Language Selection

English French German Italian Portuguese Spanish

Security

Security: FUD, Adobe, Cybersecurity Improvement Act, Updates and More

Filed under
Security
  • Focusing on Healthcare Open Source Security Awareness [Ed: More Flexera marketing in the form of scare-mongering]
  • Adobe patches zero-day vulnerability used to plant gov't spying software

    Adobe has patched a zero-day vulnerability used by the BlackOasis APT to plant surveillance software developed by Gamma International.

    On Monday, researchers from Kaspersky Lab revealed the new, previously unknown vulnerability, which has been actively used in the wild by advanced persistent threat (APT) group BlackOasis.

  • IoT Cybersecurity: What's Plan B?

    In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

  • Security updates for Wednesday
  • Security updates for Thursday
  • Abuse of RESTEasy Default Providers in JBoss EAP

    Red Hat JBoss Enterprise Application Platform (EAP) is a commonly used host for Restful webservices. A powerful but potentially dangerous feature of Restful webservices on JBoss EAP is the ability to accept any media type. If not configured to accept only a specific media type, JBoss EAP will dynamically process the request with the default provider matching the Content-Type HTTP Header which the client specifies. Some of the default providers where found to have vulnerabilities which have now been removed from JBoss EAP and it's upstream Restful webservice project, RESTEasy.

  • “Security concerns” lead to LTE service shutdown on Chinese Apple Watches

Security: WPA2, Smartwatches, Google, NSA, Microsoft and Flexera FUD

Filed under
Security
  • WPA2 flaw's worst impact on Android, Linux devices

    The flaw in the WPA2 wireless protocol revealed recently has a critical impact on Android phones running version 6.0 of the mobile operating system and Linux devices, a security researcher says.

  • Why the Krack Wi-Fi Mess Will Take Decades to Clean Up

    But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.

  • 'All wifi networks' are vulnerable to hacking, security expert discovers

    WPA2 protocol used by vast majority of wifi connections has been broken by Belgian researchers, highlighting potential for internet traffic to be exposed

  • Kids' smartwatches can be 'easily' hacked, says watchdog

    Smartwatches bought for children who do not necessarily need them can be hacked [sic], according to a warning out of Norway and its local Consumer Council (NCC).

  • John Lewis pulls children's smartwatch from sale over spying fears

    The Norwegian Consumer Council (NCC) revealed that several brands of children’s smartwatch, have such poor security controls that hackers [sic] could easily follow their movements and eavesdrop on conversations.

  • Google's 'Advanced Protection' Locks Down Accounts Like Never Before

    Google hasn't shared the details of what that process entails. But the CDT's Hall, whom Google briefed on the details, says it will include a "cooling-off" period that will lock the account for a period of time while the user proves his or her identity via several other factors. That slowed-down, intensive check is designed to make the account-recovery process a far less appealing backdoor into victims' data.

  • NSA won't say if it knew about KRACK, but don't look to this leaked doc for answers

    Given how involved the NSA has been with remote and local exploitation of networks, systems, devices, and even individuals, many put two and two together and assumed the worst.

    What compounded the matter was that some were pointing to a 2010-dated top secret NSA document leaked by whistleblower Edward Snowden, which detailed a hacking tool called BADDECISION, an "802.11 CNE tool" -- essentially an exploit designed to target wireless networks by using a man-in-the-middle attack within range of the network. It then uses a frame injection technique to redirect targets to one of the NSA's own servers, which acts as a "matchmaker" to supply the best malware for the target device to ensure it's compromised for the long-term. The slide said the hacking tool "works for WPA/WPA2," suggesting that BADDECISION could bypass the encryption.

    Cue the conspiracy theories. No wonder some thought the hacking tool was an early NSA-only version of KRACK.

  • You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early [Ed: Says the company that gives back doors to the NSA and attacks FOSS with patents, lobbying etc.]
  • Why Open Source Security Matters for Healthcare Orgs [Ed: marketing slant for firms that spread FUD]

    Open source software can help healthcare organizations remain flexible as they adopt new IT solutions, but if entities lack open source security measures it can lead to larger cybersecurity issues. A recent survey found that organizations in numerous industries might not be paying enough attention to potential open source risk factors.

    Half of all code used in commercial and Internet of Things (IoT) software products is open source, but only 37 percent of organizations have an open source acquisition or usage policy, according to a recent Flexera report.

    More than 400 commercial software suppliers and in-house software development teams were interviewed, with respondent roles including software developers, DevOps, IT, engineering, legal, and security.

Security: WPA2, RSA/TPM, and Microsoft Breach

Filed under
Security
  • Google and Apple yet to fix Wi-Fi hole in a billion devices

    The WPA2 security protocol has been a mandatory requirement for all devices using the Wi-Fi protocol since 2006, which translates into billions of laptops, mobiles and routers. The weakness identified by Mathy Vanhoef, a digital security researcher at the Catholic University of Leuven (KUL) in Belgium, lies in the way devices running WPA2 encrypt information.

  • The Flawed System Behind the Krack Wi-Fi Meltdown

    No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.

  • Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

    Security experts say the bug has been present since 2012 and found specifically in the Infineon’s Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.

  • ROCA: RSA encryption key flaw puts 'millions' of devices at risk

    This results in cyber criminals computing the private part of an RSA key and affects chips manufactured from 2012 onwards, which are now commonplace in the industry.

  • Infineon RSA Key Generation Issue

    Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

  • Microsoft remains tight-lipped about 2013 internal database hack [sic]

    A secretive internal database used by Microsoft to track bugs in its software was compromised by hackers [sic] in 2013.

  • Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

    Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking [sic] group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

Microsoft never disclosed 2013 hack of secret vulnerability database

Filed under
Microsoft
Security

Hackers broke into Microsoft's secret, internal bug-tracking database and stole information related to vulnerabilities that were exploited in later attacks. But the software developer never disclosed the breach, Reuters reported, citing former company employees.

In an article published Tuesday, Reuters said Microsoft's decision not to disclose details came after an internal review concluded the exploits used in later attacks could have been discovered elsewhere. That investigation relied, in part, on automated reports Microsoft receives when its software crashes. The problem with that approach, Reuters pointed out, is that advanced computer attacks are written so carefully they rarely cause crashes.

Reuters said Microsoft discovered the database breach in early 2013, after a still-unknown hacking group broke into computers belonging to a raft of companies. Besides Microsoft, the affected companies included Apple, Facebook, and Twitter. As reported at the time, the hackers infected a website frequented by software developers with attack code that exploited a zero-day vulnerability in Oracle's Java software framework. When employees of the targeted companies visited the site, they became infected, too.

Read more

Parrot Security OS 3.9 Ethical Hacking & Penetration Testing Distro Now in Beta

Filed under
Security

The Parrot Project began work on a new version of their Linux-based ethical hacking and penetration testing operating system, Parrot Security OS 3.9, and they recently put out a call for testing.

Read more

Security: Let’s Encrypt, Updates, Google, DHS, Adobe

Filed under
Security

Security: WPA2, CVE-2017-15265, Fuzzing, Hyperledger

Filed under
Security
  • Fedora Dev Teaches Users How to Protect Their Wi-Fi Against WPA2 KRACK Bug

    Former Fedora Project leader Paul W. Frields talks today about how to protect your Fedora computers from the dangerous WPA2 KRACK security vulnerability that affects virtually any device using the security protocol to connect to the Internet.

  • WPA2 was kracked because it was based on a closed standard that you needed to pay to read

    How did a bug like krack fester in WPA2, the 13-year-old wifi standard whose flaws have rendered hundreds of millions of devices insecure, some of them permanently so?

    Thank the IEEE's business model. The IEEE is the standards body that developed WPA2, and they fund their operations by charging hundreds of dollars to review the WPA2 standard, and hundreds more for each of the standards it builds upon, so that would-be auditors of the protocol have to shell out thousands just to start looking.

    It's an issue that Carl Mamamud, Public Resource and the Electronic Frontier Foundation have been fighting hard on for years, ensuring that the standards that undergird public safety and vital infrastructure are available for anyone to review, audit and criticize.

  • Patch Available for Linux Kernel Privilege Escalation

    The issue — tracked as CVE-2017-15265 — is a use-after-free memory corruption issue that affects ALSA (Advanced Linux Sound Architecture), a software framework included in the Linux kernel that provides an API for sound card drivers.

  • ​Linus Torvalds says targeted fuzzing is improving Linux security

    Announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds has revealed that fuzzing is producing a steady stream of security fixes.

    Fuzzing involves stress testing a system by generating random code to induce errors, which in turn may help identify potential security flaws. Fuzzing is helping software developers catch bugs before shipping software to users.

  • Devsecops: Add security to complete your devops process [Ed: more silly buzzwords]
  • Companies overlook risks in open source software [Ed: marketing disguised as "news" (and which is actually FUD)]
  • Q&A: Does blockchain alleviate security concerns or create new challenges?

    According to some, blockchain is one of the hottest and most intriguing technologies currently in the market. Similar to the rising of the internet, blockchain could potentially disrupt multiple industries, including financial services. This Thursday, October 19 at Sibos in Toronto, Hyperledger’s Security Maven Dave Huseby will be moderating a panel “Does Blockchain technology alleviate security concerns or create new challenges?” During this session, experts will explore whether the shared nature of blockchain helps or hinders security.

Ubuntu, Debian, Fedora and elementary OS All Patched Against WPA2 KRACK Bug

Filed under
Security

As you are aware, there's a major WPA2 (Wi-Fi Protected Access II) security vulnerability in the wild, affecting virtually any device or operating system that uses the security protocol, including all GNU/Linux distributions.

Read more

Security Leftovers

Filed under
Security
  • Google and IBM launch open-source security tool for containers

    Google and IBM, together with a few other partners, released an open-source project that gathers metadata that developers can use to secure their software.

    According to an IBM blog post, the goal of the project is to help developers keep security standards, while microservices and containers cut the software supply chain.

  • Top 10 Hacking Techniques Used By Hackers

    We live in a world where cyber security has become more important than physical security, thousands of websites and emails are hacked daily. Hence, It is important to know the Top hacking techniques used by hackers worldwide to exploit vulnerable targets all over the internet.

  • Protect your wifi on Fedora against KRACK

    You may have heard about KRACK (for “Key Reinstallation Attack”), a vulnerability in WPA2-protected Wi-Fi. This attack could let attackers decrypt, forge, or steal data, despite WPA2’s improved encryption capabilities. Fear not — fixes for Fedora packages are on their way to stable.

  • Federal watchdog tells Equifax—no $7.25 million IRS contract for you

    The Government Accountability Office (GAO) on Monday rejected Equifax's bid to retain its $7.25 million "taxpayer identity" contract—the one awarded days after Equifax announced it had exposed the Social Security numbers and other personal data of some 145 million people.

  • Adobe Flash vulnerability exploited by BlackOasis hacking group to plant FinSpy spyware

    Security researchers have discovered a new Adobe Flash vulnerability that has already been exploited by hackers to deploy the latest version of FinSpy malware on targets. Kaspersky Lab researchers said a hacker group called BlackOasis has already taken advantage of the zero-day exploit – CVE-2017-11292 – to deliver its malicious payload via a Microsoft Word document.

  • Companies turn a blind eye to open source risk [Ed: No, Equifax got b0rked due to bad practices, negligence, incompetence, not FOSS]

    For instance, criminals who potentially gained access to the personal data of the Equifax customers exploited an Apache Struts CVE-2017-5638 vulnerability.

  • Checking Your Passwords Against the Have I Been Pwned List

    Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.

Security: Equifax, Grafeas, Updates and Open Source Security Podcast

Filed under
Security
Syndicate content

More in Tux Machines

More Coverage of New Lumina Release

  • Lumina 1.4 Desktop Environment Released
    The TrueOS BSD folks working on their Qt5-powered Lumina Desktop Environment have issued a new feature update of their open-source desktop.
  • Lumina Desktop 1.4.0 Released
    Lumina 1.4.0 carries a number of changes, optimisations, and feature improvements. Lumina is the default desktop of TrueOS, a BSD-based operating system. The desktop itself is lightweight, modular, built using Qt, and uses Fluxbox for window management. Although Lumina is mostly aimed at BSD users it also runs on Linux, including Fedora, Arch and — *mario coin sfx* — Ubuntu.

today's howtos

Security: Uber Sued, Intel ‘Damage Control’, ZDNet FUD, and XFRM Privilege Escalation

  • Uber hit with 2 lawsuits over gigantic 2016 data breach
    In the 48 hours since the explosive revelations that Uber sustained a massive data breach in 2016, two separate proposed class-action lawsuits have been filed in different federal courts across California. The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers. Uber reportedly paid $100,000 to delete the stolen data and keep news of the breach quiet. On Tuesday, CEO Dara Khosrowshahi wrote: “None of this should have happened, and I will not make excuses for it.”
  • Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities [Ed: ‘Damage control’ strategy is to make it look like just a bug.]
    While Intel ME security issues have been talked about for months, confirming fears that have been present about it for years, this week Intel published the SA-00086 security advisory following their own internal review of ME/TXE/SPS components. The impact is someone could crash or cause instability issues, load and execute arbitrary code outside the visibility of the user and operating system, and other possible issues.
  • Open source's big weak spot? Flawed libraries lurking in key apps [Ed: Linux basher Liam Tung entertains FUD firm Snyk and Microsoft because it suits the employer's agenda]
  • SSD Advisory – Linux Kernel XFRM Privilege Escalation

gThumb 3.6 GNOME Image Viewer Released with Better Wayland and HiDPI Support

gThumb, the open-source image viewer for the GNOME desktop environment, has been updated this week to version 3.6, a new stable branch that introduces numerous new features and improvements. gThumb 3.6 comes with better support for the next-generation Wayland display server as the built-in video player, color profiles, and application icon received Wayland support. The video player component received a "Loop" button to allow you to loop videos, and there's now support for HiDPI displays. The app also ships with a color picker, a new option to open files in full-screen, a zoom popover that offers different zoom commands and a zoom slider, support for double-click activation, faster image loading, aspect ratio filtering, and the ability to display the description of the color profile in the property view. Read more Also: Many Broadway HTML5 Backend Improvements Land In GTK4