Security

Security: Updates, Podcast, and PDFs

Filed under
Security

Security: Updates, B. F. Skinner, and Yahoo

Filed under
Security
  • Security updates for Monday
  • The father of modern security: B. F. Skinner

    What I mean by that statement is that our security process is often based on ideas that don't really work. As an industry we have built up a lot of ideas and processes that aren't actually grounded in facts and science. We don't understand why we do certain things, but we know that if we don't do those things something bad will happen! Will it really happen? I heard something will happen. I suspect the answer is no, but it's very difficult to explain this concept sometimes.

    [...]

    Here's where it gets real. It's easy to pick on the password example because it's in the past. We need to focus on the present and the future. You have an organization that's full of policy, ideas, and stuff. How can we try to make a dent in what we have today? What matters? What doesn't work, and what's actually harmful?

  • US judge says that Yahoo must face lawsuits over data breaches

    The lawsuit concerns two major breaches: one that occurred in 2013 that impacted more than a billion users, and another in late 2014 that affected at least 500 million accounts. In December, a judicial panel consolidated five putative class action suits that sought to represent account holders who had e-mails, passwords, and other sensitive information compromised.

  • Yahoo must face litigation by data breach victims: U.S. judge

    A U.S. judge said Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.

Spyware Dolls and Intel's vPro

Filed under
Security

For a number of years now there has been growing concern that the management technologies in recent Intel CPUs (ME, AMT and vPro) also conceal capabilities for spying, either due to design flaws (no software is perfect) or backdoors deliberately installed for US spy agencies, as revealed by Edward Snowden. In a 2014 interview, Intel's CEO offered to answer any question, except this one.

The LibreBoot project provides a more comprehensive and technical analysis of the issue, summarized in the statement "the libreboot project recommends avoiding all modern Intel hardware. If you have an Intel based system affected by the problems described below, then you should get rid of it as soon as possible" - eerily similar to the official advice German authorities are giving to victims of Cayla the doll.

All those amateur psychiatrists suggesting LibreBoot developers suffer from symptoms of schizophrenia have had to shut their mouths since May, when Intel confirmed that a design flaw (or NSA backdoor) in every modern CPU had become known to hackers.

Bill Gates famously started out with the mission to put a computer on every desk and in every home. With more than 80% of new laptops based on an Intel CPU with these hidden capabilities, can you imagine the NSA would not have wanted to come along for the ride?

Read more

IPFire 2.19 - Core Update 113 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 113. The change log is rather short, but comes with a big new feature...

Read more

Security in Android, Windows

Filed under
Android
Microsoft
Security
  • With Android Oreo, Google is introducing Linux kernel requirements

    Android may be a Linux-based operating system, but the Linux roots are something that few people pay much mind. Regardless of whether it is known or acknowledged by many people, the fact remains that Android is rooted in software regarded as horrendously difficult to use and most-readily associated with the geekier computer users, but also renowned for its security.

  • Exclusive: India and Pakistan hit by spy malware - cybersecurity firm [Ed: When you use Microsoft Windows in government in spite of back doors]

    Symantec Corp, a digital security company, says it has identified a sustained cyber spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues.

    In a threat intelligence report that was sent to clients in July, Symantec said the online espionage effort dated back to October 2016. 

    [...]

    Symantec’s report said an investigation into the backdoor showed that it was constantly being modified to provide “additional capabilities” for spying operations.

Security: “Roboto Condensed”, Tor, and TigerSwan

Filed under
Security
  • “Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users. Various Payloads Being Delivered.
  • [Older] One Week With Tor

    A few people have asked me why I don't trust exit nodes with sensitive tasks like online banking. My distrust is mainly in the horrible state of SSL/TLS PKI. With hundreds of trusted roots, each with SSL/TLS certificate resellers, the amount of trust I must place in the least secure certificate vendor is huge. Any certificate vendor whose chain of trust resolves to a trusted root can issue certificates for any domain I visit. If a malicious exit node has also compromised or coerced a certificate vendor into producing a certificate that we would consider fraudulent (but our browser wouldn't), I'm now in a pickle.

  • Thousands of mercenary resumés found exposed on Web

    The sensitive personal details of the job applicants, many claiming top-secret security clearance from the US government, were left unsecured by a recruiting company with whom TigerSwan had cut ties in February 2017, according to UpGuard.
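The "One Week With Tor" excerpt above states the problem (any one of hundreds of trusted roots can sign a certificate for your bank) but not a mitigation. As an added example, not code from that post or from any project named on this page, the Python below keeps the normal chain and hostname validation and additionally pins the SHA-256 fingerprint of the certificate you expect, so a certificate that is trust-store valid but issued through some other root is rejected. The host name, the pin set and the `SAMPLE_DER` bytes are constructed assumptions, not real certificates or endpoints; the pin check itself only needs the DER encoding.

```python
"""Certificate pinning layered on top of the normal TLS validation.

Added example, not code from the "One Week With Tor" post. SAMPLE_DER is
constructed bytes, not a real certificate; the pin check needs only DER bytes.
"""
import hashlib
import socket
import ssl
from typing import Iterable, Optional, Set


class PinMismatch(ssl.SSLError):
    """Peer certificate validated against the trust store but is not one we pinned."""


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as lowercase hex (openssl -sha256 fingerprint without colons)."""
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept both 'AB:CD:...' and 'abcd...' spellings of a fingerprint."""
    return pin.replace(":", "").strip().lower()


def verify_pin(der: bytes, pins: Iterable[str]) -> bool:
    """True when the certificate's fingerprint is in the pin set."""
    wanted: Set[str] = {normalize_pin(p) for p in pins}
    return fingerprint(der) in wanted


def pinned_connect(host: str, port: int, pins: Iterable[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with chain and hostname validation still on, then require the pin.

    Raises PinMismatch (and closes the socket) when the certificate is
    trust-store valid but not the one expected: exactly the case of a coerced
    CA plus a hostile network path such as a malicious exit node."""
    ctx = ssl.create_default_context()   # system roots, hostname check, modern protocols only
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)   # chain validation happens here
    except Exception:
        raw.close()
        raise
    der: Optional[bytes] = tls.getpeercert(binary_form=True)
    if der is None or not verify_pin(der, pins):
        tls.close()
        raise PinMismatch(
            f"{host}: certificate chains to a trusted root but is not pinned "
            f"(fingerprint {fingerprint(der or b'')})")
    return tls


# Constructed stand-in for a DER certificate (arbitrary bytes, not a real cert).
SAMPLE_DER = bytes(range(64)) * 4

# Hypothetical pin set: the current certificate plus a backup pin, so that a
# planned rotation to the next certificate does not lock the client out.
EXAMPLE_PINS = {fingerprint(SAMPLE_DER),
                fingerprint(b"next-certificate-placeholder")}


def demo() -> bool:
    """Offline check: the expected certificate passes, a substitute does not."""
    substitute = b"\x30\x82" + b"\x00" * 200   # another constructed DER stand-in
    return verify_pin(SAMPLE_DER, EXAMPLE_PINS) and not verify_pin(substitute, EXAMPLE_PINS)


if __name__ == "__main__":
    print("pin check works offline:", demo())
    # Live use with an assumed host; the pin must be obtained out of band, not
    # from the first connection:
    # sock = pinned_connect("bank.example", 443, {"<sha256 fingerprint>"}); sock.close()
```

Pinning the whole certificate means the pin changes at every renewal, which is why a backup pin for the next certificate belongs in the set from day one; it is also why browser HPKP pinned the SubjectPublicKeyInfo hash rather than the certificate, so the pin survives re-issuance under the same key.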

Security: Updates, Windows EOL Meltdown, and Intel Back Doors

Filed under
Security
  • Security updates for Friday
  • Two years after Windows 10: Windows 7 is still threatening a 2020 EOL meltdown

    No. The issue is Windows 7. People and more especially businesses are still refusing to give it up. Yes, it has lost its market share, down from 60.75 percent in August 2015 to 48.43 percent in August 2017. But again, it's actually UP on this time last year, when it was at 47.25 percent.

  • Intel ME controller chip has secret kill switch

    Security researchers at London-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

    Intel's ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

Security: Onity, Instagram and Intel Management Engine (ME) Back Doors

Filed under
Security
  • The Epic Crime Spree Unleashed By Onity's Ambivalence To Its Easily Hacked Hotel Locks

    Back in 2012, we wrote about Onity, the company that makes a huge percentage of the keycard hotel door locks on the market, and how laughably easy it was to hack its locks with roughly $50 of equipment. Surprisingly, Onity responded to the media coverage and complaints from its hotel customers with offers of fixes that ranged from insufficient (a piece of plastic that covered the port used to hack the door locks) to cumbersome (replacing the circuit boards on the locks entirely) and asked many of these customers to pay for these fixes to its broken product. Many of these customers wanted to sue Onity for obvious reasons, but a judge ruled against allowing a class action suit to proceed. That was our last story on the subject.

  • Site sells Instagram users’ phone and e-mail details, $10 a search

    At first glance, the Instagram security bug that was exploited to obtain celebrities' phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger.

  • Celebs’ phone numbers and e-mail addresses exposed in active Instagram hack
  • Intel kill switch code indicates connection to NSA

    Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).

    Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU with deep access to system processes and could be active even if the system were hibernating or shut off.

Security: Pacemaker Security, Female Hackers, Internet of Things 'Leaks'

Filed under
Security
  • FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security

    We've well established that the internet of things (IOT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail password leaking refrigerator take on a decidedly darker tone when we're talking about your health. The health industry's outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment -- and integral medical implants like pacemakers.

    After a decade of warnings about dubious pacemaker security, researchers at MedSec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical were vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical's first response was an outright denial, followed by a lawsuit against MedSec for "trying to frighten patients and caregivers."

  • What Being a Female Hacker {sic} Is Really Like
  • Even encrypted data streams from the Internet of Things are leaking sensitive information; here’s what we can do

    As the Internet of Things (IoT) begins to enter the mainstream, concerns about the impact such “smart” devices will have on users’ privacy are growing. Many of the problems are obvious, but so far largely anecdotal. That makes a new paper from four researchers at Princeton University particularly valuable, because they analyze in detail how IoT devices leak private information to anyone with access to Internet traffic flows, and what might be done about it. Now that basic privacy protections for Internet users have been removed in the US, allowing ISPs to monitor traffic and sell data about their customers’ online habits to third parties, it’s an issue with heightened importance.

Security: Intel ME Back Door, Updates, Back Doors in Cars, Pacemaker, FCC, Hotel and GitHub Flukes

Filed under
Security
  • A Workaround To Disable Intel Management Engine 11

    Positive Technologies is now reporting on a discovery by one of their researchers that makes it possible to disable Intel Management Engine 11 (Skylake era) after finding an undocumented mode.

    The security researchers discovered "an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage." Those wanting to learn more can read this blog post.

  • Security updates for Thursday
  • Quebec man fights back after dealer remotely disables car over $200 fee

    A car dealership in Sherbrooke, Que., may have broken the law when it used a GPS device to disable the car of a client who was refusing to pay an extra $200 fee, say consumer advocates consulted by CBC News.

    [...]

    "To turn off somebody's vehicle after he had already paid off the loan is clearly illegal … it's not your car anymore," Iny said.

  • 465k patients told to visit doctor to patch critical pacemaker vulnerability

    Talk about painful software updates. An estimated 465,000 people in the US are getting notices that they should update the firmware that runs their life-sustaining pacemakers or risk falling victim to potentially fatal hacks.

    Cardiac pacemakers are small devices that are implanted in a patient's upper chest to correct abnormal or irregular heart rhythms. Pacemakers are generally outfitted with small radio-frequency equipment so the devices can be maintained remotely. That way, new surgeries aren't required after they're implanted. Like many wireless devices, pacemakers from Abbott Laboratories contain critical flaws that allow hijackers within radio range to seize control while the pacemakers are running.

  • FDA alerts on pacemaker recall for cyber flaw

    The FDA issued an alert Aug. 29 regarding manufacturer Abbott's recall notice affecting six pacemaker devices. The recall is for firmware updates that will "reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities," the FDA wrote in its alert.

  • FCC “apology” shows anything can be posted to agency site using insecure API

    The Federal Communications Commission's website already gets a lot of traffic—sometimes more than it can handle. But thanks to a weakness in the interface that the FCC published for citizens to file comments on proposed rule changes, there's a lot more interesting—and potentially malicious—content now flowing onto one FCC domain. The system allows just about any file to be hosted on the FCC's site—potentially including malware.

  • Inside an Epic Hotel Room Hacking {sic} Spree

    Even after my article on Brocious’ lock hacking and his high-profile Las Vegas reveal, Onity didn’t patch the security flaw in its millions of vulnerable locks. In fact, no software patch could fix it. Like so many other hardware companies that increasingly fill every corner of modern society with tiny computers, Onity was selling a digital product without much of a plan to secure its future from hackers. It had no update mechanism for its locks. Every one of the electronic boards inside of them would need to be replaced. And long after Brocious’ revelation, Onity announced that it wouldn’t pay for those replacements, putting the onus on its hotel customers instead. Many of those customers refused to shell out for the fix—$25 or more per lock depending on the cost of labor—or seemed to remain blissfully unaware of the problem.

    [...]

    and demanded Cashatt’s entire communication history from Facebook.

  • How I lost 17,000 GitHub Auth Tokens in One Night

    Turns out that there was a bug in my logic but not necessarily my code. After all, it did run flawlessly for a few years. So if my code was fine, where was the bug?

    Looking at the update time of some of the records, I was able to place them roughly around the time of another event: A GitHub outage.

  • 7 Things to Know About Today's DDoS Attacks

    Distributed denial-of-service (DDoS) attacks continue to be a weapon of choice among threat actors seeking to extort money from victims, disrupt operations, conceal data-exfiltration activities, further hacktivist causes, or even to carry out cyberwar.

    What was once a threat mostly to ISPs and organizations in the financial services, e-commerce, and gaming industry, has become a problem for businesses of all sizes. A small company is just as likely these days to become a target of a DDoS attack, as a big one — and for pretty much the same reasons.

  • Security ROI isn't impossible, we suck at measuring

    As of late I've been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you're doing makes sense. By the very nature of business, some of the things we do have more value than other things. Some things even have negative value. If we don't know which things are the most important, we're just doing voodoo security.
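The three items about the Intel ME "kill switch" on this page (the Positive Technologies finding quoted in this post, "Intel kill switch code indicates connection to NSA" and "Intel ME controller chip has secret kill switch" above) describe an undocumented strap that stops the ME early in boot, but none says how to see what state your own ME reports. As an added example, not code from Positive Technologies, Intel or any article above, the Python below decodes the ME host firmware status register (HFSTS1) that the HECI/MEI device exposes in its PCI configuration space. The device address (bus 0, device 0x16, function 0), the register offset (0x40) and the field layout and names are assumptions taken from coreboot's public me.h and its intelmetool, not from this page, and the sample register values are constructed, not captured from hardware.

```python
"""Decode Intel ME HFSTS1 (host firmware status register 1).

Added example; layout assumed from coreboot's me.h / intelmetool, not from the
articles quoted above. Register values in SAMPLES are constructed for the demo.
"""
import sys
from typing import Dict, Optional

# Assumption: the HECI/MEI controller is PCI 00:16.0 and HFSTS1 is at config offset 0x40.
HECI_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"
HFSTS1_OFFSET = 0x40

# Field names follow coreboot's me.h; codes it does not name are reported numerically.
WORKING_STATE = {0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal",
                 6: "Disable Wait", 7: "Transition", 8: "Invalid CPU"}
OPERATION_MODE = {0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
                  4: "Security Override via Jumper",
                  5: "Security Override via MEI Message"}
ERROR_CODE = {0: "No Error", 1: "Uncategorized Failure", 3: "Image Failure",
              4: "Debug Failure"}


def decode_hfsts1(value: int) -> Dict[str, object]:
    """Split a 32-bit HFSTS1 value into its fields (bit positions per coreboot)."""
    value &= 0xFFFFFFFF
    ws, err, mode = value & 0xF, (value >> 12) & 0xF, (value >> 16) & 0xF
    return {
        "working_state": WORKING_STATE.get(ws, f"Unknown ({ws})"),        # bits 0-3
        "mfg_mode": bool(value & (1 << 4)),                                 # bit 4
        "fpt_bad": bool(value & (1 << 5)),                                  # bit 5
        "operation_state": (value >> 6) & 0x7,                              # bits 6-8
        "fw_init_complete": bool(value & (1 << 9)),                         # bit 9
        "ft_bup_ld_flr": bool(value & (1 << 10)),                           # bit 10
        "update_in_progress": bool(value & (1 << 11)),                      # bit 11
        "error_code": ERROR_CODE.get(err, f"Unknown ({err})"),             # bits 12-15
        "operation_mode": OPERATION_MODE.get(mode, f"Unknown ({mode})"),   # bits 16-19
        "boot_options_present": bool(value & (1 << 24)),                    # bit 24
    }


def me_appears_active(value: int) -> bool:
    """Demo heuristic: a fully booted ME running in its normal mode.

    Anything else (temporarily disabled, recovery, error, init never finished)
    returns False so the caller looks at the individual fields."""
    f = decode_hfsts1(value)
    return (f["working_state"] == "Normal"
            and f["operation_mode"] == "Normal"
            and bool(f["fw_init_complete"]))


def read_hfsts1(path: str = HECI_CONFIG) -> Optional[int]:
    """Read HFSTS1 from sysfs; needs root (unprivileged reads stop at 64 bytes).

    Returns None when the device or the register cannot be read."""
    try:
        with open(path, "rb") as cfg:
            cfg.seek(HFSTS1_OFFSET)
            raw = cfg.read(4)
    except OSError:
        return None
    if len(raw) != 4:
        return None
    return int.from_bytes(raw, "little")   # PCI config space is little-endian


def describe(value: int) -> str:
    """Human-readable dump of one register value plus the demo verdict."""
    fields = decode_hfsts1(value)
    lines = [f"HFSTS1 = 0x{value:08x}"]
    lines += [f"  {name:<22} {val}" for name, val in fields.items()]
    lines.append("  verdict: " + ("ME running normally" if me_appears_active(value)
                                  else "ME not in normal operation, inspect fields"))
    return "\n".join(lines)


# Constructed sample values (not captured from hardware): a normally running ME,
# and one reporting operation mode 3 with a working state that never reached Normal.
SAMPLES = {"normal": 0x00000345, "mode3": 0x00030001}

if __name__ == "__main__":
    live = read_hfsts1() if sys.platform.startswith("linux") else None
    if live is None:
        for label, sample in SAMPLES.items():
            print(f"[{label} sample]\n{describe(sample)}\n")
    else:
        print(describe(live))
```

Run it as root on a Linux box to see the live register; without root (or off Linux) it prints the two constructed samples. The decoder only makes the register readable: which working state and operation mode an ME silenced through the undocumented strap actually reports should be checked against Positive Technologies' own writeup rather than inferred from the field names here.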

More in Tux Machines

Microsoft EEE

  • Why the Windows Subsystem for Linux Matters to You – Even if You Don’t Use it [Ed: Microsoft pulling an EEE on GNU/Linux matters. Sure it does... while suing GNU/Linux with software patents Microsoft says it "loves Linux".]
  • Canonical Teams Up with Microsoft to Enable New Azure Tailored Ubuntu Kernel
    In a joint collaboration with Microsoft's Azure team, Canonical managed to enable a new Azure tailored Ubuntu kernel in the Ubuntu Cloud Images for Ubuntu 16.04 LTS on Azure starting today, September 21, 2017. The Azure tailored Ubuntu kernel is now enabled by default for the Ubuntu Cloud images running the Ubuntu 16.04 LTS (Xenial Xerus) operating system on Microsoft's Azure cloud computing platform, and Canonical vows to offer the same level of support as the rest of its Ubuntu kernels until the operating system reaches end of life.

Servers: Kubernetes, Cloud Native Computing Foundation (CNCF), and Sysadmin 101

  • Kubernetes Snaps: The Quick Version
    When we built the Canonical Distribution of Kubernetes (CDK), one of our goals was to provide snap packages for the various Kubernetes clients and services: kubectl, kube-apiserver, kubelet, etc. While we mainly built the snaps for use in CDK, they are freely available to use for other purposes as well. Let’s have a quick look at how to install and configure the Kubernetes snaps directly.
  • Kubernetes is Transforming Operations in the Enterprise
    At many organizations, managing containerized applications at scale is the order of the day (or soon will be). And few open source projects are having the impact in this arena that Kubernetes is. Above all, Kubernetes is ushering in “operations transformation” and helping organizations make the transition to cloud-native computing, says Craig McLuckie, co-founder and CEO of Heptio and a co-founder of Kubernetes at Google, in a recent free webinar, ‘Getting to Know Kubernetes.’ Kubernetes was created at Google, which donated the open source project to the Cloud Native Computing Foundation.
  • Kubernetes gains momentum as big-name vendors flock to Cloud Native Computing Foundation
    Like a train gaining speed as it leaves the station, the Cloud Native Computing Foundation is quickly gathering momentum, attracting some of the biggest names in tech. In the last month and a half alone AWS, Oracle, Microsoft, VMware and Pivotal have all joined. It’s not every day you see this group of companies agree on anything, but as Kubernetes has developed into an essential industry tool, each of these companies sees it as a necessity to join the CNCF and support its mission. This is partly driven by customer demand and partly by the desire to simply have a say in how Kubernetes and other related cloud-native technologies are developed.
  • The Cloud-Native Architecture: One Stack, Many Options
    As the chief technology officer of a company specializing in cloud-native storage, I have a first-hand view of the massive transformation happening right now in enterprise IT. In short, two things are happening in parallel right now that make it radically simpler to build, deploy and run sophisticated applications. The first is the move to the cloud. This topic has been discussed so much that I won’t try to add anything new. We all know it’s happening, and we all know that its impact is huge.
  • Sysadmin 101: Leveling Up
    I hope this description of levels in systems administration has been helpful as you plan your own career. When it comes to gaining experience, nothing quite beats making your own mistakes and having to recover from them yourself. At the same time, it sure is a lot easier to invite battle-hardened senior sysadmins to beers and learn from their war stories. I hope this series in Sysadmin 101 fundamentals has been helpful for those of you new to the sysadmin trenches, and also I hope it helps save you from having to learn from your own mistakes as you move forward in your career.

Databases: PostgreSQL 10 RC1 and Greenplum

  • PostgreSQL 10 RC1 Released
    The PostgreSQL Global Development Group announces today that the first release candidate of version 10 is available for download. As a release candidate, 10 RC 1 should be identical to the final release of the new version. It contains fixes for all known issues found during testing, so users should test and report any issues that they find.
  • PostgreSQL 10 Release Candidate 1 Arrives
    PostgreSQL 10 has been queuing up improvements to declarative partitioning, logical replication support, an improved parallel query system, SCRAM authentication, performance speed-ups, hash indexes that are now WAL-logged, extended statistics, new integrity checking tools, smart connection handling, and many other promising improvements. Our earlier performance tests of PostgreSQL 10 during its beta phase showed some speed-ups over PostgreSQL 9.
  • Pivotal Greenplum Analytic Database Adds Multicloud Support
    Pivotal’s latest release of its Greenplum analytic database includes multicloud support and, for the first time, is based entirely on open source code. In 2015, the company open sourced the core of Pivotal Greenplum as the Greenplum Database project. “This is the first commercially available release that we are shipping with the open source project truly at its core,” said Elisabeth Hendrickson, VP of data research and development at Pivotal.

Graphics: NVIDIA Progress, VC4/VC5, Intel's Linux Driver & Mesa

  • NVIDIA 384.90 Linux Driver Brings Fixes, Quadro P5200 Support
    One day after releasing updated GeForce Linux legacy drivers, NVIDIA is now out with an update to their long-lived 384 branch. The NVIDIA 384 Linux series is the current latest series for their proprietary driver. Coming out today is the 384.90 update that is primarily comprised of bug fixes but also includes Quadro P5200 support.
  • NVIDIA Continues Prepping The Linux Desktop Stack For HDR Display Support
    Besides working on the new Unix device memory allocator project, they have also been engaged with upstream open-source Linux developers over preparing the Linux desktop for HDR display support. Alex Goins of the NVIDIA Linux team presented on their HDR ambitions for the Linux desktop and the work they are still doing for prepping the X.Org stack for dealing with these next-generation computer displays. This is a project they have also been looking at for more than one year: NVIDIA Is Working Towards HDR Display Support For Linux, But The Desktop Isn't Ready.
  • The State Of The VC4 Driver Stack, Early Work On VC5
    Eric Anholt of Broadcom just finished presenting at XDC2017 Mountain View on the state of the VC4 driver stack most notably used by the Raspberry Pi devices. Additionally, he also shared about his early work on the VC5 driver for next-generation Broadcom graphics.
  • Intel's Linux Driver & Mesa Have Hit Amazing Milestones This Year
    Kaveh Nasri, the manager of Intel's Mesa driver team within the Open-Source Technology Center since 2011, spoke this morning at XDC2017 about the accomplishments of his team and more broadly the Mesa community. Particularly over the past year there has been amazing milestones accomplished for this open-source driver stack.