Security

Security: Equifax, Grafeas, Updates and Open Source Security Podcast

Filed under
Security

Security Leftovers

Filed under
Security
  • Outlook, Office 2007 slowly taken behind the shed, shots heard

    A decade after their release, Microsoft Office 2007 and Outlook 2007 today fell out of extended support. Gaze teary-eyed at your installation discs. The software has entered the Long Dark Tea-Time of the Soul.

    The cutoff has been coming for some time, of course, but if you're of a nostalgic bent, the Outlook 2007 epitaph is here, and the somewhat longer (with more dates to absorb) Office 2007 farewell is here.

    With extended support ending for both 2007-era families, no new features, bug fixes, security patches, nor support, will be available in future for the programs.

  • Researchers Reveal Critical KRACK Flaws in WPA WiFi Security

    The WPA2 protocol, which is widely used to secure WiFi traffic, is at risk from multiple vulnerabilities, collectively referred to as "KRACK Attacks", that were publicly disclosed on Oct. 16.

    "Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted," the vulnerability disclosure warns. "The attack works against all modern protected Wi-Fi networks."

    KRACK is an acronym for Key Reinstallation Attacks, which were discovered by security researchers Mathy Vanhoef and Frank Piessens working at the Belgian university KU Leuven. The researchers have disclosed the details of the KRACK attack in a research paper and plan on discussing it further in talks at the Computer and Communications Security (CCS) and Black Hat Europe conferences later this year.

  • The World Once Laughed at North Korean Cyberpower. No More.

Wi-Fi WPA2 Encryption Problem (and Hype About That)

Filed under
Security
  • Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

    An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

  • WiFi Security Is Borked - We're All Screwed... Maybe

    KRACK - or the Key Reinstallation AttaCK - looks like the new infosec word we all need to know. The authors of a paper that will be presented at a conference in a couple of weeks, Mathy Vanhoef of KU Leuven and Frank Piessens, say they have found a way to circumvent WPA2 security - one of the key tools used for protecting wireless networks. If KRACK proves to be true, all bets are off when it comes to stopping eavesdroppers from listening in to your wireless network.

  • Your Wifi router could be hiding a scary vulnerability

    Anybody who has a WiFi router might want to be sure to have their login details close at hand throughout the course of today.

    That’s because later today security researcher Mathy Vanhoef will reveal a potentially disastrous vulnerability in the WPA2 protocol.

    The Wifi Protected Access protocol appears to have been cracked by Vanhoef according to Gizmodo which took a look at the source code of the researcher’s website Krack Attacks and found this throw forward.

  • Wi-Fi WPA2 encryption possibly cracked

    Just to add on to your Monday morning blues, WPA2 (Wi-Fi Protected Access Version 2) which is the de-facto encryption method used by the majority of Wi-Fi routers is rumored to have been cracked.

Linus Torvalds lauds fuzzing for improving Linux security

Filed under
Linux
Security

Linus Torvalds' release notification for Linux 4.14's fifth release candidate contains an interesting aside: the Linux Lord says fuzzing is making a big difference to the open source operating system.

Torvalds' announcement says Linux kernel 4.14 is coming along nicely, with this week's release candidate pleasingly small and “fairly normal in a release that has up until now felt a bit messier than it perhaps should have been.”

This week's most prominent changes concern “... more fixes for the whole new x86 TLB [translation lookaside buffer – Ed] handling due to the ASID [address space ID - Ed] changes that came in this release.”


Security: MalwareTech, JavaScript, Vista 10, TPM2, Intel Back Door, Linux Bug, Pizza Hut Breach, Telcos Spying

Filed under
Security
  • Let MalwareTech Surf! Status Report
  • 500 million PCs are being used for stealth cryptocurrency mining online

    A month or so ago, torrent search website The Pirate Bay raised concern among the community as visitors noticed their CPU usage surged whenever a page was opened.

  • Dutch slam Windows 10 for breaking privacy laws

    Dutch authorities claim Microsoft’s Windows 10 operating system is violating data protection and privacy laws, and warned they may impose fines on the US technology giant.

    “Microsoft breaches the Dutch data protection law by processing personal data of people that use the Windows 10 operating system on their computers,” the Dutch Data Protection Authority (DPA) said in a statement late Friday.

    The company fails to “clearly inform” users of Windows 10 that it “continuously collects personal data about the usage of apps and web surfing behavior through its web browser Edge, when the default settings are used,” the DPA said.

  • Using Elliptic Curve Cryptography with TPM2

    One of the most significant advances going from TPM1.2 to TPM2 was the addition of algorithm agility: The ability of TPM2 to work with arbitrary symmetric and asymmetric encryption schemes. In practice, in spite of this much vaunted agile encryption capability, most actual TPM2 chips I’ve seen only support a small number of asymmetric encryption schemes, usually RSA2048 and a couple of Elliptic Curves. However, the ability to support any Elliptic Curve at all is a step up from TPM1.2. This blog post will detail how elliptic curve schemes can be integrated into existing cryptographic systems using TPM2. However, before we start on the practice, we need at least a tiny swing through the theory of Elliptic Curves.

  • Sakaki's EFI Install Guide/Disabling the Intel Management Engine

    The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -3,[1][2][3][4] independently of the BIOS, main CPU and platform operating system[5][6] — a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported[7][8]).

  • Linux vulnerable to privilege escalation

    An advisory from Cisco issued last Friday, October 13th, gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).

    The bug is designated CVE-2017-15265, but its Mitre entry was still marked “reserved” at the time of writing. Cisco, however, had this to say about it before release:

  • Pizza Hut was hacked, company says

    According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed.

    The “temporary security intrusion” lasted for about 28 hours, the notice said, and it’s believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information — meaning account number, expiration date and CVV number — were compromised.

  • Want to see something crazy? Open this link on your phone with WiFi turned off

    These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required). These services are doing this with the assistance of the telco providers.

  • Telcos "selling realtime ability to associate web browsing with name & address"

Security: Kaspersky, Grafeas, Schneier Book

Filed under
Security

Microsoft Breaking the Law and Computer Security Woes

Filed under
Microsoft
Security

How do you dump the firmware from a "secure" voting machine? With a $15 open source hardware board

Filed under
Hardware
Security

One of the highlights of this year's Defcon conference in Vegas was the Voting Machine Hacking Village, where security researchers tore apart the "secure" voting machines America trusts its democracy to.

The Voting Machine Hacking Village just released its master report on the vulnerabilities they found, and the participants are talking about it on Twitter, including Joe Fitz's note that he dumped the firmware off an Accuvote TSX with one of Adafruit's $15 open source hardware FT232h breakout boards.


Security: Australia, IRS, and Grafeas

Filed under
Security
  • Australian defense firm was hacked and F-35 data stolen, DOD confirms

    The Australian Cyber Security Centre noted in its just-issued 2017 Threat Report that a small Australian defense company "with contracting links to national security projects" had been the victim of a cyber-espionage attack detected last November. "ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data," the ACSC report stated. "The adversary remained active on the network at the time."

    More details of the breach were revealed on Wednesday at an IT conference in Sydney. ASD Incident Response Manager Mitchell Clarke said, "The compromise was extensive and extreme." The attacker behind the breach has been internally referred to at the Australian Signals Directorate as "APT Alf" (named for a character in Australia's long-running television show Home and Away, not the US television furry alien). Alf stole approximately 30 gigabytes of data, including data related to Australia's involvement in the F-35 Joint Strike Fighter program, as well as data on the P-8 Poseidon patrol plane, planned future Australian Navy ships, the C-130 Hercules cargo plane, and the Joint Direct Attack Munition (JDAM) bomb. The breach began in July of 2016.

  • After second bungle, IRS suspends Equifax’s “taxpayer identity” contract

    The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors' computers with adware that was detected by just three of 65 antivirus providers. The development means that at least for now, taxpayers cannot open new Secure Access accounts with the IRS. Secure Access allows taxpayers to retrieve various online tax records and provides other "tax account tools" to those who have signed up.

  • Google, IBM Partner to Tighten Container Security
  • Grafeas, new open-source API for the software supply chain, released

Security: Updates, Grafeas, Cloudwashing

Filed under
Security
OSS Leftovers

  • 20 Most Promising Open Source Solution Providers - 2017
    Open source has become an imperative part of every developer’s arsenal. The potential to gather assistance from the community and the capacity to link into a range of systems and solutions make open source incredibly powerful. As open source software becomes ubiquitous, and used by the vast majority of enterprises throughout the world, 2017 is all set for vendors of application delivery controller (ADC) to start providing improved and tighter integration packages for various open source projects, especially surrounding ADC-generated telemetry. Companies have been extensively using their analytics and machine learning capabilities for quite some time to identify actionable patterns from the collected data. With the rising demand for business intelligence, this year is foreseen to be the year of information superiority with businesses, leveraging data as a key differentiator. In the past couple of years, containers have been emerging as an imminent trend. As the business focus starkly shifts on rightsizing of resources, containers are expected to become a common phenomenon, giving businesses the ability to leverage highly portable assets and make the move into micro services much simpler. Adjacently, automation has become essential now. Mostly intensified by DevOps adoption, the automation of software delivery and infrastructure changes have freed developers to spend more time creating and less time worrying about infrastructure.
  • DevOps pros and open source: Culturally connected
    Like chocolate and peanut butter, DevOps and open source are two great tastes that taste great together. For many DevOps pros, it's the perfect cultural and technical match.
  • Interoperability: A Case For Open Source - GC@PCI Commentary
    He continues: “An open source model allows companies to see the assumptions behind the calculation and lowers the cost of entry into the cat modeling business. More importantly, the standardized and interoperable hazard, vulnerability and financial modules included in a true open source model facilitate the collaboration of data from insurers, reinsurers, entrepreneurs, scientists, computer programmers and individuals, all of which may result in a new generation of cat models.”
  • DevOps Skills Are Key to Collaboration within Organizations
    DevOps is one of the most highly sought skills employers are seeking to fill among 57 percent of respondents in the 2017 Open Source Jobs Report, from Dice and The Linux Foundation. Specifically, firms are looking for developers (73 percent) and DevOps engineers (60 percent).
  • Projects You Can Help With For Advancing Open-Source NVIDIA "Nouveau" Graphics
    Longtime Nouveau contributor Karol Herbst has been working on an updated list of project ideas for new contributors or those that may be wanting to participate in an Endless Vacation of Code / Google Summer of Code.
  • Join The Linux Foundation at Open Source Summit EU for Booth Swag, Project Updates, and More
    Going to Open Source Summit EU in Prague? While you’re there, be sure to stop by The Linux Foundation training booth for fun giveaways and a chance to win one of three Raspberry Pi kits.
  • Oracle Promises To Open Source Oracle JDK And Improve Java EE
    Oracle had already announced it would be moving Java EE to the Eclipse Foundation, and the announcements at JavaOne move the language further to a more vendor-neutral future. It's worth noting that the keynote was preceded by a Safe Harbor disclaimer in which Oracle said it could not be held to plans made during the speech, so nothing is actually certain.
  • Linux Kernel Community Enforcement Statement
  • Linux Kernel Gets An "Enforcement Statement" To Deal With Copyright Trolls
    Greg Kroah-Hartman, on behalf of the Linux Foundation Technical Advisory Board, has today announced the Linux Kernel Community Enforcement Statement. This statement is designed to better fend off copyright trolls. Among the copyright troll concerns is how a Netfilter developer has been trying to enforce his personal copyright claims against companies "in secret and for large sums of money by threatening or engaging in litigation."
  • An enforcement clarification from the kernel community
    The Linux Foundation's Technical Advisory Board, in response to concerns about exploitative license enforcement around the kernel, has put together this patch adding a document to the kernel describing its view of license enforcement. This document has been signed or acknowledged by a long list of kernel developers. In particular, it seeks to reduce the effect of the "GPLv2 death penalty" by stating that a violator's license to the software will be reinstated upon a timely return to compliance.
Tizen and Android Leftovers