Security

Security: Data Safety Code, Open Data Model, Microsoft Breaks Windows, Free Software Movement 'Hacking', and FUD From PVS Studio

Filed under
Security
  • Cracking The Data Safety Code

    Keeping our data safe online is something that we get told about a lot. That is because, as members of the information generation, it's all too easy for our most valuable assets, our identity and privacy, to be compromised. But how can we keep our data safer? Read on to find out.

  • Fighting Cyber Threats with an Open Data Model

    From ABTA, to election hacking to WannaCry, it seems not a day goes by without a cyber-attack dominating the headlines. Cybercrime doesn’t discriminate; it affects organizations of all shapes and sizes. Added to this is the mounting pressure caused by the EU General Data Protection Regulation (GDPR) which will penalize organizations that do not comply with laws that aim to keep customer data safe. It’s imperative for organizations to re-evaluate their security posture and plan for the future.

  • Windows 7 and 8.1 receive Patch Tuesday Updates [Ed: Mind last paragraph. Microsoft breaks Vista 7 again with a security update.]

    If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected. Microsoft is working on a resolution and will provide an update in an upcoming release.

  • Hacker Ethic and Free Software Movement

    Why does the word hacking go along with computers? The computer gives us a vast area to explore our creativity. Its huge code base, its intricacies and the complicated machines offer us opportunities to HACK.

  • Become a Certified Pentester with Super-Sized Ethical Hacking Course
  • 27 000 errors in the Tizen operating system [Ed: PVS Studio 'article' (marketing) that's made by liars. They extrapolate number of POTENTIAL bugs, based on 3.3% of code, then come up with this scary headline.]

Security: Open Source Security Podcast, Reproducible Builds, and Security Updates for Wednesday

Filed under
Security

Security: FOSS Updates, Windows Phone Dies, Unikernels, and National Security

Filed under
Security
  • Security updates for Tuesday
  • Windows Phone dies today

    Microsoft is killing off Windows Phone 8.1 support today, more than three years after the company first introduced the update. The end of support marks an end to the Windows Phone era, and the millions of devices still running the operating system. While most have accepted that the death of Windows Phone occurred more than a year ago, AdDuplex estimates that nearly 80 percent of all Windows-powered phones are still running Windows Phone 7, Windows Phone 8, or Windows Phone 8.1.

    [...]

    Microsoft has shied away from officially killing off its phone OS efforts, but it’s been evident over the past year that the company is no longer focusing its efforts on Windows for phones. Microsoft gutted its phone business last year, resulting in thousands of job cuts.

  • Unikernels are secure. Here is why.

    There have been put forth various arguments for why unikernels are the better choice security wise and also some contradictory opinions on why they are a disaster. I believe that from a security perspective unikernels can offer a level of security that is unprecedented in mainstream computing.

  • 'Hacking' Of US Nuclear Facilities Appears To Be Little More Than The Sort Of Spying The US Approves Of

    This is where the DHS fell down in its "sharing" of internal documents with the New York Times. No one bothered to correct the Times when it went off on a Stuxnet tangent. This could give some government officials the wrong idea about what's happening -- both here and in foreign nations. There are many people in power who get much of their information from the press. This leads to bad bills being hurriedly crafted and public calls to action based on hearsay from a document someone else viewed. And that's just here in the US.

    On top of that, there's how we behave and how we expect others to behave. We're going to do this sort of thing. So are our adversaries. Both sides will continue to play defense. But going from 0-to-Stuxnet in the DHS's Ambermobile isn't a great idea. And it allows US officials to further distance themselves from actions we condone as part of our national security efforts.

  • Kaspersky under scrutiny after Bloomberg story claims close links to FSB

    Shortly after Bloomberg Businessweek published an explosive story under the headline: "Kaspersky Lab Has Been Working With Russian Intelligence," the security firm released a lengthy statement noting that the company does not have "inappropriate ties with any government."

    The article, which was published in the early morning hours on Tuesday, says that the Moscow-based firm "has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency's behest and worked on joint projects the CEO knew would be embarrassing if made public." Media organization McClatchy made seemingly similar claims in a July 3 report.

W3C DRM Backlash

Filed under
Security
Web
  • "W3C Embraces DRM - Declares War on Humanity" - Lunduke Hour

    The W3C has voted to standardize DRM for all of the Web -- in direct opposition to their own Mission Statement. What they are doing could have dire consequences for the entire Web. I yell about that for an hour. Because I'm mad.

  • DRM free Smart TV

    Libreboot is a free BIOS replacement which removes the Intel Management Engine. The Intel Management Engine is proprietary malware which includes a back door and some DRM functions. Netflix uses this hardware DRM called the Protected Audio/Video Path on Windows 10 when watching 4K videos. The Thinkpad T400 does not even have an HDMI port, which is known to be encumbered by HDCP, an ineffective DRM that has been cracked.

    Instead of using DRM encumbered streaming services such as Netflix, Entertain or Vodafone TV, I still buy DVDs and pay them anonymously with cash. In my home there is a DVB-C connector, which I have connected to a FRITZ!WLAN Repeater DVB-C which streams the TV signal to the ThinkPad. The TV set is switched on and off using a FRITZ!DECT 200 which I control using a python script running on the ThinkPad. I also reuse an old IR remote and an IRDuino to control the ThinkPad.

  • Over many objections, W3C approves DRM for HTML5

    A narrower covenant not to sue was proposed, but even this much narrower covenant was rejected. The various members of W3C appeared unlikely to agree to any particular set of terms, and ultimately were never polled to see if consensus could be reached. Since the original EME proposal didn't include such a covenant, Berners-Lee decreed that failure to form one should not be allowed to block publication as an official W3C Recommendation.

Security: The .io Error, Security things in Linux v4.12, Avanti Cracked, Reliance Jio data Breach, NSE Down, Medicare Leak, and 2FA

Filed under
Security

Security and Encryption: Revenge, CIA Cracks, FUD, Black Hat, LinuxKit and Docker, GCHQ on e2, and DRM

Filed under
Security
  • Who's got your hack back?

    The topic of hacking back keeps coming up these days. There's an attempt to pass a bill in the US that would legalize hacking back. There are many opinions on this topic, I'm generally not one to take a hard stand against what someone else thinks. In this case though, if you think hacking back is a good idea, you're wrong. Painfully wrong.

    Everything I've seen up to this point tells me the people who think hacking back is a good idea are either mistaken about the issue or they're misleading others on purpose. Hacking back isn't self defense, it's not about being attacked, it's not about protection. It's a terrible idea that has no place in a modern society. Hacking back is some sort of stone age retribution tribal law. It has no place in our world.

    [...]

    So this has me really thinking. Why would anyone want to hack back? There aren't many reasons that don't revolve around revenge. The way most attacks work you can't reliably know who is doing what with any sort of confidence. Hacking back isn't going to make anything better. It would make things a lot worse. Nobody wants to be stuck in the middle of a senseless feud. Well, nobody sane.

  • CIA has hacking tools, says Wikileaks

    The leaked papers have revealed that the agency turned to software which is named BothanSpy and Gyrfalcon to steal user credentials.

  • Linux Malware and Attacks on the Rise [Ed: This whole thing is based on a Microsoft ally from Seattle. Microsoft FUD by proxy, to distract from WannaCry Armageddon?]
  • Black Hat Survey: Security Pros Expect Major Breaches in Next Two Years

    A major compromise of U.S. critical infrastructure will occur in the next couple of years, according to a majority of IT security professionals -- and most expect breaches of their own enterprise networks to occur even sooner.

    These serious concerns are among those registered by respondents to the 2017 Black Hat Attendee Survey, the results of which are being published Wednesday. The survey offers insights on the plans and attitudes of 580 experienced security professionals, including many cybersecurity leaders who work in critical-infrastructure industries.

  • LinuxKit and Docker Security

    Docker got its start not just as a container system, but also as a Linux container system. Since then, Docker has developed versions of its container management systems for other platforms, including widely used cloud service providers, as well as Windows and the Macintosh OS. Many of these platforms, however, either have considerable variation in the Linux features which are available, or do not natively supply a full set of Linux resources.

  • Former GCHQ boss backs end-to-end encryption

    Former GCHQ director Robert Hannigan has spoken out against building backdoors into end-to-end encryption (e2e) schemes as a means to intercept communications by terrorists and other ne'er-do-wells.

    Home Secretary Amber Rudd has criticised mobile messaging services such as WhatsApp that offer end-to-end encryption, in the wake of recent terror outrages such as the Westminster Bridge attack, arguing that there should be no place for terrorists to hide.

    Hannigan, who led GCHQ between November 2014 and January 2017, struck a different tone in an interview with BBC Radio 4 flagship news programme Today on Monday morning, arguing there's no simple answer on the national security challenges posed by encryption.

  • How big is the market for DRM-Free?

    They reached a shocking conclusion: DVD players with even minimal circumvention features sell for about 50% more than similarly reviewed DVD players of similar vintage -- that means that in a commodity electronics category where the normal profit would be 2% or less, manufacturers that sell a model with just slightly different software (a choice that adds virtually nothing to the manufacturing costs) pocket 25 times the profits.

Security: GnuPG Encryption, Wildcard Certificates, Stack Clash, BothanSpy and Gyrfalcon

Filed under
Security
  • Researchers Crack 1024-bit RSA Encryption in GnuPG Crypto Library
  • Wildcard Certificates Coming January 2018

    Let’s Encrypt will begin issuing wildcard certificates in January of 2018. Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.

    Let’s Encrypt is currently securing 47 million domains via our fully automated DV certificate issuance and management API. This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt’s service became available in December 2015. If you’re excited about wildcard availability and our mission to get to a 100% encrypted Web, we ask that you contribute to our summer fundraising campaign.

  • Ripples from Stack Clash

    In one sense, the Stack Clash vulnerability that was announced on June 19 has not had a huge impact: thus far, at least, there have been few (if any) stories of active exploits in the wild. At other levels, though, this would appear to be an important vulnerability, in that it has raised a number of questions about how the community handles security issues and what can be expected in the future. The indications, unfortunately, are not all positive.

  • CIA programs to steal your SSH credentials (BothanSpy and Gyrfalcon)

Security: Cybersecurity Index, Security Updates, Vault 7, and CloudLinux

Filed under
Security

Security: Ransomware, BothanSpy, Gyrfalcon, and Grsecurity

Filed under
Security
  • Hackers {sic} Linked to NotPetya Ransomware Decrypted a File For Us
  • Vault 7: Documents detail implants for stealing SSH traffic

    The implant for Windows is called BothanSpy and targets versions 3, 4 and 5 of the SSH client Xshell. It dates back to 2015. The Linux implant is known as Gyrfalcon and is aimed at OpenSSH; it dates back to 2013.

  • WikiLeaks: CIA steals SSH credentials from Windows and Linux with BothanSpy and Gyrfalcon tools

    The leaked documentation for the tools was updated as recently as March 2015, and the file relating to BothanSpy reveals that XShell needs to be installed as it itself installs as a Shellterm extension. There are smatterings of humor throughout the file, with a warning that: "It does not destroy the Death Star, nor does it detect traps laid by The Emperor to destroy Rebel fleets." There is also the introductory quip: "Many Bothan spies will die to bring you this information, remember their sacrifice."

  • Bruce Perens Warns of Potential Contributory Infringement Risk for Grsecurity Customers

    By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kern

Security: Black Duck FUD, Bitcoin Lapse, and Claims of libgcrypt Weakness

Filed under
Security
  • Open source to blame for rise of ransomware? [Ed: "Black Duck raises concerns" to smear FOSS again; A Microsoft-connected FUD firm.]
  • Hijacking Bitcoin: routing attacks on cryptocurrencies

    The Bitcoin network has more than 6,000 nodes, responsible for up to 300,000 daily transactions and 16 million bitcoins valued at roughly $17B.

    [...]

    BGP (Border Gateway Protocol) is the routing protocol that controls how packets are forwarded in the Internet. Routes are associated with IP prefixes, and are exchanged between neighbouring networks (Autonomous Systems, AS). The origin AS makes the original route announcement, and this then propagates through the network hop by hop.

  • Researchers open sliding window to completely break libgcrypt RSA-1024

    In their paper the researchers display a good sense of humour in calling the vulnerability 'sliding right into disaster'. That's because it exploits the fact that exponent bits leaked by the 'sliding window' process used by libgcrypt can be used to carry out a key recovery attack against RSA. This despite it previously being thought that even if the entire pattern of squarings and multiplications was observed courtesy of a side-channel attack, it wouldn't leak enough exponent bits to be of any real use.
