Language Selection

English French German Italian Portuguese Spanish


The Apache Software Foundation Blog: Apache Struts Statement on Equifax Security Breach (and More)

Filed under

Security: Microsoft Won't Patch, Kaspersky Responds, EU Cyberwar Games

Filed under
  • Microsoft won't patch Edge XSS vulnerability


    The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

  • Microsoft shrugs off Windows kernel bug that can block malware detection


    "After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000."



    "We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year. They did not deem it as a security issue.

  • Kaspersky: Ex-NSA infosec expert asks FBI to put up or shut up


    Former NSA employee and information security expert Jake Williams has told the FBI to either provide proof to the public that Kaspersky Lab products are unsafe for use or keep mum.

  • EU hosts its first cyber war games


    "The goal of the exercise is to highlight a number of strategic concerns and topics that arise in connection with any hypothetical cyber crisis. This exercise should serve as a forum for discussion at ministerial level and provide strategic guidance to address future crises," it said.

  • Cyber alert: EU ministers test responses in first computer war game [iophk: "blanket ban Microsoft in the EU"]


    After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers {sic} from shutting down more critical infrastructure or crippling corporate and government networks.  

Security: Equifax Fiasco Deepening, Apache STRUTS Blamed

Filed under
  • Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

    Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

    First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

  • Breach at Equifax May Impact 143M Americans
  • Equifax blames giant breach on vendor software flaw

    “My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post.

  • The hackers who broke into Equifax exploited a flaw in open-source server software

    The credit reporting agency Equifax announced on Sept. 7 that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, “exploited a U.S. website application vulnerability to gain access to certain files.”

  • Apache Struts vulnerability affects versions since 2008

    A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild and a patch was released, users urged to update software immediately.


    Man Yue Mo, researcher at the open source software project run by software analytics firm Semmle, Inc., headquartered in San Francisco, disclosed the remotely executable Apache Struts vulnerability, which he said was "a result of unsafe deserialization in Java" and could lead to arbitrary code execution. Mo originally disclosed the issue to Apache on July 17, 2017.  

  • So, Equifax says your data was hacked—now what?

    Yesterday, the credit reporting agency Equifax revealed that the personal data of 143 million US consumers, as well as "limited personal information for certain UK and Canadian residents," was exposed by an attack exploiting security flaws in the company's website. Social Security numbers, dates of birth, addresses, and some drivers license numbers were all exposed—information which could be used to pose as individuals to gain access to financial accounts, open new ones in their names, or file fraudulent tax returns.

  • Are you an Equifax breach victim? You could give up right to sue to find out [Updated]

    By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

    The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

  • Equifax won’t bar consumers from joining lawsuits related to breach

    Equifax announced on Friday it will not stop consumers from moving to join a class action lawsuit against the company, which suffered a severe breach on Thursday when hackers gained action to personal information belonging to 143 million people. 

    The firm's was forced to clarify its terms of service after it faced backlash when it appeared that in order to receive credit protection, consumers affected by the breach would have to give up their right to join a lawsuit over the hack. 

Security: Equifax, The Shadow Brokers, Microsoft Does Not Care About Security

Filed under
  • Equifax Is Proving Why Forced Arbitration Clauses Ought to Be Banned, Just Like the CFPB Wants to Do

    Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.

    Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.

  • Equifax and Correlatable Identifiers

    The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where the money is."

    So long as we insist on creating huge honeypots of valuable data, hackers will continue to target them. And since no security is perfect, they will eventually succeed. Computer security is difficult because computer systems are non-linear—small errors can result in huge losses. This makes failure points difficult to detect. These failure points are not usually obvious. But hackers have a lot of motivation to find them when the prize is so large.

  • TheShadowBrokers group returns with NSA UNITEDRAKE hacking malware and promises more leaks

    UNITEDRAKE is a remote access hacking tool that can be used to target Windows machines. Modular in nature, the malware can be expanded through the use of plugins to increase its capabilities so it can capture footage from webcams, tap into microphones, capture keystrokes, and more.

  • The Shadow Brokers Unveil United Rake Toolkit and Double Monthly NSA Dump Frequency

    Most people have come to know The Shadow Brokers as a hacker collective that successfully infiltrated the NSA and took some of its goodies. Over the past year or so, we have seen most of these exploits released to the public. More powerful tools remain part of the collective’s monthly subscription service, which has been operational for nearly three months now. If certain tools could earn them money, they would much rather take that option.

    There were some interesting recent changes made by The Shadow Brokers. Instead of doing just one dump of exploits each month, they are shifting things into a higher gear. There will now be two dumps per month, which can still only be paid in ZCash. Their PDF file clearly states that they have no interest in Monero, which is pretty interesting. All of the previously issued dumps are now available for purchase as well, should someone want to see what those are all about.

    The August software is called United Rake, and it is quite a powerful tool. It is a “fully extensible remote collection system.” As one would come to expect, it is designed for the world’s most popular operating system, which is still Microsoft Windows. As is the case with every exploit unveiled by The Shadow Brokers, the release comes with its own detailed manual, allegedly created by and distributed to NSA staffers at some point.

  • Microsoft won't patch Edge browser content security bypass

    Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?

    Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".

  • Bug in Windows Kernel Could Prevent Security Software From Identifying Malware
  • Bug In Windows Kernel Could Prevent Security Software From Identifying Malware

    "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.

Security: Updates, Election, Lenovo and Equifax

Filed under
  • Security updates for Thursday
  • Security updates for Friday
  • Software to capture votes in upcoming national election is insecure

    The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

    „Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.

  • The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

    You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

  • Equifax website hack exposes data for ~143 million US consumers

    Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

    The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.

  • Why the Equifax breach is very possibly the worst leak of personal info ever

    It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

Security: GPG Keysigning Protocol, Reproducible Builds, Struts and Android

Filed under
  • GPG Keysigning Protocol

    With Randa approaching, I’ll be meeting some KDE people, some for the first time. So it’s time for another GPG keysigning! The usual approach to a GPG keysigning is to have Harald organise it, that ensures a maximum amount of abiding-by-rules. But .. he’s not going to be there, this year. So this post is a random bit of throw-information-out-there about how typical KDE event keysignings work, and an annoucement of my own protocol in handling keysinging.

  • Reproducible Builds: Weekly report #123
  • 'Critical' RCE vulnerability found in open-source Struts framework
  • Boffins hijack bootloaders for fun and games on Android

    The team of nine researchers decided to look at a little-studied aspect Android architecture – the interaction between OS and chip at power-up. To get inside that operation, they built a tool dubbed “BootStomp” “designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features”.

CyberArk open-sources Conjur

Filed under
  • CyberArk open-sources Conjur

    Security vendor CyberArk has released an open-source version of its Conjur secrets management software.

    CyberArk Conjur enables DevOps teams to automatically secure and manage secrets used by machines and users to protect containerised and cloud-native applications across the DevOps pipeline, company officials said.

  • Open-source stewardship key as CyberArk moves to help devs avoid another Heartbleed

    Conjur’s credential-management technology includes specific functionality for securely managing ‘secrets’ – access keys, privileged account credentials, API keys, and other sensitive information – and Lawler expects that the release of CyberArk Conjur Community Edition to the open-source community will drive a flurry of innovation that will further raise the level of open-source security overall.

Security: NSA Data Dumps Again

Filed under

Security: Dragonfly, Zhejiang University, ‘Internet of Things’, ShadowBrokers and Protego

Filed under
  • Hackers {sic} attacking US and European energy firms could sabotage power grids [iophk: "symantec == windoze; windoze == fraud"

    Cybersecurity firm Symantec says ‘Dragonfly’ group has been investigating and penetrating energy facilities in US, Turkey and Switzerland

  • A Simple Design Flaw Makes It Astoundingly Easy To Hack {sic} Siri And Alexa

    [...] a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

  • The ‘internet of things’ is sending us back to the Middle Ages

    By gazing into this fish tank, we can see the problem with “internet of things” devices: We don’t really control them. And it’s not always clear who does – though often software designers and advertisers are involved.

  • ShadowBrokers release UNITEDRAKE NSA malware

    The ShadowBrokers group of hackers has released a remote access and control tool used by the US NSA to capture information from Windows-based machines.

    The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.

  • Shadow Brokers appear again with new exploit

    And a second, known as ETERNALROMANCE, was used to craft ransomware that was given various names — Petya (nomenclature given to ransomware that already existed), NotPetya, ExPetr, Nyetya and GoldenEye — which attacked Windows machines in Europe in June and spread to other countries.

  • Protego

    Today, September 7th 2017, WikiLeaks publishes four secret documents from the Protego project of the CIA, along with 37 related documents (proprietary hardware/software manuals from Microchip Technology Inc.). The project was maintained between 2014 and 2015.

Syndicate content

More in Tux Machines

Security: Updates, Synopsys/Black Duck FUD, and Software Security Over Convenience

  • Security updates for Tuesday
  • With Much of the Data Center Stack Open Source, Security is a Special Challenge [Ed: Black attacking FOSS again in order to sell its proprietary products; does proprietary software have no security issues? Which cannot be fixed, either?]
  • Synopsys reveals its open-source rookies of the year [Ed: Anti-FOSS company Black Duck, which markets its proprietary software by attacking FOSS (it admitted being anti-GPL since inception, created by Microsoft employee), wants the public to think of it as a FOSS authority]
  • Software security over convenience
    Recently I got inspired (paranoid ?) by my boss who cares a lot about software security. Previously, I had almost the same password on all the websites I used, I had them synced to google servers (Chrome user previously), but once I started taking software security seriously, I knew the biggest mistake I was making was to have a single password everywhere, so I went one step forward and set randomly generated passwords on all online accounts and stored them in a keystore.

MIPI-CSI camera kit runs Linux on Apollo Lake

Congatec’s rugged, Linux-driven “Conga-CAM-KIT/MIPI” camera kit combines its Intel Apollo Lake based Conga-PA5 SBC with a MIPI-CSI 2 camera from Leopard Imaging and other components. Congatec announced a Conga-CAM-KIT/MIPI camera kit, also referred to as the MIPI-CSI 2 Smart Camera Kit. The kit runs a Yocto Project based Linux distribution on Congatec’s Conga-PA5, a Pico-ITX SBC with Intel’s Apollo Lake Atom, Pentium, and Celeron SoCs. Also included is a MIPI-CSI 2 camera (LI-AR023Z-YUV-MIP) from Leopard Imaging based on ON Semiconductor’s AR0237 HD sensor. Extended temperature ranges are supported. Read more

Latest on webOS

Red Hat Leftovers