Security: MalwareTech, JavaScript, Vista 10, TPM2, Intel Back Door, Linux Bug, Pizza Hut Breach, Telcos Spying

Filed under
Security
  • Let MalwareTech Surf! Status Report
  • 500 million PCs are being used for stealth cryptocurrency mining online

    A month or so ago, torrent search website The Pirate Bay raised concern among the community as visitors noticed their CPU usage surged whenever a page was opened.

  • Dutch slam Windows 10 for breaking privacy laws

    Dutch authorities claim Microsoft’s Windows 10 operating system is violating data protection and privacy laws, and warned they may impose fines on the US technology giant.

    “Microsoft breaches the Dutch data protection law by processing personal data of people that use the Windows 10 operating system on their computers,” the Dutch Data Protection Authority (DPA) said in a statement late Friday.

    The company fails to “clearly inform” users of Windows 10 that it “continuously collects personal data about the usage of apps and web surfing behavior through its web browser Edge, when the default settings are used,” the DPA said.

  • Using Elliptic Curve Cryptography with TPM2

    One of the most significant advances going from TPM1.2 to TPM2 was the addition of algorithm agility: The ability of TPM2 to work with arbitrary symmetric and asymmetric encryption schemes. In practice, in spite of this much vaunted agile encryption capability, most actual TPM2 chips I’ve seen only support a small number of asymmetric encryption schemes, usually RSA2048 and a couple of Elliptic Curves. However, the ability to support any Elliptic Curve at all is a step up from TPM1.2. This blog post will detail how elliptic curve schemes can be integrated into existing cryptographic systems using TPM2. However, before we start on the practice, we need at least a tiny swing through the theory of Elliptic Curves.

  • Sakaki's EFI Install Guide/Disabling the Intel Management Engine

    The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -3,[1][2][3][4] independently of the BIOS, main CPU and platform operating system[5][6] — a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported[7][8]).

  • Linux vulnerable to privilege escalation

    An advisory from Cisco issued last Friday, October 13th, gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).

    The bug is designated CVE-2017-15265, but its Mitre entry was still marked “reserved” at the time of writing. Cisco, however, had this to say about it before release:

  • Pizza Hut was hacked, company says

    According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed.

    The “temporary security intrusion” lasted for about 28 hours, the notice said, and it’s believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information — meaning account number, expiration date and CVV number — were compromised.

  • Want to see something crazy? Open this link on your phone with WiFi turned off

    These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required). These services are doing this with the assistance of the telco providers.

  • Telcos "selling realtime ability to associate web browsing with name & address"

Security: Kaspersky, Grafeas, Schneier Book

Filed under
Security

Microsoft Breaking the Law and Computer Security Woes

Filed under
Microsoft
Security

How do you dump the firmware from a "secure" voting machine? With a $15 open source hardware board

Filed under
Hardware
Security

One of the highlights of this year's Defcon conference in Vegas was the Voting Machine Hacking Village, where security researchers tore apart the "secure" voting machines America trusts its democracy to.

The Voting Machine Hacking Village just released its master report on the vulnerabilities they found, and the participants are talking about it on Twitter, including Joe Fitz's note that he dumped the firmware off an Accuvote TSX with one of Adafruit's $15 open source hardware FT232h breakout boards.

Security: Australia, IRS, and Grafeas

Filed under
Security
  • Australian defense firm was hacked and F-35 data stolen, DOD confirms

    The Australian Cyber Security Centre noted in its just-issued 2017 Threat Report that a small Australian defense company "with contracting links to national security projects" had been the victim of a cyber-espionage attack detected last November. "ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data," the ACSC report stated. "The adversary remained active on the network at the time."

    More details of the breach were revealed on Wednesday at an IT conference in Sydney. ASD Incident Response Manager Mitchell Clarke said, "The compromise was extensive and extreme." The attacker behind the breach has been internally referred to at the Australian Signals Directorate as "APT Alf" (named for a character in Australia's long-running television show Home and Away, not the US television furry alien). Alf stole approximately 30 gigabytes of data, including data related to Australia's involvement in the F-35 Joint Strike Fighter program, as well as data on the P-8 Poseidon patrol plane, planned future Australian Navy ships, the C-130 Hercules cargo plane, and the Joint Direct Attack Munition (JDAM) bomb. The breach began in July of 2016.

  • After second bungle, IRS suspends Equifax’s “taxpayer identity” contract

    The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors' computers with adware that was detected by just three of 65 antivirus providers. The development means that at least for now, taxpayers cannot open new Secure Access accounts with the IRS. Secure Access allows taxpayers to retrieve various online tax records and provides other "tax account tools" to those who have signed up.

  • Google, IBM Partner to Tighten Container Security
  • Grafeas, new open-source API for the software supply chain, released

Security: Updates, Grafeas, Cloudwashing

Filed under
Security

Security: Microsoft Word, Hyatt Hotels, Australian Megabreach, Impersonating iOS Password Prompts, and Equifax

Filed under
Security

Security: Updates, Accenture, Equifax, Passwords, United Airlines, Grafeas Project

Filed under
Security

pfSense 2.4.0-RELEASE Now Available!

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4, now available for new installations and upgrades!

pfSense software version 2.4.0 was a herculean effort! It is the culmination of 18 months of hard work by Netgate and community contributors, with over 290 items resolved. According to git, 671 files were changed, with a total of 1651680 lines added and 185727 lines deleted. Most of those added lines are from translated strings for multiple language support!

pfSense 2.4.0-RELEASE updates and installation images are available now!

Also: pfSense 2.4 Released, Rebased To FreeBSD 11.1 & New Installer

Security: Updates, Reproducible Builds, T-Mobile, ATMs, Microsoft Outlook "Fake Crypto" and Accenture

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #128
  • T-Mobile customer data plundered thanks to bad API

    A bug disclosed and patched last week by T-Mobile in a Web application interface allowed anyone to query account information by simply providing a phone number. That includes customer e-mail addresses, device identification data, and even the answers to account security questions. The bug, which was patched after T-Mobile was contacted by Motherboard's Lorenzo Franceschi-Bicchierai on behalf of an anonymous security researcher, was apparently also exploited by others, giving them access to information that could be used to hijack customers' accounts and move them to new phones. Attackers could potentially gain access to other accounts protected by SMS-based "two factor" authentication simply by acquiring a T-Mobile SIM card.

  • Criminals stole millions from E. Europe banks with ATM “overdraft” hack

    Banks in several former Soviet states were hit with a wave of debit card fraud earlier this year that netted millions of dollars worth of cash. These bank heists relied on a combination of fraudulent bank accounts and hacking to turn nearly empty bank accounts into cash-generating machines. In a report being released by TrustWave's SpiderLabs today, SpiderLabs researchers detailed the crime spree: hackers gained access to bank systems and manipulated the overdraft protection on accounts set up by proxies and then used automated teller machines in other countries to withdraw thousands of dollars via empty or nearly empty accounts.

    While SpiderLabs' investigation accounted for about $40 million in fraudulent withdrawals, the report's authors noted, "when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD." This criminal enterprise was a hybrid of traditional credit fraud and hacking. It relied on an army of individuals with fake identity documents, as these folks were paid to set up accounts at the targeted institutions with the lowest possible deposit. From there, individuals requested debit cards for the accounts, which were forwarded to co-conspirators in other countries throughout Europe and in Russia.

  • Buggy Microsoft Outlook Sending Encrypted S/MIME Emails With Plaintext Copy For Months

    Beware: if you are using the S/MIME protocol over Microsoft Outlook to encrypt your email communication, you need to watch out.

    For at least the last 6 months, your messages were being sent in both encrypted and unencrypted forms, exposing all your secret and sensitive communications to potential eavesdroppers.

    S/MIME, or Secure/Multipurpose Internet Mail Extensions, is an end-to-end encryption protocol—based on public-key cryptography and works just like SSL connections—that enables users to send digitally signed and encrypted messages.

  • Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure (CVE-2017-11776)

    Outlook version XXX (we are still waiting for Microsoft to release detailed information and update the blog accordingly) was the first affected version. So any S/MIME encrypted mail written since that date might be affected.

    Unfortunately there is no easy solution to remediate the impact of this vulnerability (we are still waiting for Microsoft to release detailed information and update the blog).

    In cases where mails have been sent to third parties (the recipient is outside of the sender’s organization), remediation is not possible by the sending party, since the sender has no authority over the recipient’s mail infrastructure.

  • Accenture data leak: 'Keys to the kingdom' left exposed via multiple unsecured cloud servers

    A massive trove of sensitive corporate and customer data was left freely exposed to the public by Accenture, one of the world's biggest management firms. The tech giant left at least four cloud storage servers, which contained highly sensitive decryption keys and passwords, exposed to the public, without any password protections.

More in Tux Machines

Security: Uber, Replacing x86 Firmware, 'IoT' and Chromebook

  • Key Dem calls for FTC to investigate Uber data breach

    A key Democrat is calling on the Federal Trade Commission (FTC) to investigate a massive Uber breach that released data on 57 million people, as well as the company's delay in reporting the cyber incident.

  • Multiple states launch probes into massive Uber breach
  • Replacing x86 firmware with Linux and Go

    The problem, Minnich said, is that Linux has lost its control of the hardware. Back in the 1990s, when many of us started working with Linux, it controlled everything in the x86 platform. But today there are at least two and a half kernels between Linux and the hardware. Those kernels are proprietary and, not surprisingly, exploit friendly. They run at a higher privilege level than Linux and can manipulate both the hardware and the operating system in various ways. Worse yet, exploits can be written into the flash of the system so that they persist and are difficult or impossible to remove—shredding the motherboard is likely the only way out.

  • Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

    However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, "I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals..."

  • Chromebook exploit earns researcher second $100k bounty

    For Google’s bug bounty accountants, lightning just struck twice. In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks. Twelve months on and the same researcher was wired an identical payout for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS. By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.” More likely, it wasn’t regretting it at all because isn’t being told about nasty vulnerabilities the whole point of bug bounties?

  • Why microservices are a security issue

    And why is that? Well, for those of us with a systems security bent, the world is an interesting place at the moment. We're seeing a growth in distributed systems, as bandwidth is cheap and latency low. Add to this the ease of deploying to the cloud, and more architects are beginning to realise that they can break up applications, not just into multiple layers, but also into multiple components within the layer. Load balancers, of course, help with this when the various components in a layer are performing the same job, but the ability to expose different services as small components has led to a growth in the design, implementation, and deployment of microservices.

Lumina 1.4 Desktop Environment Debuts with New Theme Engine and ZFS Integrations

Lumina 1.4.0 is a major release that introduces several new core components, such as the Lumina Theme Engine to provide enhanced theming capabilities for the desktop environment and apps written in the Qt 5 application framework. The Lumina Theme Engine comes with a configuration utility and makes the previous desktop theme system obsolete, though it's possible to migrate your current settings to the new engine. "The backend of this engine is a standardized theme plugin for the Qt5 toolkit, so that all Qt5 applications will now present a unified appearance (if the application does not enforce a specific appearance/theme of its own)," said the developer in today's announcement. "Users of the Lumina desktop will automatically have this plugin enabled: no special action is required."

today's leftovers

  • qBittorrent 4.0 Is a Massive Update of the Open-Source BitTorrent Client

    qBittorrent, the open-source and cross-platform BitTorrent client written in Qt for GNU/Linux, macOS, and Windows systems, has been updated to version 4.0, a major release adding numerous new features and improvements. qBittorrent 4.0 is the first release of the application to drop OS/2 support, as well as support for the old Qt 4 framework, as Qt 5.5.1 or later is now required to run it on all supported platforms. It also brings a new logo and a new SVG-based icon theme that can be easily scaled. Lots of other cosmetic changes are present in this release, and the WebGUI received multiple enhancements.

  • FFmpeg Continues Working Its "NVDEC" NVIDIA Video Decoding Into Shape

    Earlier this month the FFmpeg project landed its initial NVDEC NVIDIA video decoding support after already supporting NVENC for video encoding. These new NVIDIA APIs for encode/decode are part of the company's Video Codec SDK with CUDA and are the successor to the long-used VDPAU video decoding on NVIDIA Linux boxes. That NVDEC support has continued getting into shape.

  • Kobo firmware 4.6.10075 mega update (KSM, nickel patch, ssh, fonts)

    A new firmware for the Kobo ebook reader came out and I adjusted the mega update pack to use it. According to the comments in the firmware thread it is working faster than previous releases. The most incredible change though is the update from wpa_supplicant 0.7.1 (around 2010) to 2.7-devel (current). Wow.

  • 3.5-inch Apollo Lake SBC has dual mini-PCIe slots and triple displays

    Avalue’s Linux-friendly, 3.5-inch “ECM-APL2” SBC features Apollo Lake SoCs, 2x GbE, 4x USB 3.0, 2x mini-PCIe, triple displays, and optional -40 to 85°C. Avalue’s 3.5-inch, Apollo Lake based ECM-APL single-board computer was announced a year ago, shortly after Intel unveiled its Apollo Lake generation. Now it has followed up with an ECM-APL2 3.5-incher with a slightly different, and reduced, feature set.

  • 7 Best Android Office Apps To Meet Your Productivity Needs

    An office application is an essential suite that allows you to create powerful spreadsheets, documents, presentations, etc., on a smartphone. Moreover, Android office apps come with cloud integration so that you can directly access the reports from the cloud, edit them, or save them online. To meet the productivity needs of Android users, the Play Store offers an extensive collection of Android office apps. But we have saved you the hassle of going through each one of them and provided you with a list of the best office apps for Android. The apps that we have picked are all free, although some do have a Pro version or extra features available for in-app purchase. You can also refer to this list if you’re looking for Microsoft Office alternatives for your PC.

Servers and Red Hat