Language Selection

English French German Italian Portuguese Spanish

Security

Security: Skype is Malware, Facebook Harvests Data and More on the Latest Massive Breach (Admission Late on a Friday)

Filed under
Security

Security: Cybersecurity Research, Oracle Improves Security, Hype Over Linux Kernel Bug, Singhealth Crack

Filed under
Security
  • Cybersecurity Research Shows Risks Continue to Rise [Ed: Sean Michael Kerner says that cybersecurity market will grow, according to the cybersecurity market]
  • Oracle Improves Security, Performance in Java 11
  • Another Linux Kernel Bug Surfaces, Allowing Root Access [Ed: Far less severe than back doors like Microsoft Windows back doors, which can be remotely exploited without even a local account on the target machine]

    A high-severity cache invalidation bug in the Linux kernel has been uncovered, which could allow an attacker to gain root privileges on the targeted system.

  • Not allowed to code? Really?

    Lots of interesting, but not surprising, information is being made public about the Singhealth data breach.

    The Commitee of Inquiry has been told that there was an IHIS employee who found a bug in the Allscripts “Sunrise Clinic Manager” EMR in 2014 who then made the loophole known to a rival of Allscripts, Epic Systems Corporation. Both of these vendors products are closed, proprietary and, IMHO, unnecessarily and excessively expensive products.

    [...]

    If a bug is reported – whether it is a “the button is of the wrong shape” or “this option dumps out the entire database”, assuming that proprietary vendors have a bug reporting process – nope, they don’t – then things can be moved along without too much excitement. All software have bugs. If a vendor (open or closed) does not offer a way to report bugs, you have to demand that there is a way to do it. Red Hat has both bugzilla.redhat.com and access.redhat.com to submit bug reports on all of the open source projects and open source products (go here for an understanding of the differences between open source projects and an open source products) that Red Hat is involved in and makes available to paying customers (access.redhat.com).

    Maybe there is a some place at Allscripts and at Epic Systems that one can file bug reports, but it is not immediately evident.

Security: Election Security Woes, UEFI Rootkits and at Least 50 Million Facebook Useds [sic] Affected by Breach

Filed under
Security
  • Defcon Voting Village report shows that hacking voting machines takes less time than voting

    Whether it's showing that "secure" firmware can be dumped with a $15 electronic component or that voting systems can be hacked in minutes, the Voting Village researchers do yeoman duty, compiling comprehensive reports on the dismal state of America's voting machines, nearly 20 years after Bush v Gore put the country on notice about the defective systems behind our elections.

  • Election Security Remains Just as Vulnerable as in 2016

    The ability to vote for local, state, and federal representatives is the cornerstone of democracy in America. With mid-term congressional elections looming in early November, many voices have raised concerns that the voting infrastructure used by states across the Union might be suspect, unreliable, or potentially vulnerable to attacks. As Congress considers measures critical to consumer rights and the functioning of technology (net neutrality, data privacy, biometric identification, and surveillance), ensuring the integrity of elections has emerged as a matter of crucial importance.

    With mid-term elections in just two months, Secretaries of State should be pressed to do their jobs and increase security before voters cast their ballots.

    On the one hand, the right to vote may not be guaranteed for many people across the country. Historically, access to the ballot has been hard fought, from the Revolution and the Civil War to the movement for civil rights that compelled the Voting Rights Act (VRA). But recent restrictions on voting rights that have proliferated since the Supreme Court struck down the VRA’s pre-clearance provisions in 2013. Coupled with procedural impediments to voting, unresolved problems continue to plague the security of the technology that many voting precincts use in elections. With mid-term elections in just two months, Secretaries of State should be pressed to do their jobs and increase security before voters cast their ballots.

  • Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

    Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

    Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

  • First-ever UEFI Rootkit Spotted in the Wild

    UEFI is an overly complex replacement for BIOS, and is often conflated with one of its payloads, Restricted Boot aka Secure Boot.

  • Did You Get Logged Out of Facebook? It’s Because 50 Million People Got Hacked

Tomb – A File Encryption and Personal Backup Tool for Linux

Filed under
Software
Security

Tomb is a free open source, small, powerful and simple tool for encrypting files on GNU/Linux. At the time of this writing, it comprises of a shell script (zsh) using generic filesystem GNU tools and the Linux kernel crypto API (cryptsetup and LUKS).

It also employs various GNU/Linux tools such as steghide, lsof, mlocate, resizefs, dcfld and many more, to extend its functionality.

Tomb is used to create secure backups of secret or personal files in encrypted, password-protected directories called tombs. These directories can only be opened using their associated keyfiles and passwords.

After creating a tomb, you can store its key files separately, for example your tomb file can exist on a remote server while the key file is on your laptop or desktop at home or in office. If the tomb file is on your laptop or desktop, you can hide it within the filesystem or as a more secure option, store the key in a USB drive.

Read more

Facebook Cracked

Filed under
Security
  • Facebook Hacked [sic], 50 Million Users Affected

    "The vulnerability itself was the result of three distinct bugs and was introduced in July 2017," Rosen told reporters in a press call. "It’s important to say—the attackers could use the account as if they were the account holder."

  • Facebook confirms major security breach affecting 50 million users

    And it waited until 6 pm on Friday to tell everyone about it

  • The Facebook Security Meltdown Exposes Way More Sites Than Facebook
  • Facebook Says Breach Affected About 50 Million Accounts

    There was a loophole in Facebook’s code for a feature called "View As" that let people see what their account looks like to someone else. The vulnerability allowed hackers [sic] to steal access tokens -- digital keys that keep people logged into Facebook so they don’t need to re-enter passwords. Once logged in, the attackers could take control.

  • Facebook says nearly 50m users compromised in huge security breach

    Articles about the data breach by the Guardian and the Associated Press were temporarily flagged as spam on Facebook, preventing users from sharing news of the attack on their profiles. The company attributed the error to its “automated systems” and apologized, but did not provide further explanation.

  • Everything We Know About Facebook's Massive Security Breach

    Facebook has yet to identify the hackers [sic], or where they may have originated. “We may never know,” Guy Rosen, Facebook’s vice president of product, said on a call with reporters Friday. The company is now working with the Federal Bureau of Investigations to identify the attackers. A Taiwanese hacker named Chang Chi-yuan had earlier this week promised to live-stream the deletion of Mark Zuckerberg's Facebook account, but Rosen said Facebook was "not aware that that person was related to this attack."

  • Facebook is Using Your Phone Number to Target Ads and You Can’t Stop It

    Tech publications are screaming today that giving Facebook your phone number for 2FA allows them to target you for ads. But this misses a bigger point: Facebook is using your phone number to target ads whether you give it to them willingly or not.

    In fact, the problem gets much worse. Researchers have been able to prove that Facebook allows personally identifiable information, like your phone number, to be used to target you based on shadow profiles of information that they build—profiles that you cannot see and have no control over.

Security: Updates, Facebook 'Security', Voting 'Security' and Windows Back Doors (Fake 'Security')

Filed under
Security
  • Security updates for Friday
  • Facebook's been caught using their customers' 2FA information to spam them with text ads

    Just when you thought that Facebook couldn't get any more greasy, they have outdone themselves in a manner that places them well beyond even the most succulent of French Chef finger-kisses: the phone numbers that many folks gave them in order to activate the service's two-factor authentication protection? Zuckerberg and his crew are using it to serve up advertisements to unsuspecting users.

  • Yes Facebook is using your 2FA phone number to target you with ads

    Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

    Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

  • Hacker [sic] to Live-Stream Attack on Zuckerberg’s Facebook Page

    Self-professed bug bounty-hunter Chang Chi-yuan, who ferrets out software flaws in return for cash, says he’ll live-stream an endeavor to delete the billionaire’s account at 6 p.m. local time from his own Facebook page. He didn’t get into details or respond to an online query.

  • Defcon Voting Village report: bug in one system could “flip Electoral College”

    Today, six prominent information-security experts who took part in DEF CON's Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. "Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," the authors of the report warned.

  • NSA Tools Used to Unleash Crypto Mining Malware by Hackers [Ed: More suitable headline would be, "Microsoft back doors Used to Unleash Crypto Mining Malware by Hackers"]

    Hackers are now using software developed by the US National Security Agency (NSA) to illicitly mine cryptocurrencies. According to a recent report released by the Cyber Threat Alliance (CTA), compiled by a collective of cyber-security experts from McAfee, Cisco Talos, NTT Security, Rapid7 and Sophos, among others, crypto mining malware detections have jumped to over 400 percent within the past one and a half years.

    Malicious actors are hijacking computer processor resources via internet network infrastructure intrusions, and computer hacks, among other means. One of the more worrying trends is the use of an NSA exploit leaked early last year by Shadow Brokers dubbed EternalBlue.

Security: Torii Botnet, GrammaTech, and 'Mutagen Astronomy'

Filed under
Security

Security: UEFI, Apple and Linux

Filed under
Security
  • LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

    UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.

  • 16-Year-Old Who Hacked Apple Servers Repeatedly Evades Prison

    A 16-year-old Australian teenager who repeatedly hacked Apple servers over a period of two years has evaded jail. He is set to serve a probation period of 8 months.

  • Apple’s Device Enrollment Program Has A Security Flaw; Allows Hackers To Steal Company Passwords

    Researchers have found a security flaw in Apple’s Device Enrollment Program (DEP) that can allow an attacker to gain complete access to a corporate or school network.

  • MDM Me Maybe: Device Enrollment Program Security

    The Device Enrollment Program (DEP) is a service provided by Apple for bootstrapping Mobile Device Management (MDM) enrollment of iOS, macOS, and tvOS devices. DEP hosts an internet-facing API at https://iprofiles.apple.com, which - among other things - is used by the cloudconfigurationd daemon on macOS systems to request DEP Activation Records and query whether a given device is registered in DEP.

    In our research, we found that in order to retrieve the DEP profile for an Apple device, the DEP service only requires the device serial number to be supplied to an undocumented DEP API. Additionally, we developed a method to instrument the cloudconfigurationd daemon to inject Apple device serial numbers of our choosing into the request sent to the DEP API. This allowed us to retrieve data specific to the device associated with the supplied serial number.

  • ARMv8.5-A Support Being Prepped To Battle Spectre-Style Vulnerabilities

    Earlier this month Arm began publishing details of the ARMv8.5-A instruction set update, which is expected to be officially documented and released by the end of Q1'2019, while the LLVM compiler stack has already received initial support for the interesting additions.

    Landing yesterday in LLVM Git/SVN is the new ARMv8.5-A target while hitting the tree today is the more interesting work.

Security: Canonical, Updates, PKCS, Uber Payout

Filed under
Security
  • Canonical’s Current Security Certifications

    Canonical has entered the security certifications space by achieving a few important security certifications for the first time on Ubuntu.

    Canonical has achieved FIPS 140-2 Level 1 certification for several cryptographic modules on Ubuntu 16.04. Canonical has also achieved Common Criteria EAL2 certification for Ubuntu 16.04. In addition, Defense Information System Agency (DISA) has published Ubuntu 16.04 Security Technical Implementation Guide (STIG) allowing Ubuntu for use by Federal agencies. Center for Internet Security (CIS) has also been publishing benchmarks for Ubuntu which hardens the configuration of Ubuntu systems to make them more secure.

    Canonical has made its security certification offerings available to all Ubuntu Advantage “Server Advanced” customers.

  • Security updates for Thursday
  • Evidence for the Security of PKCS #1 Digital Signatures

    I don't think the protocol is "provably secure," meaning that it cannot have any vulnerabilities. What this paper demonstrates is that there are no vulnerabilities under the model of the proof. And, more importantly, that PKCS #1 v1.5 is as secure as any of its successors like RSA-PSS and RSA Full-Domain.

  • Uber will pay $148 million for 2016 data breach coverup

    The money will be disbursed among all 50 US states as well as Washington, DC.

Linux (Kernel) Security Scares

Filed under
Linux
Security
  • Critical Linux Kernel Flaw Gives Root Access to Attackers [Ed: Somewhat misleading headline as being an "attacker" isn't enough to pose a threat at all; one needs to already have privileged account on the system. Privilege escalation attacks rely on chaining of holes, where one flaw need to be severe enough for remote access unless you foolishly give accounts to your foes (clients you typically have personal details of, which is enough for deterrence).]

    Multiple Linux distributions including all current versions of Red Hat Enterprise Linux and CentOS contain a newly discovered bug that gives attackers a way to obtain full root access on vulnerable systems.

    The integer overflow flaw (CVE-2018-14634)exists in a critical Linux kernel function for memory management and allows attackers with unprivileged local access to a system to escalate their privileges. Researchers from security vendor Qualys discovered the issue and have developed a proof of concept exploit.

  • Google Project Zero to Linux distros: Your sluggish kernel patching puts users at risk [Ed: Well, at least Linux actually patches (works around) Intel's hardware defects. NSA and Microsoft sit on known BACK DOORS. Until the tools that exploit these leak out of the NSA, shutting down HOSPITALS!]

    Jann Horn, the Google Project Zero researcher who discovered the Meltdown and Spectre CPU flaws, has a few words for maintainers of Ubuntu and Debian: raise your game on merging kernel security fixes, you're leaving users exposed for weeks.

Syndicate content

More in Tux Machines

Windows 10 October 2018 Update Performance Against Ubuntu 18.10, Fedora 29

As the latest of our benchmarks using the newly re-released Microsoft Windows 10 October 2018 Update, here are benchmarks of this latest Windows 10 build against seven different Linux distributions on the same hardware for checking out the current performance of these operating systems. For this latest Linux OS benchmarking comparison against Windows, the following platforms were tested: - The Windows 10 April 2018 release as the previous major milestone of Windows 10. - The newest Windows 10 October 2018 build as the latest Windows 10 build from Microsoft. - OpenSUSE Tumbleweed as the openSUSE rolling-release distribution that as of testing was on the Linux 4.18.12 kernel, KDE Plasma 5.14, Mesa 18.1.7, and GCC 8.2.1 atop an XFS home file-system with Btrfs root file-system (the default partitioning scheme). Read more

Android Leftovers

Release of KDE Frameworks 5.51.0

KDE Frameworks are 70 addon libraries to Qt which provide a wide variety of commonly needed functionality in mature, peer reviewed and well tested libraries with friendly licensing terms. For an introduction see the Frameworks 5.0 release announcement. This release is part of a series of planned monthly releases making improvements available to developers in a quick and predictable manner. Read more Also: KDE Frameworks 5.51 Released

Linux 4.19-rc8

As mentioned last week, here's a -rc8 release as it seems needed. There were a lot of "little" pull requests this week, semi-normal for this late in the cycle, but a lot of them were "fix up the previous fix I just sent" which implies that people are having a few issues still. I also know of at least one "bad" bug that finally has a proposed fix, so that should hopefully get merged this week. And there are some outstanding USB fixes I know of that have not yet landed in the tree (I blame me for that...) Anyway, the full shortlog is below, lots of tiny things all over the tree. Please go and test and ensure that all works well for you. Hopefully this should be the last -rc release. Read more Also: Linux 4.19-rc8 Released With A Lot Of "Tiny Things"