Language Selection

English French German Italian Portuguese Spanish

Security: Updates, Reproducible Builds, T-Mobile, ATMs, Microsoft Outlook "Fake Crypto" and Accenture

Filed under
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #128
  • T-Mobile customer data plundered thanks to bad API

    A bug disclosed and patched last week by T-Mobile in a Web application interface allowed anyone to query account information by simply providing a phone number. That includes customer e-mail addresses, device identification data, and even the answers to account security questions. The bug, which was patched after T-Mobile was contacted by Motherboard's Lorenzo Franceschi-Bicchierai on behalf of an anonymous security researcher, was apparently also exploited by others, giving them access to information that could be used to hijack customers' accounts and move them to new phones. Attackers could potentially gain access to other accounts protected by SMS-based "two factor" authentication simply by acquiring a T-Mobile SIM card.

  • Criminals stole millions from E. Europe banks with ATM “overdraft” hack

    Banks in several former Soviet states were hit with a wave of debit card fraud earlier this year that netted millions of dollars worth of cash. These bank heists relied on a combination of fraudulent bank accounts and hacking to turn nearly empty bank accounts into cash-generating machines. In a report being released by TrustWave's SpiderLabs today, SpiderLabs researchers detailed the crime spree: hackers gained access to bank systems and manipulated the overdraft protection on accounts set up by proxies and then used automated teller machines in other countries to withdraw thousands of dollars via empty or nearly empty accounts.

    While SpiderLabs' investigation accounted for about $40 million in fraudulent withdrawals, the report's authors noted, "when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD." This criminal enterprise was a hybrid of traditional credit fraud and hacking. It relied on an army of individuals with fake identity documents, as these folks were paid to set up accounts at the targeted institutions with the lowest possible deposit. From there, individuals requested debit cards for the accounts, which were forwarded to co-conspirators in other countries throughout Europe and in Russia.

  • Buggy Microsoft Outlook Sending Encrypted S/MIME Emails With Plaintext Copy For Months

    Beware, If you are using S/MIME protocol over Microsoft Outlook to encrypt your email communication, you need to watch out.

    From at least last 6 months, your messages were being sent in both encrypted and unencrypted forms, exposing all your secret and sensitive communications to potential eavesdroppers.

    S/MIME, or Secure/Multipurpose Internet Mail Extensions, is an end-to-end encryption protocol—based on public-key cryptography and works just like SSL connections—that enables users to send digitally signed and encrypted messages.

  • Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure (CVE-2017-11776)

    Outlook version XXX (we are still waiting for Microsoft to release detailed information and update the blog accordingly) was the first affected version. So any S/MIME encrypted mail written since that date might be affected.

    Unfortunately there is no easy solution to remediate the impact of this vulnerability (we are still waiting for Microsoft to release detailed information and update the blog).

    In cases where mails have been send to third parties (recipient is outside of the sender’s organization) remediation is not possible by the sending party, since the sender has no authority over the recipient’s mail infrastructure.

  • Accenture data leak: 'Keys to the kingdom' left exposed via multiple unsecured cloud servers

    A massive trove of sensitive corporate and customer data was left freely exposed to the public by Accenture, one of the world's biggest management firms. The tech giant left at least four cloud storage servers, which contained highly sensitive decryption keys and passwords, exposed to the public, without any password protections.

More in Tux Machines

today's howtos

Games Chronicon, BROKE PROTOCOL, Internet Archive

  • 2D action RPG 'Chronicon' to arrive on Linux with the next big update
    The colourful action RPG Chronicon [Steam, Official Site] should arrive on Linux with the next big update, the developer has said.
  • BROKE PROTOCOL is like a low-poly GTA Online and it's coming to Linux
    BROKE PROTOCOL [Steam], a low-poly open-world action game that's a little like GTA Online and it's coming to Linux.
  • The Internet Archive Just Uploaded a Bunch of Playable, Classic Handheld Games
    The non-profit Internet Archive is perhaps best known for its Wayback Machine that takes snap shots of web sites so you can see what they looked like in the past. However, it also has a robust side project where it emulates and uploads old, outdated games that aren’t being maintained anymore. Recently, the organization added a slew of a unique kind of game that’s passed into memory: handheld LCD electronic games. The games–like Mortal Kombat, depicted above–used special LCD screens with preset patterns. They could only display the exact images in the exact place that they were specified for. This meant the graphics were incredibly limited and each unit could only play the one game it was designed to play. A Game Boy, this was not.
  • Internet Archive emulator brings dozens of handheld games back from obscurity
    Over the weekend, the Internet Archive announced it was offering a new series of emulators. This time, they’re designed to mimic one of gaming’s most obscure artifacts — handheld games. When I say a “handheld game,” I don’t mean the Game Boy or the PSP — those are handheld consoles. These are single-game handheld or tabletop devices that look and feel more like toys. The collection includes the very old, mostly-forgotten games sold in mini-handhelds from the 80s onward.

Linux Foundation Videos and Projects

LibrePlanet free software conference celebrates 10th anniversary, this weekend at MIT, March 24-25

This weekend, the Free Software Foundation (FSF) and the Student Information Processing Board (SIPB) at the Massachusetts Institute of Technology (MIT) present the tenth annual LibrePlanet free software conference in Cambridge, March 24-25, 2018, at MIT. LibrePlanet is an annual conference for people who care about their digital freedoms, bringing together software developers, policy experts, activists, and computer users to learn skills, share accomplishments, and tackle challenges facing the free software movement. LibrePlanet 2018 will feature sessions for all ages and experience levels. LibrePlanet's tenth anniversary theme is "Freedom Embedded." Embedded systems are everywhere, in cars, digital watches, traffic lights, and even within our bodies. We've come to expect that proprietary software's sinister aspects are embedded in software, digital devices, and our lives, too: we expect that our phones monitor our activity and share that data with big companies, that governments enforce digital restrictions management (DRM), and that even our activity on social Web sites is out of our control. This year's talks and workshops will explore how to defend user freedom in a society reliant on embedded systems. Read more Also: FSF Blogs: Friday Free Software Directory IRC meetup time: March 23rd starting at 12:00 p.m. EDT/16:00 UTC