Language Selection

English French German Italian Portuguese Spanish

Security

Broken Connections

Filed under
Microsoft
Security
  • A Ton of Popular Netgear Routers Are Exposed—With No Easy Fix

    A vulnerability in some popular Netgear routers has gone unpatched for months. Left unchecked, it leaves thousands of home networking devices exposed to full control by hackers, who can then ensnare them in havoc-wreaking botnets. While Netgear has finally released a tentative fix for some models, the delays and challenges in patching all of them help illustrate just how at risk the Internet of Things is—and how hard it is to patch up when things go wrong.

    Andrew Rollins, a security researcher who also goes by Acew0rm, notified Netgear about the flaw on August 25, but says that the company never responded to him. After waiting more than three months, he went public with the vulnerability, and the Department of Homeland Security’s CERT group released an advisory about it on Friday. Its advice? Pull the plug.

  • Windows 10 is dropping WiFi connections, with no fix from Microsoft yet

    WINDOWS 10 is back to its old tricks again, with a recurrence of problems with WiFi connections dropping, something we’ve not seen since the early days.

    Although Microsoft has released a new version of Windows 10 in the last few days (1607) it doesn’t seem to be that, because most of the complaints predate the code drop by two days.

    KB3201845 was released on 9 December, but the problems started on 7 December and appear to be affecting some Windows 7 and 8.1 machines as well. There’s no pattern in terms of ISPs, routers, and WiFi cards - at the moment, at least, it’s all random.

Security News

Filed under
Security

More Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • security things in Linux v4.9
  • Black Hats Leveraging PowerShell

    Those with long memories might remember that in 1996, Microsoft added support in the Internet Explorer browser for ActiveX controls. While this greatly expanded the functionality of the Internet, it also made the web a much less safe place, especially for the average user. The trouble was, ActiveX made it simple to download and install software with little or no input from users. Even those not old enough to remember have probably already figured out that this didn't work out well.

  • A security lifetime every five years

    A long time ago, it wouldn’t be uncommon to have the same job at the same company for ten or twenty years. People loved their seniority, they loved their company, they loved everything staying the same. Stability was the name of the game. Why learn something new when you can retire in a few years?

    Well, a long time ago, was a long time ago. Things are quite a bit different now. If you’ve been doing the same thing at the same company for more than five years, there’s probably something wrong. Of course there are always exceptions to every rule, but I bet more than 80% of the people in their jobs for more than five years aren’t exceptions. It’s easy to get too comfortable, it’s also dangerous.

  • Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaw

    More than a year after a drowned Syrian toddler washed up on a beach in Turkey, the tiny refugee’s body, captured in a photograph that shocked the world, reappeared on computer screens across Saudi Arabia -- this time as a prelude to a cyberattack.

    The strike last month disabled thousands of computers across multiple government ministries in Saudi Arabia, a rare use of offensive cyberweapons aimed at destroying computers and erasing data. The attackers, who haven’t claimed responsibility, used the same malware that was employed in a 2012 assault against Saudi Arabian Oil Co., known as Saudi Aramco, and which destroyed 35,000 computers within hours.

  • London councils are reliant on unsupported Microsoft server software [Ed: Well, even if supported, still back doors in it. Abandon.]

    ALMOST 70 PER CENT of London councils are running unsupported server software, leaving them vulnerable to exploits for which there are no patches available.

    That's according to backup firm Databarracks, which through a Freedom of Information (FoI) request revealed that 69 per cent of London councils are running out-of-date server software.

    The firm contacted all 32 London boroughs as well as the City of London and received responses from all.

    The data revealed that 63 per cent of London councils are still running Windows Server 2003, 51 per cent run SQL Server 2005 and 10 per cent still use Windows Server 2000 - none of which are still supported by Microsoft.

  • PwC sends 'cease and desist' letters to researchers who found critical flaw

    A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats.

    Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorized access to an affected SAP system.

Security News

Filed under
Security
  • The sad tale of CVE-2015-1336

    Today I released man-db 2.7.6 (announcement, NEWS, git log), and uploaded it to Debian unstable. The major change in this release was a set of fixes for two security vulnerabilities, one of which affected all man-db installations since 2.3.12 (or 2.3.10-66 in Debian), and the other of which was specific to Debian and its derivatives.

    It’s probably obvious from the dates here that this has not been my finest hour in terms of responding to security issues in a timely fashion, and I apologise for that. Some of this is just the usual life reasons, which I shan’t bore you by reciting, but some of it has been that fixing this properly in man-db was genuinely rather complicated and delicate. Since I’ve previously advocated man-db over some of its competitors on the basis of a better security posture, I think it behooves me to write up a longer description.

  • Dear democracy, you need more hackers

    This is my write up from Nesta’s recent digital democracy day — I wasn’t planning to blog but it inspired me, so here you go.

    The day included two sessions; one focussed on local government and one in parliament focussed on, well, parliament. At the heart of each session were four fantastic presentations showcasing digital democracy projects from Iceland (Citizen’s Foundation —Gunnar Grímsson), Taiwan (Digital Minister — Audrey Tang), France (Cap Collectif — Nicolas Patte) and Brazil (Chamber of Deputies Hacker Lab — Cristiano Falia). Big thanks to Theo and the rest of the gang at Nesta for arranging Smile

    My main thought following the day (there was so much — it’s been hard to boil it down…) is that there needs to be more capacity in our democracy to hack. Government can no longer rely on off the shelf solutions to meet democratic challenges but needs to experiment and adapt - something brilliantly illustrated by each of the four projects.

    [...]

    The tools are not much use if the institutions of democracy are unwilling or unable to respond to them. Nicholas Patte explained how it took a long time to convince the elected representatives in France about their crowd sourced legislation project but, with perseverance, they got there in the end.

    I loved that Taiwan has a ‘Minister of Hacking’ who can get things done at the highest level of government — her sage advice is that politicians can be asked to accept ‘those things they can live with’; compromise clearly plays a role.

  • Users Told Disconnect Certain Netgear Routers

    About this time I’m wondering if I’d even purchase a Netgear router.

    You’d think that with all of the fuss recently about the insecure Internet of things, especially when it comes to routers, that any router maker would be on top of it and patching vulnerabilities as soon as they’re discovered.

    Evidently not, as far as Netgear is concerned.

  • Busted Windows 8, 10 update blamed for breaking Brits' DHCP

    Folks using Windows 10 and 8 on BT and Plusnet networks in the UK are being kicked offline by a mysterious software bug.

    Computers running the Microsoft operating systems are losing network connectivity due to what appears to be a problem with DHCP. Specifically, it seems some Windows 10 and 8 boxes can no longer reliably obtain LAN-side IP addresses and DNS server settings from their BT and Plusnet broadband routers, preventing them from reaching the internet and other devices on their networks.

    (The link between BT and Plusnet is that, while the latter bills itself as a friendly independent ISP, it's really a subsidiary of the former.)

    BT and Plusnet told The Register Microsoft is investigating the blunder. Redmond also confirmed on Thursday in its support forum that it’s looking into the problem.

  • Containers in Production – Is Security a Barrier? A Dataset from Anchore

    Over the last week we have had the opportunity to work with an interesting set of data collected by Anchore (full disclosure: Anchore is a RedMonk client). Anchore collected this data by means of a user survey ran in conjunction with DevOps.com. While the number of respondents is relatively small, at 338, there are some interesting questions asked, and a number of data points which support wider trends we are seeing around container usage. With any data set of this nature, it is important to state that survey results strictly reflect the members of the DevOps.com community.

Security Leftovers

Filed under
Security
  • The IoT: Gateway for enterprise hackers

    The risk of notoriously insecure Internet of Things devices is not so much that those devices themselves will be compromised, but that they provide dozens – perhaps hundreds – of openings that could allow attackers to get inside an enterprise network

  • Netgear users advised to stop using affected routers after severe flaw found
  • We must return transparency to voting [Ed: a real problem]

    With the passage of the Help America Vote Act in 2002, electronic voting systems became the law of the land. This law required proprietary electronic voting systems be used in America.

    It must be noted, however, that Americans would not be permitted to use open-source software to protect their right to vote. When proprietary electronic-voting systems are used for elections, Americans literally lost their right to vote.

    In America, our governments, whether local, state or federal, rely on elections that permit anyone to scrutinize the election process, including the vote count. Whether by paper ballot or electronic voting system, it is every American's right to examine the vote count process to satisfy their personal demand that the vote count is accurate and verifiable.

  • CloudLinux 7 Kernel Update Patches 5-Year-Old Privilege-Escalation Vulnerability

More Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • A 'mystery device' is letting thieves break into cars and drive off with them, insurance group says

    Insurance crime investigators are raising alarms over a device that not only lets thieves break into cars that use keyless entry systems but also helps start and steal them.

    Investigators from the National Insurance Crime Bureau, a not-for-profit organization, said in an interview they obtained what they called the “mystery device” from a third-party security expert at an overseas company.

    So far, the threat here may be mostly theoretical. The crime bureau said it heard of the device being used in Europe and had reports that it had entered the U.S., but said there are no law enforcement reports of a car being stolen using it in the United States.

  • Turkish hacking group offers tiered points rewards program for DoS attacks

    A TURKISH HACKING GANG is taking an unusual approach to funding denial of service attacks, and is soliciting for, and offering hackers rewards for taking down chosen pages.

    This is unusual, as far as we know, and it has led to the creation of comment from the security industry. Often these things do.

  • German judges explain why Adblock Plus is legal

    Last month, Adblock Plus maker Eyeo GmbH won its sixth legal victory in German courts, with a panel of district court judges deciding that ad-blocking software is legal despite German newsmagazine Der Spiegel's arguments to the contrary. Now, the reasoning of the Hamburg-based panel of judges has been made public.

    According to an unofficial English-translated copy (PDF) of the judgment, Spiegel Online argued it was making a "unified offer" to online consumers. Essentially, that offer is: read the news content for free and view some ads. While Internet users have the freedom "not to access this unified offer," neither they nor Adblock Plus have the right to "dismantle" it. Eyeo's behavior thus amounted to unfair competition, and it could even wipe the offer out, Spiegel claimed.

    "The Claimant [Spiegel] argues that the Defendant’s [Eyeo's] business model endangers the Claimant’s existence," reads the judgment, which isn't final because it can be appealed by Spiegel. Because users aren't willing to pay for editorial content on the Web, "it is not economically viable for the Claimant to switch to this business model."

    Spiegel asked for an accounting of all the blocked views on its website and a fine to be paid—or even for managers Wladimir Palant and Till Faida to be placed in "coercive detention" of up to two years.

  • Op-ed: I’m throwing in the towel on PGP, and I work in security [Ed: Onlya tool would drop PGP for Facebook-controlled Whatsapp. The company back-doors everything under gag orders.]

    In the coming weeks I'll import all signatures I received, make all the signatures I promised, and then publish revocations to the keyservers. I'll rotate my Keybase key. Eventually, I'll destroy the private keys.

  • 90 per cent of NHS Trusts are still running Windows XP machines

    90 PER CENT of the NHS continues to run Windows XP machines, two and a half years after Microsoft ditched support for the ageing OS.

    It's Citrix who is ringing the alarm bells, having learnt that 90 per cent of NHS Trusts are still running Windows XP PCs. The firm sent Freedom of Information (FoI) requests to 63 NHS Trusts, 42 of which responded.

    The data also revealed that 24 Trusts are still not sure when they'll migrate from Windows XP to a newer version of Microsoft's OS. 14 per cent said they would be transitioning to a new operating system by the end of this year, while 29 per cent pledged to make the move sometime next year.

  • Ransomware blamed for attack that caused Lincolnshire NHS Trust shutdown

    RANSOMWARE is to blame for an attack which saw an NHS Trust in Lincolnshire that forced to cancel operations for four days in October.

    In a statement, Northern Lincolnshire and Goole NHS Foundation Trust said that a ransomware variant called Globe2 was to blame for the incident.

  • Researchers Find Fresh Fodder for IoT Attack Cannons

    New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

  • Your data is not safe. Here's how to lock it down

    But some people worry that government surveillance will expand under a Donald Trump presidency, especially because he tapped Mike Pompeo, who supports mass surveillance, for CIA chief.

  • Tor at the Heart: Library Freedom Project

    Library Freedom Project is an initiative that aims to make real the promise of intellectual freedom in libraries by teaching librarians and their local communities about surveillance threats, privacy rights and responsibilities, and privacy-enhancing technologies to help safeguard digital freedoms.

  • PowerShell security threats greater than ever, researchers warn

    Administrators should upgrade to the latest version of Microsoft PowerShell and enable extended logging and monitoring capabilities in the light of a surge in related security threats, warn researchers [...] Now more than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.

  • Five-Year-Old Bait-and-Switch Linux Security Flaw Patched

    Maintainers of the Linux Kernel project have fixed three security flaws this week, among which there was a serious bug that lingered in the kernel for the past five years and allowed attackers to bypass some OS security systems and open a root shell.

  • The Internet of Dangerous Auction Sites

    Ok, I know this is kind of old news now, but Bruce Schneier gave testimony to the House of Representatives’ Energy & Commerce Committee about computer security after the Dyn attack. I’m including this quote because I feel it sets the scene nicely for what follows here.

    Last week, I was browsing the popular online auction site eBay and I noticed that there was no TLS. For a moment, I considered that maybe my traffic was being intercepted deliberately, there’s no way that eBay as a global company would be deliberately risking users in this way. I was wrong. There is not and has never been TLS for large swathes of the eBay site. In fact, the only point at which I’ve found TLS is in their help pages and when it comes to entering card details (although it’ll give you back the last 4 digits of your card over a plaintext channel).

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security advisories for Friday
  • Oh, the security!

    This security concern has only raised because of using 3rd party parsers (well, in the case of the GStreamer vulnerability in question, decoders, why a parsing facility like GstDiscoverer triggers decoding is another question worth asking), and this parsing of content happens in exactly one place in your common setup: tracker-extract.

  • Patch for CVE-2016-8655 Issue Now Available for CloudLinux OS 7 KernelCare Users

    Just the other day we reported on the general availability of a kernel update for the shared hosting-oriented CloudLinux OS 7 operating system, and today a new patch is available for those running KernelCare.

    If you're not familiar with KernelCare, it's a commercial kernel live patching technology developed and provided by CloudLinux of its CloudLinux OS users. We've discussed CloudLinux's KernelCare in a previous report if you're curious to test drive it.

Three serious Linux kernel security holes patched

Filed under
Linux
Security

The good news is developers are looking very closely at Linux's core code for possible security holes. The bad news is they're finding them.

At least the best news is that they're fixing them as soon as they're uncovered.

The latest three kernel vulnerabilities are designated CVE-2016-8655, CVE-2016-6480, and CVE-2016-6828. Of these, CVE-2016-8655 is the worst of the bunch. It enables local users, which can include remote users with virtual and cloud-based Linux instances, to crash the system or run arbitrary code as root.

Read more

Syndicate content

More in Tux Machines

Ubuntu 16.04.2 LTS Delayed Until February 2, Will Bring Linux 4.8, Newer Mesa

If you've been waiting to upgrade your Ubuntu 16.04 LTS (Xenial Xerus) operating system to the 16.04.2 point release, which should have hit the streets a couple of days ago, you'll have to wait until February 2. We hate to give you guys bad news, but Canonical's engineers are still working hard these days to port all the goodies from the Ubuntu 16.10 (Yakkety Yak) repositories to Ubuntu 16.04 LTS, which is a long-term supported version, until 2019. These include the Linux 4.8 kernel packages and an updated graphics stack based on a newer X.Org Server version and Mesa 3D Graphics Library. Read more

Calamares Release and Adoption

  • Calamares 3.0 Universal Linux Installer Released, Drops Support for KPMcore 2
    Calamares, the open-source distribution-independent system installer, which is used by many GNU/Linux distributions, including the popular KaOS, Netrunner, Chakra GNU/Linux, and recently KDE Neon, was updated today to version 3.0. Calamares 3.0 is a major milestone, ending the support for the 2.4 series, which recently received its last maintenance update, versioned 2.4.6, bringing numerous improvements, countless bug fixes, and some long-anticipated features, including a brand-new PythonQt-based module interface.
  • Due to Popular Request, KDE Neon Is Adopting the Calamares Graphical Installer
    KDE Neon maintainer Jonathan Riddell is announcing today the immediate availability of the popular Calamares distribution-independent Linux installer framework on the Developer Unstable Edition of KDE Neon. It would appear that many KDE Neon users have voted for Calamares to become the default graphical installer system used for installing the Linux-based operating system on their personal computers. Indeed, Calamares is a popular installer framework that's being successfully used by many distros, including Chakra, Netrunner, and KaOS.

Red Hat Financial News

Wine 2.0 RC6 released