Security

Security Leftovers

Security News

  • Friday's security updates
  • Thursday's security advisories
  • Microsoft Windows UAC can be bypassed for untraceable hacks

    User Account Control (UAC), the thing in Microsoft Windows that creates extra menus you wish would just sod off, can be bypassed, allowing hackers to gain registry access.

    Security researcher Matt Nelson has discovered that the flaw allows someone to start PowerShell, access the registry and then leave no trace.

    The workaround/feature/bug/massive security hole works on any version of Windows with UAC, which was introduced in Windows Vista and later softened in Windows 7 as it proved such a spectacular pain in the Vista.

    The technique uses no files, no injections and leaves no trace. It's just pure direct access via a vulnerability. You could go off and do it to someone now.

    Don't do that, though.

  • all that’s not golden

    Several stories and events recently that in some way relate to backdoors and golden keys and security. Or do they? In a couple cases, I think some of the facts were slightly colored to make for a more exciting narrative. Having decided that golden keys are shitty, that doesn’t imply that all that’s shit is golden. A few different perspectives here, because I think some of the initial hoopla obscured some lessons that even people who don’t like backdoors can learn from.

    Secure Boot

    Microsoft added a feature to Secure Boot, accidentally creating a bypass for older versions. A sweet demo scene release (plain text) compares this incident to the FBI’s requested golden keys. Fortunately, our good friends over at the Register dug into this claim and explained some of the nuance in their article, Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea. Ha, ha, I kid.

    Matthew Garrett also has some notes on Microsoft’s compromised Secure Boot implementation. He’s purportedly a Linux developer, but he doesn’t once in this post call Windows a steaming pile, so he’s probably a Microsoft shill in disguise.

    Returning to the big question, What does the MS Secure Boot Issue teach us about key escrow? Maybe not a whole lot. Some questions to consider are how thoroughly MS tried to guard the key and whether they actually lost the key or just signed the wrong thing.

    Relevant to the crypto backdoor discussion, are the actions taken here the same? In a key escrow scheme, are iPhones sending encrypted data to the FBI or is the FBI sending encrypted messages to iPhones? The direction of information flow probably has a profound effect on the chances of the wrong thing leaking out. Not to say I want anything flowing in either direction, but it does affect how analogous the situations are.

    A perhaps more important lesson, for all security or crypto practitioners, is just barely hinted at in mjg59’s post. Microsoft created a new message format, but signed it with a key trusted by systems that did not understand this format. Misinterpretation of data formats results in many vulnerabilities. Whenever it’s possible that a message may be incorrectly handled by existing systems, it’s vital to roll keys to prevent misinterpretation.

  • Security against Election Hacking – Part 1: Software Independence

    So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won. The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

    In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts. Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example. And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes). Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

  • Security against Election Hacking (Freedom to Tinker)

    Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.

Security Leftovers

  • CVE-2016-5696 and its effects on Tor

    This vulnerability is quite serious, but it doesn’t affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.

  • Secure Boot Failure, Response, and Mitigation

    Last week, it became public that there is an attack against Secure Boot, utilizing one of Microsoft’s utilities to install a set of security policies which effectively disables bootloader verification.

  • Static Code Analyzer Reportedly Finds 10,000 Open Source Bugs

    A Russian company behind the PVS-Studio static code analyzer claims to have used the tool to discover more than 10,000 bugs in various open source projects, including well-known offerings such as the Firefox Web browser and the Linux kernel.

  • Linux.Lady the Crypto-Currency Mining Trojan Discovered

    Organizations reliant on Redis NoSQL, a most sought-after database, require re-checking their configurations, security researchers advise. That's because the Linux.Lady crypto-currency Trojan, which mines digital money, has been discovered as it piggybacks on insufficient out-of-the-box security.

    It is possible that a maximum of 30K Redis servers are susceptible to attack, mainly since inadvertent system admins gave them an Internet connection without setting a password for them, in addition to Redis not being secured by default.

  • DDoS protection in the cloud

    OpenFlow and other software-defined networking controllers can discover and combat DDoS attacks, even from within your own network.

    Attacks based on the distributed denial of service (DDoS) model are, unfortunately, common practice, often used to extort protection money or sweep unwanted services off the web. Currently, such attacks can reach bandwidths of 300GBps or more. Admins usually defend themselves by securing the external borders of their own networks and listening for unusual traffic signatures on the gateways, but sometimes they fight attacks even farther outside the network – on the Internet provider's site – by diverting or blocking the attack before it overloads the line and paralyzes the victim's services.

    In the case of cloud solutions and traditional hosting providers, the attackers and their victims often reside on the same network. Thanks to virtualization, they could even share the same computer core. In this article, I show you how to identify such scenarios and fight them off with software-defined networking (SDN) technologies.

Security Leftovers

Security News

  • Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
  • NIST Denounces SMS 2FA - What are the Alternatives?

    Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline.

  • It's pretty easy to hack traffic lights

    Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system.

    The researchers targeted the wireless control systems at each intersection, avoiding any tampering with the actual junction boxes, which might be detected by passers-by (though seriously, some high-viz vests and a couple of traffic cones would likely serve as perfect camouflage), and worked with the permission of a local Michigan traffic authority.

Linux kernel 4.6 reaches end of life

Those using a GNU/Linux operating system powered by a kernel from the Linux 4.6 branch have been urged to move to Linux kernel 4.7.

According to a report by Softpedia, users have been advised to install the new Linux kernel 4.7.1 build.

Also: The Linux Foundation Announces 2016 LiFT Scholarship Recipients

Security News

FOSS and Security

  • Coffee Shop DevOps: How to use feedback loops to get smarter
  • How to design your project for participation

    Working openly means designing for participation. "Designing for participation" is a way of providing people with insight into your project, which you've built from the start to incorporate and act on that insight. Documenting how you intend to make decisions, which communication channels you’ll use, and how people can get in touch with you are the first steps in designing for participation. Other steps include working openly, being transparent, and using technologies that support collaboration and additional ways of inviting participation. In the end, it’s all about providing context: Interested people must be able to get up to speed and start participating in your project, team, or organization as quickly and easily as possible.

  • So long, Firefox Hello!

    After updating my PCLinuxOS install, I noticed that the icon of Firefox Hello had changed: it was red and displayed a message reading "Error!"

    I thought it was a simple login failure, so I logged in and the icon went green, as normal. However, I noticed that Hello did not display the "Start a conversation" window, but one that read "browse this page with a friend".

    A bit confused, I called Megatotoro, who read this statement from Mozilla to me. Apparently, I had missed the fact that Mozilla is discontinuing Hello starting from Firefox 49. Current Firefox version is 48, so...

  • FreeBSD 11.0 Up to Release Candidate State, Support for SSH Protocol v1 Removed

    The FreeBSD Project, through Glen Barber, has had the pleasure of announcing this past weekend the general availability of the first Release Candidate for the upcoming FreeBSD 11.0 operating system, due for release on September 2, 2016.

    It appears to us that the development cycle of FreeBSD 11.0 was accelerated a bit, as the RC1 milestone is here just one week after the release of the fourth Beta build. Again, the new snapshot is available for 64-bit (amd64), 32-bit (i386), PowerPC (PPC), PowerPC 64-bit (PPC64), SPARC64, AArch64 (ARM64), and ARMv6 hardware architectures.

  • Open Source//Open Society Conference Live Blog

    This conference offers 2 huge days of inspiration, professional development and connecting for those interested in policy, data, open technology, leadership, management and team building.

  • White House Source Code Policy Should Go Further

    A new federal government policy will result in the government releasing more of the software that it creates under free and open source software licenses. That’s great news, but doesn’t go far enough in its goals or in enabling public oversight.

    A few months ago, we wrote about a proposed White House policy regarding how the government handles source code written by or for government agencies. The White House Office of Management and Budget (OMB) has now officially enacted the policy with a few changes. While the new policy is a step forward for government transparency and open access, a few of the changes in it are flat-out baffling.

  • The Brewing Problem Of PGP Short-ID Collision Attacks
  • Starwood, Marriott, Hyatt, IHG hit by malware: HEI

    A data breach at 20 U.S. hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental may have divulged payment card data from tens of thousands of food, drink and other transactions, HEI said on Sunday.

  • Linux TCP Flaw Leaves 80% Android Phones Open To Spying
  • Good morning Android!

Security News

  • Serving Up Security? Microsoft Patches ‘Malicious Butler’ Exploit — Again

    It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

    However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

  • PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds

    After contacting the owner, it turned out that one of the keys is a fake. In addition, the fake keys were labelled with the same names and emails, and even carried signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key.

  • Let's Encrypt: Why create a free, automated, and open CA?

    During the summer of 2012, Eric Rescorla and I decided to start a Certificate Authority (CA). A CA acts as a third-party to issue digital certificates, which certify public keys for certificate holders. The free, automated, and open CA we envisioned, which came to be called Let's Encrypt, has been built and is now one of the larger CAs in the world in terms of issuance volume.

    Starting a new CA is a lot of work—it's not a decision to be made lightly. In this article, I'll explain why we decided to start Let's Encrypt, and why we decided to build a new CA from scratch.

    We had a good reason to start building Let's Encrypt back in 2012. At that time, work on an HTTP/2 specification had started in the Internet Engineering Task Force (IETF), a standards body with a focus on network protocols. The question of whether or not to require encryption (via TLS) for HTTP/2 was hotly debated. My position, shared by my co-workers at Mozilla and many others, was that encryption should be required.

Security News

  • Jay Beale: Linux Security and Remembering Bastille Linux

    Security expert and co-creator of the Linux-hardening (and now Unix-hardening) project Bastille Linux. That’s Jay Beale. He’s been working with Linux, and specifically on security, since the late 1980s. The greatest threat to Linux these days? According to Beale, the thing you really need to watch out for is your Android phone, which your handset manufacturer and wireless carrier may or may not be good about updating with the latest security patches. Even worse? Applications you get outside of the controlled Google Play and Amazon environments, where who-knows-what malware may lurk. On your regular desktop or laptop Linux installation, Beale says the best security precaution you can take is encrypting your hard drive — which isn’t at all hard to do. He and I also talked a bit, toward the end, about how “the Linux community” was so tiny, once upon a time, that it wasn’t hard to know most of its major players. He also has some words of encouragement for those of you who are new to Linux and possibly a bit confused now and then. We were all new and confused once upon a time, and got less confused as we learned. Guess what? You can learn, too, and you never know where that knowledge can take you.

  • Automotive security: How safe is a next-generation car?

    The vehicles we drive are becoming increasingly connected through a variety of technologies. Features such as keyless entry and self-diagnostics are becoming commonplace. Unfortunately, they can also introduce IT security issues.

  • Let's Encrypt: Every Server on the Internet Should Have a Certificate

    The web is not secure. As of August 2016, only 45.5 percent of Firefox page loads are HTTPS, according to Josh Aas, co-founder and executive director of Internet Security Research Group. This number should be 100 percent, he said in his talk called “Let’s Encrypt: A Free, Automated, and Open Certificate Authority” at LinuxCon North America. Why is HTTPS so important? Because without security, users are not in control of their data and unencrypted traffic can be modified. The web is wonderfully complex and, Aas said, it’s a fool’s errand to try to protect this certain thing or that. Instead, we need to protect everything. That’s why, in the summer of 2012, Aas and his friend and co-worker Eric Rescorla decided to address the problem and began working on what would become the Let’s Encrypt project.

  • OpenSSL 1.1 Released With Many Changes

    OpenSSL 1.1.0 was released today as a major update to this free software cryptography and SSL/TLS toolkit. In addition to OpenSSL 1.1 rolling out a new build system, new security levels, support for pipelining and a new threading API, security additions to OpenSSL 1.1 include adding the AFALG engine, support for ChaCha20 in libcrypto/libssl, scrypt algorithm support, and support for X25519, among many other additions.

  • Is Windows 10’s ‘Hidden Administrator Account’ a security risk? [Ed: Damage control from Microsoft Jack (Jack Schofield) because Microsoft Windows is vulnerable by design]