Language Selection

English French German Italian Portuguese Spanish

Security

Security: Deloitte, AWS, CCleaner, Equifax, Optionsbleed

Filed under
Security
  • Source: Deloitte Breach Affected All Company Email, Admin Accounts

     

    Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.  

  • Security breach exposes data from half a million vehicle tracking devices

     

    The exposed data, which includes customer credentials, was unearthed through a misconfigured Amazon AWS S3 bucket that was left publically available, and because it wasn't protected by a password, could allow anyone to pinpoint locations visited by customers of the vehicle tracking firm.

  • CCleaner backdoor infecting millions delivered mystery payload to 40 PCs

    At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.

  • Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

    This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conducts the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credits cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.    

    Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

    While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear.  That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

  • New breach, same lessons

    The story of recent breaches at the credit-rating agency Equifax, which may have involved the personal details of nearly 150 million people, has probably just begun, given the confusion that still surrounds events. But it’s brought the security of open source software to the fore yet again, and highlighted the ongoing struggle organizations still have with cybersecurity.

  • Apache “Optionsbleed” vulnerability – what you need to know [Ed: The security FUD complex came up with a buzzword: Optionsbleed. But it fails to (over)sell this hype.]

Security: Deloitte, Ransomware, Equifax, Denmark, and macOS 0-Day

Filed under
Security
  • Deloitte hack exposes secret emails and plans from firm's blue-chip clients

    Hackers [sic] are said to have accessed confidential emails and plans of Deloitte's blue-chip clients, along with usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

  • Deloitte hit by cyber-attack revealing clients’ secret emails

    Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.

  • A quarter of local UK councils have fallen victim to ransomware

    115 councils (27 per cent) said they had been victims of security ransoms, while 43 per cent said they hadn't.

  • Equifax CEO Richard Smith Retires as Breach Fallout Continues

    Equifax's massive data breach has claimed another victim - Richard Smith, the company's CEO and Chairman of the Board. Equifax announced that Smith is retiring from his role at the company, effective Sept. 26.

    "The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith stated. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."

    Equifax announced on Sept. 7 that it was the victim of a data breach the exposed personally identifiable information on 143 million Americans. The company initially reported that it first became aware of the breach on July 29, though subsequent reports have alleged that the company was breached as early as March.

  • Denmark continues its work on cyber security plan

    Denmark’s Ministry of Finance is to finalise Denmark’s national strategy for cyber and information security. The ministry recently took over coordination of the plans, which previously were being prepared by the Ministry of Defence. The strategy is to be presented early next year, reports Denmark’s Agency for Digitisation (Digitaliseringsstyrelsen - DIGST).

  • Password-theft 0-day imperils users of High Sierra and earlier macOS versions

    There's a vulnerability in High Sierra and earlier versions of macOS that allows rogue applications to steal plaintext passwords stored in the Mac keychain, a security researcher said Monday. That's the same day the widely anticipated update was released.

    The Mac keychain is a digital vault of sorts that stores passwords and cryptographic keys. Apple engineers have designed it so that installed applications can't access its contents without the user entering a master password. A weakness in the keychain, however, allows rogue apps to steal every plaintext password it stores with no password required. Patrick Wardle, a former National Security Agency hacker who now works for security firm Synack, posted a video demonstration here.

Security: Updates, CCleaner, and Capsule8

Filed under
Security
  • Security updates for Monday
  • CCleaner malware may be from Chinese group: Avast

    Security company Avast says it has found similarities between the code injected into CCleaner and the APT17/Aurora malware created by a Chinese advanced persistent threat group in 2014/2015.

  • Capsule8 Raises New Funds to Help Improve Container Security

    Container security startup Capsule8 is moving forward with beta customer deployments and a Series A round of funding, to help achieve its vision of providing a secure, production-grade approach to container security.

    The Series A round of funding was announced on Sept. 19, with the company raising $6 million, led by Bessemer and ClearSky, bringing total funding to date up to $8.5 million. Capsule8 first emerged from stealth in February 2017, though its' core technology product still remains in private beta as the company fine-tunes the platform for production workload requirements.

Security: Adobe and Apple Fail/Fare Badly

Filed under
Security
  • In spectacular fail, Adobe security team posts private PGP key on blog

    Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

  • Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments

    Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. 

    With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

Filed under
Security
  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed

    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”

  • Joomla patches eight-year-old critical CMS bug

    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains.

    This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin.

    Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS.

    Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.

  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

Security: FOSS Updates, SEC, CCleaner

Filed under
Security
  • Security updates for Friday
  • SEC Chairman reveals financial reporting system was hacked
  • CCleaner malware outbreak is much worse than it first appeared
  • CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

    At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

    And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

IoT botnet Linux.ProxyM turns its grubby claws to spam rather than DDoS

Filed under
Security

An IoT botnet is making a nuisance of itself online after becoming a conduit for spam distribution.

Linux.ProxyM has the capability to engage in email spam campaigns with marked difference to other IoT botnets, such as Mirai, that infamously offered a potent platform for running distributed-denial-of-service attacks (DDoSing). Other IoT botnets have been used as proxies to offer online anonymity.

Read more

Security: Antipatterns in IoT Security, Signing Programs for Linux, and Guide to Two-Factor Authentication

Filed under
Security
  • Antipatterns in IoT security

    Security for Internet of Things (IoT) devices is something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process.

    A big portion of the talk was about antipatterns that he has seen—and even fallen prey to—in security engineering, he said. It was intended to help engineers develop more secure products on a schedule. It was not meant to be a detailed look at security technologies like cryptography, nor even a guide to what technical solutions to use. Instead, it targeted how to think about security with regard to developing IoT products.

  • Signing programs for Linux

    At his 2017 Open Source Summit North America talk, Matthew Garrett looked at the state of cryptographic signing and verification of programs for Linux. Allowing policies that would restrict Linux from executing programs that are not signed would provide a measure of security for those systems, but there is work to be done to get there. Garrett started by talking about "binaries", but programs come in other forms (e.g. scripts) so any solution must look beyond simply binary executables.

    There are a few different reasons to sign programs. The first is to provide an indication of the provenance of a program; whoever controls the key actually did sign it at some point. So if something is signed by a Debian or Red Hat key, it is strong evidence that it came from those organizations (assuming the keys have been securely handled). A signed program might be given different privileges based on the trust you place in a particular organization, as well.

  • A Guide to Common Types of Two-Factor Authentication on the Web

    Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it's becoming much more common across the web. With often just a few clicks in a given account's settings, 2FA adds an extra layer of security to your online accounts on top of your password.

    In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key). Once you put in your password, you'll grab a code from a text or app on your phone or plug in your security key before you are allowed to log in. Some platforms call 2FA different things—Multi-Factor Authentication (MFA), Two Step Verification (2SV), or Login Approvals—but no matter the name, the idea is the same: Even if someone gets your password, they won't be able to access your accounts unless they also have your phone or security key.

    There are four main types of 2FA in common use by consumer websites, and it's useful to know the differences. Some sites offer only one option; other sites offer a few different options. We recommend checking twofactorauth.org to find out which sites support 2FA and how, and turning on 2FA for as many of your online accounts as possible. For more visual learners, this infographic from Access Now offers additional information.

    Finally, the extra layer of protection from 2FA doesn't mean you should use a weak password. Always make unique, strong passwords for each of your accounts, and then put 2FA on top of those for even better log-in security.

Security: SEC Breach, DNSSEC, FinFisher, CCleaner and CIA

Filed under
Security
Syndicate content

More in Tux Machines

Canonical Says Ubuntu 18.04 LTS (Bionic Beaver) Will Come with Boot Speed Boost

Canonical's Will Cooke published a new Ubuntu Desktop newsletter today to inform the community on the development progress of the upcoming Ubuntu 18.04 LTS (Bionic Beaver) operating system. Besides various improvements for the GNOME desktop environment, the Ubuntu Desktop team over at Canonical recently started to investigate the boot speed of the Ubuntu Linux operating system, planning to give it another boost by using systemd’s latest features to do some profiling, which will help them identify any issues that might cause slow boot up time. Read more Also: Canonical Pulls Intel's Spectre Update from Ubuntu Repos Due to Hardware Issues

Intel's "Utter Garbage" Code Bricks and Delays Linux, Torvalds Furious

today's leftovers

  • 20 Years of LWN
    Back in mid-1997, your editor (Jonathan Corbet) and Liz Coolbaugh were engaged in a long-running discussion on how to trade our nice, stable, reliably paying jobs for a life of uncertainty, poverty, and around-the-clock work. Not that we thought of it in those terms, naturally. We eventually settled on joining Red Hat's nascent "support partner" program; while we were waiting for it to get started, we decided to start a weekly newsletter as a side project — not big and professional like the real press — to establish ourselves in the community. Thus began an amazing journey that has just completed its 20th year. After some time thinking about what we wanted to do and arguing about formats, we published our first edition on January 22, 1998. It covered a number of topics, including the devfs controversy, the pesky 2GB file-size limit on the ext2 filesystem, the use of Linux on Alpha to render scenes in the film "Titanic", the fact that Red Hat had finally hired a full-time quality-assurance person and launched the Red Hat Advanced Development Labs, and more. We got almost no feedback on this issue, though, perhaps because we didn't tell anybody that we had created it.
  •  
  • EzeeLinux Show 18.4 | Ubuntu 17.10 Revisited
    Canonical revised Ubuntu 17.10 with the new 17.10.1. Time to take another look…
  • PodCTL #22 – Highway to Helm
    One of the reasons that Kubernetes has gained so much traction in the marketplace is because it is flexible enough to allow innovation to happen all around the core APIs. One area where that has happened is in application package management, specifically with the Helm project.
  • LibreELEC Linux OS Will Get Meltdown and Spectre Patches with Next Major Release
    The development team behind the Kodi-based LibreELEC (Libre Embedded Linux Entertainment Center) open-source HTPC operating system for embedded systems and PCs released LibreELEC 8.2.3. LibreELEC 8.2.3 is the third maintenance update to the LibreELEC 8.2 "Krypton" series of the Just enough Operating System (JeOS), which is based on the Kodi 17 "Krypton" open-source and cross-platform media center. It's here a month after the LibreELEC 8.2.2 point release to address a few issues.
  • openSUSE 42.2 to Reach End-of-Life This Week
    The minor release of openSUSE Leap 42.2 will reach its End-of-Life (EOL) this week on Jan. 26. The EOL phase ends the updates to the operating system, and those who continue to use EOL versions will be exposed to vulnerabilities because these discontinued versions no longer receive security and maintenance updates; this is why users need to upgrade to the newer minor; openSUSE Leap 42.3. “We are very pleased with the reliability, performance and longevity of Leap,” said openSUSE member Marcus Meissner. “Both the openSUSE community and SUSE engineers have done a fantastic job with security and maintenance of the Leap 42 distribution; users can be confident that their openSUSE operating system is, and will continue to be, receiving bug fixes and maintenance updates until its End-of-Life.”
  • French Gender-Neutral Translation for Roundcube
    Here's a quick blog post to tell the world I'm now doing a French gender-neutral translation for Roundcube.
  •  
  • This Oil Major Has a Supercomputer the Size of a Soccer Field
    Big Oil is now Big Tech. So big, in fact, that Eni SpA’s new supercomputer is the size of a soccer field. In the multimillion-dollar pursuit of the world’s most powerful computers, the Italian explorer says it’s taken the lead. Its new machine, located outside Milan, will scan for oil and gas reservoirs deep below the Earth over thousands of miles. “This is where the company’s heart is, where we hold our most delicate data and proprietary technology,” Eni Chief Executive Officer Claudio Descalzi said in an interview on Thursday.

Compilers and CLI: LLVM, GCC and Bash