a Chinese advanced persistent threat group in 2014/2015.

  • Capsule8 Raises New Funds to Help Improve Container Security

    Container security startup Capsule8 is moving forward with beta customer deployments and a Series A round of funding, to help achieve its vision of providing a secure, production-grade approach to container security.

    The Series A round of funding was announced on Sept. 19, with the company raising $6 million, led by Bessemer and ClearSky, bringing total funding to date up to $8.5 million. Capsule8 first emerged from stealth in February 2017, though its' core technology product still remains in private beta as the company fine-tunes the platform for production workload requirements.

Security: Adobe and Apple Fail/Fare Badly

Filed under
Security
  • In spectacular fail, Adobe security team posts private PGP key on blog

    Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

  • Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments

    Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. 

    With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

Filed under
Security
  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed

    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”

  • Joomla patches eight-year-old critical CMS bug

    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains.

    This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin.

    Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS.

    Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.

  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

Security: FOSS Updates, SEC, CCleaner

Filed under
Security
  • Security updates for Friday
  • SEC Chairman reveals financial reporting system was hacked
  • CCleaner malware outbreak is much worse than it first appeared
  • CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

    At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

    And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

IoT botnet Linux.ProxyM turns its grubby claws to spam rather than DDoS

Filed under
Security

An IoT botnet is making a nuisance of itself online after becoming a conduit for spam distribution.

Linux.ProxyM has the capability to engage in email spam campaigns with marked difference to other IoT botnets, such as Mirai, that infamously offered a potent platform for running distributed-denial-of-service attacks (DDoSing). Other IoT botnets have been used as proxies to offer online anonymity.

Read more

Security: Antipatterns in IoT Security, Signing Programs for Linux, and Guide to Two-Factor Authentication

Filed under
Security
  • Antipatterns in IoT security

    Security for Internet of Things (IoT) devices is something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process.

    A big portion of the talk was about antipatterns that he has seen—and even fallen prey to—in security engineering, he said. It was intended to help engineers develop more secure products on a schedule. It was not meant to be a detailed look at security technologies like cryptography, nor even a guide to what technical solutions to use. Instead, it targeted how to think about security with regard to developing IoT products.

  • Signing programs for Linux

    At his 2017 Open Source Summit North America talk, Matthew Garrett looked at the state of cryptographic signing and verification of programs for Linux. Allowing policies that would restrict Linux from executing programs that are not signed would provide a measure of security for those systems, but there is work to be done to get there. Garrett started by talking about "binaries", but programs come in other forms (e.g. scripts) so any solution must look beyond simply binary executables.

    There are a few different reasons to sign programs. The first is to provide an indication of the provenance of a program; whoever controls the key actually did sign it at some point. So if something is signed by a Debian or Red Hat key, it is strong evidence that it came from those organizations (assuming the keys have been securely handled). A signed program might be given different privileges based on the trust you place in a particular organization, as well.

  • A Guide to Common Types of Two-Factor Authentication on the Web

    Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it's becoming much more common across the web. With often just a few clicks in a given account's settings, 2FA adds an extra layer of security to your online accounts on top of your password.

    In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key). Once you put in your password, you'll grab a code from a text or app on your phone or plug in your security key before you are allowed to log in. Some platforms call 2FA different things—Multi-Factor Authentication (MFA), Two Step Verification (2SV), or Login Approvals—but no matter the name, the idea is the same: Even if someone gets your password, they won't be able to access your accounts unless they also have your phone or security key.

    There are four main types of 2FA in common use by consumer websites, and it's useful to know the differences. Some sites offer only one option; other sites offer a few different options. We recommend checking twofactorauth.org to find out which sites support 2FA and how, and turning on 2FA for as many of your online accounts as possible. For more visual learners, this infographic from Access Now offers additional information.

    Finally, the extra layer of protection from 2FA doesn't mean you should use a weak password. Always make unique, strong passwords for each of your accounts, and then put 2FA on top of those for even better log-in security.

Security: SEC Breach, DNSSEC, FinFisher, CCleaner and CIA

Filed under
Security

Security: Apple's Betrayal, Intel ME Back Doors Backfire, and Optionsbleed

Filed under
Security
  • iOS 11 Muddies WiFi and Bluetooth Controls

    Turning WiFi and Bluetooth off is often viewed as a good security practice. Apple did not rationalize these changes in behavior.

  • How To Hack A Turned-Off Computer, Or Running Unsigned Code In Intel Management Engine

    Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such "God mode" capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.

  • Optionsbleed: Don’t get your panties in a wad

    To be honest, this isn’t the first security concern you’ve run in to, and it isn’t the first security issue you’re vulnerable to, that will remain exploitable for quite some time, until after someone you rely on fixed the issue for you, meanwhile compromising your customers.

    [...]

    Is it a small part of the SSL public key? A small part of the web request response? A chunk of the path to the index.php? Or is it a chunk of the database password used? Nobody knows until you get enough data to analyse the results of all data. If you can’t appreciate the maths behind analysing multiple readings of 8 arbitrary bytes, choose another career. Not that I know what to do and how to do it, by the way.

Security: Patches, CCleaner, Equifax Story Changes, 'Trusted IoT Alliance', Kali Linux 2017.2 and NBN

Filed under
Security

Security: SEC Cracked, Back Doors in Manchester Police, NBN Scans, and Securing Wi-Fi

Filed under
Security
  • SEC reveals it was hacked, information may have been used for illegal stock trades
  • Manchester Police still runs Windows XP on 20 per cent of PCs

    The Met has recently signed a deal with storage company Box which will, amongst other things, reduce the amount of data held locally.

  • Manchester police still relies on Windows XP [Ed: update below]

    The BBC has appealed against its refusal to provide an update.

  • NBN leverages open source software to analyse faults

    A new NBN initiative will use a range of open source projects including Apache SPARK, Kafka, Flume, Cassandra and JanusGraph to help analyse and improve the end user experience on the National Broadband Network.

    The government-owned company today announced it was launching a new ‘Tech Lab’, which it hopes will provide insights into pain points for customers on its network and help resolve faults sooner.

  • 5 Ways to Secure Wi-Fi Networks

    Wi-Fi is one entry-point hackers can use to get into your network without setting foot inside your building because wireless is much more open to eavesdroppers than wired networks, which means you have to be more diligent about security.

    But there’s a lot more to Wi-Fi security than just setting a simple password. Investing time in learning about and applying enhanced security measures can go a long way toward better protecting your network. Here are six tips to betters secure your Wi-Fi network.

Syndicate content

More in Tux Machines

Today in Techrights

GNU/Linux in Ataribox

  • Ataribox will run Linux and AMD custom processor, will cost $300
    In June, Atari declared itself "back in the hardware business" with the announcement of the Ataribox—a retro-styled PC tech-based console. One month later it emerged Atari plans to crowdfund the project, and now we have some hard facts on cost, and what's under its hood. Speaking to VentureBeat, the Ataribox creator and general manager Feargal Mac says an Indiegogo funding campaign will launch this year, and that the final product will ship in spring of 2018. When it does, it'll cost between $250—$300 and will boast an AMD custom processor with Radeon graphics.
  • Atari are launching a new gaming system, the 'Ataribox' and it runs Linux
    Another Linux-based gaming system is coming, this time from Atari. The Ataribox [Official Site] will run on an AMD processor and it sounds quite interesting.

SUSE on Storage

Games: The Spicy Meatball Saves The Day, Uebergame, DwarfCorp