Language Selection

English French German Italian Portuguese Spanish

Security

Security: 'Rich' E-mail, BlackBerry, and D-Link

Submitted by Roy Schestowitz on Tuesday 12th of September 2017 10:11:21 AM Filed under
Security
  • The only safe email is text-only email

    The real issue is that today’s web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It’s not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way.

  • BlackBerry admits: We could do better at patching

    BlackBerry has confirmed that its first Android device, the Priv, will be stuck on Google's 2015 operating system forevermore, which Google itself will cease supporting next year.

    Having been promised "the most secure Android", BlackBerry loyalists have seen the promise of monthly security updates stutter recently, with distribution of the monthlies getting patchy (no pun intended).

  • Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers

    Peeved about previous vulnerability disclosures experiences with D-Link, a security researcher has publicly disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers.

    Security researcher Pierre Kim opted to publicly disclose the vulnerabilities this time, citing a “very badly coordinated” disclosure with D-Link in February. That time around he had reported nine vulnerabilities, but he said it took D-Link five months to release new firmware that ended up patching only one of the flaws he found.

»

A look at TAILS – Privacy oriented GNU/Linux Distribution

Submitted by Roy Schestowitz on Tuesday 12th of September 2017 10:05:48 AM Filed under
Reviews
Security
Debian

The Amensic Incognito Live System, is a Debian based distribution that routes all internet traffic through the TOR network, and leaves no trace of its existence or anything done on the system when the machine is shut down. The obvious aim in this, is to aid in keeping the user anonymous and private. Tails is not installed to a users computer, but instead is run strictly as a LiveUSB / LiveDVD.

TAILS does not utilize the host machines Hard Disk at all, and is loaded entirely into RAM. When a machine is shut down, the data that is stored in RAM disappears over the course of a few minutes, essentially leaving no trace of whatever had been done. Granted, there is a method of attack known as a Cold Boot Attack, where data is extracted from RAM before it has had a chance to disappear, but TAILS has you covered on that front too; the TAILS website says,

“To prevent this attack, the data in RAM is overwritten by random data when shutting down Tails. This erases all traces from your session on that computer.”

Read more

»

Security: Equifax Blame Game and Germany's Election Software

Submitted by Roy Schestowitz on Monday 11th of September 2017 03:56:58 PM Filed under
Security
»

Security: Minnesota, Equifax, Virginia, Kaspersky, F-35

Submitted by Roy Schestowitz on Monday 11th of September 2017 10:13:47 AM Filed under
Security
»

The Apache Software Foundation Blog: Apache Struts Statement on Equifax Security Breach (and More)

Submitted by Roy Schestowitz on Saturday 9th of September 2017 05:21:39 PM Filed under
Security
»

Security: Microsoft Won't Patch, Kaspersky Responds, EU Cyberwar Games

Submitted by Roy Schestowitz on Saturday 9th of September 2017 05:09:45 PM Filed under
Security
  • Microsoft won't patch Edge XSS vulnerability

     

    The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

  • Microsoft shrugs off Windows kernel bug that can block malware detection

     

    "After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000."

    [...]

     

    "We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year. They did not deem it as a security issue.

  • Kaspersky: Ex-NSA infosec expert asks FBI to put up or shut up

     

    Former NSA employee and information security expert Jake Williams has told the FBI to either provide proof to the public that Kaspersky Lab products are unsafe for use or keep mum.

  • EU hosts its first cyber war games

     

    "The goal of the exercise is to highlight a number of strategic concerns and topics that arise in connection with any hypothetical cyber crisis. This exercise should serve as a forum for discussion at ministerial level and provide strategic guidance to address future crises," it said.

  • Cyber alert: EU ministers test responses in first computer war game [iophk: "blanket ban Microsoft in the EU"]

     

    After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers {sic} from shutting down more critical infrastructure or crippling corporate and government networks.  

»

Security: Equifax Fiasco Deepening, Apache STRUTS Blamed

Submitted by Roy Schestowitz on Saturday 9th of September 2017 10:41:18 AM Filed under
Security
  • Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

    Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

    First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

  • Breach at Equifax May Impact 143M Americans
  • Equifax blames giant breach on vendor software flaw

    “My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post.

  • The hackers who broke into Equifax exploited a flaw in open-source server software

    The credit reporting agency Equifax announced on Sept. 7 that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, “exploited a U.S. website application vulnerability to gain access to certain files.”

  • Apache Struts vulnerability affects versions since 2008

    A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild and a patch was released, users urged to update software immediately.

    [...]

    Man Yue Mo, researcher at the open source software project LGTM.com run by software analytics firm Semmle, Inc., headquartered in San Francisco, disclosed the remotely executable Apache Struts vulnerability, which he said was "a result of unsafe deserialization in Java" and could lead to arbitrary code execution. Mo originally disclosed the issue to Apache on July 17, 2017.  

  • So, Equifax says your data was hacked—now what?

    Yesterday, the credit reporting agency Equifax revealed that the personal data of 143 million US consumers, as well as "limited personal information for certain UK and Canadian residents," was exposed by an attack exploiting security flaws in the company's website. Social Security numbers, dates of birth, addresses, and some drivers license numbers were all exposed—information which could be used to pose as individuals to gain access to financial accounts, open new ones in their names, or file fraudulent tax returns.

  • Are you an Equifax breach victim? You could give up right to sue to find out [Updated]

    By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

    The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

  • Equifax won’t bar consumers from joining lawsuits related to breach

    Equifax announced on Friday it will not stop consumers from moving to join a class action lawsuit against the company, which suffered a severe breach on Thursday when hackers gained action to personal information belonging to 143 million people. 

    The firm's was forced to clarify its terms of service after it faced backlash when it appeared that in order to receive credit protection, consumers affected by the breach would have to give up their right to join a lawsuit over the hack. 

»

Security: Equifax, The Shadow Brokers, Microsoft Does Not Care About Security

Submitted by Roy Schestowitz on Saturday 9th of September 2017 04:37:56 AM Filed under
Security
  • Equifax Is Proving Why Forced Arbitration Clauses Ought to Be Banned, Just Like the CFPB Wants to Do

    Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.

    Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.

  • Equifax and Correlatable Identifiers

    The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where the money is."

    So long as we insist on creating huge honeypots of valuable data, hackers will continue to target them. And since no security is perfect, they will eventually succeed. Computer security is difficult because computer systems are non-linear—small errors can result in huge losses. This makes failure points difficult to detect. These failure points are not usually obvious. But hackers have a lot of motivation to find them when the prize is so large.

  • TheShadowBrokers group returns with NSA UNITEDRAKE hacking malware and promises more leaks

    UNITEDRAKE is a remote access hacking tool that can be used to target Windows machines. Modular in nature, the malware can be expanded through the use of plugins to increase its capabilities so it can capture footage from webcams, tap into microphones, capture keystrokes, and more.

  • The Shadow Brokers Unveil United Rake Toolkit and Double Monthly NSA Dump Frequency

    Most people have come to know The Shadow Brokers as a hacker collective that successfully infiltrated the NSA and took some of its goodies. Over the past year or so, we have seen most of these exploits released to the public. More powerful tools remain part of the collective’s monthly subscription service, which has been operational for nearly three months now. If certain tools could earn them money, they would much rather take that option.

    There were some interesting recent changes made by The Shadow Brokers. Instead of doing just one dump of exploits each month, they are shifting things into a higher gear. There will now be two dumps per month, which can still only be paid in ZCash. Their PDF file clearly states that they have no interest in Monero, which is pretty interesting. All of the previously issued dumps are now available for purchase as well, should someone want to see what those are all about.

    The August software is called United Rake, and it is quite a powerful tool. It is a “fully extensible remote collection system.” As one would come to expect, it is designed for the world’s most popular operating system, which is still Microsoft Windows. As is the case with every exploit unveiled by The Shadow Brokers, the release comes with its own detailed manual, allegedly created by and distributed to NSA staffers at some point.

  • Microsoft won't patch Edge browser content security bypass

    Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?

    Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".

  • Bug in Windows Kernel Could Prevent Security Software From Identifying Malware
  • Bug In Windows Kernel Could Prevent Security Software From Identifying Malware

    "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.

»

Security: Updates, Election, Lenovo and Equifax

Submitted by Roy Schestowitz on Friday 8th of September 2017 06:13:30 PM Filed under
Security
  • Security updates for Thursday
  • Security updates for Friday
  • Software to capture votes in upcoming national election is insecure

    The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

    „Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.

  • The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

    You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

  • Equifax website hack exposes data for ~143 million US consumers

    Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

    The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.

  • Why the Equifax breach is very possibly the worst leak of personal info ever

    It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

»

Security: GPG Keysigning Protocol, Reproducible Builds, Struts and Android

Submitted by Roy Schestowitz on Friday 8th of September 2017 12:05:41 AM Filed under
Security
  • GPG Keysigning Protocol

    With Randa approaching, I’ll be meeting some KDE people, some for the first time. So it’s time for another GPG keysigning! The usual approach to a GPG keysigning is to have Harald organise it, that ensures a maximum amount of abiding-by-rules. But .. he’s not going to be there, this year. So this post is a random bit of throw-information-out-there about how typical KDE event keysignings work, and an annoucement of my own protocol in handling keysinging.

  • Reproducible Builds: Weekly report #123
  • 'Critical' RCE vulnerability found in open-source Struts framework
  • Boffins hijack bootloaders for fun and games on Android

    The team of nine researchers decided to look at a little-studied aspect Android architecture – the interaction between OS and chip at power-up. To get inside that operation, they built a tool dubbed “BootStomp” “designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features”.

»
Syndicate content

More in Tux Machines

Tizen 3.0 and Home Spying Appliances

Vulkan FOSS Adoptions

  • SDL 2.0.6 released, introduces Vulkan support
    The cross-platform development library has seen the release of its latest version. Quite a few exciting changes this time around, including support for Vulkan and more types of gamepads. SDL [Official Site] is something that has been used in quite a diverse array of projects and plenty of game ports that have made their way to Linux have taken advantage of it. The latest release has its fair share of general improvements but most noticeable is the implementation of Vulkan support. This hopefully will make it easier for developers to take advantage of the Vulkan API and help it gain more traction.
  • X.Org Foundation Has Become A Khronos Adopter
    The X.Org Foundation board announced during this week's XDC2017 summit that they have officially completed the paperwork to become a Khronos adopter. The X.Org Foundation is now considered a pro-bono adopter for The Khronos Group so that the community-based open-source drivers targeting Khronos APIs for conformance can submit conformance test results and become a certified implementation.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed
    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”
  • Joomla patches eight-year-old critical CMS bug
    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains. This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin. Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS. Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.
  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

OpenSUSE fonts – The sleeping beauty guide

Pandora’s box of fonts is one of the many ailments of the distro world. As long as we do not have standards, and some rather strict ones at that, we will continue to suffer from bad fonts, bad contrast, bad ergonomics, and in general, settings that are not designed for sustained, prolonged use. It’s a shame, because humans actually use computers to interface with information, to READ text and interpret knowledge using the power of language. It’s the most critical element of the whole thing. OpenSUSE under-delivers on two fonts – anti-aliasing and hinting options that are less than ideal, and then it lacks the necessary font libraries to make a relevant, modern and pleasing desktop for general use. All of this can be easily solved if there’s more attention, love and passion for the end product. After all, don’t you want people to be spending a lot of time interacting, using and enjoying the distro? Hopefully, one day, all this will be ancient history. We will be able to choose any which system and never worry or wonder how our experience is going to be impacted by the choice of drivers, monitors, software frameworks, or even where we live. For the time being, if you intend on using openSUSE, this little guide should help you achieve a better, smoother, higher-quality rendering of fonts on the screen, allowing you to enjoy the truly neat Plasma desktop to the fullest. Oh, in the openSUSE review, I promised we would handle this, and handle it we did! Take care. Read more

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6