Security: Updates, Bounties, SS7 Attacks

Filed under
Security
  • Security updates for Wednesday
  • At $30,000 for a flaw, bug bounties are big and getting bigger

    Hackers are being paid as much as $30,000 for finding a single critical flaw in a company's systems, and the amount companies are willing to pay is increasing.

    While the use of such bug hunting programmes is still limited, some large organisations are offering hackers rewards for spotting flaws in their systems.

  • Windows ransomware found to be incredibly rare [Ed: Android and Linux basher Liam Tung seems to be doing some Microsoft PR today]
  • Linux and macOS malware threats tripled in 2016, according to report [Ed: Microsoft-linked sites link to the above]
  • Researchers Build Firewall to Deflect SS7 Attacks

    Security researchers will release an open-source SS7 firewall at Black Hat USA that aims to bolster security of mobile operators' core networks.

    Mobile security software can do little to protect end users and BYOD workers when Signaling System 7 (SS7) vulnerabilities are exploited in mobile operators' core mobile networks, according to security researchers.

    SS7 vulnerabilities, which can allow cybercriminals to hijack two-factor authentication codes texted to mobile phones, read and redirect text messages, eavesdrop on phone calls, and track a phone's location, have existed since 2014.

Security: Cyberweapons, Kaspersky, and Microsoft-Connected Linux FUD

Filed under
Security
  • When Cyberweapons Go Missing
  • Kaspersky Lab row: Russian minister warns of blowback

    Russian Communications Minister Nikolay Nikiforov said in a Bloomberg interview that Russia was using a "a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas".

    Microsoft and Cisco are said to be the American companies whose products have the highest usage in Russia.

  • Threats to Linux IoT devices on the rise [Ed: there are still puff pieces like these, citing Microsoft partner WatchGuard from Seattle, attacking perception of Linux security]

    Many of these devices, which often use old versions of Linux, have a default username and password which users often do not bother to change. Logging in with these credentials — which are easy to find on the Web — gives root access to the device in question.

  • Cybersecurity battleground shifting to Linux and web servers - report [Ed: another one of those; there have been half a dozen, mostly quoting the press release]

Security: libgcrypt20, NSA, CIA, US Independence Day Updates, Reproducible Builds, and Debian LTS

Filed under
Security
  • GnuPG crypto library cracked, look for patches

    Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched.

    The patch, which has landed in Debian and Ubuntu, is to address a side-channel attack published last week.

    The researchers published their work at the International Association for Cryptologic Research's e-print archive last week. The paper was authored by David Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom (who hail variously from the Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide).

  • It’s time for the NSA to speak up about its stolen cyber weapons [Not just that; it should be held accountable, along with accomplices like Microsoft]

    After a global ransomware attack extending from Russia to the U.S. hit computer systems last week, security analysts quickly realized the perpetrators were using stolen cyber weapons that were part of the National Security Agency’s (NSA) arsenal — for the second time in just six weeks.

    While the NSA has yet to acknowledge publicly that their hacking tools have fallen into the wrong hands, at least one congressman asked them to take action. “As a computer science major, my long-term fear — which is shared by security researchers — is that this is the tip of the iceberg and many more malware attacks will soon be released based on NSA’s hacking tools,” Rep. Ted Lieu, D-Calif., wrote in a letter to NSA Director Michael Rogers.

  • Linux malware: Leak exposes CIA's OutlawCountry hacking toolkit
  • Security updates for US Independence Day
  • Reproducible Builds: week 114 in Stretch cycle
  • My Free Software Activities in June 2017

    My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Security: SPAM and AA Breach

Filed under
Security
  • Malicious ReplyTo
  • Is it Time to Can the CAN-SPAM Act?

    The “CAN” in CAN-SPAM was a play on the verb “to can,” as in “to put an end to,” or “to throw away,” but critics of the law often refer to it as the YOU-CAN-SPAM Act, charging that it essentially legalized spamming. That’s partly because the law does not require spammers to get permission before they send junk email. But also because the act prevents states from enacting stronger anti-spam protections, and it bars individuals from suing spammers except under laws not specific to email.  

  • AA downplays breach that exposed details of more than 100,000 customers

    Car insurance outfit the AA has suffered a major data breach that has exposed the personal information - including partial credit card data - of more than 100,000 customers.

  • The AA Exposed Emails, Credit Card Data, and Didn’t Inform Customers

    However, an exposed server contained sensitive information on over 100,000 AA customers, in many cases including partial credit card data, according to a database obtained by Motherboard. Judging by interviews with victims, the AA never directly informed affected customers either, even though the company says it knew about the breach in April.  

Security: Security Updates, WikiLeaks, Let's Encrypt, SystemD

Filed under
Security
  • Security updates for Monday
  • WikiLeaks reveals CIA malware for hacking Linux computers
  • Let's Encrypt Has Issued 100 Million Certificates

    This evening, the Let's Encrypt certificate authority issued its hundred millionth digital certificate. This is a remarkable milestone in just a year and a half of public operation; Let's Encrypt is likely now either the largest or second-largest public CA by volume of certificates issued.

    Let's Encrypt was created by Mozilla, the University of Michigan, and EFF, with Cisco and Akamai as founding sponsors, and is operated by the Internet Security Research Group, a non-profit organization. (See also the thoughts of Josh Aas, ISRG's executive director, on reaching this milestone.)

    Free certificates from Let's Encrypt allow web sites to offer secure HTTPS connections to their users, protecting the privacy and security of those connections against many network-based threats. EFF continues to help develop the Boulder software that Let's Encrypt uses internally, as well as Certbot, Let's Encrypt's recommended software for obtaining and installing certificates on web servers.

  • Linux Bug Gets Squashed Two Years After Being Introduced

    The cycle in which ideas turn into software is getting shorter and shorter. By and large, this is a good thing as new functions are delivered to users faster than ever before. But one of the consequences is software bugs are introduced and sometimes missed. I suspect part of the reason is testing cycles are being squeezed. This is part of the root cause, I think, as to why a two year old bug was introduced into Linux.

Security: Hacker’s Preference, OutlawCountry, and the Latest Black Duck FUD

Filed under
Security

Security: KeyChest, Manjaro Password Weakness in Calamares, systemd Bug, and OutlawCountry

Filed under
Security

Security: TIOCSTI, OutlawCountry, Jeep, and Older News Catchup

Filed under
Security
  • On the Insecurity of TIOCSTI
  • OutlawCountry: CIA’s Hacking Tool For Linux Computers Revealed
  • Feds: Mexican motorcycle club used stolen key data to fuel massive Jeep heist

    Once inside, the thieves connected a "handheld vehicle program computer" into the Jeep's diagnostic port. Then, using the second key, the microchip on the duplicate key would be programmed, or "paired." With that complete, the alarm would cease, and the rear lights would stop flashing. Finally, the thieves would drive the Jeep into Mexico.

  • [Old] How Big Fuzzing helps find holes in open source projects

    Is “fuzzing” software to find security vulnerabilities using huge robot clusters an idea whose time has come?

    The latest numbers to emerge from Google’s OSS-Fuzz, a beta launched last December to automatically search for flaws in open source software, look encouraging.

  • [Old] Google's Fuzz Tester IDs Hundreds of Potential Open Source Security Flaws [Ed: This site is connected to Microsoft and cites Black Duck to make FOSS look bad.]

    Also, Black Duck Software Inc. recently revealed the results of security audits it undertook that show "widespread weakness in addressing open source security vulnerability risks."

  • [Old] Buy vs. build to reduce insider threats [Ed: False dichotomy. You do not ever BUY proprietary software, you license or rent. And FOSS is commercial. This site is connected to Microsoft.]

    There is no arguing that cybersecurity is a huge concern for the public, industry and government alike. The general consensus is that we need to be doing more, but we also need to be doing something different.

    The federal government and its agencies spend a lot of money on cybersecurity. The 2017 federal fiscal budget for information security was $19 billion. In recent years, a single cybersecurity contract has cost up to $1 billion. These contracts are largely awarded to federal contractors so that they can build custom solutions for agencies. And there is no lack of research pointing to the fact that the government pays contractors far more than it pays its own employees. All of this spending on cybersecurity could actually be weakening the government’s security posture.

    [...]

    Commercially supported open source has one other feature the contractor-implemented open source doesn't -- economies of scale. Because the majority of financial support for commercially supported software comes from the private sector and not the government, cost savings over the lifetime of a supported feature are massive. Though the government may be the first to request or introduce a software feature, when it's commercially supported those private sector companies co-fund the software O&M. Whenever a major bank adopts the same software the government uses, they both benefit from those advances. But government is one funding contributor among many, saving taxpayers a great deal of money.

  • [Old] #Infosec17 Dangers and Dependencies of Open Source Modules Detailed

    A common attack was by making a spelling mistake, as this can allow you to take over a legitimate account based on the module identity name. “The developers are here to develop and don’t always consider security,” he said.

Security: Security Updates, Systemd, OutlawCountry, Microsoft Cyberattacks, Microsoft Abuses, and Restrictions

Filed under
Security
  • Security updates for Friday
  • USN-3341-1: Systemd vulnerability

    An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code.

  • About the OutlawCountry Linux malware

    Isn’t that clear? The attacker is loading a custom kernel module as root in your machine. They don’t use Netfilter to break into your system. The problem is not Netfilter, the problem is your whole machine being under their control.

  • Wikileaks Reveals CIA Malware that Hacks & Spy On Linux Computers
  • OutlawCountry: Project of the CIA Targets Computers Running the Linux Operating System
  • NotPetya developers may have obtained NSA exploits weeks before their public leak [Updated]
  • Exclusive: India presses Microsoft for Windows discount in wake of cyber attacks [iophk: "Canonical ought to jump on this, why are they so quiet?"]

    India is pressing Microsoft Corp to offer a sharply discounted one-time deal to the more than 50 million Windows users in the country so that they can upgrade to the latest Windows 10 operating system in the wake of ransomware attacks.  

  • So You Think You Can Spot a Skimmer?

    Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you’re good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.

  • Attacking the kernel via its command line
  • As A New Wave Of Cyberattacks Rolls Out, Rep. Ted Lieu Asks What The NSA's Going To Do About It

    Leaked NSA exploits have now been the basis for two massive cyberattacks. The first -- Wannacry -- caught hospitals and other critical infrastructure across several nations in the crossfire, using a tool built on the NSA's ETERNALBLUE exploit backbone. The second seems to be targeting Ukraine, causing the same sort of havoc but with a couple of particularly nasty twists.

    This one, called Petya, demanded ransom from victims. Things went from bad to worse when email provider Posteo shut down the attacker's account. Doing so prevented affected users from receiving decryption keys, even if they paid the ransom.

    It soon became apparent it didn't matter what Posteo did, no matter how clueless or ill-advised. There was no retrieving files even if ransoms were paid. Two separate sets of security researchers examined the so-called ransomware and discovered Petya is actually a wiper. Once infected, victims' files are as good as gone. No amount of bitcoin is going to reverse the inevitable. The ransomware notices were only there to draw attention to the infection and away from the malware's true purpose.

  • Microsoft, please stop doing things for our own good

    For over 20 years, Microsoft stomped on its competitors and then defended itself against the resulting antitrust lawsuits. But with desktop Windows waning in importance and its desktop software rivals largely gone, Microsoft seemed to have turned a new leaf. Or had it?

    In the one software sphere left where it still has rivals — antivirus and security software — Microsoft is up to its old anti-competitive tricks. Late last year, Eugene Kaspersky, founder of the eponymous antivirus company, said, “When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs… you guessed it — its own Defender antivirus. But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible?”

  • Yet more linux security module craziness ..
  • ThunderBolt Security Levels and Linux desktop

    Recently I got a Dell XPS 13 as my new work laptop and I use it with the TB16 dock. This dock doesn’t seem to fully work with Linux; only the monitors work. But if you go to the BIOS settings and set the Thunderbolt Security level to “No security”, then suddenly almost everything is working.

Warning: Grsecurity: Potential contributory infringement risk for customers

Filed under
Linux
Security

It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement risk.

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and cannot work without it. It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.


Oracle Adds Initial Support for Linux Kernel 4.14 LTS to VirtualBox

Oracle recently updated their VirtualBox open-source and cross-platform virtualization software with initial support for the latest Linux 4.14 LTS kernel series. VirtualBox 5.2.2 is the first maintenance update to the latest VirtualBox 5.2 stable series of the application, and it looks like it can be compiled and used on GNU/Linux distributions running the recently released Linux 4.14 LTS kernel. It also makes it possible to run distros powered by Linux kernel 4.14 inside VirtualBox VMs.

today's leftovers

  • How a Linux stronghold turned back to Windows: Key dates in Munich's LiMux project [Ed: This explains the progression of Microsoft's war on GNU/Linux, typically using proxies]
    The project is temporarily put on hold while a study investigates whether it could be derailed by software patents.
  • End of an open source era: Linux pioneer Munich confirms switch to Windows 10 [Ed: Microsoft paid (bribed) all the right people, got a Microsoft fan -- by his own admission -- in power, gifted him for this]
    Mayor Dieter Reiter said there's never been a unified Linux landscape in the city. "We always had mixed systems and what we have here is the possibility of going over to a single system. Having two operating systems is completely uneconomic.
  • Ubuntu Podcast: S10E38 – Soft Knowledgeable Burn
    This week we refactor a home network, discuss how gaming on Linux has evolved and grown in recent years, bring you a blend of love and go over your feedback.
  • Live ISOs for Slackware-current 20171122
    I have released an update of the ‘liveslak’ scripts. I needed the tag for a batch of new ISO images for the Slackware Live Edition. These are based on the latest Slackware-current dated “Wed Nov 22 05:27:06 UTC 2017”, i.e. yesterday, and that means the ISOs are going to boot into the new 4.14.1 kernel.
  • Am I willing to pay the price to support ethical hardware?
    The planned obsolescence is even worse with tablets and smartphones, whose components are all soldered down. The last tablet with a removable battery was the Dell Venue 11 Pro (Haswell version) announced in October 2013, but it was an expensive Windows device that cost as much as a mid-range laptop. The last Android tablet with a removable battery was the Samsung Galaxy Note 10.1 (GT-N8000 series), released in August 2012. It is still possible to find mid-range smartphones with removable batteries. Last year the only high end phones with removable batteries were the LG G5 and V20, but even LG has given up on the idea of making phones that will last longer than 2 years once the battery starts to degrade after roughly 500 full charge and discharge cycles. Every flagship phone introduced in 2017 now has its battery sealed in the case. According to the gmsarena.com database, the number of new smartphone models with non-replaceable batteries grew from 1.9% in 2011 to 26.7% in 2014, and now to 90.3% in 2017. It is highly likely that not a single model of smartphone introduced next year will have a replaceable battery.

More Coverage of New Lumina Release

  • Lumina 1.4 Desktop Environment Released
    The TrueOS BSD folks working on their Qt5-powered Lumina Desktop Environment have issued a new feature update of their open-source desktop.
  • Lumina Desktop 1.4.0 Released
    Lumina 1.4.0 carries a number of changes, optimisations, and feature improvements. Lumina is the default desktop of TrueOS, a BSD-based operating system. The desktop itself is lightweight, modular, built using Qt, and uses Fluxbox for window management. Although Lumina is mostly aimed at BSD users it also runs on Linux, including Fedora, Arch and — *mario coin sfx* — Ubuntu.