Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, CCleaner, and Equifax Blame

Filed under
Security
  • Security updates for Monday
  • Here’s an Open Source Alternative to CCleaner
  • Software Has a Serious Supply-Chain Security Problem

    The warnings consumers hear from information security pros tend to focus on trust: Don't click web links or attachments from an untrusted sender. Only install applications from a trusted source or from a trusted app store. But lately, devious hackers have been targeting their attacks further up the software supply chain, sneaking malware into downloads from even trusted vendors, long before you ever click to install.

    On Monday, Cisco's Talos security research division revealed that hackers sabotaged the ultra-popular, free computer-cleanup tool CCleaner for at least the last month, inserting a backdoor into updates to the application that landed in millions of personal computers. That attack betrayed basic consumer trust in CCleaner-developer Avast, and software firms more broadly, by lacing a legitimate program with malware—one distributed by a security company, no less.

  • CCleaner Compromised to Distribute Malware for Almost a Month

    Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.

    Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

  • From equanimity to Equifax [Ed: It's NOT "about open-source software quality" but about Equifax not patching its software for >2 months]

Security: Failure to Patch, Failure to Set up Database Correctly, Failure to Check 'Apps'

Filed under
Security
  • Don't blame open-source software for poor security practices

    The Equifax breach is a good reminder of why organizations need to remain vigilant about properly maintaining and updating their software, especially when security vulnerabilities have been disclosed. In an ideal world, software would update itself the moment a security patch is released. WordPress, for example, offers automatic updates in an effort to promote better security, and to streamline the update experience overall. It would be interesting to consider automatic security updates for Drupal (just for patch releases, not for minor or major releases).

    In absence of automatic updates, I would encourage users to work with PaaS companies that keep not only your infrastructure secure, but also your Drupal application code. Too many organizations underestimate the effort and expertise it takes to do it themselves.

    At Acquia, we provide customers with automatic security patching of both the infrastructure and Drupal code. We monitor our customers' sites for intrusion attempts, DDoS attacks, and other suspicious activity. If you prefer to do the security patching yourself, we offer continuous integration or continuous delivery tools that enable you to get security patches into production in minutes rather than weeks or months. We take pride in assisting our customers to keep their sites current with the latest patches and upgrades; it's good for our customers and helps dispel the myth that open-source software is more susceptible to security breaches.

  • Northern Exposure: Data on 600K Alaskan Voters is Leaked

    Researchers have discovered the personal details of over half a million US voters exposed to the public internet, once again thanks to a misconfigured database.

  • Google purges malicious Android apps with millions of downloads

BlackArch Linux A Pentesting Linux Distribution

Filed under
GNU
Linux
Security

​When it comes to penetration testing, the best way to go is Linux. Distros like Kali and Parrot are quite popular. Today we're going to look at another awesome penetration testing distro known as Blackarch. Blackarch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. The Blackarch comes with a tools repository that contains over 1800 tools with new ones being added quite frequently. Let us take a brief look at this Linux distro.

Read more

Security: Eugene Kaspersky, IT security in the EU, CouchDB, Telcos, D-Link, Bluetooth, and Fitbit

Filed under
Security

Security: Windows Zeo-Day, Cryptography, Updates, Reproducible Builds, Vendor Bans, AT& and More

Filed under
Security

Equifax Failed to Patch, Now Fails as a Company

Filed under
Security

​Check Point's bogus Windows Subsystem for Linux attack

Filed under
Security

Security companies, desperate for attention and headlines, love to come up with flashy, dangerous-sounding security hole names. The latest is Check Point's Bashware. This one, Check Point claims, can render 400 million Windows 10 PCs open to malware using Windows Subsystem for Linux (WSL) to launch Windows malware from a WSL Linux instance, thus bypassing most Windows security products in the process.

Read more

Security: Devices, Open Source Secure, Cybrary, and Kaspersky Lab

Filed under
Security

Security: Kaspersky, Equifax and Internet of Things (IoT) at the Open Source Summit

Filed under
Security
  • Kaspersky Banned: Federal Agencies Ditch Russian Cybersecurity Firm Over Spying Concerns

     

    Acting Department of Homeland Security secretary Elaine Duke announced the ban of Kaspersky Lab software from federal government networks. The agencies have an unspecified timeline to rid their machines of the software, which DHS declared may pose a security risk.

  • US homeland security dept bans Kaspersky use by govt

     

    The US Department of Homeland Security has ordered all government agencies to stop using products from Kaspersky Labs, with a deadline of 90 days to implement plans to discontinue the use and to remove software from information systems.  

  • U.S. moves to ban Kaspersky software in federal agencies amid concerns of Russian espionage

     

    In a binding directive, acting homeland security secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government and its software poses a security risk.

  • Ayuda! (Help!) Equifax Has My Data!

    Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

    [...]

     

    It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

  • Equifax hack: 44 million Britons' personal details feared stolen in major US data breach
  • On the Equifax Data Breach

    Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

    Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

    The market can't fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn't notice, you're not Equifax's customer. You're its product.

  • Open Source Summit: Securing IoT is About Avoiding Anti-Patterns

    The security perils inherent in Internet of Things (IoT) devices are painfully obvious at this point in 2017, but why are there so many security issues? At a session during the Open Source Summit here Marti Bolivar, senior software engineer at Linaro detailed what he described as "anti-patterns" that ultimately lead to negative security outcomes.

    Bolivar started his session by defining what security in IoT is really all about, by pulling a quote from security engineer Ross Anderson.

Security: Dlink, Equifax, Bluetooth

Filed under
Security
  • Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol

    The Dlink 850L is a router overall badly designed with a lot of vulnerabilities.

    Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.

  • House Dems demand answers from Equifax CEO

    All 24 minority members of the committee signed a letter to the Equifax executive, Richard Smith, calling on him to come forward with more information about his handling of the crisis.

  • Chatbot lets you sue Equifax for up to $25,000 without a lawyer

    Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.

  • Bluetooth flaws leave billions of devices open to attacks

    Researchers at IoT security firm Armis say they have found eight flaws in the Bluetooth protocol that can be used to attack devices running Android, iOS, Linux and Windows.

  • Bluetooth Vulnerability BlueBorne Impacts Android, iOS, Windows, and Linux Devices

    The BlueBorne attack doesn’t even require the victim to tap or click on any malicious links. If your device has Bluetooth and is on then it is possible for an attacker to take complete control of it from 32 feet away. This even works without the attacker pairing anything to the victim’s device and the target device doesn’t need to be set to discoverable mode either. The team at Armis Labs have identified eight zero-day vulnerabilities so far and believes many more are waiting to be discovered.

Syndicate content

More in Tux Machines

Android Leftovers

Red Hat: Patent 'Promise', Proprietary 'Gifts', Imminent Results, Fedora 27 Delays

  • Red Hat pledges patent protection for 99 per cent of FOSS-ware [Ed: And when Red Hat gets taken over (like Sun and Oracle) this promise will be worthless]
    Red Hat says it has amassed over 2,000 patents and won't enforce them if the technologies they describe are used in properly-licensed open source software. The company's made more or less the same offer since the year 2002, when it first made a “Patent Promise” in order to “to discourage patent aggression in free and open source software.” In 2002 the company didn't own many patents and claimed its non-enforcement promise covered per cent of open source software. The Promise was revised in order to reflect the company's growing patent trove and to spruce up the language it uses to make it more relevant. The revised promise “applies to all software meeting the free software or open source definitions of the Free Software Foundation (FSF) or the Open Source Initiative (OSI)”. That verbiage translates into any software licensed on terms the OSI approves on this list, or which meet the Initiative’s definition of open source offered here. Licenses listed by the Free Software Foundation as a free software license at https://www.gnu.org/licenses/license-list.html#SoftwareLicenses also come under the Promise's purview, as do those here as of the date this edition of Our Promise is published.
  • Red Hat Open Source Day rewards with proprietary hardware. For the fourth time
    The above is an excerpt of the 2017 event announcement. Which, as you can see below, will be at least the fourth consecutive one in which Red Hat Italia will award participants with some of the most proprietary devices around. Please note the absence of anything like, e.g. Matchstick, “100% Linux compatible laptop, with Linux preinstalled”, or a Fairphone, in the screenshots...
  • Red Hat (RHT) to Report Q2 Earnings: Will it Beat Estimates?
    We expect Red Hat Inc. RHT to beat expectations when it reports fiscal second-quarter 2018 results on Sep 25.
  • Needle Action Activity Spotted in Enbridge Inc (ENB) and Red Hat Inc (RHT)
  • Fedora 27 Beta Hit By A Second Delay
    Last week it was decided to delay the Fedora 27 beta due to bugs while this week they've been forced to delay the release a second time. The first beta delay wasn't too bad as the F27 schedule already had a built-in "rain date", in acknowledging Fedora's frequent release delays. But today a second unplanned delay is pushing back F27 Beta by at least one more week. This will now also push back the Fedora 27 final release by at least one week.
  • Fedora 27 Beta status is NO-GO
  • News: The new Krita 3.3.0

Security: Apple's Betrayal, Intel ME Back Doors Backfire, and Optionsbleed

  • iOS 11 Muddies WiFi and Bluetooth Controls
    Turning WiFi and Bluetooth off is often viewed as a good security practice. Apple did not rationalize these changes in behavior.
  • How To Hack A Turned-Off Computer, Or Running Unsigned Code In Intel Management Engine
    Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such "God mode" capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.
  • Optionsbleed: Don’t get your panties in a wad
    To be honest, this isn’t the first security concern you’ve run in to, and it isn’t the first security issue you’re vulnerable to, that will remain exploitable for quite some time, until after someone you rely on fixed the issue for you, meanwhile compromising your customers. [...] Is it a small part of the SSL public key? A small part of the web request response? A chunk of the path to the index.php? Or is it a chunk of the database password used? Nobody knows until you get enough data to analyse the results of all data. If you can’t appreciate the maths behind analysing multiple readings of 8 arbitrary bytes, choose another career. Not that I know what to do and how to do it, by the way.

OSS: Puppet Acquires Distelli, Mozilla Adds Tracking Protection, Fake List of Open Source Companies, and Open Source Summit

  • Puppet Acquires Distelli, Boosting Its Cloud Automation Offerings
    Puppet, the open source company that markets cloud-native software management tools, has acquired startup Distelli. Based in Seattle, Distelli offers a software as a service platform used by developers to build, test, and deploy code written in any language to any server, including cloud platforms. This is an obvious good match, as both platforms enable developers to manage infrastructure and applications across the entire software delivery process to make app development quicker. "Today, a company's success is predicated on how quickly and successfully it can deliver new experiences to customers through software," Puppet's CEO, Sanjay Mirchandani, said in a statement. "Automation makes world-class application delivery straightforward for every enterprise, not just for companies born in the cloud. Together with Distelli, we are bringing a comprehensive solution for orchestrating and automating the entire software delivery lifecycle, from infrastructure, all the way up through containers."
  • Mozilla Adds Tracking Protection to Firefox for iOS, Focus Gets Multitasking
    Mozilla released on Thursday new updates for its Firefox for iOS and Firefox Focus for Android apps adding new features like tracking protection and multi-tasking, along with various other improvements. Firefox for iOS has been updated today to version 9.0, a release that's available on the App Store for iPhone, iPad, and iPod touch devices running iOS 10.3 or later. It comes with support for Apple's recently launched iOS 11 operating system, as well as tracking protection, which is enabled by default in the private browsing mode to automatically block third-party trackers in an attempt to increase browsing speed.
  • 35 Top Open Source Companies [Ed: Easy to see that this list will be a 'scam' when the company listed in number one is Adobe. It has even listed Black Duck as "Open Source Company". It’s PROPRIETARY and ANTI-FOSS.]
  • Open Source Summit in Los Angeles: Day 1 in 5 Minutes
    Open Source Summit North America in Los Angeles was packed with keynotes, technical sessions, and special presentations, including a conversation with Linux creator Linus Torvalds. In case you couldn't make it, CodePop.com's Gregg Pollack has put together some short videos recapping highlights of the event.