Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, CVE-2017-7543, and Windows Chaos Again

Filed under
Security
  • Security updates for Wednesday
  • Red Hat Secures Networking Flaws in OpenStack, the Linux Kernel

    Red Hat has fixed an important vulnerability in the OpenStack subsystem that’s used to manage network connectivity to and from virtual machines. If left unpatched, it could allow an attacker to access network resources from virtual machines.

    The vulnerability, tracked as CVE-2017-7543 in the Common Vulnerabilities and Exposures (CVE) database, is located in openstack-neutron, a “pluggable, scalable and API-driven” component of the Red Hat OpenStack Platform that’s used to provision networking services to virtual machines.

  • Atomicorp Releases First Kernel-Level Docker Security and is Available Today Through AWS, Azure and Direct
  • Shadow Brokers Eternal Exploits expected to remain effective

    The Shadow Brokers also leaked exploits such as EternalRomance which is similar to EternalBlue but targets Windows 7 SP1 machines using SMBv2 and targets a vulnerability in the process of handling SMBv1 transactions, EternalSynergy which uses a packet type confusion vulnerability, and EternalChampion which takes advantage of a race condition in transaction hand.

  • Shadow Brokers EternalPulsar malware: All you need to know about the leaked NSA SMB exploits

    Cylance researchers said the DoublePulsar backdoor, which experts previously said had successfully infected around 100,000 computers shortly after the exploit was leaked in April, functions as a backdoor providing hackers with secret access to Windows systems.

  • IoT Security for Developers

    Previous articles focused on how to securely design and configure a system based on existing hardware, software, IoT Devices, and networks. If you are developing IoT devices, software, and systems, there is a lot more you can do to develop secure systems.

    The first thing is to manage and secure communications with IoT Devices. Your software needs to be able to discover, configure, manage and communicate with IoT devices. By considering security implications when designing and implementing these functions you can make the system much more robust. The basic guideline is don’t trust any device. Have checks to verify that a device is what it claims to be, to verify device integrity, and to validate communications with the devices.

  • Powerful backdoor found in software used by >100 banks and energy cos. [Ed: Yet more back doors in proprietary software on Microsoft Windows]

    For 17 days starting last month, an advanced backdoor that gave attackers complete control over networks lurked in digitally signed software used by hundreds of banks, energy companies, and pharmaceutical manufacturers, researchers warned Tuesday.

    The backdoor, dubbed ShadowPad, was added to five server- or network-management products sold by NetSarang, a software developer with offices in South Korea and the US. The malicious products were available from July 17 to August 4, when the backdoor was discovered and privately reported by researchers from antivirus provider Kaspersky Lab. Anyone who uses the five NetSarang titles Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0, or Xlpd 5.0, should immediately review posts here and here from NetSarang and Kaspersky Lab respectively.

Security Leftovers

Filed under
Security

Security: Update, Ransomware, Microsoft Windows at Hotels and More Black Duck FUD

Filed under
Security
  • Security updates for Tuesday
  • Open Source Security Podcast: Episode 59 - The VPN Episode
  • Update gone wrong leaves 500 smart locks inoperable

    Hundreds of Internet-connected locks became inoperable last week after a faulty software update caused them to experience a fatal system error, manufacturer LockState said.

    The incident is the latest reminder that the so-called Internet of Things—in which locks, thermostats, and other everyday appliances are embedded with small Internet-connected computers—often provide as many annoyances as they do conveniences. Over the past week, the Colorado-based company's Twitter feed has been gorged with comments from customers who were suddenly unable to lock or unlock their doors normally. Complicating the matter: the affected LockState model—the RemoteLock 6i—is included in an Airbnb partnership called Host Assist. That left many hosts unable to remotely control their locks.

  • Ransomware Targeting WordPress – An Emerging Threat

    Recently, the Wordfence team has seen ransomware being used in attacks targeting WordPress. We are currently tracking a ransomware variant we are calling “EV ransomware.” The following post describes what this ransomware does and how to protect yourself from being hit by this attack.

  • AWS unveils AI monitoring for Amazon S3
  • FancyBear Use Leaked NSA “WannaCry” Exploit To Target Hospitality Industry [Ed: The solution to this is simple: don't use Microsoft Windows at hotels]

    Microsoft has indicated that a number of different versions of Windows are vulnerable to the EternalBlue exploit, even those currently receiving support. It is imperative that IT teams from all businesses across all industries ensure that the version of Windows that they are using is not vulnerable to EternalBlue and, if so, take the necessary steps to remediate it. With three attacks using this exploit having occurred over just the past few months, we’re likely to see cybercriminals continuing to deploy it until devices are patched and it is no longer an effective vector for them to spread malware.”

  • Researcher who neutralized WCry pleads not guilty to writing banking malware

    Marcus Hutchins, the British security researcher instrumental in neutralizing the virulent WCry ransomware worm that shut down computers worldwide in May, appeared in federal court Monday and pleaded not guilty to unrelated criminal charges that he created and distributed malware that steals banking credentials.

    [...]

    Hutchins, who works for Kryptos Logic of Los Angeles, is going to live in Los Angeles while awaiting an undetermined trial date. He will be tracked by a GPS monitoring device. He has been ordered not to touch the WCry sinkhole, presumably because if it's shut off, it could possibly make the ransomware start spreading again.

  • Innovation may be outpacing security in cars [Ed: ITProPortal cites the liars from Black Duck to make it sound as though FOSS is the root of all security issues. Profitable FUD (to them).]

    As the UK government’s car cybersec guidelines recognise, innovation may be outpacing security in cars. When you put new technology into cars, you’ll inevitably run into security challenges.

Security: Updates, Back Doors and More

Filed under
Security
  • Security updates for Monday
  • Former NSA Official Argues The Real Problem With Undisclosed Exploits Is Careless End Users [Ed: Many are NOT "Undisclosed Exploits" but back doors]

    As leaked NSA software exploits have been redeployed to cause computer-based misery all over the world, the discussion about vulnerability disclosures has become louder. The argument for secrecy is based on the assumption that fighting an existential threat (terrorism, but likely also a variety of normal criminal behavior) outweighs concerns the general public might have about the security of their software/data/personal information. Plenty of recent real-world examples (hospital systems ransomed! etc.) do the arguing for those seeking expanded disclosure of vulnerabilities and exploits.

    Former Deputy Director of the NSA Rick Ledgett appears on the pages of Lawfare to argue against disclosure, just as one would have gathered by reading his brief author bio. Ledgett's arguments, however, feel more like dodges. First off, Ledgett says the NSA shouldn't have to disclose every vulnerability/exploit it has in its arsenal, an argument very few on the other side of the issue are actually making. Then he says arguments against exploit hoarding "oversimplify" the issue.

  • But that's not my job!

    This week I've been thinking about how security people and non security people interact. Various conversations I have often end up with someone suggesting everyone needs some sort of security responsibility. My suspicion is this will never work.

  • HBO hackers release Curb Your Enthusiasm episodes

    Hackers who broke into HBO's computer systems last month continue to release the network's content, including episodes of the return of Curb Your Enthusiasm, which is slated to air in October.

  • The Ultimate Virus: How Malware Encoded In Synthesized DNA Can Compromise A Computer System

    If nothing else, this first DNA malware hack confirms that there is no unbridgeable gulf between the programs running in our cells, and those running on our computers. Digital code is digital code.

Free security service scans open source Linux IoT binaries

Filed under
Linux
OSS
Security

Insignary unveiled TruthIsIntheBinary, a free, cloud-based version of its Clarity binary code scanning software aimed at open source Linux IoT code.

Normally, we board-heads shy away from security software, but Insignary’s latest offering pushed all our buttons: Linux, free, open source, and “IoT security ticking time-bomb.” We were also slapped silly by the oracular sounding name.

Read more

Security: DNA, Marcus Hutchins, and Microsoft Windows in Hotels

Filed under
Security

Slackware Security and Windows Insecurity

Filed under
Microsoft
Security
Slack
  • OpenJDK7 and Flash Player security updates (Aug ’17)

    On the blog of IcedTea release manager Andrew Hughes (aka GNU/Andrew) you can find the announcement for IcedTea 2.6.11 which builds OpenJDK 7u151_b01. This release includes the official July 2017 security fixes for Java 7. Note that the security updates for Java 8 were already pushed to my repository some time ago.

  • Kremlin's hackers 'wield stolen NSA exploit to spy on hotel guests in Europe, Mid East'

    Miscreants are using various techniques, including the leaked NSA EternalBlue exploit also wielded by the WannaCry malware, to hack into laptops and other devices used by government and business travelers, FireEye researchers declared on Friday.

Security: Canonical, CVE-2017-12836, GDPR, CIS, Fancy Bear and More

Filed under
Security

Change Control Security Fixes

Filed under
Development
Security
Syndicate content

More in Tux Machines

NuTyX 10.1-rc1 Available

I'm very please to propose you the first release candidate version of the next version 10.1 stable version of NuTyX As they have been so many security issues, I took the chance to recompile all the collections (1701 packages) for this coming next stable NuTyX version. Read more

Android Leftovers

Events: FOSDEM Samba Talks, USENIX Enigma, LCA (linux.conf.au) and FAST18

  • Authentication and authorization in Samba 4
    Volker Lendecke is one of the first contributors to Samba, having submitted his first patches in 1994. In addition to developing other important file-sharing tools, he's heavily involved in development of the winbind service, which is implemented in winbindd. Although the core Active Directory (AD) domain controller (DC) code was written by his colleague Stefan Metzmacher, winbind is a crucial component of Samba's AD functionality. In his information-packed talk at FOSDEM 2018, Lendecke said he aimed to give a high-level overview of what AD and Samba authentication is, and in particular the communication pathways and trust relationships between the parts of Samba that authenticate a Samba user in an AD environment.
  • Two FOSDEM talks on Samba 4
    Much as some of us would love never to have to deal with Windows, it exists. It wants to authenticate its users and share resources like files and printers over the network. Although many enterprises use Microsoft tools to do this, there is a free alternative, in the form of Samba. While Samba 3 has been happily providing authentication along with file and print sharing to Windows clients for many years, the Microsoft world has been slowly moving toward Active Directory (AD). Meanwhile, Samba 4, which adds a free reimplementation of AD on Linux, has been increasingly ready for deployment. Three short talks at FOSDEM 2018 provided three different views of Samba 4, also known as Samba-AD, and left behind a pretty clear picture that Samba 4 is truly ready for use. I will cover the first two talks in this article, and the third in a later one.
  • A report from the Enigma conference
    The 2018 USENIX Enigma conference was held for the third time in January. Among many interesting talks, three presentations dealing with human security behaviors stood out. This article covers the key messages of these talks, namely the finding that humans are social in their security behaviors: their decision to adopt a good security practice is hardly ever an isolated decision. Security conferences tend to be dominated by security researchers demonstrating their latest exploits. The talks are attack-oriented, they keep a narrow focus, and usually they close with a dark outlook. The security industry has been doing security conferences like this for twenty years and seems to prefer this format. Yet, if you are tired of this style, the annual USENIX Enigma conference is a welcome change of pace. Most of the talks are defense-oriented, they have a horizon going far beyond technology alone, and they are generally focused on successful solutions.
  • DIY biology
    A scientist with a rather unusual name, Meow-Ludo Meow-Meow, gave a talk at linux.conf.au 2018 about the current trends in "do it yourself" (DIY) biology or "biohacking". He is perhaps most famous for being prosecuted for implanting an Opal card RFID chip into his hand; the Opal card is used for public transportation fares in Sydney. He gave more details about his implant as well as describing some other biohacking projects in an engaging presentation. Meow-Meow is a politician with the Australian Science Party, he said by way of introduction; he has run in the last two elections. He founded BioFoundry, which is "Australia's first open-access molecular biology lab"; there are now two such labs in the country. He is also speaks frequently as "an emerging technology evangelist" for biology as well as other topics.
  • Notes from FAST18

    I attended the technical sessions of Usenix's File And Storage Technology conference this week. Below the fold, notes on the papers that caught my attention.

Security: Vista10 and uTorrent Holes Found by Google

  • Google drops new Edge zero-day as Microsoft misses 90-day deadline

    Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn’t able to come up with a patch within Google’s non-negotiable “you have 90 days to do this” period.

  • Google Goes Public with Another Major Windows 10 Bug
    After revealing an Edge browser vulnerability that Microsoft failed to fix, Google is now back with another disclosure, this time aimed at Windows 10 Fall Creators Update (version 1709), but potentially affecting other Windows versions as well. James Forshaw, a security researcher that’s part of Google’s Project Zero program, says the elevation of privilege vulnerability can be exploited because of the way the operating system handles calls to Advanced Local Procedure Call (ALPC). This means a standard user could obtain administrator privileges on a Windows 10 computer, which in the case of an attack, could eventually lead to full control over the impacted system. But as Neowin noted, this is the second bug discovered in the same function, and both of them, labeled as 1427 and 1428, were reported to Microsoft on November 10, 2017. Microsoft said it fixed them with the release of the February 2018 Patch Tuesday updates, yet as it turns out, only issue 1427 was addressed.
  • uTorrent bugs let websites control your computer and steal your downloads

    The vulnerabilities, according to Project Zero, make it possible for any website a user visits to control key functions in both the uTorrent desktop app for Windows and in uTorrent Web, an alternative to desktop BitTorrent apps that uses a web interface and is controlled by a browser. The biggest threat is posed by malicious sites that could exploit the flaw to download malicious code into the Windows startup folder, where it will be automatically run the next time the computer boots up. Any site a user visits can also access downloaded files and browse download histories.

  • BitTorrent Client uTorrent Suffers Security Vulnerability (Updated)

    BitTorrent client uTorrent is suffering from an as yet undisclosed vulnerability. The security flaw was discovered by Google security researcher Tavis Ormandy, who previously said he would reveal a series of "remote code execution flaws" in torrent clients. BitTorrent Inc. has rolled out a 'patch' in the latest Beta release and hopes to fix the stable uTorrent client later this week.