Language Selection

English French German Italian Portuguese Spanish

Security

Security: Microsoft Word, Hyatt Hotels, Australian Megabreach, Impersonating iOS Password Prompts, and Equifax

Filed under
Security

Security: Updates, Accenture, Equifax, Passwords, United Airlines, Grafeas Project

Filed under
Security

pfSense 2.4.0-RELEASE Now Available!

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4, now available for new installations and upgrades!

pfSense software version 2.4.0 was a herculean effort! It is the culmination of 18 months of hard work by Netgate and community contributors, with over 290 items resolved. According to git, 671 files were changed with a total 1651680 lines added, and 185727 lines deleted. Most of those added lines are from translated strings for multiple language support!

pfSense 2.4.0-RELEASE updates and installation images are available now!

Read more

Also: pfSense 2.4 Released, Rebased To FreeBSD 11.1 & New Installer

Security: Updates, Reproducible Builds, T-Mobile, ATMs, Microsoft Outlook "Fake Crypto" and Accenture

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #128
  • T-Mobile customer data plundered thanks to bad API

    A bug disclosed and patched last week by T-Mobile in a Web application interface allowed anyone to query account information by simply providing a phone number. That includes customer e-mail addresses, device identification data, and even the answers to account security questions. The bug, which was patched after T-Mobile was contacted by Motherboard's Lorenzo Franceschi-Bicchierai on behalf of an anonymous security researcher, was apparently also exploited by others, giving them access to information that could be used to hijack customers' accounts and move them to new phones. Attackers could potentially gain access to other accounts protected by SMS-based "two factor" authentication simply by acquiring a T-Mobile SIM card.

  • Criminals stole millions from E. Europe banks with ATM “overdraft” hack

    Banks in several former Soviet states were hit with a wave of debit card fraud earlier this year that netted millions of dollars worth of cash. These bank heists relied on a combination of fraudulent bank accounts and hacking to turn nearly empty bank accounts into cash-generating machines. In a report being released by TrustWave's SpiderLabs today, SpiderLabs researchers detailed the crime spree: hackers gained access to bank systems and manipulated the overdraft protection on accounts set up by proxies and then used automated teller machines in other countries to withdraw thousands of dollars via empty or nearly empty accounts.

    While SpiderLabs' investigation accounted for about $40 million in fraudulent withdrawals, the report's authors noted, "when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD." This criminal enterprise was a hybrid of traditional credit fraud and hacking. It relied on an army of individuals with fake identity documents, as these folks were paid to set up accounts at the targeted institutions with the lowest possible deposit. From there, individuals requested debit cards for the accounts, which were forwarded to co-conspirators in other countries throughout Europe and in Russia.

  • Buggy Microsoft Outlook Sending Encrypted S/MIME Emails With Plaintext Copy For Months

    Beware, If you are using S/MIME protocol over Microsoft Outlook to encrypt your email communication, you need to watch out.

    From at least last 6 months, your messages were being sent in both encrypted and unencrypted forms, exposing all your secret and sensitive communications to potential eavesdroppers.

    S/MIME, or Secure/Multipurpose Internet Mail Extensions, is an end-to-end encryption protocol—based on public-key cryptography and works just like SSL connections—that enables users to send digitally signed and encrypted messages.

  • Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure (CVE-2017-11776)

    Outlook version XXX (we are still waiting for Microsoft to release detailed information and update the blog accordingly) was the first affected version. So any S/MIME encrypted mail written since that date might be affected.

    Unfortunately there is no easy solution to remediate the impact of this vulnerability (we are still waiting for Microsoft to release detailed information and update the blog).

    In cases where mails have been send to third parties (recipient is outside of the sender’s organization) remediation is not possible by the sending party, since the sender has no authority over the recipient’s mail infrastructure.

  • Accenture data leak: 'Keys to the kingdom' left exposed via multiple unsecured cloud servers

    A massive trove of sensitive corporate and customer data was left freely exposed to the public by Accenture, one of the world's biggest management firms. The tech giant left at least four cloud storage servers, which contained highly sensitive decryption keys and passwords, exposed to the public, without any password protections.

Security: Updates, Accenture, Microsoft and More

Filed under
Security
  • Security updates for Wednesday
  • Accenture left a huge trove of highly sensitive data on exposed servers

    Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

  • Crypto Anchors: Exfiltration Resistant Infrastructure

    The obvious way to implement a tokenization service is to generate a random token and store a mapping of that token and a one-way hash of the sensitive piece of data.

    Unfortunately, the maximum number of possible SSNs is just under 1 billion, making it trivial for an attacker that downloads the database to brute-force them offline.

  • Detecting DDE in MS Office documents

    Dynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents.

  • Stack Overflow Considered Harmful?

    What proportion of Android apps in the Play store include security-related code snippets copied directly from Stack Overflow? Does the copied code increase or decrease application security?

  • ‘UK teen almost hacking US officials a serious concern for American security’

    It should be very concerning for the US security services that a teenager almost got to access to private information of top officials, including that of the CIA chief, as other hackers might actually do some real harm, Mark Chapman of the UK Pirate Party believes.

    British teenager Kane Gamble pleaded guilty to trying to hack top US officials’ personal computers.

    Gamble is autistic and was only 15 years old when he attempted to hack the computers of former CIA chief John Brennan and the head of security of the Obama administration. He was released on bail and is due to be sentenced by a British regional court in December.

Security: Accenture, Australian Cyber Security Centre, Voting and North Korea

Filed under
Security
  • Accenture's crown jewels found exposed in unsecured AWS buckets

    Global corporate consulting and management firm Accenture left at least four cloud-based storage servers unsecured and open to the public, the security company UpGuard has found.

    Exposed to the world were secret API data, authentication credentials, certificates, decryption keys, customer information and other data that could have been used to attack both the company and its clients.

  • Cyber terror? Ain't seen it yet, says Australian Cyber Security Centre

    Despite all the hyper-ventilation by politicians who paint grim scenarios of cyber Armageddon always being around the corner, Australia is yet to face malicious activity that would constitute a cyber attack, according to the Australian Cyber Security Centre.

  • The Race to Secure Voting Tech Gets an Urgent Jumpstart

    On Tuesday, representatives from the hacking conference DefCon and partners at the Atlantic Council think tank shared findings from a report about DefCon's Voting Village, where hundreds of hackers got to physically interact with—and compromise—actual US voting machines for the first time ever at the conference in July. Work over three days at the Village underscored the fundamental vulnerability of the devices, and raised questions about important issues, like the trustworthiness of hardware parts manufactured in other countries, including China. But most importantly, the report highlights the dire urgency of securing US voting systems before the 2018 midterm elections.

  • North Korean Hack [sic] of U.S. War Plans Shows Off Cyber Skills

Security: Kromtech, Nginx, Equifax, Kickstarter, Microsoft Windows

Filed under
Security
  • [Older] The creepiest data breach till date: Passwords of 540,000 Car Tracking Devices Leaked Online

    Data breaches have become so common these days that every single day we get news about a data breach. We have seen data breaches from big to small, from dangerous to embarrassing, but this is one is the creepiest data breach of 2017, this leak of credentials of almost 540,000 Car Tracking Devices might take the biscuit.

    The Kromtech Security Center recently found over half a million login credentials belonging to SVR, a company specializes in “vehicle recovery”, is leaked online and is publicly accessible. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen.

  • Nginx 1.13.6 Patches Web Server for the Year 2038 Flaw

    Developers and organizations around the world rushed to fix the Y2K bug nearly 20 years ago as the calendar rolled over to the new millennium. There is also a similar bug that is resident in Unix/Linux systems known as the Year 2038 bug.

    The latest vendor to fix its software for the 2038 bug is open-source web application server vendor nginx. The new nginx 1.13.6 release debuts on Oct. 10, fixing 11 different bugs.

    "Bugfix: nginx did not support dates after the year 2038 on 32-bit platforms with 64-bit time_t," the nginx changelog noted.

  • Equifax: About those 400,000 UK records we lost? It's now 15.2M. Yes, M for MEELLLIOON

    Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million.

    In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement on the matter. Instead it fell to Blighty's National Cyber Security Centre to reveal the bad news that a blundering American firm had put them at risk of phishing attacks.

    “We are aware that Equifax was the victim of a criminal cyber attack in May 2017," the NCSC said in a statement today.

    “Equifax have today updated their guidance to confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. NCSC advises that passwords are not re-used on any accounts if you have been told by Equifax that any portion of your membership details have been accessed.”

  • Major Data Breach Left 15 Million Accounts from These Popular Sites Vulnerable

    In what seems like an ever-lengthening line of data breaches in recent weeks (This restaurant, this financial services company, and this supermarket have all been breached in the past month), Lifehacker has reported that information from 15 million Kickstarter and Bitly accounts are now available to the public due to a 2014 data breach. The breach itself isn’t new, much like the fresh news about Yahoo’s massive breach, but it’s much less disconcerting. Although the information is now public, it is still encrypted, and both Kickstarter and Bitly took swift action to notify users of the breach when it originally occurred, urging them to change their passwords and nullifying the breach ones if user action was not taken.

  • It's 2017... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too

    Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether.

    Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to infect vulnerable machines. That flaw, CVE-2017-11826, is leveraged when a booby-trapped Microsoft Office document is opened, allowing malicious code within it to run with the same rights as the logged-in user, and should be considered a top priority to patch.

    Dustin Childs, of Trend Micro's Zero Day Initiative, noted today that users and administrators should also pay special attention to Microsoft's ADV170012, an advisory warning of weak cryptographic keys generated by Trusted Platform Modules (TPMs) on Infineon motherboards.

Security: Equifax, Forrester, Akamai, Disqus, WhatsApp, FBI, Accenture

Filed under
Security
  • Equifax will give your salary history to anyone with your SSN and date of birth
  • Forrester Research Discloses Limited Website Data Breach

    At 6:17 ET PM on Oct.6, Forrester Research publicly admitted that it was the victim of a cyber-attack. According to the firm, the attack had limited impact, with no evidence that confidential client data had been stolen.

    According to Forrester Research's preliminary investigation, attackers were able to gain access to Forrester.com content that was intended to be limited exclusively to clients.

    "We recognize that hackers will attack attractive targets—in this case, our research IP," George F. Colony, chairman and chief executive officer of Forrester, stated.

    "We also understand there is a tradeoff between making it easy for our clients to access our research and security measures," Colony added. "We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cyber-security risk."

  • Akamai Reports Fast Flux Botnets Remain a Security Risk

    Attackers are continuing to benefit from the use many different technique to remain hidden. New research released Oct.10 by Akamai reveals that a botnet with over 14,000 IP addresses has been using the fast flux DNS technique to evade detection, while still causing damage to users and organizations.

    Fast Flux is an attacker technique that uses the Domain Name System (DNS) to hide the source of an attack. DNS operates by referring a domain name to a specific IP address

  • Disqus reveals data breach, but wins points for transparency

    Disqus has publicly announced that its user database leaked in 2012, exposing the usernames, email addresses, sign-up dates, and last login dates of more than 17 million users.

    In addition, the data included crackable SHA1-hashed passwords of “about one-third” of users. Presumably many accounts registered with the popular blog-commenting service do not have associated passwords due to many users signing-in using third-party social media accounts such as Google or Facebook.

    Quite how the security breach occurred is currently a mystery, and – frankly – despite their good intentions, Disqus may find it difficult to pinpoint exactly what happened five years after the event.

  • WhatsApp Exploit Can Allow Hackers To Monitor Your Sleep And Other Things
  • Multi-Layered Defenses Needed to Improve Cyber-Security, FBI Says
  • Hacking is inevitable, so it’s time to assume our data will be stolen

    If recent hacking attacks such as the one at Equifax, which compromised personal data for about half of all Americans, have taught us anything, it’s that data breaches are a part of life. It’s time to plan for what happens after our data is stolen, according to Rahul Telang, professor of information systems at Carnegie Mellon University.

    Companies are prone to understating the scale of hacks, which suggests that there needs to be better standards for disclosing breaches. Yahoo recently confessed that its data breach actually impacted 3 billion user accounts, three times what it disclosed in December. Equifax also boosted the number of people it says were affected by its hack.

  • 7 Security Risks User and Entity Behavior Analytics Helps Detect
  • UpGuard Reports Accenture Data Exposure, Debuts Risk Detection Service

    Security vendor UpGuard announced on Oct.10 that it discovered that global consulting firm Accenture had left at least four cloud-based storage servers publicly available. UpGuard alleges that the exposed cloud servers could have left Accenture customers to risk, though Accenture is publicly downplaying the impact of the cloud data exposure.

    "There was no risk to any of our clients – no active credentials, PII and other sensitive information was compromised," Accenture noted in a statement sent to eWEEK. "The information involved could not have provided access to client systems and was not production data or applications."

    Accenture added that the company has a multi-layered security model and the data in question would not have allowed anyone that found it to penetrate any of those layers.

Security: Updates, Deloitte Crack, 'Optionsbleed', Browsers Will Store Credit Card Details

Filed under
Security
  • Security updates for Monday
  • Deloitte hack hit server containing emails from across US government

    The hack into the accountancy giant Deloitte compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals, the Guardian has been told.

    Sources with knowledge of the hack say the incident was potentially more widespread than Deloitte has been prepared to acknowledge and that the company cannot be 100% sure what was taken.

    Deloitte said it believed the hack had only “impacted” six clients, and that it was confident it knew where the hackers had been. It said it believed the attack on its systems, which began a year ago, was now over.

    However, sources who have spoken to the Guardian, on condition of anonymity, say the company red-flagged, and has been reviewing, a cache of emails and attachments that may have been compromised from a host of other entities.

  • Apache Patches Optionsbleed Flaw in HTTP Server

    The Apache HTTP Web Server (commonly simply referred to as 'Apache') is the most widely deployed web server in the world, and until last week, it was at risk from a security vulnerability known as Optionsbleed.

  • Browsers Will Store Credit Card Details Similar to How They Save Passwords

    A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online.

    Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords.

Security: gnURL 7.56.0, CyberShaolin, Open Source Security Podcast

Filed under
Security
  • gnURL 7.56.0 released

    Merges from cURL 7.56.0 upstream release and some gnURL specific fixes.
    For more info you can read the git log or the generated CHANGELOG file (only present in the tarball).

  • CyberShaolin: Teaching the Next Generation of Cybersecurity Experts

    Reuben Paul is not the only kid who plays video games, but his fascination with games and computers set him on a unique journey of curiosity that led to an early interest in cybersecurity education and advocacy and the creation of CyberShaolin, an organization that helps children understand the threat of cyberattacks. Paul, who is now 11 years old, will present a keynote talk at Open Source Summit in Prague, sharing his experiences and highlighting insecurities in toys, devices, and other technologies in daily use.

  • [Open Source Security Podcast] Episode 65 - Will aliens overthrow us before AI?
Syndicate content

More in Tux Machines

Linux: To recurse or not

Linux and recursion are on very good speaking terms. In fact, a number of Linux command recurse without ever being asked while others have to be coaxed with just the right option. When is recursion most helpful and how can you use it to make your tasks easier? Let’s run through some useful examples and see. Read more

Today in Techrights

Android Leftovers

today's leftovers

  • MX Linux Review of MX-17 – For The Record
    MX Linux Review of MX-17. MX-17 is a cooperative venture between the antiX and former MEPIS Linux communities. It’s XFCE based, lightning fast, comes with both 32 and 64-bit CPU support…and the tools. Oh man, the tools available in this distro are both reminders of Mepis past and current tech found in modern distros.
  • Samsung Halts Android 8.0 Oreo Rollouts for Galaxy S8 Due to Unexpected Reboots
    Samsung stopped the distribution of the Android 8.0 Oreo operating system update for its Galaxy S8 and S8+ smartphones due to unexpected reboots reported by several users. SamMobile reported the other day that Samsung halted all Android 8.0 Oreo rollouts for its Galaxy S8/S8+ series of Android smartphones after approximately a week since the initial release. But only today Samsung published a statement to inform user why it stopped the rollouts, and the cause appears to be related to a limited number of cases of unexpected reboots after installing the update.
  • Xen Project Contributor Spotlight: Kevin Tian
    The Xen Project is comprised of a diverse set of member companies and contributors that are committed to the growth and success of the Xen Project Hypervisor. The Xen Project Hypervisor is a staple technology for server and cloud vendors, and is gaining traction in the embedded, security and automotive space. This blog series highlights the companies contributing to the changes and growth being made to the Xen Project and how the Xen Project technology bolsters their business.
  • Initial Intel Icelake Support Lands In Mesa OpenGL Driver, Vulkan Support Started
    A few days back I reported on Intel Icelake patches for the i965 Mesa driver in bringing up the OpenGL support now that several kernel patch series have been published for enabling these "Gen 11" graphics within the Direct Rendering Manager driver. This Icelake support has been quick to materialize even with Cannonlake hardware not yet being available.
  • LunarG's Vulkan Layer Factory Aims To Make Writing Vulkan Layers Easier
    Introduced as part of LunarG's recent Vulkan SDK update is the VLF, the Vulkan Layer Factory. The Vulkan Layer Factory aims to creating Vulkan layers easier by taking care of a lot of the boilerplate code for dealing with the initialization, etc. This framework also provides for "interceptor objects" for overriding functions pre/post API calls for Vulkan entry points of interest.