Security

Security: Updates, Deloitte Crack, 'Optionsbleed', Browsers Will Store Credit Card Details

Filed under
Security
  • Security updates for Monday
  • Deloitte hack hit server containing emails from across US government

    The hack into the accountancy giant Deloitte compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals, the Guardian has been told.

    Sources with knowledge of the hack say the incident was potentially more widespread than Deloitte has been prepared to acknowledge and that the company cannot be 100% sure what was taken.

    Deloitte said it believed the hack had only “impacted” six clients, and that it was confident it knew where the hackers had been. It said it believed the attack on its systems, which began a year ago, was now over.

    However, sources who have spoken to the Guardian, on condition of anonymity, say the company red-flagged, and has been reviewing, a cache of emails and attachments that may have been compromised from a host of other entities.

  • Apache Patches Optionsbleed Flaw in HTTP Server

    The Apache HTTP Web Server (commonly simply referred to as 'Apache') is the most widely deployed web server in the world, and until last week, it was at risk from a security vulnerability known as Optionsbleed.

  • Browsers Will Store Credit Card Details Similar to How They Save Passwords

    A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online.

    Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords.

Security: gnURL 7.56.0, CyberShaolin, Open Source Security Podcast

  • gnURL 7.56.0 released

    Merges from cURL 7.56.0 upstream release and some gnURL specific fixes.
    For more info you can read the git log or the generated CHANGELOG file (only present in the tarball).

  • CyberShaolin: Teaching the Next Generation of Cybersecurity Experts

    Reuben Paul is not the only kid who plays video games, but his fascination with games and computers set him on a unique journey of curiosity that led to an early interest in cybersecurity education and advocacy and the creation of CyberShaolin, an organization that helps children understand the threat of cyberattacks. Paul, who is now 11 years old, will present a keynote talk at Open Source Summit in Prague, sharing his experiences and highlighting insecurities in toys, devices, and other technologies in daily use.

  • [Open Source Security Podcast] Episode 65 - Will aliens overthrow us before AI?

Security: AWS, Disqus, Drone Program

  • Forget stealing data — these hackers broke into Amazon's cloud to mine bitcoin

    A report from the security intelligence group RedLock found at least two companies which had their AWS cloud services compromised by hackers [sic] who wanted nothing more than to use the computer power to mine the cryptocurrency bitcoin. The hackers [sic] ultimately got access to Amazon's cloud servers after discovering that their administration consoles weren't password protected.

  • Disqus discovers hack [sic] of 17.5m user details after five years

    The biggest Web comment hosting service Disqus was breached in 2012 but the company only knew of it last week, according to an announcement made on Friday.

  • A Mysterious Virus Has Infiltrated America's Drone Program

    There’s something deeply wrong at Creech Air Force Base, the notorious home of America’s drone program, where pilots remotely order US Reaper and Predator drones to unleash destructive missile strikes on unsuspecting villagers in Yemen, Libya, Iraq, Syria, Afghanistan and other war zones.

    Less than a week after the Department of Homeland Security advised all federal agencies using anti-virus software created by Kaspersky Labs to remove the programs from their systems immediately, Ars Technica reports that two weeks ago the Defense Information Systems Agency detected mysterious spyware embedded in the drone “cockpits” – the control stations that pilots use to control the deadly machines.

Security: FireEye, Disqus, EFF on Apple

  • FireEye Warns of Expanding FormBook Malware Attacks

    "Because of the affiliate model (or Malware-as-a-Service) set up and its open availability on the web, it is difficult to determine the attack origins, and could be attributed to anyone who has subscribed to the service," Randi Eitzman, FireEye Analyst, told eSecurityPlanet.

    FormBook is being distributed via different document formats, including PDF, DOC and archive files that have some form of download link, macro or executable payload.

  • Disqus hacked [sic]: More than 17.5 million users' details stolen by hackers in 2012 data breach

    About a third of the compromised accounts contained passwords that were salted and hashed using the weak SHA-1 algorithm. Disqus said the exposed user data dates back to 2007 with the most recent data exposed from July 2012.

  • iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi is Bad for User Security

    Turning off your Bluetooth and Wi-Fi radios when you’re not using them is good security practice (not to mention good for your battery usage). When you consider Bluetooth’s known vulnerabilities, it’s especially important to make sure your Bluetooth and Wi-Fi settings are doing what you want them to. The iPhone’s newest operating system, however, makes it harder for users to control these settings.

    On an iPhone, users might instinctively swipe up to open Control Center and toggle Wi-Fi and Bluetooth off from the quick settings. Each icon switches from blue to gray, leading a user to reasonably believe they have been turned off—in other words, fully disabled. In iOS 10, that was true. However, in iOS 11, the same setting change no longer actually turns Wi-Fi or Bluetooth “off.”

    Instead, what actually happens in iOS 11 when you toggle your quick settings to “off” is that the phone will disconnect from Wi-Fi networks and some devices, but remain on for Apple services. Location Services is still enabled, Apple devices (like Apple Watch and Pencil) stay connected, and services such as Handoff and Instant Hotspot stay on. Apple’s UI fails to even attempt to communicate these exceptions to its users.

IPFire 2.19 - Core Update 114 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 114. It brings some changes under the hood and modernises the base system. On top of that, minor issues are being fixed and some packages have been updated.


Security: Updates, Apple APFS Passwords, WordPress, Microsoft FUD, and Internet of Broken Things

  • Security updates for Friday
  • Apple fixes Keychain vulnerability, but only in macOS High Sierra

    The zero-day vulnerability in macOS's Keychain has been addressed by Apple, along with some other issues in High Sierra. But other recent versions of the operating system are still vulnerable.

  • macOS High Sierra bug exposes APFS passwords in plain text

    A Brazilian software developer has uncovered a bug in Apple's macOS High Sierra software that exposes the passwords of encrypted Apple File System (APFS) volumes in plain text.

  • The September 2017 WordPress Attack Report

    This edition of the WordPress Attack Report is a continuation of the monthly series we’ve been publishing since December 2016. Reports from the previous months can be found here.

    This report contains the top 25 attacking IPs for September 2017 and their details. It also includes charts of brute force and complex attack activity for the same period, along with a new section revealing changes to the Wordfence real-time IP blacklist throughout the month. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

  • Step aside, Windows! Open source and Linux are IT’s new security headache [Ed: Microsoft propagandist Preston Gralla is back from the woods. The typical spin, lies. Deflection. Windows has back doors.]
  • Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things

    At this point we've pretty well documented how the "internet of things" is a privacy and security dumpster fire. Whether it's tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn't be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard to user privacy -- posing a potentially fatal threat to us all.

Security: Forseti, Updates, FormBook, Kaspersky, and APFS


Security: India's Internet, Equifax, and Yahoo!


Security: RoboCyberWall, Updates, Dnsmasq, SEC, and Yahoo!

  • RoboCyberWall Aims to Block Linux Server Hacks [Ed: ad disguised as an article]
  • Security updates for Wednesday
  • Google Patches Open-Source Flaw, Requires TLD Encryption

    Google has made a couple of notable moves on the security front this week: One, it has patched flaws in a DNS software package known as Dnsmasq; and two, it said it would start requiring encryption for 45 top-level domains (TLDs) that it controls as a registrar.

    Dnsmasq, an open-source package, is widely installed in desktop Linux distributions (like Ubuntu), home routers and IoT devices, and provides functionality for serving DNS, DHCP, router advertisements and network boot. Google discovered seven distinct issues within the kit: three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5.

  • SEC hack came as internal security team begged for funding

    Last month, the Securities and Exchange Commission revealed a 2016 breach of a test system that allowed an unknown party to get access to unpublished corporate information in the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The breach potentially allowed the bad actors to profit from trades based on the information. SEC Chairman Jay Clayton revealed the extent of that breach in a policy statement on the importance of the commission's cyber-security mission. But just a few months before the SEC discovered the initial breach last year, as Reuters reports, members of the SEC's own internal digital forensics and security team wrote a letter bemoaning the lack of support they received from the agency's Office of Information Technology and SEC leadership.

  • Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.

    Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it's always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo's email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.

Security: Yahoo 'Search Secrets', Breach Secrets, Bluetooth Woes, and Phishing

  • Yahoo Reveals Its Search Secrets, Vespa Tool is Now Available as Open Source

    Oath Inc., the Verizon company that has owned Yahoo since June, announced that Vespa is now available as open source on GitHub. According to a company blog post, making the big data processing and serving engine open source is a step further in Oath’s commitment to opening up its big data infrastructure to developers.

  • If you have a Yahoo account, do this now

    The company, which along with AOL is now part of a Verizon subsidiary called Oath, disclosed Tuesday that a 2013 hack had potentially stolen the information of all of its 3 billion users at the time — or triple the number of vulnerable users it had earlier reported.

  • Yahoo revises number of hacked accounts from 500,000,000 to 3,000,000,000

    Just over a year ago, Yahoo admitted that it had been hacked in 2013, and estimated that 500 million accounts had been compromised (the company blamed state-sponsored actors, and federal prosecutors have indicted two Russian spies for ordering the operation). Now the company has admitted that all three billion of its accounts were affected.

  • Yahoo Says All 3 Billion Accounts Hacked in 2013 Data Theft

    Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications.

  • Bluetooth sex toys are trivial to compromise just by walking around neighborhoods

    Lomas demonstrated the attack by wandering the streets of Berlin, compromising Lovense Hush buttplugs. He also demonstrated that he could attack and compromise his father's BLE-enabled hearing aid, controlling what sound was played, allowing him to put voices in his father's head, or selectively alter his hearing.

  • Screwdriving. Locating and exploiting smart adult toys

    It’s hopefully well known by now that Bluetooth’s baby brother, BLE, isn’t exactly stellar when it comes to security. What you save in battery life and complexity comes at the price of easy discoverability and exploitability. Whilst BLE does have support for security, it is rarely implemented. When it is implemented it’s often done poorly.

  • Councils attacked over email ‘phishing’

    Banks and other financial institutions, including PayPal and Ebay, have been targeted frequently by crooks, as has the government’s tax collection agency HMRC - which often appears to be the source of emails promising lucrative tax rebates.

    But the government’s National Cyber Security Centre, which is part of GCHQ, has said that fewer than five per cent of other public sector organisations have taken sufficient steps to prevent similar attacks, by using the validation protocol known as DMARC.


More in Tux Machines

Kernel and Graphics: ZenStates, AMDGPU, RADV, Vulkan, NVIDIA

  • ZenStates Allows Adjusting Zen P-States, Other Tweaking Under Linux
    ZenStates is an independent effort to offer P-States-based overclocking from the Linux desktop of AMD Ryzen processors and other tuning. ZenStates-Linux is an open-source Python script inspired by some available Windows programs for offering Ryzen/Zen CPU overclocking from the desktop by manipulating the performance states of the processor.
  • AMDGPU DC Gets A Final Batch Of Changes Before Linux 4.15
    The AMDGPU DC display code has a final batch of feature updates that were sent in this weekend for DRM-Next staging and is the last set besides fixes for the "DC" code for the 4.15 target.
  • Valve Developer Lands VK_EXT_global_priority For RADV Vulkan Driver
  • Vulkan 1.0.64 Adds In Another AMD-Developed Extension
    Vulkan 1.0.64 is out this weekend as the newest specification refinement to this high-performance graphics/compute API. As usual, most of the changes for this minor Vulkan revision are just documentation clarifications and corrections. This week's update brings just under a dozen fixes.
  • NVIDIA TX2 / Tegra186 Display Support Isn't Ready For Linux 4.15
    While the Jetson TX2 has been out since this past March and it's a phenomenal ARM development board, sadly the Direct Rendering Manager (DRM) driver support for it still isn't ready with the mainline Linux kernel. Thierry Reding of NVIDIA sent in the Tegra DRM driver changes for DRM-Next that in turn is staged for Linux 4.15. Reding commented that there is preparatory work for the TX2 (Tegra186) but it's not all ready for upstream yet.

Ubuntu: Mir running on Fedora and Ubuntu 17.10 Guidance

  • Mir running on Fedora
    Last week we released Mir 0.28 and this week we settled down to tidy up a few bug fixes and feature requests that didn’t make the release. I’ve started collecting these for a Mir 0.28.1 release to come in the next few weeks. The most interesting of these comes from conversations at the Ubuntu Rally: there were several requests from community members around getting Mir working (or even building!) on other distributions.
  • Ubuntu Developer Gets Mir Running On Fedora
    Lead Mir developer Alan Griffiths has spent the time getting the Mir display server running on Fedora. This is part of a broader feature request of getting Mir running on more Linux distributions than just Ubuntu. The changes to get Mir running on at least Fedora should be merged for the upcoming Mir 0.28.1 point release. Mir 0.28.1 will also incorporate other bug fixes.
  • How To Remove the Unity Desktop from Ubuntu 17.10
  • 9 Things to do After Installing Ubuntu 17.10
  • How To Install Ubuntu 17.10 Artful Aardvark

Purism Librem 5 Linux Smartphone Campaign Set To End At Around $2 Million

Tomorrow marks the end of the crowdfunding campaign for Purism's Librem 5 smartphone campaign. The campaign is looking like it will close at around two million dollars with the current tally as of this morning being at $1,962,517 in funds raised for this effort to build an original GNU/Linux smartphone stack with either GNOME Shell or KDE Plasma Mobile comprising the UI/UX elements.

Games: The Coma: Recut, Mushroom Wars 2 and Team Fortress 2