Security

Security: Facebook, Microsoft and Fruitfly

Filed under
Security
  • Facebook hack: People's accounts appear for sale on dark web
  • Hacked Facebook Logins Are Available On Dark Web Just For $3.90: Report
  • Huge Facebook breach leaves thousands of other apps vulnerable

    Unfortunately, from a security standpoint, using Facebook or any other social media app to log into other services is not a smart thing to do, says Dana Simberkoff, chief risk, privacy, and information security officer for the enterprise security firm AvePoint.

  • Using Microsoft's Dynamics 365 Finance and Operations? Using Skype? Not for long!

    The issue, which could stop a user being able to sign in, affects Microsoft's Dynamics 365 for Finance and Operations in an on-premises environment. A "refactoring" in the way Skype authenticates its users has been blamed.

    Skype integration provides real-time presence and communication for Dynamics 365 users, and for some older versions of the Finance and Operations platform the integration is enabled by default. In these instances, Microsoft strongly recommends manually disabling it.

    [...]

    Microsoft has not been clear when integration with Skype can be switched back on, saying only that the problem could occur "during this update". The Register has contacted the software giant to get a definitive time frame and will update if one is forthcoming.

  • Cameron Kaiser: Fruitfly and the Power Mac

    The history the FBI relates suggests that early infections were initiated manually by him, largely for the purpose of catching compromising webcam pictures and intercepting screenshots and logins when users entered keystrokes suggesting sexual content. If you have an iSight with the iris closed, though, there was no way he could trigger that because of the hardware cutoff, another benefit of having an actual switch on our computer cameras (except the iMac G5, which was a bag of hurt anyway and one of the few Power Macs I don't care for).

    Fruitfly spreads by attacking weak passwords for AFP (Apple Filing Protocol) servers, as well as RDP, VNC, SSH and (on later Macs) Back to My Mac. Fortunately, however, it doesn't seem to get its hooks very deep into the OS. It can be relatively easily found by looking for a suspicious launch agent in ~/Library/LaunchAgents (a Power Mac would undoubtedly be affected by variant A, so check ~/Library/LaunchAgents/com.client.client.plist first), and if this file is present, launchctl unload it, delete it, and delete either ~/.client or ~/fpsaud depending on the variant the system was infected with. After that, change all your passwords and make sure you're not exposing those services where you oughtn't anymore!
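The cleanup steps above, turned into a checkable script. This is an added example, not code from Cameron Kaiser's post: it looks only for the variant A artifacts the post names (the launch agent plist, ~/.client and ~/fpsaud), takes the home directory as an optional argument so it can be exercised on a constructed directory, and assumes ~/.client may be either a file or a directory. `launchctl` is only called where it exists, so on a non-macOS host the functions just report and delete files.

```shell
#!/bin/sh
# Added example: detect and remove the Fruitfly variant A persistence artifacts
# named in the post. Usage: fruitfly_check [HOME_DIR]; fruitfly_clean [HOME_DIR].

# Print each known artifact that exists under the given home directory.
# Returns 0 if none is present (clean), 1 if at least one was found.
fruitfly_check() {
    home="${1:-$HOME}"
    found=0
    for artifact in \
        "$home/Library/LaunchAgents/com.client.client.plist" \
        "$home/.client" \
        "$home/fpsaud"; do
        if [ -e "$artifact" ]; then
            echo "FOUND: $artifact"
            found=1
        fi
    done
    return $found
}

# Follow the post's order: unload the launch agent first, then delete the
# plist and the payload files. launchctl exists only on macOS, so it is
# invoked only when available (assumption: on other hosts, deleting suffices).
fruitfly_clean() {
    home="${1:-$HOME}"
    plist="$home/Library/LaunchAgents/com.client.client.plist"
    if [ -f "$plist" ]; then
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" || true
        fi
        rm -f "$plist"
    fi
    # ~/.client or ~/fpsaud depending on the variant; -r covers either form.
    rm -rf "$home/.client" "$home/fpsaud"
}
```

Run `fruitfly_check` with no argument to inspect the current account; only run `fruitfly_clean` after confirming the hit, and, as the post says, rotate passwords and close off the exposed AFP/RDP/VNC/SSH services afterwards.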

Tails 3.9.1 is out

Filed under
Security
Debian

This release is an emergency release to fix critical security vulnerabilities in Tor Browser and Thunderbird.

Security: ClamAV, Phishing Attack on Azure Blob Storage, Fingbox/Ubuntu

Filed under
Security
  • ClamAV 0.100.2 has been released!

    ClamAV 0.100.2 has been released! This is a patch release to address several vulnerabilities.

  • Phishing Attack on Azure Blob Storage Dodges Users by Displaying a Signed SSL Certificate from Microsoft

    When the user enters their information, the contents are submitted to a server operated by the phishing attackers. The opened page pretends that the document is beginning to download, but ultimately it just redirects the user to this Microsoft URL: https://products.office.com/en-us/sharepoint/collaboration

  • Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft

    Even though phishing attacks can be quite convincing, a giveaway is when diligent users notice that the login form is unsecured or the SSL certificate is clearly not owned by the company being impersonated. A new Office 365 phishing attack utilizes an interesting method of storing their phishing form hosted on Azure Blob Storage in order to be secured by a Microsoft SSL certificate.

  • Fing: future-proofing Fingbox the IoT home network monitoring device

    As many as 20.4 billion internet of things devices are estimated to be in use by 2020, according to Gartner, with consumer products making up 63% of this figure.

    A large amount of these will be low-cost devices, rushed out by manufacturers in order to capitalise on this opportunity. Unfortunately, this method typically pays no attention to the long-term lifecycle of a product or software strategy.

    Factors that are typically not considered include: how can security updates be rolled out quickly? How to ensure your customers are on the latest version of your software, especially once the device is out in consumers' homes? How can the product lifecycle be extended through software functionality, which may even open up new revenue opportunities?

Security: Facebook Breach, U2F Key Loss, Three Critical Resources You Should Use to Harden Your Linux Server and Latest Updates

Filed under
Security
  • How Serious Is the New Facebook Breach?

    As public frustration has grown, the mood inside Facebook has been, on the whole, sanguine. Executives and rank-and-file employees often say they understand the complaints but also believe that the company is unfairly scapegoated by those (especially journalists) who are troubled by technology or by the outcome of the 2016 election. Executives are confident that they are taking the steps that will solve the company’s problems, as they have over its fourteen-year history. But a Facebook breach today means more than a Facebook breach five or ten years ago, not only because the company has grown so dramatically but also because of the cumulative effect. Isolated problems that might be dismissed as inevitable acquire greater meaning and consequence in the context of a pattern of missteps.

  • What to Do if You Lose a U2F Key

    First off, we should take a closer look at what U2F is. While we have a much more in-depth explanation of what U2F is, we’ll cover the quick and dirty version here.

    In a nutshell, U2F is the standard for physical two-factor authentication tokens. Instead of using something like Authy, Google Authenticator, or SMS to receive a 2FA code, U2F uses a physical key to protect your accounts.

  • Three Critical Resources You Should Use to Harden Your Linux Server

    If you have ever maintained a Linux server with ports accessible to the Internet, you have no doubt had attacks on your server. With so many tools to scan servers, as well as insecure programs and vulnerabilities, no server administrator can take the risk of being complacent. Routine security checks and maintenance are essential to server safety.

    There are numerous blogs, books, and websites that offer guidance on server security as well as resources known for their extensiveness and effectiveness. Though these are robust and detailed, take care to not apply these guidelines blindly, ensure you have a backup, and assert that you have a plan for rollback.

  • Security updates for Wednesday
  • Android Security Bulletin—October 2018
  • Google Fixes 26 Vulnerabilities in the Android Security Patch for October 2018

IBM mainframe containers grow more secure

Filed under
Server
Security

Of course, you can do a wee bit more with Secure Service Containers (SSC) on IBM LinuxONE and Z mainframes than you could on a 360 mainframe with a maximum of 1MB of memory. IBM Cloud Private is a Platform as a Service (PaaS) environment for developing and managing containerized applications. It's built on top of the Kubernetes container orchestrator.

Microsoft Takeover of GNU/Linux Machines by Debian/APT

Filed under
Microsoft
Security
Debian
  • Skype's Debian Package Could Allow Attackers To Completely Takeover Machines

    Security researcher Enrico Weigelt uncovered a critical security issue in the way Skype installs itself on Debian Linux machines, adding Microsoft's APT repository to the system's sources.list file.

    Skype's Debian package uses an APT configuration profile which automatically inserts Microsoft's apt repository to the default system package sources which would allow anyone with access to it to hypothetically use malicious tools to compromise the machine.

    In layman's terms, APT repositories are collections of .deb packages used as the central storage, management and delivery platform for all Debian-based Linux machines.

    The APT repositories can be used to install, remove, or update applications on a Debian machine with the help of the apt-get command.

  • Apt Repositories: Goodbye Aptly, Welcome RepRepro

    I have been using aptly for several years publishing all kinds of repositories for different developments. The other day, when I wanted to update my calibre repository (see previous post) I realized that aptly cannot sign anything anymore. Huuu…
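The Skype item above describes a package silently adding a vendor repository to the system's APT sources. An added example (not from either article, nor from the Skype or aptly projects) of the defender-side check this calls for: list every active `deb`/`deb-src` source whose host is not on an allow-list of the distribution's own mirrors. The allow-list of Debian hosts, the `/etc`-style directory argument, and the third-party sample entry in the usage below are all assumptions or constructed data, not taken from the page.

```shell
#!/bin/sh
# Added example: report APT sources that point outside the distribution's own hosts.
# Usage: list_third_party_repos [ETC_DIR]   (defaults to /etc)

# Assumed allow-list; extend with your own mirrors or internal repositories.
APT_TRUSTED_HOSTS="deb.debian.org security.debian.org"

# Print "host url" for every source line whose host is not in APT_TRUSTED_HOSTS.
list_third_party_repos() {
    etc="${1:-/etc}"
    cat "$etc/apt/sources.list" "$etc/apt/sources.list.d"/*.list 2>/dev/null |
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' |
    while read -r line; do
        # Strip the deb/deb-src keyword and any "[options]" block, keep the URL.
        url=$(printf '%s\n' "$line" |
              sed -E 's/^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?//' |
              awk '{print $1}')
        # Reduce the URL to its host name.
        host=$(printf '%s\n' "$url" | sed -E 's#^[a-z]+://##; s#/.*$##')
        trusted=0
        for h in $APT_TRUSTED_HOSTS; do
            [ "$host" = "$h" ] && trusted=1
        done
        if [ "$trusted" -eq 0 ]; then
            echo "$host $url"
        fi
    done
}
```

Running `list_third_party_repos` on a real host prints each vendor repository that can push packages to the machine; each such entry is a party whose signing key and infrastructure you are trusting with root, which is the point of Weigelt's report. The check only reads the files, so it is safe to run from a cron job or a configuration audit.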

Security Leftovers

Filed under
Security
  • Why Cops Can Force You to Unlock Your Phone With Your Face

    The question of whether cops can force someone to unlock their phone in the US for a search hinges on Fifth Amendment protections against self-incrimination—that no one "shall be compelled in any criminal case to be a witness against" themselves. Privacy advocates argue that this extends to the act of unlocking a phone or generally decrypting data on a device. But while that line of thinking has succeeded as a defense against having to produce a passcode, it works less reliably in the context of Touch ID or other biometrics. Something you know, like a passcode, is easier to view as testimonial—legally speaking, a statement made by a witness—than something you have, like a physical attribute.

  • Equifax penalised $3.5 million for consumer law breaches

    Australia’s largest consumer credit reporting agency Equifax Information Services and Solutions is to pay penalties totalling $3.5 million for misleading and deceptive conduct and unconscionable conduct in relation to credit report services.

  • Canonical Outs New Linux Kernel Security Patch for All Supported Ubuntu Releases

    Canonical releases today a new major Linux kernel security update for all supported Ubuntu releases to fix various vulnerabilities discovered by security researchers lately.

    Available now for the Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 LTS (Trusty Tahr) operating system series, the new Linux kernel security patches address a total of eleven vulnerabilities that affect the Linux 4.15, 4.4, and 3.13 kernels of the aforementioned Ubuntu releases and their derivatives.

    Among the fixes, we can notice a use-after-free vulnerability (CVE-2018-17182) discovered by Jann Horn in the Linux kernel's vmacache subsystem, which could allow a local attacker to crash the system, as well as a stack-based buffer overflow (CVE-2018-14633) in the iSCSI target implementation, which lets a remote attacker crash the system.

  • India bars Huawei, ZTE from 5G trials

    India's Department of Telecommunications has barred Chinese telecommunications providers Huawei Technologies and ZTE Corporation from participating in trials for developing 5G use cases in the country, the Economic Times has reported.

  • India dials Cisco, Samsung, Nokia, Ericsson, says no to Chinese Huawei, ZTE

    The Department of Telecommunications (DoT) has excluded Huawei and ZTE from its list of companies asked to partner it for trials to develop 5G use cases for India, indicating that New Delhi may well follow the US and Australia in limiting involvement of Chinese telecom equipment makers in the roll-out of the next-gen technology.

  • Symantec SSL certificates no longer trusted

    A browser will check the validity of an SSL certificate in order to confirm the validity of the web site being loaded. This is done by validating a chain of trust. Certificate Authorities (CAs) will guarantee the certificates they issue, along with the bona fides of any secondary issuing authority that is operating under their umbrella. Of course this will require a very rigorous process to validate any entity that wishes to obtain a certificate.

    In 2016 users became aware that Symantec (and their supported issuers) was issuing certificates in contravention of the established guidelines and posted their finding to a Mozilla security mailing list. After considerable discussion amongst the other CAs a decision was made to distrust Symantec and to remove it as a CA.

Debian and Security

Filed under
Security
Debian
  • Thorsten Alteholz: My Debian Activities in September 2018

    As promised in an earlier post, I raised the number of accepted packages to 215, as well as the number of rejects to 69 this month. The overall number of packages that got accepted this month was 314.

  • October 2018 report: LTS, Mastodon, Firefox privacy, etc

    I've played around with the latest attempt from the free software community to come up with a "federation" model to replace Twitter and other social networks, Mastodon. I've had an account for a while but I haven't talked about it much here yet.

    My Mastodon account is linked with my Twitter account through some unofficial Twitter cross-posting app which more or less works. Another "app" I use is the toot client to connect my website with Mastodon through feed2exec.

    And because all of this social networking stuff is just IRC 2.0, I read it all through my IRC client, thanks to Bitlbee and Mastodon is (thankfully) no exception. Unfortunately, there's a problem in my hosting provider's configuration which has made it impossible to read Mastodon status from Bitlbee for a while. I've created a test profile on the main Mastodon instance to double-check, and indeed, Bitlbee works fine there.

    Before I figured that out, I tried upgrading the Bitlbee Mastodon bridge (for which I also filed an RFP) and found a regression has been introduced somewhere after 1.3.1. On the plus side, the feature request I filed to allow for custom visibility statuses from Bitlbee has been accepted, which means it's now possible to send "private" messages from Bitlbee.

    Those messages, unfortunately, are not really private: they are visible to all followers, which, in the social networking world, means a lot of people. In my case, I have already accepted over a dozen followers before realizing how that worked, and I do not really know or trust most of those people. I have still 15 pending follow requests which I don't want to approve until there's a better solution, which would probably involve two levels of followship. There's at least one proposal to fix this already.

    Another thing I'm concerned about with Mastodon is account migration: what happens if I'm unhappy with my current host? Or if I prefer to host it myself? My online identity is strongly tied with that hostname and there doesn't seem to be good mechanisms to support moving around Mastodon instances. OpenID had this concept of delegation where the real OpenID provider could be discovered and redirected, keeping a consistent identity. Mastodon's proposed solutions seem to aim at using redirections or at least informing users your account has moved which isn't as nice, but might be an acceptable long-term compromise.

    Finally, it seems that Mastodon will likely end up in the same space as email with regards to abuse: we are already seeing block lists show up to deal with abusive servers, which is horribly reminiscent of the early days of spam fighting, where you could keep such lists (as opposed to bayesian or machine learning). Fundamentally, I'm worried about the viability of this ecosystem, just like I'm concerned about the amount of fake news, spam, and harassment that takes place on commercial platforms. One theory is that the only way to fix this is to enforce two-way sharing between followers, the approach taken by Manyverse and Scuttlebutt.

    Only time will tell, I guess, but Mastodon does look like a promising platform, at least in terms of raw numbers of users...

  • Reproducible Builds: Weekly report #179
  • The Devil Is in The Details Of Project Verify’s Goal To Eliminate Passwords

    A coalition of the four largest U.S. wireless providers calling itself the Mobile Authentication Taskforce recently announced an initiative named Project Verify. This project would let users log in to apps and websites with their phone instead of a password, or serve as an alternative to multi-factor authentication methods such as SMS or hardware tokens.

    Any work to find a more secure and user-friendly solution than passwords is worthwhile. However, the devil is always in the details—and this project is the work of many devils we already know well. The companies behind this initiative are the same ones responsible for the infrastructure behind security failures like SIM-swapping attacks, neutrality failures like unadvertised throttling, and privacy failures like supercookies and NSA surveillance.

    Research on moving user-friendly security and authentication forward must be open and vendor- and platform-neutral, not tied to any one product, platform, or industry group. It must allow users to take control of our identities, not leave them in the hands of the very same ISP companies that have repeatedly subverted our trust.

  • Touch ID and Face ID Don’t Make You More Secure [Ed: Of course sharing biometrics with the state or the "security state" isn't about security but mere subjugation]

    Touch ID and Face ID are great. We like them, and we use them. But they're convenience features, not security features, and you have fewer legal protections when using them in the US. When necessary, you can temporarily disable them.

    This also applies to Android phones with fingerprint sensors, iris scans, or other biometric features.

  • How Face ID could be a game-changer for aggressive US border agents

    Apple’s Touch ID is already on its way out. Just five years ago, iPhones began getting the famed fingerprint scanner that makes unlocking your phone dozens of times a day even easier.

    But all of the new iPhones released this year—iPhone XS, iPhone XS Max, and iPhone XR—only have Face ID. They do not have Touch ID.

Security: CVE Data, Updates, Telegram Messenger and Mutagen Astronomy

Filed under
Security
  • Millions of unfixed security flaws is a lie

    On a pretty regular basis I see claims that the public CVE dataset is missing some large number of security issues. I’ve seen ranges from tens of thousands all the way up to millions. The purpose behind such statements is to show that the CVE data is woefully incomplete. Of course almost everyone making that claim has a van filled with security issues and candy they’re trying very hard to lure us into. It’s a pretty typical sales tactic as old as time itself. Whatever you have today isn’t good enough, but what I have, holy cow it’s better. It’s so much better you better come right over and see for yourself. After you pay me of course.

    If you take away any single thing from this post, make it this: There are not millions of unfixed security flaws missing from the CVE data.

  • Security updates for Monday
  • Telegram Leaks IP Addresses by Default When Initiating Calls

    Telegram Messenger is a communication app that allows you to create encrypted chats and phone calls with other users over the Internet. This program describes itself as being a secure and private communication app, but a researcher has shown that in its default configuration it would allow a user's IP address to be leaked when making a call.

  • Default Settings In Telegram App Exposes IP Address When Calls Are Initiated

    Telegram, which is posing a stiff challenge to WhatsApp in terms of features and security, was facing a flaw that exposed the IP addresses of users when a call is initiated.

  • Mutagen Astronomy – Linux Vulnerability Hits CentOS, Debian, and Red Hat Distros

Security: Michael Piacente, Data Protection, From VNC to Reverse Shell

Filed under
Security