Security

Security News

Filed under
Security
  • Computers That Don't Track You

    Todd Weaver, the Founder and CEO of Purism, shows Leo Laporte and Aaron Newcomb the Librem line of secure Linux computers. They discuss PureOS, the operating system based on Debian, and how the computers are sourced and built. Plus, he talks about their line of no-carrier, encrypted smartphones coming next year.

  • The state of cyber security: we’re all screwed

    When cybersecurity professionals converged in Las Vegas last week to expose vulnerabilities and swap hacking techniques at Black Hat and Defcon, a consistent theme emerged: the internet is broken, and if we don’t do something soon, we risk permanent damage to our economy.

    “Half of all Americans are backing away from the net due to fears regarding security and privacy,” longtime tech security guru Dan Kaminsky said in his Black Hat keynote speech, citing a July 2015 study by the National Telecommunications and Information Administration. “We need to go ahead and get the internet fixed or risk losing this engine of beauty.”

  • Oh, not again: US reportedly finds new secret software in VW diesels [Ed: cannot trust proprietary software]

    Volkswagen first ended up in this situation after it admitted to intentionally installing secret software in its 2.0-liter diesels. That software curtailed nitrogen oxide emissions in lab-testing environments, but once on the road, the diesels would pollute well in excess of legal limitations. It was allegedly used in response to ever-stricter emissions regulations.

  • Chinese Hunting Chinese Over POP3 In Fjord Country

    More specifically, here at bsdly.net we've been seeing attempts at logging in to the pop3 mail retrieval service using usernames that sound distinctively like Chinese names, and the attempts originate almost exclusively from Chinese networks.

  • 'Sauron' spyware attacking targets in Belgium, China, Russia and Sweden

    A previously unknown hacking group called Strider has been conducting cyber espionage against selected targets in Belgium, China, Russia and Sweden, according to Symantec.

    The security firm suggested that the product of the espionage would be of interest to a nation state's intelligence services.

    Strider uses malware known as Remsec that appears primarily to have been designed for espionage, rather than as ransomware or any other nefarious software.

    Symantec has linked Strider with a group called Flamer which uses similar attack techniques and malware.

    The Lord of the Rings reference is deliberate as the Remsec stealth tool contains a reference to Sauron, the necromancer and main protagonist in a number of Tolkien's stories.

    "Strider has been active since at least October 2011. The group has maintained a low profile until now and its targets have been mainly organisations and individuals that would be of interest to a nation state's intelligence services," said Symantec in a blog post.

  • New MacBooks expected to feature Touch ID power button as well as OLED touch-panel [iophk: "as UID or password? Former is ok latter is insecure"]

    A source who has provided reliable information in the past has informed us that the new MacBook Pro models, expected to be launched in the fall, will feature a Touch ID power button as well as the previously-reported OLED touch-sensitive function keys.

  • it’s hard work printing nothing

    It all starts with a bug report to LibreSSL that the openssl tool crashes when it tries to print NULL. This bug doesn’t manifest on OpenBSD because libc will convert NULL strings to “(null)” when printing. However, this behavior is not required, and as observed, it’s not universal. When snprintf silently accepts NULL, that simply leads to propagating the error.

  • London's Met Police has missed the Windows XP escape deadline [Ed: known problem, London's police is a prisoner of NSA and also China, Russia etc. [1, 2]]

    London’s Metropolitan Police has missed its deadline to dump Windows XP, with tens of thousands of coppers still running the risky OS.

    The force, on the front line against terrorist threats and criminals in the capital city, is running Windows XP on around 27,000 PCs.

    At last count, in May 2015, the Met had a total of 35,640 PCs, with 34,920 of them running XP. Policemen set themselves a deadline of March 2016 to finish migrating to Windows 8.1.

    London Mayor Sadiq Khan, however, has apparently now revealed that just 8,000 of the force’s PCs have moved to Windows 8.1 since last September. The target is for another 6,000 by the end of September 2016.

    Khan provided the update in response to a question from Conservative Greater London Assembly member Andrew Boff.

  • Met Police still running Windows XP on 27,000 computers [iophk: "forget XP, Windows in general is dangerously out of date"]

    LONDON BOYS IN BLUE the Metropolitan Police may be armed with tasers and extendable batons, but they are backed up by Windows XP in a lot of cases, which is a really bad thing.

    Windows XP no longer gets official security updates, and Microsoft sees it as the sort of thing that should be scraped off shoes before walking on the carpet.

    The company will let people pay to keep using it, but only on a case-by-case basis. We do not know the police arrangement with Microsoft, but the Met needs to accelerate the updating of its computer systems as it puts Londoners' information at risk, according to London Assembly member Andrew Boff.

Security News

  • Protect yourself from cyberattacks

    3. Install Linux (free). One big decision making factor will be the age of your computer. If your hardware is old, you may well be better off replacing it with something new.

    I mentioned Linux, which has a few advantages. Windows as you are familiar with, is susceptible to infections by malware (viruses, adware, spyware, etc.), whereas Linux is practically invulnerable to infection. Part of that is down to the dominance of Windows, making it a big fat target, but it is also down to the Linux architecture making it extremely hard to hack. Another advantage with Linux (from my experience using Ubuntu), is that updates are generally installed without having to restart your machine. When a restart is needed, it is nice and quick, unlike a certain other operating system that spends ages ‘configuring updates’.

  • Nigerian Scammers Infect Themselves With Own Malware, Revealing New Wire-Wire Fraud Scheme [Ed: Windows]

    Once they’re in, the scammers allow the employee to continue with business as usual and discreetly monitor the account for potential financial transactions. As soon as they see that the employee is sending an invoice to a customer, they reroute it through their own email account and physically alter the account number and routing number before forwarding it on to the customer. The email address they use is often very similar to the original email address, so it’s easy to miss. Unlike spoofing, BEC techniques such as wire-wire rely on earning internal account access rather than externally impersonating a company account.

  • Is Hidden Linux Subsystem In Windows 10 Making Your PC Unsafe? [Ed: not any worse than a keylogger with back doors]
  • DARPA Cyber Grand Challenge Ends With Mayhem

    After three years of planning and lead-up contests, the finals of the Defense Advanced Research Projects Agency's Cyber Grand Challenge (CGC) to show the best in autonomous computer security concluded with a win by the Mayhem system from the ForAllSecure team, which won the $2 million grand prize. The Xandra system finished in second place, winning $1 million, while the Mechaphish system placed third, claiming $750,000.

Security Leftovers

  • Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels

    We think of our monitors as passive entities. The computer sends them data, and they somehow—magically?—turn it into pixels which make words and pictures.

    But what if that wasn’t the case? What if hackers could hijack our monitors and turn them against us?

    As it turns out, that’s possible. A group of researchers has found a way to hack directly into the tiny computer that controls your monitor without getting into your actual computer, and both see the pixels displayed on the monitor—effectively spying on you—and also manipulate the pixels to display different images.

  • Computer Expert Hacks Into Common Voting Machine in Minutes to Reveal Shocking 2016 Election Threat

    It took Princeton computer science professor Andrew Appel and one of his graduate students just minutes to hack into a voting machine still used in Louisiana, New Jersey, Virginia, and Pennsylvania, Politico reports.

    Professor Andrew Appel purchased for $82 a Sequoia AVC Advantage, one of the oldest machines still in use. Within 7 seconds, he and his student, Alex Halderman, had picked the lock open. Within minutes, the duo had removed the device’s unsecured ROM chips with their own hardware that makes it easy to alter the machine’s results.

  • Researchers Bypass Chip-and-Pin Protections at Black Hat

    Credit card companies for the most part have moved away from “swipe and signature” credit cards to chip and pin cards by this point; the technology known as EMV (Europay, MasterCard, and Visa) which is supposed to provide consumers with an added layer of security is beginning to see some wear, according to researchers.

Security News

  • PLC-Blaster Worm Targets Industrial Control Systems [Ed: Remember Stuxnet?]

    PLC-Blaster was designed to target Siemens SIMATIC S7-1200 PLCs. Siemens is Europe’s biggest engineering company and a PLC market share leader. Siemens said in March shortly after the worm was unveiled at Black Hat Asia that the malware was not exploiting a vulnerability in Siemens gear. Maik Brüggemann, software developer and security engineer at OpenSource Security, said that worms like this one are a threat to any industrial network.

    [...]

    When OpenSource Security took its findings to Siemens, the researchers were told there were no flaws in its PLC platforms using its SIMATIC S7-1200 PLC. “We were told these were not vulnerabilities and that everything worked as expected,” Brüggemann said.

  • Security Researcher explains security issues related to Windows 10 Linux subsystem at Blackhat
  • Def Con: Do smart devices mean dumb security?

    From net-connected sex toys to smart light bulbs you can control via your phone, there's no doubt that the internet of things is here to stay.

    More and more people are finding that the devices forming this network of smart stuff can make their lives easier.

  • 1 billion computer monitors vulnerable to undetectable firmware attacks

    A team led by Ang Cui (previously) -- the guy who showed how he could take over your LAN by sending a print-job to your printer -- have presented research at Defcon, showing that malware on your computer can poison your monitor's firmware, creating nearly undetectable malware implants that can trick users by displaying fake information, and spy on the information being sent to the screen.

    It's a scarier, networked, pluripotent version of Van Eck phreaking that uses an incredibly sly backchannel to communicate with the in-device malware: attackers can blink a single pixel in a website to activate and send instructions to the screen's malware.

    What's more, there's no existing countermeasure for it, and most monitors appear to be vulnerable.

Security News

  • Surveillance video shows a case of high-tech grand theft auto, more than 100 cars stolen [Ed: proprietary software, recall this about Jeep]

    Houston, Texas police announced the arrest of two men accused of stealing about 30 Jeep and Dodge vehicles. Authorities say they did it by using a laptop computer.

    Police tell KTRK they've been watching these guys for a while but were never able to catch them in the act stealing Jeeps - until last Friday.

    Police say Michael Arce and Jesse Zelaya stole more than 30 Jeeps in the Houston area over the last six months.

  • Openssh backdoor used on compromised Linux servers

    Some time ago, I installed honeypot services on one of my servers, in order to see what happens in the real outside world. I especially installed the cowrie ssh honeypot, which simulates a Linux shell and gathers binaries that people want to install on the server (this tool is awesome, check here to install it).

  • random failures

    Lots of examples of random numbers failing, leading to cryptographic failure.

    The always classic Debian, OpenSSL, and the year of the zero.

    The time Sony signed Playstation code with the same nonce and leaked the keys.

    Samy phpwned session IDs.

    The Bitcoin app Blockchain used random.org for entropy. Bonus giggles for not following the HTTP redirect, but actually using “301 Moved Permanently” as a random number.

    The paper Mining Your Ps and Qs has pretty extensive investigation into weak keys on network devices, many of which result from poor entropy.

    Now here’s a question. How many of these vulnerabilities could have been prevented by plugging in some sort of “true random” USB gizmo of the sort that regularly appears on kickstarter? I’m going to go with not many. USB gizmos don’t prevent inopportune calls to memset. USB gizmos don’t prevent nonce reuse. USB gizmos don’t block utterly retarded HTTP requests.

Security Leftovers

  • Desktop / Laptop privacy & security of web browsers on Linux part 1: concepts and theory
  • In DARPA challenge, smart machines compete to fend off cyberattacks

    The first all-machine hacking competition is taking place today in Las Vegas.

    Seven teams, each running a high-performance computer and autonomous systems, are going head-to-head to see which one can best detect, evaluate and patch software vulnerabilities before adversaries have a chance to exploit them.

    It’s the first event where machines – with no human involvement – are competing in a round of "capture the flag," according to DARPA (Defense Advanced Research Projects Agency), which is sponsoring and running the event. DARPA is the research arm of the U.S. Defense Department.

    The teams are vying for a prize pool of $3.75 million, with the winning team receiving $2 million, the runner-up getting $1 million and the third-place team taking home $750,000. The winner will be announced Friday morning.

  • Let's Encrypt will be trusted by Firefox 50

Security News

  • How Public Shame Might Force a Revolution in Computer Security

    The numbers are depressing. An estimated 700 million data records were stolen in 2015. But despite the billions spent on computer security, flaws that allow such attacks are fixed slowly. A June report found that financial companies, for example, take on average over five months to fix known online security vulnerabilities.

    “The security industry gets $75 billion every year to try to secure things, and what you get for that is everybody is hacked all the time,” said Jeremiah Grossman, chief of security strategy at SentinelOne, speaking at the Black Hat security conference in Las Vegas on Wednesday.

    Yet Grossman and some other veterans of the security industry have lately become more optimistic. They see a chance that companies will soon have much stronger financial incentives to invest in securing and maintaining software.

  • DefCon: How the Hacker Tracker Mobile App Stays Secure

    The DefCon hacker conference here at the Bally's and Paris Hotels is a massive affair with many rooms, events and workshops spread across multiple times and days. While there is a paper schedule, many hackers now rely on Hacker Tracker, which has become the de facto mobile app of the DefCon conference.

    The Hacker Tracker was developed by two volunteers, Whitney Champion, systems engineer at SPARC, and Seth Law, chief security officer at nVisium. Champion built the Android version of the app while Law built the iOS version.

    In a video interview at DefCon, Law provided details on how Hacker Tracker is built and the steps he and Champion have taken to keep it and hacker data secure.

  • Windows 10 Linux Feature Brings Real, but Manageable Security Risks [Ed: Vista 10 is malware with intentional (baked in) back doors, Linux and GNU won’t make it any worse]

    The Bash shell support in the Anniversary Update for Windows 10 is a valuable tool for developers, but it needs to be used carefully because of potential security risks.

  • Linux Botnets Dominate the DDoS Landscape [Ed: Kaspersky marketing]

Security News

  • Friday's security updates
  • How to Hack an Election in 7 Minutes

    When Princeton professor Andrew Appel decided to hack into a voting machine, he didn’t try to mimic the Russian attackers who hacked into the Democratic National Committee's database last month. He didn’t write malicious code, or linger near a polling place where the machines can go unguarded for days.

  • Apache OpenOffice and CVE-2016-1513

    The Apache OpenOffice (AOO) project has suffered from a lack of developers for some time now; releases are infrequent and development of new features is relatively slow. But a recent security advisory for CVE-2016-1513 is rather eye-opening in that it further shows that the project is in rough shape. Announcing a potential code execution vulnerability without quickly providing a new release of AOO may be putting users of the tool at more risk than they realize.
