Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Mozilla Funds Open Source Code Audits

    As part of the Mozilla Open Source Support program (MOSS), the Mozilla Foundation has set up a fund dedicated to helping open source software projects eradicate code vulnerabilities.

  • Intel Hidden Management Engine – x86 Security Risk?

    So it seems the latest generation of Intel x86 CPUs have implemented a Intel hidden management engine that cannot be audited or examined. We can also assume at some point it will be compromised and security researchers are labelling this as a Ring -3 level vulnerability.

  • Smart detection for passive sniffing in the Tor-network

    If you haven't yet read about my previous research regarding finding bad exit nodes in the Tor network you can read it here. But the tl;dr is that I sent unique passwords through every exit node in the Tor network over HTTP. This meant that is was possible for the exit node to sniff the credentials and use them to login on my fake website which I had control over.

  • Lone hacker, not Russian spies, responsible for Democratic Party breach

    RED-FACED SECURITY OUTFIT CrowdStrike has admitted that the Russian government wasn't responsible for a hack on the Democratic Party after lone hacker Guccifer 2 claimed that he was responsible for the breach.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Network Security: The Unknown Unknowns

    I recently thought of the apocryphal story about the solid reliability of the IBM AS/400 systems. I’ve heard several variations on the story, but as the most common version of the story goes, an IBM service engineer shows up at a customer site one day to service an AS/400. The hapless employees have no idea what the service engineer is talking about. Eventually the system is found in a closet or even sealed in a walled off space where it had been reliably running the business for years completely forgotten and untouched. From a reliability perspective, this is a great story. From a security perspective, it is a nightmare. It represents Donald Rumsfeld’s infamous “unknown unknowns” statement regarding the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups.

  • The average cost of a data breach is now $4 million

    The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to the Ponemon Institute.

  • The story of a DDoS extortion attack – how one company decided to take a stand [iophk: “yet another way that cracked MS machines are big money”]

    Instead of simply ordering his company to defend itself in conventional fashion he was going to write to all 5,000 of Computop’s customers and partners telling them that on 15 June his firm’s website was likely to be hit with a DDoS attack big enough to cause everyone serious problems.

pfSense 2.3.1 FreeBSD Firewall Gets New Update to Patch Web GUI Security Issues

Filed under
Security
BSD

Chris Buechler from pfSense announced earlier today, June 16, 2016, that there's a new maintenance update available for the pfSense 2.3.1 FreeBSD-based firewall distribution.

pfSense 2.3.1 Update 5 (2.3.1_5) is a small bugfix release for the pfSense 2.3.1 major update announced last month, and since pfSense now lets its maintainers update only individual parts of the system, we see more and more small builds like this one, which patch the most annoying issues.

Read more

Security Leftovers

Filed under
Security
  • BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions

    The research of Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

  • 'BadTunnel' Bugs Left Every Microsoft Windows PC Vulnerable For 20 Years [Ed: no paywall/malware in this link]

    Microsoft is today closing off a vulnerability that one Chinese researcher claims has "probably the widest impact in the history of Windows." Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.

    According to Yang Yu, founder of Tencent's Xuanwu Lab, the bug can be exploited silently with a "near-perfect success rate", as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target's web use, granting the hacker "Big Brother power", as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft's bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.

    "Even security software equipped with active defense mechanisms are not able to detect the attack," Yu told FORBES. "Of course it is capable of execute malicious code on the target system if required."

  • Getting Things Wrong From The Beginning…

    GNU/Linux and never had any problems with software the rest of the school year. I’ve been using GNU/Linux ever since and have had no regrets. It’s been the right way to do IT. My wife saw the light a few years ago. She was tired of years of TOOS failing every now and then and needing re-installation. Once her business started using a web application, she had no more need of TOOS, none.

  • Intel x86s hide another CPU that can take over your machine (you can't audit it)

    Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

  • Hackers Show How To Hack Anyone’s Facebook Account Just By Knowing Phone Number

    By exploiting the SS7 flaw, a hacker can hack someone’s Facebook account just by knowing the associated phone number. This flaw allows a hacker to divert the OTP code to his/her own phone and use it to access the victim’s Facebook account. The security researchers, who have explained the hack in a video, advise the users to avoid adding their phone numbers to the public services.

Security Leftovers

Filed under
Security
  • Russian government hackers penetrated DNC, stole opposition research on Trump [Ed: Microsoft Windows again]

    Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.

  • Bears in the Midst: Intrusion into the Democratic National Committee

    The COZY BEAR intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule. The Powershell backdoor is ingenious in its simplicity and power. It consists of a single obfuscated command setup to run persistently, such as...

  • Big data will fix internet security ... eventually [Ed: Microsoft’s Grimes says mass surveillance (‘big data’) will fix Internet security eventually]

    I’ve always thought that improved computer security controls would “fix” the internet and stop persistent criminality -- turns out it might be big data analytics instead.

  • Symantec dons a Blue Coat [Ed: two evil companies are now one]

    Symantec will pay US$4.65 billion in an all-cash deal to buy privately-held Blue Coat to ramp up its enterprise security offerings.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Outdated authentication practices create an opportunity for threat hunter Infocyte

    “Having Linux allows us to look at web servers, for instance. If you’re going to bypass the biometrics, you’re going to need to get into that system itself,” Gerritz says. “That’s where we come in, is finding people who have inserted themselves under that authentication layer.”

  • Cable Sees NFV Enhancing Network Security

    Network functions virtualization is all the rage because of the money it can save, and because of the network flexibility it helps afford, but the cable industry is enthused about NFV for yet another, less publicized benefit: the potential NFV creates for improving network security.

  • IoT Consensus - A Solution Suggestion to the 'Baskets of Remote' Problem by Benedikt Herudek

    Bitcoin is able to integrate and have endpoints (in Bitcoin terminology ‘wallets’ and ‘miners’) seamlessly talk to each other in a large and dynamic network. Devices and their protocols do not have the ability to seamlessly communicate with other devices. This presentation will try to show where Bitcoin and the underlying Blockchain and Consenus Technology can offer an innovative approach to integrating members of a large and dynamic network.

  • Ready to form Voltron! why security is like a giant robot make of lions

    Due to various conversations about security this week, Voltron came up in the context of security. This is sort of a strange topic, but it makes sense when we ponder modern day security. If you talk to anyone, there is generally one thing they push as a solution for a problem. This is no different for security technologies. There is always one thing that will fix your problems. In reality this is never the case. Good security is about putting a number of technologies together to create something bigger and better than any one thing can do by itself.

  • Email Address Disclosures, Preliminary Report, June 11 2016

    On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

  • Universities Become New Target for Ransomware Attacks [iophk: "Calgary has no excuse, given the particular tech activity headquartered specifically in their town. Some top Univ executives need firing +fines for having allowed Microsoft into their infrastructure."]

    This week the University of Calgary in Canada admitted paying C$20,000 (€13,900) to a hacker to regain access to files stored in 600 computers, after it suffered a ransomware attack compromising over 9,000 email accounts. In order to receive the keys, the school paid the equivalent of C$20,000 in Bitcoins.

  • Blue Coat to Sell Itself to Symantec, Abandoning I.P.O. Plans

    Blue Coat Systems seemed poised to begin life as a public company, after selling itself to a private equity firm last year.

    Now, the cybersecurity software company plans to sell itself to Symantec instead.

    Blue Coat said late on Sunday that it would sell itself to Symantec for $4.65 billion. As part of the deal, Blue Coat’s chief executive, Greg Clark, will take over as the chief executive of the combined security software maker.

    To help finance the transaction, Blue Coat’s existing majority investor, Bain Capital, will invest an additional $750 million in the deal. The private equity firm Silver Lake, which invested $500 million in Symantec in February, will invest an additional $500 million.

Security Leftovers

Filed under
Security

App stores and Linux repositories: Maybe the worst ideas ever

Filed under
Linux
Security

Technically, since we’re talking about Linux and free/open source software here, there’s nothing stopping someone from cloning the entire repository for a system before it goes offline and then providing that repository as a service to people who still want it. But this is a big undertaking and is something that a casual user of a platform simply isn’t going to do.

In my case, I absolutely would have done this for my N810. I would have cloned the entire repository, including system updates, and hosted it on my server for personal use (and provided it to anyone else who needed it). Would I have ever bothered to update it? Probably not. But I would have had it there for as long as I ran that device. But, alas, I didn’t know the company was killing the entire repository (perhaps I should have expected it, but I didn’t). So, I’m plum out of luck. Plus, I’m weird. Most people would absolutely not clone a repository and self-host it. That's just a crazy thing to do.

Read more

Security Leftovers

Filed under
Security
  • EFF's Badge Hack Pageant Returns to DEF CON

    We are proud to announce the return of EFF's Badge Hack Pageant at the 24th annual DEF CON hacking conference in Las Vegas. EFF invites all DEF CON attendees to stretch their creative skills by reinventing past conference badges as practical, artful, and over-the-top objects of their choosing. The numerous 2015 pageant entries included a crocheted badge cozy, a quadcopter, counterfeit badges, a human baby, a breathalyzer, a dazzling array of LED shows, and more than one hand-made record player that would make MacGyver weep. We encourage you to join us and contribute something whether you are a crafter, a beginner, or a hardware hacking wizard. It's a great summer project so get started now and enjoy a great show!

  • @Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough

    This has been the week of Twitter hacks, from Mark Zuckerberg to a trove of millions of passwords dumped online to, most recently, Black Lives Matter activist DeRay McKesson.

  • System calls for memory protection keys

    "Memory protection keys" are an Intel processor feature that is making its first appearance in Skylake server CPUs. They are a user-controllable, coarse-grained protection mechanism, allowing a program to deny certain types of access to ranges of memory. LWN last looked at kernel support for memory protection keys (or "pkeys") at the end of 2015. The system-call interface is now deemed to be in its final form, and there is a push to stage it for merging during the 4.8 development cycle. So the time seems right for a look at how this feature will be used on Linux systems.

Syndicate content

More in Tux Machines

Android/Google Leftovers

3 open source alternatives to Office 365

It can be hard to get away from working and collaborating on the web. Doing that is incredibly convenient: as long as you have an internet connection, you can easily work and share from just about anywhere, on just about any device. The main problem with most web-based office suites—like Google Drive, Zoho Office, and Office365—is that they're closed source. Your data also exists at the whim of large corporations. I'm sure you've heard numerous stories of, say, Google locking or removing accounts without warning. If that happens to you, you lose what's yours. So what's an open source advocate who wants to work with web applications to do? You turn to an open source alternative, of course. Let's take a look at three of them. Read more

Hackable voice-controlled speaker and IoT controller hits KS

SeedStudio’s hackable, $49 and up “ReSpeaker” speaker system runs OpenWrt on a Mediatek MT7688 and offers voice control over home appliances. The ReSpeaker went live on Kickstarter today and has already reached 95 percent of its $40,000 funding goal with 29 days remaining. The device is billed by SeedStudio as an “open source, modular voice interface that allows us to hack things around us, just using our voices.” While it can be used as an Internet media player or a voice-activated IoT hub — especially when integrated with Seeed’s Wio Link IoT board — it’s designed to be paired with individual devices. For example, the campaign’s video shows the ReSpeaker being tucked inside a teddy bear or toy robot, or attached to plant, enabling voice control and voice synthesis. Yes, the plant actually asks to be watered. Read more

Security News