Security

Security News

Filed under
Security
  • Computers That Don't Track You

    Todd Weaver, the Founder and CEO of Purism, shows Leo Laporte and Aaron Newcomb the Librem line of secure Linux computers. They discuss PureOS, the operating system based on Debian, and how the computers are sourced and built. Plus, he talks about their line of no-carrier, encrypted smartphones coming next year.

  • The state of cyber security: we’re all screwed

    When cybersecurity professionals converged in Las Vegas last week to expose vulnerabilities and swap hacking techniques at Black Hat and Defcon, a consistent theme emerged: the internet is broken, and if we don’t do something soon, we risk permanent damage to our economy.

    “Half of all Americans are backing away from the net due to fears regarding security and privacy,” longtime tech security guru Dan Kaminsky said in his Black Hat keynote speech, citing a July 2015 study by the National Telecommunications and Information Administration. “We need to go ahead and get the internet fixed or risk losing this engine of beauty.”

  • Oh, not again: US reportedly finds new secret software in VW diesels [Ed: cannot trust proprietary software]

    Volkswagen first ended up in this situation after it admitted to intentionally installing secret software in its 2.0-liter diesels. That software curtailed nitrogen oxide emissions in lab-testing environments, but once on the road, the diesels would pollute well in excess of legal limitations. It was allegedly used in response to ever-stricter emissions regulations.

  • Chinese Hunting Chinese Over POP3 In Fjord Country

    More specifically, here at bsdly.net we've been seeing attempts at logging in to the pop3 mail retrieval service using usernames that sound distinctively like Chinese names, and the attempts originate almost exclusively from Chinese networks.

  • 'Sauron' spyware attacking targets in Belgium, China, Russia and Sweden

    A previously unknown hacking group called Strider has been conducting cyber espionage against selected targets in Belgium, China, Russia and Sweden, according to Symantec.

    The security firm suggested that the product of the espionage would be of interest to a nation state's intelligence services.

    Strider uses malware known as Remsec that appears primarily to have been designed for espionage, rather than as ransomware or any other nefarious software.

    Symantec has linked Strider with a group called Flamer which uses similar attack techniques and malware.

    The Lord of the Rings reference is deliberate as the Remsec stealth tool contains a reference to Sauron, the necromancer and main protagonist in a number of Tolkien's stories.

    "Strider has been active since at least October 2011. The group has maintained a low profile until now and its targets have been mainly organisations and individuals that would be of interest to a nation state's intelligence services," said Symantec in a blog post.

  • New MacBooks expected to feature Touch ID power button as well as OLED touch-panel [iophk: "as UID or password? Former is ok latter is insecure"]

    A source who has provided reliable information in the past has informed us that the new MacBook Pro models, expected to be launched in the fall, will feature a Touch ID power button as well as the previously-reported OLED touch-sensitive function keys.

  • it’s hard work printing nothing

    It all starts with a bug report to LibreSSL that the openssl tool crashes when it tries to print NULL. This bug doesn’t manifest on OpenBSD because libc will convert NULL strings to ”(null)” when printing. However, this behavior is not required, and as observed, it’s not universal. When snprintf silently accepts NULL, that simply leads to propagating the error.

  • London's Met Police has missed the Windows XP escape deadline [Ed: known problem, London's police is a prisoner of NSA and also China, Russia etc. [1, 2]]

    London’s Metropolitan Police has missed its deadline to dump Windows XP, with tens of thousands of copper still running the risky OS.

    The force, on the front line against terrorist threats and criminals in the capital city, is running Windows XP on around 27,000 PCs.

    At last count, in May 2015, the Met had a total of 35,640 PCs, with 34,920 of them running XP. Policemen set themselves a deadline of March 2016 to finish migrating to Windows 8.1.

    London Mayor Sadiq Khan, however, has apparently now revealed that just 8,000 of the force’s PCs have moved to Windows 8.1 since last September. The target is for another 6,000 by the end of September 2016.

    Khan provided the update in response to a question from Conservative Greater London Assembly member Andrew Boff.

  • Met Police still running Windows XP on 27,000 computers [iophk: "forget XP, Windows in general is dangerously out of date"]

    LONDON BOYS IN BLUE the Metropolitan Police may be armed with tasers and extendable batons, but they are backed up by Windows XP in a lot of cases, which is a really bad thing.

    Windows XP no longer gets official security updates, and Microsoft sees it as the sort of thing that should be scraped off shoes before walking on the carpet.

    The company will let people pay to keep using it, but only on a case-by-case basis. We do not know the police arrangement with Microsoft, but the Met needs to accelerate the updating of its computer systems as it puts Londoners' information at risk, according to London Assembly member Andrew Boff.

Security News

  • Protect yourself from cyberattacks

    3. Install Linux (free). One big decision making factor will be the age of your computer. If your hardware is old, you may well be better off replacing it with something new.

    I mentioned Linux, which has a few advantages. Windows, as you are familiar with, is susceptible to infections by malware (viruses, adware, spyware, etc.), whereas Linux is practically invulnerable to infection. Part of that is down to the dominance of Windows, making it a big fat target, but it is also down to the Linux architecture making it extremely hard to hack. Another advantage with Linux (from my experience using Ubuntu) is that updates are generally installed without having to restart your machine. When a restart is needed, it is nice and quick, unlike a certain other operating system that spends ages ‘configuring updates’.

  • Nigerian Scammers Infect Themselves With Own Malware, Revealing New Wire-Wire Fraud Scheme [Ed: Windows]

    Once they’re in, the scammers allow the employee to continue with business as usual and discreetly monitor the account for potential financial transactions. As soon as they see that the employee is sending an invoice to a customer, they reroute it through their own email account and physically alter the account number and routing number before forwarding it on to the customer. The email address they use is often very similar to the original email address, so it’s easy to miss. Unlike spoofing, BEC techniques such as wire-wire rely on earning internal account access rather than externally impersonating a company account.

  • Is Hidden Linux Subsystem In Windows 10 Making Your PC Unsafe? [Ed: not any worse than a keylogger with back doors]
  • DARPA Cyber Grand Challenge Ends With Mayhem

    After three years of planning and lead-up contests, the finals of the Defense Advanced Research Projects Agency's Cyber Grand Challenge (CGC) to show the best in autonomous computer security concluded with a win by the Mayhem system from the ForAllSecure team, which won the $2 million grand prize. The Xandra system finished in second place, winning $1 million, while the Mechaphish system placed third, claiming $750,000.

Security Leftovers

  • Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels

    We think of our monitors as passive entities. The computer sends them data, and they somehow—magically?—turn it into pixels which make words and pictures.

    But what if that wasn’t the case? What if hackers could hijack our monitors and turn them against us?

    As it turns out, that’s possible. A group of researchers has found a way to hack directly into the tiny computer that controls your monitor without getting into your actual computer, and both see the pixels displayed on the monitor—effectively spying on you—and also manipulate the pixels to display different images.

  • Computer Expert Hacks Into Common Voting Machine in Minutes to Reveal Shocking 2016 Election Threat

    It took Princeton computer science professor Andrew Appel and one of his graduate students just minutes to hack into a voting machine still used in Louisiana, New Jersey, Virginia, and Pennsylvania, Politico reports.

    Professor Andrew Appel purchased for $82 a Sequoia AVC Advantage, one of the oldest machines still in use. Within 7 seconds, he and his student, Alex Halderman, had picked the lock open. Within minutes, the duo had removed the device’s unsecured ROM chips with their own hardware that makes it easy to alter the machine’s results.

  • Researchers Bypass Chip-and-Pin Protections at Black Hat

    Credit card companies for the most part have moved away from “swipe and signature” credit cards to chip and pin cards by this point; the technology known as EMV (Europay, MasterCard, and Visa) which is supposed to provide consumers with an added layer of security is beginning to see some wear, according to researchers.

Security News

  • PLC-Blaster Worm Targets Industrial Control Systems [Ed: Remember Stuxnet?]

    PLC-Blaster was designed to target Siemens SIMATIC S7-1200 PLCs. Siemens is Europe’s biggest engineering company and a PLC market share leader. Siemens said in March shortly after the worm was unveiled at Black Hat Asia that the malware was not exploiting a vulnerability in Siemens gear. Maik Brüggemann, software developer and security engineer at OpenSource Security, said that worms like this one are a threat to any industrial network.

    [...]

    When OpenSource Security took its findings to Siemens, the researchers were told there were no flaws in its PLC platforms using its SIMATIC S7-1200 PLC. “We were told these were not vulnerabilities and that everything worked as expected,” Brüggemann said.

  • Security Researcher explains security issues related to Windows 10 Linux subsystem at Blackhat
  • Def Con: Do smart devices mean dumb security?

    From net-connected sex toys to smart light bulbs you can control via your phone, there's no doubt that the internet of things is here to stay.

    More and more people are finding that the devices forming this network of smart stuff can make their lives easier.

  • 1 billion computer monitors vulnerable to undetectable firmware attacks

    A team led by Ang Cui (previously) -- the guy who showed how he could take over your LAN by sending a print-job to your printer -- have presented research at Defcon, showing that malware on your computer can poison your monitor's firmware, creating nearly undetectable malware implants that can trick users by displaying fake information, and spy on the information being sent to the screen.

    It's a scarier, networked, pluripotent version of Van Eck phreaking that uses an incredibly sly backchannel to communicate with the in-device malware: attackers can blink a single pixel in a website to activate and send instructions to the screen's malware.

    What's more, there's no existing countermeasure for it, and most monitors appear to be vulnerable.

Security News

  • Surveillance video shows a case of high-tech grand theft auto, more than 100 cars stolen [Ed: proprietary software, recall this about Jeep]

    Houston, Texas police announced the arrest of two men accused of stealing about 30 Jeep and Dodge vehicles. Authorities say they did it by using a laptop computer.

    Police tell KTRK they've been watching these guys for a while but were never able to catch them in the act stealing Jeeps - until last Friday.

    Police say Michael Arce and Jesse Zelaya stole more than 30 Jeeps in the Houston area over the last six months.

  • Openssh backdoor used on compromised Linux servers

    Some time ago, I installed honeypot services on one of my servers, in order to see what happens in the real outside world. I especially installed the cowrie ssh honeypot, which simulates a Linux shell and gathers binaries that people want to install on the server (this tool is awesome, check here to install it).

  • random failures

    Lots of examples of random numbers failing, leading to cryptographic failure.

    The always classic Debian, OpenSSL, and the year of the zero.

    The time Sony signed Playstation code with the same nonce and leaked the keys.

    Samy phpwned session IDs.

    The Bitcoin app Blockchain used random.org for entropy. Bonus giggles for not following the HTTP redirect, but actually using “301 Moved Permanently” as a random number.

    The paper Mining Your Ps and Qs has pretty extensive investigation into weak keys on network devices, many of which result from poor entropy.

    Now here’s a question. How many of these vulnerabilities could have been prevented by plugging in some sort of “true random” USB gizmo of the sort that regularly appears on kickstarter? I’m going to go with not many. USB gizmos don’t prevent inopportune calls to memset. USB gizmos don’t prevent nonce reuse. USB gizmos don’t block utterly retarded HTTP requests.

Security Leftovers

  • Desktop / Laptop privacy & security of web browsers on Linux part 1: concepts and theory
  • In DARPA challenge, smart machines compete to fend off cyberattacks

    The first all-machine hacking competition is taking place today in Las Vegas.

    Seven teams, each running a high-performance computer and autonomous systems, are going head-to-head to see which one can best detect, evaluate and patch software vulnerabilities before adversaries have a chance to exploit them.

    It’s the first event where machines – with no human involvement – are competing in a round of "capture the flag," according to DARPA (Defense Advanced Research Projects Agency), which is sponsoring and running the event. DARPA is the research arm of the U.S. Defense Department.

    The teams are vying for a prize pool of $3.75 million, with the winning team receiving $2 million, the runner-up getting $1 million and the third-place team taking home $750,000. The winner will be announced Friday morning.

  • Let's Encrypt will be trusted by Firefox 50

Security News

  • How Public Shame Might Force a Revolution in Computer Security

    The numbers are depressing. An estimated 700 million data records were stolen in 2015. But despite the billions spent on computer security, flaws that allow such attacks are fixed slowly. A June report found that financial companies, for example, take on average over five months to fix known online security vulnerabilities.

    “The security industry gets $75 billion every year to try to secure things, and what you get for that is everybody is hacked all the time,” said Jeremiah Grossman, chief of security strategy at SentinelOne, speaking at the Black Hat security conference in Las Vegas on Wednesday.

    Yet Grossman and some other veterans of the security industry have lately become more optimistic. They see a chance that companies will soon have much stronger financial incentives to invest in securing and maintaining software.

  • DefCon: How the Hacker Tracker Mobile App Stays Secure

    The DefCon hacker conference here at the Bally's and Paris Hotels is a massive affair with many rooms, events and workshops spread across multiple times and days. While there is a paper schedule, many hackers now rely on Hacker Tracker, which has become the de facto mobile app of the DefCon conference.

    The Hacker Tracker was developed by two volunteers, Whitney Champion, systems engineer at SPARC, and Seth Law, chief security officer at nVisium. Champion built the Android version of the app while Law built the iOS version.

    In a video interview at DefCon, Law provided details on how Hacker Tracker is built and the steps he and Champion have taken to keep it and hacker data secure.

  • Windows 10 Linux Feature Brings Real, but Manageable Security Risks [Ed: Vista 10 is malware with intentional (baked in) back doors, Linux and GNU won’t make it any worse]

    The Bash shell support in the Anniversary Update for Windows 10 is a valuable tool for developers, but it needs to be used carefully because of potential security risks.

  • Linux Botnets Dominate the DDoS Landscape [Ed: Kaspersky marketing]

Security News

  • Friday's security updates
  • How to Hack an Election in 7 Minutes

    When Princeton professor Andrew Appel decided to hack into a voting machine, he didn’t try to mimic the Russian attackers who hacked into the Democratic National Committee's database last month. He didn’t write malicious code, or linger near a polling place where the machines can go unguarded for days.

  • Apache OpenOffice and CVE-2016-1513

    The Apache OpenOffice (AOO) project has suffered from a lack of developers for some time now; releases are infrequent and development of new features is relatively slow. But a recent security advisory for CVE-2016-1513 is rather eye-opening in that it further shows that the project is in rough shape. Announcing a potential code execution vulnerability without quickly providing a new release of AOO may be putting users of the tool at more risk than they realize.

More in Tux Machines

Leftovers: Software

  • A Quick Hands-On With Chatty, A Desktop Twitch Chat Client
    Chatty is a desktop Twitch Chat client for Windows, macOS and Linux written in Ja
  • HP Linux Imaging and Printing 3.16.8 Adds Support for Linux Mint 18, Fedora 24
    The open-source HP Linux Imaging and Printing (HPLIP) project has been updated on August 29, 2016, to version 3.16.8, a maintenance update that adds support for new printers and GNU/Linux operating systems. According to the release notes, HP Linux Imaging and Printing 3.16.8 adds support for new all-in-one HP printers, including HP OfficeJet Pro 6970, HP OfficeJet Pro 6960, HP OfficeJet 250 Mobile, HP DeskJet 3700, as well as HP DeskJet Ink Advantage 3700. Also new in the HPLIP 3.16.8 update is support for the recently released Linux Mint 18 "Sarah" Cinnamon, MATE, Xfce, and the upcoming KDE editions, the Fedora 24 Linux operating system, as well as the Debian GNU/Linux 8.5 "Jessie" distribution. So if you're using any of these OSes, you can now update to the latest HPLIP release.
  • MPlayer-Based MPV 0.20.0 Video Player Released with New Options and Commands
    The popular, open-source, and cross-platform MPV video player software received a new update, version 0.20.0, which comes only two weeks after the previous 0.19.0 maintenance release. MPV 0.20.0 is not a major update, and, according to the release notes, it only implements a couple of new options and commands, such as "--video-unscaled=downscale-big" for changing the aspect ratio. Additionally, the MPlayer-based video playback application also gets the "--image-display-duration" option for controlling the duration of image display, and a new "dcomposition" flag for controlling DirectComposition.
  • FFmpeg 3.1.3 "Laplace" Open-Source Multimedia Framework Now Available for Linux
    The major FFmpeg 3.1 "Laplace" open-source and cross-platform multimedia framework has recently received its third maintenance update, version 3.1.3, which brings updated components. FFmpeg 3.1 was announced two months ago, at the end of June, and it introduced a multitude of new features to make the popular multimedia backend even more reliable and handy to game and application developers. Dubbed Laplace, FFmpeg 3.1 is currently the most advanced FFmpeg release, cut from Git master on June 26, 2016.
  • GNU Scientific Library 2.2 released
    Version 2.2 of the GNU Scientific Library (GSL) is now available. GSL provides a large collection of routines for numerical computing in C. This release contains new linear algebra routines (Pivoted and Modified Cholesky, Complete Orthogonal Decomposition, matrix condition number estimation) as well as a completely rewritten nonlinear least squares module, including support for Levenberg-Marquardt, dogleg, double-dogleg, and Steihaug-Toint methods. The full NEWS file entry is appended below.

today's howtos

Leftovers: OSS

  • Report: If DOD Doesn't Embrace Open Source, It'll 'Be Left Behind'
    Unless the Defense Department and its military components levy increased importance on software development, they risk losing military technical superiority, according to a new report from the Center for a New American Security. In the report, the Washington, D.C.-based bipartisan think tank argues the Pentagon, which for years has relied heavily on proprietary software systems, “must actively embrace open source software” and buck the status quo. Currently, DOD uses open source software “infrequently and on an ad hoc basis,” unlike tech companies like Google, Amazon and Facebook that wouldn’t exist without open source software.
  • The Honey Trap of Copy/Pasting Open Source Code
    I couldn’t agree more with Bill Sourour’s article ‘Copy.Paste.Code?’ which says that copying and pasting code snippets from sources like Google and StackOverflow is fine as long as you understand how they work. However, the same logic can’t be applied to open source code. When I started open source coding at the tender age of fourteen, I was none the wiser to the pitfalls of copy/pasting open source code. I took it for granted that if a particular snippet performed my desired function, I could just insert it into my code, revelling in the fact that I'd just gotten one step closer to getting my software up and running. Yet, since then, through much trial and error, I’ve learned a thing or two about how to use open source code effectively.
  • Affordable, Open Source, 3D Printable CNC Machine is Now on Kickstarter
    The appeals of Kickstarter campaigns are many. There are the rewards for backers, frequently taking the form of either deep discounts on the final product or unusual items that can’t be found anywhere else. Pledging to support any crowdfunding campaign is a gamble, but it’s an exciting gamble; just browsing Kickstarter is pretty exciting, in fact, especially in the technological categories. Inventive individuals and startups offer new twists on machines like 3D printers and CNC machines – often for much less cost than others on the market.
  • Open Standards and Open Source
    Much has changed in the telecommunications industry in the years since Standards Development Organizations (SDOs) such as 3GPP, ITU and OMA were formed. In the early days of telecom and the Internet, as fundamental technology was being invented, it was imperative for the growth of the new markets that standards were established prior to large-scale deployment of technology and related services. The process for development of these standards followed a traditional "waterfall" approach, which helped to harmonize (sometimes competing) pre-standard technical solutions to market needs.

Leftovers: BSD

  • The Voicemail Scammers Never Got Past Our OpenBSD Greylisting
    We usually don't see much of the scammy spam and malware. But that one time we went looking for them, we found a campaign where our OpenBSD greylisting setup was 100% effective in stopping the miscreants' messages. During August 23rd to August 24th 2016, a spam campaign was executed with what appears to have been a ransomware payload. I had not noticed anything particularly unusual about the bsdly.net and friends setup that morning, but then Xavier Mertens' post at isc.sans.edu Voice Message Notifications Deliver Ransomware caught my attention in the tweetstream, and I decided to have a look.
  • Why FreeBSD Doesn't Aim For OpenMP Support Out-Of-The-Box