
Security

Security Leftovers

Filed under
Security

Security: France, Munich, 'Smart' Meters, MeltdownPrime and SpectrePrime

Filed under
Security
  • Highlights of the French cybersecurity strategy

    First, the document describes that in France cyberdefence and cyberoffence are separated. This is directly opposed to the models employed in Anglo-Saxon countries. But it’s shown as an asset. Key argument: it respects freedoms and civil liberties.

    The document then lists the six general objectives of cyberdefence, namely: prevention, anticipation, protection, detection, attribution, reaction (remediation). The strategy itself is complete; it focuses on civil, military, domestic, external, and international levels. Let’s say it’s a rarity in the business in strategic cybersecurity documents.

    [...]

    The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date.

  • The Munich Security Conference 2018

    Over the past five decades, the Munich Security Conference (MSC) has become the major global forum for the discussion of security policy. Each February, it brings together more than 450 senior decision-makers from around the world, including heads-of-state, ministers, leading personalities of international and non-governmental organizations, as well as high ranking representatives of industry, media, academia, and civil society, to engage in an intensive debate on current and future security challenges.

  • Smart meters could leave British homes vulnerable to cyber attacks, experts have warned

    New smart energy meters that the Government wants to be installed in millions of homes will leave householders vulnerable to cyber attacks, ministers have been warned.

  • MeltdownPrime and SpectrePrime: Researchers nail exploits

    "The flaws—dubbed Meltdown and Spectre—are in chips made by Intel and other major suppliers. They can allow hackers to steal data from the memory of running apps, including password managers, browsers and emails."

    The authors of the paper on arXiv, Caroline Trippel, Daniel Lustig, and Margaret Martonosi, discuss a tool they developed for "automatically synthesizing microarchitecture-specific programs capable of producing any user-specified hardware execution pattern of interest."

    They said they show "how this tool can be used for generating small microarchitecture-specific programs which represent exploits in their most abstracted form—security litmus tests."

Security Leftovers

Filed under
Security
  • Thousands of FedEx customers' private info exposed in legacy server data breach

    Uncovered by Kromtech Security Center, the parent company of MacKeeper Security, the breach exposed data such as passport information, driver's licenses and other high profile security IDs, all of which were hosted on a password-less Amazon S3 storage server.

  • Correlated Cryptojacking

    They include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.

    Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

  • Facebook using 2FA cell numbers for spam, replies get posted to the platform

    Replies ending up as comments appears to be a bizarre bug, but the spamming seems intentional.

  • Swedish Police website hacked [sic] to mine cryptocurrency

    Remember now, it is a Police Force that allowed their website to be hijacked by this simple attack vector. The authority assigned to serve and protect. More specifically, the authority that argues that wiretapping is totally safe because the Police is competent in IT security matters, so there’s no risk whatsoever your data will leak or be mishandled.

    This is one of the websites that were trivially hacked [sic].

    It gives pause for thought.

    It also tells you what you already knew: authorities can’t even keep their own dirtiest laundry under wraps, so the notion that they’re capable or even willing to protect your sensitive data is hogwash of the highest order.

  • New EU Privacy Law May Weaken Security

    In a bid to help domain registrars comply with the GDPR regulations, ICANN has floated several proposals, all of which would redact some of the registrant data from WHOIS records. Its mildest proposal would remove the registrant’s name, email, and phone number, while allowing self-certified 3rd parties to request access to said data at the approval of a higher authority — such as the registrar used to register the domain name.

    The most restrictive proposal would remove all registrant data from public WHOIS records, and would require legal due process (such as a subpoena or court order) to reveal any information supplied by the domain registrant.

  • Intel hit with 32 lawsuits over security flaws

    Intel Corp said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips.

  • The Risks of "Responsible Encryption"

    Federal law enforcement officials in the United States have recently renewed their periodic demands for legislation to regulate encryption. While they offer few technical specifics, their general proposal—that vendors must retain the ability to decrypt for law enforcement the devices they manufacture or communications their services transmit—presents intractable problems that would-be regulators must not ignore.

  • Reviewing SSH Mastery 2nd Ed

    It’s finally out! Michael W Lucas is one of the best authors of technical books out there. I was curious about this new edition. It is not a reference book, but covers the practical aspects of SSH that I wish everybody knew. Rather than aggregating different articles/blogs on SSH, this book covers 90% of the common use cases for SSH that you will ever encounter.

Security Leftovers

Filed under
Security

Security: Cryptocurrency Mining, Hardware Bugs in HPC, and Dan Goodin's Latest Sensationalism

Filed under
Security
  • Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused

    So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. From gamers being unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.

    At the heart of a lot of this drama is cryptocurrency mining software company Coinhive, whose software is popping up in both malware-based and above board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitor CPU cycles to help mine Monero. The company's website insists that their product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars worth of Monero (depending on what Monero's worth any given day).

  • Fluid HPC: How Extreme-Scale Computing Should Respond to Meltdown and Spectre

    The Meltdown and Spectre vulnerabilities are proving difficult to fix, and initial experiments suggest security patches will cause significant performance penalties to HPC applications. Even as these patches are rolled out to current HPC platforms, it might be helpful to explore how future HPC systems could be better insulated from CPU or operating system security flaws that could cause massive disruptions. Surprisingly, most of the core concepts to build supercomputers that are resistant to a wide range of threats have already been invented and deployed in HPC systems over the past 20 years. Combining these technologies, concepts, and approaches not only would improve cybersecurity but also would have broader benefits for improving HPC performance, developing scientific software, adopting advanced hardware such as neuromorphic chips, and building easy-to-deploy data and analysis services. This new form of “Fluid HPC” would do more than solve current vulnerabilities. As an enabling technology, Fluid HPC would be transformative, dramatically improving extreme-scale code development in the same way that virtual machine and container technologies made cloud computing possible and built a new industry.

  • Raw sockets backdoor gives attackers complete control of some Linux servers [Ed: Here goes Dan Goodin again (sued for sensationalism), using the term "back door" in relation to Linux when actually referring to already-infected (compromised) machines]

    Once installed, Chaos allows malware operators anywhere in the world to gain complete control over the server via a reverse shell.

Security: Blaming Russia for Windows Back Doors Being Exploited, New Updates, BuckHacker, and More

Filed under
Security

Security: Salon 'Malware', Georgia's Plan, Let's Encrypt, USB, and Hardware Bugs

Filed under
Security
  • Salon Offers To Remove Ads If Visitors Help Mine Cryptocurrency

    As we've been discussing, the rise of stealth cryptocurrency miners embedded on websites has become a notable problem. In some instances, websites are being hacked and embedded with stealth cryptocurrency miners that quickly gobble up visitors' CPU cycles without their knowledge. That's what happened to Showtime recently when two different domains were found to be utilizing the Coinhive miner to hijack visitor browsers without users being informed. Recent reports indicate that thousands of government websites have also been hijacked and repurposed in this fashion via malware.

    But numerous websites are also now exploring such miners voluntarily as an alternative revenue stream. One major problem however: many aren't telling site visitors this is even happening. And since some implementations of such miners can hijack massive amounts of CPU processing power while sipping a non-insubstantial amount of electricity, that's a problem.

  • Georgia Senate Thinks It Can Fix Its Election Security Issues By Criminalizing Password Sharing, Security Research

    When bad things happen, bad laws are sure to follow. The state of Georgia has been through some tumultuous times, electorally-speaking. After a presidential election plagued with hacking allegations, the Georgia Secretary of State plunged ahead with allegations of his own. He accused the DHS of performing ad hoc penetration testing on his office's firewall. At no point was he informed the DHS might try to breach his system and the DHS, for its part, was less than responsive when questioned about its activities. It promised to get back to the Secretary of State but did not confirm or deny hacking attempts the state had previously opted out of.

    To make matters worse, there appeared to be evidence the state's voting systems had been compromised. A misconfigured server left voter records exposed, resulting in a lawsuit against state election officials. Somehow, due to malice or stupidity, a server containing key evidence needed in the lawsuit was mysteriously wiped clean, just days after the lawsuit was filed.

  • Let's Encrypt Hits 50 Million Active Certificates and Counting

    In yet another milestone on the path to encrypting the web, Let’s Encrypt has now issued over 50 million active certificates. Depending on your definition of “website,” this suggests that Let’s Encrypt is protecting between about 23 million and 66 million websites with HTTPS (more on that below). Whatever the number, it’s growing every day as more and more webmasters and hosting providers use Let’s Encrypt to provide HTTPS on their websites by default.

  • Linux systems can still be hacked via USB sticks

    Linux systems could be a risk from malware on USB memory sticks, according to security researchers.

    The bug affects users running the KDE Plasma desktop environment, which is widely used in GNU/Linux distributions. The issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0.

  • Spectre & KPTI Get More Fixes In Linux 4.16, Offsets Some KVM Performance Losses

    While we are past the Linux 4.16 merge window, more Spectre and Meltdown related improvements and changes are still being allowed into the kernel, similar to all the KPTI/Retpoline work that landed late in Linux 4.15. On Wednesday was another big batch of KPTI and Spectre work that has already been merged.

  • Kali Linux Ethical Hacking OS Getting Fix for Meltdown & Spectre with Linux 4.15

IPFire 2.19 - Core Update 118 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 118. It comes with a number of security and bug fixes as well as some new features. Please note that we are dropping support for some add-ons.


Security: Windows, Salon, Fraud, Skype and More

Filed under
Security
  • Critical Telegram flaw under attack disguised malware as benign images [Ed: Windows]

    The flaw, which resided in the Windows version of the messaging app, allowed attackers to disguise the names of attached files, researchers from security firm Kaspersky Lab said in a blog post. By using the text-formatting standard known as Unicode, attackers were able to cause characters in file names to appear from right to left, instead of the left-to-right order that's normal for most Western languages.

  • Salon to ad blockers: Can we use your browser to mine cryptocurrency?

    Salon explains what's going on in a new FAQ. "How does Salon make money by using my processing power?" the FAQ says. "We intend to use a small percentage of your spare processing power to contribute to the advancement of technological discovery, evolution, and innovation. For our beta program, we'll start by applying your processing power to help support the evolution and growth of blockchain technology and cryptocurrencies."

  • Why children are now prime targets for identity theft [sic] [iophk: "the real name for this is "fraud" and there are already existing laws on it"]

    SSA believed this change would make it more difficult for thieves to “guess” someone’s SSN by looking at other public information available for that person. However, now that an SSN is not tied to additional data points, such as a location or year of birth, it becomes harder for financial institutions, health care providers, and others to verify that the person using the SSN is in fact the person to whom it was issued.

    In other words: Thieves now target SSNs issued after this change as they know your 6-year-old niece or your 4-year-old son will not have an established credit file.

  • Microsoft won't plug a huge zero-day in Skype because it'd be too much work

    The bug in the automatic updater (turd polisher) for the Windows desktop app has a ruddy great hole in it that will let dodgy DLLs through.

  • ‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories

    The bug itself didn’t expose anything too sensitive. No passwords, social security numbers, or credit card data was exposed. But it did expose customers’ email addresses, their billing account numbers, and the phone’s IMSI numbers, a standardized unique number that identifies subscribers. Just by knowing (or guessing) customers’ phone numbers, hackers could get their target’s data.

    Once they had that, they could impersonate them with T-Mobile’s customer support staff and steal their phone numbers. This is how it works: a criminal calls T-Mobile, pretends to be you, convinces the customer rep to issue a new SIM card for your number, the criminal activates it, and they take control of your number.
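Returning to the Telegram right-to-left override item above: an added defender-side example (not from the page or from Kaspersky) that flags attachment names containing Unicode bidirectional controls and reports when the extension a user would see differs from the one the operating system actually dispatches on. The sample file name is constructed, and the display approximation assumes the simple single-override case.

```python
# Bidirectional control characters change how a file name is displayed without
# changing the characters the OS uses to pick a handler. U+202E (RIGHT-TO-LEFT
# OVERRIDE) is the one described in the Telegram report.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}
RLO = "\u202e"

def find_bidi_controls(name):
    """Return (index, 'U+XXXX', description) for every bidi control in name."""
    return [(i, f"U+{ord(c):04X}", BIDI_CONTROLS[c])
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def strip_controls(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)

def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def real_extension(name):
    """Extension the OS actually dispatches on, taken from the raw characters."""
    return extension_of(strip_controls(name))

def apparent_name(name):
    """Approximate what a bidi-aware renderer shows in the common single-RLO
    case: everything after the first U+202E is drawn right-to-left (reversed).
    Assumption: full bidi resolution is more involved; this covers the simple case."""
    if RLO not in name:
        return strip_controls(name)
    head, tail = name.split(RLO, 1)
    return strip_controls(head) + strip_controls(tail)[::-1]

def assess(name):
    """Flag any bidi control in the name, and flag extension spoofing when the
    displayed extension differs from the one the OS will use."""
    controls = find_bidi_controls(name)
    shown = apparent_name(name)
    shown_ext, real_ext = extension_of(shown), real_extension(name)
    return {
        "apparent_name": shown,
        "apparent_extension": shown_ext,
        "real_extension": real_ext,
        "controls": controls,
        "has_bidi": bool(controls),
        "extension_spoofed": bool(controls) and shown_ext != real_ext,
    }

# Constructed sample (not from the report): displays as "photo_high_resj.png"
# but is really a .js file.
SAMPLE = "photo_high_re" + RLO + "gnp.js"
```

A mail gateway or chat client can reject or rename any attachment for which `assess(name)["has_bidi"]` is true; the `extension_spoofed` flag separates the dangerous cases from legitimate right-to-left-language names.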

Plasma 5.12.1 bugfix update lands in backports PPA for Artful 17.10

Filed under
KDE
Security

After the initial release of Plasma 5.12 was made available for Artful 17.10 via our backports PPA last week, we are pleased to say the PPA has now been updated to the 1st bugfix release 5.12.1.

The full changelog for 5.12.1 can be found here.

Including fixes and polish for Discover and the desktop.

Also included is an update to the latest KDE Frameworks 5.43.

Upgrade instructions and caveats are as per last week’s blog post, which can be found here.

The Kubuntu team wishes users a happy experience with the excellent 5.12 LTS desktop, and thanks the KDE/Plasma team for such a wonderful desktop to package.


More in Tux Machines

Mozilla: Code of Conduct, Kelly Davis, Celebrate Firefox Internet Champions

  • How We’re Making Code of Conduct Enforcement Real — and Scaling it
    This is the first line of our Community Participation Guidelines — and a nudge to keep empathy at center when designing response processes. Who are you designing for? Who is impacted? What are their needs, expectations, dependencies, potential bias and limitations?
  • Role Models in AI: Kelly Davis
    Meet Kelly Davis, the Manager/Technical Lead of the machine learning group at Mozilla. His work at Mozilla includes developing an open speech recognition system with projects like Common Voice and Deep Speech (which you can help contribute to). Beyond his passion for physics and machine learning, read on to learn about how he envisions the future of AI, and advice he offers to young people looking to enter the field.
  • Celebrate Firefox Internet Champions
    While the world celebrates athletic excellence, we’re taking a moment to share some of the amazing Internet champions that help build, support and share Firefox.

Canonical Ubuntu 2017 milestones, a year in the rulebook

So has Canonical been breaking rules with Ubuntu in 2017, or has it been writing its own rulebook? Back in April we saw an AWS-tuned kernel of Ubuntu launched, the move to cloud is unstoppable, clearly. We also saw Ubuntu version 17.04 released, with Unity 7 as the default desktop environment. This release included optimisations for environments with low powered graphics hardware.

Also: Ubuntu will let upgraders ‘opt-in’ to data collection in 18.04

The npm Bug

  • ​Show-stopping bug appears in npm Node.js package manager
    Are you a developer who uses npm as the package manager for your JavaScript or Node.js code? If so, do not -- I repeat do not -- upgrade to npm 5.7.0. Nothing good can come of it. As one user reported, "This destroyed 3 production servers after a single deploy!" So, what happened here? According to the npm GitHub bug report, "By running sudo npm under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified. For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system. It appears that the ownership is recursively changed to the user currently running npm."
  • Botched npm Update Crashes Linux Systems, Forces Users to Reinstall
    A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0, the buggy npm update.
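For the npm 5.7.0 ownership bug above, an added check (not from npm or from the reports quoted) that lists the system directories named in the reports that are no longer owned by root. The `SAMPLE_OWNERS` table is constructed so the logic can be exercised offline; on a real host call `find_non_root(SYSTEM_DIRS)` with the default `os.lstat`.

```python
import os

# Directories the npm 5.7.0 reports say had their ownership changed; all of
# them are expected to belong to root (uid 0) on a healthy system.
SYSTEM_DIRS = ["/etc", "/usr", "/boot"]

def find_non_root(paths, stat_fn=os.lstat, expected_uid=0):
    """Return [(path, uid, gid)] for every path whose owner is not expected_uid.
    Paths that do not exist are skipped; stat_fn is injectable for testing."""
    bad = []
    for path in paths:
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            continue
        if st.st_uid != expected_uid:
            bad.append((path, st.st_uid, st.st_gid))
    return bad

def walk_non_root(root, expected_uid=0, limit=20):
    """Recursively list up to `limit` entries under root not owned by expected_uid.
    The npm bug changed ownership recursively, so a top-level check alone can miss
    damaged files; this walk uses the real filesystem."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_uid != expected_uid:
                found.append((full, st.st_uid))
                if len(found) >= limit:
                    return found
    return found

# Constructed sample metadata (an assumption, not a captured system): /etc and
# /usr now belong to uid 1000, the user who ran `sudo npm`; /boot is still root's.
class _FakeStat:
    def __init__(self, uid, gid):
        self.st_uid, self.st_gid = uid, gid

SAMPLE_OWNERS = {"/etc": (1000, 1000), "/usr": (1000, 1000), "/boot": (0, 0)}

def sample_stat(path):
    if path not in SAMPLE_OWNERS:
        raise FileNotFoundError(path)
    return _FakeStat(*SAMPLE_OWNERS[path])

if __name__ == "__main__":
    for path, uid, gid in find_non_root(SYSTEM_DIRS):
        print(f"WARNING: {path} owned by uid={uid} gid={gid}, expected root")
```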

Windows 10 WSL vs. Linux Performance For Early 2018

Back in December was our most recent round of Windows Subsystem for Linux benchmarking with Windows 10, while since then both Linux and Windows have received new stable updates, most notably for mitigating the Spectre and Meltdown CPU vulnerabilities. For your viewing pleasure today are some fresh benchmarks looking at the Windows 10 WSL performance against Linux using the latest updates as of this week, while also running some comparison tests against Docker on Windows and Oracle VM VirtualBox.