Security

Security News

Filed under
Security

  • You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

    Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

    The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

  • Reproducible Builds: week 92 in Stretch cycle

    John Gilmore wrote an interesting mail about how Cygnus.com worked on reproducible builds in the early 1990s. (It's eye opening to see how they dealt with basically the very same problems we're dealing with today, how they solved them and then to realize that most of this has been forgotten and bit-rotted in the last 20 years. How will we prevent history repeating itself here?)

  • MongoDB ransom attacks continue to plague administrators

    Earlier this month, Salted Hash reported on a surge in attacks against publicly accessible MongoDB installations.

    Since January 3, the day of that first report, the number of victims has climbed from about 200 databases to more than 40,000. In addition to MongoDB, those responsible for the attacks have started targeting Elasticsearch and CouchDB.

    No matter the platform being targeted, the message to the victim is the same: send a small Bitcoin payment to the listed address, or forever lose access to your files.

OPNsense 17.1 “Eclectic Eagle” Released

Filed under
Security
BSD

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well as rewritten Nano-style card images that adapt to media size, to name only a few.


Security Leftovers

Filed under
Security
  • Linux.Proxy.10 infects thousands of devices with standard settings
  • 4 ways to improve your security online right now

    Regardless of how monumental a task digital security can seem, you can lay a strong foundation when you get started. Remember that being secure is an ongoing process, rather than a state of being. Keep the tools you use up to date and periodically check your habits and tools to ensure your security is the best it can be. Security doesn't have to be overly complex if you take it one step at a time.

  • Security advisories for Monday
  • Linux Security Threats: Attack Sources and Types of Attacks

    In part 1 of this series, we discussed the seven different types of hackers who may compromise your Linux system. White hat and black hat hackers, script kiddies, hacktivists, nation states, organized crime, and bots are all angling for a piece of your system for their own nefarious/various reasons.

  • OpenSSL issues new patches as Heartbleed still lurks [Ed: Dramatic sensationalism from IDG again, with FUD logo created by a Microsoft-connected firm]

    The OpenSSL Project has addressed some moderate-severity security flaws, and administrators should be particularly diligent about applying the patches since there are still 200,000 systems vulnerable to the Heartbleed flaw.

  • Linux: The 10 best privacy and security distributions

    Privacy has become an important issue for many users as corporations and governments stop at nothing to gather personal information. But Linux users do have some choices when it comes to distributions that help protect their privacy and security.

  • openssh authorized_keys "restrict" option lessens worries

    Starting with OpenSSH 7.2, a new “restrict” option for authorized_keys lines has become available. It sets all available restrictions that the current OpenSSH version can do (like no-agent-forwarding, no-x11-forwarding etc). One can individually turn on those features again by corresponding new options.
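As an added illustration of the option described above (example code written for this page, not from the linked post or from OpenSSH), the POSIX shell script below audits an authorized_keys file and reports the keys that do not carry "restrict". The sample file it writes is constructed for the example and the key material in it is a placeholder, not a real public key; the parser assumes that no quoted option value contains a comma or a " ssh-"/" ecdsa-"/" sk-" sequence, which is enough for the option syntax the post mentions (restrict, no-agent-forwarding, no-x11-forwarding, port-forwarding, command=...).

```shell
#!/bin/sh
# Added example: find authorized_keys entries that lack the OpenSSH 7.2+ "restrict" option.
# Nothing here is taken from OpenSSH's own code; the file contents are constructed.

# Write a constructed three-key sample file to the path given as $1.
write_sample_keys() {
  cat > "$1" <<'EOF'
# deploy key: locked down, command-only (placeholder key material)
restrict,command="/usr/local/bin/backup-receive" ssh-ed25519 AAAA_PLACEHOLDER_KEY_1 backup@host
# admin key: restricted, with port forwarding individually re-enabled
restrict,port-forwarding ssh-ed25519 AAAA_PLACEHOLDER_KEY_2 admin@laptop
# legacy key: no options at all
ssh-rsa AAAA_PLACEHOLDER_KEY_3 legacy@oldbox
EOF
}

# Return 0 if the given authorized_keys line carries the "restrict" option, 1 otherwise.
is_restricted() {
  line="$1"
  # A line that begins with the key type has no options field at all.
  case "$line" in
    ssh-*|ecdsa-*|sk-*) return 1 ;;
  esac
  # The options field is everything before the key type token.
  # Assumption: no quoted option value contains one of these token prefixes.
  opts="$line"
  for kt in ' ssh-' ' ecdsa-' ' sk-'; do
    opts="${opts%%"$kt"*}"
  done
  # Options are comma-separated; look for an exact "restrict" entry.
  # Assumption: no quoted option value contains a comma.
  old_ifs="$IFS"; IFS=','
  set -f                      # no pathname expansion on glob characters in option values
  for opt in $opts; do
    if [ "$opt" = "restrict" ]; then
      set +f; IFS="$old_ifs"; return 0
    fi
  done
  set +f; IFS="$old_ifs"
  return 1
}

# Print the comment field (last token) of every key line in $1 that is not restricted.
audit_authorized_keys() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;     # skip blank lines and comments
    esac
    if ! is_restricted "$line"; then
      printf '%s\n' "${line##* }"
    fi
  done < "$1"
}

# Stand-alone run: audit the constructed sample file.
sample="$(mktemp)"
write_sample_keys "$sample"
echo "keys without restrict:"
audit_authorized_keys "$sample"
rm -f "$sample"
```

Run against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`; every comment it prints belongs to a key that still has agent forwarding, X11 forwarding, PTY allocation and port forwarding enabled unless they were disabled one by one with the older no-* options. The script only reports the omission; which keys genuinely need those capabilities is a judgement for the administrator.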

Security News

Filed under
Security
  • ATM ‘Shimmers’ Target Chip-Based Cards

    Several readers have called attention to warnings coming out of Canada about a supposedly new form of card skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed.

  • Senior journo slams 'frustrating' Windows 10 updates

    A senior editor at the American technology news website Cnet has slammed Microsoft over what he calls the most "frustrating" thing about Windows 10: the update process that happens automatically and cannot be stopped by users.

    Sean Hollister wrote about issues that he had faced and also problems encountered by a large number of Windows 10 users, all of whom had lost work or been forced to interrupt their schedules due to a Windows 10 update.

  • Does Trump's Old Android Phone Pose Major Security Threat?

    Donald Trump is a big fan of the phones in the White House. “These are the most beautiful phones I’ve ever used in my life,” he told the New York Times in an interview this week. It’s not their aesthetics he’s drawn to, but the security built into the system that ensures no one is tapping his calls.

  • President Trump's Insecure Android

    Once compromised, the phone becomes a bug—even more catastrophic than Great Seal—able to record everything around it and transmit the information once it reattaches to the network. And to be clear even a brand new, fully updated Android or iPhone is insufficient: The President of the United States is worth a great many multiples of expensive zero-day exploits.

  • Everything you know about security is wrong, stop protecting your empire!

    Let’s start with AV. A long time ago everyone installed an antivirus application. It’s just what you did, sort of like taking your vitamins. Most people can’t say why, they just know if they didn't do this everyone would think they're weird. Here’s the question for you to think about though: How many times did your AV actually catch something? I bet the answer is very very low, like number of times you’ve seen bigfoot low. And how many times have you seen AV not stop malware? Probably more times than you’ve seen bigfoot. Today malware is big business, they likely outspend the AV companies on R&D. You probably have some control in that phone book sized policy guide that says you need AV. That control is quite literally wasting your time and money. It would be in your best interest to get it changed.

    Usability vs security is one of my favorite topics these days. Security lost. It’s not that usability won, it’s that there was never really a battle. Many of us security types don’t realize that though. We believe that there is some eternal struggle between security and usability where we will make reasonable and sound tradeoffs between improving the security of a system and adding a text field here and an extra button there. What really happened was the designers asked to use the bathroom and snuck out through the window. We’re waiting for them to come back and discuss where to add in all our great ideas on security.

  • Reproducible Builds: week 91 in Stretch cycle

    Verifying Software Freedom with Reproducible Builds will be presented by Vagrant Cascadian at Libreplanet2017 in Boston, March 25th-26th.

  • Linux devices with standard settings infected by Linux.Proxy.10 malware

    Linux operating system was once known to be the most secure OS in the world, but things have changed since security researchers have found malware like Mirai and Bashlite infecting Linux-devices turning them into DDoS botnets. Now, another malware has been discovered targeting Linux.

Hardened Tor Browser 7.0 Enters Development, Uses Tor 0.3 and Firefox 45.7.0 ESR

Filed under
Security
Web

The Tor Project announced earlier this week the release of Tor Browser 6.5 as the newest stable version of the open-source and hardened web browser that utilizes the latest Tor technologies to keep your online presence anonymous at all times.


Security Leftovers

Filed under
Security
  • Majority of Android VPNs can’t be trusted to make users more secure
  • Microsoft won't fix the most frustrating thing about Windows

    Maybe you're delivering a presentation to a huge audience. Maybe you're taking an online test. Maybe you just need to get some work done on a tight deadline.

    Windows doesn't care.

    Windows will take control of your computer, force-feed it updates, and flip the reset switch automatically -- and there's not a damn thing you can do about it, once it gets started.

    If you haven't saved your work, it's gone. Your browser tabs are toast. And don't expect to use your computer again soon; depending on the speed of your drive and the size of the update, it could be anywhere from 10 minutes to well over an hour before your PC is ready for work.

  • Thoughts on the Systemd Root Exploit

    Sebastian Krahmer of the SUSE Security Team has discovered a local root exploit in systemd v228. A local user on a system running systemd v228 can escalate to root privileges. That's bad.

  • [Slackware] Openjdk (Java8) updated with January fixes

    The icedtea project have released version 3.3.0 of their IcedTea build framework. This release updates the OpenJDK 8 support with the October 2016 bug fixes from OpenJDK 8 u112 and the January 2017 security fixes from OpenJDK 8 u121. Another point of notice is that improved font rendering is being worked on. The ‘infinality patches’ to freetype will be used for this. While I did not enable it in my package, IcedTea no longer requires a patched freetype. Infinality support should be enabled by default from IcedTea 3.4.0 onwards.

Windows Ransom

Filed under
Microsoft
Security
  • Police dept loses evidence in Windows ransomware strike

    In an incident that again underlines the danger posed by Windows ransomware, the police department of a city in Texas has lost video evidence dating back to 2009 and a host of documents following an attack by what appears to be a new strain of the Locky ransomware.

    The affected station is Cockrell Hill, a city in Dallas County. The story was first published by the TV station WFAA.

    In a media release, the police department said: "This virus affected all Microsoft Office Suite documents, such as Word documents and Excel files.

    "In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost."

  • Backup?

    Of course, complexity grew too and intruders and malware attacked over the network. About 2003/4 the situation got so bad that the Wintel empire was threatened. Resources were poured into the problem. Code got better. Users became more aware of danger. The problem remains that the number of users and the number of attackers has grown to the point that no one anywhere at any time can be 100% secure. Of course, there is the backup, a copy of everything that can be rolled out to put things back the way they were. That’s what this police-department needed but it didn’t have a good backup, just a copy of the corrupted data where the backup should have been. Someone had the right idea but lacked the imagination to put in more depth.

  • Hotel ransomed by hackers as guests locked in rooms

    Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.

    The attack, which coincided with the opening weekend of the winter season, was allegedly so massive that it even shut down all hotel computers, including the reservation system and the cash desk system.

    The hackers promised to restore the system quickly if just 1,500 EUR (1,272 GBP) in Bitcoin was paid to them.

Security News

Filed under
Security
  • WordPress 4.7.2 Security Release

    WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

  • Alleged LinkedIn hacker is stuck between a Trump and a hard face

    PITY ALLEGED LINKEDIN HACKER Yevgeniy Nikulin. He is currently facing extradition requests from both the USA and Russia, suggesting that he is doomed for Putin or Trump style punishment.

    Nikulin is suspected of hacking LinkedIn, which is a glue-like social network for businesses and business people. If you are not on it, someone has probably still tried to connect you to it. If you are on it, you were probably hacked when it was. A lot of people were.

  • Security is now 'number one priority' in app development

    VESTED INTEREST AND APP TESTING COMPANY F5 Networks has advised that security is now a more important consideration than availability when it comes to application deployment.

    What a trade off to make. Security or availability? Surely there is equal room for both? We don't make the rules and we don't do the surveys. F5 does the latter, studying how the companies that buy and use apps decide where to spend their money.

    It produces this regular report called ‘The State of Application Delivery'. 2017's is just out, and it finds that the whims of companies have changed because of the cloud and insecurity.

  • Securing MySQL DBMS

    MySQL, owned by Oracle since 2009, is the number one open source database for successful startups and Web-based applications, loved by such iconic social networks as Facebook, Twitter, YouTube and many others. The database comes in two different editions: the open source MySQL Community Server and the proprietary Enterprise Server. Today, we will discuss the MySQL Community Server, and more specifically the basic security aspects of setting up this DBMS.

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Guest View: The perils of open-source software security [Ed: Citing Microsoft-connected Black Duck to badmouth FOSS again. Does FOSS rely on third-party libraries (that may have flaws)? Yes. Do blobs rely on proprietary libraries (that may have flaws)? Yes.]
  • Federal lawmakers introduce bipartisan bill to study cyber security in connected cars

    Connected cars are the future for the automotive industry, with more than 90 percent of vehicles expected to have built-in connectivity by 2020. But, as more vehicles link up to the internet, lawmakers are worried about their security.

    On Wednesday, lawmakers introduced a bipartisan bill in the U.S. House of Representatives that would direct the National Highway Traffic Safety Administration (NHTSA) to study cyber security in vehicles. Rep. Joe Wilson, R-SC, and Rep. Ted Lieu, D-Calif., co-sponsored The Security and Privacy in Your Car Study Act, which hopes to create a standard for safety in connected cars.

Security Leftovers

Filed under
Security
  • Thursday's security advisories
  • Security advisories for Wednesday
  • Malware Authors Switch Focus from Windows to Linux, Thousands of PCs Infected

    Linux has always been considered a more secure operating system, but malware writers are now trying to take advantage of this premise with new forms of infections spreading across the web as we speak.

    Security firm Dr. Web warns that it has already discovered thousands of Linux computers infected with a malware called Linux.Proxy.10, which is used by cybercriminals to remain anonymous online.

  • Linux.Proxy.10 Trojan Infects a Few Thousand Linux Machines and Turns Them Into Proxy Servers

    When the backdoor is active, the hacker logs onto the machine that has been infected using an SSH protocol and then uses the Linux malware to install the SOCKS5 proxy server.

  • Tor Browser 7.0a1-hardened is released

    A new hardened Tor Browser release is available. It can be found in the 7.0a1-hardened distribution directory and on the download page for hardened builds.

    This release features important security updates to Firefox.

    Tor Browser 7.0a1-hardened is the first hardened alpha in the 7.0 series. Apart from the usual Firefox update (to 45.7.0 ESR) it contains the first alpha in the tor 0.3.0 series (0.3.0.1-alpha) and an updated HTTPS-Everywhere (5.2.9) + NoScript (2.9.5.3).

  • Disable Your Antivirus Software (Except Microsoft's)

    Furthermore, as Justin Schuh pointed out in that Twitter thread, AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security. For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes. Several times AV software blocked Firefox updates, making it impossible for users to receive important security fixes. Major amounts of developer time are soaked up dealing with AV-induced breakage, time that could be spent making actual improvements in security (recent-ish example).

  • Security Risks of the President's Android Phone

    I'm not concerned about the data. Anything he reads on that screen is coming from the insecure network that we all use, and any e-mails, texts, Tweets, and whatever are going out to that same network. But this is a consumer device, and it's going to have security vulnerabilities. He's at risk from everybody, ranging from lone hackers to the better-funded intelligence agencies of the world. And while the risk of a forged e-mail is real -- it could easily move the stock market -- the bigger risk is eavesdropping. That Android has a microphone, which means that it can be turned into a room bug without anyone's knowledge. That's my real fear.

Security Leftovers

  • Stop using SHA1 encryption: It’s now completely unsafe, Google proves
    Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 signature. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made. However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.
  • on pgp
    First and foremost I have to pay respect to PGP, it was an important weapon in the first cryptowar. It has helped many whistleblowers and dissidents. It is software with quite interesting history, if all the cryptograms could tell... PGP is also deeply misunderstood, it is a highly successful political tool. It was essential in getting crypto out to the people. In my view PGP is not dead, it's just old and misunderstood and needs to be retired in honor. However the world has changed from the internet happy times of the '90s, from a passive adversary to many active ones - with cheap commercially available malware as turn-key-solutions, intrusive apps, malware, NSLs, gag orders, etc.
  • Cloudflare’s Cloudbleed is the worst privacy leak in recent Internet history
    Cloudflare revealed today that, for months, all of its protected websites were potentially leaking private information across the Internet. Specifically, Cloudflare’s reverse proxies were dumping uninitialized memory; that is to say, bleeding private data. The issue, termed Cloudbleed by some (but not its discoverer Tavis Ormandy of Google Project Zero), is the greatest privacy leak of 2017 and the year has just started. For months, since 2016-09-22 by their own admission, CloudFlare has been leaking private information through Cloudbleed. Basically, random data from random sites (again, it’s worth mentioning that every site that used CloudFlare in the last half year should be considered to having fallen victim to this) would be randomly distributed across the open Internet, and then indefinitely cached along the way.
  • Serious Cloudflare bug exposed a potpourri of secret customer data
    Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users. A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time by making Web requests to affected websites and to access some of the leaked data later by crafting queries on search engines. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

Security Leftovers

  • Change all the passwords (again)
    Looks like it is time to change all the passwords again. There’s a tiny little flaw in a CDN used … everywhere, it seems.
  • Today's leading causes of DDoS attacks [Ed: The so-called 'Internet of things' (crappy devices with identical passwords) is a mess; programmers to blame, not Linux]
    Of the most recent mega 100Gbps attacks in the last quarter, most of them were directly attributed to the Mirai botnet. The Mirai botnet works by exploiting the weak security on many Internet of Things (IoT) devices. The program finds its victims by constantly scanning the internet for IoT devices, which use factory default or hard-coded usernames and passwords.
  • How to Set Up An SSL Certificate on Your Website [via "Steps To Secure Your Website With An SSL Certificate"]
  • SHA-1 is dead, long live SHA-1!
    Unless you’ve been living under a rock, you heard that some researchers managed to create a SHA-1 collision. The short story as to why this matters is the whole purpose of a hashing algorithm is to make it impossible to generate collisions on purpose. Unfortunately though impossible things are usually also impossible so in reality we just make sure it’s really really hard to generate a collision. Thanks to Moore’s Law, hard things don’t stay hard forever. This is why MD5 had to go live on a farm out in the country, and we’re not allowed to see it anymore … because it’s having too much fun. SHA-1 will get to join it soon.
  • SHA1 collision via ASCII art
    Happy SHA1 collision day everybody! If you extract the differences between the good.pdf and bad.pdf attached to the paper, you'll find it all comes down to a small ~128 byte chunk of random-looking binary data that varies between the files.
  • PayThink Knowledge is power in fighting new Android attack bot
    Android users and apps have become a major part of payments and financial services, carrying an increased risk for web crime. It is estimated that there are 107.7 million Android Smartphone users in the U.S. who have downloaded more than 65 million apps from the Google App Store, and each one of them represents a smorgasbord of opportunity for hackers to steal user credentials and other information.
  • Red Hat: 'use after free' vulnerability found in Linux kernel's DCCP protocol IPV6 implementation
    Red Hat Product Security has published details of an "important" security vulnerability in the Linux kernel. The IPv6 implementation of the DCCP protocol means that it is possible for a local, unprivileged user to alter kernel memory and escalate their privileges. Known as the "use-after-free" flaw, CVE-2017-6074 affects a number of Red Hat products including Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 and Red Hat Openshift Online v2. Mitigating factors include the requirement for a potential attacker to have access to a local account on a machine, and for IPV6 to be enabled, but it is still something that will be of concern to Linux users. Describing the vulnerability, Red Hat says: "This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free.) Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in use allocation due to an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in crashing of the host kernel, potential execution of code in the context of the host kernel or other escalation of privilege by modifying kernel memory structures."
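To make the "use after free" class that Red Hat describes concrete, here is an added user-space illustration in C (written for this page; it is not kernel code and is unrelated to the actual DCCP implementation or to CVE-2017-6074). The `session` structure and its functions are constructed for the example. The buggy pair keeps a pointer to a buffer after freeing it on an early release path, which is exactly the dangling-pointer pattern the advisory refers to; the hardened pair clears the pointer at the point of the free() and every later use checks for that before dereferencing, so a double release is harmless and a use after release becomes a reported error instead of a read of freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a constructed "session" object with a receive buffer.
 * Not from the kernel or from Red Hat; it only illustrates the UAF class. */
struct session {
    char  *buf;   /* receive buffer; may be released before the session itself */
    size_t len;
};

struct session *session_new(const char *data) {
    struct session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->len = strlen(data);
    s->buf = malloc(s->len + 1);
    if (!s->buf) { free(s); return NULL; }
    memcpy(s->buf, data, s->len + 1);
    return s;
}

/* --- Buggy pattern (shown for contrast, never executed here) --- */

/* Releases the buffer on an early path but leaves s->buf pointing at it. */
void session_release_buf_buggy(struct session *s) {
    free(s->buf);          /* s->buf is now a dangling pointer */
}

/* Any later caller reads through the dangling pointer: the use after free. */
int session_peek_buggy(const struct session *s) {
    return (unsigned char)s->buf[0];
}

/* --- Hardened pattern --- */

/* Free and clear together, so the object never carries a stale pointer. */
void session_release_buf(struct session *s) {
    free(s->buf);          /* free(NULL) is a no-op, so repeated release is safe */
    s->buf = NULL;
    s->len = 0;
}

/* Every use checks the pointer first; -1 signals "buffer already released". */
int session_peek(const struct session *s) {
    if (s == NULL || s->buf == NULL) return -1;
    return (unsigned char)s->buf[0];
}

void session_free(struct session *s) {
    if (!s) return;
    session_release_buf(s);
    free(s);
}

/* Walks the hardened sequence and returns 1 if every step behaves as intended:
 * peek works before release, fails cleanly after it, and a second release is harmless. */
int hardened_sequence(void) {
    struct session *s = session_new("hello");
    if (!s) return 0;
    int ok = (session_peek(s) == 'h');
    session_release_buf(s);
    ok = ok && (session_peek(s) == -1);
    session_release_buf(s);            /* double release: no double free, no crash */
    ok = ok && (s->buf == NULL) && (s->len == 0);
    session_free(s);
    return ok;
}

int main(void) {
    printf("hardened sequence behaves as expected: %s\n",
           hardened_sequence() ? "yes" : "no");
    return 0;
}
```

The defensive rule the hardened pair encodes is the one worth carrying into reviews of any code that releases a resource on one path and uses it on another: a free() with no matching pointer reset is the first thing to look for, and a use site with no ownership check is the second. Tools such as AddressSanitizer or the kernel's KASAN flag the buggy pair at runtime; the hardened pair never trips them.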
