Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security

GitLab Features Expansion

Filed under
Development
Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security and reproducible-build progress in Guix 0.11

    The GNU Guix package-manager project recently released version 0.11, bringing with it support for several hundred new packages, a range of new tools, and some significant progress toward making an entire operating system (OS) installable using reproducible builds.

    Guix is a "functional" package manager, built on many of the same ideas found in the Nix package manager. As the Nix site explains it, the functional paradigm means that packages are treated like values in a functional programming language—Haskell in Nix's case, Scheme in Guix's. The functions that build and install packages do so without side effects, so the system can easily offer nice features like atomic transactions, rollbacks, and the ability for individual users to build and install separate copies of a package without fear that they will interfere. Part of making such a system reliable is to ensure that builds are "reproducible"—meaning that two corresponding copies of a binary built on different systems at different times will be bit-for-bit identical.

  • VeraCrypt Audit Under Way; Email Mystery Cleared Up

    To say the VeraCrypt audit, which begins today, got off to an inauspicious start would be an understatement.

    On Sunday, two weeks after the announcement that the open source file and disk encryption software would be formally scrutinized for security vulnerabilities, executives at one of the firms funding the audit posted a notice that four emails between the parties involved had been intercepted.

  • Cryptocurrency Mining Virus Targets Linux Machines
  • Why The Windows Secure Boot Hack Is a Good Thing

    Most coverage of the subject has been written in that panicky, alarmist prose that makes for exciting news, but the problem is that the invalidation of Secure Boot is a very positive development for everyone concerned, except for Microsoft. Yes, it shows why backdoors for “the good guys” are a terrible idea — yes, it even has far-reaching implications for every piece of computing technology using the UEFI standard. However, I maintain that it will have a positive influence on the direction of security and tech standards moving forward.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Friday's security updates
  • Thursday's security advisories
  • Microsoft Windows UAC can be bypassed for untraceable hacks

    USER ACCOUNT Control (UAC), the thing in Microsoft Windows that creates extra menus you wish would just sod off, can be bypassed, allowing hackers to gain registry access.

    Security researcher Matt Nelson has discovered that the flaw allows someone to start PowerShell, access the registry and then leave no trace.

    The workaround/feature/bug/massive security hole works on any version of Windows with UAC, which was introduced in Windows Vista and later softened in Windows 7 as it proved such a spectacular pain in the Vista.

    The technique uses no files, no injections and leaves no trace. It's just pure direct access via a vulnerability. You could go off and do it to someone now.

    Don't do that, though.

  • all that’s not golden

    Several stories and events recently that in some way relate to backdoors and golden keys and security. Or do they? In a couple cases, I think some of the facts were slightly colored to make for a more exciting narrative. Having decided that golden keys are shitty, that doesn’t imply that all that’s shit is golden. A few different perspectives here, because I think some of the initial hoopla obscured some lessons that even people who don’t like backdoors can learn from.

    Secure Boot

    Microsoft added a feature to Secure Boot, accidentally creating a bypass for older versions. A sweet demo scene release (plain text) compares this incident to the FBI’s requested golden keys. Fortunately, our good friends over at the Register dug into this claim and explained some of the nuance in their article, Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea. Ha, ha, I kid.

    Matthew Garrett also has some notes on Microsoft’s compromised Secure Boot implementation. He’s purportedly a Linux developer, but he doesn’t once in this post call Windows a steaming pile, so he’s probably a Microsoft shill in disguise.

    Returning to the big question, What does the MS Secure Boot Issue teach us about key escrow? Maybe not a whole lot. Some questions to consider are how thoroughly MS tried to guard the key and whether they actually lost the key or just signed the wrong thing.

    Relevant to the crypto backdoor discussion, are the actions taken here the same? In a key escrow scheme, are iPhones sending encrypted data to the FBI or is the FBI sending encrypted messages to iPhones? The direction of information flow probably has a profound effect on the chances of the wrong thing leaking out. Not to say I want anything flowing in either direction, but it does affect how analogous the situations are.

    A perhaps more important lesson, for all security or crypto practitioners, is just barely hinted at in mjg59’s post. Microsoft created a new message format, but signed it with a key trusted by systems that did not understand this format. Misinterpretation of data formats results in many vulnerabilities. Whenever it’s possible that a message may be incorrectly handled by existing systems, it’s vital to roll keys to prevent misinterpretation.

  • Security against Election Hacking – Part 1: Software Independence

    So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won. The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

    In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts. Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example. And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes). Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

  • Security against Election Hacking (Freedom to Tinker)

    Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.

Security Leftovers

Filed under
Security
  • CVE-2016-5696 and its effects on Tor

    This vulnerability is quite serious, but it doesn’t affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.

  • Secure Boot Failure, Response, and Mitigation

    Last week, it became public that there is an attack against Secure Boot, utilizing one of Microsoft’s utilities to install a set of security policies which effectively disables bootloader verification.

  • Static Code Analyzer Reportedly Finds 10,000 Open Source Bugs

    A Russian company behind the PVS-Studio static code analyzer claims to have used the tool to discover more than 10,000 bugs in various open source projects, including well-known offerings such as the Firefox Web browser and the Linux kernel.

  • Linux.Lady the Crypto-Currency Mining Trojan Discovered

    Organizations reliant on Redis NoSQL a most sought after database require re-checking their configurations, security researchers advise. That's because the Linux.Lady crypto-currency Trojan, which mines digital money, has been discovered as it piggybacks on insufficient out-of-the-box security.

    It is possible that a maximum of 30K Redis servers are susceptible to attack mainly since inadvertent system admins gave them an Internet connection devoid of constructing a password for them in addition to not having Redis secured by default.

  • DDoS protection in the cloud

    OpenFlow and other software-defined networking controllers can discover and combat DDoS attacks, even from within your own network.

    Attacks based on the distributed denial of service (DDoS) model are, unfortunately, common practice, often used to extort protection money or sweep unwanted services off the web. Currently, such attacks can reach bandwidths of 300GBps or more. Admins usually defend themselves by securing the external borders of their own networks and listening for unusual traffic signatures on the gateways, but sometimes they fight attacks even farther outside the network – on the Internet provider's site – by diverting or blocking the attack before it overloads the line and paralyzes the victim's services.

    In the case of cloud solutions and traditional hosting providers, the attackers and their victims often reside on the same network. Thanks to virtualization, they could even share the same computer core. In this article, I show you how to identify such scenarios and fight them off with software-defined networking (SDN) technologies.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
  • NIST Denounces SMS 2FA - What are the Alternatives?

    Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline.

  • It's pretty easy to hack traffic lights

    Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system.

    The researchers targeted the wireless control systems at each intersection, avoiding any tampering with the actual junction boxes, which might be detected by passers-by (though seriously, some high-viz vests and a couple of traffic cones would likely serve as perfect camouflage), and worked with the permission of a local Michigan traffic authority.

Syndicate content

More in Tux Machines

Android Leftovers

A short critique of Stallmanism

I like Stallman and tend to agree with him often: regarding software, or other politics. This article tries to constructively criticize some parts of the free software movement's ideology, which I collectively refer to as "Stallmanism" (only as pun). It is not an attempt at a personal attack on Stallman, and by reading further you will probably see my politics are very far from that: I coined the term Stallmanism simply because he is at the center of the movement and himself a primary source of the ideas I am critiquing. Read more

Google may unveil merged Android and Chrome OS, dubbed Andromeda, at event

If you thought Google’s October 4 event — where the firm is rumored to launch two smartphones, Google Home, Daydream VR, Chromecast Ultra, and Wi-Fi Routers — wasn’t packed enough, think again. It has been a long time coming, but Google may finally offer a peak at Andromeda, an operating system that sees the merger of Android and Chrome OS. Andromeda is the code name for the long-rumored merger, and Android Police says it have been sitting on a rumor that Google may demo the OS in October. What made the company share it now? A tweet from Hiroshi Lockheimer, senior vice president of Android, Chrome OS, and Google Play at Google. Read more

KDE Leftovers