Language Selection

English French German Italian Portuguese Spanish

Security

Security: Patches and Unpatched Systems

Filed under
Security

Security: "Bad Microsoft", Deloitte, Ransom, Equifax, Linux and Phish For the Future

Filed under
Security
  • Risky Business #471 -- Good Microsoft, bad Microsoft

    On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require man in the middle to exploit the failure. Ummm. What?

  • Deloitte did little to ensure safety of data: claim

    The data breach at accountancy firm Deloitte shows that while the company may know a great deal about security, it appears to have done little to make sure that the vast amount of data it has is safe, the head of a cyber security firm claims.

  • SMBs paid US$301m as ransom in last year: survey

    Data protection company Datto has released the results of a ransomware survey based on data from 1700 managed service providers which shows that a sum of US$301 million was paid to attackers between the second quarter of 2016 and the second quarter of 2017.

  • Equifax CEO to collect $90 million: report

    Smith, who announced his retirement Tuesday, will collect about $72 million this year and $17.9 million in coming years, according to Fortune. This reportedly adds up to about 63 cents for each customer who was potentially exposed in the company’s data breach.

  • Linux Kernel Bug Reclassified as Security Issue After Two Years

    Multiple Linux distros are issuing security updates for OS versions that still use an older kernel branch after it recently came to light that a mild memory bug was in reality much worse, and the bug was recently categorized as a security flaw.

    The original bug was discovered by Michael Davidson, a Google employee, back in April 2015 and was fixed in Linux kernel 4.0.

  • Phish For the Future

    This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.

    This campaign appears to have been aimed at stealing credentials for various business services including Google, Dropbox, and LinkedIn. At least one account was compromised and was used to send out additional spearphishing emails to others in the organization. Because the compromised account had been neglected for years and contained no recent activity, we suspect the attackers were trying to leverage trust in order to compromise a more recent or high-value account. We were unable to determine what the secondary goal of the campaign was after the credentials were stolen. The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time.

Security: Wi-Fi Patches, Equifax, Deloitte, NSA's EternalBlue Exploit and TalkTalk

Filed under
Security

Security: Deloitte, AWS, CCleaner, Equifax, Optionsbleed

Filed under
Security
  • Source: Deloitte Breach Affected All Company Email, Admin Accounts

     

    Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.  

  • Security breach exposes data from half a million vehicle tracking devices

     

    The exposed data, which includes customer credentials, was unearthed through a misconfigured Amazon AWS S3 bucket that was left publically available, and because it wasn't protected by a password, could allow anyone to pinpoint locations visited by customers of the vehicle tracking firm.

  • CCleaner backdoor infecting millions delivered mystery payload to 40 PCs

    At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.

  • Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

    This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conducts the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credits cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.    

    Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

    While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear.  That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

  • New breach, same lessons

    The story of recent breaches at the credit-rating agency Equifax, which may have involved the personal details of nearly 150 million people, has probably just begun, given the confusion that still surrounds events. But it’s brought the security of open source software to the fore yet again, and highlighted the ongoing struggle organizations still have with cybersecurity.

  • Apache “Optionsbleed” vulnerability – what you need to know [Ed: The security FUD complex came up with a buzzword: Optionsbleed. But it fails to (over)sell this hype.]

Security: Deloitte, Ransomware, Equifax, Denmark, and macOS 0-Day

Filed under
Security
  • Deloitte hack exposes secret emails and plans from firm's blue-chip clients

    Hackers [sic] are said to have accessed confidential emails and plans of Deloitte's blue-chip clients, along with usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

  • Deloitte hit by cyber-attack revealing clients’ secret emails

    Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.

  • A quarter of local UK councils have fallen victim to ransomware

    115 councils (27 per cent) said they had been victims of security ransoms, while 43 per cent said they hadn't.

  • Equifax CEO Richard Smith Retires as Breach Fallout Continues

    Equifax's massive data breach has claimed another victim - Richard Smith, the company's CEO and Chairman of the Board. Equifax announced that Smith is retiring from his role at the company, effective Sept. 26.

    "The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith stated. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."

    Equifax announced on Sept. 7 that it was the victim of a data breach the exposed personally identifiable information on 143 million Americans. The company initially reported that it first became aware of the breach on July 29, though subsequent reports have alleged that the company was breached as early as March.

  • Denmark continues its work on cyber security plan

    Denmark’s Ministry of Finance is to finalise Denmark’s national strategy for cyber and information security. The ministry recently took over coordination of the plans, which previously were being prepared by the Ministry of Defence. The strategy is to be presented early next year, reports Denmark’s Agency for Digitisation (Digitaliseringsstyrelsen - DIGST).

  • Password-theft 0-day imperils users of High Sierra and earlier macOS versions

    There's a vulnerability in High Sierra and earlier versions of macOS that allows rogue applications to steal plaintext passwords stored in the Mac keychain, a security researcher said Monday. That's the same day the widely anticipated update was released.

    The Mac keychain is a digital vault of sorts that stores passwords and cryptographic keys. Apple engineers have designed it so that installed applications can't access its contents without the user entering a master password. A weakness in the keychain, however, allows rogue apps to steal every plaintext password it stores with no password required. Patrick Wardle, a former National Security Agency hacker who now works for security firm Synack, posted a video demonstration here.

Security: Updates, CCleaner, and Capsule8

Filed under
Security
  • Security updates for Monday
  • CCleaner malware may be from Chinese group: Avast

    Security company Avast says it has found similarities between the code injected into CCleaner and the APT17/Aurora malware created by a Chinese advanced persistent threat group in 2014/2015.

  • Capsule8 Raises New Funds to Help Improve Container Security

    Container security startup Capsule8 is moving forward with beta customer deployments and a Series A round of funding, to help achieve its vision of providing a secure, production-grade approach to container security.

    The Series A round of funding was announced on Sept. 19, with the company raising $6 million, led by Bessemer and ClearSky, bringing total funding to date up to $8.5 million. Capsule8 first emerged from stealth in February 2017, though its' core technology product still remains in private beta as the company fine-tunes the platform for production workload requirements.

Security: Adobe and Apple Fail/Fare Badly

Filed under
Security
  • In spectacular fail, Adobe security team posts private PGP key on blog

    Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

  • Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments

    Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. 

    With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

Filed under
Security
  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed

    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”

  • Joomla patches eight-year-old critical CMS bug

    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains.

    This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin.

    Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS.

    Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.

  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

Security: FOSS Updates, SEC, CCleaner

Filed under
Security
  • Security updates for Friday
  • SEC Chairman reveals financial reporting system was hacked
  • CCleaner malware outbreak is much worse than it first appeared
  • CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

    At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

    And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

Syndicate content

More in Tux Machines

Today in Techrights

Android Leftovers

GNU/Linux on Desktop/Phone: System76, DeX, Librem

  • Pop!_OS Is Finally Here — System76’s Ubuntu-based Operating System For Developers
    The first ever stable release of Pop!_OS is finally here. You can go ahead and download it from this link. Don’t forget to share your feedback. Earlier this year in June, we reported that System76 is creating its own Linux distro called Pop!_OS.
  • Samsung DeX Promises to Bring the Linux PC Experience to Your Mobile Device
    After unveiling its next-generation Bixby 2.0 intelligent assistant, Samsung today announced that it plans to bring the Linux PC experience to the Samsung DeX ecosystem.
  • Steps toward a privacy-preserving phone
    What kind of cell phone would emerge from a concerted effort to design privacy in from the beginning, using free software as much as possible? Some answers are provided by a crowdfunding campaign launched in August by Purism SPC, which has used two such campaigns successfully in the past to build a business around secure laptops. The Librem 5, with a five-inch screen and radio chip for communicating with cell phone companies, represents Purism's hope to bring the same privacy-enhancing vision to the mobile space, which is much more demanding in its threats, technology components, and user experience. The abuse of mobile phone data has become a matter of worldwide concern. The capture and sale of personal data by apps is so notorious that it has been covered in USA Today; concerns over snooping contribute to the appeal of WhatsApp (which has topped 1.3 billion users) and other encrypted and privacy-conscious apps. But apps are only one attack vector. I got in touch with Todd Weaver, founder and CEO of Purism, to find out what the company is doing to plug the leaks in mobile devices.

Servers: DockerCon Coverage, MongoDB IPO

  • DockerCon EU 17 Panel Debates Docker Container Security
    There are many different security capabilities that are part of the Docker container platform, and there are a number of vendors providing container security offerings. At the DockerCon EU 17 conference in Copenhagen, Denmark, eWEEK moderated a panel of leading vendors—Docker, Hewlett Packard Enterprise, Aqua Security, Twistlock and StackRox—to discuss the state of the market. To date, there have been no publicly disclosed data breaches attributed to container usage or flaws. However, that doesn't mean that organizations using containers have not been attacked. In fact, Wei Lien Dang, product manager at StackRox, said one of his firm's financial services customers did have a container-related security incident.
  • DockerCon EU: Tips and Tools for Running Container Workloads on AWS
    Amazon Web Services wants to be a welcome home for developers and organizations looking to deploy containers. At the DockerCon EU conference here, a pair of AWS technical evangelists shared their wisdom on the best ways to benefit from container deployments. The terms microservices and containers are often used interchangeably by people. Abby Fuller, technical evangelist at AWS, provided the definition of microservices coined by Adrian Crockford, VP of Cloud Architecture at AWS and formerly the cloud architect at Netflix.
  • Docker CEO: Embracing Kubernetes Removes Conflict
    Steve Singh has ambitious plans for Docker Inc. that are nothing less than transforming the world of legacy applications into a modern cloud-native approach. Singh was named CEO of Docker on May 2 and hosted his first DockerCon event here Oct. 16-19. The highlight of DockerCon EU was the surprise announcement that Docker is going to support the rival open-source Kubernetes container orchestration system. In a video interview with eWEEK, Singh explained the rationale behind the Kubernetes support and provided insight into his vision for the company he now leads.
  • MongoDB's IPO Beats the Market Out of the Gate
    The folks at MongoDB raised a whole lot of money today in their debut on NASDAQ. Yesterday the open source company announced it was going to be asking $24 a share for the 8 million Class A shares it was letting loose in its IPO, which had some Wall Street investors scratching their heads and wondering if the brains at Mongo were suffering from some kind of undiagnosed damage. Analysts had been estimating an opening price of between $20-22 per share, and on October 6 the company had estimated an opening price in the range of $18-20.