Security

Security: NHS Pays the Price for Windows, Imgur Cracked, Snyk FUD, and FOSS Updates

Filed under
Security

Security: KrebsOnSecurity, Uber, Bitcoin, Firefox, Imgur

Filed under
Security
  • Name+DOB+SSN=FAFSA Data Gold Mine

    KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.

  • Uber Hacks and Bitcoin Futures

    What is Uber? Why is it a $70-billion-or-whatever company? You could tell a bunch of stories -- it is an app company, a taxi company, a driverless-car company -- but one possibility is that it is a regulatory-evasion company. Local regulations around the world entrenched taxi companies and allowed them to capture excess value, and Uber's central innovation was not building an app or developing a surge-pricing algorithm but simply saying "what if we took that value instead?" In 2017 it spends a lot of time lobbying and buttering up local governments so that they don't ban it, but earlier on the process was simpler: It would just ignore the local regulations and hope no one would stop it. That worked really well! Not flawlessly, not permanently, not at scale -- that's why it has now pivoted to lobbying and buttering-up -- but well enough to get Uber to this point, the point where its lobbying and buttering-up can work.

  • Segwit2x Bugs Explained

    The Segwit2x hard fork was called off a little over a week ago in an email post to the 2x mailing list. Several parties threatened to split the network anyway, and we eagerly waited for block 494784 to see whether someone would mine the 2x hard fork or not.

    As it turns out, there was a bug in the Segwit2x software which caused the client to stop at block 494782. In this article, I’m going to examine the details of what caused the software to stop, why it stopped a block before it was supposed to and what would have happened had Belshe, et al, not cancelled the hard fork a week early.

  • Firefox to warn users who visit p0wned sites

    Mozilla developer Nihanth Subramanya has revealed the organisation's Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks.

    A recently-released GitHub repo titled “Breach Alerts Prototype” revealed “a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox that notifies users when their credentials have possibly been leaked or stolen in a data breach.”

  • [Imgur] NOTICE OF DATA BREACH

    On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.

Security: Necurs, Uber, and Intel ME

Filed under
Security

Security: Firefox "Breach Alerts", Uber Crack, and Intel Back Doors

Filed under
Security
  • Firefox “Breach Alerts” Will Warn If You Visit A ‘Hacked’ Website

    One more thing is coming to add to the capabilities of the recently released Firefox 57 aka Firefox Quantum.

    Mozilla is working on a new feature for Firefox, dubbed Breach Alerts, which will warn users when they visit a website, whether it was hacked in the past or not.

  • GCHQ: change your passwords now even if Uber says it contained the breach

    Uber claims to have paid $100,000 to secure 57 million accounts exposed in a breach last year, but the UK's spy agency, GCHQ, suggests consumers don't place too much faith in Uber’s claim.

    The GCHQ's National Cyber Security Centre (NCSC) on Thursday published guidance for Uber users, reminding those affected by the firm’s just revealed 2016 breach they should take precautionary action even if their personal details may not have been compromised.

    The agency warned that Uber drivers and riders should “immediately change passwords” that were used for Uber.

  • Drive-By Phishing Scams Race Toward Uber Users

    Indeed, hardly any time elapsed after Uber came clean Tuesday about the year-old breach it had concealed before crack teams of social engineers unleashed appropriately themed phishing messages designed to bamboozle the masses (see Fast and Furious Data Breach Scandal Overtakes Uber).

  • EU authorities consider creating data breach justice league to tackle Uber hack

    Multiple investigations prompted by Uber's admission that it concealed a hack could join together for one big mega-probe into the incident.

    An EU working group which has responsibility for data protection will decide next week whether to co-ordinate different investigations taking place in the UK, Italy, Austria, Poland and the Netherlands.

  • Intel Didn't Heed Security Experts' Warnings About ME [Ed: Intel refused to speak about back doors until it became too mainstream a topic, then pretended it's a "bug"]

    For nearly eight years, the chip maker has been turning a deaf ear on security warnings about the wisdom of Intel Management Engine.

Security: Uber Sued, Intel ‘Damage Control’, ZDNet FUD, and XFRM Privilege Escalation

Filed under
Security
  • Uber hit with 2 lawsuits over gigantic 2016 data breach

    In the 48 hours since the explosive revelations that Uber sustained a massive data breach in 2016, two separate proposed class-action lawsuits have been filed in different federal courts across California.

    The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers. Uber reportedly paid $100,000 to delete the stolen data and keep news of the breach quiet.

    On Tuesday, CEO Dara Khosrowshahi wrote: “None of this should have happened, and I will not make excuses for it.”

  • Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities [Ed: ‘Damage control’ strategy is to make it look like just a bug.]

    While Intel ME security issues have been talked about for months, confirming fears that have been present about it for years, this week Intel published the SA-00086 security advisory following their own internal review of ME/TXE/SPS components. The impact is someone could crash or cause instability issues, load and execute arbitrary code outside the visibility of the user and operating system, and other possible issues.

  • Open source's big weak spot? Flawed libraries lurking in key apps [Ed: Linux basher Liam Tung entertains FUD firm Snyk and Microsoft because it suits the employer's agenda]
  • SSD Advisory – Linux Kernel XFRM Privilege Escalation

Security: UEFI, Updates, Uber

Filed under
Security

Recommended Privacy Tools (Apps, Add-Ons, Search Engines) for Ubuntu Users

Filed under
GNU
Linux
Security
Web
HowTos

This is a user-friendly list of tools to protect users' internet privacy for Ubuntu users. The tools include a search engine (StartPage.com), add-ons (HTTPS Everywhere, Disconnect), and programs (DNSCrypt Proxy, OpenVPN) that are easy for beginners to install on Ubuntu. This list introduces the importance of privacy for all of you (yes, please read PrivacyTools.io) and shows that protecting your privacy is not difficult. This list is kept short so you can learn the tools one by one and exercise them on the many computers you have. I hope this helps you a lot!


Security: Uber, Replacing x86 Firmware, 'IoT' and Chromebook

Filed under
Security
  • Key Dem calls for FTC to investigate Uber data breach

    A key Democrat is calling on the Federal Trade Commission (FTC) to investigate a massive Uber breach that released data on 57 million people, as well as the company's delay in reporting the cyber incident.

  • Multiple states launch probes into massive Uber breach
  • Replacing x86 firmware with Linux and Go

    The problem, Minnich said, is that Linux has lost its control of the hardware. Back in the 1990s, when many of us started working with Linux, it controlled everything in the x86 platform. But today there are at least two and a half kernels between Linux and the hardware. Those kernels are proprietary and, not surprisingly, exploit friendly. They run at a higher privilege level than Linux and can manipulate both the hardware and the operating system in various ways. Worse yet, exploits can be written into the flash of the system so that they persist and are difficult or impossible to remove—shredding the motherboard is likely the only way out.

  • Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

    However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, "I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals..."

  • Chromebook exploit earns researcher second $100k bounty

    For Google’s bug bounty accountants, lightning just struck twice.

    In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks.

    Twelve months on and the same researcher was wired an identical pay out for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS.

    By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.”

    More likely, it wasn’t regretting it at all because isn’t being told about nasty vulnerabilities the whole point of bug bounties?

  • Why microservices are a security issue

    And why is that? Well, for those of us with a systems security bent, the world is an interesting place at the moment. We're seeing a growth in distributed systems, as bandwidth is cheap and latency low. Add to this the ease of deploying to the cloud, and more architects are beginning to realise that they can break up applications, not just into multiple layers, but also into multiple components within the layer. Load balancers, of course, help with this when the various components in a layer are performing the same job, but the ability to expose different services as small components has led to a growth in the design, implementation, and deployment of microservices.

Ubuntu 17.10 Users Get Major Kernel Update, 20 Security Vulnerabilities Patched

Filed under
Security

If you're using the latest Ubuntu 17.10 (Artful Aardvark) operating system on your personal computer, you should know that it received its first major kernel update since the official release on October 19, 2017. The update addresses a total of 20 security vulnerabilities for Ubuntu 17.10's Linux 4.13 kernel packages, including the Raspberry Pi 2 one.

Among the security issues patched in this update, five are related to the Linux kernel's USB subsystem, including a use-after-free vulnerability, which could allow a physically proximate attacker to crash the affected system by causing a denial of service (DoS attack) or possibly execute arbitrary code. Three others are related to the ALSA subsystem, including a race condition.


Security: Updates, Intel, Uber and HBO

Filed under
Security

More in Tux Machines

Plasma 5.12.5 bugfix update for Kubuntu 18.04 LTS – Testing help required

Are you using Kubuntu 18.04, our current LTS release? We currently have the Plasma 5.12.5 LTS bugfix release available in our Updates PPA, but we would like to provide the important fixes and translations in this release to all users via updates in the main Ubuntu archive. This would also mean these updates would be provided by default with the 18.04.1 point release ISO expected in late July.

New Arduino boards include first FPGA model

Arduino launched a “MKR Vidor 4000” board with a SAMD21 MCU and Cyclone 10 FPGA, as well as an “Uno WiFi Rev 2” with an ATmega4809 MCU. Both boards have a crypto chip and an ESP32-based WiFi module. In conjunction with this weekend’s Maker Faire Bay Area, Arduino launched two Arduino boards that are due to ship at the end of June. The MKR Vidor 4000 is the first Arduino board equipped with a field programmable gate array (FPGA). The Intel Cyclone 10 FPGA will be supported with programming libraries and a new visual editor. The Arduino Uno WiFi Rev 2, meanwhile, revises the Arduino Uno WiFi with a new Microchip ATmega4809 MCU. It also advances to an ESP32-based u-blox NINA-W102 WiFi module, which is also found on the Vidor 4000.

DragonFlyBSD 5.3 Works Towards Performance Improvements

Given that DragonFlyBSD recently landed some SMP performance improvements and other performance optimizations in its kernel for 5.3-DEVELOPMENT, and has also finished tidying up its Spectre mitigation, this weekend I spent some time running some benchmarks on DragonFlyBSD 5.2 and 5.3-DEVELOPMENT to see how the performance has shifted on an Intel Xeon system.

Red Hat News: KVM, OpenStack Platform 13 and More