Security News

Filed under
Security
  • Serving Up Security? Microsoft Patches ‘Malicious Butler’ Exploit — Again

    It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

    However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

  • PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds

    After contacting the owner, it turned out that one of the keys was a fake. In addition, it carried the same name and email address, and even signatures created by more fake keys. Weeks later, more developers found fake "mirror" keys of their own on the keyserver, including the PGP Global Directory Verification Key.
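The short-ID problem in the PGP item above, worked as an added example (not code from the linked article): a short key ID is only the last 32 bits of the fingerprint, so a keyserver search by short ID can legitimately return several keys, and a fake key with a chosen short ID can be produced by brute force. The keyserver entries, fingerprints and key material below are constructed, and the brute-force search runs at 16 bits instead of 32 so that it finishes in well under a second.

```python
"""Why a 32-bit PGP short key ID is not an identity.

Added example, not code from the article above. The fingerprints below are
constructed 160-bit values, not real keys; two of them share their last eight
hex digits, which is all a short key ID is.
"""
import hashlib

HEX_DIGITS = set("0123456789ABCDEF")


def normalize(fingerprint: str) -> str:
    """Strip spacing and validate a 40-hex-digit OpenPGP v4 fingerprint."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40 or set(fp) - HEX_DIGITS:
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return fp


def short_id(fingerprint: str) -> str:
    """32-bit short key ID: the last 8 hex digits of the fingerprint (2**32 possibilities)."""
    return normalize(fingerprint)[-8:]


def long_id(fingerprint: str) -> str:
    """64-bit long key ID: the last 16 hex digits; better, but still not the whole key."""
    return normalize(fingerprint)[-16:]


# Constructed keyserver snapshot. The first two entries carry the same name and
# address and the same short ID, but they are different keys.
KEYSERVER = [
    {"fingerprint": "1111 2222 3333 4444 5555 6666 7777 8888 DEAD BEEF",
     "uid": "Alice Developer <alice@example.org>"},
    {"fingerprint": "9999 AAAA BBBB CCCC DDDD EEEE FFFF 0000 DEAD BEEF",
     "uid": "Alice Developer <alice@example.org>"},  # the fake "mirror" key
    {"fingerprint": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
     "uid": "Bob Maintainer <bob@example.org>"},
]


def lookup(key_id: str) -> list:
    """Emulate a keyserver search by key ID or fingerprint: suffix match on the fingerprint."""
    kid = key_id.replace(" ", "").upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    return [k for k in KEYSERVER if normalize(k["fingerprint"]).endswith(kid)]


def resolve(key_id: str) -> dict:
    """Refuse to pick a key when the identifier is ambiguous; callers should pass a full fingerprint."""
    matches = lookup(key_id)
    if len(matches) != 1:
        raise LookupError(f"{key_id!r} matches {len(matches)} keys; verify the full fingerprint")
    return matches[0]


def forge_low_bits(target_fingerprint: str, bits: int = 16, limit: int = 1 << 24) -> tuple:
    """Brute-force constructed key material whose SHA-1 (a v4 fingerprint is a SHA-1) shares the
    low `bits` with the target. Expected cost is about 2**bits hashes: trivial at 16 bits here,
    and about 4e9 at the 32 bits of a short ID, which is hours on a CPU or minutes on a GPU."""
    mask = (1 << bits) - 1
    target = int(normalize(target_fingerprint), 16) & mask
    for n in range(limit):
        digest = hashlib.sha1(b"constructed fake key material " + n.to_bytes(4, "big")).hexdigest()
        if int(digest, 16) & mask == target:
            return n, digest.upper()
    raise RuntimeError(f"no {bits}-bit match within {limit} attempts")
```

`resolve()` is the behaviour a tool should have: anything that accepts a short ID from a user and silently picks the first keyserver hit will, in the situation the article describes, pick the fake key as readily as the real one.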

  • Let's Encrypt: Why create a free, automated, and open CA?

    During the summer of 2012, Eric Rescorla and I decided to start a Certificate Authority (CA). A CA acts as a third-party to issue digital certificates, which certify public keys for certificate holders. The free, automated, and open CA we envisioned, which came to be called Let's Encrypt, has been built and is now one of the larger CAs in the world in terms of issuance volume.

    Starting a new CA is a lot of work—it's not a decision to be made lightly. In this article, I'll explain why we decided to start Let's Encrypt, and why we decided to build a new CA from scratch.

    We had a good reason to start building Let's Encrypt back in 2012. At that time, work on an HTTP/2 specification had started in the Internet Engineering Task Force (IETF), a standards body with a focus on network protocols. The question of whether or not to require encryption (via TLS) for HTTP/2 was hotly debated. My position, shared by my co-workers at Mozilla and many others, was that encryption should be required.

Security News

Filed under
Security
  • New FFS Rowhammer Attack Hijacks Linux VMs

    Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective at compromising Linux VMs, often used for cloud hosting services.

  • Fixing Things

    Recent reports that TCP connections can be hijacked have kicked an anthill at Kernel.org. Linus and others have a patch.

  • Minica - lightweight TLS for everyone!

    A while back, I found myself in need of some TLS certificates set up and issued for a testing environment.

    I remembered there was some code for issuing TLS certs in Docker, so I yanked some of that code and made a sensible CLI API over it.

  • Guy Tricks Windows Tech Support Scammers Into Installing Ransomware Code

    A man named Ivan Kwiatkowski managed to install Locky ransomware on the machine of a person who was pretending to be a tech support executive of a reputable company. Ivan described his experience in a blog post that tells how the tech support scammer fell into the pit he had dug for innocent people.

Security News

Filed under
Security
  • Hacker demonstrates how voting machines can be compromised [Ed: Microsoft inside]

    Concerns are growing over the possibility of a rigged presidential election. Experts believe a cyberattack this year could be a reality, especially following last month's hack of Democratic National Committee emails.

    The ranking member of the Senate Homeland Security Committee sent a letter Monday to the Department of Homeland Security, saying in part: "Election security is critical, and a cyberattack by foreign actors on our elections systems could compromise the integrity of our voting process."

    Roughly 70 percent of states in the U.S. use some form of electronic voting. Hackers told CBS News that problems with electronic voting machines have been around for years. The machines and the software are old and antiquated. But now with millions heading to the polls in three months, security experts are sounding the alarm, reports CBS News correspondent Mireya Villarreal.

  • Another Expert Weighs in on Election Hacking

    Today the old Gray Lady, the New York Times, no less, weighed in on election hacking in an Op/Ed piece titled The Election Won't be Rigged. But it Could be Hacked. Of course, anyone who's read my second cybersecurity thriller, The Lafayette Campaign, a Tale of Election and Deceptions, already knew that.

    The particular focus of the NYT article is that since voting can be hacked, it's vital to have a way to audit elections after they occur to see whether that has been the case, and to reveal the true electoral result.

  • New release: usbguard-0.5.11
  • Linux.Lady Trojan Turns Redis Servers to Mining Rigs

Security Leftovers

Filed under
Security
  • Troyan Virus Turns Linux Servers into Bitcoin Miners

    A new and dangerous computer virus has been targeting Linux servers; its goal is to turn them into Bitcoin miners. The attack is aimed at environments running the Redis NoSQL database, and the virus is also able to probe the network interfaces of its hosts to propagate itself.

    More than 30,000 servers running the Redis database are in danger because they are not protected by an access password. The virus is named “Linux.Lady” and was first discovered by the Russian IT-security vendor Dr. Web. The company released a report on the virus, classifying it as a Trojan.
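The Linux.Lady item above (and the Ed note further down the page that calls the Redis angle a misconfiguration rather than a flaw) comes down to a handful of redis.conf settings. The following is an added example, not code from Dr. Web's report or from the Redis project: it audits a constructed vulnerable configuration against a constructed hardened one. `bind`, `requirepass`, `protected-mode` and `rename-command` are real Redis directives; the two sample configuration texts are made up.

```python
"""Audit a redis.conf for the exposure Linux.Lady relied on: a Redis instance that
any host on the network can reach without a password.

Added example, not code from the report or from Redis. The two configuration texts
are constructed; the directives checked are real ones.
"""

ANY_ADDRESS = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

VULNERABLE_CONF = """\
# constructed: an older install left at its defaults, which is what Linux.Lady scans for
port 6379
protected-mode no
daemonize yes
"""

HARDENED_CONF = """\
# constructed: loopback only, long random password, CONFIG disabled
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass 7c1d9e2fa0b84c3e9f6d1a2b3c4d5e6f
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> dict:
    """Map each directive to the list of argument lists it was given (directives may repeat).
    Only a line whose first non-blank character is '#' is a comment; an inline '#' is part of
    the value, which matters for passwords. Quoted values with spaces are not handled here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit(conf: dict) -> list:
    """Return human-readable findings; an empty list means none of the checked weaknesses is present."""
    findings = []

    # Redis listens on every interface unless `bind` says otherwise; a leading '-' marks an
    # optional address in newer versions and is not part of the address itself.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    wide_open = not binds or any(a in ANY_ADDRESS for a in binds)
    if wide_open:
        findings.append("listens on all interfaces (no `bind`, or bind to 0.0.0.0/::)")
    elif any(a not in LOOPBACK for a in binds):
        findings.append(f"bound to non-loopback address(es): {', '.join(binds)}")

    # With no `requirepass`, every command is available to any client that can connect,
    # including CONFIG SET dir/dbfilename followed by SAVE, which writes a file of the
    # attacker's choosing as the redis user.
    password_args = conf.get("requirepass", [[]])[-1]
    password = password_args[0].strip("\"'") if password_args else ""
    if not password:
        findings.append("no `requirepass`: any client that can reach the port has full access")
    elif len(password) < 16:
        findings.append("`requirepass` is short; Redis answers AUTH fast enough to brute-force it online")

    # protected-mode (Redis >= 3.2) only refuses non-loopback clients when there is neither a
    # bind nor a password, so it is a safety net for unconfigured instances, not a substitute.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("`protected-mode no` removes the last-resort guard for unconfigured instances")

    # Disabling CONFIG limits what an attacker can do even after obtaining the password.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append('CONFIG is still callable; consider `rename-command CONFIG ""`')
    return findings
```

The scan-and-infect pattern in the article works precisely when the first two findings coincide: the port is reachable from outside and no password is set. Everything else is defence in depth.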

  • A New Wireless Hack Can Unlock 100 Million Volkswagens

    In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

  • Almost every Volkswagen sold since 1995 can be unlocked with an Arduino

    The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles.

  • Road Warriors: Beware of ‘Video Jacking’

    A little-known feature of many modern smartphones is their ability to duplicate video on the device’s screen so that it also shows up on a much larger display — like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping.

    Dubbed “video jacking” by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the appropriate USB charging cord, the spy machine splits the phone’s video display and records a video of everything you tap, type or view on it as long as it’s plugged in — including PINs, passwords, account numbers, emails, texts, pictures and videos.

Security News

Filed under
Security
  • One bug to rule them all: 'State-supported' Project Sauron malware attacks world's top PCs

    Two top electronic security firms have discovered a new powerful malware suite being used to target just dozens of high-value targets around the world. The research shows that it was likely developed on the orders of a government engaging in cyber espionage.

    The California-based Symantec has labeled the group behind the attack Strider, while Moscow-based Kaspersky Labs dubbed it ProjectSauron. Both are references to J. R. R. Tolkien’s Lord of the Rings, a nod to the fact that the original malware code contained the word “Sauron.”

  • Disable WPAD now or have your accounts and private data compromised

    The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.

    Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.

  • With Anonymous' latest attacks in Rio, the digital games have begun

    A wave of distributed denial of service (DDoS) attacks on state and city websites followed immediately after Anonymous delivered their statement. The group boasted taking down at least five sites, including www.brasil2016.gov.br, www.rio2016.com, www.esporte.gov.br, www.cob.org.br and www.rj.gov.br. They broadcast their exploits using the hashtags #OpOlympicHacking, #Leaked and #TangoDown, some of which were set up months ago.

  • Kaminsky Advocates for Greater Cloud Security

    There are a lot of different reasons why organizations choose to move to the cloud and many reasons why they do not. Speaking at a press conference during the Black Hat USA security event, security researcher Dan Kaminsky provided his views on what's wrong with the Internet today and where the cloud can fit in.

    "There's a saying we have," Kaminsky said. "There is no such thing as cloud, just other people's computers."

    While the cloud represents a utility model for computing, Kaminsky also suggests that there are ways to use the cloud to improve overall security. With the cloud, users and applications can be isolated or 'sandboxed' in a way that can limit risks.

    With proper configurations, including rate limiting approaches, the impact of data breaches could potentially be reduced as well. As an example, Kaminsky said that with rate limiting controls, only the money from a cash register is stolen by a hacker, as opposed to stealing all of a company's corporate profits for a month.

  • Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
  • Our Encrypted Email Service is Safe Against Linux TCP Vulnerability

    ProtonMail is not vulnerable to the recently announced Linux TCP Vulnerability

In limiting open source efforts, the government takes a costly gamble

Filed under
OSS
Security

The vast majority of companies are now realizing the value of open sourcing their software and almost all have done so for at least certain projects. These days Google, Facebook, Microsoft, Apple and almost every major company is releasing code to the open source community at a constant rate.

As is the case with many cutting edge developments, it’s taking governments a while to catch on and understand the value in going open source. But now governments around the world are beginning to take the view that, as their software is funded by the public, it belongs to the public and should be open for public use, and they are starting to define codified policies for its release.

[...]

The vast majority of code is still not classified and therefore, much higher levels of open sourcing are possible. While a bigger embrace of open source may seem like a risk, the real danger lies in small, overly-cautious implementation which is costing taxpayers by the day and making us all less secure.

Read more

More Security Leftovers

Filed under
Security
  • Volkswagen Created A 'Backdoor' To Basically All Its Cars... And Now Hackers Can Open All Of Them

    In other words, VW created a backdoor, and assumed that it would remain hidden. But it did not.

    This is exactly the kind of point that we've been making about the problems of requiring any kind of backdoor and not enabling strong encryption. Using a single encryption key across every device is simply bad security. Forcing any kind of backdoor into any security system creates just these kinds of vulnerabilities -- and eventually someone's going to figure out how they work.

    On a related note, the article points out that the researchers who found this vulnerability are the same ones who also found another vulnerability a few years ago that allowed them to start the ignition of a bunch of VW vehicles. And VW's response... was to sue them and try to keep the vulnerability secret for nearly two years. Perhaps, rather than trying to sue these researchers, they should have thrown a bunch of money at them to continue their work, alert VW and help VW make their cars safer and better protected.
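The design point of the two Volkswagen items above and this one, a single cryptographic key shared by every vehicle, as an added example rather than the researchers' code or Volkswagen's real protocol. The frame layout, the HMAC tag, the key derivation and the fob identifiers are constructed stand-ins for the proprietary scheme, chosen only to show what changes when the key stops being global: with one fleet key, reverse-engineering a single ECU and eavesdropping a single button press is enough to forge the next press for any car; with a key diversified per device from a master that never leaves the factory, the same effort opens only the car it was extracted from.

```python
"""Why a single cryptographic key shared by a whole fleet breaks a rolling-code remote.

Added example, not the researchers' code or Volkswagen's protocol: frame format,
tag, key derivation and identifiers are constructed stand-ins.
"""
import hmac
import hashlib

WINDOW = 16            # how many missed presses the receiver tolerates before refusing a counter
FLEET_KEY = b"constructed global key burned into every fob and ECU"
FACTORY_MASTER = b"constructed secret that stays at the factory, never in a car"


def per_device_key(fob_id: bytes) -> bytes:
    """Diversified key: derived from a master that never leaves the factory, so pulling one
    car's key out of its ECU says nothing about the key of the next car."""
    return hmac.new(FACTORY_MASTER, fob_id, hashlib.sha256).digest()


def make_frame(key: bytes, fob_id: bytes, counter: int) -> bytes:
    """fob_id || counter || tag, where the 64-bit tag authenticates fob_id and counter under `key`."""
    body = fob_id + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class Receiver:
    """The car side: accepts a frame from its own fob whose counter moves forward within WINDOW."""

    def __init__(self, key: bytes, fob_id: bytes):
        self.key, self.fob_id, self.last = key, fob_id, 0

    def unlock(self, frame: bytes) -> bool:
        fob_id, counter, tag = frame[:4], int.from_bytes(frame[4:8], "big"), frame[8:]
        if fob_id != self.fob_id:
            return False
        if not (self.last < counter <= self.last + WINDOW):   # rejects replays and far-future counters
            return False
        expected = hmac.new(self.key, frame[:8], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        self.last = counter
        return True


def clone_from_one_press(extracted_key: bytes, sniffed: bytes) -> bytes:
    """Attacker: with a key extracted from one ECU and one eavesdropped frame from the target
    fob (fob_id and counter travel in the clear), forge the next press. Only succeeds if the
    extracted key is the key this fob and car actually share."""
    fob_id, counter = sniffed[:4], int.from_bytes(sniffed[4:8], "big")
    return make_frame(extracted_key, fob_id, counter + 1)


def scenario(shared_key: bool) -> bool:
    """Attacker extracts the key from car A, eavesdrops one press of car B's fob, tries to open car B."""
    fob_a, fob_b = b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"
    key_a = FLEET_KEY if shared_key else per_device_key(fob_a)
    key_b = FLEET_KEY if shared_key else per_device_key(fob_b)
    car_b = Receiver(key_b, fob_b)
    owner_press = make_frame(key_b, fob_b, counter=7)
    if not car_b.unlock(owner_press):                  # the legitimate owner opens the car
        raise RuntimeError("receiver rejected a genuine frame")
    forged = clone_from_one_press(key_a, owner_press)  # attacker holds only car A's key
    return car_b.unlock(forged)
```

`scenario(shared_key=True)` returns True and `scenario(shared_key=False)` returns False; the rolling counter, which protects against simple replay in both cases, does nothing against an attacker who holds the key.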

  • Software Freedom Doesn't Kill People, Your Security Through Obscurity Kills People

    The time has come that I must speak out against the inappropriate rhetoric used by those who (ostensibly) advocate for FLOSS usage in automotive applications.

    There was a catalyst that convinced me to finally speak up. I heard a talk today from a company representative of a software supplier for the automotive industry. He said during his talk: "putting GPLv3 software in cars will kill people" and "opening up the source code to cars will cause more harm than good". These statements are completely disingenuous. Most importantly, they ignore the fact that proprietary software in cars is at least equally, if not more, dangerous. At least one person has already been killed in a crash while using a proprietary software auto-control system. Volkswagen decided to take a different route; they decided to kill us all slowly (rather than quickly) by using proprietary software to lie about their emissions and illegally pollute our air.

    Meanwhile, there has been not a single example yet about use of GPLv3 software that has harmed anyone. If you have such an example, email it to me and I promise to add it right here to this blog post.

  • Linux Networking Flaw Allows Attacker To Trick Safety Mechanism
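The "safety mechanism" in this item and the earlier TCP items on this page ("Fixing Things", "Linux TCP Flaw allows Hackers to Hijack Internet Traffic...") is RFC 5961's challenge ACK, which Linux rate-limited with a single host-wide counter, 100 per second by default (CVE-2016-5696). The following is an added toy model, not kernel code or the researchers' tool, showing why one global counter is a side channel: an off-path attacker sends one spoofed packet for a guess about somebody else's connection, then uses up the budget on a connection of its own and counts the replies. The addresses, ports and sequence numbers are constructed, and the model ignores everything about TCP that is not needed to show the counting trick.

```python
"""Toy model of the side channel behind the Linux TCP flaw: RFC 5961 challenge ACKs
were rate-limited by one global per-second counter, so an off-path attacker who drains
that counter from its own connection can tell whether a spoofed packet consumed one.

Added example, not the kernel's code or the researchers' tool; all addresses and
sequence numbers are constructed.
"""
from dataclasses import dataclass

CHALLENGE_ACK_LIMIT = 100  # net.ipv4.tcp_challenge_ack_limit default before the fix
SEQ_SPACE = 1 << 32


@dataclass
class Connection:
    rcv_nxt: int             # next sequence number the receiver expects
    rcv_wnd: int = 65535     # receive window


class Server:
    """Just enough of a TCP receiver to show the shared counter."""

    def __init__(self, challenge_ack_limit: int = CHALLENGE_ACK_LIMIT):
        self.limit = challenge_ack_limit
        self.conns = {}            # (client_ip, client_port, server_port) -> Connection
        self.challenge_acks = 0    # one counter for the whole host, reset every second

    def new_second(self):
        self.challenge_acks = 0

    def _challenge_ack(self) -> str:
        if self.challenge_acks >= self.limit:
            return "dropped"       # budget exhausted: the packet is silently ignored
        self.challenge_acks += 1
        return "challenge-ack"

    def receive(self, key: tuple, flag: str, seq: int) -> str:
        conn = self.conns.get(key)
        if conn is None:
            return "rst"           # no such connection: plain RST, does not touch the counter
        in_window = (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd
        if flag == "SYN":          # RFC 5961 s4: a SYN on an established connection gets a challenge ACK
            return self._challenge_ack()
        if flag == "RST":          # RFC 5961 s3: exact match resets, in-window challenges, otherwise drop
            if seq == conn.rcv_nxt:
                return "connection-reset"
            return self._challenge_ack() if in_window else "dropped"
        return "ignored"


def _drain(server: Server, own_key: tuple, budget: int) -> int:
    """Send `budget` in-window (but not exact) RSTs on the attacker's own connection; count the replies."""
    own = server.conns[own_key]
    return sum(server.receive(own_key, "RST", (own.rcv_nxt + 1) % SEQ_SPACE) == "challenge-ack"
               for _ in range(budget))


def probe_four_tuple(server: Server, own_key: tuple, guess: tuple,
                     budget: int = CHALLENGE_ACK_LIMIT) -> bool:
    """Does a connection `guess` = (client_ip, client_port, server_port) exist? The attacker never
    sees the reply to its spoofed SYN; it only notices that one challenge ACK went missing."""
    server.new_second()                  # the real attack synchronises with the server's 1 s counter
    server.receive(guess, "SYN", 0)      # spoofed: carries the victim's source address
    return _drain(server, own_key, budget) < budget


def probe_seq(server: Server, own_key: tuple, victim: tuple, seq: int,
              budget: int = CHALLENGE_ACK_LIMIT) -> str:
    """Second stage: is `seq` inside the victim connection's receive window? Same counting trick
    with a spoofed RST (a guess that hits rcv_nxt exactly would tear the connection down instead)."""
    server.new_second()
    server.receive(victim, "RST", seq)
    return "in-window" if _drain(server, own_key, budget) < budget else "out-of-window"
```

Running the same probes against `Server(challenge_ack_limit=999_999_999)`, the value administrators were told to set for `net.ipv4.tcp_challenge_ack_limit` until they could patch, returns the full budget every time and the attacker learns nothing; the upstream kernel fix also made the remaining count unpredictable rather than relying on a large limit alone.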

Security News

Filed under
Security
  • White House aims to secure open source government programs

    The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

  • How Governments Open Sourcing Code Helps Us Be More Secure

    The idea of governments releasing their proprietary code isn’t some pipe dream, it’s slowly becoming a reality in many countries and starting a much needed public discussion in others. Governments around the world are beginning to understand that their software is funded by the public, and therefore belongs to the public and should be accessible for their use. Bulgaria just passed a law which mandates that all code written for the government must be released as open source. Similarly, the United States is starting a 3-year pilot requiring all US agencies to release at least 20% of all federally-funded custom code as open source. France, Norway, Brazil and other countries have also initiated their own government open source programs to ensure more government funded code will be released as open source.

  • 2046 is the last year your CEO has a business major [Ed: says Juniper which put back doors in its software?]
  • DARPA's Machine Challenge Solves CrackAddr Puzzle

    Seven autonomous supercomputers faced off against each other in DARPA's Cyber Grand Challenge (CGC) event on the first day of the DEFCON security conference. In the end, a system known as 'Mayhem' won the $2 million grand prize and in the process helped solve a decade-old security challenge that revolved around detecting a particular type of vulnerability.

    Mike Walker, the DARPA program manager responsible for CGC, commented during a press conference that some bugs are so well known that they become famous. One such example is CrackAddr, the name of a function that can split up parts of an email address.

  • New Linux Malware Installs Bitcoin Mining Software on Infected Device

Security News

Filed under
Security
  • Security updates for Friday
  • Linux malware turns victim's machines into crypto-currency miners [Ed: Linux "malware exploits flaw in Redis NoSQL" is not correct. It is not a Linux problem, and not a flaw either but a misconfiguration]
  • Researchers announce Linux kernel “network snooping” bug
  • Microsoft's compromised Secure Boot implementation

    There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation.

    Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so Microsoft added support in the bootloader to disable UMCI. If you were a member of the appropriate developer program, you could give your device's unique ID to Microsoft and receive a signed blob that disabled image validation. The bootloader would execute a (Microsoft-signed) utility that verified that the blob was appropriately signed and matched the device in question, and would then insert it into an EFI Boot Services variable[1]. On reboot, the boot loader reads the blob from that variable and integrates that policy, telling later stages to disable code integrity validation.
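The check the paragraph above describes, as an added model rather than Microsoft's code: a signed blob that turns off code-integrity validation is only supposed to be honoured on the one device it was issued for, so the utility must verify both the signature and the device binding before writing the policy into the variable the bootloader reads. The blob format, the HMAC standing in for Microsoft's signature, the device identifiers and the dictionary standing in for the EFI variable store are all constructed; re-checking the binding again at boot time is this example's own choice, not something the article states the real loader does.

```python
"""Model of the developer-unlock check described above: a signed policy that disables
code-integrity validation must be bound to exactly one device.

Added example, not Microsoft's code: blob format, HMAC-as-signature, device IDs and
the variable store are constructed.
"""
import hmac
import hashlib
import json

ISSUER_KEY = b"constructed stand-in for the signing key only the issuer holds"
POLICY_VARIABLE = "UnlockPolicy"   # stands in for the EFI Boot Services variable


def sign_policy(policy: dict) -> bytes:
    """Issuer side: canonical JSON body followed by its tag (HMAC stands in for the real signature)."""
    body = json.dumps(policy, sort_keys=True).encode()
    return body + b"." + hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()


def issue_unlock(device_id: str) -> bytes:
    """What a developer receives after registering a device's unique ID."""
    return sign_policy({"disable_code_integrity": True, "device_id": device_id})


def verify_blob(blob: bytes, this_device: str) -> dict:
    """The signed utility's check: signature first, then that the policy is bound to *this* device.
    A policy with no device binding is refused: once leaked, it would unlock every device."""
    body, sep, sig = blob.rpartition(b".")
    if not sep:
        raise ValueError("malformed blob")
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    policy = json.loads(body)
    bound_to = policy.get("device_id")
    if bound_to is None:
        raise ValueError("policy carries no device binding")
    if not hmac.compare_digest(bound_to.encode(), this_device.encode()):
        raise ValueError("policy was issued for another device")
    return policy


def install_unlock(variables: dict, blob: bytes, this_device: str) -> None:
    """Write the verified policy into the variable the bootloader reads on the next boot."""
    variables[POLICY_VARIABLE] = json.dumps(verify_blob(blob, this_device), sort_keys=True)


def boot(variables: dict, this_device: str) -> bool:
    """Return True when code-integrity enforcement stays on. This model re-checks the device
    binding at boot, so a policy copied from another device's variable store has no effect."""
    stored = variables.get(POLICY_VARIABLE)
    if stored is None:
        return True
    policy = json.loads(stored)
    if policy.get("device_id") != this_device:
        return True
    return not policy.get("disable_code_integrity", False)
```

The two conditions are independent: a valid signature says the issuer produced the policy, the device ID says for whom. Dropping either check turns a per-device developer convenience into a blob that unlocks any device it is copied to.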
