Language Selection

English French German Italian Portuguese Spanish

Security

Security: UEFI, Windows and NSA Back Doors

Filed under
Security
  • Replace Your Exploit-Ridden Firmware with Linux

    With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.

  • Your Windows Login Details Can Be Stolen By Hackers Without User Interaction

    From time to time, the security researchers continue to make us realize that Windows operating system is full of loopholes that can be exploited by hackers to steal our data. One such vulnerability was patched by Redmond in recent patch Tuesday.

  • NSA hacking tool EternalRomance found in BadRabbit

    Several research firms have named EternalRomance as the tool BadRabbit used to spread through an organisation once the ransomware was installed in a host computer. When the cyber-attack first sprang up on 24 October there were many reports claiming that EternalBlue, the tool made famous with the Petya/NotPetya attacks that took place earlier this year, was the culprit, but this was quickly disproven by researchers. However, EternalRomance does share at least one similarity with the other attack, each exploits the same Microsoft vulnerability.

Security: Joanna Rutkowska and Microsoft's NSA Back Doors

Filed under
Security

Security: Updates, Reaper, KRACK, Cryptographic kKeycards, Flexera's FUD, Google Play, Windows BadRabbit

Filed under
Security
  • Security updates for Friday
  • Assessing the threat the Reaper botnet poses to the Internet—what we know now
  • KRACK, ROCA, and device insecurity

    It is a fairly bleak picture from a number of different viewpoints. One almost amusing outcome of this mess is contained near the end of Vanhoef's KRACK web page. He notified OpenBSD of the flaw in mid-July with an embargo (at the time) until the end of August. OpenBSD leader Theo de Raadt complained about the length of the embargo, so Vanhoef allowed OpenBSD to silently patch the flaw. "In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo." That might not quite be the outcome De Raadt was hoping for with his (quite reasonable) complaint, especially given that Vanhoef strongly hints that there are other WiFi vulnerabilities in the pipeline.

  • A comparison of cryptographic keycards

    An earlier LWN article showed that private key storage is an important problem to solve in any cryptographic system and established keycards as a good way to store private key material offline. But which keycard should we use? This article examines the form factor, openness, and performance of four keycards to try to help readers choose the one that will fit their needs.

    I have personally been using a YubiKey NEO, since a 2015 announcement on GitHub promoting two-factor authentication. I was also able to hook up my SSH authentication key into the YubiKey's 2048 bit RSA slot. It seemed natural to move the other subkeys onto the keycard, provided that performance was sufficient. The mail client that I use, (Notmuch), blocks when decrypting messages, which could be a serious problems on large email threads from encrypted mailing lists.

    So I built a test harness and got access to some more keycards: I bought a FST-01 from its creator, Yutaka Niibe, at the last DebConf and Nitrokey donated a Nitrokey Pro. I also bought a YubiKey 4 when I got the NEO. There are of course other keycards out there, but those are the ones I could get my hands on. You'll notice none of those keycards have a physical keypad to enter passwords, so they are all vulnerable to keyloggers that could extract the key's PIN. Keep in mind, however, that even with the PIN, an attacker could only ask the keycard to decrypt or sign material but not extract the key that is protected by the card's firmware.

  • Study Examines Open Source Risks in Enterprise Software [Ed: Microsoft network promotes anti FOSS 'study' (marketing by Flexera)]
  • Google Play Protect is 'dead last' at fingering malware on Android

    Last month, German software testing laboratory AV-Test threw malware at 20 Android antivirus systems – and now the results aren't particularly great for Google.

    Its Play Protect system, which is supposed block malicious apps from running on your handheld, was beaten by every other anti-malware vendor.

  • NSA hacking tool EternalRomance found in BadRabbit

Security: UEFI Risks and Bad Rabbit (Microsoft Windows Strikes Again)

Filed under
Security

Security: Reaper, Bad Rabbit, Kaspersky, CAPTCHA Weaknesses

Filed under
Security

Security: Updates, Microsoft Windows TCO (Bad Rabbit), Back Doors, Honeypot, Security by Obscurity

Filed under
Security
  • Security updates for Thursday
  • Security updates for Wednesday
  • New ransomware strain spreads in some European countries [iophk: "Microsoft Windows TCO"]

     

    A new strain of Windows ransomware, dubbed Bad Rabbit, is spreading in eastern Europe through drive-by attacks, the security firm Kaspersky Lab reported overnight.  

  • Bad Rabbit Ransomware Attack Is On The Rise — Here’s What You Need To Know
  • New wave of data-encrypting malware hits Russia and Ukraine

    Beaumont went on to say that Bad Rabbit relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers' hard drives known as the master boot record. A malicious file called infpub.dat appears to be able to use the credentials to allow the Bad Rabbit to spread to other Windows computers on the same local network, Kaspersky Labs' blog post added. In a second blog post, Eset said the malware also uses the Mimikatz network administrative tool to harvest credentials from the affected systems.

  • What is Bad Rabbit ransomware?
  • The DOJ's Bizarre Subpoena Over An Emoji Highlights Its Ridiculous Vendetta Against A Security Researcher

    Yesterday we broke the crazy story of how the DOJ issued a subpoena to Twitter attempting to identify five Twitter users, not because of anything they had done, but because someone else the DOJ disliked -- a security researcher named Justin Shafer -- had tweeted an emoji at them in response to a discussion about a different case. You can read all the details in that original post, in case you missed it yesterday. There was so much craziness in that story that I didn't even get to cover all of it. Some of those named in the subpoena have posted their thoughts -- including Ken "Popehat" White and Keith Lee. I suggest reading both, as the subpoena directed at each of them was particularly silly, given that both freely make their identities public. The DOJ didn't seem to do even the slightest research into the accounts it was demanding info on, or it would have known just how easy it was to "unmask" White and Lee.

  • Modern Cybersecurity Totally Futile in Quantum Computing Era

    Quantum computing uses the power of atoms to perform memory and processing tasks and remains a theoretical concept. However, it is widely believed that its creation is possible. Most experts now agree that the creation of a quantum computer is simply a matter of engineering, and that the theoretical application will happen. Optimistic estimates for commercialization by the private sector vary between 5 and 15 years, while more conservative estimates by academics put it at 15-25 years.

  • 4 extra-strength container security tools for Docker and Kubernetes

    Docker-style containers aren’t just a way to deploy software more quickly or flexibly. They can also be a way to make software more secure. Automatic analysis of the software components that go into containers, behavioral policies that span container clusters and multiple application versions, and innovative new developments in tracking and managing vulnerability data are just some of the ways containers are bolstering security for the entire application lifecycle.

    How much of this comes out of the box, though, is another story. Container products provide the basics, but not always more than that, leaving more advanced monitoring or management solely in the hands of the admin. Here are four recently revamped products and services that bring additional kinds of security to containers, both in the cloud and in your own datacenter.

  • Worker who snuck NSA malware home had his PC backdoored, Kaspersky says

    The NSA worker's computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.

  • Open Source Security Podcast:  Episode 67 - Cyber won
  • Increase your network security: Deploy a honeypot
  • Security by Obscurity

    Today this blog post turned up on Hacker News, titled “Obscurity is a Valid Security Layer”. It makes some excellent points on the distinction between good and bad obscurity and it gives an example of good obscurity with SSH.

  • My password keeps me safe. (Not necessarily!)

Security: Security Standards, New Windows Malware, Flexera FUD, Microsoft’s Sonar

Filed under
Security

Security: Updates, Kaspersky Code, FUD, WPA2, and Crippling Crypto

Filed under
Security

Security Leftovers

Filed under
Security
  • Where Did That Software Come From?

    The article explores how cryptography, especially hashing and code signing, can be use to establish the source and integrity. It examines how source code control systems and automated build systems are a key part of the software provenance story. (Provenance means “a record of ownership of a work of art or an antique, used as a guide to authenticity or quality.” It is increasingly being applied to software.)

  • Judge: MalwareTech is no longer under curfew, GPS monitoring [Updated]

    A judge in Milwaukee has modified the pre-trial release conditions of Marcus Hutchins, also known online as "MalwareTech," who was indicted two months ago on federal criminal charges.

    Under US Magistrate Judge William Duffin’s Thursday order, Hutchins, who is currently living in Los Angeles, will no longer be subject to a curfew or to GPS monitoring.

  • [Older] Leicester teen tries to hack CIA and FBI chiefs' computers

    A teenager attempted to hack senior US government officials' computers from his home.

    Kane Gamble, 18, from Coalville, Leicestershire, pleaded guilty to 10 charges relating to computer hacking.

    His targets included the then CIA director John Brennan and former FBI deputy director Mark Giuliano.

Syndicate content

More in Tux Machines

Graphics: Mesa 17.2.6 RC, AMDGPU, and Vulkan

  • Mesa 17.2.6 release candidate
  • Mesa 17.2.6 RC Arrives With 50+ Fixes
    While Mesa 17.3 is imminent and should be released as stable within the next few days, Mesa 17.2.6 is being prepped for release as the current point release.
  • 43 More AMDGPU DC Patches Hit The Streets
    While the massive AMDGPU DC infrastructure has been merged for Linux 4.15, the flow of improvements to this display code continues and it looks like the next few kernel cycles at least could be quite busy on the AMD front.
  • A Prototype Of The Vulkan Portability Initiative: Low-Level 3D To Vulkan / D3D12 / Metal
    A Mozilla engineer has put out a prototype library in working on the Vulkan Portability Initiative for allowing low-level 3D graphics support that's backed by Vulkan / Direct3D 12 / Metal. With Apple sticking to their own Metal graphics API and Direct3D 12 still being the dominant graphics API on Windows 10, The Khronos Group has been working towards better 3D portability for where Vulkan may not be directly supported by the OS/drivers or otherwise available. They've been working to target a subset of the Vulkan API that can be efficiently mapped to these other native graphics APIs and to have the libraries and tooling for better compatibility and code re-use of these different graphics APIs.

Kernel: Linux 4.15, TLDR, and Linus Torvalds' Latest Rant

  • Linux 4.15 Adds AMD Raven Ridge Audio ID
    Not only is AMD Stoney Ridge audio (finally) being supported by the Linux 4.15 kernel, but it also looks like Raven Ridge audio should now be working too.
  • Linux 4.14.2 Fixes The BCache Corruption Bug
    Normally I don't bother mentioning new Linux kernel point releases on Phoronix unless there are some significant changes, as is the case today with Linux 4.14.2.
  • TLDR is what Linux man pages always should have been
    If you get stuck using a Linux tool, the first port of call shouldn’t be to Stack Overflow, but rather its “man pages.” Man — which is short for manual — retrieves documentation for a given program. Unfortunately, this can often be dense, hard to understand, and lacking in practical examples to help you solve your problem. TLDR is another way of looking at documentation. Rather than being a comprehensive guide to a given tool, it instead focuses on offering practical example-driven instructions of how something works.
  • Linux creator Linus Torvalds: This is what drives me nuts about IT security
    Developers are often accused of not thinking about security, but Linux kernel founder Linus Torvalds has had enough of security people who don't think about developers and end-users. After blasting some kernel developers last week for killing processes in the name of hardening the kernel, Torvalds has offered a more measured explanation for his frustration with security myopia. While he agrees that having multiple layers of security in the kernel is a good idea, certain ways of implementing it are not, in particular if it annoys users and developers by killing processes that break users' machines and wreck core kernel code. Because ultimately, if there are no users, there's not much point in having a supremely secure kernel, Torvalds contends.

Unity 7 Hoping To Become An Official Flavor For Ubuntu 18.04 LTS

While Canonical abandoned their work on the Unity desktop environment in favor of the Unity-inspired customized GNOME Shell that debuted in Ubuntu 17.10, some within the community have remained interested in maintaining Unity 7 and even getting it into an official spin/flavor of Ubuntu. Posted today to the community.ubuntu.com was a Unity maintenance roadmap, reiterating the hope by some in the Ubuntu community for Ubuntu Unity to become an official LTS distribution of Ubuntu. They are hoping to make it an official flavor alongside Kubuntu, Ubuntu Budgie, Xubuntu, and others. Read more Original/direct: Unity Maintenance Roadmap

Programming/Development: Django and Google India

  • An introduction to the Django ORM
    One of the most powerful features of Django is its Object-Relational Mapper (ORM), which enables you to interact with your database, like you would with SQL. In fact, Django's ORM is just a pythonical way to create SQL to query and manipulate your database and get results in a pythonic fashion. Well, I say just a way, but it's actually really clever engineering that takes advantage of some of the more complex parts of Python to make developers' lives easier.
  • Hey, Coders! Google India Is Offering 130,000 Free Developer Scholarships — Here’s How To Apply
  • Google to prepare 1.3 lakh Indians for emerging technologies

    "The new scholarship programme is in tandem with Google's aim to train two million developers in India. The country is the second largest developer ecosystem in the world and is bound to overtake the US by 2021," William Florance, Developer Products Group and Skilling Lead for India, Google, told reporters here.