Security: Updates, Uber Crack, NSA Breach, Windows Ransom, Barracuda Networks, US Department of Education

Filed under
Security
  • Security updates for Tuesday
  • Chicago: Uber’s claim that hackers fully deleted stolen data is “nonsensical”

    It has now been a full week since the jaw-dropping revelations that Uber sustained a massive data breach in 2016, which affected more than 57 million people.

    Since November 21, the company has been hit with 10 federal lawsuits (including the two Ars reported on last week). On Monday, the city of Chicago and Cook County also sued Uber in Illinois state court, while numerous senators are now demanding answers as well.

  • Yet another NSA intel breach discovered on AWS. It’s time to worry.

    Once again the US government displays a level of ineptitude that can only be described as ‘Equifaxian’ in nature. An AWS bucket with 47 viewable files was found configured for “public access,” and containing Top Secret information the government designated too sensitive for our foreign allies to see.

  • Classified US Army and NSA data was stored on an unprotected server
  • New NSA leak exposes Red Disk, the Army's failed intelligence system

    The disk image, when unpacked and loaded, is a snapshot of a hard drive dating back to May 2013 from a Linux-based server that forms part of a cloud-based intelligence sharing system, known as Red Disk. The project, developed by INSCOM's Futures Directorate, was slated to complement the Army's so-called distributed common ground system (DCGS), a legacy platform for processing and sharing intelligence, surveillance, and reconnaissance information.

    Each branch of the military has its own version of the intelligence sharing platform -- the Army's is said to be the largest -- but the Army's system struggled to scale to the number of troops who need it.

    Red Disk was envisioned as a highly customizable cloud system that could meet the demands of large, complex military operations. The hope was that Red Disk could provide a consistent picture from the Pentagon to deployed soldiers in the Afghan battlefield, including satellite images and video feeds from drones trained on terrorists and enemy fighters, according to a Foreign Policy report.

  • World’s Biggest Botnet “Necurs” Sends 12.5 Million Scarab Ransomware Emails

    Once the ransomware infects a machine, it encrypts files and adds “[[email protected]].scarab” extension to affected files. A ransom note with filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is also dropped in the affected directory.

  • Barracuda Networks Acquired by Thoma Bravo in $1.6B Deal
  • Federal student aid site offers one-stop shopping for ID thieves?

    The arrival of the holidays heralds another season soon to arrive: the tax season and, with it, the tax-return fraud season. And while the Internal Revenue Service has made some moves toward stanching the flow of fraudulent tax returns filed by cyber-criminals, another government agency may be offering up fresh fuel to fraudsters' efforts: the US Department of Education.

Security: Intel's Management Engine (ME) and UPS Backdoor Malware

Filed under
Security
  • Potential impact of the Intel ME vulnerability

    Intel's Management Engine (ME) is a small coprocessor built into the majority of Intel CPU chipsets[0]. Older versions were based on the ARC architecture[1] running an embedded realtime operating system, but from version 11 onwards they've been small x86 cores running Minix. The precise capabilities of the ME have not been publicly disclosed, but it is at minimum capable of interacting with the network[2], display[3], USB, input devices and system flash. In other words, software running on the ME is capable of doing a lot, without requiring any OS permission in the process.

    Back in May, Intel announced a vulnerability in the Advanced Management Technology (AMT) that runs on the ME. AMT offers functionality like providing a remote console to the system (so IT support can connect to your system and interact with it as if they were physically present), remote disk support (so IT support can reinstall your machine over the network) and various other bits of system management. The vulnerability meant that it was possible to log into systems with enabled AMT with an empty authentication token, making it possible to log in without knowing the configured password.

    This vulnerability was less serious than it could have been for a couple of reasons - the first is that "consumer"[4] systems don't ship with AMT, and the second is that AMT is almost always disabled (Shodan found only a few thousand systems on the public internet with AMT enabled, out of many millions of laptops). I wrote more about it here at the time.

  • Chinese nationals indicted on federal computer hacking [sic] charges

    Beginning in at least 2013, the defendants “and others known and unknown to the grand jury” used spearphishing emails containing malicious attachments or customized malware to hack into networks used by U.S. and foreign businesses, according to the indictment.

  • Security firm was front for advanced Chinese hacking operation, Feds say

    Wu Yingzhuo, Dong Hao, and Xia Lei face federal charges that they conspired to steal hundreds of gigabytes of data belonging to Siemens AG, Moody’s Analytics, and the GPS technology company Trimble. The indictment, which was filed in September and unsealed on Monday, said the trio used spear phishing e-mails with malicious attachments or links to infect targeted end users. The defendants used customized tools collectively known as the UPS Backdoor Malware to gain and maintain unauthorized access to the targeted companies' networks.

Qubes OS 4.0-rc3 has been released!

Filed under
OS
Security

We’re pleased to announce the third release candidate for Qubes 4.0! Our goal for this release candidate is to improve the stability and reliability of Qubes 4.0, so we’ve prioritized fixing known bugs over introducing new features. Many of the bugs discovered in our previous release candidate are now resolved. A full list of the Qubes 4.0 issues closed so far is available here.


Open source nameserver used by millions needs patching

Filed under
OSS
Security

Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today.

None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways.

That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed, or if the wrong network promises it's the best way to reach YouTube, then YouTube is blackholed.


Long-term Linux support future clarified

Filed under
Linux
Security

In October 2017, the Linux kernel team agreed to extend the next version of Linux's Long Term Support (LTS) from two years to six years, Linux 4.14. This helps Android, embedded Linux, and Linux Internet of Things (IoT) developers. But this move did not mean all future Linux LTS versions will have a six-year lifespan.

As Konstantin Ryabitsev, The Linux Foundation's director of IT infrastructure security, explained in a Google+ post, "Despite what various news sites out there may have told you, kernel 4.14 LTS is not planned to be supported for 6 years. Just because Greg Kroah-Hartman is doing it for 4.4 does not mean that all LTS kernels from now on are going to be maintained for that long."

So, in short, 4.14 will be supported until January 2020, while the 4.4 Linux kernel, which arrived on Jan. 20, 2016, will be supported until 2022. Therefore, if you're working on a Linux distribution that's meant for the longest possible run, you want to base it on Linux 4.4.


Security: NHS Pays the Price for Windows, Imgur Cracked, Snyk FUD, and FOSS Updates

Filed under
Security

Security: KrebsOnSecurity, Uber, Bitcoin, Firefox, Imgur

Filed under
Security
  • Name+DOB+SSN=FAFSA Data Gold Mine

    KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.

  • Uber Hacks and Bitcoin Futures

    What is Uber? Why is it a $70-billion-or-whatever company? You could tell a bunch of stories -- it is an app company, a taxi company, a driverless-car company -- but one possibility is that it is a regulatory-evasion company. Local regulations around the world entrenched taxi companies and allowed them to capture excess value, and Uber's central innovation was not building an app or developing a surge-pricing algorithm but simply saying "what if we took that value instead?" In 2017 it spends a lot of time lobbying and buttering up local governments so that they don't ban it, but earlier on the process was simpler: It would just ignore the local regulations and hope no one would stop it. That worked really well! Not flawlessly, not permanently, not at scale -- that's why it has now pivoted to lobbying and buttering-up -- but well enough to get Uber to this point, the point where its lobbying and buttering-up can work.

  • Segwit2x Bugs Explained

    The Segwit2x hard fork was called off a little over a week ago in an email post to the 2x mailing list. Several parties threatened to split the network anyway, and we eagerly waited for block 494784 to see whether someone would mine the 2x hard fork or not.

    As it turns out, there was a bug in the Segwit2x software which caused the client to stop at block 494782. In this article, I’m going to examine the details of what caused the software to stop, why it stopped a block before it was supposed to and what would have happened had Belshe, et al, not cancelled the hard fork a week early.

  • Firefox to warn users who visit p0wned sites

    Mozilla developer Nihanth Subramanya has revealed the organisation's Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks.

    A recently-released GitHub repo titled “Breach Alerts Prototype” revealed “a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox that notifies users when their credentials have possibly been leaked or stolen in a data breach.”

  • [Imgur] NOTICE OF DATA BREACH

    On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.

Security: Necurs, Uber, and Intel ME

Filed under
Security

Security: Firefox "Breach Alerts", Uber Crack, and Intel Back Doors

Filed under
Security
  • Firefox “Breach Alerts” Will Warn If You Visit A ‘Hacked’ Website

    One more thing is coming to add to the capabilities of the recently released Firefox 57 aka Firefox Quantum.

    Mozilla is working on a new feature for Firefox, dubbed Breach Alerts, which will warn users when they visit a website, whether it was hacked in the past or not.

  • GCHQ: change your passwords now even if Uber says it contained the breach

    Uber claims to have paid $100,000 to secure 57 million accounts exposed in a breach last year, but the UK's spy agency, GCHQ, suggests consumers don't place too much faith in Uber’s claim.

    The GCHQ's National Cyber Security Centre (NCSC) on Thursday published guidance for Uber users, reminding those affected by the firm’s just revealed 2016 breach they should take precautionary action even if their personal details may not have been compromised.

    The agency warned that Uber drivers and riders should “immediately change passwords” that were used for Uber.

  • Drive-By Phishing Scams Race Toward Uber Users

    Indeed, hardly any time elapsed after Uber came clean Tuesday about the year-old breach it had concealed before crack teams of social engineers unleashed appropriately themed phishing messages designed to bamboozle the masses (see Fast and Furious Data Breach Scandal Overtakes Uber).

  • EU authorities consider creating data breach justice league to tackle uber hack

    Multiple investigations prompted by Uber's admission that it concealed a hack could join together for one big mega-probe into the incident.

    An EU working group which has responsibility for data protection will decide next week whether to co-ordinate different investigations taking place in the UK, Italy, Austria, Poland and the Netherlands.

  • Intel Didn't Heed Security Experts Warnings About ME [Ed: Intel refused to speak about back doors until it became too mainstream a topic, then pretended it's a "bug"]

    For nearly eight years, the chip maker has been turning a deaf ear on security warnings about the wisdom of Intel Management Engine.

Security: Uber Sued, Intel ‘Damage Control’, ZDNet FUD, and XFRM Privilege Escalation

Filed under
Security
  • Uber hit with 2 lawsuits over gigantic 2016 data breach

    In the 48 hours since the explosive revelations that Uber sustained a massive data breach in 2016, two separate proposed class-action lawsuits have been filed in different federal courts across California.

    The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers. Uber reportedly paid $100,000 to delete the stolen data and keep news of the breach quiet.

    On Tuesday, CEO Dara Khosrowshahi wrote: “None of this should have happened, and I will not make excuses for it.”

  • Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities [Ed: ‘Damage control’ strategy is to make it look like just a bug.]

    While Intel ME security issues have been talked about for months, confirming fears that have been present about it for years, this week Intel published the SA-00086 security advisory following their own internal review of ME/TXE/SPS components. The impact is someone could crash or cause instability issues, load and execute arbitrary code outside the visibility of the user and operating system, and other possible issues.

  • Open source's big weak spot? Flawed libraries lurking in key apps [Ed: Linux basher Liam Tung entertains FUD firm Snyk and Microsoft because it suits the employer's agenda]
  • SSD Advisory – Linux Kernel XFRM Privilege Escalation

More in Tux Machines

Qt/KDE: Qt5 in Debian and Slackware, QtCreator on Android, KDE Discover, and Plasma's 10th Anniversary

  • moving Qt 4 from Debian testing (aka Buster): some statistics, update II
    We started filing bugs around September 9. That means roughly 32 weeks which gives us around 5.65 packages fixed per week, aka 0.85 packages per day. Obviously not as good as we started (remaining bugs tend to be more complicated), but still quite good.
  • [Slackware] Plasma5 – April 18 edition for Slackware
    The KDE-5_18.04 release of ‘ktown’ for Slackware-current offers the latest KDE Frameworks (5.45.0), Plasma (5.12.4) and Applications (18.04.0). The Qt5 was upgraded to 5.9.5. Read the README file for more details and for installation/upgrade instructions. Enjoy the latest Plasma 5 desktop environment.
  • Perfect Debugging Experience with QtCreator on Android
    While I was working on a yet-to-be-announced super secret and cool Qt on Android project, I had to do a lot of debugging. This way I found that debugging Qt apps on Android using QtCreator was ok, but it had some issues, which was kinda frustrating.
  • Discover – Easily Install Software on KDE Neon Desktop
    KDE Discover is an Open Source GUI app installer that comes packaged with KDE Neon. It was particularly built from the ground up to be compatible with other modern Linux distros with emphasis on beauty and convenience. KDE Discover was also designed to allow for an intuitive User Experience as it features a clean and clear layout with a high readability value which makes it easy to browse, search for, install, and uninstall applications.
  • Almost 10 years of Plasma-Desktop
    Last week I was at work and started listening to my boss saying: “We need to show this to our director”. So I went to my coworker's table to see what was happening. They were using Gource to make a video about the git history of the project. Gource is a software version control visualization tool. That triggered in my mind some memories about a friend talking about Python and showing how the project has grown in these past years, but I never found out about the tool that made that amazing video. So, well, I started to make some Gource videos, and because of my love for the KDE Community, why not make one about it?

GNOME: Getting Real GNOME Back in Ubuntu 18.04, Bug Fix for Memory Leak

  • Getting Real GNOME Back in Ubuntu 18.04 [Quick Tip]
    Ubuntu 18.04 uses a customized version of GNOME and GNOME users might not like those changes. This tutorial shows you how to install vanilla GNOME on Ubuntu 18.04. One of the main new features of Ubuntu 18.04 is the customized GNOME desktop. Ubuntu has done some tweaking on GNOME desktop to make it look similar to its Unity desktop. So you get minimize options in the windows control, a Unity like launcher on the left of the screen, app indicator support among some other changes.
  • The Infamous GNOME Shell Memory Leak
    At this point, I think it’s safe to assume that many of you have already heard of a memory leak that was plaguing GNOME Shell. Well, as of yesterday, the two GitLab MRs that help fix that issue were merged, and will be available in the next GNOME version. The fixes are being considered for backporting to GNOME 3.28 – after making sure they work as expected and don’t break your computer.
  • The Big GNOME Shell Memory Leak Has Been Plugged, Might Be Backported To 3.28
    The widely talked about "GNOME Shell memory leak" causing excessive memory usage after a while with recent versions of GNOME has now been fully corrected. The changes are currently staged in Git for what will become GNOME 3.30 but might also be backported to 3.28. Well known GNOME developer Georges Stavracas has provided an update on the matter and confirmed that the issue stems from GJS - the GNOME JavaScript component - with the garbage collection process not being fired off as it should.

Graphics: AMDVLK, XWayland and Vulkan

  • AMDVLK Vulkan Driver Stack Gets Updated With More Extensions, Optimizations & Fixes
    AMD developers maintaining their official Vulkan cross-platform driver code have pushed their end-of-week updates to their external source repositories for those wanting to build the AMDVLK driver on Linux from source. This latest AMDVLK push updates not only their PAL (Platform Abstraction Layer) and XGL (Vulkan API Layer) components but it also updates their fork of the LLVM code-base used for their shader compilation.
  • EGLStreams XWayland Code Revised Ahead Of X.Org Server 1.20
    It's still not clear if the EGLStreams XWayland support will be merged for xorg-server 1.20 but at least the patches were revised this week, making it possible to merge them into this next X.Org Server release for allowing the NVIDIA proprietary driver to work with XWayland.
  • Vulkan 1.1.74 Released With Minor Fixes & Clarifications
    Vulkan continues sticking to the "release early, release often" mantra with the availability today of Vulkan 1.1.74.

Xfce Releases/Updates

  • Xfce Settings 4.12.3 / 4.13.2 Released
    Fixes galore! Xfce Settings 4.12.3 and 4.13.2 were released on March 18th with several improvements, feature parity, and translations.
  • Xfce PulseAudio Plugin 0.4.0 (and 0.4.1) Released
    Stable as a rock. Xfce PulseAudio Plugin hit a new stable milestone with the 0.4.0 release. This release wraps up the awesome development cycle we’ve had on this over the last few months and is recommended for all users.
  • Xfce Settings Update Brings Better Multi-Monitor Support
    While still waiting on the long-awaited Xfce 4.14, out this weekend is an Xfce Settings 4.14.2 preview release as well as an Xfce Settings 4.12.3 stable series update. Both of these Xfce Settings updates bring better multi-monitor support, including visualization of all display configuration states, visually noting if two displays are mirrored, always drawing the active display last so it's on top, and a number of fixes pertaining to the multi-monitor display handling from this Xfce desktop settings agent.