Security

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Reproducible Builds: week 83 in Stretch cycle
  • Neutralizing Intel’s Management Engine

    Five or so years ago, Intel rolled out something horrible. Intel’s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we can’t even look at the code. When — not ‘if’ — the ME is finally cracked open, every computer running on a recent Intel chip will have a huge security and privacy issue. Intel’s Management Engine is the single most dangerous piece of computer hardware ever created.

  • Muni system hacker hit others by scanning for year-old Java vulnerability

    The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan.

    In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers."

  • Researchers’ Attack Code Circumvents Defense Mechanisms on Linux, Leaving Machines Susceptible

    Researchers develop such attack code to help advance Linux security. By demonstrating how attack code can be written to exploit almost any flaw effectively, work of this kind emphasizes that Linux vendors need to vigorously strengthen Linux's safety mechanisms instead of just reacting when attacks occur.

Security News

Filed under
Security
  • ‘You Hacked,’ Cyber Attackers Crash Muni Computer System Across SF [Ed: Microsoft Windows]

    That was the message on San Francisco Muni station computer screens across the city, giving passengers free rides all day on Saturday.

  • SF’s Transit Hack Could’ve Been Way Worse—And Cities Must Prepare

    This weekend, San Francisco’s public transit riders got what seemed like a Black Friday surprise: The system wouldn’t take their money. Not that Muni’s bosses didn’t want to, or suddenly forgot about their agency’s budget shortfalls.

    Nope—someone had attacked and locked the computer system through which riders pay their fares. Payment machines told riders, “You Hacked. ALL data encrypted,” and the culprit allegedly demanded a 100 Bitcoin ransom (about $73,000).

    The agency acknowledged the attack, which also disrupted its email system, and a representative said the agency refused to pay off the attacker. Unable to collect fares, Muni opened the gates and kept trains running, so people could at least get where they were going. By Monday morning, everything was back to normal.

  • Newly discovered router flaw being hammered by in-the-wild attacks

    Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.

  • Locking Down Your Linux Server

    No matter what your Linux is, you need to protect it with an iptables-based firewall.

    Yes! You’ve just set up your first Linux server and you’re ready to rock and roll! Right? Uh, no.

    By default, your Linux box is not secure against attackers. Oh sure, it’s more secure than Windows XP, but that’s not saying much.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • FutureVault Inc.'s FutureVault

    Though short of Mr Torvalds' aim of world domination, FutureVault, Inc., has set the ambitious goal to "change the way business is done" with its FutureVault digital collaborative vault application. Described by its developer as "at the epicenter of a brand new disruptive category in the financial services world", FutureVault allows users to deposit, store and manage important financial, legal and personal documents digitally by means of a white-label, cloud-based, SaaS platform.

  • Azure glitch allowed attackers to gain admin rights over hosted Red Hat Linux instances

    A VULNERABILITY in Microsoft's Azure cloud platform could have been exploited by an attacker to gain admin rights to instances of Red Hat Enterprise Linux (RHEL) and storage accounts hosted on Azure.

  • Microsoft update servers leave Azure RHEL instances hackable
  • Microsoft update left Azure Linux virtual machines open to hacking
  • Microsoft Azure bug put Red Hat instances at risk
  • Microsoft update servers left all Azure RHEL instances hackable

    Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.

    Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS.

    From there Duffy found a package labelled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host.

    Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with an SSL certificate that granted full administrative access to the four Red Hat Update Appliances.

  • Deutsche Telekom Says Cyber Attack Hits 900,000 Customers

    Deutsche Telekom (DTEGY), Europe's largest, said it could have been a victim of a cyber attack as 900,000 fixed-line customers face a second consecutive day of outages.

    The Bonn, Germany-based company, which has 20 million fixed network customers, said 900,000 customers with specific routers have faced temporary problems and marked fluctuations in quality, with some also receiving no service at all. It added that the problems have occurred in a wide region, not in a specific area.

  • San Francisco’s Muni Hacked

    It seems that on Friday, right in the midst of busy Thanksgiving weekend holiday traffic, the San Francisco Municipal Transportation Agency or Muni, was hit by hackers, forcing the system to offer Saturday free rides on the system’s light rail trains. The breach was apparently a ransomware attack, with the hackers demanding 100 Bitcoin, or approximately $73,000, to unencrypt the system.

    It all began when the words “You Hacked, ALL Data Encrypted” appeared on Muni agents’ screens. It’s not known whether Muni paid the ransom, although that’s considered unlikely. Operations of the system’s vehicles were not affected.

Security News

Filed under
Security
  • European Commission knocked offline by 'large scale' DDoS attack

    THE EUROPEAN COMMISSION (EC) was struck by a large-scale distributed denial of service (DDoS) attack on Thursday, bringing down its internet access for hours.

    The EC confirmed the attack to Politico, saying that while it did fall victim to a DDoS attack, no data breach was experienced.

    "No data breach has occurred," a Commission spokesperson said. "The attack has so far been successfully stopped with no interruption of service, although connection speeds have been affected for a time."

  • Overclocked Wearables Can Pick Up Bio-Acoustic Signals

    The sensors incorporated into wearables can sometimes be repurposed to perform tasks beyond their intended applications. For example, it's been shown that it's possible to discover a victim user’s passwords and PINs by applying a sophisticated algorithm to the data gathered by wearable embedded sensors.

    Recently, researchers at the Future Interfaces Group at Carnegie Mellon University have overclocked the accelerometer of an LG smartwatch to extend its capabilities to more than just tracking fitness. By overclocking the off-the-shelf smartwatch via some software updates, they can now detect and process very small vibrations and audio signals.

    The new technology, dubbed ViBand, can allow different apps to understand the context of your activities by capturing bio-acoustic signals.

  • The Economics of stealing a Tesla with a phone

    A few days ago there was a story about how to steal a Tesla by installing malware on the owner's phone. If you look at the big picture view of this problem it's not all that bad, but our security brains want to make a huge deal out of this. Now I'm not saying that Tesla shouldn't fix this problem, especially since it's going to be a trivial fix. What we want to think about is how all these working parts have to fit together. This is something we're not very good at in the security universe; there can be one single horrible problem, but when we paint the full picture, it's not what it seems.

  • Config fumble left Azure Red Hat Enterprise Linux wide open

    A software engineer setting up a secure Red Hat Enterprise Linux virtual machine in the cloud discovered a serious configuration flaw that could be exploited to upload arbitrary software packages to Microsoft Azure update infrastructure.

    Ian Duffy found Microsoft had configured the Red Hat Update Appliance used for Azure in such a way that an attacker could easily get access to the content delivery servers and upload packages that client virtual machines would acquire when updating.

    Duffy was able to bypass the username and password authentication on the content delivery server by running a log file collector application. Once completed, the log file collector provided a link to a downloadable compressed archive.

  • Azure bug bounty Root to storage account administrator

    In my previous blog post Azure bug bounty Pwning Red Hat Enterprise Linux I detailed how it was possible to get administrative access to the Red Hat Update Infrastructure consumed by Red Hat Enterprise Linux virtual machines booted from the Microsoft Azure Marketplace image. In theory, if exploited one could have gained root access to all virtual machines consuming the repositories by releasing an updated version of a common package and waiting for virtual machines to execute yum update.

Security News

Filed under
Security
  • Azure bug bounty Pwning Red Hat Enterprise Linux

    Acquired administrator level access to all of the Microsoft Azure managed Red Hat Update Infrastructure that supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.

  • pledge(2) … or, how I learned to love web application sandboxing

    I use application-level sandboxing a lot because I make mistakes a lot; and when writing web applications, the price of making mistakes is very dear. In the early 2000s, that meant using systrace(4) on OpenBSD and NetBSD. Then it was seccomp(2) (followed by libseccomp(3)) on Linux. Then there was capsicum(4) on FreeBSD and sandbox_init(3) on Mac OS X.

  • [Older] Why is Apache Vulnerable by Default?

    Apache is the most popular web server on Earth, with a market share of 46.4% — well above Nginx (21.8%) and Microsoft IIS (9.8%). Thanks to Linux package managers like Yum and APT you can install and get it up and running in minutes. The core installation even features powerful modules for URL rewriting, user authentication, and more.

Security News

Filed under
Security
  • Friday's security updates
  • Linux hardening: a 15-step checklist for a secure Linux server [Ed: paywall]

    Most people assume Linux is secure, and that’s a false assumption. Imagine your laptop is stolen without first being hardened. A thief would probably assume your username is “root” and your password is “toor” since that’s the default password on Kali and most people continue to use it. Do you? I hope not.

  • Homeland Security Issues 'Strategic Principles' For Securing The Internet Of Broken Things

    For much of the last year, we've noted how the rush to connect everything from toasters to refrigerators to the internet -- without adequate (ok, any) security safeguards -- has resulted in a security, privacy and public safety crisis. At first, the fact that everything from Barbies to tea kettles were now hackable was kind of funny. But in the wake of the realization that these hacked devices are contributing to massive new DDoS botnet attacks (on top of just leaking your data or exposing you to hacks) the conversation has quickly turned serious.

    Security researchers have been noting for a while that it's only a matter of time before the internet-of-not-so-smart-things contributes to human fatalities, potentially on a significant scale if necessary infrastructure is attacked. As such, the Department of Homeland Security recently released what they called "strategic principles" for securing the Internet of Things; an apparent attempt to get the conversation started with industry on how best to avoid a dumb device cyber apocalypse.

  • Microsoft gives third-parties access to Windows 10 Telemetry data

    Microsoft struck a deal with security company FireEye recently, according to a report on Australian news magazine ARN, which gives FireEye access to all Windows 10 Telemetry data.

Security News

Filed under
Security
  • Microsoft is reportedly sharing Windows 10 telemetry data with third-parties

    MICROSOFT HAS REPORTEDLY signed a deal with FireEye that will see it share telemetry data from Windows 10 with the third-party security outfit.

    So says Australian website ARN, which reports that Microsoft and FireEye's partnership, which will see the security firm's iSIGHT Intelligence tools baked into Windows Defender, will also see FireEye "gain access to telemetry from every device running Windows 10."

    Microsoft uses telemetry data from Windows 10 to help identify security issues, to fix problems and to help improve the quality of its operating system, which sounds like a good thing. However, with the company previously admitting that its latest OS is harvesting more data than any version before it, Microsoft's mega data-slurp also raised some privacy concerns.

  • Hackers attack European Commission

    The European Commission was the victim of a “large scale” cyberattack Thursday, a spokesperson said.

    “The attack has so far been successfully stopped with no interruption of service, although connection speeds have been affected for a time. No data breach has occurred,” the spokesperson said.

  • 8 Books Security Pros Should Read

    Calling all infosec pros: What are the best books in your security library?

    On second thought, let's take a step back. A better question may be: Do you have a security library at all? If not, why?

    Security professionals have countless blogs, videos, and podcasts to stay updated on rapidly changing news and trends. Books, on the other hand, are valuable resources for diving into a specific area of security to build knowledge and broaden your expertise.

    Because the security industry is so complex, it's impossible to cram everything there is to know in a single tome. Authors generally focus their works on single topics including cryptography, network security modeling, and security assessment.

    Consider one of the reads on this list of recommendations, Threat Modeling: Designing for Security. This book is based on the idea that while all security pros model threats, few have developed expertise in the area.

  • DoD Opens .Mil to Legal Hacking, Within Limits

    Security researchers are often reluctant to report programming flaws or security holes they’ve stumbled upon for fear that the vulnerable organization might instead decide to shoot the messenger and pursue hacking charges.

    But on Nov. 21, the DoD sought to clear up any ambiguity on that front for the military’s substantial online presence, creating both a centralized place to report cybersecurity flaws across the dot-mil space as well as a legal safe harbor (and the prospect of public recognition) for researchers who abide by a few ground rules.

  • Data breach law 'will create corporate awareness'

    The introduction of a data breach law requiring disclosure of consumer data leaks is important because it will make big corporates aware they need to be transparent about their state of security, the head of a big cyber-security firm says.

    Guy Eilon, the country manager of Forcepoint, was commenting on the speech made by Dan Tehan, the minister assisting the prime minister on cyber security, on Wednesday.

  • US Navy breach: 130,000 soldiers at risk after HPE contractor hacked [iophk: "MS, possibly MS sharepoint?"]

    The Navy has acknowledged the breach and said it was made aware of the incident after being notified that a laptop belonging to an employee of Navy contractor Hewlett-Packard Enterprise (HPE) was compromised by hackers.

  • US Navy warns 134,000 sailors of data breach after HPE laptop is compromised

    Sailors whose details have been compromised are being notified by phone, letter, and e-mail, the Navy said. "For those affected by this incident, the Navy is working to provide further details on what happened, and is reviewing credit monitoring service options for affected sailors."

  • Personal data for more than 130,000 sailors stolen, admits US Navy

    A spokesman for Hewlett Packard Enterprise Services, said: “This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”

  • Riseup’s Canary Has Died

    Popular provider of web tools for activists and anarchists and backbone of much infrastructure for internet freedom, Riseup.net has almost certainly been issued a gag order by the US government.

Security News

Filed under
Security
  • The FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant

    In January, Motherboard reported on the FBI's “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually an order of magnitude larger.

    In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case.

  • curl security audit

    I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. This was done by Mozilla getting a 3rd party company involved to do the job and footing the bill for it. The auditing company is called Cure53.

  • Personal data for more than 130,000 sailors was breached, Navy says

    The Navy was notified in October by Hewlett Packard Enterprise Services that a computer supporting a Navy contract was “compromised,” and that the names and social security numbers of 134,386 current and former sailors were accessed by unknown persons, the service said in a news release.

  • Your headphones could be spying on you

    JUST WHEN you thought you couldn’t possibly be carrying any more tracking devices, it looks like you can add another one to the mix.

    A team of researchers in Israel have discovered that with a little hardware hackery, your headphones can be used to listen in on you when plugged into your computer.

    It’s been known for a long time that if you plug a microphone into a speaker jack, it can sometimes make a tinny speaker (if you blast the volume). But what about the other way around?

    Ben Gurion University researchers have discovered that with a simple malware program which they've christened SPEAKE(a)R, Realtek codecs, which provide the built in sound on most motherboards, can be reassigned to turn the headphone jack into a microphone.

  • How to create heat maps to show who’s trying to connect to your router

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Malware Found on New Windows Computers (Not What You Think)

    It appears that the office supply giant, Office Depot, isn’t averse to tarnishing its reputation if there’s a buck or two to be made in the process.

    KIRO TV in Seattle reported on November 15 that it had taken brand new out-of-the-box computers that had never been connected to the Internet to Office Depot stores, both in Washington state and Portland, Oregon, and told the repair desk staff that “it’s running a little slow.” In four out of six cases they were told the computer was infected with viruses and would require an up to $180 fix.

    After declining the “fix,” they took the “virus laden” machines to a Seattle security outfit, IOActive, which reexamined the machines. “We found no symptoms of malware when we operated them,” an employee with the firm, Will Longman, said. “Nor did we find any actual malware.”

    In the two cases where undercover reporters weren’t told that their computers showed evidence of an infection, they were advised to install antivirus software. In one of the two stores, a technician evidently noticed that the machine was new and told the reporter to “ignore the test results.”

  • FBI Hacked into 8,000 Computers in 120 Countries Using A Single Warrant

    The FBI hacked into more than 8,000 computers in 120 different countries with just a single warrant during an investigation into a dark web child pornography website, according to newly published court filings.

    This FBI mass hacking campaign is related to the high-profile child pornography Playpen case and represents the largest law enforcement hacking campaign known to date.

    The warrant was initially issued in February 2015 when the FBI seized the Playpen site and set up a sting operation on the dark web site, in which the agency deployed malware to obtain IP addresses from the site's alleged visitors.

  • How Unikernels Can Better Defend against DDoS Attacks

    On this episode of The New Stack Makers podcast, Dell EMC CTO Idit Levine, an EMC chief technology officer at the cloud management division and office of the CTO, discussed how unikernels are poised to offer all of the developer flexibility afforded to containers, while striving for better security and integrations with many of today’s top container platforms. She spoke with SolarWinds Cloud Technology Lead Lee Calcote at KubeCon 2016:

  • Exploit Code Bypasses Linux Security Features Leaving Systems Vulnerable
  • Researcher writes codeless exploit that bypasses Linux security measures

    If you’re a Linux administrator, then you’re likely aware that even being fully up to date on all of the patches for your Linux distribution of choice is no guarantee that you’re free from vulnerabilities. Linux is made up of numerous components, any of which can open up an installation to one exploit or another.

Tor phone (Android)

Filed under
Android
Security
  • Tor phone is antidote to Google “hostility” over Android, says developer

    The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone—an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google.

    The new phone, designed by Tor developer Mike Perry, is based on Copperhead OS, the hardened Android distribution profiled first by Ars earlier this year.

  • Tor-Enabled Phone Offers Various Layers Of Security

    We’ve seen all sorts of Android smartphones released over the years, from the ones that ship with Google’s stock Android or a third-party skin, to the ones that sport two displays, are curved or have heavy security features. There are tons of different smartphones available out there, and a number of different OSes available for those smartphones, and that’s the true beauty of Android. Now, some of you have probably heard of a Tor-enabled smartphone by the Tor Project. This smartphone puts a huge emphasis on security and privacy, and those of you who are very concerned about such issues should be interested, though do keep in mind that the Tor-enabled smartphone actually refers to software that can be installed on a smartphone, not an actual hardware smartphone that will be available for sale, just to make that clear.
