Security: Updates, Reproducible Builds, T-Mobile, ATMs, Microsoft Outlook "Fake Crypto" and Accenture

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #128
  • T-Mobile customer data plundered thanks to bad API

    A bug disclosed and patched last week by T-Mobile in a Web application interface allowed anyone to query account information by simply providing a phone number. That includes customer e-mail addresses, device identification data, and even the answers to account security questions. The bug, which was patched after T-Mobile was contacted by Motherboard's Lorenzo Franceschi-Bicchierai on behalf of an anonymous security researcher, was apparently also exploited by others, giving them access to information that could be used to hijack customers' accounts and move them to new phones. Attackers could potentially gain access to other accounts protected by SMS-based "two factor" authentication simply by acquiring a T-Mobile SIM card.
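
The failure described above is an object-level authorization gap: the endpoint takes a phone number as its only input and never checks that the caller is entitled to that subscriber's record. The following is an added illustration, not T-Mobile's code; the account records, session tokens and field names are constructed for the example, and the real interface's behaviour is not known beyond what the article states.

```python
"""Unauthenticated lookup versus an ownership-checked lookup.

Added example, not T-Mobile's code. All records, tokens and field
names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    phone: str
    email: str
    device_id: str        # device identification data
    security_answer: str  # answer to the account security question


# Constructed sample subscribers.
ACCOUNTS = {
    "15555550100": Account("15555550100", "alice@example.com", "IMEI-000001", "Rover"),
    "15555550101": Account("15555550101", "bob@example.com", "IMEI-000002", "Blue"),
}

# Constructed session store: token -> phone number the session was authenticated for.
SESSIONS = {"tok-alice": "15555550100"}


class AuthorizationError(Exception):
    pass


def lookup_insecure(phone: str) -> dict:
    """The broken pattern: the phone number is the only input, so anyone who
    can reach the endpoint can pull any subscriber's record."""
    acct = ACCOUNTS[phone]
    return {
        "email": acct.email,
        "device_id": acct.device_id,
        "security_answer": acct.security_answer,
    }


def enumerate_insecure(phones) -> list:
    """What an attacker does with the broken endpoint: walk a list of numbers
    and harvest every record, no credentials required."""
    out = []
    for phone in phones:
        if phone in ACCOUNTS:
            out.append((phone, lookup_insecure(phone)))
    return out


def lookup_secure(session_token: str, phone: str) -> dict:
    """Hardened pattern: authenticate the caller, then require that the
    requested record belongs to the caller. Security answers are never
    returned; they are only ever compared server side."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise AuthorizationError("not authenticated")
    if owner != phone:
        # Same error whether or not the number exists, so the endpoint
        # cannot be used to enumerate valid subscribers either.
        raise AuthorizationError("forbidden")
    acct = ACCOUNTS[phone]
    return {"email": acct.email, "device_id": acct.device_id}


if __name__ == "__main__":
    print(enumerate_insecure(["15555550100", "15555550101", "15555550102"]))
    print(lookup_secure("tok-alice", "15555550100"))
```

The point of `lookup_secure` is that the phone number in the request is compared against the identity established by the session, not trusted on its own; the hardened response also drops the security answer entirely, since there is no legitimate reason for a client to read it back.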

  • Criminals stole millions from E. Europe banks with ATM “overdraft” hack

    Banks in several former Soviet states were hit with a wave of debit card fraud earlier this year that netted millions of dollars worth of cash. These bank heists relied on a combination of fraudulent bank accounts and hacking to turn nearly empty bank accounts into cash-generating machines. In a report being released by TrustWave's SpiderLabs today, SpiderLabs researchers detailed the crime spree: hackers gained access to bank systems and manipulated the overdraft protection on accounts set up by proxies and then used automated teller machines in other countries to withdraw thousands of dollars via empty or nearly empty accounts.

    While SpiderLabs' investigation accounted for about $40 million in fraudulent withdrawals, the report's authors noted, "when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD." This criminal enterprise was a hybrid of traditional credit fraud and hacking. It relied on an army of individuals with fake identity documents, as these folks were paid to set up accounts at the targeted institutions with the lowest possible deposit. From there, individuals requested debit cards for the accounts, which were forwarded to co-conspirators in other countries throughout Europe and in Russia.

  • Buggy Microsoft Outlook Sending Encrypted S/MIME Emails With Plaintext Copy For Months

    Beware: if you are using the S/MIME protocol in Microsoft Outlook to encrypt your email communication, you need to watch out.

    For at least the last six months, your messages have been sent in both encrypted and unencrypted forms, exposing all your secret and sensitive communications to potential eavesdroppers.

    S/MIME, or Secure/Multipurpose Internet Mail Extensions, is an end-to-end encryption protocol—based on public-key cryptography and works just like SSL connections—that enables users to send digitally signed and encrypted messages.

  • Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure (CVE-2017-11776)

    Outlook version XXX (we are still waiting for Microsoft to release detailed information and update the blog accordingly) was the first affected version. So any S/MIME encrypted mail written since that date might be affected.

    Unfortunately there is no easy solution to remediate the impact of this vulnerability (we are still waiting for Microsoft to release detailed information and update the blog).

    In cases where mails have been sent to third parties (the recipient is outside of the sender’s organization), remediation is not possible by the sending party, since the sender has no authority over the recipient’s mail infrastructure.
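
The two items above describe the same defect: a message that carries an S/MIME enveloped-data part but also ships a readable copy of the body in the same MIME tree. The check below is an added example, not code from either article or from Microsoft; it builds one correctly enveloped message and one that leaks, then walks the MIME structure looking for a non-empty text part next to an enveloped-data part. The ciphertext bytes are a constructed placeholder, not a real CMS structure, and the recipient addresses are made up.

```python
"""Detect an S/MIME message that also carries its body in the clear.

Added example, not code from the cited articles or from Microsoft.
Sample messages and the placeholder ciphertext are constructed.
"""
from email import message_from_string, policy
from email.message import EmailMessage

ENVELOPED_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

# Constructed placeholder; a real message carries a CMS EnvelopedData blob here.
FAKE_CIPHERTEXT = b"\x30\x82\x01\x00" + b"\xab" * 64


def _smime_part(msg: EmailMessage, ciphertext: bytes, attach: bool) -> None:
    kwargs = dict(
        maintype="application",
        subtype="pkcs7-mime",
        filename="smime.p7m",
        params={"smime-type": "enveloped-data", "name": "smime.p7m"},
    )
    if attach:
        msg.add_attachment(ciphertext, **kwargs)
    else:
        msg.set_content(ciphertext, **kwargs)


def build_enveloped(ciphertext: bytes, body_in_clear: bool = False) -> EmailMessage:
    """Correct form: the whole message body is the enveloped-data part.
    With body_in_clear=True the plaintext is kept as a sibling part, which
    is the shape of the disclosure described above."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"   # constructed
    msg["To"] = "bob@example.net"       # constructed
    msg["Subject"] = "quarterly numbers"
    if body_in_clear:
        msg.set_content("The quarterly numbers are attached. Confidential.")
        _smime_part(msg, ciphertext, attach=True)
    else:
        _smime_part(msg, ciphertext, attach=False)
    return msg


def plaintext_leaks(msg: EmailMessage) -> list:
    """Return the content types of readable text parts that sit alongside an
    enveloped-data part. Empty list means either no encryption or no leak."""
    enveloped = False
    readable = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENVELOPED_TYPES and part.get_param("smime-type") == "enveloped-data":
            enveloped = True
        elif part.get_content_maintype() == "text" and part.get_content().strip():
            readable.append(ctype)
    return readable if enveloped else []


def check_raw(raw: str) -> list:
    """Same check on a message as it would be seen on the wire or in a
    mail log, e.g. from a sent-items export."""
    return plaintext_leaks(message_from_string(raw, policy=policy.default))


if __name__ == "__main__":
    good = build_enveloped(FAKE_CIPHERTEXT)
    bad = build_enveloped(FAKE_CIPHERTEXT, body_in_clear=True)
    print("correct message leaks:", plaintext_leaks(good))
    print("buggy message leaks:", plaintext_leaks(bad))
    print("from raw text:", check_raw(bad.as_string()))
```

Run over an outbox or a mail-gateway capture, `check_raw` is the quickest way to find out whether messages that were supposed to be confidential actually left with a readable body; for mail already delivered to external recipients it only tells you what was exposed, which matches the remediation caveat above.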

  • Accenture data leak: 'Keys to the kingdom' left exposed via multiple unsecured cloud servers

    A massive trove of sensitive corporate and customer data was left freely exposed to the public by Accenture, one of the world's biggest management firms. The tech giant left at least four cloud storage servers, which contained highly sensitive decryption keys and passwords, exposed to the public, without any password protections.

More in Tux Machines

GNU: GnuCash 2.6.19 and GCC 7.3 Status Report

  • GnuCash 2.6.19
    GnuCash is a personal and small business finance application, freely licensed under the GNU GPL and available for GNU/Linux, BSD, Solaris, Mac OS X and Microsoft Windows. It’s designed to be easy to use, yet powerful and flexible. GnuCash allows you to track your income and expenses, reconcile bank accounts, monitor stock portfolios and manage your small business finances. It is based on professional accounting principles to ensure balanced books and accurate reports. GnuCash can keep track of your personal finances in as much detail as you prefer. If you are just starting out, use GnuCash to keep track of your checkbook. You may then decide to track cash as well as credit card purchases to better determine where your money is being spent. When you start investing, you can use GnuCash to help monitor your portfolio. Buying a vehicle or a home? GnuCash will help you plan the investment and track loan payments. If your financial records span the globe, GnuCash provides all the multiple-currency support you need.
  • GCC 7.3 Status report
    GCC 7 is in regression and documentation fixes mode and it is time to think about backports you want/need to do for GCC 7.3. The plan is to do a release candidate for GCC 7.3 in the second week of January, followed by a release a week after that.
  • GCC 7.3 Is Being Released Next Month
    Richard Biener of SUSE is preparing to release GCC 7.3 next month. GCC 7 has been in only a regression/bug-fix mode for many months now and GCC 7.3 will be the latest installment of that with all of the latest fixes. But right now there are twenty-two more P2 regressions (161 in total) since the last update and overall that puts them at 174 P1-P3 regressions.

Applications: Gradio, PDF Editors (LibreOffice), Cozy, MuPDF, Atom and More

  • New Version of Linux Radio Player ‘Gradio’ Released
    Talking of finding stations, the ‘add station’ and ‘search’ pages are now combined, while the Library no longer contains a separate tab for collections. The collection feature is still included, but is now surfaced when selecting multiple stations in the library. Various parts of the UI have been tweaked, including the selection toolbar, application menu and the collections popover. And, for peace of mind, your connection to the community-powered radio-browser.info database is now encrypted.
  • Best Free PDF Editors For PC, Mac, Linux, Android & iOS
    LibreOffice is one of the best free Office alternatives to the Microsoft Office suite. You also get the ability to open and edit PDF files. If your PDF file contains just pictures/graphics, LibreOffice will automatically suggest the drawing tools to let you modify it. In the case of text-oriented documents, you will get the necessary word formatting tools to help you edit it. The user interface may not be the best around, but LibreOffice is free-to-use open-source software with no purchases required.
  • Linux Release Roundup: Cozy, MuPDF, Atom + More
    It’s a Sunday, which means it’s time for me to round up a rabble of recent Linux releases that didn't get a mention during the week. With a lot of people busy getting ready for Christmas (and other festivals that happen this time of year) there aren’t too many major releases to mention from the past week, but there is a modest set of minor updates issued you may want to know about. This might be the final Linux Release Roundup before Xmas. If, like some sort of weekly Santa, you only pop by to read these posts, I’ll use this moment to say thank you, and wish you a merry denominationally-appropriate holiday.

today's howtos

Graphics: XWayland, AMD, and DRM

  • GNOME's Mutter Now Supports XWayland Keyboard Grabbing, XDG-Output
    More (X)Wayland improvements are en route for GNOME 3.28. The latest addition to the Mutter Wayland compositor is handling of XWayland keyboard grab support, so an XWayland/X11 client can exclusively grab the keyboard input. As part of that, there is a new setting for controlling whether XWayland clients can do keyboard grabs.
  • The Architecture Of XWayland To Let X11 Apps Run On Wayland
    Pekka Paalanen of Collabora has begun the overdue task of providing documentation on XWayland. While XWayland has been around for a few years, allowing X11 applications/games to run atop an X.Org Server, up to now it's not been officially documented. Pekka has taken up the task of starting to document XWayland within the Wayland Git repository's documentation.
  • OpenGL 4.3 Support Lands In R600 Gallium3D Driver
    In between hacking on the RADV Vulkan driver, David Airlie has found the time to land his patches enabling OpenGL 4.3 and GLSL 430 support within Mesa 17.4-dev Git for the R600g driver. The R600g driver is now able to officially expose OpenGL 4.3 support. But the big caveat is that this is only for R600g hardware exposing FP64 support right now... That means just the Radeon HD 5800 series and HD 6900 Cayman series... All the rest of the HD 5000/6000 series and other R600g-supported hardware is still limited to OpenGL 3.3 support.
  • RADV Vulkan Driver Lands Support For External Fences
    Even with AMD open-sourcing their official Vulkan driver any day now, David Airlie, Bas Nieuwenhuizen, and others independently continue to advance the dissenting RADV Vulkan driver. The latest to report on RADV is that it now supports external fences and the associated VK_KHR_external_fence_fd extension. External fences in Vulkan are about allowing synchronized access to external memory using fences. Vulkan external memory in turn is about memory outside of the scope of the logical device and can be used for multi-process/device handling; among the current use-cases for Vulkan external memory is SteamVR on Linux.
  • Libdrm 2.4.89 Released With Leasing & Synchronization Object APIs
    The libdrm Mesa DRM library that principally sits as the interface between Mesa and the kernel Direct Rendering Manager drivers is out with a big update. David Airlie released libdrm 2.4.89 as the latest version of this important library. New in this libdrm update is the new DRM mode lease ioctl wrappers, part of Keith Packard's work on DRM leasing added to the Linux 4.15 kernel as part of improving VR HMD support on Linux.