Language Selection

English French German Italian Portuguese Spanish

Security

Security: IoT Cybersecurity Improvement Act, Linux Security Summit 2017, CII on NTP

Filed under
Security
  • IoT Cybersecurity Improvement Act of 2017: The pros and cons from a hacker

    We have early on recognized the state of such security. Our IoT Village has highlighted the problem at many conferences, such as DEFCON and RSA, for the past three years.

  • Linux Security Summit 2017 Roundup

    The 2017 Linux Security Summit (LSS) was held last month in Los Angeles over the 14th and 15th of September.  It was co-located with Open Source Summit North America (OSSNA) and the Linux Plumbers Conference (LPC).

  • Securing Network Time

    Since its inception the CII has considered network time, and implementations of the Network Time Protocol, to be “core infrastructure.” Correctly synchronising clocks is critical both to the smooth functioning of many services and to the effectiveness of numerous security protocols; as a result most computers run some sort of clock synchronization software and most of those computers implement either the Network Time Protocol (NTP, RFC 5905) or the closely related but slimmed down Simple Network Time Protocol (SNTP, RFC 4330).

Security: Cyber Operators , EFI, Equifax, Tor

Filed under
Security
  • Cyber Operators — Differences Matter
  • Equitablefax

    I’m calling this mostly a problem with Equihax architecture. This isn’t about a struts bug, this is about a terrible network design that allows random kiddies to scrape the data store clean via a single shell (well, 30, but still). That Equihax was focussing on buying boxes to protect against 0day, and (from stories I’ve read circa 2015) working on ensuring employee phones are compartmented for BYOD. Well, they were clearly spending money out of the security budget. And it wasn’t trivial sums either, FireEye boxes aren’t exactly free. But from the looks of it, the problem wasn’t that they got compromised, the problem was that they couldn’t detect a compromise and prevent it from becoming a breach (seriously: 30 webshells exfiltrating data on 143 million people would have left some pretty hefty “access.log” files).

  • Critical Code in Millions of Macs Isn't Getting Apple's Updates

    For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

  • Report Bugs, Get $$ Like @atechdad

    The day after Julian Jackson (@atechdad) reported the bug through HackerOne, we released Tor Browser 7.0.3. We saw no indication that it was used in the wild, and the bug didn't affect users of Tails, Whonix, or our sandboxed Tor Browser.

  • Here's What to Ask the Former Equifax CEO

    Richard Smith -- who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers -- is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I'd ask when Mr. Smith goes to Washington.

  • Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

    For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

    While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

    After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.

Security: Updates, EFI Mess, Clarence Birdseye

Filed under
Security
  • Security updates for Friday
  • An alarming number of patched Macs remain vulnerable to stealthy firmware hacks

    An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study released Friday has concluded.

  • What Clarence Birdseye can teach us about container security

    Clarence Birdseye is generally considered to be the founder of the modern frozen food industry. In 1925, after a couple of false starts, he moved his General Seafood Corporation to Gloucester, Massachusetts. There, he used his newest invention, the double belt freezer, to freeze fish quickly using a pair of brine-cooled stainless steel belts. This and other Birdseye innovations centered on the idea that flash-freezing meant that only small ice crystals could form, and therefore cell membranes were not damaged. Over time, these techniques were applied to a wide range of food — including the ubiquitous frozen peas.

Security: CII, Policy, Investment, and More

Filed under
Security

Security: Updates or Patches

Filed under
Security

Tails 3.2 is out

Filed under
Security
Debian

This release fixes many security issues and users should upgrade as soon as possible.

Read more

Security: Patches and Unpatched Systems

Filed under
Security

Security: "Bad Microsoft", Deloitte, Ransom, Equifax, Linux and Phish For the Future

Filed under
Security
  • Risky Business #471 -- Good Microsoft, bad Microsoft

    On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require man in the middle to exploit the failure. Ummm. What?

  • Deloitte did little to ensure safety of data: claim

    The data breach at accountancy firm Deloitte shows that while the company may know a great deal about security, it appears to have done little to make sure that the vast amount of data it has is safe, the head of a cyber security firm claims.

  • SMBs paid US$301m as ransom in last year: survey

    Data protection company Datto has released the results of a ransomware survey based on data from 1700 managed service providers which shows that a sum of US$301 million was paid to attackers between the second quarter of 2016 and the second quarter of 2017.

  • Equifax CEO to collect $90 million: report

    Smith, who announced his retirement Tuesday, will collect about $72 million this year and $17.9 million in coming years, according to Fortune. This reportedly adds up to about 63 cents for each customer who was potentially exposed in the company’s data breach.

  • Linux Kernel Bug Reclassified as Security Issue After Two Years

    Multiple Linux distros are issuing security updates for OS versions that still use an older kernel branch after it recently came to light that a mild memory bug was in reality much worse, and the bug was recently categorized as a security flaw.

    The original bug was discovered by Michael Davidson, a Google employee, back in April 2015 and was fixed in Linux kernel 4.0.

  • Phish For the Future

    This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.

    This campaign appears to have been aimed at stealing credentials for various business services including Google, Dropbox, and LinkedIn. At least one account was compromised and was used to send out additional spearphishing emails to others in the organization. Because the compromised account had been neglected for years and contained no recent activity, we suspect the attackers were trying to leverage trust in order to compromise a more recent or high-value account. We were unable to determine what the secondary goal of the campaign was after the credentials were stolen. The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time.

Security: Wi-Fi Patches, Equifax, Deloitte, NSA's EternalBlue Exploit and TalkTalk

Filed under
Security

Security: Deloitte, AWS, CCleaner, Equifax, Optionsbleed

Filed under
Security
  • Source: Deloitte Breach Affected All Company Email, Admin Accounts

     

    Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.  

  • Security breach exposes data from half a million vehicle tracking devices

     

    The exposed data, which includes customer credentials, was unearthed through a misconfigured Amazon AWS S3 bucket that was left publically available, and because it wasn't protected by a password, could allow anyone to pinpoint locations visited by customers of the vehicle tracking firm.

  • CCleaner backdoor infecting millions delivered mystery payload to 40 PCs

    At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.

  • Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

    This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conducts the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credits cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.    

    Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

    While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear.  That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

  • New breach, same lessons

    The story of recent breaches at the credit-rating agency Equifax, which may have involved the personal details of nearly 150 million people, has probably just begun, given the confusion that still surrounds events. But it’s brought the security of open source software to the fore yet again, and highlighted the ongoing struggle organizations still have with cybersecurity.

  • Apache “Optionsbleed” vulnerability – what you need to know [Ed: The security FUD complex came up with a buzzword: Optionsbleed. But it fails to (over)sell this hype.]
Syndicate content

More in Tux Machines

Today in Techrights

Security Leftovers

  • One-stop counterfeit certificate shops for all your malware-signing needs

    The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.

  • How did OurMine hackers use DNS poisoning to attack WikiLeaks? [Ed: False. They did not attack Wikileaks; they attacked the DNS servers/framework. The corporate media misreported this at the time.
    The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from expert Nick Lewis.
  • Intel didn't give government advance notice on chip flaws

    Google researchers informed Intel of flaws in its chips in June. The company explained in its own letter to lawmakers that it left up to Intel informing the government of the flaws.

    Intel said that it did not notify the government at the time because it had “no indication of any exploitation by malicious actors,” and wanted to keep knowledge of the breach limited while it and other companies worked to patch the issue.

    The company let some Chinese technology companies know about the vulnerabilities, which government officials fear may mean the information was passed along to the Chinese government, according to The Wall Street Journal.

  • Intel hid CPU bugs info from govt 'until public disclosure'

    As iTWire reported recently, Intel faces a total of 33 lawsuits over the two flaws. Additionally, the Boston law firm of Block & Leviton is preparing a class action lawsuit against Intel chief executive Brian Krzanich for allegedly selling a vast majority of his Intel stock after the company was notified of the two security flaws and before they became public.

  • Intel did not tell U.S. cyber officials about chip flaws until made public [iophk: "yeah right"]

    Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers [sic] had not exploited the vulnerabilities.

  • LA Times serving cryptocurrency mining script [iophk: "JS"]

    The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker [sic] appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.

  • Facebook's Mandatory Malware Scan Is an Intrusive Mess

    When an Oregon science fiction writer named Charity tried to log onto Facebook on February 11, she found herself completely locked out of her account. A message appeared saying she needed to download Facebook’s malware scanner if she wanted to get back in. Charity couldn’t use Facebook until she completed the scan, but the file the company provided was for a Windows device—Charity uses a Mac.

  • Tinder plugs flaw that enabled account takeover using just a phone number

    As Tinder uses Facebook profile pics for its users to lure in a mate or several, the 'dating' app is somewhat tied to the social network. When a swipe-hungry Tinder user comes to login to their account they can either do so via Facebook or use their mobile number.

  • `

Android Leftovers

Report from Debian SnowCamp and a Look at Solyd XK, a Debian-Based Distribution

  • Report from Debian SnowCamp: day 1
  • Report from Debian SnowCamp: day 2
    Of course, we’re still sorely lacking volunteers who would really care about mentors.debian.net; the codebase is a pile of hacks upon hacks upon hacks, all relying on an old version of a deprecated Python web framework. A few attempts have been made at a smooth transition to a more recent framework, without really panning out, mostly for lack of time on the part of the people running the service. I’m still convinced things should restart from scratch, but I don’t currently have the energy or time to drive it… Ugh.
  • Installing Solyd XK, a Debian based Linux distribution : Cooking With Linux
    It's time for some more "Cooking With Linux" without a net, meaning the video you are about to watch was recorded live. Today, I'm going to install a new Linux distribution (new to me, anyhow) called Solyd XK.