Security

Security Leftovers

Filed under
Security
  • Survey of bug bounty hunters shows who pans for pwns

    Asking the crowd for help in fixing security problems is going mainstream. Microsoft, Facebook, and other tech giants have offered "bug bounties"—cash rewards or other prizes and recognition—to individuals discovering vulnerabilities in their products for years. (Ars even made it onto Google's security wall of fame in 2014 for reporting a Google search bug, though we didn't get a cash payout.)

  • Mother-Son Duo Fools iPhone X Face ID Like It’s No Big Deal

    Uploaded by Attaullah Malik on YouTube, the 41-second clip shows his 10-year-old son unlocking Face ID on an iPhone X which was configured to accept the mother’s face.

  • Watch a 10-Year-Old's Face Unlock His Mom's iPhone X

    Malik offered to let Ammar look at his phone instead, but the boy picked up his mother's, not knowing which was which. And a split second after he looked at it, the phone unlocked.

  • This 10-year-old was able to unlock his mom’s iPhone using Face ID

    Although Apple says Face ID is more secure than Touch ID, this raises questions about the possibility of false positives not only happening with twins and siblings around the same age, but with people of different sexes and significantly different ages. It is possible that the son’s age played a role as Apple has said that the “undeveloped facial features” in those under the age of 13 could cause issues with Face ID.

  • Safety alert: see how easy it is for almost anyone to hack [sic] your child’s connected toys

    Watch our video below to see just how easy it is for anyone to take over the voice control of a popular connected toy, and speak directly to your child through it. And we’re not talking professional hackers [sic]. It’s easy enough for almost anyone to do.

  • Trump administration to release rules on disclosure of cybersecurity flaws: NSA

    The Trump administration is expected to publicly release on 15 November its rules for deciding whether to disclose cybersecurity flaws or keep them secret, a national security official told Reuters.

Tails 3.3 is out

Filed under
Security
Debian

This release fixes many security issues and users should upgrade as soon as possible.

Security: USB Bugs, OnePlus 'Back Door', and ME 'Back Door'

Filed under
Security

Security: Kaspersky in the UK and Apple's Face ID

Filed under
Security

Security: Kaspersky, Shadow Brokers, Core Infrastructure Initiative, Face ID

Filed under
Security
  • The Daily Mail whisks up Kaspersky fears - but where's the meat?

    Make a note. Whenever you see the Daily Mail publish a headline which asks a question, the correct answer is invariably "no". If they had any reason to believe it was "yes", then they wouldn't have posed it as a question.

    The truth is that newspapers post these "Is the Loch Ness Monster on Tinder?"-style headlines because they know they'll get more clicks than if they use a headline which reflects the actual conclusion of the article.

  • NSA Cyber Weapons Turned Against Them in Hack

    A hack on the National Security Agency, claimed by a group called the “Shadow Brokers,” has caused a chilling effect on agency staffers, as they wonder whether it was a foreign hacker or someone on the inside.

  • Why the cybersecurity industry should care about Open Source maintenance

    In June of this year, Thales eSecurity joined the Core Infrastructure Initiative (CII), a project both founded and managed by The Linux Foundation, with the aim of collaboratively enhancing and strengthening the security and resilience of critical Open Source projects. Many of the world’s largest technology companies already belong to the CII, with Thales being officially recognised as the first global security firm to join the initiative.

  • You Can Easily Beat iPhone X Face ID Using This 3D-Printed Mask

    When it launched the iPhone X, Apple said that the company has worked with professional mask makers and Hollywood makeup artists. It was to make sure their facial recognition tech doesn’t fail when someone attempts to beat it.

Security: Proprietary Software and Microsoft's Back Doors

Filed under
Microsoft
Security
  • Hackers Can Use Your Antivirus Software To Spread Malware [Ed: Crackers can use just about any proprietary software to spread other (even more malicious) proprietary software]
  • NYT: NSA Spy Units Forced to 'Start Over' After Leaks, Hacks
  • Media: homeland security USA “shocked” by the data theft [Ed: "shocked" by impact of its own collusion with Microsoft]
  • Report: NSA Hunts for Moles Amid Crippling Information Leaks

    The National Security Agency has spent more than a year investigating a series of catastrophic breaches and has yet to determine whether it’s fighting foreign hackers or a mole inside the agency, The New York Times reports. At the center of the saga is a mysterious group called the Shadow Brokers, which has been taunting the agency with periodic dumps of secret code online—leaks that employees say are much more damaging to national security than the information leaked by former NSA contractor Edward Snowden. Some of the stolen code has been used in global malware attacks such as the WannaCry cyberattack, which crippled hospitals and government institutions across the world. Current and former employees have described a mole hunt inside the agency, with some employees reportedly asked to hand over their passports and undergo questioning. Yet investigators still don’t know who the culprits are, be it an insider who stole an entire thumb drive of sensitive code, or a group of Russian hackers—for some, the prime suspects—who managed to breach NSA defenses. “How much longer are the releases going to come?” one former employee was cited as saying. “The agency doesn’t know how to stop it—or even what ‘it’ is.”

pfSense: Not Linux, Not Bad

Filed under
Security
BSD

Through the years, I've used all sorts of router and firewall solutions at home and at work. For home networks, I usually recommend something like DD-WRT, OpenWRT or Tomato on an off-the-shelf router. For business, my recommendations typically are something like a Ubiquiti router or a router/firewall solution like Untangled or ClearOS. A few years ago, however, a coworker suggested I try pfSense instead of a Linux-based solution. I was hesitant, but I have to admit, pfSense with its BSD core is a rock-solid performer that I've used over and over at multiple sites.

Security: Minix, Shadow Brokers, Kaspersky

Filed under
Security
  • The Truth About the Intel’s Hidden Minix OS and Security Concerns

    That supplemental unit is part of the chipset and is NOT on the main CPU die. Being independent, that means Intel ME is not affected by the various sleep states of the main CPU and will remain active even when you put your computer in sleep mode or when you shut it down.

  • Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

    Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.

  • UK spymasters raise suspicions over Kaspersky software's Russia links

Security: Fancy Bear, MINIX, WikiLeaks Vault 8, Face ID

Filed under
Security
  • New Microsoft Word attacks infect PCs sans macros

    Fancy Bear, the advanced hacking group researchers say is tied to the Russian government, is actively exploiting a newly revived technique that gives attackers a stealthy means of infecting computers using Microsoft Office documents, security researchers said this week.

    Fancy Bear is one of two Russian-sponsored hacking outfits researchers say breached Democratic National Committee networks ahead of last year's presidential election. The group was recently caught sending a Word document that abuses a feature known as Dynamic Data Exchange. DDE allows a file to execute code stored in another file and allows applications to send updates as new data becomes available.

  • Minix Inside!

    Everything was fine but in May a major security flaw was discovered and the fix required an update data to the AMT code. An update that many machines are unlikely to get. Since then various security researchers, mostly Google-based, have been looking into the hardware and the software and have made the discovery that there is an additional layer in the hardware that Intel doesn't talk about. Ring 3 is user land, Ring 0 is OS land and Ring -1 is for hypervisors. These we know about, but in addition there is Ring -2, used for the secure UEFI kernel and Ring -3, which is where the management OS runs. Guess what the management OS is Minix 3 - or rather a closed commercial version of Minix 3.

  • WikiLeaks: CIA impersonated Kaspersky Labs as a cover for its malware operations

    WikiLeaks, under its new Vault 8 series of released documents, has rolled out what it says is the source code to a previously noted CIA tool, called Hive, that is used to help hide espionage actions when the Agency implants malware.
    Hive supposedly allows the CIA to covertly communicate with its software by making it hard or impossible to trace the malware back to the spy organization by utilizing a cover domain. Part of this, WikiLeaks said, is using fake digital certificates that impersonate other legitimate web groups, including Kaspersky Labs.

  • My Younger Brother Can Access My iPhone X: Face ID Is Not Secure

    What this means is family members, who are probably the people you don’t want accessing your device, can now potentially access your iPhone. Especially your younger brother, or Mom… or Grandma.

Security: Intel Back Door, Hacking a Fingerprint Biometric, Dashlane, Vault 8, Cryptojacking, MongoDB and More

Filed under
Security
  • Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server

    The "Ring-3" mentioned there refers to the level of privileges granted to the ME system. As a Google presentation about ME (pdf) explains, operating systems like GNU/Linux run on Intel chips at Ring 0 level; Ring-3 ("minus 3") trumps everything above -- including the operating system -- and has total control over the hardware. Throwing a Web server and a networking stack in there too seems like a really bad idea. Suppose there was some bug in the ME system that allowed an attacker to take control? Funny you should ask; here's what we learned earlier this year...

    [...]

     Those don't seem unreasonable requests given how serious the flaws in the ME system have been, and probably will be again in the future. It also seems only fair that people should be able to control fully a computer that they own -- and that ought to include the Minix-based computer hidden within.

  • “Game Over!” — Intel’s Hidden, MINIX-powered ME Chip Can Be Hacked Over USB

    Even the creator of MINIX operating system didn’t know that his for-education operating system is on almost every Intel-powered computer.

  • Researchers find almost EVERY computer with an Intel Skylake and above CPU can be owned via USB

    Turns out they were right. Security firm Positive Technologies reports being able to execute unsigned code on computers running the IME through USB. The fully fleshed-out details of the attack are yet to be known, but from what we know, it’s bad.

  • Hacking a Fingerprint Biometric

  • Dashlane Password Manager Now Supports Linux [Ed: But why would anyone with a clue choose to upload his/her passwords?]

    Dashlane, the popular password manager, now supports Linux (and ChromeOS and Microsoft Edge) thanks to new web extension and web app combination.

  • Source Code For CIA’s Spying Tool Hive Released By Wikileaks: Vault 8

    From November 9, Wikileaks has started a new series named Vault 8. As a part of this series, the first leak contains the source code and analysis for Hive software project. Later, the other leaks of this series are expected to contain the source code for other tools as well.

  • Cryptojacking found on 2496 online stores

    Cryptojacking - running crypto mining software in the browser of unsuspecting visitors - is quickly spreading around the web. And the landgrab extends to online stores. The infamous CoinHive software was detected today on 2496 e-commerce sites.

  • 2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine Cryptocurrency
  • MongoDB update plugs security hole and sets sights on the enterprise

    Document database-flinger MongoDB has long positioned itself as the dev's best friend, but after ten years it is now fluffing itself up for the enterprise.

    The firm, which went public just last month and hopes to earn up to $220m, has now launched the latest version of its database, which aims to appeal to these bigger customers.

  • How AV can open you to attacks that otherwise wouldn’t be possible [Ed: Any proprietary software put on top of any other software (FOSS included) is a threat and a possible back door]

    Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn't be possible. On Friday, a researcher documented an example of the latter—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

    AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks.

  • Estonia arrests suspected FSB agent accused of “computer-related crime”

    Estonian authorities announced this week that they had recently arrested a Russian man suspected of being an agent of the Federal Security Service (FSB) who was allegedly planning "computer-related crime."

    The 20-year-old man, whose identity was not made public, was arrested last weekend in the Estonian border city of Narva as he was trying to return to Russia.

More in Tux Machines

today's leftovers

Software: VirtualBox, TeX Live Cockpit, Mailspring, Qt, Projects, and Maintainers

  • VirtualBox 5.2.2 Brings Linux 4.14 Fixes, HiDPI UI Improvements
    The Oracle developers behind VM VirtualBox have released a new maintenance build in the VirtualBox 5.2 series that is a bit more exciting than their usual point releases.
  • TeX Live Cockpit
    I have been working quite some time on a new front end for the TeX Live Manager tlmgr. Early versions have leaked into TeX Live, but the last month or two has seen many changes in tlmgr itself, in particular support for JSON output. These changes were mostly driven by the need (or ease) of the new frontend: TLCockpit.
  • Mailspring – A New Open Source Cross-Platform Email Client
    Mailspring is a fork of the now discontinued Nylas Mail client. It does, however, offer a much better performance, and is built with a native C++ sync engine instead of JavaScript. According to the development team, the company is sunsetting further development of Mailspring. Mailspring offers virtually all the best features housed in Nylas Mail, and thanks to its native C++ sync engine it uses fewer dependencies which results in less lag and a reduction in RAM usage by 50% compared to Nylas Mail.
  • Removing Qt 4 from Debian testing (aka Buster): some statistics
    We started filing bugs around September 9. That means roughly 11 weeks, which gives us around 8 packages fixed a week, aka 1.14 packages per day. Not bad at all!
  • Products Over Projects
    However, projects are not the only way of funding and organizing software development. For instance, many companies that sell software as a product or a service do not fund or organize their core product/platform development in the form of projects. Instead, they run product development and support using near-permanent teams for as long as the product is sold in the market. The budget may vary year on year but it is generally sufficient to fund a durable, core development organization continuously for the life of the product. Teams are funded to work on a particular business problem or offering over a period of time; with the nature work being defined by a business problem to address rather than a set of functions to deliver. We call this way of working as “product-mode” and assert that it is not necessary to be building a software product in order to fund and organize software development like this.
  • Why we never thank open source maintainers

    It is true that some of you guys can build a tool in a hackathon, but maintaining a project is a lot more difficult than building a project. Most of the time they are not writing code, but [...]

today's howtos

Tizen News