
Security: Kromtech, Nginx, Equifax, Kickstarter, Microsoft Windows

Filed under
Security
  • [Older] The creepiest data breach till date: Passwords of 540,000 Car Tracking Devices Leaked Online

    Data breaches have become so common these days that every single day we get news about a data breach. We have seen data breaches from big to small, from dangerous to embarrassing, but this one is the creepiest data breach of 2017: this leak of credentials of almost 540,000 Car Tracking Devices might take the biscuit.

    The Kromtech Security Center recently found that over half a million login credentials belonging to SVR, a company that specializes in “vehicle recovery”, were leaked online and are publicly accessible. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen.

  • Nginx 1.13.6 Patches Web Server for the Year 2038 Flaw

    Developers and organizations around the world rushed to fix the Y2K bug nearly 20 years ago as the calendar rolled over to the new millennium. There is also a similar bug that is resident in Unix/Linux systems known as the Year 2038 bug.

    The latest vendor to fix its software for the 2038 bug is open-source web application server vendor nginx. The new nginx 1.13.6 release debuts on Oct. 10, fixing 11 different bugs.

    "Bugfix: nginx did not support dates after the year 2038 on 32-bit platforms with 64-bit time_t," the nginx changelog noted.

  • Equifax: About those 400,000 UK records we lost? It's now 15.2M. Yes, M for MEELLLIOON

    Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million.

    In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement on the matter. Instead it fell to Blighty's National Cyber Security Centre to reveal the bad news that a blundering American firm had put them at risk of phishing attacks.

    “We are aware that Equifax was the victim of a criminal cyber attack in May 2017," the NCSC said in a statement today.

    “Equifax have today updated their guidance to confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. NCSC advises that passwords are not re-used on any accounts if you have been told by Equifax that any portion of your membership details have been accessed.”

  • Major Data Breach Left 15 Million Accounts from These Popular Sites Vulnerable

    In what seems like an ever-lengthening line of data breaches in recent weeks (This restaurant, this financial services company, and this supermarket have all been breached in the past month), Lifehacker has reported that information from 15 million Kickstarter and Bitly accounts is now available to the public due to a 2014 data breach. The breach itself isn’t new, much like the fresh news about Yahoo’s massive breach, but it’s much less disconcerting. Although the information is now public, it is still encrypted, and both Kickstarter and Bitly took swift action to notify users of the breach when it originally occurred, urging them to change their passwords and nullifying the breached ones if user action was not taken.

  • It's 2017... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too

    Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether.

    Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to infect vulnerable machines. That flaw, CVE-2017-11826, is leveraged when a booby-trapped Microsoft Office document is opened, allowing malicious code within it to run with the same rights as the logged-in user, and should be considered a top priority to patch.

    Dustin Childs, of Trend Micro's Zero Day Initiative, noted today that users and administrators should also pay special attention to Microsoft's ADV170012, an advisory warning of weak cryptographic keys generated by Trusted Platform Modules (TPMs) on Infineon motherboards.

Security: Equifax, Forrester, Akamai, Disqus, WhatsApp, FBI, Accenture

Filed under
Security
  • Equifax will give your salary history to anyone with your SSN and date of birth
  • Forrester Research Discloses Limited Website Data Breach

    At 6:17 PM ET on Oct. 6, Forrester Research publicly admitted that it was the victim of a cyber-attack. According to the firm, the attack had limited impact, with no evidence that confidential client data had been stolen.

    According to Forrester Research's preliminary investigation, attackers were able to gain access to Forrester.com content that was intended to be limited exclusively to clients.

    "We recognize that hackers will attack attractive targets—in this case, our research IP," George F. Colony, chairman and chief executive officer of Forrester, stated.

    "We also understand there is a tradeoff between making it easy for our clients to access our research and security measures," Colony added. "We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cyber-security risk."

  • Akamai Reports Fast Flux Botnets Remain a Security Risk

    Attackers are continuing to benefit from the use of many different techniques to remain hidden. New research released Oct. 10 by Akamai reveals that a botnet with over 14,000 IP addresses has been using the fast flux DNS technique to evade detection, while still causing damage to users and organizations.

    Fast Flux is an attacker technique that uses the Domain Name System (DNS) to hide the source of an attack. DNS operates by referring a domain name to a specific IP address

  • Disqus reveals data breach, but wins points for transparency

    Disqus has publicly announced that its user database leaked in 2012, exposing the usernames, email addresses, sign-up dates, and last login dates of more than 17 million users.

    In addition, the data included crackable SHA1-hashed passwords of “about one-third” of users. Presumably many accounts registered with the popular blog-commenting service do not have associated passwords due to many users signing-in using third-party social media accounts such as Google or Facebook.

    Quite how the security breach occurred is currently a mystery, and – frankly – despite their good intentions, Disqus may find it difficult to pinpoint exactly what happened five years after the event.

  • WhatsApp Exploit Can Allow Hackers To Monitor Your Sleep And Other Things
  • Multi-Layered Defenses Needed to Improve Cyber-Security, FBI Says
  • Hacking is inevitable, so it’s time to assume our data will be stolen

    If recent hacking attacks such as the one at Equifax, which compromised personal data for about half of all Americans, have taught us anything, it’s that data breaches are a part of life. It’s time to plan for what happens after our data is stolen, according to Rahul Telang, professor of information systems at Carnegie Mellon University.

    Companies are prone to understating the scale of hacks, which suggests that there needs to be better standards for disclosing breaches. Yahoo recently confessed that its data breach actually impacted 3 billion user accounts, three times what it disclosed in December. Equifax also boosted the number of people it says were affected by its hack.

  • 7 Security Risks User and Entity Behavior Analytics Helps Detect
  • UpGuard Reports Accenture Data Exposure, Debuts Risk Detection Service

    Security vendor UpGuard announced on Oct. 10 that it discovered that global consulting firm Accenture had left at least four cloud-based storage servers publicly available. UpGuard alleges that the exposed cloud servers could have put Accenture customers at risk, though Accenture is publicly downplaying the impact of the cloud data exposure.

    "There was no risk to any of our clients – no active credentials, PII and other sensitive information was compromised," Accenture noted in a statement sent to eWEEK. "The information involved could not have provided access to client systems and was not production data or applications."

    Accenture added that the company has a multi-layered security model and the data in question would not have allowed anyone that found it to penetrate any of those layers.

Security: Updates, Deloitte Crack, 'Optionsbleed', Browsers Will Store Credit Card Details

Filed under
Security
  • Security updates for Monday
  • Deloitte hack hit server containing emails from across US government

    The hack into the accountancy giant Deloitte compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals, the Guardian has been told.

    Sources with knowledge of the hack say the incident was potentially more widespread than Deloitte has been prepared to acknowledge and that the company cannot be 100% sure what was taken.

    Deloitte said it believed the hack had only “impacted” six clients, and that it was confident it knew where the hackers had been. It said it believed the attack on its systems, which began a year ago, was now over.

    However, sources who have spoken to the Guardian, on condition of anonymity, say the company red-flagged, and has been reviewing, a cache of emails and attachments that may have been compromised from a host of other entities.

  • Apache Patches Optionsbleed Flaw in HTTP Server

    The Apache HTTP Web Server (commonly simply referred to as 'Apache') is the most widely deployed web server in the world, and until last week, it was at risk from a security vulnerability known as Optionsbleed.

  • Browsers Will Store Credit Card Details Similar to How They Save Passwords

    A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online.

    Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords.

Security: gnURL 7.56.0, CyberShaolin, Open Source Security Podcast

Filed under
Security
  • gnURL 7.56.0 released

    Merges from cURL 7.56.0 upstream release and some gnURL specific fixes.
    For more info you can read the git log or the generated CHANGELOG file (only present in the tarball).

  • CyberShaolin: Teaching the Next Generation of Cybersecurity Experts

    Reuben Paul is not the only kid who plays video games, but his fascination with games and computers set him on a unique journey of curiosity that led to an early interest in cybersecurity education and advocacy and the creation of CyberShaolin, an organization that helps children understand the threat of cyberattacks. Paul, who is now 11 years old, will present a keynote talk at Open Source Summit in Prague, sharing his experiences and highlighting insecurities in toys, devices, and other technologies in daily use.

  • [Open Source Security Podcast] Episode 65 - Will aliens overthrow us before AI?

Security: AWS, Disqus, Drone Program

Filed under
Security
  • Forget stealing data — these hackers broke into Amazon's cloud to mine bitcoin

    A report from the security intelligence group RedLock found at least two companies which had their AWS cloud services compromised by hackers [sic] who wanted nothing more than to use the computer power to mine the cryptocurrency bitcoin. The hackers [sic] ultimately got access to Amazon's cloud servers after discovering that their administration consoles weren't password protected.

  • Disqus discovers hack [sic] of 17.5m user details after five years

    The biggest Web comment hosting service Disqus was breached in 2012 but the company only knew of it last week, according to an announcement made on Friday.

  • A Mysterious Virus Has Infiltrated America's Drone Program

    There’s something deeply wrong at Creech Air Force Base, the notorious home of America’s drone program, where pilots remotely order US Reaper and Predator drones to unleash destructive missile strikes on unsuspecting villagers in Yemen, Libya, Iraq, Syria, Afghanistan and other war zones.

    Less than a week after the Department of Homeland Security advised all federal agencies using anti-virus software created by Kaspersky Labs to remove the programs from their systems immediately, Ars Technica reports that two weeks ago the Defense Information Systems Agency detected mysterious spyware embedded in the drone “cockpits” – the control stations that pilots use to control the deadly machines.

Security: FireEye, Disqus, EFF on Apple

Filed under
Security
  • FireEye Warns of Expanding FormBook Malware Attacks

    "Because of the affiliate model (or Malware-as-a-Service) set up and its open availability on the web, it is difficult to determine the attack origins, and could be attributed to anyone who has subscribed to the service," Randi Eitzman, FireEye Analyst, told eSecurityPlanet.

    FormBook is being distributed via different document formats, including PDF, DOC and archive files that have some form of download link, macro or executable payload.

  • Disqus hacked [sic]: More than 17.5 million users' details stolen by hackers in 2012 data breach

    About a third of the compromised accounts contained passwords that were salted and hashed using the weak SHA-1 algorithm. Disqus said the exposed user data dates back to 2007 with the most recent data exposed from July 2012.

  • iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi is Bad for User Security

    Turning off your Bluetooth and Wi-Fi radios when you’re not using them is good security practice (not to mention good for your battery usage). When you consider Bluetooth’s known vulnerabilities, it’s especially important to make sure your Bluetooth and Wi-Fi settings are doing what you want them to. The iPhone’s newest operating system, however, makes it harder for users to control these settings.

    On an iPhone, users might instinctively swipe up to open Control Center and toggle Wi-Fi and Bluetooth off from the quick settings. Each icon switches from blue to gray, leading a user to reasonably believe they have been turned off—in other words, fully disabled. In iOS 10, that was true. However, in iOS 11, the same setting change no longer actually turns Wi-Fi or Bluetooth “off.”

    Instead, what actually happens in iOS 11 when you toggle your quick settings to “off” is that the phone will disconnect from Wi-Fi networks and some devices, but remain on for Apple services. Location Services is still enabled, Apple devices (like Apple Watch and Pencil) stay connected, and services such as Handoff and Instant Hotspot stay on. Apple’s UI fails to even attempt to communicate these exceptions to its users.

IPFire 2.19 - Core Update 114 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 114. It brings some changes under the hood and modernises the base system. On top of that, minor issues are being fixed and some packages have been updated.


Security: Updates, Apple APFS Passwords, WordPress, Microsoft FUD, and Internet of Broken Things

Filed under
Security
  • Security updates for Friday
  • Apple fixes Keychain vulnerability, but only in macOS High Sierra

    The zero-day vulnerability in macOS's Keychain has been addressed by Apple, along with some other issues in High Sierra. But other recent versions of the operating system are still vulnerable.

  • macOS High Sierra bug exposes APFS passwords in plain text

    A Brazilian software developer has uncovered a bug in Apple's macOS High Sierra software that exposes the passwords of encrypted Apple File System (APFS) volumes in plain text.

  • The September 2017 WordPress Attack Report

    This edition of the WordPress Attack Report is a continuation of the monthly series we’ve been publishing since December 2016. Reports from the previous months can be found here.

    This report contains the top 25 attacking IPs for September 2017 and their details. It also includes charts of brute force and complex attack activity for the same period, along with a new section revealing changes to the Wordfence real-time IP blacklist throughout the month. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

  • Step aside, Windows! Open source and Linux are IT’s new security headache [Ed: Microsoft propagandist Preston Gralla is back from the woods. The typical spin, lies. Deflection. Windows has back doors.]
  • Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things

    At this point we've pretty well documented how the "internet of things" is a privacy and security dumpster fire. Whether it's tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn't be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard to user privacy -- posing a potentially fatal threat to us all.

Security: Forseti, Updates, FormBook, Kaspersky, and APFS

Filed under
Security

Security: India's Internet, Equifax, and Yahoo!

Filed under
Security

More in Tux Machines

Software and Development: CodeBlocks, Cumulonimbus, LibreOffice, devRantron, GCC

  • CodeBlocks – A Free & Cross-Platform C, C++ and Fortran IDE
    CodeBlocks is a free and open-source IDE for C, C++ and FORTRAN development. It features a consistent User Interface across all desktop platforms with a class browser, a tabbed interface, and its functions can be extended using plugins. It also features keyboard shortcuts, smart indentation, code folding, and a to-do list management panel that different users can use, among others. It is written in C++ and it does not require any interpreted languages or proprietary libraries.
  • Cumulonimbus: Terrible Name, Terrific Podcast Client
    Unlike many other Electron podcast apps I have come across on Github this one is still being developed, is easy to install, and it supports Linux.
  • LibreOffice Calc Is Finally Being Threaded
    While LibreOffice Calc for a while now has been offering OpenCL support for speeding up spreadsheet computations, with not all drivers/GPUs supporting OpenCL, this Microsoft Office alternative is finally receiving proper multi-threading support. Collabora developers have landed their initial work on multi-threading / parallelism as they look to speed-up the LibreOffice Calc spreadsheet program's calculations.
  • devRantron – An Unofficial Desktop Client for devRant Programmers
    devRantron is a free, open-source, and cross-platform (unofficial) desktop client for the famous Dev Rant Android and iOS social media application for programmers, developers, and designers. Before now, devRant was only accessible on the mobile phones, but now users can post complaints and follow up on rants by developers from all around the globe even while working on their desktops and it’s thanks to a group of friends who concluded that devRant was taking too long to deliver a desktop client.
  • The New Compiler Features & Changes Of GCC 8
    With GCC 8 feature development over and onto bug fixing, here is a look at some of the changes to find with the GCC 8 compiler stack that will be released as stable early next year in the form of GCC 8.1.

ONAP Rolls Out Amsterdam Release

Less than nine months after AT&T and the Linux Foundation merged their open source projects to become the Open Network Automation Platform (ONAP), the group today rolled out its first code release, Amsterdam. The highly anticipated release, which integrates AT&T’s ECOMP and the Linux Foundation’s Open-O code bases into a common open source orchestration platform, aims to automate the virtualization of network services.

Inspiring the Next Generation of Open Source

The Linux Foundation works through our projects, training and certification programs, events and more to bring people of all backgrounds into open source. We meet a lot of people, but find the drive and enthusiasm of some of our youngest community members to be especially infectious. In the past couple of months, we’ve invited 13-year-old algorithmist and cognitive developer Tanmay Bakshi, 11-year-old hacker and cybersecurity ambassador Reuben Paul, and 15-year-old programmer Keila Banks to speak at Linux Foundation conferences. In 2014 when he was 12, Zachary Dupont wrote a letter to his hero Linus Torvalds. We arranged for Zach to meet Linus–a visit that helped clinch his love for Linux. This year, Zach came to Open Source Summit in Los Angeles to catch up with Linus and let us know what he’s been up to. He’s kept busy with an internship at SAP and early acceptance to the Computer Networking and Digital Forensics program at the Delaware County Technical School.