Security

Security: Updates, Reproducible Builds and Windows 'Fun'

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #164
  • PyRoMineIoT cryptojacker uses NSA exploit to spread

    Larry Trowell, principal consultant with Synopsys Software Integrity Group, said the government shares some of the blame for the NSA exploit.

    "It's in every country's interest to develop systems enabling offensive and defensive strategies to protect individuals and national services," Trowell wrote via email. "There is no fault in that. If the NSA does have some blame to share in this situation, it is for allowing secrets to be exfiltrated -- not in developing them."

    Jett said although the NSA exploit was stolen, "they didn't create the vulnerabilities that allow for the malware to exploit devices."

    "As such, you can't hold them responsible for the malware that has emerged from the EternalRomance exploit. Vendors whose products are vulnerable to EternalRomance are responsible for resolving the exploit problem," Jett wrote. "Additionally, it has been more than a year since the NSA exploits were released, and vendors have created patches. It becomes incumbent on the users to make sure they are properly patching their software and reducing the threat surface for these exploits."

  • Can Hackers Crack the Ivory Towers?

    While both researchers agreed that their colleagues would gain from incorporating hackers' discoveries into their own work, they diverged when diagnosing the source of the gulf between the two camps and, to a degree, even on the extent of the rift.

  • 6-Year-Old Malware Injects Ads, Takes Screenshots On Windows 10

    A sneaky and persistent malware has surfaced which spams Windows 10 PCs with ads and takes screenshots to eventually send them to the attackers.

    Security researchers at Bitdefender found this malware named Zacinlo which first appeared in 2012. About 90% of Zacinlo’s victims are from the US running Microsoft Windows 10. There are other victims too from Western Europe, China, and India with a small fraction running Windows 7 or 8.

Security: Open Source Security Podcast, New Updates, MysteryBot and Grayshift

Security Leftovers

  • Hackers May Have Already Defeated Apple’s USB Restricted Mode For iPhone

    Recently, the iPhone-maker announced a security feature to prevent unauthorized cracking of iPhones. When the device isn’t unlocked for an hour, the Lightning port can be used for nothing but charging. The feature is a part of the iOS 12 update, which is expected to launch later this month.

  • Cops Are Confident iPhone Hackers Have Found a Workaround to Apple’s New Security Feature

    Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone’s lightning cable port into a charge-only interface if someone hasn’t unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn’t be able to unlock phones.

    Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible. That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.

  • How Secure Are Wi-Fi Security Cameras?
  • Trump-Kim Meeting Was a Magnet For Russian Cyberattacks

Security Leftovers

  • Vendors, Disclosure, and a bit of WebUSB Madness

    Was there any specific bug to report before we gave the talk? No, because it was widely discussed in the security scene that WebUSB is a bad idea. We believe we have demonstrated that by showing how it breaks U2F. There was no single issue to report to Google or Yubico, but a public discussion to trigger so WebUSB is fixed.

    [...]

    I do not know what “private outreach” means and why Yubico lied about being unable to replicate our findings in a call on March 2nd, even though they had it apparently working internally.

  • Librarian Sues Equifax Over 2017 Data Breach, Wins $600

    “The small claims case was a lot more about raising awareness,” said West, a librarian at the Randolph Technical Career Center who specializes in technology training and frequently conducts talks on privacy and security.

    “I just wanted to change the conversation I was having with all my neighbors who were like, ‘Ugh, computers are hard, what can you do?’ to ‘Hey, here are some things you can do’,” she said. “A lot of people don’t feel they have agency around privacy and technology in general. This case was about having your own agency when companies don’t behave how they’re supposed to with our private information.”

  • On the matter of OpenBSD breaking embargos (KRACK)
  • The UK's worst public sector IT disasters

Lazy FPU Vulnerability Now Patched for Red Hat Enterprise Linux 7, CentOS 7 PCs

Red Hat promised to release patches for the new speculative execution security vulnerability (CVE-2018-3665), which affects the "lazy restore" function for floating point state (FPU) in modern processors, leading to the leak of sensitive information, and the patches are now available for all Red Hat Enterprise Linux 7 users. The company urges everyone using any of the systems listed below to update immediately.

Affected systems include Red Hat Enterprise Linux Server 7, Red Hat Enterprise Linux Server - Extended Update Support 7.5, Red Hat Enterprise Linux Workstation 7, Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux 7 for IBM System z, POWER, ARM64 systems, Red Hat Enterprise Linux for Scientific Computing 7, Red Hat Enterprise Linux EUS Compute Node 7.5, and Red Hat Virtualization Host 4.

Security Leftovers

Security: Cortana Hole, Docker Hub Woes, and Intel FPU Speculation Vulnerability

Security: Intel, Updates and More

  • New Lazy FP State Restore Vulnerability Affects All Intel Core CPUs
  • CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
  • New flaw in Intel processors can be exploited in a similar way to Spectre

    A new security vulnerability has been found in Intel’s family of Core processors, along similar lines of the major Spectre bug that has been making headlines all year. Thankfully, this one appears to be less severe – and is already patched in modern versions of Windows and Linux.

    The freshly-discovered hole is known as the ‘Lazy FP state restore’ bug, and like Spectre, it is a speculative execution side channel attack. Just a few weeks back, we were told to expect further spins on speculative execution attack vectors, and it seems this is one.

    Intel explains: “Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.”

  • openSUSE Leap 15 Now Offering Images for RPis, Another Security Vulnerability for Intel, Trusted News Chrome Extension and More

    Intel yesterday announced yet another security vulnerability with its Core-based microprocessors. According to ZDNet, Lazy FP state restore "can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system." Note that Lazy State does not affect AMD processors.

  • Security updates for Thursday
  • FBI: Smart Meter [Cracks] Likely to Spread

    A series of [cracks] perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology.

  • Introducing Graphene-ng: running arbitrary payloads in SGX enclaves

    A few months ago, during my keynote at Black Hat Europe, I was discussing how we should be limiting the amount of trust when building computer systems. Recently, a new technology from Intel has been gaining popularity among both developers and researchers, a technology which promises a big step towards such trust-minimizing systems. I’m talking about Intel SGX, of course.

Security: Windows Ransomware, Cortana Holes, Google Play Protect and More

  • The worst types of ransomware attacks
  • Patched Cortana Bug Let Hackers Change Your Password From the Lock Screen
  • What is Google Play Protect and How Does it Keep Android Secure?
  • Another day, another Intel CPU security hole: Lazy State

    Once upon a time, when we worried about security, we worried about our software. These days, it's our hardware, our CPUs, with problems like Meltdown and Spectre, which are out to get us. The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system.

    Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "It allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

  • Eric S. Raymond on Keeping the Bazaar Secure and Functional
  • Purple testing and chaos engineering in security experimentation

    The way we use technology to construct products and services is constantly evolving, at a rate that is difficult to comprehend. Regrettably, the predominant approach used to secure design methodology is preventative, which means we are designing stateful security in a stateless world. The way we design, implement, and instrument security has not kept pace with modern product engineering techniques such as continuous delivery and complex distributed systems. We typically design security controls for Day Zero of a production release, failing to evolve the state of our controls from Day 1 to Day (N).

    This problem is also rooted in the lack of feedback loops between modern software-based architectures and security controls. Iterative build practices constantly push product updates, creating immutable environments and applying complex blue-green deployments and dependencies on ever-changing third-party microservices. As a result, modern products and services are changing every day, even as security drifts into the unknown.

Security Leftovers


More in Tux Machines

Debian GNU/Linux 10 "Buster" Installer Updated with Linux Kernel 4.16 Support

Developed under the Debian Testing umbrella, the forthcoming Debian GNU/Linux 10 "Buster" operating system series just received today the third alpha milestone of its installer, which lets people install the Linux-based operating system on their personal computers, servers, and IoT devices, such as the Raspberry Pi. One of the most interesting changes that caught our eyes is the bump of the kernel support from Linux kernel 4.13, which was used in the second alpha build, to Linux kernel 4.16. Of course, this means that there's better hardware support, so chances are you'll be able to install the development version of Debian GNU/Linux 10 "Buster" on newer machines or if you have some exotic components on your PC.

The New Microsoft

  • Microsoft ICE Contract Draws Fire

    “ICE’s decision to accelerate IT modernization using Azure Government will help them innovate faster while reducing the burden of legacy IT. The agency is currently implementing transformative technologies for homeland security and public safety, and we’re proud to support this work with our mission-critical cloud,” he wrote.

  • Microsoft faces outrage for blog post touting ICE contract

    As outrage grew online, a Microsoft employee quietly removed mention of ICE from the January press release this morning. Social media users noticed that, too. The company has since restored the press release's original language, and called its removal a "mistake."

  • Microsoft Removes Mention of ICE Cloud Work After Protests

    Microsoft Corp. scrubbed an online reference to its work for U.S. Immigration and Customs Enforcement as the agency faces criticism for its role in separating families at the U.S.-Mexican border.

  • Microsoft briefly removes blog post mentioning ICE contract after backlash
  • Microsoft's Ethical Reckoning Is Here

    Tech Workers Coalition, a labor group for tech industry employees, urged Microsoft employees to coordinate their opposition. “If you are a worker building these tools or others at Microsoft, decide now that you will not be complicit,” the group tweeted.

Android Leftovers

First Ubuntu Touch OTA-4 Release Candidate Based on Ubuntu 16.04 LTS Is Here

The latest Ubuntu Touch update from UBports, OTA-3, was released last year near the Christmas holidays, but it was still based on Ubuntu 15.04 (Vivid Vervet), so if you thought Ubuntu Phones are dead, think again, because the UBports team has been hard at work to bring you the OTA-4, which will be the first to rebase the operating system on Ubuntu 16.04 LTS (Xenial Xerus). "The main reason why the arrival of OTA-4 seemed to take so long is because Ubuntu Touch switched its base to Ubuntu 16.04 LTS Xenial Xerus. This is a mammoth milestone for the project, because it allowed us to transition from the unsupported Ubuntu 15.04 Vivid Vervet to a Long Term Support (LTS) base," reads today's announcement.

Also: UBports' Ubuntu Touch OTA-4 RC Released, Upgrades To Ubuntu 16.04 LTS