Security Leftovers

Filed under
Security
  • Ransomware Hits Georgia Courts As Municipal Attacks Spread [iophk: "Windows TCO"]

    "There’s definitely an increase or uptick in the amount of ransomware campaigns that we’re seeing out there, but it’s not specific to municipalities or state or federal organizations, it’s just pretty much across the board in every industry vertical," says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. "We’re working seven consecutive ransomware attacks right now—a couple of manufacturing, a couple of credit unions, and one local type of government incident."

  • Singapore Government Announces Third Bug Bounty Program

    The latest bug bounty program, similar to the previous two, will be hosted by HackerOne. The project is conducted in collaboration with the Cyber Security Agency of Singapore (CSA) and the Government Technology Agency of Singapore (GovTech).

    HackerOne will invite approximately 200 international hackers and 100 local hackers to take part in the challenge, which offers payouts between $250 and $10,000 per vulnerability report. The program will run from July to August and results will be announced in September.

  • US officials are talking about banning end-to-end encryption again

    A source believed to have been in attendance said, "The two paths were to either put out a statement or a general position on encryption, and [say] that they would continue to work on a solution, or to ask Congress for legislation," adding that the importance of the matter was reflected by the attendance of a group of Number 2s (from different stakeholder agencies, it's not a scatological reference).

    The problem for end users doesn't end with the NSA getting a better foothold on your WhatsApp chats because whilst it'll be easier for law enforcement and security agencies to see if you're up to no good, relaxing encryption also opens up a much wider foothold for [attackers] and cybercriminals to abuse the services too. And that's not to mention that if friendly intelligence can access your data, then foreign spies and snoopers can as well - it's all or nothing.

  • Exploit Using Microsoft Excel Power Query for Remote DDE Execution Discovered

    The Mimecast Threat Center team reached out to the Microsoft Security Response Center (MSRC) with our information and a working proof of concept. MSRC opened a case, but Microsoft decided not to fix this behavior; their response included a workaround of either using a Group Policy to block external data connections or using the Office Trust Center to achieve the same. MSRC accepted our request to publish this research per the CVD policy.

  • How [Attackers] Turn Microsoft Excel's Own Features Against It [iophk: fails to mention improved options like LibreOffice and Calligra]

    On Thursday, researchers from threat intelligence firm Mimecast are disclosing findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks. Power Query allows users to combine data from various sources with a spreadsheet—like a database, second spreadsheet, document, or website. This mechanism for linking out to another component, though, can also be abused to link to a malicious webpage that contains malware. In this way, attackers can distribute tainted Excel spreadsheets that wreak havoc, from granting attackers system privileges to installing backdoors.

    "Attackers don’t need to invest in a very sophisticated attack—they can just open up Microsoft Excel and use its own tools," says Meni Farjon, Mimecast's chief scientist. "And you have basically 100 percent reliability. The exploit will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it's based on a legitimate feature. That makes it very viable for attackers."

  • Cyber warfare is here

    Cybereason said they weren’t going to name the affected providers, but said many were sizable, and that it didn’t find evidence that North American providers had been infiltrated.

    The company also didn’t notify the targeted individuals.

    Cybereason thinks an [attack] this sophisticated is very likely the work of a nation-state.
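The two Power Query items above describe a workbook that pulls a remote page through an external data connection and ends up evaluating a DDE formula. The following is an added example, not Mimecast's proof of concept and not Microsoft's workaround: a static triage script that opens an .xlsx as the zip it is and reports the parts a gateway or EDR would care about before a user opens the file. Assumptions: the OOXML part names and the <DataMashup> root element that Power Query stores its queries under are taken from real workbooks; the policy in verdict() and the workbook produced by build_sample_xlsx() are constructed for this example.

```python
"""Static triage of .xlsx files for external data connections and DDE formulas."""
import io
import re
import zipfile
from typing import Any, Dict, Optional
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# A DDE formula has the shape  application|topic!item  (e.g.  cmd|' /c calc'!A0 ).
# Ordinary formulas such as SUM(A1:A3) never contain a '|' followed by a '!'.
DDE_RE = re.compile(r"^\s*=?\s*[A-Za-z0-9_.]+\s*\|.*!", re.S)


def scan_xlsx(data: bytes) -> Dict[str, Any]:
    """Collect the facts a reviewer wants before the workbook reaches Excel."""
    findings: Dict[str, Any] = {
        "connections": [],      # every external data connection, Power Query or not
        "power_query": False,   # a DataMashup customXml part is present
        "external_links": 0,    # links to other workbooks
        "dde_formulas": [],     # (sheet part, cell, formula text)
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()

        # 1. Data connections part: each <connection> element is an external source.
        if "xl/connections.xml" in names:
            root = ET.fromstring(z.read("xl/connections.xml"))
            for conn in root.iter(NS + "connection"):
                findings["connections"].append(
                    {"name": conn.get("name", ""), "type": conn.get("type", "")})

        # 2. Power Query serialises its queries into a customXml part rooted at <DataMashup>.
        for n in names:
            if n.startswith("customXml/item") and n.endswith(".xml") and b"DataMashup" in z.read(n):
                findings["power_query"] = True

        # 3. External workbook links: another legitimate feature with the same abuse potential.
        findings["external_links"] = sum(1 for n in names if n.startswith("xl/externalLinks/"))

        # 4. DDE-style formulas in any worksheet cell.
        for n in names:
            if n.startswith("xl/worksheets/sheet") and n.endswith(".xml"):
                root = ET.fromstring(z.read(n))
                for cell in root.iter(NS + "c"):
                    f = cell.find(NS + "f")
                    if f is not None and f.text and DDE_RE.match(f.text):
                        findings["dde_formulas"].append((n, cell.get("r"), f.text))
    return findings


def verdict(findings: Dict[str, Any]) -> str:
    """Assumed policy: DDE from outside is never legitimate; connections need review."""
    if findings["dde_formulas"]:
        return "block"
    if findings["connections"] or findings["power_query"] or findings["external_links"]:
        return "review"
    return "ok"


def build_sample_xlsx(with_connection: bool, dde_formula: Optional[str]) -> bytes:
    """Construct a minimal workbook in memory (constructed test data, not a real sample)."""
    cells = '<c r="A1"><v>1</v></c>'
    if dde_formula:
        cells += f'<c r="B1"><f>{escape(dde_formula)}</f><v>0</v></c>'
    sheet = (f'<worksheet xmlns="{NS[1:-1]}"><sheetData><row r="1">{cells}</row>'
             '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")            # placeholder parts
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_connection:
            z.writestr("xl/connections.xml",
                       f'<connections xmlns="{NS[1:-1]}"><connection id="1" '
                       'name="Query - payload" type="100"/></connections>')
            z.writestr("customXml/item1.xml",
                       '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
                       'AAAA</DataMashup>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_xlsx(False, None)),
                        ("power-query + dde", build_sample_xlsx(True, "cmd|' /c calc'!A0"))):
        print(label, verdict(scan_xlsx(blob)))
```

The script only looks at structure, so it cannot tell a benign database query from one pointed at a hostile web page; that is exactly why the Group Policy and Trust Center settings mentioned above block or prompt on all external data connections rather than trying to judge them.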

Security and DRM Leftovers

Filed under
Security
  • GNU Binutils Binary File Descriptor Library Heap-Based Buffer Over-Read Vulnerability [CVE-2019-12972]

    A vulnerability in the Binary File Descriptor (BFD) library, as distributed in GNU Binutils, could allow a local attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to a heap-based buffer over-read condition that exists in the _bfd_doprnt function, as defined in the bfd.c source code file of the affected software. An attacker could exploit this vulnerability by submitting malicious Executable and Linkable Format (ELF) input to the targeted system. A successful exploit could cause the affected software to stop responding or crash, resulting in a DoS condition. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. The vendor has confirmed the vulnerability and released software updates.

  • enSilo Endpoint Security Platform 3.1 Product Review

    The collector installers were straightforward, but we found the server to be confusing. We had trouble getting all VMs to report back to the cloud server. Additionally, we were unable to get the Ubuntu machine installed and reporting correctly.

    We were able to get the CentOS machine online and connected, but when we went back and checked on it, it was in a disconnected state. The reasons for this were unclear to us, and, we concluded, the Linux offerings need some work.

  • Cleaning a broken GNUpg (gpg) key

    I've long said that the main tools in the Open Source security space, OpenSSL and GnuPG (gpg), are broken and only a complete re-write will solve this. And that is still pending as nobody came forward with the funding. It's not a sexy topic, so it has to get really bad before it'll get better.

    Gpg has a UI that is close to useless. That won't substantially change with more bolted-on improvements.

    Now Robert J. Hansen and Daniel Kahn Gillmor had somebody add ~50k signatures (read 1, 2, 3, 4 for the gory details) to their keys and - oops - they say that breaks gpg.

    But does it?

  • Multiple Facebook Pages Caught Spreading Remote Access Trojans Since 2014

    Researchers from cybersecurity firm Check Point have uncovered a Facebook campaign that has been spreading malware since 2014. The campaign was operating under the posts that discussed the political situation in Libya.

    Notorious Remote Access Trojans (RATs) like SpyNote, Houdini and Remcos were spread through Facebook pages and it is believed that the residents of Libya, the US, China, and Europe have been affected by it.

  • Microsoft is about to shut off its ebook DRM servers: "The books will stop working"

    "The books will stop working": That's the substance of the reminder that Microsoft sent to customers for their ebook store, reminding them that, as announced in April, the company is getting out of the ebook business because it wasn't profitable enough for them, and when they do, they're going to shut off their DRM servers, which will make the books stop working.

    Almost exactly fifteen years ago, I gave an influential, widely cited talk at Microsoft Research where I predicted this exact outcome. I don't feel good about the fact that I got it right. This is a fucking travesty.

  • Sony, Microsoft, Nintendo Say Trump Tariffs Will Make Game Consoles Hugely More Expensive [Ed: Those are just DRM boxes]

    If you hadn't noticed by now, Trump's efforts to use tariffs to somehow magically improve the country's standing in the world aren't based on much in the way of sound logic or economic theory. And companies who've been forced to reconfigure and relocate their entire supply chains (to countries like Taiwan) to avoid massive penalties are likely to just pass those costs on to American consumers, something said consumers haven't really fully grokked yet. Countless CEOs think the entire gambit is immeasurably stupid, but have been hesitant to be too pointed in their criticism for fear of upsetting administration regulators.

    As the actual bill comes due however, consumers are likely to wake up from their slumber. Maybe.

    Case in point: Microsoft, Sony, and Nintendo this week fired off a letter to the Office of the United States Trade Representative, warning the Trump administration's plan to bump Chinese tariffs from 10 to 25 percent will have a profoundly negative impact on the game industry. With 96 percent of game consoles made in China last year, the act of reconfiguring their entire supply chains will have a massive impact on the sector's bottom line and the numerous connecting companies that tendril out from the big three gaming giants.

Security: Mozilla, OpenPGP and Reproducible Builds

Filed under
Security
  • How quickly do Firefox derived browsers receive security updates

    Mozilla released two security updates to their open source Firefox web browser just two days apart. This provided an excellent stress test and case study for how quickly Firefox derived web browsers ship security updates.

    The two security vulnerabilities in question, CVE-2019-11707 (MFSA-2019-18) and CVE-2019-11708 (MFSA-2019-19), were both zero-day critical security vulnerabilities that were known to be actively exploited on the web. Mozilla released Firefox 67.0.3 and 67.0.4 two days apart to address each of these issues.

    I’ll use the same Firefox derivatives I’ve featured before: Tor Browser, Cliqz, Waterfox, and Pale Moon.

  • Fixing Antivirus Errors

    After the release of Firefox 65 in December, we detected a significant increase in a certain type of TLS error that is often triggered by the interaction of antivirus software with the browser. Today, we are announcing the results of our work to eliminate most of these issues, and explaining how we have done so without compromising security.

    On Windows, about 60% of Firefox users run antivirus software and most of them have HTTPS scanning features enabled by default. Moreover, CloudFlare publishes statistics showing that a significant portion of TLS browser traffic is intercepted. In order to inspect the contents of encrypted HTTPS connections to websites, the antivirus software intercepts the data before it reaches the browser. TLS is designed to prevent this through the use of certificates issued by trusted Certificate Authorities (CAs). Because of this, Firefox will display an error when TLS connections are intercepted unless the antivirus software anticipates this problem.

    Firefox is different than a number of other browsers in that we maintain our own list of trusted CAs, called a root store. In the past we’ve explained how this improves Firefox security. Other browsers often choose to rely on the root store provided by the operating system (OS) (e.g. Windows). This means that antivirus software has to properly reconfigure Firefox in addition to the OS, and if that fails for some reason, Firefox won’t be able to connect to any websites over HTTPS, even when other browsers on the same computer can.

  • Hansen: SKS Keyserver Network Under Attack [Ed: Of course corporate media pretends this is a "Linux" thing and did lots of FUD, scaremongering etc.]

    This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

  • Cosmos Hub and Reproducible Builds

    Open source software allows us to build trust in a distributed, collaborative software development process, to know that the software behaves as expected and is reasonably secure. But the benefits of open source are strongest for those who directly interact with the source code. These people can use a computer which they trust to compile the source code into an operational version for themselves. Distributing binaries of open source software breaks this trust model, and reproducible builds restores it.

    Tendermint Inc is taking the first steps towards a trustworthy binary distribution process. Our investment in reproducible builds makes doing binary distributions of the gaia software a possibility. We envision that the Cosmos Hub community will be our partners in building trust in this process. The governance features of the Cosmos Hub will enable a novel collaboration between Tendermint and that validator community to release only binaries that can be trusted by anyone.

    Here is our game plan.

    The release of the cosmoshub-3 will support our new reproducible build process. Tendermint developers will make a governance proposal with the hashes of all supported binaries. We will ask ATOM holders to reproduce the builds on computers they control and vote YES if the hashes match.
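The governance step described above reduces to a mechanical check: rebuild, hash, compare with the proposal, and vote YES only if everything matches. The following is an added example of that check, not Tendermint's release tooling. Assumed: the proposal publishes its hashes in the sha256sum layout ("<hex>  <filename>"), the artifact names in demo() are placeholders, and the files demo() hashes are constructed stand-ins rather than real binaries.

```python
"""Reproduce-and-compare check behind a 'vote YES if the hashes match' proposal."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hex>  <name>' lines; reject anything that is not a 64-hex digest."""
    manifest: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")                      # sha256sum's binary-mode marker
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        int(digest, 16)                              # raises on non-hex
        manifest[name] = digest.lower()
    return manifest


def verify_build(manifest: Dict[str, str], build_dir: str) -> Tuple[bool, Dict[str, str]]:
    """Hash every artifact the proposal names and compare. A missing artifact is a
    failure: a partial reproduction must not turn into a YES vote."""
    status: Dict[str, str] = {}
    for name, expected in manifest.items():
        path = os.path.join(build_dir, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif sha256_file(path) == expected:
            status[name] = "match"
        else:
            status[name] = "MISMATCH"
    return all(s == "match" for s in status.values()), status


def vote(all_match: bool) -> str:
    """The rule from the passage: YES only when every hash matches."""
    return "YES" if all_match else "NO"


def demo() -> Tuple[str, str]:
    """Reproduce two constructed artifacts, then check them against an honest
    proposal and against one whose first digest has been altered."""
    names = ("gaiad-linux-amd64", "gaiacli-linux-amd64")   # placeholder names
    with tempfile.TemporaryDirectory() as build_dir:
        for i, name in enumerate(names):
            with open(os.path.join(build_dir, name), "wb") as f:
                f.write(b"constructed artifact %d\n" % i)   # stand-in for a real binary
        honest = "\n".join(f"{sha256_file(os.path.join(build_dir, n))}  {n}" for n in names)
        first, rest = honest.split("\n", 1)
        flipped = ("1" if first[0] == "0" else "0") + first[1:]
        tampered = flipped + "\n" + rest
        ok_honest, _ = verify_build(parse_manifest(honest), build_dir)
        ok_tampered, _ = verify_build(parse_manifest(tampered), build_dir)
    return vote(ok_honest), vote(ok_tampered)


if __name__ == "__main__":
    print(demo())   # ('YES', 'NO')
```

The value of the scheme is in who runs this: a hash published by the same party that built the binary proves nothing, whereas the same hash reached independently on many validators' machines does. The script therefore never downloads a binary to hash; it hashes what the voter built locally.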

IPFire 2.23 - Core Update 134 in testing updated

Filed under
GNU
Linux
Security

The kernel maintainers have added an additional patch for the TCP SACK fixes, so we had to update the kernel again, to 4.14.131.

If you have installed core134 from testing, please reinstall it if you are not already on kernel 4.14.131, by resetting /opt/pakfire/db/core/mine to 133 and running "pakfire upgrade" again.


Also (Debian): Paul Wise: FLOSS Activities June 2019

Security: VLC, Threats, FUD and More

Filed under
Security

Security Leftovers

Filed under
Security
  • Why cybersecurity has an open-source solution

    SHINN: Yeah. So you know, my colleagues in the open source community may have their own sort of different definitions about what they think open source is. But for me, open source has always been about the fact that if there’s something that I wanted to change in the software, I could do it. And that’s really the core. There are lots of other benefits of open source. It might be free, there might be a lot of people working on it, maybe there’s a community. But for me, it always started with the fact that I had a piece of software that I’m using, and I can make enhancements, changes and fixes.

    ABERMAN: True hacker culture.

    SHINN: That’s right. And in cybersecurity, that’s really important. There’s lots of really smart people out there. It’s not possible for any cybersecurity vendor to understand every possible situation in which their product might be used. The people who are going to understand that are the people who are closest to the problem. And it’s great if you can make it possible for them to enhance your software, and hopefully contribute that back to you. All boats rise together. So in the security world, we see some of the more interesting or powerful cybersecurity technologies, like snort, it blew away all of the other network based IDS’s that were out there, all the proprietary ones.

  • The [Microsoft Windows] Worm That Nearly Ate the Internet [iophk: "Windows TCO"]

    Neither theory was correct. While some experts still disagree, most now believe that Conficker was the work of Ukrainian cybercriminals building a platform for global theft who succeeded beyond all expectation, or desire. The last thing a thief wants is to draw attention to himself. Conficker’s unprecedented growth drew the alarmed attention of cybersecurity experts worldwide. It became, simply, too hot to use.

    This explanation was detailed in an article published in December 2015 by The Journal of Sensitive Cyber Research and Engineering, a classified, peer-reviewed publication issued by a federal interagency cybersecurity working group including the Pentagon, Department of Homeland Security and N.S.A. — and distributed to a small number of experts with the appropriate security clearances. The article itself was not classified, but reached only a small readership. I obtained a copy this year.

  • Boeing’s 737 Max Software Outsourced to $9-an-Hour Engineers

    The coders from HCL were typically designing to specifications set by Boeing. Still, “it was controversial because it was far less efficient than Boeing engineers just writing the code,” Rabin said. Frequently, he recalled, “it took many rounds going back and forth because the code was not done correctly.”

  • Hackers Have Been Stealing User Data From Global Cell Networks Since 2012

    We've noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry's treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry's refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.

    This week, carriers were once again exposed for not being the shining beacons of security they tend to advertise themselves as. A new report emerged this week showcasing how, for years, hackers have been exploiting substandard security at more than 10 global wireless carriers to obtain massive troves of data on specific targets of interest. Researchers at Boston-based Cybereason, who first discovered the operation, say the hackers exploited a vulnerability on an internet-connected web server to gain a foothold into each cell provider's internal network.

  • Here We Go Again: Trump Administration Considers Outlawing Encryption

    It's unclear what the final decision was, but if it was to back such a law, we'll know about it soon enough. There are some sensible folks on this issue -- including some from the intelligence communities who actually understand the security value of encryption. The State and Commerce Departments are both also said to support keeping encryption legal. It's mostly the law enforcement folks who are against encryption: including parts of the DOJ and FBI, ICE and the Secret Service. As if any of those need any more power. Homeland Security (of which ICE is a part) is apparently "internally divided."

    It's been said before, but this is not a debate. There is no debate. There is no "on the one hand, on the other hand." There is no "privacy v. security." This is "no privacy and weakened security v. actual privacy and actual security." There's literally no debate to be had here. If you understand the issues, encryption is essential, and any effort to take away end-to-end encryption is outlawing technology that keeps everyone safe. While Senators Feinstein and Burr released a truly dangerous bill a few years back to outlaw encryption, who knows what sort of nonsense would come out of this and whether or not it could actually get enough support in Congress. Hopefully not.

  • Medtronic recalls some insulin pumps as FDA warns they can be hacked

    Medtronic is recalling some models of insulin pumps that are open to hacks, and the Food and Drug Administration warned consumers on Thursday that they cannot be patched to fix the holes.

    It’s a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns over the vulnerability of these devices for years.

    The insulin pumps subject to the recall connect wirelessly to other insulin equipment, including glucose meters, a monitoring system and controls that pump insulin.

    “The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar ... or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis,” the FDA notice says.

  • EU to stage war games to prepare for hybrid threats

    Hybrid threats can be based on a wide variety of strategies, ranging from the spread of fake news to undermining trust and cyberattacks on energy or communication systems. Russia has often been blamed for using such tactics.

  • America’s Monopoly Crisis Hits the Military

    In historical terms, this is a shocking turnaround. Americans invented the telephone business and until recently dominated production and research. But in the last 20 years, every single American producer of key telecommunication equipment sectors is gone. Today, only two European makers—Ericsson and Nokia—are left to compete with Huawei and another Chinese competitor, ZTE.

    This story of lost American leadership and production is not unique. In fact, the destruction of America’s once vibrant military and commercial industrial capacity in many sectors has become the single biggest unacknowledged threat to our national security. Because of public policies focused on finance instead of production, the United States increasingly cannot produce or maintain vital systems upon which our economy, our military, and our allies rely. Huawei is just a particularly prominent example.

  • Felony Contempt of Business Model: Lexmark's Anti-Competitive Legacy

    Lexmark gave its customers the choice of paying extra for their cartridges (by buying refillable cartridges at a $50 premium), or paying extra for their toner (saving $50 on a cartridge whose "lock-out" chip prevented refilling, so that they would have to buy a whole cartridge when the non-refillable one ran dry). Customers, however, had a counteroffer for Lexmark: they wanted to save $50 on a "non-refillable" cartridge and then go ahead and refill it. After all, carbon is relatively abundant throughout the universe, and more locally, Earth has more carbon than it knows what to do with.

    Various competitors of Lexmark stepped up to help its customers with their counteroffer. One such company was Static Control Components, which reverse-engineered Lexmark's lock-out chip and found that its 55-byte program performed a relatively straightforward function that would be easy to duplicate: when a cartridge was newly filled, this chip signaled to the printer that the cartridge had available toner. Once the cartridge ran out, the chip would tell the printer that it had an empty cartridge. Refilling the cartridge did no good because the chip would still tell the printer that there was no toner available.

    After Static Control performed this bit of reverse engineering, it was able to manufacture its own chips, which it sold to remanufacturers, who would pour in fresh carbon, swap out the chip, and sell the cartridges. Lexmark had a strong objection to this. But like every business, Lexmark’s products should be subject to market pressures, including the possibility that customers will make uses (and re-uses) of your product that aren’t exactly what the manufacturer intended. Lexmark was in a position to create its own refilling business to compete with Static Control, of course. But it didn’t want to. Instead, it wanted to trap purchasers into the lucrative two-tier market it had dreamed up.

Security: OpenPGP, Huawei, Unchanged Passwords and BGP Filters

Filed under
Security
  • Community Impact of OpenPGP Certificate Flooding

    I wrote yesterday about a recent OpenPGP certificate flooding attack, what I think it means for the ecosystem, and how it impacted me. This is a brief followup, trying to zoom out a bit and think about why it affected me emotionally the way that it did.

    One of the reasons this situation makes me sad is not just that it's more breakage that needs cleaning up, or even that my personal identity certificate was on the receiving end. It's that it has impacted (and will continue impacting at least in the short term) many different people -- friends and colleagues -- who I know and care about. It's not just that they may be the next targets of such a flooding attack if we don't fix things, although that's certainly possible. What gets me is that they were affected because they know me and communicate with me. They had my certificate in their keyring, or in some mutually-maintained system, and as a result of what we know to be good practice -- regular keyring refresh -- they got burned.

    Of course, they didn't get actually, physically burned. But from several conversations i've had over the last 24 hours, i know personally at least a half-dozen different people who i personally know have lost hours of work, being stymied by the failing tools, some of that time spent confused and anxious and frustrated. Some of them thought they might have lost access to their encrypted e-mail messages entirely. Others were struggling to wrestle a suddenly non-responsive machine back into order. These are all good people doing other interesting work that I want to succeed, and I can't give them those hours back, or relieve them of that stress retroactively.

  • Nokia disowns CTO's comments about Huawei's 'sloppy' 5G kit

    The firm's chief technology officer Marcus Weldon warned: "That means being wary of adding Chinese vendors into network infrastructure, as long as these security vulnerabilities are either provably there or likely to be there based on past practices."

    Weldon, referring to recent research from Finite State which saw it uncover back doors in more than 55 per cent of Huawei devices, added: "We read those reports and we think okay, we're doing a much better job than they are."

  • Nokia distances itself from boss's warning over Huawei 5G kit

    In the UK, Huawei equipment has been subject to close scrutiny by a unit staffed by GCHQ. It has produced reports severely critical of the security of some software, although it has not found backdoors in the firm's products.

  • An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices

    Larry Cashdollar, an Akamai researcher, the first one to spot the malware, told ZDNet in a statement, “It’s using known default credentials for IoT devices to log in and kill the system.”

  • 14-year-old creates dangerous malware, starts bricking thousands of IoT devices
  • Huawei Gets ‘Green Signal’ From Trump To Resume Trade In US

    The possible lifting of the ban doesn’t come as a surprise. Last month, President Trump gave an unsatisfactory explanation of the Huawei ban and hinted that it could end soon. Huawei is currently on a 90-day temporary license in the US which was issued immediately after the ban was announced.

  • Trump Says He’ll Allow China’s Huawei to Buy From U.S. Suppliers

    President Donald Trump said he’ll allow Huawei Technologies Co. to buy products from U.S. suppliers, in a concession to China after talks with the country’s President Xi Jinping on Saturday.

    “U.S. companies can sell their equipment to Huawei,” Trump said at a news conference following the Group of 20 summit in Osaka, Japan. “We’re talking about equipment where there’s no great national security problem with it.”

    The Commerce Department last month moved to blacklist Huawei, cutting it off from U.S. suppliers, though many companies have managed to skirt the restrictions. Trump met with Xi on Saturday on the sidelines of the Group of 20 summit in Osaka, Japan, and agreed to pause the trade war between their countries.

  • The Infrastructure Mess Causing Countless Internet Outages

    The patchwork problem was on full display with the Cloudflare incident this week. Pennsylvania steel company Allegheny Technologies uses two internet providers for connectivity. It received accidental, inaccurate routing information from one provider, a small Midwest ISP, and unintentionally passed it on to its other provider, Verizon. The smaller ISP started the routing error, but Verizon—an internet backbone behemoth with massive resources—also had not implemented the BGP filters and authentication checks that would have caught the mistake. Without these protections in place, Verizon's other customers worldwide, including Cloudflare, experienced outages and failures. Verizon did not return a request for comment about the incident.
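The "BGP filters and authentication checks" the article says Verizon had not applied are a customer-facing import policy: accept from a customer only prefixes it has registered (in an IRR database or, for the authentication part, covered by RPKI ROAs), only with the customer as the leftmost AS, nothing more specific than a /24, and tear the session down if the prefix count explodes. The following is an added example of that logic, not any operator's real configuration; the ASNs and prefixes in demo() are constructed from private-use and documentation ranges, and the leak shape mirrors the incident above, where a customer re-announced routes learned from its other provider.

```python
"""Customer-facing BGP import filter: registered-prefix check, path check, max-len, max-prefix."""
import ipaddress
from typing import Iterable, List, Tuple

Announcement = Tuple[str, List[int]]          # (prefix, AS_PATH as received)


class CustomerImportFilter:
    def __init__(self, customer_asn: int, registered: Iterable[str],
                 max_len: int = 24, max_prefixes: int = 100):
        self.customer_asn = customer_asn
        # Allowed set: the customer's registered route objects / ROA-covered space.
        self.registered = [ipaddress.ip_network(p) for p in registered]
        self.max_len = max_len                # drop anything more specific than /24
        self.max_prefixes = max_prefixes      # per-session limit

    def evaluate(self, prefix: str, as_path: List[int]) -> Tuple[bool, str]:
        net = ipaddress.ip_network(prefix, strict=True)
        if not as_path or as_path[0] != self.customer_asn:
            return False, "leftmost AS is not the customer"
        if net.prefixlen > self.max_len:
            return False, f"more specific than /{self.max_len}"
        covered = any(net.version == r.version and net.subnet_of(r) for r in self.registered)
        if not covered:
            return False, "not covered by the customer's registered routes (leak)"
        return True, "accepted"

    def evaluate_session(self, announcements: Iterable[Announcement]):
        accepted: List[Tuple[str, str]] = []
        rejected: List[Tuple[str, str]] = []
        for prefix, path in announcements:
            ok, reason = self.evaluate(prefix, path)
            (accepted if ok else rejected).append((prefix, reason))
        if len(accepted) > self.max_prefixes:
            # max-prefix exceeded: the session is shut down and nothing is installed
            rejected += [(p, "session torn down: max-prefix exceeded") for p, _ in accepted]
            accepted = []
        return accepted, rejected


def demo():
    """A customer with two registered /24s that starts re-announcing a route it
    learned from its other upstream, plus a too-specific and a mis-originated route."""
    flt = CustomerImportFilter(customer_asn=64500,
                               registered=["203.0.113.0/24", "198.51.100.0/24"],
                               max_prefixes=4)
    announcements: List[Announcement] = [
        ("203.0.113.0/24", [64500]),           # its own prefix: accept
        ("198.51.100.0/25", [64500]),          # too specific: reject
        ("192.0.2.0/24", [64500, 64496]),      # someone else's prefix via its other upstream: leak
        ("203.0.113.0/24", [64511]),           # wrong leftmost AS: reject
    ]
    return flt.evaluate_session(announcements)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The registered list is the part that needs operational care: it has to be regenerated from IRR/RPKI data regularly, because a stale list rejects a customer's legitimate new prefix just as firmly as it rejects a leak.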

Security: Updates, Silex, History of Cellular Network Security, Are Wi-Fi Cameras Secure in 2019?

Filed under
Security
  • Security updates for Friday
  • New Silex malware is bricking IoT devices across the globe [Ed: Those are devices with default passwords set; the OS is irrelevant to it, but proprietary software vendors connected would have us believe otherwise]
  • Silex bricks 2,000 plus IoT devices, 14-year-old author has bigger plans for botnet [Ed: It all boils down to bad passwords]

    A new malware dubbed Silex has bricked at least 2,000 IoT devices in an ongoing campaign that is expected to intensify in the coming days.

  • The History of Cellular Network Security Doesn’t Bode Well for 5G

    There’s been quite a bit of media hype about the improvements 5G is set to supposedly bring to users, many of which are no more than telecom talking points. One aspect of the conversation that’s especially important to get right is whether or not 5G will bring much-needed security fixes to cell networks. Unfortunately, we will still need to be concerned about these issues—and more—in 5G.

    Past security flaws in the design of cell network infrastructure are being used for everything from large scale SMS spamming to enabling dragnet surveillance by law enforcement and spying in DC via cell site simulators (a.k.a. Stingrays, IMSI-catchers). Longtime cell network security researcher Roger Piqueras Jover has recently published a short but comprehensive reflection on the history of the cell security research that uncovered much of those flaws, and with it, his view of the security outlook for 5G.

    Jover draws attention to how rapidly the field of cell network security research has been accelerating. It took researchers over 10 years after GSM was first standardized and deployed to find the first security flaws in the GSM (2G) protocol. For LTE (4G), it took approximately 7 years. Fast forward to the 5G standard, which was finalized in March 2018. While there are currently no commercial implementations of 5G widely in use yet, researchers have already discovered over 6 critical security flaws in this new protocol.

  • Are Wi-Fi Cameras Secure in 2019?

    It seemed to happen without anyone noticing, but Wi-Fi cameras are popping up everywhere. In many cases, this includes our homes. Outdoor security cameras are common, but in some homes you’ll find them inside as well. They can be handy, but how secure are they?

    It’s handy being able to see inside your home when you’re not there, but what if someone else can see what’s going on inside your home? It may not be pleasant to think about, but it’s something worth considering if you’re shopping for wireless cameras.

Security: FUD, Package Hardening, Excel and OpenPGP

Filed under
Security
  • Silexbot Bricks Nearly 4,000 IoT Devices [Ed: The problem is the password, not the system]

    Cashdollar explained: “Silexbot is using known default credentials for IoT devices to login and kill the system. The bot does this by writing random data from /dev/random to any mounted storage it finds. Examining binary samples collected from my honeypot, I see Silexbot calling fdisk -l which will list all disk partitions. Using that list, Silexbot then writes random data from /dev/random to any of the partitions it discovers.”

  • package hardening asymptote

    In the long-term view the measurements have a distinctly asymptotic appearance and the graphs are maybe only good for their historical curves now. But then I wonder, what’s next? What new compiler feature adoption could be measured? I think there are still a few good candidates…

  • New Exploit for Microsoft Excel Power Query

    Proof-of-concept, which allows remote code execution, is latest to exploit Dynamic Data Exchange (DDE) and is another reminder why organizations must ensure Office settings are secure.

  • OpenPGP Certificate Flooding

    My public cryptographic identity has been spammed to the point where it is unusable in standard workflows. This blogpost talks about what happened, what I'm doing about it, and what it means for the broader ecosystem.
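A certificate that has been flooded with third-party certifications can be spotted before it is imported into a working keyring by counting the `sig` records that `gpg --with-colons --list-sigs` emits for each primary key. The checker below is an added example, not code from the blog post or from the GnuPG project; the `DEFAULT_THRESHOLD` value is an assumption, and the colon-format listing it parses is constructed rather than taken from a real keyring.

```python
"""Flag OpenPGP certificates whose third-party certification count is far
above anything a real web of trust produces (certificate flooding).

Added example. Input is the colon-delimited output of
`gpg --with-colons --list-sigs`: a `pub` record opens each primary key and
each following `sig` record carries the signer's key id in field 5.
The sample listing at the bottom is constructed.
"""

# Assumed cut-off: a well-connected key carries dozens of certifications,
# a flooded one carries tens of thousands. Tune for your environment.
DEFAULT_THRESHOLD = 1000


def count_certifications(colon_output):
    """Return {primary key id: (self_signatures, third_party_signatures)}."""
    counts = {}
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]          # key id of the primary key
            counts[current] = [0, 0]
        elif fields[0] == "sig" and current is not None:
            signer = fields[4]           # key id of whoever made the signature
            if signer == current:
                counts[current][0] += 1  # self-signature (binding a user id)
            else:
                counts[current][1] += 1  # certification by someone else
    return {key: tuple(pair) for key, pair in counts.items()}


def flooded_keys(colon_output, threshold=DEFAULT_THRESHOLD):
    """Key ids whose third-party certification count exceeds the threshold."""
    return sorted(
        key for key, (_, third_party) in count_certifications(colon_output).items()
        if third_party > threshold
    )


def constructed_listing():
    """Build a fake listing: one ordinary key and one flooded key."""
    alice = "ABCDEF0123456789"
    bob = "FEDCBA9876543210"
    lines = [
        f"pub:u:3072:1:{alice}:1560000000:::u:::scESC::::::23::0:",
        "uid:u::::1560000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:",
        f"sig:::1:{alice}:1560000000::::Alice Example <alice@example.org>:13x:::::2:",
        "sig:::1:1111111111111111:1560000100::::Carol <carol@example.org>:10x:::::2:",
        f"pub:u:3072:1:{bob}:1560000000:::u:::scESC::::::23::0:",
        "uid:u::::1560000000::CAFEBABE::Bob Example <bob@example.org>::::::::::0:",
        f"sig:::1:{bob}:1560000000::::Bob Example <bob@example.org>:13x:::::2:",
    ]
    # Flood Bob's certificate with thousands of certifications from throwaway keys.
    for i in range(5000):
        lines.append(f"sig:::1:{i:016X}:1560001000::::[User ID not found]:10x:::::2:")
    return "\n".join(lines)


SAMPLE_LISTING = constructed_listing()

if __name__ == "__main__":
    for key, (own, others) in count_certifications(SAMPLE_LISTING).items():
        print(f"{key}: {own} self-sig(s), {others} third-party certification(s)")
    print("flooded:", flooded_keys(SAMPLE_LISTING))
```

Run the real listing through it with `gpg --with-colons --list-sigs | python3 check_flood.py` (after replacing `SAMPLE_LISTING` with `sys.stdin.read()`); a key that trips the threshold is one to fetch with an import option that drops third-party signatures (recent GnuPG releases provide `--import-options self-sigs-only`) rather than pulling the whole certificate into a keyring that tools then choke on.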

Security Leftovers

Filed under
Security
  • To defeat ransomware, we must first diagnose it correctly: Today's Talker [iophk: "Windows TCO. Ransomware is a symptom of the cancer of Windows deployment."]

    Before the attack on Stuart, there were rapid-fire attacks through eight weeks. The enemy targeted the city of Baltimore, Maryland; Howard County, Indiana; Imperial County, California; Potter County, Texas; city of Albany, New York; the city of Greenville, North Carolina; Genesee County, Michigan; Orange County, North Carolina; Jackson County, Georgia; and the Cleveland airport.

  • Artificial Intelligence and Counterterrorism: Possibilities and Limitations

    Prepared Written Testimony and Statement for the Record of Alexander Stamos, Director, Stanford Internet Observatory before The U.S. House of Representatives Committee on Homeland Security, Subcommittee on Intelligence and Counterterrorism on June 25, 2019.

  • Premature Cyber Escalation

    This framing of the attack as a calculated attack to cause damage to Iranian missile C&C assets that’ll be time consuming and costly to repair, is very literally crazy talk. An analogy: a threat actor hacks a company, and on Friday, just before the end of the work day, they delete MS Office from every computer. The cost to the company is minimal as no one would be working over the weekend. No one except the poor IT staff who have to clean up the mess anyway. For the company the cost they pay is “unpleasant weekend for IT staff, and overtime money.” On the other hand, the company learns a great deal about their vulnerabilities, their risk exposure, and how to deal with a similar attack in future.

    At the cost of some inconvenience for some people, and a bit of money, the company learned a lot of valuable information about their weaknesses. They can now take remedial action to prevent it from happening again, and create processes and procedures to reduce the burden of recovering from such an attack. From any perspective, it’s a great bargain.

    The US used a cyber attack that gained them nothing, and the Iranians pay a small price to learn how to mitigate and respond to such a cyber attack. The US taught Iran a lesson alright, but I very much doubt it was: “if you like your military toys, then leave the US alone.”

  • NASA, Homeland Security receive D- grades on IT issues [iophk: "Windows TCO"]

    The House Oversight government operations subcommittee released version 8.0 of the Federal IT Acquisition Reform Act (FITARA) scorecard in a hearing on Wednesday.

    The scorecard gave IT scores to two dozen agencies, as well as individual scores for each agency in areas such as cybersecurity, the modernization of technology and transparency and risk management.

More in Tux Machines

Software: TenFourFox/Firefox, Linux Boot Loaders, Viber Alternatives, Switchconf, and HowTos

  • Clean out your fonts, people

    Thus, the number of fonts you have currently installed directly affects TenFourFox's performance, and TenFourFox is definitely not the only application that needs to know what fonts are installed. If you have a large (as in several hundred) number of font files and particularly if you are not using an SSD, you should strongly consider thinning them out or using some sort of font management system. Even simply disabling the fonts in Font Book will help, because under the hood this will move the font to a disabled location, and TenFourFox and other applications will then not have to track it further.

  • Some Of The Linux Boot Loaders
  • Best 4 Viber Alternatives Available to Download with Open-Source License

    We all know what Signal is. By using this app, you can easily talk to your friends without all the SMS fees. You can also create groups, share media and all kinds of attachments – it’s all private. The server never gets access to your messages. However, if you don’t like this app, we come with the best 5 alternatives for it.

  • New release of switchconf 0.0.16

    I have moved the development of switchconf from a private svn repo to a git repo in salsa: https://salsa.debian.org/debian/switchconf Created a virtual host called http://software.calhariz.com where I will publish the sources of the software that I take care of. Updated the Makefile to the git repo and released version 0.0.16.

  • How To Install VirtualBox Guest Additions on Ubuntu 18.04
  • How To Install Proxmox VE Hypervisor

OSS Leftovers

  • How open source and AI can take us to the Moon, Mars, and beyond

    Research institutions and national labs across the globe are pouring hundreds of thousands of research hours into every conceivable aspect of space science. And, overwhelmingly, the high performance computing (HPC) systems used for all research are running open source software. In fact, 100% of the current TOP500 supercomputers run on some form of Linux. Therefore, it’s likely that the future of space exploration will be built on the open source philosophy of knowledge sharing and collaboration among researchers and developers. Success will depend on the adoption of open technologies to stimulate collaboration among nations, as well as advances in the field of AI and machine learning. Although these are ambitious objectives that could take several years to fully implement, we are already seeing great progress: open source software is already running in space, AI and machine learning is used in spacecraft communications and navigation, and the number of commercial companies interested in the space economy is growing.

  • ElectrifAi launches AI industry’s first open source machine learning platform

    With the new platform, ElectrifAi’s data scientists – as well as those of its customers – can code and access data in any programming language. According to ElectrifAi, the incorporation of Docker Containers and Kubernetes enables the firm to build and deploy hybrid cloud enterprise solutions at scale.

  • The development of the open source platform – An industry perspective

    There has been much dialog, but not much action with regard to the evolution of retail trading platforms in recent years. For many brokerages, relying on the status quo which represents an unholy alliance between third party vendor MetaQuotes, thereby disabling a broker from owning its own client base or infrastructure and becoming subservient to an affiliate marketing platform rather than empowered by a multi-faceted trading platform, remains. FinanceFeeds has attended numerous meetings with brokerage senior executives across the globe, all of whom understand the value and importance of going down the multi-asset product expansion route, and almost all of whom understand the clear virtues of having a bespoke user interface which engenders a loyal customer base, enables brokers to own the entire intellectual property base of its business – which let’s face it is why entrepreneurs start businesses in the first place – and offer differentiating services to specific audiences. A simple glance at the continuity and geographic location of client bases of companies such as Hargreaves Lansdown or CMC Markets, and the absolute lack of reliance on affiliate networks is testimony to that. This week, Richard Goers, CEO of Australian professional trading platform development company ManagedLeverage spoke out about a continuing issue which is something that has been prominent in the viewpoint of FinanceFeeds for some years, that being the development of open source platforms.

  • Break Up Your Innovation Program, If You Want It To Survive

    With open-source software, problems are solved faster than by any other means.

  • Don’t be fooled by the [Internet]: this week in tech, 20 years ago

    One thing I wanted to say is, don’t be fooled by the internet. It’s cool to get on the computer, but don’t let the computer get on you. It’s cool to use the computer, don’t let the computer use you. Y’all saw The Matrix. There’s a war going on. The battlefield’s in the mind. And the prize is the soul. So just be careful. Be very careful. Thank you.

  • How Suse is taking open source deeper into the enterprise

    The diversity in the open source software world can be a boon and a bane to wider adoption in the enterprise. After all, without the right knowhow, it can be hard to figure out how they are going to work together on existing infrastructure – and if the chosen projects will eventually survive. That’s where open source companies such as Suse step in. While smaller than US-based rival Red Hat, Suse has found its footing in identifying and supporting open source projects that help to run mission-critical enterprise workloads, improve developer productivity and solve business problems in industries such as retail.

  • SUSE joins iRODS Consortium

    iRODS is open source storage data management software for data discovery, workflow automation, secure collaboration, and data virtualization. By creating a unified namespace and a metadata catalog of all the data and users within a storage environment, the iRODS rule engine allows users to automate data management. [...] Alan Clark, SUSE CTO Office lead focused on Industry Initiatives and Emerging Standards and chairman of the OpenStack Foundation board of directors, said, “SUSE is excited to join the iRODS Consortium, lending our open source technical expertise to help advance the iRODS data management software. The integration with SUSE Enterprise Storage helps customers lower total cost of ownership, leveraging commodity hardware to support their iRODS-managed storage environments. As a leading provider of open source software, SUSE helps our customers leverage the latest open source technologies for application delivery and software-defined infrastructure. SUSE tests and hardens our solutions, ensuring they are enterprise ready and backed by our superior support experience.”

  • Cortex Command Goes Open Source, Gets LAN Support

    To help facilitate future community development, Data Realms have released the game’s source code.

  • Why Open Source Matters For Chinese Tech Firms?

    As companies plow more and more investment into AI research, China has finally woken up to the realisation of open source and how it can shape the development of a field that’s becoming increasingly attractive. Over the last few years, open-source has become the foundation of innovation — and the major contributions come from tech giants like Facebook, Microsoft, Google, Uber and Amazon among others. In November 2015, Google made an unparalleled move by open-sourcing its software library — which now rivals Torch, Caffe and Theano. These are the open-source lessons that big Chinese companies seem to be learning fast. Traditionally, Chinese firms have trailed behind their US counterparts when it comes to the contributions from the US and Europe, but that’s changing now. Over a period of time, Chinese tech companies are trying to grow their influence in the open-source world by building a robust ecosystem. Not only that, they have learnt that open-sourcing tech can help attract great ML talent and increasingly it is also making good business sense. At a time when the AI tool stack is evolving, enterprises are rushing to grab a pie and provide a unified software and hardware technology stack. Internet and cloud Chinese tech giants have woken up to the promise of open source and AI-related datasets and models can serve the bigger business goals of the companies.

  • How Open Source Alluxio Is Democratizing Data Orchestration

    Alluxio is one of the many leading open-source projects/companies – including Spark and Mesosphere – that emerged from UC Berkeley Labs. Haoyuan (H.Y.) Li Founder, Chairman and CTO of Alluxio, sat down with Swapnil Bhartiya, Editor-in-Chief of TFIR to discuss how Alluxio is providing new ways for organizations to manage data at scale with its data orchestration platform. Alluxio’s data orchestration layer has increased efficiency by four times, so companies are finding that work that used to take one year now takes three months. For many enterprise companies, the path to the cloud starts with an intermediate step of a hybrid cloud approach, Li said. He also sees widespread enterprise adoption of a multi-cloud strategy.

  • Cloudera Moves To All-Open Source Model In Major Shift

    Amidst financial troubles and departure of chief executive Tom Reilly, company says it wants to emulate success of pure open source pioneer Red Hat.

  • Cloudera Follows Hortonworks' Open Source Lead

    Trying to survive the carnage AWS and the like are causing in the Big Data space, Cloudera is open sourcing its entire product line. [...] Less than six months after closing its merger with Hortonworks, the Big Data company Cloudera has announced it's going all open source.

Database News on YugaByte Going for Apache 2.0 Licence

  • YugaByte Becomes 100% Open Source Under Apache 2.0 License

    YugaByte, a provider of open source distributed SQL databases, announced that YugaByte DB is now 100% open source under the Apache 2.0 license, bringing previously commercial features into the open source core. The transition breaks the boundaries between YugaByte’s Community and Enterprise editions by bringing previously commercial-only, closed-source features such as Distributed Backups, Data Encryption, and Read Replicas into the open source core project distributed under the permissive Apache 2.0 license. Starting immediately, there is only one edition of YugaByte DB for developers to build their business-critical, cloud-native applications.

  • YugaByte's Apache 2.0 License Delivers 100% Open Source Distributed SQL Database

    YugaByte, the open source distributed SQL databases company, announced that YugaByte DB is now 100 percent open source under the Apache 2.0 license, bringing previously commercial features into the open source core. The move, in addition to other updates available now through YugaByte DB 1.3, allows users to more openly collaborate across what is now the world’s most powerful open source distributed SQL database.

  • SD Times Open-Source Project of the Week: YugaByte DB

    This week’s SD Times Open Source Project of the Week is the newly open-sourced YugaByte DB, which allows users to better collaborate on the distributed SQL database. The move to the open-source core project distributed under the Apache 2.0 license makes previously closed-sourced features such as distributed backups, data encryption and read replicas more accessible, according to the team. By doing this, YugaByte plans to break the boundaries between YugaByte’s Community and Enterprise editions. “YugaByte DB combines PostgreSQL’s language breadth with Oracle-like reliability, but on modern cloud infrastructure. With our licensing changes, we have removed every barrier that developers face in adopting a business-critical database and operations engineers face in running a fleet of database clusters, with extreme ease,” said Kannan Muthukkaruppan, co-founder and CEO of YugaByte.

Programming: Ruby, NativeScript, Python, Rust/C/C++ FUD From Microsoft