Language Selection

English French German Italian Portuguese Spanish

Security

Security: WPA2, Smartwatches, Google, NSA, Microsoft and Flexera FUD

Filed under
Security
  • WPA2 flaw's worst impact on Android, Linux devices

    The flaw in the WPA2 wireless protocol revealed recently has a critical impact on Android phones running version 6.0 of the mobile operating system and Linux devices, a security researcher says.

  • Why the Krack Wi-Fi Mess Will Take Decades to Clean Up

    But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.

  • 'All wifi networks' are vulnerable to hacking, security expert discovers

    WPA2 protocol used by vast majority of wifi connections has been broken by Belgian researchers, highlighting potential for internet traffic to be exposed

  • Kids' smartwatches can be 'easily' hacked, says watchdog

    Smartwatches bought for children who do not necessarily need them can be hacked [sic], according to a warning out of Norway and its local Consumer Council (NCC).

  • John Lewis pulls children's smartwatch from sale over spying fears

    The Norwegian Consumer Council (NCC) revealed that several brands of children’s smartwatch, have such poor security controls that hackers [sic] could easily follow their movements and eavesdrop on conversations.

  • Google's 'Advanced Protection' Locks Down Accounts Like Never Before

    Google hasn't shared the details of what that process entails. But the CDT's Hall, whom Google briefed on the details, says it will include a "cooling-off" period that will lock the account for a period of time while the user proves his or her identity via several other factors. That slowed-down, intensive check is designed to make the account-recovery process a far less appealing backdoor into victims' data.

  • NSA won't say if it knew about KRACK, but don't look to this leaked doc for answers

    Given how involved the NSA has been with remote and local exploitation of networks, systems, devices, and even individuals, many put two and two together and assumed the worst.

    What compounded the matter was that some were pointing to a 2010-dated top secret NSA document leaked by whistleblower Edward Snowden, which detailed a hacking tool called BADDECISION, an "802.11 CNE tool" -- essentially an exploit designed to target wireless networks by using a man-in-the-middle attack within range of the network. It then uses a frame injection technique to redirect targets to one of the NSA's own servers, which acts as a "matchmaker" to supply the best malware for the target device to ensure it's compromised for the long-term. The slide said the hacking tool "works for WPA/WPA2," suggesting that BADDECISION could bypass the encryption.

    Cue the conspiracy theories. No wonder some thought the hacking tool was an early NSA-only version of KRACK.

  • You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early [Ed: Says the company that gives back doors to the NSA and attacks FOSS with patents, lobbying etc.]
  • Why Open Source Security Matters for Healthcare Orgs [Ed: marketing slant for firms that spread FUD]

    Open source software can help healthcare organizations remain flexible as they adopt new IT solutions, but if entities lack open source security measures it can lead to larger cybersecurity issues. A recent survey found that organizations in numerous industries might not be paying enough attention to potential open source risk factors.

    Half of all code used in commercial and Internet of Things (IoT) software products is open source, but only 37 percent of organizations have an open source acquisition or usage policy, according to a recent Flexera report.

    More than 400 commercial software suppliers and in-house software development teams were interviewed, with respondent roles including software developers, DevOps, IT, engineering, legal, and security.

Security: WPA2, RSA/TPM, and Microsoft Breach

Filed under
Security
  • Google and Apple yet to fix Wi-Fi hole in a billion devices

    The WPA2 security protocol has been a mandatory requirement for all devices using the Wi-Fi protocol since 2006, which translates into billions of laptops, mobiles and routers. The weakness identified by Mathy Vanhoef, a digital security researcher at the Catholic University of Leuven (KUL) in Belgium, lies in the way devices running WPA2 encrypt information.

  • The Flawed System Behind the Krack Wi-Fi Meltdown

    No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.

  • Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

    Security experts say the bug has been present since 2012 and found specifically in the Infineon’s Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.

  • ROCA: RSA encryption key flaw puts 'millions' of devices at risk

    This results in cyber criminals computing the private part of an RSA key and affects chips manufactured from 2012 onwards, which are now commonplace in the industry.

  • Infineon RSA Key Generation Issue

    Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

  • Microsoft remains tight-lipped about 2013 internal database hack [sic]

    A secretive internal database used by Microsoft to track bugs in its software was compromised by hackers [sic] in 2013.

  • Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

    Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking [sic] group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

Microsoft never disclosed 2013 hack of secret vulnerability database

Filed under
Microsoft
Security

Hackers broke into Microsoft's secret, internal bug-tracking database and stole information related to vulnerabilities that were exploited in later attacks. But the software developer never disclosed the breach, Reuters reported, citing former company employees.

In an article published Tuesday, Reuters said Microsoft's decision not to disclose details came after an internal review concluded the exploits used in later attacks could have been discovered elsewhere. That investigation relied, in part, on automated reports Microsoft receives when its software crashes. The problem with that approach, Reuters pointed out, is that advanced computer attacks are written so carefully they rarely cause crashes.

Reuters said Microsoft discovered the database breach in early 2013, after a still-unknown hacking group broke into computers belonging to a raft of companies. Besides Microsoft, the affected companies included Apple, Facebook, and Twitter. As reported at the time, the hackers infected a website frequented by software developers with attack code that exploited a zero-day vulnerability in Oracle's Java software framework. When employees of the targeted companies visited the site, they became infected, too.

Read more

Parrot Security OS 3.9 Ethical Hacking & Penetration Testing Distro Now in Beta

Filed under
Security

The Parrot Project began work on a new version of their Linux-based ethical hacking and penetration testing operating system, Parrot Security OS 3.9, and they recently put out a call for testing.

Read more

Security: Let’s Encrypt, Updates, Google, DHS, Adobe

Filed under
Security

Security: WPA2, CVE-2017-15265, Fuzzing, Hyperledger

Filed under
Security
  • Fedora Dev Teaches Users How to Protect Their Wi-Fi Against WPA2 KRACK Bug

    Former Fedora Project leader Paul W. Frields talks today about how to protect your Fedora computers from the dangerous WPA2 KRACK security vulnerability that affects virtually any device using the security protocol to connect to the Internet.

  • WPA2 was kracked because it was based on a closed standard that you needed to pay to read

    How did a bug like krack fester in WPA2, the 13-year-old wifi standard whose flaws have rendered hundreds of millions of devices insecure, some of them permanently so?

    Thank the IEEE's business model. The IEEE is the standards body that developed WPA2, and they fund their operations by charging hundreds of dollars to review the WPA2 standard, and hundreds more for each of the standards it builds upon, so that would-be auditors of the protocol have to shell out thousands just to start looking.

    It's an issue that Carl Mamamud, Public Resource and the Electronic Frontier Foundation have been fighting hard on for years, ensuring that the standards that undergird public safety and vital infrastructure are available for anyone to review, audit and criticize.

  • Patch Available for Linux Kernel Privilege Escalation

    The issue — tracked as CVE-2017-15265 — is a use-after-free memory corruption issue that affects ALSA (Advanced Linux Sound Architecture), a software framework included in the Linux kernel that provides an API for sound card drivers.

  • ​Linus Torvalds says targeted fuzzing is improving Linux security

    Announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds has revealed that fuzzing is producing a steady stream of security fixes.

    Fuzzing involves stress testing a system by generating random code to induce errors, which in turn may help identify potential security flaws. Fuzzing is helping software developers catch bugs before shipping software to users.

  • Devsecops: Add security to complete your devops process [Ed: more silly buzzwords]
  • Companies overlook risks in open source software [Ed: marketing disguised as "news" (and which is actually FUD)]
  • Q&A: Does blockchain alleviate security concerns or create new challenges?

    According to some, blockchain is one of the hottest and most intriguing technologies currently in the market. Similar to the rising of the internet, blockchain could potentially disrupt multiple industries, including financial services. This Thursday, October 19 at Sibos in Toronto, Hyperledger’s Security Maven Dave Huseby will be moderating a panel “Does Blockchain technology alleviate security concerns or create new challenges?” During this session, experts will explore whether the shared nature of blockchain helps or hinders security.

Ubuntu, Debian, Fedora and elementary OS All Patched Against WPA2 KRACK Bug

Filed under
Security

As you are aware, there's a major WPA2 (Wi-Fi Protected Access II) security vulnerability in the wild, affecting virtually any device or operating system that uses the security protocol, including all GNU/Linux distributions.

Read more

Security Leftovers

Filed under
Security
  • Google and IBM launch open-source security tool for containers

    Google and IBM, together with a few other partners, released an open-source project that gathers metadata that developers can use to secure their software.

    According to an IBM blog post, the goal of the project is to help developers keep security standards, while microservices and containers cut the software supply chain.

  • Top 10 Hacking Techniques Used By Hackers

    We live in a world where cyber security has become more important than physical security, thousands of websites and emails are hacked daily. Hence, It is important to know the Top hacking techniques used by hackers worldwide to exploit vulnerable targets all over the internet.

  • Protect your wifi on Fedora against KRACK

    You may have heard about KRACK (for “Key Reinstallation Attack”), a vulnerability in WPA2-protected Wi-Fi. This attack could let attackers decrypt, forge, or steal data, despite WPA2’s improved encryption capabilities. Fear not — fixes for Fedora packages are on their way to stable.

  • Federal watchdog tells Equifax—no $7.25 million IRS contract for you

    The Government Accountability Office (GAO) on Monday rejected Equifax's bid to retain its $7.25 million "taxpayer identity" contract—the one awarded days after Equifax announced it had exposed the Social Security numbers and other personal data of some 145 million people.

  • Adobe Flash vulnerability exploited by BlackOasis hacking group to plant FinSpy spyware

    Security researchers have discovered a new Adobe Flash vulnerability that has already been exploited by hackers to deploy the latest version of FinSpy malware on targets. Kaspersky Lab researchers said a hacker group called BlackOasis has already taken advantage of the zero-day exploit – CVE-2017-11292 – to deliver its malicious payload via a Microsoft Word document.

  • Companies turn a blind eye to open source risk [Ed: No, Equifax got b0rked due to bad practices, negligence, incompetence, not FOSS]

    For instance, criminals who potentially gained access to the personal data of the Equifax customers exploited an Apache Struts CVE-2017-5638 vulnerability.

  • Checking Your Passwords Against the Have I Been Pwned List

    Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.

Security: Equifax, Grafeas, Updates and Open Source Security Podcast

Filed under
Security

Security Leftovers

Filed under
Security
  • Outlook, Office 2007 slowly taken behind the shed, shots heard

    A decade after their release, Microsoft Office 2007 and Outlook 2007 today fell out of extended support. Gaze teary-eyed at your installation discs. The software has entered the Long Dark Tea-Time of the Soul.

    The cutoff has been coming for some time, of course, but if you're of a nostalgic bent, the Outlook 2007 epitaph is here, and the somewhat longer (with more dates to absorb) Office 2007 farewell is here.

    With extended support ending for both 2007-era families, no new features, bug fixes, security patches, nor support, will be available in future for the programs.

  • Researchers Reveal Critical KRACK Flaws in WPA WiFi Security

    The WPA2 protocol which is widely used to secure WiFi traffic is at risk from multiple vulnerabilities, collectively referred to as "KRACK Attacks" that were publicly disclosed on Oct. 16

    "Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted," the vulnerability disclosure warns."The attack works against all modern protected Wi-Fi networks."

    KRACK is an acronym for Key Reinstallation Attacks, which were discovered by security research Mathy Vanhoef and Frank Piessens working at Belgian University KU Leuven. The researchers have disclosed the details of the KRACK attack in a research paper and plan on discussing it further in talks at the Computer and Communications Security (CCS) and Black Hat Europe conferences later this year.

  • The World Once Laughed at North Korean Cyberpower. No More.
Syndicate content

More in Tux Machines

Android Leftovers

Linux Foundation Leftovers

  • Cloud Foundry eyes China’s market with Alibaba Cloud’s membership
    Alibaba Cloud announced it is deploying Cloud Foundry on its infrastructure alongside joining the Cloud Foundry Foundation as a gold member.
  • Cloud Foundry Remains Committed, Cautious on Kubernetes
    The Cloud Foundry Foundation continues to garner strong support from the developer community. But the ongoing surge in interest around the use of Kubernetes to exploit containers for cloud deployments has placed a focus on how the Cloud Foundry Foundation will evolve. The topic of Kubernetes integration with Cloud Foundry was part of several sessions and keynote addresses at this week’s Cloud Foundry Summit. While the organization has tangentially begun to integrate the container orchestrator into its work, it remains cautious on a stronger embrace.
  • Kubernetes and Cloud Foundry grow closer
    Containers are eating the software world — and Kubernetes is the king of containers. So if you are working on any major software project, especially in the enterprise, you will run into it sooner or later. Cloud Foundry, which hosted its semi-annual developer conference in Boston this week, is an interesting example for this.
  • Cloud Foundry PaaS shops hone software delivery process
    Enterprises that have deployed Cloud Foundry platform as a service found it catalyzed new thinking about the application delivery process and other organizational practices.
  • Hyperledger bug bounty program goes public
    Hyperledger is an open-source project and hub for developers to work on blockchain technologies. The Hyperledger infrastructure is being developed in order to support cross-industry uses of distributed ledger technologies, most commonly associated with the exchange of cryptocurrency. [...] Over the past year, Hyperledger has formalized how blockchain projects can move from development to their first 1.0 release. This process now includes a number of security requirements, including meeting the demands of the Core Infrastructure Initiative (CII), which sets "best practice" requirements for open-source project security. In addition, up to three members of a project must be nominated to the Hyperledger security team to help triage and resolve vulnerabilities.
  • iconectiv Brings Device ID Expertise to the Linux Foundation
    The Bridgewater, New Jersey-based company iconectiv this week joined the Linux Foundation Networking Fund. iconectiv is perhaps most well-known as a Local Number Portability Administrator (LNPA). In this role the company handles the administrative work to enable people to port their phone numbers between different service providers. It operates as the LNPA for the majority of countries in the world. It was named as the LNPA for the United States in 2016, taking over the role from Neustar.

Android/Chrome: GNU/Linux on Chrome OS and Surveillance 'Apps' on Android

Mozilla: Virtual Reality in Mixed Reality, Taskcluster Development

  • Building Bold New Worlds With Virtual Reality
    From rich text to video to podcasts, the Internet era offers an array of new ways for creators to build worlds. Here at Mozilla, we are particularly excited about virtual reality. Imagine moving beyond watching or listening to a story; imagine also feeling that story. Imagine being inside it with your entire mind and body. Now imagine sharing and entering that experience with something as simple as a web URL. That’s the potential before us.
  • This Week in Mixed Reality: Issue 3
    This week we’re heads down focusing on adding features in the three broad areas of Browsers, Social and the Content Ecosystem.
  • New to me: the Taskcluster team
    At this time last year, I had just moved on from Release Engineering to start managing the Sheriffs and the Developer Workflow teams. Shortly after the release of Firefox Quantum, I also inherited the Taskcluster team. The next few months were *ridiculously* busy as I tried to juggle the management responsibilities of three largely disparate groups.
  • Taskcluster migration update: we're finished!
    Over the past few weeks we've hit a few major milestones in our project to migrate all of Firefox's CI and release automation to taskcluster. Firefox 60 and higher are now 100% on taskcluster!