Language Selection

English French German Italian Portuguese Spanish

Security

Security: 'Rich' E-mail, BlackBerry, and D-Link

Filed under
Security
  • The only safe email is text-only email

    The real issue is that today’s web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It’s not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way.

  • BlackBerry admits: We could do better at patching

    BlackBerry has confirmed that its first Android device, the Priv, will be stuck on Google's 2015 operating system forevermore, which Google itself will cease supporting next year.

    Having been promised "the most secure Android", BlackBerry loyalists have seen the promise of monthly security updates stutter recently, with distribution of the monthlies getting patchy (no pun intended).

  • Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers

    Peeved about previous vulnerability disclosures experiences with D-Link, a security researcher has publicly disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers.

    Security researcher Pierre Kim opted to publicly disclose the vulnerabilities this time, citing a “very badly coordinated” disclosure with D-Link in February. That time around he had reported nine vulnerabilities, but he said it took D-Link five months to release new firmware that ended up patching only one of the flaws he found.

A look at TAILS – Privacy oriented GNU/Linux Distribution

Filed under
Reviews
Security
Debian

The Amensic Incognito Live System, is a Debian based distribution that routes all internet traffic through the TOR network, and leaves no trace of its existence or anything done on the system when the machine is shut down. The obvious aim in this, is to aid in keeping the user anonymous and private. Tails is not installed to a users computer, but instead is run strictly as a LiveUSB / LiveDVD.

TAILS does not utilize the host machines Hard Disk at all, and is loaded entirely into RAM. When a machine is shut down, the data that is stored in RAM disappears over the course of a few minutes, essentially leaving no trace of whatever had been done. Granted, there is a method of attack known as a Cold Boot Attack, where data is extracted from RAM before it has had a chance to disappear, but TAILS has you covered on that front too; the TAILS website says,

“To prevent this attack, the data in RAM is overwritten by random data when shutting down Tails. This erases all traces from your session on that computer.”

Read more

Security: Equifax Blame Game and Germany's Election Software

Filed under
Security

Security: Minnesota, Equifax, Virginia, Kaspersky, F-35

Filed under
Security

The Apache Software Foundation Blog: Apache Struts Statement on Equifax Security Breach (and More)

Filed under
Security

Security: Microsoft Won't Patch, Kaspersky Responds, EU Cyberwar Games

Filed under
Security
  • Microsoft won't patch Edge XSS vulnerability

     

    The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

  • Microsoft shrugs off Windows kernel bug that can block malware detection

     

    "After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000."

    [...]

     

    "We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year. They did not deem it as a security issue.

  • Kaspersky: Ex-NSA infosec expert asks FBI to put up or shut up

     

    Former NSA employee and information security expert Jake Williams has told the FBI to either provide proof to the public that Kaspersky Lab products are unsafe for use or keep mum.

  • EU hosts its first cyber war games

     

    "The goal of the exercise is to highlight a number of strategic concerns and topics that arise in connection with any hypothetical cyber crisis. This exercise should serve as a forum for discussion at ministerial level and provide strategic guidance to address future crises," it said.

  • Cyber alert: EU ministers test responses in first computer war game [iophk: "blanket ban Microsoft in the EU"]

     

    After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers {sic} from shutting down more critical infrastructure or crippling corporate and government networks.  

Security: Equifax Fiasco Deepening, Apache STRUTS Blamed

Filed under
Security
  • Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

    Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

    First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

  • Breach at Equifax May Impact 143M Americans
  • Equifax blames giant breach on vendor software flaw

    “My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post.

  • The hackers who broke into Equifax exploited a flaw in open-source server software

    The credit reporting agency Equifax announced on Sept. 7 that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, “exploited a U.S. website application vulnerability to gain access to certain files.”

  • Apache Struts vulnerability affects versions since 2008

    A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild and a patch was released, users urged to update software immediately.

    [...]

    Man Yue Mo, researcher at the open source software project LGTM.com run by software analytics firm Semmle, Inc., headquartered in San Francisco, disclosed the remotely executable Apache Struts vulnerability, which he said was "a result of unsafe deserialization in Java" and could lead to arbitrary code execution. Mo originally disclosed the issue to Apache on July 17, 2017.  

  • So, Equifax says your data was hacked—now what?

    Yesterday, the credit reporting agency Equifax revealed that the personal data of 143 million US consumers, as well as "limited personal information for certain UK and Canadian residents," was exposed by an attack exploiting security flaws in the company's website. Social Security numbers, dates of birth, addresses, and some drivers license numbers were all exposed—information which could be used to pose as individuals to gain access to financial accounts, open new ones in their names, or file fraudulent tax returns.

  • Are you an Equifax breach victim? You could give up right to sue to find out [Updated]

    By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

    The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

  • Equifax won’t bar consumers from joining lawsuits related to breach

    Equifax announced on Friday it will not stop consumers from moving to join a class action lawsuit against the company, which suffered a severe breach on Thursday when hackers gained action to personal information belonging to 143 million people. 

    The firm's was forced to clarify its terms of service after it faced backlash when it appeared that in order to receive credit protection, consumers affected by the breach would have to give up their right to join a lawsuit over the hack. 

Security: Equifax, The Shadow Brokers, Microsoft Does Not Care About Security

Filed under
Security
  • Equifax Is Proving Why Forced Arbitration Clauses Ought to Be Banned, Just Like the CFPB Wants to Do

    Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.

    Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.

  • Equifax and Correlatable Identifiers

    The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where the money is."

    So long as we insist on creating huge honeypots of valuable data, hackers will continue to target them. And since no security is perfect, they will eventually succeed. Computer security is difficult because computer systems are non-linear—small errors can result in huge losses. This makes failure points difficult to detect. These failure points are not usually obvious. But hackers have a lot of motivation to find them when the prize is so large.

  • TheShadowBrokers group returns with NSA UNITEDRAKE hacking malware and promises more leaks

    UNITEDRAKE is a remote access hacking tool that can be used to target Windows machines. Modular in nature, the malware can be expanded through the use of plugins to increase its capabilities so it can capture footage from webcams, tap into microphones, capture keystrokes, and more.

  • The Shadow Brokers Unveil United Rake Toolkit and Double Monthly NSA Dump Frequency

    Most people have come to know The Shadow Brokers as a hacker collective that successfully infiltrated the NSA and took some of its goodies. Over the past year or so, we have seen most of these exploits released to the public. More powerful tools remain part of the collective’s monthly subscription service, which has been operational for nearly three months now. If certain tools could earn them money, they would much rather take that option.

    There were some interesting recent changes made by The Shadow Brokers. Instead of doing just one dump of exploits each month, they are shifting things into a higher gear. There will now be two dumps per month, which can still only be paid in ZCash. Their PDF file clearly states that they have no interest in Monero, which is pretty interesting. All of the previously issued dumps are now available for purchase as well, should someone want to see what those are all about.

    The August software is called United Rake, and it is quite a powerful tool. It is a “fully extensible remote collection system.” As one would come to expect, it is designed for the world’s most popular operating system, which is still Microsoft Windows. As is the case with every exploit unveiled by The Shadow Brokers, the release comes with its own detailed manual, allegedly created by and distributed to NSA staffers at some point.

  • Microsoft won't patch Edge browser content security bypass

    Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?

    Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".

  • Bug in Windows Kernel Could Prevent Security Software From Identifying Malware
  • Bug In Windows Kernel Could Prevent Security Software From Identifying Malware

    "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.

Security: Updates, Election, Lenovo and Equifax

Filed under
Security
  • Security updates for Thursday
  • Security updates for Friday
  • Software to capture votes in upcoming national election is insecure

    The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

    „Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.

  • The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

    You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

  • Equifax website hack exposes data for ~143 million US consumers

    Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

    The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.

  • Why the Equifax breach is very possibly the worst leak of personal info ever

    It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

Security: GPG Keysigning Protocol, Reproducible Builds, Struts and Android

Filed under
Security
  • GPG Keysigning Protocol

    With Randa approaching, I’ll be meeting some KDE people, some for the first time. So it’s time for another GPG keysigning! The usual approach to a GPG keysigning is to have Harald organise it, that ensures a maximum amount of abiding-by-rules. But .. he’s not going to be there, this year. So this post is a random bit of throw-information-out-there about how typical KDE event keysignings work, and an annoucement of my own protocol in handling keysinging.

  • Reproducible Builds: Weekly report #123
  • 'Critical' RCE vulnerability found in open-source Struts framework
  • Boffins hijack bootloaders for fun and games on Android

    The team of nine researchers decided to look at a little-studied aspect Android architecture – the interaction between OS and chip at power-up. To get inside that operation, they built a tool dubbed “BootStomp” “designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features”.

Syndicate content

More in Tux Machines

Linux and Graphics: AMD, Linux 4.14 LTS, Etnaviv Gallium3D

  • Linux 4.14 Ensures The "Core Performance Boost" Bit Gets Set For AMD Ryzen CPUs
    Recently making waves in our forums was talk of a kernel patch to address a case where the AMD CPB (Core Performance Boost) isn't being exposed by Ryzen processors. Here's more details on that and some benchmarks. Being talked about recently is f7f3dc0: "CPUID Fn8000_0007_EDX[CPB] is wrongly 0 on models up to B1. But they do support CPB (AMD's Core Performance Boosting cpufreq CPU feature), so fix that."
  • Linus Torvalds Is Confident That Linux Kernel 4.14 LTS Will Arrive on November 5
    Development of Linux 4.14, the next LTS (Long Term Support) kernel series, continues with the fifth RC (Release Candidate) milestone, which was announced by Linus Torvalds himself this past weekend. According to Linus Torvalds, things have finally starting to calm down for the development of the Linux 4.14 LTS kernel, and it looks like the RC5 snapshot is smaller than he would have expected, at least smaller than last week's RC4, which is a good thing, meaning that there won't be need for eight RCs during this cycle.
  • Etnaviv Gallium3D Is Almost To OpenGL 2.0 Compliance
    The Etnaviv Gallium3D driver that provides reverse-engineered, open-source graphics support for Vivante graphics hardware is almost to exposing OpenGL 2.0. Etnaviv contributor Christian Gmeiner today posted a set of patches for adding occlusion queries support to the driver. The code at just over one thousand lines of code is the last major feature needed for exposing desktop OpenGL 2.0 capabilities with this community-driven driver.
  • AMD Developers Begin Making Open-Source FreeSync/AdaptiveSync Plans
    While the AMDGPU DC code is expected to land for Linux 4.15 with goodies like Vega display support, HDMI/DP audio, and atomic mode-setting, one of the sought after display features won't be initially supported: FreeSync or the VESA-backed AdaptiveSync. As we've known for a while, while AMDGPU DC fills out the requirements for being able to support FreeSync, the last bits of the implementation are not present as the interfaces are basically yet to be decided among the open-source driver developers. While AMD can post their existing FreeSync code as found in AMDGPU-PRO hybrid driver, they are trying to come up with a more standardized interface that will satisfy the other upstream Linux driver developers too that might want to support AdaptiveSync.

Servers and Red Hat: Cloud Foundry, Docker, CRI-O 1.0, Alibaba and Elasticsearch

  • How to deploy multi-cloud serverless and Cloud Foundry APIs at scale
    Ken Parmelee, who leads the API gateway for IBM and Big Blue’s open source projects, has a few ideas about open-source methods for “attacking” the API and how to create micro-services and make them scale. “Micro-services and APIs are products and we need to be thinking about them that way,” Parmelee says. “As you start to put them up people rely on them as part of their business. That’s a key aspect of what you’re doing in this space.”
  • Docker Opens Up to Support Kubernetes Container Orchestration
    There's been a lot of adoption of Kubernetes in the last few years, and as of Oct. 17 the open-source container orchestration technology has one more supporter. Docker Inc. announced at its DockerCon EU conference here that it is expanding its Docker platform to support Kubernetes. Docker had been directly competing against Kubernetes with its Swarm container orchestration system since 2015. The plan now is to provide a seamless platform that supports a heterogenous deployment that can include both Swarm and Kubernetes clusters. "Docker adapts to you because it's open," Docker founder Solomon Hykes said during his keynote address at DockerCon.
  • Introducing CRI-O 1.0
    Last year, the Kubernetes project introduced its Container Runtime Interface (CRI) -- a plugin interface that gives kubelet (a cluster node agent used to create pods and start containers) the ability to use different OCI-compliant container runtimes, without needing to recompile Kubernetes. Building on that work, the CRI-O project (originally known as OCID) is ready to provide a lightweight runtime for Kubernetes.
  • Red Hat brings its open source solutions to Alibaba Cloud
    Alibaba Cloud has joined the Red Hat Certified Cloud and Service Provider program, with Red Hat solutions to become directly available to Alibaba Cloud customers in the coming months.
  • Elasticsearch now on Alibaba Cloud, eyes China market
    The Amsterdam-based company behind Elasticsearch and Elastic Stack said the new offering would be available to Alibaba Cloud customers as an add-on, giving them access to real-time search, logging, and data analytics capabilities.

Software: VirtualBox 5.1.30, Cockpit 153, GNOME Mutter 3.27.1, KDE Neon

  • Oracle Releases VirtualBox 5.1.30 to Patch Glibc 2.26 Compile Bug on Linux Hosts
    Oracle released VirtualBox 5.1.30, a minor maintenance update to the open-source and cross-platform virtualization software that addresses a few important issues reported by users from previous versions. Coming one month after the VirtualBox 5.1.28 release, which probably most of you out there use right now on your personal computers, VirtualBox 5.1.30 contains a fix for a Glibc 2.26 compilation bug for Linux hosts and a 3D-related crash for Windows guest that use the Windows Additions package.
  • Cockpit 153
    Cockpit is the modern Linux admin interface. We release regularly. Here are the release notes from version 153.
  • GNOME Mutter 3.27.1 Brings Hybrid GPU Support
    Mutter 3.27.1 has just been released as the first development release for the GNOME 3.28 cycle of this compositor / window manager. The change most interesting to us about Mutter 3.27.1 is support for hybrid GPU systems. The context for the hybrid GPU system support is explained via this bug report, "supporting systems with multiple GPUs connected to their own connectors. A common configuration is laptops with an integrated Intel GPU connected to the panel, and a dedicated Nvidia/AMD GPU connected to the HDMI ports."
  • #KDE #KDENEON Release bonanaza! Frameworks, Plasma, KmyMoney and Digikam

Intel Ads as 'Articles'