Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, CCleaner, and Equifax Blame

Filed under
Security
  • Security updates for Monday
  • Here’s an Open Source Alternative to CCleaner
  • Software Has a Serious Supply-Chain Security Problem

    The warnings consumers hear from information security pros tend to focus on trust: Don't click web links or attachments from an untrusted sender. Only install applications from a trusted source or from a trusted app store. But lately, devious hackers have been targeting their attacks further up the software supply chain, sneaking malware into downloads from even trusted vendors, long before you ever click to install.

    On Monday, Cisco's Talos security research division revealed that hackers sabotaged the ultra-popular, free computer-cleanup tool CCleaner for at least the last month, inserting a backdoor into updates to the application that landed in millions of personal computers. That attack betrayed basic consumer trust in CCleaner-developer Avast, and software firms more broadly, by lacing a legitimate program with malware—one distributed by a security company, no less.

  • CCleaner Compromised to Distribute Malware for Almost a Month

    Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.

    Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

  • From equanimity to Equifax [Ed: It's NOT "about open-source software quality" but about Equifax not patching its software for >2 months]

Security: Failure to Patch, Failure to Set up Database Correctly, Failure to Check 'Apps'

Filed under
Security
  • Don't blame open-source software for poor security practices

    The Equifax breach is a good reminder of why organizations need to remain vigilant about properly maintaining and updating their software, especially when security vulnerabilities have been disclosed. In an ideal world, software would update itself the moment a security patch is released. WordPress, for example, offers automatic updates in an effort to promote better security, and to streamline the update experience overall. It would be interesting to consider automatic security updates for Drupal (just for patch releases, not for minor or major releases).

    In absence of automatic updates, I would encourage users to work with PaaS companies that keep not only your infrastructure secure, but also your Drupal application code. Too many organizations underestimate the effort and expertise it takes to do it themselves.

    At Acquia, we provide customers with automatic security patching of both the infrastructure and Drupal code. We monitor our customers' sites for intrusion attempts, DDoS attacks, and other suspicious activity. If you prefer to do the security patching yourself, we offer continuous integration or continuous delivery tools that enable you to get security patches into production in minutes rather than weeks or months. We take pride in assisting our customers to keep their sites current with the latest patches and upgrades; it's good for our customers and helps dispel the myth that open-source software is more susceptible to security breaches.

  • Northern Exposure: Data on 600K Alaskan Voters is Leaked

    Researchers have discovered the personal details of over half a million US voters exposed to the public internet, once again thanks to a misconfigured database.

  • Google purges malicious Android apps with millions of downloads

BlackArch Linux A Pentesting Linux Distribution

Filed under
GNU
Linux
Security

​When it comes to penetration testing, the best way to go is Linux. Distros like Kali and Parrot are quite popular. Today we're going to look at another awesome penetration testing distro known as Blackarch. Blackarch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. The Blackarch comes with a tools repository that contains over 1800 tools with new ones being added quite frequently. Let us take a brief look at this Linux distro.

Read more

Security: Eugene Kaspersky, IT security in the EU, CouchDB, Telcos, D-Link, Bluetooth, and Fitbit

Filed under
Security

Security: Windows Zeo-Day, Cryptography, Updates, Reproducible Builds, Vendor Bans, AT& and More

Filed under
Security

Equifax Failed to Patch, Now Fails as a Company

Filed under
Security

​Check Point's bogus Windows Subsystem for Linux attack

Filed under
Security

Security companies, desperate for attention and headlines, love to come up with flashy, dangerous-sounding security hole names. The latest is Check Point's Bashware. This one, Check Point claims, can render 400 million Windows 10 PCs open to malware using Windows Subsystem for Linux (WSL) to launch Windows malware from a WSL Linux instance, thus bypassing most Windows security products in the process.

Read more

Security: Devices, Open Source Secure, Cybrary, and Kaspersky Lab

Filed under
Security

Security: Kaspersky, Equifax and Internet of Things (IoT) at the Open Source Summit

Filed under
Security
  • Kaspersky Banned: Federal Agencies Ditch Russian Cybersecurity Firm Over Spying Concerns

     

    Acting Department of Homeland Security secretary Elaine Duke announced the ban of Kaspersky Lab software from federal government networks. The agencies have an unspecified timeline to rid their machines of the software, which DHS declared may pose a security risk.

  • US homeland security dept bans Kaspersky use by govt

     

    The US Department of Homeland Security has ordered all government agencies to stop using products from Kaspersky Labs, with a deadline of 90 days to implement plans to discontinue the use and to remove software from information systems.  

  • U.S. moves to ban Kaspersky software in federal agencies amid concerns of Russian espionage

     

    In a binding directive, acting homeland security secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government and its software poses a security risk.

  • Ayuda! (Help!) Equifax Has My Data!

    Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

    [...]

     

    It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

  • Equifax hack: 44 million Britons' personal details feared stolen in major US data breach
  • On the Equifax Data Breach

    Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

    Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

    The market can't fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn't notice, you're not Equifax's customer. You're its product.

  • Open Source Summit: Securing IoT is About Avoiding Anti-Patterns

    The security perils inherent in Internet of Things (IoT) devices are painfully obvious at this point in 2017, but why are there so many security issues? At a session during the Open Source Summit here Marti Bolivar, senior software engineer at Linaro detailed what he described as "anti-patterns" that ultimately lead to negative security outcomes.

    Bolivar started his session by defining what security in IoT is really all about, by pulling a quote from security engineer Ross Anderson.

Security: Dlink, Equifax, Bluetooth

Filed under
Security
  • Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol

    The Dlink 850L is a router overall badly designed with a lot of vulnerabilities.

    Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.

  • House Dems demand answers from Equifax CEO

    All 24 minority members of the committee signed a letter to the Equifax executive, Richard Smith, calling on him to come forward with more information about his handling of the crisis.

  • Chatbot lets you sue Equifax for up to $25,000 without a lawyer

    Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.

  • Bluetooth flaws leave billions of devices open to attacks

    Researchers at IoT security firm Armis say they have found eight flaws in the Bluetooth protocol that can be used to attack devices running Android, iOS, Linux and Windows.

  • Bluetooth Vulnerability BlueBorne Impacts Android, iOS, Windows, and Linux Devices

    The BlueBorne attack doesn’t even require the victim to tap or click on any malicious links. If your device has Bluetooth and is on then it is possible for an attacker to take complete control of it from 32 feet away. This even works without the attacker pairing anything to the victim’s device and the target device doesn’t need to be set to discoverable mode either. The team at Armis Labs have identified eight zero-day vulnerabilities so far and believes many more are waiting to be discovered.

Syndicate content

More in Tux Machines

Security: Uber Sued, Intel ‘Damage Control’, ZDNet FUD, and XFRM Privilege Escalation

  • Uber hit with 2 lawsuits over gigantic 2016 data breach
    In the 48 hours since the explosive revelations that Uber sustained a massive data breach in 2016, two separate proposed class-action lawsuits have been filed in different federal courts across California. The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers. Uber reportedly paid $100,000 to delete the stolen data and keep news of the breach quiet. On Tuesday, CEO Dara Khosrowshahi wrote: “None of this should have happened, and I will not make excuses for it.”
  • Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities [Ed: ‘Damage control’ strategy is to make it look like just a bug.]
    While Intel ME security issues have been talked about for months, confirming fears that have been present about it for years, this week Intel published the SA-00086 security advisory following their own internal review of ME/TXE/SPS components. The impact is someone could crash or cause instability issues, load and execute arbitrary code outside the visibility of the user and operating system, and other possible issues.
  • Open source's big weak spot? Flawed libraries lurking in key apps [Ed: Linux basher Liam Tung entertains FUD firm Snyk and Microsoft because it suits the employer's agenda]
  • SSD Advisory – Linux Kernel XFRM Privilege Escalation

gThumb 3.6 GNOME Image Viewer Released with Better Wayland and HiDPI Support

gThumb, the open-source image viewer for the GNOME desktop environment, has been updated this week to version 3.6, a new stable branch that introduces numerous new features and improvements. gThumb 3.6 comes with better support for the next-generation Wayland display server as the built-in video player, color profiles, and application icon received Wayland support. The video player component received a "Loop" button to allow you to loop videos, and there's now support for HiDPI displays. The app also ships with a color picker, a new option to open files in full-screen, a zoom popover that offers different zoom commands and a zoom slider, support for double-click activation, faster image loading, aspect ratio filtering, and the ability to display the description of the color profile in the property view. Read more Also: Many Broadway HTML5 Backend Improvements Land In GTK4

ExTiX 18.0, 64bit, with Deepin Desktop 15.5 (made in China!) and Refracta Tools – Create your own ExTiX/Ubuntu/Deepin system in minutes!

I’ve made a new extra version of ExTiX with Deepin 15.5 Desktop (made in China!). Deepin is devoted to providing a beautiful, easy to use, safe and reliable system for global users. Only a minimum of packages are installed in ExTiX Deepin. You can of course install all packages you want. Even while running ExTiX Deepin live. I.e. from a DVD or USB stick. Study all installed packages in ExTiX Deepin. Read more Also: ExTiX, the Ultimate Linux System, Now Has a Deepin Edition Based on Ubuntu 17.10 Kali Linux 2017.3 Brings New Hacking Tools — Download ISO And Torrent Files Here

Graphics: Greenfield, Polaris, Ryzen

  • Greenfield: An In-Browser HTML5 Wayland Compositor
    Earlier this year we covered the Westfield project as Wayland for HTML5/JavaScript by providing a Wayland protocol parser and generator for JavaScript. Now that code has morphed into Greenfield to provide a working, in-browser HTML5 Wayland compositor.
  • New Polaris Firmware Blobs Hit Linux-Firmware.Git
    Updated firmware files for the command processor (CP) on AMD Polaris graphics cards have landed in linux-firmware.git. These updated firmware files for Polaris GPUs are light on details besides being for the CP and from their internal 577de7b1 Git state.
  • Report: Ryzen "Raven Ridge" APU Not Using HBM2 Memory
    Instead of the Vega graphics on Raven Ridge using HBM2 memory, it appears at least for some models they are just using onboard DDR4 memory. FUDZilla is reporting today that there is just 256MB of onboard DDR4 memory being used by the new APU, at least for the Ryzen 5 APU found on the HP Envy x360 that was the first Raven APU system to market.