Language Selection

English French German Italian Portuguese Spanish

Security

An update on GnuPG

Filed under
GNU
Security

The GNU Privacy Guard (GnuPG) is one of the fundamental tools that allows a distributed group to have trust in its communications. Werner Koch, lead developer of GnuPG, spoke about it at Kernel Recipes: what's in the new 2.2 version, when older versions will reach their end of life, and how development will proceed going forward. He also spoke at some length on the issue of best-practice key management and how GnuPG is evolving to assist.

It is less than three years since attention was focused on the perilous position of GnuPG; because of systematic failure of the community to fund its development, Koch was considering packing it all in. The Snowden revelations persuaded him to keep going a little longer, then in the wake of Heartbleed there was a resurgent interest in funding the things we all rely on. Heartbleed led to the founding of the Core Infrastructure Initiative (CII). A grant from CII joined commitments from several companies and other organizations and an upsurge in community funding has put GnuPG on a more secure footing going forward.

Read more

Security: Google Play, WPA2, FERC, HackerOne

Filed under
Security
  • 8 'Minecraft' apps infected with Sockbot malware on Google Play found adding devices to botnet

    Security researchers have discovered that at least eight malware-laced apps on Google Play Store are ensnaring devices to a botnet to potentially carry out distributed denial-of-service (DDoS) and other malicious attacks. These apps claimed to provide skins to tweak the look of characters in the popular Minecraft: Pocket Edition game and have been downloaded as many as 2.6 million times.

  • KRACK Vulnerability: What You Need To Know

    This week security researchers announced a newly discovered vulnerability dubbed KRACK, which affects several common security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2. This is a bad vulnerability in that it likely affects billions of devices, many of which are hard to patch and will remain vulnerable for a long time. Yet in light of the sometimes overblown media coverage, it’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack. For most people, the sanest thing to do is simply continue using wireless Internet access.

  • FERC sets rules to protect grid from malware spread through laptops

    The Federal Energy Regulatory Commission on Thursday proposed new mandatory cybersecurity controls to protect the utility system from the threat posed by laptops and other mobile devices that could spread malicious software.

    The standards are meant to "further enhance the reliability and resilience of the nation's bulk electric system" by preventing malware from infecting utility networks and bringing down the power grid, according to the nation's grid regulator.

  • Hack These Apps And Earn $1,000 — Bug Bounty Program Launched By Google And HackerOne
  • Security Vulnerability Puts Linux Kernel at Risk

Security: FUD, Adobe, Cybersecurity Improvement Act, Updates and More

Filed under
Security
  • Focusing on Healthcare Open Source Security Awareness [Ed: More Flexera marketing in the form of scare-mongering]
  • Adobe patches zero-day vulnerability used to plant gov't spying software

    Adobe has patched a zero-day vulnerability used by the BlackOasis APT to plant surveillance software developed by Gamma International.

    On Monday, researchers from Kaspersky Lab revealed the new, previously unknown vulnerability, which has been actively used in the wild by advanced persistent threat (APT) group BlackOasis.

  • IoT Cybersecurity: What's Plan B?

    In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

  • Security updates for Wednesday
  • Security updates for Thursday
  • Abuse of RESTEasy Default Providers in JBoss EAP

    Red Hat JBoss Enterprise Application Platform (EAP) is a commonly used host for Restful webservices. A powerful but potentially dangerous feature of Restful webservices on JBoss EAP is the ability to accept any media type. If not configured to accept only a specific media type, JBoss EAP will dynamically process the request with the default provider matching the Content-Type HTTP Header which the client specifies. Some of the default providers where found to have vulnerabilities which have now been removed from JBoss EAP and it's upstream Restful webservice project, RESTEasy.

  • “Security concerns” lead to LTE service shutdown on Chinese Apple Watches

Security: WPA2, Smartwatches, Google, NSA, Microsoft and Flexera FUD

Filed under
Security
  • WPA2 flaw's worst impact on Android, Linux devices

    The flaw in the WPA2 wireless protocol revealed recently has a critical impact on Android phones running version 6.0 of the mobile operating system and Linux devices, a security researcher says.

  • Why the Krack Wi-Fi Mess Will Take Decades to Clean Up

    But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.

  • 'All wifi networks' are vulnerable to hacking, security expert discovers

    WPA2 protocol used by vast majority of wifi connections has been broken by Belgian researchers, highlighting potential for internet traffic to be exposed

  • Kids' smartwatches can be 'easily' hacked, says watchdog

    Smartwatches bought for children who do not necessarily need them can be hacked [sic], according to a warning out of Norway and its local Consumer Council (NCC).

  • John Lewis pulls children's smartwatch from sale over spying fears

    The Norwegian Consumer Council (NCC) revealed that several brands of children’s smartwatch, have such poor security controls that hackers [sic] could easily follow their movements and eavesdrop on conversations.

  • Google's 'Advanced Protection' Locks Down Accounts Like Never Before

    Google hasn't shared the details of what that process entails. But the CDT's Hall, whom Google briefed on the details, says it will include a "cooling-off" period that will lock the account for a period of time while the user proves his or her identity via several other factors. That slowed-down, intensive check is designed to make the account-recovery process a far less appealing backdoor into victims' data.

  • NSA won't say if it knew about KRACK, but don't look to this leaked doc for answers

    Given how involved the NSA has been with remote and local exploitation of networks, systems, devices, and even individuals, many put two and two together and assumed the worst.

    What compounded the matter was that some were pointing to a 2010-dated top secret NSA document leaked by whistleblower Edward Snowden, which detailed a hacking tool called BADDECISION, an "802.11 CNE tool" -- essentially an exploit designed to target wireless networks by using a man-in-the-middle attack within range of the network. It then uses a frame injection technique to redirect targets to one of the NSA's own servers, which acts as a "matchmaker" to supply the best malware for the target device to ensure it's compromised for the long-term. The slide said the hacking tool "works for WPA/WPA2," suggesting that BADDECISION could bypass the encryption.

    Cue the conspiracy theories. No wonder some thought the hacking tool was an early NSA-only version of KRACK.

  • You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early [Ed: Says the company that gives back doors to the NSA and attacks FOSS with patents, lobbying etc.]
  • Why Open Source Security Matters for Healthcare Orgs [Ed: marketing slant for firms that spread FUD]

    Open source software can help healthcare organizations remain flexible as they adopt new IT solutions, but if entities lack open source security measures it can lead to larger cybersecurity issues. A recent survey found that organizations in numerous industries might not be paying enough attention to potential open source risk factors.

    Half of all code used in commercial and Internet of Things (IoT) software products is open source, but only 37 percent of organizations have an open source acquisition or usage policy, according to a recent Flexera report.

    More than 400 commercial software suppliers and in-house software development teams were interviewed, with respondent roles including software developers, DevOps, IT, engineering, legal, and security.

Security: WPA2, RSA/TPM, and Microsoft Breach

Filed under
Security
  • Google and Apple yet to fix Wi-Fi hole in a billion devices

    The WPA2 security protocol has been a mandatory requirement for all devices using the Wi-Fi protocol since 2006, which translates into billions of laptops, mobiles and routers. The weakness identified by Mathy Vanhoef, a digital security researcher at the Catholic University of Leuven (KUL) in Belgium, lies in the way devices running WPA2 encrypt information.

  • The Flawed System Behind the Krack Wi-Fi Meltdown

    No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.

  • Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

    Security experts say the bug has been present since 2012 and found specifically in the Infineon’s Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.

  • ROCA: RSA encryption key flaw puts 'millions' of devices at risk

    This results in cyber criminals computing the private part of an RSA key and affects chips manufactured from 2012 onwards, which are now commonplace in the industry.

  • Infineon RSA Key Generation Issue

    Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

  • Microsoft remains tight-lipped about 2013 internal database hack [sic]

    A secretive internal database used by Microsoft to track bugs in its software was compromised by hackers [sic] in 2013.

  • Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

    Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking [sic] group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

Microsoft never disclosed 2013 hack of secret vulnerability database

Filed under
Microsoft
Security

Hackers broke into Microsoft's secret, internal bug-tracking database and stole information related to vulnerabilities that were exploited in later attacks. But the software developer never disclosed the breach, Reuters reported, citing former company employees.

In an article published Tuesday, Reuters said Microsoft's decision not to disclose details came after an internal review concluded the exploits used in later attacks could have been discovered elsewhere. That investigation relied, in part, on automated reports Microsoft receives when its software crashes. The problem with that approach, Reuters pointed out, is that advanced computer attacks are written so carefully they rarely cause crashes.

Reuters said Microsoft discovered the database breach in early 2013, after a still-unknown hacking group broke into computers belonging to a raft of companies. Besides Microsoft, the affected companies included Apple, Facebook, and Twitter. As reported at the time, the hackers infected a website frequented by software developers with attack code that exploited a zero-day vulnerability in Oracle's Java software framework. When employees of the targeted companies visited the site, they became infected, too.

Read more

Parrot Security OS 3.9 Ethical Hacking & Penetration Testing Distro Now in Beta

Filed under
Security

The Parrot Project began work on a new version of their Linux-based ethical hacking and penetration testing operating system, Parrot Security OS 3.9, and they recently put out a call for testing.

Read more

Security: Let’s Encrypt, Updates, Google, DHS, Adobe

Filed under
Security

Security: WPA2, CVE-2017-15265, Fuzzing, Hyperledger

Filed under
Security
  • Fedora Dev Teaches Users How to Protect Their Wi-Fi Against WPA2 KRACK Bug

    Former Fedora Project leader Paul W. Frields talks today about how to protect your Fedora computers from the dangerous WPA2 KRACK security vulnerability that affects virtually any device using the security protocol to connect to the Internet.

  • WPA2 was kracked because it was based on a closed standard that you needed to pay to read

    How did a bug like krack fester in WPA2, the 13-year-old wifi standard whose flaws have rendered hundreds of millions of devices insecure, some of them permanently so?

    Thank the IEEE's business model. The IEEE is the standards body that developed WPA2, and they fund their operations by charging hundreds of dollars to review the WPA2 standard, and hundreds more for each of the standards it builds upon, so that would-be auditors of the protocol have to shell out thousands just to start looking.

    It's an issue that Carl Mamamud, Public Resource and the Electronic Frontier Foundation have been fighting hard on for years, ensuring that the standards that undergird public safety and vital infrastructure are available for anyone to review, audit and criticize.

  • Patch Available for Linux Kernel Privilege Escalation

    The issue — tracked as CVE-2017-15265 — is a use-after-free memory corruption issue that affects ALSA (Advanced Linux Sound Architecture), a software framework included in the Linux kernel that provides an API for sound card drivers.

  • ​Linus Torvalds says targeted fuzzing is improving Linux security

    Announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds has revealed that fuzzing is producing a steady stream of security fixes.

    Fuzzing involves stress testing a system by generating random code to induce errors, which in turn may help identify potential security flaws. Fuzzing is helping software developers catch bugs before shipping software to users.

  • Devsecops: Add security to complete your devops process [Ed: more silly buzzwords]
  • Companies overlook risks in open source software [Ed: marketing disguised as "news" (and which is actually FUD)]
  • Q&A: Does blockchain alleviate security concerns or create new challenges?

    According to some, blockchain is one of the hottest and most intriguing technologies currently in the market. Similar to the rising of the internet, blockchain could potentially disrupt multiple industries, including financial services. This Thursday, October 19 at Sibos in Toronto, Hyperledger’s Security Maven Dave Huseby will be moderating a panel “Does Blockchain technology alleviate security concerns or create new challenges?” During this session, experts will explore whether the shared nature of blockchain helps or hinders security.

Ubuntu, Debian, Fedora and elementary OS All Patched Against WPA2 KRACK Bug

Filed under
Security

As you are aware, there's a major WPA2 (Wi-Fi Protected Access II) security vulnerability in the wild, affecting virtually any device or operating system that uses the security protocol, including all GNU/Linux distributions.

Read more

Syndicate content