Security

Security News

Filed under
Security
  • Thursday's security updates
  • Guile security vulnerability w/ listening on localhost + port
  • Akamai Finds Longtime Security Flaw in 2 Million Devices

    It’s well known that the Internet of Things is woefully insecure, but the most shameful and frustrating part is that some of the vulnerabilities that are currently being exploited could have been eradicated years ago. Now evidence of how these bugs are being used in attacks is calling attention to security holes that are long overdue to be plugged.

    New research released this week from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices—routers, cable modems, satellite TV equipment, and DVRs—and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers—in industries like financial services, retail, hospitality, and gaming—have been targets of this attack.

    The exploited protocol, called Secure Shell (SSH), is commonly used to facilitate remote system access and can be implemented robustly. But many IoT manufacturers either don’t incorporate it or are oblivious to the best practices for SSH when setting up default configurations on their devices. As makers scramble to bring their products to market, these oversights sow widespread insecurity in the foundation of the Internet of Things.

  • IoT Devices as Proxies for Cybercrime

    However, WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as vulnerable, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet.

    Finally, the hardware inside consumer routers is controlled by software known as “firmware,” and occasionally the companies that make these products ship updates for their firmware to correct security and stability issues. When you’re logged in to the administrative panel, if your router prompts you to update the firmware, it’s a good idea to take care of that at some point. If and when you decide to take this step, please be sure to follow the manufacturer’s instructions to the letter: Failing to do so could leave you with an oversized and expensive paperweight.

    Personally, I never run the stock firmware that ships with these devices. Over the years, I’ve replaced the firmware in various routers I purchased with an open source alternative, such as DD-WRT (my favorite) or Tomato. These flavors generally are more secure and offer a much broader array of options and configurations. Again, though, before you embark on swapping out your router’s stock firmware with an open source alternative, take the time to research whether your router model is compatible, and that you understand and carefully observe all of the instructions involved in updating the firmware.

    Since October is officially National Cybersecurity Awareness Month, it probably makes sense to note that the above tips on router security come directly from a piece I wrote a while back called Tools for a Safer PC, which includes a number of other suggestions to help beef up your personal and network security.

  • Microsoft says hackers have exploited zero-days in Windows 10's Edge, Office, IE; issues fix

    Microsoft's October Patch Tuesday fixes dozens of critical flaws, among them five affecting Internet Explorer, Edge, and Office that have already been under attack.

    Tuesday's update addresses 49 vulnerabilities within 10 security bulletins. Five bulletins are rated as critical and concern remote code execution vulnerabilities affecting Edge, Internet Explorer, Adobe Flash Player, Office, Windows, and Skype for Business.

    According to Microsoft, there were four so-called zero-day flaws, or previously unknown bugs that were being exploited in the wild. However, none has been publicly disclosed before now.

    All these bugs serve as a reminder for users to be cautious when clicking on links or opening attachments from unknown sources.

  • Like it or not, here are ALL your October Microsoft patches

    Redmond kicks off the era of the force-fed security update

    [...]

    Microsoft is kicking off a controversial new security program this month by packaging all of its security updates into a single payload.

    The October security release introduces Redmond's new policy of bundling all security bulletins as one download. While more convenient for end users, who now get just one bundle, the move will irk many administrators, who had preferred to individually test and apply each patch to avoid compatibility problems.

Security News

  • Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier

    Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by built-in and script-defined PowerShell cmdlets. Microsoft's documentation claimed JEA was a security boundary so effective you did not need to worry about an attacker stealing and misusing the credentials of a JEA user.

    But every JEA role capability example I found Microsoft had published had vulnerabilities that could be exploited to obtain complete system administrative rights, most of them immediately, reliably, and without requiring any special configuration. I find it hard to believe most custom role capabilities created by system administrators in the wild are going to be more secure than these, given the track record of the functionally similar features in Linux, the non-obvious nature of vulnerabilities, and the importance of dangerous cmdlets to routine system troubleshooting and maintenance.

    I recommended Microsoft invert what their JEA articles and documentation said about security. Instead of leading with statements that JEA was a security barrier, users with JEA rights should not be considered administrators, and their credentials do not need to be protected like real administrators with a note that this may not be the case if you are not careful; Microsoft's JEA documentation should lead with statements that JEA should not be treated like a security barrier and users with JEA rights and their credentials should be tightly controlled exactly like normal administrators unless the role capabilities have been strictly audited by security professionals. Additionally, the README files and comments of their example role capabilities should start with stern reminders of this.

  • Thousands of internet-connected devices are a security disaster in the making

    The first problem: many IoT devices, like those cameras, are consumer-oriented, which means their owners don't have a security-conscious IT department. "Individuals do not have the purchasing power of a large corporation," says John Dickson, principal of Denim Group, "so they cannot demand security features or privacy protections that a large corporation can of a product or software vendor."

    PC Pitstop Vice President of Cyber Security Dodi Glenn points out that many IoT purchasers neglect basic security measures, failing to change passwords from obvious defaults. And even if they did want to secure their devices, there are limits to what they can do: "You can't secure these devices with antivirus applications."

  • A SSHowDowN in security: IoT devices enslaved through 12 year old flaw

    In what researchers call the "Internet of Unpatchable Things," a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.

    The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.

  • Microsoft was unable to meaningfully improve the software

    Documents in a class-action lawsuit against Ford and its original MyFord Touch in-vehicle infotainment (IVI) system reveal that the company's engineers and even its top executive were frustrated with the problematic technology.

    The documents from the 2013 lawsuit show Ford engineers believed the IVI, which was powered by the SYNC operating system launched in 2010, might be "unsaleable" and even described a later upgrade as a "polished turd," according to a report in the Detroit News, which was confirmed by Computerworld.

    The SYNC OS was originally powered by Microsoft software. Microsoft continued releasing software revisions it knew were defective, according to the lawsuit.

    "In the spring of 2011, Ford hired Microsoft to oversee revisions, and hopefully the improvement, of the [software]. But ... Microsoft was unable to meaningfully improve the software, and Ford continued releasing revised software that it knew was still defective," the lawsuit states.

    Last week, a U.S. District Court judge certified the case as a class action.

  • Senator wants nationwide, all-mail voting to counter election hacks

    "It's not a question of if you're going to get hacked—it's when you're going to get hacked."

    Those were the words of Verizon CEO Lowell McAdam as he sought to assure investors last week that the company is still interested in purchasing Yahoo despite the massive data breach of Yahoo consumer accounts.

    Whether McAdam's words ring true for the hodgepodge of election systems across the US is anybody's guess. But in the wake of the Obama administration's announcement that the Russian government directed hacks on the Democratic National Committee and other institutions to influence US elections, a senator from Oregon says the nation should conduct its elections like his home state does: all-mail voting.

  • SourceClear Adds Atlassian Stack to Its Open Source Security Platform

    Open source security company SourceClear said it is integrating Atlassian’s suite of developer tools including Bitbucket Pipelines, JIRA Server, JIRA Cloud, and Bamboo into the company’s open source platform. The integration will result in automated security checks being a part of the developer workflow before they ship code.

Security News

  • Security updates for Tuesday
  • Systemd and Ubuntu users urged to update to patch Linux flaws

    Linux users should beware of a recently discovered systemd vulnerability that could shut down a system using a command short enough to send in a tweet, and Ubuntu users should update to new Linux kernel patches affecting supported operating systems.

    SSLMate founder and Linux administrator Andrew Ayer spotted the bug which has the potential to kill a number of critical commands while making others unstable, according to Betanews.

  • Microsoft: No More Pick-and-Choose Patching

    Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

  • Ministry of Defence CIO – defending the data assets of the nation

    An interesting example of knowing what is actually important, such as being ‘secure’ does not mean pulling up drawbridges and never talking. It does seem possible that the MoD has lessons it can teach industry in building security defences in depth, using a wide range of tools, that then map onto the future world of mobile and cloud infrastructures.

Security News

  • Security advisories for Monday
  • Crash: how computers are setting us up for disaster

    When a sleepy Marc Dubois walked into the cockpit of his own aeroplane, he was confronted with a scene of confusion. The plane was shaking so violently that it was hard to read the instruments. An alarm was alternating between a chirruping trill and an automated voice: “STALL STALL STALL.” His junior co-pilots were at the controls. In a calm tone, Captain Dubois asked: “What’s happening?”

    Co-pilot David Robert’s answer was less calm. “We completely lost control of the aeroplane, and we don’t understand anything! We tried everything!”

    The crew were, in fact, in control of the aeroplane. One simple course of action could have ended the crisis they were facing, and they had not tried it. But David Robert was right on one count: he didn’t understand what was happening.

    As William Langewiesche, a writer and professional pilot, described in an article for Vanity Fair in October 2014, Air France Flight 447 had begun straightforwardly enough – an on-time take-off from Rio de Janeiro at 7.29pm on 31 May 2009, bound for Paris. With hindsight, the three pilots had their vulnerabilities. Pierre-Cédric Bonin, 32, was young and inexperienced. David Robert, 37, had more experience but he had recently become an Air France manager and no longer flew full-time. Captain Marc Dubois, 58, had experience aplenty but he had been touring Rio with an off-duty flight attendant. It was later reported that he had only had an hour’s sleep.

    Fortunately, given these potential fragilities, the crew were in charge of one of the most advanced planes in the world, an Airbus 330, legendarily smooth and easy to fly. Like any other modern aircraft, the A330 has an autopilot to keep the plane flying on a programmed route, but it also has a much more sophisticated automation system called fly-by-wire. A traditional aeroplane gives the pilot direct control of the flaps on the plane – its rudder, elevators and ailerons. This means the pilot has plenty of latitude to make mistakes. Fly-by-wire is smoother and safer. It inserts itself between the pilot, with all his or her faults, and the plane’s mechanics. A tactful translator between human and machine, it observes the pilot tugging on the controls, figures out how the pilot wanted the plane to move and executes that manoeuvre perfectly. It will turn a clumsy movement into a graceful one.

  • Canonical Patches New Linux Kernel Vulnerabilities in All Supported Ubuntu OSes

    Today, October 11, 2016, Canonical published several security advisories to inform Ubuntu users about new Linux kernel updates for their supported operating systems.

    Four new kernel vulnerabilities are affecting Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 14.04 LTS (Trusty Tahr) or later versions, and three affect the Ubuntu 12.04 LTS (Precise Pangolin) series of operating systems. They are also affecting the Ubuntu 16.04 LTS for Raspberry Pi 2 kernel.

    The first security flaw is an unbounded recursion in Linux kernel's VLAN and TEB Generic Receive Offload (GRO) processing implementations, which could have allowed a remote attacker to crash the system through a denial of service or cause a stack corruption. It was discovered by Vladimír Beneš and affects Ubuntu 16.04 and 14.04.

Security Leftovers

  • How 'Security Fatigue' Affects Our Choices Online

    A new study claims many users suffer from 'security fatigue,' which affects the choices we make online. What's the real answer and where does the root cause sit?
    An overabundance of security news and alerts has led to "security fatigue," which is causing users to make bad choices when it comes to online security, suggests a report from the National Institute of Standards and Technology (NIST).

  • Apache Milagro: A New Security System for the Future of the Web
  • Ransomware hackers are hitting the NHS in the knackers [ophk: "politicians’ heads should roll for running MS anywhere near the NHS”]

    Rashmi Knowles, chief EMEA security architect at RSA, said: "Ransomware is an extremely lucrative business for cyber criminals as once they are in they just need to encrypt the data. Whereas actually stealing data and then trying to resell makes it a much longer process.

    "Current data shows that ransomware cases are expected to double from 2015 to 2016, and it should come as no surprise that breaches continue to happen as frequently as they do.

    "The results show organisations relying on a fragmented foundation of data and technologies. Because it remains siloed, visibility is incomplete, making attacker activity difficult to scope.

    "As a result the speed with which they can detect and investigate threats becomes a real challenge."

The top three Wi-Fi pen testing tools in Kali Linux

Filed under
GNU
Linux
Security

Every hacker and security researcher loves Kali Linux. The developers of the Kali Linux ethical hacking distro have released the second Kali Rolling ISO release, i.e. Kali 2016.2. Just like the previous one, Kali promises to deliver lots of new updates and changes in this release. Over the course of the past few months, Kali developers have been busy adding new tools to Kali and fixing multiple bugs. For example, they have added HTTPS support in busybox that allows secure installation over SSL.

Kali Linux provides you the flexibility to install your favorite desktop environment and personalize your experience. However, Kali developers note that users often talk about how they would love to see other desktop environments instead of GNOME.

Security News

  • One election-system vendor uses developers in Serbia

    The use of proprietary systems in elections has its critics. One Silicon Valley group, the Open Source Election Technology Foundation, is pushing for an election system that shifts from proprietary, vendor-owned systems to one that is owned "by the people of the United States."

  • Europe to Push New Security Rules Amid IoT Mess

    The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

  • Internet of Things botnets: You ain’t seen nothing yet

    Internet of Things (IoT) botnet "Mirai" is the shape of things to come and future assaults could be even more severe, a leading security research firm warns.

    Mirai powered the largest DDoS attack ever, spawning a 620Gbps DDoS against KrebsOnSecurity. Source code for the malware was released on hacker forums last week.

    The malware relied on factory default or hard-coded usernames and passwords to compromise vulnerable IoT devices such as insecure routers, IP cameras, digital video recorders and the like.

    PenTestPartners, the UK security consultancy behind numerous hacks on IoT devices ranging from Wi-Fi enabled kettles to cars, said that the botnet finally illustrates the consequences of IoT vendors cutting corners on security.

Security News

  • Security advisories for Friday
  • surveillance, whistleblowing, and security engineering

    Imagine for a moment that you are a security engineer who discovers a backdoor that your company execs have been trying to hide from your team. Would you quit on ethical grounds or stay so that you can prevent this from happening again? I don’t think there is one right answer. Personally I am grateful both for those who left and blew the whistle, and for those who stayed to protect Yahoo’s 800 million users.

    Part of the job function of security engineers and pen testers is being ready for the moment you encounter something that you think should be disclosed but your company wants to keep secret. Think about what you would be willing to lose. Be prepared to escalate internally. Know the terms of your NDA and your exit agreement; try your best to honor them. Most of all, keep pushing for end-to-end encryption.

  • Digital Vigilantes Want to Shame DDoS Attackers And Their Corporate Enablers

    Hacker attacks that try to take down websites with a flood of bogus traffic, technically known as Distributed Denial of Service (DDoS) attacks, have become a daily occurrence on the internet. The rise of DDoS has created a cottage industry of companies dedicated to mitigating the attacks, and, on the flip side, professional DDoS-for-hire services and gangs.

    Now, a group of security researchers wants to name and shame not only the hackers responsible for such crippling attacks, but also the internet providers and traffic carriers that enable them by turning a blind eye to their actions, with a project called SpoofIT.

  • Russia Drafting Law to Favor Open Source

    I wrote the original cyber-vulnerability letter to the White House in 1994, and instead of acting responsibly, the US Government allowed NSA -- with the active complicity of US communications and computing provider CEOs -- to compromise all US offerings. Not only are the communications and computing devices and related consulting compromised, but so are larger offerings (e.g. Boeing aircraft, which come with a computer system pre-configured for US Government remote control take-over -- Lufthansa is reported to have discovered this and at great expense removed all US computers from every aircraft). NOTE: I am quite certain about both of the above indictments, but only a proper European Commission investigation can satisfy the public interest; I believe that the same problems infect C4I systems from China, France, Israel, and Russia, and I do not believe most people are aware that the electrical system is now easily used to enter computers that are nominally disconnected from the Internet.

  • Systemd vulnerability crashes Linux systems

    A new vulnerability has been discovered that could shut down most Linux systems using a command short enough to fit in a tweet.

Security Leftovers

  • Promoting Cybersecurity Awareness

    We are happy to support National Cyber Security Awareness Month (NCSAM), a global effort between government and industry to ensure everyone has the resources they need to be safer, more secure and better able to protect their personal information online.

    We’ve talked about how cybersecurity is a shared responsibility, and that is the theme for National Cybersecurity Awareness Month – the Internet is a shared resource and securing it is our shared responsibility. This means technology companies, governments, and even users have to work together to protect and improve the security of the Internet. We all have to do our part to make the Internet safer and more secure for everyone. This is a time for all Internet users to Stop. Think. Connect. This month, and all year long, we want to help you be more “CyberAware.”

  • 'Security fatigue' is the worst thing to happen to people since insecurity

    CHANGING PASSWORDS is just too much for some people, according to research, and causes them to do stupid things.

    This is called 'security fatigue', apparently, and comes straight from the National Institute of Standards and Technology (NIST) and a collection of clipboards and pens.

    "After updating your password for the umpteenth time, have you resorted to using one you know you'll remember because you've used it before? Have you ever given up on an online purchase because you just didn't feel like creating a new account?" asked NIST.

    "If you have done any of those things, it might be the result of ‘security fatigue'. It exposes online users to risk and costs businesses money in lost customers."

  • The new BYOD backlash hides an ulterior motive

    Recent research from IDC shows a clear picture: IT organizations are increasingly unhappy about BYOD and now want to curtail or end the practice.

    Their stated concern: The costs are too high and the savings too low. But those concerns are misguided and likely masking a secret agenda to regain control over mobile devices, not to save money. Face it: BYOD was never popular with IT.
