Language Selection

English French German Italian Portuguese Spanish

Security

Security: FUD, Adobe, Cybersecurity Improvement Act, Updates and More

Filed under
Security
  • Focusing on Healthcare Open Source Security Awareness [Ed: More Flexera marketing in the form of scare-mongering]
  • Adobe patches zero-day vulnerability used to plant gov't spying software

    Adobe has patched a zero-day vulnerability used by the BlackOasis APT to plant surveillance software developed by Gamma International.

    On Monday, researchers from Kaspersky Lab revealed the new, previously unknown vulnerability, which has been actively used in the wild by advanced persistent threat (APT) group BlackOasis.

  • IoT Cybersecurity: What's Plan B?

    In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

  • Security updates for Wednesday
  • Security updates for Thursday
  • Abuse of RESTEasy Default Providers in JBoss EAP

    Red Hat JBoss Enterprise Application Platform (EAP) is a commonly used host for Restful webservices. A powerful but potentially dangerous feature of Restful webservices on JBoss EAP is the ability to accept any media type. If not configured to accept only a specific media type, JBoss EAP will dynamically process the request with the default provider matching the Content-Type HTTP Header which the client specifies. Some of the default providers where found to have vulnerabilities which have now been removed from JBoss EAP and it's upstream Restful webservice project, RESTEasy.

  • “Security concerns” lead to LTE service shutdown on Chinese Apple Watches

Security: WPA2, Smartwatches, Google, NSA, Microsoft and Flexera FUD

Filed under
Security
  • WPA2 flaw's worst impact on Android, Linux devices

    The flaw in the WPA2 wireless protocol revealed recently has a critical impact on Android phones running version 6.0 of the mobile operating system and Linux devices, a security researcher says.

  • Why the Krack Wi-Fi Mess Will Take Decades to Clean Up

    But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.

  • 'All wifi networks' are vulnerable to hacking, security expert discovers

    WPA2 protocol used by vast majority of wifi connections has been broken by Belgian researchers, highlighting potential for internet traffic to be exposed

  • Kids' smartwatches can be 'easily' hacked, says watchdog

    Smartwatches bought for children who do not necessarily need them can be hacked [sic], according to a warning out of Norway and its local Consumer Council (NCC).

  • John Lewis pulls children's smartwatch from sale over spying fears

    The Norwegian Consumer Council (NCC) revealed that several brands of children’s smartwatch, have such poor security controls that hackers [sic] could easily follow their movements and eavesdrop on conversations.

  • Google's 'Advanced Protection' Locks Down Accounts Like Never Before

    Google hasn't shared the details of what that process entails. But the CDT's Hall, whom Google briefed on the details, says it will include a "cooling-off" period that will lock the account for a period of time while the user proves his or her identity via several other factors. That slowed-down, intensive check is designed to make the account-recovery process a far less appealing backdoor into victims' data.

  • NSA won't say if it knew about KRACK, but don't look to this leaked doc for answers

    Given how involved the NSA has been with remote and local exploitation of networks, systems, devices, and even individuals, many put two and two together and assumed the worst.

    What compounded the matter was that some were pointing to a 2010-dated top secret NSA document leaked by whistleblower Edward Snowden, which detailed a hacking tool called BADDECISION, an "802.11 CNE tool" -- essentially an exploit designed to target wireless networks by using a man-in-the-middle attack within range of the network. It then uses a frame injection technique to redirect targets to one of the NSA's own servers, which acts as a "matchmaker" to supply the best malware for the target device to ensure it's compromised for the long-term. The slide said the hacking tool "works for WPA/WPA2," suggesting that BADDECISION could bypass the encryption.

    Cue the conspiracy theories. No wonder some thought the hacking tool was an early NSA-only version of KRACK.

  • You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early [Ed: Says the company that gives back doors to the NSA and attacks FOSS with patents, lobbying etc.]
  • Why Open Source Security Matters for Healthcare Orgs [Ed: marketing slant for firms that spread FUD]

    Open source software can help healthcare organizations remain flexible as they adopt new IT solutions, but if entities lack open source security measures it can lead to larger cybersecurity issues. A recent survey found that organizations in numerous industries might not be paying enough attention to potential open source risk factors.

    Half of all code used in commercial and Internet of Things (IoT) software products is open source, but only 37 percent of organizations have an open source acquisition or usage policy, according to a recent Flexera report.

    More than 400 commercial software suppliers and in-house software development teams were interviewed, with respondent roles including software developers, DevOps, IT, engineering, legal, and security.

Security: WPA2, RSA/TPM, and Microsoft Breach

Filed under
Security
  • Google and Apple yet to fix Wi-Fi hole in a billion devices

    The WPA2 security protocol has been a mandatory requirement for all devices using the Wi-Fi protocol since 2006, which translates into billions of laptops, mobiles and routers. The weakness identified by Mathy Vanhoef, a digital security researcher at the Catholic University of Leuven (KUL) in Belgium, lies in the way devices running WPA2 encrypt information.

  • The Flawed System Behind the Krack Wi-Fi Meltdown

    No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.

  • Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

    Security experts say the bug has been present since 2012 and found specifically in the Infineon’s Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.

  • ROCA: RSA encryption key flaw puts 'millions' of devices at risk

    This results in cyber criminals computing the private part of an RSA key and affects chips manufactured from 2012 onwards, which are now commonplace in the industry.

  • Infineon RSA Key Generation Issue

    Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

  • Microsoft remains tight-lipped about 2013 internal database hack [sic]

    A secretive internal database used by Microsoft to track bugs in its software was compromised by hackers [sic] in 2013.

  • Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

    Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking [sic] group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

Microsoft never disclosed 2013 hack of secret vulnerability database

Filed under
Microsoft
Security

Hackers broke into Microsoft's secret, internal bug-tracking database and stole information related to vulnerabilities that were exploited in later attacks. But the software developer never disclosed the breach, Reuters reported, citing former company employees.

In an article published Tuesday, Reuters said Microsoft's decision not to disclose details came after an internal review concluded the exploits used in later attacks could have been discovered elsewhere. That investigation relied, in part, on automated reports Microsoft receives when its software crashes. The problem with that approach, Reuters pointed out, is that advanced computer attacks are written so carefully they rarely cause crashes.

Reuters said Microsoft discovered the database breach in early 2013, after a still-unknown hacking group broke into computers belonging to a raft of companies. Besides Microsoft, the affected companies included Apple, Facebook, and Twitter. As reported at the time, the hackers infected a website frequented by software developers with attack code that exploited a zero-day vulnerability in Oracle's Java software framework. When employees of the targeted companies visited the site, they became infected, too.

Read more

Parrot Security OS 3.9 Ethical Hacking & Penetration Testing Distro Now in Beta

Filed under
Security

The Parrot Project began work on a new version of their Linux-based ethical hacking and penetration testing operating system, Parrot Security OS 3.9, and they recently put out a call for testing.

Read more

Security: Let’s Encrypt, Updates, Google, DHS, Adobe

Filed under
Security

Security: WPA2, CVE-2017-15265, Fuzzing, Hyperledger

Filed under
Security
  • Fedora Dev Teaches Users How to Protect Their Wi-Fi Against WPA2 KRACK Bug

    Former Fedora Project leader Paul W. Frields talks today about how to protect your Fedora computers from the dangerous WPA2 KRACK security vulnerability that affects virtually any device using the security protocol to connect to the Internet.

  • WPA2 was kracked because it was based on a closed standard that you needed to pay to read

    How did a bug like krack fester in WPA2, the 13-year-old wifi standard whose flaws have rendered hundreds of millions of devices insecure, some of them permanently so?

    Thank the IEEE's business model. The IEEE is the standards body that developed WPA2, and they fund their operations by charging hundreds of dollars to review the WPA2 standard, and hundreds more for each of the standards it builds upon, so that would-be auditors of the protocol have to shell out thousands just to start looking.

    It's an issue that Carl Mamamud, Public Resource and the Electronic Frontier Foundation have been fighting hard on for years, ensuring that the standards that undergird public safety and vital infrastructure are available for anyone to review, audit and criticize.

  • Patch Available for Linux Kernel Privilege Escalation

    The issue — tracked as CVE-2017-15265 — is a use-after-free memory corruption issue that affects ALSA (Advanced Linux Sound Architecture), a software framework included in the Linux kernel that provides an API for sound card drivers.

  • ​Linus Torvalds says targeted fuzzing is improving Linux security

    Announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds has revealed that fuzzing is producing a steady stream of security fixes.

    Fuzzing involves stress testing a system by generating random code to induce errors, which in turn may help identify potential security flaws. Fuzzing is helping software developers catch bugs before shipping software to users.

  • Devsecops: Add security to complete your devops process [Ed: more silly buzzwords]
  • Companies overlook risks in open source software [Ed: marketing disguised as "news" (and which is actually FUD)]
  • Q&A: Does blockchain alleviate security concerns or create new challenges?

    According to some, blockchain is one of the hottest and most intriguing technologies currently in the market. Similar to the rising of the internet, blockchain could potentially disrupt multiple industries, including financial services. This Thursday, October 19 at Sibos in Toronto, Hyperledger’s Security Maven Dave Huseby will be moderating a panel “Does Blockchain technology alleviate security concerns or create new challenges?” During this session, experts will explore whether the shared nature of blockchain helps or hinders security.

Ubuntu, Debian, Fedora and elementary OS All Patched Against WPA2 KRACK Bug

Filed under
Security

As you are aware, there's a major WPA2 (Wi-Fi Protected Access II) security vulnerability in the wild, affecting virtually any device or operating system that uses the security protocol, including all GNU/Linux distributions.

Read more

Security Leftovers

Filed under
Security
  • Google and IBM launch open-source security tool for containers

    Google and IBM, together with a few other partners, released an open-source project that gathers metadata that developers can use to secure their software.

    According to an IBM blog post, the goal of the project is to help developers keep security standards, while microservices and containers cut the software supply chain.

  • Top 10 Hacking Techniques Used By Hackers

    We live in a world where cyber security has become more important than physical security, thousands of websites and emails are hacked daily. Hence, It is important to know the Top hacking techniques used by hackers worldwide to exploit vulnerable targets all over the internet.

  • Protect your wifi on Fedora against KRACK

    You may have heard about KRACK (for “Key Reinstallation Attack”), a vulnerability in WPA2-protected Wi-Fi. This attack could let attackers decrypt, forge, or steal data, despite WPA2’s improved encryption capabilities. Fear not — fixes for Fedora packages are on their way to stable.

  • Federal watchdog tells Equifax—no $7.25 million IRS contract for you

    The Government Accountability Office (GAO) on Monday rejected Equifax's bid to retain its $7.25 million "taxpayer identity" contract—the one awarded days after Equifax announced it had exposed the Social Security numbers and other personal data of some 145 million people.

  • Adobe Flash vulnerability exploited by BlackOasis hacking group to plant FinSpy spyware

    Security researchers have discovered a new Adobe Flash vulnerability that has already been exploited by hackers to deploy the latest version of FinSpy malware on targets. Kaspersky Lab researchers said a hacker group called BlackOasis has already taken advantage of the zero-day exploit – CVE-2017-11292 – to deliver its malicious payload via a Microsoft Word document.

  • Companies turn a blind eye to open source risk [Ed: No, Equifax got b0rked due to bad practices, negligence, incompetence, not FOSS]

    For instance, criminals who potentially gained access to the personal data of the Equifax customers exploited an Apache Struts CVE-2017-5638 vulnerability.

  • Checking Your Passwords Against the Have I Been Pwned List

    Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.

Security: Equifax, Grafeas, Updates and Open Source Security Podcast

Filed under
Security
Syndicate content

More in Tux Machines

Red Hat and Fedora Leftovers

Devices: Beelink S1 Mini PC, Aaeon’s SBC, Kobo and LEDE

  • Beelink S1 Mini PC and Linux – Comedy Gold
    The Beelink S1 is a small, silent mini PC released in August 2017 retailing for around 300 dollars (250 euros). It’s produced by Shenzhen AZW Technology Co Ltd, a Chinese company that focuses on Android smart TV boxes, Intel mini PCs, and home cloud TV boxes. The S1 ships with an activated copy of Windows 10. But what makes this mini PC interesting? For starters, it purports to run Ubuntu. Combined with a quad core Celeron CPU, dual monitor support (HDMI and VGA), 4K video, expansion options, together with a raft of other features, the machine looks a mouthwatering prospect compared to many other mini PCs.
  • Kaby Lake Pico-ITX SBC features dual M.2 slots
    Aaeon’s “PICO-KBU1” SBC is built on Intel 7th Gen U-series CPUs with up to 16GB DDR4, dual GbE ports, and M.2 B-key and E-Key expansion. The PICO-KBU1 SBC is equipped with Intel’s dual-core, 15W TDP 7th Gen U-series CPUs from the latest Kaby Lake generation. Other 100 x 72mm Pico-ITX boards that run Kaby Lake U-Series processors include Axiomtek’s PICO512. As usual with Aaeon, no OS support is listed.
  • Kobo firmware 4.6.9995 mega update (KSM, nickel patch, ssh, fonts)
    It has been ages that I haven’t updated the MegaUpdate package for Kobo. Now that a new and seemingly rather bug-free and quick firmware release (4.6.9995) has been released, I finally took the time to update the whole package to the latest releases of all the included items. The update includes all my favorite patches and features: Kobo Start Menu, koreader, coolreader, pbchess, ssh access, custom dictionaries, and some side-loaded fonts.
  • LEDE v17.01.4 service release
    Version 17.01.4 of the LEDE router distribution is available with a number of important fixes. "While this release includes fixes for the bugs in the WPA Protocol disclosed earlier this week, these fixes do not fix the problem on the client-side. You still need to update all your client devices. As some client devices might never receive an update, an optional AP-side workaround was introduced in hostapd to complicate these attacks, slowing them down."

Samsung Leftovers

OSS Leftovers

  • FOSDEM 2018 Real-Time Communications Call for Participation
  • Top Bank, Legal and Software Industry Executives to Keynote at the Open Source Strategy Forum
  • Copyleft is Dead. Long live Copyleft!
    As you may have noticed, we recently re-licensed mgmt from the AGPL (Affero General Public License) to the regular GPL. This is a post explaining the decision and which hopefully includes some insights at the intersection of technology and legal issues.
  • Crowdsourcing the way to a more flexible strategic plan
    Trust the community. Opening a feedback platform to anyone on campus seems risky, but in hindsight I'd do it again in a heartbeat. The responses we received were very constructive; in fact, I rarely received negative and unproductive remarks. When people learned about our honest efforts at improving the community, they responded with kindness and support. By giving the community a voice—by really democratizing the effort—we achieved a surprising amount of campus-wide buy-in in a short period of time. Transparency is best. By keeping as many of our efforts as public as possible, we demonstrated that we were truly listening to our customers and understanding the effects of the outdated technology policies and decisions that were keeping them from doing their best work. I've always been a proponent of the idea that everyone is an agent of innovation; we just needed a tool that allowed everyone to make suggestions. Iterate, iterate, iterate. Crowdsourcing our first-year IT initiatives helped us create the most flexible and customer-centric plan we possibly could. The pressure to move quickly and lay down a comprehensive strategic plan is very real; however, by delaying that work and focusing on the evolving set of data flowing from our community, we were actually able to better demonstrate our commitment to our customers. That helped us build critical reputational capital, which paid off when we did eventually present a long-term strategic plan—because people already knew we could achieve results. It also helped us recruit strong allies and learn who we could trust to advance more complicated initiatives.
  • Reform is a DIY, modular, portable computer (work in progress)
    Want a fully functional laptop that works out of the box? There are plenty to choose from. Want a model that you can upgrade? That’s a bit tougher to find: some modern laptops don’t even let you replace the RAM. Then there’s the Reform. It’s a new DIY, modular laptop that’s designed to be easy to upgrade and modify. The CAD designs will even be available if you want to 3D print your own parts rather than buying a kit. You can’t buy a Reform computer yet. But developer Lukas Hartmann and designer Ana Dantes have developed a prototype and are soliciting feedback on the concept.
  • New neural network teaches itself Go, spanks the pros
    While artificial intelligence software has made huge strides recently, in many cases, it has only been automating things that humans already do well. If you want an AI to identify the Higgs boson in a spray of particles, for example, you have to train it on collisions that humans have already identified as containing a Higgs. If you want it to identify pictures of cats, you have to train it on a database of photos in which the cats have already been identified.