Security

Security Leftovers

Filed under
Security
  • More good news: Medical equipment is still prone to [cracker] attacks [iophk: Windows TCO]

    A new report from Unit 42 says 72% of health care networks mix [Internet] of things (IoT) and information technology assets, allowing malware to spread from users’ computers to vulnerable IoT devices on the same network. The report also offers a lot of data on non-medical IoT attacks.

    There is a 41% rate of attacks exploiting device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses. And Unit 42 has seen a shift from IoT botnets conducting denial-of-service attacks to more sophisticated attacks targeting patient identities, corporate data, and monetary profit via ransomware.

  • Conficker, a Twelve-Year-Old Malware, Attacks Connected Objects [iophk: Windows TCO]

    Twelve years after its creation, the Conficker malware is now attacking connected objects. The American firm Palo Alto Networks announces that it has detected Conficker on the connected devices of a hospital, marking a resurgence of the twelve-year-old computer worm. It calls on all owners of connected objects to adopt the security measures recommended by specialists.

    According to a report released Tuesday, March 10, 2020, by IT expert Palo Alto Networks, a twelve-year-old computer worm called Conficker has recently made a comeback. The latter, which emerged in 2008 by taking advantage of security vulnerabilities in Microsoft’s Windows XP operating system, has generated a whole network of zombie machines.

    In 2009, Conficker reportedly infected up to 15 million machines. Still active, although it is considered a minor phenomenon and without real risk, it still infected some 400,000 computers in 2015. The proliferation of connected objects would have increased this number to 500,000 devices today.

  • [Older] Maastricht Univ. paid €250K to ransomware [attackers]: report [iophk: Windows TCO]

    Maastricht University paid between 200 thousand and 300 thousand euros to [attackers] who had blocked access to the university's digital systems with ransomware, various people involved told the Volkskrant. The university board was forced to pay because the university's backups were also hijacked. The backups [sic] - stored on the university servers - contain research data and data from students and staff from the past decades.

  • [Older] University of Maastricht says it paid [attackers] 200,000-euro ransom [iophk: Windows TCO]

    The University of Maastricht on Wednesday disclosed that it had paid [attackers] a ransom of 30 bitcoin — at the time worth 200,000 euros ($220,000) — to unblock its computer systems, including email and computers, after an attack that unfolded on Dec. 24.

  • [Older] Maastricht University Pays 30 Bitcoins as Ransom to TA505 Group [iophk: Windows TCO]

    A management summary of the Fox-IT report and Maastricht University’s response found that during the time frame of October 15 to 23 December 2019 (inclusive of both dates), TA505 gained control over multiple servers. Following is the timeline of the events in the leadup to the final ransomware attack: [...]

  • FBI warns Zoom, teleconference meetings vulnerable to hijacking

    “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the FBI cautioned. “As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.”

    It’s not just private businesses and children whose meetings could be Zoombombed. Privacy and security issues in conferencing software may also pose risks to national security, as world leaders convene Zoom meetings. In some cases, world leaders such as U.K. Prime Minister Boris Johnson have shared screenshots of their teleconferencing publicly only to reveal Zoom meeting IDs, raising concerns that sensitive information could be compromised.

  • Qakbot malspam sent from an infected Windows host [iophk: Windows TCO]

    Every once in a while, I'll see spambot-style traffic from the Windows hosts I infect in my lab environment. On Tuesday 2020-03-31, this happened during a Qakbot infection. I've covered examining Qakbot traffic before, but that didn't include examples of spambot emails sent from an infected Windows computer. Today's diary provides a quick review of some email examples from spambot traffic by my Qakbot-infected lab host.

  • Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims [iophk: Windows TCO]

    During the analysis, we reversed this strain of Qbot and identified the attacker’s active command and control server, allowing us to determine the scale of the attack. Based on direct observation of the C2 server, thousands of victims around the globe are compromised and under active control by the attackers. Additional information uncovered from the C&C server exposed traces of the threat actors behind this campaign.

    [...]

    Qbot (or Qakbot) was first identified in 2009 and has evolved significantly. It is primarily designed for collecting browsing activity and data related to financial websites. Its worm-like capabilities allow it to spread across an organization’s network and infect other systems.

  • os x ssh fails when using -p flag

    /usr/bin/ssh in macos 10.15.4 hangs if used with the -p flag to specify an alternate port and used with a hostname. This was not present in macos 10.15.3.

Security: Software Updates, Kali NetHunter Updates, OpenWRT Bug and Scams That Exploit COVID-19

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, ImageMagick, kernel, kernel-rt, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, nss-softokn, okular, php, podman, polkit, poppler and evince, procps-ng, python, python-twisted-web, python3, qemu-kvm, qemu-kvm-ma, qt, rsyslog, samba, skopeo, squid, systemd, taglib, texlive, unzip, virt:8.1, wireshark, and zziplib), Slackware (gnutls and httpd), and SUSE (glibc, icu, kernel, and mariadb).

  • Kali NetHunter Updates

    Many outstanding discoveries have been made by our vibrant NetHunter community since 2020.1, so we have decided to publish a mid-term release to showcase these amazing developments on selected devices.

    [...]

    The Android 8.1 image is considered the recommended release with a proven track record of supporting NetHunter under the most extreme conditions, including force encryption of the data partition.

    Considering the current maturity of Android 10 for this platform, we would consider this version to be most suited for those who love to experiment and don’t mind getting things working by themselves. We had to edit the vendor fstab file on a laptop to disable force encryption because TWRP didn’t support it at the time of writing. If that doesn’t scare you then this image might be just right for you.

  • OpenWRT code-execution bug puts millions of devices at risk

    For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.

    OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.

    [...]

    These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning may also make attacks possible, but he cautions that he didn’t test either method.

    Despite the requirements, many networks connect people who are unknown or untrusted by the device operator. What’s more, attacks that replace router settings pointing to a legitimate DNS with a malicious one are a fact of life on the Internet, as in-the-wild attacks here, here, here, and here (to name just a few) demonstrate.

  • OpenWRT code-execution bug puts millions of devices at risk

    The headline may be a bit overwrought, though.

  • How Hackers Are Targeting Networks Amidst Coronavirus Threat?

    There is no doubt that COVID-19 has created fear, panic and uncertainty among the public, but it has also opened new possibilities for hackers to increase cyber attacks using different approaches. According to reports in the last few weeks, hackers are taking advantage of the current situation to spread fake news about important information related to government notices, school closures, health risks etc.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift).

  • Why Understanding CVEs Is Critical for Data Scientists

    CVEs are Common Vulnerabilities and Exposures found in software components. Because modern software is complex with its many layers, interdependencies, data input, and libraries, vulnerabilities tend to emerge over time. Ignoring a high CVE score can result in security breaches and unstable applications.

    Because data scientists work with vast stores of data, they need to take responsibility for the software components they use to minimize risk and protect customer data. A golden rule in security is, wherever valuable data can be found, hackers will go.

    Software developers refer to CVE databases and scores on a regular basis to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. They also monitor for vulnerabilities in components they currently use. To reduce the risk of a security breach from open-source packages, data science teams need to take this page from the software developer’s playbook and apply it to their data science and machine learning pipeline.

  • pam-krb5 4.9

    This is a security release fixing a one-byte buffer overflow when relaying prompts from the underlying Kerberos library. All users of my pam-krb5 module should upgrade as soon as possible. See the security advisory for more information.

    There are also a couple more minor security improvements in this release: The module now rejects passwords as long or longer than PAM_MAX_RESP_SIZE (normally 512 octets) since they can be a denial of service attack via the Kerberos string-to-key function, and uses explicit_bzero where available to clear passwords before releasing memory.

  • rethinking openbsd security

    OpenBSD aims to be a secure operating system. In the past few months there were quite a few security errata, however. That’s not too unusual, but some of the recent ones were a bit special. One might even say bad. The OpenBSD approach to security has a few aspects, two of which might be avoiding errors and minimizing the risk of mistakes. Other people have other ideas about how to build secure systems. I think it’s worth examining whether the OpenBSD approach works, or if this is evidence that it’s doomed to failure.

KDE Plasma 5.18.4 LTS Desktop Environment Brings More Than 40 Fixes

Filed under
KDE
Security

Coming three weeks after the Plasma 5.18.3 point release, which introduced a bunch of Flatpak improvements and more than 60 fixes, the KDE Plasma 5.18.4 LTS release is here to add more than 40 bug fixes to various of the desktop environment’s core components.

Among the changes, there’s improved support for the upcoming Qt 5.15 application framework for Breeze and libksysguard components and better support for the fwupd open-source daemon for installing firmware updates on devices in the Discover package manager.

Flatpak support in Discover was also improved by fixing two issues. Moreover, XSettingsd was added as a runtime dependency to KDE GTK Config, kwallet-pam now works with pam_fscrypt, and KWin now allows the creation of more than one row on the “Virtual Desktops” settings page.

Read more

Critical Linux Kernel Vulnerability Patched in Ubuntu 19.10 and 18.04.4 LTS

Filed under
Linux
Security
Ubuntu

Discovered by Manfred Paul, the security vulnerability (CVE-2020-8835) was found in Linux kernel’s BPF (Berkeley Packet Filter) verifier, which incorrectly calculated register bounds for certain operations.

This could allow a local attacker to either expose sensitive information (kernel memory) or gain administrative privileges and run programs as root user.

The security issue affects all Ubuntu 19.10 (Eoan Ermine) and Ubuntu 18.04.4 LTS (Bionic Beaver) releases running Linux kernel 5.3 on 64-bit, Raspberry Pi, KVM, as well as cloud environments like AWS, Azure, GCP, GKE, and Oracle Cloud.

Read more

WireGuard 1.0.0 for Linux 5.6 Released

Filed under
Linux
Security

Hi folks,

Earlier this evening, Linus released [1] Linux 5.6, which contains our
first release of WireGuard. This is quite exciting. It means that
kernels from here on out will have WireGuard built-in by default. And
for those of you who were scared away prior by the "dOnT uSe tHiS
k0de!!1!" warnings everywhere, you now have something more stable to
work with.

The last several weeks of 5.6 development and stabilization have been
exciting, with our codebase undergoing a quick security audit [3], and
some real headway in terms of getting into distributions.

We'll also continue to maintain our wireguard-linux-compat [2]
backports repo for older kernels. On the backports front, WireGuard
was backported to Ubuntu 20.04 (via wireguard-linux-compat) [4] and
Debian Buster (via a real backport to 5.5.y) [5]. I'm also maintaining
real backports, not via the compat layer, to 5.4.y [6] and 5.5.y [7],
and we'll see where those wind up; 5.4.y is an LTS release.

Meanwhile, the usual up-to-date distributions like Arch, Gentoo, and
Fedora 32 will be getting WireGuard automatically by virtue of having
5.6, and I expect these to increase in number over time.

Enjoy!
Jason

Read more

Also: WireGuard 1.0.0 Christened As A Modern Secure VPN Alternative To OpenVPN/IPsec

Security and FUD

Filed under
Security
  • Surviving the Frequency of Open Source Vulnerabilities

    One hurdle in any roll-your-own Linux platform development project is getting the necessary tools to build system software, application software, and the Linux kernel for your target embedded device. Many developers use a set of tools based on the GNU Compiler Collection, which requires two other software packages: a C library used by the compiler; and a set of tools required to create executable programs and associated libraries for your target device. The end result is a toolchain.

    [...]

    In preference to working on features or product differentiation, developers often spend valuable time supporting, maintaining, and updating a cross-compilation environment, Linux kernel, and root file system. All of which requires a significant investment of personnel and a wide range of expertise.

  • Netgate® Extends Free pfSense® Support and Lowers pfSense Support Subscription Pricing to Aid in COVID-19 Relief

    Free zero-to-ping support, free VPN configuration and connection support, free direct assistance for first responder | front line healthcare agencies, and reduced pfSense TAC support subscription prices all introduced

  • How the hackers are using Open Source Libraries to their advantage [Ed: Conflating hackers with crackers]

    Ben Porter, Chief Product Officer at Instaclustr, writes about how the potential of Open Source Libraries must be balanced with the growing risk of library jacking by hackers.

  • Three Cases Where the Open Source Model Didn't Work [Ed: Lots of anti-GPL FUD and not taking any account of Microsoft crimes, monopoly abuse, bribes and blackmail]

    So, why didn’t the open source model work in these three cases?

    The main reason is that in all of these cases, data structure specs and the description of algorithms are not the most important piece of the picture.

    The root of the problem is in the variety of real-life situations where bugs and failures may occur and lead to data-loss situations, which is a total no-go in the real world.

    Successful though the open source community has been in creating open source programs and platforms, that is still no guarantee of industrial-grade software development (3). The core to success in developing a highly reliable solution is a carefully nurtured auto-test environment. This assures a careful track record and in-depth analysis for every failure, as well as an effective work-flow, making sure any given bug or failure never repeats. It’s obvious that building such an environment can take years, if not decades, and the main thing here is not to know how something should work according to specs, but to know how and where exactly it fails. In other words, the main problem is not the resources needed to develop the code; the main problem is the time needed to build up reliable test coverage that will provide a sufficient barrier against data-loss bugs.

    Another problem with open source is that it is usually accompanied by a GPL license. This limits the contribution to such projects almost solely to the open source community itself. One of the major requirements of the GPL license is to disclose changes to source code in case of further distribution, making it pointless for commercial players to participate.

Grsecurity maker finally coughs up $300k to foot open-source pioneer Bruce Perens' legal bill in row over GPL

Filed under
Linux
Security
Legal

After three years of legal wrangling, the defamation lawsuit brought by Brad Spengler and his company Open Source Security (OSS) against open-source pioneer Bruce Perens has finally concluded.

It was clear that the end was nigh last month when California's Ninth Circuit Court of Appeals affirmed a lower court ruling against the plaintiffs.

Spengler and OSS sued Perens for a June 2017 blog post in which Perens ventured the opinion that grsecurity, Open Source Security's Linux kernel security enhancements, could expose customers to potential liability under the terms of the General Public License (GPL).

OSS says that customers who exercise their rights to redistribute its software under the GPL will no longer receive software updates – the biz wants to be paid for its work, a problem not really addressed by the GPL. Perens, the creator of the open-source definition, pointed out that section six of the GPLv2 prohibits modifications of the license terms.

Read more

Security Leftovers

Filed under
Security
  • Russian [Attackers] Exploited Windows Flaws in Attacks on European Firms

    Analysis of the infrastructure used by the [attackers] led to the discovery of an executable named comahawk.exe that incorporated two local privilege escalation exploits targeting Windows.

    The vulnerabilities, tracked as CVE-2019-1405 and CVE-2019-1322, were patched by Microsoft in November 2019 and October 2019, respectively. Microsoft’s advisories for both these flaws say “exploitation [is] less likely”.

    In mid-November 2019, NCC Group, whose researchers reported the vulnerabilities to Microsoft, published a blog post describing the weaknesses. Shortly after, someone made public an exploit named COMahawk that weaponizes CVE-2019-1405 and CVE-2019-1322.

  • Global insurer Chubb hit by Maze ransomware: claim [iophk: Windows TCO]

    According to its own website, Chubb had more than US$177 billion (A$291 billion) in assets and reported US$40 billion of gross premiums in 2019. The company says it has offices in Zurich, New York, London, Paris and other locations, and has more than 30,000 employees.

    iTWire contacted Chubb's Australian office for comment. A spokesperson responded: "We are currently investigating a computer security incident that may involve unauthorised access to data held by a third-party service provider.

  • Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links

    A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users that click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).

Security: The Keyring Concept in Ubuntu, Phishing and Malicious JavaScript

Filed under
Security

More in Tux Machines

21 Important Penetration Tools in Kali Linux

Kali Linux uses many kinds of penetration tools to assess the security situation of your devices and networks. Whether you are looking to advance your career as an ethical tester or find the vulnerabilities of your systems, these powerful tools yield excellent results. Almost all of them should be accessible from the main Kali Linux terminal. Note: if you are an ethical tester, you must have the necessary permissions to access another person’s device, unless you’re testing on your own devices. Read more

Hello, LineageOS 17.1

We have been working extremely hard since Android 10’s release last August to port our features to this new version of Android. Thanks to massive refactoring done in some parts of AOSP, we had to work harder than anticipated to bring some features forward, and in some cases, introduced implementations similar to some of our features into AOSP (but we’ll get to that later). First, let’s talk about naming and versioning. You may be thinking “Shouldn’t this be 17.0, as AOSP is on 10, and not 10.1?”, and given our previous versioning, you’d be correct. When the December Android Security Bulletin (ASB) dropped, we rebased on the more feature-filled Google Pixel 4/4 XL tag of AOSP. We decided that, in the future, if we decide for any reason to rebase a large number of repos on a different tag, we will uprev our subversion, e.g. 17.0 -> 17.1. As per this migration, on March 4th, we locked all lineage-17.0 branches and abandoned existing 17.0 changes. Not to fear, you can always cherry-pick your changes to 17.1, even via the Gerrit UI if you’d like! Read more Also: LineageOS 17.1 released

Red Hat Enterprise Linux helps pioneering unmanned marine research

In 1620, the Mayflower embarked on an uncertain journey across the Atlantic Ocean, with more than 100 pilgrims on board hoping to begin a new life in the New World. Now, 400 years later, the Mayflower Autonomous Ship (MAS) will follow in the footsteps of the original ship from Plymouth, England to Plymouth, Massachusetts. Only this time, there will be no human captain or onboard crew. It will be one of the first full-sized, fully autonomous and unmanned vessels to cross the Atlantic Ocean. The MAS project is a global collaboration led by marine research organization Promare. Conceived as a way to commemorate the 400th anniversary of the Mayflower voyage, it could have long-lasting implications for the shipping industry and the future of oceanographic research. The autonomous shipping market is projected to grow from $90BN today to over $130BN by 2030. However, many of today's autonomous ships are just automated and do not dynamically adapt to new situations. Using an integrated set of IBM's AI, cloud, and edge technologies, ProMare is aiming to give the Mayflower the ability to operate independently in some of the most challenging circumstances on the planet. Read more

Android Leftovers