
Security

Security: Defcon, Carbon Black, Open-Source Cyber Fusion Centre, Open Source Security Podcast and Avaya

Filed under: Security

  • DARPA's $10 million voting machine couldn't be hacked at Defcon (for the wrong reasons)

    For the majority of Defcon, hackers couldn't crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn't because of the machine's security features that the team had been working on for four months. The reason: technical difficulties during the machines' setup.

    Eager hackers couldn't find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn't allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor.

    "They seemed to have had a myriad of different kinds of problems," the Voting Village's co-founder Harri Hursti said. "Unfortunately, when you're pushing the envelope on technology, these kinds of things happen."

    It wasn't until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.

  • At hacking conference, Pentagon's transparency highlights voting companies' secrecy

    At the country's biggest election security bonanza, the US government is happy to let hackers try to break into its equipment. The private companies that make the machines America votes on, not so much.

    The Def Con Voting Village, a now-annual event at the US's largest hacking conference, gives hackers free rein to try to break into a wide variety of decommissioned election equipment, some of which is still in use today. As in the previous two years, they found a host of new flaws.
    The hunt for vulnerabilities in US election systems has underscored tensions between the Voting Village organizers, who argue that it's a valuable exercise, and the manufacturers of voting equipment, who didn't have a formal presence at the convention.

  • Carbon Black Open-Source Binary Emulator Eases Malware Analysis

    Carbon Black, the cybersecurity and endpoint protection software provider, has unveiled the Binee open-source binary emulator for real-time malware analysis. The company announced Binee at last week’s DEF CON 27 hacker conference in Las Vegas, Nevada.

    [...]

    Carbon Black also has been gaining momentum with MSPs and MSSPs over the past few months. In fact, Carbon Black recorded revenue of $60.9 million and a net loss of $14.6 million in the second quarter of 2019; both of these figures generally beat Wall Street’s expectations.

  • Concordia receives $560K for a new Open-Source Cyber Fusion Centre

    The call for collaborative projects in the area of information communication technologies led to the genesis of the Open-Source Cyber Fusion Centre, a project that will provide companies with a wide array of tools and methodologies for cybersecurity.

    The project is a joint initiative with Carleton University and two industrial partners, eGloo and AvanTech, all of which have recognized expertise in open-source software application programming interfaces (APIs) and technology stacks.

    [...]

    The Open-Source Cyber Fusion Centre’s ongoing research will help strengthen and democratize the Canadian economy. By mitigating cyberthreats, projects of this kind promote entrepreneurship and help nurture a more diverse economy.

    In addition, the centre provides students with unique opportunities to participate in an ever-changing, complex cybersecurity industry that is becoming increasingly prevalent in Canada.

    SMEs can get in touch with the centre and its partners to receive support on their security operations. They can install advanced technologies in their corporate network as a free service to monitor the security of their operations.

  • Open Source Security Podcast Ep. 151 – The DARPA Cyber Grand Challenge with David Brumley

    Open Source Security Podcast helps listeners better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers, the pair covers a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day.

  • McAfee Discovers Vulnerability in Avaya VoIP Phones

    McAfee researchers have uncovered a remote code execution (RCE) vulnerability in open-source software from a popular line of Avaya VoIP phones.

    McAfee is warning organizations that use Avaya VoIP phones to check that firmware on the devices has been updated. Avaya’s install base covers 90% of the Fortune 100, with products targeting customers from small business and midmarket, to large corporations.

Security Leftovers

Filed under: Security

  • Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks

    The encryption key length negotiation process in Bluetooth BR/EDR Core v5.1 and earlier is vulnerable to packet injection by an unauthenticated, adjacent attacker that could result in information disclosure and/or escalation of privileges. This can be achieved using an attack referred to as the Key Negotiation of Bluetooth (KNOB) attack, which is when a third party forces two or more victims to agree on an encryption key with as little as one byte of entropy. Once the entropy is reduced, the attacker can brute-force the encryption key and use it to decrypt communications.

  • Security updates for Thursday

    Security updates have been issued by openSUSE (irssi, ledger, libheimdal, libmediainfo, libqb, and libsass) and Slackware (mozilla).

  • Inspect PyPI event logs to audit your account's and project's security

    To help you check for security problems, PyPI is adding an advanced audit log of user actions beyond the current (existing) journal. This will, for instance, allow publishers to track all actions taken by third party services on their behalf.

Guix Makes Bitcoin Core Development More Trustless

Filed under: GNU, Security

According to Dong, “Guix allows users to verify that the Bitcoin Core client they download corresponds exactly to the code that Bitcoin Core developers write. It mitigates attacks that target the way we turn our codebase into the client executables we release.”

In spite of the clear focus on the needs of developers, Guix is also something that users may need and want to use if they choose to be cautious about the software that they run.

At press time, Guix is only available for Ubuntu builds.


Security Leftovers

Filed under: Security

  • Security updates for Wednesday

    Security updates have been issued by Debian (kernel, linux-4.9, otrs2, and tomcat8), Fedora (igraph and jhead), openSUSE (ansible, GraphicsMagick, kconfig, kdelibs4, live555, mumble, phpMyAdmin, proftpd, python-Django, and znc), Oracle (kernel and openssl), Red Hat (kernel, openssl, and rh-mysql80-mysql), Scientific Linux (kernel and openssl), Slackware (kernel), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork and mariadb-100), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-aws-hwe, linux-lts-xenial, linux-aws, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux-snapdragon, php5, php7.0, php7.2, and wpa).

  • He tried to prank the DMV. Then his vanity license plate backfired big time.

    It seemed like a good idea at the time.

  • Thoughts from Defcon 27 – This is why I do what I do

    Every year, thousands of security professionals descend upon Las Vegas to take part in a series of conferences known as Hacker Summer Camp. This year, Black Hat, BSides Las Vegas, Defcon 27 and the Diana Initiative took up the majority of the conference space. So, what makes this one of the most relevant and successful security conferences?

Best Chromebook laptops for school

Filed under: GNU, Linux, Hardware, Security

You might think a Chromebook is limited because it can only run programs when it's online. That's not true. For example, you can still work with Google Docs when you're offline.

Also, you can now run many Android apps on Chromebooks. And, these days you can run a full Linux desktop on your new Intel-based Chromebook. Indeed, as my tech buddy Mike Elgan points out, today's high-end Chromebook laptops "run more apps without dual- or multi-booting than any other computing platform. Chromebook laptops can run apps from Android, Linux, and Windows concurrently in the same session."

In addition, as FutureSource points out, when it comes to school work, Chromebook laptops combine "affordable devices, productivity tools via G-Suite, easy integration with third-party platforms/tools, task management/distribution via Google Classroom, and easy device management remains extremely popular with US teachers and IT buyers alike."

One unsung advantage of Chromebook laptops is that, if your dog ate the Chromebook, you wouldn't have lost your work. All you need do is get another one, log on, and you're back in business with all your e-mail, documents, and calendars intact and ready to go. Another sweet deal that comes when you buy a Chromebook is that you can get 100GB of free Google One cloud storage for a year. That's more than enough room for your homework.

And, since it's easy to erase a Chromebook and then reset it to your account, this is safer than using a used Windows laptop.


LibreOffice 6.2.6 is ready, all users should update for enhanced security

Filed under: LibO, Security

The Document Foundation announces LibreOffice 6.2.6, the sixth minor release of the LibreOffice 6.2 family, targeted at users in production environments. All users of LibreOffice 6.1.x and LibreOffice 6.2.x versions should upgrade immediately for enhanced security, as the software includes both security fixes and some months of back-ported fixes.


Pi-Hole - The DNS Triangle

Filed under: GNU, Linux, Security, HowTos

At the end of the day, I had Pi-hole running, but the setup was far from trivial. There were four or five cardinal problems, and none of these should have happened, because the installation wizard could have gone through separate checks to make sure things were working. Part of the first-time run could be the service check, and if there are issues there, some sort of self-diagnosis to make sure FTL is up and running. The same applies to the Web service. Then, there's the password reset and list update. All of these would make the experience much more streamlined.

As a product, Pi-Hole is a very nice and powerful tool. It does its job extremely well, it's fast, effective and robust, and the Web UI is nicely designed. You also gain some on the traffic side, as there's less content that needs to be served, and fewer queries to be resolved, hence performance improvement for the stuff that matters. The setup isn't trivial but it is achievable, and you have a lot of flexibility in how you wire up your network. You could have Pi-Hole as a standalone system, or it could serve all the different devices in your home. All in all, this is the doomsday weapon for if and when the Internet turns rogue on you. Well worth testing, but remember the second rule of thermodynamics. You can't have trivial and complex at the same time.


Security: PGP & GPG, Flaws, and Nmap 7.80

Filed under: Security

  • The Impending Demise of “PGP & GPG”

    My No Starch books normally sell out their print run, get reprinted a few times, and fade into Out Of Print status. But PG3 never sold out its initial print run.

  • Down the Rabbit-Hole...

    It took a lot of effort and research to reach the point that I could understand enough of CTF to realize it’s broken. These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.

    Now that there is tooling available, it will be harder for these bugs to hide going forward.

  • Flaws in 4G Routers of various vendors put millions of users at risk

    “Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which – and I really cannot stress this enough – are mainly bad.”

  • Hack in the box: Hacking into companies with “warshipping”

    Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping."

    Using less than $100 worth of gear—including a Raspberry Pi Zero W, a small battery, and a cellular modem—the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque. At the Black Hat security conference here last week, Ars got a close look at the hardware that has weaponized cardboard.

  • These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

    It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

  • Nmap Defcon Release! 80+ improvements include new NSE scripts/libs, new Npcap, etc.

    Nmap 7.80 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: [...]

Stable release: HardenedBSD-stable 12-STABLE v1200059.3

Filed under: Security, BSD

HardenedBSD-12-STABLE-v1200059.3


Linux Stressed in Fedora, Red Hat/IBM and Security

Filed under: Red Hat, Security

  • Fedora Developers Discuss Ways To Improve Linux Interactivity In Low-Memory Situations

    While hopefully the upstream Linux kernel code can be improved to benefit all distributions for low-memory Linux desktops, Fedora developers at least are discussing their options for in the near-term improving the experience. With various easy "tests", it's possible to easily illustrate just how poorly the Linux desktop responds when under memory pressure. Besides the desktop interactivity becoming awful under memory pressure, some argue that an unprivileged task shouldn't be able to cause such behavior to the system in the first place.

  • How open source can help banks combat fraud and money laundering

    Jump ahead a few years to the Fourth EU AML Directive - a regulation which required compliance by June 2017 - demanding enhanced Customer Due Diligence procedures must be adhered to when cash transactions reach an aggregated amount of more than $11,000 U.S. dollars (USD). (The Fifth EU AML Directive is on the way, with a June 2020 deadline.) In New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Amendment Act of 2017 it is stated that banks and other financial entities must provide authorities with information about clients making cash transactions over $6,500 USD and international monetary wire transfers from New Zealand exceeding $650 USD. In 2018, the updated open banking European Directive on Payment Services (PSD2) that requires fraud monitoring also went into effect. And the Monetary Authority of Singapore is developing regulations regarding the use of cryptocurrencies for terrorist funding and money laundering, too.

  • Automate security in increasingly complex hybrid environments

    As new technologies and infrastructure such as virtualization, cloud, and containers are introduced into enterprise networks to make them more efficient, these hybrid environments are becoming more complex—potentially adding risks and security vulnerabilities.

    According to the Information Security Forum’s Global Security Threat Outlook for 2019, one of the biggest IT trends to watch this year is the increasing sophistication of cybercrime and ransomware. And even as the volume of ransomware attacks is dropping, cybercriminals are finding new, more potent ways to be disruptive. An article in TechRepublic points to cryptojacking malware, which enables someone to hijack another's hardware without permission to mine cryptocurrency, as a growing threat for enterprise networks.

    To more effectively mitigate these risks, organizations could invest in automation as a component of their security plans. That’s because it takes time to investigate and resolve issues, in addition to applying controlled remediations across bare metal, virtualized systems, and cloud environments -- both private and public -- all while documenting changes.

  • Josh Bressers: Appsec isn’t people

    The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs.

    Humans are never going to write bug free code, this isn’t a controversial subject. Pretending we can somehow teach people to write bug free code would be a monumental waste of time and energy so we don’t even try.

    Now it’s time for a logic puzzle. We know that we can’t train humans to write bug free code. All security vulnerabilities are bugs. So we know we can’t train humans to write vulnerability free code. Well, we don’t really know it, we think we can if you look at history. The last twenty years has had an unhealthy obsession with getting humans to change their behaviors to be “more secure”. The only things that have come out of these efforts are 1) nobody likes security people anymore 2) we had to create our own conferences and parties because we don’t get invited to theirs 3) they probably never liked us in the first place.
