Language Selection

English French German Italian Portuguese Spanish

Security

Security: Marriott, Email Security & Privacy, Microsoft's VBScript and Spectre v2

Filed under
Security
  • Hackers access data of half a billion guests at Marriott hotels

    The personal data of half a billion guests of upmarket hotels belonging to Marriott International was illegally accessed by hackers over four years.

    Experts estimate that more than a million British customers could be affected by the breach of the booking system of the group’s Starwood division, which owns hotels including the Sheraton Grand Park Lane and Le Méridien Piccadilly in London.

  • Email Security & Privacy

    If you want to learn more about the topic, you can take a look at the slides I used and do some research of your own. If something seems wrong please let me know in the comments below so that we all can benefit. You can also access (I think?) the speaker notes for more context behind the content on the slides.

    If you are pressed for time, skip to the last slide to learn about some interesting attacks. One of them makes use of Cyrillic script. If you haven’t heard of Cyrillic script before you would love that slide.

  • Out-of-Bounds Vulnerability In Microsoft VBScript Can Cause Internet Explorer To Crash

    Microsoft VBScript is actually an active scripting language modeled on Visual Basic. It’s very similar to visual basic and can be used to create a server-side scripting environment for creating dynamic web pages which use VBScript or JavaScript.

  • Spectre v2 mitigation causes significant slowdown on Linux 4.20

    One of Intel's mitigations for a variant of the Spectre vulnerability will reportedly significantly slow down performance of the latest Linux kernel.

    The mitigation, called Single Thread Indirect Branch Predictors (STIBP), was put in place by Intel earlier this year when the Spectre vulnerability and its variants were first publicly disclosed. Intel proposed two other mitigations to this particular version -- Spectre variant 2, tracked as CVE-2017-5715 -- but this one, it turns out, would have a negative effect on Linux 4.20.

    If Linux 4.20 is run with Intel chips that implemented the STIBP mitigation for Spectre v2, performance could drop 30% to 50%, depending on the application.

Reworked STIBP Code Lands In Linux 4.20 To Fix The Performance

Filed under
Linux
Security

The big Linux 4.20 performance slowdown is now corrected by tonight's Linux 4.20 Git code while still providing reasonable security for cross-hyperthread Spectre V2 mitigation.

Spectre/Meltdown kernel patch wrangler Thomas Gleixner sent in his patch series this afternoon with a subject line of "Cure the STIBP fallout" and started the message with, "The performance destruction department finally got it's act together and came up with a cure for the STIPB regression." That cure is the reworked code around "Single Thread Indirect Branch Predictors."

Rather than enabling STIBP for all processes, which had been done at the start of the Linux 4.20 kernel merge window and was a wreck for performance across many workloads as Phoronix was first to shine the light on this problem, by default it now just applies STIBP to processes opting into that functionality via the prctl interface and additionally for sandboxed processes by means of SECCOMP.

Read more

Security: New Flaws, Technological Independence and Microsoft's Inability to Patch

Filed under
Security
  • IT Security Vulnerability Roundup – November 2018
  • Russia’s largest bank just launched a state-of-the-art coding school to ease dependence on Western tech

    Sberbank, which is currently under U.S. sanctions and whose CEO has ties to Trump, launched School 21 in Moscow last week.

  • Microsoft Has a Huge Problem Dealing with Critical Bugs in Its Software [Ed: Even Microsoft's booster Bogdan Popa isn't happy]

    The way Microsoft handles user feedback is a topic that has made the rounds for too many times lately, mostly after the fiasco that Windows 10 version 1809 proved to be.
    In just a few words, Microsoft released Windows 10 version 1809 on October 2 after the company decided to skip the Release Preview ring in the Windows Insider program, essentially bringing the OS update to devices worldwide without getting it through the final testing stage.

    As it turns out, this wasn’t really the best thing to do, as the October update came with a critical bug that removed the user files stored in the Documents folder on some PCs.

    Microsoft eventually decided to pull the update a few days later in order to develop a fix, and this time, it shipped the updated builds to both the Slow and Release Preview rings.

    While software bugs are something we can’t avoid, the worst thing about this whole saga is that insiders reported the data removal issue several months before the October update received the go-ahead for production devices.

Security: Dell, Marriott, Security Updates

Filed under
Security
  • Dell forces password reset on customers after cyber attack but tells them five whole days later

    Apparently, the [intruders] were after customer names, email addresses and passwords, but Dell explained to Reuters that there were no regulatory or legal requirements for it to notify its customers about why they were being forced to change their passwords.

  • Dell.com resets all customer passwords after cyber attack: statement

    The breach occurred as companies come under increasing scrutiny from regulators worldwide to provide quick and accurate disclosure of customer data theft. The European Union implemented strict new privacy regulations in May that punish violators with fines of up to 20 million euros ($23 million), or 4 percent of global revenue, whichever is higher.

  • Marriott Security Breach Exposed Data of Up to 500M Guests

    A security breach inside the Marriott hotel empire compromised the information of as many as 500 million guests worldwide, exposing their credit card numbers, passport numbers and birth dates for as long as four years, the company said Friday.

    [...]

    For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be Starwood Preferred Guest account information, date of birth, gender, arrival and departure times and reservation dates.

    Credit card numbers and expiration dates of some guests may have been taken, according to the company.

    “We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

    It isn’t common for passport numbers to be part of a hack, but it is not unheard of. Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers’ information had been breached, including passport numbers.

  • This is big!! – 500 Million Marriott Guest Records Stolen

    The world’s biggest hotel chain Marriott International today disclosed that unknown hackers compromised guest reservation database its subsidiary Starwood hotels and walked away with personal details of about 500 million guests.

    Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

  • Security updates for Friday

Security: FSB and NSA in Linux, HTTPS is Not Enough, Microsoft Back Doors and Exploits (e.g. WannaCry), 5G China Scare

Filed under
Security
  • Linux 4.21 Positioned To Pickup Streebog Crypto Support Developed By Russia's FSB

    In addition to Linux 4.21 set to land Adiantum as the crypto algorithm backed by Google following the company's falling out with the NSA's Speck crypto for low-end data encryption, Streebog is also set to be introduced as a cryptographic hash function developed in large part by the Russian government.

    The Linux kernel patches introducing the Streebog code were posted back in October for review. Those patches were spearheaded by a developer from Russia's ALT Linux distribution. Those patches are now queued into the crypto subsystem's development branch ahead of the Linux 4.21 kernel.

  • HTTPS Is Almost Everywhere. So Why Isn’t the Internet Secure Now?

    Chrome used to display the word “Secure” and a green padlock in the address bar when you were visiting a website using HTTPS. Modern versions of Chrome simple have a little gray lock icon here, without the word “Secure.”

    That’s partly because HTTPS is now considered the new baseline standard. Everything should be secure by default, so Chrome only warns you that a connection is “Not Secure” when you’re accessing a site over an HTTP connection.

    However, the word “Secure” is also gone because it was a little misleading. It sounds like Chrome is vouching for the contents of the site as if everything on this page is “secure.” But that’s not true at all. A “secure” HTTPS site could be filled with malware or be a fake phishing site.

  • WannaCry: One year later, is the world ready for another major attack? [Ed: Somehow that neglects to mention that this was largely the result of a collusion involving Microsoft and the NSA]
  • UK gov report to raise fresh security concerns over Huawei's 5G kit

Security: Dakota Access Pipeline, NSA Back Doors and Updated AMD Zen CPU Microcode

Filed under
Security
  • Hackers Stole Nearly Quarter Million Dollars Our Revolution Raised for Standing Rock Protests

    The money stolen from the compromised account had been raised for the Standing Rock Sioux Native American tribe, which was at the time fighting vigorously to stop the construction of the Dakota Access Pipeline.

    Lucy Flores, a former Our Revolution board member, told Politico that the organization still gave the tribe the $242,924 it had raised on its behalf, though it was forced to dip into other funds to do so.

    "We'd done fundraising specifically on behalf of the tribe, and to have that money just be gone and never reach its intended purpose was unacceptable," Flores said. "So we decided to give them the money that was raised and take the loss as an organization."

  • Remember Those Leaked NSA Tools? Hackers Are Still Using Them To Hijack Computers

    When UPnProxy attack was first spotted, about 3.5 million devices were vulnerable to the attack. Months later, Akamai reported that 277,000 remained vulnerable. As per the latest development, about 45,000 of these systems have already been compromised.

    [...]

    The security researchers are calling the newly discovered implementation Eternal Silence. This is because the attack uses the already popular EternalBlue (affecting Windows devices) and EternalRed (affecting Linux devices) exploits; they also found ‘galleta silenciosa’ or ‘silent cookie/cracker’ in Spanish written in the description field on the affected routers.

  • Mass Router Hack Exposes Millions of Devices to Potent NSA Exploit

    More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.

  • Updated AMD Zen CPU Microcode Posted

    AMD has just dropped a new Family 17h "Zen" microcode file for Linux users.

    Just posted to the kernel mailing list is the latest CPU microcode file for Family 17h. Unfortunately there is no change-log/notes and obviously with it being binary-only there isn't anything to glean by itself.

Security: Updates, Crackers and Huawei

Filed under
Security

Latest Security Issues and Breaches

Filed under
Security
  • Multiple vulnerabilities in FreeBSD NFS server code

    FreeBSD is a free and open source operating system. The NFS (Network File System) is a server and client application that turn FreeBSD into a file sharing server. Users can upload or update files on a remote NFS server. NFS is standard on NAS (network attached storage) devices or sharing data for web servers. A new bug found in NFS server code which could allow a remote attacker to crash the NFS server, resulting in a denial of service (DoS) attack. Another possibility is to execute arbitrary code on the server.

  • Cybersecurity Threats Keep Evolving, Research Shows

    Cybersecurity industry research is a great way to stay on top of the latest threats -- and the controls that can keep those vulnerabilities from affecting your organization. Research released in November 2018 spanned the gamut of IT risk concerns, including identity, application containers, vulnerability disclosures, and the global threat landscape itself. Here are key takeaways from 11 reports released this month, along with cyber defenses organizations should consider implementing.

  • Security updates for Wednesday
  • “New Tech” From DriveSavers Unlocks Locked iPhones With 100% Success Rate

    DriveSavers’s website strictly says that they do not offer their “passcode lockout data recovery” service to law enforcement agencies and it is meant only for the owners of the locked devices.

  • Daniel Lange: Security is hard, open source security unnecessarily harder

    Now it is a commonplace that security is hard. It involves advanced mathematics and a single, tiny mistake or omission in implementation can spoil everything.

    And the only sane IT security can be open source security. Because you need to assess the algorithms and their implementation and you need to be able to completely verify the implementation. You simply can't if you don't have the code and can compile it yourself to produce a trusted (ideally reproducible) build. A no-brainer for everybody in the field.

    But we make it unbelievably hard for people to use security tools. Because these have grown over decades fostered by highly intelligent people with no interest in UX.
    "It was hard to write, so it should be hard to use as well."
    And then complain about adoption.

  • NSA Leaked Tool Used to Exploit Computers, UPnProxy Vulnerability Surfaces

    IT has been over a year since The National Security Agency (NSA) hacking tool was leaked online but its aftermath is coming back to haunt everyone again. Security agency Akamai has warned everyone that the UPnProxy vulnerability can now target your personal computers that are still prone to hacks and other cyber attacks.

    When the NSA was hacked, there were patches released over the time in order to counter the exploits that were being done, but now it looks as if the security vulnerability is back again. Security agency researchers believe that the unpatched computers are now at high risk with hackers using the leaked tool of NSA to create some malicious proxy network.

    The unpatched computers are at risk of being targeted by hackers through the router’s firewall. The hackers are now using more powerful tools through which they can exploit through your personal computer. This can be done by making way through your internet Wi-Fi router that can cause damage to your personal computer on the Wi-Fi network.

  • Dell.com Breached: Hackers Tried To Steal Customer Data

    Dell also revealed that a password reset was initiated for all customer accounts on Dell[.]com online electronics store on November 14 for security purposes.

    While the company didn’t discuss the complexity of the password-hashing algorithms used to protect them, some of them — such as MD5 can be broken within seconds to reveal the plaintext password.

Security: Unbound Tech, Reproducible Builds and Updates

Filed under
Security

Thales, RISC-V and the Linux Foundation

Filed under
Linux
Hardware
OSS
Security
  • Thales joins RISC-V Foundation to help secure open-source microprocessors

    Membership of the RISC-V Foundation is the latest illustration of Thales's commitment to free open-source hardware architectures based on RISC-V processors, and an opportunity for the company to play a major role in a new era microprocessor design. Based on the same philosophy as the Linux success story in the world of software, open source hardware is becoming increasingly important in many key sectors.

  • RISC-V and Linux Foundation partner up

    The RISC-V Foundation and the Linux Foundation agreed to a collaboration to accelerate open source development for the open source RISC-V ISA, starting with RISC-V starter guides for Linux and Zephyr.

    The RISC-V Foundation and the Linux Foundation announced a partnership to “accelerate open source development and adoption of the RISC-V ISA” and “grow the RISC-V ecosystem with improved support for the development of new applications and architectures across all computing platforms.” The Linux Foundation will advise RISC-V on “neutral governance and best practices for open source development” and provide resources for training programs, infrastructure tools, community outreach, and marketing and legal expertise.

  • Linux lobby org joins with RISC-V bods to promote open chip spec

    The Linux Foundation, the non-profit funded by for-profit tech firms to promote the open source operating system, has begun working with the RISC-V Foundation, another non-profit backed by well-heeled companies, to encourage adoption of the open source RISC-V instruction set architecture (ISA).

    The two organizations on Tuesday plan to announce a collaboration to enhance the appeal of the RISC-V ISA, tech that proprietary chip designer Arm recently tried to stifle. The results of the tie-up should come in the form of training programs, tool development, community building and governance, marketing support, and legal advice.

Syndicate content

More in Tux Machines

Linux 4.20--rc76

Well, that's more like it. This is a *tiny* rc7, just how I like it. Maybe it's because everybody is too busy prepping for the holidays, and maybe it's because we simply are doing well. Regardless, it's been a quiet week, and I hope the trend continues. The patch looks pretty small too, although it's skewed by a couple of bigger fixes (re-apply i915 workarounds after reset, and dm zoned bio completion fix). Other than that it's mainly all pretty small, and spread out (usual bulk of drivers, but some arch updates, filesystem fixes, core fixes, test updates..) Read more Also: Linux 4.20-rc7 Kernel Released - Linux 4.20 Should Be Released In Time For Christmas

Android Leftovers

1080p Linux Gaming Performance - NVIDIA 415.22 vs. Mesa 19.0-devel RADV/RadeonSI

Stemming from the recent Radeon RX 590 Linux gaming benchmarks were some requests to see more 1080p gaming benchmarks, so here's that article with the low to medium tier graphics cards from the NVIDIA GeForce and AMD Radeon line-up while using the latest graphics drivers on Ubuntu 18.10. This round of benchmarking was done with the GeForce GTX 980, GTX 1060, GTX 1070, and GTX 1070 Ti using the newest 415.22 proprietary graphics driver. On the AMD side was using the patched Linux 4.20 kernel build (for RX 590 support) paired with Mesa 19.0-devel via the Padoka PPA while testing the Radeon RX 580 and RX 590. Read more

Sparky SU 0.1.0

This tool provides Yad based front-end for su (spsu) allowing users to give a password and run graphical commands as root without needing to invoke su in a terminal emulator. It can be used as a Gksu replacement to run any application as root. Read more