Security

Security: Updates, Reaper, KRACK, Cryptographic Keycards, Flexera's FUD, Google Play, Windows BadRabbit

Filed under
Security
  • Security updates for Friday
  • Assessing the threat the Reaper botnet poses to the Internet—what we know now
  • KRACK, ROCA, and device insecurity

    It is a fairly bleak picture from a number of different viewpoints. One almost amusing outcome of this mess is contained near the end of Vanhoef's KRACK web page. He notified OpenBSD of the flaw in mid-July with an embargo (at the time) until the end of August. OpenBSD leader Theo de Raadt complained about the length of the embargo, so Vanhoef allowed OpenBSD to silently patch the flaw. "In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo." That might not quite be the outcome De Raadt was hoping for with his (quite reasonable) complaint, especially given that Vanhoef strongly hints that there are other WiFi vulnerabilities in the pipeline.

  • A comparison of cryptographic keycards

    An earlier LWN article showed that private key storage is an important problem to solve in any cryptographic system and established keycards as a good way to store private key material offline. But which keycard should we use? This article examines the form factor, openness, and performance of four keycards to try to help readers choose the one that will fit their needs.

    I have personally been using a YubiKey NEO, since a 2015 announcement on GitHub promoting two-factor authentication. I was also able to hook up my SSH authentication key into the YubiKey's 2048-bit RSA slot. It seemed natural to move the other subkeys onto the keycard, provided that performance was sufficient. The mail client that I use (Notmuch) blocks when decrypting messages, which could be a serious problem on large email threads from encrypted mailing lists.

    So I built a test harness and got access to some more keycards: I bought a FST-01 from its creator, Yutaka Niibe, at the last DebConf and Nitrokey donated a Nitrokey Pro. I also bought a YubiKey 4 when I got the NEO. There are of course other keycards out there, but those are the ones I could get my hands on. You'll notice none of those keycards have a physical keypad to enter passwords, so they are all vulnerable to keyloggers that could extract the key's PIN. Keep in mind, however, that even with the PIN, an attacker could only ask the keycard to decrypt or sign material but not extract the key that is protected by the card's firmware.

  • Study Examines Open Source Risks in Enterprise Software [Ed: Microsoft network promotes anti-FOSS 'study' (marketing by Flexera)]
  • Google Play Protect is 'dead last' at fingering malware on Android

    Last month, German software testing laboratory AV-Test threw malware at 20 Android antivirus systems – and now the results aren't particularly great for Google.

    Its Play Protect system, which is supposed to block malicious apps from running on your handheld, was beaten by every other anti-malware vendor.

  • NSA hacking tool EternalRomance found in BadRabbit

Security: UEFI Risks and Bad Rabbit (Microsoft Windows Strikes Again)

Filed under
Security

Security: Reaper, Bad Rabbit, Kaspersky, CAPTCHA Weaknesses

Filed under
Security

Security: Updates, Microsoft Windows TCO (Bad Rabbit), Back Doors, Honeypot, Security by Obscurity

Filed under
Security
  • Security updates for Thursday
  • Security updates for Wednesday
  • New ransomware strain spreads in some European countries [iophk: "Microsoft Windows TCO"]

    A new strain of Windows ransomware, dubbed Bad Rabbit, is spreading in eastern Europe through drive-by attacks, the security firm Kaspersky Lab reported overnight.

  • Bad Rabbit Ransomware Attack Is On The Rise — Here’s What You Need To Know
  • New wave of data-encrypting malware hits Russia and Ukraine

    Beaumont went on to say that Bad Rabbit relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers' hard drives known as the master boot record. A malicious file called infpub.dat appears to be able to use the credentials to allow Bad Rabbit to spread to other Windows computers on the same local network, Kaspersky Lab's blog post added. In a second blog post, Eset said the malware also uses the Mimikatz network administrative tool to harvest credentials from the affected systems.

  • What is Bad Rabbit ransomware?
  • The DOJ's Bizarre Subpoena Over An Emoji Highlights Its Ridiculous Vendetta Against A Security Researcher

    Yesterday we broke the crazy story of how the DOJ issued a subpoena to Twitter attempting to identify five Twitter users, not because of anything they had done, but because someone else the DOJ disliked -- a security researcher named Justin Shafer -- had tweeted an emoji at them in response to a discussion about a different case. You can read all the details in that original post, in case you missed it yesterday. There was so much craziness in that story that I didn't even get to cover all of it. Some of those named in the subpoena have posted their thoughts -- including Ken "Popehat" White and Keith Lee. I suggest reading both, as the subpoena directed at each of them was particularly silly, given that both freely make their identities public. The DOJ didn't seem to do even the slightest research into the accounts it was demanding info on, or it would have known just how easy it was to "unmask" White and Lee.

  • Modern Cybersecurity Totally Futile in Quantum Computing Era

    Quantum computing uses the power of atoms to perform memory and processing tasks and remains a theoretical concept. However, it is widely believed that its creation is possible. Most experts now agree that the creation of a quantum computer is simply a matter of engineering, and that the theoretical application will happen. Optimistic estimates for commercialization by the private sector vary between 5 and 15 years, while more conservative estimates by academics put it at 15-25 years.

  • 4 extra-strength container security tools for Docker and Kubernetes

    Docker-style containers aren’t just a way to deploy software more quickly or flexibly. They can also be a way to make software more secure. Automatic analysis of the software components that go into containers, behavioral policies that span container clusters and multiple application versions, and innovative new developments in tracking and managing vulnerability data are just some of the ways containers are bolstering security for the entire application lifecycle.

    How much of this comes out of the box, though, is another story. Container products provide the basics, but not always more than that, leaving more advanced monitoring or management solely in the hands of the admin. Here are four recently revamped products and services that bring additional kinds of security to containers, both in the cloud and in your own datacenter.

  • Worker who snuck NSA malware home had his PC backdoored, Kaspersky says

    The NSA worker's computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to Kaspersky Lab's company servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.

  • Open Source Security Podcast:  Episode 67 - Cyber won
  • Increase your network security: Deploy a honeypot
  • Security by Obscurity

    Today this blog post turned up on Hacker News, titled “Obscurity is a Valid Security Layer”. It makes some excellent points on the distinction between good and bad obscurity and it gives an example of good obscurity with SSH.

  • My password keeps me safe. (Not necessarily!)
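
The lateral-movement behaviour described in the "New wave of data-encrypting malware" item above (a fixed list of credentials tried against other Windows hosts on the local network, plus whatever Mimikatz, a credential-dumping tool, harvested) has a recognisable shape in Windows Security logs: a burst of network logons (Logon Type 3, event 4625 for failures and 4624 for successes) from one source against many hosts and many account names within a short window. The script below is an added example, not code from any of the articles quoted on this page; the events it runs over are constructed, and the thresholds, window and field names are assumptions that a real deployment would tune to its own telemetry.

```python
"""Flag password-list lateral movement in Windows logon events.

Added example (not from the articles above). A worm trying a credential
list over SMB shows up as many distinct account names from one source
against many targets in a few seconds; the successes in that burst are
the hosts it got into. The sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Fields mirror the parts of
# Windows Security events 4624 (success) / 4625 (failure) that matter here.
SAMPLE_EVENTS = [
    # time, event_id, logon_type, source_ip, target_host, account
    ("2017-10-24T09:00:01", 4625, 3, "10.0.0.15", "FILESRV01", "Administrator"),
    ("2017-10-24T09:00:02", 4625, 3, "10.0.0.15", "FILESRV01", "admin"),
    ("2017-10-24T09:00:02", 4625, 3, "10.0.0.15", "FILESRV01", "backup"),
    ("2017-10-24T09:00:03", 4624, 3, "10.0.0.15", "FILESRV01", "operator"),
    ("2017-10-24T09:00:05", 4625, 3, "10.0.0.15", "WKSTN07", "Administrator"),
    ("2017-10-24T09:00:05", 4625, 3, "10.0.0.15", "WKSTN07", "admin"),
    ("2017-10-24T09:00:06", 4624, 3, "10.0.0.15", "WKSTN07", "backup"),
    ("2017-10-24T09:00:08", 4625, 3, "10.0.0.15", "WKSTN12", "Administrator"),
    ("2017-10-24T09:00:09", 4624, 3, "10.0.0.15", "WKSTN12", "admin"),
    # Benign noise: one user mistyping a password on an interactive logon (type 2).
    ("2017-10-24T09:00:10", 4625, 2, "10.0.0.40", "WKSTN40", "jsmith"),
    ("2017-10-24T09:00:20", 4624, 2, "10.0.0.40", "WKSTN40", "jsmith"),
    # Benign: a backup server reaching several hosts with a single account.
    ("2017-10-24T09:05:00", 4624, 3, "10.0.0.9", "FILESRV01", "svc_backup"),
    ("2017-10-24T09:05:01", 4624, 3, "10.0.0.9", "WKSTN07", "svc_backup"),
]


def parse_events(rows):
    """Turn the tuple rows into dicts with a real timestamp."""
    return [
        {"time": datetime.fromisoformat(t), "event_id": e, "logon_type": lt,
         "source": src, "target": tgt, "account": acct}
        for t, e, lt, src, tgt, acct in rows
    ]


def find_credential_spray(events, window=timedelta(minutes=2),
                          min_accounts=3, min_targets=2):
    """Return one alert per source that, within `window`, attempted network
    logons (type 3) with at least `min_accounts` distinct accounts against at
    least `min_targets` distinct hosts. Each alert lists the (host, account)
    pairs that succeeded inside the burst."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3 and ev["event_id"] in (4624, 4625):
            by_source[ev["source"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda ev: ev["time"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each event in turn.
            burst = [ev for ev in evs[i:] if ev["time"] - start["time"] <= window]
            accounts = {ev["account"] for ev in burst}
            targets = {ev["target"] for ev in burst}
            if len(accounts) >= min_accounts and len(targets) >= min_targets:
                successes = sorted({(ev["target"], ev["account"])
                                    for ev in burst if ev["event_id"] == 4624})
                alerts.append({"source": source,
                               "accounts": sorted(accounts),
                               "targets": sorted(targets),
                               "successes": successes})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in find_credential_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source']}: {len(a['accounts'])} accounts x "
              f"{len(a['targets'])} hosts; successful logons: {a['successes']}")
```

On the constructed sample this flags only 10.0.0.15, with FILESRV01, WKSTN07 and WKSTN12 as the hosts it logged into; the interactive typo and the single-account backup job stay quiet. Those successes are the containment list, and the source is the host to image before it is rebooted, since the excerpt notes the MBR is also targeted.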

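The usual SSH example of obscurity, referred to in the Security by Obscurity item above, is running sshd on a non-default port so that automated scanners miss it. That only counts as good obscurity when it sits on top of the real controls, never in place of them. The script below is an added example, not taken from the linked post, that audits the global section of an sshd_config for exactly that distinction. It mirrors two sshd behaviours that trip people up: keywords are case-insensitive, and per sshd_config(5) the first value obtained for a keyword wins, so a later duplicate does not override an earlier line; directives inside a Match block apply only conditionally and are left out here. The two configuration samples are constructed, and the defaults are the compiled-in OpenSSH ones (PermitRootLogin prohibit-password since 7.0; password and public-key authentication on).

```python
"""Check that SSH obscurity (a non-default port) sits on top of real controls.

Added example, not from the linked post. Parses the global section of an
sshd_config the way sshd does: keywords are case-insensitive and the first
value obtained for a keyword wins (sshd_config(5)); Match blocks are
conditional and are not evaluated here.
"""

# Constructed samples, not copied from any real host.
CONFIG_OBSCURITY_ONLY = """\
# moved off 22 to cut down scanner noise
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
"""

CONFIG_LAYERED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# sshd ignores this later duplicate: the first value wins
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

# Compiled-in OpenSSH defaults for the keywords checked (7.0 and later).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_global(text):
    """Return {keyword_lower: first value} for everything before the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # the rest is conditional; out of scope for a global audit
        # setdefault keeps the first value, matching sshd's first-wins rule
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Report which real controls are missing and whether a non-default port
    is being asked to stand in for them."""
    s = {**DEFAULTS, **parse_global(text)}
    obscured = s["port"] != "22"
    findings = []
    if s["passwordauthentication"].lower() == "yes":
        findings.append("password authentication enabled")
    if s["permitrootlogin"].lower() == "yes":
        findings.append("root login with password permitted")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("public-key authentication disabled")
    if obscured and findings:
        findings.insert(0, f"port {s['port']} hides sshd, but these controls are missing:")
    return {"obscured": obscured, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("obscurity only", CONFIG_OBSCURITY_ONLY),
                      ("layered", CONFIG_LAYERED)):
        print(name, audit(cfg))
```

The first sample is what the post warns against: a moved port with password logins and root still open. The second passes because key-only authentication is enforced globally; the stray `PasswordAuthentication yes` near the end is harmless only because sshd honours the earlier `no`, which is the kind of detail a hand review tends to get backwards.
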
Security: Security Standards, New Windows Malware, Flexera FUD, Microsoft’s Sonar

Filed under
Security

Security: Updates, Kaspersky Code, FUD, WPA2, and Crippling Crypto

Filed under
Security

Security Leftovers

Filed under
Security
  • Where Did That Software Come From?

    The article explores how cryptography, especially hashing and code signing, can be used to establish the source and integrity of software. It examines how source code control systems and automated build systems are a key part of the software provenance story. (Provenance means "a record of ownership of a work of art or an antique, used as a guide to authenticity or quality." It is increasingly being applied to software.)

  • Judge: MalwareTech is no longer under curfew, GPS monitoring [Updated]

    A judge in Milwaukee has modified the pre-trial release conditions of Marcus Hutchins, also known online as "MalwareTech," who was indicted two months ago on federal criminal charges.

    Under US Magistrate Judge William Duffin’s Thursday order, Hutchins, who is currently living in Los Angeles, will no longer be subject to a curfew or to GPS monitoring.

  • [Older] Leicester teen tries to hack CIA and FBI chiefs' computers

    A teenager attempted to hack senior US government officials' computers from his home.

    Kane Gamble, 18, from Coalville, Leicestershire, pleaded guilty to 10 charges relating to computer hacking.

    His targets included the then CIA director John Brennan and former FBI deputy director Mark Giuliano.
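
The hashing half of the provenance story in the "Where Did That Software Come From?" item above can be made concrete with a build manifest: a canonical record of the digest of every build input, the digest of the output, and the source revision the build ran from, which a consumer recomputes and compares. The code below is an added example, not from the article; the source tree, the output bytes and the revision id are all constructed. It can only show the integrity half. The manifest itself has to be signed (with GnuPG, say) before its hashes say anything about who built the artifact, because an attacker who can swap the artifact can usually swap an unsigned manifest sitting next to it.

```python
"""Build and verify a hash manifest for a software artifact.

Added example, not from the article. Hashing answers "are these the same
bytes the builder produced?"; only a signature over the manifest (not
shown) answers "who produced them?". Inputs below are constructed bytes,
not a real build.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(inputs: dict, output: bytes, source_rev: str) -> str:
    """Serialize a manifest with the digest of every build input, the output,
    and the source revision. Keys are sorted and whitespace stripped so the
    serialization is canonical: two builders producing the same tree get
    byte-identical manifests, and the bytes are stable for signing."""
    manifest = {
        "source_rev": source_rev,
        "inputs": {name: sha256_hex(data) for name, data in sorted(inputs.items())},
        "output": sha256_hex(output),
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def verify(manifest_json: str, inputs: dict, output: bytes) -> list:
    """Recompute every digest and return the list of mismatches.
    An empty list means every listed input is present and unmodified,
    no unlisted input crept in, and the output matches."""
    m = json.loads(manifest_json)
    problems = []
    for name, digest in m["inputs"].items():
        if name not in inputs:
            problems.append(f"input missing: {name}")
        elif sha256_hex(inputs[name]) != digest:
            problems.append(f"input modified: {name}")
    for name in inputs:
        if name not in m["inputs"]:
            problems.append(f"unlisted input: {name}")
    if sha256_hex(output) != m["output"]:
        problems.append("output does not match manifest")
    return problems


# Constructed sample "source tree", build output and revision id.
SOURCES = {
    "main.c": b"int main(void){return 0;}\n",
    "Makefile": b"all:\n\tcc main.c\n",
}
OUTPUT = b"\x7fELF-constructed-binary"
MANIFEST = build_manifest(SOURCES, OUTPUT, source_rev="a1b2c3d")


if __name__ == "__main__":
    print(MANIFEST)
    print("clean tree:", verify(MANIFEST, SOURCES, OUTPUT))
    tampered = dict(SOURCES)
    tampered["main.c"] = b'int main(void){system("id");return 0;}\n'
    print("tampered tree:", verify(MANIFEST, tampered, OUTPUT))
```

The three failure modes `verify` distinguishes (a modified input, an input the manifest never saw, and an output that does not correspond to the recorded inputs) are the questions a reproducible-build check asks; the first two catch a poisoned source tree, the third catches a build box that emitted something other than what the sources say it should.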

An update on GnuPG

Filed under
GNU
Security

The GNU Privacy Guard (GnuPG) is one of the fundamental tools that allows a distributed group to have trust in its communications. Werner Koch, lead developer of GnuPG, spoke about it at Kernel Recipes: what's in the new 2.2 version, when older versions will reach their end of life, and how development will proceed going forward. He also spoke at some length on the issue of best-practice key management and how GnuPG is evolving to assist.

It is less than three years since attention was focused on the perilous position of GnuPG; because of systematic failure of the community to fund its development, Koch was considering packing it all in. The Snowden revelations persuaded him to keep going a little longer, then in the wake of Heartbleed there was a resurgent interest in funding the things we all rely on. Heartbleed led to the founding of the Core Infrastructure Initiative (CII). A grant from CII joined commitments from several companies and other organizations and an upsurge in community funding has put GnuPG on a more secure footing going forward.

Read more

Security: Google Play, WPA2, FERC, HackerOne

Filed under
Security
  • 8 'Minecraft' apps infected with Sockbot malware on Google Play found adding devices to botnet

    Security researchers have discovered that at least eight malware-laced apps on Google Play Store are ensnaring devices to a botnet to potentially carry out distributed denial-of-service (DDoS) and other malicious attacks. These apps claimed to provide skins to tweak the look of characters in the popular Minecraft: Pocket Edition game and have been downloaded as many as 2.6 million times.

  • KRACK Vulnerability: What You Need To Know

    This week security researchers announced a newly discovered vulnerability dubbed KRACK, which affects several common security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2. This is a bad vulnerability in that it likely affects billions of devices, many of which are hard to patch and will remain vulnerable for a long time. Yet in light of the sometimes overblown media coverage, it’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack. For most people, the sanest thing to do is simply continue using wireless Internet access.

  • FERC sets rules to protect grid from malware spread through laptops

    The Federal Energy Regulatory Commission on Thursday proposed new mandatory cybersecurity controls to protect the utility system from the threat posed by laptops and other mobile devices that could spread malicious software.

    The standards are meant to "further enhance the reliability and resilience of the nation's bulk electric system" by preventing malware from infecting utility networks and bringing down the power grid, according to the nation's grid regulator.

  • Hack These Apps And Earn $1,000 — Bug Bounty Program Launched By Google And HackerOne
  • Security Vulnerability Puts Linux Kernel at Risk
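
The KRACK item above says what is affected but not why the flaw matters. The attack tricks a client into reinstalling the pairwise key it is already using, which resets the per-packet nonce, so the frames that follow are encrypted with keystream that has already been used once. Under CCMP, whose confidentiality comes from AES in counter mode, two frames under the same key and nonce leak the XOR of their plaintexts, and a guessable first frame hands over the second. The toy below is an added example, not code from the article or from Vanhoef's research; it swaps AES-CTR for an HMAC-SHA256 counter-mode keystream so it runs on the standard library alone, and the key and frame contents are constructed. It also shows the sense in which the excerpt is right that HTTPS is unaffected: what leaks is the Wi-Fi layer's plaintext, and a TLS record at that layer is still ciphertext.

```python
"""Why a reinstalled key is fatal under a counter-mode cipher.

Added example, not from the article or from the KRACK research. A Wi-Fi
client resets its packet number when a key is installed; KRACK replays
handshake message 3 so the same key is installed again and the nonce
restarts. CCMP uses AES-CTR; this toy uses HMAC-SHA256 as the block
function so it runs with the standard library, and the nonce-reuse
property is the same. Keys and frames below are constructed.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: block_i = PRF(key, nonce || i).
    Stand-in for AES-CTR; same key + same nonce => same keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce.to_bytes(6, "big") + counter.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    """Counter-mode encryption and decryption are the same operation."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Client:
    """Minimal model of a Wi-Fi client's transmit state for one key."""

    def __init__(self, key: bytes):
        self.install_key(key)

    def install_key(self, key: bytes):
        # Installing a key resets the packet number (the nonce). That is
        # correct for a fresh key and catastrophic for a reinstalled one,
        # which is what KRACK forces by replaying handshake message 3.
        self.key = key
        self.nonce = 0

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, encrypt(self.key, self.nonce, plaintext)


def recover_second_plaintext(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under the same key and nonce: C1 xor C2 = P1 xor P2,
    so a known (or guessed) P1 gives P2 for the overlapping bytes."""
    return xor(xor(ct1, ct2), known_pt1)


def demo() -> bytes:
    """Run the reinstallation scenario and return what the attacker recovers."""
    key = hashlib.sha256(b"constructed pairwise key").digest()
    client = Client(key)
    # Frame 1 is predictable traffic, e.g. a plain-HTTP request header.
    frame1 = b"GET /login HTTP/1.1\r\nHost: a\r\n"
    n1, ct1 = client.send(frame1)          # nonce 1
    client.install_key(key)                # attacker replays message 3
    frame2 = b"user=alice&pass=hunter2&tok=1"
    n2, ct2 = client.send(frame2)          # nonce 1 again: keystream reused
    assert n1 == n2
    return recover_second_plaintext(ct1, frame1, ct2)


if __name__ == "__main__":
    print(demo())
```

The recovered bytes are exactly the second frame, with no key material involved. The fix on the client side is the one the patches implemented: install a given key once, and do not reset the nonce if the same key is presented again. Against a patched client the replay of message 3 is harmless because `install_key` would be a no-op.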

More in Tux Machines

Security: FOSS Versus Windows

Linux/Android hacker SBC with hexa-core Rockchip SoC debuts at $75

The Vamrs “RK3399 Sapphire” SBC is on sale for $75, or $349 for a full kit. Vamrs is also prepping an RK3399-based “Rock960” 96Boards SBC. Rockchip’s RK3399 is one of the most powerful ARM-based system-on-chips available on hacker boards, featuring two server-class Cortex-A72 cores clocked to up to 2.0GHz, as well as four Cortex-A53 at up to 1.42GHz and a quad-core Mali-T864 GPU. The hexa-core SoC has appeared on T-Firefly’s Firefly-RK3399 SBC and RK3399 Coreboard computer-on-module, as well as Videostrong’s VS-RD-RK3399 SBC and Theobroma’s RK3399-Q7 Qseven module. Now we have a new contender: Shenzhen based Vamrs, which built the limited edition Rockchip RK3399 Sapphire SBC as the official RK3399 dev board for Rockchip, is now re-launching the board, which features a 40-pin Raspberry Pi compatible connector, with “many in stock” for a discounted price of $75. Read more

With government approval, OpenStack adoption continues apace in China

Deployments of OpenStack cloud are growing faster in China and the APAC region than anywhere else in the world, backed in part by the Chinese government's vocal support for the open source infrastructure. It is China in particular where some of the biggest deployments are running. China UnionPay recently overtook Visa for the largest volume of card payments in the world. The state-operated railway network China Rail oversees billions of passengers every year. By total number of subscribers China Mobile tops the list for biggest mobile phone operator globally. And the massive utility organisation the State Grid Corporation of China employs 1.5 million people. All of these enormous enterprises are running OpenStack clouds. Why? Read more

The Fox Hunt - Firefox and friends compared

So what should you use? Well, it depends. You want extensions, the entire repertoire as it's meant to be? Go with Pale Moon, but be aware of the inconsistencies and problems down the road. However, another penalty is the less than optimal looks. If you are more focused on speed and future development, then it's Firefox, as it offers the most complete compromise. The add-ons will make it or break it. Waterfox makes less sense, because the margins of benefit are too small. My take is - Firefox. It's not ideal, but Pale Moon does not solve the problem fully, it combines nostalgia with technicals, and that's a rough patch, even though the project is quite admirable in what it's trying to do. Alas, I'm afraid the old extensions will die, and the new ones won't be compatible, so the browser will be left stranded somewhere in between. But hopefully, this little comparison test gives you a better overview and understanding of how things work. Finally, we go back to the question of speed. We've seen how one flavor of Fox stacks against another, but what about Chrome? I will answer that in a follow-up article, which will compare Chrome to Vivaldi, again based on popular demand, and then we will also check how all these different browsers compare using my small, limited and entirely personal corner of the Web. Stay tuned. Read more. Also: Firefox Private Browsing vs. Chrome Incognito: Which is Faster?