Security updates for Tuesday

A year with Spectre: a V8 perspective

On January 3, 2018, Google Project Zero and others disclosed the first three of a new class of vulnerabilities that affect CPUs that perform speculative execution, dubbed Spectre and Meltdown. Using the speculative execution mechanisms of CPUs, an attacker could temporarily bypass both implicit and explicit safety checks in code that prevent programs from reading unauthorized data in memory. While processor speculation was designed to be a microarchitectural detail, invisible at the architectural level, carefully crafted programs could read unauthorized information in speculation and disclose it through side channels such as the execution time of a program fragment.

When it was shown that JavaScript could be used to mount Spectre attacks, the V8 team became involved in tackling the problem. We formed an emergency response team and worked closely with other teams at Google, our partners at other browser vendors, and our hardware partners. In concert with them, we proactively engaged in both offensive research (constructing proof-of-concept gadgets) and defensive research (mitigations for potential attacks).

The Purism Librem Key

The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. It also has some features that make it a good general-purpose OpenPGP smart card. This article looks at how the Librem Key stacks up against other multi-factor tokens like the YubiKey 5 and also considers what makes the Librem Key a unique trusted-computing tool.

Purism is a new player in the security key and multi-factor authentication markets. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication.

In addition, like the YubiKey 5 series, the Librem Key also provides OpenPGP support with cryptographic functions that take place securely on-key. This allows users to generate and use GnuPG public and private keys without exposing any secret key material to the host computer where the USB device is attached.

The Librem Key is based on the German-manufactured Nitrokey Pro 2, but it has been modified to focus on "trusted boot" when used with Purism's Linux laptops. (I take a closer look at what the trusted boot process is and how the Librem Key fits into that process, later in this article.)

Atom-based network security appliances focus on industrial control

Lanner’s Apollo Lake based “LEC-6041” and Bay Trail “LEC-6032” are Linux-supported network security appliances for industrial control monitoring with up to 7x GbE ports, including SFP ports, plus magnetic isolation and extended temp support.

Guess Who Fooled The Nokia9 PureView – A Pack Of Chewing Gum!

We are all aware that smartphone security options such as fingerprint scanners and facial recognition aren’t 100% secure. This has been proved further with the case of the Nokia 9 PureView, which appears to have been unlocked by a pack of chewing gum.

As per a couple of tweets, the Nokia 9 PureView is reportedly getting unlocked via unidentified fingerprints of another user and a pack of chewing gum.

Linux Distributions Should Enhance how Sudo Asks for Passwords

One thing to be noticed from the picture above is that the password is hidden. When users write anything at that time, nothing will be displayed on the screen, not even asterisks. They’ll have to trust that there’s something written in the terminal and just write their passwords and hit Enter.

Historically, this is done for both ease of implementation and security reasons. It makes it difficult for people standing near your shoulder from knowing your password length. If they don’t know your password length, it would be harder for them to guess it. They can, of course, listen to the keystrokes you are hitting and try to guess how many characters did you hit? But that’s more difficult than just looking at the screen and counting the number of asterisks there.

Also, when they see that your password is too long, they might not even try to use your computer and guess your password. But if your password is less than few characters, it will give them hope.

Additionally, in terms of implementation, displaying an asterisk instead of the password character requires more code and work to do. In the terminal, when you write normal commands and you see them in the terminal, it’s because the “echo mode” is set to On, meaning that all characters will be displayed on your screen. In sensitive commands, however, such as sudo or passwd, “echo mode” is set to Off, which simply doesn’t take the extra step of printing those characters to the screen. So that’s less work and code to do, and it went on like that since the Unix days to simply hide the password characters

Top 10 Best Linux Password Managers In 2019

If you are a Linux users and struggling to get a proper password manager then this post is for you. In this post, We have listed the best (at least for us) Linux password managers for you.

Your Netflix Bandersnatch Choices Can Be Tracked By Hackers

Netflix took the video streaming industry by storm when it debuted Black Mirror: Bandersnatch last year. The “choose your own adventure” themed movie puts viewers in charge of the story and flow of the movie. The success of Bandersnatch even led to the creation of a second interactive show ‘You vs. Wild’ featuring Bear Grylls.

Proactively Identifying Compromised Passwords | Roadmap to Securing Your Infrastructure

The latest Windows patch is breaking even more PCs with antivirus installed

Earlier this week we reported that Microsoft halted updates to Windows PCs running Sophos and Avast’s security solutions, following user complaints that their machines were locking up or failing to boot. Since then, the list of known issues for the rogue update was itself updated to acknowledge compatibility issues with Avira and ArcaBit antivirus installed, with Microsoft temporarily blocking updates to those affected systems, too. Today, Ars Technica noticed that Microsoft is investigating compatibility issues for systems with McAfee antivirus installed, though it hasn’t started blocking the April 9 update from those PCs just yet.

‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware [iophk: "It looks like they squeezed malware tech with a “plea bargain”. So I would take reports of a guilty plea with a large grain of salt. They probably threatened him with 1000s of years in prison as an alternative. The plea “deal” is not mentioned in the summary, thus misleading the public about the situation."]

Marcus Hutchins, a security researcher known for helping stop the destructive WannaCry ransomware, plead guilty to hacking crimes on Friday.

Hutchins was accused of writing a banking malware called Kronos in 2014, after he finished high school. The researcher was arrested in Las Vegas after attending the hacker conference Def Con in 2017. Days later, he plead not guilty in a Milwaukee courtroom. He was scheduled to be tried this summer.

Google will begin to block sign-ins from embedded browser frameworks in June

Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it’ll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.

A deeper look into OpenVPN: Security vulnerabilities

OpenVPN is the backbone of online security. It is supported in many popular virtual private network (VPN) providers such as NordVPN and ExpressVPN, and continues to receive frequent updates well into its 17th year in operation.

It’s an unwritten rule of information technology, however, that popular security protocols will attract the largest contingent of hackers. As OpenVPN is open source, it is therefore much easier for hackers to locate and exploit security vulnerabilities within the software design.

Nevertheless, the value of the open-source model is that it promotes open collaboration, thus encouraging other programmers to suggest changes to the design. This way, security vulnerabilities can be communicated directly to the developers, who then have the option to patch the software and eliminate the vulnerability.

DARPA’s New/Old Plan for a Hack-Proof Voting Machine

The Pentagon’s top research arm is working to build a hack-proof voting machine by combining something brand new with something old – specifically, secure open-source hardware and software using advanced cryptography on one end, and good old paper on the other.

The Defense Advanced Research Projects Agency (DARPA) recently awarded the tech company Galois a $10 million contract for the project, which grew out of a broader agency project to remedy hardware vulnerabilities, the snappily named SSITH, for System Security Integrated Through Hardware and Firmware.

Galois, which focuses on ensuring the trustworthiness of hardware and software, will design the system, which will start with a different approach used by established voting machine makers, who have come under criticism over the vulnerabilities in their systems, Motherboard reported. For one, it will use open-source software, rather than the proprietary systems used by companies such as Election Systems & Software. It also will use open-source hardware, built from designs developed under the SSITH program.

New Attacks (and Old Attacks Made New)

This is shown again in Fortinet's latest Global Threat Landscape Report for the fourth quarter of 2018, where we reported that exploits that targeted individual organizations — often variations of existing malware or the misuse of FOSS (free/open source software) security tools — continue to grow at a rapid pace: 10% over the quarter, while the number of unique exploits they experienced increased by 5%. This suggests that, despite some reports suggesting that malicious actors follow the same work routines as their victims, cybercriminals didn't take much of a break over the holidays. And as you would expect, all of this malware — especially botnets — is becoming more complex and harder to detect.

Security flaw in French government messaging app exposed confidential conversations

Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open-source project called Riot, which is based on an open-source protocol called Matrix.

In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol that is widely used by consumer apps, such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversions — Messenger and Allo conversations aren’t end-to-end encrypted by default.

French Government's 'Secure' WhatsApp Replacement Hacked In Just 90 Minutes

In order to better protect official conversations, the French government developed its own secure instant messaging alternative to WhatsApp.

Riccardo Padovani: Responsible disclosure: improper access control in Gitlab private project.

As I said back in September with regard to a responsible disclosure about Facebook, data access control isn’t easy. While it can sound quite simple (just give access to the authorized entities), it is very difficult, both on a theoretical side (who is an authorized entity? What does authorized mean? And how do we identify an entity?) and on a practical side.

Integrating Password and Privilege Management for Unix and Linux Systems[Ed: More spammy pages under the guise of "whitepaper"]

Unix and Linux build the foundation for most business-critical systems. Thus, they present target-rich environments for cyber-attackers. Privileged Access Management (PAM) helps to mitigate such risks. To succeed, security teams must follow an integrated approach, covering both privilege elevation and centralized management of shared account credentials.

How Not to Acknowledge a Data Breach

My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

Facebook stored millions of Instagram passwords in plain text

Facebook says it stored millions of Instagram users’ passwords in plain text, leaving them exposed to people with access to certain internal systems. The security lapse was first reported last month, but at the time, Facebook said it only happened to “tens of thousands of Instagram users,” whereas the number is now being revised up to “millions.” The issue also affected “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.”

Update: Facebook passwords for hundreds of millions of users were exposed to Facebook employees

Facebook confirmed March 21 that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees—including millions more Instagram users than previously thought. Affected users will be notified, Facebook said, so they can change those passwords.

Facebook 'unintentionally' uploaded 1.5 million people's email contacts without asking

This is how it unfolded: a security researcher spotted that Facebook was asking some users to put in their email passwords when they signed up with a new account to verify their identity. Business Insider then experimented with what would happen if you were brave/mad enough to do so and found that a message popped up saying it was "importing" its contacts without having the decency to check that was okay first.

Apparently, 1.5 million people just accepted this as just one of those things, and the information was then used to build up Facebook's uncanny ability to predict when you know somebody.

In new gaffe, Facebook improperly collects email contacts for 1.5 million

Facebook's privacy gaffes keep coming. On Wednesday, the social media company said it collected the stored email address lists of as many as 1.5 million users without permission. On Thursday, the company said the number of Instagram users affected by a previously reported password storage error was in the "millions," not the "tens of thousands" as previously estimated.

Facebook says it 'unintentionally uploaded' 1.5 million people's email contacts without their consent

Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was "unintentionally uploaded to Facebook," and it is now deleting them.

With Nation Distracted by Mueller Report, Facebook Admits Millions of Users' Passwords Affected by Latest Privacy Breach

On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.

"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."

The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.