Security

Security: IoT Cybersecurity Improvement Act, Linux Security Summit 2017, CII on NTP

Filed under
Security
  • IoT Cybersecurity Improvement Act of 2017: The pros and cons from a hacker

    We have early on recognized the state of such security. Our IoT Village has highlighted the problem at many conferences, such as DEFCON and RSA, for the past three years.

  • Linux Security Summit 2017 Roundup

    The 2017 Linux Security Summit (LSS) was held last month in Los Angeles over the 14th and 15th of September. It was co-located with Open Source Summit North America (OSSNA) and the Linux Plumbers Conference (LPC).

  • Securing Network Time

    Since its inception the CII has considered network time, and implementations of the Network Time Protocol, to be “core infrastructure.” Correctly synchronising clocks is critical both to the smooth functioning of many services and to the effectiveness of numerous security protocols; as a result most computers run some sort of clock synchronization software and most of those computers implement either the Network Time Protocol (NTP, RFC 5905) or the closely related but slimmed down Simple Network Time Protocol (SNTP, RFC 4330).

Security: Cyber Operators, EFI, Equifax, Tor

Filed under
Security
  • Cyber Operators — Differences Matter
  • Equitablefax

    I’m calling this mostly a problem with Equihax architecture. This isn’t about a struts bug, this is about a terrible network design that allows random kiddies to scrape the data store clean via a single shell (well, 30, but still). That Equihax was focussing on buying boxes to protect against 0day, and (from stories I’ve read circa 2015) working on ensuring employee phones are compartmented for BYOD. Well, they were clearly spending money out of the security budget. And it wasn’t trivial sums either, FireEye boxes aren’t exactly free. But from the looks of it, the problem wasn’t that they got compromised, the problem was that they couldn’t detect a compromise and prevent it from becoming a breach (seriously: 30 webshells exfiltrating data on 143 million people would have left some pretty hefty “access.log” files).

  • Critical Code in Millions of Macs Isn't Getting Apple's Updates

    For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

  • Report Bugs, Get $$ Like @atechdad

    The day after Julian Jackson (@atechdad) reported the bug through HackerOne, we released Tor Browser 7.0.3. We saw no indication that it was used in the wild, and the bug didn't affect users of Tails, Whonix, or our sandboxed Tor Browser.

  • Here's What to Ask the Former Equifax CEO

    Richard Smith -- who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers -- is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I'd ask when Mr. Smith goes to Washington.

  • Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

    For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

    While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

    After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.

Security: Updates, EFI Mess, Clarence Birdseye

Filed under
Security
  • Security updates for Friday
  • An alarming number of patched Macs remain vulnerable to stealthy firmware hacks

    An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study released Friday has concluded.

  • What Clarence Birdseye can teach us about container security

    Clarence Birdseye is generally considered to be the founder of the modern frozen food industry. In 1925, after a couple of false starts, he moved his General Seafood Corporation to Gloucester, Massachusetts. There, he used his newest invention, the double belt freezer, to freeze fish quickly using a pair of brine-cooled stainless steel belts. This and other Birdseye innovations centered on the idea that flash-freezing meant that only small ice crystals could form, and therefore cell membranes were not damaged. Over time, these techniques were applied to a wide range of food — including the ubiquitous frozen peas.

Security: CII, Policy, Investment, and More

Filed under
Security

Security: Updates or Patches

Filed under
Security

Tails 3.2 is out

Filed under
Security
Debian

This release fixes many security issues and users should upgrade as soon as possible.

Security: Patches and Unpatched Systems

Filed under
Security

Security: "Bad Microsoft", Deloitte, Ransom, Equifax, Linux and Phish For the Future

Filed under
Security
  • Risky Business #471 -- Good Microsoft, bad Microsoft

    On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require man in the middle to exploit the failure. Ummm. What?

  • Deloitte did little to ensure safety of data: claim

    The data breach at accountancy firm Deloitte shows that while the company may know a great deal about security, it appears to have done little to make sure that the vast amount of data it has is safe, the head of a cyber security firm claims.

  • SMBs paid US$301m as ransom in last year: survey

    Data protection company Datto has released the results of a ransomware survey based on data from 1700 managed service providers which shows that a sum of US$301 million was paid to attackers between the second quarter of 2016 and the second quarter of 2017.

  • Equifax CEO to collect $90 million: report

    Smith, who announced his retirement Tuesday, will collect about $72 million this year and $17.9 million in coming years, according to Fortune. This reportedly adds up to about 63 cents for each customer who was potentially exposed in the company’s data breach.

  • Linux Kernel Bug Reclassified as Security Issue After Two Years

    Multiple Linux distros are issuing security updates for OS versions that still use an older kernel branch after it recently came to light that a mild memory bug was in reality much worse, and the bug was recently categorized as a security flaw.

    The original bug was discovered by Michael Davidson, a Google employee, back in April 2015 and was fixed in Linux kernel 4.0.

  • Phish For the Future

    This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.

    This campaign appears to have been aimed at stealing credentials for various business services including Google, Dropbox, and LinkedIn. At least one account was compromised and was used to send out additional spearphishing emails to others in the organization. Because the compromised account had been neglected for years and contained no recent activity, we suspect the attackers were trying to leverage trust in order to compromise a more recent or high-value account. We were unable to determine what the secondary goal of the campaign was after the credentials were stolen. The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time.

Security: Wi-Fi Patches, Equifax, Deloitte, NSA's EternalBlue Exploit and TalkTalk

Filed under
Security

Security: Deloitte, AWS, CCleaner, Equifax, Optionsbleed

Filed under
Security
  • Source: Deloitte Breach Affected All Company Email, Admin Accounts

    Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

  • Security breach exposes data from half a million vehicle tracking devices

    The exposed data, which includes customer credentials, was unearthed through a misconfigured Amazon AWS S3 bucket that was left publicly available, and because it wasn't protected by a password, could allow anyone to pinpoint locations visited by customers of the vehicle tracking firm.

  • CCleaner backdoor infecting millions delivered mystery payload to 40 PCs

    At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.

  • Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

    This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conducts the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credit cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.

    Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

    While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear. That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

  • New breach, same lessons

    The story of recent breaches at the credit-rating agency Equifax, which may have involved the personal details of nearly 150 million people, has probably just begun, given the confusion that still surrounds events. But it’s brought the security of open source software to the fore yet again, and highlighted the ongoing struggle organizations still have with cybersecurity.

  • Apache “Optionsbleed” vulnerability – what you need to know [Ed: The security FUD complex came up with a buzzword: Optionsbleed. But it fails to (over)sell this hype.]