Security

Security Leftovers

Filed under
Security
  • Security advisories for Thursday
  • Why My Heart Bleeds for Open Source [Ed: Name-dropping bugs with brands, logos, and Web sites to make FOSS look bad]
  • 0-days hitting Fedora and Ubuntu open desktops to a world of hurt

    If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.

  • Reliably compromising Ubuntu desktops by attacking the crash reporter

    In this post I’ll describe how I found a remote code execution bug in Ubuntu Desktop which affects all default installations >= 12.10 (Quantal). The bug allows for reliable code injection when a user simply opens a malicious file. The following video demonstrates the exploit opening the Gnome calculator. The executed payload also replaces the exploit file with a decoy zip file to cover its tracks.

  • Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

    Users and administrators of Ubuntu Linux desktops are being advised to patch their systems following the disclosure of serious security flaws.

    Researcher Donncha O'Cearbhaill, who discovered and privately reported the vulnerabilities to Ubuntu, said that a successful exploit of the bugs could allow an attacker to remotely execute code by way of a maliciously booby-trapped file.

  • LibreSSL documentation status report
  • Reproducible Builds: week 85 in Stretch cycle
  • Should we be pushing OpenPGP?

    Bjarni Rúnar, the author of Mailpile released a blog about recent blogs disparaging OpenPGP. It's a good read.

    There's one reason to support OpenPGP missing from the blog: OpenPGP protects you if your mail server is hacked. I'm sure that Debbie Wasserman Schultz wishes she had been using OpenPGP.

  • Security experts: 'No one should have faith in Yahoo at this point'

    Experts have attacked Yahoo’s weak security after the revelation it suffered a hack in 2013, which exposed the personal data of 1 billion users, just months after revealing a 500-million-user data breach from 2014.

    The hack saw the potential theft of login details, personal details and any confidential or sensitive information contained within email correspondences. Yahoo provided the email services for BT and Sky customers, as well as other services.

  • Yahoo admits it’s been hacked again, and 1 billion accounts were exposed

    On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from more than 1 billion user accounts. The breach took place in August 2013 and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor."

    The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer, Bob Lord, reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."

  • Hacked Yahoo Data Is for Sale on Dark Web

    Some time around August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services. The attackers quietly scooped up the records of more than 1 billion users, including names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security.

    The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world: Several million of the backup addresses belonged to military and civilian government employees from dozens of nations, including more than 150,000 Americans.

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Things That Make You Go “Hmmm” From Adobe
  • Flaws Found in Security Software, Unlicensed Code

    A flurry of industry surveys have flagged open source and unlicensed software as growing security threats. Moreover, a review released by Flexera Software also found that the very security products designed to protect IT infrastructure are themselves riddled with vulnerabilities embedded in open source software.

    While agreeing that malware is a growing threat, other observers counter that the culprit is the growing use of unlicensed software.

    The Flexera security software survey conducted between August and October found that 11 security software products from vendors such as IBM (NYSE: IBM), McAfee and Splunk showed up on its list of 20 products with the most security vulnerabilities. Hence, the survey emphasizes that software developers need greater visibility into open source components so they can identify vulnerabilities and quickly issue security patches. Those patches are generally available as soon as vulnerabilities are announced.

  • Another Yahoo Security Breach Affects a Billion Accounts

    If you’re a Yahoo user, you should strongly consider closing your account. If you decide to keep your account open, you might as well post your username and password to Facebook and send them out in a tweet, for all the good Yahoo’s security precautions will do for you.

  • ‘Refer a Friend’ Ransomware Program

    If you need any proof that malware is a business much like any other — with the big exception that it’s illegal — all you have to do is look at the latest ploy being used by the currently-in-development ransomware called Popcorn Time that was discovered December 7 by MalwareHunterTeam. The folks behind the malware are incorporating a scheme to drum up business that’s directly from a Marketing 101 textbook.

    If Popcorn Time grabs a computer and encrypts its files, the hapless victim is offered two choices to get the data returned to its pristine state. One is the traditional method — the authors of the malware call it “the fast and easy way” — of paying a ransom of a Bitcoin, which is about $773 at the current rate. If the price is too steep for the victim’s pocketbook, there’s another option that the malware authors call “the nasty way,” which is a new twist on the tried and true “refer a friend” promotions that have been used by legitimate businesses forever.

Proprietary Software Security News

Filed under
Security
  • Microsoft quietly emits patch to undo its earlier patch that broke Windows 10 networking

    Microsoft has sneaked out a patch to get Windows 10 PCs back online after an earlier update broke networking for people's computers around the globe.

    Since the end of last week or so, systems in the UK, US, Europe and beyond automatically installed software from Microsoft via Windows Update that broke DHCP. That meant some computers couldn't obtain their LAN-side IP addresses from their broadband routers, effectively randomly kicking them off the internet and their own local network. That confused the hell out of a lot of netizens.

  • Dec. 2016 Patch Tuesday: Microsoft releases 12 security bulletins, 6 rated critical

    Congrats for making it through another year of patching Windows! There are 12 this month, 6 rated critical and some which had been publicly disclosed.

  • Researchers Find Vulnerability That Enables Accounting Fraud, PwC Decides The Best Response Is A Legal Threat

    For years now, we've noted that some companies apparently think it's a good idea to punish security researchers that expose vulnerabilities in their products, even when the researchers use the proper channels to report their findings. This kind of absurdity runs hand-in-hand with international attempts to criminalize security research -- or the tools researchers use -- to do their jobs. Obviously, this kind of behavior has one tangible end result: it makes all of us less secure.

    The latest chapter in this saga of myopic bumbling comes courtesy of PwC, which for whatever reason decided that the best response to a major security flaw found in one of the company's products was to fire off a cease and desist letter aimed at the researchers. More specifically, Munich-based ESNC published a security advisory earlier this month documenting how a remotely exploitable bug in a PwC security tool could allow an attacker to gain unauthorized access to an impacted SAP system.

Latest Black Duck Attack on Free/Open Source Software

Filed under
OSS
Security
Legal
  • M&A deals imperilled by failure to manage open source software risk, says expert [Ed: As is so common these days, today it's Microsoft's proxy Black Duck attacking FOSS and trying to scare people]
  • Open Source: Know It Before You Embrace It [Ed: By Josh Software, not Black Duck FUD about security and licences]

    Open source has already taken the world by storm. Businesses from across industries are embracing it. Earlier open source was just a tiny revolutionary idea that was not given any hope, but it has now become not just mainstream but possibly the only stream. The world has realized its importance and benefits over other closed source languages and tools. More importantly, start-ups have started embracing open source whole heartedly to gain an edge over their competitors. But the question is, how are they utilizing it to their advantage and how is it benefiting them?

Broken Connections

Filed under
Microsoft
Security
  • A Ton of Popular Netgear Routers Are Exposed—With No Easy Fix

    A vulnerability in some popular Netgear routers has gone unpatched for months. Left unchecked, it leaves thousands of home networking devices exposed to full control by hackers, who can then ensnare them in havoc-wreaking botnets. While Netgear has finally released a tentative fix for some models, the delays and challenges in patching all of them help illustrate just how at risk the Internet of Things is—and how hard it is to patch up when things go wrong.

    Andrew Rollins, a security researcher who also goes by Acew0rm, notified Netgear about the flaw on August 25, but says that the company never responded to him. After waiting more than three months, he went public with the vulnerability, and the Department of Homeland Security’s CERT group released an advisory about it on Friday. Its advice? Pull the plug.

  • Windows 10 is dropping WiFi connections, with no fix from Microsoft yet

    WINDOWS 10 is back to its old tricks again, with a recurrence of problems with WiFi connections dropping, something we’ve not seen since the early days.

    Although Microsoft has released a new version of Windows 10 in the last few days (1607) it doesn’t seem to be that, because most of the complaints predate the code drop by two days.

    KB3201845 was released on 9 December, but the problems started on 7 December and appear to be affecting some Windows 7 and 8.1 machines as well. There’s no pattern in terms of ISPs, routers, and WiFi cards - at the moment, at least, it’s all random.

More Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • security things in Linux v4.9
  • Black Hats Leveraging PowerShell

    Those with long memories might remember that in 1996, Microsoft added support in the Internet Explorer browser for ActiveX controls. While this greatly expanded the functionality of the Internet, it also made the web a much less safe place, especially for the average user. The trouble was, ActiveX made it simple to download and install software with little or no input from users. Even those not old enough to remember have probably already figured out that this didn't work out well.

  • A security lifetime every five years

    A long time ago, it wouldn’t be uncommon to have the same job at the same company for ten or twenty years. People loved their seniority, they loved their company, they loved everything staying the same. Stability was the name of the game. Why learn something new when you can retire in a few years?

    Well, a long time ago, was a long time ago. Things are quite a bit different now. If you’ve been doing the same thing at the same company for more than five years, there’s probably something wrong. Of course there are always exceptions to every rule, but I bet more than 80% of the people in their jobs for more than five years aren’t exceptions. It’s easy to get too comfortable, it’s also dangerous.

  • Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaw

    More than a year after a drowned Syrian toddler washed up on a beach in Turkey, the tiny refugee’s body, captured in a photograph that shocked the world, reappeared on computer screens across Saudi Arabia -- this time as a prelude to a cyberattack.

    The strike last month disabled thousands of computers across multiple government ministries in Saudi Arabia, a rare use of offensive cyberweapons aimed at destroying computers and erasing data. The attackers, who haven’t claimed responsibility, used the same malware that was employed in a 2012 assault against Saudi Arabian Oil Co., known as Saudi Aramco, and which destroyed 35,000 computers within hours.

  • London councils are reliant on unsupported Microsoft server software [Ed: Well, even if supported, still back doors in it. Abandon.]

    ALMOST 70 PER CENT of London councils are running unsupported server software, leaving them vulnerable to exploits for which there are no patches available.

    That's according to backup firm Databarracks, which through a Freedom of Information (FoI) request revealed that 69 per cent of London councils are running out-of-date server software.

    The firm contacted all 32 London boroughs as well as the City of London and received responses from all.

    The data revealed that 63 per cent of London councils are still running Windows Server 2003, 51 per cent run SQL Server 2005 and 10 per cent still use Windows Server 2000 - none of which are still supported by Microsoft.

  • PwC sends 'cease and desist' letters to researchers who found critical flaw

    A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats.

    Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorized access to an affected SAP system.

Security News

Filed under
Security
  • The sad tale of CVE-2015-1336

    Today I released man-db 2.7.6 (announcement, NEWS, git log), and uploaded it to Debian unstable. The major change in this release was a set of fixes for two security vulnerabilities, one of which affected all man-db installations since 2.3.12 (or 2.3.10-66 in Debian), and the other of which was specific to Debian and its derivatives.

    It’s probably obvious from the dates here that this has not been my finest hour in terms of responding to security issues in a timely fashion, and I apologise for that. Some of this is just the usual life reasons, which I shan’t bore you by reciting, but some of it has been that fixing this properly in man-db was genuinely rather complicated and delicate. Since I’ve previously advocated man-db over some of its competitors on the basis of a better security posture, I think it behooves me to write up a longer description.

  • Dear democracy, you need more hackers

    This is my write up from Nesta’s recent digital democracy day — I wasn’t planning to blog but it inspired me, so here you go.

    The day included two sessions; one focussed on local government and one in parliament focussed on, well, parliament. At the heart of each session were four fantastic presentations showcasing digital democracy projects from Iceland (Citizen’s Foundation — Gunnar Grímsson), Taiwan (Digital Minister — Audrey Tang), France (Cap Collectif — Nicolas Patte) and Brazil (Chamber of Deputies Hacker Lab — Cristiano Falia). Big thanks to Theo and the rest of the gang at Nesta for arranging.

    My main thought following the day (there was so much — it’s been hard to boil it down…) is that there needs to be more capacity in our democracy to hack. Government can no longer rely on off the shelf solutions to meet democratic challenges but needs to experiment and adapt - something brilliantly illustrated by each of the four projects.

    [...]

    The tools are not much use if the institutions of democracy are unwilling or unable to respond to them. Nicholas Patte explained how it took a long time to convince the elected representatives in France about their crowd sourced legislation project but, with perseverance, they got there in the end.

    I loved that Taiwan has a ‘Minister of Hacking’ who can get things done at the highest level of government — her sage advice is that politicians can be asked to accept ‘those things they can live with’; compromise clearly plays a role.

  • Users Told Disconnect Certain Netgear Routers

    About this time I’m wondering if I’d even purchase a Netgear router.

    You’d think that with all of the fuss recently about the insecure Internet of things, especially when it comes to routers, that any router maker would be on top of it and patching vulnerabilities as soon as they’re discovered.

    Evidently not, as far as Netgear is concerned.

  • Busted Windows 8, 10 update blamed for breaking Brits' DHCP

    Folks using Windows 10 and 8 on BT and Plusnet networks in the UK are being kicked offline by a mysterious software bug.

    Computers running the Microsoft operating systems are losing network connectivity due to what appears to be a problem with DHCP. Specifically, it seems some Windows 10 and 8 boxes can no longer reliably obtain LAN-side IP addresses and DNS server settings from their BT and Plusnet broadband routers, preventing them from reaching the internet and other devices on their networks.

    (The link between BT and Plusnet is that, while the latter bills itself as a friendly independent ISP, it's really a subsidiary of the former.)

    BT and Plusnet told The Register Microsoft is investigating the blunder. Redmond also confirmed on Thursday in its support forum that it’s looking into the problem.

  • Containers in Production – Is Security a Barrier? A Dataset from Anchore

    Over the last week we have had the opportunity to work with an interesting set of data collected by Anchore (full disclosure: Anchore is a RedMonk client). Anchore collected this data by means of a user survey run in conjunction with DevOps.com. While the number of respondents is relatively small, at 338, there are some interesting questions asked, and a number of data points which support wider trends we are seeing around container usage. With any data set of this nature, it is important to state that survey results strictly reflect the members of the DevOps.com community.

Security Leftovers

Filed under
Security
  • The IoT: Gateway for enterprise hackers

    The risk of notoriously insecure Internet of Things devices is not so much that those devices themselves will be compromised, but that they provide dozens – perhaps hundreds – of openings that could allow attackers to get inside an enterprise network.

  • Netgear users advised to stop using affected routers after severe flaw found
  • We must return transparency to voting [Ed: a real problem]

    With the passage of the Help America Vote Act in 2002, electronic voting systems became the law of the land. This law required proprietary electronic voting systems be used in America.

    It must be noted, however, that Americans would not be permitted to use open-source software to protect their right to vote. When proprietary electronic-voting systems are used for elections, Americans literally lost their right to vote.

    In America, our governments, whether local, state or federal, rely on elections that permit anyone to scrutinize the election process, including the vote count. Whether by paper ballot or electronic voting system, it is every American's right to examine the vote count process to satisfy their personal demand that the vote count is accurate and verifiable.

  • CloudLinux 7 Kernel Update Patches 5-Year-Old Privilege-Escalation Vulnerability


More in Tux Machines

Red Hat's Survey in India

From Raspberry Pi to Supercomputers to the Cloud: The Linux Operating System

Linux is widely used in corporations now as the basis for everything from file servers to web servers to network security servers. The no-cost as well as commercial availability of distributions makes it an obvious choice in many scenarios. Distributions of Linux now power machines as small as the tiny Raspberry Pi to the largest supercomputers in the world. There is a wide variety of minimal and security-hardened distributions, some of them designed for GPU workloads.

IBM’s Systems With GNU/Linux

  • IBM Gives Power Systems Rebates For Linux Workloads

    Big Blue has made no secret whatsoever that it wants to ride the Linux wave up with the Power Systems platform, and its marketeers are doing what they can to sweeten the hardware deals as best they can without adversely affecting the top and bottom line at IBM in general and the Power Systems division in particular to help that Linux cause along.

  • Drilling Down Into IBM’s System Group

    The most obvious thing is that IBM’s revenues and profits continue to shrink, but the downside is getting smaller and smaller, and we think that IBM’s core systems business will start to level out this year and maybe even grow by the third or fourth quarter, depending on when Power9-based Power Systems and z14-based System z mainframes hit the market. In the final period of 2016, IBM’s overall revenues were $21.77 billion, down 1.1 percent from a year ago, and net income rose by nearly a point to $4.5 billion. This is sure a lot better than a year ago, when IBM’s revenues fell by 8.4 percent to $22 billion and its net income fell by 18.6 percent to $4.46 billion. For the full 2016 year, IBM’s revenues were off 2.1 percent to $79.85 billion, but its “real” systems business, which includes servers, storage, switching, systems software, databases, transaction monitors, and tech support and financing for its own iron, fell by 8.3 percent to $26.1 billion. (That’s our estimate; IBM does not break out sales this way, but we have some pretty good guesses on how it all breaks down.)

Security News

  • DB Ransom Attacks Spread to CouchDB and Hadoop [Ed: Get sysadmins who know what they are doing, as misconfigurations are expensive]
  • Security advisories for Monday
  • Return on Risk Investment
  • Widely used WebEx plugin for Chrome will execute attack code—patch now!

    The Chrome browser extension for Cisco Systems WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

  • DDoS attacks larger, more frequent and complex says Arbor

    Distributed denial-of-service (DDoS) attacks are becoming more frequent and complex, forcing businesses to deploy purpose-built DDoS protection solutions, according to a new infrastructure security report which warns that the threat landscape has been transformed by the emergence of Internet of Things (IoT) botnets. The annual worldwide infrastructure security report from Arbor Networks - the security division of NETSCOUT - reveals that the largest distributed denial-of-service (DDoS) attack reported in 2016 was 800 Gbps, a 60% increase over 2015’s largest attack of 500 Gbps.