Language Selection

English French German Italian Portuguese Spanish

Security

Security: Dlink, Equifax, Bluetooth

Filed under
Security
  • Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol

    The Dlink 850L is a router overall badly designed with a lot of vulnerabilities.

    Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.

  • House Dems demand answers from Equifax CEO

    All 24 minority members of the committee signed a letter to the Equifax executive, Richard Smith, calling on him to come forward with more information about his handling of the crisis.

  • Chatbot lets you sue Equifax for up to $25,000 without a lawyer

    Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.

  • Bluetooth flaws leave billions of devices open to attacks

    Researchers at IoT security firm Armis say they have found eight flaws in the Bluetooth protocol that can be used to attack devices running Android, iOS, Linux and Windows.

  • Bluetooth Vulnerability BlueBorne Impacts Android, iOS, Windows, and Linux Devices

    The BlueBorne attack doesn’t even require the victim to tap or click on any malicious links. If your device has Bluetooth and is on then it is possible for an attacker to take complete control of it from 32 feet away. This even works without the attacker pairing anything to the victim’s device and the target device doesn’t need to be set to discoverable mode either. The team at Armis Labs have identified eight zero-day vulnerabilities so far and believes many more are waiting to be discovered.

Security: Updates, Equifax, Snowden, BlueBorne, NSA Windows Hacking and Virginia Electronic Voting Devices

Filed under
Security

Apache Mounts Strong Defense, Equifax Retreats

Filed under
Security

One of the largest financial data breaches in U.S. history, it exposed names, addresses, Social Security Numbers, birth dates, driver's license numbers and other sensitive information belonging to 143 million U.S. consumers, as well as data belonging to an undisclosed number of UK and Canadian consumers.

The attackers also accessed credit card data for about 209,000 consumers and credit dispute information for about 182,000 consumers, Equifax said.

[...]

However, with respect to the possibility that it resulted from an exploitation of a vulnerability in the Apache Struts Web Framework, it was not clear which vulnerability could have been utilized, Gielen said.

One assumption connected the breach to CVE-2017-2805, one of several patches Apache announced on Sept. 4.

"However, the security breach was already detected in July, which means that the attackers either used an earlier announced vulnerabiity on an unpatched Equifax server or exploited a vulnerability not known at this point in time -- a so called Zero Day Exploit," Gielen noted.

The committee members have put enormous effort into "securing and hardening the software we produce," he added, and they fix problems that come to their attention.

There's a distinction between the existence of an unknown flaw in the wild for nine years and failing to address a known flaw for nine years, said Gielen, emphasizing that the committee just learned about this flaw.

The has not had any contact with anyone using the @equifax domain on any Apache list in more than two years, said Apache spokesperson Sally Khudairi.

"To be clear, whilst we haven't had contact with anyone using the @equifax domain -- official or otherwise -- that is not to say there isn't a chance that someone from their team may have done so using an alternate channel," she told LinuxInsider.

Read more

Bluetooth Mess: Almost Everything Affected

Filed under
Security
  • ​Linux gets blasted by BlueBorne too

    he security company Armis has revealed eight separate Bluetooth wireless protocol flaws known collectively as BlueBorne. This new nasty set of vulnerabilities have the potential to wreak havoc on iPhones, Android devices, Windows PC, and, oh yes, Linux desktops and server, as well.

    While BlueBorne requires a Bluetooth connection to spread, once the security holes are exploited, a single infected device could infect numerous devices and computers in seconds. Attacks made with BlueBorne are silent, avoid activating most security measures, and require nothing from new victims except that their devices have Bluetooth on.

  • Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

    Armis Labs has gone public today with "Bluebourne", an IoT-focused attack vector via Bluetooth. This Bluetooth attack does not require the targeted device to even be paired with the attacker or on discoverable mode, making it more frightening.

  • The IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device

    Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them.

Parrot 3.8 Release Notes

Filed under
GNU
Linux
Security

What i personally love about this project is its little but awesome developers community, and this summer was more productive than ever.

I am proud to announce the official release of Parrot 3.8, that introduces many new features and updates.

A quick look at our changelog will immediately spot the most important changes.

First of all, the new parrot 3.8 is now based on Debian 10 buster (current Debian testing release) with Linux 4.12, ZFS support, better wireless drivers support and the introduction of the new MATE 1.18, GCC 6.4 and 7.2, java 9 and so on, and all the parrot flavors now include electrum, a lightweight bitcoin client.

Read more

Security: 'Bashware' and Other FUD

Filed under
Security

Security: Updates, Equifax, Black Duck FUD, Emacs 25.3, and Measuring Security

Filed under
Security
  • Security updates for Monday
  • Researchers use Windows 10 Linux subsystem to run malware

    The provision of a Linux subsystem on Windows systems — a new Windows 10 feature known as Subsystem for Linux (WSL) — has made it possible to run known malware on such systems and bypass even the most common security solutions, security researchers at Check Point claim.

    In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique of getting malware onto a Windows system as Bashware, with Bash being the default shell on a large number of Linux distributions.

  • Episode 62 - All about the Equifax hack
  • Equifax moves to fix weak PINs for “security freeze” on consumer credit reports

    As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company's response were found lacking. As consumers registered and moved to lock their credit reports—in order to prevent anyone who had stolen data from opening credit in their name—they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.

    [...]

    The PIN revelation came on the heels of concerns that Equifax was attempting to block the ability of those checking to see if their data was exposed or enrolling in the TrustedID Premiere service to sue Equifax over the breach. An Equifax spokesperson said that the arbitration clause in the Terms of Service for TrustedID Premier only applied to the service itself, not to the breach.

  • Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach [Ed: But this claim has since then been retracted, so it might be fake news]
  • Equifax Breach Blamed on Open-Source Software Flaw [Ed: This report from a News Corp. tabloid has since been retracted, so why carry on linking to it?]
  • The hidden threat lurking in an otherwise secure software stack [Ed: Yet another attack on FOSS security, courtesy of the Microsoft-connected Black Duck]
  • [ANNOUNCE] Emacs 25.3 released
  • Emacs 25.3 Released To Fix A Security Vulnerability Of Malicious Lisp Scripts

    GNU --
    Emacs 25.3 is now available, but it doesn't offer major new features, rather it fixes a security vulnerability.

    Emacs' x-display decoding feature within the Enriched Text mode could lead to executing arbitrary malicious Lisp code within the text.

  • Measuring security: Part 1 - Things that make money

    If you read my previous post on measuring security, you know I broke measuring into three categories. I have no good reason to do this other than it's something that made sense to me. There are without question better ways to split these apart, I'm sure there is even overlap, but that's not important. What actually matters is to start a discussion on measuring what we do. The first topic is about measuring security that directly adds to revenue such as a product or service.

    [...]

    I see a lot of groups that don't do any of this. They wander in circles sometimes adding security features that don't matter, often engineering solutions that customers only need or want 10% of. I'll never forget when I first looked at actual metrics on new features and realized something we wanted to add was going to have a massive cost and generate zero additional revenue (it may have actually detracted in future product sales). On this day I saw the power in metrics. Overnight my group became heroes for saving everyone a lot of work and headaches. Sometimes doing nothing is the most valuable action you can take.

Security: 'Rich' E-mail, BlackBerry, and D-Link

Filed under
Security
  • The only safe email is text-only email

    The real issue is that today’s web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It’s not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way.

  • BlackBerry admits: We could do better at patching

    BlackBerry has confirmed that its first Android device, the Priv, will be stuck on Google's 2015 operating system forevermore, which Google itself will cease supporting next year.

    Having been promised "the most secure Android", BlackBerry loyalists have seen the promise of monthly security updates stutter recently, with distribution of the monthlies getting patchy (no pun intended).

  • Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers

    Peeved about previous vulnerability disclosures experiences with D-Link, a security researcher has publicly disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers.

    Security researcher Pierre Kim opted to publicly disclose the vulnerabilities this time, citing a “very badly coordinated” disclosure with D-Link in February. That time around he had reported nine vulnerabilities, but he said it took D-Link five months to release new firmware that ended up patching only one of the flaws he found.

A look at TAILS – Privacy oriented GNU/Linux Distribution

Filed under
Reviews
Security
Debian

The Amensic Incognito Live System, is a Debian based distribution that routes all internet traffic through the TOR network, and leaves no trace of its existence or anything done on the system when the machine is shut down. The obvious aim in this, is to aid in keeping the user anonymous and private. Tails is not installed to a users computer, but instead is run strictly as a LiveUSB / LiveDVD.

TAILS does not utilize the host machines Hard Disk at all, and is loaded entirely into RAM. When a machine is shut down, the data that is stored in RAM disappears over the course of a few minutes, essentially leaving no trace of whatever had been done. Granted, there is a method of attack known as a Cold Boot Attack, where data is extracted from RAM before it has had a chance to disappear, but TAILS has you covered on that front too; the TAILS website says,

“To prevent this attack, the data in RAM is overwritten by random data when shutting down Tails. This erases all traces from your session on that computer.”

Read more

Security: Equifax Blame Game and Germany's Election Software

Filed under
Security
Syndicate content

More in Tux Machines

Is your company an open source parasite?

Getting involved in the open source projects that matter to a company, in other words, gives them more ability to influence their future today, even as dependence on a vendor results in putting one's future in the hands of that vendor to resolve on their timetable. It's simply not smart business, not if an open source alternative exists and your company already depends upon it. In sum, the GitHub contributor counts should be much higher, and not merely for those in the business of selling software (or tech, generally). Any company defined by software—and that's your company, too—needs to get more involved in both using and contributing open source software. Read more

LibreELEC Embedded Linux OS Now Compatible with Windows 10 Fall Creators Update

The LibreELEC 8.2.1 update is based on the latest Kodi 17.6 "Krypton" open-source and cross-platform media center software and it mostly patches some Samba (SMB) "file exists" share errors on Windows 10 Fall Creators Update by updating the protocol to Samba 4.6.10, implementing SMB client options for minimum SMB protocol and an SMB legacy security option with NTLMv1, and disabling SPNEGO. "LibreELEC 8.2.x includes changes that allow the Kodi SMB client and our embedded Samba server to support SMB2/3 connections; deprecating SMB1 to improve security and performance. This is necessary to cope with changes Microsoft introduced in the Windows 10 ‘Fall Creators Update’ to resolve SMB1 security issues," explained the developers. Read more

Canonical Releases Major Kernel Update for Ubuntu 16.04 to Fix 13 Security Flaws

The update is a major one patching a total of 13 security flaws, including race conditions in Linux kernel's ALSA subsystem, the packet fanout implementation, and the key management subsystem, as well as use-after-free vulnerabilities in both the USB serial console driver and the ALSA subsystem. Various other issues were also patched for Linux kernel's key management subsystem, the Ultra Wide Band driver, the ALSA subsystem, the USB unattached storage driver, and the USB subsystem, which received the most attention in this update as several security flaws were recently disclosed. Read more

Graphics: NVIDIA and AMD