Language Selection

English French German Italian Portuguese Spanish

Security

Hide Complex Passwords in Plain Sight and Give Your Brain a Break

Filed under
Linux
Security
HowTos

As far as people are concerned, there are essentially two types of passwords: the ones we can remember and the ones that are too complex for us to recall. We've learned the latter type is more secure, but it requires us to store impossible-to-memorize-password lists, creating a whole new set of problems. There are some clever tricks to help our brains out a bit, but for most of us the limit of our memory is regrettable. This tip offers a way to pull passwords from unexpected places using the Linux terminal.

Read more

(via DMT/Linux Blog)

Security Leftovers (Back Doors in WhatsApp/Facebook and Microsoft Windows)

Filed under
Security
  • The eight security backdoors that helped kill faith in security

    With the news of WhatsApp's backdoor granting Facebook and government agencies access to user messages, fears over users' privacy issues are sure to be at an all-time high for WhatsApp's 1 billion users.

    Backdoors in computing equipment are the stuff of legend. A decade ago a security expert informed me with absolute certainty that a prominent non-US networking company had designed them into its products for years as a matter of course as if nobody much cared about this fact. Long before the average citizen had heard the letters NSA, it struck me at the time as extraordinary suggestion. It was almost as if the deliberate compromise of an important piece of network equipment was a harmless novelty.

  • Reported “backdoor” in WhatsApp is in fact a feature, defenders say

    The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor—at least as that term is defined by most security experts. Most would probably agree it's not even a vulnerability. Rather, it's a limitation in what cryptography can do in an app that caters to more than 1 billion users.

    At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

    Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

  • Security flaw leaves WhatsApp messages susceptible to man-in-the-middle attacks

    FLAWS in the way that WhatsApp deals with encryption keys leaves users wide open to man-in-the-middle attacks, enabling third-parties to tap their communications.

    The flaw has been described as a "security back door" by The Guardian and privacy campaigners (not unlike the back doors that governments of various stripes have been trying to mandate on all internet communications by law), but more sobre voices have described it as a minor bug and criticised The Guardian for going OTT.

    Nor is it new. Vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016.

    The security flaw relates to situations where encryption keys are dropped and have to be re-issued and re-sent. In certain circumstances, a third-party could exploit the bug to persuade the app to resend messages because the authenticity of re-issued keys is not verified in WhatsApp by default.

  • There's No Security Backdoor in WhatsApp, Despite Reports

    This morning, the Guardian published a story with an alarming headline: “WhatsApp backdoor allows snooping on encrypted messages.” If true, this would have massive implications for the security and privacy of WhatsApp’s one-billion-plus users. Fortunately, there’s no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian’s story is “major league fuckwittage.”

  • WhatsApp vulnerability allows snooping on encrypted messages

    A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

    Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

  • Hacker group Shadow Brokers retires, dumps more code as parting gift

    The Shadow Brokers claimed to have held even more valuable cyber tools in reserve and offered to sell them to the highest bidder in an unorthodox public auction. On Thursday, they said their sales effort had been unsuccessful and were therefore ceasing operations. “So long, farewell peoples. The Shadow Brokers is going dark, making exit,” the group said according to a screenshot of the webpage posted Thursday on the news website CyberScoop.

  • Suspected NSA tool hackers dump more cyberweapons in farewell

    The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off -- but not before releasing another arsenal of tools that appear designed to spy on Windows systems.

  • Shadow Brokers announce retirement, leak NSA Windows Hacking tools as parting gift
  • The Shadow Brokers Leaves the Stage with a Gift of So-Called NSA-Sourced Hacking Tools
  • Shadow Brokers group bids adieu, dumps hacking tools before going silent
  • 'It Always Being About Bitcoins': Shadow Brokers Retire
  • Hacking Group 'ShadowBrokers' Release NSA Exploits, Then Go Dark

Security News

Filed under
Security
  • Security advisories for Friday
  • New Windows backdoor targets intelligence gathering

    New versions of the MM Core Windows backdoor are being used to provide a channel into victims' machines for the purpose of intelligence gathering, according to Carl Leonard, principal security analyst at Forcepoint Security Labs.

    The new versions were found by members of the Forcepoint investigations team.

    MM Core, which is also known as BaneChant, is a file-less advanced persistent threat which is executed in memory by a downloaded component. It was first reported in 2013 with the version 2.0-LNK and used the tag BaneChant in the network request sent to its command-and-control centre.

    A second version, 2.1-LNK, found shortly thereafter, had the network tag StrangeLove.

    Forcepoint researchers Nicholas Griffin and Roland Dela Paz, whose write-up on MM Core was provided to iTWire, said the two new versions they had found were 2.2-LNK (network tag BigBoss) and 2.3-LNK (SillyGoose).

  • Implementing Medical Device Cybersecurity: A Two-Stage Process

    Connectivity is ubiquitous – it’s moved beyond an overhyped buzzword and become part of life. Offering ever-advancing levels of access, control, and convenience, widespread connectivity also increases the risk of unauthorised interference in our everyday lives.

    In what many experts believe was a world first, manufacturer Johnson & Johnson recently issued a warning to patients on a cyber-vulnerability in one of its medical devices. The company announced that an insulin pump it supplies had a potential connectivity vulnerability. The wireless communication link the device used contained a potential exploit that could have been used by an unauthorised third party to alter the insulin dosage delivered to the patient.

  • Dockerfile security tuneup

    I recently watched 2 great talks on container security by Justin Cormack from Docker at Devoxx Belgium and Adrian Mouat from Container Solutions at GOTO Stockholm. We were following many of the suggestions but there was still room for improvement. So we decided it was good time to do a security tuneup of our dockerfiles.

  • FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

    If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

    This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

    The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

Security News

Filed under
Security

Security News

Filed under
Security
  • Security updates for Wednesday
  • Third Party Patch Roundup – December 2016
  • The MongoDB hack and the importance of secure defaults

    If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far. This post explains the hack, how to protect yourself, and what we can learn from it.

  • Implantable Cardiac Devices Could Be Vulnerable to Hackers, FDA Warns

    Low-level hackers can play with your heart. Literally. Pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients’ lives at risk, the US Food & Drug Administration warned on Monday, the same day a new software patch was released to address these vulnerabilities.

    There are several confirmed vulnerabilities that could have granted hackers remote access a person’s implanted cardiac device. Then, they could change the heart rate, administer shocks, or quickly deplete the battery. There hadn’t been any report of patient harm related to these vulnerabilities as of Monday, the FDA said.

Security Leftovers

Filed under
Security

Security News

Filed under
Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security

Security Leftovers

Filed under
Security
  • How to secure MongoDB on Linux or Unix production server

    MongoDB is a free and open-source NoSQL document database server. It is used by web application for storing data on a public facing server. Securing MongoDB is critical. Crackers and hackers are accessing insecure MongoDB for stealing data and deleting data from unpatched or badly-configured databases. In this tutorial you will learn about how to secure a MongoDB instance or server running cloud server.

  • MongoDB Ransomware Attacks Grow in Number

    Last week when the news started hitting the net about ransomware attacks focusing on unprotected instances of MongoDB, it seemed to me to be a story that would have a short life. After all, the attacks weren’t leveraging some unpatched vulnerabilities in the database, but databases that were misconfigured in a way that left them reachable via the Internet, and with no controls — like a password other than the default — over who had privileges. All that was necessary to get this attack vector under control was for admins to be aware of the situation and to be ready and able to reconfigure and password protect.

  • FTC will pay you to build an IoT security checker

    The Federal Trade Commission (FTC) wants the public to take a crack at developing tools to improve security around Internet of Things (IoT) devices.

    Specifically, the FTC is hosting a competition challenging the public to create a technical solution that would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

  • Security advisories for Monday
  • Security Advice: Bad, Terrible, or Awful

    As an industry, we suck at giving advice. I don’t mean this in some negative hateful way, it’s just the way it is. It’s human nature really. As a species most of us aren’t very good at giving or receiving advice. There’s always that vision of the wise old person dropping wisdom on the youth like it’s candy. But in reality they don’t like the young people much more than the young people like them. Ever notice the contempt the young and old have for each other? It’s just sort of how things work. If you find someone older and wiser than you who is willing to hand out good advice, stick close to that person. You won’t find many more like that.

Syndicate content

More in Tux Machines

Linux Mint 18.1 Is The Best Mint Yet

The hardcore Linux geeks won’t read this article. They’ll skip right past it… They don’t like Linux Mint much. There’s a good reason for them not to; it’s not designed for them. Linux Mint is for folks who want a stable, elegant desktop operating system that they don’t want to have to constantly tinker with. Anyone who is into Linux will find Mint rather boring because it can get as close to the bleeding edge of computer technology. That said, most of those same hardcore geeks will privately tell you that they’ve put Linux Mint on their Mom’s computer and she just loves it. Linux Mint is great for Mom. It’s stable, offers everything she needs and its familiar UI is easy for Windows refugees to figure out. If you think of Arch Linux as a finicky, high-performance sports car then Linux Mint is a reliable station wagon. The kind of car your Mom would drive. Well, I have always liked station wagons myself and if you’ve read this far then I guess you do, too. A ride in a nice station wagon, loaded with creature comforts, cold blowing AC, and a good sound system can be very relaxing, indeed. Read more

Make Gnome 3 more accessible for everyday use

Gnome 3 is a desktop environment that was created to fix a problem that did not exist. Much like PulseAudio, Wayland and Systemd, it's there to give developers a job, while offering no clear benefit over the original problem. The Gnome 2 desktop was fast, lithe, simple, and elegant, and its replacement is none of that. Maybe the presentation layer is a little less busy and you can search a bit more quickly, but that's about as far as the list of advantages goes, which is a pretty grim result for five years of coding. Despite my reservation toward Gnome 3, I still find it to be a little bit more suitable for general consumption than in the past. Some of the silly early decisions have been largely reverted, and a wee bit more sane functionality added. Not enough. Which is why I'd like to take a moment or three to discuss some extra tweaks and changes you should add to this desktop environment to make it palatable. Read more

When to Use Which Debian Linux Repository

Nothing distinguishes the Debian Linux distribution so much as its system of package repositories. Originally organized into Stable, Testing, and Unstable, additional repositories have been added over the years, until today it takes more than a knowledge of a repository's name to understand how to use it efficiently and safely. Debian repositories are installed with a section called main that consists only of free software. However, by editing the file /etc/apt/sources.list, you can add contrib, which contains software that depends on proprietary software, and non-free, which contains proprietary software. Unless you choose to use only free software, contrib and non-free are especially useful for video and wireless drivers. You should also know that the three main repositories are named for characters from the Toy Story movies. Unstable is always called Sid, while the names of Testing and Stable change. When a new version of Debian is released, Testing becomes Stable, and the new version of Testing receives a name. These names are sometimes necessary for enabling a mirror site, but otherwise, ignoring these names gives you one less thing to remember. Read more

Today in Techrights