
Security

Security: PeopleSoft, DJI, IoT, Amazon, Microsoft, Google, Ad Blocking and Codewarz

Filed under
Security
  • Oracle rushes out 5 patches for huge vulnerabilities in PeopleSoft app server

    Oracle issued a set of urgent security fixes on Tuesday that repair vulnerabilities revealed today by researchers from the managed security provider ERPScan at the DeepSec security conference in Vienna, Austria. The five vulnerabilities include one dubbed "JoltandBleed" by the researchers because of its similarity to the HeartBleed vulnerability discovered in OpenSSL in 2014. JoltandBleed is a serious vulnerability that could expose entire business applications running on PeopleSoft platforms accessible from the public Internet.

    The products affected include Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as any other product using the Tuxedo 2 application server. According to recent research by ERPScan, more than 1,000 enterprises have their PeopleSoft systems exposed to the Internet, including a number of universities that use PeopleSoft Campus Solutions to manage student data.

  • Man gets threats—not bug bounty—after finding DJI customer data in public view

    DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

  • New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids

    We've long noted how the painful lack of security and privacy standards in the internet of (broken) things is also very well-represented in the world of connected toys. Like IoT vendors, toymakers were so eager to make money that they left even basic privacy and security standards stranded in the rear view mirror as they rushed to connect everything to the internet. As a result, we've seen repeated instances where your kids' conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

    With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is increasingly becoming a bigger problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth and wifi-enabled toys that allow a total stranger to listen in on or chat up your toddler:

  • Amazon Key flaw makes entering your home undetected a possibility
  • How to fix a program without the source code? Patch the binary directly
  • Google Home and Amazon Echo hit by big bad Bluetooth flaws
  • Senator urges ad blocking by feds as possible remedy to malvertising scourge

    A US Senator trying to eradicate the Internet scourge known as malvertising is proposing that all federal agencies block ads delivered to worker computers unless advertisers can ensure their networks are free of content that contains malicious code.

    In a letter sent today, Oregon Senator Ron Wyden asked White House Cybersecurity Coordinator Rob Joyce to begin discussions with advertising industry officials to ensure ads displayed on websites can't be used to infect US government computers. If, after 180 days, Joyce isn't "completely confident" the industry has curbed the problem, Wyden asked that Joyce direct the US Department of Homeland Security to issue a directive "requiring federal agencies to block the delivery to employees' computers of all Internet ads containing executable code."

    "Malware is increasingly delivered through code embedded in seemingly innocuous advertisements online," Wyden wrote. "Individuals do not even need to click on ads to get infected: this malicious software, including ransomware, is delivered without any interaction by the user."

  • Weekend code warriors prepare to clash in Codewarz

    If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.

    This is not a hacking competition—it’s strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even BASH. (Sorry, no one has asked them to support ADA or Eiffel yet.) There's no compiling required, either. Each submitted solution is run in an interpreted sandbox on a Linux machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).

Security: New Release of HardenedBSD, Windows Leaks Details of Windows Back Doors

Filed under
Security
  • Stable release: HardenedBSD-stable 11-STABLE v1100054
  • Kaspersky blames NSA hack on infected Microsoft software

    Embattled computer security firm Kaspersky Lab said Thursday that malware-infected Microsoft Office software and not its own was to blame for the hacking theft of top-secret US intelligence materials.

    Adding tantalizing new details to the cyber-espionage mystery that has rocked the US intelligence community, Kaspersky also said there was a China link to the hack.

  • Investigation Report for the September 2014 Equation malware detection incident in the US

    In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:

  • Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

    Kaspersky Lab, the US government's least favorite computer security outfit, has published its full technical report into claims Russian intelligence used its antivirus tools to steal NSA secrets.

    Last month, anonymous sources alleged that in 2015, an NSA engineer took home a big bunch of the agency's cyber-weapons to work on them on his home Windows PC, which was running the Russian biz's antimalware software – kind of a compliment when you think about it. The classified exploit code and associated documents on the personal system were then slurped by Kremlin spies via his copy of Kaspersky antivirus, it was claimed.

Security: Google, Vulnerabilities Equities Process (VEP), Quad9 and More

Filed under
Security
  • Google investigators find hackers swipe nearly 250,000 passwords a week

    Hackers are constantly trying to break into Google accounts, so Google researchers spent a year tracing how hackers steal passwords and expose them on the internet's black market.

    To gather hard evidence about the tools hackers use to swipe passwords, Google collaborated with University of California Berkeley cybersecurity experts to track activity on some of these markets. On Thursday, they published their results.

  • Time Will Tell if the New Vulnerabilities Equities Process Is a Step Forward for Transparency

    The White House has released a new and apparently improved Vulnerabilities Equities Process (VEP), showing signs that there will be more transparency into the government’s knowledge and use of zero day vulnerabilities. In recent years, the U.S. intelligence community has faced questions about whether it “stockpiles” vulnerabilities rather than disclosing them to affected companies or organizations, and this scrutiny has only ramped up after groups like the Shadow Brokers have leaked powerful government exploits. According to White House Cybersecurity Coordinator Rob Joyce, the form of yesterday’s release and the revised policy itself are intended to highlight the government’s commitment to transparency because it’s “the right thing to do.”

  • Security updates for Friday
  • Quad9 Secure DNS Service Embeds IBM Security Intelligence
  • New “Quad9” DNS service blocks malicious domains for everyone

    The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts—primarily targeted at organizations that don't run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google's), except that it won't return name resolutions for sites that are identified via threat feeds the service aggregates daily.

  • The Internet of Shit is so manifestly insecure that people are staying away from it in droves
  • Security updates for Thursday
  • [Ubuntu] Security Team Weekly Summary: November 16, 2017
  • Hacking Blockchain with Smart Contracts to Control a Botnet

    Blockchain has been hailed by some in the technology industry as a potential method to help improve cyber security. However, security researcher Majid Malaika warns that Blockchain can potentially be abused to enable a new form of botnet that would be very difficult to take down.

    Malaika detailed his Blockchain-powered botnet in a session at the SecTor security conference on Nov. 15. The overall attack method has been dubbed "Botract" by Malaika, as it abuses inherent functionality in the smart contracts that help to enable Blockchain.

  • What Can The Philosophy of Unix Teach Us About Security?

Security: Boeing 757, Security Education Companion, Kaspersky 'Damage Control' and FUD

Filed under
Security

Security: Jobs, Linux 4.14, Bruce Schneier, Spyhunter

Filed under
Security
  • Security updates for Wednesday
  • Security Jobs Are Hot: Get Trained and Get Noticed

    The demand for security professionals is real. On Dice.com, 15 percent of the more than 75K jobs are security positions. “Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek” (Forbes). We know that there is a fast-increasing need for security specialists, but that the interest level is low.

  • security things in Linux v4.14
  • Schneier: It's Time to Regulate IoT to Improve Cyber-Security

    The time has come for the U.S. government and other governments around the world to start regulating Internet of Things (IoT) security, according to Bruce Schneier, CTO of IBM's Resilient Systems.

    Schneier delivered his message during a keynote address at the SecTor security conference here. He noted that today everything is basically a computer, whether it's a car, a watch, a phone or a television. IoT today has several parts including sensors that collect data, computing power to figure out what to do with the collected data and then actuators that affect the real world.

  • Shady Anti-Spyware Developer Loses Lawsuit Against Competitor Who Flagged Its Software As Malicious

    Enigma Software makes Spyhunter, a malware-fighting program with a very questionable reputation. But the company isn't known so much for containing threats as it's known for issuing threats. It sued a review site for having the audacity to suggest its pay-to-clean anti-spyware software wasn't a good fit for most users… or really any users at all.

    Bleeping Computer found itself served with a defamation lawsuit for making fact-based claims (with links to supporting evidence) about Enigma's dubious product, dubious customer service tactics (like the always-popular "auto-renew"), and dubious lawsuits. Somehow, this dubious lawsuit managed to survive a motion to dismiss. Fortunately, Bleeping Computer was propped up by Malwarebytes' developers, who tossed $5,000 into Bleeping Computer's legal defense fund.

Security Leftovers

Filed under
Security
  • Survey of bug bounty hunters shows who pans for pwns

    Asking the crowd for help in fixing security problems is going mainstream. Microsoft, Facebook, and other tech giants have offered "bug bounties"—cash rewards or other prizes and recognition—to individuals discovering vulnerabilities in their products for years. (Ars even made it onto Google's security wall of fame in 2014 for reporting a Google search bug, though we didn't get a cash payout.)

  • Mother-Son Duo Fools iPhone X Face ID Like It’s No Big Deal

    Uploaded by Attaullah Malik on YouTube, the 41-second clip shows his 10-year-old son unlocking Face ID on an iPhone X which was configured to accept the mother’s face.

  • Watch a 10-Year-Old's Face Unlock His Mom's iPhone X


    Malik offered to let Ammar look at his phone instead, but the boy picked up his mother's, not knowing which was which. And a split second after he looked at it, the phone unlocked.

  • This 10-year-old was able to unlock his mom’s iPhone using Face ID


    Although Apple says Face ID is more secure than Touch ID, this raises questions about the possibility of false positives not only happening with twins and siblings around the same age, but with people of different sexes and significantly different ages. It is possible that the son’s age played a role as Apple has said that the “undeveloped facial features” in those under the age of 13 could cause issues with Face ID.

  • Safety alert: see how easy it is for almost anyone to hack [sic] your child’s connected toys

    Watch our video below to see just how easy it is for anyone to take over the voice control of a popular connected toy, and speak directly to your child through it. And we’re not talking professional hackers [sic]. It’s easy enough for almost anyone to do.

  • Trump administration to release rules on disclosure of cybersecurity flaws: NSA

    The Trump administration is expected to publicly release on 15 November its rules for deciding whether to disclose cybersecurity flaws or keep them secret, a national security official told Reuters.

Tails 3.3 is out

Filed under
Security
Debian

This release fixes many security issues and users should upgrade as soon as possible.


Security: USB Bugs, OnePlus 'Back Door', and ME 'Back Door'

Filed under
Security

Security: Kaspersky in the UK and Apple's Face ID

Filed under
Security

Security: Kaspersky, Shadow Brokers, Core Infrastructure Initiative, Face ID

Filed under
Security
  • The Daily Mail whisks up Kaspersky fears - but where's the meat?

    Make a note. Whenever you see the Daily Mail publish a headline which asks a question, the correct answer is invariably "no". If they had any reason to believe it was "yes", then they wouldn't have posed it as a question.

    The truth is that newspapers post these "Is the Loch Ness Monster on Tinder?"-style headlines because they know they'll get more clicks than if they use a headline which reflects the actual conclusion of the article.

  • NSA Cyber Weapons Turned Against Them in Hack

    A hack on the National Security Agency, claimed by a group called the “Shadow Brokers,” has caused a chilling effect on agency staffers, as they wonder whether it was a foreign hacker or someone on the inside.

  • Why the cybersecurity industry should care about Open Source maintenance

    In June of this year, Thales eSecurity joined the Core Infrastructure Initiative (CII), a project both founded and managed by The Linux Foundation, with the aim of collaboratively enhancing and strengthening the security and resilience of critical Open Source projects. Many of the world’s largest technology companies already belong to the CII, with Thales being officially recognised as the first global security firm to join the initiative.

  • You Can Easily Beat iPhone X Face ID Using This 3D-Printed Mask

    When it launched the iPhone X, Apple said that the company has worked with professional mask makers and Hollywood makeup artists. It was to make sure their facial recognition tech doesn’t fail when someone attempts to beat it.
