Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, Equifax, Black Duck FUD, Emacs 25.3, and Measuring Security

Filed under
Security
  • Security updates for Monday
  • Researchers use Windows 10 Linux subsystem to run malware

    The provision of a Linux subsystem on Windows systems — a new Windows 10 feature known as Subsystem for Linux (WSL) — has made it possible to run known malware on such systems and bypass even the most common security solutions, security researchers at Check Point claim.

    In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique of getting malware onto a Windows system as Bashware, with Bash being the default shell on a large number of Linux distributions.

  • Episode 62 - All about the Equifax hack
  • Equifax moves to fix weak PINs for “security freeze” on consumer credit reports

    As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company's response were found lacking. As consumers registered and moved to lock their credit reports—in order to prevent anyone who had stolen data from opening credit in their name—they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.

    [...]

    The PIN revelation came on the heels of concerns that Equifax was attempting to block the ability of those checking to see if their data was exposed or enrolling in the TrustedID Premiere service to sue Equifax over the breach. An Equifax spokesperson said that the arbitration clause in the Terms of Service for TrustedID Premier only applied to the service itself, not to the breach.

  • Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach [Ed: But this claim has since then been retracted, so it might be fake news]
  • Equifax Breach Blamed on Open-Source Software Flaw [Ed: This report from a News Corp. tabloid has since been retracted, so why carry on linking to it?]
  • The hidden threat lurking in an otherwise secure software stack [Ed: Yet another attack on FOSS security, courtesy of the Microsoft-connected Black Duck]
  • [ANNOUNCE] Emacs 25.3 released
  • Emacs 25.3 Released To Fix A Security Vulnerability Of Malicious Lisp Scripts

    GNU --
    Emacs 25.3 is now available, but it doesn't offer major new features, rather it fixes a security vulnerability.

    Emacs' x-display decoding feature within the Enriched Text mode could lead to executing arbitrary malicious Lisp code within the text.

  • Measuring security: Part 1 - Things that make money

    If you read my previous post on measuring security, you know I broke measuring into three categories. I have no good reason to do this other than it's something that made sense to me. There are without question better ways to split these apart, I'm sure there is even overlap, but that's not important. What actually matters is to start a discussion on measuring what we do. The first topic is about measuring security that directly adds to revenue such as a product or service.

    [...]

    I see a lot of groups that don't do any of this. They wander in circles sometimes adding security features that don't matter, often engineering solutions that customers only need or want 10% of. I'll never forget when I first looked at actual metrics on new features and realized something we wanted to add was going to have a massive cost and generate zero additional revenue (it may have actually detracted in future product sales). On this day I saw the power in metrics. Overnight my group became heroes for saving everyone a lot of work and headaches. Sometimes doing nothing is the most valuable action you can take.

Security: 'Rich' E-mail, BlackBerry, and D-Link

Filed under
Security
  • The only safe email is text-only email

    The real issue is that today’s web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It’s not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way.

  • BlackBerry admits: We could do better at patching

    BlackBerry has confirmed that its first Android device, the Priv, will be stuck on Google's 2015 operating system forevermore, which Google itself will cease supporting next year.

    Having been promised "the most secure Android", BlackBerry loyalists have seen the promise of monthly security updates stutter recently, with distribution of the monthlies getting patchy (no pun intended).

  • Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers

    Peeved about previous vulnerability disclosures experiences with D-Link, a security researcher has publicly disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers.

    Security researcher Pierre Kim opted to publicly disclose the vulnerabilities this time, citing a “very badly coordinated” disclosure with D-Link in February. That time around he had reported nine vulnerabilities, but he said it took D-Link five months to release new firmware that ended up patching only one of the flaws he found.

A look at TAILS – Privacy oriented GNU/Linux Distribution

Filed under
Reviews
Security
Debian

The Amensic Incognito Live System, is a Debian based distribution that routes all internet traffic through the TOR network, and leaves no trace of its existence or anything done on the system when the machine is shut down. The obvious aim in this, is to aid in keeping the user anonymous and private. Tails is not installed to a users computer, but instead is run strictly as a LiveUSB / LiveDVD.

TAILS does not utilize the host machines Hard Disk at all, and is loaded entirely into RAM. When a machine is shut down, the data that is stored in RAM disappears over the course of a few minutes, essentially leaving no trace of whatever had been done. Granted, there is a method of attack known as a Cold Boot Attack, where data is extracted from RAM before it has had a chance to disappear, but TAILS has you covered on that front too; the TAILS website says,

“To prevent this attack, the data in RAM is overwritten by random data when shutting down Tails. This erases all traces from your session on that computer.”

Read more

Security: Equifax Blame Game and Germany's Election Software

Filed under
Security

Security: Minnesota, Equifax, Virginia, Kaspersky, F-35

Filed under
Security

The Apache Software Foundation Blog: Apache Struts Statement on Equifax Security Breach (and More)

Filed under
Security

Security: Microsoft Won't Patch, Kaspersky Responds, EU Cyberwar Games

Filed under
Security
  • Microsoft won't patch Edge XSS vulnerability

     

    The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

  • Microsoft shrugs off Windows kernel bug that can block malware detection

     

    "After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000."

    [...]

     

    "We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year. They did not deem it as a security issue.

  • Kaspersky: Ex-NSA infosec expert asks FBI to put up or shut up

     

    Former NSA employee and information security expert Jake Williams has told the FBI to either provide proof to the public that Kaspersky Lab products are unsafe for use or keep mum.

  • EU hosts its first cyber war games

     

    "The goal of the exercise is to highlight a number of strategic concerns and topics that arise in connection with any hypothetical cyber crisis. This exercise should serve as a forum for discussion at ministerial level and provide strategic guidance to address future crises," it said.

  • Cyber alert: EU ministers test responses in first computer war game [iophk: "blanket ban Microsoft in the EU"]

     

    After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers {sic} from shutting down more critical infrastructure or crippling corporate and government networks.  

Security: Equifax Fiasco Deepening, Apache STRUTS Blamed

Filed under
Security
  • Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

    Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

    First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

  • Breach at Equifax May Impact 143M Americans
  • Equifax blames giant breach on vendor software flaw

    “My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post.

  • The hackers who broke into Equifax exploited a flaw in open-source server software

    The credit reporting agency Equifax announced on Sept. 7 that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, “exploited a U.S. website application vulnerability to gain access to certain files.”

  • Apache Struts vulnerability affects versions since 2008

    A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild and a patch was released, users urged to update software immediately.

    [...]

    Man Yue Mo, researcher at the open source software project LGTM.com run by software analytics firm Semmle, Inc., headquartered in San Francisco, disclosed the remotely executable Apache Struts vulnerability, which he said was "a result of unsafe deserialization in Java" and could lead to arbitrary code execution. Mo originally disclosed the issue to Apache on July 17, 2017.  

  • So, Equifax says your data was hacked—now what?

    Yesterday, the credit reporting agency Equifax revealed that the personal data of 143 million US consumers, as well as "limited personal information for certain UK and Canadian residents," was exposed by an attack exploiting security flaws in the company's website. Social Security numbers, dates of birth, addresses, and some drivers license numbers were all exposed—information which could be used to pose as individuals to gain access to financial accounts, open new ones in their names, or file fraudulent tax returns.

  • Are you an Equifax breach victim? You could give up right to sue to find out [Updated]

    By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

    The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

  • Equifax won’t bar consumers from joining lawsuits related to breach

    Equifax announced on Friday it will not stop consumers from moving to join a class action lawsuit against the company, which suffered a severe breach on Thursday when hackers gained action to personal information belonging to 143 million people. 

    The firm's was forced to clarify its terms of service after it faced backlash when it appeared that in order to receive credit protection, consumers affected by the breach would have to give up their right to join a lawsuit over the hack. 

Security: Equifax, The Shadow Brokers, Microsoft Does Not Care About Security

Filed under
Security
  • Equifax Is Proving Why Forced Arbitration Clauses Ought to Be Banned, Just Like the CFPB Wants to Do

    Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.

    Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.

  • Equifax and Correlatable Identifiers

    The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where the money is."

    So long as we insist on creating huge honeypots of valuable data, hackers will continue to target them. And since no security is perfect, they will eventually succeed. Computer security is difficult because computer systems are non-linear—small errors can result in huge losses. This makes failure points difficult to detect. These failure points are not usually obvious. But hackers have a lot of motivation to find them when the prize is so large.

  • TheShadowBrokers group returns with NSA UNITEDRAKE hacking malware and promises more leaks

    UNITEDRAKE is a remote access hacking tool that can be used to target Windows machines. Modular in nature, the malware can be expanded through the use of plugins to increase its capabilities so it can capture footage from webcams, tap into microphones, capture keystrokes, and more.

  • The Shadow Brokers Unveil United Rake Toolkit and Double Monthly NSA Dump Frequency

    Most people have come to know The Shadow Brokers as a hacker collective that successfully infiltrated the NSA and took some of its goodies. Over the past year or so, we have seen most of these exploits released to the public. More powerful tools remain part of the collective’s monthly subscription service, which has been operational for nearly three months now. If certain tools could earn them money, they would much rather take that option.

    There were some interesting recent changes made by The Shadow Brokers. Instead of doing just one dump of exploits each month, they are shifting things into a higher gear. There will now be two dumps per month, which can still only be paid in ZCash. Their PDF file clearly states that they have no interest in Monero, which is pretty interesting. All of the previously issued dumps are now available for purchase as well, should someone want to see what those are all about.

    The August software is called United Rake, and it is quite a powerful tool. It is a “fully extensible remote collection system.” As one would come to expect, it is designed for the world’s most popular operating system, which is still Microsoft Windows. As is the case with every exploit unveiled by The Shadow Brokers, the release comes with its own detailed manual, allegedly created by and distributed to NSA staffers at some point.

  • Microsoft won't patch Edge browser content security bypass

    Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?

    Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".

  • Bug in Windows Kernel Could Prevent Security Software From Identifying Malware
  • Bug In Windows Kernel Could Prevent Security Software From Identifying Malware

    "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.

Security: Updates, Election, Lenovo and Equifax

Filed under
Security
  • Security updates for Thursday
  • Security updates for Friday
  • Software to capture votes in upcoming national election is insecure

    The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

    „Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.

  • The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

    You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

  • Equifax website hack exposes data for ~143 million US consumers

    Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

    The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.

  • Why the Equifax breach is very possibly the worst leak of personal info ever

    It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

Syndicate content

More in Tux Machines

Firefly COM dual boots Android and Ubuntu on hexa-core RK3399

GNOME developer Bastien Nocera talks in his latest blog post about the enhancements he managed to implement in the past few weeks to the Bluetooth stack of the Fedora Linux operating system. Read more

Games: Morphite, Mooseman, Arma, and PlayStation 4 DualShock Controller

  • Stylish FPS 'Morphite' released without Linux support, but it's coming
    Sadly, Morphite [Steam] has seen a delay with the Linux version. Thankfully, the developer was quick to respond and it's still coming.
  • The Mooseman, a short side-scrolling adventure just released for Linux
    In the mood for something a little out there? Well, The Mooseman [Steam] a short side-scroller might just hit the spot.
  • Arma 3 1.76 for Linux is planned, work on it to start "soon"
    Bohemia Interactive have announced in their latest "SITREP" that the Linux version of Arma 3 will be updated to the latest version of 1.76, work is set to start on it "soon".
  • Sony's PlayStation 4 DualShock Controller Now Supported in Fedora Linux, GNOME
    GNOME developer Bastien Nocera talks in his latest blog post about the enhancements he managed to implement in the past few weeks to the Bluetooth stack of the Fedora Linux operating system. The patches submitted by the developer to the Bluetooth packages in the latest Fedora Linux release promise to bring improvements to the way PlayStation 3 DualShock controllers are set up in the environment if you're using the GNOME desktop environment. Until now, to set up a DualShock 3 controller, users had to plug it in via USB, then disconnect it, and then press the "P" button on the joypad, which would have popped-up a dialog to confirm the Bluetooth connection. But this method had some quirks though.

Debian Development Reports

  • Free software log (July and August 2017)
    August was DebConf, which included a ton of Policy work thanks to Sean Whitton's energy and encouragement. During DebConf, we incorporated work from Hideki Yamane to convert Policy to reStructuredText, which has already made it far easier to maintain. (Thanks also to David Bremner for a lot of proofreading of the result.) We also did a massive bug triage and closed a ton of older bugs on which there had been no forward progress for many years. After DebConf, as expected, we flushed out various bugs in the reStructuredText conversion and build infrastructure. I fixed a variety of build and packaging issues and started doing some more formatting cleanup, including moving some footnotes to make the resulting document more readable.
  • Freexian’s report about Debian Long Term Support, August 2017
    Like each month, here comes a report about the work of paid contributors to Debian LTS.
  • Reproducible Builds: Weekly report #125
    16 package reviews have been added, 99 have been updated and 92 have been removed in this week, adding to our knowledge about identified issues.

The GNOME Foundation Backs Librem 5

  • GNOME Foundation partners with Purism to support its efforts to build the Librem 5 smartphone
    The GNOME Foundation has provided their endorsement and support of Purism’s efforts to build the Librem 5, which if successful will be the world’s first free and open smartphone with end-to-end encryption and enhanced user protections. The Librem 5 is a hardware platform the Foundation is interested in advancing as a GNOME/GTK phone device. The GNOME Foundation is committed to partnering with Purism to create hackfests, tools, emulators, and build awareness that surround moving GNOME/GTK onto the Librem 5 phone. As part of the collaboration, if the campaign is successful the GNOME Foundation plans to enhance GNOME shell and general performance of the system with Purism to enable features on the Librem 5.
  • Now GNOME Foundation Wants to Support Purism's Privacy-Focused Linux Smartphone
    GNOME Foundation, the non-profit organization behind the popular GNOME desktop environment designed for Linux-based operating systems, announced on Wednesday that they plan on supporting Purism's Librem 5 smartphone. The announcement comes only a week after KDE unveiled their plans to work with Purism on an implementation of their Plasma Mobile interface into the security- and privacy-focused Librem 5 Linux smartphone, and now GNOME is interested in advancing the Librem 5 hardware platform as a GNOME/GTK+ phone device. "Having a Free/Libre and Open Source software stack on a mobile device is a dream-come-true for so many people, and Purism has the proven team to make this happen. We are very pleased to see Purism and the Librem 5 hardware be built to support GNOME," said Neil McGovern, Executive Director, GNOME Foundation.
  • GNOME Joins The Librem 5 Party, Still Needs To Raise One Million More Dollars
    One week after announcing KDE cooperation on the proposed Librem 5 smartphone with plans to get Plasma Mobile on the device if successful, the GNOME Foundation has sent out their official endorsement of Purism's smartphone dream. Purism had been planning to use GNOME from the start for their GNU/Linux-powered privacy-minded smartphone while as of today they have the official backing of the GNOME Foundation.