Security

Security: Linux 4.13, Superfish (Windows), VPN in China, Marcus Hutchins and Estonia

Filed under
Security

Security: Updates, Podcast, and PDFs

Filed under
Security

Security: Updates, B. F. Skinner, and Yahoo

Filed under
Security
  • Security updates for Monday
  • The father of modern security: B. F. Skinner

    What I mean with that statement is our security process is often based on ideas that don't really work. As an industry we have built up a lot of ideas and processes that aren't actually grounded in facts and science. We don't understand why we do certain things, but we know that if we don't do those things something bad will happen! Will it really happen? I heard something will happen. I suspect the answer is no, but it's very difficult to explain this concept sometimes.

    [...]

    Here's where it gets real. It's easy to pick on the password example because it's in the past. We need to focus on the present and the future. You have an organization that's full of policy, ideas, and stuff. How can we try to make a dent in what we have today? What matters? What doesn't work, and what's actually harmful?

  • US judge says that Yahoo must face lawsuits over data breaches

    The lawsuit concerns two major breaches: one that occurred in 2013 that impacted more than a billion users, and another in late 2014 that affected at least 500 million accounts. In December, a judicial panel consolidated five putative class action suits that sought to represent account holders who had e-mails, passwords, and other sensitive information compromised.

  • Yahoo must face litigation by data breach victims: U.S. judge

    A U.S. judge said Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.

Spyware Dolls and Intel's vPro

Filed under
Security

For a number of years now there has been growing concern that the management technologies in recent Intel CPUs (ME, AMT and vPro) also conceal capabilities for spying, either due to design flaws (no software is perfect) or backdoors deliberately installed for US spy agencies, as revealed by Edward Snowden. In a 2014 interview, Intel's CEO offered to answer any question, except this one.

The LibreBoot project provides a more comprehensive and technical analysis of the issue, summarized in the statement "the libreboot project recommends avoiding all modern Intel hardware. If you have an Intel based system affected by the problems described below, then you should get rid of it as soon as possible" - eerily similar to the official advice German authorities are giving to victims of Cayla the doll.

All those amateur psychiatrists suggesting LibreBoot developers suffer from symptoms of schizophrenia have had to shut their mouths since May when Intel confirmed a design flaw (or NSA backdoor) in every modern CPU had become known to hackers.

Bill Gates famously started out with the mission to put a computer on every desk and in every home. With more than 80% of new laptops based on an Intel CPU with these hidden capabilities, can you imagine the NSA would not have wanted to come along for the ride?

IPFire 2.19 - Core Update 113 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 113. The change log is rather short, but comes with a big new feature...

Security in Android, Windows

Filed under
Android
Microsoft
Security
  • With Android Oreo, Google is introducing Linux kernel requirements

    Android may be a Linux-based operating system, but the Linux roots are something that few people pay much mind. Regardless of whether it is known or acknowledged by many people, the fact remains that Android is rooted in software regarded as horrendously difficult to use and most-readily associated with the geekier computer users, but also renowned for its security.

  • Exclusive: India and Pakistan hit by spy malware - cybersecurity firm [Ed: When you use Microsoft Windows in government in spite of back doors]

    Symantec Corp, a digital security company, says it has identified a sustained cyber spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues.

    In a threat intelligence report that was sent to clients in July, Symantec said the online espionage effort dated back to October 2016. 

    [...]

    Symantec’s report said an investigation into the backdoor showed that it was constantly being modified to provide “additional capabilities” for spying operations.

Security: “Roboto Condensed”, Tor, and TigerSwan

Filed under
Security
  • “Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users. Various Payloads Being Delivered.
  • [Older] One Week With Tor

    A few people have asked me why I don't trust exit nodes with sensitive tasks like online banking. My distrust is mainly in the horrible state of SSL/TLS PKI. With hundreds of trusted roots, each with SSL/TLS certificate resellers, the amount of trust I must place in the least secure certificate vendor is huge. Any certificate vendor whose chain of trust resolves to a trusted root can issue certificates for any domain I visit. If a malicious exit node also has compromised or coerced a certificate vendor to produce a (what we would consider, but our browser wouldn't) fraudulent certificate, I'm now in a pickle.

  • Thousands of mercenary resumés found exposed on Web

    The sensitive personal details of the job applicants, many claiming top-secret security clearance from the US government, were left unsecured by a recruiting company with whom TigerSwan had cut ties in February 2017, according to UpGuard.

Security: Updates, Windows EOL Meltdown, and Intel Back Doors

Filed under
Security
  • Security updates for Friday
  • Two years after Windows 10: Windows 7 is still threatening a 2020 EOL meltdown

    No. The issue is Windows 7. People and more especially businesses are still refusing to give it up. Yes, it has lost its market share - down from 60.75 in August 2015 to 48.43 percent in August 2017. But again - it's actually UP on this time last year, where it was at 47.25.

  • Intel ME controller chip has secret kill switch

    Security researchers at London-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

    Intel's ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

Security: Onity, Instagram and Intel Management Engine (ME) Back Doors

Filed under
Security
  • The Epic Crime Spree Unleashed By Onity's Ambivalence To Its Easily Hacked Hotel Locks

    Back in 2012, we wrote about Onity, the company that makes a huge percentage of the keycard hotel door locks on the market, and how laughably easy it was to hack its locks with roughly $50 of equipment. Surprisingly, Onity responded to the media coverage and complaints from its hotel customers with offers of fixes that ranged from insufficient (a piece of plastic that covered the port used to hack the door locks) to cumbersome (replacing the circuit boards on the locks entirely) and asked many of these customers to pay for these fixes to its broken product. Many of these customers wanted to sue Onity for obvious reasons, but a judge ruled against allowing a class action suit to proceed. That was our last story on the subject.

  • Site sells Instagram users’ phone and e-mail details, $10 a search

    At first glance, the Instagram security bug that was exploited to obtain celebrities' phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger.

  • Celebs’ phone numbers and e-mail addresses exposed in active Instagram hack
  • Intel kill switch code indicates connection to NSA

    Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).

    Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU with deep access to system processes and could be active even if the system were hibernating or shut off.

Security: Pacemaker Security, Female Hackers, Internet of Things 'Leaks'

Filed under
Security
  • FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security

    We've well established that the internet of things (IOT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail password leaking refrigerator take on a decidedly darker tone when we're talking about your health. The health industry's outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment -- and integral medical implants like pacemakers.

    After a decade of warnings about dubious pacemaker security, researchers at Medsec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical were vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical's first response was an outright denial, followed by a lawsuit against MedSec for "trying to frighten patients and caregivers."

  • What Being a Female Hacker {sic} Is Really Like
  • Even encrypted data streams from the Internet of Things are leaking sensitive information; here’s what we can do

    As the Internet of Things (IoT) begins to enter the mainstream, concerns about the impact such “smart” devices will have on users’ privacy are growing. Many of the problems are obvious, but so far largely anecdotal. That makes a new paper from four researchers at Princeton University particularly valuable, because they analyze in detail how IoT devices leak private information to anyone with access to Internet traffic flows, and what might be done about it. Now that basic privacy protections for Internet users have been removed in the US, allowing ISPs to monitor traffic and sell data about their customers’ online habits to third parties, it’s an issue with heightened importance.

More in Tux Machines

today's leftovers

  • [LabPlot] Improved data fitting in 2.5
    Until now, the fit parameters could in principle take any values allowed by the fit model, which would lead to a reasonable description of the data. However, sometimes the realistic regions for the parameters are known in advance and it is desirable to set some mathematical constraints on them. LabPlot provides now the possibility to define lower and/or upper bounds for the fit parameters and to limit the internal fit algorithm to these regions only.
  • [GNOME] Maps Towards 3.28
    Some work has been done since the release of 3.26 in September. On the visual side we have adapted the routing sidebar to use a similar styling as is used in Files (Nautilus) and the GTK+ filechooser.
  • MX 17 Beta 2
  • MiniDebconf in Toulouse
    I attended the MiniDebconf in Toulouse, which was hosted in the larger Capitole du Libre, a free software event with talks, presentation of associations, and a keysigning party. I didn't expect the event to be that big, and I was very impressed by its organization. Cheers to all the volunteers, it has been an amazing week-end!
  • DebConf Videoteam sprint report - day 0
    First day of the videoteam autumn sprint! Well, I say first day, but in reality it's more day 0. Even though most of us have arrived in Cambridge already, we are still missing a few people. Last year we decided to sprint in Paris because most of our video gear is stocked there. This year, we instead chose to sprint a few days before the Cambridge Mini-Debconf to help record the conference afterwards.
  • Libre Computer Board Launches Another Allwinner/Mali ARM SBC
    The Tritium is a new ARM single board computer from the Libre Computer Board project. Earlier this year the first Libre Computer Board launched as the Le Potato for trying to be a libre and free software minded ARM SBC. That board offered better specs than the Raspberry Pi 3 and aimed to be "open" though not fully due to the ARM Mali graphics not being open.
  • FOSDEM 2018 Will Be Hosting A Wayland / Mesa / Mir / X.Org Developer Room
    This year at the FOSDEM open-source/Linux event in Brussels there wasn't the usual "X.Org dev room" as it's long been referred to, but for 2018, Luc Verhaegen is stepping back up to the plate and organizing this mini graphics/X.Org developer event within FOSDEM.
  • The Social Network™ releases its data networking code
    Facebook has sent another shiver running up Cisco's spine, by releasing the code it uses for packet routing. Open/R, its now-open source routing platform, runs Facebook's backbone and data centre networks. The Social Network™ first promised to release the platform in May 2017. In the post that announced the release, Facebook said it began developing Open/R for its Terragraph wireless system, but since applied it to its global fibre network, adding: “we are even starting to roll it out into our data center fabrics, running inside FBOSS and on our Open Compute Project networking hardware like Wedge 100.”
  • Intel Icelake Support Added To LLVM Clang
    Initial support for Intel's Icelake microarchitecture that's a follow-on to Cannonlake has been added to the LLVM/Clang compiler stack. Last week came the Icelake patch to GCC and now Clang has landed its initial Icelake enablement too.
  • Microsoft's Surface Book 2 has a power problem
    Microsoft’s Surface Book 2 has a power problem. When operating at peak performance, it may draw more power than its stock charger or Surface Dock can handle. What we’ve discovered after talking to Microsoft is that it’s not a bug—it’s a feature.

Kernel: Linux 4.15 and Intel

  • The Big Changes So Far For The Linux 4.15 Kernel - Half Million New Lines Of Code So Far
    We are now through week one of two for the merge window of the Linux 4.15 kernel. If you are behind on your Phoronix reading with the many feature recaps provided this week of the different pull requests, here's a quick recap of the changes so far to be found with Linux 4.15:
  • Intel 2017Q3 Graphics Stack Recipe Released
    Intel's Open-Source Technology Center has put out their quarterly Linux graphics driver stack upgrade in what they are calling the latest recipe. As is the case with the open-source graphics drivers just being one centralized, universal component to be easily installed everywhere, their graphics stack recipe is just the picked versions of all the source components making up their driver.
  • Intel Ironlake Receives Patches For RC6 Power Savings
    Intel Ironlake "Gen 5" graphics have been around for seven years now since being found in Clarkdale and Arrandale processors while finally now the patches are all worked out for enabling RC6 power-savings support under Linux.

Red Hat: OpenStack and Financial News

Security: Google and Morgan Marquis-Boire

  • Google: 25 per cent of black market passwords can access accounts

    The researchers used Google's proprietary data to see whether or not stolen passwords could be used to gain access to user accounts, and found that an estimated 25 per cent of the stolen credentials can successfully be used by cyber crooks to gain access to functioning Google accounts.

  • Data breaches, phishing, or malware? Understanding the risks of stolen credentials

    Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim's Google account.

  • Infosec star accused of sexual assault booted from professional affiliations
    A well-known computer security researcher, Morgan Marquis-Boire, has been publicly accused of sexual assault. On Sunday, The Verge published a report saying that it had spoken with 10 women across North America and Marquis-Boire's home country of New Zealand who say that they were assaulted by him in episodes going back years. A woman that The Verge gave the pseudonym "Lila," provided The Verge with "both a chat log and a PGP signed and encrypted e-mail from Morgan Marquis-Boire. In the e-mail, he apologizes at great length for a terrible but unspecified wrong. And in the chat log, he explicitly confesses to raping and beating her in the hotel room in Toronto, and also confesses to raping multiple women in New Zealand and Australia."