
Security: Elsevier Left Users’ Passwords Exposed Online and Norsk Hydro of Norway Got Windows Cracked

Filed under
Security
  • Education and Science Giant Elsevier Left Users’ Passwords Exposed Online

    It’s not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials.

  • Norwegian aluminium firm goes manual after Windows ransomware attack

    Norwegian aluminium maker Norsk Hydro has been under what it describes as "an extensive cyber attack" that has affected several areas of the company's operations. The malware affecting the firm is believed to be the LockerGoga ransomware that attacks Windows systems.

  • “Severe” ransomware attack cripples big aluminum producer

    Norsk Hydro of Norway said the malware first hit computers in the United States on Monday night. By Tuesday morning, the infection had spread to other parts of the company, which operates in 40 countries. Company officials responded by isolating plants to prevent further spreading. Some plants were temporarily stopped, while others, which had to be kept running continuously, were switched to manual mode when possible. The company’s 35,000 employees were instructed to keep computers turned off but were allowed to use phones and tablets to check email.

Security: Updates, Trust, IPFire 2.21 and Superusers

Filed under
Security
  • 40 Linux Server Hardening Security Tips [2019 edition]
  • Why Trust Is Key for Cyber-Security Risk Management

    "Trust" is an often-overused term, but according to Rohit Ghai, president of RSA Security, trust is the key to understanding and managing digital risk.

    In a video interview with eWEEK, Ghai discusses his views on trust, where the concept of an artificial intelligence "digital twin" fits in and why there could well be a need to redefine industry cyber-security categories to better reflect how risk management technologies should work. He also provides insight into how RSA Security's products, including Archer, Netwitness and SecurID, fit together to help organizations provide trust and manage risk.

    "As long as we pay attention to the idea of risk and trust co-existing and taking a risk orientation to security, I think we'll be fine," Ghai said. "Trust is important. We are living in an era where people are losing faith or trust in technology, and we have to act now to restore it."

  • IPFire 2.21 - Core Update 129 is ready for testing

    The next release is available for testing - presumably going to be the last release in the 2.21 series before we bring some bigger changes. This update has a huge number of significant changes for IPsec as well as many updates to the core system and various smaller bug fixes.

  • Superuser accounts: What they are and how to secure them

    Most security technologies are helpless in protecting against superusers because they were developed to protect the perimeter – but superusers are already on the inside. Superusers may be able to change firewall configurations, create backdoors and override security settings, all while erasing traces of their activity.

    Insufficient policies and controls around superuser provisioning, segregation and monitoring further heighten risks. For instance, database administrators, network engineers and application developers are frequently given full superuser-level access. Sharing of superuser accounts among multiple individuals is also a rampant practice, which muddles the audit trail. And in the case of Windows PCs, users often log in with administrative account privileges – far broader than what is needed.

Security: Updates, "US Huawei Blackballing Efforts" and Microsoft's Back Doors Keep Crackers Busy

Filed under
Security
  • Security updates for Tuesday
  • US Huawei Blackballing Efforts Stall Due To Lack Of 'Actual Facts'

    During the Trump era, the US government has dramatically ramped up claims that Chinese hardware vendor Huawei is a nefarious spy for the Chinese government, blackballing it from the U.S. telecom market. From pressuring U.S. carriers to drop plans to sell Huawei phones to the FCC's decision to ban companies from using Huawei gear if they want to receive federal subsidies, this effort hasn't been subtle.

    While Huawei should never be confused with a saint (what telecom company would be?) there are several problems with the effort. The biggest being that despite a decade of hand-wringing and one eighteen month investigation by the US government, there's still no public evidence Huawei uses its network gear to spy on Americans. That's not sitting well with countries we've asked to join along in the fun.

  • Sorry, Linux. We know you want to be popular, but cyber-crooks are all about Microsoft for now

    Eight out of the ten most exploited vulnerabilities tracked by threat intelligence biz Recorded Future in 2018 targeted Microsoft products – though number two on its list was, surprise surprise, a Flash flaw.

    The most exploited vuln in the firm's hall of shame was a remote code execution flaw in Windows' VBScript engine that could pwn users who opened a booby-trapped web page with Internet Explorer.

    "Exploit kits associated with this vulnerability were noted to spread the malware Trickbot through phishing attacks," said Recorded Future in a report published today.

    The Flash vuln was none other than one exploited by North Korean state-backed hackers – first detected by South Korea's CERT, which discovered a flood of booby-trapped MS Office documents, web pages, spam messages and more.

Security: Update, User Account Review, Fear-Spreading and IPFire 2.21

Filed under
Security
  • Security updates for Monday
  • User Account Review | Roadmap to Securing Your Infrastructure

    One of the topics you may not often think of as being all that important to security is user accounts on systems. We spend so much time on other things — like managing firewall rules, system patching, analyzing report data, etc. — that user accounts are often a neglected topic.

    At a previous employer, I performed many security-focused audits for organizations needing to meet regulatory compliance. As part of these audits, I would review systems for best practice and general housekeeping. You can tell a lot about an administrator by the state of their environment. Too often I would find accounts that had not logged in for years or may have never logged in. Why do you need those accounts if they’re not being used?

  • Brace yourselves: New variant of Mirai takes aim at a new crop of IoT devices [Ed: Install FOSS firmware and brace yourselves for the latest scaremongering from Mr. Goodin (sued for his dramatisation, exaggerations, and distortions)]

    A newly discovered variant contains a total of 27 exploits, 11 of which are new to Mirai, researchers with security firm Palo Alto Networks reported in a blog post Monday. Besides demonstrating an attempt to reinvigorate Mirai’s place among powerful botnets, the new exploits signal an attempt to penetrate an arena that's largely new to Mirai. One of the 11 new exploits targets the WePresent WiPG-1000 Wireless Presentation systems, and another exploit targets LG Supersign TVs. Both of these devices are intended for use by businesses, which typically have networks that offer larger amounts of bandwidth than Mirai’s more traditional target of home consumers.

  • Routed IPsec VPNs are landing in IPFire 2.21 - Core Update 129

    The forthcoming Core Update will have some brilliant changes to our IPsec stack.

    These changes were required for a project that Lightning Wire Labs has been doing and are potentially a little bit niche. We have backported these as well from IPFire 3 where this feature is even more advanced and - to me - a lot more exciting, too.

Security: Cult of the Dead Cow, Huawei, and LastPass

Filed under
Security
  • Open Source Security Podcast: Episode 137.5 - Holy cow Beto was in the cDc, this is awesome!

    Josh and Kurt talk about Beto being in the Cult of the Dead Cow (cDc). This is a pretty big deal in a very good way. We hit on some history, why it's a great thing, what we can probably expect from opponents. There's even some advice at the end how we can all help. We need more politicians with backgrounds like this.

  • Is Huawei a security threat? Seven experts weigh in

    Regardless of how the suit shakes out, it will hardly be the last volley in the ongoing battle. Is the US right to target Chinese equipment makers like Huawei, or has the company, as it maintains, been unfairly maligned? The Verge convened experts, from prominent China-watchers to Sen. Marco Rubio, to give their views.

  • Should you be concerned about LastPass uploading your passwords to its server? [Ed: Wladimir Palant says what I have been saying for years. Alas, it fell on some deaf ears. LastPass is a dangerous trap. Very bad, and not even for convenience. Faith-based security.]

    I’ve written a number of blog posts on LastPass security issues already. The latest one so far looked into the way the LastPass data is encrypted before it is transmitted to the server. The thing is: when your password manager uploads all data to its server backend, you normally want to be very certain that the data visible to the server is useless both to attackers who manage to compromise the server and company employees running that server. Early last year I reported a number of issues that allowed subverting LastPass encryption with comparably little effort. The most severe issues have been addressed, so all should be good now?

    Sadly, no. It is absolutely possible for a password manager to use a server for some functionality while not trusting it. However, LastPass has been designed in a way that makes taking this route very difficult. In particular, the decision to fall back to server-provided pages for parts of the LastPass browser extension functionality is highly problematic. For example, whenever you access Account Settings you leave the trusted browser extension and access a web interface presented to you by the LastPass server, something that the extension tries to hide from you. Some other extension functionality is implemented similarly.

Security: JavaScript, WinRAR, Wi-Fi, Android and More

Filed under
Security
  • A new rash of highly covert card-skimming malware infects ecommerce sites

    Group-IB has dubbed the JavaScript sniffer GMO after the gmo[.]il domain it uses to send pilfered data from infected sites, all of which run the Magento e-commerce Web platform. The researchers said the domain was registered last May and that the malware has been active since then. To conceal itself, GMO compresses the skimmer into a tiny space that’s highly obfuscated and remains dormant when it detects the Firebug or Google Developer Tools running on a visitor’s computer. GMO was manually injected into all seven sites, an indication that it is still relatively fledgling.

  • Nasty WinRAR bug is being actively exploited to install hard-to-detect malware

    The flaw, disclosed last month by Check Point Research, garnered instant mass attention because it made it possible for attackers to surreptitiously install persistent malicious applications when a target opened a compressed ZIP file using any version of WinRAR released over the past 19 years. The absolute path traversal made it possible for archive files to extract to the Windows startup folder (or any other folder of the archive creator’s choosing) without generating a warning. From there, malicious payloads would automatically be run the next time the computer rebooted.
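    The defect class described above is absolute-path (and `..`) traversal in archive entry names: the extractor trusts the path stored in the archive and writes wherever it points, such as a startup folder. The check below is an added illustration, not code from WinRAR, Check Point or the article; it validates entry names before extraction and rejects any that would land outside the chosen destination, handling both POSIX and Windows path conventions (drive letters, UNC prefixes, backslash separators). The entry names in `SAMPLE_ENTRIES` are constructed for the demonstration.

```python
import ntpath
import os
import posixpath
from typing import Iterable, List, Tuple


def is_safe_entry(name: str, dest: str) -> bool:
    """Return True only if extracting archive entry `name` under `dest`
    cannot write outside `dest`.

    Rejects absolute paths in either convention, drive-relative Windows
    paths ("C:x"), UNC paths, and any '..' component.
    """
    # Archives built on Windows often store '\' separators; treat both as separators.
    normalized = name.replace("\\", "/")

    # Absolute or drive-qualified names must never be honoured by an extractor.
    if posixpath.isabs(normalized) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return False

    # Any '..' component can climb out of dest, so reject it outright (strict by design).
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False

    # Belt and braces: the fully resolved target must still sit inside dest.
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def audit_entries(entries: Iterable[str], dest: str) -> List[Tuple[str, bool]]:
    """Classify every entry name; an extractor would skip or abort on any False."""
    return [(name, is_safe_entry(name, dest)) for name in entries]


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    "docs/readme.txt",                                   # ordinary relative entry
    "images\\logo.png",                                  # Windows separators, still inside dest
    "../../escape.txt",                                  # parent traversal
    "..\\..\\escape.txt",                                # same, Windows style
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\payload.exe",      # absolute path into a startup folder
    "/etc/cron.d/job",                                   # absolute POSIX path
    "\\\\server\\share\\x.exe",                          # UNC path
    "C:payload.exe",                                     # drive-relative path
]


if __name__ == "__main__":
    for name, ok in audit_entries(SAMPLE_ENTRIES, "extracted"):
        print(f"{'OK     ' if ok else 'REJECT '} {name}")
```

Only the first two sample entries pass; an extractor that applies this check before creating files neutralises the "write into the startup folder" behaviour the article describes, regardless of which archive format carries the entry.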

  • How a wireless keyboard lets [intruders] take full control of connected computers

    The attacks can be carried out by anyone who is within range of an affected keyboard set and takes the time to build the hardware that exploits the replay and injection flaws. Normally, that distance is about 30 feet, but the use of special antennas could extend that range. That leaves open the possibility of attacks from hackers in nearby offices or homes.

    Friday’s SySS advisory said that there is currently no known fix for the vulnerabilities. It said company researchers privately reported the vulnerability to Fujitsu. The disclosure timeline is: [...]

  • Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators

    Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to "replay attacks" that allowed the researchers to bypass the encryption.

  • [Older] Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

    In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we’ve outlined, we were able to perform the attacks quickly and even switch on the controlled machine despite an operator’s having issued an emergency stop (e-stop).

    The core of the problem lies in how, instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn’t until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.

  • How Ethereum Applications Earn A+ Security Ratings

    More than 1.2 million ethereum applications have used a little-known security tool to help them avoid the costly errors arising from self-executing lines of code known as smart contracts.

    Launched by ethereum technology startup Amberdata back in October, the free tool is available for anyone in the general public to interpret the security of active applications on the ethereum blockchain. Smart contracts with bugs that have been exploited have led to huge losses, even to the tune of hundreds of millions.

    The automated service scans for common vulnerabilities found in smart contract code and generates a letter grade rating (e.g. A, B, or C) for the security of a decentralized application (dapp).

    The feature is one of the many tools encouraging best practice and increased transparency between dapp developers and end-users in the ethereum ecosystem.

  • How to protect your router

    Currently, there are a variety of open source and OpenVPN capable routers to choose from, but the most popular models are the Linksys AC3200 and the Netgear Nighthawk AC1900.

  • Fighting Crypto Hacks: Company Tackles Security Issues in Ethereum Smart Contracts

    A decentralized, open-source crypto platform based on the Ethereum protocol named Callisto Network offers users free-of-charge smart contract security audits. The company wants to support them in the battle against cyber criminals and help developers solve security issues in Ethereum codes.

  • Just Android things: 150m phones, gadgets installed 'adware-ridden' mobe simulator games

    Android adware found its way into as many as 150 million devices – after it was stashed inside a large number of those bizarre viral mundane job simulation games, we're told.

    The so-called Simbad malware was built into mobile gaming titles such as Real Tractor Farming Simulator, Heavy Mountain Bus Simulator 2018, and Snow Heavy Excavator Simulator, according to infosec research biz Check Point today.

  • Google sinks more than 200 Android apps infected with SimBad adware

    The adware campaign made use of malware dubbed SimBad, which sits within a malicious software development kit called 'RXDrioder' and can perform actions after an infected Android device is booted. SimBad then connects back to a control and command server where it receives instructions from the malicious actors controlling it.

  • How To Secure Privileged Access In An Organisation
  • Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaround
  • 25% of software vulnerabilities remain unpatched for more than a year [Ed: How about back doors in proprietary software? These can never be patched, they're there by design and the user cannot change the code ]
  • Shmoocon 2019, Conor Patrick’s ‘Building And Selling Solo: An Open Source Secure Hardware Token’

'CryptoSink' Security Scare

Filed under
Security
  • Cryptojacking Takes a New Turn in CryptoSink Campaign

    Researchers from F5 Labs reported on March 14 that they have discovered a new cryptojacking campaign that is abusing unpatched Elasticsearch servers.

    Unauthorized cryptocurrency mining, commonly referred to as "cryptojacking," is an attack trend that started in 2017 and hit a peak in mid-2018. With a cryptojacking attack, a hacker makes use of a system or server resources to help mine cryptocurrency. F5 Labs is dubbing the cryptojacking campaign it discovered "CryptoSink" as the attackers are identifying systems that have already been compromised by cryptojacking and are "sinkholing" or redirecting the competitive mining effort. When the competitive cryptojacking effort is sinkholed, it is effectively shut down in favor of the new CryptoSink effort.

  • New cryptominer targets Elasticsearch on Windows, Linux

    A new cryptomining campaign that targets both Windows and Linux systems running the Elasticsearch search and analytics engine has been detailed by researchers from F5 Networks.

    Andrey Shalnev and Maxim Zavodchik said in a blog post that the campaign, which they have named Cryptosink, was using a five-year-old vulnerability in Elasticsearch to gain entry to the servers.

    The initial infection vector was a malicious HTTP request that targeted Elasticsearch.

    [...]

    The malware was also able to backdoor the server by adding the SSH keys of the person who was carrying out the attack.

    And it used several command and control servers, with the current live one being in China.

    Shalnev and Zavodchik said the rise of cryptomining botnets and the decline in crypto currency value meant there was tough competition among the various currencies.

Security: Updates, MITRE, Microsoft Holes and "DARPA Is Working On An Open Source And Hack-Proof Voting System"

Filed under
Security
  • Security updates for Friday
  • MITRE names The Document Foundation as a CVE Numbering Authority (CNA)

    MITRE announced that The Document Foundation, the home of LibreOffice, has been approved as a CVE Numbering Authority (CNA) (https://blog.documentfoundation.org/blog/2019/03/15/mitre-names-the-document-foundation-as-a-cve-numbering-authority-cna/). The Document Foundation is at the center of one of the largest free open source software ecosystems, where enterprise sponsored developers and contributors work side by side with volunteers coming from every continent. The nomination is the result of significant investments in security provided by the LibreOffice Red Hat team under Caolán McNamara's leadership.

  • Update now! Microsoft’s March 2019 Patch Tuesday is here

    If you were among the millions of users who updated Chrome last week to dodge a zero-day exploit, Microsoft has something for you in this month’s Patch Tuesday – a fix for a separate flaw targeting Windows 7 that is being used as part of the same attacks.

    To recap, the Chrome flaw (CVE-2019-5786) was first advised on 1 March with a ‘hurry up and apply the update’ follow-up a few days later when news of exploits emerged. The patch for that took Chrome to 72.0.3626.121.

  • DARPA Is Working On An Open Source And Hack-Proof Voting System

    Voting machines are vulnerable, and lawmakers are pushing hard to come up with a system that is impervious to hacks for fair results. Now, the Defense Advanced Research Projects Agency (DARPA) has launched a project to develop a $10 million open source and highly secure voting system. The new system will not only prevent hackers from hacking the machines but will also allow voters to verify that their vote has been recorded correctly.

    The open source voting system will be designed by Galois, an Oregon-based company and a government contractor. The company has previous experience in designing secure systems.

    [...]

    The new machines will not have barcodes. After submitting the paper ballot in the optical-scan system, a cryptographic representation of votes will be printed on a receipt. After the elections have concluded, the cryptographic representations will be uploaded to a website where voters can verify their choice.

    This process will bring transparency in the voting system which heavily relies on election officials currently.

mkusb

Filed under
GNU
Linux
Hardware
Software
Security

There is a new tool available for Sparkers: mkusb


Also: Purism Planning For Three Hardware Kill Switches With The Librem 5


More in Tux Machines

Excellent Utilities: lnav – the log file navigator

This is the second in a new series highlighting best-of-breed utilities. We’ll be covering a wide range of utilities including tools that boost your productivity, help you manage your workflow, and lots more besides. For this article, we’ll put lnav under the spotlight.

lnav is a curses-based utility for viewing and analyzing log files. The software is designed to extract useful information from log files, making it easy to perform advanced queries. Think of lnav as an enhanced log file viewer.

For many years system and kernel logs were handled by a utility called syslogd. Most Linux-based operating systems have since moved to systemd, which has a journal. That’s a giant log file for the whole system. Various software and services write their log entries into systemd’s journalctl. lnav can consume the JSON version of journalctl’s output. And it supports a wide range of other log formats. For systems running systemd-journald, you can also use lnav as the pager.

We included a couple of log analyzers in our Essential System Tools feature. And lnav wouldn’t be totally out of place in that feature. lnav is optimized for small-scale deployments.

Android Leftovers

Today in Techrights

Video/Audio: Manjaro 18.0 Deepin Edition, Open Source Security Podcast, This Week in Linux, Linux Gaming News Punch, Linux Action News, GNU World Order and Talk Python to Me

  • What’s New in Manjaro 18.0 Deepin Desktop Edition
    Manjaro 18.0 Deepin Edition is an official Manjaro Linux flavour with Deepin Desktop Environment 15.8 as the default desktop environment, and includes several Deepin applications, all free and open source software. Manjaro 18.0 Deepin Edition is powered by the latest Long-Term Support Linux kernel, 4.19, and includes pamac version 7.3. In Manjaro 18.0, the Manjaro Settings Manager (MSM) now provides an easy-to-use graphical interface for installing and removing the many kernel series. At the time of this release, eight kernel series are available directly from the Manjaro binary repositories, from the 3.16 series to the latest 4.19 release.
  • Open Source Security Podcast: Episode 142 - Hypothetical security: what if you find a USB flash drive?
    Josh and Kurt talk about what one could do if you find a USB drive. The context is based on the story where the Secret Service was rumored to have plugged a malicious USB drive into a computer. The purpose of discussion is to explore how to handle a situation like this in the real world. We end the episode with a fantastic comparison of swim safety and security.
  • Episode 64 | This Week in Linux
    On this episode of This Week in Linux, we got a lot of releases this week. Ubuntu and all of the Flavours have released 19.04 versions along with an interesting update from the Ubuntu derivative Pop!_OS. The KDE Community announced the availability of a bunch of new versions of various KDE Applications.
  • Linux Gaming News Punch - Episode 9
    Coming in hot (please save me from this heat) is the ninth episode of the Linux Gaming News Punch, your weekly round-up of some interesting bits of news. For regular readers, as always this might not be too helpful but for those who don't visit too often this should help keep you updated.
  • Linux Action News 102
    Ubuntu 19.04 is released we share our take, OpenSSH has an important release, and Mozilla brings Python to the browser. Also WebThings is launched and we think it might have a shot.
  • GNU World Order 13x17
  • Talk Python to Me: #208 Packaging, Making the most of PyCon, and more
    Are you going to PyCon (or a similar conference)? Join me and Kenneth Reitz as we discuss how to make the most of PyCon and what makes it special for each of us.