Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
  • KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
  • lecture: What could possibly go wrong with (insert x86 instruction here)? [Ed: video]

    Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.

    When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • MongoDB Data Being Held For Ransom

    If you're using MongoDB, you might want to check to make sure you have it configured properly -- or better yet, that you're running the latest and greatest -- to avoid finding it wiped and your data being held for ransom.

    A hacker who goes by the name Harak1r1 is attacking unprotected MongoDB installations, wiping their content and installing a ransom note in place of the the stolen data. The cost to get the data returned is 0.2 bitcoin, which comes to about $203. If that sounds cheap, it isn't. Not if you're deploying multiple Mongo databases and they all get hit -- which has been happening.

Security News

Filed under
Security

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Musl 1.1.16 Released, Fixes CVE Integer Overflow, s390x Support

    A new version of the musl libc standard library is available for those interested in this lightweight alternative to glibc and others.

    Musl 1.1.16 was released to fix CVE-2016-8859, an under-allocation bug in regexec with an integer overflow. Besides this CVE, Musl 1.1.16 improves overflow handling as part of it and has also made other noteworthy bug fixes.

  • musl 1.1.16 release
  • Looks like you have a bad case of embedded libraries

    A long time ago pretty much every application and library carried around its own copy of zlib. zlib is a library that does really fast and really good compression and decompression. If you’re storing data or transmitting data, it’s very likely this library is in use. It’s easy to use and is public domain. It’s no surprise it became the industry standard.

  • Deprecation of Insecure Algorithms and Protocols in RHEL 6.9

    Cryptographic protocols and algorithms have a limited lifetime—much like everything else in technology. Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. In this post, we will describe the changes planned for the 6.9 release of Red Hat Enterprise Linux 6, which is already on Production Phase 2.

  • lecture: Million Dollar Dissidents and the Rest of Us [Ed: video]

    In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.

    Apple’s updates were the latest chapter in a yearlong investigation by Citizen Lab into a UAE-based threat actor targeting critics of the UAE at home and around the world. In this talk, we will explain how Citizen Lab discovered and tracked this threat actor, and uncovered the first publicly-reported iOS remote jailbreak used in the wild for mobile espionage. Using the NSO case, we will detail some of the tools and techniques we use to track these groups, and how they try to avoid detection and scrutiny. This investigation is Citizen Lab’s latest expose into the abuse of commercial “lawful intercept” malcode.

  • Class Breaks

    There's a concept from computer security known as a class break. It's a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system's software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet.

    It's a particular way computer systems can fail, exacerbated by the characteristics of computers and software. It only takes one smart person to figure out how to attack the system. Once he does that, he can write software that automates his attack. He can do it over the Internet, so he doesn't have to be near his victim. He can automate his attack so it works while he sleeps. And then he can pass the ability to someone­ -- or to lots of people -- ­without the skill. This changes the nature of security failures, and completely upends how we need to defend against them.

GNU/Linux CVEs

Filed under
GNU
Linux
Security
  • Android, Debian & Ubuntu Top List Of CVE Vulnerabilities In 2016[Ed: while Microsoft lies]

    On a CVE basis for the number of distinct vulnerabilities, Android is ranked as having the most vulnerability of any piece of software for 2016 followed by Debian and Ubuntu Linux while coming in behind them is the Adobe Flash Player.

    The CVEDetails.com tracking service has compiled a list of software with the most active CVEs. The list isn't limited to just operating systems but all software with Common Vulnerabilities and Exposures.

  • Using systemd for more secure services in Fedora

    The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability.

    Fedora project leader Matthew Miller noted the blog post and wondered if the RestrictAddressFamilies directive could be more widely applied in Fedora. That directive allows administrators to restrict access to the network address families a service can use. For example, most services do not require the raw packet access that AF_PACKET provides, so turning off access to that will harden those services to some extent. But Miller was also curious if there were other systemd security features that the distribution should be taking advantage of.

Security News

Filed under
Security
  • Lockpicking in the IoT

    "Smart" devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and App decompilation to show why those devices and their manufacturers aren't always that smart after all. And that even AES128 on top of the BTLE layer doesn't have to mean "unbreakable". Our main target will be electronic locks, but the methods shown apply to many other smart devices as well...

  • Photocopier Security

    A modern photocopier is basically a computer with a scanner and printer attached. This computer has a hard drive, and scans of images are regularly stored on that drive. This means that when a photocopier is thrown away, that hard drive is filled with pages that the machine copied over its lifetime. As you might expect, some of those pages will contain sensitive information.

  • OpenPGP really works

    After a day of analysis, PGP is used and significantly at various layers of my day-to-day activities. I can clearly said “PGP works”. Indeed, it’s not perfect (that’s the reality of a lot of cryptosystems) but PGP needs some love at the IETF, for the implementations or even some financial support.

Security News

Filed under
Security
  • Security advisories for Monday
  • Penetration Testing and Ethical Hacking Parrot Security OS 3.4.1 Includes GNUnet

    The ParrotSec project kicked off 2017 with the release of Parrot Security OS 3.4 on the first day of the year, followed the next day by a point release that brought improvements to the installer.

    Launched on January 1, 2016, Parrot Security OS 3.4 shipped with various updated packages and new features, among which we can mention the addition of the GNUNet open-source framework for secure peer-to-peer (P2P) networking, an early preview of the Freenet installer, as well as brand-new mirror servers for the netboot images.

  • Future Proof Security

    Are there times we should never make a tradeoff between “right” and “now”? Yes, yes there are. The single most important is verify data correctness. Especially if you think it’s trusted input. Today’s trusted input is tomorrow’s SQL injection. Let’s use a few examples (these are actual examples I saw in the past with the names of the innocent changed).

  • Linux Journal January 2017

    There have been epic battles over whether "insecure" or "unsecure" should be used when referring to computer security. Granted, those epic battles usually take place in really nerdy forums, but still, one sounds funny and the other seems to personify computers. Whichever grammatical construct you choose, the need for security is greater now than ever. As Linux users, we need to make sure we're not overconfident in the inherent security of our systems. Remember, they all have a weak link: us.

Security Leftovers

Filed under
Security
  • Smart electricity meters can be dangerously insecure, warns expert

    Smart electricity meters, of which there are more than 100m installed around the world, are frequently “dangerously insecure”, a security expert has said.

    The lack of security in the smart utilities raises the prospect of a single line of malicious code cutting power to a home or even causing a catastrophic overload leading to exploding meters or house fires, according to Netanel Rubin, co-founder of the security firm Vaultra.

    “Reclaim your home,” Rubin told a conference of hackers and security experts, “or someone else will.”

    If a hacker took control of a smart meter they would be able to know “exactly when and how much electricity you’re using”, Rubin told the 33rd Chaos Communications Congress in Hamburg. An attacker could also see whether a home had any expensive electronics.

  • London Ambulance Service hit by 'computer system crash' on New Year's Eve

    Officials confirmed there was a systems fault in the early hours, though staff are trained for such situations, and they continued to prioritise responses as normal.

    Calls were reportedly logged manually between 12.30am GMT and 5:15am.

  • 33c3 notes

    Some notes and highlights from #33c3. In particular, some talks I found worth watching. I intentionally don't mention any of the much interesting self-organized sessions and workshops I participated since these are not recorded. I'm just listing some interesting projects at the bottom. I wrote these notes quickly, so I'm certainly missing some stuff.

Security Leftovers

Filed under
Security
  • Ex-student charged with cyberattack on school’s internet

    A Connecticut juvenile has been charged with launching cyberattacks against a school’s internet service in connection with outages that happened in 2015 and earlier this year.

    Shelton police say the former Shelton High School student, whose name and age haven’t been released, was arrested Thursday on a charge of computer crimes in the third-degree. He’s due in juvenile court on Friday.

  • 5 signs we're finally getting our act together on security

    The high-water line in information security gets higher each year. Just as we think we’ve finally figured out how to defend against attacks, then attackers come up with something new and we are right back to trying to figure out what to do next.

  • You have one second extra tonight!

    Official clocks will hit 23:59:59 as usual, but then they'll say 23:59:60, before rolling over into 2017. This is known as a ‘leap second’ and timekeepers slip them in periodically to keep our clocks in sync with the Earth’s rotation. The laboratory with responsibility for maintaining the equipment to measure time interval (or frequency) in Ireland is the NSAI’s National Metrology Laboratory.

Security Leftovers

Filed under
Security
  • Washington Post Publishes False News Story About Russians Hacking Electrical Grid

    A story published by The Washington Post Friday claims Russia hacked the electrical grid in Vermont. This caused hysteria on social media but has been denied by a spokesman for a Vermont utility company.

    The Post story was titled, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say.”

  • Recount 2016: An Uninvited Security Audit of the U.S. Presidential Election

    The 2016 U.S. presidential election was preceded by unprecedented cyberattacks and produced a result that surprised many people in the U.S. and abroad. Was it hacked? To find out, we teamed up with scientists and lawyers from around the country—and a presidential candidate—to initiate the first presidential election recounts motivated primarily by e-voting security concerns. In this talk, we will explain how the recounts took place, what we learned about the integrity of the election, and what needs to change to ensure that future U.S. elections are secure.

  • Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails

    Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Syndicate content

More in Tux Machines

Server: Data Centres, Google, SDN, Amazon, and Microsoft

  • Data Center Networking Performance: New Apps Bring New Requirements
    Large cloud services providers such as Amazon, Google, Baidu, and Tencent have reinvented the way in which IT services can be delivered, with capabilities that go beyond scale in terms of sheer size to also include scale as it pertains to speed and agility. That’s put traditional carriers on notice: John Donovan, chief strategy officer and group president at AT&T technology and operations, for instance, said last year that AT&T wants to be the “most aggressive IT company in the world.” He noted that in a world where over-the-top (OTT) offerings have become commonplace, application and services development can no longer be defined by legacy processes.
  • Google Reveals a Powerful New AI Chip and Supercomputer
    The announcement reflects how rapidly artificial intelligence is transforming Google itself, and it is the surest sign yet that the company plans to lead the development of every relevant aspect of software and hardware. Perhaps most importantly, for those working in machine learning at least, the new processor not only executes at blistering speed, it can also be trained incredibly efficiently. Called the Cloud Tensor Processing Unit, the chip is named after Google’s open-source TensorFlow machine-learning framework.
  • Google's AlphaGo AI is about to face off against the world's best Go player

    This week, the matter will be settled once and for all. Ke Jie and AlphaGo will face off in a three-game match in Wuzhen, China, as part of the Future of Go Summit being held by Google.

  • Keynote: Cloud Native Networking- Amin Vahdat, Fellow & Technical Lead For Networking, Google
  • Google's Networking Lead Talks SDN Challenges for the Next Decade
  • Peace, love and SDN
    Virtualization has been a blessing for data centers – thanks to the humble hypervisor, we can create, move and rearrange computers on a whim, without thinking about the physical infrastructure. The simplicity and efficiency of VMs has prompted network engineers to envision a programmable, flexible network based on open protocols and REST APIs that could be managed from a single interface, without worrying about each router and switch.
  • Bryan Cantrill on Integrity

    Amazon has 14 leadership principles and integrity is not on it.

  • Bankrupt school ITT pleads 'don't let Microsoft wipe our cloud data!'
    The estate of bankrupt US trade school ITT Technical Institutes is today asking a court to stop Microsoft from erasing its cloud data. In a filing [PDF] to the US District Bankruptcy Court of Southern Indiana, the caretakers of the defunct for-profit university seek an order to bar the Redmond giant from wiping the contents of ITT's Office 365 and webmail accounts for students, faculty, and administrators.

Security Leftovers: WannaCry, Windows in Linux, Windows 7, Windows 10 is Spyware

Android Leftovers

Gaming News: SHOGUN, Reus, Two Worlds and More