
Security

Security: ZIP Bombs, Shadow Brokers, Linux Bashing Over Weak Passwords etc.

Filed under
Security
  • How to defend your website with ZIP bombs
  • Shadow Brokers translation

    As a service to non-native English speakers I am translating the Shadow Brokers “Borat” into simple English. I am not going to do any analysis in this post, just simple translation for people who have difficulty with Shadow Brokers posts.

  • Feelin' safe and snug on Linux while the Windows world burns? Stop that [Ed: Well, with proprietary software the holes (or back doors) are sometimes intentional, unlike in GNU]

    The ransomware problems reported by The Reg over the past few weeks are enough to make you, er, wanna cry. Yet all that's happened is that known issues with Windows machines – desktop and server – have now come to everyone's attention and the bandwidth out of Microsoft's Windows Update servers has likely increased a bit relative to the previous few weeks.

  • Linux is not as safe as you think [Ed: Having default passwords on a router (or other device) is not as safe as you think]
  • IoT Fuels Growth of Linux Malware [Ed: John P. Mello Jr. is the latest among many to cite a Microsoft ally from Seattle to make Linux look terrible]

Security: Updates, Bounties, SS7 Attacks

Filed under
Security
  • Security updates for Wednesday
  • At $30,000 for a flaw, bug bounties are big and getting bigger

    Hackers are being paid as much as $30,000 for finding a single critical flaw in a company's systems, and the amount companies are willing to pay is increasing.

    While the use of such bug hunting programmes is still limited, some large organisations are offering hackers rewards for spotting flaws in their systems.

  • Windows ransomware found to be incredibly rare [Ed: Android and Linux basher Liam Tung seems to be doing some Microsoft PR today]
  • Linux and macOS malware threats tripled in 2016, according to report [Ed: Microsoft-linked sites like to the above]
  • Researchers Build Firewall to Deflect SS7 Attacks

    Security researchers will release an open-source SS7 firewall at Black Hat USA that aims to bolster security of mobile operators' core networks.

    Mobile security software can do little to protect end users and BYOD workers when Signaling System 7 (SS7) vulnerabilities are exploited in mobile operators' core mobile networks, according to security researchers.

    SS7 vulnerabilities, which can allow cybercriminals to hijack two-factor authentication codes texted to mobile phones, read and redirect text messages, eavesdrop on phone calls, and track a phone's location, have existed since 2014.

Security: Cyberweapons, Kaspersky, and Microsoft-Connected Linux FUD

Filed under
Security
  • When Cyberweapons Go Missing
  • Kaspersky Lab row: Russian minister warns of blowback

    Russian Communications Minister Nikolay Nikiforov said in a Bloomberg interview that Russia was using a "a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas".

    Microsoft and Cisco are said to be the American companies whose products have the highest usage in Russia.

  • Threats to Linux IoT devices on the rise [Ed: there are still puff pieces like these, citing Microsoft partner WatchGuard from Seattle, attacking perception of Linux security]

    Many of these devices, which often use old versions of Linux, have a default username and password which users often do not bother to change. Logging in with these credentials — which are easy to find on the Web — gives root access to the device in question.

  • Cybersecurity battleground shifting to Linux and web servers - report [Ed: another one of those; there have been half a dozen, mostly quoting the press release]

Security: libgcrypt20, NSA, CIA, US Independence Day Updates, Reproducible Builds, and Debian LTS

Filed under
Security
  • GnuPG crypto library cracked, look for patches

    Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched.

    The patch, which has landed in Debian and Ubuntu, is to address a side-channel attack published last week.

    The researchers published their work at the International Association for Cryptologic Research's e-print archive last week. The paper was authored by David Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom (who hail variously from the Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide).

  • It’s time for the NSA to speak up about its stolen cyber weapons [Not just that; it should be held accountable, along with accomplices like Microsoft]

    After a global ransomware attack extending from Russia to the U.S. hit computer systems last week, security analysts quickly realized the perpetrators were using stolen cyber weapons that were part of the National Security Agency’s (NSA) arsenal — for the second time in just six weeks.

    While the NSA has yet to acknowledge publicly that their hacking tools have fallen into the wrong hands, at least one congressman asked them to take action. “As a computer science major, my long-term fear — which is shared by security researchers — is that this is the tip of the iceberg and many more malware attacks will soon be released based on NSA’s hacking tools,” Rep. Ted Lieu, D-Calif., wrote in a letter to NSA Director Michael Rogers.

  • Linux malware: Leak exposes CIA's OutlawCountry hacking toolkit
  • Security updates for US Independence Day
  • Reproducible Builds: week 114 in Stretch cycle
  • My Free Software Activities in June 2017

    My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Security: SPAM and AA Breach

Filed under
Security
  • Malicious ReplyTo
  • Is it Time to Can the CAN-SPAM Act?

    The “CAN” in CAN-SPAM was a play on the verb “to can,” as in “to put an end to,” or “to throw away,” but critics of the law often refer to it as the YOU-CAN-SPAM Act, charging that it essentially legalized spamming. That’s partly because the law does not require spammers to get permission before they send junk email. But also because the act prevents states from enacting stronger anti-spam protections, and it bars individuals from suing spammers except under laws not specific to email.

  • AA downplays breach that exposed details of more than 100,000 customers

    Car insurance outfit the AA has suffered a major data breach that has exposed the personal information - including partial credit card data - of more than 100,000 customers.

  • The AA Exposed Emails, Credit Card Data, and Didn’t Inform Customers

    However, an exposed server contained sensitive information on over 100,000 AA customers, in many cases including partial credit card data, according to a database obtained by Motherboard. Judging by interviews with victims, the AA never directly informed affected customers either, even though the company says it knew about the breach in April.

Security: Security Updates, WikiLeaks, Let's Encrypt, SystemD

Filed under
Security
  • Security updates for Monday
  • WikiLeaks reveals CIA malware for hacking Linux computers
  • Let's Encrypt Has Issued 100 Million Certificates

    This evening, the Let's Encrypt certificate authority issued its hundred millionth digital certificate. This is a remarkable milestone in just a year and a half of public operation; Let's Encrypt is likely now either the largest or second-largest public CA by volume of certificates issued.

    Let's Encrypt was created by Mozilla, the University of Michigan, and EFF, with Cisco and Akamai as founding sponsors, and is operated by the Internet Security Research Group, a non-profit organization. (See also the thoughts of Josh Aas, ISRG's executive director, on reaching this milestone.)

    Free certificates from Let's Encrypt allow web sites to offer secure HTTPS connections to their users, protecting the privacy and security of those connections against many network-based threats. EFF continues to help develop the Boulder software that Let's Encrypt uses internally, as well as Certbot, Let's Encrypt's recommended software for obtaining and installing certificates on web servers.

  • Linux Bug Gets Squashed Two Years After Being Introduced

    The cycle in which ideas turn into software is getting shorter and shorter. By and large, this is a good thing as new functions are delivered to users faster than ever before. But one of the consequences is software bugs are introduced and sometimes missed. I suspect part of the reason is testing cycles are being squeezed. This is part of the root cause, I think, as to why a two year old bug was introduced into Linux.

Security: Hacker’s Preference, OutlawCountry, and the Latest Black Duck FUD

Filed under
Security

Security: KeyChest, Manjaro Password Weakness in Calamares, systemd Bug, and OutlawCountry

Filed under
Security

Security: TIOCSTI, OutlawCountry, Jeep, and Older News Catchup

Filed under
Security
  • On the Insecurity of TIOCSTI
  • OutlawCountry: CIA’s Hacking Tool For Linux Computers Revealed
  • Feds: Mexican motorcycle club used stolen key data to fuel massive Jeep heist

    Once inside, the thieves connected a "handheld vehicle program computer" into the Jeep's diagnostic port. Then, using the second key, the microchip on the duplicate key would be programmed, or "paired." With that complete, the alarm would cease, and the rear lights would stop flashing. Finally, the thieves would drive the Jeep into Mexico.

  • [Old] How Big Fuzzing helps find holes in open source projects

    Is “fuzzing” software to find security vulnerabilities using huge robot clusters an idea whose time has come?

    The latest numbers to emerge from Google’s OSS-Fuzz, a beta launched last December to automatically search for flaws in open source software, look encouraging.

  • [Old] Google's Fuzz Tester IDs Hundreds of Potential Open Source Security Flaws [Ed: This site is connected to Microsoft and cites Black Duck to make FOSS look bad.]

    Also, Black Duck Software Inc. recently revealed the results of security audits it undertook that show "widespread weakness in addressing open source security vulnerability risks."

  • [Old] Buy vs. build to reduce insider threats [Ed: False dichotomy. You do not ever BUY proprietary software, you license or rent. And FOSS is commercial. This site is connected to Microsoft.]

    There is no arguing that cybersecurity is a huge concern for the public, industry and government alike. The general consensus is that we need to be doing more, but we also need to be doing something different.

    The federal government and its agencies spend a lot of money on cybersecurity. The 2017 federal fiscal budget for information security was $19 billion. In recent years, a single cybersecurity contract has cost up to $1 billion. These contracts are largely awarded to federal contractors so that they can build custom solutions for agencies. And there is no lack of research pointing to the fact that the government pays contractors far more than it pays its own employees. All of this spending on cybersecurity could actually be weakening the government’s security posture.

    [...]

    Commercially supported open source has one other feature the contractor-implemented open source doesn't -- economies of scale. Because the majority of financial support for commercially supported software comes from the private sector and not the government, cost savings over the lifetime of a supported feature are massive. Though the government may be the first to request or introduce a software feature, when it's commercially supported those private sector companies co-fund the software O&M. Whenever a major bank adopts the same software the government uses, they both benefit from those advances. But government is one funding contributor among many, saving taxpayers a great deal of money.

  • [Old] #Infosec17 Dangers and Dependencies of Open Source Modules Detailed

    A common attack was by making a spelling mistake, as this can allow you to take over a legitimate account based on the module identity name. “The developers are here to develop and don’t always consider security,” he said.

Security: Security Updates, Systemd, OutlawCountry, Microsoft Cyberattacks, Microsoft Abuses, and Restrictions

Filed under
Security
  • Security updates for Friday
  • USN-3341-1: Systemd vulnerability

    An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code.

  • About the OutlawCountry Linux malware

    Isn’t that clear? The attacker is loading a custom kernel module as root in your machine. They don’t use Netfilter to break into your system. The problem is not Netfilter, the problem is your whole machine being under their control.

  • Wikileaks Reveals CIA Malware that Hacks & Spy On Linux Computers
  • OutlawCountry: Project of the CIA Targets Computers Running the Linux Operating System
  • NotPetya developers may have obtained NSA exploits weeks before their public leak [Updated]
  • Exclusive: India presses Microsoft for Windows discount in wake of cyber attacks [iophk: "Canonical ought to jump on this, why are they so quiet?"]

    India is pressing Microsoft Corp to offer a sharply discounted one-time deal to the more than 50 million Windows users in the country so that they can upgrade to the latest Windows 10 operating system in the wake of ransomware attacks.

  • So You Think You Can Spot a Skimmer?

    Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you’re good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.

  • Attacking the kernel via its command line
  • As A New Wave Of Cyberattacks Rolls Out, Rep. Ted Lieu Asks What The NSA's Going To Do About It

    Leaked NSA exploits have now been the basis for two massive cyberattacks. The first -- Wannacry -- caught hospitals and other critical infrastructure across several nations in the crossfire, using a tool built on the NSA's ETERNALBLUE exploit backbone. The second seems to be targeting Ukraine, causing the same sort of havoc but with a couple of particularly nasty twists.

    This one, called Petya, demanded ransom from victims. Things went from bad to worse when email provider Posteo shut down the attacker's account. Doing so prevented affected users from receiving decryption keys, even if they paid the ransom.

    It soon became apparent it didn't matter what Posteo did, no matter how clueless or ill-advised. There was no retrieving files even if ransoms were paid. Two separate sets of security researchers examined the so-called ransomware and discovered Petya is actually a wiper. Once infected, victims' files are as good as gone. No amount of bitcoin is going to reverse the inevitable. The ransomware notices were only there to draw attention to the infection and away from the malware's true purpose.

  • Microsoft, please stop doing things for our own good

    For over 20 years, Microsoft stomped on its competitors and then defended itself against the resulting antitrust lawsuits. But with desktop Windows waning in importance and its desktop software rivals largely gone, Microsoft seemed to have turned a new leaf. Or had it?

    In the one software sphere left where it still has rivals — antivirus and security software — Microsoft is up to its old anti-competitive tricks. Late last year, Eugene Kaspersky, founder of the eponymous antivirus company, said, “When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs… you guessed it — its own Defender antivirus. But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible?”

  • Yet more linux security module craziness ..
  • ThunderBolt Security Levels and Linux desktop

    Recently I got a Dell XPS 13 as my new work laptop and I use it with the TB16 dock. This dock doesn’t seem to fully work with Linux; only the monitors work. But if you go to the BIOS settings and set the Thunderbolt Security level to “No security”, then suddenly almost everything works.

More in Tux Machines

OSS Leftovers

  • How Open Source Tech Helps Feds Solve Workforce Turnover Issues
    Just as a mainframe from decades ago might be ready for retirement, the IT staff who originally procured and installed that system might also be preparing for a new phase in their lives. It’s up to the current and next generation of government IT employees to prepare for that eventuality, but there are indications they may not be ready, despite evidence that older IT professionals are retiring or will soon be leaving their positions. Unfortunately, a skills gap exists even among younger generation IT workers. Agencies are scrambling to find personnel with expertise in cloud service management, cybersecurity, technical architecture and legacy technologies, such as common business-oriented language (COBOL) and mainframes, among other areas. At the same time that many workers are getting ready to retire, leaving behind a wealth of knowledge, many younger IT professionals are struggling to gain the knowledge they will need to take their agencies into the future.
  • Introducing Fn: “Serverless must be open, community-driven, and cloud-neutral”
    Fn, a new serverless open source project was announced at this year’s JavaOne. There’s no risk of cloud lock-in and you can write functions in your favorite programming language. “You can make anything, including existing libraries, into a function by packaging it in a Docker container.” We invited Bob Quillin, VP for the Oracle Container Group to talk about Fn, its best features, next milestones and more.
  • Debian seminar in Yokohama, 2017/11/18
    I attended the Tokyo area Debian seminar #157. The day’s special guest was Chris Lamb, the Debian Project Leader in 2017. He had attended the Open Compliance Summit, so we invited him as our guest.
  • Overclock Labs bets on Kubernetes to help companies automate their cloud infrastructure
    Overclock Labs wants to make it easier for developers to deploy and manage their applications across clouds. To do so, the company is building tools to automate distributed cloud infrastructure and, unsurprisingly, it is betting on containers — and specifically the Kubernetes container orchestration tools — to do this. Today, Overclock Labs, which was founded two years ago, is coming out of stealth and announcing that it raised a $1.3 million seed round from a number of Silicon Valley angel investors and CrunchFund — the fund that shares a bit of its name and history with TechCrunch but is otherwise completely unaffiliated with the blog you are currently reading.
  • MariaDB Energizes the Data Warehouse with Open Source Analytics Solution
    MariaDB® Corporation, the company behind the fastest growing open source database, today announced new product enhancements to MariaDB AX, delivering a modern approach to data warehousing that enables customers to easily perform fast and scalable analytics with better price performance over proprietary solutions. MariaDB AX expands the highly successful MariaDB Server, creating a solution that enables high performance analytics with distributed storage and parallel processing, and that scales with existing commodity hardware on premises or across any cloud platform. With MariaDB AX, data across every facet of the business is transformed into meaningful and actionable results.
  • AT&T Wants White Box Routers with an Open Operating System [Ed: AT&T wants to openwash its surveillance equipment]
    AT&T says it’s not enough to deploy white box hardware and to orchestrate its networks with the Open Network Automation Platform (ONAP) software. “Each individual machine also needs its own operating system,” writes Chris Rice, senior vice president of AT&T Labs, Domain 2.0 Architecture, in a blog post. To that end, AT&T announced its newest effort — the Open Architecture for a Disaggregated Network Operating System (dNOS).
  • Intel Lands Support For Vector Neural Network Instructions In LLVM
  • p2k17 Hackathon report: Antoine Jacoutot on ports+packages progress
  • GCC 8 Feature Development Is Over
    Feature development on the GCC 8 compiler is over with it now entering stage three of its development process. SUSE's Richard Biener announced minutes ago that GCC 8 entered stage three development, meaning only general bug fixing and documentation updates are permitted.
  • 2018 Is The Year For Open Source Software For The Pentagon
  • Open-source defenders turn on each other in 'bizarre' trademark fight sparked by GPL fall out
    Two organizations founded to help and support developers of free and open-source software have locked horns in public, betraying a long-running quarrel rumbling mostly behind the scenes. On one side, the Software Freedom Law Center, which today seeks to resolve licensing disputes amicably. On the other, the Software Freedom Conservancy, which takes a relatively harder line against the noncompliance of licensing terms. The battleground: the, er, US Patent and Trademark Office. The law center has demanded the cancellation of a trademark held by the conservancy.
  • Open Source Underwater Glider: An Interview with Alex Williams, Grand Prize Winner
    Alex Williams pulled off an incredible engineering project. He developed an Autonomous Underwater Vehicle (AUV) which uses a buoyancy engine rather than propellers as its propulsion mechanism and made the entire project Open Source and Open Hardware.

Security: Linux, Free Software Principles, Microsoft and Intel

  • Some 'security people are f*cking morons' says Linus Torvalds
    Linux overlord Linus Torvalds has offered some very choice words about different approaches to security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel. Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, whom he has previously accused of idiocy. Cook earned this round of shoutiness after he posted a request to “Please pull these hardened usercopy changes for v4.15-rc1.”
  • Free Software Principles
    Ten thousand dollars is more than $3,000, so the motives don't add up for me. Hutchins may or may not have written some code, and that code may or may not have been used to commit a crime. Tech-literate people, such as the readers of Linux Magazine, understand the difference between creating a work and using it to commit a crime, but most of the media coverage – in the UK, at least – has been desperate to follow the paradigm of building a man up only to gleefully knock him down. Even his achievement of stopping WannaCry is decried as "accidental," a word full of self-deprecating charm when used by Hutchins, but which simply sounds malicious in the hands of the Daily Mail and The Telegraph.
  • New warning over back door in Linux
    Researchers working at Russian cyber security firm Dr Web claim to have found a new vulnerability that enables remote attackers to crack Linux installations virtually unnoticed. According to the anti-malware company, cyber criminals are getting into the popular open-source operating system via a new backdoor. This, they say, is "indirect evidence" that cyber criminals are showing an increasing interest in targeting Linux and the applications it powers. The trojan, which it's calling Linux.BackDoor.Hook.1, targets the library libz primarily. It offers compression and extraction capabilities for a plethora of Linux-based programmes.
  • IN CHATLOGS, CELEBRATED HACKER AND ACTIVIST CONFESSES COUNTLESS SEXUAL ASSAULTS
  • Bipartisan Harvard panel recommends hacking [sic] safeguards for elections

    The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.

  • Intel Chip Flaws Leave Millions of Devices Exposed

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.