
Security Leftovers (Back Doors in WhatsApp/Facebook and Microsoft Windows)

Filed under
Security
  • The eight security backdoors that helped kill faith in security

    With the news of WhatsApp's backdoor granting Facebook and government agencies access to user messages, fears over users' privacy issues are sure to be at an all-time high for WhatsApp's 1 billion users.

    Backdoors in computing equipment are the stuff of legend. A decade ago a security expert informed me with absolute certainty that a prominent non-US networking company had designed them into its products for years as a matter of course, as if nobody much cared about this fact. Long before the average citizen had heard the letters NSA, it struck me at the time as an extraordinary suggestion. It was almost as if the deliberate compromise of an important piece of network equipment was a harmless novelty.

  • Reported “backdoor” in WhatsApp is in fact a feature, defenders say

    The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor—at least as that term is defined by most security experts. Most would probably agree it's not even a vulnerability. Rather, it's a limitation in what cryptography can do in an app that caters to more than 1 billion users.

    At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

    Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

  • Security flaw leaves WhatsApp messages susceptible to man-in-the-middle attacks

    FLAWS in the way that WhatsApp deals with encryption keys leave users wide open to man-in-the-middle attacks, enabling third parties to tap their communications.

    The flaw has been described as a "security back door" by The Guardian and privacy campaigners (not unlike the back doors that governments of various stripes have been trying to mandate on all internet communications by law), but more sober voices have described it as a minor bug and criticised The Guardian for going OTT.

    Nor is it new. Vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016.

    The security flaw relates to situations where encryption keys are dropped and have to be re-issued and re-sent. In certain circumstances, a third-party could exploit the bug to persuade the app to resend messages because the authenticity of re-issued keys is not verified in WhatsApp by default.

  • There's No Security Backdoor in WhatsApp, Despite Reports

    This morning, the Guardian published a story with an alarming headline: “WhatsApp backdoor allows snooping on encrypted messages.” If true, this would have massive implications for the security and privacy of WhatsApp’s one-billion-plus users. Fortunately, there’s no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian’s story is “major league fuckwittage.”

  • WhatsApp vulnerability allows snooping on encrypted messages

    A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

    Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

  • Hacker group Shadow Brokers retires, dumps more code as parting gift

    The Shadow Brokers claimed to have held even more valuable cyber tools in reserve and offered to sell them to the highest bidder in an unorthodox public auction. On Thursday, they said their sales effort had been unsuccessful and were therefore ceasing operations. “So long, farewell peoples. The Shadow Brokers is going dark, making exit,” the group said according to a screenshot of the webpage posted Thursday on the news website CyberScoop.

  • Suspected NSA tool hackers dump more cyberweapons in farewell

    The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off -- but not before releasing another arsenal of tools that appear designed to spy on Windows systems.

  • Shadow Brokers announce retirement, leak NSA Windows Hacking tools as parting gift
  • The Shadow Brokers Leaves the Stage with a Gift of So-Called NSA-Sourced Hacking Tools
  • Shadow Brokers group bids adieu, dumps hacking tools before going silent
  • 'It Always Being About Bitcoins': Shadow Brokers Retire
  • Hacking Group 'ShadowBrokers' Release NSA Exploits, Then Go Dark

Security News

Filed under
Security
  • Security advisories for Friday
  • New Windows backdoor targets intelligence gathering

    New versions of the MM Core Windows backdoor are being used to provide a channel into victims' machines for the purpose of intelligence gathering, according to Carl Leonard, principal security analyst at Forcepoint Security Labs.

    The new versions were found by members of the Forcepoint investigations team.

    MM Core, which is also known as BaneChant, is a file-less advanced persistent threat which is executed in memory by a downloaded component. It was first reported in 2013 with the version 2.0-LNK and used the tag BaneChant in the network request sent to its command-and-control centre.

    A second version, 2.1-LNK, found shortly thereafter, had the network tag StrangeLove.

    Forcepoint researchers Nicholas Griffin and Roland Dela Paz, whose write-up on MM Core was provided to iTWire, said the two new versions they had found were 2.2-LNK (network tag BigBoss) and 2.3-LNK (SillyGoose).

  • Implementing Medical Device Cybersecurity: A Two-Stage Process

    Connectivity is ubiquitous – it’s moved beyond an overhyped buzzword and become part of life. Offering ever-advancing levels of access, control, and convenience, widespread connectivity also increases the risk of unauthorised interference in our everyday lives.

    In what many experts believe was a world first, manufacturer Johnson & Johnson recently issued a warning to patients on a cyber-vulnerability in one of its medical devices. The company announced that an insulin pump it supplies had a potential connectivity vulnerability. The wireless communication link the device used contained a potential exploit that could have been used by an unauthorised third party to alter the insulin dosage delivered to the patient.

  • Dockerfile security tuneup

    I recently watched two great talks on container security by Justin Cormack from Docker at Devoxx Belgium and Adrian Mouat from Container Solutions at GOTO Stockholm. We were following many of the suggestions but there was still room for improvement. So we decided it was a good time to do a security tuneup of our Dockerfiles.

  • FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

    If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

    This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

    The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

Security News

Filed under
Security
  • Security updates for Wednesday
  • Third Party Patch Roundup – December 2016
  • The MongoDB hack and the importance of secure defaults

    If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far. This post explains the hack, how to protect yourself, and what we can learn from it.

  • Implantable Cardiac Devices Could Be Vulnerable to Hackers, FDA Warns

    Low-level hackers can play with your heart. Literally. Pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients’ lives at risk, the US Food & Drug Administration warned on Monday, the same day a new software patch was released to address these vulnerabilities.

    There are several confirmed vulnerabilities that could have granted hackers remote access to a person’s implanted cardiac device. Then, they could change the heart rate, administer shocks, or quickly deplete the battery. There hadn’t been any report of patient harm related to these vulnerabilities as of Monday, the FDA said.

Security Leftovers

Filed under
Security
  • How to secure MongoDB on Linux or Unix production server

    MongoDB is a free and open-source NoSQL document database server. It is used by web applications for storing data on a public-facing server. Securing MongoDB is critical. Crackers and hackers are accessing insecure MongoDB installations to steal data and delete data from unpatched or badly-configured databases. In this tutorial you will learn how to secure a MongoDB instance or server running on a cloud server.

  • MongoDB Ransomware Attacks Grow in Number

    Last week when the news started hitting the net about ransomware attacks focusing on unprotected instances of MongoDB, it seemed to me to be a story that would have a short life. After all, the attacks weren’t leveraging some unpatched vulnerabilities in the database, but databases that were misconfigured in a way that left them reachable via the Internet, and with no controls — like a password other than the default — over who had privileges. All that was necessary to get this attack vector under control was for admins to be aware of the situation and to be ready and able to reconfigure and password protect.

  • FTC will pay you to build an IoT security checker

    The Federal Trade Commission (FTC) wants the public to take a crack at developing tools to improve security around Internet of Things (IoT) devices.

    Specifically, the FTC is hosting a competition challenging the public to create a technical solution that would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

  • Security advisories for Monday
  • Security Advice: Bad, Terrible, or Awful

    As an industry, we suck at giving advice. I don’t mean this in some negative hateful way, it’s just the way it is. It’s human nature really. As a species most of us aren’t very good at giving or receiving advice. There’s always that vision of the wise old person dropping wisdom on the youth like it’s candy. But in reality they don’t like the young people much more than the young people like them. Ever notice the contempt the young and old have for each other? It’s just sort of how things work. If you find someone older and wiser than you who is willing to hand out good advice, stick close to that person. You won’t find many more like that.

Open source server simplifies HTTPS, security certificates

Filed under
OSS
Security

For administrators seeking an easier method to turn on HTTPS for their websites, there is Caddy, an open source web server that automatically sets up security certificates and serves sites over HTTPS by default.

Built on Go 1.7.4, Caddy is a lightweight web server that supports HTTP/2 out of the box and automatically integrates with any ACME-enabled certificate authority such as Let’s Encrypt. HTTP/2 is enabled by default when the site is served over HTTPS, and administrators using Caddy will never have to deal with expired TLS certificates for their websites, as Caddy handles the process of obtaining and deploying certificates.
