Security

Leak: CIA Targets SSH

Filed under
Security
  • BothanSpy

    Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.

    BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

    Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Security: Public Database Dumps, Default Passwords, Microsoft Breach, Back Doors, and OpenBSD

Filed under
Security
  • How 2,000 Unsecured Databases Landed on the Internet [Ed: System administrators made a serious error.]

    There is a simple explanation for why this particular filename was used: In the instructions for the widely used database software MySQL, the name is used in an explanatory example.

  • Linux systems under fire [Ed: Unchanged default passwords on a "Linux" system are not a GNU/Linux issue]

    There was a marked increase in the recorded attacks on Linux systems, which are often connected to the Internet unprotected.

  • Private not state hackers likely to have targeted UK parliament: sources [Ed: Microsoft system]

    A cyber attack on email accounts of British lawmakers last month is likely to have been by amateur or private hackers rather than state-sponsored, European government sources said.

    The private email accounts of up to 90 of the 650 members of Britain's House of Commons were targeted in late June, with some news reports suggesting that the attack was carried out by a foreign government, such as Russia.

    However, cyber security experts had found that the hackers only managed to access accounts of lawmakers who used primitive and easily discovered passwords, the sources, who are familiar with the investigations into the attacks, said.

  • Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak

    The third-party software updater used to seed last week's NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed.

    Researchers from antivirus provider Eset, in a blog post published Tuesday, said the malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that's widely used in Ukraine. The report echoed findings reported earlier by Microsoft, Kaspersky Lab, Cisco Systems, and Bitdefender. Eset said a "stealthy and cunning backdoor" used to spread the worm probably required access to the M.E.Doc source code. What's more, Eset said the underlying backdoored ZvitPublishedObjects.dll file was first pushed to M.E.Doc users on May 15, six weeks before the NotPetya outbreak.

  • Moving Beyond Backdoors To Solve The FBI's 'Going Dark' Problem

    Former FBI Director James Comey stated on more than one occasion that he'd like to have an "adult conversation" about device encryption. He wasn't sincere. What he actually meant was he'd like to have all the "smart people" in the tech world solve his problems for him, either by capitulating to his requests for encryption backdoors or by somehow crafting the impossible: a secure backdoor.

    Comey is gone, but his legacy lives on. The FBI wants to keep the "going dark" narrative alive. Deputy Attorney General Rod Rosenstein has already asked Congress for $21 million in "going dark" money, supposedly to help the agency explore its options.

    The problem is, the options could be explored for a much lower price. Kevin Bankston offers up a few solutions -- or at least a few improved adult conversational gambits -- for the low price of $free over at Lawfare. The starting point is Comey's "adult conversation" talking point. Bankston points out you can't hold an adult conversation if you refuse to act like one.

  • OpenBSD Will Get Unique Kernels on Each Reboot. Do You Hear That Linux, Windows?

    A new feature added in test snapshots for OpenBSD releases will create a unique kernel every time an OpenBSD user reboots or upgrades his computer.

    This feature is named KARL — Kernel Address Randomized Link — and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time.

    Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users.

Security: ZIP Bombs, Shadow Brokers, Linux Bashing Over Weak Passwords etc.

Filed under
Security
  • How to defend your website with ZIP bombs
  • Shadow Brokers translation

    As a service to non native English speakers I am translating the Shadow Brokers “Borat” into simple English. I am not going to do any analysis in this post, just simple translation for people who have difficulty with Shadow Brokers posts.

  • Feelin' safe and snug on Linux while the Windows world burns? Stop that [Ed: Well, with proprietary software the holes (or back doors) are sometimes intentional, unlike in GNU]

    The ransomware problems reported by The Reg over the past few weeks are enough to make you, er, wanna cry. Yet all that's happened is that known issues with Windows machines – desktop and server – have now come to everyone's attention and the bandwidth out of Microsoft's Windows Update servers has likely increased a bit relative to the previous few weeks.

  • Linux is not as safe as you think [Ed: Having default passwords on a router (or other device) is not as safe as you think]
  • IoT Fuels Growth of Linux Malware [Ed: John P. Mello Jr. is the latest among many to cite a Microsoft ally from Seattle to make Linux look terrible]

Security: Updates, Bounties, SS7 Attacks

Filed under
Security
  • Security updates for Wednesday
  • At $30,000 for a flaw, bug bounties are big and getting bigger

    Hackers are being paid as much as $30,000 for finding a single critical flaw in a company's systems, and the amount companies are willing to pay is increasing.

    While the use of such bug hunting programmes is still limited, some large organisations are offering hackers rewards for spotting flaws in their systems.

  • Windows ransomware found to be incredibly rare [Ed: Android and Linux basher Liam Tung seems to be doing some Microsoft PR today]
  • Linux and macOS malware threats tripled in 2016, according to report [Ed: Microsoft-linked sites like to the above]
  • Researchers Build Firewall to Deflect SS7 Attacks

    Security researchers will release an open-source SS7 firewall at Black Hat USA that aims to bolster security of mobile operators' core networks.

    Mobile security software can do little to protect end users and BYOD workers when Signaling System 7 (SS7) vulnerabilities are exploited in mobile operators' core mobile networks, according to security researchers.

    SS7 vulnerabilities, which can allow cybercriminals to hijack two-factor authentication codes texted to mobile phones, read and redirect text messages, eavesdrop on phone calls, and track a phone's location, have existed since 2014.

Security: Cyberweapons, Kaspersky, and Microsoft-Connected Linux FUD

Filed under
Security
  • When Cyberweapons Go Missing
  • Kaspersky Lab row: Russian minister warns of blowback

    Russian Communications Minister Nikolay Nikiforov said in a Bloomberg interview that Russia was using a "a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas".

    Microsoft and Cisco are said to be the American companies whose products have the highest usage in Russia.

  • Threats to Linux IoT devices on the rise [Ed: there are still puff pieces like these, citing Microsoft partner WatchGuard from Seattle, attacking perception of Linux security]

    Many of these devices, which often use old versions of Linux, have a default username and password which users often do not bother to change. Logging in with these credentials — which are easy to find on the Web — gives root access to the device in question.

  • Cybersecurity battleground shifting to Linux and web servers - report [Ed: another one of those; there have been half a dozen, mostly quoting the press release]

Security: libgcrypt20, NSA, CIA, US Independence Day Updates, Reproducible Builds, and Debian LTS

Filed under
Security
  • GnuPG crypto library cracked, look for patches

    Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched.

    The patch, which has landed in Debian and Ubuntu, is to address a side-channel attack published last week.

    The researchers published their work at the International Association for Cryptologic Research's e-print archive last week. The paper was authored by David Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom (who hail variously from the Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide).

  • It’s time for the NSA to speak up about its stolen cyber weapons [Not just that; it should be held accountable, along with accomplices like Microsoft]

    After a global ransomware attack extending from Russia to the U.S. hit computer systems last week, security analysts quickly realized the perpetrators were using stolen cyber weapons that were part of the National Security Agency’s (NSA) arsenal — for the second time in just six weeks.

    While the NSA has yet to acknowledge publicly that their hacking tools have fallen into the wrong hands, at least one congressman asked them to take action. “As a computer science major, my long-term fear — which is shared by security researchers — is that this is the tip of the iceberg and many more malware attacks will soon be released based on NSA’s hacking tools,” Rep. Ted Lieu, D-Calif., wrote in a letter to NSA Director Michael Rogers.

  • Linux malware: Leak exposes CIA's OutlawCountry hacking toolkit
  • Security updates for US Independence Day
  • Reproducible Builds: week 114 in Stretch cycle
  • My Free Software Activities in June 2017

    My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Security: SPAM and AA Breach

Filed under
Security
  • Malicious ReplyTo
  • Is it Time to Can the CAN-SPAM Act?

    The “CAN” in CAN-SPAM was a play on the verb “to can,” as in “to put an end to,” or “to throw away,” but critics of the law often refer to it as the YOU-CAN-SPAM Act, charging that it essentially legalized spamming. That’s partly because the law does not require spammers to get permission before they send junk email. But also because the act prevents states from enacting stronger anti-spam protections, and it bars individuals from suing spammers except under laws not specific to email.  

  • AA downplays breach that exposed details of more than 100,000 customers

    Car insurance outfit the AA has suffered a major data breach that has exposed the personal information - including partial credit card data - of more than 100,000 customers.

  • The AA Exposed Emails, Credit Card Data, and Didn’t Inform Customers

    However, an exposed server contained sensitive information on over 100,000 AA customers, in many cases including partial credit card data, according to a database obtained by Motherboard. Judging by interviews with victims, the AA never directly informed affected customers either, even though the company says it knew about the breach in April.  

Security: Security Updates, WikiLeaks, Let's Encrypt, SystemD

Filed under
Security
  • Security updates for Monday
  • WikiLeaks reveals CIA malware for hacking Linux computers
  • Let's Encrypt Has Issued 100 Million Certificates

    This evening, the Let's Encrypt certificate authority issued its hundred millionth digital certificate. This is a remarkable milestone in just a year and a half of public operation; Let's Encrypt is likely now either the largest or second-largest public CA by volume of certificates issued.

    Let's Encrypt was created by Mozilla, the University of Michigan, and EFF, with Cisco and Akamai as founding sponsors, and is operated by the Internet Security Research Group, a non-profit organization. (See also the thoughts of Josh Aas, ISRG's executive director, on reaching this milestone.)

    Free certificates from Let's Encrypt allow web sites to offer secure HTTPS connections to their users, protecting the privacy and security of those connections against many network-based threats. EFF continues to help develop the Boulder software that Let's Encrypt uses internally, as well as Certbot, Let's Encrypt's recommended software for obtaining and installing certificates on web servers.

  • Linux Bug Gets Squashed Two Years After Being Introduced

    The cycle in which ideas turn into software is getting shorter and shorter. By and large, this is a good thing as new functions are delivered to users faster than ever before. But one of the consequences is software bugs are introduced and sometimes missed. I suspect part of the reason is testing cycles are being squeezed. This is part of the root cause, I think, as to why a two year old bug was introduced into Linux.

Security: Hacker’s Preference, OutlawCountry, and the Latest Black Duck FUD

Filed under
Security

Security: KeyChest, Manjaro Password Weakness in Calamares, systemd Bug, and OutlawCountry

Filed under
Security