
Security

Accidental Back Doors and Intentional (Microsoft) Back Doors

Filed under
Security
  • Are you using Python module ‘SSH Decorator’? Newer versions include a backdoor


    Early this week, a developer noticed multiple backdoored versions of the SSH Decorate module; the malicious code included in the library collected users’ SSH credentials and sent the data to a remote server controlled by the attackers.

  • Crypto backdoors are in the news again, and as bad for privacy as ever


    What is troubling, though, is that Ozzie’s reputation as one of the foremost engineers of recent years will allow some to claim that the backdoor puzzle has now been “solved” – because Ray Ozzie says it has. That’s definitely not the case, as the two critiques mentioned above, and others elsewhere, make plain. But politicians won’t worry about such technical niceties when it comes to calling for laws that mandate these “safe” backdoors in devices. That’s why it’s important that everyone who cares about their privacy and security should be ready to push back against attempts to turn a flawed idea into a flawed reality.

  • Ray Ozzie's Encryption Backdoor


    I have no idea why anyone is talking as if this were anything new. Several cryptographers have already explained why this key escrow scheme is no better than any other key escrow scheme. The short answer is (1) we won't be able to secure that database of backdoor keys, (2) we don't know how to build the secure coprocessor the scheme requires, and (3) it solves none of the policy problems around the whole system. This is the typical mistake non-cryptographers make when they approach this problem: they think that the hard part is the cryptography to create the backdoor. That's actually the easy part. The hard part is ensuring that it's only used by the good guys, and there's nothing in Ozzie's proposal that addresses any of that.

Security: Updates, "Hide n Seek" and World of Warcraft

Filed under
Security

Canonical Outs Kernel Security Update for Ubuntu 17.10, 16.04 LTS, and 14.04 LTS

Filed under
Security
Ubuntu

Following in the footsteps of the Debian Project, which recently released a similar kernel security patch for Debian GNU/Linux 9 "Stretch" and Debian GNU/Linux 8 "Jessie" operating system series to address two security vulnerabilities, Canonical also released kernel updates to patch these two flaws and another vulnerability in Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.

One of these security vulnerabilities was caused by the way Linux kernel handled debug exceptions delivered via Mov SS or Pop SS instructions, which could allow a local attacker to crash the system by causing a denial of service. The issue (CVE-2018-8897) was discovered by Nick Peterson and affects only the amd64 architecture.


Security: CPUs, Xen, and Drupal

Filed under
Security

Security Leftovers

Filed under
Security
  • Save Joern — Open Source at ShiftLeft

    We want the technology developed at ShiftLeft to benefit open security projects and the security research community as much as possible.

  • Critical Windows bug fixed today is actively being exploited to hack users

    The first vulnerability resides in the VBScript Engine included in all currently supported versions of Windows. A so-called use-after-free flaw involving the way the engine handles computer memory allows attackers to execute code of their choice that runs with the same system privileges chosen by the logged-in user. When targeted users are logged in with administrative rights, attackers who exploit the bug can take complete control of the system. In the event users are logged in with more limited rights, attackers may still be able to escalate privileges by exploiting a separate vulnerability.

  • CVE-2018-10115 Affects All 7-Zip Versions Prior to 18.05

    7-Zip is a free open-source archiver with a high compression ratio. The program is under the License of GNU LGPL & BSD 3-clause and can be used both by home and enterprise users. “You can use 7-Zip on any computer, including a computer in a commercial organization. You don’t need to register or pay for 7-Zip,” its website says.

  • CVE-2018-8897 Opens Xen PV Systems Up To Exploit

    Besides kernels being addressed for the newly-disclosed CVE-2018-8897 vulnerability, users of Xen para-virtualization should also run a patched Xen system right away.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Google Fixes Pixel XL Charging Bug, 56 Bugs with May 2018 Android Security Patch
  • Death by PowerPoint

    Some pretty wild stuff to send a message directly to Trump, and it seems to have worked (at least until actually informed people got involved.) The influence op was delivered over a channel likely to reach the target audience, using a format designed to appeal to their information consumption, and included a call to action. All necessary criteria for a successful PSYOPS operation. Basically, using TV to deliver a PowerPoint using lots of pictures, small words, and references to the Ego in Chief was textbook propaganda methodology — hats off to Netanyahu on that one. Of course, there is nothing new in the information here, it was just an influence op using misinformation to present factual evidence in the worst possible light. More on that in this thread: [...]

  • New SynAck ransomware uses Process Doppelgänging technique

    A new variant of the SynAck ransomware that infects Windows systems has been spotted by researchers from Russian security firm Kaspersky Lab who say it appears to be targeted malware as attacks have only been observed in the US, Kuwait, Germany and Iran.

    SynAck has been around since September 2017 but the new variant has some added functions which make it able to operate below the radar.

    It uses the Process Doppelgänging technique, basically a way in which malicious code is disguised as a legitimate Windows process. The technique was demonstrated at the Black Hat Europe security conference in December 2017 by the firm enSilo.

Download Kali Linux 2018.2 with new security features

Filed under
GNU
Linux
Security

On April 30th, 2018, Offensive Security announced releasing the new version of Kali Linux which in fact is the first ever version that includes Linux 4.15 kernel. It also includes x64 and x86 patches for the much-hyped Spectre and Meltdown security vulnerabilities.

Kali Linux is a popular Debian-derived Linux distribution developed for penetration testing and digital forensics. The platform is home to hundreds of penetration testing tools making it one of the best and advanced penetration testing distribution ever.


Security Leftovers

Filed under
Security
  • Report: China's Intelligence Apparatus Linked to Previously Unconnected Threat Groups

    Multiple groups operating under the China state-sponsored Winnti umbrella have been targeting organizations in the US, Japan, and elsewhere, says ProtectWise.

    Multiple previously unconnected Chinese threat actors behind numerous cyber campaigns aimed at organizations in the United States, Japan, and other countries over the past several years are actually operating under the control of the country's state intelligence apparatus.

    An investigation by security vendor ProtectWise has shown that the groups operating under the so-called Winnti umbrella since at least 2009 share a common goal, common infrastructure, and often the same tactics, techniques, and procedures.

  • Episode 95 - Twitter passwords and npm backdoors

    Josh and Kurt talk about Twitter doing the right thing when they logged a lot of passwords, the npm malicious getcookies package, and how backdoors work in code.

  • Security updates for Monday

Security: Spectre Variant One, Spectre-NG, NTLM and China

Filed under
Security
  • Linux Kernel Hardens Sound Drivers Against Spectre V1 Vulnerability

    As part of fixes landing for the Linux kernel sound drivers, several sound drivers were hardened against Spectre Variant One.

    HDA, Control, OSS, OPL3, and HDSPM were among the ALSA code in the kernel now hardened against potential Spectre Variant One exploitation. Spectre V1 as a reminder is the bounds check bypass vulnerability.

  • Spectre-NG: Security bods uncover eight new 'Spectre-class' flaws in Intel CPUs

    According to the website, Google's Project Zero uncovered one of the flaws, which have been collectively named 'Spectre Next Generation' or 'Spectre-NG', and will publicly reveal it on 7 May, a day ahead of Microsoft's Patch Tuesday.

  • PDF Files Can Silently Leak NTLM Credentials

    Attackers looking to steal the credentials for the NT LAN Manager (NTLM) authentication protocol (which consist of a domain name, a user name, and a one-way hash of the user's password) can do so by abusing a feature where remote documents and files can be embedded inside PDF files.

  • Report: Chinese government is behind a decade of hacks on software companies

    Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.

Security Leftovers

Filed under
Security
  • Twitter Suggests All of Its 336 Million Users Change Their Passwords After Leaving Them Unprotected


    Normally, Twitter protects passwords through a process called hashing, in which it replaces the actual characters of a password with random letters and numbers. The bug allowed passwords to be kept in an “internal log” without hashing so they were stored in their readable text format.

  • When Your Employees Post Passwords Online


    Storing passwords in plaintext online is never a good idea, but it’s remarkable how many companies have employees who are doing just that using online collaboration tools like Trello.com. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources. Among those put at risk by such activity were an insurance firm, a state government agency and ride-hailing service Uber.

  • Sci-Hub ‘Pirate Bay For Science’ Security Certs Revoked by Comodo


    Sci-Hub, often known as 'The Pirate Bay for Science', has lost control of several security certificates after they were revoked by Comodo CA, the world's largest certification authority. Comodo CA informs TorrentFreak that the company responded to a court order which compelled it to revoke four certificates previously issued to the site.

  • DDoS attacks in Europe 'down 60 per cent' following WebStresser takedown


    According to Europol, who headed up the international operation to take down WebStresser, the site had over 136,000 registered users at the time it was shut down and had been responsible for more than four million DDoS attacks in recent years - including one aimed at seven of the UK's biggest banks in November last year.

  • Nigerian Email Scammers Are More Effective Than Ever


    On Thursday, the security firm Crowdstrike published detailed findings on Nigerian confraternities, cultish gangs that engage in various criminal activities and have steadily evolved email fraud into a reliable cash cow. The groups, like the notorious Black Axe syndicate, have mastered the creation of compelling and credible-looking fraud emails. Crowdstrike notes that the groups aren’t very regimented or technically sophisticated, but flexibility and camaraderie still allow them to develop powerful scams.


More in Tux Machines

openSUSE Tumbleweed Is Now Powered by Linux Kernel 4.17, KDE Plasma 5.13 Landed

As of today, the openSUSE Tumbleweed rolling operating system is now powered by the latest and most advanced Linux 4.17 kernel series, which landed in the most recent snapshot released earlier. Tumbleweed snapshot 20180615 was released today, June 17, 2018, and it comes only two days after snapshot 20180613, which added the Mesa 18.1.1 graphics stack and KDE Plasma 5.13 desktop environment, along with many components of the latest KDE Applications 18.04.2 software suite. Today's snapshot 20180615 continued upgrading the KDE Applications software suite to version 18.04.2, but it also upgraded the kernel from Linux 4.16.12 to Linux 4.17.1. As such, openSUSE Tumbleweed is now officially powered by Linux kernel 4.17, so upgrading your installs as soon as possible would be a good idea.

today's howtos and leftovers

OSS Leftovers

  • Using Open Source Software in a SecDevOps Environment
    On 21 June 2018 the Open Source Software Institute is hosting a discussion that should be of high interest to enterprise technologists in the DC/Northern Virginia, Maryland area. From their invite: Come hear from our panelists about how the worlds of Open Source Software and the Secure Development / Operations (SecDevOps) intersect and strengthen one another. SecDevOps seeks to embed security in the development process as deeply as DevOps has done with operations, and Open Source Software is a major factor in Security, Development, and Operations. Tickets are free, but you need to register soon because seating is limited.
  • TenFourFox FPR8b1 available
    TenFourFox Feature Parity Release 8 beta 1 is now available (downloads, release notes, hashes). There is much less in this release than I wanted because of a family member in the hospital and several technical roadblocks. Of note, I've officially abandoned CSS grid again after an extensive testing period due to the fact that we would need substantial work to get a functional implementation, and a partially functional implementation is worse than none at all (in the latter case, we simply gracefully degrade into block-level divs). I also was not able to finish the HTML input date picker implementation, though I've managed to still get a fair amount completed of it, and I'll keep working on that for FPR9. The good news is, once the date picker is done, the time picker will use nearly exactly the same internal plumbing and can just be patterned off it in the same way. Unlike Firefox's implementation, as I've previously mentioned our version uses native OS X controls instead of XUL, which also makes it faster. That said, it is a ghastly hack on the Cocoa widget side and required some tricky programming on 10.4 which will be the subject of a later blog post.
  • GNU dbm 1.15
    GDBM tries to detect inconsistencies in input database files as early as possible. When an inconsistency is detected, helpful diagnostics are returned and the database is marked as needing recovery. From this moment on, any GDBM function trying to access the database will immediately return an error code (instead of eventually segfaulting as previous versions did). In order to reconstruct the database and return it to a healthy state, the gdbm_recover function should be used.

Server: GNU/Linux Dominance in Supercomputers, Windows Dominance in Downtime

  • Five Supercomputers That Aren't Supercomputers
    A supercomputer, of course, isn't really a "computer." It's not one giant processor sitting atop an even larger motherboard. Instead, it's a network of thousands of computers tied together to form a single whole, dedicated to a singular set of tasks. They tend to be really fast, but according to the folks at the International Supercomputing Conference, speed is not a prerequisite for being a supercomputer. But speed does help them process tons of data quickly to help solve some of the world's most pressing problems. Summit, for example, is already booked for things such as cancer research; energy research, to model a fusion reactor and its magnetically confined plasma to hasten commercial development of fusion energy; and medical research using AI, centering around identifying patterns in the function and evolution of human proteins and cellular systems to increase understanding of Alzheimer’s, heart disease, or addiction, and to inform the drug discovery process.
  • Office 365 is suffering widespread borkage across Blighty

    Some users are complaining that O365 is "completely unusable", with others reporting a noticeable slowdown, whinging that it's taking 30 minutes to send and receive emails.