
Security

Security: Updates, Anonymity, EFF and Open Source Security Podcast

Filed under
Security
  • Security updates for Monday
  • For Hackers, Anonymity Was Once Critical. That’s Changing.

    “This is a profession for a lot of people now,” she added. “And you can’t fill out a W-9 with your hacker handle.”

    [...]

    “The thing I worry about today,” he added, taking a more serious tone, “is that people don’t get do-overs.” Young people now have to contend with the real-name policy on Facebook, he said, along with the ever-hovering threats of facial-recognition software and aggregated data. “How are you going to learn to navigate in this world if you never get to make a mistake — and if every mistake you do make follows you forever?”

  • EFF Leader: Security Decisions Are Different When Women Are In The Room

    Women will have their technical credentials doubted throughout their career, said the Electronic Frontier Foundation's Eva Galperin, but being able to participate in important privacy and security decisions makes it worthwhile.

  • Open Source Security Podcast: Episode 115 - Discussion with Brian Hajost from SteelCloud

    Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it's not that bad when it's explained by someone with experience.

pfSense 2.4.4-RELEASE now available

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4.4, now available for new installations and upgrades!

pfSense software version 2.4.4 brings security patches, numerous new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

pfSense 2.4.4-RELEASE updates and installation images are available now!


Also: MagicPoint presentation foils

Sabri Haddouche Finds Crashy Bugs

Filed under
Moz/FF
Security
  • New Firefox browser bug causes crashes on Windows, Mac and Linux

    Only a week after disclosing a new web code exploit that can cause an iPhone to crash, security researcher Sabri Haddouche has uncovered another browser bug that can force Firefox to crash on all three popular desktop operating systems – Mac, Linux and Windows – reports ZDNet.

  • Firefox bug crashes your browser and sometimes your PC

    A security researcher who two weeks ago found a bug that could crash all WebKit-based apps on iPhones, iPads, and Macs, has now discovered another browser bug that can crash Firefox browsers, and sometimes the entire operating system underneath it.

  • This Firefox Bug Can Crash Your Browser On Windows, Mac, And Linux

    Security researcher Sabri Haddouche has found a bug in the Firefox web browser that can crash the browser and also the entire operating system running underneath.

    As reported by ZDNet, this Firefox bug can force the browser to crash on all the three popular desktop platforms — Mac, Linux, and Windows.

Microsoft Flaws and Windows Back Doors (Coordinated with NSA) Show Their Cost/Toll

Filed under
Microsoft
Security

Security: 0-Days and Back Doors

Filed under
Security

Security: Windows/NSA Back Doors and Exploits (EternalBlue), Rust Flaw, Roughtime, DDOS Hype and "The Lucy Gang"

Filed under
Security
  • Leaked NSA Exploits Shifting From Ransomware To Cryptocurrency Mining

    This report, from Zack Whittaker at TechCrunch, says there's really no endpoint in sight for the unintended consequences of exploit hoarding. But at this point, it's really no longer the NSA or Microsoft to blame for the continued rampage. Stats from Shodan show more than 300,000 unpatched machines in the United States alone.

    EternalBlue-based malware still runs rampant, but the focus has shifted from ransom to cryptocurrency. An unnamed company recently watched the NSA's exploit turn its computers into CPU ATMs.

    [...]

    There will never be a full accounting of the damage done. Yes, the NSA never thought its secret stash would go public, but that doesn't excuse its informal policy of never disclosing massive vulnerabilities until it's able to wring every last piece of intel from their deployment. And there's a chance this will happen again in the future if the agency isn't more proactive on the disclosure front. It was foolhardy to believe its tools would remain secret indefinitely. It's especially insane to believe this now.

  • The Rust Programming Language Blog: Security advisory for the standard library

    The Rust team was recently notified of a security vulnerability affecting the standard library’s str::repeat function. When passed a large number this function has an integer overflow which can lead to an out of bounds write. If you are not using str::repeat, you are not affected.

    We’re in the process of applying for a CVE number for this vulnerability. Fixes for this issue have landed in the Rust repository for the stable/beta/master branches. Nightlies and betas with the fix will be produced tonight, and 1.29.1 will be released on 2018-09-25 with the fix for stable Rust.

  • Cloudflare Secures Time With Roughtime Protocol Service

    If time is money, then how important is it to secure the integrity of time itself? Time across many computing devices is often synchronized via the Network Time Protocol (NTP), which isn't a secure approach, but there is another option.

    On Sept. 21, Cloudflare announced that it is deploying a new authenticated time service called Roughtime, in an effort to secure certain timekeeping efforts. The publicly available service is based on an open-source project of the same name that was started by Google.

    "NTP is the dominant protocol used for time synchronisation and, although recent versions provide for the possibility of authentication, in practice that's not used," Google's project page for Roughtime states. "Most computers will trust an unauthenticated NTP reply to set the system clock meaning that a MITM [man-in-the-middle] attacker can control a victim's clock and, probably, violate the security properties of some of the protocols listed above."

  • DDoS Vulnerability Can Disrupt The Whole Bitcoin Infrastructure [Ed: Latest FUD about Bitcoin. A DDOS attack can disrupt anything at sufficient capacity levels, including Wall Street and ANY financial market.]
  • Crippling DDoS vulnerability put the entire Bitcoin market at risk
  • This Russian botnet mimics your click to prevent Android device factory resets

    According to researchers from Check Point, the botnet has been developed by a group of Russian-speaking hackers known as "The Lucy Gang," and demos have already been provided to potential subscribers to the system looking for Malware-as-a-Service (MaaS) solutions.

    Botnets are a thorn in the side for cybersecurity firms, hosting providers, and everyday businesses alike. The systems are made up of enslaved devices including mobile devices, Internet of Things (IoT) gadgets, and PCs.

Security: Updates, Mirai and Singapore's Massive Breach

Filed under
Security
  • Security updates for Friday
  • Mirai botnet hackers [sic] avoid jail time by helping FBI

    The three men, Josiah White, 21, Dalton Norman, 22, and Paras Jha, 22, all from the US, managed to avoid the clink by providing "substantial assistance in other complex cybercrime investigations", according to the US Department of Justice. Who'd have thought young hacker [sic] types would roll over and show their bellies when faced with prison time....

  • A healthcare IT foundation built on gooey clay

    Today, there was a report from the Solicitor General of Singapore about the data breach of the SingHealth systems that happened in July.

    These systems have been in place for many years. They are almost exclusively running Microsoft Windows along with a mix of other proprietary software including Citrix and Allscript. The article referred to above failed to highlight that the compromised “end-user workstation” was a Windows machine. That is the very crucial information that always gets left out in all of these reports of breaches.

    I have had the privilege of being part of an IT advisory committee for a local hospital since about 2004 (that committee disbanded a couple of years ago, btw).

    [...]

    Part of the reason is because decision makers (then and now) only have experience in dealing with proprietary vendor solutions. Some of it might be the only ones available and the open source world has not created equivalent or better offerings. But where there are possibly good enough or even superior open source offerings, they would never be considered – “Rather go with the devil I know, than the devil I don’t know. After all, this is only a job. When I leave, it is someone else’s problem.” (Yeah, I am paraphrasing many conversations and not only from the healthcare sector).

    I recall a project that I was involved with – before being a Red Hatter – to create a “computer on wheels” solution to help with blood collection. As part of that solution, there was a need to check the particulars of the patient who the nurse was taking samples from. That patient info was stored on some admission system that did not provide a means for remote, API-based query. The vendor of that system wanted tens of thousands of dollars to just allow the query to happen. Daylight robbery. I worked around it – did screen scraping to extract the relevant information.

    Healthcare IT providers look at healthcare systems as a cash cow and want to milk it to the fullest extent possible (the end consumer bears the cost in the end).

    Add that to the dearth of technical IT skills supporting the healthcare providers, and you quickly fall into that vendor lock-in scenario where the healthcare systems are at the total mercy of the proprietary vendors.

Security: Updates, NewEgg Breach, "Master Password" and CLIP OS

Filed under
Security
  • Security updates for Thursday
  • NewEgg cracked in breach, hosted card-stealing code within its own checkout

    The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

  • "Master Password" Is A Password Manager Alternative That Doesn't Store Passwords

    Master Password is a different way of using passwords. Instead of the "know one password, save all others somewhere" way of managing passwords used by regular password managers, Master Password's approach is "know one password, generate all the others".

  • French cyber-security agency open-sources CLIP OS, a security hardened OS

    The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration.

    In a press release, ANSSI described CLIP OS as a "Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information."

Purism Launches First Security Key with Tamper Evident Protection for Laptops

Filed under
OSS
Security

Developed in partnership with Nitrokey, a company known for manufacturing open-source USB keys that enable secure encryption and signing of data for laptops, Purism's Librem Key is dedicated to Librem laptop users, allowing them to store up to 4096-bit RSA keys and up to 512-bit ECC keys on the security key, as well as to securely generate new keys directly on the device. Librem Key integrates with the secure boot process of the latest Librem 13 and 15 laptops.

"It’s not feasible or healthy to monitor your computing devices every second - and that's especially the case when you travel," says Kyle Rankin, Chief Security Officer at Purism. "With the Librem Key, we are giving Librem users the keys to completely lock their computer if they're in an unfamiliar network environment in the same way one would want to have the keys to their car if they needed to drive to an unfamiliar neighborhood."


Q&A—Red Hat's Brian Gracely on open source and doubling down on Kubernetes

Filed under
Red Hat
OSS
Security

I think a couple of things. I think in general, in terms of filling technology holes and driving new innovation, open source has no problems and no lack of projects right now. In fact, probably the biggest thing we hear from a lot of companies is it's great that there's so much out there, how do we keep up with all of them?

Right now, I think there's a general sentiment from a lot of enterprise companies, telco companies and so forth that most of the innovation that's happening these days is in open source, more so than it is coming from many vendors. So on one hand, that's a really good thing, a really positive thing.

The flip side of that is that there's so much going on and so many things happening so fast. Open source has never been known for being the people that sit and finish up projects. They've always sort of gotten it to a good solid point that does 80% of what you want it to do, or it works well enough but there's not great interfaces and things on it.
